Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

carbon_black_cloud: fix mapping for process lineage #11686

Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

carbon_black_cloud: fix mapping for process lineage #11686

wants to merge 1 commit into from
+890 −811

Conversation

efd6
Copy link
Contributor

@efd6 efd6 commented Nov 11, 2024

Proposed commit message

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

  • [ ]

How to test this PR locally

Related issues

Screenshots

@efd6 efd6 added Integration:carbon_black_cloud VMware Carbon Black Cloud bugfix Pull request that fixes a bug issue Team:Security-Service Integrations Security Service Integrations Team [elastic/security-service-integrations] labels Nov 11, 2024
@efd6 efd6 self-assigned this Nov 11, 2024
@efd6 efd6 force-pushed the 11653-carbon_black_cloud branch 2 times, most recently from d1a80b4 to fa852d3 Compare November 11, 2024 04:41
@efd6 efd6 mentioned this pull request Nov 11, 2024
Open
@elasticmachine
Copy link

💚 Build Succeeded

History

cc @efd6

@elastic-sonarqube Elastic SonarQube
Copy link

Quality Gate failed Quality Gate failed

Failed conditions
50.0% Coverage on New Code (required ≥ 80%)

See analysis details on SonarQube

mike-flowers-airbnb
mike-flowers-airbnb reviewed Nov 11, 2024
View reviewed changes
Copy link

@mike-flowers-airbnb mike-flowers-airbnb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @efd6 , thanks for putting this together so quickly. Left a couple of comments based on my understanding of ECS+CBC.

...ages/carbon_black_cloud/data_stream/endpoint_event/elasticsearch/ingest_pipeline/default.yml
@@ -252,19 +252,19 @@ processors:
ignore_missing: true
- rename:
field: json.process_cmdline
target_field: process.command_line
target_field: process.parent.command_line
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For this and all of the subsequent renames, the remapping is only necessary for procstart event type events. In all of the other event types, the event mapping is correct. Could you make the remapping conditional for each based on the json.type?
I'm not sure if it can be optimized, but similar to:

  - rename:
      field: json.process_cmdline
      target_field: process.command_line
      ignore_missing: true
      if: ctx.json?.type? == 'endpoint.event.procstart'
  - rename:
      field: json.process_cmdline
      target_field: process.parent.command_line
      ignore_missing: true
      if: ctx.json?.type? != 'endpoint.event.procstart'

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, I missed that subtlety. I'm not convinced that this change carries it's weight then. I will discuss internally.

...ages/carbon_black_cloud/data_stream/endpoint_event/elasticsearch/ingest_pipeline/default.yml
@@ -652,15 +678,15 @@ processors:
# Mapping for endpoint.event.procstart event type
- rename:
field: json.childproc_guid
target_field: carbon_black_cloud.endpoint_event.childproc.guid
target_field: carbon_black_cloud.endpoint_event.process.guid
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This one should go to process.entity_id

...ages/carbon_black_cloud/data_stream/endpoint_event/elasticsearch/ingest_pipeline/default.yml
ignore_missing: true
- rename:
field: json.childproc_username
target_field: carbon_black_cloud.endpoint_event.childproc.username
target_field: carbon_black_cloud.endpoint_event.process.username
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe that this one can instead go to process.user.name

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mike-flowers-airbnb mike-flowers-airbnb mike-flowers-airbnb left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@efd6 efd6

Labels
breaking change bugfix Pull request that fixes a bug issue Integration:carbon_black_cloud VMware Carbon Black Cloud Team:Security-Service Integrations Security Service Integrations Team [elastic/security-service-integrations]
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[carbon_black_cloud]: Process Start events not mapped correctly
3 participants
@efd6 @elasticmachine @mike-flowers-airbnb