Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Security Solution][Endpoint] Add ECS field for event.code #85109

Merged
merged 1 commit into from
Dec 9, 2020
Merged

[Security Solution][Endpoint] Add ECS field for event.code #85109

merged 1 commit into from
Dec 9, 2020

Conversation

pjhampton
Copy link
Contributor

Summary

The alert from a simulated host is being posted to the staging telemetry service. It's making its way downstream to the Security Data Engineering telemetry services. There is a lot of processing of these docs on our end via stream processors, but these docs keep ending up in a dead letter index due to the missing event.code ECS field.

https://www.elastic.co/guide/en/ecs/master/ecs-event.html#field-event-code

We have been receiving this field from the endpoint for a while to monitor protections artifacts.

cc @jeska

Checklist

Delete any items that are not applicable to this PR.

For maintainers

@pjhampton pjhampton added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Dec 7, 2020
@pjhampton pjhampton requested review from a team as code owners December 7, 2020 08:48
@pjhampton pjhampton self-assigned this Dec 7, 2020
@pjhampton pjhampton added release_note:skip Skip the PR/issue when compiling release notes v7.11.0 labels Dec 7, 2020
@pjhampton pjhampton requested review from tsg and jeska December 7, 2020 08:49
@kibanamachine
Copy link
Contributor

💚 Build Succeeded

Metrics [docs]

Distributable file count

id before after diff
default 46897 47657 +760

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

jeska
jeska approved these changes Dec 7, 2020
View reviewed changes
Copy link
Member

@jeska jeska left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @pjhampton ! This is awesome & will be great for us to keep our docs consistent with what we're getting in prod :)

@pjhampton pjhampton mentioned this pull request Dec 8, 2020
Merged
9 tasks
madirey
madirey approved these changes Dec 8, 2020
View reviewed changes
Copy link
Contributor

@madirey madirey left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💯

@pjhampton pjhampton merged commit fc2673b into master Dec 9, 2020
@pjhampton pjhampton deleted the pjhampton/sample-data-event-code branch December 9, 2020 08:33
@pjhampton pjhampton mentioned this pull request Dec 9, 2020
Merged
pjhampton added a commit that referenced this pull request Dec 9, 2020
@pjhampton
Add ECS field for event.code. (#85109) (#85384)
99ec80a
jloleysens added a commit to jloleysens/kibana that referenced this pull request Dec 9, 2020
@jloleysens
Merge branch 'master' of github.com:elastic/kibana into ilm/add-shrin…
0e2c525 
…k-field-to-hot-phase

* 'master' of github.com:elastic/kibana: (429 commits)
  simplify popover open state logic (elastic#85379)
  [Logs UI][Metrics UI] Move actions to the kibana header (elastic#84648)
  [Search Source] Do not pick scripted fields if * provided (elastic#85133)
  [Search] Session SO polling (elastic#84225)
  [Transform] Replace legacy elasticsearch client (elastic#84932)
  [Uptime]Refactor header and action menu (elastic#83779)
  Fix agg select external link (elastic#85380)
  [ILM] Show forcemerge in hot when rollover is searchable snapshot is enabled (elastic#85292)
  clear using keyboard (elastic#85042)
  [GS] add tag and dashboard suggestion results (elastic#85144)
  [ML] API integration tests - skip GetAnomaliesTableData
  Add ECS field for event.code. (elastic#85109)
  [Functional][TSVB] Wait for markdown textarea to be cleaned (elastic#85128)
  skip flaky suite (elastic#62060)
  skip flaky suite (elastic#85098)
  Bump highlight.js to v9.18.5 (elastic#84296)
  Add `server.publicBaseUrl` config (elastic#85075)
  [Alerting & Actions ] More debug logging (elastic#85149)
  [Security Solution][Case] Manual attach alert to a case (elastic#82996)
  Loosen UUID regex to accept uuidv1 or uuidv4 (elastic#85338)
  ...

# Conflicts:
#	x-pack/plugins/index_lifecycle_management/__jest__/client_integration/edit_policy/edit_policy.helpers.tsx
#	x-pack/plugins/index_lifecycle_management/public/application/sections/edit_policy/components/phases/hot_phase/hot_phase.tsx
#	x-pack/plugins/index_lifecycle_management/public/application/sections/edit_policy/components/phases/shared_fields/index.ts
#	x-pack/plugins/index_lifecycle_management/public/application/sections/edit_policy/components/phases/warm_phase/warm_phase.tsx
#	x-pack/plugins/index_lifecycle_management/public/application/sections/edit_policy/edit_policy.tsx
#	x-pack/plugins/index_lifecycle_management/public/application/sections/edit_policy/i18n_texts.ts
#	x-pack/plugins/index_lifecycle_management/server/routes/api/policies/register_create_route.ts
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@patrykkopycinski patrykkopycinski patrykkopycinski approved these changes

@madirey madirey madirey approved these changes

@jeska jeska jeska approved these changes

@tsg tsg Awaiting requested review from tsg

Assignees

@pjhampton pjhampton

Labels
release_note:skip Skip the PR/issue when compiling release notes Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v7.11.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@pjhampton @kibanamachine @jeska @madirey @patrykkopycinski