
Commit 1de5ff6

[fortinet_fortiedr] Generate processor tags and normalize error handler
- Generate tags for processors missing tags - Normalize the pipeline error handler
1 parent dbf1e3e commit 1de5ff6


3 files changed

+63
-2
lines changed


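--- a/packages/fortinet_fortiedr/changelog.yml
+++ b/packages/fortinet_fortiedr/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.19.2"
+changes:
+- description: Generate processor tags and normalize error handler.
+type: enhancement
+link: https://github.com/elastic/integrations/pull/15538
 - version: "1.19.1"
 changes:
 - description: Changed owners.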

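--- a/packages/fortinet_fortiedr/data_stream/log/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/fortinet_fortiedr/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -2,21 +2,27 @@
 description: Pipeline for Fortinet FortiEDR Endpoint Detection and Response
 processors:
 - set:
+tag: set_ecs_version_f5923549
 field: ecs.version
 value: '8.17.0'
 - set:
+tag: set_observer_vendor_7e57c221
 field: observer.vendor
 value: Fortinet
 - set:
+tag: set_observer_product_021ae16c
 field: observer.product
 value: FortiEDR
 - set:
+tag: set_observer_type_d173ab65
 field: observer.type
 value: edr
 - set:
+tag: set_event_category_36016f0f
 field: event.category
 value: malware
 - rename:
+tag: rename_message_to_event_original_56a77271
 field: message
 target_field: event.original
 ignore_missing: true
@@ -26,6 +32,7 @@ processors:
 # This populates the host.hostname, process.name, timestamp and other fields
 # from the header and stores the message contents in _temp_.full_message.
 - grok:
+tag: grok_event_original_cd3ce7b9
 field: event.original
 patterns:
 - "(?:%{SYSLOG_HEADER})?\\s*%{GREEDYDATA:_temp_.full_message}"
@@ -38,12 +45,14 @@ processors:
 HOST_PROCESS_MSG: "(?:-|%{SYSLOGHOST:log.syslog.hostname}) (?:-|%{PROCESS:log.syslog.appname}) (?:-|%{POSINT:log.syslog.procid}) (?:-|%{NOTSPACE:log.syslog.msgid})"
 PROCESS: "(?:[^%\\s:\\[]+)"
 - date:
+tag: date__temp__raw_date_to_@timestamp_829b2f69
 if: ctx._temp_?.raw_date != null
 field: _temp_.raw_date
 target_field: "@timestamp"
 formats:
 - ISO8601
 - script:
+tag: script_4a9d0c10
 lang: painless
 source: |
 if (ctx.log?.syslog?.priority != null) {
@@ -56,6 +65,7 @@ processors:
 }
 # Get FortiEDR fields
 - kv:
+tag: kv__temp__full_message_to_fortinet_edr_1f579157
 field: _temp_.full_message
 target_field: fortinet.edr
 field_split: ";"
@@ -65,134 +75,172 @@ processors:
 ignore_missing: true
 ignore_failure: true
 - rename:
+tag: rename_fortinet_edr_Action_to_fortinet_edr_action_35599e37
 field: "fortinet.edr.Action"
 target_field: fortinet.edr.action
 - rename:
+tag: rename_fortinet_edr_Autonomous_System_to_fortinet_edr_autonomous_system_39cbe4f8
 field: "fortinet.edr.Autonomous System"
 target_field: fortinet.edr.autonomous_system
 - rename:
+tag: rename_fortinet_edr_Certificate_to_fortinet_edr_certificate_b250c7d7
 field: "fortinet.edr.Certificate"
 target_field: fortinet.edr.certificate
 - rename:
+tag: rename_fortinet_edr_Classification_to_fortinet_edr_classification_017c02c3
 field: "fortinet.edr.Classification"
 target_field: fortinet.edr.classification
 - rename:
+tag: rename_fortinet_edr_Count_to_fortinet_edr_count_61261977
 field: "fortinet.edr.Count"
 target_field: fortinet.edr.count
 - rename:
+tag: rename_fortinet_edr_Country_to_fortinet_edr_country_e678e3c3
 field: "fortinet.edr.Country"
 target_field: fortinet.edr.country
 - rename:
+tag: rename_fortinet_edr_Destination_to_fortinet_edr_destination_52d05a37
 field: "fortinet.edr.Destination"
 target_field: fortinet.edr.destination
 - rename:
+tag: rename_fortinet_edr_Device_Name_to_fortinet_edr_device_name_cde7b780
 field: "fortinet.edr.Device Name"
 target_field: fortinet.edr.device_name
 - rename:
+tag: rename_fortinet_edr_Event_ID_to_fortinet_edr_event_id_7626f88a
 field: "fortinet.edr.Event ID"
 target_field: fortinet.edr.event_id
 - rename:
+tag: rename_fortinet_edr_First_Seen_to_fortinet_edr_first_seen_996ed276
 field: "fortinet.edr.First Seen"
 target_field: fortinet.edr.first_seen
 - rename:
+tag: rename_fortinet_edr_Last_Seen_to_fortinet_edr_last_seen_18134fa4
 field: "fortinet.edr.Last Seen"
 target_field: fortinet.edr.last_seen
 - rename:
+tag: rename_fortinet_edr_MAC_Address_to_fortinet_edr_mac_address_1efb5ac2
 field: "fortinet.edr.MAC Address"
 target_field: fortinet.edr.mac_address
 - rename:
+tag: rename_fortinet_edr_Operating_System_to_fortinet_edr_operating_system_f598a6f0
 field: "fortinet.edr.Operating System"
 target_field: fortinet.edr.operating_system
 - rename:
+tag: rename_fortinet_edr_Organization_to_fortinet_edr_organization_06a21789
 field: "fortinet.edr.Organization"
 target_field: fortinet.edr.organization
 - rename:
+tag: rename_fortinet_edr_Organization_ID_to_fortinet_edr_organization_id_07371d10
 field: "fortinet.edr.Organization ID"
 target_field: fortinet.edr.organization_id
 - rename:
+tag: rename_fortinet_edr_Process_Name_to_fortinet_edr_process_name_dc7a1cd4
 field: "fortinet.edr.Process Name"
 target_field: fortinet.edr.process_name
 - rename:
+tag: rename_fortinet_edr_Process_Path_to_fortinet_edr_process_path_bfe8b920
 field: "fortinet.edr.Process Path"
 target_field: fortinet.edr.process_path
 - rename:
+tag: rename_fortinet_edr_Process_Type_to_fortinet_edr_process_type_bbe737a6
 field: "fortinet.edr.Process Type"
 target_field: fortinet.edr.process_type
 - rename:
+tag: rename_fortinet_edr_Raw_Data_ID_to_fortinet_edr_raw_data_id_64467335
 field: "fortinet.edr.Raw Data ID"
 target_field: fortinet.edr.raw_data_id
 - rename:
+tag: rename_fortinet_edr_Rules_List_to_fortinet_edr_rules_list_c59abb2e
 field: "fortinet.edr.Rules List"
 target_field: fortinet.edr.rules_list
 - rename:
+tag: rename_fortinet_edr_Script_to_fortinet_edr_script_d0bb93b5
 field: "fortinet.edr.Script"
 target_field: fortinet.edr.script
 - rename:
+tag: rename_fortinet_edr_Script_Path_to_fortinet_edr_script_path_4aae1f50
 field: "fortinet.edr.Script Path"
 target_field: fortinet.edr.script_path
 - rename:
+tag: rename_fortinet_edr_Severity_to_fortinet_edr_severity_c5d4dfa9
 field: "fortinet.edr.Severity"
 target_field: fortinet.edr.severity
 - rename:
+tag: rename_fortinet_edr_Users_to_fortinet_edr_users_d370e51b
 field: "fortinet.edr.Users"
 target_field: fortinet.edr.users
 # Map to ECS fields
 - set:
+tag: set_event_id_a4647cb7
 field: event.id
 copy_from: fortinet.edr.event_id
 if: ctx.fortinet?.edr?.event_id != null
 - set:
+tag: set_event_action_f6e21da8
 field: event.action
 copy_from: fortinet.edr.action
 if: ctx.fortinet?.edr?.action != null
 - lowercase:
+tag: lowercase_event_action_9334b869
 field: event.action
 ignore_missing: true
 - set:
+tag: set_host_hostname_c6ee9f9c
 field: host.hostname
 copy_from: fortinet.edr.device_name
 if: ctx.fortinet?.edr?.device_name != null && ctx.fortinet.edr.device_name != "N/A"
 - set:
+tag: set_host_os_full_cb6ed2c5
 field: host.os.full
 copy_from: fortinet.edr.operating_system
 if: ctx.fortinet?.edr?.operating_system != null && ctx.fortinet.edr.operating_system != "N/A"
 - append:
+tag: append_related_hosts_06cfcc6e
 field: related.hosts
 value:
 - '{{{host.hostname}}}'
 if: ctx.host?.hostname != null
 - append:
+tag: append_related_hosts_09fefffb
 field: related.hosts
 value:
 - '{{{log.syslog.hostname}}}'
 if: ctx.log?.syslog?.hostname != null
 - append:
+tag: append_host_mac_82405959
 field: host.mac
 value: '{{{fortinet.edr.mac_address}}}'
 if: ctx.fortinet?.edr?.mac_address != null && ctx.fortinet.edr.mac_address != "N/A"
 - set:
+tag: set_user_id_b4e1deff
 field: user.id
 copy_from: fortinet.edr.users
 if: ctx.fortinet?.edr?.users != null && ctx.fortinet.edr.users != "N/A"
 - set:
+tag: set_process_name_fd547906
 field: process.name
 copy_from: fortinet.edr.process_name
 if: ctx.fortinet?.edr?.process_name != null && ctx.fortinet.edr.process_name != "N/A"
 - set:
+tag: set_process_executable_cfcf1f21
 field: process.executable
 copy_from: fortinet.edr.process_path
 if: ctx.fortinet?.edr?.process_path != null && ctx.fortinet.edr.process_path != "N/A"
 - append:
+tag: append_related_user_256d2798
 field: related.user
 value:
 - '{{{user.id}}}'
 if: ctx.user?.id != null
 - append:
+tag: append_related_hosts_018c6b42
 field: related.hosts
 value: '{{{host.name}}}'
 allow_duplicates: false
 if: ctx.host?.name != null && ctx.host?.name != ''
 - date:
+tag: date_fortinet_edr_first_seen_to_fortinet_edr_first_seen_b7d71a2b
 if: ctx.fortinet?.edr?.first_seen != null
 field: fortinet.edr.first_seen
 target_field: fortinet.edr.first_seen
@@ -204,10 +252,12 @@ processors:
 - "MMM d yyyy HH:mm:ss z"
 - "MMM d yyyy HH:mm:ss"
 - set:
+tag: set_event_start_f62a8a60
 field: event.start
 copy_from: fortinet.edr.first_seen
 if: ctx.fortinet?.edr?.first_seen != null
 - date:
+tag: date_fortinet_edr_last_seen_to_fortinet_edr_last_seen_754580b9
 if: ctx.fortinet?.edr?.last_seen != null
 field: fortinet.edr.last_seen
 target_field: fortinet.edr.last_seen
@@ -219,10 +269,12 @@ processors:
 - "MMM d yyyy HH:mm:ss z"
 - "MMM d yyyy HH:mm:ss"
 - set:
+tag: set_event_end_8b3b4ca3
 field: event.end
 copy_from: fortinet.edr.last_seen
 if: ctx.fortinet?.edr?.last_seen != null
 - remove:
+tag: remove_4282d280
 field:
 - _temp_
 ignore_failure: true
@@ -232,4 +284,8 @@ on_failure:
 value: pipeline_error
 - append:
 field: error.message
-value: '{{{ _ingest.on_failure_message }}}'
+value: >-
+Processor '{{{ _ingest.on_failure_processor_type }}}'
+{{#_ingest.on_failure_processor_tag}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
+{{/_ingest.on_failure_processor_tag}}in pipeline '{{{ _ingest.pipeline }}}'
+failed with message '{{{ _ingest.on_failure_message }}}'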
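Review bot: The new processor tags are opaque generated identifiers (processor and field name plus an 8-hex suffix), and nothing in default.yml tells a maintainer why they exist or that the `on_failure` handler at the end of the file reads them back through `_ingest.on_failure_processor_tag`; a one-line comment above `processors:` would close that gap, e.g. `# Processor tags are surfaced in error.message by the on_failure handler; keep them stable and unique when editing.`. The error handler's `>-` folded scalar depends on each mustache section delimiter sitting at a line end so the pieces fold with single spaces, producing "Processor '…' in pipeline '…' failed with message '…'" when no tag is set and the "with tag '…'" clause only when one is, which is also worth a short comment next to `value: >-` so the line breaks are not "tidied" later. The `on_failure:` block and the `set` of `pipeline_error` start outside this hunk.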

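--- a/packages/fortinet_fortiedr/manifest.yml
+++ b/packages/fortinet_fortiedr/manifest.yml
@@ -1,6 +1,6 @@
 name: fortinet_fortiedr
 title: Fortinet FortiEDR Logs
-version: "1.19.1"
+version: "1.19.2"
 description: Collect logs from Fortinet FortiEDR instances with Elastic Agent.
 type: integration
 format_version: "3.0.3"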
