Added ECS fields

Author: gauravneelwarna

packages/checkpoint_harmony_endpoint/data_stream/forensics/agent/stream/forensics.yml.hbs

@@ -1,9 +1,10 @@
 config_version: 3
+{{#if enable_request_tracer}}
 resource.tracer.filename: "../../logs/cel/http-request-trace-*.ndjson"
-request.tracer.maxbackups: 5
+resource.tracer.maxbackups: 5
+{{/if}}
 resource.url: {{base_url}}
 interval: {{interval}}
-prefix: json
 state:
   auth_client_id: {{client_id}}
   auth_access_key: {{access_key}}
@@ -199,7 +200,7 @@ program: |
             body.data.nextPageToken == "NULL"
             ?
             {
-              "events": body.data.records,
+              "events": body.data.records.map(e, { "message": e.encode_json(), }),
               "want_more": false,
               "cursor": {
                 "auth_token": null,
@@ -218,7 +219,7 @@ program: |
             }
             :
             {
-              "events": body.data.records,
+              "events": body.data.records.map(e, { "message": e.encode_json(), }),
               "want_more": true,
               "cursor": {
                 "auth_token": state.cursor.auth_token,
@@ -240,3 +241,20 @@ program: |
       )
     )
   )
+tags:
+{{#if preserve_original_event}}
+  - preserve_original_event
+{{/if}}
+{{#if preserve_duplicate_custom_fields}}
+  - preserve_duplicate_custom_fields
+{{/if}}
+{{#each tags as |tag|}}
+  - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}

packages/checkpoint_harmony_endpoint/data_stream/forensics/elasticsearch/ingest_pipeline/default.yml

@@ -1,13 +1,230 @@
 ---
-description: Pipeline for processing sample logs
+description: Pipeline for processing Harmony Endpoint Forensics logs
 processors:
-- set:
-    field: event.ingested
-    value: '{{_ingest.timestamp}}'
+  - set:
+      field: ecs.version
+      value: "8.11.0"
+  - set:
+      field: event.ingested
+      value: "{{_ingest.timestamp}}"
+  - set:
+      field: event.kind
+      value: alert
+  - rename:
+      field: message
+      target_field: event.original
+      ignore_missing: true
+      if: ctx.event?.original == null
+  - json:
+      field: event.original
+      target_field: json
+      ignore_failure: true
+  - date:
+      field: json.time
+      target_field: event.created  # Issue: When set to "@timestamp", event creation fails.
+      formats:
+        - strict_date_optional_time_nanos
+      ignore_failure: true
+  - rename:
+      field: json.id
+      target_field: event.id
+      ignore_missing: true
+      ignore_failure: true
+  - rename:
+      field: json.action
+      target_field: event.action
+      ignore_missing: true
+      ignore_failure: true
+  - set:
+      field: event.dataset
+      value: harmony_endpoint.forensics
+  - set:
+      field: event.module
+      value: harmony_endpoint
+  - set:
+      field: event.category
+      value: malware
+  - set:
+      field: event.type
+      value: info
+  - rename:
+      field: json.host_type
+      target_field: host.type
+      ignore_missing: true
+      ignore_failure: true
+  - rename:
+      field: json.src
+      target_field: host.ip
+      override: true
+      ignore_missing: true
+      ignore_failure: true
+  - rename:
+      field: json.src_machine_name
+      target_field: host.hostname
+      override: true
+      ignore_missing: true
+      ignore_failure: true
+  - set:
+      field: host.name
+      copy_from: host.hostname
+  - join:
+      field: json.os_name
+      target_field: host.os.name
+      separator: ','
+      if: ctx.json?.os_name != null
+      ignore_failure: true
+  - join:
+      field: json.os_version
+      target_field: host.os.version
+      separator: ','
+      if: ctx.json?.os_version != null
+      ignore_failure: true
+  - rename:
+      field: json.domain
+      target_field: user.domain
+      ignore_missing: true
+      ignore_failure: true
+  - rename:
+      field: json.src_user_name
+      target_field: user.name
+      ignore_missing: true
+      ignore_failure: true
+  - rename:
+      field: json.user_sid
+      target_field: user.id
+      ignore_missing: true
+      ignore_failure: true
+  - rename:
+      field: json.file_type
+      target_field: file.type
+      if: ctx.json?.file_type != null
+      ignore_missing: true
+      ignore_failure: true
+  - join:
+      field: json.file_name
+      target_field: file.name
+      separator: ','
+      if: ctx.json?.file_name != null
+      ignore_failure: true
+  - remove:
+      field: file.name
+      ignore_missing: true
+      ignore_failure: true
+      if: ctx.file.name == " "
+  - rename:
+      field: json.file_size
+      target_field: file.size
+      ignore_missing: true
+      ignore_failure: true
+  - join:
+      field: json.resource
+      target_field: file.path
+      separator: ','
+      if: ctx.json?.resource != null && !["http emulation", "url reputation"].contains(ctx.json?.protection_type?.toLowerCase())
+      ignore_failure: true
+  - join:
+      field: json.resource
+      target_field: url.original
+      separator: ','
+      if: ctx.json?.resource != null && ["http emulation", "url reputation"].contains(ctx.json?.protection_type?.toLowerCase())
+      ignore_failure: true
+  - uri_parts:
+      field: url.original
+      tag: uri_parts_harmony_endpoint_forensics
+      ignore_missing: true
+      on_failure:
+        - append:
+            field: error.message
+            value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+  - rename:
+      field: json.file_md5
+      target_field: file.hash.md5
+      if: ctx.json?.file_md5 != null
+      ignore_missing: true
+      ignore_failure: true
+  - rename:
+      field: json.file_sha1
+      target_field: file.hash.sha1
+      if: ctx.json?.file_sha1 != null
+      ignore_missing: true
+      ignore_failure: true
+  - rename:
+      field: json.protection_name
+      target_field: rule.name
+      ignore_missing: true
+      ignore_failure: true
+  - rename:
+      field: json.protection_type
+      target_field: harmony_endpoint.forensics.protection_type
+  - rename:
+      field: json.attack_status
+      target_field: harmony_endpoint.forensics.attack_status
+      ignore_missing: true
+      ignore_failure: true
+  - rename:
+      field: json.detected_by
+      target_field: harmony_endpoint.forensics.detected_by
+  - rename:
+      field: json.confidence_level
+      target_field: harmony_endpoint.forensics.confidence_level
+  - rename:
+      field: json.description
+      target_field: harmony_endpoint.forensics.description
+  - rename:
+      field: json.policy_date
+      target_field: harmony_endpoint.forensics.policy.date
+  - rename:
+      field: json.policy_name
+      target_field: harmony_endpoint.forensics.policy.name
+  - rename:
+      field: json.policy_number
+      target_field: harmony_endpoint.forensics.policy.number
+  - rename:
+      field: json.severity
+      target_field: harmony_endpoint.forensics.severity
+  - rename:
+      field: json.service_domain
+      target_field: harmony_endpoint.forensics.service_domain
+  - rename:
+      field: json.packet_capture_unique_id
+      target_field: harmony_endpoint.forensics.packet_capture_unique_id
+  - rename:
+      field: json.suspicious_events
+      target_field: harmony_endpoint.forensics.suspicious_events
+      if: ctx.json?.suspicious_events != null
+  - rename:
+      field: json.tenant_id
+      target_field: harmony_endpoint.forensics.tenant_id
+  - rename:
+      field: json.client_name
+      target_field: harmony_endpoint.forensics.client.name
+  - join:
+      field: json.malware_action
+      target_field: harmony_endpoint.forensics.malware.action
+      separator: ','
+      ignore_failure: true
+      if: ctx.json?.malware_action != null
+  - remove:
+      field: harmony_endpoint.forensics.malware.action
+      ignore_missing: true
+      ignore_failure: true
+      if: ctx.harmony_endpoint?.forensics?.malware?.action == " "
+  - join:
+      field: json.client_version
+      target_field: harmony_endpoint.forensics.client.version
+      separator: ','
+      ignore_failure: true
+      if: ctx.json?.client_version != null
+  - remove:
+      field: json
+      ignore_missing: true
+      ignore_failure: true
+  - remove:
+      field: message
+      if: ctx.event?.original != null
+      ignore_missing: true
+      ignore_failure: true
 on_failure:
-- set:
-    field: error.message
-    value: '{{ _ingest.on_failure_message }}'
-- remove:
-    field: event.installed_products
-    ignore_failure: true
+  - set:
+      field: error.message
+      value: "{{ _ingest.on_failure_message }}"

packages/checkpoint_harmony_endpoint/data_stream/forensics/fields/fields.yml

@@ -1,75 +1,42 @@
-- name: harmony_endpoint
+- name: harmony_endpoint.forensics
   type: group
   fields:
-    - name: time
-      type: date
-      description: Time
-    - name: id
-      type: keyword
-      description: ID
-    - name: confidence_level
-      type: keyword
-      description: Confidence level
-    - name: severity
-      type: keyword
-      description: Event severity
-    - name: policy_date
-      type: date
-      description: Policy Date
-    - name: policy_name
-      type: keyword
-      description: Policy Name
-    - name: policy_number
-      type: keyword
-      description: Policy Name
-    - name: action
-      type: keyword
-      description: Action
-    - name: protection_type
-      type: keyword
-      description: Protection Type
     - name: attack_status
       type: keyword
-      description: Attack Status
     - name: detected_by
       type: keyword
-      description: Detected By
-    - name: event_type
+    - name: confidence_level
       type: keyword
-      description: Event Type
-    - name: malware_action
-      type: text
-      description: Action Taken
-    - name: protection_name
+    - name: description
       type: text
-      description: Protection Name
-    - name: text
-      type: flattened
-      description: Resource
-    - name: src
-      type: ip
-      description: Source IP
-    - name: src_machine_name
+    - name: policy
+      type: group
+      fields:
+        - name: date
+          type: date
+        - name: name
+          type: keyword
+        - name: number
+          type: integer
+    - name: protection_type
       type: keyword
-      description: Source Host Name
-    - name: src_user_name
-      type: text
-      description: Source User Name
-    - name: file_name
-      type: text   #Apply Regex or extract first value from list.
-      description: File Name
-    - name: file_size
-      type: integer
-      description: File Size
-    - name: host_type
-      type: text
-      description: Host Types
-    - name: product
+    - name: severity
       type: keyword
-      description: Product
-    - name: user_sid
+    - name: service_domain
       type: keyword
-      description: User SID
-    - name: type
+    - name: packet_capture_unique_id
       type: keyword
-      description: Capture Type
+    - name: suspicious_events
+      type: flattened
+    - name: tenant_id
+      type: keyword
+    - name: malware
+      type: group
+      fields:
+        - name: action
+          type: keyword
+    - name: client
+      type: group
+      fields:
+        - name: version
+          type: version