Mimecast_Elastic integration #2157
💚 CLA has been signed
💚 Build Succeeded
🤖 GitHub comments: to re-run your PR in the CI, just comment with: /test
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
/test
Left some comments. In addition, it could be interesting to add some system tests (you can take a look at the tests in the google_workspace integration for reference); this way we can ensure the httpjson config is set as expected on top of validating the pipelines.
separator: "\\." | ||
target_field: file.parts | ||
if: 'ctx?.file?.name != null && ctx?.event?.action == "threat-intel-feed-download"' | ||
# - join: |
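Review bot: `file.parts` is not an ECS field, and splitting `file.name` on `\\.` puts every dot-separated piece of the name into it, not just the extension; if the extension is what is wanted, the ECS field is `file.extension`, populated from the last element of the split, and the stray `# - join:` comment line under the `if` should be removed.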
I think this comment slipped in.
packages/mimecast/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml
packages/mimecast/docs/README.md
@@ -0,0 +1,5 @@ | |||
# Mimecast/Elastic Integration | |||
|
|||
This is a new integration created using the [elastic-package](https:/elastic/elastic-package) tool. |
Would be nice to add some information about the integration in the readme, anything relevant to its setup, prerequisites, ... along with the list of fields and a sample event. You can take a look at the README template found in _dev/build/docs/README.md and use the one in some other packages as a guide.
"from": "\u003c\u003e", | ||
"message_id": "\u003cDB8P194MB0824EE4C8D360CCE3DEB0243A1B89@DB8P194MB0824.EURP194.PROD.OUTLOOK.COM\u003e", | ||
"attachments": { | ||
"hash": "2fb26be55ac710e4d9f80677ba24ae212dbb36bd934a0569fe521839e9f5d16e", |
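Review bot: the `from` value `\u003c\u003e` is the literal string `<>`, the empty return path that bounce and delivery-status messages carry, so whichever processor maps `from` should skip or drop it under an `if` rather than index `<>` as a sender address; `message_id` keeps its surrounding angle brackets, so if it is mapped to an ECS `email.*` field, decide whether to strip them and do so consistently across data streams.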
Hashes, user info, IPs, etc. would be nice if you could add a processor to copy them into the related.* fields; it is very useful for cross-referencing and making searches easier. https://www.elastic.co/guide/en/ecs/current/ecs-related.html
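An added example of the processors the comment asks for (not code from this PR or from the Mimecast package): `append` steps that copy a hash, an IP and a username into ECS `related.*` so one search on `related.hash` or `related.ip` matches the event whichever Mimecast field held the value. `mimecast.attachments.hash` follows the sample event above; `mimecast.sender_ip`, `mimecast.username` and the array `mimecast.attachment_hashes` are hypothetical field names.

```yaml
# Added example, not from this PR. Copies Mimecast values into ECS related.*.
# allow_duplicates: false keeps the arrays clean when the same hash or IP is
# appended from more than one source field.
processors:
  - append:
      field: related.hash
      value: '{{{mimecast.attachments.hash}}}'
      allow_duplicates: false
      if: 'ctx.mimecast?.attachments?.hash != null'
  - append:
      field: related.ip
      value: '{{{mimecast.sender_ip}}}'        # hypothetical source field
      allow_duplicates: false
      if: 'ctx.mimecast?.sender_ip != null'
  - append:
      field: related.user
      value: '{{{mimecast.username}}}'         # hypothetical source field
      allow_duplicates: false
      if: 'ctx.mimecast?.username != null'
  # A message with several attachments yields several hashes; a plain append
  # would render the whole array as one string, so iterate with foreach.
  # mimecast.attachment_hashes is a hypothetical array field.
  - foreach:
      field: mimecast.attachment_hashes
      if: 'ctx.mimecast?.attachment_hashes != null'
      processor:
        append:
          field: related.hash
          value: '{{{_ingest._value}}}'
          allow_duplicates: false
```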
"name": "Inbound - Safe file with On-Demand Sandbox" | ||
}, | ||
"event": { | ||
"action": "user release, none", |
I am not 100% sure spaces and commas are desired in the event.action field; maybe processing it a bit to clean it up would be nice.
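An added example of such a clean-up (not code from this PR): a `script` processor that turns a raw value like `"user release, none"` into lowercase, hyphenated `event.action` values in the style of the package's existing `threat-intel-feed-download`, one per list element when the source lists several actions. It assumes the raw value sits in `mimecast.action` (hypothetical field name).

```yaml
# Added example, not from this PR. Normalises Mimecast's comma-separated
# action string into ECS-style event.action values.
processors:
  - script:
      lang: painless
      if: 'ctx.mimecast?.action != null'
      source: |
        List actions = new ArrayList();
        // splitOnToken needs no regex, so it runs under the default
        // script.painless.regex.enabled setting.
        for (String part : ctx.mimecast.action.splitOnToken(",")) {
          String v = part.trim().toLowerCase().replace(" ", "-");
          if (v.length() > 0) {
            actions.add(v);
          }
        }
        if (actions.size() > 0) {
          if (ctx.event == null) {
            ctx.event = new HashMap();
          }
          // Single action stays a string; several become an array so each
          // value is searchable on its own.
          ctx.event.action = actions.size() == 1 ? actions[0] : actions;
        }
```

With the sample value above this yields `["user-release", "none"]`; whether `none` should be kept or dropped depends on what Mimecast means by it, so the script keeps it.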
@djordje-adzemovic-devtech the Mimecast integration is looking awesome! @jamiehynds had mentioned you've adopted some fields proposed over in the ECS email RFC. Not sure if it impacts any work here, but I wanted to call out that I've changed the proposed mappings a bit based on feedback from several users. A summary of the changes is covered in elastic/ecs#1593 (comment)
Thank you @ebeahan ! Should not be such a big deal, and will be implemented.
Great work! Could you add a screenshot of the dashboards and the setup page? Would help a lot :)
Some small changes aside from the screenshots and I think it should be good to go
packages/mimecast/changelog.yml
changes: | ||
- description: Initial draft of the package | ||
type: enhancement | ||
link: https:/elastic/integrations/pull/0 # FIXME Replace with the real PR link |
link: https:/elastic/integrations/pull/0 # FIXME Replace with the real PR link | |
link: https:/elastic/integrations/pull/2157 |
--- | ||
description: Pipeline for processing sample logs | ||
processors: | ||
# Generic event/ecs fields we always want to populated |
# Generic event/ecs fields we always want to populated | |
# Generic event/ecs fields we always want to populate |
- set: | ||
field: event.created | ||
value: "{{mimecast.date}}" | ||
if: 'ctx?.mimecast?.date != null && ctx?.mimecast?.time != null' | ||
- append: | ||
field: event.created | ||
value: "{{mimecast.time}}" | ||
if: 'ctx?.mimecast?.date != null && ctx?.mimecast?.time != null' | ||
- join: | ||
field: event.created | ||
separator: " " | ||
if: 'ctx?.mimecast?.date != null && ctx?.mimecast?.time != null' |
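Review bot: `event.created` is an ECS `date` field and these three processors leave it as the string `"<date> <time>"`, so a `date` processor with the matching format and `target_field: event.created` must follow or indexing will fail; a single `set` with `value: "{{mimecast.date}} {{mimecast.time}}"` and the same `if` builds that string in one step instead of the `set`/`append`/`join` chain. Also check the target: ECS defines `event.created` as the time the event was first read by the agent or pipeline, while the time the event happened belongs in `@timestamp`, so Mimecast's own date/time likely belongs there.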
- set: | |
field: event.created | |
value: "{{mimecast.date}}" | |
if: 'ctx?.mimecast?.date != null && ctx?.mimecast?.time != null' | |
- append: | |
field: event.created | |
value: "{{mimecast.time}}" | |
if: 'ctx?.mimecast?.date != null && ctx?.mimecast?.time != null' | |
- join: | |
field: event.created | |
separator: " " | |
if: 'ctx?.mimecast?.date != null && ctx?.mimecast?.time != null' | |
- join: | |
field: event.created | |
separator: " " | |
if: 'ctx?.mimecast?.date != null && ctx?.mimecast?.time != null' |
### RECEIPT LOGS | ||
- rename: | ||
field: mimecast.acc | ||
target_field: cloud.account.id |
This field might be populated in some cases, would be necessary to re-map to a custom field to avoid issues (it is failing right now in CI, for example one or more errors found in documents stored in logs-mimecast.siem_logs-ep data stream: [0] found error.message in event: field [cloud.account.id] already exists)
* Mimecast package initial build
* First Data stream added
* Package committed
* Mimecast Elastic package - everything should be ok now
* Correct test which fails
* CR requested changes
* Nullcheck and formatting fixes

Co-authored-by: Marc Guasch <[email protected]>