Mimecast_Elastic integration #2157
Conversation
|
💚 CLA has been signed |
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
🤖 GitHub commentsTo re-run your PR in the CI, just comment with:
|
|
/test |
marc-gr
added
enhancement
|
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
|
/test |
There was a problem hiding this comment.
Left some comments. In addition could be interesting to add some system tests (you can take a look at the tests in the google_workspace integration for reference), this way we can ensure the httpjson config is set as expected on top of validating the pipelines.
| separator: "\\." | ||
| target_field: file.parts | ||
| if: 'ctx?.file?.name != null && ctx?.event?.action == "threat-intel-feed-download"' | ||
| # - join: |
There was a problem hiding this comment.
I think this comment slipped in.
packages/mimecast/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml
Show resolved
Hide resolved
packages/mimecast/docs/README.md
Outdated
| @@ -0,0 +1,5 @@ | |||
| # Mimecast/Elastic Integration | |||
|
|
|||
| This is a new integration created using the [elastic-package](https:/elastic/elastic-package) tool. | |||
There was a problem hiding this comment.
Would be nice to add some information about the integration in the readme, anything relevant to its setup, prerequisites, ... along with the list of fields and a sample event. You can take a look at the README template found in _dev/build/docs/README.md and use the one in some other packages as a guide.
| "from": "\u003c\u003e", | ||
| "message_id": "\u003cDB8P194MB0824EE4C8D360CCE3DEB0243A1B89@DB8P194MB0824.EURP194.PROD.OUTLOOK.COM\u003e", | ||
| "attachments": { | ||
| "hash": "2fb26be55ac710e4d9f80677ba24ae212dbb36bd934a0569fe521839e9f5d16e", |
There was a problem hiding this comment.
Hashes, user info, ips, etc.. would be nice if you could add a processor to copy them into the related.* fields, it is very useful for cross referencing and making searches easier. https://www.elastic.co/guide/en/ecs/current/ecs-related.html
| "name": "Inbound - Safe file with On-Demand Sandbox" | ||
| }, | ||
| "event": { | ||
| "action": "user release, none", |
There was a problem hiding this comment.
I am not 100% sure spaces and commas are desired in the event.action field, maybe processing it a bit to clean it up would be nice
|
@djordje-adzemovic-devtech the Mimecast integration is looking awesome! @jamiehynds had mentioned you've adopted some fields proposed over in the ECS email RFC. Not sure if it impacts any work here, but I wanted to call out that I've changed the proposed mappings a bit based on feedback from several users. A summary of the changes is covered in elastic/ecs#1593 (comment) |
|
Thank you @ebeahan ! Should not be such a big deal, and will be implemented. |
|
/test |
4 similar comments
|
/test |
|
/test |
|
/test |
|
/test |
|
/test |
1 similar comment
|
/test |
|
/test |
1 similar comment
|
/test |
|
Great work! Could you add a screenshot of the dashboards and the setup page? Would help a lot :) |
packages/mimecast/changelog.yml
Outdated
| changes: | ||
| - description: Initial draft of the package | ||
| type: enhancement | ||
| link: https:/elastic/integrations/pull/0 # FIXME Replace with the real PR link |
There was a problem hiding this comment.
| link: https:/elastic/integrations/pull/0 # FIXME Replace with the real PR link | |
| link: https:/elastic/integrations/pull/2157 |
| --- | ||
| description: Pipeline for processing sample logs | ||
| processors: | ||
| # Generic event/ecs fields we always want to populated |
There was a problem hiding this comment.
| # Generic event/ecs fields we always want to populated | |
| # Generic event/ecs fields we always want to populate |
| - set: | ||
| field: event.created | ||
| value: "{{mimecast.date}}" | ||
| if: 'ctx?.mimecast?.date != null && ctx?.mimecast?.time != null' | ||
| - append: | ||
| field: event.created | ||
| value: "{{mimecast.time}}" | ||
| if: 'ctx?.mimecast?.date != null && ctx?.mimecast?.time != null' | ||
| - join: | ||
| field: event.created | ||
| separator: " " | ||
| if: 'ctx?.mimecast?.date != null && ctx?.mimecast?.time != null' |
There was a problem hiding this comment.
| - set: | |
| field: event.created | |
| value: "{{mimecast.date}}" | |
| if: 'ctx?.mimecast?.date != null && ctx?.mimecast?.time != null' | |
| - append: | |
| field: event.created | |
| value: "{{mimecast.time}}" | |
| if: 'ctx?.mimecast?.date != null && ctx?.mimecast?.time != null' | |
| - join: | |
| field: event.created | |
| separator: " " | |
| if: 'ctx?.mimecast?.date != null && ctx?.mimecast?.time != null' | |
| - join: | |
| field: event.created | |
| separator: " " | |
| if: 'ctx?.mimecast?.date != null && ctx?.mimecast?.time != null' |
| ### RECEIPT LOGS | ||
| - rename: | ||
| field: mimecast.acc | ||
| target_field: cloud.account.id |
There was a problem hiding this comment.
This field might be populated in some cases, would be necessary to re-map to a custom field to avoid issues (it is failing right now in CI, for example one or more errors found in documents stored in logs-mimecast.siem_logs-ep data stream: [0] found error.message in event: field [cloud.account.id] already exists
|
Here are dashboards: |
|
Setup page screenshots: |
|
/test |
1 similar comment
|
/test |
|
/test |
* Mimecast package initial build * First Data stream added * Package commited * Mimecast Elastic package - everything should be ok now * Correct test which fails * CR requested changes * Nullcheck and formatting fixes Co-authored-by: Marc Guasch <[email protected]>
What does this PR do?
Checklist
changelog.ymlfile.manifest.ymlfile to point to the latest Elastic stack release (e.g.^7.13.0).Author's Checklist
How to test this PR locally
Related issues
Screenshots