
aleksmaus
Contributor

What does this PR do?

Adds ECS mapping settings support for each query/stream.
Bumps the version to 0.4.0 and the minimum Kibana version to 7.15.0.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • If I'm introducing a new feature, I have modified the Kibana version constraint in my package's manifest.yml file to point to the latest Elastic stack release (e.g. ^7.15.0).

An example of the integration settings update payload with ecs_mapping (using the /api/fleet/package_policies Kibana API):

```json
{
    "version": "WzE3MjUsM10=",
    "name": "osquery_manager-1",
    "description": "",
    "namespace": "default",
    "policy_id": "548a3940-df4e-11eb-8fdd-b98cebb63257",
    "enabled": true,
    "output_id": "",
    "package": {
        "name": "osquery_manager",
        "title": "Osquery Manager",
        "version": "0.4.0"
    },
    "inputs": [
        {
            "policy_template": "osquery_manager",
            "type": "osquery",
            "enabled": true,
            "streams": [
                {
                    "data_stream": {
                        "type": "logs",
                        "dataset": "osquery_manager.result"
                    },
                    "id": "osquery-osquery_manager.result-1b63ffff-c050-4bef-98d9-fc8507fd1406",
                    "vars": {
                        "query": {
                            "type": "text",
                            "value": "select * from users limit 6"
                        },
                        "interval": {
                            "type": "integer",
                            "value": 60
                        },
                        "id": {
                            "type": "text",
                            "value": "users"
                        },
                        "ecs_mapping": {
                            "value": {
                                "uid": "user.id",
                                "gid": "user.group.id",
                                "username": "user.name"
                            }
                        }
                    },
                    "enabled": true
                }
            ]
        }
    ]
}
```

Screenshots

Verified, it's stored correctly within the policy:
[screenshot: Screen Shot 2021-07-09 at 7:10:23 PM]

Tested with Agent and Osquerybeat with sample mapping:
[screenshot: Screen Shot 2021-07-09 at 4:52:25 PM]

that results in the document with ECS mapped fields according to the given mapping:
[screenshot: Screen Shot 2021-07-09 at 4:52:10 PM]
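As an added illustration of what the per-stream `ecs_mapping` setting expresses (this is example code, not code from this PR or from Osquerybeat), the Python below takes the `vars` of the stream in the payload above, applies the column-to-ECS-field mapping to a constructed osquery result row, expands dotted ECS names into the nested document shape, and flags mappings whose targets collide (one target being a prefix of another). Placing the raw row under an `osquery` key is an assumption about the result document layout, not something stated in the PR.

```python
# Constructed sample: the stream "vars" from the PR's package policy payload.
STREAM_VARS = {
    "query": {"type": "text", "value": "select * from users limit 6"},
    "interval": {"type": "integer", "value": 60},
    "id": {"type": "text", "value": "users"},
    "ecs_mapping": {
        "value": {"uid": "user.id", "gid": "user.group.id", "username": "user.name"}
    },
}

# Constructed sample row, roughly what `select * from users` returns on Linux.
SAMPLE_ROW = {
    "uid": "1000", "gid": "1000", "username": "alice",
    "description": "Alice", "directory": "/home/alice", "shell": "/bin/bash",
}


def set_dotted(doc, dotted_key, value):
    """Expand 'user.group.id' into {'user': {'group': {'id': value}}} inside doc."""
    parts = dotted_key.split(".")
    node = doc
    for part in parts[:-1]:
        child = node.get(part)
        if not isinstance(child, dict):
            child = {}
            node[part] = child
        node = child
    node[parts[-1]] = value


def apply_ecs_mapping(row, stream_vars):
    """Build a result document: the raw row under 'osquery' (assumed layout)
    plus the ECS fields named in stream_vars['ecs_mapping']['value'].
    Columns not present in the mapping stay only in the raw 'osquery' object."""
    mapping = (stream_vars.get("ecs_mapping") or {}).get("value") or {}
    doc = {"osquery": dict(row)}
    for column, ecs_field in mapping.items():
        if column in row:
            set_dotted(doc, ecs_field, row[column])
    return doc


def mapping_conflicts(mapping):
    """Return (shorter, longer) pairs of ECS targets where one is a dotted prefix
    of another, e.g. 'user' and 'user.id'; both cannot be set in one document."""
    targets = sorted(set(mapping.values()))
    conflicts = []
    for i, short in enumerate(targets):
        for longer in targets[i + 1:]:
            if longer.startswith(short + "."):
                conflicts.append((short, longer))
    return conflicts
```

Checking `mapping_conflicts` before submitting a policy update catches a mapping that would silently overwrite one ECS field with another at ingest time.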

@elasticmachine

elasticmachine commented Jul 10, 2021

💚 Build Succeeded


Build stats

  • Start Time: 2021-07-10T01:15:15.000+0000

  • Duration: 12 min 13 sec

  • Commit: 399ce8c

Test stats 🧪

| Test Results | Count |
|---|---|
| Failed | 0 |
| Passed | 1 |
| Skipped | 0 |
| Total | 1 |

Trends 🧪

[trend charts: build times, tests]

@aleksmaus aleksmaus merged commit 8677ece into elastic:master Jul 20, 2021