Skip to content

[symantec_endpoint_security] Event mapping improvements #13671

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 29 commits into from
May 2, 2025
Merged

[symantec_endpoint_security] Event mapping improvements #13671

merged 29 commits into from
May 2, 2025

Conversation

chrisberkhout
Copy link
Contributor

@chrisberkhout chrisberkhout commented Apr 24, 2025
edited
Loading

Proposed commit message

[symantec_endpoint_security] Event mapping improvements

Added parsing of embedded JSON data, additional ECS mappings and one ECS
mapping improvement.

Discussion

Can be reviewed commit-by-commit.

Suggested mappings done with adjustments:

  • Suggestion: ses.actor.file.folder -> file.path
    Done as ses.actor.file.folder -> file.directory to match ECS.

  • Suggestion: ses.cybox.files.folder -> file.path
    Done as ses.cybox.files.folder -> file.directory to match ECS.

  • Suggestion: ses.file.folder -> file.path
    Done as ses.file.folder -> file.directory to match ECS.

  • Suggestion: ses.connection.url.host -> url.original
    Done as ses.connection.url.host -> url.domain to match ECS.

  • Suggestion: ses.connection.url.domain_name -> url.domain
    Done as ses.connection.url.host -> url.domain to use the Symantec-documented URL field.

  • Suggestion: ses.process.file.original_name -> process.name
    Done as ses.process.file.original_name -> file.name (as was already done for ses.process.file.name).

  • Suggestion: ses.reg_value_result.data -> registry.data.strings
    Done as ses.reg_value_result.data -> registry.data.bytes because the sample value is base64, so it belongs in .bytes not .strings.

  • Suggestion: ses.reg_value.name -> registry.value
    Done. Also changed prevous mapping ses.reg_value.data -> registry.value, to instead go to registry.data.bytes.

  • Suggestion: ses.product_data.bpe_description (from JSON) -> threat.enrichments.indicator.description (or message)
    Done. Now ses.product_data is parsed if JSON, and message if empty is set to ses.product_data.bpe_description if present.

Suggested mappings not done:

  • Suggestion: ses.cybox.files.product_name -> file.name
    Not done because product_name doesn’t seem to be a file name with extension. The name field exists and is mapped to ECS’s file.name.

  • Suggestion: ses.connection.dst_name -> related.host
    Not done. Should already be done by the processor with the tag append_related_host_from_connection_dst_name.

  • Suggestion: ses.edr_enriched_data.rule_description -> message
    Not done. We don’t have edr_enriched_data as a defined field, and our sample data doesn’t have it. According to the Symantec documentation, all the given event types all have a recommended message field, which is mapped from ses.message to message. None of them have a documented field with enriched in the name. I’d like to understand why these events aren’t getting message (ses.message) populated. If ses.edr_enriched_data.rule_description is a good fallback source for a message value, I’d at least like to have some sample data that shows that.

  • Suggestion: ses.data -> message
    Not done. I don’t think message is the right field for this, since message is expected to be human-readable rather than structured data. Everything will be decoded under winlog.event_data.*, so I’m not sure that duplicating it under message (as well as ses.data) has any utility.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Related issues

@chrisberkhout chrisberkhout added enhancement New feature or request Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] Integration:symantec_endpoint_security Symantec Endpoint Security labels Apr 24, 2025
@chrisberkhout chrisberkhout self-assigned this Apr 24, 2025
@chrisberkhout chrisberkhout requested a review from a team as a code owner April 24, 2025 14:34
@elasticmachine
Copy link

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

efd6
efd6 reviewed Apr 29, 2025
View reviewed changes
packages/symantec_endpoint_security/data_stream/event/fields/winlog.yml Outdated
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How were these field removals/final inclusions chosen?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I included the ones that were mentioned in the request, plus some others that looked like they might be good to use in a query: ClientMachine, Reason, StartTime, State, SubjectDomain, User, Version.

...dpoint_security/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_system.yml Outdated
description: Parse Windows Event data and store it in the same fields as the winlog integration does
field: ses.data
target_field: winlog.event_data
if: ctx.ses?.type_id == '8015' && ctx.ses?.data instanceof String && ctx.ses.data.length() > 0
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ctx.ses?.type_id == '8015' && ctx.ses.data instanceof String && ctx.ses.data.length() > 0

...dpoint_security/data_stream/event/elasticsearch/ingest_pipeline/pipeline_category_system.yml Outdated
- set:
field: winlog.event_id
copy_from: ses.ref_event
if: ctx.ses?.type_id == '8015' && ctx.ses?.ref_event != null
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ctx.ses?.type_id == '8015' && ctx.ses.ref_event != null

...c_endpoint_security/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_file.yml Outdated
field: file.hash.sha256
copy_from: ses.file.sha2
tag: set_file_hash_sha256_from_file_sha2
if: ctx.ses?.file?.sha2 != null && ctx.ses.file.sha2 != ''
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

instanceof String?

...ndpoint_security/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_process.yml Outdated
field: process.hash.sha256
copy_from: ses.process.file.sha2
tag: set_file_hash_sha256_from_process_file_sha2
if: ctx.ses?.process?.file?.sha2 != null && ctx.ses.process.file.sha2 != ''
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

instanceof String?

...endpoint_security/data_stream/event/elasticsearch/ingest_pipeline/pipeline_object_attack.yml Outdated
- _ingest._value.sub_technique_name
tag: remove_custom_duplicate_fields_from_ses_attacks
ignore_missing: true
if: ctx.tags?.contains('preserve_duplicate_custom_fields') != true
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Isn't it the case that this condition must be true here given that it must have been true to run the foreach?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Correct. At the time I was thinking it's better to repeat the condition in case parts are moved around, but that doesn't actually make much sense here. I've removed it.

@chrisberkhout chrisberkhout requested a review from efd6 April 29, 2025 13:49
efd6
efd6 approved these changes Apr 30, 2025
View reviewed changes
Copy link
Contributor

@efd6 efd6 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM after conflicts are resolved.

Agree with the adjustments and the wont-do list in the description. Is it worth filing a follow-up for ses.edr_enriched_data.rule_description -> message?

chrisberkhout added 21 commits May 2, 2025 12:28
@chrisberkhout
Add newlines at end of pipeline test expected output, since that's wh…
037bc15 
…at elastic-package now generates.
@chrisberkhout
Add winlog.event_data.* fields from the winlog integration.
30aae9d
@chrisberkhout
Add extra Windows Event fields.
b96bc7a
@chrisberkhout
Remove most explicit winlog.event_data.* fields to come in under fiel…
3ca8cd3 
…d limit of 2048.
@chrisberkhout
Update README.
4050995
@chrisberkhout
Parse and map Windows Event data.
1fc7881
@chrisberkhout
Add winlog.event_id (value from ses.ref_event).
15f9685
@chrisberkhout
Set event.module to ses.feature_name instead of the redundant constan…
3845cbd 
…t "symantec_endpoint_security".
@chrisberkhout
Set file and process hash ECS fields.
3950290
@chrisberkhout
Set risk.calcuated_score and risk.calculated_level fields.
e282731
@chrisberkhout
Populate threat.tactic.id and threat.technique.* fields.
7c29209
@chrisberkhout
Set group.name from ses.device_group.
b27d085
@chrisberkhout
Populate host.ip and host.mac from ses.device_networks.*.
f6e0547
@chrisberkhout
Map ses.actor.file.{folder,original_name} and ses.actor.user.sid to E…
c70078f 
…CS fields.

Specifically:

    ses.actor.file.folder        -> file.directory
    ses.actor.file.original_name -> file.name
    ses.actor.user.sid           -> user.id
    ses.actor.user.sid           -> related.user
@chrisberkhout
Map ses.cybox.files.folder to file.directory.
b5fde2c
@chrisberkhout
Map ses.file.folder to file.directory.
e35f608
@chrisberkhout
Map ses.process.file.original_name to file.name.
b8ed662 
This follows the existing mapping of ses.process.file.name to file.name.
@chrisberkhout
Map ses.lineage to process.previous.executable.
9395fd2
@chrisberkhout
Use populate message with ses.type if ses.message is absent or empty.
9c6ceb4
@chrisberkhout
Append ses.process.user.name to user.name.
d862e27
@chrisberkhout
Map ses.connection.url.{scheme,host} to url.{scheme,domain}.
404a204
@chrisberkhout
Improve ses.reg_value* mapping.
9dccceb 
- Map `ses.reg_value.path` to `registry.path`.
- Change mapping of `ses.reg_value.data` from to `registry.value` to
  `registry.data.bytes`.
- Map `ses.reg_value.name` to `registry.value` (which is defined in ECS
  as "Name of the value written").
- Map `ses.reg_value_result.data` to `registry.data.bytes`.
@chrisberkhout
Parse ses.product_data if it's a JSON string.
ae18bc8
@chrisberkhout
Set message if empty to ses.product_data.bpe_description if present.
c19d399
@chrisberkhout
Update sample_event.json for event data stream.
3d3f6a8
@chrisberkhout
Version bump, changelog entry.
ab60298
@chrisberkhout
Remove redunant null check.
622bee7
@chrisberkhout
Set ECS hash fields only if the value is a string.
80edff8
@chrisberkhout
Remove redundant condition.
2239113
@chrisberkhout chrisberkhout force-pushed the symantec_mapping_improvements branch from 6da5dff to 2239113 Compare May 2, 2025 10:32
@chrisberkhout chrisberkhout enabled auto-merge (squash) May 2, 2025 10:34
@chrisberkhout
Copy link
Contributor Author

LGTM after conflicts are resolved.

Agree with the adjustments and the wont-do list in the description. Is it worth filing a follow-up for ses.edr_enriched_data.rule_description -> message?

Thanks. Seems like a good one to leave out since it's not in the documented fields, but I'll double check with the requestor and do a follow-up if it does make sense.

@elastic-vault-github-plugin-prod
Copy link

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@elastic-sonarqube Elastic SonarQube
Copy link

Quality Gate passed Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
85.1% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

@elasticmachine
Copy link

💚 Build Succeeded

History

cc @chrisberkhout

@chrisberkhout chrisberkhout merged commit ee25461 into elastic:main May 2, 2025
7 checks passed
@elastic-vault-github-plugin-prod
Copy link

Package symantec_endpoint_security - 1.11.0 containing this change is available at https://epr.elastic.co/package/symantec_endpoint_security/1.11.0/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@efd6 efd6 efd6 approved these changes

Assignees

@chrisberkhout chrisberkhout

Labels
enhancement New feature or request Integration:symantec_endpoint_security Symantec Endpoint Security Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations]
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[symantec_endpoint_security] Comprehensive mapping updates for various SES events
3 participants
@chrisberkhout @elasticmachine @efd6