[FireEye] Add missing ECS fields #14550

Open
wants to merge 6 commits into base: main

Conversation

moxarth-rathod
Contributor

Proposed commit message

fireeye: add missing ECS fields

This PR adds the missing ECS fields, such as the event, file and IP-related fields.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

  • Clone integrations repo.
  • Install elastic-package locally.
  • Start elastic stack using elastic-package.
  • Move to integrations/packages/fireeye directory.
  • Run the following command to run tests.

elastic-package test -v

Related issues

@moxarth-rathod moxarth-rathod self-assigned this Jul 15, 2025
@moxarth-rathod moxarth-rathod requested a review from a team as a code owner July 15, 2025 11:25
@moxarth-rathod moxarth-rathod added the labels enhancement (New feature or request), Integration:fireeye (FireEye Network Security, community supported), Team:Security-Service Integrations (Security Service Integrations team, elastic/security-service-integrations) and Team:Sit-Crest (Crest developers on the Security Integrations team, elastic/sit-crest-contractors) on Jul 15, 2025
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@elastic-vault-github-plugin-prod

elastic-vault-github-plugin-prod bot commented Jul 15, 2025

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@andrewkroh andrewkroh added the label documentation (Improvements or additions to documentation; applied to PRs that modify *.md files) on Jul 15, 2025
@@ -12,7 +12,20 @@ processors:
- rename:
field: rawmsg.app_proto
target_field: network.protocol
if: ctx.rawmsg.app_proto != null && !['failed','succeded'].contains(ctx.rawmsg.app_proto.toLowerCase())
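Review bot: the exclusion list in this `if` guard spells the second status word `'succeded'`, so a raw value of `succeeded` (the spelling the review comment below uses) would pass the guard and be renamed into network.protocol as if it were a protocol name; check the spelling against the sensor's real output and, as the review suggests, compare the lower-cased value against the two literals directly instead of building a new list on every evaluation. The guard also assumes rawmsg.app_proto is a String: if the field can arrive as any other type, `toLowerCase()` throws and the whole document fails the pipeline, so either add a type check or an `on_failure` handler for this processor.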
Member

I think this can be written out as "if foo equals failed || if foo equals succeeded" to avoid allocating a new list in each expression eval.

Contributor

@kcreddy kcreddy left a comment

For issue suggestion: tls.client.server_name > destination.hostname, the correct mapping should be into destination.domain

@@ -58,9 +66,15 @@ processors:
target_field: fireeye.nx.deviceid
ignore_missing: true
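Review bot: the `field:` side of this rename into fireeye.nx.deviceid is outside the excerpt, but the hostname change in the same file now reads its source from `json.meta_cbname`; if the deviceid and meta_oml renames still read the un-prefixed keys they will silently become no-ops under `ignore_missing: true` once the decoded JSON lives under `json.`, so prefix those sources with `json.` as well and confirm with a pipeline test that both custom fields are still populated.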
Contributor

Use json. for meta_oml and deviceid as well.

Comment on lines 61 to 71
field: meta_cbname
target_field: fireeye.nx.hostname
field: json.meta_cbname
target_field: observer.hostname
ignore_missing: true
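Review bot: swapping the rename into fireeye.nx.hostname for a rename into observer.hostname removes a field that existing users may have saved searches, visualisations or detection rules keyed on, which is a breaking change for a community package; keep `field: json.meta_cbname` / `target_field: fireeye.nx.hostname` and populate observer.hostname from it with a `set` using `copy_from` and `ignore_empty_value: true`, the same pattern the file.size change in this PR already uses.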
Contributor

Without removing custom field fireeye.nx.hostname, can you set observer.hostname after?
I think this could cause a breaking change for users if we remove custom fields.

Comment on lines +195 to +199
- set:
field: file.size
tag: set_file_size_from_fileinfo_size
copy_from: fireeye.nx.fileinfo.size
ignore_empty_value: true
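Review bot: `copy_from` carries the value over unchanged, so file.size (ECS type long) only receives a number if fireeye.nx.fileinfo.size is already numeric in the decoded JSON; if the sensor emits it as a string the document is coerced or rejected at index time depending on the mapping, so either add a `convert` processor (`type: long`, `ignore_missing: true`) on file.size after this `set`, or confirm from the sample logs that the source field is numeric. The issue this PR closes also asks for fireeye.nx.fileinfo.filename to be mapped to file.name, and that mapping is not in this hunk.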
Contributor

As per the issue, user also expects fireeye.nx.fileinfo.filename > file.name.

@moxarth-rathod
Contributor Author

For issue suggestion: tls.client.server_name > destination.hostname, the correct mapping should be into destination.domain

Yes, I've mapped tls.client.server_name to destination.domain here:

- set:
field: destination.domain
tag: set_destination_domain_from_server_name
copy_from: tls.client.server_name
ignore_empty_value: true
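To see how the three processor patterns discussed in this thread behave on realistic input (the `if` guard on rawmsg.app_proto with the list spelling from the hunk versus the corrected one, keeping fireeye.nx.hostname while also populating observer.hostname, and copying fireeye.nx.fileinfo.size into the long-typed file.size), here is an added Python emulation. It is example code written for this review, not Elasticsearch and not the fireeye package's own pipeline: the `rename`, `set_copy_from` and `convert_long` helpers are simplified stand-ins for the ingest processors of the same names, the sample events are constructed, and the `json.` prefix is assumed to come from a JSON decode step the excerpt does not show.

```python
"""Offline emulation (not Elasticsearch) of the ingest processors in this PR,
run over constructed FireEye NX-shaped events. Field names follow the PR;
the values and the helper names are made up for this example."""
import copy

# Constructed sample events. The json.* keys stand in for the output of a
# preceding JSON decode step that the PR excerpt does not show.
SAMPLE_EVENTS = [
    {"rawmsg": {"app_proto": "http"},
     "json": {"meta_cbname": "nx-sensor-01"},
     "fireeye": {"nx": {"fileinfo": {"size": "20480", "filename": "invoice.exe"}}},
     "tls": {"client": {"server_name": "update.example.test"}}},
    {"rawmsg": {"app_proto": "succeeded"},  # a status word, not a protocol
     "json": {"meta_cbname": "nx-sensor-02"},
     "fireeye": {"nx": {"fileinfo": {"size": 512}}}},
    {"rawmsg": {"app_proto": "FAILED"}, "json": {}},
]


def get_path(doc, path):
    """Resolve a dotted field path; None when any segment is missing."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def set_path(doc, path, value):
    """Create intermediate objects, as the ingest node does for dotted targets."""
    parts = path.split(".")
    cur = doc
    for part in parts[:-1]:
        cur = cur.setdefault(part, {})
    cur[parts[-1]] = value


def del_path(doc, path):
    parts = path.split(".")
    cur = doc
    for part in parts[:-1]:
        cur = cur.get(part)
        if not isinstance(cur, dict):
            return
    cur.pop(parts[-1], None)


def rename(doc, field, target_field, condition=None):
    """`rename` with ignore_missing: true and an optional `if` guard."""
    value = get_path(doc, field)
    if value is None or (condition is not None and not condition(doc)):
        return doc
    del_path(doc, field)
    set_path(doc, target_field, value)
    return doc


def set_copy_from(doc, field, copy_from):
    """`set` with copy_from and ignore_empty_value: true."""
    value = get_path(doc, copy_from)
    if value is None or value == "":
        return doc
    set_path(doc, field, copy.deepcopy(value))
    return doc


def convert_long(doc, field):
    """`convert` with type: long and ignore_missing: true."""
    value = get_path(doc, field)
    if value is not None:
        set_path(doc, field, int(value))
    return doc


def app_proto_is_protocol(excluded):
    """Guard from the rename hunk. The status words are lower-cased once here,
    not on every evaluation, which is the allocation point the review raises."""
    excluded = {w.lower() for w in excluded}

    def condition(doc):
        value = get_path(doc, "rawmsg.app_proto")
        return isinstance(value, str) and value.lower() not in excluded

    return condition


def run_pipeline(event, excluded=("failed", "succeeded")):
    """Apply the processors in PR order to a copy of `event` and return it.
    Pass excluded=("failed", "succeded") to reproduce the spelling in the hunk."""
    doc = copy.deepcopy(event)
    rename(doc, "rawmsg.app_proto", "network.protocol", app_proto_is_protocol(excluded))
    # Keep the custom field (no breaking change) and also fill the ECS field.
    rename(doc, "json.meta_cbname", "fireeye.nx.hostname")
    set_copy_from(doc, "observer.hostname", "fireeye.nx.hostname")
    # file.size is an ECS long: coerce after copying so a string-valued source
    # does not reach the long-mapped field unconverted.
    set_copy_from(doc, "file.size", "fireeye.nx.fileinfo.size")
    convert_long(doc, "file.size")
    set_copy_from(doc, "file.name", "fireeye.nx.fileinfo.filename")
    set_copy_from(doc, "destination.domain", "tls.client.server_name")
    return doc


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print("as submitted:", run_pipeline(event, excluded=("failed", "succeded")))
        print("corrected:   ", run_pipeline(event))
```

Running it prints each event twice. The second sample shows the effect of the list spelling: with `'succeded'` in the list a status value of `succeeded` ends up in network.protocol, while the corrected spelling leaves it in rawmsg. The first sample shows the string `"20480"` arriving in file.size as the integer 20480 only because of the explicit convert step, and both fireeye.nx.hostname and observer.hostname carrying the sensor name.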

@elasticmachine

💚 Build Succeeded

cc @moxarth-rathod

Successfully merging this pull request may close these issues.

[FireEye Network Security]: ECS Fields Missing
4 participants