
[FireEye] Add missing ECS fields #14550


Open
wants to merge 6 commits into
base: main
5 changes: 5 additions & 0 deletions packages/fireeye/changelog.yml
@@ -1,3 +1,8 @@
- version: "1.27.0"
changes:
- description: Add support for `event.kind`, `destination.domain`, `file.hash.md5`, `file.path`, `observer.hostname` and `observer.ip` ECS fields.
type: enhancement
link: https://github.com/elastic/integrations/pull/14550
- version: "1.26.0"
changes:
- description: Add Overview Dashboard.

Expand Up @@ -4,6 +4,10 @@ processors:
- set:
field: ecs.version
value: '8.11.0'
- set:
field: event.kind
tag: set_event_kind_to_event
value: event
- set:
field: observer.vendor
value: "Fireeye"
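Review bot: `event.kind` is set to the constant `event` at the head of the pipeline with no condition, while the downstream processors branch on `ctx.event.type` (flow, fileinfo, http and tls are the types visible in this PR); if this data stream also carries alert-type records, those need `event.kind: alert`, because ECS detection rules and the alert views key on that value. Either add a conditional `set` for the alert type once the type is known, or add a comment such as `# every NX record handled here is telemetry, never an alert` so the blanket value reads as deliberate rather than as a default. The processors list continues past the end of this hunk, and the file header for this section is not shown on the page.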
Expand Up @@ -45,22 +45,40 @@ processors:
field: rawmsg.dest_port
target_field: destination.port
ignore_missing: true
- append:
field: observer.ip
tag: append_observer_ip_from_meta_sip4
value: "{{{json.meta_sip4}}}"
allow_duplicates: false
if: ctx.json?.meta_sip4 != null
- append:
field: related.ip
tag: append_related_ip_from_meta_sip4
value: "{{{json.meta_sip4}}}"
allow_duplicates: false
if: ctx.json?.meta_sip4 != null
- rename:
field: meta_sip4
target_field: fireeye.nx.device_ip
ignore_missing: true
- rename:
field: meta_oml
field: json.meta_oml
target_field: fireeye.nx.device_oml
ignore_missing: true
- rename:
field: deviceid
field: json.deviceid
target_field: fireeye.nx.deviceid
ignore_missing: true
- rename:
field: meta_cbname
field: json.meta_cbname
target_field: fireeye.nx.hostname
ignore_missing: true
- set:
field: observer.hostname
copy_from: fireeye.nx.hostname
ignore_empty_value: true
- append:
field: related.hosts
tag: append_related_hosts_from_observer_hostname
value: "{{{observer.hostname}}}"
allow_duplicates: false
if: ctx.url?.domain != null
# flow event type fields
- rename:
field: rawmsg.proto_number
Expand Down Expand Up @@ -112,6 +130,11 @@ processors:
target_field: fireeye.nx.flow.reason
if: ctx?.event?.type == 'flow'
ignore_missing: true
- set:
field: event.reason
tag: set_event_reason_from_flow_reason
copy_from: fireeye.nx.flow.reason
ignore_empty_value: true
- rename:
field: rawmsg.flow.alerted
target_field: fireeye.nx.flow.alerted
Expand Down Expand Up @@ -148,6 +171,11 @@ processors:
target_field: fireeye.nx.fileinfo.filename
if: ctx?.event?.type == 'fileinfo'
ignore_missing: true
- set:
field: file.name
tag: set_file_path_from_fileinfo_filename
copy_from: fireeye.nx.fileinfo.filename
ignore_empty_value: true
- rename:
field: rawmsg.fileinfo.magic
target_field: fireeye.nx.fileinfo.magic
Expand All @@ -158,11 +186,21 @@ processors:
target_field: fireeye.nx.fileinfo.md5
if: ctx?.event?.type == 'fileinfo'
ignore_missing: true
- set:
field: file.hash.md5
tag: set_file_hash_md5_from_hostname
copy_from: fireeye.nx.fileinfo.md5
ignore_empty_value: true
- rename:
field: rawmsg.fileinfo.size
target_field: fireeye.nx.fileinfo.size
if: ctx?.event?.type == 'fileinfo'
ignore_missing: true
- set:
field: file.size
tag: set_file_size_from_fileinfo_size
copy_from: fireeye.nx.fileinfo.size
ignore_empty_value: true
- rename:
field: rawmsg.fileinfo.state
target_field: fireeye.nx.fileinfo.state
Expand Down Expand Up @@ -280,6 +318,12 @@ processors:
target_field: url.domain
if: ctx?.event?.type == 'http'
ignore_missing: true
- append:
field: related.hosts
tag: append_related_hosts_from_url_domain
value: "{{{url.domain}}}"
allow_duplicates: false
if: ctx.url?.domain != null
- rename:
field: rawmsg.http.http_content_type
target_field: http.request.mime_type
Expand Down Expand Up @@ -438,6 +482,17 @@ processors:
target_field: tls.client.server_name
if: ctx?.event?.type == 'tls'
ignore_missing: true
- set:
field: destination.domain
tag: set_destination_domain_from_server_name
copy_from: tls.client.server_name
ignore_empty_value: true
- append:
field: related.hosts
tag: append_related_hosts_from_destination_domain
value: "{{{destination.domain}}}"
allow_duplicates: false
if: ctx.destination?.domain != null
- rename:
field: rawmsg.tls.subject
target_field: tls.client.subject
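Review bot: The `related.hosts` append that closes the first hunk copies `{{{observer.hostname}}}` but is gated on `if: ctx.url?.domain != null`, so the observer hostname only reaches related.hosts on records that also carry url.domain, and on those a missing hostname is appended as an empty string; the guard should be `if: ctx.observer?.hostname != null`. The refreshed sample_event.json bears this out: observer.hostname is `fireeye-7e0de1`, yet `related` holds only `ip`. Two tags in the fileinfo hunks look copy-pasted — `set_file_path_from_fileinfo_filename` on a set of `file.name` (the changelog advertises `file.path`, so one of the two is wrong) and `set_file_hash_md5_from_hostname` on the `file.hash.md5` set — and tags are what on_failure and pipeline stats report, so they should name the real field and source. Since `file.hash.md5` is now populated, an `append` to `related.hash` in the same `allow_duplicates: false` pattern as the related.ip/related.hosts appends would give analysts the hash pivot field. If the `meta_sip4` rename near the top of the first hunk is on the removed side, as the section's line counts suggest, `fireeye.nx.device_ip` stops being populated and should be called out as a breaking change or kept via an alias; the processors list extends beyond every hunk shown here.
```yaml
# … unchanged: rename json.meta_cbname -> fireeye.nx.hostname, set observer.hostname …
  - append:
      field: related.hosts
      tag: append_related_hosts_from_observer_hostname
      value: "{{{observer.hostname}}}"
      allow_duplicates: false
      if: ctx.observer?.hostname != null
# … unchanged: flow, fileinfo filename/magic processors …
  - set:
      field: file.hash.md5
      tag: set_file_hash_md5_from_fileinfo_md5
      copy_from: fireeye.nx.fileinfo.md5
      ignore_empty_value: true
  - append:
      field: related.hash
      tag: append_related_hash_from_file_hash_md5
      value: "{{{file.hash.md5}}}"
      allow_duplicates: false
      if: ctx.file?.hash?.md5 != null
```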
9 changes: 9 additions & 0 deletions packages/fireeye/data_stream/nx/fields/fields.yml
Expand Up @@ -70,6 +70,15 @@
- name: stored
type: boolean
description: File stored or not.
- name: device_oml
type: long
description: Device OML (Object Management Layer) identifier.
- name: deviceid
type: keyword
description: Device ID of the event.
- name: hostname
type: keyword
description: Hostname of the event.
- name: tls
type: group
fields:
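Review bot: `description: Hostname of the event.` on the new `hostname` field does not say whose hostname it is; the pipeline in this PR copies the value from `json.meta_cbname` into `observer.hostname`, so something like `description: Hostname of the NX appliance that reported the event (meta_cbname).` would tell a reader what they are querying. The `deviceid` description could likewise name its source field in the raw message. `device_oml` is typed `long` while `deviceid` is `keyword`; the sample event carries `meta_oml` as a JSON number and `deviceid` as a quoted numeric string, which matches, but keyword for both is the safer choice if the vendor ever emits a non-numeric value, since a mapping conflict rejects the whole document. The group these fields belong to starts above the hunk.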
60 changes: 22 additions & 38 deletions packages/fireeye/data_stream/nx/sample_event.json
@@ -1,15 +1,15 @@
{
"@timestamp": "2020-09-22T08:34:44.991Z",
"agent": {
"ephemeral_id": "dff6c436-37c3-4536-bdf9-08aed3ed94bd",
"id": "f25d13cd-18cc-4e73-822c-c4f849322623",
"name": "docker-fleet-agent",
"ephemeral_id": "29a00621-9074-4b14-bcbb-db252f6203c3",
"id": "7740d13f-75db-41df-89ee-b1cb3b873df4",
"name": "elastic-agent-93841",
"type": "filebeat",
"version": "8.10.1"
"version": "8.13.0"
},
"data_stream": {
"dataset": "fireeye.nx",
"namespace": "ep",
"namespace": "68601",
"type": "logs"
},
"destination": {
Expand All @@ -23,18 +23,19 @@
"version": "8.11.0"
},
"elastic_agent": {
"id": "f25d13cd-18cc-4e73-822c-c4f849322623",
"id": "7740d13f-75db-41df-89ee-b1cb3b873df4",
"snapshot": false,
"version": "8.10.1"
"version": "8.13.0"
},
"event": {
"agent_id_status": "verified",
"category": [
"network"
],
"dataset": "fireeye.nx",
"ingested": "2023-09-25T20:05:32Z",
"original": "{\"rawmsg\":\"{\\\"timestamp\\\":\\\"2020-09-22T08:34:44.991339+0000\\\",\\\"flow_id\\\":721570461162990,\\\"event_type\\\":\\\"flow\\\",\\\"src_ip\\\":\\\"fe80:0000:0000:0000:feec:daff:fe31:b706\\\",\\\"src_port\\\":45944,\\\"dest_ip\\\":\\\"ff02:0000:0000:0000:0000:0000:0000:0001\\\",\\\"dest_port\\\":10001,\\\"proto\\\":\\\"UDP\\\",\\\"proto_number\\\":17,\\\"ip_tc\\\":0,\\\"app_proto\\\":\\\"failed\\\",\\\"flow\\\":{\\\"pkts_toserver\\\":8,\\\"pkts_toclient\\\":0,\\\"bytes_toserver\\\":1680,\\\"bytes_toclient\\\":0,\\\"start\\\":\\\"2020-09-22T08:34:12.761326+0000\\\",\\\"end\\\":\\\"2020-09-22T08:34:12.761348+0000\\\",\\\"age\\\":0,\\\"state\\\":\\\"new\\\",\\\"reason\\\":\\\"timeout\\\",\\\"alerted\\\":false}}\\n\",\"meta_sip4\":\"192.168.1.99\",\"meta_oml\":520,\"deviceid\":\"860665216674\",\"meta_cbname\":\"fireeye-7e0de1\"}",
"ingested": "2025-07-23T06:50:57Z",
"kind": "event",
"reason": "timeout",
"timezone": "+00:00",
"type": [
"info"
Expand All @@ -53,36 +54,13 @@
"flow_id": 721570461162990
}
},
"host": {
"architecture": "x86_64",
"containerized": false,
"hostname": "docker-fleet-agent",
"id": "28da52b32df94b50aff67dfb8f1be3d6",
"ip": [
"192.168.80.5"
],
"mac": [
"02-42-C0-A8-50-05"
],
"name": "docker-fleet-agent",
"os": {
"codename": "focal",
"family": "debian",
"kernel": "5.10.104-linuxkit",
"name": "Ubuntu",
"platform": "ubuntu",
"type": "linux",
"version": "20.04.6 LTS (Focal Fossa)"
}
},
"input": {
"type": "log"
"type": "udp"
},
"log": {
"file": {
"path": "/tmp/service_logs/fireeye-nx.log"
},
"offset": 0
"source": {
"address": "192.168.245.3:36580"
}
},
"network": {
"community_id": "1:McNAQcsUcKZYOHHZYm0sD8JiBLc=",
Expand All @@ -91,11 +69,16 @@
"transport": "udp"
},
"observer": {
"hostname": "fireeye-7e0de1",
"ip": [
"192.168.1.99"
],
"product": "NX",
"vendor": "Fireeye"
},
"related": {
"ip": [
"192.168.1.99",
"fe80:0000:0000:0000:feec:daff:fe31:b706",
"ff02:0000:0000:0000:0000:0000:0000:0001"
]
Expand All @@ -108,6 +91,7 @@
"port": 45944
},
"tags": [
"fireeye-nx"
"fireeye-nx",
"forwarded"
]
}
}