Closed

This issue tracks the changes needed to upgrade modules to ECS 1.8:

- After 1.8 is released, update the ecs dependency to 1.8
Carry-over from the 1.7 upgrade:

- network.direction in the Filebeat cisco umbrella module (needs CIDR-matching processors / painless support in Elasticsearch; can leverage the Network direction processor, elasticsearch#66644)
- network.direction in the Filebeat rsa2elk modules: Add network.direction classification to rsa2elk modules #23114
Add os.type field:

- add_host_metadata processor (@adriansr): Add os.type field from ECS 1.8 #23513
- other places that fill in os information (@adriansr): Add os.type field from ECS 1.8 #23513
New event.category value registry:

- Winlogbeat (@marc-gr): [ECS] Winlogbeat ecs 1.8 changes #23563

New event.category value session:

- Winlogbeat (@marc-gr): [ECS] Winlogbeat ecs 1.8 changes #23563
- Auditbeat (@adriansr)
  - beats: Update Auditbeat auditd module to ECS 1.8 #23594
  - integrations (auditd ingest pipeline)
- Filebeat auditd fileset (@adriansr)
Multiple users in an event (elastic/ecs#914):

- Auditbeat (sudo, iam events, AUDIT_CH*_ID events, file ownership syscalls, set/get*id syscalls, all auid values) (@adriansr): Update Auditbeat auditd module to ECS 1.8 #23594
- Journalbeat (maybe?, sudo & iam events) (@marc-gr): [Journalbeat][ecs] Journalbeat ecs 1.8 #23737
- Packetbeat (@marc-gr): [ECS] Packetbeat ecs 1.8 #23783
- Winlogbeat (Run As, iam events) (@marc-gr)
- Filebeat auditd (same as Auditbeat) (@adriansr)
- Filebeat rsa2elk modules (@adriansr) (no changes)
- Filebeat checkpoint firewall (@marc-gr) (no changes)
- Filebeat cisco asa (@marc-gr)
- Filebeat cef (@marc-gr)
- Filebeat cisco ftd (@marc-gr)
- Filebeat cisco umbrella (@marc-gr)
  - beats: [ECS] Upgrade cisco modules to ecs 1.8 #23819
  - [ ] integrations
- Filebeat crowdstrike falcon (@marc-gr)
- Filebeat fortinet firewall (@marc-gr)
- Filebeat googlecloud audit (iam events) (@adriansr) (no changes, discuss)
  - beats
  - integrations
- Filebeat microsoft (@adriansr)
- Filebeat elasticsearch/audit (maybe?) (@marc-gr)
  - beats: [ecs] Upgrade elasticsearch/audit to ECS 1.8 #24000
  - [ ] integrations
- Filebeat Gsuite/Workspace (@marc-gr)
- Filebeat o365 (Actors, iam events) (@adriansr)
- Filebeat zoom (@adriansr)
- Filebeat okta (maybe? actors, iam events, targets) (@marc-gr)
- Filebeat aws cloudtrail (assumed role, iam events) (@adriansr)
- Filebeat aws s3access (assumed role) (@adriansr)
- Filebeat azure (@adriansr) (not a lot of test data, discuss)
- Filebeat juniper/srx (@marc-gr)
- Filebeat panw (@marc-gr)
- Filebeat sophos/xg (@adriansr)
  - beats: Update sophos/xg to ECS 1.8 #23967
  - integrations: Add sophos xg integration integrations#479
- Filebeat system/auth (sudo) (@marc-gr)
- Filebeat mysql/mysqlenterprise (@adriansr)
  - beats: Update mysqlenterprise module to ECS 1.8 #23978
  - [ ] integrations
- Filebeat zeek (@marc-gr)
- Review other modules to make sure none are missing
- Make all Beats and modules report ECS 1.8.0: Update all Beats to report ECS version 1.8.0 #23992
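The network.direction carry-over item above depends on CIDR matching against a list of internal networks. The Go program below is an added example written for this page, not code from Beats or from the Elasticsearch Network direction processor it refers to; it reimplements the same classification rule (both ends internal: internal; internal to external: outbound; external to internal: inbound; neither internal: external) so the behaviour can be checked locally. The internal network list, the two named ranges "private" and "loopback", and the sample source/destination pairs are constructed for the example and are assumptions.

```go
package main

import (
	"fmt"
	"net"
)

// namedRanges is an illustrative subset of named networks, chosen for this
// example; it is not the processor's own list.
var namedRanges = map[string][]string{
	"private":  {"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fd00::/8"},
	"loopback": {"127.0.0.0/8", "::1/128"},
}

// Classifier holds the parsed set of networks considered internal.
type Classifier struct {
	internal []*net.IPNet
}

// NewClassifier parses explicit CIDRs and expands named ranges. A bad CIDR is
// a configuration error and is reported rather than silently skipped, since a
// dropped entry would make internal traffic look external.
func NewClassifier(networks []string) (*Classifier, error) {
	c := &Classifier{}
	for _, n := range networks {
		cidrs := []string{n}
		if named, ok := namedRanges[n]; ok {
			cidrs = named
		}
		for _, cidr := range cidrs {
			_, ipnet, err := net.ParseCIDR(cidr)
			if err != nil {
				return nil, fmt.Errorf("internal_networks: %q: %w", cidr, err)
			}
			c.internal = append(c.internal, ipnet)
		}
	}
	return c, nil
}

func (c *Classifier) isInternal(ip net.IP) bool {
	for _, n := range c.internal {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Direction returns the network.direction value for a source/destination
// pair, or an error when either address does not parse (an event with a
// missing or malformed IP must not be classified by accident).
func (c *Classifier) Direction(src, dst string) (string, error) {
	s, d := net.ParseIP(src), net.ParseIP(dst)
	if s == nil || d == nil {
		return "", fmt.Errorf("invalid IP: source=%q destination=%q", src, dst)
	}
	srcInternal, dstInternal := c.isInternal(s), c.isInternal(d)
	switch {
	case srcInternal && dstInternal:
		return "internal", nil
	case srcInternal:
		return "outbound", nil
	case dstInternal:
		return "inbound", nil
	default:
		return "external", nil
	}
}

func main() {
	// Constructed configuration: RFC 1918 space, loopback and one public /24
	// treated as "ours" (203.0.113.0/24 is documentation space).
	c, err := NewClassifier([]string{"private", "loopback", "203.0.113.0/24"})
	if err != nil {
		panic(err)
	}
	// Constructed sample events.
	pairs := [][2]string{
		{"192.168.1.10", "8.8.8.8"},     // outbound
		{"198.51.100.7", "203.0.113.5"}, // inbound
		{"10.0.0.1", "10.0.0.2"},        // internal
		{"198.51.100.7", "1.1.1.1"},     // external
	}
	for _, p := range pairs {
		dir, err := c.Direction(p[0], p[1])
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%s -> %s: %s\n", p[0], p[1], dir)
	}
}
```

The "external" outcome is worth watching in a pipeline: it usually means the internal_networks list is incomplete (a new VPC range, a NAT egress address) rather than that the traffic really has no local endpoint, so a rising count of external events is a useful health signal for the configuration.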