[Filebeat][New Module] Adding support for Microsoft Defender ATP #19197

Merged
merged 22 commits into from
Jul 14, 2020
Changes from 1 commit
22 commits
4d3ebf8
atp MVP push
P1llus Jun 12, 2020
27a60ba
stashing changes for later
P1llus Jun 12, 2020
86e8f72
Initial MVP for Defender ATP
P1llus Jun 15, 2020
f344d42
Updating default config
P1llus Jun 15, 2020
443ac5d
some updates, still not complete before more testing with new httpjso…
P1llus Jun 18, 2020
0296140
added new things to the pipeline, sorted them and commented them for …
P1llus Jun 20, 2020
24c655f
updated ingest pipeline with more ECS fields and evidence fields
P1llus Jun 25, 2020
cb01b5e
updated pipelines to fix yml indentations and added date_cursor funct…
P1llus Jun 30, 2020
6be6205
mage fmt update
P1llus Jun 30, 2020
cbf15f4
applying some new changes for date cursor and rebasing
P1llus Jul 4, 2020
8d6b316
Cleaning up pipelines, adding testdata, updating config fields, makin…
P1llus Jul 5, 2020
b46e849
changes to generate golden files
leehinman Jul 6, 2020
31ace16
adding requested changes based on PR comments, fixing some field type…
P1llus Jul 7, 2020
e7132bc
adding null checks for evidence subfield
P1llus Jul 7, 2020
37eeb56
updating painless scripts
P1llus Jul 7, 2020
db32b3a
mage fmt update
P1llus Jul 9, 2020
fc70654
one last styling change, will need to revert the event.test.message o…
P1llus Jul 9, 2020
a23be78
update golden files
P1llus Jul 9, 2020
fcb1082
updating tests to ignore timestamp and event.ingested
P1llus Jul 9, 2020
00b9f63
temp removing the default text for dashboard, dashboard will be inclu…
P1llus Jul 10, 2020
a4e762a
Merge branch 'master' into filebeat_atp_module_mvp
P1llus Jul 14, 2020
937975b
updating docs due to merge with microsoft dhcp
P1llus Jul 14, 2020
mage fmt update
P1llus committed Jul 13, 2020
commit db32b3af6dd4b0df8be9d03d26264c4fb9b663d1
Expand Up @@ -163,6 +163,7 @@ processors:
target_field: rule.description
ignore_missing: true
if: (ctx.json?.description).length() < 1020
Contributor


optional. I'm wondering if we should copy the first 1019 chars, not skip if over 1019.

Member Author


I think that the sentence would just break off at that point; it would be half a sentence. I think that it's just to ensure it never hits the limit, as it was the only field that can, in very niche use cases, maybe include too much info. It wouldn't stop any of the events I have seen, and it's more to drop it on ingest rather than creating an error in Elasticsearch due to the field size limit (1024?)


######################
## ECS File Mapping ##
######################
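Review bot: the added condition `if: (ctx.json?.description).length() < 1020` is not null-safe. The `?.` operator only makes the `description` access itself return null when `json` or `description` is absent; calling `.length()` on that null then throws a NullPointerException in Painless, so the pipeline fails for documents without a description instead of letting `ignore_missing: true` skip the processor. Suggest `if: ctx.json?.description != null && ctx.json.description.length() < 1020`. On the threshold itself, the thread above is right that skipping the copy drops the whole description for the rare oversized case; if a truncated prefix is preferable to losing the field, a `script` processor that copies a `substring` would do that, but that is a design choice for the author, not a correctness issue.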