From be594347566a9cbb1c1a624c8beec82ddcecb487 Mon Sep 17 00:00:00 2001 
From: Dan Kortschak Date: Wed, 2 Oct 2024 07:02:17 +0930 Subject: [PATCH] ssi_all: use triple-brace templating (#11284) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The mustache templating system used by ingest pipelines has two levels of escaping available, not escaped (triple stache) and HTML escaped (double stache) — see man mustache[1] under "tag types: variables". This can lead to data corruption, particularly in cases where an operating system has chosen to use a character requiring escaping in its path syntax. The cloudflare package is omitted from this set of changes due to ci difficulties with its system tests. [1]http://mustache.github.io/mustache.5.html [git-generate] for f in $( ( for p in $( yq 'select(.owner.github == "elastic/security-service-integrations")|.name' packages/**/manifest.yml \ | grep -v -- '---' ); do rg -l -g '*.yml' ": ('\{\{[^{][ .a-zA-Z0-9_]*[^}]}}'|\"\{\{[^{][ .a-zA-Z0-9_]*[^}]}}\")" packages/$p done )|grep -v "cloudflare"|grep "elasticsearch/ingest_pipeline"|sort|uniq ); do sed -i -r "s/: (['\"])\{\{([^{][ .a-zA-Z0-9_]*[^}])}}['\"]/: \1{{{\2}}}\1/g" $f done for p in $(git diff --name-only HEAD~1|cut -d/ -f1,2|sort|uniq); do ( cd $p elastic-package test pipeline -g elastic-package changelog add \ --description "Use triple-brace Mustache templating when referencing variables in ingest pipelines." 
\ --type bugfix \ --next patch \ --link https://github.com/elastic/integrations/pull/11284 )>/dev/null 2>&1 done --- packages/1password/changelog.yml | 5 ++ .../elasticsearch/ingest_pipeline/default.yml | 8 +-- .../elasticsearch/ingest_pipeline/default.yml | 8 +-- packages/1password/manifest.yml | 2 +- packages/akamai/changelog.yml | 5 ++ .../elasticsearch/ingest_pipeline/default.yml | 2 +- packages/akamai/manifest.yml | 2 +- packages/atlassian_bitbucket/changelog.yml | 5 ++ .../elasticsearch/ingest_pipeline/default.yml | 10 ++-- packages/atlassian_bitbucket/manifest.yml | 2 +- packages/atlassian_confluence/changelog.yml | 5 ++ .../elasticsearch/ingest_pipeline/default.yml | 8 +-- .../ingest_pipeline/self-hosted.yml | 2 +- packages/atlassian_confluence/manifest.yml | 2 +- packages/atlassian_jira/changelog.yml | 5 ++ .../elasticsearch/ingest_pipeline/default.yml | 10 ++-- .../ingest_pipeline/self-hosted.yml | 2 +- packages/atlassian_jira/manifest.yml | 2 +- packages/azure_frontdoor/changelog.yml | 5 ++ .../elasticsearch/ingest_pipeline/default.yml | 12 ++--- .../elasticsearch/ingest_pipeline/default.yml | 12 ++--- packages/azure_frontdoor/manifest.yml | 2 +- packages/barracuda/changelog.yml | 5 ++ .../elasticsearch/ingest_pipeline/access.yml | 10 ++-- .../elasticsearch/ingest_pipeline/audit.yml | 4 +- .../elasticsearch/ingest_pipeline/default.yml | 2 +- .../ingest_pipeline/networkfirewall.yml | 2 +- .../elasticsearch/ingest_pipeline/system.yml | 2 +- .../ingest_pipeline/webfirewall.yml | 2 +- packages/barracuda/manifest.yml | 2 +- packages/bitdefender/changelog.yml | 5 ++ .../elasticsearch/ingest_pipeline/default.yml | 2 +- packages/bitdefender/manifest.yml | 2 +- packages/carbonblack_edr/changelog.yml | 5 ++ .../elasticsearch/ingest_pipeline/default.yml | 6 +-- packages/carbonblack_edr/manifest.yml | 2 +- packages/cisco_secure_endpoint/changelog.yml | 5 ++ .../elasticsearch/ingest_pipeline/default.yml | 30 +++++------ packages/cisco_secure_endpoint/manifest.yml | 2 
+- packages/cisco_umbrella/changelog.yml | 5 ++ .../elasticsearch/ingest_pipeline/default.yml | 22 ++++---- packages/cisco_umbrella/manifest.yml | 2 +- packages/cribl/changelog.yml | 5 ++ .../elasticsearch/ingest_pipeline/default.yml | 2 +- packages/cribl/manifest.yml | 2 +- packages/crowdstrike/changelog.yml | 5 ++ .../elasticsearch/ingest_pipeline/default.yml | 8 +-- .../ingest_pipeline/detection_summary.yml | 6 +-- .../ingest_pipeline/firewall_match.yml | 2 +- packages/crowdstrike/manifest.yml | 2 +- packages/cyberark_pta/changelog.yml | 5 ++ .../elasticsearch/ingest_pipeline/default.yml | 14 ++--- packages/cyberark_pta/manifest.yml | 2 +- packages/cylance/changelog.yml | 5 ++ .../elasticsearch/ingest_pipeline/default.yml | 4 +- packages/cylance/manifest.yml | 2 +- packages/f5/changelog.yml | 5 ++ .../elasticsearch/ingest_pipeline/default.yml | 2 +- .../elasticsearch/ingest_pipeline/default.yml | 2 +- packages/f5/manifest.yml | 2 +- packages/falco/changelog.yml | 5 ++ .../pipeline/test-falco.log-expected.json | 36 ++++++------- .../test-nopreserve.log-expected.json | 6 +-- .../elasticsearch/ingest_pipeline/default.yml | 8 +-- packages/falco/manifest.yml | 2 +- packages/fireeye/changelog.yml | 5 ++ .../elasticsearch/ingest_pipeline/default.yml | 8 +-- packages/fireeye/manifest.yml | 2 +- packages/forgerock/changelog.yml | 5 ++ .../elasticsearch/ingest_pipeline/default.yml | 4 +- .../elasticsearch/ingest_pipeline/default.yml | 4 +- .../elasticsearch/ingest_pipeline/default.yml | 4 +- .../elasticsearch/ingest_pipeline/default.yml | 4 +- .../elasticsearch/ingest_pipeline/default.yml | 4 +- .../elasticsearch/ingest_pipeline/default.yml | 4 +- .../elasticsearch/ingest_pipeline/default.yml | 4 +- .../elasticsearch/ingest_pipeline/default.yml | 4 +- .../elasticsearch/ingest_pipeline/default.yml | 4 +- .../elasticsearch/ingest_pipeline/default.yml | 4 +- .../elasticsearch/ingest_pipeline/default.yml | 4 +- packages/forgerock/manifest.yml | 2 +- 
packages/github/changelog.yml | 5 ++ .../elasticsearch/ingest_pipeline/default.yml | 6 +-- .../elasticsearch/ingest_pipeline/default.yml | 6 +-- .../elasticsearch/ingest_pipeline/default.yml | 10 ++-- .../elasticsearch/ingest_pipeline/default.yml | 2 +- packages/github/manifest.yml | 2 +- packages/gitlab/changelog.yml | 5 ++ .../elasticsearch/ingest_pipeline/default.yml | 6 +-- .../elasticsearch/ingest_pipeline/default.yml | 12 ++--- .../elasticsearch/ingest_pipeline/default.yml | 2 +- packages/gitlab/manifest.yml | 2 +- packages/google_workspace/changelog.yml | 5 ++ .../elasticsearch/ingest_pipeline/default.yml | 6 +-- .../elasticsearch/ingest_pipeline/default.yml | 6 +-- .../elasticsearch/ingest_pipeline/default.yml | 4 +- .../elasticsearch/ingest_pipeline/default.yml | 4 +- .../elasticsearch/ingest_pipeline/default.yml | 4 +- .../elasticsearch/ingest_pipeline/default.yml | 4 +- packages/google_workspace/manifest.yml | 2 +- packages/infoblox_nios/changelog.yml | 5 ++ .../ingest_pipeline/pipeline_dns.yml | 2 +- packages/infoblox_nios/manifest.yml | 2 +- packages/jamf_protect/changelog.yml | 5 ++ .../elasticsearch/ingest_pipeline/default.yml | 14 ++--- .../pipeline_event_system_performance.yml | 2 +- .../elasticsearch/ingest_pipeline/default.yml | 2 +- .../ingest_pipeline/pipeline_audit.yml | 2 +- .../ingest_pipeline/pipeline_event.yml | 2 +- .../pipeline_system_performance_metrics.yml | 2 +- .../elasticsearch/ingest_pipeline/default.yml | 4 +- .../elasticsearch/ingest_pipeline/default.yml | 8 +-- packages/jamf_protect/manifest.yml | 2 +- packages/jumpcloud/changelog.yml | 5 ++ .../elasticsearch/ingest_pipeline/default.yml | 18 +++---- packages/jumpcloud/manifest.yml | 2 +- packages/keycloak/changelog.yml | 5 ++ .../test/pipeline/test-log.log-expected.json | 1 + .../elasticsearch/ingest_pipeline/default.yml | 4 +- .../elasticsearch/ingest_pipeline/events.yml | 8 +-- packages/keycloak/manifest.yml | 2 +- packages/lyve_cloud/changelog.yml | 5 ++ 
.../ingest_pipeline/audit_lc.yml | 6 +-- packages/lyve_cloud/manifest.yml | 2 +- packages/mattermost/changelog.yml | 5 ++ .../elasticsearch/ingest_pipeline/default.yml | 18 +++---- packages/mattermost/manifest.yml | 2 +- packages/menlo/changelog.yml | 5 ++ .../elasticsearch/ingest_pipeline/default.yml | 2 +- .../elasticsearch/ingest_pipeline/default.yml | 6 +-- packages/menlo/manifest.yml | 2 +- .../microsoft_defender_endpoint/changelog.yml | 5 ++ .../elasticsearch/ingest_pipeline/default.yml | 16 +++--- .../microsoft_defender_endpoint/manifest.yml | 2 +- packages/mimecast/changelog.yml | 5 ++ .../elasticsearch/ingest_pipeline/default.yml | 6 +-- .../elasticsearch/ingest_pipeline/default.yml | 2 +- .../elasticsearch/ingest_pipeline/default.yml | 2 +- .../elasticsearch/ingest_pipeline/default.yml | 12 ++--- .../elasticsearch/ingest_pipeline/default.yml | 12 ++--- .../elasticsearch/ingest_pipeline/default.yml | 2 +- .../elasticsearch/ingest_pipeline/default.yml | 4 +- .../elasticsearch/ingest_pipeline/default.yml | 4 +- packages/mimecast/manifest.yml | 2 +- packages/netskope/changelog.yml | 5 ++ .../pipeline/test-alerts.log-expected.json | 10 ++++ .../elasticsearch/ingest_pipeline/default.yml | 2 +- .../pipeline/test-events.log-expected.json | 5 ++ .../elasticsearch/ingest_pipeline/default.yml | 2 +- packages/netskope/manifest.yml | 2 +- packages/o365/changelog.yml | 5 ++ .../elasticsearch/ingest_pipeline/default.yml | 20 +++---- packages/o365/manifest.yml | 2 +- packages/okta/changelog.yml | 5 ++ .../elasticsearch/ingest_pipeline/default.yml | 24 ++++----- packages/okta/manifest.yml | 2 +- packages/pulse_connect_secure/changelog.yml | 5 ++ .../elasticsearch/ingest_pipeline/default.yml | 2 +- packages/pulse_connect_secure/manifest.yml | 2 +- packages/santa/changelog.yml | 5 ++ .../elasticsearch/ingest_pipeline/default.yml | 14 ++--- packages/santa/manifest.yml | 2 +- packages/slack/changelog.yml | 5 ++ .../elasticsearch/ingest_pipeline/default.yml | 2 +- 
packages/slack/manifest.yml | 2 +- packages/snyk/changelog.yml | 5 ++ .../elasticsearch/ingest_pipeline/default.yml | 6 +-- packages/snyk/manifest.yml | 2 +- .../symantec_endpoint_security/changelog.yml | 5 ++ .../elasticsearch/ingest_pipeline/default.yml | 2 +- .../symantec_endpoint_security/manifest.yml | 2 +- packages/ti_abusech/changelog.yml | 5 ++ .../elasticsearch/ingest_pipeline/default.yml | 4 +- .../test-abusechurl-dump.log-expected.json | 8 +-- .../elasticsearch/ingest_pipeline/default.yml | 2 +- packages/ti_abusech/manifest.yml | 2 +- packages/ti_cif3/changelog.yml | 5 ++ .../elasticsearch/ingest_pipeline/default.yml | 2 +- packages/ti_cif3/manifest.yml | 2 +- packages/ti_custom/changelog.yml | 5 ++ ...st-indicator-file-ndjson.log-expected.json | 2 +- ...-windows-registry-ndjson.log-expected.json | 2 +- ...st-indicator-x509-ndjson.log-expected.json | 6 +-- .../elasticsearch/ingest_pipeline/default.yml | 2 +- .../ingest_pipeline/indicator-asn.yml | 2 +- .../ingest_pipeline/indicator-domain-name.yml | 6 +-- .../ingest_pipeline/indicator-email.yml | 2 +- .../ingest_pipeline/indicator-file.yml | 14 ++--- .../ingest_pipeline/indicator-ip.yml | 4 +- .../ingest_pipeline/indicator-url.yml | 2 +- .../indicator-windows-registry.yml | 6 +-- .../ingest_pipeline/indicator-x509.yml | 54 +++++++++---------- packages/ti_custom/manifest.yml | 2 +- packages/ti_cybersixgill/changelog.yml | 5 ++ .../elasticsearch/ingest_pipeline/default.yml | 6 +-- packages/ti_cybersixgill/manifest.yml | 2 +- packages/ti_eclecticiq/changelog.yml | 5 ++ .../elasticsearch/ingest_pipeline/default.yml | 2 +- packages/ti_eclecticiq/manifest.yml | 2 +- packages/ti_eset/changelog.yml | 5 ++ .../elasticsearch/ingest_pipeline/default.yml | 2 +- .../elasticsearch/ingest_pipeline/default.yml | 4 +- .../elasticsearch/ingest_pipeline/default.yml | 4 +- .../elasticsearch/ingest_pipeline/default.yml | 4 +- .../elasticsearch/ingest_pipeline/default.yml | 4 +- .../elasticsearch/ingest_pipeline/default.yml | 
4 +- .../elasticsearch/ingest_pipeline/default.yml | 4 +- packages/ti_eset/manifest.yml | 2 +- packages/ti_maltiverse/changelog.yml | 5 ++ .../elasticsearch/ingest_pipeline/default.yml | 2 +- packages/ti_maltiverse/manifest.yml | 2 +- packages/ti_misp/changelog.yml | 5 ++ .../elasticsearch/ingest_pipeline/default.yml | 4 +- .../elasticsearch/ingest_pipeline/default.yml | 2 +- packages/ti_misp/manifest.yml | 2 +- packages/tychon/changelog.yml | 5 ++ .../elasticsearch/ingest_pipeline/rest.yml | 2 +- .../elasticsearch/ingest_pipeline/rest.yml | 2 +- packages/tychon/manifest.yml | 2 +- packages/zeronetworks/changelog.yml | 5 ++ .../elasticsearch/ingest_pipeline/default.yml | 4 +- packages/zeronetworks/manifest.yml | 2 +- 222 files changed, 696 insertions(+), 435 deletions(-)
diff --git a/packages/1password/changelog.yml b/packages/1password/changelog.yml
index 187e73d5fed..7be4b0c291e 100644
--- a/packages/1password/changelog.yml
+++ b/packages/1password/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
+- version: "1.30.1"
+ changes:
+ - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/11284
- version: "1.30.0"
changes:
- description: "Allow @custom pipeline access to event.original without setting preserve_original_event."
diff --git a/packages/1password/data_stream/item_usages/elasticsearch/ingest_pipeline/default.yml b/packages/1password/data_stream/item_usages/elasticsearch/ingest_pipeline/default.yml
index 9f4f9d175d9..2790589e1d6 100644
--- a/packages/1password/data_stream/item_usages/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/1password/data_stream/item_usages/elasticsearch/ingest_pipeline/default.yml
@@ -40,22 +40,22 @@ processors:
#########################
- append:
field: related.user
- value: "{{onepassword.user.uuid}}"
+ value: "{{{onepassword.user.uuid}}}"
allow_duplicates: false
if: ctx?.onepassword?.user?.uuid != null
- append:
field: related.user
- value: "{{onepassword.user.email}}"
+ value: "{{{onepassword.user.email}}}"
allow_duplicates: false
if: ctx?.onepassword?.user?.email != null
- append:
field: related.user
- value: "{{onepassword.user.name}}"
+ value: "{{{onepassword.user.name}}}"
allow_duplicates: false
if: ctx?.onepassword?.user?.name != null
- append:
field: related.ip
- value: "{{onepassword.client.ip_address}}"
+ value: "{{{onepassword.client.ip_address}}}"
allow_duplicates: false
if: ctx?.onepassword?.client?.ip_address != null
######################
diff --git a/packages/1password/data_stream/signin_attempts/elasticsearch/ingest_pipeline/default.yml b/packages/1password/data_stream/signin_attempts/elasticsearch/ingest_pipeline/default.yml
index af678d25914..336f1451585 100644
--- a/packages/1password/data_stream/signin_attempts/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/1password/data_stream/signin_attempts/elasticsearch/ingest_pipeline/default.yml
@@ -50,22 +50,22 @@ processors:
#########################
- append:
field: related.user
- value: "{{onepassword.target_user.uuid}}"
+ value: "{{{onepassword.target_user.uuid}}}"
allow_duplicates: false
if: ctx?.onepassword?.target_user?.uuid != null
- append:
field: related.user
- value: "{{onepassword.target_user.email}}"
+ value: "{{{onepassword.target_user.email}}}"
allow_duplicates: false
if: ctx?.onepassword?.target_user?.email != null
- append:
field: related.user
- value: "{{onepassword.target_user.name}}"
+ value: "{{{onepassword.target_user.name}}}"
allow_duplicates: false
if: ctx?.onepassword?.target_user?.name != null
- append:
field: related.ip
- value: "{{onepassword.client.ip_address}}"
+ value: "{{{onepassword.client.ip_address}}}"
allow_duplicates: false
if: ctx?.onepassword?.client?.ip_address != null
######################
diff --git a/packages/1password/manifest.yml b/packages/1password/manifest.yml
index 9c431085731..6676b402ae6 100644
--- a/packages/1password/manifest.yml
+++ b/packages/1password/manifest.yml
@@ -1,7 +1,7 @@
format_version: "3.0.2"
name: 1password
title: "1Password"
-version: "1.30.0"
+version: "1.30.1"
description: Collect logs from 1Password with Elastic Agent.
type: integration
categories:
diff --git a/packages/akamai/changelog.yml b/packages/akamai/changelog.yml
index 56144012d2d..294446f8cf8 100644
--- a/packages/akamai/changelog.yml
+++ b/packages/akamai/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
+- version: "2.25.2"
+ changes:
+ - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/11284
- version: "2.25.1"
changes:
- description: Fix definition of subfields of nested objects
diff --git a/packages/akamai/data_stream/siem/elasticsearch/ingest_pipeline/default.yml b/packages/akamai/data_stream/siem/elasticsearch/ingest_pipeline/default.yml
index c658cd4a748..a9e1c83df57 100644
--- a/packages/akamai/data_stream/siem/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/akamai/data_stream/siem/elasticsearch/ingest_pipeline/default.yml
@@ -426,7 +426,7 @@ processors:
##
- append:
field: related.ip
- value: "{{source.ip}}"
+ value: "{{{source.ip}}}"
allow_duplicates: false
- set:
field: client
diff --git a/packages/akamai/manifest.yml b/packages/akamai/manifest.yml
index 265e5323ee0..2532c588f2d 100644
--- a/packages/akamai/manifest.yml
+++ b/packages/akamai/manifest.yml
@@ -1,6 +1,6 @@
name: akamai
title: Akamai
-version: "2.25.1"
+version: "2.25.2"
description: Collect logs from Akamai with Elastic Agent.
type: integration
format_version: "3.0.2"
diff --git a/packages/atlassian_bitbucket/changelog.yml b/packages/atlassian_bitbucket/changelog.yml
index eabe67f9e0d..1e1046202bc 100644
--- a/packages/atlassian_bitbucket/changelog.yml
+++ b/packages/atlassian_bitbucket/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
+- version: "2.2.1"
+ changes:
+ - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/11284
- version: "2.2.0"
changes:
- description: "Allow @custom pipeline access to event.original without setting preserve_original_event."
diff --git a/packages/atlassian_bitbucket/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/atlassian_bitbucket/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
index 5c4ec1565e2..1e7c8030749 100644
--- a/packages/atlassian_bitbucket/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/atlassian_bitbucket/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
@@ -386,27 +386,27 @@ processors:
}
- append:
field: related.user
- value: '{{user.name}}'
+ value: '{{{user.name}}}'
allow_duplicates: false
if: ctx.user?.name != null
- append:
field: related.user
- value: '{{user.target.name}}'
+ value: '{{{user.target.name}}}'
allow_duplicates: false
if: ctx.user?.target?.name != null
- append:
field: related.user
- value: '{{user.changes.name}}'
+ value: '{{{user.changes.name}}}'
allow_duplicates: false
if: ctx.user?.changes?.name != null
- append:
field: related.ip
- value: '{{source.ip}}'
+ value: '{{{source.ip}}}'
allow_duplicates: false
if: ctx.source?.ip != null
- append:
field: related.hosts
- value: '{{_tmp.service.domain}}'
+ value: '{{{_tmp.service.domain}}}'
allow_duplicates: false
if: ctx._tmp?.service?.domain != null
- remove:
diff --git a/packages/atlassian_bitbucket/manifest.yml b/packages/atlassian_bitbucket/manifest.yml
index 649c528c159..0868221cc3a 100644
--- a/packages/atlassian_bitbucket/manifest.yml
+++ b/packages/atlassian_bitbucket/manifest.yml
@@ -1,7 +1,7 @@
format_version: "3.0.2"
name: atlassian_bitbucket
title: Atlassian Bitbucket
-version: "2.2.0"
+version: "2.2.1"
description: Collect logs from Atlassian Bitbucket with Elastic Agent.
type: integration
categories:
diff --git a/packages/atlassian_confluence/changelog.yml b/packages/atlassian_confluence/changelog.yml
index 0d23ad66f8f..5312452317f 100644
--- a/packages/atlassian_confluence/changelog.yml
+++ b/packages/atlassian_confluence/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
+- version: "1.26.1"
+ changes:
+ - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/11284
- version: "1.26.0"
changes:
- description: "Allow @custom pipeline access to event.original without setting preserve_original_event."
diff --git a/packages/atlassian_confluence/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/atlassian_confluence/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
index 4fa872bc2a1..4a1020786e2 100644
--- a/packages/atlassian_confluence/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/atlassian_confluence/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
@@ -376,22 +376,22 @@ processors:
}
- append:
field: related.user
- value: '{{user.name}}'
+ value: '{{{user.name}}}'
allow_duplicates: false
if: ctx.user?.name != null
- append:
field: related.user
- value: '{{user.target.name}}'
+ value: '{{{user.target.name}}}'
allow_duplicates: false
if: ctx.user?.target?.name != null
- append:
field: related.user
- value: '{{user.changes.name}}'
+ value: '{{{user.changes.name}}}'
allow_duplicates: false
if: ctx.user?.changes?.name != null
- append:
field: related.ip
- value: '{{source.ip}}'
+ value: '{{{source.ip}}}'
allow_duplicates: false
if: ctx.source?.ip != null
- remove:
diff --git a/packages/atlassian_confluence/data_stream/audit/elasticsearch/ingest_pipeline/self-hosted.yml b/packages/atlassian_confluence/data_stream/audit/elasticsearch/ingest_pipeline/self-hosted.yml
index d9dcef1a5e1..514a5c0d978 100644
--- a/packages/atlassian_confluence/data_stream/audit/elasticsearch/ingest_pipeline/self-hosted.yml
+++ b/packages/atlassian_confluence/data_stream/audit/elasticsearch/ingest_pipeline/self-hosted.yml
@@ -74,7 +74,7 @@ processors:
ignore_empty_value: true
- append:
field: related.hosts
- value: '{{_tmp.service.domain}}'
+ value: '{{{_tmp.service.domain}}}'
allow_duplicates: false
if: ctx._tmp?.service?.domain != null
on_failure:
diff --git a/packages/atlassian_confluence/manifest.yml b/packages/atlassian_confluence/manifest.yml
index 86f08ee5729..e8c343b02b5 100644
--- a/packages/atlassian_confluence/manifest.yml
+++ b/packages/atlassian_confluence/manifest.yml
@@ -1,7 +1,7 @@
format_version: "3.0.2"
name: atlassian_confluence
title: Atlassian Confluence
-version: "1.26.0"
+version: "1.26.1"
description: Collect logs from Atlassian Confluence with Elastic Agent.
type: integration
categories:
diff --git a/packages/atlassian_jira/changelog.yml b/packages/atlassian_jira/changelog.yml
index d54dc309c88..e304e1fe6b2 100644
--- a/packages/atlassian_jira/changelog.yml
+++ b/packages/atlassian_jira/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
+- version: "1.27.1"
+ changes:
+ - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/11284
- version: "1.27.0"
changes:
- description: "Allow @custom pipeline access to event.original without setting preserve_original_event."
diff --git a/packages/atlassian_jira/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/atlassian_jira/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
index cb08498e8f6..1bee685949c 100644
--- a/packages/atlassian_jira/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/atlassian_jira/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
@@ -355,27 +355,27 @@ processors:
}
- append:
field: related.user
- value: '{{user.name}}'
+ value: '{{{user.name}}}'
allow_duplicates: false
if: ctx.user?.name != null
- append:
field: related.user
- value: '{{user.target.name}}'
+ value: '{{{user.target.name}}}'
allow_duplicates: false
if: ctx.user?.target?.name != null
- append:
field: related.user
- value: '{{user.changes.name}}'
+ value: '{{{user.changes.name}}}'
allow_duplicates: false
if: ctx.user?.changes?.name != null
- append:
field: related.ip
- value: '{{source.ip}}'
+ value: '{{{source.ip}}}'
allow_duplicates: false
if: ctx.source?.ip != null
- append:
field: related.hosts
- value: '{{_tmp.service.domain}}'
+ value: '{{{_tmp.service.domain}}}'
allow_duplicates: false
if: ctx._tmp?.service?.domain != null
- remove:
diff --git a/packages/atlassian_jira/data_stream/audit/elasticsearch/ingest_pipeline/self-hosted.yml b/packages/atlassian_jira/data_stream/audit/elasticsearch/ingest_pipeline/self-hosted.yml
index 926023753c8..8bee62bffab 100644
--- a/packages/atlassian_jira/data_stream/audit/elasticsearch/ingest_pipeline/self-hosted.yml
+++ b/packages/atlassian_jira/data_stream/audit/elasticsearch/ingest_pipeline/self-hosted.yml
@@ -85,7 +85,7 @@ processors:
ignore_empty_value: true
- append:
field: related.hosts
- value: '{{_tmp.service.domain}}'
+ value: '{{{_tmp.service.domain}}}'
allow_duplicates: false
if: ctx._tmp?.service?.domain != null
on_failure:
diff --git a/packages/atlassian_jira/manifest.yml b/packages/atlassian_jira/manifest.yml
index 340682f2684..4b90d5adb41 100644
--- a/packages/atlassian_jira/manifest.yml
+++ b/packages/atlassian_jira/manifest.yml
@@ -1,7 +1,7 @@
format_version: "3.0.2"
name: atlassian_jira
title: Atlassian Jira
-version: "1.27.0"
+version: "1.27.1"
description: Collect logs from Atlassian Jira with Elastic Agent.
type: integration
categories:
diff --git a/packages/azure_frontdoor/changelog.yml b/packages/azure_frontdoor/changelog.yml
index f3a963614f7..aad9d7bb50b 100644
--- a/packages/azure_frontdoor/changelog.yml
+++ b/packages/azure_frontdoor/changelog.yml
@@ -1,3 +1,8 @@
+- version: "2.0.1"
+ changes:
+ - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/11284
- version: "2.0.0"
changes:
- description: "Changed keyword field type to double in time_to_first_byte, time_taken fields and to date in time fields"
diff --git a/packages/azure_frontdoor/data_stream/access/elasticsearch/ingest_pipeline/default.yml b/packages/azure_frontdoor/data_stream/access/elasticsearch/ingest_pipeline/default.yml
index 36b5f38f1ea..e7f42869a0c 100644
--- a/packages/azure_frontdoor/data_stream/access/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/azure_frontdoor/data_stream/access/elasticsearch/ingest_pipeline/default.yml
@@ -241,13 +241,13 @@ processors:
# set user.email to the original name if the above grok succeeded.
- set:
field: user.email
- value: '{{azure.frontdoor.access.identity.claims_initiated_by_user.name}}'
+ value: '{{{azure.frontdoor.access.identity.claims_initiated_by_user.name}}}'
ignore_empty_value: true
if: 'ctx.user?.name != null'
# set user.name to the original name if the above grok failed (name format is not an email).
- set:
field: user.name
- value: '{{azure.frontdoor.access.identity.claims_initiated_by_user.name}}'
+ value: '{{{azure.frontdoor.access.identity.claims_initiated_by_user.name}}}'
ignore_empty_value: true
if: 'ctx.user?.name == null'
- rename:
@@ -260,22 +260,22 @@ processors:
ignore_missing: true
- append:
field: user.roles
- value: '{{azure.frontdoor.access.identity.authorization.evidence.role}}'
+ value: '{{{azure.frontdoor.access.identity.authorization.evidence.role}}}'
allow_duplicates: false
if: ctx.azure?.frontdoor?.access?.identity?.authorization?.evidence?.role != null
- append:
field: related.user
- value: '{{user.name}}'
+ value: '{{{user.name}}}'
allow_duplicates: false
if: 'ctx.user?.name != null'
- append:
field: related.user
- value: '{{user.full_name}}'
+ value: '{{{user.full_name}}}'
allow_duplicates: false
if: 'ctx.user?.name != null'
- append:
field: related.user
- value: '{{user.id}}'
+ value: '{{{user.id}}}'
allow_duplicates: false
if: 'ctx.user?.name != null'
- rename:
diff --git a/packages/azure_frontdoor/data_stream/waf/elasticsearch/ingest_pipeline/default.yml b/packages/azure_frontdoor/data_stream/waf/elasticsearch/ingest_pipeline/default.yml
index c01422c3614..0f1a3a73cfb 100644
--- a/packages/azure_frontdoor/data_stream/waf/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/azure_frontdoor/data_stream/waf/elasticsearch/ingest_pipeline/default.yml
@@ -184,13 +184,13 @@ processors:
# set user.email to the original name if the above grok succeeded.
- set:
field: user.email
- value: '{{azure.frontdoor.waf.identity.claims_initiated_by_user.name}}'
+ value: '{{{azure.frontdoor.waf.identity.claims_initiated_by_user.name}}}'
ignore_empty_value: true
if: 'ctx.user?.name != null'
# set user.name to the original name if the above grok failed (name format is not an email).
- set:
field: user.name
- value: '{{azure.frontdoor.waf.identity.claims_initiated_by_user.name}}'
+ value: '{{{azure.frontdoor.waf.identity.claims_initiated_by_user.name}}}'
ignore_empty_value: true
if: 'ctx.user?.name == null'
- rename:
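Review bot: In the last two related.user appends of the `@@ -260,22 +260,22 @@` hunk, the guard checks `ctx.user?.name` while the rendered value is `user.full_name` and then `user.id`; when `user.name` is present but the referenced field is absent, the template presumably renders to an empty string that is appended to `related.user`, which the brace change does not address. Each guard should test the field it renders: `if: 'ctx.user?.full_name != null'` and `if: 'ctx.user?.id != null'`. The same mismatch appears in the waf pipeline hunk `@@ -203,22 +203,22 @@` in packages/azure_frontdoor/data_stream/waf/elasticsearch/ingest_pipeline/default.yml. This is pre-existing rather than introduced here, so it could go in a follow-up together with a pipeline test case that sets user.name without user.full_name.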
@@ -203,22 +203,22 @@ processors: ignore_missing: true - append: field: user.roles - value: '{{azure.frontdoor.waf.identity.authorization.evidence.role}}' + value: '{{{azure.frontdoor.waf.identity.authorization.evidence.role}}}' allow_duplicates: false if: ctx.azure?.frontdoor?.waf?.identity?.authorization?.evidence?.role != null - append: field: related.user - value: '{{user.name}}' + value: '{{{user.name}}}' allow_duplicates: false if: 'ctx.user?.name != null' - append: field: related.user - value: '{{user.full_name}}' + value: '{{{user.full_name}}}' allow_duplicates: false if: 'ctx.user?.name != null' - append: field: related.user - value: '{{user.id}}' + value: '{{{user.id}}}' allow_duplicates: false if: 'ctx.user?.name != null' - rename: diff --git a/packages/azure_frontdoor/manifest.yml b/packages/azure_frontdoor/manifest.yml index 91277aa1245..b844bc6c7e0 100644 --- a/packages/azure_frontdoor/manifest.yml +++ b/packages/azure_frontdoor/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.2" name: azure_frontdoor title: "Azure Frontdoor" -version: "2.0.0" +version: "2.0.1" description: "This Elastic integration collects logs from Azure Frontdoor." type: integration categories: diff --git a/packages/barracuda/changelog.yml b/packages/barracuda/changelog.yml index 6465278a595..9fabd79bbe5 100644 --- a/packages/barracuda/changelog.yml +++ b/packages/barracuda/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.15.1" + changes: + - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines. + type: bugfix + link: https://github.com/elastic/integrations/pull/11284 - version: "1.15.0" changes: - description: "Allow @custom pipeline access to event.original without setting preserve_original_event." diff --git a/packages/barracuda/data_stream/waf/elasticsearch/ingest_pipeline/access.yml b/packages/barracuda/data_stream/waf/elasticsearch/ingest_pipeline/access.yml index 8f03e97f936..c48885b622d 100644 
--- a/packages/barracuda/data_stream/waf/elasticsearch/ingest_pipeline/access.yml +++ b/packages/barracuda/data_stream/waf/elasticsearch/ingest_pipeline/access.yml @@ -113,22 +113,22 @@ processors: copy_from: client - append: field: related.ip - value: "{{source.ip}}" + value: "{{{source.ip}}}" if: ctx.source?.ip != null allow_duplicates: false - append: field: related.ip - value: "{{destination.ip}}" + value: "{{{destination.ip}}}" if: ctx.destination?.ip != null allow_duplicates: false - append: field: related.ip - value: "{{network.forwarded_ip}}" + value: "{{{network.forwarded_ip}}}" if: ctx.network?.forwarded_ip != null allow_duplicates: false - append: field: related.ip - value: "{{server.ip}}" + value: "{{{server.ip}}}" if: ctx.server?.ip != null allow_duplicates: false - set: @@ -147,4 +147,4 @@ on_failure: value: pipeline_error - append: field: error.message - value: "{{ _ingest.on_failure_message }}" + value: "{{{ _ingest.on_failure_message }}}" diff --git a/packages/barracuda/data_stream/waf/elasticsearch/ingest_pipeline/audit.yml b/packages/barracuda/data_stream/waf/elasticsearch/ingest_pipeline/audit.yml index 6e5c563c85b..714a49813b2 100644 --- a/packages/barracuda/data_stream/waf/elasticsearch/ingest_pipeline/audit.yml +++ b/packages/barracuda/data_stream/waf/elasticsearch/ingest_pipeline/audit.yml @@ -24,12 +24,12 @@ processors: ignore_missing: true - append: field: related.ip - value: "{{client.ip}}" + value: "{{{client.ip}}}" if: ctx.client?.ip != null allow_duplicates: false - append: field: related.user - value: "{{client.user.name}}" + value: "{{{client.user.name}}}" if: ctx.client?.user?.name != null allow_duplicates: false - set: diff --git a/packages/barracuda/data_stream/waf/elasticsearch/ingest_pipeline/default.yml b/packages/barracuda/data_stream/waf/elasticsearch/ingest_pipeline/default.yml index 597b89b60fa..aeb9ad83424 100644 --- a/packages/barracuda/data_stream/waf/elasticsearch/ingest_pipeline/default.yml 
+++ b/packages/barracuda/data_stream/waf/elasticsearch/ingest_pipeline/default.yml @@ -93,4 +93,4 @@ on_failure: value: pipeline_error - append: field: error.message - value: "{{ _ingest.on_failure_message }}" + value: "{{{ _ingest.on_failure_message }}}" diff --git a/packages/barracuda/data_stream/waf/elasticsearch/ingest_pipeline/networkfirewall.yml b/packages/barracuda/data_stream/waf/elasticsearch/ingest_pipeline/networkfirewall.yml index ab8f98baebc..2ccd5ae2fe1 100644 --- a/packages/barracuda/data_stream/waf/elasticsearch/ingest_pipeline/networkfirewall.yml +++ b/packages/barracuda/data_stream/waf/elasticsearch/ingest_pipeline/networkfirewall.yml @@ -73,4 +73,4 @@ on_failure: value: pipeline_error - append: field: error.message - value: "{{ _ingest.on_failure_message }}" + value: "{{{ _ingest.on_failure_message }}}" diff --git a/packages/barracuda/data_stream/waf/elasticsearch/ingest_pipeline/system.yml b/packages/barracuda/data_stream/waf/elasticsearch/ingest_pipeline/system.yml index d8c1601d429..9395da6f47a 100644 --- a/packages/barracuda/data_stream/waf/elasticsearch/ingest_pipeline/system.yml +++ b/packages/barracuda/data_stream/waf/elasticsearch/ingest_pipeline/system.yml @@ -30,4 +30,4 @@ on_failure: value: pipeline_error - append: field: error.message - value: "{{ _ingest.on_failure_message }}" + value: "{{{ _ingest.on_failure_message }}}" diff --git a/packages/barracuda/data_stream/waf/elasticsearch/ingest_pipeline/webfirewall.yml b/packages/barracuda/data_stream/waf/elasticsearch/ingest_pipeline/webfirewall.yml index 45c833e8311..092ecdcdfb3 100644 --- a/packages/barracuda/data_stream/waf/elasticsearch/ingest_pipeline/webfirewall.yml +++ b/packages/barracuda/data_stream/waf/elasticsearch/ingest_pipeline/webfirewall.yml @@ -93,4 +93,4 @@ on_failure: value: pipeline_error - append: field: error.message - value: "{{ _ingest.on_failure_message }}" + value: "{{{ _ingest.on_failure_message }}}" 
diff --git a/packages/barracuda/manifest.yml b/packages/barracuda/manifest.yml index 145eadc9c3d..440e4bef135 100644 --- a/packages/barracuda/manifest.yml +++ b/packages/barracuda/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.3" name: barracuda title: "Barracuda Web Application Firewall" -version: "1.15.0" +version: "1.15.1" description: "Collect logs from Barracuda Web Application Firewall with Elastic Agent." type: integration source: diff --git a/packages/bitdefender/changelog.yml b/packages/bitdefender/changelog.yml index 4c6b7b58371..ad45346cf00 100644 --- a/packages/bitdefender/changelog.yml +++ b/packages/bitdefender/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.1.2" + changes: + - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines. + type: bugfix + link: https://github.com/elastic/integrations/pull/11284 - version: "2.1.1" changes: - description: Ensure remediation actions are correlated with their file paths. diff --git a/packages/bitdefender/data_stream/push_notifications/elasticsearch/ingest_pipeline/default.yml b/packages/bitdefender/data_stream/push_notifications/elasticsearch/ingest_pipeline/default.yml index e071113a0e7..3d3b4aeb09c 100644 --- a/packages/bitdefender/data_stream/push_notifications/elasticsearch/ingest_pipeline/default.yml +++ b/packages/bitdefender/data_stream/push_notifications/elasticsearch/ingest_pipeline/default.yml @@ -1586,4 +1586,4 @@ on_failure: value: pipeline_error - append: field: error.message - value: "{{ _ingest.on_failure_message }}" + value: "{{{ _ingest.on_failure_message }}}" diff --git a/packages/bitdefender/manifest.yml b/packages/bitdefender/manifest.yml index 807cc506e31..ceacb9dc599 100644 --- a/packages/bitdefender/manifest.yml +++ b/packages/bitdefender/manifest.yml 
@@ -1,7 +1,7 @@ format_version: "3.0.2" name: bitdefender title: "BitDefender" -version: "2.1.1" +version: "2.1.2" source: license: "Elastic-2.0" description: "Ingest BitDefender GravityZone logs and data" diff --git a/packages/carbonblack_edr/changelog.yml b/packages/carbonblack_edr/changelog.yml index 5fb93221fd3..398dd0ee9bf 100644 --- a/packages/carbonblack_edr/changelog.yml +++ b/packages/carbonblack_edr/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.18.1" + changes: + - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines. + type: bugfix + link: https://github.com/elastic/integrations/pull/11284 - version: "1.18.0" changes: - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. diff --git a/packages/carbonblack_edr/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/carbonblack_edr/data_stream/log/elasticsearch/ingest_pipeline/default.yml index 1bb2ce603bd..5250d1dea8b 100644 --- a/packages/carbonblack_edr/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ b/packages/carbonblack_edr/data_stream/log/elasticsearch/ingest_pipeline/default.yml @@ -833,11 +833,11 @@ processors: - append: field: related.hash - value: "{{tls.server.ja3s}}" + value: "{{{tls.server.ja3s}}}" if: "ctx?.tls?.server?.ja3s != null" - append: field: related.hash - value: "{{tls.client.ja3}}" + value: "{{{tls.client.ja3}}}" if: "ctx?.tls?.client?.ja3 != null" allow_duplicates: false # @@ -872,4 +872,4 @@ on_failure: value: pipeline_error - append: field: error.message - value: '{{ _ingest.on_failure_message }}' + value: '{{{ _ingest.on_failure_message }}}' diff --git a/packages/carbonblack_edr/manifest.yml b/packages/carbonblack_edr/manifest.yml index 840d63ed13d..6a43a3dd84f 100644 --- a/packages/carbonblack_edr/manifest.yml +++ b/packages/carbonblack_edr/manifest.yml 
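Review bot: The `related.hash` append for `tls.server.ja3s` in the carbonblack_edr hunk at `@@ -833` has no `allow_duplicates: false`, while the `tls.client.ja3` append immediately after it does, so a JA3S value already present in `related.hash` is added again. Add `allow_duplicates: false` to the first append to match the sibling processor.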
@@ -1,6 +1,6 @@ name: carbonblack_edr title: VMware Carbon Black EDR -version: "1.18.0" +version: "1.18.1" description: Collect logs from VMware Carbon Black EDR with Elastic Agent. type: integration format_version: "3.0.3" diff --git a/packages/cisco_secure_endpoint/changelog.yml b/packages/cisco_secure_endpoint/changelog.yml index d9fdbfd385e..e056f86d45f 100644 --- a/packages/cisco_secure_endpoint/changelog.yml +++ b/packages/cisco_secure_endpoint/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.27.1" + changes: + - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines. + type: bugfix + link: https://github.com/elastic/integrations/pull/11284 - version: "2.27.0" changes: - description: "Allow @custom pipeline access to event.original without setting preserve_original_event." diff --git a/packages/cisco_secure_endpoint/data_stream/event/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_secure_endpoint/data_stream/event/elasticsearch/ingest_pipeline/default.yml index 4e4f75aea07..9cd6d5fe515 100644 --- a/packages/cisco_secure_endpoint/data_stream/event/elasticsearch/ingest_pipeline/default.yml +++ b/packages/cisco_secure_endpoint/data_stream/event/elasticsearch/ingest_pipeline/default.yml 
@@ -449,72 +449,72 @@ processors: ######################### - append: field: related.user - value: "{{ user.name }}" + value: "{{{ user.name }}}" if: ctx.user?.name != null allow_duplicates: false - append: field: related.hash - value: "{{ process.hash.sha256 }}" + value: "{{{ process.hash.sha256 }}}" if: ctx.process?.parent?.hash?.sha256 != null allow_duplicates: false - append: field: related.hash - value: "{{ process.hash.md5 }}" + value: "{{{ process.hash.md5 }}}" if: ctx.process?.parent?.hash?.md5 != null allow_duplicates: false - append: field: related.hash - value: "{{ process.hash.sha1 }}" + value: "{{{ process.hash.sha1 }}}" if: ctx.process?.parent?.hash?.sha1 != null allow_duplicates: false - append: field: related.hash - value: "{{ file.hash.sha256 }}" + value: "{{{ file.hash.sha256 }}}" if: ctx.file?.hash?.sha256 != null allow_duplicates: false - append: field: related.hash - value: "{{ file.hash.md5 }}" + value: "{{{ file.hash.md5 }}}" if: ctx.file?.hash?.md5 != null allow_duplicates: false - append: field: related.hash - value: "{{ file.hash.sha1 }}" + value: "{{{ file.hash.sha1 }}}" if: ctx.file?.hash?.sha1 != null allow_duplicates: false - append: field: related.hash - value: "{{ cisco.secure_endpoint.network_info.parent.identity.sha256 }}" + value: "{{{ cisco.secure_endpoint.network_info.parent.identity.sha256 }}}" if: ctx.cisco?.secure_endpoint?.network_info?.parent?.identity?.sha256 != null allow_duplicates: false - append: field: related.hash - value: "{{ cisco.secure_endpoint.network_info.parent.identity.md5 }}" + value: "{{{ cisco.secure_endpoint.network_info.parent.identity.md5 }}}" if: ctx.cisco?.secure_endpoint?.network_info?.parent?.identity?.md5 != null allow_duplicates: false - append: field: related.hash - value: "{{ cisco.secure_endpoint.network_info.parent.identity.sha1 }}" + value: "{{{ cisco.secure_endpoint.network_info.parent.identity.sha1 }}}" if: ctx.cisco?.secure_endpoint?.network_info?.parent?.identity?.sha1 != null 
allow_duplicates: false - append: field: related.hosts - value: "{{ host.name }}" + value: "{{{ host.name }}}" if: ctx.host?.name != null allow_duplicates: false - append: field: related.ip - value: "{{ source.ip }}" + value: "{{{ source.ip }}}" if: ctx.source?.ip != null allow_duplicates: false - append: field: related.ip - value: "{{ destination.ip }}" + value: "{{{ destination.ip }}}" if: ctx.destination?.ip != null allow_duplicates: false - append: field: related.ip - value: "{{ cisco.secure_endpoint.computer.external_ip }}" + value: "{{{ cisco.secure_endpoint.computer.external_ip }}}" if: ctx.cisco?.secure_endpoint?.computer?.external_ip != null allow_duplicates: false - script: @@ -557,7 +557,7 @@ processors: processor: append: field: cisco.secure_endpoint.related.cve - value: "{{ _ingest._value.cve }}" + value: "{{{ _ingest._value.cve }}}" allow_duplicates: false if: ctx.cisco?.secure_endpoint?.vulnerabilities != null ############# diff --git a/packages/cisco_secure_endpoint/manifest.yml b/packages/cisco_secure_endpoint/manifest.yml index ed63a51bd89..dc6761cc0e5 100644 --- a/packages/cisco_secure_endpoint/manifest.yml +++ b/packages/cisco_secure_endpoint/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.2" name: cisco_secure_endpoint title: Cisco Secure Endpoint -version: "2.27.0" +version: "2.27.1" description: Collect logs from Cisco Secure Endpoint (AMP) with Elastic Agent. type: integration categories: diff --git a/packages/cisco_umbrella/changelog.yml b/packages/cisco_umbrella/changelog.yml index f0fd146e6f4..885abac9822 100644 --- a/packages/cisco_umbrella/changelog.yml +++ b/packages/cisco_umbrella/changelog.yml 
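Review bot: The three `related.hash` appends for `process.hash.sha256`, `process.hash.md5` and `process.hash.sha1` at `@@ -449` are guarded on `ctx.process?.parent?.hash?.*`, a different field from the one each template renders; a present parent hash therefore appends an empty value when `process.hash.*` is missing, and a present `process.hash.*` is skipped when the parent hash is absent. Which field was intended is not decidable from the hunk: either the values should read `{{{ process.parent.hash.sha256 }}}` and so on, or the guards should be `ctx.process?.hash?.sha256 != null` and so on. The mismatch predates this commit but the rewrite carries it forward unchanged.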
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.26.1" + changes: + - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines. + type: bugfix + link: https://github.com/elastic/integrations/pull/11284 - version: "1.26.0" changes: - description: "Allow @custom pipeline access to event.original without setting preserve_original_event." diff --git a/packages/cisco_umbrella/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_umbrella/data_stream/log/elasticsearch/ingest_pipeline/default.yml index df0e25c5e82..3c36047747b 100644 --- a/packages/cisco_umbrella/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ b/packages/cisco_umbrella/data_stream/log/elasticsearch/ingest_pipeline/default.yml @@ -378,7 +378,7 @@ processors: if: ctx.user?.name != null && ctx.user?.name.contains('@') == true - set: field: user.id - value: "{{user.email}}" + value: "{{{user.email}}}" if: ctx.user?.email != null - remove: field: user.email 
@@ -652,37 +652,37 @@ processors: ###################### - append: field: related.user - value: "{{user.name}}" + value: "{{{user.name}}}" allow_duplicates: false if: ctx.user?.name != null - append: field: related.ip - value: "{{source.ip}}" + value: "{{{source.ip}}}" allow_duplicates: false if: ctx.source?.ip != null - append: field: related.ip - value: "{{source.nat.ip}}" + value: "{{{source.nat.ip}}}" allow_duplicates: false if: ctx.source?.nat?.ip != null - append: field: related.ip - value: "{{destination.ip}}" + value: "{{{destination.ip}}}" allow_duplicates: false if: ctx.destination?.ip != null - append: field: related.hosts - value: "{{host.name}}" + value: "{{{host.name}}}" allow_duplicates: false if: ctx.host?.name != null - append: field: related.hosts - value: "{{source.domain}}" + value: "{{{source.domain}}}" allow_duplicates: false if: ctx.source?.domain != null - append: field: related.hosts - value: "{{dns.question.name}}" + value: "{{{dns.question.name}}}" allow_duplicates: false if: ctx.dns?.question?.name != null - foreach: @@ -691,16 +691,16 @@ processors: processor: append: field: related.hosts - value: '{{_ingest._value}}' + value: '{{{_ingest._value}}}' allow_duplicates: false - append: field: related.hash - value: "{{cisco.umbrella.sha_sha256}}" + value: "{{{cisco.umbrella.sha_sha256}}}" allow_duplicates: false if: ctx.cisco?.umbrella?.sha_sha256 != null - append: field: related.hash - value: "{{file.hash.sha256}}" + value: "{{{file.hash.sha256}}}" allow_duplicates: false if: ctx.file?.hash?.sha256 != null ########### diff --git a/packages/cisco_umbrella/manifest.yml b/packages/cisco_umbrella/manifest.yml index 3d793f7cfe2..f34528c1efd 100644 --- a/packages/cisco_umbrella/manifest.yml +++ b/packages/cisco_umbrella/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.2" name: cisco_umbrella title: Cisco Umbrella -version: "1.26.0" +version: "1.26.1" description: Collect logs from Cisco Umbrella with Elastic Agent. type: integration categories: 
diff --git a/packages/cribl/changelog.yml b/packages/cribl/changelog.yml index f7b87b3cf6d..928d18fa413 100644 --- a/packages/cribl/changelog.yml +++ b/packages/cribl/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "0.4.2" + changes: + - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines. + type: bugfix + link: https://github.com/elastic/integrations/pull/11284 - version: "0.4.1" changes: - description: Update documentation diff --git a/packages/cribl/data_stream/logs/elasticsearch/ingest_pipeline/default.yml b/packages/cribl/data_stream/logs/elasticsearch/ingest_pipeline/default.yml index e1378d7d99f..fb41d7d7ce6 100644 --- a/packages/cribl/data_stream/logs/elasticsearch/ingest_pipeline/default.yml +++ b/packages/cribl/data_stream/logs/elasticsearch/ingest_pipeline/default.yml @@ -20,4 +20,4 @@ processors: on_failure: - set: field: error.message - value: "{{ _ingest.on_failure_message }}" \ No newline at end of file + value: "{{{ _ingest.on_failure_message }}}" \ No newline at end of file diff --git a/packages/cribl/manifest.yml b/packages/cribl/manifest.yml index 8921319a3d5..cca7e892f63 100644 --- a/packages/cribl/manifest.yml +++ b/packages/cribl/manifest.yml @@ -1,7 +1,7 @@ format_version: 3.0.3 name: cribl title: "Cribl" -version: "0.4.1" +version: "0.4.2" description: Stream logs from Cribl into Elastic. type: integration categories: diff --git a/packages/crowdstrike/changelog.yml b/packages/crowdstrike/changelog.yml index fbe07d6c3a0..bb268c69892 100644 --- a/packages/crowdstrike/changelog.yml +++ b/packages/crowdstrike/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.42.1" + changes: + - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines. + type: bugfix + link: https://github.com/elastic/integrations/pull/11284 - version: "1.42.0" changes: - description: Add support of IDP and EPP alert fields. 
diff --git a/packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml b/packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml index b4b16370024..b21235e8359 100644 --- a/packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml +++ b/packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml @@ -264,25 +264,25 @@ processors: if: ctx.user?.name != null && ctx.user?.name.contains("@") - append: field: related.user - value: '{{user.name}}' + value: '{{{user.name}}}' allow_duplicates: false tag: append_related_user if: ctx.user?.name != null && ctx.user?.name != "" - append: field: related.ip - value: '{{source.ip}}' + value: '{{{source.ip}}}' allow_duplicates: false tag: append_related_src_ip if: ctx.source?.ip != null && ctx.source?.ip != "" - append: field: related.ip - value: '{{destination.ip}}' + value: '{{{destination.ip}}}' allow_duplicates: false tag: append_related_dst_ip if: ctx.destination?.ip != null && ctx.destination?.ip != "" - append: field: related.hosts - value: '{{host.name}}' + value: '{{{host.name}}}' allow_duplicates: false tag: append_related_host if: ctx.host?.name != null && ctx.host?.name != "" diff --git a/packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/detection_summary.yml b/packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/detection_summary.yml index 22dddfa4729..55e23708ced 100644 --- a/packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/detection_summary.yml +++ b/packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/detection_summary.yml 
@@ -132,19 +132,19 @@ processors: tag: rename_sha1_string - append: field: related.hash - value: "{{file.hash.sha1}}" + value: "{{{file.hash.sha1}}}" allow_duplicates: false tag: append_sha1_hash if: ctx.file?.hash?.sha1 != null && ctx.file?.hash?.sha1 != "" - append: field: related.hash - value: "{{file.hash.sha256}}" + value: "{{{file.hash.sha256}}}" allow_duplicates: false tag: append_sha256_hash if: ctx.file?.hash?.sha256 != null && ctx.file?.hash?.sha256 != "" - append: field: related.hash - value: "{{file.hash.md5}}" + value: "{{{file.hash.md5}}}" allow_duplicates: false tag: append_md5_hash if: ctx.file?.hash?.md5 != null && ctx.file?.hash?.md5 != "" diff --git a/packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/firewall_match.yml b/packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/firewall_match.yml index 2d378dddb5d..1e8d447e2b9 100644 --- a/packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/firewall_match.yml +++ b/packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/firewall_match.yml @@ -44,7 +44,7 @@ processors: if: ctx._tmp_?.action == null - set: field: message - value: "Firewall Rule: '{{crowdstrike.event.RuleName}}' triggered - Action: '{{_tmp_.action}}'" + value: "Firewall Rule: '{{{crowdstrike.event.RuleName}}}' triggered - Action: '{{{_tmp_.action}}}'" tag: set_message if: ctx.crowdstrike?.event?.RuleName != null - rename: diff --git a/packages/crowdstrike/manifest.yml b/packages/crowdstrike/manifest.yml index b5c299ad1db..abab9a8ec6b 100644 --- a/packages/crowdstrike/manifest.yml +++ b/packages/crowdstrike/manifest.yml @@ -1,6 +1,6 @@ name: crowdstrike title: CrowdStrike -version: "1.42.0" +version: "1.42.1" description: Collect logs from Crowdstrike with Elastic Agent. type: integration format_version: "3.0.3" diff --git a/packages/cyberark_pta/changelog.yml b/packages/cyberark_pta/changelog.yml index 518877773d5..3c38b94cc91 100644 
--- a/packages/cyberark_pta/changelog.yml +++ b/packages/cyberark_pta/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.10.1" + changes: + - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines. + type: bugfix + link: https://github.com/elastic/integrations/pull/11284 - version: "1.10.0" changes: - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. diff --git a/packages/cyberark_pta/data_stream/events/elasticsearch/ingest_pipeline/default.yml b/packages/cyberark_pta/data_stream/events/elasticsearch/ingest_pipeline/default.yml index 04f7760b78d..0ecec820a24 100644 --- a/packages/cyberark_pta/data_stream/events/elasticsearch/ingest_pipeline/default.yml +++ b/packages/cyberark_pta/data_stream/events/elasticsearch/ingest_pipeline/default.yml 
@@ -7,28 +7,28 @@ processors: value: '8.11.0' - set: field: event.action - value: "{{cef.extensions.deviceCustomString5}}" + value: "{{{cef.extensions.deviceCustomString5}}}" if: "ctx?.cef?.extensions?.deviceCustomString5 != null && ctx?.cef?.extensions?.deviceCustomString5 != ''" - set: field: '@timestamp' - value: "{{cef.extensions.deviceCustomDate1}}" + value: "{{{cef.extensions.deviceCustomDate1}}}" ignore_empty_value: true override: true - set: field: event.id - value: "{{cef.extensions.deviceCustomString2}}" + value: "{{{cef.extensions.deviceCustomString2}}}" if: "ctx?.cef?.extensions?.deviceCustomString2 != null && ctx?.cef?.extensions?.deviceCustomString2 != ''" - set: field: event.reference - value: "{{cef.extensions.deviceCustomString3}}" + value: "{{{cef.extensions.deviceCustomString3}}}" if: "ctx?.cef?.extensions?.deviceCustomString3 != null && ctx?.cef?.extensions?.deviceCustomString3 != ''" - set: field: event.url - value: "{{cef.extensions.deviceCustomString4}}" + value: "{{{cef.extensions.deviceCustomString4}}}" if: "ctx?.cef?.extensions?.deviceCustomString4 != null && ctx?.cef?.extensions?.deviceCustomString4 != ''" - set: field: cyberark_pta.log.event_type - value: "{{cef.device.event_class_id}}" + value: "{{{cef.device.event_class_id}}}" if: "ctx?.cef?.device?.event_class_id != null && ctx?.cef?.device?.event_class_id != ''" - rename: field: message @@ -44,7 +44,7 @@ processors: on_failure: - append: field: error.message - value: "{{ _ingest.on_failure_message }}" + value: "{{{ _ingest.on_failure_message }}}" - set: field: event.kind value: pipeline_error diff --git a/packages/cyberark_pta/manifest.yml b/packages/cyberark_pta/manifest.yml index 4174cdcb71f..2b34d586d9e 100644 --- a/packages/cyberark_pta/manifest.yml +++ b/packages/cyberark_pta/manifest.yml 
@@ -1,6 +1,6 @@ name: cyberark_pta title: Cyberark Privileged Threat Analytics -version: "1.10.0" +version: "1.10.1" description: Collect security logs from Cyberark PTA integration. type: integration format_version: "3.0.3" diff --git a/packages/cylance/changelog.yml b/packages/cylance/changelog.yml index 9d526f2fb04..289ebbec959 100644 --- a/packages/cylance/changelog.yml +++ b/packages/cylance/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "0.21.1" + changes: + - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines. + type: bugfix + link: https://github.com/elastic/integrations/pull/11284 - version: "0.21.0" changes: - description: "Allow @custom pipeline access to event.original without setting preserve_original_event." diff --git a/packages/cylance/data_stream/protect/elasticsearch/ingest_pipeline/default.yml b/packages/cylance/data_stream/protect/elasticsearch/ingest_pipeline/default.yml index d8e1f9aecca..0a89c45a638 100644 --- a/packages/cylance/data_stream/protect/elasticsearch/ingest_pipeline/default.yml +++ b/packages/cylance/data_stream/protect/elasticsearch/ingest_pipeline/default.yml @@ -68,7 +68,7 @@ processors: ignore_missing: true - append: field: related.hosts - value: '{{host.name}}' + value: '{{{host.name}}}' allow_duplicates: false if: ctx.host?.name != null && ctx.host?.name != '' on_failure: @@ -77,4 +77,4 @@ on_failure: value: pipeline_error - append: field: error.message - value: "{{ _ingest.on_failure_message }}" + value: "{{{ _ingest.on_failure_message }}}" diff --git a/packages/cylance/manifest.yml b/packages/cylance/manifest.yml index a2b63faa5b3..d97a76f61dc 100644 --- a/packages/cylance/manifest.yml +++ b/packages/cylance/manifest.yml 
@@ -1,7 +1,7 @@ format_version: 2.7.0 name: cylance title: CylanceProtect Logs -version: "0.21.0" +version: "0.21.1" description: Collect logs from CylanceProtect devices with Elastic Agent. categories: ["security", "edr_xdr"] type: integration diff --git a/packages/f5/changelog.yml b/packages/f5/changelog.yml index fe92c2c1f62..8d4e7ef6c49 100644 --- a/packages/f5/changelog.yml +++ b/packages/f5/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "0.17.3" + changes: + - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines. + type: bugfix + link: https://github.com/elastic/integrations/pull/11284 - version: "0.17.2" changes: - description: Changed owners diff --git a/packages/f5/data_stream/bigipafm/elasticsearch/ingest_pipeline/default.yml b/packages/f5/data_stream/bigipafm/elasticsearch/ingest_pipeline/default.yml index 12586ecc052..af4abdeb6b1 100644 --- a/packages/f5/data_stream/bigipafm/elasticsearch/ingest_pipeline/default.yml +++ b/packages/f5/data_stream/bigipafm/elasticsearch/ingest_pipeline/default.yml @@ -78,7 +78,7 @@ processors: ignore_missing: true - append: field: related.hosts - value: '{{host.name}}' + value: '{{{host.name}}}' allow_duplicates: false if: ctx.host?.name != null && ctx.host?.name != '' - remove: diff --git a/packages/f5/data_stream/bigipapm/elasticsearch/ingest_pipeline/default.yml b/packages/f5/data_stream/bigipapm/elasticsearch/ingest_pipeline/default.yml index 0421c24590b..a3823c79cd0 100644 --- a/packages/f5/data_stream/bigipapm/elasticsearch/ingest_pipeline/default.yml +++ b/packages/f5/data_stream/bigipapm/elasticsearch/ingest_pipeline/default.yml @@ -78,7 +78,7 @@ processors: ignore_missing: true - append: field: related.hosts - value: '{{host.name}}' + value: '{{{host.name}}}' allow_duplicates: false if: ctx.host?.name != null && ctx.host?.name != '' - remove: diff --git a/packages/f5/manifest.yml b/packages/f5/manifest.yml index 77b25e98f66..81a12a35598 100644 
--- a/packages/f5/manifest.yml +++ b/packages/f5/manifest.yml @@ -1,7 +1,7 @@ format_version: 1.0.0 name: f5 title: F5 Logs (Deprecated) -version: "0.17.2" +version: "0.17.3" description: Deprecated. Use the F5 BIG-IP package instead. categories: ["observability", "load_balancer"] release: experimental diff --git a/packages/falco/changelog.yml b/packages/falco/changelog.yml index 6aaef9aaa66..a794c7acdea 100644 --- a/packages/falco/changelog.yml +++ b/packages/falco/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.0.1" + changes: + - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines. + type: bugfix + link: https://github.com/elastic/integrations/pull/11284 - version: "1.0.0" changes: - description: Release package as GA. diff --git a/packages/falco/data_stream/alerts/_dev/test/pipeline/test-falco.log-expected.json b/packages/falco/data_stream/alerts/_dev/test/pipeline/test-falco.log-expected.json index f7ddbfeb6cb..b93e135de60 100644 --- a/packages/falco/data_stream/alerts/_dev/test/pipeline/test-falco.log-expected.json +++ b/packages/falco/data_stream/alerts/_dev/test/pipeline/test-falco.log-expected.json 
@@ -10,7 +10,7 @@ "category": [ "process" ], - "ingested": "2024-09-10T23:29:32.056005301Z", + "ingested": "2024-10-01T07:45:33.384604281Z", "kind": "alert", "original": "{\"hostname\":\"97ade2b595f0\",\"output\":\"2024-05-07T18:54:19.341081180+0000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=runc ggparent=init gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run --loop terminal=0 container_id=9656db3bb358 container_name=elastic-package-service-falco-event-generator-1)\",\"priority\":\"Warning\",\"rule\":\"Read sensitive file untrusted\",\"source\":\"syscall\",\"tags\":[\"T1555\",\"container\",\"filesystem\",\"host\",\"maturity_stable\",\"mitre_credential_access\"],\"time\":\"2024-05-07T18:54:19.341081180Z\", \"output_fields\": {\"container.id\":\"9656db3bb358\",\"container.name\":\"elastic-package-service-falco-event-generator-1\",\"evt.time.iso8601\":1715108059341081180,\"evt.type\":\"openat\",\"fd.name\":\"/etc/shadow\",\"proc.cmdline\":\"event-generator run --loop\",\"proc.exepath\":\"/bin/event-generator\",\"proc.name\":\"event-generator\",\"proc.pname\":\"containerd-shim\",\"proc.tty\":0,\"user.loginuid\":-1,\"user.name\":\"root\",\"user.uid\":0}}", "provider": "syscall", 
@@ -116,7 +116,7 @@ "category": [ "process" ], - "ingested": "2024-09-10T23:29:32.056013593Z", + "ingested": "2024-10-01T07:45:33.384618783Z", "kind": "alert", "original": "{\"hostname\":\"97ade2b595f0\",\"output\":\"2024-05-07T18:54:20.008519431+0000: Informational System user ran an interactive command (evt_type=execve user=daemon user_uid=2 user_loginuid=-1 process=login proc_exepath=/bin/busybox parent=event-generator command=login terminal=0 exe_flags=0 container_id=9656db3bb358 container_name=elastic-package-service-falco-event-generator-1)\",\"priority\":\"Informational\",\"rule\":\"System user interactive\",\"source\":\"syscall\",\"tags\":[\"NIST_800-53_AC-2\",\"T1059\",\"container\",\"host\",\"maturity_stable\",\"mitre_execution\",\"users\"],\"time\":\"2024-05-07T18:54:20.008519431Z\", \"output_fields\": {\"container.id\":\"9656db3bb358\",\"container.name\":\"elastic-package-service-falco-event-generator-1\",\"evt.time.iso8601\":1715108060008519431,\"evt.type\":\"execve\",\"proc.cmdline\":\"login\",\"proc.exepath\":\"/bin/busybox\",\"proc.name\":\"login\",\"proc.pname\":\"event-generator\",\"proc.tty\":0,\"user.loginuid\":-1,\"user.name\":\"daemon\",\"user.uid\":2}}", "provider": "syscall", 
@@ -228,7 +228,7 @@ "category": [ "process" ], - "ingested": "2024-09-10T23:29:32.056014551Z", + "ingested": "2024-10-01T07:45:33.384619722Z", "kind": "alert", "original": "{\"hostname\":\"97ade2b595f0\",\"output\":\"2024-05-07T18:54:26.271403849+0000: Warning Sensitive file opened for reading by trusted program after startup (file=/etc/shadow pcmdline=event-generator run --loop gparent=containerd-shim ggparent=runc gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=httpd proc_exepath=/bin/event-generator parent=event-generator command=httpd --loglevel info run ^syscall.ReadSensitiveFileUntrusted$ --sleep 6s terminal=0 container_id=9656db3bb358 container_name=elastic-package-service-falco-event-generator-1)\",\"priority\":\"Warning\",\"rule\":\"Read sensitive file trusted after startup\",\"source\":\"syscall\",\"tags\":[\"T1555\",\"container\",\"filesystem\",\"host\",\"maturity_stable\",\"mitre_credential_access\"],\"time\":\"2024-05-07T18:54:26.271403849Z\", \"output_fields\": {\"container.id\":\"9656db3bb358\",\"container.full_id\":\"9656db3bb3588e7b23da7d48fe889434573036c27ae5a74837233de441c3601e\",\"container.name\":\"elastic-package-service-falco-event-generator-1\",\"container.image\": \"falcosecurity/event-generator:0.10.0\",\"container.image.tag\":\"0.10.0\",\"container.image.digest\":[\"sha256:d977378f890d445c15e51795296e4e5062f109ce6da83e0a355fc4ad8699d27\"],\"container.image.id\":\"16e0fa09a4f1018f22be6cce3ec21848dccaa566b063bda4c814c37dc36adfea\",\"container.image.repository\":\"falcosecurity/event-generator\",\"evt.time.iso8601\":1715108066271403849,\"evt.type\":\"openat\",\"fd.name\":\"/etc/shadow\",\"proc.cmdline\":\"httpd --loglevel info run ^syscall.ReadSensitiveFileUntrusted$ --sleep 6s\",\"proc.exepath\":\"/bin/event-generator\",\"proc.name\":\"httpd\",\"proc.pcmdline\":\"event-generator run --loop\",\"proc.pname\":\"event-generator\",\"proc.tty\":0,\"user.loginuid\":-1,\"user.name\":\"root\",\"user.uid\":0}}", 
"provider": "syscall", @@ -346,7 +346,7 @@ "category": [ "process" ], - "ingested": "2024-09-10T23:29:32.056015343Z", + "ingested": "2024-10-01T07:45:33.384620462Z", "kind": "alert", "original": "{\"hostname\":\"97ade2b595f0\",\"output\":\"2024-05-07T18:54:27.767673017+0000: Notice Shell spawned by untrusted binary (parent_exe=/tmp/falco-event-generator3982217557/httpd parent_exepath=/bin/event-generator pcmdline=httpd --loglevel info run ^helper.RunShell$ gparent=event-generator ggparent=containerd-shim aname[4]=runc aname[5]=init aname[6]=init aname[7]= evt_type=execve user=root user_uid=0 user_loginuid=-1 process=bash proc_exepath=/bin/bash parent=httpd command=bash -c ls > /dev/null terminal=0 exe_flags=EXE_WRITABLE container_id=9656db3bb358 container_name=elastic-package-service-falco-event-generator-1)\",\"priority\":\"Notice\",\"rule\":\"Run shell untrusted\",\"source\":\"syscall\",\"tags\":[\"T1059.004\",\"container\",\"host\",\"maturity_stable\",\"mitre_execution\",\"process\",\"shell\"],\"time\":\"2024-05-07T18:54:27.767673017Z\", \"output_fields\": {\"container.id\":\"9656db3bb358\",\"container.name\":\"elastic-package-service-falco-event-generator-1\",\"evt.time.iso8601\":1715108067767673017,\"evt.type\":\"execve\",\"proc.cmdline\":\"bash -c ls > /dev/null\",\"proc.exepath\":\"/bin/bash\",\"proc.name\":\"bash\",\"proc.pcmdline\":\"httpd --loglevel info run ^helper.RunShell$\",\"proc.pexe\":\"/tmp/falco-event-generator3982217557/httpd\",\"proc.pexepath\":\"/bin/event-generator\",\"proc.pname\":\"httpd\",\"proc.tty\":0,\"user.loginuid\":-1,\"user.name\":\"root\",\"user.uid\":0}}", "provider": "syscall", 
@@ -458,7 +458,7 @@ "category": [ "process" ], - "ingested": "2024-09-10T23:29:32.056016093Z", + "ingested": "2024-10-01T07:45:33.384621061Z", "kind": "alert", "original": "{\"hostname\":\"97ade2b595f0\",\"output\":\"2024-05-07T18:54:20.008519431+0000: Informational System user ran an interactive command (evt_type=execve user=daemon user_uid=2 user_loginuid=-1 process=login proc_exepath=/bin/busybox parent=event-generator command=login terminal=0 exe_flags=0 container_id=9656db3bb358 container_name=elastic-package-service-falco-event-generator-1)\",\"priority\":\"Informational\",\"rule\":\"System user interactive\",\"source\":\"syscall\",\"tags\":[],\"time\":\"2024-05-07T18:54:20.008519431Z\", \"output_fields\": {\"container.id\":\"9656db3bb358\",\"container.name\":\"elastic-package-service-falco-event-generator-1\",\"evt.time.iso8601\":1715108060008519431,\"evt.type\":\"execve\",\"proc.cmdline\":\"login\",\"proc.exepath\":\"/bin/busybox\",\"proc.name\":\"login\",\"proc.pname\":\"event-generator\",\"proc.tty\":0,\"user.loginuid\":-1,\"user.name\":\"daemon\",\"user.uid\":2}}", "provider": "syscall", 
@@ -551,7 +551,7 @@ "category": [ "process" ], - "ingested": "2024-09-10T23:29:32.056016843Z", + "ingested": "2024-10-01T07:45:33.384621548Z", "kind": "alert", "original": "{\"hostname\":\"a2000de987ff\",\"output\":\"2024-05-13T13:23:26.104747558+0000: Informational System user ran an interactive command (evt_type=execve user=daemon user_uid=2 user_loginuid=-1 process=login proc_exepath=/bin/busybox parent=event-generator command=login terminal=0 exe_flags=0 container_id=84c0b936c919 container_name=elastic-package-service-falco-event-generator-1)\",\"priority\":\"Informational\",\"rule\":\"System user interactive\",\"source\":\"syscall\",\"tags\":[\"NIST_800-53_AC-2\",\"T1059\",\"container\",\"host\",\"maturity_stable\",\"mitre_execution\",\"users\"],\"time\":\"2024-05-13T13:23:26.104747558Z\", \"output_fields\": {\"container.id\":\"84c0b936c919\",\"container.name\":\"elastic-package-service-falco-event-generator-1\",\"evt.arg.flags\":\"0\",\"evt.time.iso8601\":1715606606104747558,\"evt.type\":\"execve\",\"proc.cmdline\":\"login\",\"proc.exepath\":\"/bin/busybox\",\"proc.name\":\"login\",\"proc.pname\":\"event-generator\",\"proc.tty\":0,\"user.loginuid\":-1,\"user.name\":\"daemon\",\"user.uid\":2}}", "provider": "syscall", 
@@ -656,7 +656,7 @@ "category": [ "process" ], - "ingested": "2024-09-10T23:29:32.056017551Z", + "ingested": "2024-10-01T07:45:33.384622035Z", "kind": "alert", "original": "{\"hostname\":\"a2000de987ff\",\"output\":\"2024-05-13T13:23:27.021777225+0000: Notice Shell spawned by untrusted binary (parent_exe=/tmp/falco-event-generator2286495765/httpd parent_exepath=/bin/event-generator pcmdline=httpd --loglevel info run ^helper.RunShell$ gparent=event-generator ggparent=containerd-shim aname[4]=runc aname[5]=init aname[6]=init aname[7]= evt_type=execve user=root user_uid=0 user_loginuid=-1 process=bash proc_exepath=/bin/bash parent=httpd command=bash -c ls > /dev/null terminal=0 exe_flags=EXE_WRITABLE container_id=84c0b936c919 container_name=elastic-package-service-falco-event-generator-1)\",\"priority\":\"Notice\",\"rule\":\"Run shell untrusted\",\"source\":\"syscall\",\"tags\":[\"T1059.004\",\"container\",\"host\",\"maturity_stable\",\"mitre_execution\",\"process\",\"shell\"],\"time\":\"2024-05-13T13:23:27.021777225Z\", \"output_fields\": {\"container.id\":\"84c0b936c919\",\"container.name\":\"elastic-package-service-falco-event-generator-1\",\"evt.arg.flags\":\"EXE_WRITABLE\",\"evt.time.iso8601\":1715606607021777225,\"evt.type\":\"execve\",\"proc.aname[2]\":\"event-generator\",\"proc.aname[3]\":\"containerd-shim\",\"proc.aname[4]\":\"runc\",\"proc.aname[5]\":\"init\",\"proc.aname[6]\":\"init\",\"proc.aname[7]\":null,\"proc.cmdline\":\"bash -c ls > /dev/null\",\"proc.exepath\":\"/bin/bash\",\"proc.name\":\"bash\",\"proc.pcmdline\":\"httpd --loglevel info run ^helper.RunShell$\",\"proc.pexe\":\"/tmp/falco-event-generator2286495765/httpd\",\"proc.pexepath\":\"/bin/event-generator\",\"proc.pname\":\"httpd\",\"proc.tty\":0,\"user.loginuid\":-1,\"user.name\":\"root\",\"user.uid\":0}}", "provider": "syscall", 
@@ -769,7 +769,7 @@ "category": [ "process" ], - "ingested": "2024-09-10T23:29:32.056018260Z", + "ingested": "2024-10-01T07:45:33.384622511Z", "kind": "alert", "original": "{\"hostname\":\"a2000de987ff\",\"output\":\"2024-05-13T13:23:28.170686725+0000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=runc ggparent=init gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run --loop terminal=0 container_id=84c0b936c919 container_name=elastic-package-service-falco-event-generator-1)\",\"priority\":\"Warning\",\"rule\":\"Read sensitive file untrusted\",\"source\":\"syscall\",\"tags\":[\"T1555\",\"container\",\"filesystem\",\"host\",\"maturity_stable\",\"mitre_credential_access\"],\"time\":\"2024-05-13T13:23:28.170686725Z\", \"output_fields\": {\"container.id\":\"84c0b936c919\",\"container.name\":\"elastic-package-service-falco-event-generator-1\",\"evt.time.iso8601\":1715606608170686725,\"evt.type\":\"openat\",\"fd.name\":\"/etc/shadow\",\"proc.aname[2]\":\"runc\",\"proc.aname[3]\":\"init\",\"proc.aname[4]\":\"init\",\"proc.cmdline\":\"event-generator run --loop\",\"proc.exepath\":\"/bin/event-generator\",\"proc.name\":\"event-generator\",\"proc.pname\":\"containerd-shim\",\"proc.tty\":0,\"user.loginuid\":-1,\"user.name\":\"root\",\"user.uid\":0}}", "provider": "syscall", 
@@ -875,7 +875,7 @@ "category": [ "process" ], - "ingested": "2024-09-10T23:29:32.056019051Z", + "ingested": "2024-10-01T07:45:33.384623306Z", "kind": "alert", "original": "{\"hostname\":\"a2000de987ff\",\"output\":\"2024-05-13T13:23:29.089890892+0000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=runc ggparent=init gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run --loop terminal=0 container_id=84c0b936c919 container_name=elastic-package-service-falco-event-generator-1)\",\"priority\":\"Warning\",\"rule\":\"Read sensitive file untrusted\",\"source\":\"syscall\",\"tags\":[\"T1555\",\"container\",\"filesystem\",\"host\",\"maturity_stable\",\"mitre_credential_access\"],\"time\":\"2024-05-13T13:23:29.089890892Z\", \"output_fields\": {\"container.id\":\"84c0b936c919\",\"container.name\":\"elastic-package-service-falco-event-generator-1\",\"evt.time.iso8601\":1715606609089890892,\"evt.type\":\"openat\",\"fd.name\":\"/etc/shadow\",\"proc.aname[2]\":\"runc\",\"proc.aname[3]\":\"init\",\"proc.aname[4]\":\"init\",\"proc.cmdline\":\"event-generator run --loop\",\"proc.exepath\":\"/bin/event-generator\",\"proc.name\":\"event-generator\",\"proc.pname\":\"containerd-shim\",\"proc.tty\":0,\"user.loginuid\":-1,\"user.name\":\"root\",\"user.uid\":0}}", "provider": "syscall", 
@@ -981,7 +981,7 @@ "category": [ "process" ], - "ingested": "2024-09-10T23:29:32.056019801Z", + "ingested": "2024-10-01T07:45:33.384623860Z", "kind": "alert", "original": "{\"hostname\":\"a2000de987ff\",\"output\":\"2024-05-13T13:23:29.089890892+0000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=runc ggparent=init gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run --loop terminal=0 container_id=84c0b936c919 container_name=elastic-package-service-falco-event-generator-1)\",\"priority\":\"Warning\",\"rule\":\"Read sensitive file untrusted\",\"source\":\"syscall\",\"tags\":[\"T1555\",\"container\",\"filesystem\",\"host\",\"maturity_stable\",\"mitre_credential_access\"],\"time\":\"2024-05-13T13:23:29.089890892Z\", \"output_fields\": {\"container.id\":\"84c0b936c919\",\"container.name\":\"elastic-package-service-falco-event-generator-1\",\"evt.time.iso8601\":1715606609089890892,\"evt.type\":\"openat\",\"evt.res\": \"SUCCESS\",\"fd.name\":\"/etc/shadow\",\"proc.aname[2]\":\"runc\",\"proc.aname[3]\":\"init\",\"proc.aname[4]\":\"init\",\"proc.cmdline\":\"event-generator run --loop\",\"proc.exepath\":\"/bin/event-generator\",\"proc.name\":\"event-generator\",\"proc.pname\":\"containerd-shim\",\"proc.tty\":0,\"user.loginuid\":-1,\"user.name\":\"root\",\"user.uid\":0}}", "outcome": "success", 
@@ -1089,7 +1089,7 @@ "category": [ "process" ], - "ingested": "2024-09-10T23:29:32.056020510Z", + "ingested": "2024-10-01T07:45:33.384624576Z", "kind": "alert", "original": "{\"hostname\":\"a2000de987ff\",\"output\":\"2024-05-13T13:23:29.089890892+0000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=runc ggparent=init gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run --loop terminal=0 container_id=84c0b936c919 container_name=elastic-package-service-falco-event-generator-1)\",\"priority\":\"Warning\",\"rule\":\"Read sensitive file untrusted\",\"source\":\"syscall\",\"tags\":[\"T1555\",\"container\",\"filesystem\",\"host\",\"maturity_stable\",\"mitre_credential_access\"],\"time\":\"2024-05-13T13:23:29.089890892Z\", \"output_fields\": {\"container.id\":\"84c0b936c919\",\"container.name\":\"elastic-package-service-falco-event-generator-1\",\"evt.time.iso8601\":1715606609089890892,\"evt.type\":\"openat\",\"evt.res\": \"ENOENT\",\"evt.failed\":true,\"fd.name\":\"/etc/shadow\",\"proc.aname[2]\":\"runc\",\"proc.aname[3]\":\"init\",\"proc.aname[4]\":\"init\",\"proc.cmdline\":\"event-generator run --loop\",\"proc.exepath\":\"/bin/event-generator\",\"proc.name\":\"event-generator\",\"proc.pname\":\"containerd-shim\",\"proc.tty\":0,\"user.loginuid\":-1,\"user.name\":\"root\",\"user.uid\":0}}", "outcome": "failure", 
@@ -1198,7 +1198,7 @@ "category": [ "process" ], - "ingested": "2024-09-10T23:29:32.056021343Z", + "ingested": "2024-10-01T07:45:33.384625192Z", "kind": "alert", "original": "{\"hostname\":\"a2000de987ff\",\"output\":\"2024-05-13T13:23:31.089890892+0000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=runc ggparent=init gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run --loop terminal=0 container_id=84c0b936c919 container_name=elastic-package-service-falco-event-generator-1)\",\"priority\":\"Warning\",\"rule\":\"Read sensitive file untrusted\",\"source\":\"syscall\",\"tags\":[\"T1555\",\"container\",\"filesystem\",\"host\",\"maturity_stable\",\"mitre_credential_access\"],\"time\":\"2024-05-13T13:23:31.089890892Z\", \"output_fields\": {\"container.id\":\"84c0b936c919\",\"container.name\":\"elastic-package-service-falco-event-generator-1\",\"evt.time.iso8601\":1715606609089890892,\"evt.num\":4525,\"evt.type\":\"openat\",\"evt.res\": \"ENOENT\",\"evt.failed\":true,\"fd.name\":\"/etc/shadow\",\"k8s.ns.name\":\"kubernetes-ns\",\"k8s.pod.ip\":\"175.16.199.0/24\",\"k8s.pod.name\":\"kubernetes-pod-1\",\"k8s.pod.uid\":\"aadadjh763wiuh\",\"k8s.pod.labels\":[\"key1:value1\",\"key2:value2\",\"key3:value3\"],\"proc.aname[2]\":\"runc\",\"proc.aname[3]\":\"init\",\"proc.aname[4]\":\"init\",\"proc.cmdline\":\"event-generator run --loop\",\"proc.exepath\":\"/bin/event-generator\",\"proc.name\":\"event-generator\",\"proc.pname\":\"containerd-shim\",\"proc.tty\":0,\"user.loginuid\":-1,\"user.name\":\"root\",\"user.uid\":0}}", "outcome": "failure", 
@@ -1337,7 +1337,7 @@ "category": [ "process" ], - "ingested": "2024-09-10T23:29:32.056022051Z", + "ingested": "2024-10-01T07:45:33.384625725Z", "kind": "alert", "original": "{\"hostname\":\"a2000de987ff\",\"output\":\"2024-05-13T13:23:33.089890892+0000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=runc ggparent=init gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run --loop terminal=0 container_id=84c0b936c919 container_name=elastic-package-service-falco-event-generator-1)\",\"priority\":\"Warning\",\"rule\":\"Read sensitive file untrusted\",\"source\":\"syscall\",\"tags\":[\"T1555\",\"container\",\"filesystem\",\"host\",\"maturity_stable\",\"mitre_credential_access\"],\"time\":\"2024-05-13T13:23:33.089890892Z\", \"output_fields\": {\"container.id\":\"84c0b936c919\",\"container.mounts\":\"/proc/sys/fs/binfmt_misc:/tmp/binary:bind:ro:private /var/log:/mnt/log:bind:rw:shared\",\"container.name\":\"elastic-package-service-falco-event-generator-1\",\"evt.time.iso8601\":1715606609089890892,\"evt.type\":\"openat\",\"evt.res\": \"ENOENT\",\"evt.failed\":true,\"fd.name\":\"/etc/shadow\",\"proc.aname[2]\":\"runc\",\"proc.aname[3]\":\"init\",\"proc.aname[4]\":\"init\",\"proc.cmdline\":\"event-generator run --loop\",\"proc.exepath\":\"/bin/event-generator\",\"proc.name\":\"event-generator\",\"proc.pname\":\"containerd-shim\",\"proc.tty\":0,\"user.loginuid\":-1,\"user.name\":\"root\",\"user.uid\":0}}", "outcome": "failure", 
@@ -1472,7 +1472,7 @@ "category": [ "process" ], - "ingested": "2024-09-10T23:29:32.056022885Z", + "ingested": "2024-10-01T07:45:33.384626243Z", "kind": "alert", "original": "{\"hostname\":\"a2000de987ff\",\"output\":\"2024-05-13T13:23:34.089890892+0000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=runc ggparent=init gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run --loop terminal=0 container_id=84c0b936c919 container_name=elastic-package-service-falco-event-generator-1)\",\"priority\":\"Warning\",\"rule\":\"Read sensitive file untrusted\",\"source\":\"syscall\",\"tags\":[\"T1555\",\"container\",\"filesystem\",\"host\",\"maturity_stable\",\"mitre_credential_access\"],\"time\":\"2024-05-13T13:23:34.089890892Z\", \"output_fields\": {\"container.id\":\"84c0b936c919\",\"container.name\":\"elastic-package-service-falco-event-generator-1\",\"container.type\":\"docker\",\"container.privileged\":true,\"container.ip\":\"81.2.69.144\",\"evt.time.iso8601\":1715606609089890892,\"evt.type\":\"openat\",\"evt.res\": \"ENOENT\",\"fd.cip.name\":\"example.com\",\"fd.sip.name\":\"otherexample.com\",\"fd.rip.name\":\"fourthexample.com\",\"fd.lip.name\":\"thirdexample.com\",\"evt.failed\":true,\"fd.name\":\"/etc/shadow\",\"proc.aname[2]\":\"runc\",\"proc.aname[3]\":\"init\",\"proc.aname[4]\":\"init\",\"proc.cmdline\":\"event-generator run --loop\",\"proc.exepath\":\"/bin/event-generator\",\"proc.name\":\"event-generator\",\"proc.pname\":\"containerd-shim\",\"proc.tty\":0,\"user.loginuid\":-1,\"user.name\":\"root\",\"user.uid\":0}}", "outcome": "failure", 
@@ -1615,7 +1615,7 @@ "category": [ "process" ], - "ingested": "2024-09-10T23:29:32.056023676Z", + "ingested": "2024-10-01T07:45:33.384626724Z", "kind": "alert", "original": "{\"hostname\":\"a2000de987ff\",\"output\":\"2024-05-13T13:23:36.089890892+0000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=runc ggparent=init gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run --loop terminal=0 container_id=84c0b936c919 container_name=elastic-package-service-falco-event-generator-1)\",\"priority\":\"Warning\",\"rule\":\"Read sensitive file untrusted\",\"source\":\"syscall\",\"tags\":[\"T1555\",\"container\",\"filesystem\",\"host\",\"maturity_stable\",\"mitre_credential_access\"],\"time\":\"2024-05-13T13:23:36.089890892Z\", \"output_fields\": {\"container.id\":\"84c0b936c919\",\"container.name\":\"elastic-package-service-falco-event-generator-1\",\"evt.time.iso8601\":1715606609089890892,\"evt.type\":\"openat\",\"evt.res\": \"ENOENT\",\"evt.failed\":true,\"fd.name\":\"/etc/shadow\",\"fd.directory\":\"var/log/example\",\"fd.filename\":\"example.tar.gz\",\"fd.cip\":\"216.160.83.56\",\"fd.sip\":\"89.160.20.112\",\"fd.lip\":\"89.160.20.128\",\"fd.rip\":\"67.43.156.0\",\"fd.cport\":5400,\"fd.sport\":5700,\"fd.lport\":5689,\"fd.rport\":6789,\"fd.ino\":\"567874\",\"proc.aname[2]\":\"runc\",\"proc.aname[3]\":\"init\",\"proc.aname[4]\":\"init\",\"proc.cmdline\":\"event-generator run --loop\",\"proc.exepath\":\"/bin/event-generator\",\"proc.name\":\"event-generator\",\"proc.pname\":\"containerd-shim\",\"proc.tty\":0,\"user.loginuid\":-1,\"user.name\":\"root\",\"user.uid\":0}}", "outcome": "failure", 
@@ -1758,7 +1758,7 @@ "category": [ "process" ], - "ingested": "2024-09-10T23:29:32.056024426Z", + "ingested": "2024-10-01T07:45:33.384627406Z", "kind": "alert", "original": "{\"hostname\":\"a2000de987ff\",\"output\":\"2024-05-13T13:23:37.089890892+0000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=runc ggparent=init gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run --loop terminal=0 container_id=84c0b936c919 container_name=elastic-package-service-falco-event-generator-1)\",\"priority\":\"Critical\",\"rule\":\"Read sensitive file untrusted\",\"source\":\"syscall\",\"tags\":[\"T1555\",\"container\",\"filesystem\",\"host\",\"maturity_stable\",\"mitre_credential_access\"],\"time\":\"2024-05-13T13:23:37.089890892Z\", \"output_fields\": {\"container.id\":\"84c0b936c919\",\"container.name\":\"elastic-package-service-falco-event-generator-1\",\"evt.time.iso8601\":1715606609089890892,\"evt.type\":\"openat\",\"evt.res\": \"ENOENT\",\"evt.failed\":true,\"fd.name\":\"/etc/shadow\",\"proc.aname[2]\":\"runc\",\"group.gid\":\"123355\",\"group.name\":\"test-1\",\"proc.aname[3]\":\"init\",\"proc.aname[4]\":\"init\",\"proc.cmdnargs\": 1,\"proc.env\":\"TEST_VALUE1=testvalue1 TEST_VALUE2=testvalue2\",\"proc.cwd\":\"/bin/event-generator\",\"proc.cmdline\":\"event-generator run --loop\",\"proc.exepath\":\"/bin/event-generator\",\"proc.args\":\"run 
--loop\",\"proc.name\":\"event-generator\",\"proc.pid\":133567,\"proc.ppid\":133568,\"proc.vpgid\":4555852,\"proc.vpgid.name\":\"generic-process\",\"proc.vpgid.exepath\":\"/bin/event-generator\",\"proc.ppid.duration\":2345,\"proc.ppid.ts\":\"23455\",\"proc.pid.ts\":\"23451\",\"proc.vpid\":133569,\"proc.pvpid\":133570,\"proc.sid\":133571,\"proc.sid.exepath\":\"/bin/event-generator\",\"proc.sname\":\"containerd-shim\",\"proc.is_sid_leader\":true,\"proc.is_vpgid_leader\":false,\"proc.pname\":\"containerd-shim\",\"proc.tty\":0,\"user.loginuid\":-1,\"user.name\":\"root\",\"user.uid\":0}}", "outcome": "failure", 
@@ -1940,7 +1940,7 @@ "category": [ "process" ], - "ingested": "2024-09-10T23:29:32.056025176Z", + "ingested": "2024-10-01T07:45:33.384627931Z", "kind": "alert", "original": "{\"hostname\":\"a2000de987ff\",\"output\":\"2024-05-13T13:23:38.089890892+0000: Warning Sensitive file opened for reading by non-trusted program (file=/etc/shadow gparent=runc ggparent=init gggparent=init evt_type=openat user=root user_uid=0 user_loginuid=-1 process=event-generator proc_exepath=/bin/event-generator parent=containerd-shim command=event-generator run --loop terminal=0 container_id=84c0b936c919 container_name=elastic-package-service-falco-event-generator-1)\",\"priority\":\"Informational\",\"rule\":\"Read sensitive file untrusted\",\"source\":\"syscall\",\"tags\":[\"T1555\",\"container\",\"filesystem\",\"host\",\"maturity_stable\",\"mitre_credential_access\"],\"time\":\"2024-05-13T13:23:38.089890892Z\", \"output_fields\": {\"container.id\":\"84c0b936c919\",\"container.name\":\"elastic-package-service-falco-event-generator-1\",\"evt.time\":1715606609089890892,\"evt.type\":\"openat\",\"evt.res\": \"ENOENT\",\"evt.failed\":true,\"fd.name\":\"/etc/shadow\",\"proc.aname[2]\":\"runc\",\"proc.aname[3]\":\"init\",\"proc.aname[4]\":\"init\",\"proc.cmdline\":\"event-generator run --loop\",\"proc.pexepath\":\"/bin/event-generator\",\"proc.exepath\":\"/bin/event-generator\",\"proc.args\":\"run --loop -v\",\"proc.name\":\"event-generator\",\"proc.pname\":\"containerd-shim\",\"proc.duration\":\"662789\",\"proc.tty\":0,\"user.loginuid\":-1,\"user.name\":\"root\",\"user.uid\":0}}", "outcome": "failure", 
@@ -2058,7 +2058,7 @@ "category": [ "process" ], - "ingested": "2024-09-10T23:29:32.056025885Z", + "ingested": "2024-10-01T07:45:33.384628397Z", "kind": "alert", "original": "{\"uuid\":\"7466e462-ddde-434d-8dee-390ca5656f83\",\"output\":\"21:35:04.518808525: Notice A shell was spawned in a container with an attached terminal (evt_type=execve user=root user_uid=0 user_loginuid=-1 process=sh proc_exepath=/bin/sh parent=containerd-shim command=sh terminal=34816 exe_flags=EXE_WRITABLE container_id=8645a7a530c3 container_image=docker.io/library/busybox container_image_tag=latest container_name=debug k8s_ns=default k8s_pod_name=debug)\",\"priority\":\"Notice\",\"rule\":\"Terminal shell in container\",\"time\":\"2024-08-28T21:35:04.518808525Z\",\"output_fields\":{\"container.id\":\"8645a7a530c3\",\"container.image.repository\":\"docker.io/library/busybox\",\"container.image.tag\":\"latest\",\"container.name\":\"debug\",\"evt.arg.flags\":\"EXE_WRITABLE\",\"evt.time\":1724880904518808600,\"evt.type\":\"execve\",\"k8s.ns.name\":\"default\",\"k8s.pod.name\":\"debug\",\"proc.cmdline\":\"sh\",\"proc.exepath\":\"/bin/sh\",\"proc.name\":\"sh\",\"proc.pname\":\"containerd-shim\",\"proc.tty\":34816,\"user.loginuid\":-1,\"user.name\":\"root\",\"user.uid\":0},\"source\":\"syscall\",\"tags\":[\"T1059\",\"container\",\"maturity_stable\",\"mitre_execution\",\"shell\"],\"hostname\":\"cluster-1-default-pool-131bf483-7km9\"}", "provider": "syscall", diff --git a/packages/falco/data_stream/alerts/_dev/test/pipeline/test-nopreserve.log-expected.json b/packages/falco/data_stream/alerts/_dev/test/pipeline/test-nopreserve.log-expected.json index b6897f37744..49c090630e9 100644 --- a/packages/falco/data_stream/alerts/_dev/test/pipeline/test-nopreserve.log-expected.json +++ b/packages/falco/data_stream/alerts/_dev/test/pipeline/test-nopreserve.log-expected.json 
@@ -10,7 +10,7 @@
"category": [
"process"
],
- "ingested": "2024-09-10T23:29:32.931966989Z",
+ "ingested": "2024-10-01T07:45:34.350857827Z",
"kind": "alert",
"provider": "syscall",
"severity": 47,
@@ -99,7 +99,7 @@
"category": [
"process"
],
- "ingested": "2024-09-10T23:29:32.931974156Z",
+ "ingested": "2024-10-01T07:45:34.350879378Z",
"kind": "alert",
"provider": "syscall",
"severity": 21,
@@ -186,7 +186,7 @@
"category": [
"process"
],
- "ingested": "2024-09-10T23:29:32.931975322Z",
+ "ingested": "2024-10-01T07:45:34.350881190Z",
"kind": "alert",
"provider": "syscall",
"severity": 47,
diff --git a/packages/falco/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml b/packages/falco/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml
index 882b702fd90..4df6cb01bba 100644
--- a/packages/falco/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/falco/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml
@@ -228,7 +228,7 @@ processors:
tag: set_event_outcome_failure
- set:
field: event.ingested
- value: '{{_ingest.timestamp}}'
+ value: '{{{_ingest.timestamp}}}'
ignore_empty_value: true
ignore_failure: true
- script:
@@ -354,7 +354,7 @@ processors:
ignore_empty_value: true
- append:
field: related.hosts
- value: '{{falco.hostname}}'
+ value: '{{{falco.hostname}}}'
if: ctx.falco?.hostname != null
allow_duplicates: false
- set:
@@ -364,12 +364,12 @@ processors:
- set:
field: file.path
- value: '{{falco.output_fields.fd.name}}'
+ value: '{{{falco.output_fields.fd.name}}}'
if: ctx.falco.output_fields.fd?.type != null && (ctx.falco.output_fields.fd.type == 'file' || ctx.falco.output_fields.fd.type == 'directory')
tag: 'painless_set_file_path'
- set:
field: file.type
- value: '{{falco.output_fields.fd.type}}'
+ value: '{{{falco.output_fields.fd.type}}}'
if: ctx.falco.output_fields.fd?.type != null && (ctx.falco.output_fields.fd.type == 'file' || ctx.falco.output_fields.fd.type == 'directory')
tag: 'painless_set_file_path'
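Review bot: Both `set` processors in the @@ -364 hunk carry the same `tag: 'painless_set_file_path'`, so a failure in the `file.type` processor is reported under the `file.path` tag; give the second one its own tag, e.g. `tag: 'painless_set_file_type'`. The guarding `if` on both processors dereferences `ctx.falco.output_fields` without a null-safe operator, so unless an earlier processor outside the hunk guarantees that object exists, an alert without `output_fields` makes the processor throw instead of skipping; `if: ctx.falco?.output_fields?.fd?.type != null && (...)` would match the `ctx.falco?.hostname` style used in the @@ -354 hunk. The conversion to triple braces looks mechanical and limited to the quoted `'{{x}}'` form, so any template in this file written differently may still be double-braced and HTML-escaped; worth a grep for remaining two-brace tags before release.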
diff --git a/packages/falco/manifest.yml b/packages/falco/manifest.yml
index 23a44d2961d..4b0f349d06b 100644
--- a/packages/falco/manifest.yml
+++ b/packages/falco/manifest.yml
@@ -1,7 +1,7 @@
format_version: 3.1.2
name: falco
title: Falco
-version: 1.0.0
+version: 1.0.1
description: Collect events and alerts from Falco using Elastic Agent
type: integration
categories:
diff --git a/packages/fireeye/changelog.yml b/packages/fireeye/changelog.yml
index 682e74ca1dd..ad274f91640 100644
--- a/packages/fireeye/changelog.yml
+++ b/packages/fireeye/changelog.yml
@@ -1,3 +1,8 @@
+- version: "1.23.1"
+ changes:
+ - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/11284
- version: "1.23.0"
changes:
- description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
diff --git a/packages/fireeye/data_stream/nx/elasticsearch/ingest_pipeline/default.yml b/packages/fireeye/data_stream/nx/elasticsearch/ingest_pipeline/default.yml
index 3b962c375ca..47f16e454cf 100644
--- a/packages/fireeye/data_stream/nx/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/fireeye/data_stream/nx/elasticsearch/ingest_pipeline/default.yml
@@ -158,21 +158,21 @@ processors:
target_field: network.community_id
- append:
field: related.ip
- value: "{{source.ip}}"
+ value: "{{{source.ip}}}"
allow_duplicates: false
if: ctx.source?.ip != null
- append:
field: related.ip
- value: "{{destination.ip}}"
+ value: "{{{destination.ip}}}"
allow_duplicates: false
if: ctx.destination?.ip != null
- append:
field: related.hash
- value: "{{tls.server.ja3s}}"
+ value: "{{{tls.server.ja3s}}}"
if: "ctx?.tls?.server?.ja3s != null"
- append:
field: related.hash
- value: "{{tls.client.ja3}}"
+ value: "{{{tls.client.ja3}}}"
if: "ctx?.tls?.client?.ja3 != null"
allow_duplicates: false
- remove:
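Review bot: The `related.hash` append for `tls.server.ja3s` is the only one of the four appends in this hunk without `allow_duplicates: false`, so a JA3S value already present in `related.hash` is added again; put `allow_duplicates: false` under its `if:` line as the sibling processors do. The two hash conditions also start with `ctx?.`, which adds nothing because `ctx` is never null in a processor condition, and the `related.ip` appends above use plain `ctx.source?.ip`; `if: ctx.tls?.server?.ja3s != null` keeps the file consistent. The enclosing `processors:` list continues beyond the hunk on both sides.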
diff --git a/packages/fireeye/manifest.yml b/packages/fireeye/manifest.yml
index fbb822585d5..ef0269add68 100644
--- a/packages/fireeye/manifest.yml
+++ b/packages/fireeye/manifest.yml
@@ -1,7 +1,7 @@
format_version: "3.0.3"
name: fireeye
title: "FireEye Network Security"
-version: "1.23.0"
+version: "1.23.1"
description: Collect logs from FireEye NX with Elastic Agent.
type: integration
categories:
diff --git a/packages/forgerock/changelog.yml b/packages/forgerock/changelog.yml
index c396f0c056b..fa522a946ce 100644
--- a/packages/forgerock/changelog.yml
+++ b/packages/forgerock/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
+- version: "1.18.3"
+ changes:
+ - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/11284
- version: "1.18.2"
changes:
- description: Fix handling of idm_core object payloads.
diff --git a/packages/forgerock/data_stream/am_access/elasticsearch/ingest_pipeline/default.yml b/packages/forgerock/data_stream/am_access/elasticsearch/ingest_pipeline/default.yml
index 971578f3dcd..b55bd2cc751 100644
--- a/packages/forgerock/data_stream/am_access/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/forgerock/data_stream/am_access/elasticsearch/ingest_pipeline/default.yml
@@ -35,7 +35,7 @@ processors:
on_failure:
- append:
field: error.message
- value: '{{ _ingest.on_failure_message }}'
+ value: '{{{ _ingest.on_failure_message }}}'
# am-access processing
- set:
field: event.type
@@ -162,7 +162,7 @@ processors:
on_failure:
- append:
field: error.message
- value: "{{ _ingest.on_failure_message }}"
+ value: "{{{ _ingest.on_failure_message }}}"
- set:
field: event.kind
value: pipeline_error
diff --git a/packages/forgerock/data_stream/am_activity/elasticsearch/ingest_pipeline/default.yml b/packages/forgerock/data_stream/am_activity/elasticsearch/ingest_pipeline/default.yml
index 6e91c7b966f..a84a9e097c7 100644
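Review bot: The two `on_failure` handlers in am_access now write the identical template with different quoting, `'{{{ _ingest.on_failure_message }}}'` in the @@ -35 hunk and `"{{{ _ingest.on_failure_message }}}"` in the @@ -162 hunk; since both lines were rewritten here, pick one form (single quotes are the safer default because no escape processing applies) so a later search for the template matches both. The same mixed quoting appears in every other forgerock data stream touched by this patch (am_activity, am_authentication, am_config, am_core, idm_access, idm_activity, idm_authentication). Both hunks are slices of the larger `processors:` list, whose start and end lie outside the hunk.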
--- a/packages/forgerock/data_stream/am_activity/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/forgerock/data_stream/am_activity/elasticsearch/ingest_pipeline/default.yml
@@ -35,7 +35,7 @@ processors:
on_failure:
- append:
field: error.message
- value: '{{ _ingest.on_failure_message }}'
+ value: '{{{ _ingest.on_failure_message }}}'
# parse am-activity
- set:
field: event.action
@@ -103,7 +103,7 @@ processors:
on_failure:
- append:
field: error.message
- value: "{{ _ingest.on_failure_message }}"
+ value: "{{{ _ingest.on_failure_message }}}"
- set:
field: event.kind
value: pipeline_error
diff --git a/packages/forgerock/data_stream/am_authentication/elasticsearch/ingest_pipeline/default.yml b/packages/forgerock/data_stream/am_authentication/elasticsearch/ingest_pipeline/default.yml
index ea4a0d27c37..64a35ca0525 100644
--- a/packages/forgerock/data_stream/am_authentication/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/forgerock/data_stream/am_authentication/elasticsearch/ingest_pipeline/default.yml
@@ -35,7 +35,7 @@ processors:
on_failure:
- append:
field: error.message
- value: '{{ _ingest.on_failure_message }}'
+ value: '{{{ _ingest.on_failure_message }}}'
# am-authentication processing
- set:
field: event.category
@@ -107,7 +107,7 @@ processors:
on_failure:
- append:
field: error.message
- value: "{{ _ingest.on_failure_message }}"
+ value: "{{{ _ingest.on_failure_message }}}"
- set:
field: event.kind
value: pipeline_error
diff --git a/packages/forgerock/data_stream/am_config/elasticsearch/ingest_pipeline/default.yml b/packages/forgerock/data_stream/am_config/elasticsearch/ingest_pipeline/default.yml
index f5b47c16d9e..e0fb445c1bb 100644
--- a/packages/forgerock/data_stream/am_config/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/forgerock/data_stream/am_config/elasticsearch/ingest_pipeline/default.yml
@@ -35,7 +35,7 @@ processors:
 on_failure:
 - append:
 field: error.message
- value: '{{ _ingest.on_failure_message }}'
+ value: '{{{ _ingest.on_failure_message }}}'
 # am-config processing
 - set:
 field: event.category
@@ -96,7 +96,7 @@ processors:
 on_failure:
 - append:
 field: error.message
- value: "{{ _ingest.on_failure_message }}"
+ value: "{{{ _ingest.on_failure_message }}}"
 - set:
 field: event.kind
 value: pipeline_error
diff --git a/packages/forgerock/data_stream/am_core/elasticsearch/ingest_pipeline/default.yml b/packages/forgerock/data_stream/am_core/elasticsearch/ingest_pipeline/default.yml
index 0351ac9c099..a04628ac643 100644
--- a/packages/forgerock/data_stream/am_core/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/forgerock/data_stream/am_core/elasticsearch/ingest_pipeline/default.yml
@@ -31,7 +31,7 @@ processors:
 on_failure:
 - append:
 field: error.message
- value: '{{ _ingest.on_failure_message }}'
+ value: '{{{ _ingest.on_failure_message }}}'
 # am-core processing
 - set:
 field: event.reason
@@ -99,7 +99,7 @@ processors:
 on_failure:
 - append:
 field: error.message
- value: "{{ _ingest.on_failure_message }}"
+ value: "{{{ _ingest.on_failure_message }}}"
 - set:
 field: event.kind
 value: pipeline_error
diff --git a/packages/forgerock/data_stream/idm_access/elasticsearch/ingest_pipeline/default.yml b/packages/forgerock/data_stream/idm_access/elasticsearch/ingest_pipeline/default.yml
index f3e52548d7c..511dac91c1c 100644
--- a/packages/forgerock/data_stream/idm_access/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/forgerock/data_stream/idm_access/elasticsearch/ingest_pipeline/default.yml
@@ -35,7 +35,7 @@ processors:
 on_failure:
 - append:
 field: error.message
- value: '{{ _ingest.on_failure_message }}'
+ value: '{{{ _ingest.on_failure_message }}}'
 # idm-access processing
 - set:
 field: event.type
@@ -146,7 +146,7 @@ processors:
 on_failure:
 - append:
 field: error.message
- value: "{{ _ingest.on_failure_message }}"
+ value: "{{{ _ingest.on_failure_message }}}"
 - set:
 field: event.kind
 value: pipeline_error
diff --git a/packages/forgerock/data_stream/idm_activity/elasticsearch/ingest_pipeline/default.yml b/packages/forgerock/data_stream/idm_activity/elasticsearch/ingest_pipeline/default.yml
index b6e44bc8877..15e013b93a5 100644
--- a/packages/forgerock/data_stream/idm_activity/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/forgerock/data_stream/idm_activity/elasticsearch/ingest_pipeline/default.yml
@@ -35,7 +35,7 @@ processors:
 on_failure:
 - append:
 field: error.message
- value: '{{ _ingest.on_failure_message }}'
+ value: '{{{ _ingest.on_failure_message }}}'
 # idm-activity processing
 - set:
 field: user.id
@@ -99,7 +99,7 @@ processors:
 on_failure:
 - append:
 field: error.message
- value: "{{ _ingest.on_failure_message }}"
+ value: "{{{ _ingest.on_failure_message }}}"
 - set:
 field: event.kind
 value: pipeline_error
diff --git a/packages/forgerock/data_stream/idm_authentication/elasticsearch/ingest_pipeline/default.yml b/packages/forgerock/data_stream/idm_authentication/elasticsearch/ingest_pipeline/default.yml
index 432174f8f7e..6151233316f 100644
--- a/packages/forgerock/data_stream/idm_authentication/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/forgerock/data_stream/idm_authentication/elasticsearch/ingest_pipeline/default.yml
@@ -35,7 +35,7 @@ processors:
 on_failure:
 - append:
 field: error.message
- value: '{{ _ingest.on_failure_message }}'
+ value: '{{{ _ingest.on_failure_message }}}'
 # idm-authentication processing
 - set:
 field: event.category
@@ -109,7 +109,7 @@ processors:
 on_failure:
 - append:
 field: error.message
- value: "{{ _ingest.on_failure_message }}"
+ value: "{{{ _ingest.on_failure_message }}}"
 - set:
 field: event.kind
 value: pipeline_error
diff --git a/packages/forgerock/data_stream/idm_config/elasticsearch/ingest_pipeline/default.yml b/packages/forgerock/data_stream/idm_config/elasticsearch/ingest_pipeline/default.yml
index 00fc0b04b45..e9a9d93e4e7 100644
--- a/packages/forgerock/data_stream/idm_config/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/forgerock/data_stream/idm_config/elasticsearch/ingest_pipeline/default.yml
@@ -35,7 +35,7 @@ processors:
 on_failure:
 - append:
 field: error.message
- value: '{{ _ingest.on_failure_message }}'
+ value: '{{{ _ingest.on_failure_message }}}'
 # idm-config processing
 - set:
 field: event.category
@@ -103,7 +103,7 @@ processors:
 on_failure:
 - append:
 field: error.message
- value: "{{ _ingest.on_failure_message }}"
+ value: "{{{ _ingest.on_failure_message }}}"
 - set:
 field: event.kind
 value: pipeline_error
diff --git a/packages/forgerock/data_stream/idm_core/elasticsearch/ingest_pipeline/default.yml b/packages/forgerock/data_stream/idm_core/elasticsearch/ingest_pipeline/default.yml
index cb620c59823..d1634fbd76f 100644
--- a/packages/forgerock/data_stream/idm_core/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/forgerock/data_stream/idm_core/elasticsearch/ingest_pipeline/default.yml
@@ -24,7 +24,7 @@ processors:
 on_failure:
 - append:
 field: error.message
- value: '{{ _ingest.on_failure_message }}'
+ value: '{{{ _ingest.on_failure_message }}}'
 - set:
 field: event.reason
 copy_from: forgerock.payload
@@ -81,7 +81,7 @@ processors:
 on_failure:
 - append:
 field: error.message
- value: "{{ _ingest.on_failure_message }}"
+ value: "{{{ _ingest.on_failure_message }}}"
 - set:
 field: event.kind
 value: pipeline_error
diff --git a/packages/forgerock/data_stream/idm_sync/elasticsearch/ingest_pipeline/default.yml b/packages/forgerock/data_stream/idm_sync/elasticsearch/ingest_pipeline/default.yml
index d5ec6442794..1dd073201fe 100644
--- a/packages/forgerock/data_stream/idm_sync/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/forgerock/data_stream/idm_sync/elasticsearch/ingest_pipeline/default.yml
@@ -35,7 +35,7 @@ processors:
 on_failure:
 - append:
 field: error.message
- value: '{{ _ingest.on_failure_message }}'
+ value: '{{{ _ingest.on_failure_message }}}'
 # idm-sync processing
 - set:
 field: user.id
@@ -126,7 +126,7 @@ processors:
 on_failure:
 - append:
 field: error.message
- value: "{{ _ingest.on_failure_message }}"
+ value: "{{{ _ingest.on_failure_message }}}"
 - set:
 field: event.kind
 value: pipeline_error
diff --git a/packages/forgerock/manifest.yml b/packages/forgerock/manifest.yml
index 2f952c53f1e..4efe819b933 100644
--- a/packages/forgerock/manifest.yml
+++ b/packages/forgerock/manifest.yml
@@ -1,6 +1,6 @@
 name: forgerock
 title: "ForgeRock"
-version: "1.18.2"
+version: "1.18.3"
 description: Collect audit logs from ForgeRock with Elastic Agent.
 type: integration
 format_version: "3.0.2"
diff --git a/packages/github/changelog.yml b/packages/github/changelog.yml
index 9a45fbc9179..e78036aef2f 100644
--- a/packages/github/changelog.yml
+++ b/packages/github/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.29.2"
+ changes:
+ - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/11284
 - version: "1.29.1"
 changes:
 - description: Fix definition of nested subfields
diff --git a/packages/github/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/github/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
index 37092428c1b..66a69360c39 100644
--- a/packages/github/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/github/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
@@ -56,7 +56,7 @@ processors:
 ignore_missing: true
 - append:
 field: related.user
- value: "{{user.name}}"
+ value: "{{{user.name}}}"
 if: ctx.user?.name != null
 - rename:
 field: json.org
@@ -68,7 +68,7 @@ processors:
 ignore_missing: true
 - append:
 field: related.user
- value: "{{user.target.name}}"
+ value: "{{{user.target.name}}}"
 if: ctx.user?.target?.name != null
 - rename:
 field: json.repo
@@ -138,7 +138,7 @@ processors:
 value: '{{{ _ingest.on_failure_message }}}'
 - append:
 field: related.ip
- value: '{{github.actor_ip}}'
+ value: '{{{github.actor_ip}}}'
 if: ctx.github?.actor_ip != null
 - rename:
 field: json.hashed_token
diff --git a/packages/github/data_stream/code_scanning/elasticsearch/ingest_pipeline/default.yml b/packages/github/data_stream/code_scanning/elasticsearch/ingest_pipeline/default.yml
index 97b60010b63..e1ea3f267f7 100644
--- a/packages/github/data_stream/code_scanning/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/github/data_stream/code_scanning/elasticsearch/ingest_pipeline/default.yml
@@ -143,7 +143,7 @@ processors:
 ignore_missing: true
 - set:
 field: github.severity
- value: "{{github.code_scanning.rule.security_severity_level}}"
+ value: "{{{github.code_scanning.rule.security_severity_level}}}"
 if: ctx.github.code_scanning.rule?.security_severity_level != null
 - set:
 field: github.severity
@@ -151,7 +151,7 @@ processors:
 if: ctx.github.severity == null
 - set:
 field: github.state
- value: "{{github.code_scanning.state}}"
+ value: "{{{github.code_scanning.state}}}"
 if: ctx.github.code_scanning.state != null
 - rename:
 target_field: _temp.dismissed_by
@@ -231,7 +231,7 @@ processors:
 processor:
 append:
 field: tags
- value: "{{_ingest._value}}"
+ value: "{{{_ingest._value}}}"
 ignore_missing: true
 if: ctx.github.code_scanning.rule?.tags != null
 - remove:
diff --git a/packages/github/data_stream/issues/elasticsearch/ingest_pipeline/default.yml b/packages/github/data_stream/issues/elasticsearch/ingest_pipeline/default.yml
index 2154fc53bc0..9471c6a2d61 100644
--- a/packages/github/data_stream/issues/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/github/data_stream/issues/elasticsearch/ingest_pipeline/default.yml
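Review bot: The conditions in the code_scanning hunks are not null-safe on the intermediate objects: `if: ctx.github.code_scanning.rule?.security_severity_level != null` (hunk -143) and `if: ctx.github.code_scanning.state != null` (hunk -151) dereference `ctx.github.code_scanning` directly, so an event that reaches these processors without that object makes the Painless condition throw and the processor fail, rather than quietly skipping the `set`. The same shape appears in the issues hunks (`ctx.github.issues.state`) and the secret_scanning hunk (`ctx.github.secret_scanning.state`). These are context lines the commit does not touch, and an earlier rename (outside the hunk) may guarantee the object is present; if it does not, the conditions should use the null-safe form throughout, e.g. `if: ctx.github?.code_scanning?.rule?.security_severity_level != null`.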
@@ -58,7 +58,7 @@ processors:
 ignore_missing: true
 - set:
 field: github.repository.name
- value: "{{_temp_.repository}}"
+ value: "{{{_temp_.repository}}}"
 if: ctx._temp_?.repository != null
 - set:
 field: github.repository.html_url
@@ -70,11 +70,11 @@ processors:
 if: ctx._temp_?.owner != null && ctx._temp_?.repository != null
 - set:
 field: github.repository.owner.login
- value: "{{_temp_.owner}}"
+ value: "{{{_temp_.owner}}}"
 if: ctx._temp_?.owner != null
 - set:
 field: github.state
- value: "{{github.issues.state}}"
+ value: "{{{github.issues.state}}}"
 if: ctx.github.issues.state != null
 - foreach:
 field: github.issues.assignees
@@ -179,7 +179,7 @@ processors:
 ###################
 - append:
 field: related.user
- value: "{{user.name}}"
+ value: "{{{user.name}}}"
 if: ctx.user?.name != null
 allow_duplicates: false
 - foreach:
@@ -188,7 +188,7 @@ processors:
 processor:
 append:
 field: related.user
- value: "{{_ingest._value.login}}"
+ value: "{{{_ingest._value.login}}}"
 allow_duplicates: false
 ###########
 # Cleanup #
diff --git a/packages/github/data_stream/secret_scanning/elasticsearch/ingest_pipeline/default.yml b/packages/github/data_stream/secret_scanning/elasticsearch/ingest_pipeline/default.yml
index 43f7b832649..bb0c2628b9c 100644
--- a/packages/github/data_stream/secret_scanning/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/github/data_stream/secret_scanning/elasticsearch/ingest_pipeline/default.yml
@@ -182,7 +182,7 @@ processors:
 ignore_missing: true
 - set:
 field: github.state
- value: "{{github.secret_scanning.state}}"
+ value: "{{{github.secret_scanning.state}}}"
 if: ctx.github.secret_scanning.state != null
 - set:
 field: github.severity
diff --git a/packages/github/manifest.yml b/packages/github/manifest.yml
index 7faf6aa6649..6a5fa80a3bf 100644
--- a/packages/github/manifest.yml
+++ b/packages/github/manifest.yml
@@ -1,6 +1,6 @@
 name: github
 title: GitHub
-version: "1.29.1"
+version: "1.29.2"
 description: Collect logs from GitHub with Elastic Agent.
 type: integration
 format_version: "3.0.2"
diff --git a/packages/gitlab/changelog.yml b/packages/gitlab/changelog.yml
index e8ca13ec476..43e1fe5145a 100644
--- a/packages/gitlab/changelog.yml
+++ b/packages/gitlab/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.0.1"
+ changes:
+ - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/11284
 - version: 1.0.0
 changes:
 - description: Release package as GA.
diff --git a/packages/gitlab/data_stream/application/elasticsearch/ingest_pipeline/default.yml b/packages/gitlab/data_stream/application/elasticsearch/ingest_pipeline/default.yml
index bfd6f58824a..308fb5188c2 100644
--- a/packages/gitlab/data_stream/application/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/gitlab/data_stream/application/elasticsearch/ingest_pipeline/default.yml
@@ -117,12 +117,12 @@ processors:
 ignore_missing: true
 - append:
 field: related.user
- value: '{{user.id}}'
+ value: '{{{user.id}}}'
 if: ctx.user?.id != null
 allow_duplicates: false
 - append:
 field: related.user
- value: '{{user.name}}'
+ value: '{{{user.name}}}'
 if: ctx.user?.name != null
 allow_duplicates: false
 - rename:
@@ -202,7 +202,7 @@ processors:
 if: ctx.client?.ip != null
 - append:
 field: related.ip
- value: '{{client.ip}}'
+ value: '{{{client.ip}}}'
 if: ctx.client?.ip != null
 allow_duplicates: false
 - append:
diff --git a/packages/gitlab/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/gitlab/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
index b1b52749d70..df4bc584444 100644
--- a/packages/gitlab/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/gitlab/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
@@ -128,7 +128,7 @@ processors:
 if: ctx.client?.ip != null
 - append:
 field: related.ip
- value: '{{client.ip}}'
+ value: '{{{client.ip}}}'
 if: ctx.client?.ip != null
 allow_duplicates: false
 - convert:
@@ -155,27 +155,27 @@ processors:
 if: ctx.gitlab?.audit?.created_at != null
 - append:
 field: related.user
- value: '{{user.id}}'
+ value: '{{{user.id}}}'
 if: ctx.user?.id != null
 allow_duplicates: false
 - append:
 field: related.user
- value: '{{user.name}}'
+ value: '{{{user.name}}}'
 if: ctx.user?.name != null
 allow_duplicates: false
 - append:
 field: related.user
- value: '{{gitlab.audit.target_id}}'
+ value: '{{{gitlab.audit.target_id}}}'
 if: ctx.gitlab?.audit?.target_id != null && ctx.gitlab.audit.target_type == "User"
 allow_duplicates: false
 - append:
 field: related.user
- value: '{{gitlab.audit.target_details}}'
+ value: '{{{gitlab.audit.target_details}}}'
 if: ctx.gitlab?.audit?.target_details != null && ctx.gitlab.audit.target_type == "User"
 allow_duplicates: false
 - append:
 field: related.user
- value: '{{gitlab.audit.entity_id}}'
+ value: '{{{gitlab.audit.entity_id}}}'
 if: ctx.gitlab?.auadit?.entity_id != null && ctx.gitlab.audit.entity_type == "User"
 allow_duplicates: false
 - append:
diff --git a/packages/gitlab/data_stream/auth/elasticsearch/ingest_pipeline/default.yml b/packages/gitlab/data_stream/auth/elasticsearch/ingest_pipeline/default.yml
index cbe37308727..c08f19a2c39 100644
--- a/packages/gitlab/data_stream/auth/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/gitlab/data_stream/auth/elasticsearch/ingest_pipeline/default.yml
@@ -162,7 +162,7 @@ processors:
 if: ctx.client?.ip != null
 - append:
 field: related.ip
- value: '{{client.ip}}'
+ value: '{{{client.ip}}}'
 if: ctx.client?.ip != null
 allow_duplicates: false
 - append:
diff --git a/packages/gitlab/manifest.yml b/packages/gitlab/manifest.yml
index aa841d78944..485243577ce 100644
--- a/packages/gitlab/manifest.yml
+++ b/packages/gitlab/manifest.yml
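Review bot: The last append in the audit hunk (-155) is dead code: its condition reads `ctx.gitlab?.auadit?.entity_id`, a misspelling of `audit`, so the null-safe lookup yields null on every event that does not literally carry an `auadit` key and `gitlab.audit.entity_id` is never added to `related.user`. The templating change rewrites the value line directly beneath and leaves the typo in place. The condition should be `if: ctx.gitlab?.audit?.entity_id != null && ctx.gitlab.audit.entity_type == "User"`, matching the two appends above it. A pipeline test event with `entity_type` set to `User` would make the regression visible in the generated expected output.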
@@ -1,7 +1,7 @@
 format_version: 3.1.3
 name: gitlab
 title: GitLab
-version: 1.0.0
+version: 1.0.1
 description: Collect logs from GitLab with Elastic Agent.
 type: integration
 categories:
diff --git a/packages/google_workspace/changelog.yml b/packages/google_workspace/changelog.yml
index 4a80d8ab3a5..a90728a1e99 100644
--- a/packages/google_workspace/changelog.yml
+++ b/packages/google_workspace/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.25.4"
+ changes:
+ - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/11284
 - version: "2.25.3"
 changes:
 - description: Remove link to unpublished security-labs blog from README.
diff --git a/packages/google_workspace/data_stream/admin/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/data_stream/admin/elasticsearch/ingest_pipeline/default.yml
index ef4e886d6f2..a5f80d07fc6 100644
--- a/packages/google_workspace/data_stream/admin/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/google_workspace/data_stream/admin/elasticsearch/ingest_pipeline/default.yml
@@ -744,17 +744,17 @@ processors:
 ignore_missing: true
 - append:
 field: related.ip
- value: "{{source.ip}}"
+ value: "{{{source.ip}}}"
 if: ctx?.source?.ip != null
 allow_duplicates: false
 - append:
 field: related.user
- value: "{{source.user.name}}"
+ value: "{{{source.user.name}}}"
 if: ctx?.source?.user?.name != null
 allow_duplicates: false
 - append:
 field: related.user
- value: "{{user.target.name}}"
+ value: "{{{user.target.name}}}"
 if: ctx?.user?.target?.name != null
 allow_duplicates: false
 - geoip:
diff --git a/packages/google_workspace/data_stream/drive/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/data_stream/drive/elasticsearch/ingest_pipeline/default.yml
index 4171f475e55..8716ba0321d 100644
--- a/packages/google_workspace/data_stream/drive/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/google_workspace/data_stream/drive/elasticsearch/ingest_pipeline/default.yml
@@ -235,17 +235,17 @@ processors:
 ctx.file.owner = splitmail[0];
 - append:
 field: related.ip
- value: "{{source.ip}}"
+ value: "{{{source.ip}}}"
 if: ctx?.source?.ip != null
 allow_duplicates: false
 - append:
 field: related.user
- value: "{{file.owner}}"
+ value: "{{{file.owner}}}"
 if: ctx?.file?.owner != null
 allow_duplicates: false
 - append:
 field: related.user
- value: "{{source.user.name}}"
+ value: "{{{source.user.name}}}"
 if: ctx?.source?.user?.name != null
 allow_duplicates: false
 - geoip:
diff --git a/packages/google_workspace/data_stream/groups/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/data_stream/groups/elasticsearch/ingest_pipeline/default.yml
index ede69b9d5ea..731c89db68c 100644
--- a/packages/google_workspace/data_stream/groups/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/google_workspace/data_stream/groups/elasticsearch/ingest_pipeline/default.yml
@@ -121,12 +121,12 @@ processors:
 ctx.source.user.domain = splitmail[1];
 - append:
 field: related.ip
- value: "{{source.ip}}"
+ value: "{{{source.ip}}}"
 if: ctx?.source?.ip != null
 allow_duplicates: false
 - append:
 field: related.user
- value: "{{source.user.name}}"
+ value: "{{{source.user.name}}}"
 if: ctx?.source?.user?.name != null
 allow_duplicates: false
 - append:
diff --git a/packages/google_workspace/data_stream/login/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/data_stream/login/elasticsearch/ingest_pipeline/default.yml
index 8182d74413f..c0c8f76d34d 100644
--- a/packages/google_workspace/data_stream/login/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/google_workspace/data_stream/login/elasticsearch/ingest_pipeline/default.yml
@@ -115,12 +115,12 @@ processors:
 if: ctx?.source?.user?.id != null
 - append:
 field: related.ip
- value: "{{source.ip}}"
+ value: "{{{source.ip}}}"
 if: ctx?.source?.ip != null
 allow_duplicates: false
 - append:
 field: related.user
- value: "{{source.user.name}}"
+ value: "{{{source.user.name}}}"
 if: ctx?.source?.user?.name != null
 allow_duplicates: false
 - append:
diff --git a/packages/google_workspace/data_stream/saml/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/data_stream/saml/elasticsearch/ingest_pipeline/default.yml
index 03a1056fadb..adc002c5e80 100644
--- a/packages/google_workspace/data_stream/saml/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/google_workspace/data_stream/saml/elasticsearch/ingest_pipeline/default.yml
@@ -124,12 +124,12 @@ processors:
 ctx.source.user.domain = splitmail[1];
 - append:
 field: related.ip
- value: "{{source.ip}}"
+ value: "{{{source.ip}}}"
 if: ctx?.source?.ip != null
 allow_duplicates: false
 - append:
 field: related.user
- value: "{{source.user.name}}"
+ value: "{{{source.user.name}}}"
 if: ctx?.source?.user?.name != null
 allow_duplicates: false
 - set:
diff --git a/packages/google_workspace/data_stream/user_accounts/elasticsearch/ingest_pipeline/default.yml b/packages/google_workspace/data_stream/user_accounts/elasticsearch/ingest_pipeline/default.yml
index d556b262051..9f27e25d1d0 100644
--- a/packages/google_workspace/data_stream/user_accounts/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/google_workspace/data_stream/user_accounts/elasticsearch/ingest_pipeline/default.yml
@@ -148,12 +148,12 @@ processors:
 ctx.source.user.domain = splitmail[1];
 - append:
 field: related.ip
- value: "{{source.ip}}"
+ value: "{{{source.ip}}}"
 if: ctx?.source?.ip != null
 allow_duplicates: false
 - append:
 field: related.user
- value: "{{source.user.name}}"
+ value: "{{{source.user.name}}}"
 if: ctx?.source?.user?.name != null
 allow_duplicates: false
 - geoip:
diff --git a/packages/google_workspace/manifest.yml b/packages/google_workspace/manifest.yml
index 71f84735b39..bfcdb706047 100644
--- a/packages/google_workspace/manifest.yml
+++ b/packages/google_workspace/manifest.yml
@@ -1,6 +1,6 @@
 name: google_workspace
 title: Google Workspace
-version: "2.25.3"
+version: "2.25.4"
 source:
 license: Elastic-2.0
 description: Collect logs from Google Workspace with Elastic Agent.
diff --git a/packages/infoblox_nios/changelog.yml b/packages/infoblox_nios/changelog.yml
index 43be484691a..199ef0a153a 100644
--- a/packages/infoblox_nios/changelog.yml
+++ b/packages/infoblox_nios/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.23.2"
+ changes:
+ - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/11284
 - version: "1.23.1"
 changes:
 - description: Fix handling of MARK log entries.
diff --git a/packages/infoblox_nios/data_stream/log/elasticsearch/ingest_pipeline/pipeline_dns.yml b/packages/infoblox_nios/data_stream/log/elasticsearch/ingest_pipeline/pipeline_dns.yml
index d24aeafb017..9d81cb7eccd 100644
--- a/packages/infoblox_nios/data_stream/log/elasticsearch/ingest_pipeline/pipeline_dns.yml
+++ b/packages/infoblox_nios/data_stream/log/elasticsearch/ingest_pipeline/pipeline_dns.yml
@@ -204,7 +204,7 @@ processors:
 processor:
 append:
 field: related.hosts
- value: '{{_ingest._value}}'
+ value: '{{{_ingest._value}}}'
 allow_duplicates: false
 ignore_failure: true
 - append:
diff --git a/packages/infoblox_nios/manifest.yml b/packages/infoblox_nios/manifest.yml
index 6d3deb8f0bf..629a7deb034 100644
--- a/packages/infoblox_nios/manifest.yml
+++ b/packages/infoblox_nios/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.3"
 name: infoblox_nios
 title: Infoblox NIOS
-version: "1.23.1"
+version: "1.23.2"
 description: Collect logs from Infoblox NIOS with Elastic Agent.
 type: integration
 categories:
diff --git a/packages/jamf_protect/changelog.yml b/packages/jamf_protect/changelog.yml
index 72279fcc6b2..b12efb2c973 100644
--- a/packages/jamf_protect/changelog.yml
+++ b/packages/jamf_protect/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.6.2"
+ changes:
+ - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/11284
 - version: "2.6.1"
 changes:
 - description: Fix definition of subfields of nested objects
diff --git a/packages/jamf_protect/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml b/packages/jamf_protect/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml
index 5a6b597aae9..9e7f287d27e 100644
--- a/packages/jamf_protect/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/jamf_protect/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml
@@ -402,17 +402,17 @@ processors:
 ########################
 - append:
 field: related.hosts
- value: "{{ host.name }}"
+ value: "{{{ host.name }}}"
 if: ctx.host?.name != null
 allow_duplicates: false
 - append:
 field: related.user
- value: "{{ user.name }}"
+ value: "{{{ user.name }}}"
 if: ctx.user?.name != null
 allow_duplicates: false
 # - append:
 # field: related.ip
- # value: "{{ host.ip }}"
+ # value: "{{{ host.ip }}}"
 # if: ctx.host?.ip != null
 # allow_duplicates: false
 - foreach:
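Review bot: The generated edit in the alerts hunk (-402) rewrites a commented-out processor, `# value: "{{{ host.ip }}}"`, which means dead text is now being maintained as if it were code. Commented-out pipeline steps should be deleted rather than kept current; if the intent was to feed `host.ip` into `related.ip`, a single mustache render of that field is not the right tool anyway since ECS `host.ip` is array-valued, and the `- foreach:` that starts at the end of this hunk presumably already covers it (its body is outside the hunk). The web_threat_events (-53, -83) and web_traffic_events (-76, -177) hunks carry a similar leftover, `# ignore_missing: true` beneath `set` processors; `set` has no `ignore_missing` option and each of those steps is already guarded by an `if`, so those comment lines can be dropped as well.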
@@ -425,22 +425,22 @@ processors:
 allow_duplicates: false
 - append:
 field: related.hash
- value: "{{ file.hash.sha1 }}"
+ value: "{{{ file.hash.sha1 }}}"
 if: ctx.file?.hash?.sha1 != null
 allow_duplicates: false
 - append:
 field: related.hash
- value: "{{ file.hash.sha256 }}"
+ value: "{{{ file.hash.sha256 }}}"
 if: ctx.file?.hash?.sha256 != null
 allow_duplicates: false
 - append:
 field: related.hash
- value: "{{ process.hash.sha1 }}"
+ value: "{{{ process.hash.sha1 }}}"
 if: ctx.process?.hash?.sha1 != null
 allow_duplicates: false
 - append:
 field: related.hash
- value: "{{ process.hash.sha256 }}"
+ value: "{{{ process.hash.sha256 }}}"
 if: ctx.process?.hash?.sha256 != null
 allow_duplicates: false
diff --git a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_system_performance.yml b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_system_performance.yml
index b1098160011..0e1dfbfd7c4 100644
--- a/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_system_performance.yml
+++ b/packages/jamf_protect/data_stream/telemetry/elasticsearch/ingest_pipeline/pipeline_event_system_performance.yml
@@ -18,4 +18,4 @@ processors:
 on_failure:
 - append:
 field: error.message
- value: '{{ _ingest.on_failure_message }}'
+ value: '{{{ _ingest.on_failure_message }}}'
diff --git a/packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/default.yml b/packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/default.yml
index 12cf8ae9493..ade4ab44bd8 100644
--- a/packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/default.yml
@@ -51,4 +51,4 @@ processors:
 on_failure:
 - set:
 field: error.message
- value: '{{ _ingest.on_failure_message }}'
+ value: '{{{ _ingest.on_failure_message }}}'
diff --git a/packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_audit.yml b/packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_audit.yml
index 097f35f0c9a..a16bbf220ab 100644
--- a/packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_audit.yml
+++ b/packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_audit.yml
@@ -354,4 +354,4 @@ processors:
 on_failure:
 - set:
 field: error.message
- value: '{{ _ingest.on_failure_message }}'
+ value: '{{{ _ingest.on_failure_message }}}'
diff --git a/packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_event.yml b/packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_event.yml
index a987e75035e..445ee14740a 100644
--- a/packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_event.yml
+++ b/packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_event.yml
@@ -80,4 +80,4 @@ processors:
 on_failure:
 - append:
 field: error.message
- value: '{{ _ingest.on_failure_message }}'
+ value: '{{{ _ingest.on_failure_message }}}'
diff --git a/packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_system_performance_metrics.yml b/packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_system_performance_metrics.yml
index 0fb4ea6fdc5..324062e4dc5 100644
--- a/packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_system_performance_metrics.yml
+++ b/packages/jamf_protect/data_stream/telemetry_legacy/elasticsearch/ingest_pipeline/pipeline_system_performance_metrics.yml
@@ -140,4 +140,4 @@ processors:
 on_failure:
 - append:
 field: error.message
- value: '{{ _ingest.on_failure_message }}'
+ value: '{{{ _ingest.on_failure_message }}}'
diff --git a/packages/jamf_protect/data_stream/web_threat_events/elasticsearch/ingest_pipeline/default.yml b/packages/jamf_protect/data_stream/web_threat_events/elasticsearch/ingest_pipeline/default.yml
index 1058b4adb1b..db76448a484 100644
--- a/packages/jamf_protect/data_stream/web_threat_events/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/jamf_protect/data_stream/web_threat_events/elasticsearch/ingest_pipeline/default.yml
@@ -53,7 +53,7 @@ processors:
 if: ctx.jamf_protect?.threat?.event?.action != null
 - set:
 field: event.reason
- value: '{{jamf_protect.threat.event.eventType.description}}'
+ value: '{{{jamf_protect.threat.event.eventType.description}}}'
 if: ctx.jamf_protect?.threat?.event?.eventType?.description != null
 # ignore_missing: true
 - rename:
@@ -83,7 +83,7 @@ processors:
 ignore_missing: true
 - set:
 field: rule.description
- value: '{{jamf_protect.threat.event.eventType.description}}'
+ value: '{{{jamf_protect.threat.event.eventType.description}}}'
 if: ctx.jamf_protect?.threat?.event?.eventType?.description != null
 # ignore_missing: true
 - rename:
diff --git a/packages/jamf_protect/data_stream/web_traffic_events/elasticsearch/ingest_pipeline/default.yml b/packages/jamf_protect/data_stream/web_traffic_events/elasticsearch/ingest_pipeline/default.yml
index dc545ad450b..659b1b19797 100644
--- a/packages/jamf_protect/data_stream/web_traffic_events/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/jamf_protect/data_stream/web_traffic_events/elasticsearch/ingest_pipeline/default.yml
@@ -54,11 +54,11 @@ processors:
 if: ctx.jamf_protect?.traffic?.event?.threat?.types == 'malware'
 - set:
 field: event.action
- value: '{{jamf_protect.traffic.event.signatureId.name}}'
+ value: '{{{jamf_protect.traffic.event.signatureId.name}}}'
 if: ctx.jamf_protect?.traffic?.event?.signatureId?.name != null
 - set:
 field: event.reason
- value: '{{jamf_protect.traffic.event.threat.result}}'
+ value: '{{{jamf_protect.traffic.event.threat.result}}}'
 if: ctx.jamf_protect?.traffic?.event?.threat?.result != null
 - append:
 field: event.outcome
@@ -76,7 +76,7 @@ processors:
 #######################
 - set:
 field: rule.name
- value: '{{jamf_protect.traffic.event.signatureId.name}}'
+ value: '{{{jamf_protect.traffic.event.signatureId.name}}}'
 if: ctx.jamf_protect?.traffic?.event?.signatureId?.name != null
 # ignore_missing: true
 - rename:
@@ -177,7 +177,7 @@ processors:
 if: ctx.jamf_protect?.traffic?.event?.dns?.ttl != null
 - set:
 field: dns.resolved_ip
- value: '{{jamf_protect.traffic.event.destination.ip}}'
+ value: '{{{jamf_protect.traffic.event.destination.ip}}}'
 # ignore_missing: true
 if: ctx.jamf_protect?.traffic?.event?.destination?.ip != null
diff --git a/packages/jamf_protect/manifest.yml b/packages/jamf_protect/manifest.yml
index 94a4ab273e1..54fa5c17285 100644
--- a/packages/jamf_protect/manifest.yml
+++ b/packages/jamf_protect/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.0.3
 name: jamf_protect
 title: Jamf Protect
-version: "2.6.1"
+version: "2.6.2"
 description: Receives events from Jamf Protect with Elastic Agent.
 type: integration
 categories:
diff --git a/packages/jumpcloud/changelog.yml b/packages/jumpcloud/changelog.yml
index 9194a366055..513500f064a 100644
--- a/packages/jumpcloud/changelog.yml
+++ b/packages/jumpcloud/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.12.1"
+ changes:
+ - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/11284
 - version: "1.12.0"
 changes:
 - description: Populate 'event.outcome' based on 'sso_token_success', when present
diff --git a/packages/jumpcloud/data_stream/events/elasticsearch/ingest_pipeline/default.yml b/packages/jumpcloud/data_stream/events/elasticsearch/ingest_pipeline/default.yml
index f1f5eebf86a..45cb8e7ed06 100644
--- a/packages/jumpcloud/data_stream/events/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/jumpcloud/data_stream/events/elasticsearch/ingest_pipeline/default.yml
@@ -225,47 +225,47 @@ processors: ### relateds - append: field: related.ip - value: "{{jumpcloud.event.jumpcloud_protect_device.ip}}" + value: "{{{jumpcloud.event.jumpcloud_protect_device.ip}}}" if: "ctx.jumpcloud?.event?.jumpcloud_protect_device?.ip != null" allow_duplicates: false - append: field: related.ip - value: "{{source.ip}}" + value: "{{{source.ip}}}" if: "ctx.source?.ip != null" allow_duplicates: false - append: field: client.ip - value: "{{client.ip}}" + value: "{{{client.ip}}}" if: "ctx.client?.ip != null" allow_duplicates: false - append: field: related.ip - value: "{{destination.ip}}" + value: "{{{destination.ip}}}" if: "ctx.destination?.ip != null" allow_duplicates: false - append: field: related.ip - value: "{{server.ip}}" + value: "{{{server.ip}}}" if: "ctx.server?.ip != null" allow_duplicates: false - append: field: related.user - value: "{{source.user.name}}" + value: "{{{source.user.name}}}" if: "ctx.source?.user?.name != null" allow_duplicates: false - append: field: related.user - value: "{{destination.user.name}}" + value: "{{{destination.user.name}}}" if: "ctx.destination?.user?.name != null" allow_duplicates: false - append: field: related.hosts - value: "{{destination.address}}" + value: "{{{destination.address}}}" if: "ctx.destination?.address != null" allow_duplicates: false - append: field: related.hosts - value: "{{source.address}}" + value: "{{{source.address}}}" if: "ctx.source?.address != null" allow_duplicates: false - remove: diff --git a/packages/jumpcloud/manifest.yml b/packages/jumpcloud/manifest.yml index 4ff6076c00e..3ca96349170 100644 --- a/packages/jumpcloud/manifest.yml +++ b/packages/jumpcloud/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.2" name: jumpcloud title: "JumpCloud" -version: "1.12.0" +version: "1.12.1" description: "Collect logs from JumpCloud Directory as a Service" type: integration categories: 
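Review bot: Under `### relateds`, the third `append` writes `{{{client.ip}}}` back into `client.ip` itself (`field: client.ip`) instead of into `related.ip`, so the client address never reaches `related.ip` and, presumably, `client.ip` is rewritten as a list holding the value it already had. Every other append in this block targets a `related.*` field, so this looks like a copy-paste slip; the fix is `field: related.ip`. The enclosing `processors` list continues outside the hunk.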
diff --git a/packages/keycloak/changelog.yml b/packages/keycloak/changelog.yml index 439986a8d74..48738c33f29 100644 --- a/packages/keycloak/changelog.yml +++ b/packages/keycloak/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.23.1" + changes: + - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines. + type: bugfix + link: https://github.com/elastic/integrations/pull/11284 - version: "1.23.0" changes: - description: Make condition configurable to control when to apply the log data stream. diff --git a/packages/keycloak/data_stream/log/_dev/test/pipeline/test-log.log-expected.json b/packages/keycloak/data_stream/log/_dev/test/pipeline/test-log.log-expected.json index fd7e8dc1663..8b0917cf1da 100644 --- a/packages/keycloak/data_stream/log/_dev/test/pipeline/test-log.log-expected.json +++ b/packages/keycloak/data_stream/log/_dev/test/pipeline/test-log.log-expected.json @@ -514,6 +514,7 @@ ], "url": { "domain": "www.example.com", + "extension": "sso/SAML2/POST", "original": "https://www.example.com/Shibboleth.sso/SAML2/POST", "path": "/Shibboleth.sso/SAML2/POST", "scheme": "https" diff --git a/packages/keycloak/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/keycloak/data_stream/log/elasticsearch/ingest_pipeline/default.yml index 5b97c65255a..febc5832abf 100644 --- a/packages/keycloak/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ b/packages/keycloak/data_stream/log/elasticsearch/ingest_pipeline/default.yml @@ -17,13 +17,13 @@ processors: tag: grok_event_original - set: field: event.timezone - value: "{{_tmp.tz_offset}}" + value: "{{{_tmp.tz_offset}}}" if: ctx._tmp?.tz_offset != null && ctx._tmp?.tz_offset != 'local' tag: set_event_timezone - date: field: _tmp.timestamp target_field: '@timestamp' - timezone: "{{ event.timezone }}" + timezone: "{{{ event.timezone }}}" formats: - yyyy-MM-dd HH:mm:ss,SSS if: ctx.event?.timezone != null 
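Review bot: The regenerated expected output gains `"extension": "sso/SAML2/POST"` for a URL whose path is `/Shibboleth.sso/SAML2/POST`; that value is a path suffix, not a file extension, and the same spurious values (`com\\/open`, `com/tests/execute/9`, `com`) appear in the netskope expected files further down. Nothing in the triple-brace change explains a new `url.extension`, so this is most likely the `uri_parts` behaviour of the stack used when the fixtures were regenerated with `elastic-package test pipeline -g`, and it is worth confirming before these fixtures are committed as the new baseline. If the stack behaviour is intended, a follow-up in the pipelines could drop `url.extension` when it contains a `/` so downstream consumers do not see bogus extensions.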
diff --git a/packages/keycloak/data_stream/log/elasticsearch/ingest_pipeline/events.yml b/packages/keycloak/data_stream/log/elasticsearch/ingest_pipeline/events.yml index 387939ee53f..590edc6556b 100644 --- a/packages/keycloak/data_stream/log/elasticsearch/ingest_pipeline/events.yml +++ b/packages/keycloak/data_stream/log/elasticsearch/ingest_pipeline/events.yml @@ -193,19 +193,19 @@ processors: if: ctx.keycloak?.admin?.resource == "USER" - append: field: related.ip - value: "{{source.ip}}" + value: "{{{source.ip}}}" if: ctx.source?.ip != null - append: field: related.user - value: "{{user.id}}" + value: "{{{user.id}}}" if: ctx.user?.id != null - append: field: related.user - value: "{{user.target.id}}" + value: "{{{user.target.id}}}" if: ctx.user?.target?.id != null - append: field: related.hosts - value: "{{url.domain}}" + value: "{{{url.domain}}}" if: ctx.url?.domain != null - remove: field: diff --git a/packages/keycloak/manifest.yml b/packages/keycloak/manifest.yml index 99968f4a274..06967b44ec1 100644 --- a/packages/keycloak/manifest.yml +++ b/packages/keycloak/manifest.yml @@ -1,6 +1,6 @@ name: keycloak title: Keycloak -version: "1.23.0" +version: "1.23.1" description: Collect logs from Keycloak with Elastic Agent. type: integration format_version: "3.0.3" diff --git a/packages/lyve_cloud/changelog.yml b/packages/lyve_cloud/changelog.yml index ee84f4bdf41..20838dc8630 100644 --- a/packages/lyve_cloud/changelog.yml +++ b/packages/lyve_cloud/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.14.1" + changes: + - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines. + type: bugfix + link: https://github.com/elastic/integrations/pull/11284 - version: "1.14.0" changes: - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. 
diff --git a/packages/lyve_cloud/data_stream/audit/elasticsearch/ingest_pipeline/audit_lc.yml b/packages/lyve_cloud/data_stream/audit/elasticsearch/ingest_pipeline/audit_lc.yml index ce2b2b2c0be..2c6237e5992 100755 --- a/packages/lyve_cloud/data_stream/audit/elasticsearch/ingest_pipeline/audit_lc.yml +++ b/packages/lyve_cloud/data_stream/audit/elasticsearch/ingest_pipeline/audit_lc.yml @@ -18,12 +18,12 @@ processors: field: user.email - append: field: related.user - value: "{{user.name}}" + value: "{{{user.name}}}" allow_duplicates: false if: ctx.user?.name != null && ctx.user.name != "" - append: field: related.user - value: "{{user.id}}" + value: "{{{user.id}}}" allow_duplicates: false if: ctx.user?.name != null && ctx.user.name != "" @@ -141,7 +141,7 @@ processors: on_failure: - append: field: _failed_ips - value: "{{_ingest._value}}" + value: "{{{_ingest._value}}}" ignore_missing: true - script: lang: painless diff --git a/packages/lyve_cloud/manifest.yml b/packages/lyve_cloud/manifest.yml index 422be489dc9..f47149a6e29 100644 --- a/packages/lyve_cloud/manifest.yml +++ b/packages/lyve_cloud/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.2" name: lyve_cloud title: Lyve Cloud -version: "1.14.0" +version: "1.14.1" description: Collect S3 API audit log from Lyve Cloud with Elastic Agent. type: integration categories: diff --git a/packages/mattermost/changelog.yml b/packages/mattermost/changelog.yml index 8c39390a0fb..152a15f5df9 100644 --- a/packages/mattermost/changelog.yml +++ b/packages/mattermost/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.1.1" + changes: + - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines. + type: bugfix + link: https://github.com/elastic/integrations/pull/11284 - version: "2.1.0" changes: - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. 
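Review bot: In the `@@ -18` hunk the second `append` to `related.user` renders `{{{user.id}}}` but is guarded by `if: ctx.user?.name != null && ctx.user.name != ""`, which tests the wrong field: an event with a `user.id` and no `user.name` is skipped, and one with a name but no id would append an empty string. The condition should mirror the value it guards, `if: ctx.user?.id != null && ctx.user.id != ""`. The `processors` list continues outside both hunks.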
diff --git a/packages/mattermost/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/mattermost/data_stream/audit/elasticsearch/ingest_pipeline/default.yml index 461ed79ac19..fa017badcfb 100644 --- a/packages/mattermost/data_stream/audit/elasticsearch/ingest_pipeline/default.yml +++ b/packages/mattermost/data_stream/audit/elasticsearch/ingest_pipeline/default.yml @@ -361,22 +361,22 @@ processors: } - append: field: related.user - value: '{{user.name}}' + value: '{{{user.name}}}' allow_duplicates: false if: ctx.user?.name != null - append: field: related.user - value: '{{user.changes.name}}' + value: '{{{user.changes.name}}}' allow_duplicates: false if: ctx.user?.changes?.name != null - append: field: related.user - value: '{{user.id}}' + value: '{{{user.id}}}' allow_duplicates: false if: ctx.user?.id != null - append: field: related.user - value: '{{user.target.id}}' + value: '{{{user.target.id}}}' allow_duplicates: false if: ctx.user?.target?.id instanceof String - foreach: 
@@ -384,28 +384,28 @@ processors: processor: append: field: related.user - value: '{{_ingest._value}}' + value: '{{{_ingest._value}}}' allow_duplicates: false ignore_missing: true if: ctx.user?.target?.id instanceof List - append: field: related.ip - value: '{{source.ip}}' + value: '{{{source.ip}}}' allow_duplicates: false if: ctx.source?.ip != null - append: field: mattermost.audit.related.channel - value: '{{mattermost.audit.post.channel.id}}' + value: '{{{mattermost.audit.post.channel.id}}}' allow_duplicates: false if: ctx.mattermost?.audit?.post?.channel?.id != null - append: field: mattermost.audit.related.channel - value: '{{mattermost.audit.channel.id}}' + value: '{{{mattermost.audit.channel.id}}}' allow_duplicates: false if: ctx.mattermost?.audit?.channel?.id != null - append: field: mattermost.audit.related.team - value: '{{mattermost.audit.team.id}}' + value: '{{{mattermost.audit.team.id}}}' allow_duplicates: false if: ctx.mattermost?.audit?.team?.id != null - remove: diff --git a/packages/mattermost/manifest.yml b/packages/mattermost/manifest.yml index d556d7c21c2..d92c96df3ac 100644 --- a/packages/mattermost/manifest.yml +++ b/packages/mattermost/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.3" name: mattermost title: "Mattermost" -version: "2.1.0" +version: "2.1.1" description: Collect logs from Mattermost with Elastic Agent. type: integration categories: diff --git a/packages/menlo/changelog.yml b/packages/menlo/changelog.yml index 423c79404a2..0f460331f37 100644 --- a/packages/menlo/changelog.yml +++ b/packages/menlo/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.1.1" + changes: + - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines. + type: bugfix + link: https://github.com/elastic/integrations/pull/11284 - version: "1.1.0" changes: - description: Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. 
diff --git a/packages/menlo/data_stream/dlp/elasticsearch/ingest_pipeline/default.yml b/packages/menlo/data_stream/dlp/elasticsearch/ingest_pipeline/default.yml index 8329bd0d570..387ac2a62f3 100644 --- a/packages/menlo/data_stream/dlp/elasticsearch/ingest_pipeline/default.yml +++ b/packages/menlo/data_stream/dlp/elasticsearch/ingest_pipeline/default.yml @@ -105,7 +105,7 @@ processors: ignore_missing: true - append: field: related.user - value: '{{json.event.userid}}' + value: '{{{json.event.userid}}}' allow_duplicates: false if: ctx.json?.event?.userid != null - rename: diff --git a/packages/menlo/data_stream/web/elasticsearch/ingest_pipeline/default.yml b/packages/menlo/data_stream/web/elasticsearch/ingest_pipeline/default.yml index 6da7be87255..7f51562ec19 100644 --- a/packages/menlo/data_stream/web/elasticsearch/ingest_pipeline/default.yml +++ b/packages/menlo/data_stream/web/elasticsearch/ingest_pipeline/default.yml @@ -208,7 +208,7 @@ processors: ignore_missing: true - append: field: related.hash - value: "{{file.hash.sha256}}" + value: "{{{file.hash.sha256}}}" allow_duplicates: false if: ctx.file?.hash?.sha256 != null - rename: @@ -297,12 +297,12 @@ processors: if: ctx?.json?.event?.xff_ip != "NA" - append: field: related.ip - value: '{{source.ip}}' + value: '{{{source.ip}}}' if: ctx.source?.ip != null allow_duplicates: false - append: field: related.ip - value: '{{destination.ip}}' + value: '{{{destination.ip}}}' if: ctx.destination?.ip != null allow_duplicates: false - remove: diff --git a/packages/menlo/manifest.yml b/packages/menlo/manifest.yml index e93da73be5a..9cb73d27ce6 100644 --- a/packages/menlo/manifest.yml +++ b/packages/menlo/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.2" name: menlo title: "Menlo Security" -version: "1.1.0" +version: "1.1.1" source: license: "Elastic-2.0" description: "Collect logs from Menlo Security products with Elastic Agent" 
diff --git a/packages/microsoft_defender_endpoint/changelog.yml b/packages/microsoft_defender_endpoint/changelog.yml index f8335597db2..e2dd4380cd7 100644 --- a/packages/microsoft_defender_endpoint/changelog.yml +++ b/packages/microsoft_defender_endpoint/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.25.1" + changes: + - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines. + type: bugfix + link: https://github.com/elastic/integrations/pull/11284 - version: "2.25.0" changes: - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. diff --git a/packages/microsoft_defender_endpoint/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/microsoft_defender_endpoint/data_stream/log/elasticsearch/ingest_pipeline/default.yml index 3f10b215665..8b6755c4f16 100644 --- a/packages/microsoft_defender_endpoint/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ b/packages/microsoft_defender_endpoint/data_stream/log/elasticsearch/ingest_pipeline/default.yml @@ -73,7 +73,7 @@ processors: value: azure - set: field: '@timestamp' - value: '{{json.alertUpdateTime}}' + value: '{{{json.alertUpdateTime}}}' if: ctx.json?.alertUpdateTime != null - rename: field: json.aadTenantId @@ -100,14 +100,14 @@ processors: value: UTC - set: field: event.action - value: '{{json.category}}' + value: '{{{json.category}}}' if: ctx.json?.category != null - set: field: event.provider value: defender_endpoint - set: field: event.created - value: '{{json.alertCreationTime}}' + value: '{{{json.alertCreationTime}}}' if: ctx.json?.alertCreationTime != null - append: field: event.category 
@@ -294,23 +294,23 @@ processors: ######################### - append: field: related.ip - value: '{{json.evidence.ipAddress}}' + value: '{{{json.evidence.ipAddress}}}' if: ctx.json?.evidence?.ipAddress != null - append: field: related.user - value: '{{user.name}}' + value: '{{{user.name}}}' if: ctx.user?.name != null - append: field: related.hash - value: '{{file.hash.sha1}}' + value: '{{{file.hash.sha1}}}' if: ctx.file?.hash?.sha1 != null - append: field: related.hash - value: '{{file.hash.sha256}}' + value: '{{{file.hash.sha256}}}' if: ctx.file?.hash?.sha256 != null - append: field: related.hosts - value: '{{host.name}}' + value: '{{{host.name}}}' if: ctx.host?.name != null && ctx.host.name != '' allow_duplicates: false diff --git a/packages/microsoft_defender_endpoint/manifest.yml b/packages/microsoft_defender_endpoint/manifest.yml index 121db9fcedb..8b457f57c32 100644 --- a/packages/microsoft_defender_endpoint/manifest.yml +++ b/packages/microsoft_defender_endpoint/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.2" name: microsoft_defender_endpoint title: Microsoft Defender for Endpoint -version: "2.25.0" +version: "2.25.1" description: Collect logs from Microsoft Defender for Endpoint with Elastic Agent. categories: - "security" diff --git a/packages/mimecast/changelog.yml b/packages/mimecast/changelog.yml index eadfb8111ea..520cb7be091 100644 --- a/packages/mimecast/changelog.yml +++ b/packages/mimecast/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.27.1" + changes: + - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines. + type: bugfix + link: https://github.com/elastic/integrations/pull/11284 - version: "1.27.0" changes: - description: Add support for message release logs. 
diff --git a/packages/mimecast/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml index 0af7e432aa7..f2a7bda98da 100644 --- a/packages/mimecast/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml +++ b/packages/mimecast/data_stream/audit_events/elasticsearch/ingest_pipeline/default.yml @@ -285,17 +285,17 @@ processors: ignore_missing: true - append: field: related.ip - value: "{{client.ip}}" + value: "{{{client.ip}}}" allow_duplicates: false if: 'ctx?.client?.ip !=null' - append: field: related.user - value: "{{user.name}}" + value: "{{{user.name}}}" allow_duplicates: false if: 'ctx?.user?.name !=null' - append: field: related.user - value: "{{user.email}}" + value: "{{{user.email}}}" allow_duplicates: false if: ctx?.user?.email != null - lowercase: diff --git a/packages/mimecast/data_stream/dlp_logs/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/data_stream/dlp_logs/elasticsearch/ingest_pipeline/default.yml index e2acb027ba2..04b0beed627 100644 --- a/packages/mimecast/data_stream/dlp_logs/elasticsearch/ingest_pipeline/default.yml +++ b/packages/mimecast/data_stream/dlp_logs/elasticsearch/ingest_pipeline/default.yml @@ -77,7 +77,7 @@ processors: if: 'ctx?.mimecast?.policy !=null' - set: field: event.created - value: "{{mimecast.eventTime}}" + value: "{{{mimecast.eventTime}}}" if: 'ctx?.mimecast?.eventTime != null' - lowercase: field: email.direction diff --git a/packages/mimecast/data_stream/siem_logs/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/data_stream/siem_logs/elasticsearch/ingest_pipeline/default.yml index 385b312279e..0f8fb6b2d83 100644 --- a/packages/mimecast/data_stream/siem_logs/elasticsearch/ingest_pipeline/default.yml +++ b/packages/mimecast/data_stream/siem_logs/elasticsearch/ingest_pipeline/default.yml 
@@ -410,7 +410,7 @@ processors: ignore_missing: true - set: field: event.created - value: "{{mimecast.datetime}}" + value: "{{{mimecast.datetime}}}" if: 'ctx?.mimecast?.datetime != null' - set: field: tls.established diff --git a/packages/mimecast/data_stream/threat_intel_malware_customer/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/data_stream/threat_intel_malware_customer/elasticsearch/ingest_pipeline/default.yml index 509da3d9234..c488ed2f645 100644 --- a/packages/mimecast/data_stream/threat_intel_malware_customer/elasticsearch/ingest_pipeline/default.yml +++ b/packages/mimecast/data_stream/threat_intel_malware_customer/elasticsearch/ingest_pipeline/default.yml @@ -83,11 +83,11 @@ processors: if: 'ctx.mimecast?.pattern != null' - set: field: mimecast.value - value: "{{_tmp.threatvalue}}" + value: "{{{_tmp.threatvalue}}}" if: 'ctx?._tmp?.threatvalue != null' - set: field: mimecast.hashtype - value: "{{mimecast.pattern_hash_type}}" + value: "{{{mimecast.pattern_hash_type}}}" if: 'ctx?.mimecast?.pattern_hash_type != null' - rename: field: _tmp.threattype @@ -111,17 +111,17 @@ processors: if: 'ctx?.mimecast?.hashtype == "MD-5"' - append: field: related.hash - value: "{{threat.indicator.file.hash.sha256}}" + value: "{{{threat.indicator.file.hash.sha256}}}" allow_duplicates: false if: 'ctx?.mimecast?.hashtype == "SHA-256"' - append: field: related.hash - value: "{{threat.indicator.file.hash.sha1}}" + value: "{{{threat.indicator.file.hash.sha1}}}" allow_duplicates: false if: 'ctx?.mimecast?.hashtype == "SHA-1"' - append: field: related.hash - value: "{{threat.indicator.file.hash.md5}}" + value: "{{{threat.indicator.file.hash.md5}}}" allow_duplicates: false if: 'ctx?.mimecast?.hashtype == "MD-5"' - set: @@ -134,7 +134,7 @@ processors: processor: append: field: tags - value: "{{_ingest._value}}" + value: "{{{_ingest._value}}}" allow_duplicates: false - grok: field: mimecast.description 
diff --git a/packages/mimecast/data_stream/threat_intel_malware_grid/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/data_stream/threat_intel_malware_grid/elasticsearch/ingest_pipeline/default.yml index 1da773385c3..65d7e3bb268 100644 --- a/packages/mimecast/data_stream/threat_intel_malware_grid/elasticsearch/ingest_pipeline/default.yml +++ b/packages/mimecast/data_stream/threat_intel_malware_grid/elasticsearch/ingest_pipeline/default.yml @@ -82,11 +82,11 @@ processors: if: 'ctx?.mimecast?.pattern != null && ctx?.mimecast?.type == "indicator"' - set: field: mimecast.value - value: "{{_tmp.threatvalue}}" + value: "{{{_tmp.threatvalue}}}" if: 'ctx?.mimecast?.pattern != null && ctx?.mimecast?.type == "indicator"' - set: field: mimecast.hashtype - value: "{{mimecast.pattern_hash_type}}" + value: "{{{mimecast.pattern_hash_type}}}" if: 'ctx?.mimecast?.pattern != null && ctx?.mimecast?.type == "indicator"' - rename: field: _tmp.threattype @@ -110,17 +110,17 @@ processors: if: 'ctx?.mimecast?.hashtype == "MD-5" && ctx?.mimecast?.pattern != null && ctx?.mimecast?.type == "indicator"' - append: field: related.hash - value: "{{threat.indicator.file.hash.sha256}}" + value: "{{{threat.indicator.file.hash.sha256}}}" allow_duplicates: false if: 'ctx?.mimecast?.hashtype == "SHA-256" && ctx?.mimecast?.pattern != null && ctx?.mimecast?.type == "indicator"' - append: field: related.hash - value: "{{threat.indicator.file.hash.sha1}}" + value: "{{{threat.indicator.file.hash.sha1}}}" allow_duplicates: false if: 'ctx?.mimecast?.hashtype == "SHA-1" && ctx?.mimecast?.pattern != null && ctx?.mimecast?.type == "indicator"' - append: field: related.hash - value: "{{threat.indicator.file.hash.md5}}" + value: "{{{threat.indicator.file.hash.md5}}}" allow_duplicates: false if: 'ctx?.mimecast?.hashtype == "MD-5" && ctx?.mimecast?.pattern != null && ctx?.mimecast?.type == "indicator"' - set: 
@@ -133,7 +133,7 @@ processors: processor: append: field: tags - value: "{{_ingest._value}}" + value: "{{{_ingest._value}}}" allow_duplicates: false - grok: field: mimecast.description diff --git a/packages/mimecast/data_stream/ttp_ap_logs/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/data_stream/ttp_ap_logs/elasticsearch/ingest_pipeline/default.yml index 37b8a8be76b..f56340326c2 100644 --- a/packages/mimecast/data_stream/ttp_ap_logs/elasticsearch/ingest_pipeline/default.yml +++ b/packages/mimecast/data_stream/ttp_ap_logs/elasticsearch/ingest_pipeline/default.yml @@ -100,7 +100,7 @@ processors: if: 'ctx?.mimecast?.fileType !=null' - set: field: event.created - value: "{{mimecast.date}}" + value: "{{{mimecast.date}}}" if: 'ctx?.mimecast?.date != null' - split: field: email.attachments.file.name diff --git a/packages/mimecast/data_stream/ttp_ip_logs/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/data_stream/ttp_ip_logs/elasticsearch/ingest_pipeline/default.yml index d6c23baa7ca..6acd892572e 100644 --- a/packages/mimecast/data_stream/ttp_ip_logs/elasticsearch/ingest_pipeline/default.yml +++ b/packages/mimecast/data_stream/ttp_ip_logs/elasticsearch/ingest_pipeline/default.yml @@ -69,11 +69,11 @@ processors: ignore_missing: true - set: field: event.created - value: "{{mimecast.eventTime}}" + value: "{{{mimecast.eventTime}}}" if: 'ctx?.mimecast?.eventTime != null' - append: field: related.ip - value: "{{source.ip}}" + value: "{{{source.ip}}}" allow_duplicates: false if: 'ctx?.source?.ip != null' - dissect: diff --git a/packages/mimecast/data_stream/ttp_url_logs/elasticsearch/ingest_pipeline/default.yml b/packages/mimecast/data_stream/ttp_url_logs/elasticsearch/ingest_pipeline/default.yml index 36fb8e70d83..f79ce569fcf 100644 --- a/packages/mimecast/data_stream/ttp_url_logs/elasticsearch/ingest_pipeline/default.yml +++ b/packages/mimecast/data_stream/ttp_url_logs/elasticsearch/ingest_pipeline/default.yml 
@@ -83,11 +83,11 @@ processors: ignore_missing: true - set: field: event.created - value: "{{mimecast.date}}" + value: "{{{mimecast.date}}}" if: 'ctx?.mimecast?.date != null' - append: field: related.ip - value: "{{source.ip}}" + value: "{{{source.ip}}}" allow_duplicates: false if: 'ctx?.source?.ip !=null' - dissect: diff --git a/packages/mimecast/manifest.yml b/packages/mimecast/manifest.yml index 8627abf7066..445ab4c383a 100644 --- a/packages/mimecast/manifest.yml +++ b/packages/mimecast/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.2" name: mimecast title: "Mimecast" -version: "1.27.0" +version: "1.27.1" description: Collect logs from Mimecast with Elastic Agent. type: integration categories: ["security", "email_security"] diff --git a/packages/netskope/changelog.yml b/packages/netskope/changelog.yml index 6a8e2cd2b82..986c24bd8af 100644 --- a/packages/netskope/changelog.yml +++ b/packages/netskope/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.20.1" + changes: + - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines. + type: bugfix + link: https://github.com/elastic/integrations/pull/11284 - version: "1.20.0" changes: - description: Improve parsing of the message to add the related.user and user.name fields. diff --git a/packages/netskope/data_stream/alerts/_dev/test/pipeline/test-alerts.log-expected.json b/packages/netskope/data_stream/alerts/_dev/test/pipeline/test-alerts.log-expected.json index 3ceb2033b60..d0fa124eaf5 100644 --- a/packages/netskope/data_stream/alerts/_dev/test/pipeline/test-alerts.log-expected.json +++ b/packages/netskope/data_stream/alerts/_dev/test/pipeline/test-alerts.log-expected.json 
@@ -109,6 +109,7 @@ }, "type": "policy", "url": { + "extension": "com\\\\/open", "original": "http:\\\\/\\\\/www.example.com\\\\/open?id=WLb5Mc7aPGx914gEyYNjJxTo32yjF8xKAcqIoN_klrGg", "path": "\\\\/\\\\/www.example.com\\\\/open", "query": "id=WLb5Mc7aPGx914gEyYNjJxTo32yjF8xKAcqIoN_klrGg", @@ -282,6 +283,7 @@ }, "type": "DLP", "url": { + "extension": "com\\\\/open", "original": "http:\\\\/\\\\/www.example.com\\\\/open?id=14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82rGg", "path": "\\\\/\\\\/www.example.com\\\\/open", "query": "id=14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82rGg", @@ -468,6 +470,7 @@ }, "type": "quarantine", "url": { + "extension": "com\\\\/open", "original": "https:\\\\/\\\\/www.example.com\\\\/open?id=o3MyjFxoNAcb514WLYNjJTI9_klcx82rGg7aPGxKgEyq", "path": "\\\\/\\\\/www.example.com\\\\/open", "query": "id=o3MyjFxoNAcb514WLYNjJTI9_klcx82rGg7aPGxKgEyq", @@ -933,6 +936,7 @@ "page": { "site": "examplesecuritycheck", "url": { + "extension": "com/tests/execute/9", "original": "examplesecuritycheck.com/tests/execute/9", "path": "examplesecuritycheck.com/tests/execute/9" } @@ -1678,6 +1682,7 @@ "page": { "site": "examplesecuritycheck", "url": { + "extension": "com/tests/execute/9", "original": "examplesecuritycheck.com/tests/execute/9", "path": "examplesecuritycheck.com/tests/execute/9" } @@ -2446,6 +2451,7 @@ "page": { "site": "examplesecuritycheck", "url": { + "extension": "com/tests/execute/9", "original": "examplesecuritycheck.com/tests/execute/9", "path": "examplesecuritycheck.com/tests/execute/9" } @@ -3229,6 +3235,7 @@ }, "type": "DLP", "url": { + "extension": "com\\\\/open", "original": "http:\\\\/\\\\/www.example.com\\\\/open?id=14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82rGg", "path": "\\\\/\\\\/www.example.com\\\\/open", "query": "id=14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82rGg", 
@@ -3403,6 +3410,7 @@ }, "type": "DLP", "url": { + "extension": "com\\\\/open", "original": "http:\\\\/\\\\/www.example.com\\\\/open?id=14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82rGg", "path": "\\\\/\\\\/www.example.com\\\\/open", "query": "id=14WLYNjJxKgEyqIoNAcb57aPGx9_klcxTo3MyjF82rGg", @@ -3621,6 +3629,7 @@ "page": { "site": "examplesecuritycheck", "url": { + "extension": "com/tests/execute/9", "original": "examplesecuritycheck.com/tests/execute/9", "path": "examplesecuritycheck.com/tests/execute/9" } @@ -4239,6 +4248,7 @@ }, "type": "policy", "url": { + "extension": "com/", "original": "www.example.com/", "path": "www.example.com/" } diff --git a/packages/netskope/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml b/packages/netskope/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml index 9f1ff4beded..9952310e7c5 100644 --- a/packages/netskope/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml +++ b/packages/netskope/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml @@ -114,7 +114,7 @@ processors: on_failure: - set: field: '@timestamp' - value: "{{_ingest.timestamp}}" + value: "{{{_ingest.timestamp}}}" - append: field: error.message value: Unable to parse the value of Timestamp field, therefore setting the value of Timestamp field to current time. diff --git a/packages/netskope/data_stream/events/_dev/test/pipeline/test-events.log-expected.json b/packages/netskope/data_stream/events/_dev/test/pipeline/test-events.log-expected.json index ef6f4d0e90c..bf1bfe49a61 100644 --- a/packages/netskope/data_stream/events/_dev/test/pipeline/test-events.log-expected.json +++ b/packages/netskope/data_stream/events/_dev/test/pipeline/test-events.log-expected.json @@ -630,6 +630,7 @@ }, "type": "connection", "url": { + "extension": "com", "original": "some.example.com", "path": "some.example.com" }, @@ -1328,6 +1329,7 @@ }, "type": "connection", "url": { + "extension": "com", "original": "some.example.com", "path": "some.example.com" }, 
@@ -1631,6 +1633,7 @@ }, "type": "connection", "url": { + "extension": "com", "original": "some.example.com", "path": "some.example.com" }, @@ -2198,6 +2201,7 @@ }, "type": "connection", "url": { + "extension": "com", "original": "example.com", "path": "example.com" }, @@ -2311,6 +2315,7 @@ }, "type": "connection", "url": { + "extension": "com", "original": "example.com", "path": "example.com" }, diff --git a/packages/netskope/data_stream/events/elasticsearch/ingest_pipeline/default.yml b/packages/netskope/data_stream/events/elasticsearch/ingest_pipeline/default.yml index 709af059ae0..1314aca5914 100644 --- a/packages/netskope/data_stream/events/elasticsearch/ingest_pipeline/default.yml +++ b/packages/netskope/data_stream/events/elasticsearch/ingest_pipeline/default.yml @@ -138,7 +138,7 @@ processors: on_failure: - set: field: '@timestamp' - value: "{{_ingest.timestamp}}" + value: "{{{_ingest.timestamp}}}" - append: field: error.message value: Unable to parse the value of Timestamp field, therefore setting the value of Timestamp field to current time. diff --git a/packages/netskope/manifest.yml b/packages/netskope/manifest.yml index 382d8703223..5f60d0d09df 100644 --- a/packages/netskope/manifest.yml +++ b/packages/netskope/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.3" name: netskope title: "Netskope" -version: "1.20.0" +version: "1.20.1" description: Collect logs from Netskope with Elastic Agent. type: integration categories: diff --git a/packages/o365/changelog.yml b/packages/o365/changelog.yml index d5953b6fac1..c34e38b5077 100644 --- a/packages/o365/changelog.yml +++ b/packages/o365/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.6.1" + changes: + - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines. + type: bugfix + link: https://github.com/elastic/integrations/pull/11284 - version: "2.6.0" changes: - description: Tighten IPv4 extraction from IPv4-mapped IPv6 addresses. 
diff --git a/packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml index 00030a105ed..eb5cbb24675 100644 --- a/packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml +++ b/packages/o365/data_stream/audit/elasticsearch/ingest_pipeline/default.yml @@ -1044,32 +1044,32 @@ processors: if: 'ctx.network?.type == null && ctx.client?.ip != null' - append: field: related.ip - value: "{{client.ip}}" + value: "{{{client.ip}}}" allow_duplicates: false if: ctx.client?.ip != null - append: field: related.ip - value: "{{server.ip}}" + value: "{{{server.ip}}}" allow_duplicates: false if: ctx.server?.ip != null - append: field: related.user - value: "{{user.name}}" + value: "{{{user.name}}}" allow_duplicates: false if: ctx.user?.name != null - append: field: related.user - value: "{{user.target.name}}" + value: "{{{user.target.name}}}" allow_duplicates: false if: ctx.user?.target?.name != null - append: field: related.user - value: "{{file.owner}}" + value: "{{{file.owner}}}" allow_duplicates: false if: ctx.file?.owner != null - append: field: related.user - value: "{{o365audit.Parameters.User}}" + value: "{{{o365audit.Parameters.User}}}" allow_duplicates: false if: ctx.o365audit?.Parameters?.User != null - rename: 
@@ -1214,22 +1214,22 @@ processors: if: ctx.o365audit?.Data?.ttdt != null - append: field: related.user - value: "{{o365audit.Data.f3u}}" + value: "{{{o365audit.Data.f3u}}}" allow_duplicates: false if: ctx.o365audit?.Data?.f3u?.splitOnToken('@')?.length == 2 && ctx.o365audit.Data.f3u.length() >= 3; - append: field: related.user - value: "{{o365audit.Data.suid}}" + value: "{{{o365audit.Data.suid}}}" allow_duplicates: false if: ctx.o365audit?.Data?.suid?.splitOnToken('@')?.length == 2 && ctx.o365audit.Data.suid.length() >= 3; - append: field: related.user - value: "{{o365audit.Data.tsd}}" + value: "{{{o365audit.Data.tsd}}}" allow_duplicates: false if: ctx.o365audit?.Data?.tsd?.splitOnToken('@')?.length == 2 && ctx.o365audit.Data.tsd.length() >= 3; - append: field: related.user - value: "{{o365audit.Data.trc}}" + value: "{{{o365audit.Data.trc}}}" allow_duplicates: false if: ctx.o365audit?.Data?.trc?.splitOnToken('@')?.length == 2 && ctx.o365audit.Data.trc.length() >= 3; - rename: diff --git a/packages/o365/manifest.yml b/packages/o365/manifest.yml index c6f942e49f2..e9ea024c7b4 100644 --- a/packages/o365/manifest.yml +++ b/packages/o365/manifest.yml @@ -1,6 +1,6 @@ name: o365 title: Microsoft Office 365 -version: "2.6.0" +version: "2.6.1" description: Collect logs from Microsoft Office 365 with Elastic Agent. type: integration format_version: "3.0.2" diff --git a/packages/okta/changelog.yml b/packages/okta/changelog.yml index e113d1143a7..cad6fb640d0 100644 --- a/packages/okta/changelog.yml +++ b/packages/okta/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.12.1" + changes: + - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines. + type: bugfix + link: https://github.com/elastic/integrations/pull/11284 - version: "2.12.0" changes: - description: Allow user configuration of debug_data flattened use. 
diff --git a/packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml b/packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml index 5a925fbf23e..3239326f3be 100644 --- a/packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml +++ b/packages/okta/data_stream/system/elasticsearch/ingest_pipeline/default.yml @@ -165,12 +165,12 @@ processors: ignore_failure: true - set: field: source.user.name - value: "{{user.name}}" + value: "{{{user.name}}}" ignore_empty_value: true if: ctx?.user?.name != null - set: field: client.user.name - value: "{{user.name}}" + value: "{{{user.name}}}" ignore_empty_value: true if: ctx?.user?.name != null - rename: 
@@ -491,52 +491,52 @@ processors: ignore_missing: true - set: field: client.user.id - value: "{{okta.actor.id}}" + value: "{{{okta.actor.id}}}" ignore_empty_value: true if: ctx?.okta?.actor?.id != null - set: field: source.user.id - value: "{{okta.actor.id}}" + value: "{{{okta.actor.id}}}" ignore_empty_value: true if: ctx?.okta?.actor?.id != null - set: field: client.user.full_name - value: "{{okta.actor.display_name}}" + value: "{{{okta.actor.display_name}}}" ignore_empty_value: true if: ctx?.okta?.actor?.display_name != null - set: field: source.user.full_name - value: "{{okta.actor.display_name}}" + value: "{{{okta.actor.display_name}}}" ignore_empty_value: true if: ctx?.okta?.actor?.display_name != null - set: field: user.full_name - value: "{{okta.actor.display_name}}" + value: "{{{okta.actor.display_name}}}" ignore_empty_value: true if: ctx?.okta?.actor?.display_name != null - append: field: related.user - value: "{{okta.actor.display_name}}" + value: "{{{okta.actor.display_name}}}" allow_duplicates: false if: ctx?.okta?.actor?.display_name != null - append: field: related.user - value: "{{user.target.full_name}}" + value: "{{{user.target.full_name}}}" allow_duplicates: false if: ctx?.user?.target?.full_name != null - append: field: related.user - value: "{{user.name}}" + value: "{{{user.name}}}" allow_duplicates: false if: ctx?.user?.name != null - append: field: related.ip - value: "{{source.ip}}" + value: "{{{source.ip}}}" allow_duplicates: false if: ctx?.source?.ip != null - append: field: related.ip - value: "{{destination.ip}}" + value: "{{{destination.ip}}}" allow_duplicates: false if: ctx?.destination?.ip != null - remove: diff --git a/packages/okta/manifest.yml b/packages/okta/manifest.yml index 2f8dfd80f75..ad9d28e960b 100644 --- a/packages/okta/manifest.yml +++ b/packages/okta/manifest.yml 
@@ -1,6 +1,6 @@ name: okta title: Okta -version: "2.12.0" +version: "2.12.1" description: Collect and parse event logs from Okta API with Elastic Agent. type: integration format_version: "3.1.0" diff --git a/packages/pulse_connect_secure/changelog.yml b/packages/pulse_connect_secure/changelog.yml index abeeac87f81..ae7aa4b4e7d 100644 --- a/packages/pulse_connect_secure/changelog.yml +++ b/packages/pulse_connect_secure/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.2.1" + changes: + - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines. + type: bugfix + link: https://github.com/elastic/integrations/pull/11284 - version: "2.2.0" changes: - description: Allow domain separators to include extra backslash characters. diff --git a/packages/pulse_connect_secure/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/pulse_connect_secure/data_stream/log/elasticsearch/ingest_pipeline/default.yml index 6b52d22ed32..e4d4aee4bd0 100644 --- a/packages/pulse_connect_secure/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ b/packages/pulse_connect_secure/data_stream/log/elasticsearch/ingest_pipeline/default.yml @@ -28,7 +28,7 @@ processors: - date: field: _tmp.timestamp target_field: '@timestamp' - timezone: "{{ event.timezone }}" + timezone: "{{{ event.timezone }}}" formats: - ISO8601 if: ctx.event?.timezone != null diff --git a/packages/pulse_connect_secure/manifest.yml b/packages/pulse_connect_secure/manifest.yml index afd28a971e7..1fa6a118a81 100644 --- a/packages/pulse_connect_secure/manifest.yml +++ b/packages/pulse_connect_secure/manifest.yml @@ -1,6 +1,6 @@ name: pulse_connect_secure title: Pulse Connect Secure -version: "2.2.0" +version: "2.2.1" description: Collect logs from Pulse Connect Secure with Elastic Agent. type: integration icons: diff --git a/packages/santa/changelog.yml b/packages/santa/changelog.yml index de10c72dac4..ca8f8fdf1ca 100644 
--- a/packages/santa/changelog.yml +++ b/packages/santa/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "3.19.1" + changes: + - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines. + type: bugfix + link: https://github.com/elastic/integrations/pull/11284 - version: "3.19.0" changes: - description: Add support for team ID field. diff --git a/packages/santa/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/santa/data_stream/log/elasticsearch/ingest_pipeline/default.yml index 7747932000e..98d81e005e6 100644 --- a/packages/santa/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ b/packages/santa/data_stream/log/elasticsearch/ingest_pipeline/default.yml @@ -33,7 +33,7 @@ processors: ignore_failure: true - set: field: '@timestamp' - value: '{{ process.start }}' + value: '{{{ process.start }}}' ignore_failure: true ignore_empty_value: true - split: @@ -51,14 +51,14 @@ processors: ignore_missing: true - append: field: process.args - value: "{{process.executable}}" + value: "{{{process.executable}}}" if: "ctx?.process?.executable != null" - foreach: field: santa.args processor: append: field: process.args - value: "{{_ingest._value}}" + value: "{{{_ingest._value}}}" ignore_missing: true - remove: field: santa.args 
@@ -84,22 +84,22 @@ processors: if: "ctx?.santa?.decision == 'DENY'" - set: field: event.action - value: "{{santa.action}}" + value: "{{{santa.action}}}" ignore_empty_value: true - lowercase: field: event.action ignore_missing: true - append: field: related.user - value: "{{user.name}}" + value: "{{{user.name}}}" if: "ctx?.user?.name != null" - append: field: related.hash - value: "{{santa.certificate.sha256}}" + value: "{{{santa.certificate.sha256}}}" if: "ctx?.santa?.certificate?.sha256 != null" - append: field: related.hash - value: "{{process.hash.sha256}}" + value: "{{{process.hash.sha256}}}" if: "ctx?.process?.hash != null" - append: field: file.x509.issuer.common_name diff --git a/packages/santa/manifest.yml b/packages/santa/manifest.yml index 73201626cd4..dd7acc549b9 100644 --- a/packages/santa/manifest.yml +++ b/packages/santa/manifest.yml @@ -1,6 +1,6 @@ name: santa title: Google Santa -version: "3.19.0" +version: "3.19.1" description: Collect logs from Google Santa with Elastic Agent. type: integration icons: diff --git a/packages/slack/changelog.yml b/packages/slack/changelog.yml index b8a54edc9bb..d846c87d295 100644 --- a/packages/slack/changelog.yml +++ b/packages/slack/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.21.1" + changes: + - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines. + type: bugfix + link: https://github.com/elastic/integrations/pull/11284 - version: "1.21.0" changes: - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. diff --git a/packages/slack/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/slack/data_stream/audit/elasticsearch/ingest_pipeline/default.yml index 5a3a649d99e..31447a9551b 100644 --- a/packages/slack/data_stream/audit/elasticsearch/ingest_pipeline/default.yml 
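Review bot: In the santa `@@ -84,22` hunk the guard on the `related.hash` append from `process.hash.sha256` only checks that `process.hash` exists, so an event whose hash object carries no `sha256` renders the template to an empty string and that empty value is what `append` receives; the sibling append from `santa.certificate.sha256` checks the leaf, not the parent. Change the condition to `if: "ctx?.process?.hash?.sha256 != null"`. Whether an empty rendered value actually lands in `related.hash` depends on how `append` treats it, so a pipeline test with a hash object lacking `sha256` would settle it.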
+++ b/packages/slack/data_stream/audit/elasticsearch/ingest_pipeline/default.yml @@ -146,7 +146,7 @@ processors: ignore_missing: true - append: field: related.hash - value: '{{slack.audit.details.md5}}' + value: '{{{slack.audit.details.md5}}}' allow_duplicates: false if: ctx.slack?.audit?.details?.md5 != null - set: diff --git a/packages/slack/manifest.yml b/packages/slack/manifest.yml index 42fc10f6db4..9ec1e82ca8b 100644 --- a/packages/slack/manifest.yml +++ b/packages/slack/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.2" name: slack title: "Slack Logs" -version: "1.21.0" +version: "1.21.1" description: "Slack Logs Integration" type: integration categories: diff --git a/packages/snyk/changelog.yml b/packages/snyk/changelog.yml index 1a919153809..127fef4fa0f 100644 --- a/packages/snyk/changelog.yml +++ b/packages/snyk/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.25.2" + changes: + - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines. + type: bugfix + link: https://github.com/elastic/integrations/pull/11284 - version: "1.25.1" changes: - description: Fix fingerprint in audit_logs. diff --git a/packages/snyk/data_stream/vulnerabilities/elasticsearch/ingest_pipeline/default.yml b/packages/snyk/data_stream/vulnerabilities/elasticsearch/ingest_pipeline/default.yml index f54642026ae..ff238755f6d 100644 --- a/packages/snyk/data_stream/vulnerabilities/elasticsearch/ingest_pipeline/default.yml +++ b/packages/snyk/data_stream/vulnerabilities/elasticsearch/ingest_pipeline/default.yml @@ -147,8 +147,8 @@ processors: field: snyk.vulnerabilities.patches processor: rename: - field: "{{ _ingest._value.modificationTime }}" - target_field: "{{ _ingest._value.modification_time }}" + field: "{{{ _ingest._value.modificationTime }}}" + target_field: "{{{ _ingest._value.modification_time }}}" ignore_missing: true ignore_failure: true if: ctx?.snyk?.vulnerabilities?.patches != null 
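Review bot: In the snyk `@@ -147,8` hunk the `rename` inside the `foreach` over `snyk.vulnerabilities.patches` gives `field` and `target_field` as Mustache templates, which resolve to the values of `modificationTime` and `modification_time` rather than to those field paths; the rename therefore looks for a field named after the timestamp (with a target named after a key that does not exist yet), fails, and is masked by `ignore_missing` and `ignore_failure`. Switching to triple braces changes only the escaping, not this. If the intent is to snake_case the key, the lines should be `field: _ingest._value.modificationTime` and `target_field: _ingest._value.modification_time` with no braces at all. The `foreach` itself begins before the hunk, so I cannot see whether it carries its own condition.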
@@ -157,7 +157,7 @@ processors: processor: append: field: snyk.related.projects - value: "{{_ingest._value.name }}" + value: "{{{_ingest._value.name }}}" ignore_failure: true ignore_failure: true if: ctx?.snyk?.projects != null diff --git a/packages/snyk/manifest.yml b/packages/snyk/manifest.yml index 81073b88c83..45ea095b7a3 100644 --- a/packages/snyk/manifest.yml +++ b/packages/snyk/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.2" name: snyk title: "Snyk" -version: "1.25.1" +version: "1.25.2" description: Collect logs from Snyk with Elastic Agent. type: integration categories: diff --git a/packages/symantec_endpoint_security/changelog.yml b/packages/symantec_endpoint_security/changelog.yml index f73c3d2899c..9da9f9c5d07 100644 --- a/packages/symantec_endpoint_security/changelog.yml +++ b/packages/symantec_endpoint_security/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.0.1" + changes: + - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines. + type: bugfix + link: https://github.com/elastic/integrations/pull/11284 - version: "1.0.0" changes: - description: Release package as GA. diff --git a/packages/symantec_endpoint_security/data_stream/event/elasticsearch/ingest_pipeline/default.yml b/packages/symantec_endpoint_security/data_stream/event/elasticsearch/ingest_pipeline/default.yml index 1c3dba50227..899d4c2f15f 100644 --- a/packages/symantec_endpoint_security/data_stream/event/elasticsearch/ingest_pipeline/default.yml +++ b/packages/symantec_endpoint_security/data_stream/event/elasticsearch/ingest_pipeline/default.yml @@ -497,7 +497,7 @@ processors: - append: field: related.ip tag: append_related_ip_from_device_subnet - value: '{{ses.device_subnet}}' + value: '{{{ses.device_subnet}}}' allow_duplicates: false if: ctx.ses?.device_subnet != null - date: 
diff --git a/packages/symantec_endpoint_security/manifest.yml b/packages/symantec_endpoint_security/manifest.yml index 02f6308d1e5..9d44554307d 100644 --- a/packages/symantec_endpoint_security/manifest.yml +++ b/packages/symantec_endpoint_security/manifest.yml @@ -1,7 +1,7 @@ format_version: 3.0.3 name: symantec_endpoint_security title: Symantec Endpoint Security -version: "1.0.0" +version: "1.0.1" description: Collect logs from Symantec Endpoint Security with Elastic Agent. type: integration categories: diff --git a/packages/ti_abusech/changelog.yml b/packages/ti_abusech/changelog.yml index 1dc70a71d86..2e2da4efb3a 100644 --- a/packages/ti_abusech/changelog.yml +++ b/packages/ti_abusech/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.3.4" + changes: + - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines. + type: bugfix + link: https://github.com/elastic/integrations/pull/11284 - version: "2.3.3" changes: - description: Fix labels.is_ioc_transform_source values diff --git a/packages/ti_abusech/data_stream/malwarebazaar/elasticsearch/ingest_pipeline/default.yml b/packages/ti_abusech/data_stream/malwarebazaar/elasticsearch/ingest_pipeline/default.yml index 795fbf64a0c..c2128840aa1 100644 --- a/packages/ti_abusech/data_stream/malwarebazaar/elasticsearch/ingest_pipeline/default.yml +++ b/packages/ti_abusech/data_stream/malwarebazaar/elasticsearch/ingest_pipeline/default.yml @@ -204,12 +204,12 @@ processors: } - append: field: related.hash - value: "{{ threat.indicator.file.pe.imphash }}" + value: "{{{ threat.indicator.file.pe.imphash }}}" allow_duplicates: false if: ctx?.threat?.indicator?.file?.pe?.imphash != null - append: field: related.hash - value: "{{ threat.indicator.file.elf.telfhash }}" + value: "{{{ threat.indicator.file.elf.telfhash }}}" allow_duplicates: false if: ctx?.threat?.indicator?.file?.elf?.telfhash != null - convert: 
diff --git a/packages/ti_abusech/data_stream/url/_dev/test/pipeline/test-abusechurl-dump.log-expected.json b/packages/ti_abusech/data_stream/url/_dev/test/pipeline/test-abusechurl-dump.log-expected.json index e043fd8a27a..d601f5006a8 100644 --- a/packages/ti_abusech/data_stream/url/_dev/test/pipeline/test-abusechurl-dump.log-expected.json +++ b/packages/ti_abusech/data_stream/url/_dev/test/pipeline/test-abusechurl-dump.log-expected.json @@ -3,7 +3,7 @@ { "abusech": { "url": { - "deleted_at": "2024-06-20T04:56:13.743Z", + "deleted_at": "2024-10-01T08:46:44.989Z", "id": "2786904", "threat": "malware_download", "url_status": "online" @@ -16,7 +16,7 @@ "category": [ "threat" ], - "ingested": "2024-06-20T03:57:43.743250436Z", + "ingested": "2024-10-01T07:48:14.989522569Z", "kind": "enrichment", "original": "{\"id\":\"2786904\",\"dateadded\":\"2024-03-19 11:34:09 UTC\",\"url\":\"http://115.55.244.160:41619/Mozi.m\",\"url_status\":\"online\",\"last_online\":\"2024-03-19 11:34:09 UTC\",\"threat\":\"malware_download\",\"tags\":[\"elf\",\"Mozi\"],\"urlhaus_link\":\"https://urlhaus.abuse.ch/url/2786904/\",\"reporter\":\"lrz_urlhaus\"}", "type": [ @@ -54,7 +54,7 @@ { "abusech": { "url": { - "deleted_at": "2024-06-20T04:56:13.743Z", + "deleted_at": "2024-10-01T08:46:44.989Z", "id": "2786903", "threat": "malware_download", "url_status": "online" @@ -67,7 +67,7 @@ "category": [ "threat" ], - "ingested": "2024-06-20T03:57:43.743264045Z", + "ingested": "2024-10-01T07:48:14.989533486Z", "kind": "enrichment", "original": "{\"id\":\"2786903\",\"dateadded\":\"2024-03-19 11:33:08 UTC\",\"url\":\"http://27.206.236.188:59429/i\",\"url_status\":\"online\",\"last_online\":\"2024-03-19 11:33:08 UTC\",\"threat\":\"malware_download\",\"tags\":[\"32-bit\",\"elf\",\"mips\",\"Mozi\"],\"urlhaus_link\":\"https://urlhaus.abuse.ch/url/2786903/\",\"reporter\":\"geenensp\"}", "type": [ 
diff --git a/packages/ti_abusech/data_stream/url/elasticsearch/ingest_pipeline/default.yml b/packages/ti_abusech/data_stream/url/elasticsearch/ingest_pipeline/default.yml index d1a67a9e4b3..4cde025393d 100644 --- a/packages/ti_abusech/data_stream/url/elasticsearch/ingest_pipeline/default.yml +++ b/packages/ti_abusech/data_stream/url/elasticsearch/ingest_pipeline/default.yml @@ -113,7 +113,7 @@ processors: ignore_missing: true - set: field: event.ingested - value: '{{_ingest.timestamp}}' + value: '{{{_ingest.timestamp}}}' ###################### # IOC expiration # ###################### diff --git a/packages/ti_abusech/manifest.yml b/packages/ti_abusech/manifest.yml index 71ca716a893..0182ee3fd2b 100644 --- a/packages/ti_abusech/manifest.yml +++ b/packages/ti_abusech/manifest.yml @@ -1,6 +1,6 @@ name: ti_abusech title: AbuseCH -version: "2.3.3" +version: "2.3.4" description: Ingest threat intelligence indicators from URL Haus, Malware Bazaar, and Threat Fox feeds with Elastic Agent. type: integration format_version: "3.0.3" diff --git a/packages/ti_cif3/changelog.yml b/packages/ti_cif3/changelog.yml index 8f718045250..a06aaa1f2fa 100644 --- a/packages/ti_cif3/changelog.yml +++ b/packages/ti_cif3/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.14.4" + changes: + - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines. + type: bugfix + link: https://github.com/elastic/integrations/pull/11284 - version: "1.14.3" changes: - description: Fix labels.is_ioc_transform_source values diff --git a/packages/ti_cif3/data_stream/feed/elasticsearch/ingest_pipeline/default.yml b/packages/ti_cif3/data_stream/feed/elasticsearch/ingest_pipeline/default.yml index 64a2ba8a997..12364c5d9bd 100644 --- a/packages/ti_cif3/data_stream/feed/elasticsearch/ingest_pipeline/default.yml +++ b/packages/ti_cif3/data_stream/feed/elasticsearch/ingest_pipeline/default.yml 
@@ -280,7 +280,7 @@ processors: processor: append: field: tags - value: "{{_ingest._value}}" + value: "{{{_ingest._value}}}" allow_duplicates: false if: ctx.cif3?.tags != null diff --git a/packages/ti_cif3/manifest.yml b/packages/ti_cif3/manifest.yml index 228bf6c4a67..624d233f0cb 100644 --- a/packages/ti_cif3/manifest.yml +++ b/packages/ti_cif3/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.2" name: ti_cif3 title: "Collective Intelligence Framework v3" -version: "1.14.3" +version: "1.14.4" description: "Ingest threat indicators from a Collective Intelligence Framework v3 instance with Elastic Agent." type: integration categories: diff --git a/packages/ti_custom/changelog.yml b/packages/ti_custom/changelog.yml index eccd3de4ebe..33e92a34405 100644 --- a/packages/ti_custom/changelog.yml +++ b/packages/ti_custom/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "0.1.2" + changes: + - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines. + type: bugfix + link: https://github.com/elastic/integrations/pull/11284 - version: "0.1.1" changes: - description: Fix labels.is_ioc_transform_source values diff --git a/packages/ti_custom/data_stream/indicator/_dev/test/pipeline/test-indicator-file-ndjson.log-expected.json b/packages/ti_custom/data_stream/indicator/_dev/test/pipeline/test-indicator-file-ndjson.log-expected.json index ed9598ed1a6..e537b28ee82 100644 --- a/packages/ti_custom/data_stream/indicator/_dev/test/pipeline/test-indicator-file-ndjson.log-expected.json +++ b/packages/ti_custom/data_stream/indicator/_dev/test/pipeline/test-indicator-file-ndjson.log-expected.json @@ -76,7 +76,7 @@ "description": "https://app.any.run/tasks/5d55b048-87d5-4466-ae7f-631a2598f7a2/", "file": { "name": [ - "%TEMP%\\\\nsrCAAE.tmp\\\\nsExec.dll" + "%TEMP%\\nsrCAAE.tmp\\nsExec.dll" ] }, "first_seen": "2020-01-30T23:12:07.000Z", 
diff --git a/packages/ti_custom/data_stream/indicator/_dev/test/pipeline/test-indicator-windows-registry-ndjson.log-expected.json b/packages/ti_custom/data_stream/indicator/_dev/test/pipeline/test-indicator-windows-registry-ndjson.log-expected.json index 71087746adb..cb9c19fb87e 100644 --- a/packages/ti_custom/data_stream/indicator/_dev/test/pipeline/test-indicator-windows-registry-ndjson.log-expected.json +++ b/packages/ti_custom/data_stream/indicator/_dev/test/pipeline/test-indicator-windows-registry-ndjson.log-expected.json @@ -49,7 +49,7 @@ "name": "IMDDOS Infected Host", "registry": { "path": [ - "HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\SafePrec%" + "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\SafePrec%" ] }, "type": "windows-registry-key" diff --git a/packages/ti_custom/data_stream/indicator/_dev/test/pipeline/test-indicator-x509-ndjson.log-expected.json b/packages/ti_custom/data_stream/indicator/_dev/test/pipeline/test-indicator-x509-ndjson.log-expected.json index d0ec659eafc..d05799552ae 100644 --- a/packages/ti_custom/data_stream/indicator/_dev/test/pipeline/test-indicator-x509-ndjson.log-expected.json +++ b/packages/ti_custom/data_stream/indicator/_dev/test/pipeline/test-indicator-x509-ndjson.log-expected.json @@ -159,16 +159,16 @@ ], "subject": { "common_name": [ - "Hangil IT Co.\\\\, Ltd" + "Hangil IT Co.\\, Ltd" ], "country": [ "KR" ], "distinguished_name": [ - "C=KR, ST=Seoul, O=Hangil IT Co.\\\\, Ltd, CN=Hangil IT Co.\\\\, Ltd" + "C=KR, ST=Seoul, O=Hangil IT Co.\\, Ltd, CN=Hangil IT Co.\\, Ltd" ], "organization": [ - "Hangil IT Co.\\\\, Ltd" + "Hangil IT Co.\\, Ltd" ], "state_or_province": [ "Seoul" diff --git a/packages/ti_custom/data_stream/indicator/elasticsearch/ingest_pipeline/default.yml b/packages/ti_custom/data_stream/indicator/elasticsearch/ingest_pipeline/default.yml index 6d3b8906af4..183d6f8ba2d 100644 --- a/packages/ti_custom/data_stream/indicator/elasticsearch/ingest_pipeline/default.yml 
+++ b/packages/ti_custom/data_stream/indicator/elasticsearch/ingest_pipeline/default.yml @@ -112,7 +112,7 @@ processors: processor: append: field: tags - value: '{{ _ingest._value }}' + value: '{{{ _ingest._value }}}' tag: append_tags ignore_missing: true ignore_failure: true diff --git a/packages/ti_custom/data_stream/indicator/elasticsearch/ingest_pipeline/indicator-asn.yml b/packages/ti_custom/data_stream/indicator/elasticsearch/ingest_pipeline/indicator-asn.yml index 77e8518b2d2..a76d7b86d8b 100644 --- a/packages/ti_custom/data_stream/indicator/elasticsearch/ingest_pipeline/indicator-asn.yml +++ b/packages/ti_custom/data_stream/indicator/elasticsearch/ingest_pipeline/indicator-asn.yml @@ -12,7 +12,7 @@ processors: # In cases of multiple patterns, it is necessary to append all IOCs so that they are not overwritten - append: field: threat.indicator.as.number - value: '{{ _tmp.as_number }}' + value: '{{{ _tmp.as_number }}}' if: ctx._tmp?.as_number != null - remove: field: _tmp diff --git a/packages/ti_custom/data_stream/indicator/elasticsearch/ingest_pipeline/indicator-domain-name.yml b/packages/ti_custom/data_stream/indicator/elasticsearch/ingest_pipeline/indicator-domain-name.yml index 7a0410044d3..fc4ab23dae3 100644 --- a/packages/ti_custom/data_stream/indicator/elasticsearch/ingest_pipeline/indicator-domain-name.yml +++ b/packages/ti_custom/data_stream/indicator/elasticsearch/ingest_pipeline/indicator-domain-name.yml @@ -16,15 +16,15 @@ processors: # In cases of multiple patterns, it is necessary to append all IOCs so that they are not overwritten - append: field: threat.indicator.url.original - value: '{{ _tmp.url }}' + value: '{{{ _tmp.url }}}' if: ctx._tmp?.url != null - append: field: threat.indicator.ip - value: '{{ _tmp.ip }}' + value: '{{{ _tmp.ip }}}' if: ctx._tmp?.ip != null - append: field: related.ip - value: '{{ _tmp.ip }}' + value: '{{{ _tmp.ip }}}' if: ctx._tmp?.ip != null allow_duplicates: false - remove: 
diff --git a/packages/ti_custom/data_stream/indicator/elasticsearch/ingest_pipeline/indicator-email.yml b/packages/ti_custom/data_stream/indicator/elasticsearch/ingest_pipeline/indicator-email.yml index 0be30254c3d..90cfab1b9b9 100644 --- a/packages/ti_custom/data_stream/indicator/elasticsearch/ingest_pipeline/indicator-email.yml +++ b/packages/ti_custom/data_stream/indicator/elasticsearch/ingest_pipeline/indicator-email.yml @@ -14,7 +14,7 @@ processors: # In cases of multiple patterns, it is necessary to append all IOCs so that they are not overwritten - append: field: threat.indicator.email.address - value: '{{ _tmp.email_addr }}' + value: '{{{ _tmp.email_addr }}}' if: ctx._tmp?.email_addr != null - remove: field: _tmp diff --git a/packages/ti_custom/data_stream/indicator/elasticsearch/ingest_pipeline/indicator-file.yml b/packages/ti_custom/data_stream/indicator/elasticsearch/ingest_pipeline/indicator-file.yml index fa21b44631d..ff00db04150 100644 --- a/packages/ti_custom/data_stream/indicator/elasticsearch/ingest_pipeline/indicator-file.yml +++ b/packages/ti_custom/data_stream/indicator/elasticsearch/ingest_pipeline/indicator-file.yml 
@@ -14,34 +14,34 @@ processors: # In cases of multiple patterns, it is necessary to append all IOCs so that they are not overwritten - append: field: threat.indicator.file.hash.md5 - value: '{{ _tmp.md5 }}' + value: '{{{ _tmp.md5 }}}' if: ctx._tmp?.md5 != null - append: field: threat.indicator.file.hash.sha1 - value: '{{ _tmp.sha1 }}' + value: '{{{ _tmp.sha1 }}}' if: ctx._tmp?.sha1 != null - append: field: threat.indicator.file.hash.sha256 - value: '{{ _tmp.sha256 }}' + value: '{{{ _tmp.sha256 }}}' if: ctx._tmp?.sha256 != null - append: field: threat.indicator.file.name - value: '{{ _tmp.filename }}' + value: '{{{ _tmp.filename }}}' if: ctx._tmp?.filename != null - append: field: related.hash - value: '{{ _tmp.md5 }}' + value: '{{{ _tmp.md5 }}}' if: ctx._tmp?.md5 != null allow_duplicates: false - append: field: related.hash - value: '{{ _tmp.sha1 }}' + value: '{{{ _tmp.sha1 }}}' if: ctx._tmp?.sha1 != null allow_duplicates: false - append: field: related.hash - value: '{{ _tmp.sha256 }}' + value: '{{{ _tmp.sha256 }}}' if: ctx._tmp?.sha256 != null allow_duplicates: false diff --git a/packages/ti_custom/data_stream/indicator/elasticsearch/ingest_pipeline/indicator-ip.yml b/packages/ti_custom/data_stream/indicator/elasticsearch/ingest_pipeline/indicator-ip.yml index a508541e2ec..51d4da40da5 100644 --- a/packages/ti_custom/data_stream/indicator/elasticsearch/ingest_pipeline/indicator-ip.yml +++ b/packages/ti_custom/data_stream/indicator/elasticsearch/ingest_pipeline/indicator-ip.yml @@ -13,11 +13,11 @@ processors: # In cases of multiple patterns, it is necessary to append all IOCs so that they are not overwritten - append: field: threat.indicator.ip - value: '{{ _tmp.ip }}' + value: '{{{ _tmp.ip }}}' if: ctx._tmp?.ip != null - append: field: related.ip - value: '{{ _tmp.ip }}' + value: '{{{ _tmp.ip }}}' if: ctx._tmp?.ip != null allow_duplicates: false - remove: 
diff --git a/packages/ti_custom/data_stream/indicator/elasticsearch/ingest_pipeline/indicator-url.yml b/packages/ti_custom/data_stream/indicator/elasticsearch/ingest_pipeline/indicator-url.yml index 02c70027119..1846c61860b 100644 --- a/packages/ti_custom/data_stream/indicator/elasticsearch/ingest_pipeline/indicator-url.yml +++ b/packages/ti_custom/data_stream/indicator/elasticsearch/ingest_pipeline/indicator-url.yml @@ -11,7 +11,7 @@ processors: # In cases of multiple patterns, it is necessary to append all IOCs so that they are not overwritten - append: field: threat.indicator.url.original - value: '{{ _tmp.url }}' + value: '{{{ _tmp.url }}}' if: ctx._tmp?.url != null - remove: field: _tmp diff --git a/packages/ti_custom/data_stream/indicator/elasticsearch/ingest_pipeline/indicator-windows-registry.yml b/packages/ti_custom/data_stream/indicator/elasticsearch/ingest_pipeline/indicator-windows-registry.yml index 8d11268bed2..a0cfc3449a5 100644 --- a/packages/ti_custom/data_stream/indicator/elasticsearch/ingest_pipeline/indicator-windows-registry.yml +++ b/packages/ti_custom/data_stream/indicator/elasticsearch/ingest_pipeline/indicator-windows-registry.yml @@ -14,15 +14,15 @@ processors: # In cases of multiple patterns, it is necessary to append all IOCs so that they are not overwritten - append: field: threat.indicator.registry.path - value: '{{ _tmp.reg_path }}' + value: '{{{ _tmp.reg_path }}}' if: ctx._tmp?.reg_path != null - append: field: threat.indicator.registry.key - value: '{{ _tmp.reg_key }}' + value: '{{{ _tmp.reg_key }}}' if: ctx._tmp?.reg_key != null - append: field: threat.indicator.registry.value - value: '{{ _tmp.reg_value }}' + value: '{{{ _tmp.reg_value }}}' if: ctx._tmp?.reg_value != null - remove: field: _tmp diff --git a/packages/ti_custom/data_stream/indicator/elasticsearch/ingest_pipeline/indicator-x509.yml b/packages/ti_custom/data_stream/indicator/elasticsearch/ingest_pipeline/indicator-x509.yml index 4eb1111a143..c79ab64e9d9 100644 
--- a/packages/ti_custom/data_stream/indicator/elasticsearch/ingest_pipeline/indicator-x509.yml +++ b/packages/ti_custom/data_stream/indicator/elasticsearch/ingest_pipeline/indicator-x509.yml @@ -19,35 +19,35 @@ processors: # In cases of multiple patterns, it is necessary to append all IOCs so that they are not overwritten - append: field: threat.indicator.file.hash.md5 - value: '{{ _tmp.md5 }}' + value: '{{{ _tmp.md5 }}}' if: ctx._tmp?.md5 != null - append: field: threat.indicator.file.hash.sha1 - value: '{{ _tmp.sha1 }}' + value: '{{{ _tmp.sha1 }}}' if: ctx._tmp?.sha1 != null - append: field: threat.indicator.file.hash.sha256 - value: '{{ _tmp.sha256 }}' + value: '{{{ _tmp.sha256 }}}' if: ctx._tmp?.sha256 != null - append: field: threat.indicator.x509.serial_number - value: '{{ _tmp.serial_number }}' + value: '{{{ _tmp.serial_number }}}' if: ctx._tmp?.serial_number != null - append: field: threat.indicator.x509.signature_algorithm - value: '{{ _tmp.signature_algorithm }}' + value: '{{{ _tmp.signature_algorithm }}}' if: ctx._tmp?.signature_algorithm != null - append: field: threat.indicator.x509.version_number - value: '{{ _tmp.version_number }}' + value: '{{{ _tmp.version_number }}}' if: ctx._tmp?.version_number != null - append: field: threat.indicator.x509.issuer.distinguished_name - value: '{{ _tmp.issuer }}' + value: '{{{ _tmp.issuer }}}' if: ctx._tmp?.issuer != null - append: field: threat.indicator.x509.subject.distinguished_name - value: '{{ _tmp.subject }}' + value: '{{{ _tmp.subject }}}' if: ctx._tmp?.subject != null - kv: 
@@ -61,35 +61,35 @@ processors: - append: field: threat.indicator.x509.issuer.common_name - value: '{{ _tmp.issuer_fields.CN }}' + value: '{{{ _tmp.issuer_fields.CN }}}' if: ctx._tmp.issuer_fields?.CN != null - append: field: threat.indicator.x509.issuer.country - value: '{{ _tmp.issuer_fields.C }}' + value: '{{{ _tmp.issuer_fields.C }}}' if: ctx._tmp?.issuer_fields?.C != null - append: field: threat.indicator.x509.issuer.locality - value: '{{ _tmp.issuer_fields.L }}' + value: '{{{ _tmp.issuer_fields.L }}}' if: ctx._tmp?.issuer_fields?.L != null - append: field: threat.indicator.x509.issuer.organization - value: '{{ _tmp.issuer_fields.O }}' + value: '{{{ _tmp.issuer_fields.O }}}' if: ctx._tmp?.issuer_fields?.O != null - append: field: threat.indicator.x509.issuer.organizational_unit - value: '{{ _tmp.issuer_fields.OU }}' + value: '{{{ _tmp.issuer_fields.OU }}}' if: ctx._tmp?.issuer_fields?.OU != null - append: field: threat.indicator.x509.issuer.state_or_province - value: '{{ _tmp.issuer_fields.S }}' + value: '{{{ _tmp.issuer_fields.S }}}' if: ctx._tmp?.issuer_fields?.S != null - append: field: threat.indicator.x509.issuer.state_or_province - value: '{{ _tmp.issuer_fields.ST }}' + value: '{{{ _tmp.issuer_fields.ST }}}' if: ctx._tmp?.issuer_fields?.ST != null - append: field: threat.indicator.x509.issuer.state_or_province - value: '{{ _tmp.issuer_fields.P }}' + value: '{{{ _tmp.issuer_fields.P }}}' if: ctx._tmp?.issuer_fields?.P != null - kv: 
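Review bot: The condition on the first append in the indicator-x509 `@@ -61,35` hunk, `if: ctx._tmp.issuer_fields?.CN != null`, dereferences `_tmp` without the null-safe operator, while every other condition in this hunk and in the `@@ -103,50` subject hunk uses `ctx._tmp?.…`. If `_tmp` can be absent when this processor runs, the Painless condition itself throws instead of skipping the append. For consistency and safety make it `if: ctx._tmp?.issuer_fields?.CN != null`.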
@@ -103,50 +103,50 @@ processors:
 - append:
 field: threat.indicator.x509.subject.common_name
- value: '{{ _tmp.subject_fields.CN }}'
+ value: '{{{ _tmp.subject_fields.CN }}}'
 if: ctx._tmp?.subject_fields?.CN != null
 - append:
 field: threat.indicator.x509.subject.country
- value: '{{ _tmp.subject_fields.C }}'
+ value: '{{{ _tmp.subject_fields.C }}}'
 if: ctx._tmp?.subject_fields?.C != null
 - append:
 field: threat.indicator.x509.subject.locality
- value: '{{ _tmp.subject_fields.L }}'
+ value: '{{{ _tmp.subject_fields.L }}}'
 if: ctx._tmp?.subject_fields?.L != null
 - append:
 field: threat.indicator.x509.subject.organization
- value: '{{ _tmp.subject_fields.O }}'
+ value: '{{{ _tmp.subject_fields.O }}}'
 if: ctx._tmp?.subject_fields?.O != null
 - append:
 field: threat.indicator.x509.subject.organizational_unit
- value: '{{ _tmp.subject_fields.OU }}'
+ value: '{{{ _tmp.subject_fields.OU }}}'
 if: ctx._tmp?.subject_fields?.OU != null
 - append:
 field: threat.indicator.x509.subject.state_or_province
- value: '{{ _tmp.subject_fields.S }}'
+ value: '{{{ _tmp.subject_fields.S }}}'
 if: ctx._tmp?.subject_fields?.S != null
 - append:
 field: threat.indicator.x509.subject.state_or_province
- value: '{{ _tmp.subject_fields.ST }}'
+ value: '{{{ _tmp.subject_fields.ST }}}'
 if: ctx._tmp?.subject_fields?.ST != null
 - append:
 field: threat.indicator.x509.subject.state_or_province
- value: '{{ _tmp.subject_fields.P }}'
+ value: '{{{ _tmp.subject_fields.P }}}'
 if: ctx._tmp?.subject_fields?.P != null
 - append:
 field: related.hash
- value: '{{ _tmp.md5 }}'
+ value: '{{{ _tmp.md5 }}}'
 if: ctx._tmp?.md5 != null
 allow_duplicates: false
 - append:
 field: related.hash
- value: '{{ _tmp.sha1 }}'
+ value: '{{{ _tmp.sha1 }}}'
 if: ctx._tmp?.sha1 != null
 allow_duplicates: false
 - append:
 field: related.hash
- value: '{{ _tmp.sha256 }}'
+ value: '{{{ _tmp.sha256 }}}'
 if: ctx._tmp?.sha256 != null
 allow_duplicates: false
diff --git a/packages/ti_custom/manifest.yml b/packages/ti_custom/manifest.yml
index b2e33024cd5..a6a55e8302e 100644
--- a/packages/ti_custom/manifest.yml
+++ b/packages/ti_custom/manifest.yml
@@ -3,7 +3,7 @@ name: ti_custom
 title: Custom Threat Intelligence
 description: Ingest threat intelligence data in STIX 2.1 format with Elastic Agent
 type: integration
-version: 0.1.1
+version: 0.1.2
 categories:
 - custom
 - security
diff --git a/packages/ti_cybersixgill/changelog.yml b/packages/ti_cybersixgill/changelog.yml
index 6f8b1899943..29277fc1f5d 100644
--- a/packages/ti_cybersixgill/changelog.yml
+++ b/packages/ti_cybersixgill/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.30.4"
+ changes:
+ - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/11284
 - version: "1.30.3"
 changes:
 - description: Fix labels.is_ioc_transform_source values
diff --git a/packages/ti_cybersixgill/data_stream/threat/elasticsearch/ingest_pipeline/default.yml b/packages/ti_cybersixgill/data_stream/threat/elasticsearch/ingest_pipeline/default.yml
index 9d12234fa20..5fb8431a630 100644
--- a/packages/ti_cybersixgill/data_stream/threat/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/ti_cybersixgill/data_stream/threat/elasticsearch/ingest_pipeline/default.yml
@@ -105,12 +105,12 @@ processors:
 processor:
 set:
 field: threat.indicator.type
- value: "{{_ingest._value}}"
+ value: "{{{_ingest._value}}}"
 override: false
 ignore_missing: true
 - set:
 field: threat.indicator.name
- value: '{{_temp_.threatvalue}}'
+ value: '{{{_temp_.threatvalue}}}'
 ignore_empty_value: true
 - set:
 field: threat.indicator.name
@@ -274,7 +274,7 @@ processors:
 processor:
 append:
 field: tags
- value: "{{_ingest._value}}"
+ value: "{{{_ingest._value}}}"
 ignore_missing: true
 ignore_failure: true
 if: ctx._temp_?.tags != null
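Review bot: The `tags` append in the `@@ -274` hunk of the Cybersixgill pipeline has no `allow_duplicates: false`, so a value that occurs more than once in `_temp_.tags`, or one already present in `tags` from the agent policy, is appended again on every iteration of the enclosing `foreach`; the `related.*` appends elsewhere in this PR do set that option. Add `allow_duplicates: false` below `ignore_failure: true`. Note also that `ignore_failure: true` on that processor swallows any templating or type error for the element silently, so a one-line comment stating why that is acceptable here would help the next reader.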
diff --git a/packages/ti_cybersixgill/manifest.yml b/packages/ti_cybersixgill/manifest.yml
index 265545d9f82..c3819e848a4 100644
--- a/packages/ti_cybersixgill/manifest.yml
+++ b/packages/ti_cybersixgill/manifest.yml
@@ -1,6 +1,6 @@
 name: ti_cybersixgill
 title: Cybersixgill
-version: "1.30.3"
+version: "1.30.4"
 description: Ingest threat intelligence indicators from Cybersixgill with Elastic Agent.
 type: integration
 format_version: "3.0.2"
diff --git a/packages/ti_eclecticiq/changelog.yml b/packages/ti_eclecticiq/changelog.yml
index e8ddabb6fe7..b4e054246b0 100644
--- a/packages/ti_eclecticiq/changelog.yml
+++ b/packages/ti_eclecticiq/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.2.4"
+ changes:
+ - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/11284
 - version: "1.2.3"
 changes:
 - description: Fix labels.is_ioc_transform_source values
diff --git a/packages/ti_eclecticiq/data_stream/threat/elasticsearch/ingest_pipeline/default.yml b/packages/ti_eclecticiq/data_stream/threat/elasticsearch/ingest_pipeline/default.yml
index 6f820915d43..15da7f3eb3c 100644
--- a/packages/ti_eclecticiq/data_stream/threat/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/ti_eclecticiq/data_stream/threat/elasticsearch/ingest_pipeline/default.yml
@@ -413,7 +413,7 @@ processors:
 - json.timestamp
 - set:
 field: _id
- value: "{{ event.id }}"
+ value: "{{{ event.id }}}"
 - remove:
 field: threat.indicator
 if: 'ctx.threat.indicator?.type == null'
diff --git a/packages/ti_eclecticiq/manifest.yml b/packages/ti_eclecticiq/manifest.yml
index 84b894cc41b..81b792dad10 100644
--- a/packages/ti_eclecticiq/manifest.yml
+++ b/packages/ti_eclecticiq/manifest.yml
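Review bot: The `set` of `_id` from `{{{ event.id }}}` in the EclecticIQ hunk has no guard; Mustache renders a missing field as an empty string, so a document without `event.id` would be indexed with an empty `_id` (which Elasticsearch rejects, as far as I recall) rather than receiving an auto-generated one. Add `if: ctx.event?.id != null` to that processor, or `ignore_empty_value: true`, so such documents are not lost. With unescaped rendering the feed now controls the document id byte-for-byte, which is presumably the intent for deduplication, but it means an over-long or unusual id fails at index time rather than in the pipeline; a comment on the processor noting that `event.id` is trusted as the dedup key would make that explicit. The `remove` that follows continues past the hunk.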
@@ -1,7 +1,7 @@
 format_version: 3.0.3
 name: ti_eclecticiq
 title: EclecticIQ
-version: "1.2.3"
+version: "1.2.4"
 description: Ingest threat intelligence from EclecticIQ with Elastic Agent
 type: integration
 categories:
diff --git a/packages/ti_eset/changelog.yml b/packages/ti_eset/changelog.yml
index 1bd7dacb0ca..d4d4d641d89 100644
--- a/packages/ti_eset/changelog.yml
+++ b/packages/ti_eset/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.2.5"
+ changes:
+ - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/11284
 - version: "1.2.4"
 changes:
 - description: Fix labels.is_ioc_transform_source values
diff --git a/packages/ti_eset/data_stream/apt/elasticsearch/ingest_pipeline/default.yml b/packages/ti_eset/data_stream/apt/elasticsearch/ingest_pipeline/default.yml
index 99687e6838e..507622ce4e2 100644
--- a/packages/ti_eset/data_stream/apt/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/ti_eset/data_stream/apt/elasticsearch/ingest_pipeline/default.yml
@@ -159,7 +159,7 @@ processors:
 on_failure:
 - set:
 field: error.message
- value: '{{ _ingest.on_failure_message }}'
+ value: '{{{ _ingest.on_failure_message }}}'
 - set:
 field: event.kind
 tag: set_pipeline_error_to_event_kind
diff --git a/packages/ti_eset/data_stream/botnet/elasticsearch/ingest_pipeline/default.yml b/packages/ti_eset/data_stream/botnet/elasticsearch/ingest_pipeline/default.yml
index 092c626f7b2..aacf065fd66 100644
--- a/packages/ti_eset/data_stream/botnet/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/ti_eset/data_stream/botnet/elasticsearch/ingest_pipeline/default.yml
@@ -66,7 +66,7 @@ processors:
 processor:
 append:
 field: eset.labels
- value: "{{_ingest._value}}"
+ value: "{{{_ingest._value}}}"
 ignore_missing: true
 ignore_failure: true
 if: ctx.eti?.labels != null
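Review bot: The `on_failure` handler in the ESET `apt` pipeline writes `error.message` with `set`, so any `error.message` the document already carries (from a processor that failed earlier with `ignore_failure`, or from the agent) is overwritten by the last failure rather than accumulated; the Maltiverse handler touched by this same PR uses `append` for the same field. Change `- set:` to `- append:` for `error.message` here, and in the identical handlers of the `botnet`, `cc`, `domains`, `files`, `ip` and `url` data streams that follow. The `set` of `event.kind` that starts at the end of this hunk continues outside it.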
@@ -149,7 +149,7 @@ processors:
 on_failure:
 - set:
 field: error.message
- value: '{{ _ingest.on_failure_message }}'
+ value: '{{{ _ingest.on_failure_message }}}'
 - set:
 field: event.kind
 tag: set_pipeline_error_to_event_kind
diff --git a/packages/ti_eset/data_stream/cc/elasticsearch/ingest_pipeline/default.yml b/packages/ti_eset/data_stream/cc/elasticsearch/ingest_pipeline/default.yml
index 4888a266b87..afc52530395 100644
--- a/packages/ti_eset/data_stream/cc/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/ti_eset/data_stream/cc/elasticsearch/ingest_pipeline/default.yml
@@ -66,7 +66,7 @@ processors:
 processor:
 append:
 field: eset.labels
- value: "{{_ingest._value}}"
+ value: "{{{_ingest._value}}}"
 ignore_missing: true
 ignore_failure: true
 if: ctx.eti?.labels != null
@@ -141,7 +141,7 @@ processors:
 on_failure:
 - set:
 field: error.message
- value: '{{ _ingest.on_failure_message }}'
+ value: '{{{ _ingest.on_failure_message }}}'
 - set:
 field: event.kind
 tag: set_pipeline_error_to_event_kind
diff --git a/packages/ti_eset/data_stream/domains/elasticsearch/ingest_pipeline/default.yml b/packages/ti_eset/data_stream/domains/elasticsearch/ingest_pipeline/default.yml
index 6a2eb21d2b8..6b05027ff09 100644
--- a/packages/ti_eset/data_stream/domains/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/ti_eset/data_stream/domains/elasticsearch/ingest_pipeline/default.yml
@@ -66,7 +66,7 @@ processors:
 processor:
 append:
 field: eset.labels
- value: "{{_ingest._value}}"
+ value: "{{{_ingest._value}}}"
 ignore_missing: true
 ignore_failure: true
 if: ctx.eti?.labels != null
@@ -145,7 +145,7 @@ processors:
 on_failure:
 - set:
 field: error.message
- value: '{{ _ingest.on_failure_message }}'
+ value: '{{{ _ingest.on_failure_message }}}'
 - set:
 field: event.kind
 tag: set_pipeline_error_to_event_kind
diff --git a/packages/ti_eset/data_stream/files/elasticsearch/ingest_pipeline/default.yml b/packages/ti_eset/data_stream/files/elasticsearch/ingest_pipeline/default.yml
index d9a64f4d2b4..eda74e0ec81 100644
--- a/packages/ti_eset/data_stream/files/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/ti_eset/data_stream/files/elasticsearch/ingest_pipeline/default.yml
@@ -66,7 +66,7 @@ processors:
 processor:
 append:
 field: eset.labels
- value: "{{_ingest._value}}"
+ value: "{{{_ingest._value}}}"
 ignore_missing: true
 ignore_failure: true
 if: ctx.eti?.labels != null
@@ -142,7 +142,7 @@ processors:
 on_failure:
 - set:
 field: error.message
- value: '{{ _ingest.on_failure_message }}'
+ value: '{{{ _ingest.on_failure_message }}}'
 - set:
 field: event.kind
 tag: set_pipeline_error_to_event_kind
diff --git a/packages/ti_eset/data_stream/ip/elasticsearch/ingest_pipeline/default.yml b/packages/ti_eset/data_stream/ip/elasticsearch/ingest_pipeline/default.yml
index 5756fe8c4e7..26bbc667178 100644
--- a/packages/ti_eset/data_stream/ip/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/ti_eset/data_stream/ip/elasticsearch/ingest_pipeline/default.yml
@@ -66,7 +66,7 @@ processors:
 processor:
 append:
 field: eset.labels
- value: "{{_ingest._value}}"
+ value: "{{{_ingest._value}}}"
 ignore_missing: true
 ignore_failure: true
 if: ctx.eti?.labels != null
@@ -142,7 +142,7 @@ processors:
 on_failure:
 - set:
 field: error.message
- value: '{{ _ingest.on_failure_message }}'
+ value: '{{{ _ingest.on_failure_message }}}'
 - set:
 field: event.kind
 tag: set_pipeline_error_to_event_kind
diff --git a/packages/ti_eset/data_stream/url/elasticsearch/ingest_pipeline/default.yml b/packages/ti_eset/data_stream/url/elasticsearch/ingest_pipeline/default.yml
index 3485968b65a..58c70ead77a 100644
--- a/packages/ti_eset/data_stream/url/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/ti_eset/data_stream/url/elasticsearch/ingest_pipeline/default.yml
@@ -66,7 +66,7 @@ processors:
 processor:
 append:
 field: eset.labels
- value: "{{_ingest._value}}"
+ value: "{{{_ingest._value}}}"
 ignore_missing: true
 ignore_failure: true
 if: ctx.eti?.labels != null
@@ -140,7 +140,7 @@ processors:
 on_failure:
 - set:
 field: error.message
- value: '{{ _ingest.on_failure_message }}'
+ value: '{{{ _ingest.on_failure_message }}}'
 - set:
 field: event.kind
 tag: set_pipeline_error_to_event_kind
diff --git a/packages/ti_eset/manifest.yml b/packages/ti_eset/manifest.yml
index 860c3b4e172..2237507c7bf 100644
--- a/packages/ti_eset/manifest.yml
+++ b/packages/ti_eset/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.0.3
 name: ti_eset
 title: "ESET Threat Intelligence"
-version: "1.2.4"
+version: "1.2.5"
 description: "Ingest threat intelligence indicators from ESET Threat Intelligence with Elastic Agent."
 type: integration
 categories:
diff --git a/packages/ti_maltiverse/changelog.yml b/packages/ti_maltiverse/changelog.yml
index 11a269f4c7c..6a11cda04b6 100644
--- a/packages/ti_maltiverse/changelog.yml
+++ b/packages/ti_maltiverse/changelog.yml
@@ -1,3 +1,8 @@
+- version: "1.2.4"
+ changes:
+ - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/11284
 - version: "1.2.3"
 changes:
 - description: Fix labels.is_ioc_transform_source values
diff --git a/packages/ti_maltiverse/data_stream/indicator/elasticsearch/ingest_pipeline/default.yml b/packages/ti_maltiverse/data_stream/indicator/elasticsearch/ingest_pipeline/default.yml
index 4b9a9b98c04..8c66e26d563 100644
--- a/packages/ti_maltiverse/data_stream/indicator/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/ti_maltiverse/data_stream/indicator/elasticsearch/ingest_pipeline/default.yml
@@ -302,7 +302,7 @@ processors:
 on_failure:
 - append:
 field: error.message
- value: "{{ _ingest.on_failure_message }}"
+ value: "{{{ _ingest.on_failure_message }}}"
 - set:
 field: event.kind
 value: pipeline_error
diff --git a/packages/ti_maltiverse/manifest.yml b/packages/ti_maltiverse/manifest.yml
index 19f151e5e5d..2a537338b21 100644
--- a/packages/ti_maltiverse/manifest.yml
+++ b/packages/ti_maltiverse/manifest.yml
@@ -1,6 +1,6 @@
 name: ti_maltiverse
 title: Maltiverse
-version: "1.2.3"
+version: "1.2.4"
 description: Ingest threat intelligence indicators from Maltiverse feeds with Elastic Agent
 type: integration
 format_version: 3.0.2
diff --git a/packages/ti_misp/changelog.yml b/packages/ti_misp/changelog.yml
index 9d3272a49e6..fa88b5f4e6b 100644
--- a/packages/ti_misp/changelog.yml
+++ b/packages/ti_misp/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.35.4"
+ changes:
+ - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/11284
 - version: "1.35.3"
 changes:
 - description: Fix labels.is_ioc_transform_source values
diff --git a/packages/ti_misp/data_stream/threat/elasticsearch/ingest_pipeline/default.yml b/packages/ti_misp/data_stream/threat/elasticsearch/ingest_pipeline/default.yml
index b5123c87cec..c247ed3ab8f 100644
--- a/packages/ti_misp/data_stream/threat/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/ti_misp/data_stream/threat/elasticsearch/ingest_pipeline/default.yml
@@ -52,7 +52,7 @@ processors:
 if: ctx.misp?.event?.Orgc?.local != 'false'
 - set:
 field: threat.indicator.provider
- value: "{{misp.event.Orgc.name}}"
+ value: "{{{misp.event.Orgc.name}}}"
 if: ctx.misp?.event?.Orgc?.local == 'false'
 ignore_empty_value: true
@@ -238,7 +238,7 @@ processors:
 if: ctx.misp?.attribute?.type != null && ctx.misp.attribute.type.startsWith('filename|')
 - set:
 field: threat.indicator.file.hash.{{_tmp.hashtype}}
- value: "{{_tmp.hashvalue}}"
+ value: "{{{_tmp.hashvalue}}}"
 if: "ctx.misp?.attribute?.type != null && ctx.misp.attribute.type.startsWith('filename|') && ctx._tmp?.hashvalue != null && ctx._tmp.hashtype != null"
 ## URL/URI indicator operations
diff --git a/packages/ti_misp/data_stream/threat_attributes/elasticsearch/ingest_pipeline/default.yml b/packages/ti_misp/data_stream/threat_attributes/elasticsearch/ingest_pipeline/default.yml
index cfff0c28ddf..f70f289b361 100644
--- a/packages/ti_misp/data_stream/threat_attributes/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/ti_misp/data_stream/threat_attributes/elasticsearch/ingest_pipeline/default.yml
@@ -266,7 +266,7 @@ processors:
 if: ctx.misp?.attribute?.type != null && ctx.misp.attribute.type.startsWith('filename|')
 - set:
 field: threat.indicator.file.hash.{{_tmp.hashtype}}
- value: "{{_tmp.hashvalue}}"
+ value: "{{{_tmp.hashvalue}}}"
 if: "ctx.misp?.attribute?.type != null && ctx.misp.attribute.type.startsWith('filename|') && ctx._tmp?.hashvalue != null && ctx._tmp.hashtype != null"
 ## URL/URI indicator operations
diff --git a/packages/ti_misp/manifest.yml b/packages/ti_misp/manifest.yml
index 340c38d08d0..1b53368d689 100644
--- a/packages/ti_misp/manifest.yml
+++ b/packages/ti_misp/manifest.yml
@@ -1,6 +1,6 @@
 name: ti_misp
 title: MISP
-version: "1.35.3"
+version: "1.35.4"
 description: Ingest threat intelligence indicators from MISP platform with Elastic Agent.
 type: integration
 format_version: "3.0.2"
diff --git a/packages/tychon/changelog.yml b/packages/tychon/changelog.yml
index af3a7cb9461..9b361bcaab6 100644
--- a/packages/tychon/changelog.yml
+++ b/packages/tychon/changelog.yml
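Review bot: The `field:` key of this `set` is still double-braced, `threat.indicator.file.hash.{{_tmp.hashtype}}`, because the commit's sed only rewrote quoted `value:` entries; for consistency with the stated fix it should become `field: threat.indicator.file.hash.{{{_tmp.hashtype}}}`. More importantly, the condition only requires `ctx._tmp.hashtype != null`, so whatever string follows `filename|` in the MISP attribute type becomes a field name under `file.hash` unless a processor above the hunk constrains it, and MISP has hash attribute types (`imphash`, `authentihash`, `pehash`, if I recall correctly) that the ECS `file.hash` object does not define, which would create fields the data stream mapping likely does not declare. Consider tightening the guard, e.g. appending `&& ['md5','sha1','sha256','sha384','sha512','ssdeep','tlsh'].contains(ctx._tmp.hashtype)`, and applying the same to the identical hunk in `threat_attributes` that shares this line.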
@@ -1,3 +1,8 @@
+- version: "0.1.1"
+ changes:
+ - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/11284
 - version: 0.1.0
 changes:
 - description: Initial release of the TYCHON Agentless integration
diff --git a/packages/tychon/data_stream/exposedservice/elasticsearch/ingest_pipeline/rest.yml b/packages/tychon/data_stream/exposedservice/elasticsearch/ingest_pipeline/rest.yml
index 62b0775c384..1e9ca6e273d 100644
--- a/packages/tychon/data_stream/exposedservice/elasticsearch/ingest_pipeline/rest.yml
+++ b/packages/tychon/data_stream/exposedservice/elasticsearch/ingest_pipeline/rest.yml
@@ -20,7 +20,7 @@ processors:
 - set:
 tag: set_tychon_service_name
 field: tychon.service.name
- value: '{{tychon.process.name}}'
+ value: '{{{tychon.process.name}}}'
 if: "ctx.tychon.service?.name == null"
 # ECS fields
diff --git a/packages/tychon/data_stream/host/elasticsearch/ingest_pipeline/rest.yml b/packages/tychon/data_stream/host/elasticsearch/ingest_pipeline/rest.yml
index 16fd4e65cd0..b327c31e1c5 100644
--- a/packages/tychon/data_stream/host/elasticsearch/ingest_pipeline/rest.yml
+++ b/packages/tychon/data_stream/host/elasticsearch/ingest_pipeline/rest.yml
@@ -23,7 +23,7 @@ processors:
 - set:
 tag: set_tychon_host_security_antivirus_exists_2
 field: tychon.host.security.antivirus.exists
- value: '{{_tmp_av.0}}'
+ value: '{{{_tmp_av.0}}}'
 - remove:
 tag: remove_tmp_av
 field: _tmp_av
diff --git a/packages/tychon/manifest.yml b/packages/tychon/manifest.yml
index 059052bef2b..e19fcd2a97b 100644
--- a/packages/tychon/manifest.yml
+++ b/packages/tychon/manifest.yml
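Review bot: The guard on the `set_tychon_service_name` processor, `if: "ctx.tychon.service?.name == null"`, is not null-safe on `ctx.tychon`, and nothing checks that `tychon.process.name` exists; an event without a `tychon` object fails the pipeline with a NullPointerException, and one with `tychon` but no `process.name` gets `tychon.service.name` set to an empty string, since Mustache renders a missing field as empty. Use `if: ctx.tychon?.service?.name == null && ctx.tychon?.process?.name != null` so the fallback only fires when there is something to fall back to. The `host` hunk on the same line has the same shape, writing `{{{_tmp_av.0}}}` unconditionally; whether `_tmp_av` is guaranteed non-empty there depends on the processors above that hunk, which are outside this view.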
@@ -2,7 +2,7 @@ format_version: 3.2.2
 name: tychon
 type: integration
 title: "TYCHON Agentless"
-version: 0.1.0
+version: 0.1.1
 source:
 license: "Elastic-2.0"
 description: Collect complete master endpoint datasets including vulnerability and STIG to comply with DISA endpoint requirements and C2C without adding services to your endpoints.
diff --git a/packages/zeronetworks/changelog.yml b/packages/zeronetworks/changelog.yml
index 419ba71bd7c..455ee95b3b6 100644
--- a/packages/zeronetworks/changelog.yml
+++ b/packages/zeronetworks/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.15.1"
+ changes:
+ - description: Use triple-brace Mustache templating when referencing variables in ingest pipelines.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/11284
 - version: "1.15.0"
 changes:
 - description: Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.
diff --git a/packages/zeronetworks/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/zeronetworks/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
index d5253c586fd..b440b4e2b8e 100644
--- a/packages/zeronetworks/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/zeronetworks/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
@@ -71,12 +71,12 @@ processors:
 if: 'ctx.json?.details != null'
 - append:
 field: related.user
- value: '{{user.id}}'
+ value: '{{{user.id}}}'
 allow_duplicates: false
 if: ctx.user?.id != null
 - append:
 field: related.user
- value: '{{user.full_name}}'
+ value: '{{{user.full_name}}}'
 allow_duplicates: false
 if: ctx.user?.id != null
 - fingerprint:
diff --git a/packages/zeronetworks/manifest.yml b/packages/zeronetworks/manifest.yml
index e975ebe0f5f..d828b2610d9 100644
--- a/packages/zeronetworks/manifest.yml
+++ b/packages/zeronetworks/manifest.yml
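Review bot: The second `related.user` append in the Zero Networks hunk, the one rendering `{{{user.full_name}}}`, is guarded by `if: ctx.user?.id != null`, apparently copied from the append above it, instead of testing the field it actually reads; an event with a `user.id` but no `user.full_name` therefore appends an empty string to `related.user`, which `allow_duplicates: false` does not prevent. Change that guard to `if: ctx.user?.full_name != null`. The `fingerprint` processor that starts at the end of the hunk continues outside it.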
@@ -1,7 +1,7 @@
 format_version: "3.0.2"
 name: zeronetworks
 title: "Zero Networks"
-version: "1.15.0"
+version: "1.15.1"
 source:
 license: "Elastic-2.0"
 description: "Zero Networks Logs integration"