[stormshield] Add ECS event categorization and network mappings#20031
[stormshield] Add ECS event categorization and network mappings#20031arenard wants to merge 2 commits into
Conversation
|
💚 CLA has been signed |
✅ Elastic Docs Style Checker (Vale)No issues found on modified lines! The Vale linter checks documentation changes against the Elastic Docs style guide. To use Vale locally or report issues, refer to Elastic style guide for Vale. |
🚀 Benchmarks reportTo see the full report comment with |
a0275dc to
59232a6
Compare
11084e6 to
d5a60c4
Compare
d5a60c4 to
069f288
Compare
Fix the copy-pasted descriptions of the default and count ingest pipelines, remove field definitions that never appear in events (the pipeline consumes tz into event.timezone, converts duration into event.duration, renames msg to message, and drops origdst/origdstport after converting them to destination fields), and correct the documentation: the agent syslog processor is configured for RFC5424, so the README no longer presents the Legacy format as supported, and the compatibility section now covers SNS 4.x and 5.x, which share the same WELF key-value audit log format. Also document how to collect SNS IPFIX flow records with the NetFlow integration, update vendor links to the SNS v5 documentation, and use arrows for menu paths per the documentation style guide.
069f288 to
a1623ea
Compare
|
Pinging @elastic/integration-experience (Team:Integration-Experience) |
| params: | ||
| logtypes: | ||
| alarm: { kind: alert, category: [intrusion_detection, network], type: [info] } | ||
| auth: { kind: event, category: [authentication], type: [start] } |
There was a problem hiding this comment.
Severity: 🟡 Medium confidence: medium path: packages/stormshield/data_stream/log/elasticsearch/ingest_pipeline/default.yml:661
Authentication events never set event.outcome, so successful and failed logins are indistinguishable by outcome; derive event.outcome from the auth error field.
Details
The new categorization maps the auth family to event.kind: event, event.category: [authentication], event.type: [start] for every auth record regardless of result. The pipeline never sets event.outcome, so a successful login (error=0, message "User authenticated") and a failed login (error=1, message "Authentication failed") produce identical categorization — this is visible in the new test fixture, where both auth events emit event.type: [start] and no event.outcome. For the authentication category, event.outcome (success/failure) is the field detection rules and dashboards use to isolate failed logins, and the raw error flag (0 = success, 1 = failure) is already parsed into stormshield.metadata.error. Without it, an auth-failure panel or rule cannot be built on this data.
Recommendation:
Set event.outcome for the auth family from the error flag before it is moved under stormshield.metadata. For example:
- set:
tag: set_event_outcome_auth_success
field: event.outcome
value: success
if: ctx.stormshield?.logtype == 'auth' && ctx.stormshield?.error == '0'
- set:
tag: set_event_outcome_auth_failure
field: event.outcome
value: failure
if: ctx.stormshield?.logtype == 'auth' && ctx.stormshield?.error != null && ctx.stormshield.error != '0'🤖 AI-Generated Review | Vera Review Bot | 📚 Knowledge base: integration-skills
⚠️ Automated review — verify suggestions before applying.
There was a problem hiding this comment.
Good catch, this is implemented in the follow-up PR #20085 (stacked on this one), which derives event.outcome from the vendor error return code on the auth, server and xvpn families (the exact families the vendor documentation lists for that field) with pipeline test coverage for both outcomes.
| changes: | ||
| - description: Fix ingest pipeline descriptions and remove field definitions that never appear in events (`stormshield.tz`, `stormshield.duration`, `stormshield.msg`, `stormshield.origdst`, `stormshield.origdstport`). | ||
| type: bugfix | ||
| link: https://github.com/elastic/integrations/pull/20030 |
There was a problem hiding this comment.
Severity: 🟡 Medium confidence: high path: packages/stormshield/changelog.yml:23
Changelog links a different PR number
Details
This changelog entry's link: points at pull/20030, but it was added in PR #20031. It is likely a leftover template placeholder or a copy from another PR.
Recommendation:
Point the changelog link at this PR:
link: https://github.com/elastic/integrations/pull/20031🤖 AI-Generated Review | Vera Review Bot | 📚 Knowledge base: integration-skills
⚠️ Automated review — verify suggestions before applying.
| link: https://github.com/elastic/integrations/pull/20030 | ||
| - description: Correct the syslog format and SNS version compatibility statements in the documentation, and document IPFIX flow collection through the NetFlow integration. | ||
| type: bugfix | ||
| link: https://github.com/elastic/integrations/pull/20030 |
There was a problem hiding this comment.
Severity: 🟡 Medium confidence: high path: packages/stormshield/changelog.yml:26
Changelog links a different PR number
Details
This changelog entry's link: points at pull/20030, but it was added in PR #20031. It is likely a leftover template placeholder or a copy from another PR.
Recommendation:
Point the changelog link at this PR:
link: https://github.com/elastic/integrations/pull/20031🤖 AI-Generated Review | Vera Review Bot | 📚 Knowledge base: integration-skills
⚠️ Automated review — verify suggestions before applying.
Set event.kind, event.category and event.type for every SNS log family through a table-driven Painless script keyed on logtype, with allowed/denied event.type modifiers derived case-insensitively from the rule action. The periodic statistics families (monitor, filterstat, count, routerstat, authstat, ipsecstat) are tagged event.kind: metric so health telemetry can be excluded from detection scopes with a single filter. Unknown families fall back to event/network/info, covered by a dedicated test sample. The script only runs on documents without an error, so the pipeline_error kind set by sub-pipeline failure handlers is preserved. Add the ECS network mappings tracked in elastic#10114: rcvd to destination.bytes (mirroring the existing sent mapping), network.bytes as the sum of both, srcif/srcifname/dstif/dstifname copied to observer.ingress and observer.egress interface fields, and network.direction computed with private ranges as internal networks. Promote alarm fields (alarmid to event.code, risk to event.risk_score, pri to event.severity on the alarm scale where 1 is major and 4 is minor), HTTP proxy fields (arg to url.original, url.domain from destination.domain), and populate related.hosts. All mappings are copies; no stormshield.* field moves or changes location. Guard the ASN geoip processors with null checks, matching the geo processors. Fix the count sub-pipeline, which failed on every count log since creation: the script called splitByToken, which does not exist in Painless, and collapsed all rules into a single map. Rule counters are now a sorted array under stormshield.metadata.rule_stats. Extend the metadata move list with the documented alarm, proxy, vpn and auth fields so they land under stormshield.metadata instead of being left unmapped. Add pipeline test samples for the alarm, auth, web, vpn, xvpn, count and filter families, derived from the log format examples in the official Stormshield documentation with sanitized addresses, including uppercase and empty action values. Add an Alarms (IPS) dashboard keyed on the new categorization fields. Document the categorization table in the README.
a1623ea to
4ce4236
Compare
|
Changelog link mismatch — expected
Tip If expected, add the |
💔 Build Failed
Failed CI StepsHistory
|
| changes: | ||
| - description: Fix ingest pipeline descriptions and remove field definitions that never appear in events (`stormshield.tz`, `stormshield.duration`, `stormshield.msg`, `stormshield.origdst`, `stormshield.origdstport`). | ||
| type: bugfix | ||
| link: https://github.com/elastic/integrations/pull/20030 |
There was a problem hiding this comment.
Severity: 🟡 Medium confidence: high path: packages/stormshield/changelog.yml:23
Changelog links a different PR number
Details
This changelog entry's link: points at pull/20030, but it was added in PR #20031. It is likely a leftover template placeholder or a copy from another PR.
Recommendation:
Point the changelog link at this PR:
link: https://github.com/elastic/integrations/pull/20031🤖 AI-Generated Review | Vera Review Bot | 📚 Knowledge base: integration-skills
⚠️ Automated review — verify suggestions before applying.
| link: https://github.com/elastic/integrations/pull/20030 | ||
| - description: Correct the syslog format and SNS version compatibility statements in the documentation, and document IPFIX flow collection through the NetFlow integration. | ||
| type: bugfix | ||
| link: https://github.com/elastic/integrations/pull/20030 |
There was a problem hiding this comment.
Severity: 🟡 Medium confidence: high path: packages/stormshield/changelog.yml:26
Changelog links a different PR number
Details
This changelog entry's link: points at pull/20030, but it was added in PR #20031. It is likely a leftover template placeholder or a copy from another PR.
Recommendation:
Point the changelog link at this PR:
link: https://github.com/elastic/integrations/pull/20031🤖 AI-Generated Review | Vera Review Bot | 📚 Knowledge base: integration-skills
⚠️ Automated review — verify suggestions before applying.
Review summaryIssues found across the latest commits 4ce4236 — 2 mediumIssues found across earlier commits a1623ea — 3 medium
🤖 AI-Generated Review | Vera Review Bot | 📚 Knowledge base: integration-skills
|
Proposed commit message
Set
event.kind,event.categoryandevent.typefor every SNS log family through a table-driven Painless script keyed onlogtype, withallowed/deniedevent.typemodifiers derived case-insensitively from the rule action (pass/block; an empty action corresponds to a rule set to Log and adds no modifier). The periodic statistics families (monitor,filterstat,count,routerstat,authstat,ipsecstat) are taggedevent.kind: metricso health telemetry can be excluded from detection scopes with a single filter. Unknown families fall back toevent/network/info, covered by a dedicated test sample. The script only runs on documents without an error, so thepipeline_errorkind set by sub-pipeline failure handlers is preserved.Add the ECS network mappings tracked in #10114:
rcvdtodestination.bytes(mirroring the existingsentmapping),network.bytesas the sum of both,srcif/srcifname/dstif/dstifnamecopied toobserver.ingress/observer.egressinterface fields, andnetwork.directioncomputed with private ranges as internal networks. Promote alarm fields (alarmidtoevent.code,risktoevent.risk_score,pritoevent.severityon the alarm scale where 1 is major and 4 is minor), HTTP proxy fields (argtourl.original,url.domainfromdestination.domain), and populaterelated.hosts. Guard the ASN geoip processors with null checks, matching the geo processors.Fix the count sub-pipeline, which failed on every count log since the package was created: the script called
splitByToken, which does not exist in Painless (runtime error:dynamic method [java.lang.String, splitByToken/2] not found), and collapsed all rules into a single map. Rule counters now form a sorted array understormshield.metadata.rule_stats, and a counter that does not parse (non-numeric value, out-of-range category or unexpected key shape) is skipped instead of sending the whole document topipeline_error.Add pipeline test samples for the alarm, auth, web, vpn, xvpn, count and filter families plus an unknown-family sample, an Alarms (IPS) dashboard keyed on the new categorization fields, and the categorization table in the README.
Design notes
stormshield.*field is renamed, moved or removed, andevent.actionkeeps the verbatim vendor value, so existing dashboards and saved queries are unaffected. This keeps the change a minor version bump.logdata stream is kept, following the fortinet_fortigate / cisco_asa / sonicwall_firewall precedent for multi-family syslog firewall packages; the categorization script follows the sonicwall_firewall table-driven pattern.event.outcomederivation and deeper per-family enrichment (vpn IKE fields, sandboxing verdicts, the v5 restapi family) are planned as follow-ups.Block), lowercase (pass) and empty action values, and the unknown-family fallback.Checklist
changelog.ymlfile.Author's Checklist
elastic-package check,test pipeline,test staticandtest system(udp, tcp, tls) all pass against stack 9.4.3data_stream.datasetandstormshield.logtypefilters, and every aggregated field is aggregatable and declared in the package field filessample_event.jsonregenerated throughelastic-package test system --generateevent.action,log.syslog.severity.name,stormshield.fw,stormshield.logtype,stormshield.in_bytes,stormshield.out_bytes) are untouchedHow to test this PR locally
Related issues