elastic / elastic-package

elastic-package - Command line tool for developing Elastic Integrations

threat.indicator.first_seen ECS Field Coming as a Keyword on Kibana #1618

Open mohitjha-elastic opened 8 months ago

mohitjha-elastic commented 8 months ago

threat.indicator.first_seen is coming as a keyword on Kibana. Its type is mentioned as a date in the ECS documentation: https://www.elastic.co/guide/en/ecs/current/ecs-threat.html#field-threat-indicator-first-seen

Tried the following ways:

  1. Parsing the threat.indicator.first_seen field using the date processor.
  2. Using the set processor to set the parsed date field to threat.indicator.first_seen.

Using both of the above ways, we are getting threat.indicator.first_seen as a keyword on Kibana.

We have also observed the same behavior in threat.indicator.last_seen and threat.indicator.modified_at. They are also coming as keyword on Kibana.

Please find the attached screenshots for the same:

andrewkroh commented 8 months ago

This isn't a problem with ECS AFAICT. I think the problem is that your index template for that data stream is missing a mapping for those fields and they are defaulting to keyword.

brett-fitz commented 8 months ago

As @andrewkroh noted, this isn't a problem with the ECS artifact, but do double-check that your index template includes the required threat field mappings and that your index template is being applied to the backing data stream/index (hint: check the priority of your index template). If this is not the case, then Elasticsearch will default to dynamic mapping.

However, @mohitjha-elastic, it looks like you are using the CrowdStrike threat intel integration from Elastic; this doesn't seem to include the threat fields for Falcon or FDR? This could likely be the issue, and an issue ticket for that repo may be more applicable.

mohitjha-elastic commented 8 months ago

@andrewkroh @brett-fitz We have been facing this issue while developing the ti_crowdstrike integration, for which we have already raised the PR in the integration repo. We are using import_mapping: true to dynamically map all the ECS fields according to their types.

As you can see here, we have used the date processor for parsing the created_on field and then used the set processor, so it must set threat.indicator.first_seen with the type date, but it's coming as a keyword on Kibana (image attached in the issue description).

Please let us know if you need anything more from our side.

brett-fitz commented 8 months ago

@mohitjha-elastic Unfortunately I haven't had any experience with the dynamic ECS mapping process but @P1llus would likely be a great resource here.

REF: https://github.com/elastic/integrations/issues/5055

andrewkroh commented 8 months ago

I'm transferring this issue from elastic/ecs to elastic/elastic-package because I believe the problem is that, when import_mappings is used, the included dynamic mappings may not include a mapping rule for {first,last}_seen and modified_at.

Relates to https://github.com/elastic/elastic-package/blob/85d6fcacad736e543e459a044a5e0fa48b5d43c6/internal/builder/_static/ecs_mappings.yaml.
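
The mapping behaviour brett-fitz and andrewkroh describe above (explicit mapping in the index template wins; otherwise a dynamic template applies; otherwise Elasticsearch's default dynamic mapping runs), as an added example that is not code from the elastic-package project or from anyone in this thread. The index-template mappings, the post-pipeline document and the ECS field list are constructed for illustration; the `strings_as_keyword` dynamic template and `date_detection: false` model what an integration's imported ECS mappings typically carry, and the resolution rules are a deliberate simplification of Elasticsearch's. It shows why an ingest `date` or `set` processor cannot change the field type (processors change the document, never the mapping) and what adding an explicit `date` mapping does.

```python
"""Added example (not elastic-package code): simplified Elasticsearch field-type
resolution for a document indexed through an index template.

Order of precedence modelled here:
  1. explicit mapping under `properties`
  2. first matching entry in `dynamic_templates`
  3. default dynamic mapping (date detection for strings if enabled, else text)
Real Elasticsearch has more rules (numeric detection, multi-fields, nested
objects); only the parts relevant to the issue are modelled.
"""
import json
import re

# Approximation of `strict_date_optional_time`; not Elasticsearch's parser.
ISO_DATE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2}(T\d{2}:\d{2}(:\d{2}(\.\d+)?)?(Z|[+-]\d{2}:?\d{2})?)?$")

# Constructed index-template mappings: no explicit mapping for the three
# threat.indicator date fields, date detection off, and a catch-all dynamic
# template that turns every unmapped string into a keyword.
TEMPLATE_MAPPINGS = {
    "date_detection": False,
    "dynamic_templates": [
        {"strings_as_keyword": {"match_mapping_type": "string",
                                 "mapping": {"type": "keyword", "ignore_above": 1024}}}
    ],
    "properties": {
        "@timestamp": {"type": "date"},
        "threat": {"properties": {"indicator": {"properties": {
            "type": {"type": "keyword"},
            "ip": {"type": "ip"},
        }}}},
    },
}

# Constructed document as it looks *after* a `date` + `set` processor ran:
# the values are still strings; the pipeline does not touch the mapping.
DOC = {
    "@timestamp": "2024-01-15T10:00:00Z",
    "threat": {"indicator": {
        "type": "ipv4-addr",
        "ip": "203.0.113.7",
        "first_seen": "2024-01-10T08:30:00Z",
        "last_seen": "2024-01-14T22:15:00Z",
        "modified_at": "2024-01-14T22:16:00Z",
    }},
}

ECS_DATE_FIELDS = ["threat.indicator.first_seen",
                   "threat.indicator.last_seen",
                   "threat.indicator.modified_at"]


def explicit_type(mappings, path):
    """Type declared under `properties` for a dotted path, or None."""
    node = {"properties": mappings.get("properties", {})}
    for part in path.split("."):
        node = node.get("properties", {}).get(part)
        if node is None:
            return None
    return node.get("type")


def get_value(doc, path):
    for part in path.split("."):
        doc = doc[part]
    return doc


def resolve(mappings, doc, path):
    """Return (type, how) where how is 'explicit', 'dynamic_template:<name>' or 'default'."""
    declared = explicit_type(mappings, path)
    if declared is not None:
        return declared, "explicit"
    value = get_value(doc, path)
    json_type = "string" if isinstance(value, str) else type(value).__name__
    for tmpl in mappings.get("dynamic_templates", []):
        (name, spec), = tmpl.items()
        if spec.get("match_mapping_type") == json_type:
            return spec["mapping"]["type"], f"dynamic_template:{name}"
    if json_type == "string":
        if mappings.get("date_detection", True) and ISO_DATE_RE.match(value):
            return "date", "default"
        return "text", "default"
    return {"bool": "boolean", "int": "long", "float": "float"}.get(json_type, "object"), "default"


def audit(mappings, doc, fields):
    """Resolve each field so unmapped ECS fields stand out before data is indexed."""
    return {f: resolve(mappings, doc, f) for f in fields}


def with_ecs_dates(mappings, fields):
    """The fix: a copy of the mappings with an explicit `date` mapping per field."""
    fixed = json.loads(json.dumps(mappings))  # deep copy; original left untouched
    for path in fields:
        node = fixed.setdefault("properties", {})
        parts = path.split(".")
        for part in parts[:-1]:
            node = node.setdefault(part, {}).setdefault("properties", {})
        node[parts[-1]] = {"type": "date"}
    return fixed


if __name__ == "__main__":
    for label, m in (("before fix", TEMPLATE_MAPPINGS),
                     ("after explicit date mappings", with_ecs_dates(TEMPLATE_MAPPINGS, ECS_DATE_FIELDS))):
        print(label)
        for f, (t, how) in audit(m, DOC, ECS_DATE_FIELDS).items():
            print(f"  {f}: {t} ({how})")
```

Run as-is and the three fields resolve to `keyword` via the `strings_as_keyword` template before the fix and to `date` (explicit) after it. The same check against a live cluster is `GET <data-stream-or-index>/_mapping/field/threat.indicator.first_seen` in Kibana Dev Tools: if the answer is `keyword`, the backing index was created without an explicit mapping for that field, and no ingest processor will change that; the mapping has to come from the index template (field definitions in the integration, or the elastic-package ECS dynamic mappings when `import_mappings` is used) and the template has to actually be the one applied, which is where its priority matters.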