sei: ensure packages set error.kind to "pipeline_error" in on_failure processor

efd6 commented 1 year ago

SEI package style now requires that the global on_failure sets error.kind to "pipeline_error". New package generally have this behaviour, but existing packages need to be brought up to date.

Current packages (identified by CODEOWNERS) that do not do this are (package, data stream name and file):

[x] 1password #6599
- [x] item_usages: default.yml
- [x] signin_attempts: default.yml
[x] akamai #6599
- [x] siem: default.yml
[x] atlassian_bitbucket #6599
- [x] audit: default.yml
[x] atlassian_confluence #6599
- [x] audit: cloud.yml
- [x] audit: self-hosted.yml
- [x] audit: default.yml
[x] atlassian_jira #6599
- [x] audit: cloud.yml
- [x] audit: self-hosted.yml
- [x] audit: default.yml
[x] auditd #6599
- [x] log: default.yml
[x] auditd_manager #6599
- [x] auditd: default.yml
[x] auth0 #6599
- [x] logs: default.yml
[x] azure_frontdoor #6599
- [x] access: default.yml
- [x] waf: default.yml
[x] barracuda_cloudgen_firewall #6599
- [x] log: firewall.yml
- [x] log: web.yml
- [x] log: threat.yml
- [x] log: default.yml
[x] bitdefender #6599
- [x] push_configuration: default.yml
- [x] push_statistics: default.yml
[x] bluecoat #6599
- [x] director: default.yml
[x] box_events #6599
- [x] events: default.yml
[x] carbon_black_cloud #6613
- [x] alert: default.yml
- [x] asset_vulnerability_summary: default.yml
- [x] audit: default.yml
- [x] endpoint_event: default.yml
- [x] watchlist_hit: default.yml
[x] carbonblack_edr #6613
- [x] log: default.yml
[x] cef #6613
- [x] log: fp-pipeline.yml
- [x] log: default.yml
- [x] log: cp-pipeline.yml
[x] cisco_aironet #6600
- [x] log: default.yml
[x] cisco_asa #6600
- [x] log: default.yml
[x] cisco_secure_email_gateway #6600
- [x] log: pipeline_gui_logs.yml
- [x] log: pipeline_consolidated_event.yml
- [x] log: pipeline_system.yml
- [x] log: pipeline_bounce.yml
- [x] log: pipeline_authentication.yml
- [x] log: pipeline_status.yml
- [x] log: pipeline_content_scanner.yml
- [x] log: pipeline_amp.yml
- [x] log: default.yml
- [x] log: pipeline_anti_spam.yml
- [x] log: pipeline_text_mail_logs.yml
- [x] log: pipeline_error_logs.yml
[x] cisco_duo #6600
- [x] admin: default.yml
- [x] auth: default.yml
- [x] offline_enrollment: default.yml
- [x] summary: default.yml
- [x] telephony: default.yml
[x] cisco_ftd #6600
- [x] log: default.yml
[x] cisco_ise #6600
- [x] log: pipeline_ad_connector.yml
- [x] log: pipeline_authentication_flow_diagnostics.yml
- [x] log: pipeline_administrative_and_operational_audit.yml
- [x] log: pipeline_identity_stores_diagnostics.yml
- [x] log: pipeline_posture_and_client_provisioning_audit.yml
- [x] log: pipeline_radius_diagnostics.yml
- [x] log: pipeline_mydevices.yml
- [x] log: pipeline_failed_attempts.yml
- [x] log: pipeline_policy_diagnostics.yml
- [x] log: pipeline_tacacs_accounting.yml
- [x] log: pipeline_system_statistics.yml
- [x] log: pipeline_internal_operations_diagnostics.yml
- [x] log: pipeline_radius_accounting.yml
- [x] log: pipeline_passed_authentications.yml
- [x] log: pipeline_threat_centric_nac.yml
- [x] log: pipeline_guest.yml
- [x] log: default.yml
[x] cisco_meraki #6600
- [x] events: default.yml
- [x] log: airmarshal.yml
- [x] log: events.yml
- [x] log: idsalerts.yml
- [x] log: flows.yml
- [x] log: urls.yml
- [x] log: ipflows.yml
- [x] log: default.yml
- [x] log: security.yml
[x] cisco_nexus #6600
- [x] log: pipeline_extract_message.yml
[x] cisco_secure_endpoint #6600
- [x] event: default.yml
[x] cisco_umbrella #6600
- [x] log: default.yml
[x] citrix_waf #6613
- [x] log: default.yml
- [x] log: cef.yml
- [x] log: native.yml
[x] cloudflare #6613
- [x] audit: default.yml
- [x] logpull: http.yml
[x] crowdstrike #6613
- [x] falcon: remote_response_session_end.yml
- [x] falcon: firewall_match.yml
- [x] falcon: remote_response_session_start.yml
- [x] falcon: auth_activity_audit.yml
- [x] falcon: user_activity_audit.yml
- [x] falcon: incident_summary.yml
- [x] falcon: default.yml
- [x] falcon: detection_summary.yml
- [x] fdr: default.yml
[x] cylance #6613
- [x] protect: default.yml
[x] darktrace #6614
- [x] ai_analyst_alert: default.yml
- [x] model_breach_alert: default.yml
- [x] system_status_alert: default.yml
[x] f5 #6614
- [x] bigipafm: default.yml
- [x] bigipapm: default.yml
[x] f5_bigip #6614
- [x] log: pipeline_bigipapm.yml
- [x] log: pipeline_bigipltm.yml
- [x] log: pipeline_bigipafm.yml
- [x] log: pipeline_bigipasm.yml
- [x] log: default.yml
- [x] log: pipeline_bigipavr.yml
[x] fim #6614
- [x] event: default.yml
[x] fireeye #6614
- [x] nx: renaming-raws.yml
- [x] nx: default.yml
[x] forcepoint_web #6614
- [x] logs: default.yml
[x] fortinet_forticlient #6614
- [x] log: default.yml
[x] fortinet_fortiedr #6614
- [x] log: default.yml
[x] fortinet_fortigate #6614
- [x] log: event.yml
- [x] log: traffic.yml
- [x] log: default.yml
- [x] log: utm.yml
[x] fortinet_fortimail #6614
- [x] log: pipeline_system.yml
- [x] log: pipeline_encryption.yml
- [x] log: pipeline_mail.yml
- [x] log: pipeline_history.yml
- [x] log: pipeline_antispam.yml
- [x] log: pipeline_antivirus.yml
[x] gcp #6614
- [x] audit: default.yml
- [x] cloudrun_metrics: default.yml
- [x] compute: default.yml
- [x] dataproc: default.yml
- [x] dns: default.yml
- [x] firestore: default.yml
- [x] firewall: default.yml
- [x] gke: default.yml
- [x] loadbalancing_logs: default.yml
- [x] loadbalancing_metrics: default.yml
- [x] pubsub: default.yml
- [x] redis: default.yml
- [x] storage: default.yml
- [x] vpcflow: default.yml
[x] github #6614
- [x] audit: default.yml
- [x] code_scanning: default.yml
- [x] dependabot: default.yml
- [x] issues: default.yml
- [x] secret_scanning: default.yml
[x] google_workspace #6614
- [x] admin: default.yml
- [x] alert: default.yml
- [x] drive: default.yml
- [x] groups: default.yml
- [x] login: default.yml
- [x] rules: default.yml
- [x] saml: default.yml
- [x] user_accounts: default.yml
[x] hashicorp_vault #6616
- [x] audit: default.yml
- [x] log: json.yml
- [x] log: default.yml
- [x] metrics: default.yml
[x] hid_bravura_monitor #6616
- [x] log: default.yml
- [x] winlog: default.yml
[x] imperva #6616
- [x] securesphere: default.yml
[x] infoblox_bloxone_ddi #6616
- [x] dhcp_lease: default.yml
- [x] dns_config: default.yml
- [x] dns_data: default.yml
[x] infoblox_nios #6616
- [x] log: pipeline_dns.yml
- [x] log: pipeline_dhcp.yml
- [x] log: pipeline_audit.yml
- [x] log: default.yml
[x] iptables #6642 (attempted in #6616 — see note in revert)
- [x] log: default.yml
[x] jamf_compliance_reporter #6615
- [x] log: pipeline_hardware_event.yml
- [x] log: pipeline_gatekeeper_info_event.yml
- [x] log: pipeline_audio_video_device_event.yml
- [x] log: pipeline_aue_bind_and_aue_connect.yml
- [x] log: pipeline_signal_event.yml
- [x] log: pipeline_gatekeeper_manual_overrides.yml
- [x] log: pipeline_aue_chdir.yml
- [x] log: pipeline_aue_listen.yml
- [x] log: pipeline_aue_fork.yml
- [x] log: pipeline_aue_unmount.yml
- [x] log: pipeline_aue_tasknameforpid.yml
- [x] log: pipeline_aue_pidfortask.yml
- [x] log: pipeline_aue_accept.yml
- [x] log: pipeline_aue_remove_from_group_and_aue_mac_set_proc.yml
- [x] log: pipeline_aue_ptrace.yml
- [x] log: pipeline_aue_arguments.yml
- [x] log: pipeline_aue_execve.yml
- [x] log: pipeline_aue_exit.yml
- [x] log: pipeline_aue_socketpair.yml
- [x] log: pipeline_process_object.yml
- [x] log: pipeline_aue_ssauthint.yml
- [x] log: pipeline_exec_chain_child_object.yml
- [x] log: pipeline_audit_class_verification_event.yml
- [x] log: pipeline_aue_posix_spawn.yml
- [x] log: pipeline_prohibited_app_blocked.yml
- [x] log: pipeline_preference_list_event.yml
- [x] log: pipeline_xprotect_definitions_version_info.yml
- [x] log: pipeline_gatekeeper_quarantine_log.yml
- [x] log: pipeline_compliance_reporter_tamper_event_and_file_event_info.yml
- [x] log: pipeline_aue_session.yml
- [x] log: pipeline_aue_taskforpid.yml
- [x] log: pipeline_identity_object.yml
- [x] log: pipeline_unified_log_event.yml
- [x] log: pipeline_event.yml
- [x] log: pipeline_aue_mount.yml
- [x] log: pipeline_aue_kill.yml
- [x] log: pipeline_app_metrics.yml
- [x] log: pipeline_xprotect_event_log.yml
- [x] log: pipeline_print_event_information.yml
- [x] log: pipeline_aue_wait4.yml
- [x] log: pipeline_license_info_event.yml
- [x] log: default.yml
- [x] log: pipeline_aue_logout.yml
- [x] log: pipeline_aue_chroot.yml
- [x] log: pipeline_audit.yml
- [x] log: pipeline_aue_setpriority.yml
- [x] log: pipeline_aue_auth.yml
[x] jumpcloud #6617
- [x] events: default.yml
[x] juniper_junos #6617
- [x] log: default.yml
[x] juniper_netscreen #6617
- [x] log: default.yml
[x] keycloak #6617
- [x] log: default.yml
- [x] log: events.yml
[x] lastpass #6617
- [x] detailed_shared_folder: default.yml
- [x] event_report: default.yml
- [x] user: default.yml
[x] lyve_cloud #6617
- [x] audit: default.yml
- [x] audit: audit_lc.yml
[x] m365_defender #6661
- [x] event: pipeline_device.yml
- [x] event: pipeline_email.yml
- [x] event: pipeline_app_and_identity.yml
- [x] event: default.yml
- [x] event: pipeline_alert.yml
- [x] incident: default.yml
- [x] log: default.yml
[x] mattermost #6661
- [x] audit: default.yml
[x] microsoft_defender_endpoint #6661
- [x] log: default.yml
[x] microsoft_dhcp #6661
- [x] log: default.yml
- [x] log: dhcpv6.yml
- [x] log: dhcp.yml
[x] microsoft_exchange_online_message_trace #6661
- [x] log: default.yml
[x] mimecast #6627
- [x] audit_events: default.yml
- [x] dlp_logs: default.yml
- [x] siem_logs: default.yml
- [x] threat_intel_malware_customer: default.yml
- [x] threat_intel_malware_grid: default.yml
- [x] ttp_ap_logs: default.yml
- [x] ttp_ip_logs: default.yml
- [x] ttp_url_logs: default.yml
[x] modsecurity #6672
- [x] auditlog: apache-modsec.yml
- [x] auditlog: nginx-modsec.yml
[x] mysql_enterprise #6661
- [x] audit: default.yml
[x] netflow #6628
- [x] log: default.yml
[x] netscout #6662
- [x] sightline: default.yml
[x] netskope #6662
- [x] alerts: default.yml
- [x] events: default.yml
[x] network_traffic #6641
- [x] amqp: default.yml
- [x] amqp: geoip.yml
- [x] cassandra: geoip.yml
- [x] cassandra: default.yml
- [x] dhcpv4: default.yml
- [x] dhcpv4: geoip.yml
- [x] dns: default.yml
- [x] dns: geoip.yml
- [x] flow: geoip.yml
- [x] flow: default.yml
- [x] http: default.yml
- [x] http: geoip.yml
- [x] icmp: default.yml
- [x] icmp: geoip.yml
- [x] memcached: default.yml
- [x] memcached: geoip.yml
- [x] mongodb: default.yml
- [x] mongodb: geoip.yml
- [x] mysql: default.yml
- [x] mysql: geoip.yml
- [x] nfs: default.yml
- [x] nfs: geoip.yml
- [x] pgsql: default.yml
- [x] pgsql: geoip.yml
- [x] redis: default.yml
- [x] redis: geoip.yml
- [x] sip: default.yml
- [x] sip: geoip.yml
- [x] thrift: geoip.yml
- [x] thrift: default.yml
- [x] tls: default.yml
- [x] tls: geoip.yml
[x] o365 #6626
- [x] audit: default.yml
[x] osquery #6640
- [x] result: default.yml
[x] panw_cortex_xdr #6662
- [x] alerts: default.yml
[x] panw #6662
- [x] panos: sctp.yml
- [x] panos: hipmatch.yml
- [x] panos: authentication.yml
- [x] panos: correlated_event.yml
- [x] panos: config.yml
- [x] panos: ip_tag.yml
- [x] panos: system.yml
- [x] panos: traffic.yml
- [x] panos: gtp.yml
- [x] panos: userid.yml
- [x] panos: globalprotect.yml
- [x] panos: tunnel_inspection.yml
- [x] panos: threat.yml
- [x] panos: decryption.yml
- [x] panos: default.yml
[x] pfsense #6662
- [x] log: ipsec.yml
- [x] log: openvpn.yml
- [x] log: haproxy.yml
- [x] log: php-fpm.yml
- [x] log: squid.yml
- [x] log: unbound.yml
- [x] log: firewall.yml
- [x] log: default.yml
- [x] log: dhcp.yml
[x] ping_one #6662
- [x] audit: default.yml
[x] proofpoint_tap #6662
- [x] clicks_blocked: default.yml
- [x] clicks_permitted: default.yml
- [x] message_blocked: default.yml
- [x] message_delivered: default.yml
[x] pulse_connect_secure #6662
- [x] log: default.yml
[x] qnap_nas #6663
- [x] log: default.yml
[x] radware #6663
- [x] defensepro: default.yml
[x] santa #6663
- [x] log: default.yml
[x] sentinel_one #6663
- [x] activity: default.yml
- [x] agent: default.yml
- [x] alert: default.yml
- [x] group: default.yml
- [x] threat: default.yml
[x] slack #6663
- [x] audit: default.yml
[x] snort #6663
- [x] log: json.yml
- [x] log: plaintext.yml
- [x] log: default.yml
[x] snyk #6663
- [x] audit: default.yml
- [x] vulnerabilities: default.yml
[x] sonicwall_firewall #6663
- [x] log: default.yml
[x] sophos #6663
- [x] utm: default.yml
- [x] xg: idp.yml
- [x] xg: event.yml
- [x] xg: waf.yml
- [x] xg: wifi.yml
- [x] xg: sandstorm.yml
- [x] xg: antispam.yml
- [x] xg: systemhealth.yml
- [x] xg: firewall.yml
- [x] xg: atp.yml
- [x] xg: default.yml
- [x] xg: cfilter.yml
- [x] xg: antivirus.yml
[x] sophos_central #6663
- [x] alert: default.yml
- [x] event: default.yml
[x] squid #6663
- [x] log: default.yml
[x] suricata #6625
- [x] eve: dns.yml
- [x] eve: tls.yml
- [x] eve: dns-answer-v2.yml
- [x] eve: dns-answer-v1.yml
- [x] eve: default.yml
[x] symantec_endpoint #6663
- [x] log: default.yml
[x] sysmon_linux #6663
- [x] log: default.yml
[x] system_audit #6639
- [x] package: default.yml
[x] tanium #6660
- [x] action_history: default.yml
- [x] client_status: default.yml
- [x] discover: default.yml
- [x] endpoint_config: default.yml
- [x] reporting: default.yml
- [x] threat_response: default.yml
- [x] threat_response: pipeline_payload.yml
[x] tenable_sc #6659
- [x] asset: default.yml
- [x] plugin: default.yml
- [x] vulnerability: default.yml
[x] thycotic_ss #6658
- [x] logs: default.yml
[x] ti_abusech #6629
- [x] malware: default.yml
- [x] malwarebazaar: default.yml
- [x] threatfox: default.yml
- [x] url: default.yml
[x] ti_anomali #6630
- [x] threatstream: default.yml
[x] ti_cif3 #6631
- [x] feed: default.yml
[x] ti_cybersixgill #6632
- [x] threat: default.yml
[x] ti_misp #6633
- [x] threat: default.yml
- [x] threat_attributes: default.yml
[x] ti_otx #6634
- [x] threat: default.yml
[x] ti_rapid7_threat_command #6635
- [x] alert: default.yml
- [x] ioc: default.yml
- [x] vulnerability: default.yml
- [x] ti_rapid7_command-cve-rule-transform-pipeline.yml
- [x] ti_rapid7_command-ioc-rule-transform-pipeline.yml
- [x] ti_rapid7_command-uinque-ioc-transform-pipeline.yml
[x] ti_recordedfuture #6636
- [x] threat: decode_csv.yml
- [x] threat: default.yml
[x] ti_threatq #6637
- [x] threat: default.yml
[x] tines #6655
- [x] audit_logs: default.yml
- [x] time_saved: default.yml
[x] trendmicro #6656
- [x] deep_security: malware-event.yml
- [x] deep_security: log-inspection.yml
- [x] deep_security: system-event.yml
- [x] deep_security: integrity-monitoring-event.yml
- [x] deep_security: web-reputation.yml
- [x] deep_security: default.yml
- [x] deep_security: application-control-event.yml
- [x] deep_security: intrusion-prevention-event.yml
- [x] deep_security: firewall-event.yml
[x] trend_micro_vision_one #6657
- [x] alert: default.yml
- [x] audit: default.yml
- [x] detection: default.yml
[x] windows #6612
- [x] forwarded: default.yml
[x] zeek #6638
- [x] capture_loss: default.yml
- [x] capture_loss: third-party.yml
- [x] connection: third-party.yml
- [x] connection: default.yml
- [x] dce_rpc: third-party.yml
- [x] dce_rpc: default.yml
- [x] dhcp: default.yml
- [x] dhcp: third-party.yml
- [x] dnp3: third-party.yml
- [x] dnp3: default.yml
- [x] dns: third-party.yml
- [x] dns: default.yml
- [x] dpd: third-party.yml
- [x] dpd: default.yml
- [x] files: third-party.yml
- [x] files: default.yml
- [x] ftp: third-party.yml
- [x] ftp: default.yml
- [x] http: third-party.yml
- [x] http: default.yml
- [x] intel: third-party.yml
- [x] intel: default.yml
- [x] irc: third-party.yml
- [x] irc: default.yml
- [x] kerberos: third-party.yml
- [x] kerberos: default.yml
- [x] known_certs: default.yml
- [x] known_hosts: default.yml
- [x] known_services: default.yml
- [x] modbus: third-party.yml
- [x] modbus: default.yml
- [x] mysql: default.yml
- [x] mysql: third-party.yml
- [x] notice: third-party.yml
- [x] notice: default.yml
- [x] ntlm: third-party.yml
- [x] ntlm: default.yml
- [x] ntp: third-party.yml
- [x] ntp: default.yml
- [x] ocsp: third-party.yml
- [x] ocsp: default.yml
- [x] pe: third-party.yml
- [x] pe: default.yml
- [x] radius: third-party.yml
- [x] radius: default.yml
- [x] rdp: third-party.yml
- [x] rdp: default.yml
- [x] rfb: default.yml
- [x] rfb: third-party.yml
- [x] signature: third-party.yml
- [x] signature: default.yml
- [x] sip: default.yml
- [x] sip: third-party.yml
- [x] smb_cmd: third-party.yml
- [x] smb_cmd: default.yml
- [x] smb_files: third-party.yml
- [x] smb_files: default.yml
- [x] smb_mapping: third-party.yml
- [x] smb_mapping: default.yml
- [x] smtp: third-party.yml
- [x] smtp: default.yml
- [x] snmp: third-party.yml
- [x] snmp: default.yml
- [x] socks: third-party.yml
- [x] socks: default.yml
- [x] software: default.yml
- [x] ssh: third-party.yml
- [x] ssh: default.yml
- [x] ssl: third-party.yml
- [x] ssl: default.yml
- [x] stats: third-party.yml
- [x] stats: default.yml
- [x] syslog: third-party.yml
- [x] syslog: default.yml
- [x] traceroute: third-party.yml
- [x] traceroute: default.yml
- [x] tunnel: default.yml
- [x] tunnel: third-party.yml
- [x] weird: third-party.yml
- [x] weird: default.yml
- [x] x509: default.yml
- [x] x509: third-party.yml
[x] zerofox #6654
- [x] alerts: default.yml
[x] zoom #6653
- [x] webhook: chat_message.yml
- [x] webhook: webinar.yml
- [x] webhook: meeting.yml
- [x] webhook: zoomroom.yml
- [x] webhook: account.yml
- [x] webhook: user.yml
- [x] webhook: recording.yml
- [x] webhook: chat_channel.yml
- [x] webhook: default.yml
- [x] webhook: phone.yml
[x] zscaler_zia #6652
- [x] alerts: default.yml
- [x] dns: default.yml
- [x] firewall: default.yml
- [x] tunnel: default.yml
- [x] web: default.yml
[x] zscaler_zpa #6651
- [x] app_connector_status: default.yml
- [x] audit: default.yml
- [x] browser_access: default.yml
- [x] user_activity: default.yml
- [x] user_status: default.yml
[x] zeronetworks #6650
- [x] audit: default.yml

elasticmachine commented 1 year ago

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

MakoWish commented 1 year ago

@efd6,

Want me to start knocking some of these out? I won't have permissions to check boxes above, but I could refer to this issue for whichever PR's I create.

efd6 commented 1 year ago

@MakoWish You are welcome to pick up any that are important to you.

MakoWish commented 1 year ago

Submit PR's for pretty much all that we use. Will see if I can get more time later to knock out a few more just to assist.

MakoWish commented 1 year ago

Didn't see modsecurity in your m* PR, so just knocked that one out. That should wrap this up, yeah?

efd6 commented 1 year ago

Many thanks to @MakoWish.

ishleenk17 commented 1 year ago

@MakoWish : Thanks for your contributions here.

@efd6: As I discussed with you, this change will basically help us in using error.message to store errors other than pipeline errors as well, but it requires a change in Elastic Package as well since EP uses it for pipeline errors. Could you please share the ticket where the EP task is being tracked?

That will help us in pursuing the change done by @MakoWish to non-sei integrations.

cc: @andrewkroh

efd6 commented 1 year ago

There is no ticket for this in EP. @jsoriano Do you have any information to add here?

jsoriano commented 1 year ago

Do you mean that elastic-package pipeline tests currently fail if they find an error.message? Probably we can make it to fail only when error.kind is pipeline_error if we are going to use this field in all packages to indicate an actual pipeline error.

If the on_failure part should be included in all packages, I wonder if it should be filled by elastic-package on build time, or by Fleet on install time.

Please open an issue with details about this use case.

efd6 commented 1 year ago

I have filed https://github.com/elastic/elastic-package/issues/1392.

jsoriano commented 1 year ago

I have filed elastic/elastic-package#1392.

Thanks!

elastic / integrations

sei: ensure packages set error.kind to "pipeline_error" in on_failure processor #6582