sei: packages potentially using incorrect mustache snippet escaping

[efd6]

The mustache templating system used by ingest pipelines has two levels of escaping available, not escaped (triple stache) and HTML escaped (double stache) — see man mustache under "tag types: variables". This can lead to data corruption, particularly in cases where an operating system has chosen to use a character requiring escaping in its path syntax (example here).

In general we should not be HTML escaping fields for ingestion, so it is nearly always the case that we should be using the triple stache. This is not the case; this is a list of SEI packages that have at least one instance of a double stache in a template snippet:

• [ ] 1password
• [ ] akamai
• [ ] atlassian_bitbucket
• [ ] atlassian_confluence
• [ ] atlassian_jira
• [ ] auditd
• [ ] aws
• [ ] barracuda
• [ ] bitdefender
• [ ] bluecoat
• [ ] carbonblack_edr
• [ ] cef
• [ ] checkpoint
• [ ] cisco_asa
• [ ] cisco_ios
• [ ] cisco_ise
• [ ] cisco_secure_endpoint
• [ ] cisco_umbrella
• [ ] citrix_waf
• [ ] cloudflare
• [ ] cloudflare_logpush
• [ ] crowdstrike
• [ ] cyberark_pta
• [ ] cylance
• [ ] entityanalytics_entra_id
• [ ] f5
• [ ] fireeye
• [ ] forcepoint_web
• [ ] forgerock
• [ ] fortinet_forticlient
• [ ] fortinet_fortiedr
• [ ] fortinet_fortigate
• [ ] gcp
• [ ] github
• [ ] google_workspace
• [ ] hid_bravura_monitor
• [ ] imperva
• [ ] infoblox_nios
• [ ] jumpcloud
• [ ] juniper_junos
• [ ] juniper_netscreen
• [ ] juniper_srx
• [ ] keycloak
• [ ] lyve_cloud
• [x] m365_defender #7522 #7707
• [ ] mattermost
• [ ] microsoft_defender_endpoint
• [ ] microsoft_dhcp
• [ ] microsoft_sqlserver
• [ ] mimecast
• [ ] modsecurity
• [ ] mysql_enterprise
• [ ] nagios_xi
• [ ] netflow
• [ ] netscout
• [ ] netskope
• [ ] network_traffic
• [ ] o365
• [ ] okta
• [ ] osquery
• [ ] pfsense
• [ ] pulse_connect_secure
• [ ] qnap_nas
• [ ] radware
• [ ] santa
• [ ] slack
• [ ] snort
• [ ] snyk
• [ ] sophos
• [ ] squid
• [ ] suricata
• [ ] symantec_endpoint
• [ ] sysmon_linux
• [ ] system
• [ ] system_audit
• [ ] tenable_io
• [ ] thycotic_ss
• [ ] ti_abusech
• [ ] ti_cif3
• [ ] ti_cybersixgill
• [ ] ti_maltiverse
• [ ] ti_misp
• [ ] trendmicro
• [ ] windows
• [x] zeek #7640
• [ ] zeronetworks
• [ ] zoom

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)