diff --git a/packages/beaconing/changelog.yml b/packages/beaconing/changelog.yml
index 6cc269bbbc8..2f1f217180a 100644
--- a/packages/beaconing/changelog.yml
+++ b/packages/beaconing/changelog.yml
@@ -1,3 +1,8 @@
+- version: "1.4.0"
+ changes:
+ - description: Add source.ip to beaconing and fix indexing timestamp
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/16706/
 - version: "1.3.3"
 changes:
 - description: Update documentation on configuring data view for dashboards
diff --git a/packages/beaconing/elasticsearch/ingest_pipeline/ml_beaconing_ingest_pipeline.yml b/packages/beaconing/elasticsearch/ingest_pipeline/ml_beaconing_ingest_pipeline.yml
index 05d944dc4d3..e79b15d762a 100644
--- a/packages/beaconing/elasticsearch/ingest_pipeline/ml_beaconing_ingest_pipeline.yml
+++ b/packages/beaconing/elasticsearch/ingest_pipeline/ml_beaconing_ingest_pipeline.yml
@@ -5,4 +5,9 @@ processors:
 - '@timestamp'
 - _id
 method: SHA-256
- target_field: _id
\ No newline at end of file
+ target_field: _id
+ - date:
+ field: event.ingested
+ formats:
+ - UNIX
+ target_field: event.ingested
\ No newline at end of file
diff --git a/packages/beaconing/elasticsearch/transform/pivot_transform/fields/fields.yml b/packages/beaconing/elasticsearch/transform/pivot_transform/fields/fields.yml
index 34f3b2499ba..360108f3053 100644
--- a/packages/beaconing/elasticsearch/transform/pivot_transform/fields/fields.yml
+++ b/packages/beaconing/elasticsearch/transform/pivot_transform/fields/fields.yml
@@ -2,6 +2,8 @@
 type: keyword
 - name: process.name
 type: keyword
+- name: source.ip
+ type: ip
 - name: beacon_stats.autocovariance
 type: float
 - name: beacon_stats.beaconing_score
diff --git a/packages/beaconing/elasticsearch/transform/pivot_transform/transform.yml b/packages/beaconing/elasticsearch/transform/pivot_transform/transform.yml
index 05210a05684..0ec637e8158 100644
--- a/packages/beaconing/elasticsearch/transform/pivot_transform/transform.yml
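Review bot: The new `date` processor on `event.ingested` has no guard, so a document that reaches this pipeline without `event.ingested`, or with a value that is not an epoch-seconds string, fails as a whole, and since the transform's `dest.pipeline` points here that failure would presumably surface as transform bulk-indexing errors rather than a dropped field; the `date` processor has no `ignore_missing` option, so add `if: ctx.event?.ingested != null` (or `ignore_failure: true` if best-effort is acceptable) to the new processor. It is also worth confirming that the transform writes `event.ingested` as epoch seconds: `UNIX` parses seconds, and a millisecond value parsed with it would land centuries in the future, which `UNIX_MS` would avoid. The `processors:` list this hunk extends starts before the hunk, and the file still ends without a trailing newline on the new side.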
+++ b/packages/beaconing/elasticsearch/transform/pivot_transform/transform.yml
@@ -1,6 +1,6 @@
 dest:
- index: ml_beaconing-1.3.3
- pipeline: 1.3.3-ml_beaconing_ingest_pipeline
+ index: ml_beaconing-1.4.0
+ pipeline: 1.4.0-ml_beaconing_ingest_pipeline
 aliases:
 - alias: ml_beaconing.latest
 move_on_creation: true
@@ -347,6 +347,9 @@ pivot:
 'process.name':
 terms:
 field: process.name
+ 'source.ip':
+ terms:
+ field: source.ip
 source:
 index: logs-*
 query:
@@ -382,10 +385,12 @@ source:
 must_not:
 terms:
 'destination.ip': ["10.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "127.0.0.0/8", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10", "FF00::/8", "13.64.0.0/11", "13.104.0.0/14", "13.96.0.0/13", "18.209.113.128/26", "20.33.0.0/16", "20.34.0.0/15", "20.36.0.0/14", "20.40.0.0/13", "20.48.0.0/12", "20.64.0.0/10", "20.128.0.0/16", "20.36.0.0/14", "20.34.0.0/15", "20.40.0.0/13", "20.128.0.0/16", "20.48.0.0/12", "20.33.0.0/16", "20.180.0.0/14", "20.184.0.0/13", "23.64.0.0/14", "23.32.0.0/11", "40.74.0.0/15", "40.76.0.0/14", "40.80.0.0/12", "40.96.0.0/12", "40.112.0.0/13", "40.120.0.0/14", "40.124.0.0/16", "40.126.0.0/18", "40.125.0.0/17", "52.132.0.0/14", "52.136.0.0/13", "52.148.0.0/14", "52.145.0.0/16", "52.146.0.0/15", "52.160.0.0/11", "52.152.0.0/13", "52.224.0.0/11"]
+settings:
+ deduce_mappings: false
 sync:
 time:
 delay: 120s
 field: "@timestamp"
 _meta:
- fleet_transform_version: 1.2.4
+ fleet_transform_version: 1.4.0
 run_as_kibana_system: false
diff --git a/packages/beaconing/manifest.yml b/packages/beaconing/manifest.yml
index 8b66f884dca..6c3d6c40c89 100644
--- a/packages/beaconing/manifest.yml
+++ b/packages/beaconing/manifest.yml
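Review bot: Adding `'source.ip'` as a `terms` group_by in the pivot silently excludes every source event that has no `source.ip`, because a transform `terms` group skips documents missing the field unless `missing_bucket: true` is set; any `logs-*` data stream that only carries `destination.ip` would then disappear from the beaconing output with no error, narrowing detection coverage relative to 1.3.3. If that is not intended, add `missing_bucket: true` under the new `terms:` next to `field: source.ip` so those events are kept in a null bucket, and record the decision in the changelog either way. Splitting each existing group per source IP also changes the population the beacon statistics are computed over, which is worth a sentence in the changelog entry. The `pivot:` block this hunk edits starts before the hunk.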
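Review bot: The new `settings.deduce_mappings: false` changes where the destination index's mappings come from, but nothing in the file says why, and a future maintainer could drop it without noticing that typed fields then depend on the transform's deduction instead of the package template. A comment directly above it would carry the intent, e.g. `# presumably: destination mappings come from the package fields.yml (e.g. source.ip typed as ip) rather than being deduced from logs-* — confirm`. The `_meta.fleet_transform_version` bump in the same hunk is fine as is.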
@@ -1,7 +1,7 @@
 format_version: 3.0.0
 name: beaconing
 title: "Network Beaconing Identification"
-version: 1.3.3
+version: 1.4.0
 source:
 license: "Elastic-2.0"
 description: "Package to identify beaconing activity in your network events."