jamf_protect: fix up dashboard filters #10927

merged 5 commits into from
Sep 1, 2024
address pr comment
efd6 committed Sep 1, 2024
commit c994bdc45f6520479c7728c1feb54fbc6d936b66
5 changes: 4 additions & 1 deletion packages/jamf_protect/changelog.yml
@@ -1,7 +1,10 @@
# newer versions go on top
- version: "2.4.1"
- version: "2.5.0"
changes:
- description: Fix dashboard filters.
type: bugfix
link: https://github.com/elastic/integrations/pull/10927
- description: Use contant keyword for `observer.product` and `observer.vendor`.
type: enhancement
link: https://github.com/elastic/integrations/pull/10927
- version: "2.4.0"
Expand Up @@ -46,10 +46,6 @@
"full": "Version 14.2 (Build 23C5030f)"
}
},
"observer": {
"product": "Jamf Protect",
"vendor": "Jamf"
},
"process": {
"args": [
"/Library/PrivilegedHelperTools/com.microsoft.autoupdate.helper",
Expand Down Expand Up @@ -161,10 +157,6 @@
"full": "Version 14.0 (Build 23A344)"
}
},
"observer": {
"product": "Jamf Protect",
"vendor": "Jamf"
},
"process": {
"args": [
"/usr/libexec/security_authtrampoline",
Expand Down Expand Up @@ -308,10 +300,6 @@
"full": "Version 14.3 (Build 23D56)"
}
},
"observer": {
"product": "Jamf Protect",
"vendor": "Jamf"
},
"process": {
"args": [
"/usr/libexec/PlistBuddy",
Expand Down Expand Up @@ -440,10 +428,6 @@
"full": "Version 14.2 (Build 23C5030f)"
}
},
"observer": {
"product": "Jamf Protect",
"vendor": "Jamf"
},
"process": {
"args": [
"/Users/thijs/Library/Application Support/Setapp/LaunchAgents/SetappUpdater.app/Contents/Frameworks/Sparkle.framework/Versions/B/Autoupdate",
Expand Down Expand Up @@ -545,10 +529,6 @@
"full": "Version 14.2 (Build 23C5030f)"
}
},
"observer": {
"product": "Jamf Protect",
"vendor": "Jamf"
},
"related": {
"ip": [
"175.16.199.5"
Expand Down Expand Up @@ -620,10 +600,6 @@
"full": "Version 14.0 (Build 23A344)"
}
},
"observer": {
"product": "Jamf Protect",
"vendor": "Jamf"
},
"related": {
"hash": [
"0a5f0aa7cbe904e687341e2eee453348e3a3760d",
Expand Down Expand Up @@ -665,10 +641,6 @@
"full": "Version 13.6.1 (Build 22G313)"
}
},
"observer": {
"product": "Jamf Protect",
"vendor": "Jamf"
},
"process": {
"name": "XProtectRemediatorGreenAcre",
"pid": 6925,
Expand Down Expand Up @@ -711,10 +683,6 @@
"full": "Version 13.6.1 (Build 22G313)"
}
},
"observer": {
"product": "Jamf Protect",
"vendor": "Jamf"
},
"process": {
"name": "XProtectRemediatorGreenAcre",
"pid": 6925,
Expand Down Expand Up @@ -758,10 +726,6 @@
"full": "Version 14.3 (Build 23D56)"
}
},
"observer": {
"product": "Jamf Protect",
"vendor": "Jamf"
},
"process": {
"name": "XProtectRemediatorWaterNet",
"pid": 4052,
Expand Down Expand Up @@ -805,10 +769,6 @@
"full": "Version 14.2.1 (Build 23C71)"
}
},
"observer": {
"product": "Jamf Protect",
"vendor": "Jamf"
},
"process": {
"name": "JCDaemon",
"pid": 2618,
Expand Down Expand Up @@ -848,10 +808,6 @@
"full": "Version 14.3 (Build 23D56)"
}
},
"observer": {
"product": "Jamf Protect",
"vendor": "Jamf"
},
"process": {
"name": "loginwindow",
"pid": 7695,
Expand Up @@ -13,16 +13,6 @@ processors:
target_field: jamf_protect.alerts
if: ctx.json != null

##########################
## ECS Observer Mapping ##
##########################
- set:
field: observer.product
value: Jamf Protect
- set:
field: observer.vendor
value: Jamf

#######################
## ECS Event Mapping ##
#######################
Expand Down Expand Up @@ -71,31 +61,31 @@ processors:
description: Populates event.action with the name of the event
lang: painless
source: >
if (ctx.jamf_protect?.alerts?.input?.match?.facts != null && ctx.jamf_protect.alerts.input.match.facts.size() > 0) {
if (ctx.jamf_protect.alerts.input.match.facts[0].containsKey('name')) {
ctx.event.action = ctx.jamf_protect.alerts.input.match.facts[0].name;
}
if (ctx.jamf_protect?.alerts?.input?.match?.facts != null && ctx.jamf_protect.alerts.input.match.facts.size() > 0) {
if (ctx.jamf_protect.alerts.input.match.facts[0].containsKey('name')) {
ctx.event.action = ctx.jamf_protect.alerts.input.match.facts[0].name;
}
}
ignore_failure: true
- script:
description: Populates event.reason with the name of the event
lang: painless
source: >
if (ctx.jamf_protect?.alerts?.input?.match?.facts != null && ctx.jamf_protect.alerts.input.match.facts.size() > 0) {
if (ctx.jamf_protect.alerts.input.match.facts[0].containsKey('human')) {
ctx.event.reason = ctx.jamf_protect.alerts.input.match.facts[0].human;
}
if (ctx.jamf_protect?.alerts?.input?.match?.facts != null && ctx.jamf_protect.alerts.input.match.facts.size() > 0) {
if (ctx.jamf_protect.alerts.input.match.facts[0].containsKey('human')) {
ctx.event.reason = ctx.jamf_protect.alerts.input.match.facts[0].human;
}
}
ignore_failure: true
- script:
description: Populates event.tags with tags from the event
lang: painless
source: >
if (ctx.jamf_protect?.alerts?.input?.match?.facts != null && ctx.jamf_protect.alerts.input.match.facts.size() > 0) {
if (ctx.jamf_protect.alerts.input.match.facts[0].containsKey('tags')) {
ctx.tags = ctx.jamf_protect.alerts.input.match.facts[0].tags;
}
if (ctx.jamf_protect?.alerts?.input?.match?.facts != null && ctx.jamf_protect.alerts.input.match.facts.size() > 0) {
if (ctx.jamf_protect.alerts.input.match.facts[0].containsKey('tags')) {
ctx.tags = ctx.jamf_protect.alerts.input.match.facts[0].tags;
}
}
ignore_failure: true
- rename:
field: jamf_protect.alerts.input.match.uuid
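Review bot: Dropping the two `set` processors in the first hunk changes how an incoming `observer.product` or `observer.vendor` value is handled: the old pipeline overwrote it with the constant unconditionally, whereas now a document that still carries a different value (for example one added by a Fleet processor ahead of this pipeline) is no longer normalized, and the `constant_keyword` mapping added in the fields hunk of the following section will reject such a document at index time instead of coercing it. The constant also lives only in the mapping, so anything downstream that reads `_source` will no longer see `observer.*` even though searches and the dashboard filters this PR targets still match. If the old tolerance is wanted, a `- remove:` processor with `field: [observer.product, observer.vendor]` and `ignore_missing: true` before indexing restores it; otherwise a pointer in place of the removed `ECS Observer Mapping` comment, e.g. `# observer.product/observer.vendor are constant_keyword fields (see fields.yml); not set here.`, would save the next maintainer a search. The second hunk appears to be an indentation-only change to the painless `source` blocks, but the rendered page has lost the whitespace so that cannot be confirmed here.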
Expand Up @@ -18,3 +18,11 @@
type: constant_keyword
description: Event module.
value: jamf_protect
- name: observer.product
type: constant_keyword
external: ecs
value: Jamf Protect
- name: observer.vendor
type: constant_keyword
external: ecs
value: Jamf
20 changes: 8 additions & 12 deletions packages/jamf_protect/data_stream/alerts/sample_event.json
@@ -1,24 +1,24 @@
{
"@timestamp": "2024-06-12T21:15:48.751Z",
"@timestamp": "2024-09-01T20:43:13.311Z",
"agent": {
"ephemeral_id": "f61f65a0-cfe1-43bc-8b7e-b2bec2ad3fe1",
"id": "8e815812-b6dc-4364-9622-da2462209a37",
"ephemeral_id": "17fd4566-0d6d-4a3b-870d-2b55cb00219b",
"id": "eb9762c2-ef0d-4e97-8e71-b8f31265d39c",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.13.2"
"version": "8.13.0"
},
"data_stream": {
"dataset": "jamf_protect.alerts",
"namespace": "ep",
"namespace": "46474",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "8e815812-b6dc-4364-9622-da2462209a37",
"id": "eb9762c2-ef0d-4e97-8e71-b8f31265d39c",
"snapshot": false,
"version": "8.13.2"
"version": "8.13.0"
},
"event": {
"action": "CustomURLHandlerCreation",
Expand All @@ -29,7 +29,7 @@
],
"dataset": "jamf_protect.alerts",
"id": "6bdb0697-6d07-47bc-a37d-6c3348a5d953",
"ingested": "2024-06-12T21:15:58Z",
"ingested": "2024-09-01T20:43:23Z",
"kind": "alert",
"provider": "Jamf Protect",
"reason": "Application that uses custom url handler created",
Expand Down Expand Up @@ -68,10 +68,6 @@
"input": {
"type": "http_endpoint"
},
"observer": {
"product": "Jamf Protect",
"vendor": "Jamf"
},
"process": {
"args": [
"/Library/PrivilegedHelperTools/com.microsoft.autoupdate.helper",
22 changes: 10 additions & 12 deletions packages/jamf_protect/docs/README.md
Expand Up @@ -112,26 +112,26 @@ An example event for `alerts` looks as following:

```json
{
"@timestamp": "2024-06-12T21:15:48.751Z",
"@timestamp": "2024-09-01T20:43:13.311Z",
"agent": {
"ephemeral_id": "f61f65a0-cfe1-43bc-8b7e-b2bec2ad3fe1",
"id": "8e815812-b6dc-4364-9622-da2462209a37",
"ephemeral_id": "17fd4566-0d6d-4a3b-870d-2b55cb00219b",
"id": "eb9762c2-ef0d-4e97-8e71-b8f31265d39c",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.13.2"
"version": "8.13.0"
},
"data_stream": {
"dataset": "jamf_protect.alerts",
"namespace": "ep",
"namespace": "46474",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "8e815812-b6dc-4364-9622-da2462209a37",
"id": "eb9762c2-ef0d-4e97-8e71-b8f31265d39c",
"snapshot": false,
"version": "8.13.2"
"version": "8.13.0"
},
"event": {
"action": "CustomURLHandlerCreation",
Expand All @@ -142,7 +142,7 @@ An example event for `alerts` looks as following:
],
"dataset": "jamf_protect.alerts",
"id": "6bdb0697-6d07-47bc-a37d-6c3348a5d953",
"ingested": "2024-06-12T21:15:58Z",
"ingested": "2024-09-01T20:43:23Z",
"kind": "alert",
"provider": "Jamf Protect",
"reason": "Application that uses custom url handler created",
Expand Down Expand Up @@ -181,10 +181,6 @@ An example event for `alerts` looks as following:
"input": {
"type": "http_endpoint"
},
"observer": {
"product": "Jamf Protect",
"vendor": "Jamf"
},
"process": {
"args": [
"/Library/PrivilegedHelperTools/com.microsoft.autoupdate.helper",
Expand Down Expand Up @@ -279,6 +275,8 @@ An example event for `alerts` looks as following:
| input.type | Input type | keyword |
| jamf_protect.alerts.timestamp_nanoseconds | The timestamp in Epoch nanoseconds. | date |
| log.offset | Log offset | long |
| observer.product | The product name of the observer. | constant_keyword |
| observer.vendor | Vendor name of the observer. | constant_keyword |
| volume.bus_type | | keyword |
| volume.file_system_type | | keyword |
| volume.nt_name | | keyword |
2 changes: 1 addition & 1 deletion packages/jamf_protect/manifest.yml
@@ -1,7 +1,7 @@
format_version: 3.0.3
name: jamf_protect
title: Jamf Protect
version: "2.4.1"
version: "2.5.0"
description: Receives events from Jamf Protect with Elastic Agent.
type: integration
categories: