From de4ba06732793c31192abb01db0ae6a849d7919c Mon Sep 17 00:00:00 2001 From: Dan Kortschak Date: Tue, 18 Feb 2025 13:55:10 +1030 Subject: [PATCH 1/4] digital_guardian: fix mapping of dg_alert.alert_wb field --- packages/digital_guardian/changelog.yml | 8 ++++ .../arc/_dev/test/pipeline/test-dg-arc.log | 1 + .../pipeline/test-dg-arc.log-expected.json | 39 ++++++++++++++++++- .../elasticsearch/ingest_pipeline/default.yml | 21 +++++++++- .../data_stream/arc/fields/fields.yml | 32 ++++++++++++++- packages/digital_guardian/docs/README.md | 12 +++++- packages/digital_guardian/manifest.yml | 2 +- 7 files changed, 110 insertions(+), 5 deletions(-) diff --git a/packages/digital_guardian/changelog.yml b/packages/digital_guardian/changelog.yml index d40b522f19d..28f0d867100 100644 --- a/packages/digital_guardian/changelog.yml +++ b/packages/digital_guardian/changelog.yml @@ -1,4 +1,12 @@ # newer versions go on top +- version: "1.3.3" + changes: + - description: Fix mapping type of `dg_alert.alert_wb`. + type: bugfix + link: https://github.com/elastic/integrations/pull/12818 + - description: Fix dot expansion. + type: bugfix + link: https://github.com/elastic/integrations/pull/12818 - version: "1.3.2" changes: - description: Updated SSL description to be uniform and to include links to documentation. diff --git a/packages/digital_guardian/data_stream/arc/_dev/test/pipeline/test-dg-arc.log b/packages/digital_guardian/data_stream/arc/_dev/test/pipeline/test-dg-arc.log index 99586200dbd..1a00901aa69 100644 --- a/packages/digital_guardian/data_stream/arc/_dev/test/pipeline/test-dg-arc.log +++ b/packages/digital_guardian/data_stream/arc/_dev/test/pipeline/test-dg-arc.log 
@@ -1,3 +1,4 @@ {"dg_comment":"-","dg_description":"This file outlook.exe was going to [demo.digitalg@gmail.com]","dg_guid":"1dc3c1fa-5474-4fc0-a7c3-74ff42d28e5e","dg_name":"test has attached a Salesforce data to an email","dg_tenant":"279b59f3-02f3-44ea-a7c3-9bac2eb0224d","dg_utype":"Incident","inc_assign":"test@dgdemo","inc_creator":"dg","inc_id":"230523-WIQHA","inc_mtime":"2023-05-23 06:56:39","inc_sev":"Critical","inc_state":"Created"} {"dg_comment":"-","dg_description":"-","dg_guid":"c742c377-b429-428a-b0c9-515cbbf143be","dg_name":"Demo 10","dg_tenant":"279b59f3-02f3-44ea-a7c3-9bac2eb0224d","dg_utype":"Incident","inc_assign":"demo@dgdemo","inc_creator":"demo@dgdemo","inc_id":"230523-RG0AB","inc_mtime":"2023-05-23 11:53:11","inc_sev":"Critical","inc_state":"Escalated"} {"dg_comment":"-","dg_description":"-","dg_guid":"c742c377-b429-428a-b0c9-515cbbf143be","dg_name":"Demo 10","dg_tenant":"279b59f3-02f3-44ea-a7c3-9bac2eb0224d","dg_utype":"Incident","inc_assign":"demo@dgdemo","inc_creator":"demo@dgdemo","inc_id":"230523-RG0AB","inc_mtime":"2023-05-23 11:53:11","inc_sev":"Critical","inc_state":"Escalated","dg_time":"2024-11-05 07:20:41 PM","dg_processed_time":1730834913309,"dg_local_timestamp":"2024-11-05 02:20:41 PM","pi_fal":"2024-11-04 02:32:20 PM","pi_fcl":"2024-06-20 12:53:34 PM","pi_fml":"2024-11-04 09:37:26 AM","dg_attachments.dg_file_size":"1.8 MB","dg_file_size":"10.4 KB"} +{"dg_alert.alert_al":"High","dg_alert.alert_at":"Prompt","dg_alert.alert_bc":"User Decision","dg_alert.alert_did":"-","dg_alert.alert_etl":"2025-01-22 02:09:02 PM","dg_alert.alert_etu":"2025-01-22 07:09:02 PM","dg_alert.alert_ur":"Photo for team activity","dg_alert.alert_wb":"No","dg_alert.dg_category_name":"0 _MacPRD:AllComputerPol","dg_alert.dg_detection_source":"Alert","dg_alert.dg_name":"prompt-justify external file uploads (Mac)","dg_alert.dg_policy.dg_category_name":".01 MAC Prod Global","dg_alert.dg_policy.dg_name":"__Mac All Agents","dg_alert.dg_rule_action_type":"Prompt"} 
diff --git a/packages/digital_guardian/data_stream/arc/_dev/test/pipeline/test-dg-arc.log-expected.json b/packages/digital_guardian/data_stream/arc/_dev/test/pipeline/test-dg-arc.log-expected.json index b76764939b1..6536490bdf1 100644 --- a/packages/digital_guardian/data_stream/arc/_dev/test/pipeline/test-dg-arc.log-expected.json +++ b/packages/digital_guardian/data_stream/arc/_dev/test/pipeline/test-dg-arc.log-expected.json @@ -90,7 +90,10 @@ "@timestamp": "2024-11-05T19:20:41.000Z", "digital_guardian": { "arc": { - "dg_attachments.dg_file_size": "1.8 MB", + "dg_attachments": { + "dg_file_size": "1.8 MB", + "dg_file_size_bytes": 1800000 + }, "dg_file_size": "10.4 KB", "dg_file_size_bytes": 10400, "dg_guid": "c742c377-b429-428a-b0c9-515cbbf143be", 
@@ -136,6 +139,40 @@ "user": { "name": "demo@dgdemo" } + }, + { + "digital_guardian": { + "arc": { + "dg_alert": { + "alert_al": "High", + "alert_at": "Prompt", + "alert_bc": "User Decision", + "alert_etl": "2025-01-22T14:09:02.000Z", + "alert_etu": "2025-01-22T19:09:02.000Z", + "alert_ur": "Photo for team activity", + "alert_wb": "No", + "dg_category_name": "0 _MacPRD:AllComputerPol", + "dg_detection_source": "Alert", + "dg_name": "prompt-justify external file uploads (Mac)", + "dg_policy": { + "dg_category_name": ".01 MAC Prod Global", + "dg_name": "__Mac All Agents" + }, + "dg_rule_action_type": "Prompt" + } + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "kind": "alert", + "original": "{\"dg_alert.alert_al\":\"High\",\"dg_alert.alert_at\":\"Prompt\",\"dg_alert.alert_bc\":\"User Decision\",\"dg_alert.alert_did\":\"-\",\"dg_alert.alert_etl\":\"2025-01-22 02:09:02 PM\",\"dg_alert.alert_etu\":\"2025-01-22 07:09:02 PM\",\"dg_alert.alert_ur\":\"Photo for team activity\",\"dg_alert.alert_wb\":\"No\",\"dg_alert.dg_category_name\":\"0 _MacPRD:AllComputerPol\",\"dg_alert.dg_detection_source\":\"Alert\",\"dg_alert.dg_name\":\"prompt-justify external file uploads (Mac)\",\"dg_alert.dg_policy.dg_category_name\":\".01 MAC Prod Global\",\"dg_alert.dg_policy.dg_name\":\"__Mac All Agents\",\"dg_alert.dg_rule_action_type\":\"Prompt\"}" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] } ] } diff --git a/packages/digital_guardian/data_stream/arc/elasticsearch/ingest_pipeline/default.yml b/packages/digital_guardian/data_stream/arc/elasticsearch/ingest_pipeline/default.yml index 2f62299e0cd..f8a65976765 100644 --- a/packages/digital_guardian/data_stream/arc/elasticsearch/ingest_pipeline/default.yml +++ b/packages/digital_guardian/data_stream/arc/elasticsearch/ingest_pipeline/default.yml 
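Review bot: The new expected document for the `dg_alert` record has no `@timestamp` and no `event.id`, so when only `dg_alert.*` fields are present the pipeline's timestamp selection (fed by `dg_time`/`inc_mtime` on the other fixtures) sets nothing and the indexed alert will carry the agent's collection time rather than the alert's own time. Since `alert_etu` appears to be the UTC member of the `alert_etl`/`alert_etu` pair in this fixture, consider falling back to `digital_guardian.arc.dg_alert.alert_etu` in the ingest pipeline's `@timestamp` selection and pinning it here with `"@timestamp": "2025-01-22T19:09:02.000Z"`. The timestamp selection step itself is in the pipeline, outside this file.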
@@ -31,7 +31,8 @@ processors: field: error.message value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - dot_expander: - field: digital_guardian.arc + field: "*" + path: digital_guardian.arc - script: description: Drops null/empty/na values recursively. tag: script_to_remove_na_values @@ -189,6 +190,24 @@ processors: - "yyyy-MM-dd HH:mm:ss" - "ISO8601" if: ctx.digital_guardian?.arc?.inc_mtime != null + - date: + field: digital_guardian.arc.dg_alert.alert_etl + tag: date_dg_alert_alert_etl + target_field: digital_guardian.arc.dg_alert.alert_etl + formats: + - "yyyy-MM-dd hh:mm:ss a" + - "yyyy-MM-dd HH:mm:ss" + - "ISO8601" + if: ctx.digital_guardian?.arc?.dg_alert?.alert_etl != null + - date: + field: digital_guardian.arc.dg_alert.alert_etu + tag: date_dg_alert_alert_etu + target_field: digital_guardian.arc.dg_alert.alert_etu + formats: + - "yyyy-MM-dd hh:mm:ss a" + - "yyyy-MM-dd HH:mm:ss" + - "ISO8601" + if: ctx.digital_guardian?.arc?.dg_alert?.alert_etu != null # Choose a @timestamp value for the event - set: diff --git a/packages/digital_guardian/data_stream/arc/fields/fields.yml b/packages/digital_guardian/data_stream/arc/fields/fields.yml index 8391b3eaf05..37ae2964d2e 100644 --- a/packages/digital_guardian/data_stream/arc/fields/fields.yml +++ b/packages/digital_guardian/data_stream/arc/fields/fields.yml 
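Review bot: The two new `date` processors parse `dg_alert.alert_etl` and `dg_alert.alert_etu` with no `timezone`, so both are read as UTC, yet in the fixture `alert_etl` sits exactly 5 hours behind `alert_etu`, the same offset `dg_local_timestamp` has from `dg_time`, which suggests `alert_etl` is a local wall-clock time that will now be stored shifted by the endpoint's offset. Either leave `alert_etl` unparsed, or give its processor a `timezone` sourced from a package variable and state in the field descriptions which of the pair is UTC. Neither processor has its own `on_failure`, so an unexpected format falls through to the pipeline-level handler visible at the top of this hunk, which records `error.message` but leaves the unparsed string in a field now mapped as `date`, and that document is then likely to be rejected at index time; consider per-processor `on_failure: [{remove: {field: digital_guardian.arc.dg_alert.alert_etl, ignore_missing: true}}, {append: {field: error.message, value: '{{{_ingest.on_failure_message}}}'}}]` (and the `alert_etu` equivalent). The `@timestamp` selection that follows is outside this hunk.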
@@ -1,18 +1,48 @@ - name: digital_guardian.arc type: group fields: + - name: dg_alert.alert_al + type: keyword + description: Alert AL + - name: dg_alert.alert_at + type: keyword + description: Alert AT + - name: dg_alert.alert_bc + type: keyword + description: Alert BC - name: dg_alert.alert_did type: keyword description: Alert DID + - name: dg_alert.alert_etl + type: keyword + description: Alert ETL + - name: dg_alert.alert_etu + type: date + description: Alert ETU + - name: dg_alert.alert_ur + type: date + description: Alert UR - name: dg_alert.alert_wb - type: integer + type: keyword description: Alert WB + - name: dg_alert.dg_detection_source + type: keyword + description: Alert Detection Source - name: dg_alert.dg_category_name type: keyword description: Alert Category Name + - name: dg_alert.dg_name + type: keyword + description: Alert Name + - name: dg_alert.dg_policy.dg_category_name + type: keyword + description: Alert Policy Category Name - name: dg_alert.dg_policy.dg_name type: keyword description: Alert Policy Name + - name: dg_alert.dg_rule_action_type + type: keyword + description: Alert Rule Action Type - name: dg_attachments.dg_file_size_bytes type: long description: File Size in Bytes diff --git a/packages/digital_guardian/docs/README.md b/packages/digital_guardian/docs/README.md index c2a687e3713..64d32830518 100644 --- a/packages/digital_guardian/docs/README.md +++ b/packages/digital_guardian/docs/README.md 
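Review bot: The descriptions added for the new `dg_alert.*` fields (`Alert AL`, `Alert AT`, `Alert BC`, `Alert ETL`, `Alert ETU`, `Alert UR`, `Alert WB`) only echo the vendor abbreviation and tell an analyst nothing about what the value means or how it relates to the others. The fixture shows `alert_al: High`, `alert_at: Prompt`, `alert_bc: User Decision`, `alert_ur: Photo for team activity` (free text that reads like a user-entered justification for a `Prompt` rule) and `alert_wb: No`, so at minimum the descriptions should say which are enumerations, which is free text, and which of `alert_etl`/`alert_etu` is local versus UTC, e.g. `description: Alert event time in UTC` for `alert_etu`; where the vendor schema documents the abbreviations, use its wording rather than guessing.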
@@ -157,10 +157,20 @@ An example event for `arc` looks as following: | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | +| digital_guardian.arc.dg_alert.alert_al | Alert AL | keyword | +| digital_guardian.arc.dg_alert.alert_at | Alert AT | keyword | +| digital_guardian.arc.dg_alert.alert_bc | Alert BC | keyword | | digital_guardian.arc.dg_alert.alert_did | Alert DID | keyword | -| digital_guardian.arc.dg_alert.alert_wb | Alert WB | integer | +| digital_guardian.arc.dg_alert.alert_etl | Alert ETL | keyword | +| digital_guardian.arc.dg_alert.alert_etu | Alert ETU | date | +| digital_guardian.arc.dg_alert.alert_ur | Alert UR | date | +| digital_guardian.arc.dg_alert.alert_wb | Alert WB | keyword | | digital_guardian.arc.dg_alert.dg_category_name | Alert Category Name | keyword | +| digital_guardian.arc.dg_alert.dg_detection_source | Alert Detection Source | keyword | +| digital_guardian.arc.dg_alert.dg_name | Alert Name | keyword | +| digital_guardian.arc.dg_alert.dg_policy.dg_category_name | Alert Policy Category Name | keyword | | digital_guardian.arc.dg_alert.dg_policy.dg_name | Alert Policy Name | keyword | +| digital_guardian.arc.dg_alert.dg_rule_action_type | Alert Rule Action Type | keyword | | digital_guardian.arc.dg_attachments.dg_file_size | File Size | keyword | | digital_guardian.arc.dg_attachments.dg_file_size_bytes | File Size in Bytes | long | | digital_guardian.arc.dg_comment | Comment | keyword | diff --git a/packages/digital_guardian/manifest.yml b/packages/digital_guardian/manifest.yml index 72aa911549e..9c92009229d 100644 --- a/packages/digital_guardian/manifest.yml +++ b/packages/digital_guardian/manifest.yml 
@@ -1,7 +1,7 @@ format_version: "3.0.3" name: digital_guardian title: Digital Guardian -version: "1.3.2" +version: "1.3.3" description: Collect logs from Digital Guardian with Elastic Agent. type: integration categories: From 3ffc25eaa488e836cab64c55c44e68b6de39b9e5 Mon Sep 17 00:00:00 2001 From: Dan Kortschak Date: Tue, 18 Feb 2025 14:32:33 +1030 Subject: [PATCH 2/4] digital_guardian: add export profile guid to documents --- packages/digital_guardian/changelog.yml | 5 +++++ .../data_stream/arc/agent/stream/cel.yml.hbs | 6 ++++-- .../data_stream/arc/fields/fields.yml | 3 +++ .../data_stream/arc/sample_event.json | 19 ++++++++++--------- packages/digital_guardian/docs/README.md | 18 ++++++++++-------- packages/digital_guardian/manifest.yml | 2 +- 6 files changed, 33 insertions(+), 20 deletions(-) diff --git a/packages/digital_guardian/changelog.yml b/packages/digital_guardian/changelog.yml index 28f0d867100..f0c3b06545d 100644 --- a/packages/digital_guardian/changelog.yml +++ b/packages/digital_guardian/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.4.0" + changes: + - description: Add export profile GUID to documents. + type: enhancement + link: https://github.com/elastic/integrations/pull/12818 - version: "1.3.3" changes: - description: Fix mapping type of `dg_alert.alert_wb`. diff --git a/packages/digital_guardian/data_stream/arc/agent/stream/cel.yml.hbs b/packages/digital_guardian/data_stream/arc/agent/stream/cel.yml.hbs index c1057dc7076..53eaa11c255 100644 --- a/packages/digital_guardian/data_stream/arc/agent/stream/cel.yml.hbs +++ b/packages/digital_guardian/data_stream/arc/agent/stream/cel.yml.hbs 
@@ -19,12 +19,14 @@ auth.oauth2: client.secret: {{client_secret}} token_url: {{auth_server_url}}/as/token.oauth2 scopes: {{scope}} +state: + export_profile: {{export_profile}} redact: fields: ~ program: | state.with( request("POST", - state.url + "/rest/1.0/export_profiles/{{export_profile}}/export_and_ack" + state.url.trim_right("/") + "/rest/1.0/export_profiles/" + state.export_profile + "/export_and_ack" ).with({ "Header":{ "Accept": ["application/json"], @@ -34,7 +36,7 @@ program: | (has(body.fields) && has(body.data) ? body.fields.map(e, e.name).as(field_names, { "events": body.data.map(d, zip(field_names, d).as(e, { - "message": e.encode_json(), + "message": e.with({"export_profile": state.export_profile}).encode_json(), })) }) : diff --git a/packages/digital_guardian/data_stream/arc/fields/fields.yml b/packages/digital_guardian/data_stream/arc/fields/fields.yml index 37ae2964d2e..3113e256b2c 100644 --- a/packages/digital_guardian/data_stream/arc/fields/fields.yml +++ b/packages/digital_guardian/data_stream/arc/fields/fields.yml @@ -103,6 +103,9 @@ - name: dg_utype type: keyword description: Operation Type + - name: export_profile + type: keyword + description: Export Profile GUID for the Event - name: inc_assign type: keyword description: Incident Assignee diff --git a/packages/digital_guardian/data_stream/arc/sample_event.json b/packages/digital_guardian/data_stream/arc/sample_event.json index 08433b75133..8e032afbd17 100644 --- a/packages/digital_guardian/data_stream/arc/sample_event.json +++ b/packages/digital_guardian/data_stream/arc/sample_event.json 
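Review bot: `state.export_profile` is concatenated into the request path unescaped at `state.url.trim_right("/") + "/rest/1.0/export_profiles/" + state.export_profile + "/export_and_ack"`, and the same operator-supplied value is dropped unquoted into YAML at `export_profile: {{export_profile}}`, so a value containing `/`, `?`, `#` or whitespace silently changes the endpoint or breaks the input config instead of failing clearly. The field is described as a GUID, but the system-test sample event in this same series uses `abc123`, so either relax the description or validate the shape in the program before building the URL (and quote the YAML value) so the failure mode is an explicit error. The `state.with(...)` expression this belongs to starts and ends outside the hunk.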
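Review bot: `e.with({"export_profile": state.export_profile})` overwrites any `export_profile` key the vendor record itself carries, so if the ARC export ever emits a field of that name the provenance tag would mask vendor data without warning; none of the visible fixtures has such a field, so this is a hedge rather than an observed clash. A name that cannot collide with the zipped vendor field names, or a `has(e.export_profile)` guard that preserves the vendor value under another key, would avoid it. This is inside the `state.with(...)` expression, which starts and ends outside the hunk.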
@@ -1,15 +1,15 @@ { - "@timestamp": "2023-05-23T06:56:39.000Z", + "@timestamp": "2025-02-18T04:00:28.647Z", "agent": { - "ephemeral_id": "bc19c27a-7a31-4b0c-b04b-b3be2ab95a02", - "id": "1edfb948-2ef5-4b96-8747-225d782bb6dd", - "name": "docker-fleet-agent", + "ephemeral_id": "3d727e8f-6944-41c1-a55a-dd22db00d883", + "id": "8ae590fa-6e28-49e6-9e43-f64705ab4e6b", + "name": "elastic-agent-15774", "type": "filebeat", "version": "8.13.0" }, "data_stream": { "dataset": "digital_guardian.arc", - "namespace": "19912", + "namespace": "94938", "type": "logs" }, "digital_guardian": { @@ -19,6 +19,7 @@ "dg_name": "test has attached a Salesforce data to an email", "dg_tenant": "279b59f3-02f3-44ea-a7c3-9bac2eb0224d", "dg_utype": "Incident", + "export_profile": "abc123", "inc_assign": "test@dgdemo", "inc_creator": "dg", "inc_id": "230523-WIQHA", @@ -31,7 +32,7 @@ "version": "8.11.0" }, "elastic_agent": { - "id": "1edfb948-2ef5-4b96-8747-225d782bb6dd", + "id": "8ae590fa-6e28-49e6-9e43-f64705ab4e6b", "snapshot": false, "version": "8.13.0" }, 
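Review bot: The regenerated sample event's `@timestamp` moved from `2023-05-23T06:56:39.000Z`, which matched the record's `inc_mtime`, to `2025-02-18T04:00:28.647Z`, a few seconds before the new `event.ingested`, while `inc_mtime` in `event.original` is unchanged; that looks like the event time is no longer derived from `inc_mtime` on this path and is worth confirming before release rather than accepting as a fixture refresh. If the behaviour is intended, the README example should say that `@timestamp` for incident records is the collection time. The `@timestamp` selection lives in the ingest pipeline, outside this file.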
@@ -40,9 +41,9 @@ "agent_id_status": "verified", "dataset": "digital_guardian.arc", "id": "1dc3c1fa-5474-4fc0-a7c3-74ff42d28e5e", - "ingested": "2024-07-30T15:23:06Z", + "ingested": "2025-02-18T04:00:31Z", "kind": "alert", - "original": "{\"dg_comment\":\"-\",\"dg_description\":\"This file outlook.exe was going to [demo.digitalg@gmail.com]\",\"dg_guid\":\"1dc3c1fa-5474-4fc0-a7c3-74ff42d28e5e\",\"dg_name\":\"test has attached a Salesforce data to an email\",\"dg_tenant\":\"279b59f3-02f3-44ea-a7c3-9bac2eb0224d\",\"dg_utype\":\"Incident\",\"inc_assign\":\"test@dgdemo\",\"inc_creator\":\"dg\",\"inc_id\":\"230523-WIQHA\",\"inc_mtime\":\"2023-05-23 06:56:39\",\"inc_sev\":\"Critical\",\"inc_state\":\"Created\"}", + "original": "{\"dg_comment\":\"-\",\"dg_description\":\"This file outlook.exe was going to [demo.digitalg@gmail.com]\",\"dg_guid\":\"1dc3c1fa-5474-4fc0-a7c3-74ff42d28e5e\",\"dg_name\":\"test has attached a Salesforce data to an email\",\"dg_tenant\":\"279b59f3-02f3-44ea-a7c3-9bac2eb0224d\",\"dg_utype\":\"Incident\",\"export_profile\":\"abc123\",\"inc_assign\":\"test@dgdemo\",\"inc_creator\":\"dg\",\"inc_id\":\"230523-WIQHA\",\"inc_mtime\":\"2023-05-23 06:56:39\",\"inc_sev\":\"Critical\",\"inc_state\":\"Created\"}", "severity": 1 }, "input": { @@ -66,4 +67,4 @@ "user": { "name": "dg" } -} \ No newline at end of file +} diff --git a/packages/digital_guardian/docs/README.md b/packages/digital_guardian/docs/README.md index 64d32830518..61e42b7cdeb 100644 --- a/packages/digital_guardian/docs/README.md +++ b/packages/digital_guardian/docs/README.md 
@@ -79,17 +79,17 @@ An example event for `arc` looks as following: ```json { - "@timestamp": "2023-05-23T06:56:39.000Z", + "@timestamp": "2025-02-18T04:00:28.647Z", "agent": { - "ephemeral_id": "bc19c27a-7a31-4b0c-b04b-b3be2ab95a02", - "id": "1edfb948-2ef5-4b96-8747-225d782bb6dd", - "name": "docker-fleet-agent", + "ephemeral_id": "3d727e8f-6944-41c1-a55a-dd22db00d883", + "id": "8ae590fa-6e28-49e6-9e43-f64705ab4e6b", + "name": "elastic-agent-15774", "type": "filebeat", "version": "8.13.0" }, "data_stream": { "dataset": "digital_guardian.arc", - "namespace": "19912", + "namespace": "94938", "type": "logs" }, "digital_guardian": { @@ -99,6 +99,7 @@ An example event for `arc` looks as following: "dg_name": "test has attached a Salesforce data to an email", "dg_tenant": "279b59f3-02f3-44ea-a7c3-9bac2eb0224d", "dg_utype": "Incident", + "export_profile": "abc123", "inc_assign": "test@dgdemo", "inc_creator": "dg", "inc_id": "230523-WIQHA", @@ -111,7 +112,7 @@ An example event for `arc` looks as following: "version": "8.11.0" }, "elastic_agent": { - "id": "1edfb948-2ef5-4b96-8747-225d782bb6dd", + "id": "8ae590fa-6e28-49e6-9e43-f64705ab4e6b", "snapshot": false, "version": "8.13.0" }, 
@@ -120,9 +121,9 @@ An example event for `arc` looks as following: "agent_id_status": "verified", "dataset": "digital_guardian.arc", "id": "1dc3c1fa-5474-4fc0-a7c3-74ff42d28e5e", - "ingested": "2024-07-30T15:23:06Z", + "ingested": "2025-02-18T04:00:31Z", "kind": "alert", - "original": "{\"dg_comment\":\"-\",\"dg_description\":\"This file outlook.exe was going to [demo.digitalg@gmail.com]\",\"dg_guid\":\"1dc3c1fa-5474-4fc0-a7c3-74ff42d28e5e\",\"dg_name\":\"test has attached a Salesforce data to an email\",\"dg_tenant\":\"279b59f3-02f3-44ea-a7c3-9bac2eb0224d\",\"dg_utype\":\"Incident\",\"inc_assign\":\"test@dgdemo\",\"inc_creator\":\"dg\",\"inc_id\":\"230523-WIQHA\",\"inc_mtime\":\"2023-05-23 06:56:39\",\"inc_sev\":\"Critical\",\"inc_state\":\"Created\"}", + "original": "{\"dg_comment\":\"-\",\"dg_description\":\"This file outlook.exe was going to [demo.digitalg@gmail.com]\",\"dg_guid\":\"1dc3c1fa-5474-4fc0-a7c3-74ff42d28e5e\",\"dg_name\":\"test has attached a Salesforce data to an email\",\"dg_tenant\":\"279b59f3-02f3-44ea-a7c3-9bac2eb0224d\",\"dg_utype\":\"Incident\",\"export_profile\":\"abc123\",\"inc_assign\":\"test@dgdemo\",\"inc_creator\":\"dg\",\"inc_id\":\"230523-WIQHA\",\"inc_mtime\":\"2023-05-23 06:56:39\",\"inc_sev\":\"Critical\",\"inc_state\":\"Created\"}", "severity": 1 }, "input": { @@ -191,6 +192,7 @@ An example event for `arc` looks as following: | digital_guardian.arc.dg_tenant | Tenant ID | keyword | | digital_guardian.arc.dg_time | Event Time | date | | digital_guardian.arc.dg_utype | Operation Type | keyword | +| digital_guardian.arc.export_profile | Export Profile GUID for the Event | keyword | | digital_guardian.arc.inc_assign | Incident Assignee | keyword | | digital_guardian.arc.inc_creator | Incident Creator | keyword | | digital_guardian.arc.inc_id | Incident ID | keyword | diff --git a/packages/digital_guardian/manifest.yml b/packages/digital_guardian/manifest.yml index 9c92009229d..ea4ba69d06c 100644 
--- a/packages/digital_guardian/manifest.yml +++ b/packages/digital_guardian/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.3" name: digital_guardian title: Digital Guardian -version: "1.3.3" +version: "1.4.0" description: Collect logs from Digital Guardian with Elastic Agent. type: integration categories: From 380dc1cb180bdecc84b14fae138dc40d43d319c1 Mon Sep 17 00:00:00 2001 From: Dan Kortschak Date: Wed, 19 Feb 2025 08:14:58 +1030 Subject: [PATCH 3/4] remove redundant and unreachable version declaration --- packages/digital_guardian/changelog.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/packages/digital_guardian/changelog.yml b/packages/digital_guardian/changelog.yml index f0c3b06545d..df9987afeb2 100644 --- a/packages/digital_guardian/changelog.yml +++ b/packages/digital_guardian/changelog.yml @@ -4,8 +4,6 @@ - description: Add export profile GUID to documents. type: enhancement link: https://github.com/elastic/integrations/pull/12818 -- version: "1.3.3" - changes: - description: Fix mapping type of `dg_alert.alert_wb`. type: bugfix link: https://github.com/elastic/integrations/pull/12818 From ab8fb25d5fd2d29d6cd92b81b29d003e5ae7eedb Mon Sep 17 00:00:00 2001 From: Dan Kortschak Date: Thu, 20 Feb 2025 07:47:02 +1030 Subject: [PATCH 4/4] address pr comment --- packages/digital_guardian/data_stream/arc/fields/fields.yml | 4 ++-- packages/digital_guardian/docs/README.md | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/packages/digital_guardian/data_stream/arc/fields/fields.yml b/packages/digital_guardian/data_stream/arc/fields/fields.yml index 3113e256b2c..219840679fe 100644 --- a/packages/digital_guardian/data_stream/arc/fields/fields.yml +++ b/packages/digital_guardian/data_stream/arc/fields/fields.yml 
@@ -14,13 +14,13 @@ type: keyword description: Alert DID - name: dg_alert.alert_etl - type: keyword + type: date description: Alert ETL - name: dg_alert.alert_etu type: date description: Alert ETU - name: dg_alert.alert_ur - type: date + type: keyword description: Alert UR - name: dg_alert.alert_wb type: keyword diff --git a/packages/digital_guardian/docs/README.md b/packages/digital_guardian/docs/README.md index 61e42b7cdeb..fdbfc254961 100644 --- a/packages/digital_guardian/docs/README.md +++ b/packages/digital_guardian/docs/README.md @@ -162,9 +162,9 @@ An example event for `arc` looks as following: | digital_guardian.arc.dg_alert.alert_at | Alert AT | keyword | | digital_guardian.arc.dg_alert.alert_bc | Alert BC | keyword | | digital_guardian.arc.dg_alert.alert_did | Alert DID | keyword | -| digital_guardian.arc.dg_alert.alert_etl | Alert ETL | keyword | +| digital_guardian.arc.dg_alert.alert_etl | Alert ETL | date | | digital_guardian.arc.dg_alert.alert_etu | Alert ETU | date | -| digital_guardian.arc.dg_alert.alert_ur | Alert UR | date | +| digital_guardian.arc.dg_alert.alert_ur | Alert UR | keyword | | digital_guardian.arc.dg_alert.alert_wb | Alert WB | keyword | | digital_guardian.arc.dg_alert.dg_category_name | Alert Category Name | keyword | | digital_guardian.arc.dg_alert.dg_detection_source | Alert Detection Source | keyword |