[aws] Bump package-spec version to 3.3.1 #11893

Open: wants to merge 5 commits into base: main
@@ -15,6 +15,11 @@ processors:
target_field: event.original
ignore_missing: true
if: 'ctx.event?.original == null'
- remove:
field: message
ignore_missing: true
if: 'ctx.event?.original != null'
description: 'The `message` field is no longer required if the document has an `event.original` field.'
Comment on lines +18 to +22
Contributor

The logic of the rename processor above and the added remove processor is not straightforward to read. It looks like they may influence each other (but they don't):

Rename message to event.original (if we only have message).
Remove message (if we have both message and event.original, which is only true if both were present in the pipeline input).

I think it's slightly better if the remove is before the rename:

Remove message (if we have both message and event.original)
Rename message to event.original (if we only have message)

- json:
field: event.original
target_field: json
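To make the ordering question in the comment above concrete, here is an added example (not code from the PR or from the aws package) that models the only ingest-processor behaviour the hunk relies on: a `rename` and a `remove`, each with `ignore_missing: true` and an `if` condition. The Painless conditions `ctx.event?.original == null` / `!= null` are modelled as Python callables, and the three sample documents are constructed to cover every input shape (only `message`, only `event.original`, both). Running both orderings shows they produce identical output, and that when both fields are present the `message` value is discarded without being compared to `event.original`.

```python
"""Simulate the two processor orderings discussed in the review thread.

Added example, not part of the PR. Only the subset of Elasticsearch ingest
semantics used by the hunk is modelled: `rename` and `remove` processors with
`ignore_missing: true` and an `if` condition.
"""
import copy


def has_event_original(doc):
    """Python equivalent of the Painless condition `ctx.event?.original != null`."""
    event = doc.get("event")
    return isinstance(event, dict) and event.get("original") is not None


def rename_processor(doc, field, target_field, condition, ignore_missing=True):
    """Move `field` to the dotted `target_field` when `condition(doc)` holds."""
    if not condition(doc):
        return doc
    if field not in doc:
        if ignore_missing:
            return doc
        raise KeyError(field)
    value = doc.pop(field)
    parts = target_field.split(".")
    cur = doc
    for part in parts[:-1]:
        cur = cur.setdefault(part, {})
    cur[parts[-1]] = value
    return doc


def remove_processor(doc, field, condition, ignore_missing=True):
    """Drop `field` when `condition(doc)` holds; tolerate absence if ignore_missing."""
    if not condition(doc):
        return doc
    if field not in doc and not ignore_missing:
        raise KeyError(field)
    doc.pop(field, None)
    return doc


def pipeline_rename_then_remove(doc):
    """Ordering as written in the hunk: rename first, then the new remove."""
    doc = copy.deepcopy(doc)
    doc = rename_processor(doc, "message", "event.original",
                           lambda d: not has_event_original(d))
    doc = remove_processor(doc, "message", has_event_original)
    return doc


def pipeline_remove_then_rename(doc):
    """Ordering proposed in the review comment: remove first, then rename."""
    doc = copy.deepcopy(doc)
    doc = remove_processor(doc, "message", has_event_original)
    doc = rename_processor(doc, "message", "event.original",
                           lambda d: not has_event_original(d))
    return doc


# Constructed sample inputs covering the three possible shapes of the input.
SAMPLE_DOCS = {
    "message_only": {"message": '{"action":"BLOCK"}'},
    "original_only": {"event": {"original": '{"action":"ALLOW"}'}},
    "both": {"message": "stale copy", "event": {"original": '{"action":"COUNT"}'}},
}


def compare_orderings(docs=SAMPLE_DOCS):
    """Return {name: (rename_first_result, remove_first_result, identical?)}."""
    out = {}
    for name, doc in docs.items():
        a = pipeline_rename_then_remove(doc)
        b = pipeline_remove_then_rename(doc)
        out[name] = (a, b, a == b)
    return out


if __name__ == "__main__":
    for name, (a, b, same) in compare_orderings().items():
        print(f"{name}: rename-first={a} remove-first={b} identical={same}")
```

The `both` case is the one to keep in mind: whichever order is chosen, `message` is dropped purely because `event.original` exists, so if a producer ever sends the two fields with different content, the `message` content is lost silently.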
@@ -15,6 +15,11 @@ processors:
target_field: event.original
ignore_missing: true
if: 'ctx.event?.original == null'
- remove:
field: message
ignore_missing: true
if: 'ctx.event?.original != null'
description: 'The `message` field is no longer required if the document has an `event.original` field.'
- json:
field: event.original
target_field: json
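Review bot: this is the same five-line `remove` block as in the preceding pipeline, and two more copies follow, so whatever ordering the thread above settles on (remove before rename, or rename before remove) needs to be applied to all four pipelines, not only the one with the comment. One behavioural point applies to every copy: when the input already carries both `message` and `event.original`, `message` is dropped solely because `event.original != null`, without any check that the two hold the same content; if that is the intent, the `description` should say so explicitly ("`message` is discarded in favour of `event.original`") rather than "no longer required".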
@@ -22,6 +22,11 @@ processors:
target_field: event.original
ignore_missing: true
if: 'ctx.event?.original == null'
- remove:
field: message
ignore_missing: true
if: 'ctx.event?.original != null'
description: 'The `message` field is no longer required if the document has an `event.original` field.'
- json:
field: event.original
target_field: json
@@ -15,6 +15,11 @@ processors:
target_field: event.original
ignore_missing: true
if: 'ctx.event?.original == null'
- remove:
field: message
ignore_missing: true
if: 'ctx.event?.original != null'
description: 'The `message` field is no longer required if the document has an `event.original` field.'
- json:
field: event.original
target_field: json
@@ -430,4 +430,4 @@
]
}
]
}
}
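Review bot: the only difference in this hunk is the final `}` line being removed and added back, which is what a change to the trailing newline at end of file looks like; it is harmless, but if it comes from an editor setting rather than an intentional fix, drop it so the diff stays focused on the pipeline and field changes.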
49 changes: 49 additions & 0 deletions packages/aws/data_stream/waf/fields/fields.yml
@@ -13,6 +13,48 @@
type: nested
description: |
The list of non-terminating rules in the rule group that match the request. These are always COUNT rules (non-terminating rules that match)
fields:
- name: action
type: keyword
- name: ruleId
type: keyword
- name: ruleMatchDetails
type: nested
fields:
- name: conditionType
type: keyword
- name: location
type: keyword
- name: matchedData
type: keyword
- name: rule_group_list
type: nested
fields:
- name: nonTerminatingMatchingRules
type: nested
fields:
- name: action
type: keyword
- name: ruleId
type: keyword
- name: ruleMatchDetails
type: nested
fields:
- name: conditionType
type: keyword
- name: location
type: keyword
- name: matchedData
type: keyword
- name: ruleGroupId
type: keyword
- name: terminatingRule
type: group
fields:
- name: action
type: keyword
- name: ruleId
type: keyword
- name: rate_based_rule_list
type: nested
description: |
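Review bot: none of the newly added leaf fields (`action`, `ruleId`, `ruleMatchDetails.conditionType`, `ruleMatchDetails.location`, `ruleMatchDetails.matchedData`, `ruleGroupId`, `terminatingRule.action`, `terminatingRule.ruleId`) carries a `description:`, and since the docs table in `packages/aws/docs/waf.md` is generated from this file, the empty cells flagged in the docs review originate here; a one-line description per field is enough. Two style points: the new names keep AWS's camelCase (`ruleId`, `ruleMatchDetails`, `nonTerminatingMatchingRules`) while the existing siblings use snake_case (`rule_group_list`, `rate_based_rule_list`, `non_terminating_matching_rules`), so either pick one convention or note in the description that the log's original keys are preserved on purpose; and `terminatingRule` is `type: group` whereas the sibling lists under `rule_group_list` are `type: nested`, which is fine for a single object but deserves a comment so the next reader does not "fix" it.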
@@ -37,3 +79,10 @@
type: nested
description: |
Detailed information about the terminating rule that matched the request. A terminating rule has an action that ends the inspection process against a web request. Possible actions for a terminating rule are ALLOW and BLOCK. This is only populated for SQL injection and cross-site scripting (XSS) match rule statements. As with all rule statements that inspect for more than one thing, AWS WAF applies the action on the first match and stops inspecting the web request. A web request with a terminating action could contain other threats, in addition to the one reported in the log.
fields:
- name: conditionType
type: keyword
- name: location
type: keyword
- name: matchedData
type: keyword
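Review bot: `conditionType`, `location` and `matchedData` are added without descriptions although the parent `terminating_rule_match_details` has a detailed one; the AWS logging-fields page linked in the docs review defines all three, so a short description each would close the gap. Worth stating in the `matchedData` description that it holds the fragment of the request that triggered the SQLi/XSS match, i.e. client-supplied content, since that is exactly what an analyst will pivot on and what should be rendered, not evaluated, in any dashboard that displays it.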
18 changes: 16 additions & 2 deletions packages/aws/docs/waf.md
@@ -77,13 +77,27 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur
| aws.s3.object.key | The AWS S3 Object key. | keyword |
| aws.waf.arn | AWS ARN of ACL | keyword |
| aws.waf.id | ID of ACL | keyword |
| aws.waf.non_terminating_matching_rules | The list of non-terminating rules in the rule group that match the request. These are always COUNT rules (non-terminating rules that match) | nested |
| aws.waf.non_terminating_matching_rules.action | | keyword |
Contributor

Since it is public documentation, we shouldn't leave those fields without a description:
https://docs.aws.amazon.com/waf/latest/developerguide/logging-fields.html

Wondering if it is maybe better to split the version bump and WAF PRs.

| aws.waf.non_terminating_matching_rules.ruleId | | keyword |
| aws.waf.non_terminating_matching_rules.ruleMatchDetails.conditionType | | keyword |
| aws.waf.non_terminating_matching_rules.ruleMatchDetails.location | | keyword |
| aws.waf.non_terminating_matching_rules.ruleMatchDetails.matchedData | | keyword |
| aws.waf.rate_based_rule_list | The list of rate-based rules that acted on the request. | nested |
| aws.waf.request.headers | List of request headers | flattened |
| aws.waf.rule_group_list | The list of rule groups that acted on this request. | nested |
| aws.waf.rule_group_list.nonTerminatingMatchingRules.action | | keyword |
| aws.waf.rule_group_list.nonTerminatingMatchingRules.ruleId | | keyword |
| aws.waf.rule_group_list.nonTerminatingMatchingRules.ruleMatchDetails.conditionType | | keyword |
| aws.waf.rule_group_list.nonTerminatingMatchingRules.ruleMatchDetails.location | | keyword |
| aws.waf.rule_group_list.nonTerminatingMatchingRules.ruleMatchDetails.matchedData | | keyword |
| aws.waf.rule_group_list.ruleGroupId | | keyword |
| aws.waf.rule_group_list.terminatingRule.action | | keyword |
| aws.waf.rule_group_list.terminatingRule.ruleId | | keyword |
| aws.waf.source.id | The source ID. This field shows the ID of the associated resource. | keyword |
| aws.waf.source.name | The source of the request. Possible values: CF for Amazon CloudFront, APIGW for Amazon API Gateway, ALB for Application Load Balancer, and APPSYNC for AWS AppSync. | keyword |
| aws.waf.terminating_rule_match_details | Detailed information about the terminating rule that matched the request. A terminating rule has an action that ends the inspection process against a web request. Possible actions for a terminating rule are ALLOW and BLOCK. This is only populated for SQL injection and cross-site scripting (XSS) match rule statements. As with all rule statements that inspect for more than one thing, AWS WAF applies the action on the first match and stops inspecting the web request. A web request with a terminating action could contain other threats, in addition to the one reported in the log. | nested |
| aws.waf.terminating_rule_match_details.conditionType | | keyword |
| aws.waf.terminating_rule_match_details.location | | keyword |
| aws.waf.terminating_rule_match_details.matchedData | | keyword |
| cloud.image.id | Image ID for the cloud instance. | keyword |
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
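Review bot: the empty description cells from `aws.waf.non_terminating_matching_rules.action` down to `aws.waf.terminating_rule_match_details.matchedData` should not be filled in here: this table is generated from `packages/aws/data_stream/waf/fields/fields.yml` by the package build, so hand edits to `waf.md` are overwritten on the next regeneration. Add the `description:` entries in `fields.yml` and regenerate the docs, which also keeps the table and the mapping in sync.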
2 changes: 1 addition & 1 deletion packages/aws/manifest.yml
@@ -1,4 +1,4 @@
format_version: 3.0.0
format_version: 3.3.1
name: aws
title: AWS
version: 2.36.2
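Review bot: `format_version` moves from 3.0.0 to 3.3.1 while the unchanged context still shows `version: 2.36.2`; a change that touches the spec version, four ingest pipelines and the WAF field mappings needs a package version bump and a matching changelog entry, otherwise the new fields and the `remove` processor will not be released with the package. This also supports the suggestion in the docs review to split the spec bump from the WAF field work, so each can carry its own changelog line.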