[AWS VPC Flow] Add support for v6, v7 and v8 vpcflow logs #15077

moxarth-rathod merged 5 commits into elastic:main from
Conversation

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)
| field: aws.vpcflow.packets_lost_ttl_expired | ||
| - set: | ||
| field: orchestrator.cluster.id | ||
| copy_from: aws.vpcflow.cs_cluster_arn |
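Review bot: `copy_from: aws.vpcflow.cs_cluster_arn` in the `set` for `orchestrator.cluster.id` looks like a typo for `aws.vpcflow.ecs_cluster_arn`. Because the source field as written never exists, the `set` processor will fail every document that reaches it (or, with `ignore_empty_value: true`, silently never populate `orchestrator.cluster.id`). Suggest `copy_from: aws.vpcflow.ecs_cluster_arn`.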
s/\.cs_cluster_arn/.ecs_cluster_arn/g
| * The default pattern of 14 version 2 fields | ||
| * A custom pattern including all 29 fields, version 2 though 5: | ||
| * A custom pattern including all 39 fields, version 2 though 7: |
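Review bot: "version 2 though 5" and "version 2 though 7" in the two custom-pattern bullets read as typos for "through". Also, if the v8 `reject-reason` field is added to the custom pattern, the field count (39) and the version range ("2 through 7") in the last bullet both need updating, otherwise the documented pattern will not match records that include the v8 field.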
There is one v8 field, reject-reason. Should we add support for that now too?
https://docs.aws.amazon.com/vpc/latest/userguide/flow-log-records.html#flow-logs-fields
We also need to document support for the default transit gateway vpc flow format covering v2-6.
> There is one v8 field, reject-reason. Should we add support for that now too?

Yes, I've added support for the v8 field.
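As an added worked example (not code from this PR or from the Elastic integration), the following parser shows what "custom pattern" support means in practice: a VPC Flow log-format string is a sequence of space-separated `${field}` tokens, each record is a space-separated line with the same number of tokens, and `-` marks a field that is not available for that record (for instance on a `NODATA` record). It also mirrors the `set`/`copy_from` step from the pipeline hunk above by copying `ecs_cluster_arn` into `orchestrator.cluster.id`. The `aws.vpcflow.*` key naming (hyphens turned into underscores) is an assumption about the pipeline's conventions, and all sample records are constructed, not real traffic; the `reject-reason` value `BPA` is illustrative.

```python
"""Parse AWS VPC Flow Log records against a log-format string.

Added example, not the integration's own pipeline code. Field names are the
AWS log-format tokens; output keys use aws.vpcflow.<name> with hyphens turned
into underscores (assumed naming). Sample data below is constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# AWS default (version 2) layout: the 14 fields the docs hunk above refers to.
DEFAULT_V2_FORMAT = (
    "${version} ${account-id} ${interface-id} ${srcaddr} ${dstaddr} "
    "${srcport} ${dstport} ${protocol} ${packets} ${bytes} ${start} ${end} "
    "${action} ${log-status}"
)

# Constructed custom format mixing the ECS cluster ARN field with the
# v8 reject-reason field discussed in this thread.
CUSTOM_V8_FORMAT = (
    "${version} ${account-id} ${srcaddr} ${dstaddr} ${action} ${log-status} "
    "${ecs-cluster-arn} ${reject-reason}"
)

# Constructed sample records (not real traffic).
SAMPLE_V2 = (
    "2 111122223333 eni-0123456789abcdef0 10.0.1.5 10.0.2.9 "
    "44321 22 6 20 4249 1700000000 1700000060 ACCEPT OK"
)
SAMPLE_V8_LINES = [
    # normal record: reject-reason value is illustrative
    "8 111122223333 10.0.1.5 203.0.113.7 REJECT OK "
    "arn:aws:ecs:us-east-1:111122223333:cluster/prod BPA",
    # NODATA record: most fields are '-' (not available)
    "8 111122223333 - - - NODATA - -",
    # malformed: too few tokens for the configured pattern
    "8 111122223333 10.0.1.5 203.0.113.7 ACCEPT OK",
]

# Default-format fields that are numeric; everything else stays a string.
INT_FIELDS = {"version", "srcport", "dstport", "protocol",
              "packets", "bytes", "start", "end"}

_TOKEN = re.compile(r"^\$\{([a-z0-9-]+)\}$")


def parse_format(log_format: str) -> List[str]:
    """Turn a log-format string into the ordered list of field names."""
    names = []
    for tok in log_format.split():
        m = _TOKEN.match(tok)
        if not m:
            raise ValueError(f"not a ${{field}} token: {tok!r}")
        names.append(m.group(1))
    return names


def parse_record(line: str, fields: List[str]) -> Dict[str, Optional[object]]:
    """Parse one record; a token-count mismatch is an error, not a guess."""
    tokens = line.split()
    if len(tokens) != len(fields):
        raise ValueError(f"expected {len(fields)} fields, got {len(tokens)}")
    rec: Dict[str, Optional[object]] = {}
    for name, tok in zip(fields, tokens):
        key = "aws.vpcflow." + name.replace("-", "_")
        if tok == "-":
            rec[key] = None            # field not available for this record
        elif name in INT_FIELDS:
            rec[key] = int(tok)
        else:
            rec[key] = tok
    return rec


def enrich(rec: Dict[str, Optional[object]]) -> Dict[str, Optional[object]]:
    """Mirror the pipeline's set/copy_from: ECS cluster ARN -> orchestrator.cluster.id."""
    arn = rec.get("aws.vpcflow.ecs_cluster_arn")
    if arn is not None:
        rec["orchestrator.cluster.id"] = arn
    return rec


def parse_many(lines: List[str], log_format: str) -> Tuple[List[Dict], List[str]]:
    """Parse a batch, collecting malformed lines instead of dropping the batch."""
    fields = parse_format(log_format)
    records, errors = [], []
    for line in lines:
        try:
            records.append(enrich(parse_record(line, fields)))
        except ValueError as exc:
            errors.append(f"{exc}: {line!r}")
    return records, errors


if __name__ == "__main__":
    print(enrich(parse_record(SAMPLE_V2, parse_format(DEFAULT_V2_FORMAT))))
    recs, errs = parse_many(SAMPLE_V8_LINES, CUSTOM_V8_FORMAT)
    print(len(recs), "records,", len(errs), "errors")
```

The token-count check is the part worth keeping in mind when the documented patterns change from 29 to 39 (or more) fields: a record produced with a newer pattern than the one configured on the parser is rejected outright rather than being silently mapped onto the wrong field names.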
packages/aws/data_stream/vpcflow/elasticsearch/ingest_pipeline/default.yml
Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co>
packages/aws/changelog.yml
| - version: "3.15.0" | ||
| changes: | ||
| - description: Add support for v6 and v7 vpcflow logs. | ||
| - description: Add support for v6, v7 and v8 vpcflow logs. |
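Review bot: make sure the new 3.15.0 entry is inserted above the existing entries rather than replacing them; the #15230 commit message further down this page notes it had to "Re-add 3.14.2 changelog entry as it is overwritten in VPC Flow PR", so the 3.14.2 entry appears to have been dropped by this change.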
| - description: Add support for v6, v7 and v8 vpcflow logs. | |
| - description: Add support for v6, v7, and v8 vpcflow logs. |
I think the Oxford actually breaks the semantics here; it goes from ((v6 v7 v8) × vpcflow-logs) to ((v6 v7) (v8 vpcflow-logs)).
I don't think the semantics are changed by the addition of the comma. Both sentences are ((v6, v7, v8) × vpcflow-logs). The comma is only clarifying where one list item ends and the next begins, not which items are affected by the "vpcflow logs" modifier.
I think this one sounds more natural, and has the same intention ((VPC-Flow-logs × (versions-6, versions-7, versions-8))). Is there any issue with this wording?
Add support for VPC Flow logs versions 6, 7, and 8.
> Add support for VPC Flow logs versions 6, 7, and 8.
@andrewkroh @efd6 should I update the description to this?
The latter is unambiguous. I'm happy with that.
💚 Build Succeeded
Package aws - 3.15.0 containing this change is available at https://epr.elastic.co/package/aws/3.15.0/
…R) workflow (#15230)

aws: Add transforms to Config and Inspector data streams for extended protections (CDR) workflow.

- Add latest transform to Config and Inspector data streams to help with Cloud Native Vulnerability Management (CNVM)[1] and Cloud Security Posture Management (CSPM)[2] workflows.
- Add ILM policy to AWS Config as it does full sync every interval.
- Update minimum kibana version to "^8.19.0 || ^9.1.0" to ensure necessary permissions for transform[3].
- Re-add 3.14.2 changelog entry as it is overwritten in VPC Flow PR[4].
- Skip system tests for securityhub* data streams to avoid fleet health degradation due to empty template values by httpjson. This is fixed in 8.19.4 and 9.1.4 by beats#45810[5] and beats#46332[6]. This skip can be removed when the stack version is upgraded to ones containing the fix.

[1] https://www.elastic.co/guide/en/security/current/vuln-management-overview.html
[2] https://www.elastic.co/docs/solutions/security/cloud/cloud-security-posture-management
[3] elastic/elasticsearch#128350
[4] #15077
[5] elastic/beats#45810
[6] elastic/beats#46332
/test benchmark fullreport