[Rule Tuning] Migrate Phase 1 vendor fields to ECS and trim non-ecs schema #6328
Mikaayenson wants to merge 3 commits into
…chema Remove ECS duplicate entries from non-ecs-schema.json, add a guard test, and update rule queries to use ECS fields where integrations dual-write. Resolves #1776
Enhancement - Guidelines
These guidelines serve as a reminder set of considerations when addressing adding a new schema feature to the code.
- Documentation and Context
- Code Standards and Practices
- Testing
- Additional Schema Related Checks
⛔️ Test failed
Note: Scope is rules/ and rules_building_block/ only.
⛔️ Test failed
Drop unrelated JumpCloud exclusion that referenced process.Ext fields outside the endpoint file schema. Apply ruff format to TestNonEcsSchema.
⛔️ Test failed
| event.code == "0100044547" and | ||
| fortinet.firewall.cfgpath == "firewall.policy" and | ||
| fortinet.firewall.action in ("Add", "Edit") and | ||
| event.action in ("Add", "Edit") and |
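Review bot: Replacing `fortinet.firewall.action in ("Add", "Edit")` with `event.action in ("Add", "Edit")` only keeps the rule's coverage if the Fortinet integration pipeline actually copies the vendor action value into event.action; if event.action is populated from some other field, the rule stops matching configuration changes with no test failure to show it. Suggest confirming the pipeline mapping for event.action before dropping the vendor field, or matching on both fields during the transition so the detection does not regress.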
I think this change will not work without updating integrations to support it.
It looks like the event pipeline consumes fortinet.firewall.action only to derive
event.outcome / event.type, not event.action:
- event.yml: full pipeline (no event.action mapping)
- event.yml#L3-L17: processors: block + first fortinet.firewall.action usage (event.outcome)
After routing, the main pipeline sets event.action from
fortinet.firewall.event.type (only when still null). For config events that means
event.action becomes the event.type value, and Add/Edit/download are never copied:
Issue link(s):
Resolves #1776

Summary - What I changed
- Removed ECS duplicate fields from non-ecs-schema.json and added a guard test to catch future duplicates.
- Updated rules in rules/ and rules_building_block/ to use ECS field names where integrations already dual-write the data (Azure, Okta, Kubernetes, winlog, Fortinet, GitHub, and related sources).
- Did not migrate aws.cloudtrail.user_identity.arn to user.entity.id because stack validation failed on filebeat-*.

How To Test

Checklist
- Labels: schema, Rule: Tuning
- meta:rapid-merge label if planning to merge within 24 hours
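As an added illustration of the guard test this PR describes (not the project's own TestNonEcsSchema): a check that flags and strips any entry in a non-ECS schema file that shadows an ECS field. The file layout (index pattern mapped to a field-to-type map) and the ECS field list are assumptions, embedded here as constructed data.

```python
"""Guard check: no entry in the non-ECS schema may duplicate an ECS field name."""
import json

# Constructed stand-in for the ECS flat field list (assumption: names only).
ECS_FIELDS = {
    "event.action", "event.code", "event.outcome", "event.type",
    "user.name", "source.ip", "process.name",
}

# Constructed stand-in for non-ecs-schema.json (assumed layout):
# index pattern -> {field name: type}.
NON_ECS_SCHEMA_JSON = json.dumps({
    "logs-fortinet_fortigate.log-*": {
        "fortinet.firewall.action": "keyword",
        "fortinet.firewall.cfgpath": "keyword",
        "event.action": "keyword",   # duplicates ECS, should be flagged
    },
    "logs-okta.system-*": {
        "okta.event_type": "keyword",
        "user.name": "keyword",      # duplicates ECS, should be flagged
    },
})


def find_ecs_duplicates(schema_json: str, ecs_fields: set[str]) -> dict[str, list[str]]:
    """Return {index_pattern: [fields]} for entries whose name is an ECS field.

    Whole-name match only: a vendor field such as fortinet.firewall.action is
    not a duplicate of event.action even though it carries the same data.
    """
    dupes = {}
    for pattern, fields in json.loads(schema_json).items():
        hits = sorted(f for f in fields if f in ecs_fields)
        if hits:
            dupes[pattern] = hits
    return dupes


def strip_ecs_duplicates(schema_json: str, ecs_fields: set[str]) -> str:
    """Return the schema JSON with ECS-named entries removed; vendor fields stay."""
    schema = json.loads(schema_json)
    cleaned = {p: {f: t for f, t in fields.items() if f not in ecs_fields}
               for p, fields in schema.items()}
    return json.dumps(cleaned, indent=2)


def check_non_ecs_schema(schema_json: str, ecs_fields: set[str] = ECS_FIELDS) -> bool:
    """Test-style guard: True when clean, False (with a report) when duplicates exist."""
    dupes = find_ecs_duplicates(schema_json, ecs_fields)
    for pattern, hits in dupes.items():
        print(f"{pattern}: ECS fields present in non-ECS schema: {', '.join(hits)}")
    return not dupes
```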