[RFC] Apple Platform specific fields #2338
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Contributor
txhaflaire
commented
May 2, 2024
txhaflaire
commented
- Have you signed the contributor license agreement?
- Yes
- Have you followed the contributor guidelines?
- Yes
- For proposing substantial changes or additions to the schema, have you reviewed the RFC process?
- Yes
|
This PR is stale because it has been open for 60 days with no activity. |
|
@jamiehynds can you help me getting this one visible? |
|
@smriti0321 Can you help me assigning this PR to be reviewed? |
|
@qcorporation could you please assign someone to review? @ricardoungureanu given your Mac experience, may be an interesting RFC for you to review also. The fields are being proposed by @txhaflaire from Jamf and came up during integration development with Jamf Protect. |
ricardoungureanu
approved these changes
Jul 4, 2024
mjwolf
approved these changes
Jul 4, 2024
|
Thanks for the suggestions @mjwolf - please review once more. |
trisch-me
reviewed
Jul 4, 2024
trisch-me
reviewed
Jul 4, 2024
mjwolf
approved these changes
Jul 8, 2024
|
I reviewed this again, LGTM, other than the file hash change that's needed |
trisch-me
reviewed
Jul 17, 2024
|
@txhaflaire could you please resolve all comments and move hashes back to hashes? thanks |
trisch-me
reviewed
Jul 18, 2024
trisch-me
reviewed
Jul 18, 2024
trisch-me
reviewed
Jul 18, 2024
trisch-me
approved these changes
Jul 18, 2024
|
@mjwolf Thanks for merging it in - is there any pending action left from my side? |
Hi, the next steps are to follow the RFC process again to advance the next stage: https://elastic.github.io/ecs/stages.html. If the changes will be limited to the fields you have already identified in this PR, I think you can consider combining stage 1 & 2, since the changes are fairly small. In stage 2, the fields would be added to the ECS schema with 'beta' tags. |
lksnyder0
added a commit
to huntresslabs/ecs
that referenced
this pull request
Oct 9, 2024
* Add .caseless subfield to process.name & process.executable (elastic#2341) Adds a subfield to the process.name and process.executable fields to improve the compatibility of data sources like System, Sysmon, etc., with our Elastic Defend data, which enables us to handle language limitations in KQL more effectively. * Revert "Add .caseless subfield to process.name & process.executable" (elastic#2350) This reverts commit 7815b3f from elastic#2341. This is being reverted due to storage concerns. The goal will be to advance the native querying capabilities (ES|QL, KQL) of the Elastic stack such that this extra normalized multi-field is not necessary. In the meantime, localized overrides of the ECS field definition will be used to add the additional multi-field where needed. The downside of localized overrides are that it creates inconsistency across usages of the this field. * [RFC] Apple Platform specific fields (elastic#2338) Adds RFS stage 0 --------- Co-authored-by: Alexandra Konrad <alexandra.konrad@elastic.co> Co-authored-by: Michael Wolf <michael.wolf@elastic.co> * Add renovate.json (elastic#2352) Co-authored-by: elastic-renovate-prod[bot] <174716857+elastic-renovate-prod[bot]@users.noreply.github.com> Co-authored-by: Michael Wolf <michael.wolf@elastic.co> * Update template fields (elastic#2354) Update some templated fields that were missed before merging the RFC * Pin dependencies (elastic#2355) Co-authored-by: elastic-renovate-prod[bot] <174716857+elastic-renovate-prod[bot]@users.noreply.github.com> Co-authored-by: Michael Wolf <michael.wolf@elastic.co> * Update dependency PyYAML to v6.0.2 (elastic#2356) Co-authored-by: elastic-renovate-prod[bot] <174716857+elastic-renovate-prod[bot]@users.noreply.github.com> Co-authored-by: Michael Wolf <michael.wolf@elastic.co> * Update dependency gitpython to v3.1.43 (elastic#2358) Co-authored-by: elastic-renovate-prod[bot] <174716857+elastic-renovate-prod[bot]@users.noreply.github.com> Co-authored-by: Michael Wolf <michael.wolf@elastic.co> * Update dependency yamllint to v1.35.1 (elastic#2361) Co-authored-by: elastic-renovate-prod[bot] <174716857+elastic-renovate-prod[bot]@users.noreply.github.com> Co-authored-by: Michael Wolf <michael.wolf@elastic.co> * Update stale PR message (elastic#2369) Add a friendlier stale PR message, based from the [Beats stale message](https://github.com/elastic/beats/blob/main/.github/stale.yml#L63-L74). This will hopefully also prompt contributors to respond, so we'll be better able to track PRs people are still interested in contributing. * Update actions/checkout action to v4 (elastic#2362) Co-authored-by: elastic-renovate-prod[bot] <174716857+elastic-renovate-prod[bot]@users.noreply.github.com> Co-authored-by: Michael Wolf <michael.wolf@elastic.co> * Update actions/github-script action to v7 (elastic#2363) Co-authored-by: elastic-renovate-prod[bot] <174716857+elastic-renovate-prod[bot]@users.noreply.github.com> Co-authored-by: Michael Wolf <michael.wolf@elastic.co> * Update actions/setup-python action to v5 (elastic#2364) Co-authored-by: elastic-renovate-prod[bot] <174716857+elastic-renovate-prod[bot]@users.noreply.github.com> Co-authored-by: Michael Wolf <michael.wolf@elastic.co> * Update actions/stale action to v9 (elastic#2365) Co-authored-by: elastic-renovate-prod[bot] <174716857+elastic-renovate-prod[bot]@users.noreply.github.com> Co-authored-by: Michael Wolf <michael.wolf@elastic.co> * Update dependency mock to v5 (elastic#2367) Co-authored-by: elastic-renovate-prod[bot] <174716857+elastic-renovate-prod[bot]@users.noreply.github.com> Co-authored-by: Michael Wolf <michael.wolf@elastic.co> * Update dependency ubuntu to v22 (elastic#2368) Co-authored-by: elastic-renovate-prod[bot] <174716857+elastic-renovate-prod[bot]@users.noreply.github.com> Co-authored-by: Michael Wolf <michael.wolf@elastic.co> * Update dependency autopep8 to v1.7.0 (elastic#2359) Update dependency autopep8 to v1.7.0 --------- Co-authored-by: elastic-renovate-prod[bot] <174716857+elastic-renovate-prod[bot]@users.noreply.github.com> Co-authored-by: Michael Wolf <michael.wolf@elastic.co> * Update dependency autopep8 to v2 (elastic#2366) * Update dependency autopep8 to v2 --------- Co-authored-by: elastic-renovate-prod[bot] <174716857+elastic-renovate-prod[bot]@users.noreply.github.com> Co-authored-by: Michael Wolf <michael.wolf@elastic.co> * add license header (elastic#2377) * Update actions/setup-python digest to f677139 (elastic#2374) Co-authored-by: elastic-renovate-prod[bot] <174716857+elastic-renovate-prod[bot]@users.noreply.github.com> Co-authored-by: Michael Wolf <michael.wolf@elastic.co> * [RFC] Stage 0: Introducing new field in rule namespace (elastic#2330) * Update 0000-rfc-template.md Updating the temaplate for RFC Stage 0 for adding 2 new rule fields: rule.tags and rule.remediation * Update 0000-rfc-template.md Incorporating review comments. * Renaming the template file with recommended name * Resolving conflicts * Removing Tag Field * Resolving comments from @trisch-me * Moving file to rfcs/text folder as per @trisch-me comment. using next number in series. * I saw number 44 was used in a recent RFC, using next number in series --------- Co-authored-by: Eric Beahan <eric.beahan@elastic.co> Co-authored-by: Alexandra Konrad <alexandra.konrad@elastic.co> * [RFC] Stage 2: Adding Apple Platform specific fields (elastic#2370) Updating the RFC and moving it to stage two. * code blocks specified language yaml (elastic#2380) Co-authored-by: Michael Wolf <michael.wolf@elastic.co> * trim trailing whitespace in schema (elastic#2379) Co-authored-by: Michael Wolf <michael.wolf@elastic.co> * [RFC] Stage 0: Introducing new fields in ECS vulnerability field set (elastic#2331) * RFC to add new fields in ECS vulnerability field set RFC to add new fields in ECS vulnerability field set * Moving to separate file * set title and add stage 0 PR # * clean up fields table markdown * Moving to (rfcs/text) and renaming file to next number in series. * Resolving the comments from @trisch-me * Update rfcs/text/0045-additional-vulnerability-fields.md Co-authored-by: Alexandra Konrad <alexandra.konrad@elastic.co> * Update rfcs/text/0045-additional-vulnerability-fields.md Co-authored-by: Alexandra Konrad <alexandra.konrad@elastic.co> * Making changed to the date format as per comments from @trisch-me * Resolving @trisch-me comments * Resolving latest comments * Update rfcs/text/0045-additional-vulnerability-fields.md Co-authored-by: Alexandra Konrad <alexandra.konrad@elastic.co> --------- Co-authored-by: Eric Beahan <eric.beahan@elastic.co> Co-authored-by: Alexandra Konrad <alexandra.konrad@elastic.co> * Fix type in code signature (elastic#2382) Change the type of code_signature.flags to keyword, which is what it should be. Also add a unit test that will verify all types are valid. * Enforce yamllint in CI (elastic#2381) Start running and enforcing yamllint checks in CI. * Add Stage0 RFC for new fields for fileless execution on Linux (elastic#2322) * Add support for settings * Fix settings merging * Restrict test workflow * Fix merge conflicts * Less restrictive * Add docker files and pipeline * Make building more restrictive * Simplify build workflow * Update tagging strategy * Removing unused variable * Kick? * Anchors aren't supported 😭 * Fix role name * Test branch name * Remove extra default update (#3) * Remove extra default update * Fix role name * Add support for a top-level type (#4) * Add support for a top-level type * Actually, don't need to be all the complicated * Type needs to be nested within the field name (#5) * Add documention for parameters field (#6) * Add undocumented field argument * Remove the PR template --------- Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co> Co-authored-by: Thijs Xhaflaire <thijsxhaflaire31@hotmail.com> Co-authored-by: Alexandra Konrad <alexandra.konrad@elastic.co> Co-authored-by: Michael Wolf <michael.wolf@elastic.co> Co-authored-by: elastic-renovate-prod[bot] <174716857+elastic-renovate-prod[bot]@users.noreply.github.com> Co-authored-by: Stefan Bischof <bipolis@bipolis.org> Co-authored-by: Smriti <152067238+smriti0321@users.noreply.github.com> Co-authored-by: Eric Beahan <eric.beahan@elastic.co> Co-authored-by: Michal Stanek <75310947+stanek-michal@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.