From 353b4921ad6f6e139528bc6d3dfa171c9fedabed Mon Sep 17 00:00:00 2001
From: Ian
Date: Tue, 8 Oct 2024 15:05:54 -0400
Subject: [PATCH 1/8] Update problem_child_ingest_pipeline.yml
---
 .../ingest_pipeline/problem_child_ingest_pipeline.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/problemchild/elasticsearch/ingest_pipeline/problem_child_ingest_pipeline.yml b/packages/problemchild/elasticsearch/ingest_pipeline/problem_child_ingest_pipeline.yml
index 15191b62c362..ff0dd61d297b 100644
--- a/packages/problemchild/elasticsearch/ingest_pipeline/problem_child_ingest_pipeline.yml
+++ b/packages/problemchild/elasticsearch/ingest_pipeline/problem_child_ingest_pipeline.yml
@@ -2,7 +2,7 @@ description: "Pipelines for ProblemChild detection" processors: - pipeline: - if: ctx.containsKey('event') && ctx['event'].containsKey('kind') && ctx['event'].containsKey('category') && ctx['event']['kind'] == 'event' && ctx['event']['category'].contains('process') && ctx.containsKey('host') && ctx['host'].containsKey('os') && (ctx['host']['os'].containsKey('type') || ctx['host']['os'].containsKey('family') || ctx['host']['os'].containsKey('platform')) && (ctx['host']['os']['type'] == 'windows' || ctx['host']['os']['type'] == 'Windows' || ctx['host']['os']['family'] == 'windows' || ctx['host']['os']['family'] == 'Windows' || ctx['host']['os']['platform'] == 'windows' || ctx['host']['os']['platform'] == 'Windows') + if: ctx.containsKey('event') && ctx['event'].containsKey('kind') && ctx['event'].containsKey('category') && ctx['event']['kind'] == 'event' && ctx['event']['category'].contains('process') && ctx.containsKey('host') && ctx['host'].containsKey('os') && ((ctx['host']['os'].containsKey('type') && (ctx['host']['os']['type'] == 'windows' || ctx['host']['os']['type'] == 'Windows')) || (ctx['host']['os'].containsKey('family') && (ctx['host']['os']['family'] == 'windows' || ctx['host']['os']['family'] == 'Windows')) || (ctx['host']['os'].containsKey('platform') && (ctx['host']['os']['platform'] == 'windows' || ctx['host']['os']['platform'] == 'Windows'))) name: '{{ IngestPipeline "problem_child_inference_pipeline" }}' on_failure: - append:
From 4f80da9861101bd6e8dfe777190c2d4dcfc25b12 Mon Sep 17 00:00:00 2001
From: Ian
Date: Tue, 8 Oct 2024 15:19:07 -0400
Subject: [PATCH 2/8] Update manifest.yml
---
 packages/problemchild/manifest.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/problemchild/manifest.yml b/packages/problemchild/manifest.yml
index fa9cdb2c76fd..cbce432d6f9f 100644
--- a/packages/problemchild/manifest.yml
+++ b/packages/problemchild/manifest.yml
@@ -1,7 +1,7 @@
format_version: 3.0.0
name: problemchild
title: "Living off the Land Attack Detection"
-version: 2.1.5
+version: 2.1.6
source:
license: "Elastic-2.0"
description: "ML solution package to detect Living off the Land (LotL) attacks in your environment. Requires a Platinum subscription."
From 19928c893bd3525686f8b020c18782b56ccac343 Mon Sep 17 00:00:00 2001
From: Ian
Date: Tue, 8 Oct 2024 15:21:00 -0400
Subject: [PATCH 3/8] Update changelog.yml
---
 packages/problemchild/changelog.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/packages/problemchild/changelog.yml b/packages/problemchild/changelog.yml
index e9193a0405d0..fd46ebb0f232 100644
--- a/packages/problemchild/changelog.yml
+++ b/packages/problemchild/changelog.yml
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.1.6" + changes: + - description: Fixed bug in ingest pipeline + type: bugfix + link: - version: "2.1.5" changes: - description: Add fields for integration package testing
From 956c1e7d68dfbdc94429871d23b07c68c7f3216d Mon Sep 17 00:00:00 2001
From: Ian
Date: Tue, 8 Oct 2024 15:21:51 -0400
Subject: [PATCH 4/8] Update changelog.yml with PR link
---
 packages/problemchild/changelog.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/problemchild/changelog.yml b/packages/problemchild/changelog.yml
index fd46ebb0f232..b866aa0f120a 100644
--- a/packages/problemchild/changelog.yml
+++ b/packages/problemchild/changelog.yml
@@ -3,7 +3,7 @@ changes: - description: Fixed bug in ingest pipeline type: bugfix - link: + link: https://github.com/elastic/integrations/pull/11367 - version: "2.1.5" changes: - description: Add fields for integration package testing
From bdbf342a9919fd49da965a7529406a32c7556822 Mon Sep 17 00:00:00 2001
From: Ian
Date: Wed, 9 Oct 2024 10:26:53 -0400
Subject: [PATCH 5/8] updated problem child ingest pipeline 'if' script with improved notation
---
 .../ingest_pipeline/problem_child_ingest_pipeline.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/problemchild/elasticsearch/ingest_pipeline/problem_child_ingest_pipeline.yml b/packages/problemchild/elasticsearch/ingest_pipeline/problem_child_ingest_pipeline.yml
index ff0dd61d297b..d4b81529f99f 100644
--- a/packages/problemchild/elasticsearch/ingest_pipeline/problem_child_ingest_pipeline.yml
+++ b/packages/problemchild/elasticsearch/ingest_pipeline/problem_child_ingest_pipeline.yml
@@ -2,7 +2,7 @@ description: "Pipelines for ProblemChild detection" processors: - pipeline: - if: ctx.containsKey('event') && ctx['event'].containsKey('kind') && ctx['event'].containsKey('category') && ctx['event']['kind'] == 'event' && ctx['event']['category'].contains('process') && ctx.containsKey('host') && ctx['host'].containsKey('os') && ((ctx['host']['os'].containsKey('type') && (ctx['host']['os']['type'] == 'windows' || ctx['host']['os']['type'] == 'Windows')) || (ctx['host']['os'].containsKey('family') && (ctx['host']['os']['family'] == 'windows' || ctx['host']['os']['family'] == 'Windows')) || (ctx['host']['os'].containsKey('platform') && (ctx['host']['os']['platform'] == 'windows' || ctx['host']['os']['platform'] == 'Windows'))) + if: ctx?.event?.kind == 'event' && ctx?.event?.category?.contains('process') && (ctx?.host?.os?.type?.toLowerCase() == 'windows' || ctx?.host?.os?.family?.toLowerCase() == 'windows' || ctx?.host?.os?.platform?.toLowerCase() == 'windows') name: '{{ IngestPipeline "problem_child_inference_pipeline" }}' on_failure: - append:
From 907103d26e8c9bd13cf1c37a957dc04a6f743071 Mon Sep 17 00:00:00 2001
From: Ian
Date: Wed, 9 Oct 2024 10:55:01 -0400
Subject: [PATCH 6/8] Update changelog.yml
---
 packages/problemchild/changelog.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
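Review bot: On the added `if:` line, `ctx?.event?.category?.contains('process')` evaluates to null rather than false whenever `event.category` is absent, and as far as I can tell Painless does not coerce a null `def` to false inside `&&`, so the condition would throw instead of quietly evaluating to false; the PATCH 7/8 hunk below keeps the same shape (it only drops the leading `ctx?.`), so the point applies there as well. An explicit comparison turns the missing-field case into a plain false: `ctx?.event?.category?.contains('process') == true`. The three `toLowerCase()` comparisons are unaffected because `null == 'windows'` is simply false, though they would presumably fail if `host.os.type`, `family` or `platform` ever arrived as a list rather than a string, which is worth confirming against the data this package ingests. Because this condition gates the detection inference sub-pipeline, a throwing guard presumably lands in the processor's `on_failure` branch instead of just leaving the document un-scored, so the failure mode is worth pinning down before release.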
diff --git a/packages/problemchild/changelog.yml b/packages/problemchild/changelog.yml
index b866aa0f120a..f78daad5a77b 100644
--- a/packages/problemchild/changelog.yml
+++ b/packages/problemchild/changelog.yml
@@ -1,8 +1,8 @@ # newer versions go on top - version: "2.1.6" changes: - - description: Fixed bug in ingest pipeline - type: bugfix + - description: Improved notation of painless script if block in ingest pipeline + type: enhancement link: https://github.com/elastic/integrations/pull/11367 - version: "2.1.5" changes:
From 811c124993b302c9ed0b5e4702ed8afc6ff6e5a1 Mon Sep 17 00:00:00 2001
From: Ian Perry
Date: Wed, 9 Oct 2024 11:41:30 -0400
Subject: [PATCH 7/8] enhancement should have proper semver patch number and ctx can never be null
---
 packages/problemchild/changelog.yml | 2 +-
 .../ingest_pipeline/problem_child_ingest_pipeline.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/packages/problemchild/changelog.yml b/packages/problemchild/changelog.yml
index f78daad5a77b..4dfb1b038b4a 100644
--- a/packages/problemchild/changelog.yml
+++ b/packages/problemchild/changelog.yml
@@ -1,5 +1,5 @@ # newer versions go on top -- version: "2.1.6" +- version: "2.2.0" changes: - description: Improved notation of painless script if block in ingest pipeline type: enhancement
diff --git a/packages/problemchild/elasticsearch/ingest_pipeline/problem_child_ingest_pipeline.yml b/packages/problemchild/elasticsearch/ingest_pipeline/problem_child_ingest_pipeline.yml
index d4b81529f99f..8aafe21a93df 100644
--- a/packages/problemchild/elasticsearch/ingest_pipeline/problem_child_ingest_pipeline.yml
+++ b/packages/problemchild/elasticsearch/ingest_pipeline/problem_child_ingest_pipeline.yml
@@ -2,7 +2,7 @@ description: "Pipelines for ProblemChild detection" processors: - pipeline: - if: ctx?.event?.kind == 'event' && ctx?.event?.category?.contains('process') && (ctx?.host?.os?.type?.toLowerCase() == 'windows' || ctx?.host?.os?.family?.toLowerCase() == 'windows' || ctx?.host?.os?.platform?.toLowerCase() == 'windows') + if: ctx.event?.kind == 'event' && ctx.event?.category?.contains('process') && (ctx.host?.os?.type?.toLowerCase() == 'windows' || ctx.host?.os?.family?.toLowerCase() == 'windows' || ctx.host?.os?.platform?.toLowerCase() == 'windows') name: '{{ IngestPipeline "problem_child_inference_pipeline" }}' on_failure: - append:
From ebfad244a36d219f3162c1167f0c4dea407933f9 Mon Sep 17 00:00:00 2001
From: Ian Perry
Date: Wed, 9 Oct 2024 11:43:18 -0400
Subject: [PATCH 8/8] updated manifest with corrected semver patch number
---
 packages/problemchild/manifest.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/problemchild/manifest.yml b/packages/problemchild/manifest.yml
index cbce432d6f9f..5ce072e67931 100644
--- a/packages/problemchild/manifest.yml
+++ b/packages/problemchild/manifest.yml
@@ -1,7 +1,7 @@
format_version: 3.0.0
name: problemchild
title: "Living off the Land Attack Detection"
-version: 2.1.6
+version: 2.2.0
source:
license: "Elastic-2.0"
description: "ML solution package to detect Living off the Land (LotL) attacks in your environment. Requires a Platinum subscription."