Open
Labels
- Team:Security-Deployment and Devices (DEPRECATED Deployment and Devices Security team, elastic/sec-deployment-and-devices)
- Team:Security-Linux Platform (Linux Platform Security team, elastic/sec-linux-platform)
- Team:Security-Scalability (Security Integrations Scalability team)
- Team:Security-Service Integrations (Security Service Integrations team, elastic/security-service-integrations)
- Team:Security-Windows Platform (Security Windows Platform team, elastic/sec-windows-platform)
- Team:Sit-Crest (Crest developers on the Security Integrations team, elastic/sit-crest-contractors)
- technical-debt
Description
The mustache templating system used by ingest pipelines has two levels of escaping available, not escaped (triple stache) and HTML escaped (double stache) — see man mustache under "tag types: variables". This can lead to data corruption, particularly in cases where an operating system has chosen to use a character requiring escaping in its path syntax (example here).
In general we should not be HTML escaping fields for ingestion, so it is nearly always the case that we should be using the triple stache. This is not the case; this is a list of SEI packages that have at least one instance of a double stache in a template snippet:
- 1password
- akamai
- atlassian_bitbucket
- atlassian_confluence
- atlassian_jira
- auditd
- aws
- barracuda
- bitdefender
- bluecoat
- carbonblack_edr
- cef
- checkpoint
- cisco_asa
- cisco_ios
- cisco_ise
- cisco_secure_endpoint
- cisco_umbrella
- citrix_waf
- cloudflare
- cloudflare_logpush
- crowdstrike
- cyberark_pta
- cylance
- entityanalytics_entra_id
- f5
- fireeye
- forcepoint_web
- forgerock
- fortinet_forticlient
- fortinet_fortiedr
- fortinet_fortigate
- gcp
- github
- google_workspace
- hid_bravura_monitor
- imperva
- infoblox_nios
- jumpcloud
- juniper_junos
- juniper_netscreen
- juniper_srx
- keycloak
- lyve_cloud
- m365_defender
  - [M365 Defender] Improve ECS mapping and fix incorrect or missing fields #7522
  - m365_defender: fix template snippet escaping behaviour and add event.kind for pipeline errors #7707
- mattermost
- microsoft_defender_endpoint
- microsoft_dhcp
- microsoft_sqlserver
- mimecast
- modsecurity
- mysql_enterprise
- nagios_xi
- netflow
- netscout
- netskope
- network_traffic
- o365
- okta
- osquery
- pfsense
- pulse_connect_secure
- qnap_nas
- radware
- santa
- slack
- snort
- snyk
- sophos
- squid
- suricata
- symantec_endpoint
- sysmon_linux
- system
- system_audit
- tenable_io
- thycotic_ss
- ti_abusech
- ti_cif3
- ti_cybersixgill
- ti_maltiverse
- ti_misp
- trendmicro
- windows
- zeek
  - zeek: ensure fields are not HTML escaped, and fix event.type value for sip #7640
- zeronetworks
- zoom
andrewkroh
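The issue asks for every double-stache variable in a template snippet to be replaced by a triple stache. The scanner below is an added example written for this page; it is not code from the elastic/integrations repository. It applies the Mustache tag grammar from man mustache to raw pipeline text: `{{{x}}}` and `{{& x}}` are unescaped variables, `{{#x}}`, `{{^x}}`, `{{/x}}`, `{{!x}}` and `{{>x}}` are sections, comments and partials, and any remaining `{{x}}` is an escaped variable, which is what gets reported. The pipeline YAML it scans is constructed for the example and does not come from any real package; the function names, the `SAMPLE_PIPELINE` constant and the line-by-line reporting are all assumptions of this example. It scans text rather than parsed YAML so it runs with the standard library only.

```python
import re

# Subset of the Mustache tag grammar. The triple-stache alternative comes
# first so that "{{{x}}}" is never mistaken for "{{" + "{x" + "}}".
TAG_RE = re.compile(
    r"\{\{\{\s*(?P<triple>[^}]+?)\s*\}\}\}"
    r"|\{\{\s*(?P<sigil>[#^/!>&])?\s*(?P<name>[^}]*?)\s*\}\}"
)


def classify(match):
    """Return (kind, name) for one matched tag."""
    if match.group("triple") is not None:
        return "unescaped", match.group("triple")
    sigil = match.group("sigil")
    name = match.group("name")
    if sigil == "&":                      # {{& x}} is the other unescaped form
        return "unescaped", name
    if sigil in ("#", "^", "/"):          # section open / inverted / close
        return "section", name
    if sigil == "!":
        return "comment", name
    if sigil == ">":
        return "partial", name
    return "escaped", name                # plain {{x}}: the case the issue flags


def find_escaped_variables(text):
    """List (line number, variable name, raw tag) for every double-stache variable."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in TAG_RE.finditer(line):
            kind, name = classify(m)
            if kind == "escaped":
                findings.append((lineno, name, m.group(0)))
    return findings


def to_triple_stache(text):
    """Rewrite only plain {{x}} variable tags to {{{x}}}; leave every other tag alone."""
    def repl(m):
        kind, name = classify(m)
        if kind == "escaped":
            return "{{{" + name + "}}}"
        return m.group(0)
    return TAG_RE.sub(repl, text)


# Constructed pipeline fragment (not from any real package). Line 5 shows the
# failure mode from the issue: a Windows path rendered through a double stache.
SAMPLE_PIPELINE = """\
description: constructed example pipeline
processors:
  - set:
      field: file.path
      value: "{{winlog.event_data.TargetFilename}}"
  - set:
      field: event.original
      value: "{{{message}}}"
  - append:
      field: related.user
      value: "{{& user.name}}"
  - set:
      field: host.name
      value: "{{#winlog.computer_name}}{{{winlog.computer_name}}}{{/winlog.computer_name}}"
  - set:
      field: error.message
      value: "{{! constructed comment }}failed: {{error.reason}}"
"""


def main():
    for lineno, name, raw in find_escaped_variables(SAMPLE_PIPELINE):
        print("line %d: %s -> use {{{%s}}}" % (lineno, raw, name))


if __name__ == "__main__":
    main()
```

Run it over a package's `data_stream/*/elasticsearch/ingest_pipeline/*.yml` files to get the per-line list of tags to change; `to_triple_stache` applies the mechanical fix while leaving sections, comments and `{{& x}}` tags untouched, so a rewritten pipeline still parses as the same template apart from the escaping.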