[TI_Anomali] Fix destination fields mapping conflicts #6514
Conversation
Hi! We just realized that we haven't looked into this PR in a while. We're sorry! We're labeling this issue as
Can you please link to the associated elastic-package bug issue in the PR description?
Added issue to the description
Does an issue already exist for elastic/kibana about Fleet only reading the contents of
Yeah, I want to test it again to see if the problem is only that the defined external fields are not getting expanded, or if multiple files are not being honoured. I will update here.
packages/ti_anomali/changelog.yml
@@ -1,4 +1,9 @@ | |||
# newer versions go on top | |||
- version: "1.14.1" | |||
changes: | |||
- description: Fix destination fields sort order and mapping |
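Review bot: the new changelog entry is versioned 1.14.1, while the release notice further down this thread reports the change shipping as ti_anomali 1.15.1; after rebasing, make sure the version in this entry matches the version the package is actually released under. The description line is also a good place to state that the old destination index `logs-ti_anomali_latest.threatstream-1` has to be deleted manually after upgrading, as the review comment on this hunk asks.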
Somewhere (docs or changelog) I think we should mention that users should delete the `logs-ti_anomali_latest.threatstream-1` index after upgrading. (That is, until we can automatically clean up the old index.)
Makes sense.
Updated the changelog to redirect to the docs. Added information about deleting the older index and why we are doing it. The wording is generic enough to make users delete any future older versions. We could remove this doc section once the auto-cleanup is available.
I confirmed that multiple field definition files inside the transform folder are not working. I created the issue inside
Package ti_anomali - 1.15.1 containing this change is available at https://epr.elastic.co/search?package=ti_anomali
* Fix Anomali Destination field mapping
* replace ingested with timestamp for accuracy
* refactor
* update readme
* Add expanded ECS fields
* Add assertion to system tests
* Add notes for deleting dest index
* update pipeline tests
* update readme
* update tests and readme
What does this PR do?
Field mapping conflicts exist between the source and destination indices (created by the transform) of Anomali. The issue happened because not all the files in the `elasticsearch/transform/latest_ioc/fields` folder are considered as destination fields. Only the fields inside `fields.yml` are taken into the mapping. Hence dynamic mapping is being applied for the rest of the fields. This PR goes through the `elasticsearch/transform/latest_ioc/fields` folder and copies the corresponding fields into `elasticsearch/transform/latest_ioc/fields/fields.yml`.

NOTE: Due to an issue in `elastic-package` not expanding the ECS fields under `elasticsearch/transform/latest_ioc/fields/fields.yml` mapped with the `- external: ecs` definition, the ECS fields must be manually copied from `build/packages/ti_anomali/<VERSION>/data_stream/threatstream/fields/ecs.yml`.
Reference Issue - elastic/elastic-package#1369
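As an added example (not the package's or this PR's own code), the consolidation step described above in Python: merge the definition files held in the transform's fields folder into the one `fields.yml` that Fleet reads, and report which source fields would be left to Elasticsearch dynamic mapping if only `fields.yml` were honoured. File names other than `fields.yml`, field names and types are constructed stand-ins.

```python
"""Merge a transform's per-file field definitions into the single fields.yml that
Fleet reads, and list the source fields that would otherwise fall to dynamic mapping.
Constructed example: file names (except fields.yml), field names and types are illustrative."""
from typing import Dict, List

FieldDef = Dict[str, str]

# Constructed stand-in for the parsed files in elasticsearch/transform/latest_ioc/fields/
TRANSFORM_FIELD_FILES: Dict[str, List[FieldDef]] = {
    "fields.yml": [{"name": "anomali.threatstream.id", "type": "keyword"}],
    "base-fields.yml": [{"name": "data_stream.type", "type": "constant_keyword"},
                        {"name": "event.ingested", "type": "date"}],
    # `- external: ecs` entries here already resolved to concrete types
    "ecs.yml": [{"name": "threat.indicator.ip", "type": "ip"},
                {"name": "threat.indicator.confidence", "type": "keyword"}],
}
# Constructed stand-in for the source data stream's explicit mapping (name -> type)
SOURCE_MAPPING: Dict[str, str] = {
    "anomali.threatstream.id": "keyword", "data_stream.type": "constant_keyword",
    "event.ingested": "date", "threat.indicator.ip": "ip",
    "threat.indicator.confidence": "keyword",
}


def merge_field_files(files: Dict[str, List[FieldDef]]) -> List[FieldDef]:
    """Flatten every file into one list (fields.yml first, the rest sorted by file
    name); a field defined twice with different types raises instead of shipping."""
    order = ["fields.yml"] + sorted(f for f in files if f != "fields.yml")
    merged: Dict[str, FieldDef] = {}
    for fname in order:
        for field in files.get(fname, []):
            prev = merged.setdefault(field["name"], field)  # first definition wins
            if prev.get("type") != field.get("type"):
                raise ValueError(f"{field['name']}: {prev.get('type')} vs "
                                 f"{field.get('type')} in {fname}")
    return list(merged.values())


def unmapped_fields(destination: List[FieldDef], source: Dict[str, str]) -> List[str]:
    """Source fields with no explicit destination definition. Elasticsearch maps these
    dynamically (an IP string becomes text + keyword), which is the conflict the PR fixes."""
    mapped = {f["name"] for f in destination}
    return sorted(name for name in source if name not in mapped)


if __name__ == "__main__":
    only_fields_yml = TRANSFORM_FIELD_FILES["fields.yml"]
    print("left to dynamic mapping before:", unmapped_fields(only_fields_yml, SOURCE_MAPPING))
    print("left to dynamic mapping after: ",
          unmapped_fields(merge_field_files(TRANSFORM_FIELD_FILES), SOURCE_MAPPING))
```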