[cisco_secure_endpoint] Fix propagation of information from host.name #2915
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

/test
…/ingest_pipeline/default.yml Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co>
…/ingest_pipeline/default.yml Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co>
Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co>
/test

[git-generate]
```
cd packages/cisco_secure_endpoint
elastic-package build
elastic-package test pipeline -g
```
We need some test data to validate the new command_line parsing script processors.
I pushed some updates to make the pipeline valid, added descriptions, added two missing event.* fields, and generated the pipeline test data.
/test
Changed the script processor to fix a bug. The backing array is immutable so removeIf fails.

```
Unhandled Exception unsupported_operation_exception
remove Stack: [
  "java.base/java.util.Iterator.remove(Iterator.java:102)",
  "java.base/java.util.Collection.removeIf(Collection.java:577)",
  "arg -> (arg == \"\"));\n ",
  "^---- HERE"
]
```
[git-generate]
```
cd packages/cisco_secure_endpoint
elastic-package test pipeline -g
```
What does this PR do?

Propagating information from the `host.name` field. Also taking into account that Install Started events use the `cisco.secure_endpoint.hostname` field.

Adding `process.command_line`, `process.args`, `process.args_count` and `process.executable` from the `cisco.secure_endpoint.command_line.arguments` field.

Checklist

changelog.yml file.
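An added example (not code from the PR or the integration) that emulates in Python what the description and the review thread say the pipeline does: fill `host.name` from `cisco.secure_endpoint.hostname` on Install Started events, and derive the ECS `process.*` fields from `cisco.secure_endpoint.command_line.arguments` while dropping empty strings, building a fresh list rather than filtering in place (the immutable-backing-list failure from the review). The sample events, the `event_type` values and the exact host.name and command_line mapping are assumptions.

```python
import copy

# Constructed sample events shaped like Cisco Secure Endpoint data stream documents.
# Field names come from the PR; the event_type values and argument lists are made up here.
SAMPLE_EVENTS = [
    {"host": {"name": "ws-01"},
     "cisco": {"secure_endpoint": {
         "event_type": "Threat Detected",
         "command_line": {"arguments": ["C:\\Program Files\\App\\updater.exe", "", "--silent"]}}}},
    {"cisco": {"secure_endpoint": {"event_type": "Install Started", "hostname": "ws-02"}}},
]


def enrich(event: dict) -> dict:
    """Emulate the pipeline's host.name and process.* enrichment on one document."""
    doc = copy.deepcopy(event)
    se = doc.get("cisco", {}).get("secure_endpoint", {})

    # Install Started events carry the host name in cisco.secure_endpoint.hostname;
    # using it as a fallback for host.name is an assumption about the pipeline's mapping.
    if not doc.get("host", {}).get("name") and se.get("hostname"):
        doc.setdefault("host", {})["name"] = se["hostname"]

    raw_args = se.get("command_line", {}).get("arguments")
    if raw_args:
        # Build a new list instead of removeIf on the backing list: the first Painless
        # version filtered in place and threw unsupported_operation_exception.
        args = [a for a in raw_args if a != ""]
        if args:
            proc = doc.setdefault("process", {})
            proc["args"] = args
            proc["args_count"] = len(args)
            proc["executable"] = args[0]
            # Joining with spaces is an assumption; the pipeline's exact join is not shown.
            proc["command_line"] = " ".join(args)
    return doc
```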