cef: improve documentation and testing #3465
Conversation
e67a37d to 3b35fe9
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

The new inputs here were obtained from the golden files for the cef parser with some modification:
- IP addresses were made to conform to the elastic-package requirements
- invalid inputs were either edited or the events were removed

The new inputs here were obtained from the input files for the cef parser with some modification:
- invalid inputs were either edited or the events were removed
description: Identifies the Layer-4 protocol used. The possible values are protocols such as TCP or UDP. | ||
- name: ad | ||
type: flattened | ||
- name: TrendMicroDsDetectionConfidence |
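Review bot: `- name: ad` / `type: flattened` is added without a `description`, which sits oddly in a PR whose stated purpose is documenting undocumented fields; a one-line description of what `ad` carries would help, and it should mention that a `flattened` field indexes every sub-key as a keyword, so nothing under `ad` is numerically typed or aggregatable beyond term queries. For `TrendMicroDsDetectionConfidence`, if the values are numeric, a `long` or `float` type would be more useful than `keyword`, should the field be kept in the mapping at all.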
My assumption is that these TrendMicro* keyword fields are added to make the tests pass. They don't add much value otherwise. If we had a way to ignore these and allow the tests to pass without defining them, then I would say we should use it here. They would still get mapped as keyword dynamically, but they would not grow the size of the template or mapping for the users that are not ingesting Trend Micro logs.
Yes, this is exactly why they were added. Is there a way to ignore these?
What does this PR do?
This adds field descriptions to a number of ostensibly undocumented fields and adds other fields that were undocumented (some leaving out descriptions where they were not available).
It also adds pipeline and system tests for a variety of inputs that were not previously tested.
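The review thread above turns on two things about CEF test inputs: extension keys that the package's fields.yml does not declare (and so get mapped dynamically as keyword), and IP addresses that have to fit what elastic-package accepts in fixtures. The following is an added example, not code from the cef package or from the PR author: a small CEF parser that handles the header and extension escaping rules, plus two checks run over constructed sample events. `DECLARED_EXTENSION_KEYS` is an abbreviated stand-in for a real fields.yml, and the "fixture-safe" address ranges are an assumption (RFC 1918 private and RFC 5737 / RFC 3849 documentation ranges), not elastic-package's actual rule.

```python
# Added example, not code from the elastic/integrations cef package: a minimal
# CEF parser and two checks over constructed test inputs.
import ipaddress
import re
from typing import Dict, List, Tuple

# CEF:Version|Device Vendor|Device Product|Device Version|Device Event Class ID|Name|Severity|Extension
HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "device_event_class_id", "name", "severity")

# A key starts the extension or follows whitespace and ends at an unescaped '=';
# '\=' inside a value cannot match because '\' is not a key character.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")

# Constructed, abbreviated stand-in for the keys the package's fields.yml declares.
DECLARED_EXTENSION_KEYS = {"src", "dst", "spt", "dpt", "proto", "act", "msg",
                           "rt", "cs1", "cs1Label"}

# Assumption, not elastic-package's actual rule: treat RFC 1918 private and
# RFC 5737 / RFC 3849 documentation ranges as acceptable in test fixtures.
_FIXTURE_SAFE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24", "2001:db8::/32")]


def _unescape(value: str) -> str:
    # Resolve CEF escapes: \\ -> \, \= -> =, \| -> |, and \n / \r to control chars.
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append({"n": "\n", "r": "\r"}.get(value[i + 1], value[i + 1]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def _split_header(line: str) -> Tuple[List[str], str]:
    # Split on unescaped '|' into the seven header values; the rest is the extension.
    parts, buf, i = [], [], 0
    while i < len(line) and len(parts) < 7:
        c = line[i]
        if c == "\\" and i + 1 < len(line):
            buf.append(line[i + 1])
            i += 2
        elif c == "|":
            parts.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(c)
            i += 1
    if len(parts) < 7:
        raise ValueError("malformed CEF header: fewer than 7 '|'-separated fields")
    return parts, line[i:]


def _parse_extension(ext: str) -> Dict[str, str]:
    # Each value runs from its '=' up to the next key token (or end of line).
    keys = list(_KEY_RE.finditer(ext))
    result: Dict[str, str] = {}
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        result[m.group(1)] = _unescape(ext[m.end():end].rstrip())
    return result


def parse_cef(line: str) -> Dict[str, object]:
    # A syslog prefix before 'CEF:' is tolerated and dropped.
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF: marker in line")
    header, ext = _split_header(line[start:])
    event: Dict[str, object] = dict(zip(HEADER_FIELDS, header))
    event["version"] = header[0][len("CEF:"):]
    event["extensions"] = _parse_extension(ext)
    return event


def undeclared_keys(lines: List[str], declared=DECLARED_EXTENSION_KEYS) -> Dict[str, int]:
    # Keys absent from fields.yml would only be mapped dynamically (as keyword).
    counts: Dict[str, int] = {}
    for line in lines:
        for key in parse_cef(line)["extensions"]:
            if key not in declared:
                counts[key] = counts.get(key, 0) + 1
    return counts


def ips_outside_fixture_ranges(lines: List[str]) -> List[Tuple[str, str]]:
    # Report src/dst values that fall outside the assumed fixture-safe ranges.
    bad: List[Tuple[str, str]] = []
    for line in lines:
        ext = parse_cef(line)["extensions"]
        for key in ("src", "dst"):
            if key in ext:
                addr = ipaddress.ip_address(ext[key])
                if not any(addr in net for net in _FIXTURE_SAFE_NETS):
                    bad.append((key, ext[key]))
    return bad


# Constructed sample events; not taken from the PR's test files.
SAMPLE_LINES = [
    r"CEF:0|Vendor|Product|1.0|100|Connection allowed|3|src=192.0.2.10 dst=198.51.100.20 spt=4444 dpt=443 proto=TCP",
    r"CEF:0|Vendor|Product|1.0|200|Policy match|7|msg=user\=alice logged in act=blocked TrendMicroDsDetectionConfidence=95",
    r"<134>Jan 1 00:00:00 host CEF:0|Ven\|dor|Pro\\duct|2.0|300|Pipe in vendor|5|dst=203.0.113.5 cs1Label=Reason cs1=multi\nline",
    r"CEF:0|Vendor|Product|1.0|400|Outbound DNS|2|src=10.1.2.3 dst=8.8.8.8 dpt=53 proto=UDP",
]
```

Running `undeclared_keys(SAMPLE_LINES)` over these inputs reports only `TrendMicroDsDetectionConfidence`, the kind of vendor-specific key the review discusses, and `ips_outside_fixture_ranges(SAMPLE_LINES)` flags the `8.8.8.8` destination in the last event; the third event exercises escaped `|` and `\` in the header and `\=` and `\n` in values.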