cef: improve documentation and testing #3465
Conversation
efd6
added
documentation
efd6
force-pushed
the
arcsight_cef
branch
2 times, most recently
from
e67a37d
to
3b35fe9
Compare
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
🤖 GitHub commentsTo re-run your PR in the CI, just comment with:
|
🌐 Coverage report
|
|
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
The new inputs here were obtained from the golden files for the cef parser with some modification: - IP addresses were made to conform to the elastic-package requirements - invalid inputs were either edited or the events were removed
The new inputs here were obtained from the input files for the cef parser with some modification: - invalid inputs were either edited or the events were removed
| description: Identifies the Layer-4 protocol used. The possible values are protocols such as TCP or UDP. | ||
| - name: ad | ||
| type: flattened | ||
| - name: TrendMicroDsDetectionConfidence |
There was a problem hiding this comment.
My assumption is that these TrendMicro* keyword fields are added to make the tests pass. They don't add much value otherwise. If we had a way to ignore allow the tests to pass without defining these then I would say we should use it here. They would still get mapped as keyword dynamically, but they would not grow size of the template or mapping for the users that are not ingesting Trend Micro logs.
There was a problem hiding this comment.
Yes this is exactly why they were added. Is there a way to ignore these?
What does this PR do?
This adds field descriptions to a number of ostensibly undocumented fields and adds other fields that were undocumented (some leaving out descriptions where they were not available).
It also adds pipeline and system tests for a variety of inputs that were not previously tested.
Checklist
changelog.ymlfile.Author's Checklist
How to test this PR locally
Related issues
Screenshots