[Enhancement] [LastPass] Add support for event.outcome field and new type of event.action #4847
Conversation
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
Minor suggestions.
field: lastpass.event_report.data.original | ||
separator: ',' | ||
target_field: lastpass.event_report.data.user_email | ||
ignore_failure: true | ||
- script: | ||
description: Separate Shared Folder Name and User Email with comma(',') in Limit Shared Folder Event Type. | ||
description: Separate Shared Folder Name and User Email with comma(',') in limit shared folder Event Type. |
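Review bot: the split of lastpass.event_report.data.original on ',' into lastpass.event_report.data.user_email assumes that neither the shared folder name nor the user email ever contains a comma; if a folder name can, the email ends up in a later element and ignore_failure: true will hide that rather than surface it. The processor description is free text and not the event.action value, so its capitalization is cosmetic.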
This need not be changed as it's not the value of field event.action.
- set: | ||
field: event.action | ||
copy_from: lastpass.event_report.action | ||
ignore_failure: true |
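Review bot: ignore_failure: true on this set processor swallows every failure, not only the case where lastpass.event_report.action is absent, so type problems or a malformed document pass silently and never reach on_failure. If the intent is just to tolerate a missing source, ignore_empty_value: true (which quietly exits when the copy_from source is null or empty) or an if condition such as ctx.lastpass?.event_report?.action != null expresses that directly and leaves real errors visible.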
Can you avoid ignore_failure and instead use a conditional since ignore_failure is costly?
Hey @kcreddy,
Do you mean to use ignore_empty_value instead of ignore_failure, or do you mean to use a condition statement for a null or empty value?
You could use ignore_empty_value. I believe it's a similar implementation/efficiency as adding the if option.
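The three ways of handling a missing source field that the thread discusses, side by side, as an added illustration (this is not the LastPass integration's own pipeline; the field names are taken from the snippet under review, the Painless condition in the third variant is my own):

```yaml
# Added example: three variants of the same `set` processor. The first is
# the form under review; the other two are the alternatives proposed above.

# 1. As submitted: ignore_failure catches *any* exception the processor
#    throws, not only "source field is missing", so a malformed document or
#    a type mismatch passes silently and never reaches an on_failure handler.
- set:
    field: event.action
    copy_from: lastpass.event_report.action
    ignore_failure: true

# 2. ignore_empty_value: the processor quietly exits when the copy_from
#    source is absent, null or an empty string, and otherwise runs normally,
#    so genuine errors still fail the document (or hit on_failure).
- set:
    field: event.action
    copy_from: lastpass.event_report.action
    ignore_empty_value: true

# 3. Explicit condition: the processor only runs when the source exists.
#    The null-safe `?.` operators keep the condition itself from throwing
#    when intermediate objects (lastpass, event_report) are missing.
- set:
    field: event.action
    copy_from: lastpass.event_report.action
    if: "ctx.lastpass?.event_report?.action != null"
```

Variants 2 and 3 give the same result on a document without lastpass.event_report.action; the difference from variant 1 is that an unexpected failure of the processor is no longer hidden, which is what you want when a pipeline change is later debugged against real LastPass events.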
LGTM after change
Package lastpass - 0.2.4 containing this change is available at https://epr.elastic.co/search?package=lastpass

Type of change

What does this PR do?
Failed login
event.outcome field.

Checklist
changelog.yml file.

How to test this PR locally

Related issues
event.action. #4839

Screenshots