checkpoint: improve parsing and expose origin_sic_name #5220
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
Just minor clarifications. Otherwise LGTM 👍🏼
Resolved review threads on:
* ...eckpoint/data_stream/firewall/_dev/test/pipeline/test-checkpoint-with-time.log-expected.json
* packages/checkpoint/data_stream/firewall/_dev/test/pipeline/test-r81x.log-expected.json
Package checkpoint - 1.14.0 containing this change is available at https://epr.elastic.co/search?package=checkpoint
* retain origin_sic_name in events
* improve structured data handling and related.* deduplication
* add additional test cases, clean up, and document fields
What does this PR do?
* origin_sic_name field under checkpoint
* related.ip, related.hash and related.user entries are not duplicated.

Checklist
* changelog.yml file.

Author's Checklist

How to test this PR locally

Related issues
* originsicname #5107

Screenshots