[multiple integrations] Lowercase host.name field #6057
Ready for discussions and test
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
/test
Files with review comments:
packages/cisco_secure_endpoint/data_stream/event/elasticsearch/ingest_pipeline/default.yml
packages/fortinet_fortigate/data_stream/log/elasticsearch/ingest_pipeline/default.yml
...soft_defender_endpoint/data_stream/log/_dev/test/pipeline/test-defenderatp.log-expected.json
...point/kibana/dashboard/microsoft_defender_endpoint-65402c30-ca6a-11ea-9d4d-9737a63aaa55.json
packages/panw/data_stream/panos/elasticsearch/ingest_pipeline/globalprotect.yml
Co-authored-by: Krishna Chaitanya Reddy Burri <krish.reddy91@gmail.com>
/test
Well that's some awkward test results for panw. I am getting this locally:
Found the error. Generating new test results and will commit when done.
Ready for another test
Any updates regarding this? Do we have blockers?
/test
Minor nits, then LGTM. Will also wait for approval from @jamiehynds.
File with review comments:
packages/microsoft_defender_endpoint/data_stream/log/elasticsearch/ingest_pipeline/default.yml
…arch/ingest_pipeline/default.yml Co-authored-by: Dan Kortschak <90160302+efd6@users.noreply.github.com>
/test
/test
LGTM
/test
Hard to say, depends on the use case and how long it's used:
I feel we should still merge, but it's just good to know. The current status before we merge is that it causes issues already due to the mix of lower/upper case, so it's fixing much more.
/test
LGTM
Package cisco_secure_endpoint - 2.12.0 containing this change is available at https://epr.elastic.co/search?package=cisco_secure_endpoint
Package cisco_umbrella - 1.12.0 containing this change is available at https://epr.elastic.co/search?package=cisco_umbrella
Package fortinet_fortigate - 1.11.0 containing this change is available at https://epr.elastic.co/search?package=fortinet_fortigate
Package m365_defender - 1.9.0 containing this change is available at https://epr.elastic.co/search?package=m365_defender
Package microsoft_defender_endpoint - 2.11.0 containing this change is available at https://epr.elastic.co/search?package=microsoft_defender_endpoint
Package microsoft_dhcp - 1.12.0 containing this change is available at https://epr.elastic.co/search?package=microsoft_dhcp
Package panw - 3.8.0 containing this change is available at https://epr.elastic.co/search?package=panw
Package panw_cortex_xdr - 1.10.0 containing this change is available at https://epr.elastic.co/search?package=panw_cortex_xdr
What does this PR do?

As defined in ECS 8.7, `host.name` is preferably lowercase. The below integrations have been edited to support this.

- Cisco Secure Endpoint: `host.name`
- Cisco Umbrella: `host.name`
- PANW Cortex XDR: `host.name`
- PANW: `host.name`
- Fortinet Fortigate: `event.type: denied` when action is `deny`; `host` field: `host.name`
- Microsoft DHCP: `host.name`
- Microsoft Defender Endpoint: `host.name`
- M365 Defender:
  - `host` fields: `deviceDnsName` to `host.name`; `host.name`
  - `host` fields: `DeviceName` to `host.name` in pipelines: alert, app and identity, device; `host.name`
  - `host` fields: `deviceDnsName` to `host.name`; `host.name`

Checklist

- `changelog.yml` file.
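To make concrete why mixed-case `host.name` values "cause issues" before this change, here is an added example (not code from the elastic/integrations repository) that approximates the Elasticsearch `lowercase` processor the pipelines use and counts events per host before and after it runs. The event documents are constructed sample data; the field path and `ignore_missing` behaviour follow the processor's documented semantics.

```python
"""Model of the ECS host.name normalization this PR adds to several ingest
pipelines. Added example, not code from the elastic/integrations repository;
the events below are constructed sample documents."""
import copy
from collections import Counter
from typing import Any


def lowercase_field(doc: dict, dotted: str, ignore_missing: bool = True) -> dict:
    """Approximate the Elasticsearch `lowercase` processor for one dotted path.

    Works in place on nested dicts (host: {name: ...}) and on list values.
    With ignore_missing=True a missing field is a no-op; otherwise a KeyError
    is raised, mirroring a processor failure."""
    node: Any = doc
    *parents, leaf = dotted.split(".")
    for key in parents:
        node = node.get(key) if isinstance(node, dict) else None
        if node is None:
            if ignore_missing:
                return doc
            raise KeyError(dotted)
    if not isinstance(node, dict) or leaf not in node:
        if ignore_missing:
            return doc
        raise KeyError(dotted)
    value = node[leaf]
    node[leaf] = [v.lower() for v in value] if isinstance(value, list) else value.lower()
    return doc


def normalize_host_names(events: list) -> list:
    """Run the host.name lowercase step over a batch, leaving the input intact."""
    return [lowercase_field(copy.deepcopy(e), "host.name") for e in events]


def events_per_host(events: list) -> Counter:
    """Count events per host.name: the aggregation that mixed case fragments."""
    return Counter(e["host"].get("name") for e in events if "host" in e)


# Constructed sample: one workstation reported by three sources that disagree
# on letter case, plus an event without host.name that must pass through.
SAMPLE_EVENTS = [
    {"event": {"action": "deny"}, "host": {"name": "WS-01.corp.example"}},
    {"event": {"action": "allow"}, "host": {"name": "ws-01.corp.example"}},
    {"event": {"action": "deny"}, "host": {"name": "WS-01.CORP.EXAMPLE"}},
    {"event": {"action": "allow"}},
]

if __name__ == "__main__":
    print("before:", events_per_host(SAMPLE_EVENTS))   # three "different" hosts
    print("after: ", events_per_host(normalize_host_names(SAMPLE_EVENTS)))
```

Before normalization the same machine appears as three distinct hosts, so per-host counts, dashboards and correlation rules keyed on `host.name` split; after it, all three events collapse onto one key.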