windows: set host.os.type and host.os.family in forwarded events #6180
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
field: host.os.family
value: windows
override: false
- Since both fields are basically hard-coded, why do we need them both?
- Does this field exist for Linux and Mac too?
My understanding is that they are used in detection rules. Some rules will be based on family and some on name, it just happens that Windows was so good they named it twice.
Yes, these fields exist for other OSs, but they are not relevant here.
LGTM after the changelog entry is updated.
What does this PR do?
Set host.os.type and host.os.family to windows in forwarded events.
Checklist
changelog.yml file.
Author's Checklist
How to test this PR locally
Related issues
Screenshots
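As an added example, not code from the PR or from the integration itself: a small Python model of the ingest `set` processor semantics shown in the review snippet (field, value, override), run over two constructed forwarded events so the effect of `override: false` on an event that already carries host.os.family is visible. The host.os.type processor entry is assumed to mirror the host.os.family one.

```python
# Added example: models the Elasticsearch ingest `set` processor semantics
# (field, value, override) and applies them to constructed forwarded events.
from copy import deepcopy

# Processor entries as the PR describes them; the host.os.type entry is an
# assumption that mirrors the host.os.family entry shown in the review.
PROCESSORS = [
    {"field": "host.os.type", "value": "windows", "override": False},
    {"field": "host.os.family", "value": "windows", "override": False},
]


def _get(doc, path):
    """Resolve a dotted field path, returning None if any part is missing."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _put(doc, path, value):
    """Write a dotted field path, creating intermediate objects as needed."""
    parts = path.split(".")
    cur = doc
    for part in parts[:-1]:
        cur = cur.setdefault(part, {})
    cur[parts[-1]] = value


def set_processor(doc, field, value, override=True):
    """`set` semantics: with override=False an existing non-null value is kept."""
    if not override and _get(doc, field) is not None:
        return doc
    _put(doc, field, value)
    return doc


def run_pipeline(doc, processors=PROCESSORS):
    """Apply the processors to a copy of the event and return the result."""
    out = deepcopy(doc)
    for p in processors:
        set_processor(out, p["field"], p["value"], p.get("override", True))
    return out


# Constructed sample events: one without host.os, one that already has it.
FORWARDED_NO_OS = {"event": {"code": "4624"}, "host": {"name": "dc01"}}
FORWARDED_WITH_OS = {"event": {"code": "4624"},
                     "host": {"name": "web01", "os": {"family": "windows_server"}}}
```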