New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
symantec_endpoint: use ip_address field to populate related.ip #6549
Conversation
🌐 Coverage report
|
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This mentions the remote_host_ip
field, but I don't see any change that would affect that field or related fields. Did I mess it?
@@ -1099,6 +1110,7 @@ processors: | |||
- _conf | |||
- _csv_array | |||
- _fingerprint | |||
- _temp |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There is also a remove
in the on_failure that performs the same cleanup. Can you update that too. I wish there was a finally
block.
changes: | ||
- description: Use `ip_address` and `remote_host_ip` fields. | ||
type: enhancement | ||
link: https://github.com/elastic/integrations/pull/1 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
link: https://github.com/elastic/integrations/pull/1 | |
link: https://github.com/elastic/integrations/pull/6549 |
@@ -1,4 +1,9 @@ | |||
# newer versions go on top | |||
- version: "2.7.0" | |||
changes: | |||
- description: Use `ip_address` and `remote_host_ip` fields. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I feel like this is missing some detail like "Use ip_address to populate related.ip."
You did not miss anything. Originally I thought remote_host_ip was not being used, but this was because of the dot after the IP in the test case that I added to. |
💚 Build Succeeded
Historycc @efd6 |
Package symantec_endpoint - 2.7.0 containing this change is available at https://epr.elastic.co/search?package=symantec_endpoint |
* remove all superfluous ctx null-safe operators * use ip_address fields to populate related.ip
What does this PR do?
Uses the
symantec_endpoint.log.ip_address
andsymantec_endpoint.log.remote_host_ip
fields were possible. Also adds a test for the case whereremote_host_ip
is not contaminated with extra characters (waiting on provenance of the test case to determine whether the case should be cleaned or more effort should be put into extracting the address).Does not convert the original fields to
ip
in case they are mal-formed, so users can examine them in those cases.Checklist
changelog.yml
file.Author's Checklist
How to test this PR locally
Related issues
Screenshots