Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

symantec_endpoint: use ip_address field to populate related.ip #6549

Merged
merged 3 commits into from Jun 14, 2023
Merged

symantec_endpoint: use ip_address field to populate related.ip #6549

merged 3 commits into from Jun 14, 2023

Conversation

efd6
Copy link
Contributor

@efd6 efd6 commented Jun 13, 2023
edited

What does this PR do?

Uses the symantec_endpoint.log.ip_address and symantec_endpoint.log.remote_host_ip fields were possible. Also adds a test for the case where remote_host_ip is not contaminated with extra characters (waiting on provenance of the test case to determine whether the case should be cleaned or more effort should be put into extracting the address).

Does not convert the original fields to ip in case they are mal-formed, so users can examine them in those cases.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

Author's Checklist

  • [ ]

How to test this PR locally

Related issues

Screenshots

@efd6 efd6 self-assigned this Jun 13, 2023
@elasticmachine
Copy link

elasticmachine commented Jun 13, 2023
edited

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview preview

Expand to view the summary

Build stats

  • Start Time: 2023-06-14T00:29:25.613+0000

  • Duration: 17 min 45 sec

Test stats 🧪

Test Results
Failed 0
Passed 24
Skipped 0
Total 24

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

@elasticmachine
Copy link

🌐 Coverage report

Name Metrics % (covered/total) Diff
Packages 100.0% (1/1) 💚
Files 100.0% (1/1) 💚
Classes 100.0% (1/1) 💚
Methods 100.0% (19/19) 💚
Lines 98.936% (837/846)
Conditionals 100.0% (0/0) 💚

@efd6 efd6 marked this pull request as ready for review June 13, 2023 21:47
@efd6 efd6 requested a review from a team as a code owner June 13, 2023 21:47
@elasticmachine
Copy link

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

andrewkroh
andrewkroh reviewed Jun 13, 2023
View reviewed changes
Copy link
Member

@andrewkroh andrewkroh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This mentions the remote_host_ip field, but I don't see any change that would affect that field or related fields. Did I mess it?

packages/symantec_endpoint/data_stream/log/elasticsearch/ingest_pipeline/default.yml
@@ -1099,6 +1110,7 @@ processors:
- _conf
- _csv_array
- _fingerprint
- _temp
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is also a remove in the on_failure that performs the same cleanup. Can you update that too. I wish there was a finally block.

packages/symantec_endpoint/changelog.yml Outdated
changes:
- description: Use `ip_address` and `remote_host_ip` fields.
type: enhancement
link: https://github.com/elastic/integrations/pull/1
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
link: https://github.com/elastic/integrations/pull/1
link: https://github.com/elastic/integrations/pull/6549

packages/symantec_endpoint/changelog.yml Outdated
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "2.7.0"
changes:
- description: Use `ip_address` and `remote_host_ip` fields.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I feel like this is missing some detail like "Use ip_address to populate related.ip."

@efd6
Copy link
Contributor Author

efd6 commented Jun 14, 2023

You did not miss anything. Originally I thought remote_host_ip was not being used, but this was because of the dot after the IP in the test case that I added to.

@efd6 efd6 changed the title symantec_endpoint: use ip_address and remote_host_ip fields symantec_endpoint: use ip_address field to populate related.ip Jun 14, 2023
@efd6 efd6 requested a review from andrewkroh June 14, 2023 00:29
@elasticmachine
Copy link

💚 Build Succeeded

History

cc @efd6

@efd6 efd6 merged commit 514a5f7 into elastic:main Jun 14, 2023
4 checks passed
@elasticmachine
Copy link

Package symantec_endpoint - 2.7.0 containing this change is available at https://epr.elastic.co/search?package=symantec_endpoint

sodhikirti07 pushed a commit that referenced this pull request Jun 15, 2023
@efd6 @sodhikirti07
symantec_endpoint: use ip_address field to populate related.ip (#6549)
1b58904 
* remove all superfluous ctx null-safe operators
* use ip_address fields to populate related.ip
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@andrewkroh andrewkroh andrewkroh approved these changes

Assignees

@efd6 efd6

Labels
enhancement New feature or request Integration:Symantec-Endpoint
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[symantec_endpoint] symantec_endpoint.log.ip_address
3 participants
@efd6 @elasticmachine @andrewkroh