[ECS] Cleaning up unused ECS field usages for juniper_srx and netflow integrations #8011
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
The scope of the changes is larger than I expected.
For review purposes I was hoping we could get a PR that only addresses the invalid usages of ECS (i.e. `external: ecs` on fields that don't exist). Below are fields that are used incorrectly. If they don't appear in the ingest pipeline then they can be removed. Otherwise, the pipeline should be adjusted to use a valid ECS field.
Removing the unused fields can be its own change. That issue is not blocking the adoption of `format_version: 3.0.0`. Determining whether a field is unused takes a bit more effort to review. For example, as a reviewer I need to consider if the removed field is generated by the ingest node pipeline, the fleet final pipeline, any of the inputs, filebeat itself, any of the implicit processors (add_host_metadata, add_cloud_metadata, add_kubernetes_metadata). That will take me a bit more time to ensure correctness so I would like to separate the changes.
# Netflow
as.organization.name
geo.city_name
geo.continent_name
geo.country_iso_code
geo.country_name
geo.location
geo.name
geo.region_iso_code
geo.region_name
hash.md5
hash.sha1
hash.sha256
hash.sha512
os.family
os.full
os.kernel
os.name
os.platform
os.version
# Juniper SRX
as.organization.name
code_signature.exists
code_signature.status
code_signature.subject_name
code_signature.trusted
code_signature.valid
hash.md5
hash.sha1
hash.sha256
hash.sha512
pe.architecture
pe.company
pe.description
pe.file_version
pe.imphash
pe.original_file_name
pe.product
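A lint-style check for the invalid usage described in the review comment above, as an added example that is not part of the PR or the integrations repository. It assumes a flat fields file of `- external: ecs` / `name:` entries and rejects only the root prefixes that appear in the two lists above; the sample file content is constructed.

```python
import re

# Root prefixes taken from the field names flagged in the review comment.
# Assumption: a real check would compare names against the ECS schema
# version pinned by the package rather than against this short set.
FLAGGED_ROOTS = {"as", "geo", "hash", "os", "code_signature", "pe"}

# Constructed sample of a package fields file (not copied from the repository).
SAMPLE_FIELDS_YML = """\
- external: ecs
  name: source.as.organization.name
- external: ecs
  name: as.organization.name
- name: hash.md5
  external: ecs
- name: netflow.exporter.version
  type: long
- external: ecs
  name: destination.geo.city_name
- external: ecs
  name: geo.city_name
"""

def parse_entries(text):
    """Split a flat fields list into dicts of its scalar key/value pairs."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"^(-\s+|\s+)([A-Za-z_]+):\s*(\S.*)?$", line)
        if not m:
            continue
        if m.group(1).startswith("-"):  # "- key: value" starts a new entry
            entries.append({})
        if entries:
            entries[-1][m.group(2)] = (m.group(3) or "").strip()
    return entries

def invalid_ecs_usages(text, flagged_roots=FLAGGED_ROOTS):
    """Return names declared `external: ecs` whose root segment is flagged."""
    return [
        e["name"]
        for e in parse_entries(text)
        if e.get("external") == "ecs"
        and e.get("name", "").split(".")[0] in flagged_roots
    ]

if __name__ == "__main__":
    for name in invalid_ecs_usages(SAMPLE_FIELDS_YML):
        print(f"invalid ECS usage: {name}")
```

Nested names such as `source.as.organization.name` pass because only the first path segment is compared; custom fields without `external: ecs` are ignored.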
b90041f to 6fa71d4
/test
@andrewkroh Updated the PR to only be the invalid fields. They do not exist in the pipelines, so it's just removals.
Pretty sure the build is only unhappy due to docker issues https://www.dockerstatus.com/, so will re-run when it looks like things are better
/test
/test
Package juniper_srx - 1.16.2 containing this change is available at https://epr.elastic.co/search?package=juniper_srx
Package netflow - 2.15.2 containing this change is available at https://epr.elastic.co/search?package=netflow
What does this PR do?
This is a further continuation of #7965 as there were some more unused ECS fields at the root-level (see comment).
Checklist
changelog.yml file.
Related issues