-
Notifications
You must be signed in to change notification settings - Fork 387
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cisco FTD | Create security_event
fields from flattened security
field
#8490
Conversation
🌐 Coverage report
|
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
security_event
fields from flattened security
field
packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml
Outdated
Show resolved
Hide resolved
packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml
Outdated
Show resolved
Hide resolved
packages/cisco_ftd/data_stream/log/elasticsearch/ingest_pipeline/default.yml
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ISTM that this could be claimed to be a breaking change; if a user has an @custom
pipeline that copies fields out of cisco.ftd.security.*
and they are in the set of fields that are now moved to cisco.ftd.security_event.*
then their custom pipeline will fail to result in documents whose structure downstream analysis may depend on.
I am not sure how we can handle this problem efficiently because |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if a user has an
@custom
pipeline that copies fields out of cisco.ftd.security.* and they are in the set of fields that are now moved to cisco.ftd.security_event.* then their custom pipeline will fail.I am not sure how we can handle this problem efficiently because
@custom
pipeline is always applied at the very end of the pipeline. Instead of moving, we can just copy the fields intocisco.ftd.security_event.*
, thus keeping existing fields intact, but that creates a lot of duplicates. We could possibly inform the users that this upgrade will be a breaking change from the Fleet UI if thats how breaking changes are handled.
I think we should ensure it is in the changelog title at least, as that is more prominent in the UI now compared to before, so that people know exactly what is going on.
We could keep the fields as well, but with that amount of fields it is a bit waste. I think we should just let @jamiehynds conclude on which approach we should take.
From my side its all good as long as its shown in the changelog and readme 👍
Updated the changelog title with |
cc @jamiehynds |
@kcreddy sorry I missed the original ping from Marius. As long as we're reflecting the breaking change in the changelog (and thus appearing in the UI when a user upgrades the integration), all good with me. |
Hey @jamie @P1llus , I have added following to the changelog description: |
Package cisco_ftd - 3.0.0 containing this change is available at https://epr.elastic.co/search?package=cisco_ftd |
Proposed commit message
cisco.ftd.security
into new fieldcisco.ftd.security_event
.cisco.ftd.security_event
which was not possible due to flattenedcisco.ftd.security
field.Checklist
changelog.yml
file.How to test this PR locally
Run this command for pipeline tests:
$ elastic-package stack down && elastic-package build && elastic-package stack up --version=8.10.3 -d -v && eval "$(elastic-package stack shellinit)" && elastic-package test pipeline --generate -v
Expected files are now updated with new field
cisco.ftd.security_event
containing the fields listed from the linked issue.Related issues
cisco.ftd.security
asflattened
#5769