diff --git a/packages/ping_one/changelog.yml b/packages/ping_one/changelog.yml
index 4290a941d152..9c615eba1589 100644
--- a/packages/ping_one/changelog.yml
+++ b/packages/ping_one/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.13.2"
+ changes:
+ - description: Fix ingest pipeline conditional field handling.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/9076
 - version: "1.13.1"
 changes:
 - description: Changed owners
diff --git a/packages/ping_one/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/ping_one/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
index 26f69500c9d4..c10a35aa0c62 100644
--- a/packages/ping_one/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/ping_one/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
@@ -21,51 +21,57 @@ processors:
 value: [iam]
 - append:
 field: event.category
- if: ctx.json?.action?.type?.toLowerCase().contains('created') || ctx.json.action.type.toLowerCase().contains('deleted') || ctx.json.action.type.toLowerCase().contains('updated') || ctx.json.action.type.toLowerCase().contains('access_allowed')
+ if: >-
+ ctx.json?.action?.type != null && (
+ ctx.json.action.type.toLowerCase().contains('created') ||
+ ctx.json.action.type.toLowerCase().contains('deleted') ||
+ ctx.json.action.type.toLowerCase().contains('updated') ||
+ ctx.json.action.type.toLowerCase().contains('access_allowed')
+ )
 value: [configuration]
 - append:
 field: event.type
- if: ctx.json?.action?.type?.toLowerCase().contains('created')
+ if: ctx.json?.action?.type?.toLowerCase()?.contains('created') == true
 value: [creation]
 - append:
 field: event.type
- if: ctx.json?.action?.type?.toLowerCase().contains('deleted')
+ if: ctx.json?.action?.type?.toLowerCase()?.contains('deleted') == true
 value: [deletion]
 - append:
 field: event.type
- if: ctx.json?.action?.type?.toLowerCase().contains('updated')
+ if: ctx.json?.action?.type?.toLowerCase()?.contains('updated') == true
 value: [change]
 - append:
 field: event.type
- if: ctx.json?.action?.type?.toLowerCase().contains('user')
+ if: ctx.json?.action?.type?.toLowerCase()?.contains('user') == true
 value: [user]
 - append:
 field: event.type
- if: ctx.json?.action?.type?.toLowerCase().contains('group')
+ if: ctx.json?.action?.type?.toLowerCase()?.contains('group') == true
 value: [group]
 - append:
 field: event.type
- if: ctx.json?.action?.type?.toLowerCase().contains('allowed')
+ if: ctx.json?.action?.type?.toLowerCase()?.contains('allowed') == true
 value: [info]
 - append:
 field: event.type
- if: ctx.json?.action?.type?.toLowerCase().contains('denied')
+ if: ctx.json?.action?.type?.toLowerCase()?.contains('denied') == true
 value: [denied]
 - append:
 field: event.type
- if: ctx.json?.action?.type?.toLowerCase().contains('started')
+ if: ctx.json?.action?.type?.toLowerCase()?.contains('started') == true
 value: [start]
 - append:
 field: event.type
- if: ctx.json?.action?.type?.toLowerCase().contains('access_allowed')
+ if: ctx.json?.action?.type?.toLowerCase()?.contains('access_allowed') == true
 value: [access]
 - append:
 field: event.category
- if: ctx.json?.action?.type?.toLowerCase().contains('password.check_succeeded')
+ if: ctx.json?.action?.type?.toLowerCase()?.contains('password.check_succeeded') == true
 value: [authentication]
 - append:
 field: event.category
- if: ctx.json?.action?.type?.toLowerCase().contains('email')
+ if: ctx.json?.action?.type?.toLowerCase()?.contains('email') == true
 value: [email]
 - set:
 field: event.type
diff --git a/packages/ping_one/manifest.yml b/packages/ping_one/manifest.yml
index 81e8a60371db..f9f7dd94aad0 100644
--- a/packages/ping_one/manifest.yml
+++ b/packages/ping_one/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.0"
 name: ping_one
 title: PingOne
-version: "1.13.1"
+version: "1.13.2"
 description: Collect logs from PingOne with Elastic-Agent.
 type: integration
 categories:
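Review bot: The first rewritten condition (the `event.category` append that yields `[configuration]`) expresses the null guard as `ctx.json?.action?.type != null && ( ... )`, while the eleven conditions below it use the `?.toLowerCase()?.contains(...) == true` form, so the same intent is now written two different ways in one pipeline and the next edit is likely to drift between them. Using the null-safe form for that first condition as well keeps every `if` reviewable against one pattern; a follow-up could lower-case `action.type` once into a temporary field and drop the repeated `toLowerCase()` calls entirely. Neither form guards against `action.type` arriving as a non-string value, where `toLowerCase()` would presumably throw and fail the document unless an `on_failure` handler exists — that handler, if any, is outside this hunk, so confirm it before relying on it. The `processors` list begins before the hunk and continues after the trailing `- set:`.
```yaml
      if: >-
        ctx.json?.action?.type?.toLowerCase()?.contains('created') == true ||
        ctx.json?.action?.type?.toLowerCase()?.contains('deleted') == true ||
        ctx.json?.action?.type?.toLowerCase()?.contains('updated') == true ||
        ctx.json?.action?.type?.toLowerCase()?.contains('access_allowed') == true
      value: [configuration]
```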