Microsoft Defender for Endpoint: Logstash compatibility. Remove message field if event.original exists #9522
Conversation
In instances where the `event.original` field already exists, not specifically removing the `message` field breaks the rename processor where `json.title` is moved to the `message` field.
💚 CLA has been signed
Please add a changelog entry and bump the version in the manifest.
Done

/test

🚀 Benchmarks report: To see the full report comment with
💚 Build Succeeded
Quality Gate passed. Kudos, no new issues were introduced! 0 New issues

Package microsoft_defender_endpoint - 2.24.2 containing this change is available at https://epr.elastic.co/search?package=microsoft_defender_endpoint
Proposed commit message
In instances where the `event.original` field already exists when received by the ingest pipeline, such as when the sender is Logstash with `ecs_compatibility` set to either `v1` or `v8`, not specifically removing the `message` field breaks the rename processor where `json.title` is moved to the `message` field. To solve that issue, this PR adds a separate remove processor that removes the `message` field if the `event.original` field is present. This then allows the later `json.title` rename processor to work.

Checklist

changelog.yml file.
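The failure mode and the fix described in this PR, as an added illustration that is not the integration's own pipeline: a small Python model of the `rename`, `remove` and `json` ingest processors, run over two constructed events, one shaped like what Filebeat sends (only `message`) and one shaped like what Logstash with `ecs_compatibility` v1/v8 sends (`event.original` already populated). The processor sequence is an assumed shape, not the package's actual pipeline, and the Python callables stand in for the Painless `if` conditions such as `ctx.event?.original != null`. The key behaviour it reproduces is that `rename` refuses to overwrite an existing target field, so while `message` is still present the `json.title` rename fails.

```python
"""Toy model of the ingest processors touched by this PR.

Added example, not the integration's own pipeline: the processor sequence
is an assumed shape and the sample events are constructed. Only the
`rename`, `remove` and `json` processors are modelled. As in Elasticsearch,
`rename` fails when the target field already exists, which is why the
pre-fix pipeline broke whenever `message` survived up to the final rename.
"""
import json
from copy import deepcopy


class ProcessorError(Exception):
    """Mimics an ingest processor failure (the pipeline stops here)."""


def get_path(doc, path):
    cur = doc
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def set_path(doc, path, value):
    *parents, leaf = path.split(".")
    cur = doc
    for key in parents:
        cur = cur.setdefault(key, {})
    cur[leaf] = value


def del_path(doc, path):
    *parents, leaf = path.split(".")
    cur = doc
    for key in parents:
        cur = cur.get(key) if isinstance(cur, dict) else None
        if cur is None:
            return
    if isinstance(cur, dict):
        cur.pop(leaf, None)


def run_pipeline(processors, event):
    """Apply processors in order; `if` is a Python callable standing in for Painless."""
    doc = deepcopy(event)
    for proc in processors:
        (kind, spec), = proc.items()
        cond = spec.get("if")
        if cond is not None and not cond(doc):
            continue
        if kind == "remove":
            del_path(doc, spec["field"])
        elif kind == "json":
            set_path(doc, spec["target_field"], json.loads(get_path(doc, spec["field"])))
        elif kind == "rename":
            value = get_path(doc, spec["field"])
            if value is None:
                if spec.get("ignore_missing"):
                    continue
                raise ProcessorError(f"field [{spec['field']}] doesn't exist")
            if get_path(doc, spec["target_field"]) is not None:
                raise ProcessorError(f"field [{spec['target_field']}] already exists")
            set_path(doc, spec["target_field"], value)
            del_path(doc, spec["field"])
        else:
            raise ProcessorError(f"unsupported processor [{kind}]")
    return doc


def no_original(doc):
    return get_path(doc, "event.original") is None


def has_original(doc):
    return get_path(doc, "event.original") is not None


# Assumed pre-fix shape: preserve the raw event, parse it, surface the alert title.
PIPELINE_BEFORE = [
    {"rename": {"field": "message", "target_field": "event.original",
                "ignore_missing": True, "if": no_original}},
    {"json": {"field": "event.original", "target_field": "json"}},
    {"rename": {"field": "json.title", "target_field": "message"}},
]

# The fix from this PR: drop `message` when `event.original` is already populated.
PIPELINE_AFTER = [
    PIPELINE_BEFORE[0],
    {"remove": {"field": "message", "if": has_original}},
    *PIPELINE_BEFORE[1:],
]

RAW = '{"title": "Suspicious process injection", "severity": "High"}'  # constructed

# Constructed inputs: Filebeat sends only `message`; Logstash with
# ecs_compatibility v1/v8 has already copied it into `event.original`.
EVENT_FROM_FILEBEAT = {"message": RAW}
EVENT_FROM_LOGSTASH = {"message": RAW, "event": {"original": RAW}}


def title_after(processors, event):
    """Return the final `message` value, or the processor error text."""
    try:
        return get_path(run_pipeline(processors, event), "message")
    except ProcessorError as exc:
        return f"error: {exc}"


if __name__ == "__main__":
    for name, pipeline in (("before", PIPELINE_BEFORE), ("after", PIPELINE_AFTER)):
        for src, ev in (("filebeat", EVENT_FROM_FILEBEAT), ("logstash", EVENT_FROM_LOGSTASH)):
            print(f"{name:6} {src:8} -> {title_after(pipeline, ev)!r}")
```

Running it shows the pre-fix pipeline succeeding for the Filebeat-shaped event but failing with "field [message] already exists" for the Logstash-shaped one, and the post-fix pipeline succeeding for both while keeping `event.original` intact. The conditional `remove` is placed right after the first `rename` so that it is a no-op on the Filebeat path (where `message` has already been moved) and only acts when the sender pre-populated `event.original`.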