
Microsoft Defender for Endpoint: Logstash compatibility. Remove message field if event.original exists #9522

Merged
merged 4 commits into from Apr 4, 2024

Conversation

haam3r
Contributor

@haam3r haam3r commented Apr 4, 2024

  • Bug

Proposed commit message

In instances where the event.original field already exists when received by the ingest pipeline, such as when the sender is Logstash with ecs_compatibility set to either v1 or v8, not specifically removing the message field breaks the rename processor where json.title is moved to the message field.

To solve that issue, this PR adds a separate remove processor that removes the message field if the event.original field is present. This then allows the later json.title rename processor to work.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
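A minimal ingest-pipeline sketch of the ordering the description relies on (an added illustration, not the integration's actual pipeline: the json.title rename and the conditional remove come from the description; the leading message-to-event.original rename, the json decode step and the `ignore_missing` options are assumptions):

```yaml
processors:
  # Normal path: the raw event arrives in message and is preserved as
  # event.original. Skipped when the sender already populated event.original.
  - rename:
      field: message
      target_field: event.original
      if: ctx.event?.original == null
      ignore_missing: true
  # Logstash path (ecs_compatibility v1 or v8): event.original is already set,
  # so the rename above is skipped and message would linger. Drop it so the
  # json.title rename below does not fail on an existing target field.
  - remove:
      field: message
      if: ctx.event?.original != null
      ignore_missing: true
  # Assumed decode step: the raw event in event.original is parsed into json.*
  - json:
      field: event.original
      target_field: json
  # The rename processor refuses to overwrite an existing target field, which
  # is why message must be gone by this point on both paths.
  - rename:
      field: json.title
      target_field: message
      ignore_missing: true
```

The conditional remove is the only processor the fix adds; without it, documents that arrive with event.original already set keep their message field and the final rename errors out.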

In instances where the event.original field already exists, not specifically removing the message field breaks the rename processor where json.title is moved to the message field.
@haam3r haam3r requested a review from a team as a code owner April 4, 2024 05:28

cla-checker-service bot commented Apr 4, 2024

💚 CLA has been signed

Contributor

@efd6 efd6 left a comment


Please add a changelog entry and bump the version in the manifest.

@haam3r
Contributor Author

haam3r commented Apr 4, 2024

Please add a changelog entry and bump the version in the manifest.

Done

@efd6
Contributor

efd6 commented Apr 4, 2024

/test

@elasticmachine

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@elasticmachine

💚 Build Succeeded


@efd6 efd6 merged commit d4c60a9 into elastic:main Apr 4, 2024
5 checks passed
@elasticmachine

Package microsoft_defender_endpoint - 2.24.2 containing this change is available at https://epr.elastic.co/search?package=microsoft_defender_endpoint

@haam3r haam3r deleted the microsoft_defender_pipeline_compatibility branch April 5, 2024 06:34