[SSI integrations] Set response.split.ignore_empty_value: true
#9974
Conversation
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)
Package 1password - 1.28.0 containing this change is available at https://epr.elastic.co/search?package=1password
Package atlassian_jira - 1.25.0 containing this change is available at https://epr.elastic.co/search?package=atlassian_jira
Package bitwarden - 1.12.0 containing this change is available at https://epr.elastic.co/search?package=bitwarden
Package carbon_black_cloud - 2.1.0 containing this change is available at https://epr.elastic.co/search?package=carbon_black_cloud
Package cisa_kevs - 1.1.0 containing this change is available at https://epr.elastic.co/search?package=cisa_kevs
Package cloudflare - 2.26.0 containing this change is available at https://epr.elastic.co/search?package=cloudflare
Package forgerock - 1.16.0 containing this change is available at https://epr.elastic.co/search?package=forgerock
Package google_scc - 1.3.0 containing this change is available at https://epr.elastic.co/search?package=google_scc
Package google_workspace - 2.22.0 containing this change is available at https://epr.elastic.co/search?package=google_workspace
Package infoblox_bloxone_ddi - 1.17.0 containing this change is available at https://epr.elastic.co/search?package=infoblox_bloxone_ddi
Package lumos - 1.1.0 containing this change is available at https://epr.elastic.co/search?package=lumos
Package m365_defender - 2.10.0 containing this change is available at https://epr.elastic.co/search?package=m365_defender
Package microsoft_exchange_online_message_trace - 1.20.0 containing this change is available at https://epr.elastic.co/search?package=microsoft_exchange_online_message_trace
Package mimecast - 1.25.0 containing this change is available at https://epr.elastic.co/search?package=mimecast
Package panw_cortex_xdr - 1.26.0 containing this change is available at https://epr.elastic.co/search?package=panw_cortex_xdr
Package ping_one - 1.15.0 containing this change is available at https://epr.elastic.co/search?package=ping_one
Package proofpoint_tap - 1.20.0 containing this change is available at https://epr.elastic.co/search?package=proofpoint_tap
Package rapid7_insightvm - 1.11.0 containing this change is available at https://epr.elastic.co/search?package=rapid7_insightvm
Package sentinel_one - 1.21.0 containing this change is available at https://epr.elastic.co/search?package=sentinel_one
Package slack - 1.20.0 containing this change is available at https://epr.elastic.co/search?package=slack
Package snyk - 1.22.0 containing this change is available at https://epr.elastic.co/search?package=snyk
Package tenable_sc - 1.22.0 containing this change is available at https://epr.elastic.co/search?package=tenable_sc
Package ti_cif3 - 1.13.0 containing this change is available at https://epr.elastic.co/search?package=ti_cif3
Package ti_cybersixgill - 1.28.0 containing this change is available at https://epr.elastic.co/search?package=ti_cybersixgill
Package ti_eset - 1.1.0 containing this change is available at https://epr.elastic.co/search?package=ti_eset
Package ti_mandiant_advantage - 1.2.0 containing this change is available at https://epr.elastic.co/search?package=ti_mandiant_advantage
Package ti_misp - 1.33.0 containing this change is available at https://epr.elastic.co/search?package=ti_misp
Package ti_rapid7_threat_command - 1.16.0 containing this change is available at https://epr.elastic.co/search?package=ti_rapid7_threat_command
Package ti_threatq - 1.27.0 containing this change is available at https://epr.elastic.co/search?package=ti_threatq
Package trend_micro_vision_one - 1.18.0 containing this change is available at https://epr.elastic.co/search?package=trend_micro_vision_one
Package zerofox - 1.24.0 containing this change is available at https://epr.elastic.co/search?package=zerofox
Package zeronetworks - 1.14.0 containing this change is available at https://epr.elastic.co/search?package=zeronetworks
Proposed commit message

…stic#9974)

For integrations that use `response.split` options to split on a list, don't explicitly set the `ignore_empty_value` option, and don't keep parent fields, we usually don't want to index a document if the target list is empty. However, the default functionality is to index the whole document if the split target is empty, so this change sets `ignore_empty_value: true` explicitly.

The [`response.split` documentation][1] says:

> If the split target is empty the parent document will be kept.
> If documents with empty splits should be dropped, the
> `ignore_empty_value` option should be set to `true`.

[1]: https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#response-split
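As an added illustration, not part of this PR or of the Filebeat httpjson code, the following Python model reproduces the documented `response.split` rule so the effect of the default versus `ignore_empty_value: true` can be seen on a concrete response. The `split_response` function, the `body.items` target and the sample responses are constructed for this example.

```python
"""Model of the documented httpjson response.split behaviour (not the Filebeat implementation)."""
import copy
from typing import Any


def _resolve(doc: dict, path: str) -> Any:
    """Walk a dotted target such as 'body.items' through nested dicts; None if absent."""
    cur: Any = doc
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def split_response(doc: dict, target: str, keep_parent: bool = False,
                   ignore_empty_value: bool = False) -> list:
    """Return the documents that would be published for one API response.

    Documented rule modelled here: a non-empty list at `target` yields one
    document per element; an empty (or missing) list keeps the whole parent
    document unless ignore_empty_value is true, in which case nothing is
    published. With keep_parent, each element replaces the list in a copy of
    the parent instead of becoming the document on its own.
    """
    items = _resolve(doc, target)
    if not items:  # None or []
        return [] if ignore_empty_value else [copy.deepcopy(doc)]
    out = []
    for item in items:
        if keep_parent:
            child = copy.deepcopy(doc)
            parent, _, leaf = target.rpartition(".")
            container = _resolve(child, parent) if parent else child
            container[leaf] = copy.deepcopy(item)
            out.append(child)
        else:
            out.append(copy.deepcopy(item))
    return out


# Constructed API responses for the demo, not from any real integration.
EMPTY_PAGE = {"body": {"items": [], "next_cursor": "abc"}}
FULL_PAGE = {"body": {"items": [{"id": 1}, {"id": 2}], "next_cursor": "abc"}}


def demo() -> dict:
    """Show the default (parent indexed) against the PR's setting (nothing indexed)."""
    return {
        "default_empty": split_response(EMPTY_PAGE, "body.items"),
        "fixed_empty": split_response(EMPTY_PAGE, "body.items", ignore_empty_value=True),
        "full": split_response(FULL_PAGE, "body.items"),
    }
```

With the default, an empty page is published as one document containing only `body.next_cursor`, which is the stray event the PR sets out to stop.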
Discussion
The effects of the somewhat counterintuitive default split behavior are sometimes reported by users, as was the case in #9705.
I used the following Python script to identify and update relevant cases.
fix.py
Its summary was:
I left out the AWS Security Hub changes already handled in #9705.
Some minor formatting changes are included.
Related issues

- response.split.ignore_empty_value: true (#9815)