elasticmachine
commented
1 week ago Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)
Closed aleksmaus closed 5 days ago
elasticmachine
commented
1 week ago Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)
elastic-vault-github-plugin-prod[bot]
commented
1 week ago To see the full report comment with /test benchmark fullreport
aleksmaus
commented
5 days ago Do we want to handle
observer.ipas well?
I don't know what are the rules. Do we usually add that related.ip?
The original ticket doesn't say anything about this.
taylor-swanson
commented
5 days ago I poked around other integrations. While we're not great at setting related fields, I am seeing other integrations adding observer fields to the related fields, so we should do the same here. If you don't want to mess with the painless script, you could add an append processor for observer.ip instead.
taylor-swanson
commented
5 days ago This is what ECS says about related.ip:
aleksmaus
commented
5 days ago Added observer.ip to related.ip
elastic-sonarqube[bot]
commented
5 days ago 
Quality Gate passedIssues
0 New issues
0 Fixed issues
0 Accepted issues
Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code
elasticmachine
commented
5 days ago cc @aleksmaus
elastic-vault-github-plugin-prod[bot]
commented
5 days ago Package netflow - 2.19.0 containing this change is available at https://epr.elastic.co/search?package=netflow
Proposed commit message
Append all ip addresses found to the related.ip field.
I was not sure if the original issue meant specific fields, if yes then ipv6 was not included in the list.
Anyways, in the first cut appending all the fields that end with
*_ipv4_addressor*_ipv6_address. Can redo if the list of the fields limited to just: netflow.post_nat_destination_ipv4_address , netflow.post_nat_source_ipv4_address, netflow.post_nat_destination_ipv6_address , netflow.post_nat_source_ipv6_address.Let me know.
Checklist
changelog.ymlfile.Related issues