Closed aleksmaus closed 5 days ago
Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)
To see the full report comment with /test benchmark fullreport
Do we want to handle observer.ip as well? I don't know what the rules are. Do we usually add that to related.ip? The original ticket doesn't say anything about this.
I poked around other integrations. While we're not great at setting related fields, I am seeing other integrations adding observer fields to the related fields, so we should do the same here. If you don't want to mess with the painless script, you could add an append processor for observer.ip instead.
This is what ECS says about related.ip:
Added observer.ip to related.ip
Issues: 0 New issues, 0 Fixed issues, 0 Accepted issues
Measures: 0 Security Hotspots, 100.0% Coverage on New Code, 0.0% Duplication on New Code
cc @aleksmaus
Package netflow - 2.19.0 containing this change is available at https://epr.elastic.co/search?package=netflow
Proposed commit message
Append all IP addresses found to the related.ip field.
I was not sure if the original issue meant specific fields; if so, IPv6 was not included in the list.
Anyway, in the first cut I am appending all the fields that end with *_ipv4_address or *_ipv6_address. I can redo it if the list of fields is limited to just netflow.post_nat_destination_ipv4_address, netflow.post_nat_source_ipv4_address, netflow.post_nat_destination_ipv6_address and netflow.post_nat_source_ipv6_address. Let me know.
Checklist
changelog.yml file.
Related issues