Open arvchristos opened 3 days ago
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)
@arvchristos ISTM that we can just set darktrace.model_breach_alert.is_acknowledged to true if acknowledged.time exists and is in the past. Would that work for you?
I was unable to find any documentation for the logging format/fields used by Darktrace, that is not published by someone else. Are you aware of any? Are you able to donate some sanitised logs for testing?
Hello,
While using the Darktrace integration for Elastic, we encountered several parsing errors while ingesting model breaches. These errors refer to the `acknowledged` field of the JSON stream, which is a JSON field with the following format:

However, as you can see in the lines below, this is treated as boolean: https://github.com/elastic/integrations/blob/main/packages/darktrace/data_stream/model_breach_alert/elasticsearch/ingest_pipeline/default.yml#L493-L497
This parser seems quite off. The error messages we get are the following:
This value is useful; however, it does not add too much value, as it is only a snapshot of the model breach at the time of ingestion. As far as I know, Elastic Agent cannot update documents already ingested, and a breach that is not acknowledged on ingestion may be acknowledged later on, so by the time of query this field is already stale.
I suggest either removing it completely or fixing the parsing.
Thank you for the great integration,
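The approach suggested in the thread (derive a boolean from `acknowledged.time` when the field is an object rather than a boolean), written out as an added Python example. This is not code from the Darktrace integration or from either participant. The page does not show the actual shape of Darktrace's `acknowledged` object, so the example assumes it is either a plain boolean or an object with a `time` subfield holding an ISO 8601 string or epoch milliseconds; the sample alerts, the `pbid` key and the `enrich`/`is_acknowledged` helpers are constructed for illustration.

```python
"""
Added example (not part of the Darktrace integration or of this issue): derive a
boolean `is_acknowledged` from a model breach's `acknowledged` field.

Assumptions (hypothetical, not taken from Darktrace documentation):
  * `acknowledged` is either a JSON boolean or a JSON object;
  * when it is an object, a `time` subfield (ISO 8601 string or epoch ms)
    records when the breach was acknowledged.
An alert counts as acknowledged only if that time exists and is not in the future.
"""
from __future__ import annotations

import json
from datetime import datetime, timezone
from typing import Any

# Constructed sample alerts for illustration; not real Darktrace output.
SAMPLE_ALERTS = [
    '{"pbid": 1, "acknowledged": false}',
    '{"pbid": 2, "acknowledged": true}',
    '{"pbid": 3, "acknowledged": {"time": "2024-01-02T03:04:05Z"}}',
    '{"pbid": 4, "acknowledged": {"time": 1704164645000}}',
    '{"pbid": 5, "acknowledged": {"time": "2999-01-01T00:00:00Z"}}',
    '{"pbid": 6, "acknowledged": {}}',
    '{"pbid": 7}',
]

# Fixed reference instant so the constructed samples give reproducible results.
REFERENCE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _parse_time(value: Any) -> datetime | None:
    """Accept an ISO 8601 string or epoch milliseconds; return an aware UTC datetime."""
    if isinstance(value, bool):  # bool is a subclass of int; never treat it as a timestamp
        return None
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value / 1000, tz=timezone.utc)
    if isinstance(value, str):
        text = value.strip()
        if text.endswith("Z"):  # fromisoformat on older Pythons does not accept a trailing Z
            text = text[:-1] + "+00:00"
        try:
            parsed = datetime.fromisoformat(text)
        except ValueError:
            return None
        if parsed.tzinfo is None:
            parsed = parsed.replace(tzinfo=timezone.utc)
        return parsed.astimezone(timezone.utc)
    return None


def is_acknowledged(alert: dict, now: datetime) -> bool:
    """True if `acknowledged` is boolean true, or an object whose `time` is in the past."""
    ack = alert.get("acknowledged")
    if isinstance(ack, bool):
        return ack
    if isinstance(ack, dict):
        when = _parse_time(ack.get("time"))
        return when is not None and when <= now
    return False  # missing or unrecognised value: do not fail the whole document


def enrich(raw: str, now: datetime) -> dict:
    """Parse one raw alert and attach the derived `is_acknowledged` flag."""
    alert = json.loads(raw)
    alert["is_acknowledged"] = is_acknowledged(alert, now)
    return alert


def enrich_all(raws=SAMPLE_ALERTS, now=REFERENCE_NOW) -> dict[int, bool]:
    """Map each sample's pbid to its derived flag."""
    return {
        (alert := enrich(raw, now))["pbid"]: alert["is_acknowledged"] for raw in raws
    }


if __name__ == "__main__":
    for pbid, flag in enrich_all().items():
        print(pbid, flag)
```

Note that the derived flag is still only a snapshot taken at ingestion, as the issue points out; a breach acknowledged after the document was indexed will not be reflected unless the document is re-ingested or updated by some other process.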