Overview
There appear to be several data stream fields from the Google Workspace integration that are not mapped in their related data stream field files.
Example:
google_workspace.drive.owner_is_team_drive
Not found in Drive data stream fields file: https://github.com/elastic/integrations/blob/main/packages/google_workspace/data_stream/drive/fields/fields.yml
The detection rules repository leverages these schemas, beats and ECS to validate fields included in rule queries and if not found raises errors so PRs are unable to merge with new or tuned rules.
This is not a blocker since we have a non-ecs.json file that is loaded as well that lets us manually add fields and their associated field types.
Since I have a heavily used Google Workspace lab already established, I can pull field mappings for each data stream and provide a list of fields that are not in the associated data stream field files so they can be added. I will update this comment once I have pulled those fields and finished a diff.
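The diff described above, as an added example that is not part of the original issue or of the detection-rules or integrations repositories: it flattens the "properties" tree of a data stream mapping (the shape returned by the mapping API) and the entries of an integration fields.yml into dotted field names, then lists the fields the mapping has that the fields file lacks, with their mapped types. Both inputs are constructed samples; the fields.yml content is embedded as equivalent JSON so the script needs no YAML library, and only google_workspace.drive.owner_is_team_drive is a field named on this page, the rest are placeholders.

```python
"""Added example (not from the original issue): diff an Elasticsearch data
stream mapping against an integration's fields.yml and list the fields the
fields file is missing, together with their mapped types.

All inputs below are constructed samples, not real Google Workspace
mappings; google_workspace.drive.owner_is_team_drive is the field the issue
names, the other names are placeholders."""
import json

# Constructed sample: the "properties" tree of a data stream mapping,
# trimmed to a handful of fields. Real mappings are far larger.
SAMPLE_MAPPING = json.loads("""
{
  "properties": {
    "google_workspace": {
      "properties": {
        "drive": {
          "properties": {
            "owner_is_team_drive": {"type": "boolean"},
            "file": {
              "properties": {
                "id": {"type": "keyword"},
                "type": {"type": "keyword"}
              }
            },
            "visibility": {"type": "keyword"}
          }
        }
      }
    },
    "event": {"properties": {"action": {"type": "keyword"}}}
  }
}
""")

# Constructed sample: the integration's fields.yml, written here as the
# equivalent JSON so no YAML library is needed. Integration fields files
# nest subfields under a "group" entry's "fields" list.
SAMPLE_FIELDS_YML = json.loads("""
[
  {"name": "google_workspace.drive", "type": "group", "fields": [
    {"name": "file", "type": "group", "fields": [
      {"name": "id", "type": "keyword"},
      {"name": "type", "type": "keyword"}
    ]},
    {"name": "visibility", "type": "keyword"}
  ]}
]
""")


def flatten_mapping(properties: dict, prefix: str = "") -> dict:
    """Walk a mapping 'properties' tree and return {dotted.field: type}.
    Objects that only carry nested properties are recursed into, not
    reported as fields themselves."""
    out = {}
    for name, spec in properties.items():
        path = f"{prefix}.{name}" if prefix else name
        if "properties" in spec:
            out.update(flatten_mapping(spec["properties"], path))
        else:
            out[path] = spec.get("type", "object")
    return out


def flatten_fields_yml(entries: list, prefix: str = "") -> dict:
    """Walk a parsed fields.yml list and return {dotted.field: type}.
    'group' entries only contribute their children."""
    out = {}
    for entry in entries:
        path = f"{prefix}.{entry['name']}" if prefix else entry["name"]
        if entry.get("type") == "group":
            out.update(flatten_fields_yml(entry.get("fields", []), path))
        else:
            out[path] = entry.get("type", "keyword")
    return out


def missing_fields(mapping: dict, fields_yml: list, namespace: str) -> dict:
    """Fields present in the live mapping under `namespace` but absent from
    fields.yml. ECS fields such as event.* are validated against ECS, so
    only the integration's own namespace is compared."""
    mapped = flatten_mapping(mapping["properties"])
    declared = flatten_fields_yml(fields_yml)
    return {f: t for f, t in mapped.items()
            if f.startswith(namespace + ".") and f not in declared}


if __name__ == "__main__":
    gaps = missing_fields(SAMPLE_MAPPING, SAMPLE_FIELDS_YML, "google_workspace")
    for field, ftype in sorted(gaps.items()):
        print(f"{field}: {ftype}")
```

To run this against a real lab, replace SAMPLE_MAPPING with the JSON body of the data stream's mapping and SAMPLE_FIELDS_YML with the parsed fields.yml (for example via PyYAML); the output is the field/type list that would go into non-ecs.json or into a fields.yml pull request.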