[Cyberarkpas] Update cyberarkpas to ECS 1.10.0 #1039
Conversation
P1llus
added
enhancement
|
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
Trends 🧪 |
…g/manifest changes
| "severity": "Info", | ||
| "iso_timestamp": "2021-03-14T13:42:20Z", | ||
| "gateway_station": "10.0.1.20", | ||
| "raw": "\u003csyslog\u003e\n\n \u003caudit_record\u003e\n \u003cRfc5424\u003eyes\u003c/Rfc5424\u003e\n \u003cTimestamp\u003eMar 14 06:42:20\u003c/Timestamp\u003e\n \u003cIsoTimestamp\u003e2021-03-14T13:42:20Z\u003c/IsoTimestamp\u003e\n \u003cHostname\u003eVAULT\u003c/Hostname\u003e\n \u003cVendor\u003eCyber-Ark\u003c/Vendor\u003e\n \u003cProduct\u003eVault\u003c/Product\u003e\n \u003cVersion\u003e11.7.0000\u003c/Version\u003e\n \u003cMessageID\u003e124\u003c/MessageID\u003e\n \u003cDesc\u003eRename File\u003c/Desc\u003e\n \u003cSeverity\u003eInfo\u003c/Severity\u003e\n \u003cIssuer\u003eAdministrator\u003c/Issuer\u003e\n \u003cAction\u003eRename File\u003c/Action\u003e\n \u003cSourceUser\u003e\u003c/SourceUser\u003e\n \u003cTargetUser\u003e\u003c/TargetUser\u003e\n \u003cSafe\u003ePSM\u003c/Safe\u003e\n \u003cFile\u003eRoot\\Operating System-UnixSSH-34.123.103.115-PSMConnect\u003c/File\u003e\n \u003cStation\u003e127.0.0.1\u003c/Station\u003e\n \u003cLocation\u003e\u003c/Location\u003e\n \u003cCategory\u003e\u003c/Category\u003e\n \u003cRequestId\u003e\u003c/RequestId\u003e\n \u003cReason\u003e\u003c/Reason\u003e\n \u003cExtraDetails\u003e\u003c/ExtraDetails\u003e\n \u003cMessage\u003eRename File\u003c/Message\u003e\n \u003cGatewayStation\u003e10.0.1.20\u003c/GatewayStation\u003e\n \u003c/audit_record\u003e\n\n\u003c/syslog\u003e", |
There was a problem hiding this comment.
I wonder if we can drop this field given that we have the option of event.original?
There was a problem hiding this comment.
Would need to check with @adriansr as he was the one who added it, might be a reason around it?
There was a problem hiding this comment.
oh, this field isn't there by default.
It's added by the XSLT for debugging purposes if necessary, to keep the original XML before the XSLT converts it to JSON.
It's added if you toggle this flag to 1:
https://github.com/elastic/beats/blob/d97155072907d26eaa27707c038161767245f6ff/x-pack/filebeat/module/cyberarkpas/_meta/assets/elastic-json-v1.0.xsl#L11
The test data was captured with this flag set as I had it enabled during development.
There was a problem hiding this comment.
I think its safe to have it in the test data then, or I can remove it manually if needed?
There was a problem hiding this comment.
Will leave this in the testdata for now, the field itself won't be visible for end-users, but its good to have as a reference here.
* updating cyberarkpas ECS version and adding pipeline tests * updating cyberarkpas ECS version and adding pipeline tests * linting and formatting, generating new test files and adding changelog/manifest changes * Linting processors * updating docs * linting * More linting
What does this PR do?
Updates package ECS version to 1.10.
Sync module changes to packages if any.
Adds Preserve Raw event functionality if not already exists.
Adds pipeline tests if missing.
Checklist
changelog.ymlfile.manifest.ymlfile to point to the latest Elastic stack release (e.g.^7.13.0).Related issues