[O365]Moving edge processing to ingest pipelines #983
Conversation
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
copy_from: o365audit.ObjectId | ||
if: ctx.event?.code == "AzureActiveDirectory" | ||
## AzureActiveDirectory Schema new user | ||
- set: |
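Review bot: in the `copy_from: o365audit.ObjectId` set processor, a document that lacks `o365audit.ObjectId` will fail the pipeline unless `ignore_empty_value: true` is set on that processor; the visible lines do not show that option, so confirm it is present or add it next to `copy_from`.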
just a suggestion, I'm OK merging as is.
It looks like `event.code` and `event.action` are used several times to set ECS categorization. I'm wondering if we could generalize to a script that takes parameters. Get all the logic to make those decisions in one place.
Thanks for the feedback @leehinman. There is an ongoing discussion on exactly this, also for google_workspace, around things like performance and which way would be better.
If it's okay with you I would like to do the same here, in which I leave it like this for now, as I feel it is better for performance, while keeping an eye on the overall discussion. If it turns out that there is no difference or the other way does not have any high impact on benchmarks I will go back and implement it on both.
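For illustration of the parameterized-script alternative discussed above, here is an added example; it is not code from this PR or from the o365 package, and the event codes, actions and ECS values in its mapping are assumed sample values, not the package's real table.

```yaml
# Added example, not the PR's code: a single script processor that looks up the
# event.code / event.action pair in a params table and applies ECS categorization,
# replacing one conditional set processor per case.
- script:
    lang: painless
    if: ctx.event?.code != null && ctx.event?.action != null
    params:
      # constructed sample mapping; real operations and values would come from the package
      categorization:
        AzureActiveDirectory:
          UserLoggedIn:
            category: [authentication]
            type: [start]
            outcome: success
          UserLoginFailed:
            category: [authentication]
            type: [start]
            outcome: failure
    source: |
      // first level: event.code; second level: event.action
      def byCode = params.categorization.get(ctx.event.code);
      if (byCode == null) return;
      def ecs = byCode.get(ctx.event.action);
      if (ecs == null) return;
      ctx.event.category = ecs.category;
      ctx.event.type = ecs.type;
      if (ecs.outcome != null) {
        ctx.event.outcome = ecs.outcome;
      }
```

Documents whose code/action pair is not in the table pass through unchanged, so adding a new case is a params edit rather than a new processor.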
run tests
/test
* adding pipeline tests
* stashing changes
* stashing changes
* stashing changes again
* stashing changes, need to pipe config tenant objects to pipeline still
* first finalized version, ready for review
* finalized version ready for review
* update changelog and manifest
* regenerating test files and merging with master
* Fix config and test files

Co-authored-by: Marc Guasch <[email protected]>
What does this PR do?
This PR removes all edge processing in favor of ingest pipelines.
Checklist
- changelog.yml file
Related issues