
OCSF1.1 Fixes #1439

Open
wants to merge 1 commit into
base: main

Conversation

toepkerd
Contributor

@toepkerd toepkerd commented Dec 23, 2024

Description

Implements some fixes found in end-to-end validation of added OCSF1.1 field mappings on mock Security Lake data. Fixes include:

  1. Checking for an OCSF1.1 field mapping before checking for an OCSF1.0 field mapping. This resolves a confusion the static mappings had on how to map OCSF1.1 fields actor.user.uid, actor.user.uid_alt to ECS fields aws.cloudtrail.user_identity.principalId and aws.cloudtrail.user_identity.arn
  2. Removed [] from newly added WAF field mappings. The static mappings can parse fields in lists without being explicitly indicated that the field is a list, so the square brackets were being treated as part of the field name itself.

Also added an integration test for fix 1 above. The rest of the fixes were validated end-to-end on mock Security Lake data.

Check List

  • [Y] New functionality includes testing.
  • [N/A] New functionality has been documented.
  • [N/A] API changes companion pull request created.
  • [Y] Commits are signed per the DCO using --signoff.
  • [N/A] Public documentation issue/PR created.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following the Developer Certificate of Origin and signing off your commits, please check here.

Signed-off-by: Dennis Toepker <[email protected]>
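The two fixes listed in the description above, as an added example that is not the project's code (the plugin is Java; this is a Python sketch of the same logic). The mapping tables and the mock record are constructed for illustration, not the real static mappings: consulting the OCSF1.0 table first shadows the OCSF1.1 entry for `actor.user.uid`, and a mapping key written with `[]` never matches a path walked from a record, because list elements are traversed transparently.

```python
from typing import Any, Callable, Dict, Iterator, List, Optional, Tuple

# Constructed sample tables (OCSF field -> ECS field); NOT the project's real static mappings.
OCSF_1_0 = {
    "actor.user.uid": "aws.cloudtrail.user_identity.arn",
    "cloud.region": "cloud.region",
}
OCSF_1_1 = {
    "actor.user.uid": "aws.cloudtrail.user_identity.principalId",
    "actor.user.uid_alt": "aws.cloudtrail.user_identity.arn",
    "cloud.region": "cloud.region",
    # WAF-style list field written WITHOUT '[]': walk_paths() never emits a '[]' marker.
    "http_request.http_headers.name": "http.request.headers.name",
}

def walk_paths(value: Any, prefix: str = "") -> Iterator[Tuple[str, Any]]:
    """Yield (dotted_path, leaf). Lists are walked transparently, so keys inside a
    list element get the same path a scalar would; no '[]' ever appears in a path."""
    if isinstance(value, dict):
        for k, v in value.items():
            yield from walk_paths(v, f"{prefix}.{k}" if prefix else k)
    elif isinstance(value, list):
        for item in value:
            yield from walk_paths(item, prefix)
    else:
        yield prefix, value

def resolve_buggy(field: str) -> Optional[str]:
    """Lookup order before the fix: 1.0 table first, so its entry shadows the 1.1 one."""
    return OCSF_1_0.get(field) or OCSF_1_1.get(field)

def resolve_fixed(field: str) -> Optional[str]:
    """Lookup order after the fix: 1.1 table first, 1.0 only as a fallback."""
    return OCSF_1_1.get(field) or OCSF_1_0.get(field)

def map_record(record: Dict[str, Any], resolve: Callable[[str], Optional[str]]) -> Dict[str, List[Any]]:
    """Translate every leaf of an OCSF record to its ECS field; unmapped paths are dropped.
    Values are collected in lists because all elements of a list share one path."""
    out: Dict[str, List[Any]] = {}
    for path, leaf in walk_paths(record):
        target = resolve(path)
        if target is not None:
            out.setdefault(target, []).append(leaf)
    return out

SAMPLE = {  # constructed mock Security Lake-style record
    "actor": {"user": {"uid": "AIDAEXAMPLE", "uid_alt": "arn:aws:iam::123456789012:user/alice"}},
    "cloud": {"region": "us-east-1"},
    "http_request": {"http_headers": [{"name": "host", "value": "example.com"},
                                      {"name": "user-agent", "value": "curl"}]},
}
```

With the buggy order both `uid` and `uid_alt` land in the same ECS field, which is the confusion the first fix removes; with the fixed order each maps to its own target, and the header names from the list are picked up by the bracket-free key.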
@toepkerd
Contributor Author

CIs fail on IT org.opensearch.securityanalytics.alerts.AlertsIT.testMultipleAggregationAndDocRules_alertSuccess, a known flaky test that has occurred in past PRs/commits. Repeated local retries of the build and the test eventually allow it to succeed.
