aws.securityhub_findings: Add fields to _source
as needed by CDR workflows.
#11608
Conversation
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)
@andrewkroh in general there is quite a lot of code in Cloud Security that relies on the
I think that would be the prudent course of action. We can add these fields into _source as a temporary workaround. Another important reason to avoid
💚 Build Succeeded
cc @kcreddy
To provide context, the relevant PR and comment are here.
Approving as a work-around while the world is brought into order.
Package aws - 2.31.1 containing this change is available at https://epr.elastic.co/search?package=aws
@andrewkroh here is the issue to track getting rid of
Proposed commit message

Add cloud.provider, event.kind, and observer.vendor fields to _source as needed by CDR workflows.

The commit here removed the fields from _source. But the fields are required to be present in _source for Cloud Detection and Response (CDR) workflows. This PR reverts the changes made in that commit and re-adds the fields into the ingest pipeline.
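To show what the commit message describes, here is an added example (not code from the PR or the aws package): it emulates ingest-pipeline set processors for the three fields, runs them over a constructed Security Hub finding, and reports which CDR-required fields are still missing from _source. The field values ("aws", "event", "AWS Security Hub") are assumptions; the PR page does not state them.

```python
import copy

# Fields the PR re-adds to _source. Values are assumed for illustration;
# the PR page does not state them.
CDR_REQUIRED_FIELDS = {
    "cloud.provider": "aws",
    "event.kind": "event",
    "observer.vendor": "AWS Security Hub",
}

# Ingest-pipeline `set` processors in the shape Elasticsearch uses.
SET_PROCESSORS = [{"set": {"field": f, "value": v}} for f, v in CDR_REQUIRED_FIELDS.items()]

def set_dotted(doc, path, value):
    """Create nested objects for a dotted path and set the leaf, as `set` does."""
    node = doc
    parts = path.split(".")
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    node[parts[-1]] = value

def get_dotted(doc, path):
    """Return the value at a dotted path, or None if any segment is missing."""
    node = doc
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def run_pipeline(doc, processors):
    """Apply `set` processors to a copy of doc and return the resulting _source."""
    out = copy.deepcopy(doc)
    for proc in processors:
        set_dotted(out, proc["set"]["field"], proc["set"]["value"])
    return out

def missing_cdr_fields(source):
    """List the CDR-required fields absent from a document's _source."""
    return [f for f in CDR_REQUIRED_FIELDS if get_dotted(source, f) is None]

# Constructed sample finding as ingested before the change, with the three
# fields absent from _source.
SAMPLE_FINDING = {
    "aws": {"securityhub_findings": {"id": "constructed-finding-1"}},
    "cloud": {"region": "us-east-1"},
}
```

Running missing_cdr_fields on SAMPLE_FINDING before and after run_pipeline shows the three fields going from missing to present while the original document is left untouched.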
Checklist

changelog.yml file.

How to test this PR locally
cd packages/aws && elastic-package stack down && elastic-package build && elastic-package stack up --version=8.16.0-SNAPSHOT -d -v && eval "$(elastic-package stack shellinit)" && elastic-package test pipeline --generate -v --data-streams=securityhub_findings
Related issues
Sample documents after the change: