Skip to content

windows: reconcile forwarded event pipelines with their non-forwarded equivalents #7374

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Aug 29, 2023
Merged

windows: reconcile forwarded event pipelines with their non-forwarded equivalents #7374

merged 1 commit into from
Aug 29, 2023

Conversation

efd6
Copy link
Contributor

@efd6 efd6 commented Aug 14, 2023

What does this PR do?

See title.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

Author's Checklist

  • [ ]

How to test this PR locally

Related issues

Screenshots

@efd6 efd6 self-assigned this Aug 14, 2023
@efd6 efd6 force-pushed the 7174-windows-reconcile branch from 32915eb to 08cc775 Compare August 14, 2023 00:41
@elasticmachine
Copy link

elasticmachine commented Aug 14, 2023
edited
Loading

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview preview

Expand to view the summary

Build stats

  • Start Time: 2023-08-28T23:04:21.671+0000

  • Duration: 18 min 24 sec

Test stats 🧪

Test Results
Failed 0
Passed 150
Skipped 0
Total 150

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

@elasticmachine
Copy link

elasticmachine commented Aug 14, 2023
edited
Loading

🌐 Coverage report

Name Metrics % (covered/total) Diff
Packages 100.0% (8/8) 💚
Files 91.667% (11/12) 👎 -8.333
Classes 91.667% (11/12) 👎 -8.333
Methods 85.156% (109/128) 👍 10.156
Lines 91.55% (5840/6379) 👎 -8.45
Conditionals 100.0% (0/0) 💚

@efd6 efd6 marked this pull request as ready for review August 14, 2023 01:58
@efd6 efd6 requested review from a team as code owners August 14, 2023 01:58
@efd6 efd6 requested review from ycombinator and belimawr August 14, 2023 01:58
@elasticmachine
Copy link

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@efd6 efd6 force-pushed the 7174-windows-reconcile branch from 08cc775 to 41528cc Compare August 24, 2023 01:01
kcreddy
kcreddy approved these changes Aug 28, 2023
View reviewed changes
Copy link
Contributor

@kcreddy kcreddy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor suggestions. LGTM 👍🏼

packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/powershell_operational.yml
Comment on lines +185 to +194
- rename:
field: winlog.event_data._MemberUserName
target_field: user.name
ignore_failure: true
ignore_missing: true
- rename:
field: winlog.event_data._MemberDomain
target_field: user.domain
ignore_failure: true
ignore_missing: true
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should these also have a condition when these fields don't already exist?
such as if: ctx.user?.name == null or ctx.user?.domain == null ?

Because these are already being set earlier in the pipeline. Maybe that way we can remove ignore_failure

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd prefer to leave those changes for a future PR. This is just to get the datastreams into consensus.

packages/windows/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml
@@ -256,26 +256,29 @@ processors:
target_field: error.code
ignore_failure: true
ignore_missing: true
if: ctx.event.code == "255"
if: ctx.event.code == "255" && ctx.winlog?.event_data?.ID != null && ctx.winlog?.event_data?.ID != ""
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
if: ctx.event.code == "255" && ctx.winlog?.event_data?.ID != null && ctx.winlog?.event_data?.ID != ""
if: ctx.event.code == "255" && ctx.winlog?.event_data?.ID != null && ctx.winlog.event_data.ID != ""

Same for the other ifs in this pipeline.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same above.

@efd6 efd6 force-pushed the 7174-windows-reconcile branch from 41528cc to df5430b Compare August 28, 2023 09:39
@efd6 efd6 force-pushed the 7174-windows-reconcile branch from df5430b to a4658db Compare August 28, 2023 23:04
@efd6 efd6 merged commit 407ff92 into elastic:main Aug 29, 2023
@elasticmachine
Copy link

Package windows - 1.35.0 containing this change is available at https://epr.elastic.co/search?package=windows

@efd6 efd6 deleted the 7174-windows-reconcile branch February 5, 2025 22:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kcreddy kcreddy kcreddy approved these changes

@ycombinator ycombinator Awaiting requested review from ycombinator ycombinator is a code owner automatically assigned from elastic/elastic-agent-data-plane

@belimawr belimawr Awaiting requested review from belimawr belimawr is a code owner automatically assigned from elastic/elastic-agent-data-plane

Assignees

@efd6 efd6

Labels
enhancement New feature or request Integration:windows Windows
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@efd6 @elasticmachine @kcreddy