zscaler_zia: add strict field template mode for tcp and http_endpoint input data streams #13904
Conversation
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

… input data streams

This checks that the template version matches the current expected template version if the template specifies it, falling back to an assessment of the fields that are present in the message. The check is only performed when enabled, which is not the case by default.
packages/zscaler_zia/data_stream/web/elasticsearch/ingest_pipeline/default.yml
packages/zscaler_zia/data_stream/web/elasticsearch/ingest_pipeline/default.yml
Needs syntax to link directly to the noted version.
@@ -43,6 +43,32 @@ processors: | |||
tag: rename_resp_event | |||
target_field: json | |||
ignore_missing: true | |||
- script: | |||
params: | |||
pkg_version: 3.12.0 |
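Review bot: the hardcoded `pkg_version: 3.12.0` in the script params is a second copy of the version already declared in manifest.yml, and nothing in the hunk ties the two together, so it will silently go stale at the next release bump. Either add a comment beside both fields saying they must be updated together (the discussion below settles on a comment above the manifest.yml `version` field), or drop the param if the error message does not end up needing a version-specific link.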
Looks like we are not using this `pkg_version` param anywhere. Can we remove it?
Waiting for feedback from docs for how I can link directly to the correct version; it will be used then, that's why this commit is a wip. Without a direct link to the correct version, I'd rather not link at all.
Got it. My bad, I didn't expand the commit.
I have confirmation that this is not possible. The new code links to the markdown. It's not friendly, but it is at least correct. I would prefer correctness over friendliness, but happy to hear your position.
Got it. Yeah, correctness makes much more sense. I am okay with this.
It's probably going to be slightly inconvenient to maintain this `params.pkg_version` flag as it needs to be bumped every PR on zscaler_zia.
Do you think we should document such exceptions in our wiki?
I think at least adding a comment above the manifest.yml `version` field. Would that do for you?
Yeah that works 👍🏼
packages/zscaler_zia/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
Still wip; the links are to raw MD and are not direct to the affected data stream.
I think this is good.
I noted an idea about getting the package version for the error message.
I would prefer strict fields or something like it to always be on. It doesn't fail all the processing, it just adds an error message. That may cause some level of disruption, but if it's an advanced option that's off by default, I think we'll almost never get this information when it matters.
My preference would be to set the error message by default, and have an option to skip it or downgrade it to a warning (although I'm not sure we have a great ECS field for warnings).
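As an added illustration, and not code from this PR or from the zscaler_zia package, here is one way the check described in the proposed commit message (version match when the template carries a version, otherwise a presence check on the expected fields) could be written as an ingest pipeline script processor, together with the behaviour asked for in the comment above: on by default, with an option to skip it or downgrade it to a warning. The `_conf.strict_fields` pipeline variable, the `json.template_version` field, the `required_fields` list, the expected version value and the `strict_field_template_mismatch` tag are all assumptions made for this example; the package's real names and values may differ, and the warning is recorded as a tag only because, as the comment notes, ECS has no dedicated warning field.

```yaml
- script:
    description: Strict field template check (added example; field and parameter names are assumed).
    tag: strict_field_template_check
    # Assumed: _conf.strict_fields comes from the input settings. "off" skips the check,
    # "warn" only tags the event, anything else (the default) writes error.message.
    if: ctx.json != null && ctx._conf?.strict_fields != 'off'
    params:
      expected_template_version: 1                 # assumed expected value
      required_fields: [datetime, action, reason]  # assumed template fields
    source: |
      String problem = null;
      def version = ctx.json.template_version;   // assumed: version field emitted by the log template
      if (version != null) {
        // The template declares its version: compare it with what this pipeline expects.
        if (version.toString() != params.expected_template_version.toString()) {
          problem = 'log template version ' + version + ' does not match expected version ' + params.expected_template_version;
        }
      } else {
        // No version in the message: fall back to checking that the expected fields are present.
        List missing = new ArrayList();
        for (String f : params.required_fields) {
          if (!ctx.json.containsKey(f)) {
            missing.add(f);
          }
        }
        if (!missing.isEmpty()) {
          problem = 'log template is missing expected fields ' + missing;
        }
      }
      if (problem == null) {
        return;
      }
      if (ctx._conf?.strict_fields == 'warn') {
        // Downgraded to a warning: tag the event and leave error.message alone.
        if (ctx.tags == null) {
          ctx.tags = new ArrayList();
        }
        ctx.tags.add('strict_field_template_mismatch');
        return;
      }
      // Default: record the mismatch as an error without failing the rest of the pipeline.
      if (ctx.error == null) {
        ctx.error = new HashMap();
      }
      ctx.error.message = ctx.error.message == null ? problem : ctx.error.message + '\n' + problem;
```

The processor never throws, so an event with a mismatched template still indexes with its parsed fields; the mismatch only becomes visible through `error.message` or the tag, which is what makes an on-by-default check tolerable operationally.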
packages/zscaler_zia/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
cc @efd6
Thanks!
Package zscaler_zia - 3.12.0 containing this change is available at https://epr.elastic.co/package/zscaler_zia/3.12.0/

* main: (42 commits)
  - [jamf_pro] Fix `flattened` field types for non-object values (elastic#13985)
  - [Netskope Alerts] Add text multi-field to netskope.alerts.breach.description field (elastic#13977)
  - zscaler_zia: add strict field template mode for tcp and http_endpoint input data streams (elastic#13904)
  - apm: Add config for tail-based sampling discard on write (elastic#13950)
  - [CI] Add dev/coverage into backport script (elastic#13987)
  - Update configuration updatecli for 8.x snapshot (elastic#13981)
  - [Prometheus] Add username, password, and SSL related fields for query dataset (elastic#13969)
  - o365: Ignore failures in rename processors for organization fields (elastic#13983)
  - aws.firewall: Document ingested log types of AWS Network Firewall (elastic#13978)
  - mimecast: resolve field data type conflicts between data streams (elastic#13825)
  - [Infoblox NIOS] Handle the parsing of IPv6 address (elastic#13947)
  - [Cribl] Fix handling of metric event type (elastic#13930)
  - zscaler_zpa: fix handling of multiple remote IPs, and event categorisation (elastic#13755)
  - Adding agentless deployment to the sublime security integration (elastic#13963)
  - [integration/system] add use_performance_counters in system integration (elastic#13150)
  - crowdstrike,m365_defender,microsoft_defender_{cloud,endpoint},sentinel_one: normalise severity handling (elastic#13955)
  - [forgerock] Map `forgerock.response.elapsedTime` as a long not a date (elastic#13959)
  - github: squelch errors from pagination ends (elastic#13965)
  - cisco_secure_endpoint: squelch errors from pagination ends (elastic#13964)
  - [Cloud Security] Cloud Asset Inventory: fixed cloud formation URL (elastic#13971)
  - ...