Merged
Changes from 1 commit
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
@@ -129,6 +129,7 @@ automatic splitting at root level, if root level element is an array. {pull}3415
- Allow the `misp` fileset in the Filebeat `threatintel` module to ignore CIDR ranges for an IP field. {issue}29949[29949] {pull}34195[34195]
- Remove incorrect reference to CEL ext extensions package. {issue}34610[34610] {pull}34620[34620]
- Fix handling of RFC5988 links' relation parameters by `getRFC5988Link` in HTTPJSON. {issue}34603[34603] {pull}34622[34622]
- Drop empty API response events for Microsoft module. {issue}34786[34786] {pull}34893[34893]

*Auditbeat*

@@ -29,6 +29,7 @@ request.transforms:

response.split:
target: body.value
ignore_empty_value: true

Member

Do we have any test cases in our logs that have an empty value field?

@efd6 efd6 Mar 27, 2023

Contributor Author

We do in the integration, but not here. I looked into adding one, but it's not as easy as it is in the integrations.

@efd6 efd6 Mar 28, 2023

Contributor Author

I've come up with an approach that serves to test this. It's not pretty, but it works.

split:
target: body.evidence
keep_parent: true
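Review bot: the new `ignore_empty_value: true` on `response.split` has no test input in this fileset containing an empty `value` array, so the behaviour the changelog entry promises is exercised only by the ingest pipeline's `drop` processor, not by the input config itself. Suggest adding a minimal response body such as `{"value": []}` to the fileset's test files so a regression in the input path is caught, as the thread above discusses. The nested `split` on `body.evidence` with `keep_parent: true` is also worth checking against a parent whose `evidence` list is empty, since the option is set only on the outer split.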
@@ -1,6 +1,8 @@
---
description: Pipeline for parsing microsoft atp logs
processors:
- drop:
if: ctx.json?.value != null && ctx.json.value.isEmpty()
- set:
field: event.ingested
value: '{{_ingest.timestamp}}'
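Review bot: the `drop` condition `ctx.json?.value != null && ctx.json.value.isEmpty()` will throw at runtime if `json.value` is ever a type without an `isEmpty()` method, such as a number or boolean, and in an ingest pipeline that means the document fails rather than being dropped or passed through. Since the intent is to drop only an empty `value` list, consider narrowing it to `ctx.json?.value instanceof List && ctx.json.value.isEmpty()`. The same processor appears in the second pipeline in this PR and would take the same change. It would also help to note, in the pipeline `description` or a YAML comment, that this is a second line of defence behind `ignore_empty_value: true` in the httpjson config, so a future reader does not remove one believing the other makes it redundant.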
@@ -24,6 +24,7 @@ request.transforms:

response.split:
target: body.value
ignore_empty_value: true
split:
target: body.alerts
keep_parent: true
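Review bot: `ignore_empty_value: true` is added only to the outer `response.split` on `body.value`; the nested `split` on `body.alerts` with `keep_parent: true` does not get it, so a response whose `value` entries carry an empty `alerts` list is not covered by this change. If that shape can occur in the API responses, the nested split needs the same option; if it cannot, a one-line comment saying so would save the next reader from asking.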
@@ -1,6 +1,8 @@
---
description: Pipeline for parsing microsoft atp logs
processors:
- drop:
if: ctx.json?.value != null && ctx.json.value.isEmpty()
- set:
field: event.ingested
value: '{{_ingest.timestamp}}'
@@ -31,7 +31,7 @@
"microsoft.m365_defender.alerts.detectionSource": "WindowsDefenderAv",
"microsoft.m365_defender.alerts.devices": [
{
"deviceDnsName": "TestServer5",
"deviceDnsName": "TestServer4",
"firstSeen": "2020-06-30T08:55:08.8320449Z",
"healthStatus": "Inactive",
"mdatpDeviceId": "75a63a39f9bc5a964f417c11f6277d5bf9489f0d",
@@ -43,7 +43,7 @@
"version": "Other"
},
{
"deviceDnsName": "TestServer4",
"deviceDnsName": "TestServer5",
"firstSeen": "2020-06-30T08:55:08.8320449Z",
"healthStatus": "Inactive",
"mdatpDeviceId": "75a63a39f9bc5a964f417c11f6277d5bf9489f0d",
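Review bot: the hunks at -31 and -43 only swap `TestServer5` and `TestServer4` between the two entries of `microsoft.m365_defender.alerts.devices`; nothing else in the expected document changes. The PR description should say why the device order moved, because neither `ignore_empty_value` nor a `drop` processor should reorder array elements; if the order is not deterministic, this expected file will flap again on the next regeneration.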