Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adding various OCSF 1.1 fields to log type static mappings #1403

Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

Adding various OCSF 1.1 fields to log type static mappings #1403

wants to merge 5 commits into from

Conversation

toepkerd
Copy link
Contributor

@toepkerd toepkerd commented Oct 30, 2024
edited
Loading

Description

Adds various OCSF 1.1 field mappings to the static mappings repository in Security Analytics, allowing for more automatic field mappings during detector creation on indices ingesting OCSF 1.1 logs from Security Lake.

Check List

  • New functionality includes testing.
  • New functionality has been documented.
  • API changes companion pull request created.
  • Commits are signed per the DCO using --signoff.
  • Public documentation issue/PR created.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@toepkerd toepkerd marked this pull request as ready for review October 30, 2024 19:00
sbcd90
sbcd90 reviewed Nov 4, 2024
View reviewed changes
src/test/java/org/opensearch/securityanalytics/resthandler/OCSFDetectorRestApiIT.java
// Verify unmapped index fields
List<String> unmappedIndexFields = (List<String>) respMap.get("unmapped_index_fields");
assertEquals(28, unmappedIndexFields.size());
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why do we need to change the count of these tests?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The tests check for the number of mapped and unmapped fields. Since we've added new static mappings, fields that didn't have mappings before now do, so the counts in the tests are adjusted to reflect this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sbcd90 sbcd90 sbcd90 left review comments

@amsiglan amsiglan Awaiting requested review from amsiglan amsiglan is a code owner

@AWSHurneyt AWSHurneyt Awaiting requested review from AWSHurneyt AWSHurneyt is a code owner

@getsaurabh02 getsaurabh02 Awaiting requested review from getsaurabh02 getsaurabh02 is a code owner

@lezzago lezzago Awaiting requested review from lezzago lezzago is a code owner

@praveensameneni praveensameneni Awaiting requested review from praveensameneni praveensameneni is a code owner

@eirsep eirsep Awaiting requested review from eirsep eirsep is a code owner

@jowg-amazon jowg-amazon Awaiting requested review from jowg-amazon jowg-amazon is a code owner

@engechas engechas Awaiting requested review from engechas engechas is a code owner

@goyamegh goyamegh Awaiting requested review from goyamegh goyamegh is a code owner

@riysaxen-amzn riysaxen-amzn Awaiting requested review from riysaxen-amzn riysaxen-amzn is a code owner

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@toepkerd @sbcd90 @toepkerd-zz