Add file.origin_referrer_url and file.origin_url to FileEvent
#514
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
pzl
requested review from
pzl
and removed request for
gergoabraham and
paul-tavares
pzl
reviewed
Jun 28, 2024
There was a problem hiding this comment.
- no worries about the change in windows_file_open, maybe something was left behind in a previous PR? either way, things in
custom_documentationhave no ill-effect to the package functionality, so easy 👍 from me
will not necessarily be included in all file events.
Therefore, I set it as default_field: false
I don't believe that's what that setting does, but people doing fieldless-queries against our indices is probably rare, so no harm in using that setting anyway
- can you add the sample data to
package/endpoint/data_stream/file/sample_event.json? Easy 👍 after that
|
Hi @pzl |
intxgo
approved these changes
Jun 28, 2024
|
Package endpoint - 8.15.0 containing this change is available at https://epr.elastic.co/search?package=endpoint |
1 task
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Change Summary
This PR adds new
file.origin_referrer_urlandfile.origin_urlto the file event mapping. These fields will also be added to the ECS. (level: extended). The following is the ECS side PR.To reviewers
Size of the fields
The two fields added in this PR are intended to store URL. Therefore, the default field size of 1024 bytes is insufficient. As a result, we want to set ignore_above to 8k bytes, if possible.
ignore_above: 8192Default Field
This field will not necessarily be included in all file events.
Therefore, I set it as
default_field: false, but please let me know if this is incorrect.About windows_file_open.md
As a result of running
make, process.command_line was added towindows_file_open.md. If this behavior is unexpected, please let me know.Sample values
Release Target
8.15
Q/A
For mapping changes:
makeafter making the schema changes, and committed all changes