Skip to content

[netflow]: Append all ip addresses found to the related.ip field. #11193

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Sep 23, 2024
Merged

[netflow]: Append all ip addresses found to the related.ip field. #11193

merged 4 commits into from
Sep 23, 2024

Conversation

aleksmaus
Copy link
Contributor

Proposed commit message

Append all ip addresses found to the related.ip field.

I was not sure if the original issue meant specific fields, if yes then ipv6 was not included in the list.

Anyways, in the first cut appending all the fields that end with *_ipv4_address or *_ipv6_address.
Can redo if the list of the fields limited to just: netflow.post_nat_destination_ipv4_address , netflow.post_nat_source_ipv4_address, netflow.post_nat_destination_ipv6_address , netflow.post_nat_source_ipv6_address.

Let me know.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

Related issues

@aleksmaus aleksmaus added enhancement New feature or request Team:Security-Deployment and Devices DEPRECATED Deployment and Devices Security team [elastic/sec-deployment-and-devices] labels Sep 19, 2024
@aleksmaus aleksmaus self-assigned this Sep 19, 2024
@aleksmaus aleksmaus requested a review from a team as a code owner September 19, 2024 21:21
@elasticmachine
Copy link

Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)

@andrewkroh andrewkroh added the Integration:netflow NetFlow Records label Sep 19, 2024
@elastic-vault-github-plugin-prod
Copy link

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

andrewkroh
andrewkroh reviewed Sep 19, 2024
View reviewed changes
@aleksmaus aleksmaus requested review from andrewkroh and a team September 19, 2024 21:51
taylor-swanson
taylor-swanson reviewed Sep 23, 2024
View reviewed changes
Copy link
Contributor

@taylor-swanson taylor-swanson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we want to handle observer.ip as well?

@aleksmaus
Copy link
Contributor Author

Do we want to handle observer.ip as well?

I don't know what are the rules. Do we usually add that related.ip?
The original ticket doesn't say anything about this.

@taylor-swanson
Copy link
Contributor

I poked around other integrations. While we're not great at setting related fields, I am seeing other integrations adding observer fields to the related fields, so we should do the same here. If you don't want to mess with the painless script, you could add an append processor for observer.ip instead.

@taylor-swanson
Copy link
Contributor

This is what ECS says about related.ip:

Screenshot 2024-09-23 at 8 37 24 AM

@aleksmaus
Copy link
Contributor Author

Added observer.ip to related.ip

@elastic-sonarqube Elastic SonarQube
Copy link

Quality Gate passed Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

@elasticmachine
Copy link

💚 Build Succeeded

History

cc @aleksmaus

@aleksmaus aleksmaus merged commit 2d91393 into elastic:main Sep 23, 2024
5 checks passed
@elastic-vault-github-plugin-prod
Copy link

Package netflow - 2.19.0 containing this change is available at https://epr.elastic.co/search?package=netflow

harnish-crest-data pushed a commit to chavdaharnish/integrations that referenced this pull request Feb 4, 2025
@aleksmaus
[netflow]: Append all ip addresses found to the related.ip field. (el…
50b9747 
…astic#11193)

* [netflow]: Append all ip addresses found to related.ip field.

* Update changelog PR number

* Address code review

* Add observer.ip to related.ip
harnish-crest-data pushed a commit to chavdaharnish/integrations that referenced this pull request Feb 5, 2025
@aleksmaus
[netflow]: Append all ip addresses found to the related.ip field. (el…
0919146 
…astic#11193)

* [netflow]: Append all ip addresses found to related.ip field.

* Update changelog PR number

* Address code review

* Add observer.ip to related.ip
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@taylor-swanson taylor-swanson taylor-swanson approved these changes

@andrewkroh andrewkroh Awaiting requested review from andrewkroh

Assignees

@aleksmaus aleksmaus

Labels
enhancement New feature or request Integration:netflow NetFlow Records Team:Security-Deployment and Devices DEPRECATED Deployment and Devices Security team [elastic/sec-deployment-and-devices]
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

NetFlow Records Integration: Append Network Address Translation IP fields to related.ip
4 participants
@aleksmaus @elasticmachine @taylor-swanson @andrewkroh