[7.x] [Security Solution][Detections] Set default indicator path to reduce friction with new filebeat modules (#92081) #92751

Merged
merged 1 commit into from
Feb 25, 2021

Commits on Feb 25, 2021

  1. [Security Solution][Detections] Set default indicator path to reduce friction with new filebeat modules (elastic#92081)
    
    * Distinguish source and destination config for indicator matches
    
    We were previously conflating the path to retrieve indicator fields with
    the path to persist indicator fields, since they were the same value.
    
    To reduce friction in use with the new filebeat modules, we've decided
    to make the default source path threatintel.indicator. However, we still
    want to persist to threat.indicator, so we add a new constant, here.
    
    * Update our integration tests following change of default
    
    These tests were assuming a default path of threat.indicator. Since that
    is the ECS standard, we're not going to rewrite the tests but instead
    just add this rule override. In the future if the default changes, this
    parameter might be unnecessary.
    
    * DRY up unit tests a bit
    
    * Add a note for future devs
    
    If/when that constant changes, I imagine this will be useful context.
    
    Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
    rylnd and kibanamachine committed Feb 25, 2021
    39523a9
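The split between the source path and the destination path that the commit message describes, as an added example that is not Kibana's code or part of this commit. The function and constant names are hypothetical, the sample documents are constructed, and appending to an array at the destination is an assumption; only the two path values come from the commit message.

```javascript
// Added illustration, not Kibana source. Function and constant names are hypothetical.
const DEFAULT_INDICATOR_SOURCE_PATH = 'threatintel.indicator'; // default path read from the indicator doc
const INDICATOR_DESTINATION_PATH = 'threat.indicator'; // path persisted on the alert

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Read a dotted path; undefined if any segment is missing or inherited.
function getPath(doc, path) {
  let node = doc;
  for (const key of path.split('.')) {
    if (node === null || typeof node !== 'object' || !hasOwn(node, key)) return undefined;
    node = node[key];
  }
  return node;
}

// Append a value to the list at a dotted path, creating missing levels (assumed behaviour).
function appendAtPath(doc, path, value) {
  const keys = path.split('.');
  const last = keys.pop();
  let node = doc;
  for (const key of keys) {
    if (!hasOwn(node, key) || node[key] === null || typeof node[key] !== 'object') node[key] = {};
    node = node[key];
  }
  const existing = hasOwn(node, last) ? [].concat(node[last]) : [];
  node[last] = existing.concat([value]);
}

// Read indicator fields from sourcePath, persist them at the fixed destination path.
function enrichAlert(alert, indicatorDoc, sourcePath = DEFAULT_INDICATOR_SOURCE_PATH) {
  const enriched = JSON.parse(JSON.stringify(alert)); // never mutate the caller's alert
  const indicator = getPath(indicatorDoc, sourcePath);
  if (indicator === undefined) return { enriched, found: false }; // nothing at the source path
  appendAtPath(enriched, INDICATOR_DESTINATION_PATH, JSON.parse(JSON.stringify(indicator)));
  return { enriched, found: true };
}

// Constructed sample documents: one per indicator layout.
const alert = { destination: { domain: 'bad.example' } };
const filebeatDoc = { threatintel: { indicator: { type: 'domain-name', domain: 'bad.example' } } };
const ecsDoc = { threat: { indicator: { type: 'domain-name', domain: 'bad.example' } } };

console.log(enrichAlert(alert, filebeatDoc).found); // default source path matches
console.log(enrichAlert(alert, ecsDoc).found); // default misses an ECS-shaped doc
console.log(enrichAlert(alert, ecsDoc, 'threat.indicator').found); // per-rule override, as in the tests
```

With the default source path, an indicator document that stores its fields under `threat.indicator` yields no enrichment unless the rule overrides the path, which is the situation the updated integration tests handle.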