Updated expected logs

elastic · May 25, 2021 · 9d13513 · 9d13513
1 parent 0a62f45
commit 9d13513
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 3 deletions.
diff --git a/x-pack/filebeat/module/cisco/umbrella/ingest/pipeline.yml b/x-pack/filebeat/module/cisco/umbrella/ingest/pipeline.yml
@@ -241,7 +241,7 @@ processors:
     lang: painless
     description: "Extract user name values from ctx.cisco.umbrella.identities and append it to related.user"
     source: |-
-      void addRelatedUser(def x) {
+      void addRelatedUser(def ctx, def x) {
         if (ctx?.related == null) {
           Map map = new HashMap();
           ctx.put("related", map);
@@ -255,8 +255,8 @@ processors:
         }
       }
       for (cisco_identity in ctx.cisco.umbrella.identities) {
-        if (cisco_identity_contains('@')) {
-          addRelatedUser(cisco_identity);
+        if (cisco_identity.contains('@')) {
+          addRelatedUser(ctx, cisco_identity);
         }
       }
 

diff --git a/x-pack/filebeat/module/cisco/umbrella/test/umbrella-dnslogs.log-expected.json b/x-pack/filebeat/module/cisco/umbrella/test/umbrella-dnslogs.log-expected.json
@@ -88,5 +88,52 @@
         "source.address": "some other identity",
         "source.domain": "some other identity",
         "source.user.name": "elasticuser"
+    },
+    {
+        "@timestamp": "2021-05-14T19:39:58.000Z",
+        "cisco.umbrella.categories": "Infrastructure",
+        "cisco.umbrella.identities": [
+            "Elastic User (ElasticUser@elastic.co)",
+            "elastic_machine"
+        ],
+        "cisco.umbrella.identity_types": "Roaming Computers,AD Users",
+        "cisco.umbrella.policy_identity_type": "Roaming Computers",
+        "destination.address": "2.2.2.2",
+        "destination.domain": "elastic.co.",
+        "destination.ip": "2.2.2.2",
+        "dns.question.type": "1 (A)",
+        "dns.response_code": "NOERROR",
+        "dns.type": "query",
+        "event.action": "dns-request-Allowed",
+        "event.category": "network",
+        "event.dataset": "cisco.umbrella",
+        "event.module": "cisco",
+        "event.original": "\\\"2021-05-14 19:39:58\\\",\\\"elastic_machine\\\",\\\"elastic_machine,Elastic User (ElasticUser@elastic.co)\\\",\\\"1.1.1.1\\\",\\\"2.2.2.2\\\",\\\"Allowed\\\",\\\"1 (A)\\\",\\\"NOERROR\\\",\\\"elastic.co.\\\",\\\"Infrastructure\\\",\\\"Roaming Computers\\\",\\\"Roaming Computers,AD Users\\\",\\\"\\\"",
+        "event.type": [
+            "allowed",
+            "connection"
+        ],
+        "fileset.name": "umbrella",
+        "input.type": "log",
+        "log.offset": 487,
+        "message": "\"2021-05-14 19:39:58\",\"elastic_machine\",\"elastic_machine,Elastic User (ElasticUser@elastic.co)\",\"1.1.1.1\",\"2.2.2.2\",\"Allowed\",\"1 (A)\",\"NOERROR\",\"elastic.co.\",\"Infrastructure\",\"Roaming Computers\",\"Roaming Computers,AD Users\",\"\"",
+        "observer.product": "Umbrella",
+        "observer.type": "dns",
+        "observer.vendor": "Cisco",
+        "related.hosts": [
+            "elastic.co."
+        ],
+        "related.ip": [
+            "1.1.1.1",
+            "2.2.2.2"
+        ],
+        "related.user": [
+            "Elastic User (ElasticUser@elastic.co)",
+            "elastic_machine"
+        ],
+        "service.type": "cisco",
+        "source.address": "1.1.1.1",
+        "source.ip": "1.1.1.1",
+        "source.user.name": "elastic_machine"
     }
 ]