Osquerybeat: Allow event.category to be set with ECS mapping to value (
…#28653) (#28913)

(cherry picked from commit 8177165)

Co-authored-by: Aleksandr Maus <[email protected]>
mergify[bot] and aleksmaus authored Nov 11, 2021
1 parent 37a53e0 commit d1c0c0b
Showing 1 changed file with 10 additions and 2 deletions.
12 changes: 10 additions & 2 deletions x-pack/osquerybeat/internal/pub/publisher.go
Expand Up @@ -117,9 +117,17 @@ func hitToEvent(index, eventType, actionID, responseID string, hit map[string]in
}

// Add event.module for ECS
fields["event"] = map[string]string{
"module": eventModule,
// There could be already "event" properties set, preserve them and set the "event.module"
var evf map[string]interface{}
ievf, ok := fields["event"]
if ok {
evf, ok = ievf.(map[string]interface{})
}
if !ok {
evf = make(map[string]interface{})
}
evf["module"] = eventModule
fields["event"] = evf

fields["type"] = eventType
fields["action_id"] = actionID
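Review bot: The fallback `if !ok {` treats "no event key" and "event key of an unexpected type" the same way, so an existing `fields["event"]` that is a `map[string]string`, a named map type or a scalar is silently replaced and the mapped `event.*` values are lost without any trace. A nil map of the right type also passes the assertion with `ok == true`, and the write `evf["module"] = eventModule` would then panic; `if !ok || evf == nil {` closes that gap. Since the preserved `event.*` keys presumably originate from ECS-mapped query results, a short comment stating that `event.module` is always overwritten and cannot be supplied by result data would make that invariant explicit for anyone writing detections on these fields. Note too that `evf` aliases the map already stored in `fields`, so the write mutates it in place; the body of `hitToEvent` starts and ends outside this hunk, so whether that map is shared with the caller's `hit` cannot be confirmed from here.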