Added support for collecting audit logs via API #13972
Conversation
There was a problem hiding this comment.
Is there a reason to use HTTP JSON here? We would prefer to move to CEL if there is no concrete reason to use this.
There was a problem hiding this comment.
Was not aware of that one. I'll get it switched over and fixed. Thank you!
| vars: | ||
| preserve_original_event: true | ||
| assert: | ||
| hit_count: 1 |
There was a problem hiding this comment.
Add final new line.
Also, testing should exercise pagination; at least a first, middle and end page, with the first and middle having more than one event.
| ] | ||
| } | ||
| `}} | ||
|
|
| show_user: false | ||
| description: >- | ||
| Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. | ||
|
|
| @@ -7,4 +7,4 @@ data_stream: | |||
| symlinks: false | |||
|
|
|||
| assert: | |||
| hit_count: 1 | |||
| hit_count: 1 | |||
There was a problem hiding this comment.
Final new line and pagination.
| @@ -7,4 +7,4 @@ data_stream: | |||
| symlinks: false | |||
|
|
|||
| assert: | |||
| hit_count: 1 | |||
| hit_count: 1 | |||
There was a problem hiding this comment.
Final new line and pagination.
| @@ -7,4 +7,4 @@ data_stream: | |||
| symlinks: false | |||
|
|
|||
| assert: | |||
| hit_count: 1 | |||
| hit_count: 1 | |||
There was a problem hiding this comment.
Final new line and pagination.
andrewkroh
added
Integration:swimlane
|
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations) |
Proposed commit message
Added support for collecting audit logs from Turbine via the audit logs API endpoint.
Checklist
changelog.ymlfile.Author's Checklist
How to test this PR locally
Screenshots