Skip to content

osquery_manager: update ECS mapping #16650

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
mmahacek wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

osquery_manager: update ECS mapping #16650

mmahacek wants to merge 2 commits into from
+37 −11

Conversation

@mmahacek
Copy link
Contributor

@mmahacek mmahacek commented Dec 19, 2025

A number of ECS fields are not defined within the integration field mapping, which is causing them to map as object instead of the expected nested type. These fields are:

dll.pe.sections
file.macho.sections
file.pe.sections
process.parent.macho.sections
process.parent.pe.sections
threat.enrichments.indicator.file.pe.sections
threat.indicator.file.pe.sections

Additionally, the integration defines an error field as text, however this conflicts with the ECS error field that is expected to be an object.

Proposed commit message

osquery_manager: update ECS mapping and rename error to error.message

Please explain:

  • WHAT: patterns used, algorithms implemented, design architecture, message processing, etc.
  • WHY: the rationale/motivation for the changes

This text will be pasted into the squash dialog when the change is committed and will be
a long term historical record of the change to help future contributors understand the
change, please help them by making it clear and comprehensive, they may be you.

If the commit title is adequate to describe both of these things, The text here may be omitted
or replaced with "See title". The title of the PR will be used as the commit message title when
the merge is made and the "See title" marker will be removed if present.

The text here and the PR title will be subject to the PR review process.
-->
Update ECS mapping for the osquery_manager.results datastream.
Update osquery_manager.action_responses ingest pipeline to rename error to error.message

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

  • [ ]

How to test this PR locally

There are no special tests to run outside of elastic-package test

Related issues

Screenshots
@mmahacek
osquery_manager: update ECS mapping
f656558 
Rename error to error.message
@mmahacek mmahacek self-assigned this Dec 19, 2025
@mmahacek mmahacek added bug Something isn't working, use only for issues enhancement New feature or request Integration:osquery_manager Osquery Manager labels Dec 19, 2025
@elasticmachine
Copy link

elasticmachine commented Dec 19, 2025
edited
Loading

💔 Build Failed

Failed CI Steps

History

cc @mmahacek
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bug Something isn't working, use only for issues enhancement New feature or request Integration:osquery_manager Osquery Manager

3 participants

@mmahacek @elasticmachine