Error in parsing of acknowledged field for Darktrace integration #11505
Labels
Integration:darktrace
Darktrace
Team:Security-Service Integrations
Security Service Integrations Team [elastic/security-service-integrations]
Hello,
While using the Darktrace integration for Elastic, we encountered several parsing errors while ingesting model breaches. These errors refer to the acknowledged field of the JSON stream, which is a JSON field with the following format:
However, as you can see in the lines below, this is treated as boolean:
https://github.com/elastic/integrations/blob/main/packages/darktrace/data_stream/model_breach_alert/elasticsearch/ingest_pipeline/default.yml#L493-L497
This parser seems quite off. The error messages we get are the following:
This value is useful; however, it does not add too much value, as it is only a snapshot of the model breach at the time of ingestion. As far as I know, Elastic Agent cannot update documents already ingested, and a breach that is not acknowledged on ingestion may be acknowledged later on, so by the time of query this field is already stale.
I suggest either removing it completely or fixing the parsing.
Thank you for the great integration,