
[windows] sysmon/operational registered_domain test failures #5958

@ebeahan

Description


Beginning with Elasticsearch 8.4, the pipeline tests for windows/forwarded test-sysmon-operational-events.json and windows/sysmon_operational test-events.json began to fail due to a change in the results returned by the registered_domain ingest processor.

Test failures:
Run pipeline tests for the package
--- Test results for package: windows - START ---
FAILURE DETAILS:
windows/forwarded test-sysmon-operational-events.json:
--- want
+++ got
@@ -847,8 +847,9 @@
                 ],
                 "question": {
                     "name": "confiant-integrations.global.ssl.fastly.net",
-                    "registered_domain": "confiant-integrations.global.ssl.fastly.net",
-                    "top_level_domain": "global.ssl.fastly.net"
+                    "registered_domain": "global.ssl.fastly.net",
+                    "subdomain": "confiant-integrations",
+                    "top_level_domain": "ssl.fastly.net"
                 },
                 "resolved_ip": [
                     "89.160.20.156",
@@ -2434,8 +2435,9 @@
                 ],
                 "question": {
                     "name": "clarium.freetls.fastly.net",
-                    "registered_domain": "clarium.freetls.fastly.net",
-                    "top_level_domain": "freetls.fastly.net"
+                    "registered_domain": "freetls.fastly.net",
+                    "subdomain": "clarium",
+                    "top_level_domain": "fastly.net"
                 },
                 "resolved_ip": [
                     "89.160.20.156",

windows/sysmon_operational test-events.json:
--- want
+++ got
@@ -723,8 +723,9 @@
                 ],
                 "question": {
                     "name": "confiant-integrations.global.ssl.fastly.net",
-                    "registered_domain": "confiant-integrations.global.ssl.fastly.net",
-                    "top_level_domain": "global.ssl.fastly.net"
+                    "registered_domain": "global.ssl.fastly.net",
+                    "subdomain": "confiant-integrations",
+                    "top_level_domain": "ssl.fastly.net"
                 },
                 "resolved_ip": [
                     "89.160.20.156",
@@ -2322,8 +2323,9 @@
                 ],
                 "question": {
                     "name": "clarium.freetls.fastly.net",
-                    "registered_domain": "clarium.freetls.fastly.net",
-                    "top_level_domain": "freetls.fastly.net"
+                    "registered_domain": "freetls.fastly.net",
+                    "subdomain": "clarium",
+                    "top_level_domain": "fastly.net"
                 },
                 "resolved_ip": [
                     "89.160.20.156",

It appears the registered_domain processor began extracting the subdomain field, which it had not been doing in ES 8.3 and earlier.
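As an added illustration (not Elastic's implementation of the processor), the following Python models the suffix-rule split that registered_domain performs, using two constructed rule sets chosen so that the two hostnames from the failing tests come out as the "want" and "got" values above. It shows why the expected values in a pipeline test are only as stable as the public-suffix rules the processor ships with; the rule sets are assumptions for the demonstration, not the lists shipped in any Elasticsearch release.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class DomainParts:
    domain: str
    top_level_domain: str
    registered_domain: str
    subdomain: str | None  # None models the field being absent from the document


def public_suffix(host: str, rules: set[str]) -> str:
    """Longest suffix of host matched by a rule ("fastly.net" or "*.ssl.fastly.net").

    Simplified public-suffix matching; exception ("!") rules are left out because
    none of the names in the test events need them (assumption).
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):            # longest candidate first
        candidate = ".".join(labels[i:])
        wildcard = ".".join(["*", *labels[i + 1:]])
        if candidate in rules or wildcard in rules:
            return candidate
    return labels[-1]                       # default rule: the final label is public


def split_domain(host: str, rules: set[str]) -> DomainParts | None:
    """Split host into TLD / registered domain / subdomain, registered_domain-style."""
    suffix = public_suffix(host, rules)
    if suffix == host.lower():
        return None                         # the name is itself a public suffix
    rest = host[: -(len(suffix) + 1)]       # strip ".<suffix>"
    sub, _, reg_label = rest.rpartition(".")
    return DomainParts(host, suffix, f"{reg_label}.{suffix}", sub or None)


# Constructed rule sets that reproduce the "want" and "got" values in the issue.
# They are NOT the suffix lists shipped in any Elasticsearch release.
RULES_WANT = {"net", "fastly.net", "*.ssl.fastly.net", "freetls.fastly.net"}
RULES_GOT = {"net", "fastly.net", "ssl.fastly.net"}

if __name__ == "__main__":
    for name in ("confiant-integrations.global.ssl.fastly.net",
                 "clarium.freetls.fastly.net"):
        print("want:", split_domain(name, RULES_WANT))
        print("got: ", split_domain(name, RULES_GOT))
```

A single extra wildcard rule is enough to move the boundary by one label, which is exactly the shape of the diff above; pinning expected values in test fixtures therefore ties the test to the suffix data of a specific release.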

Labels: Integration:windows, bug
