When adding event.dataset to a package in base-fields.yml, there is no check or lint that complains if the value is not "package.datastream". For example:
Package: panw_cortex_xdr, datastream: alerts
- name: event.dataset
  type: constant_keyword
  description: Event dataset
  value: panw_cortex.xdr
When starting the stack and testing the package manually, it complains that event.dataset is not set to panw_cortex_xdr.alerts. However, it would be nice to do this check already on build/lint; it saves time in the future and makes sure no human error might cause it (like I did).
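The build-time check requested above could look like the following Go function (an added example, not part of the original issue or of the project's own code). The Field type and checkEventDataset are hypothetical names, the field definitions are assumed to be already decoded from the fields YAML, and the expected value is assumed to be "<package>.<data stream>" as the issue describes; nested group definitions are handled as well as the dotted form.

```go
package main

import "fmt"

// Field mirrors the subset of a fields YAML entry this check needs
// (hypothetical type for this example; YAML decoding is left out).
type Field struct {
	Name   string
	Type   string
	Value  string
	Fields []Field // nested definitions under a "group" field
}

// checkEventDataset returns one error per event.dataset definition whose
// constant value differs from "<package>.<data stream>" (assumed convention).
func checkEventDataset(pkg, dataStream string, fields []Field) []error {
	expected := pkg + "." + dataStream
	var errs []error
	var walk func(prefix string, fs []Field)
	walk = func(prefix string, fs []Field) {
		for _, f := range fs {
			// Build the dotted name so "event" > "dataset" matches too.
			name := f.Name
			if prefix != "" {
				name = prefix + "." + f.Name
			}
			// A definition without a value is not a constant to compare.
			if name == "event.dataset" && f.Type == "constant_keyword" &&
				f.Value != "" && f.Value != expected {
				errs = append(errs, fmt.Errorf(
					"data stream %q: event.dataset is %q, expected %q",
					dataStream, f.Value, expected))
			}
			walk(name, f.Fields)
		}
	}
	walk("", fields)
	return errs
}

func main() {
	// Constructed input: the definition quoted in the issue.
	fields := []Field{{Name: "event.dataset", Type: "constant_keyword", Value: "panw_cortex.xdr"}}
	for _, err := range checkEventDataset("panw_cortex_xdr", "alerts", fields) {
		fmt.Println("lint:", err)
	}
}
```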