Add filebeat module autotest to check related.user field if user.name present

[leweafan]

Describe the enhancement:

Add filebeat module autotest to check related.user field if user.name present Sometimes field user.name present and related.user missing.

Describe a specific use case for the enhancement or feature:

Example RabbitMQ module. Check test.log-expected.json - user.name field present and related.user missing.

[jsoriano]

Hi @leweafan,

I am not sure if this field should be required in all modules. They probably need additional logic to find proper values, and maybe it doesn't make always sense to have it.

In the example of RabbitMQ, what values would you expect for related.user?

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[leweafan]

Hi @jsoriano! If we have *.ip field then there should exist related.ip field and if there is user.name field then related.user must exist. It's obvious from field description:

All the user names or other user identifiers seen on the event

In RabbitMQ case related.user = user.name

[jsoriano]

I see, you are right :+1: let's keep this open.

[botelastic[bot]]

Hi! We just realized that we haven't looked into this issue in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1. Thank you for your contribution!

[botelastic[bot]]

This issue doesn't have a Team:<team> label.