[Defend Workflows] [Osquery] Update field schemas (#150279)

2025-04-23 09:19:04 -04:00 · 2023-02-07 14:15:34 +01:00 · 2023-02-07 14:15:34 +01:00 · eabeb3f176
commit eabeb3f176
parent 807b402f0b
7 changed files with 14 additions and 7 deletions
--- a/x-pack/plugins/osquery/public/common/schemas/ecs/v8.5.0.json
+++ b/x-pack/plugins/osquery/public/common/schemas/ecs/v8.5.0.json
--- a/x-pack/plugins/osquery/public/common/schemas/ecs/v8.7.0.json
+++ b/x-pack/plugins/osquery/public/common/schemas/ecs/v8.7.0.json
--- a/x-pack/plugins/osquery/public/common/schemas/osquery/v5.5.1.json
+++ b/x-pack/plugins/osquery/public/common/schemas/osquery/v5.5.1.json
--- a/x-pack/plugins/osquery/public/common/schemas/osquery/v5.7.0.json
+++ b/x-pack/plugins/osquery/public/common/schemas/osquery/v5.7.0.json
--- a/x-pack/plugins/osquery/public/editor/osquery_tables.ts
+++ b/x-pack/plugins/osquery/public/editor/osquery_tables.ts
@ -17,7 +17,7 @@ let osqueryTables: TablesJSON | null = null;
 export const getOsqueryTables = () => {
  if (!osqueryTables) {
    // eslint-disable-next-line @typescript-eslint/no-var-requires
-    osqueryTables = normalizeTables(require('../common/schemas/osquery/v5.5.1.json'));
+    osqueryTables = normalizeTables(require('../common/schemas/osquery/v5.7.0.json'));
  }

  return osqueryTables;
--- a/x-pack/plugins/osquery/public/packs/queries/ecs_mapping_editor_field.tsx
+++ b/x-pack/plugins/osquery/public/packs/queries/ecs_mapping_editor_field.tsx
@ -48,8 +48,8 @@ import {
  convertECSMappingToArray,
  convertECSMappingToObject,
 } from '../../../common/schemas/common/utils';
-import ECSSchema from '../../common/schemas/ecs/v8.5.0.json';
-import osquerySchema from '../../common/schemas/osquery/v5.5.1.json';
+import ECSSchema from '../../common/schemas/ecs/v8.7.0.json';
+import osquerySchema from '../../common/schemas/osquery/v5.7.0.json';

 import { FieldIcon } from '../../common/lib/kibana';
 import { OsqueryIcon } from '../../components/osquery_icon';
--- a/x-pack/plugins/osquery/scripts/schema_formatter/ecs_formatter.ts
+++ b/x-pack/plugins/osquery/scripts/schema_formatter/ecs_formatter.ts
@ -40,12 +40,19 @@ const RESTRICTED_FIELDS = [

 run(
  async ({ flags }) => {
-    const schemaPath = path.resolve(`./public/common/schemas/ecs/`);
+    const schemaPath = path.resolve(`../../public/common/schemas/ecs/`);
    const schemaFile = path.join(schemaPath, flags.schema_version as string);
    const schemaData = await require(schemaFile);

+    const transformToLowerCase = (obj: Record<string, unknown>) =>
+      Object.fromEntries(Object.entries(obj).map(([key, val]) => [key.toLowerCase(), val]));
+
+    const schemaDataWithLowerCaseFieldNames = schemaData.map((obj: Record<string, unknown>) =>
+      transformToLowerCase(obj)
+    );
+
    const filteredSchemaData = filter(
-      schemaData,
+      schemaDataWithLowerCaseFieldNames,
      (field) => !RESTRICTED_FIELDS.includes(field.field)
    );
    const formattedSchema = map(filteredSchemaData, partialRight(pick, ECS_COLUMN_SCHEMA_FIELDS));