Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

Thanks for the ER @dkdavlar. I confirmed with Jamf that they only expose the OS number and we'll therefore have to do the normalisation on our end.

Our engineering team can look at what approach we can take, but will likely require a painless script in our pipeline to take the os.version ECS field and use those values to normalise the values to populate os.name. e.g. v15.* = Sequoia

For our engineering team's reference, here's the os version and OS names:

Thanks for looking into this @jamiehynds

Just to be clear, all I want is that Elastic normalize the version number so 15.1 becomes 15.1.0 (Or the other way around).

Ah, sorry. We can take a look as to how we'd manage that within the pipeline. Out of curiosity, would displaying the "friendly" OS name provide any value or you think the version numbers are typically ok?

Also having a field with the "friendly" name would also bring value for sure :)

Thanks for jumping on this one @efd6. Is it possible to also populate the os.full field based on converting the version numbers to "friendly" os name based on the table above?

Sure, I'll add that in.

Do we want that capitalisation, or lowercase?

Lowercase is probably easier when searching etc, so let's go with that.

@dkdavlar Please take a look at the PR.

@efd6 Looks good!