x-pack/filebeat/module/microsoft: drop empty api responses

This is a port of elastic/integrations#5164.
efd6 · Mar 22, 2023 · 140d22c · 140d22c
1 parent d8a9ec4
commit 140d22c
Show file tree

Hide file tree

Showing 6 changed files with 9 additions and 2 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -129,6 +129,7 @@ automatic splitting at root level, if root level element is an array. {pull}3415
 - Allow the `misp` fileset in the Filebeat `threatintel` module to ignore CIDR ranges for an IP field. {issue}29949[29949] {pull}34195[34195]
 - Remove incorrect reference to CEL ext extensions package. {issue}34610[34610] {pull}34620[34620]
 - Fix handling of RFC5988 links' relation parameters by `getRFC5988Link` in HTTPJSON. {issue}34603[34603] {pull}34622[34622]
+- Drop empty API response events for Microsoft module. {issue}34786[34786] {pull}34893[34893]
 
 *Auditbeat*
 

diff --git a/x-pack/filebeat/module/microsoft/defender_atp/config/atp.yml b/x-pack/filebeat/module/microsoft/defender_atp/config/atp.yml
@@ -29,6 +29,7 @@ request.transforms:
 
 response.split:
   target: body.value
+  ignore_empty_value: true
   split:
     target: body.evidence
     keep_parent: true

diff --git a/x-pack/filebeat/module/microsoft/defender_atp/ingest/pipeline.yml b/x-pack/filebeat/module/microsoft/defender_atp/ingest/pipeline.yml
@@ -1,6 +1,8 @@
 ---
 description: Pipeline for parsing microsoft atp logs
 processors:
+- drop:
+    if: ctx.json?.value != null && ctx.json.value.isEmpty()
 - set:
     field: event.ingested
     value: '{{_ingest.timestamp}}'

diff --git a/x-pack/filebeat/module/microsoft/m365_defender/config/defender.yml b/x-pack/filebeat/module/microsoft/m365_defender/config/defender.yml
@@ -24,6 +24,7 @@ request.transforms:
 
 response.split:
   target: body.value
+  ignore_empty_value: true
   split:
     target: body.alerts
     keep_parent: true

diff --git a/x-pack/filebeat/module/microsoft/m365_defender/ingest/pipeline.yml b/x-pack/filebeat/module/microsoft/m365_defender/ingest/pipeline.yml
@@ -1,6 +1,8 @@
 ---
 description: Pipeline for parsing microsoft atp logs
 processors:
+- drop:
+    if: ctx.json?.value != null && ctx.json.value.isEmpty()
 - set:
     field: event.ingested
     value: '{{_ingest.timestamp}}'

diff --git a/.../filebeat/module/microsoft/m365_defender/test/m365_defender-test.ndjson.log-expected.json b/.../filebeat/module/microsoft/m365_defender/test/m365_defender-test.ndjson.log-expected.json
@@ -31,7 +31,7 @@
         "microsoft.m365_defender.alerts.detectionSource": "WindowsDefenderAv",
         "microsoft.m365_defender.alerts.devices": [
             {
-                "deviceDnsName": "TestServer5",
+                "deviceDnsName": "TestServer4",
                 "firstSeen": "2020-06-30T08:55:08.8320449Z",
                 "healthStatus": "Inactive",
                 "mdatpDeviceId": "75a63a39f9bc5a964f417c11f6277d5bf9489f0d",
@@ -43,7 +43,7 @@
                 "version": "Other"
             },
             {
-                "deviceDnsName": "TestServer4",
+                "deviceDnsName": "TestServer5",
                 "firstSeen": "2020-06-30T08:55:08.8320449Z",
                 "healthStatus": "Inactive",
                 "mdatpDeviceId": "75a63a39f9bc5a964f417c11f6277d5bf9489f0d",