Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Prisma Cloud] Fix ingest pipeline processors with tags create_user_name_and_user_domain and convert_ip_address_to_ip that fails for some values #12752

Merged
merged 2 commits into from
Feb 13, 2025
Merged

[Prisma Cloud] Fix ingest pipeline processors with tags create_user_name_and_user_domain and convert_ip_address_to_ip that fails for some values #12752

merged 2 commits into from
Feb 13, 2025
+207 −3

Conversation

leandrojmp
Copy link
Contributor

Proposed commit message

This commits fix a dissect processor that uses the pattern %{user.name}@%{user.domain} on the field user.email, but the processor that creates the field user.email does not have a conditional to check if the value is indeed an email.

This also fix a convert processor the converts the field json.ipAddress into an IP Address, but this field sometimes is populate with a string value that makes reference to an internal IP Address used by Prisma Cloud.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Related issues

@leandrojmp leandrojmp requested a review from a team as a code owner February 12, 2025 17:26
efd6
efd6 reviewed Feb 12, 2025
View reviewed changes
Copy link
Contributor

@efd6 efd6 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add tests for the behaviour.

These will do:

diff --git a/packages/prisma_cloud/data_stream/audit/_dev/test/pipeline/test-audit.log b/packages/prisma_cloud/data_stream/audit/_dev/test/pipeline/test-audit.log
index ed7b90bb7d..e6081ba1c3 100644
--- a/packages/prisma_cloud/data_stream/audit/_dev/test/pipeline/test-audit.log
+++ b/packages/prisma_cloud/data_stream/audit/_dev/test/pipeline/test-audit.log
@@ -1 +1,5 @@
-{"timestamp":1693819702240,"user":"john.user@google.com","ipAddress":"81.2.69.142","actionType":"LOGIN","resourceName":"john.user@google.com","action":"'john.user@google.com'(with role 'System Admin':'System Admin') logged in via access key.","resourceType":"Login","result":"fail"}
\ No newline at end of file
+{"timestamp":1693819702240,"user":"john.user@google.com","ipAddress":"81.2.69.142","actionType":"LOGIN","resourceName":"john.user@google.com","action":"'john.user@google.com'(with role 'System Admin':'System Admin') logged in via access key.","resourceType":"Login","result":"fail"}
+{"timestamp":1693819702240,"user":"john.user@google.com","ipAddress":"RedLock Internal IP","actionType":"LOGIN","resourceName":"john.user@google.com","action":"'john.user@google.com'(with role 'System Admin':'System Admin') logged in via access key.","resourceType":"Login","result":"fail"}
+{"timestamp":1693819702240,"user":"john.user@google.com","actionType":"LOGIN","resourceName":"john.user@google.com","action":"'john.user@google.com'(with role 'System Admin':'System Admin') logged in via access key.","resourceType":"Login","result":"fail"}
+{"timestamp":1693819702240,"user":"john.user","ipAddress":"81.2.69.142","actionType":"LOGIN","resourceName":"john.user@google.com","action":"'john.user@google.com'(with role 'System Admin':'System Admin') logged in via access key.","resourceType":"Login","result":"fail"}
+{"timestamp":1693819702240,"ipAddress":"81.2.69.142","actionType":"LOGIN","resourceName":"john.user@google.com","action":"'john.user@google.com'(with role 'System Admin':'System Admin') logged in via access key.","resourceType":"Login","result":"fail"}

packages/prisma_cloud/changelog.yml Outdated Show resolved Hide resolved
packages/prisma_cloud/data_stream/audit/elasticsearch/ingest_pipeline/default.yml Outdated Show resolved Hide resolved
packages/prisma_cloud/data_stream/audit/elasticsearch/ingest_pipeline/default.yml Outdated Show resolved Hide resolved
@leandrojmp leandrojmp requested a review from efd6 February 12, 2025 23:31
@leandrojmp
Copy link
Contributor Author

@efd6 thanks!

just added the tests and made the suggested changes.

@efd6
Copy link
Contributor

efd6 commented Feb 13, 2025

/test

@elastic-vault-github-plugin-prod
Copy link

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@elastic-sonarqube Elastic SonarQube
Copy link

Quality Gate passed Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

@elasticmachine
Copy link

💚 Build Succeeded

efd6
efd6 approved these changes Feb 13, 2025
View reviewed changes
Copy link
Contributor

@efd6 efd6 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks

@efd6 efd6 merged commit 34075df into elastic:main Feb 13, 2025
6 checks passed
@elastic-vault-github-plugin-prod
Copy link

Package prisma_cloud - 2.0.1 containing this change is available at https://epr.elastic.co/package/prisma_cloud/2.0.1/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@efd6 efd6 efd6 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Prisma Cloud]: A dissect and a convert processor are failing because of incompatible values.
3 participants
@leandrojmp @efd6 @elasticmachine