Conversation

@chrisberkhout
Contributor

@chrisberkhout chrisberkhout commented Nov 20, 2024

Proposed commit message

[tanium] Fix handling of differently formatted data (#)

For the `threat_response` data stream:
- Handle `state` when it's parsed JSON (as well as when it's stringified JSON).
- Set `user.id` and `user.related` after processing 'User Id', so its value is used.
- Handle `Match Details` data in its own field (the same as when it's in an encoded payload).

For all data streams:
- Add processor tags and improve `on_failure` handling.

Discussion

This can be reviewed commit-by-commit.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices
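An illustrative ingest pipeline fragment, added here and not the integration's own pipeline, showing the shape of the fix described in the commit message: `state` is normalised whether it arrives as a JSON string or as an already-parsed object, `user.id` is derived only after that normalisation, and every processor carries a tag that the `on_failure` handler reports. The field name `tanium.threat_response.state.user_id` is an assumption.

```yaml
description: Illustrative pipeline fragment (assumed field names, not the integration's pipeline)
processors:
  # Case 1: `json.state` is a JSON string. Parse it into the target field.
  - json:
      tag: json_state
      field: json.state
      target_field: tanium.threat_response.state
      if: ctx.json?.state instanceof String
      on_failure:
        - append:
            field: error.message
            value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
  # Case 2: `json.state` is already a parsed object. Move it to the same target field.
  - rename:
      tag: rename_state
      field: json.state
      target_field: tanium.threat_response.state
      if: ctx.json?.state != null && !(ctx.json.state instanceof String)
      on_failure:
        - append:
            field: error.message
            value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
  # Only now is the user id read, so both input shapes feed the same ECS fields.
  # `tanium.threat_response.state.user_id` is an assumed name for the 'User Id' value.
  - set:
      tag: set_user_id
      field: user.id
      copy_from: tanium.threat_response.state.user_id
      if: ctx.tanium?.threat_response?.state?.user_id != null
  - append:
      tag: append_related_user
      field: related.user
      value: '{{{user.id}}}'
      allow_duplicates: false
      if: ctx.user?.id != null
# Pipeline-level handler: mark the event as a pipeline error and keep the original
# so a tagged failure above is visible in the index rather than silently dropped.
on_failure:
  - set:
      field: event.kind
      value: pipeline_error
  - append:
      field: tags
      value: preserve_original_event
      allow_duplicates: false
```

A tagged processor makes `_ingest.on_failure_processor_tag` meaningful, so `error.message` names which step failed instead of only the processor type.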
@chrisberkhout chrisberkhout added bugfix Pull request that fixes a bug issue Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] labels Nov 20, 2024
@chrisberkhout chrisberkhout self-assigned this Nov 20, 2024
@chrisberkhout chrisberkhout requested a review from a team as a code owner November 20, 2024 19:26
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@elastic-vault-github-plugin-prod

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

Contributor

@efd6 efd6 left a comment


Is there a test case that I'm missing that exercises the json.state instanceof String case?

@chrisberkhout
Contributor Author

Is there a test case that I'm missing that exercises the json.state instanceof String case?

@efd6 Yes, that's the existing case. There are 5 examples ("state":") in data_stream/threat_response/_dev/test/pipeline/test-threat-response.log.

@chrisberkhout chrisberkhout requested a review from efd6 November 21, 2024 06:55
Contributor

@efd6 efd6 left a comment


Thanks

@chrisberkhout chrisberkhout enabled auto-merge (squash) November 21, 2024 07:02
@chrisberkhout chrisberkhout merged commit fff365a into elastic:main Nov 21, 2024
4 checks passed
@elasticmachine

💚 Build Succeeded

History

  • 💚 Build #18516 succeeded 3501276e56e1a07a277039d7c3e0686bcbed7610

cc @chrisberkhout

@elastic-vault-github-plugin-prod

Package tanium - 1.10.2 containing this change is available at https://epr.elastic.co/package/tanium/1.10.2/

qcorporation pushed a commit that referenced this pull request Feb 3, 2025
For the `threat_response` data stream:
- Handle `state` when it's parsed JSON (as well as when it's stringified JSON).
- Set `user.id` and `user.related` after processing 'User Id', so its value is used.
- Handle `Match Details` data in its own field (the same as when it's in an encoded payload).

For all data streams:
- Add processor tags and improve `on_failure` handling.

---------

Co-authored-by: Dan Kortschak <dan.kortschak@elastic.co>
harnish-crest-data pushed a commit to chavdaharnish/integrations that referenced this pull request Feb 4, 2025
qcorporation pushed a commit that referenced this pull request Feb 4, 2025
harnish-crest-data pushed a commit to chavdaharnish/integrations that referenced this pull request Feb 5, 2025

Labels

bugfix Pull request that fixes a bug issue Integration:tanium Tanium Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations]

3 participants