From 9b47a639be25651da750a94a867a7661257ae9f6 Mon Sep 17 00:00:00 2001
From: Dan Kortschak
Date: Wed, 7 Feb 2024 07:07:52 +1030
Subject: [PATCH 1/2] ping_one: fix handling of potentially null method call receivers
---
 packages/ping_one/changelog.yml | 5 ++++
 .../elasticsearch/ingest_pipeline/default.yml | 30 +++++++++++--------
 packages/ping_one/manifest.yml | 2 +-
 3 files changed, 24 insertions(+), 13 deletions(-)
diff --git a/packages/ping_one/changelog.yml b/packages/ping_one/changelog.yml
index 4290a941d1..9c615eba15 100644
--- a/packages/ping_one/changelog.yml
+++ b/packages/ping_one/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.13.2"
+ changes:
+ - description: Fix ingest pipeline conditional field handling.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/9076
 - version: "1.13.1"
 changes:
 - description: Changed owners
diff --git a/packages/ping_one/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/ping_one/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
index 26f69500c9..0bbe9e8609 100644
--- a/packages/ping_one/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/ping_one/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
@@ -21,51 +21,57 @@ processors:
 value: [iam]
 - append:
 field: event.category
- if: ctx.json?.action?.type?.toLowerCase().contains('created') || ctx.json.action.type.toLowerCase().contains('deleted') || ctx.json.action.type.toLowerCase().contains('updated') || ctx.json.action.type.toLowerCase().contains('access_allowed')
+ if: >-
+ ctx.json?.action?.type != null && (
+ ctx.json.action.type.toLowerCase().contains('created') ||
+ ctx.json.action.type.toLowerCase().contains('deleted') ||
+ ctx.json.action.type.toLowerCase().contains('updated') ||
+ ctx.json.action.type.toLowerCase().contains('access_allowed')
+ )
 value: [configuration]
 - append:
 field: event.type
- if: ctx.json?.action?.type?.toLowerCase().contains('created')
+ if: ctx.json?.action?.type?.toLowerCase().contains('created') == true
 value: [creation]
 - append:
 field: event.type
- if: ctx.json?.action?.type?.toLowerCase().contains('deleted')
+ if: ctx.json?.action?.type?.toLowerCase().contains('deleted') == true
 value: [deletion]
 - append:
 field: event.type
- if: ctx.json?.action?.type?.toLowerCase().contains('updated')
+ if: ctx.json?.action?.type?.toLowerCase().contains('updated') == true
 value: [change]
 - append:
 field: event.type
- if: ctx.json?.action?.type?.toLowerCase().contains('user')
+ if: ctx.json?.action?.type?.toLowerCase().contains('user') == true
 value: [user]
 - append:
 field: event.type
- if: ctx.json?.action?.type?.toLowerCase().contains('group')
+ if: ctx.json?.action?.type?.toLowerCase().contains('group') == true
 value: [group]
 - append:
 field: event.type
- if: ctx.json?.action?.type?.toLowerCase().contains('allowed')
+ if: ctx.json?.action?.type?.toLowerCase().contains('allowed') == true
 value: [info]
 - append:
 field: event.type
- if: ctx.json?.action?.type?.toLowerCase().contains('denied')
+ if: ctx.json?.action?.type?.toLowerCase().contains('denied') == true
 value: [denied]
 - append:
 field: event.type
- if: ctx.json?.action?.type?.toLowerCase().contains('started')
+ if: ctx.json?.action?.type?.toLowerCase().contains('started') == true
 value: [start]
 - append:
 field: event.type
- if: ctx.json?.action?.type?.toLowerCase().contains('access_allowed')
+ if: ctx.json?.action?.type?.toLowerCase().contains('access_allowed') == true
 value: [access]
 - append:
 field: event.category
- if: ctx.json?.action?.type?.toLowerCase().contains('password.check_succeeded')
+ if: ctx.json?.action?.type?.toLowerCase().contains('password.check_succeeded') == true
 value: [authentication]
 - append:
 field: event.category
- if: ctx.json?.action?.type?.toLowerCase().contains('email')
+ if: ctx.json?.action?.type?.toLowerCase().contains('email') == true
 value: [email]
 - set:
 field: event.type
diff --git a/packages/ping_one/manifest.yml b/packages/ping_one/manifest.yml
index 81e8a60371..f9f7dd94aa 100644
--- a/packages/ping_one/manifest.yml
+++ b/packages/ping_one/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.0"
 name: ping_one
 title: PingOne
-version: "1.13.1"
+version: "1.13.2"
 description: Collect logs from PingOne with Elastic-Agent.
 type: integration
 categories:
From 5eb111077093968785e13578dc5e89af40faa27c Mon Sep 17 00:00:00 2001
From: Dan Kortschak
Date: Fri, 9 Feb 2024 08:49:46 +1030
Subject: [PATCH 2/2] address pr comment
---
 .../elasticsearch/ingest_pipeline/default.yml | 22 +++++++++----------
 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/packages/ping_one/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/ping_one/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
index 0bbe9e8609..c10a35aa0c 100644
--- a/packages/ping_one/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/ping_one/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
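Review bot: The new `ctx.json?.action?.type != null && (` guard on the first event.category condition establishes only that `type` is present, not that it is a string, so a non-string value in the incoming log would still fail at the `toLowerCase()` calls below it and, unless the pipeline has an on_failure handler (not visible in this hunk), the whole event would be rejected; `ctx.json?.action?.type instanceof String && (` would make the guard match what those calls actually require. The eleven single-line conditions have the same exposure, since `?.` only protects against a null receiver. Separately, the two idioms now side by side — an explicit null check with plain dereferences on the first condition, `?.` chains with `== true` on the others — make it harder to see that all twelve test the same property, so settling on one form would ease maintenance. The processors list this hunk sits in starts before the hunk.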
@@ -31,47 +31,47 @@ processors:
 value: [configuration]
 - append:
 field: event.type
- if: ctx.json?.action?.type?.toLowerCase().contains('created') == true
+ if: ctx.json?.action?.type?.toLowerCase()?.contains('created') == true
 value: [creation]
 - append:
 field: event.type
- if: ctx.json?.action?.type?.toLowerCase().contains('deleted') == true
+ if: ctx.json?.action?.type?.toLowerCase()?.contains('deleted') == true
 value: [deletion]
 - append:
 field: event.type
- if: ctx.json?.action?.type?.toLowerCase().contains('updated') == true
+ if: ctx.json?.action?.type?.toLowerCase()?.contains('updated') == true
 value: [change]
 - append:
 field: event.type
- if: ctx.json?.action?.type?.toLowerCase().contains('user') == true
+ if: ctx.json?.action?.type?.toLowerCase()?.contains('user') == true
 value: [user]
 - append:
 field: event.type
- if: ctx.json?.action?.type?.toLowerCase().contains('group') == true
+ if: ctx.json?.action?.type?.toLowerCase()?.contains('group') == true
 value: [group]
 - append:
 field: event.type
- if: ctx.json?.action?.type?.toLowerCase().contains('allowed') == true
+ if: ctx.json?.action?.type?.toLowerCase()?.contains('allowed') == true
 value: [info]
 - append:
 field: event.type
- if: ctx.json?.action?.type?.toLowerCase().contains('denied') == true
+ if: ctx.json?.action?.type?.toLowerCase()?.contains('denied') == true
 value: [denied]
 - append:
 field: event.type
- if: ctx.json?.action?.type?.toLowerCase().contains('started') == true
+ if: ctx.json?.action?.type?.toLowerCase()?.contains('started') == true
 value: [start]
 - append:
 field: event.type
- if: ctx.json?.action?.type?.toLowerCase().contains('access_allowed') == true
+ if: ctx.json?.action?.type?.toLowerCase()?.contains('access_allowed') == true
 value: [access]
 - append:
 field: event.category
- if: ctx.json?.action?.type?.toLowerCase().contains('password.check_succeeded') == true
+ if: ctx.json?.action?.type?.toLowerCase()?.contains('password.check_succeeded') == true
 value: [authentication]
 - append:
 field: event.category
- if: ctx.json?.action?.type?.toLowerCase().contains('email') == true
+ if: ctx.json?.action?.type?.toLowerCase()?.contains('email') == true
 value: [email]
 - set:
 field: event.type
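Review bot: The `== true` on each rewritten condition is load-bearing — with the full `?.` chain the expression evaluates to null rather than false when `json.action.type` is absent, and whether the ingest conditional treats null as an error or as false is exactly the detail the comparison sidesteps — but nothing in the file records that, so a later cleanup could drop it as redundant. A one-line YAML comment above the first rewritten `- append:` in this hunk would preserve the intent: `# type?.toLowerCase()?.contains() is null when json.action.type is missing; == true makes that a skipped processor rather than a script failure.` Worth noting too, though not introduced here, that the `'allowed'` and `'access_allowed'` substring checks both match an access_allowed type, so such events get both `[info]` and `[access]` appended to event.type. The first event.category condition, rewritten in the previous patch, sits just above this hunk and keeps its separate explicit null guard.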