[problemchild] Ensure event.kind is correctly set for pipeline errors (…

…#7501)
elastic · Aug 29, 2023 · 1c48a89 · 1c48a89
1 parent fcc5971
commit 1c48a89
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 3 deletions.
diff --git a/packages/problemchild/changelog.yml b/packages/problemchild/changelog.yml
@@ -1,3 +1,9 @@
+# newer versions go on top
+- version: "1.1.0"
+  changes:
+    - description: Ensure event.kind is correctly set for pipeline errors.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/7501
 - version: "1.0.1"
   changes:
     - description: Add the Advanced Analytics (UEBA) subcategory

diff --git a/packages/problemchild/elasticsearch/ingest_pipeline/problem_child_inference_pipeline.yml b/packages/problemchild/elasticsearch/ingest_pipeline/problem_child_inference_pipeline.yml
@@ -394,3 +394,10 @@ processors:
   - script:
       lang: painless
       source: ctx.entrySet().removeIf(field -> field.getKey() =~ /feature_.*/);ctx['problemchild'].remove('prediction_score');ctx['problemchild'].remove('model_id');
+on_failure:
+  - append:
+      field: event.kind
+      value: pipeline_error
+  - append:
+      field: error.message
+      value: '{{{ _ingest.on_failure_message }}}'
diff --git a/packages/problemchild/elasticsearch/ingest_pipeline/problem_child_ingest_pipeline.yml b/packages/problemchild/elasticsearch/ingest_pipeline/problem_child_ingest_pipeline.yml
@@ -5,6 +5,9 @@ processors:
       if: ctx.containsKey('event') && ctx['event'].containsKey('kind')  && ctx['event'].containsKey('category') && ctx['event']['kind'] == 'event' && ctx['event']['category'].contains('process') && ctx.containsKey('host') && ctx['host'].containsKey('os') && (ctx['host']['os'].containsKey('type') || ctx['host']['os'].containsKey('family') || ctx['host']['os'].containsKey('platform')) && (ctx['host']['os']['type'] == 'windows' || ctx['host']['os']['type'] == 'Windows' || ctx['host']['os']['family'] == 'windows' || ctx['host']['os']['family'] == 'Windows' || ctx['host']['os']['platform'] == 'windows' || ctx['host']['os']['platform'] == 'Windows')
       name: '{{ IngestPipeline "problem_child_inference_pipeline" }}'
 on_failure:
-  - set:
+  - append:
+      field: event.kind
+      value: pipeline_error
+  - append:
       field: error.message
-      value: '{{ _ingest.on_failure_message }}'
+      value: '{{{ _ingest.on_failure_message }}}'
diff --git a/packages/problemchild/manifest.yml b/packages/problemchild/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: problemchild
 title: "Living off the Land Attack Detection"
-version: 1.0.1
+version: 1.1.0
 license: basic
 description: "ML solution package to detect Living off the Land (LotL) attacks in your environment. Requires a Platinum subscription."
 type: integration