
[prisma_access] Remove CEF hyphen replace workaround #17986

Merged
andrewkroh merged 1 commit into elastic:main from andrewkroh:prisma_access/remove-cef-replace-workaround
Mar 24, 2026

Conversation

@andrewkroh (Member) commented Mar 24, 2026

Proposed commit message

Remove the three agent-side replace processors that normalized hyphenated CEF
field names (PanOSX-Forwarded-ForIP, PanOSX-Forwarded-For,
PanOSSplit-tunnelconfiguration) before decode_cef. The underlying decode_cef
bug (elastic/beats#40348) is fixed in Elastic Agent 8.16.0, so the minimum
kibana version is bumped to 8.16.0.

The normalization now happens in the ingest pipeline via rename processors,
keeping downstream field references unchanged.

The remaining replace processor for '\=' in URLs is retained with a
'when.contains' guard so it only runs when the message actually contains '\='.

Removing three of the four replace fields and adding the conditional avoids
unnecessary regex and event clone allocations on every event.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

  • [ ]

How to test this PR locally

Related issues

Screenshots

[Screenshot, 2026-03-24 00:57:20: heap-replace-processors]

Remove the three agent-side replace processors that normalized
hyphenated CEF field names (PanOSX-Forwarded-ForIP,
PanOSX-Forwarded-For, PanOSSplit-tunnelconfiguration) before
decode_cef. The underlying decode_cef bug (elastic/beats#40348)
is fixed in Elastic Agent 8.16.0, so the minimum kibana version
is bumped to 8.16.0.

The normalization now happens in the ingest pipeline via rename
processors, keeping downstream field references unchanged.

The remaining replace processor for '\=' in URLs is retained
with a 'when.contains' guard so it only runs when the message
actually contains '\='. In heap profiling, the four regex
replace processors accounted for 137 MB (10.4%) from
regexp.ReplaceAllString allocations, plus additional overhead
from event.Clone on every invocation due to fail_on_error.
Removing three of the four fields and adding the conditional
eliminates most of this cost.
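The configuration shape the description talks about, written out as an added example (this is not the PR's own diff or the package's files): the single remaining agent-side `replace` processor guarded by `when.contains` so the regex and the `fail_on_error` event clone only run for messages that contain `\=`, followed by `decode_cef`, and then ingest-pipeline `rename` processors that move the hyphenated extension keys to unhyphenated names. The `replacement` value, the `\\=` pattern and the `target_field` names (`PanOSXForwardedForIP`, `PanOSXForwardedFor`, `PanOSSplittunnelconfiguration`) are assumptions for illustration; the field names `PanOSX-Forwarded-ForIP`, `PanOSX-Forwarded-For` and `PanOSSplit-tunnelconfiguration` and the `cef.extensions` prefix come from the PR text and decode_cef's default layout.

```yaml
# --- Elastic Agent input processors (added example, assumptions marked) ---
processors:
  # Only messages that actually contain the '\=' sequence go through the
  # regex; every other event skips the replace processor entirely, so no
  # regexp.ReplaceAllString work and no event.Clone for fail_on_error.
  - replace:
      when:
        contains:
          message: '\='
      fields:
        - field: message
          pattern: '\\='        # assumption: literal backslash-equals
          replacement: '='      # assumption: what the workaround substitutes
      ignore_missing: true
  # decode_cef places extension key/value pairs under cef.extensions.*
  - decode_cef:
      field: message
      target_field: cef

# --- Ingest pipeline (added example, assumptions marked) ---
# The hyphen normalization that used to be done by three agent-side replace
# processors now happens here, so downstream field references keep working.
# target_field names are assumed; only the source keys are from the PR.
ingest_pipeline:
  processors:
    - rename:
        field: cef.extensions.PanOSX-Forwarded-ForIP
        target_field: cef.extensions.PanOSXForwardedForIP
        ignore_missing: true
    - rename:
        field: cef.extensions.PanOSX-Forwarded-For
        target_field: cef.extensions.PanOSXForwardedFor
        ignore_missing: true
    - rename:
        field: cef.extensions.PanOSSplit-tunnelconfiguration
        target_field: cef.extensions.PanOSSplittunnelconfiguration
        ignore_missing: true
```

`ignore_missing: true` on each `rename` matters: most events carry none of these keys, and without it the pipeline would fail those events rather than pass them through unchanged.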
@elasticmachine

💚 Build Succeeded

@andrewkroh andrewkroh marked this pull request as ready for review March 24, 2026 04:59
@andrewkroh andrewkroh requested a review from a team as a code owner March 24, 2026 04:59
@andrewkroh andrewkroh added Integration:prisma_access Palo Alto Prisma Access Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] labels Mar 24, 2026
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@andrewkroh andrewkroh merged commit 3ec6d0a into elastic:main Mar 24, 2026
10 checks passed
andrewkroh added a commit to andrewkroh/integrations that referenced this pull request Mar 24, 2026
The changelog entry and version bump were omitted from elastic#17986.
andrewkroh added a commit that referenced this pull request Mar 24, 2026
The changelog entry and version bump were omitted from #17986.
@elastic-vault-github-plugin-prod

Package prisma_access - 1.7.0 containing this change is available at https://epr.elastic.co/package/prisma_access/1.7.0/
