[Recorded Future] Fix mapping for primary_entity #18325

Merged: moxarth-rathod merged 3 commits into elastic:main from moxarth-rathod:recorded-future-fix on Apr 10, 2026


@moxarth-rathod moxarth-rathod commented Apr 10, 2026

Proposed commit message

ti_recordedfuture: Fix mapping for primary_entity and use_case_deprecation

primary_entity is an object and was wrongly mapped as keyword.
To fix this, add primary_entity.id, primary_entity.name, and primary_entity.type
in fields.yml. No pipeline changes are needed, as all fields are keyword and
the JSON is mapped directly to recordedfuture.triggered_alert.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Related issues

@moxarth-rathod moxarth-rathod self-assigned this Apr 10, 2026
@moxarth-rathod moxarth-rathod requested a review from a team as a code owner April 10, 2026 10:44
@moxarth-rathod moxarth-rathod added the Integration:ti_recordedfuture, bugfix, Team:Security-Service Integrations, and Team:SDE-Crest labels Apr 10, 2026

cla-checker-service bot commented Apr 10, 2026

💚 CLA has been signed

@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)


github-actions bot commented Apr 10, 2026

✅ Vale Linting Results

No issues found on modified lines!


The Vale linter checks documentation changes against the Elastic Docs style guide.

To use Vale locally or report issues, refer to Elastic style guide for Vale.

@elastic-vault-github-plugin-prod

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@andrewkroh andrewkroh added the documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. label Apr 10, 2026

@kcreddy kcreddy left a comment

From the issue follow-up comments:

recordedfuture.triggered_alert itself is currently mapped as a group (object), but one nested field appears mismatched: recordedfuture.triggered_alert.rule.use_case_deprecation is mapped as keyword while test/sample payloads provide an object ({"description": null}), which can trigger mapping conflicts.
Recommendation
Update recordedfuture.triggered_alert.rule.use_case_deprecation from keyword to group and define its child field(s), then regenerate package docs/assets and run package validation tests.

Can you fix this as well?
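
The mismatch discussed in this review (a field declared as keyword while payloads carry an object) can be checked mechanically before release. The following is an added example, not code from this PR or from the integrations repository: the field trees and the sample payload are constructed from the names mentioned in the thread, the `description` child type is an assumption, and `flatten_mapping` / `find_conflicts` are hypothetical helper names.

```python
# Added example: FIELDS_* and SAMPLE are constructed, not the package's own files.
OBJECT_TYPES = {"group", "object", "nested", "flattened"}

def kw(*names):
    return [{"name": n, "type": "keyword"} for n in names]

def package(primary_entity, use_case_deprecation):
    return [{"name": "recordedfuture.triggered_alert", "type": "group", "fields": [
        primary_entity,
        {"name": "rule", "type": "group", "fields": [use_case_deprecation]},
    ]}]

FIELDS_BEFORE = package({"name": "primary_entity", "type": "keyword"},
                        {"name": "use_case_deprecation", "type": "keyword"})
FIELDS_AFTER = package(
    {"name": "primary_entity", "type": "group", "fields": kw("id", "name", "type")},
    # Child type assumed to be keyword; the thread only shows {"description": null}.
    {"name": "use_case_deprecation", "type": "group", "fields": kw("description")})
SAMPLE = {"recordedfuture": {"triggered_alert": {
    "primary_entity": {"id": "constructed-id", "name": "example.test", "type": "ExampleType"},
    "rule": {"use_case_deprecation": {"description": None}},
}}}

def flatten_mapping(fields, prefix=""):
    """Return {dotted.path: type} for every field definition, groups included."""
    out = {}
    for f in fields:
        path = prefix + f["name"]
        out[path] = f["type"]
        out.update(flatten_mapping(f.get("fields", []), path + "."))
    return out

def find_conflicts(fields, doc):
    """List (path, mapped_type, seen_shape) where the document contradicts the mapping."""
    mapping, conflicts = flatten_mapping(fields), []
    def walk(value, path):
        mapped = mapping.get(path)
        if isinstance(value, dict):
            if mapped is not None and mapped not in OBJECT_TYPES:
                conflicts.append((path, mapped, "object"))  # leaf type fed an object
                return
            for key, child in value.items():
                walk(child, f"{path}.{key}" if path else key)
        elif mapped in OBJECT_TYPES and value is not None:
            conflicts.append((path, mapped, type(value).__name__))  # object fed a scalar
    walk(doc, "")
    return conflicts

if __name__ == "__main__":
    print(find_conflicts(FIELDS_BEFORE, SAMPLE))
```

Run against the "before" tree, the check reports both fields raised in this thread; against the "after" tree it reports nothing.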

@moxarth-rathod moxarth-rathod requested a review from kcreddy April 10, 2026 12:28

@kcreddy kcreddy left a comment

LGTM, after updating the commit message as well (include use_case_deprecation).

@moxarth-rathod moxarth-rathod enabled auto-merge (squash) April 10, 2026 12:34
@elasticmachine

💚 Build Succeeded

History

cc @moxarth-rathod

@moxarth-rathod moxarth-rathod merged commit 644b111 into elastic:main Apr 10, 2026
11 checks passed
@elastic-vault-github-plugin-prod

Package ti_recordedfuture - 2.4.2 containing this change is available at https://epr.elastic.co/package/ti_recordedfuture/2.4.2/

Development

Successfully merging this pull request may close these issues.

ti_recordedfuture: triggered_alert field is incorrectly mapped as keyword
