
prisma_access: fix wildfire file.name mapping for events with CEF header name #18695

Merged
kcreddy merged 2 commits into elastic:main from kcreddy:prisma_access-bug-file.name
Apr 29, 2026

Conversation

@kcreddy (Contributor) commented Apr 29, 2026

Proposed commit message

prisma_access: fix wildfire file.name mapping for events with CEF header name

The wildfire-specific processors that map the CEF request field to
file.name instead of url.full only checked cef.extensions.Name. Real
customer logs carry the event name in the CEF header (cef.name), not
as an extension field. The conditions now check both locations so the
mapping works regardless of where the CEF parser places the name.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

Pipeline tests run successfully populating file.name and not url.* fields
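To make the two event shapes described above concrete, here is an added Python example. It is not code from the prisma_access package or from this PR (the integration's processors are Elasticsearch ingest pipeline definitions, which are not shown on this page). It parses a CEF line into header fields and extensions, then applies the routing of the CEF `request` extension the way the commit message describes it before the fix (condition on `cef.extensions.Name` only) and after (condition on `cef.extensions.Name` or the header `cef.name`). The three sample events are constructed, and the assumption that the wildfire check is a case-insensitive substring match on "wildfire" against the event name is mine; the real processor's condition and any field names beyond `cef.name`, `cef.extensions.Name`, `url.full` and `file.name` are not on this page.

```python
import re
from typing import Any, Dict

# CEF header layout (ArcSight CEF):
#   CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
# A literal '|' inside a header field is escaped as '\|', a literal '=' inside an
# extension value as '\=', and '\' itself as '\\'.
_HEADER_SPLIT = re.compile(r"(?<!\\)\|")
# An extension key is a run of key characters immediately followed by an unescaped
# '=', at the start of the extension block or after whitespace. Splitting only on
# " key=" keeps values that contain spaces (e.g. rt=Apr 29 2026 11:46:00) intact.
_EXT_KEY = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")


def _unescape(value: str) -> str:
    return value.replace(r"\|", "|").replace(r"\=", "=").replace("\\\\", "\\")


def parse_extensions(block: str) -> Dict[str, str]:
    """Split the CEF extension block into key/value pairs."""
    keys = list(_EXT_KEY.finditer(block))
    out: Dict[str, str] = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(block)
        out[m.group(1)] = _unescape(block[m.end():end].strip())
    return out


def parse_cef(line: str) -> Dict[str, Any]:
    """Parse one CEF line into a dict shaped like the cef.* fields the PR refers to."""
    parts = _HEADER_SPLIT.split(line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record: %r" % line)
    return {
        "version": parts[0][len("CEF:"):],
        "device": {"vendor": _unescape(parts[1]), "product": _unescape(parts[2]),
                   "version": _unescape(parts[3])},
        "signature_id": _unescape(parts[4]),
        "name": _unescape(parts[5]),               # cef.name: the header Name field
        "severity": parts[6],
        "extensions": parse_extensions(parts[7]),  # cef.extensions.*
    }


# ASSUMPTION (not taken from the page): the wildfire check is a case-insensitive
# substring match on "wildfire" against the event name.
_WILDFIRE = re.compile("wildfire", re.IGNORECASE)


def is_wildfire_event(cef: Dict[str, Any], check_header: bool) -> bool:
    """check_header=False: pre-fix condition, cef.extensions.Name only.
    check_header=True: fixed condition, cef.extensions.Name or header cef.name."""
    candidates = [cef["extensions"].get("Name")]
    if check_header:
        candidates.append(cef.get("name"))
    return any(n is not None and _WILDFIRE.search(n) for n in candidates)


def map_request(cef: Dict[str, Any], check_header: bool) -> Dict[str, Any]:
    """Route the CEF 'request' extension to file.name for wildfire events, url.full otherwise."""
    request = cef["extensions"].get("request")
    if request is None:
        return {}
    if is_wildfire_event(cef, check_header):
        return {"file": {"name": request}}
    return {"url": {"full": request}}


# Constructed sample events (synthetic, not customer logs).
# 1. Event name carried in the CEF header, the shape the PR says real logs have.
HEADER_NAME_EVENT = (
    "CEF:0|Palo Alto Networks|Prisma Access|1.0|wildfire|WILDFIRE|3|"
    "rt=Apr 29 2026 11:46:00 src=10.0.0.5 dst=203.0.113.9 request=invoice_2026.pdf act=alert"
)
# 2. Event name carried as an extension field, the only shape the old condition handled.
EXT_NAME_EVENT = (
    "CEF:0|Palo Alto Networks|Prisma Access|1.0|wildfire|THREAT|3|"
    "Name=WildFire src=10.0.0.5 request=invoice_2026.pdf"
)
# 3. Non-wildfire event whose request is a URL; the '=' in the query string is CEF-escaped.
URL_EVENT = (
    "CEF:0|Palo Alto Networks|Prisma Access|1.0|url|URL|2|"
    r"src=10.0.0.5 request=http://example.invalid/dl?id\=42"
)

if __name__ == "__main__":
    for label, line in [("header name", HEADER_NAME_EVENT),
                        ("extension name", EXT_NAME_EVENT),
                        ("url", URL_EVENT)]:
        cef = parse_cef(line)
        print(label, "| before fix:", map_request(cef, check_header=False),
              "| after fix:", map_request(cef, check_header=True))
```

Running the script shows the header-name event landing in `url.full` under the old condition and in `file.name` under the fixed one, while the extension-name event and the plain URL event are routed the same way before and after. The practical takeaway for pipeline tests is to keep one sample event of each shape, so that a future change to the CEF parser that moves the name between header and extension cannot silently regress the mapping again.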

kcreddy added 2 commits April 29, 2026 11:46
…der name

@kcreddy kcreddy self-assigned this Apr 29, 2026
@kcreddy kcreddy added labels Apr 29, 2026: bugfix (Pull request that fixes a bug issue), Team:Security-Service Integrations (Security Service Integrations team [elastic/security-service-integrations]), Integration:prisma_access (Palo Alto Prisma Access)
@kcreddy kcreddy marked this pull request as ready for review April 29, 2026 06:18
@kcreddy kcreddy requested a review from a team as a code owner April 29, 2026 06:18
@infra-vault-gh-plugin-prod

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@elastic-vault-github-plugin-prod

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@elasticmachine

💚 Build Succeeded

cc @kcreddy

@bhapas (Contributor) left a comment

LGTM

@kcreddy kcreddy merged commit 9798dcc into elastic:main Apr 29, 2026
9 checks passed
@elastic-vault-github-plugin-prod

Package prisma_access - 1.7.3 containing this change is available at https://epr.elastic.co/package/prisma_access/1.7.3/
