f5_bigip: handle Bot Defense and DoS event with quoted device_product value#18890

Merged
efd6 merged 2 commits into elastic:main from efd6:e27973-f5_bigip on May 14, 2026

Conversation

@efd6
Contributor

@efd6 efd6 commented May 8, 2026

Proposed commit message

f5_bigip: handle Bot Defense and DoS event with quoted device_product value

Sometimes, this is quoted, so extend the pattern match for the pipeline
routing to handle that.

Note

🎁

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

  • [ ]

How to test this PR locally

Related issues

Screenshots

@efd6 efd6 self-assigned this May 8, 2026
@efd6 efd6 added enhancement New feature or request Integration:f5_bigip F5 BIG-IP Team:Integration-Experience Security Integrations Integration Experience [elastic/integration-experience] labels May 8, 2026
@efd6 efd6 force-pushed the e27973-f5_bigip branch from 38c95e2 to 28af5f9 May 8, 2026 07:45
@elastic-vault-github-plugin-prod

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@efd6 efd6 marked this pull request as ready for review May 8, 2026 08:42
@efd6 efd6 requested a review from a team as a code owner May 8, 2026 08:42
@infra-vault-gh-plugin-prod

Pinging @elastic/integration-experience (Team:Integration-Experience)

value_split: =
target_field: kv
if: ctx.event.original.contains('device_product=ASM')
if: ctx.event.original.contains('device_product=ASM') || ctx.event.original.contains('device_product="ASM"')
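Review bot: widening the condition in the second line to also accept device_product="ASM" fixes the routing, but the kv processor it guards (value_split: =, target_field: kv) still copies the quoted token verbatim, so a quoted record lands in kv.device_product as "ASM" with literal quotes rather than ASM. Add `strip_brackets: true` to that processor so the quoted and bare forms normalize to the same value, as the first KV processor already does, and update the pipeline test fixture that still asserts on the quoted value.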
Contributor

Suggested change
if: ctx.event.original.contains('device_product=ASM') || ctx.event.original.contains('device_product="ASM"')
strip_brackets: true
if: ctx.event.original.contains('device_product=ASM') || ctx.event.original.contains('device_product="ASM"')

To ensure device_product="ASM" is parsed as ASM (not "ASM" with literal quotes). It also matches the first KV processor's behavior

@efd6 efd6 requested a review from haetamoudi May 14, 2026 09:51
@github-actions
Contributor

TL;DR

f5_bigip CI is failing in pipeline tests after normalizing DoS kv parsing with strip_brackets: true. That change now strips quotes from device_product="ASM", but the expected pipeline fixture still asserts the old quoted value.

Remediation

  • Update packages/f5_bigip/data_stream/log/_dev/test/pipeline/test-pipeline-bigip-dos-and-bot.log-expected.json for the quoted DoS sample to match normalized output ("ASM" -> ASM) in:
    • f5_bigip.log.device.product (currently at line 351)
    • observer.product (currently at line 412)
  • Re-run the package check for f5_bigip (same Buildkite step: .buildkite/scripts/test_one_package.sh packages/f5_bigip origin/main 2e9f3dafda25696deea7378c855d4425c059eb7c).
Investigation details

Root Cause

The last PR commit (2e9f3dafda25696deea7378c855d4425c059eb7c) changed the DoS KV processor in packages/f5_bigip/data_stream/log/elasticsearch/ingest_pipeline/pipeline_bigip_bot_and_dos.yml:

  • line 19: strip_brackets: true added
  • line 20: condition expanded to include device_product="ASM"

With strip_brackets: true, the parsed value for quoted inputs is normalized to ASM (without embedded quotes). The fixture file still expects "ASM" for the quoted test record.

Evidence

  • Build: https://buildkite.com/elastic/integrations/builds/42837
  • Job/step: Check integrations f5_bigip
  • Key log excerpt:
    • --- [f5_bigip] failed
    • 🚨 Error: The command exited with status 1
  • Code evidence:
    • packages/f5_bigip/data_stream/log/elasticsearch/ingest_pipeline/pipeline_bigip_bot_and_dos.yml:19-20
    • packages/f5_bigip/data_stream/log/_dev/test/pipeline/test-pipeline-bigip-dos-and-bot.log-expected.json:351
    • packages/f5_bigip/data_stream/log/_dev/test/pipeline/test-pipeline-bigip-dos-and-bot.log-expected.json:412

Verification

  • Not run in this environment: the repository Buildkite wrapper depends on CI env vars/tools (.buildkite/scripts/common.sh failed locally with YQ_VERSION: unbound variable).

Follow-up

If quote-preserving behavior is intentional, remove strip_brackets: true instead and keep fixture expectations unchanged.

Note

🔒 Integrity filter blocked 4 items

The following items were blocked because they don't meet the GitHub integrity level.

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

From workflow: PR Buildkite Detective

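The reviewer's strip_brackets suggestion and the CI failure it triggered both come down to one detail of the kv processor: whether surrounding quotes are kept as part of the extracted value. The following is an added example, not code from elastic/integrations or the f5_bigip package. It models only the kv semantics that matter here (split on a field separator, split each pair once on value_split, optionally strip one layer of surrounding brackets or quotes) plus the routing condition before and after this PR, and runs both over two constructed sample lines. The field separator (a single space) is an assumption, since the PR only shows value_split; the sample lines are constructed, not F5 BIG-IP captures.

```python
"""Added example (not code from elastic/integrations or the f5_bigip package).

Models two things discussed in the PR:
  1. the pipeline routing condition on event.original, before and after
     the change, and
  2. kv value extraction with and without strip_brackets, which is why the
     pipeline-test fixture had to change from "ASM" to ASM.
"""

# Constructed sample event.original values (not captured device output).
SAMPLE_BARE = "device_vendor=F5 device_product=ASM attack_type=DoS"
SAMPLE_QUOTED = 'device_vendor="F5" device_product="ASM" attack_type="DoS"'

# Bracket/quote pairs that the kv processor's strip_brackets option removes.
_BRACKET_PAIRS = {'"': '"', "'": "'", "(": ")", "<": ">", "[": "]"}


def kv_parse(text, field_split=" ", value_split="=", strip_brackets=False):
    """Split text into a dict the way a kv processor with these options would.

    field_split=" " is an assumption for this demo (the PR shows only
    value_split). With strip_brackets=True a value such as "ASM" becomes ASM;
    with the default False the quotes stay part of the value.
    """
    parsed = {}
    for pair in text.split(field_split):
        if value_split not in pair:
            continue  # tokens without a separator are ignored
        key, value = pair.split(value_split, 1)
        if strip_brackets and len(value) >= 2 and _BRACKET_PAIRS.get(value[0]) == value[-1]:
            value = value[1:-1]
        parsed[key] = value
    return parsed


def routes_to_bot_and_dos_old(event_original):
    """Routing condition before the PR: only the bare form matches."""
    return "device_product=ASM" in event_original


def routes_to_bot_and_dos_new(event_original):
    """Routing condition after the PR: bare or double-quoted form matches."""
    return ("device_product=ASM" in event_original
            or 'device_product="ASM"' in event_original)


def device_product(event_original, strip_brackets):
    """Value the kv processor would place in kv.device_product."""
    return kv_parse(event_original, strip_brackets=strip_brackets).get("device_product")


def fixture_mismatch(event_original, expected_value, strip_brackets):
    """True when the parsed value disagrees with a pipeline-test expectation.

    This is the CI failure described above: the fixture still expected the
    quoted string "ASM" after strip_brackets was turned on.
    """
    return device_product(event_original, strip_brackets) != expected_value


if __name__ == "__main__":
    for sample in (SAMPLE_BARE, SAMPLE_QUOTED):
        print(sample)
        print("  routed (old condition):", routes_to_bot_and_dos_old(sample))
        print("  routed (new condition):", routes_to_bot_and_dos_new(sample))
        print("  device_product, strip_brackets=false:", device_product(sample, False))
        print("  device_product, strip_brackets=true: ", device_product(sample, True))
```

Running it shows the quoted sample is not routed by the old condition at all, and that once it is routed, only strip_brackets=true yields the same ASM value as the bare form; with the option off the field carries the quotes, which is what the stale fixture was asserting.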

@efd6 efd6 force-pushed the e27973-f5_bigip branch from 2e9f3da to d15d9b1 May 14, 2026 10:26
@elasticmachine

💚 Build Succeeded

History

cc @efd6

@efd6 efd6 merged commit 143bb68 into elastic:main May 14, 2026
8 checks passed
@elastic-vault-github-plugin-prod

Package f5_bigip - 1.28.0 containing this change is available at https://epr.elastic.co/package/f5_bigip/1.28.0/
