mimecast: fix source.domain collision for av events in siem_logs #19344

Merged: efd6 merged 1 commit into elastic:main from efd6:19032-mimecast on Jun 3, 2026
Conversation

efd6 (Contributor) commented Jun 3, 2026

Proposed commit message

mimecast: fix source.domain collision for av events in siem_logs

The v2 pipeline incorrectly renamed mimecast.senderDomainInternal
(a boolean indicator) to source.domain. When av events also contained
mimecast.senderDomain, the later rename to the same target field
failed with "field [source.domain] already exists".

Replace the rename with a boolean convert that keeps the field in the
mimecast namespace. Add av-type test events modelled on the sample
event from #19032, adapted to use the same account, domains, and
GeoIP test IPs as the existing v2 test data.

Fixes #19032

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

  • [ ]

How to test this PR locally

Related issues

Screenshots

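The collision described in the commit message, shown as two illustrative Elasticsearch ingest pipeline fragments side by side. This is an added example, not the mimecast integration's own `default.yml`; the processor order, the `ignore_missing` flags and the sample event are assumptions, and only the two field names, the target `source.domain` and the rename error text come from the PR.

```yaml
# Illustrative ingest pipeline fragments (assumed layout, not the
# integration's real pipeline file).

# --- BEFORE: two rename processors share the target source.domain -------
# mimecast.senderDomainInternal is a yes/no indicator, not a domain name.
# On events that carry only one of the two source fields the chain works;
# on av events both are present, so the second rename finds source.domain
# already populated and the rename processor fails with
# "field [source.domain] already exists", which aborts the pipeline.
processors:
  - rename:
      field: mimecast.senderDomainInternal
      target_field: source.domain
      ignore_missing: true
  - rename:
      field: mimecast.senderDomain
      target_field: source.domain
      ignore_missing: true
---
# --- AFTER: keep the indicator in the mimecast namespace as a boolean ---
# convert with type: boolean accepts "true"/"false" (case-insensitive) or
# an existing boolean and rewrites the value in place, so source.domain is
# now written exactly once, from mimecast.senderDomain.
processors:
  - convert:
      field: mimecast.senderDomainInternal
      type: boolean
      ignore_missing: true
  - rename:
      field: mimecast.senderDomain
      target_field: source.domain
      ignore_missing: true
---
# Constructed av-style document (not the #19032 sample) for the
# _ingest/pipeline/_simulate API: it triggers the collision in the BEFORE
# pipeline and passes the AFTER pipeline with
# mimecast.senderDomainInternal: false and source.domain: example.com.
docs:
  - _source:
      mimecast:
        senderDomain: example.com
        senderDomainInternal: "false"
```

When checking a fix like this, simulate the pipeline with an event that carries both source fields, since an event with only one of them never reaches the failing rename and would pass either version.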
@efd6 efd6 self-assigned this Jun 3, 2026
@efd6 efd6 added Integration:mimecast Mimecast (Partner supported) bugfix Pull request that fixes a bug issue Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] labels Jun 3, 2026
@efd6 efd6 force-pushed the 19032-mimecast branch from 428bbda to a3649b7 Compare June 3, 2026 03:59
github-actions bot commented Jun 3, 2026

✅ Elastic Docs Style Checker (Vale)

No issues found on modified lines!


The Vale linter checks documentation changes against the Elastic Docs style guide. To use Vale locally or report issues, refer to Elastic style guide for Vale.

github-actions bot commented Jun 3, 2026

TL;DR

Check integrations mimecast failed because packages/mimecast/docs/README.md is stale relative to generated docs. Update/regenerate the README and push the docs change.

Remediation

  • Regenerate package docs and commit the updated packages/mimecast/docs/README.md (the failing row is mimecast.senderDomainInternal).
  • Re-run the package check for mimecast (same step Buildkite runs) to confirm the README is in sync.

Investigation details

Root Cause

The failure is a docs drift check (README.md is outdated) rather than a runtime/test logic issue. The generated README expects:

| mimecast.senderDomainInternal | Whether the sender domain is a registered internal domain. | keyword |

but the committed docs currently contain:

| mimecast.senderDomainInternal | The sender domain is a registered internal domain. | keyword |

This mismatch is in packages/mimecast/docs/README.md:858, and it causes elastic-package readme-sync validation to fail.

Evidence

README.md is outdated. Rebuild the package with 'elastic-package build'
@@ -857,3 +857,3 @@
-| mimecast.senderDomainInternal | The sender domain is a registered internal domain. | keyword |
+| mimecast.senderDomainInternal | Whether the sender domain is a registered internal domain. | keyword |
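Review bot: the `+` line still types `mimecast.senderDomainInternal` as `keyword`, while the PR's commit message says the pipeline now converts this field to a boolean; the generated README comes from packages/mimecast/data_stream/siem_logs/fields/field.yml, so if that definition is left as keyword the boolean written by the convert processor will be indexed as the strings "true"/"false" rather than as a boolean, a type mismatch between pipeline and mapping. Suggest changing the field to `type: boolean` alongside the new "Whether the sender domain is a registered internal domain." description and regenerating the README with `elastic-package build` rather than editing README.md:858 by hand.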
Error: checking package failed: checking readme files are up-to-date failed: files do not match

Verification

  • Not run in this detective workflow (read-only analysis).

Follow-up

  • If you intentionally want the old wording, align the source field description in packages/mimecast/data_stream/siem_logs/fields/field.yml and regenerate docs so both files match.

From workflow: PR Buildkite Detective

The v2 pipeline incorrectly renamed mimecast.senderDomainInternal
(a boolean indicator) to source.domain. When av events also contained
mimecast.senderDomain, the later rename to the same target field
failed with "field [source.domain] already exists".

Replace the rename with a boolean convert that keeps the field in the
mimecast namespace. Add av-type test events modelled on the sample
event from elastic#19032, adapted to use the same account, domains, and
GeoIP test IPs as the existing v2 test data.

Fixes elastic#19032
@efd6 efd6 force-pushed the 19032-mimecast branch from a3649b7 to 15c8efe Compare June 3, 2026 05:09
elastic-vault-github-plugin-prod commented

🚀 Benchmarks report

Package mimecast 👍(3) 💚(3) 💔(5)

| Data stream | Previous EPS | New EPS | Diff (%) | Result |
|---|---|---|---|---|
| ttp_url_logs | 10309.28 | 7518.8 | -2790.48 (-27.07%) | 💔 |
| archive_search_logs | 10101.01 | 5882.35 | -4218.66 (-41.76%) | 💔 |
| audit_events | 3367 | 2493.77 | -873.23 (-25.93%) | 💔 |
| siem_logs | 4608.29 | 3289.47 | -1318.82 (-28.62%) | 💔 |
| ttp_ap_logs | 11904.76 | 6993.01 | -4911.75 (-41.26%) | 💔 |

To see the full report comment with /test benchmark fullreport

elasticmachine commented

💚 Build Succeeded

cc @efd6

@efd6 efd6 marked this pull request as ready for review June 3, 2026 05:57
@efd6 efd6 requested review from a team as code owners June 3, 2026 05:57
infra-vault-gh-plugin-prod commented

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@andrewkroh andrewkroh added the documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. label Jun 3, 2026
ShourieG (Contributor) left a comment

LGTM

@efd6 efd6 merged commit d1759b2 into elastic:main Jun 3, 2026
10 checks passed
elastic-vault-github-plugin-prod commented

Package mimecast - 3.4.1 containing this change is available at https://epr.elastic.co/package/mimecast/3.4.1/

Development

Successfully merging this pull request may close these issues.

[mimecast]: Pipeline error for avlog events in siem_logs dataset