[sentinel_one] Migrate Threat Data stream to CEL#19881
Conversation
|
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations) |
Elastic Docs Style Checker (Vale)Summary: 2 suggestions found 💡 Suggestions (2): Optional style improvements. Apply when helpful.
The Vale linter checks documentation changes against the Elastic Docs style guide. To use Vale locally or report issues, refer to Elastic style guide for Vale. |
|
Hold off on merging the PR until the public release of |
|
👀 I have started reviewing the PR |
| } | ||
| : | ||
| { | ||
| "events": [ |
There was a problem hiding this comment.
🟡 MEDIUM data_stream/threat/.../httpjson.yml.hbs:167
Array-shaped timeline errors indexed as malformed threat docs
On a timeline fetch that returns a status other than 200 or 404, the CEL program emits an array-shaped error event ("events": [{"error": {"code", "id", "message"}}]). Array-shaped errors use advance semantics: the event is passed to the ingest pipeline and indexed. The threat pipeline has no terminate processor (ES 8.16.0+) and no top-of-pipeline ctx.error guard, so this error event flows through as a normal document: it has no message/json, so the parsing processors are skipped, and it lands in the threat data stream as a document carrying only error.code/error.id/error.message, event.kind: alert, and ecs.version. The pipeline-level on_failure does not catch it because no processor throws. This is a new code path introduced by the CEL migration — the previous httpjson stream never delivered transport errors as documents. The single-object list-fetch error path is correct (retry/halt); only the array timeline-error path needs pipeline support.
Recommendation:
Add a guard near the top of the pipeline (after event.original is set) so CEL-emitted error events are surfaced and stop processing instead of being indexed as threat docs:
- terminate:
tag: terminate_on_cel_error
if: ctx.error?.message != null && ctx.json == null
description: Stop processing CEL-emitted error events so they are not indexed as malformed threat documents.Alternatively, if these timeline failures should not advance past the threat, switch the non-200/non-404 timeline branch to the single-object error shape ("events": {"error": {...}}, "want_more": false) so the agent retries from the last good cursor rather than emitting an indexable error document.
🤖 AI-Generated Review | Vera Review Bot | 📚 Knowledge base: integration-skills
⚠️ Automated review — verify suggestions before applying.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
efd6
left a comment
There was a problem hiding this comment.
I think this probably should have been two PRs, one for the run_as_cel and one for the timeline enrichment.
There was a problem hiding this comment.
Please rename this file to httpjson_as_cel.yml.hbs
| ) | ||
| ) | ||
| tags: | ||
| {{#if preserve_original_event}} |
There was a problem hiding this comment.
| {{#if preserve_original_event}} | |
| - run_as_cel | |
| {{#if preserve_original_event}} |
| field: message | ||
| value: 'Threat Detected: {{{sentinel_one.threat.name}}} ({{{sentinel_one.threat.confidence_level}}})' | ||
| if: ctx.sentinel_one?.threat.name != null && ctx.sentinel_one?.threat?.confidence_level != null | ||
| if: ctx.sentinel_one?.threat?.name != null && ctx.sentinel_one?.threat?.confidence_level != null |
There was a problem hiding this comment.
Yes, I'll separate this with the threat timeline event enrichment into a follow-up PR.
🚀 Benchmarks reportTo see the full report comment with |
TL;DR
Remediation
Investigation detailsRoot CauseThe failing assertion is in The phase-2 mock in the same new script only serves that third threat when the request has this query param: That expected cursor is inconsistent with the phase-1 data and the previous httpjson cursor behavior. Phase 1 returns two threats sorted by The run then gets to three total documents only because CEL indexes a 404 error event from the unmatched phase-2 mock. The final jq output confirms the third document is not a threat document: it prints a leading empty/null value followed by only the first two threat IDs. Evidence
Verification
What is this? | From workflow: PR Buildkite Detective Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not. |
@efd6 The PR has been updated to include only the changes required to migrate the threat data stream to CEL. I'll raise a follow-up PR for the threat timeline event enrichment changes. |
|
No issues across the latest commits c7b8296.
🤖 AI-Generated Review | Vera Review Bot | 📚 Knowledge base: integration-skills
|
| "sortBy": ["updatedAt"], | ||
| "sortOrder": ["asc"], | ||
| "updatedAt__gte": [list_updated_at_gte], | ||
| ?"siteIds": state.?site_ids.optMap(v, [string(v)]), |
There was a problem hiding this comment.
Do we need the string conversion give that you coerce to string in the YAML?
There was a problem hiding this comment.
I can see its not required. Thanks!
|
Tick the box to add this pull request to the merge queue (same as
|
|
✅ All changelog entries have the correct PR link. |
💚 Build Succeeded
History
|
|
Package sentinel_one - 2.9.0 containing this change is available at https://epr.elastic.co/package/sentinel_one/2.9.0/ |
|
Here is the follow up PR for optional threat timeline collection - #19990 |
Proposed commit message
Checklist
changelog.ymlfile.How to test this PR locally