cisco_umbrella: handle user identities with full email address values #6119
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
if (!ctx.cisco.umbrella.identity.contains(',')) { | ||
// No comma, so we are done. | ||
return; | ||
} |
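Review bot: `ctx.cisco.umbrella.identity.contains(',')` dereferences `identity` with no null check in these lines, so an event that lacks the field would make the script throw unless a guard exists outside this excerpt. Consider null-safe access (`ctx.cisco?.umbrella?.identity`) or moving the whole test into the processor's `if` condition, so the script only runs for events whose `identity` is present and contains a comma.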
Maybe we could add this into processor `if` condition itself?
Pipeline tests seem to be failing
The tests are failing because of an update to the stack version and the break in registered domain processor behaviour. I'll fix that tomorrow and update the condition.
LGTM 👍🏼
Package cisco_umbrella - 1.11.1 containing this change is available at https://epr.elastic.co/search?package=cisco_umbrella
What does this PR do?

The Umbrella `identities` list is a comma-separated list of values mapped to type by reference to the `identity_types` list (also comma-separated). When an identity is the "AD User" type the identity value may be an RFC822 email address. This value may legally include a comma. Unfortunately, this breaks the current approach to resolving the mapping between the `identities` and `identity_types`. Umbrella does provide what appears to be a primary identity in the `identity` field. This appears to match the "AD User" identity value when present, and in cases that are available, the "AD User" identity appears first in the `identities` list. This allows us to treat the identity specially by removing it from `identities` if it contains confounding commas, treat the remainder as previously and then reconstruct the array. If the "AD User" identity does not appear in the first position, or does not match the value in the identity field, work would degenerate to searching for an RFC822 email address while maintaining the invariant that the length of the identities list matches the length of the `identity_types` list. This is not feasible.

None of this is documented.
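The handling described in the PR description above, sketched in Python as an added example; it is not the integration's ingest pipeline code. The function name and the sample field values (including the "Network" type and the `example.com` address) are constructed for illustration.

```python
def pair_identities(identity, identities, identity_types):
    """Return [(type, value), ...] for one Umbrella event.

    identity       -- the primary identity field
    identities     -- comma-separated identity values
    identity_types -- comma-separated types, in the same order as identities
    """
    types = identity_types.split(",")
    if identity and "," in identity:
        # Only the case from the description is handled: the comma-bearing
        # identity is the first entry of identities, followed by a separator
        # or the end of the string. Anything else is rejected, not guessed.
        rest = identities[len(identity):]
        if not identities.startswith(identity) or (rest and rest[0] != ","):
            raise ValueError("primary identity is not the first identities entry")
        values = [identity] + (rest[1:].split(",") if rest else [])
    else:
        values = identities.split(",")
    # Invariant from the description: exactly one type per identity value.
    if len(values) != len(types):
        raise ValueError(f"{len(values)} identities for {len(types)} types")
    return list(zip(types, values))


# Constructed sample event fields (not taken from real Umbrella logs).
SAMPLE_IDENTITY = '"smith,jane"@example.com'
SAMPLE_IDENTITIES = '"smith,jane"@example.com,HQ-Network'
SAMPLE_TYPES = "AD User,Network"

if __name__ == "__main__":
    # A plain split yields three values for two types, which is the bug.
    print("naive split:", SAMPLE_IDENTITIES.split(","))
    for id_type, value in pair_identities(
        SAMPLE_IDENTITY, SAMPLE_IDENTITIES, SAMPLE_TYPES
    ):
        print(f"{id_type}: {value}")
```

When the comma-bearing identity is not first in `identities`, the function raises instead of emitting misaligned type/value pairs, which keeps a parsing failure visible rather than attributing activity to the wrong identity.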