cisco_umbrella: handle user identities with full email address values #6119
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
efd6
added
bug
efd6
force-pushed
the
cisco_umbrella_rfc822
branch
from
f03a544
to
6070009
Compare
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
🤖 GitHub commentsExpand to view the GitHub comments
To re-run your PR in the CI, just comment with:
|
🌐 Coverage report
|
efd6
force-pushed
the
cisco_umbrella_rfc822
branch
from
6070009
to
094acaa
Compare
|
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
efd6
force-pushed
the
cisco_umbrella_rfc822
branch
3 times, most recently
from
d11bafd
to
c75de24
Compare
efd6
force-pushed
the
cisco_umbrella_rfc822
branch
from
c75de24
to
2ae9535
Compare
kcreddy
reviewed
May 22, 2023
Comment on lines
237
to
240
| if (!ctx.cisco.umbrella.identity.contains(',')) { | ||
| // No comma, so we are done. | ||
| return; | ||
| } |
There was a problem hiding this comment.
Maybe we could add this into processor if condition itself?
kcreddy
reviewed
May 22, 2023
|
The tests are failing because of an update to the stack version and the break in registered domain processor behaviour. I'll fix that tomorrow and update the condition. |
The Umbrella identities list is a comma-separated list of values mapped to type by reference to the identity_types list (also comma-separated). When an identity is the "AD User" type the identity value may be an RFC822 email address. This value may legally include a comma. Unfortunately, this breaks the current approach to resolving the mapping between the identities and identity_types. Umbrella does provide what appears to be a primary identity in the identity field. This appears to match the "AD User" identity value when present, and in cases that are available, the "AD User" identity appears first in the identities list. This allows us to treat the identity specially by removing it from identities if it contains confounding commas, treat the remainder as previously and then reconstruct the array. If the "AD User identity does not appear in the first position, or does not match the value in the identity field, work would degenerate to searching for an RFC822 email address while maintaining the invariant that the length of the identities list matches the length of the identity_types list. This is not feasible. None of this is documented.
efd6
force-pushed
the
cisco_umbrella_rfc822
branch
from
2ae9535
to
a747727
Compare
|
Package cisco_umbrella - 1.11.1 containing this change is available at https://epr.elastic.co/search?package=cisco_umbrella |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What does this PR do?
The Umbrella
identitieslist is a comma-separated list of values mapped to type by reference to theidentity_typeslist (also comma-separated). When an identity is the "AD User" type the identity value may be an RFC822 email address. This value may legally include a comma. Unfortunately, this breaks the current approach to resolving the mapping between theidentitiesandidentity_types. Umbrella does provide what appears to be a primary identity in theidentityfield. This appears to match the "AD User" identity value when present, and in cases that are available, the "AD User" identity appears first in theidentitieslist. This allows us to treat the identity specially by removing it fromidentitiesif it contains confounding commas, treat the remainder as previously and then reconstruct the array. If the "AD User identity does not appear in the first position, or does not match the value in the identity field, work would degenerate to searching for an RFC822 email address while maintaining the invariant that the length of the identities list matches the length of theidentity_typeslist. This is not feasible.None of this is documented.
Checklist
changelog.ymlfile.Author's Checklist
How to test this PR locally
Related issues
Screenshots