Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

o365: fix mappings for dynamically mapped fields #7988

Merged
merged 1 commit into from Sep 28, 2023
Merged

o365: fix mappings for dynamically mapped fields #7988

merged 1 commit into from Sep 28, 2023

Conversation

efd6
Copy link
Contributor

@efd6 efd6 commented Sep 26, 2023

What does this PR do?

  • o365.audit.ExchangeMetaData.*
  • o365.audit.ExceptionInfo.*
  • o365.audit.ExtendedProperties.*
  • o365.audit.Item.*
  • o365.audit.Item.*.*
  • o365.audit.ModifiedProperties.*.*
  • o365.audit.Parameters.*
  • o365.audit.SharePointMetaData.*

Remove o365.audit.Members.*; o365.audit.Members is already defined as a flattened field.

After this change the dynamic mappings are:

      "dynamic_templates": [
        {
          "container.labels": {
            "path_match": "container.labels.*",
            "match_mapping_type": "string",
            "mapping": {
              "type": "keyword"
            }
          }
        },
        {
          "o365.audit.ExchangeMetaData.*": {
            "path_match": "o365.audit.ExchangeMetaData.*",
            "match_mapping_type": "long",
            "mapping": {
              "type": "long"
            }
          }
        },
        {
          "o365.audit.ExceptionInfo.*": {
            "path_match": "o365.audit.ExceptionInfo.*",
            "mapping": {
              "type": "keyword"
            }
          }
        },
        {
          "o365.audit.ExtendedProperties.*": {
            "path_match": "o365.audit.ExtendedProperties.*",
            "mapping": {
              "type": "keyword"
            }
          }
        },
        {
          "o365.audit.Item.*.*": {
            "path_match": "o365.audit.Item.*.*",
            "mapping": {
              "type": "keyword"
            }
          }
        },
        {
          "o365.audit.ModifiedProperties.*.*": {
            "path_match": "o365.audit.ModifiedProperties.*.*",
            "mapping": {
              "type": "keyword"
            }
          }
        },
        {
          "o365.audit.Parameters.*": {
            "path_match": "o365.audit.Parameters.*",
            "mapping": {
              "type": "keyword"
            }
          }
        },
        {
          "o365.audit.SharePointMetaData.*": {
            "path_match": "o365.audit.SharePointMetaData.*",
            "mapping": {
              "type": "keyword"
            }
          }
        },
        {
          "strings_as_keyword": {
            "match_mapping_type": "string",
            "mapping": {
              "ignore_above": 1024,
              "type": "keyword"
            }
          }
        }
      ],

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

Author's Checklist

  • [ ]

How to test this PR locally

Related issues

Screenshots

@efd6
o365: fix mappings for dynamically mapped fields
bd7ac7b 
* o365.audit.ExchangeMetaData.*
* o365.audit.ExceptionInfo.*
* o365.audit.ExtendedProperties.*
* o365.audit.Item.*
* o365.audit.Item.*.*
* o365.audit.ModifiedProperties.*.*
* o365.audit.Parameters.*
* o365.audit.SharePointMetaData.*

Remove o365.audit.Members.*; o365.audit.Members is already defined as a
flattened field.
@efd6 efd6 self-assigned this Sep 26, 2023
efd6
efd6 commented Sep 26, 2023
View reviewed changes
packages/o365/data_stream/audit/fields/fields.yml
Comment on lines 100 to +103
- name: Item.*
type: object
object_type: keyword
object_type_mapping_type: '*'
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

From the dynamic templates, it looks like this is not necessary.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why didn't it show up in the dynamic_templates?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, that's why I'm confused.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe in a bug in package-spec?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would suspect Fleet. Like perhaps the dedupFields function (https://github.com/elastic/kibana/blob/ed8225f7bcb9f8d16b2241c8de26cd8103fcb942/x-pack/plugins/fleet/server/services/epm/fields/field.ts#L124). Given that this would appear to be a parent of the Item.*.* I wonder if it is being ignored.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Logged an issue at elastic/kibana#167553.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can move forward without this being in the template because it's only purpose was to satisfy the field validation (all fields found in test cases must be defined) within elastic-package and it still does. The default dynamic mappings will work fine.

@elasticmachine
Copy link

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview preview

Expand to view the summary

Build stats

  • Start Time: 2023-09-26T23:57:04.456+0000

  • Duration: 19 min 9 sec

Test stats 🧪

Test Results
Failed 0
Passed 25
Skipped 0
Total 25

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

@elasticmachine
Copy link

🌐 Coverage report

Name Metrics % (covered/total) Diff
Packages 100.0% (1/1) 💚
Files 100.0% (1/1) 💚
Classes 100.0% (1/1) 💚
Methods 100.0% (16/16) 💚 7.407
Lines 80.994% (733/905) 👎 -6.683
Conditionals 100.0% (0/0) 💚

@efd6 efd6 marked this pull request as ready for review September 27, 2023 00:21
@efd6 efd6 requested a review from a team as a code owner September 27, 2023 00:21
@elasticmachine
Copy link

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@andrewkroh andrewkroh mentioned this pull request Sep 28, 2023
Closed
andrewkroh
andrewkroh approved these changes Sep 28, 2023
View reviewed changes
packages/o365/data_stream/audit/fields/fields.yml
@@ -34,6 +34,9 @@
type: keyword
- name: ExchangeMetaData.*
type: object
# This object can also contain date fields, but we cannot express multiple dynamic mapping types here.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This object can also contain date fields

For these cases I assume the data has always been mapped as keyword because Fleet using "date_detection": false in templates. So this isn't a regression.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep, this is just a note for why it is.

@efd6 efd6 merged commit cf7e633 into elastic:main Sep 28, 2023
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@andrewkroh andrewkroh andrewkroh approved these changes

Assignees

@efd6 efd6

Labels
bug Something isn't working Integration:o365
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[o365] Incorrect dynamic field definitions
3 participants
@efd6 @elasticmachine @andrewkroh