Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[ti_recordedfuture] Fix the parsing of providers info from evidence fields #8350

Merged
merged 3 commits into from Nov 2, 2023
Merged

[ti_recordedfuture] Fix the parsing of providers info from evidence fields #8350

merged 3 commits into from Nov 2, 2023

Conversation

chemamartinez
Copy link
Contributor

Proposed commit message

It fixes an error when parsing EvidenceString fields looking for providers that fill threat.indicator.provider list later in the pipeline. The gsub processor was looking for a specific pattern but didn't discard the whole field when it didn't match.

In order to fix that behavior, it has been modified the regex so that when the regex doesn't match it captures an empty string which is discarded in a subsequent string processor.

The changes related to this fix are applied in the ingest pipeline and the test file test-httpjson.log. Further changes in the pull request are a consequence of unrelated changes that fixed the format of some special characters when running pipeline tests.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

Author's Checklist

  • Added pipeline test case to verify the processors handle the provider info properly.

@chemamartinez chemamartinez self-assigned this Oct 31, 2023
@chemamartinez chemamartinez marked this pull request as ready for review October 31, 2023 12:09
@chemamartinez chemamartinez requested a review from a team as a code owner October 31, 2023 12:09
@elasticmachine
Copy link

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@elasticmachine
Copy link

elasticmachine commented Oct 31, 2023
edited

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview preview

Expand to view the summary

Build stats

  • Start Time: 2023-11-01T17:21:23.404+0000

  • Duration: 17 min 56 sec

Test stats 🧪

Test Results
Failed 0
Passed 11
Skipped 0
Total 11

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

@elasticmachine
Copy link

🌐 Coverage report

Name Metrics % (covered/total) Diff
Packages 100.0% (1/1) 💚
Files 100.0% (2/2) 💚
Classes 100.0% (2/2) 💚
Methods 100.0% (16/16) 💚
Lines 97.619% (205/210)
Conditionals 100.0% (0/0) 💚

@chemamartinez chemamartinez merged commit b93b686 into elastic:main Nov 2, 2023
4 checks passed
@elasticmachine
Copy link

Package ti_recordedfuture - 1.18.1 containing this change is available at https://epr.elastic.co/search?package=ti_recordedfuture

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@efd6 efd6 efd6 approved these changes

Assignees

@chemamartinez chemamartinez

Labels
bugfix Integration:Recorded Future
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@chemamartinez @elasticmachine @efd6