aws: fix query range calculation for GuardDuty datastream #8882

Merged
merged 1 commit into from Jan 16, 2024

@efd6 efd6 commented Jan 15, 2024

Proposed commit message

The calculations for findingCriteria.criterion.updatedAt.*Than included a time truncation with the resolution of an hour. This has the effect that if there was no successful execution of the last_execution_datetime template the greaterThan and lessThan values would be equal 1 in hour/initial_interval times, resulting in spurious requests that required satisfaction of a null set. The truncation also prevents progression of the criteria for 1 - (1 in hour/initial_interval) HTTPJSON periodic request cycles.

Not marking as closing the issue as I think there are still problems with the template evaluation that are not currently diagnosable with HTTPJSON's existing template logging (will be able to look at this when v8.11 is more prevalent).

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

The calculations for findingCriteria.criterion.updatedAt.*Than included
a time truncation with the resolution of an hour. This has the effect
that if there was no successful execution of the last_execution_datetime
template the greaterThan and lessThan values would be equal 1 in
hour/initial_interval times, resulting in spurious requests that
required satisfaction of a null set. The truncation also prevents
progression of the criteria for 1 - (1 in hour/initial_interval) HTTPJSON
periodic request cycles.
@elasticmachine

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@efd6 efd6 marked this pull request as ready for review January 15, 2024 05:07
@efd6 efd6 requested review from a team as code owners January 15, 2024 05:07
@elasticmachine

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)


@ShourieG ShourieG left a comment

LGTM

@efd6 efd6 merged commit 0b694bd into elastic:main Jan 16, 2024
3 checks passed
@elasticmachine

Package aws - 2.11.3 containing this change is available at https://epr.elastic.co/search?package=aws

Labels
bug Something isn't working Integration:AWS