Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ti_crowdstrike: improve error reporting for unsuccessful API requests #9059

Merged
merged 1 commit into from Feb 9, 2024
Merged

ti_crowdstrike: improve error reporting for unsuccessful API requests #9059

merged 1 commit into from Feb 9, 2024

Conversation

efd6
Copy link
Contributor

@efd6 efd6 commented Feb 6, 2024
edited

Proposed commit message

Previously, failed requests would continue through the standard happy path, potentially resulting in an uninformative CEL error when the data shape does not match the program's expectations. We have the HTTP status code, so make use of this to return an error object in the case that we get a non-success.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

Author's Checklist

  • [ ]

How to test this PR locally

Related issues

Screenshots

@efd6
ti_crowdstrike: improve error reporting for unsuccessful API requests
6696eaf 
Previously, failed requests would continue through the standard happy
path, potentially resulting in an uninfortive CEL error when the data
shape does not match the program's expectations. We have the HTTP status
code, so make use of this to return an error object in the case that we
get a non-success.
@efd6 efd6 added enhancement New feature or request Integration:TI Crowdstrike Team:Security-Service Integrations Security Service Integrations Team labels Feb 6, 2024
@efd6 efd6 self-assigned this Feb 6, 2024
efd6
efd6 commented Feb 6, 2024
View reviewed changes
packages/ti_crowdstrike/data_stream/intel/agent/stream/cel.yml.hbs
},
}))
).do_request().as(resp,
resp.StatusCode == 200 ?
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Query whether we know for sure that Crowdstrike always returns a 200 status for success.

@elasticmachine
Copy link

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@elasticmachine
Copy link

💚 Build Succeeded

cc @efd6

@elastic-sonarqube Elastic SonarQube
Copy link

Quality Gate passed Quality Gate passed

Kudos, no new issues were introduced!

0 New issues
0 Security Hotspots
No Coverage information No data about Coverage
No Duplication information No data about Duplication

See analysis details on SonarQube

@efd6 efd6 marked this pull request as ready for review February 6, 2024 00:45
@efd6 efd6 requested a review from a team as a code owner February 6, 2024 00:45
@elasticmachine
Copy link

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

chrisberkhout
chrisberkhout approved these changes Feb 9, 2024
View reviewed changes
Copy link
Contributor

@chrisberkhout chrisberkhout left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good if it is always 200 for success. If we can't confirm, I think 200 would be an okay assumption and 2XX would be a good assumption.

@chrisberkhout
Copy link
Contributor

This could be tested if system tests allowed us to tolerate errors and make assertions about index documents.

@NateUT99
Copy link

NateUT99 commented Feb 9, 2024
edited

Customer (and CrowdStrike user) here... per their API specification swagger page, it will always return a 200 for both API endpoints that I believe are being used by this integration. This corresponds to what I have seen in my testing as well. I hope this is helpful!

@efd6
Copy link
Contributor Author

efd6 commented Feb 9, 2024

@NateUT99 Thank you, this is very helpful.

@efd6 efd6 merged commit 3692c51 into elastic:main Feb 9, 2024
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@chrisberkhout chrisberkhout chrisberkhout approved these changes

Assignees

@efd6 efd6

Labels
enhancement New feature or request Integration:TI Crowdstrike Team:Security-Service Integrations Security Service Integrations Team
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

ti_crowdstrike: authentication failure errors are not helpfully logged
4 participants
@efd6 @elasticmachine @chrisberkhout @NateUT99