m365_defender: remove invalid IP addresses #9060
Conversation
M365 Defender apparently sometimes sets empty fields to "-" rather than not setting them. This can cause errors in future processing and mapping, so attempt to convert and remove if not valid.
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)
I don't believe sonarqube here. The two added tests are guaranteed to fail without the changes, so the coverage cannot be zero. Pipeline tests without the pipeline changes.
Mapping result in this case (
I wonder if this is complete. Is the scope for this to only handle some particular IP fields that get geoip enrichment? Looking for
Within the For example, the
That was the original scope, but I think it will be worth doing the rest. I will add those changes. Thanks.
💚 Build Succeeded
cc @efd6
Quality Gate failed. Failed conditions: 0.0% Coverage on New Code (required ≥ 80%)
Thanks for the extra info. What's in the diff is good and I don't want to hold that up.
A couple of observations about the unchanged handling of IP addresses:
- Most of the already handled cases append an error message on failure but don't remove the field or clear its contents. The convert processor will leave the original value if it can't successfully convert. So if it's a bad but non-empty value, it'll probably cause a failure later on.
- I think removing `field: _ingest._value` probably won't remove it from the thing being iterated over.
I've examined a representative subset (all of alert) of the foreach conversions and altering the input to be an invalid value results in the expected behaviour, so I think this is good to merge.
Package m365_defender - 2.7.1 containing this change is available at https://epr.elastic.co/search?package=m365_defender
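As an added illustration (not code from this PR, from the m365_defender package, or from Elasticsearch itself), the following Python models the convert-or-remove behaviour discussed in the thread over a constructed sample event. It covers the two review points above: a non-empty but unconvertible value such as `"-"` is dropped rather than left in place, and invalid elements inside an array are removed by rebuilding the list, since deleting the current element inside a foreach does not shrink the array being iterated. The field list, the sample event and all helper names are assumptions chosen for the example.

```python
import copy
import ipaddress

# Constructed sample event (not real M365 Defender output). The vendor is
# reported to emit "-" where a field is empty; a couple of other bad values
# are included to show that any unconvertible input is treated the same way.
SAMPLE_EVENT = {
    "ip": "-",
    "source": {"ip": "10.1.2.3"},
    "evidence": [
        {"ip": "192.0.2.10"},
        {"ip": "-"},
        {"ip": "not-an-ip"},
    ],
    "peers": ["2001:db8::1", "-", "300.1.1.1"],
}

# Hypothetical dotted paths of the fields that should hold IP addresses.
IP_FIELDS = ["ip", "source.ip", "evidence.ip", "peers"]


def convert_ip(value):
    """Return the normalised address string, or None if `value` is not an IP.

    This stands in for a convert processor with `type: ip`: a value that does
    not parse is a conversion failure and the caller removes it, instead of
    leaving the original (and later unmappable) string in the document.
    """
    if not isinstance(value, str):
        return None
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return None


def sanitize_ip_field(obj, parts):
    """Apply convert-or-remove along a dotted path, walking nested objects.

    A list of objects is traversed element by element, like a foreach over
    the array. A list of scalars at the leaf is rebuilt with only the valid
    addresses kept, which is the part a per-element remove inside a foreach
    would not achieve.
    """
    if isinstance(obj, list):
        for item in obj:
            sanitize_ip_field(item, parts)
        return
    if not isinstance(obj, dict) or not parts:
        return
    key, rest = parts[0], parts[1:]
    if key not in obj:
        return
    if rest:
        sanitize_ip_field(obj[key], rest)
        return
    value = obj[key]
    if isinstance(value, list):
        kept = [c for c in (convert_ip(v) for v in value) if c is not None]
        if kept:
            obj[key] = kept
        else:
            del obj[key]  # nothing valid left; drop the field entirely
    else:
        converted = convert_ip(value)
        if converted is None:
            del obj[key]  # "-" or any other junk: remove, do not keep
        else:
            obj[key] = converted


def sanitize_event(event, fields=IP_FIELDS):
    """Clean every configured IP field in `event` in place and return it."""
    for field in fields:
        sanitize_ip_field(event, field.split("."))
    return event


def sanitized_sample():
    """Run the sanitizer over a copy of the constructed sample event."""
    return sanitize_event(copy.deepcopy(SAMPLE_EVENT))


if __name__ == "__main__":
    print(sanitized_sample())
```

Running it leaves `source.ip` untouched, removes the top-level `ip`, empties the two bad `evidence` entries, and reduces `peers` to the single valid address; the empty objects left in `evidence` are what a foreach-style per-element remove produces, whereas the scalar list had to be rebuilt to actually lose its invalid members.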