
adding a for loop with script processor to add values from cisco.umbrella.identities to related.user field #25776

Merged (7 commits) May 25, 2021

Conversation

hungnguyen-elastic (Contributor) commented May 18, 2021

Enhancement Request

What does this PR do?

This PR adds a foreach loop to append the values from the cisco.umbrella.identities field to the related.user field in the Cisco Umbrella module pipeline.

- script:
    if: ctx?.cisco?.umbrella?.identities != null && ctx?.related?.user != null
    lang: painless
    description: "Extract user name values from ctx.cisco.umbrella.identities and append it to related.user"
    source: |
      for (def x = 0; x < ctx.cisco.umbrella.identities.size(); x++) {
        def cisco_identity = ctx.cisco.umbrella.identities[x];
        // Only identities that look like a user principal, and only if not already present
        if (cisco_identity.contains('@') && !ctx.related.user.contains(cisco_identity)) {
          ctx.related.user.add(cisco_identity);
        }
      }

Why is it important?

There are instances where cisco.umbrella.identities actually contains the username that is involved with the action and is not included in the related.user field. This addition will make sure the values are added.

For example, the event below will be missing the actual username in the related.user field:

"message" : ""2021-05-14 19:39:58","hostname34P787","hostname34P787,User Name([email protected])","1.1.1.1","2.2.2.2","Allowed","1 (A)","NOERROR","v-google.com.","Infrastructure","Roaming Computers","Roaming Computers,AD Users","""

Output:

    "related" : {
      "user" : [
        "hostname34P787"
      ]
    }

With the script processor:

    "related" : {
      "user" : [
        "hostname34P787",
        "User Name([email protected])"
      ]
    }

Checklist

  • [x] My code follows the style guidelines of this project
  • [x] I have commented my code, particularly in hard-to-understand areas
  • [x] I have made corresponding changes to the documentation
  • [x] I have made corresponding change to the default configuration files
  • [x] I have added tests that prove my fix is effective or that my feature works
  • [x] I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label May 18, 2021
@hungnguyen-elastic hungnguyen-elastic added the Filebeat Filebeat label May 18, 2021
elasticmachine (Collaborator) commented May 19, 2021

💚 Build Succeeded


Build stats

  • Build Cause: Pull request #25776 updated

  • Start Time: 2021-05-25T15:09:22.262+0000

  • Duration: 99 min 54 sec

  • Commit: 9788abd

Test stats 🧪

Test Results
Failed 0
Passed 7193
Skipped 1193
Total 8386

💚 Flaky test report

Tests succeeded.


leehinman (Contributor) left a comment

Thank You.

Do you have any example logs we can add to the test directory that will exercise this?

For the script, I made a few changes:

  • will add related.user if it doesn't exist
  • will only iterate on cisco.umbrella.identities if it is a list

Can you test to see if this works?

- script:
    if: ctx?.cisco?.umbrella?.identites != null && ctx.cisco.umbrella.identites instanceof List
    lang: painless
    description: "Extract user name values from ctx.cisco.umbrella.identities and append it to related.user"
    source: |-
      void addRelatedUser(def x) {
        if (ctx?.related == null) {
          Map map = new HashMap();
          ctx.put("related", map);
        }
        if (ctx?.related?.user == null) {
          ArrayList al = new ArrayList();
          ctx.related.put("user", al);
        }
        if (!ctx.related.user.contains(x)) {
          ctx.related.user.add(x);
        }
      }

      for (cisco_identity in ctx.cisco.umbrella.identities) {
        if (cisco_identity_contains('@')) {
          addRelatedUser(cisco_identity);
        }
      }

@leehinman leehinman self-assigned this May 20, 2021
hungnguyen-elastic (Contributor, Author) commented

Hi @leehinman, I like the changes. I tried your version and it complains with the error below. Maybe you can spot what can be changed quickly?

    "root_cause" : [
      {
        "type" : "script_exception",
        "reason" : "compile error",
        "processor_type" : "script",
        "script_stack" : [
          "... ) {\n              if (ctx?.related == null) {\n     ...",
          "                             ^---- HERE"
        ],
        "script" : "\n            void addRelatedUser(def x) {\n              if (ctx?.related == null) {\n                Map map = new HashMap();\n                ctx.put(\"related\", map);\n              }\n              if (ctx?.related?.user == null) {\n                ArrayList al = new ArrayList();\n                ctx.related.put(\"user\", al);\n              }\n              if (!ctx.related.user.contains(x)) {\n                ctx.related.user.add(x);\n              }\n            }\n      \n            for (cisco_identity in ctx.cisco.umbrella.identities) {\n              if (cisco_identity_contains('@')) {\n                addRelatedUser(cisco_identity);\n              }\n            }\n            ",
        "lang" : "painless",
        "position" : {
          "offset" : 63,
          "start" : 38,
          "end" : 88
        }
      }
    ],
    "type" : "script_exception",
    "reason" : "compile error",
    "processor_type" : "script",
    "script_stack" : [
      "... ) {\n              if (ctx?.related == null) {\n     ...",
      "                             ^---- HERE"
    ]

leehinman (Contributor) commented

oops, need to pass in the context.

- script:
    if: ctx?.cisco?.umbrella?.identites != null && ctx.cisco.umbrella.identites instanceof List
    lang: painless
    description: "Extract user name values from ctx.cisco.umbrella.identities and append it to related.user"
    source: |-
      void addRelatedUser(def ctx, def x) {
        if (ctx?.related == null) {
          Map map = new HashMap();
          ctx.put("related", map);
        }
        if (ctx?.related?.user == null) {
          ArrayList al = new ArrayList();
          ctx.related.put("user", al);
        }
        if (!ctx.related.user.contains(x)) {
          ctx.related.user.add(x);
        }
      }

      for (cisco_identity in ctx.cisco.umbrella.identities) {
        if (cisco_identity.contains('@')) {
          addRelatedUser(ctx, cisco_identity);
        }
      }

hungnguyen-elastic (Contributor, Author) commented

@leehinman There was a typo in the condition which I corrected, and it works like a charm: identites --> identities. I will sanitize the sample logs and share them.

- script:
    if: ctx?.cisco?.umbrella?.identities != null && ctx.cisco.umbrella.identities instanceof List
    lang: painless
    description: "Extract user name values from ctx.cisco.umbrella.identities and append it to related.user"
    source: |-
      // ctx is passed in explicitly: Painless user-defined functions do not see the script's own variables
      void addRelatedUser(def ctx, def x) {
        if (ctx?.related == null) {
          Map map = new HashMap();
          ctx.put("related", map);
        }
        if (ctx?.related?.user == null) {
          ArrayList al = new ArrayList();
          ctx.related.put("user", al);
        }
        if (!ctx.related.user.contains(x)) {
          ctx.related.user.add(x);
        }
      }

      for (cisco_identity in ctx.cisco.umbrella.identities) {
        if (cisco_identity.contains('@')) {
          addRelatedUser(ctx, cisco_identity);
        }
      }
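As an added example (not code from this PR or the Beats project), the Python function below mirrors the semantics of the final script, including the two changes leehinman described (create related.user when absent; only iterate when cisco.umbrella.identities is a list), so the enrichment can be checked offline against constructed documents; the identity value is made up.

```python
from copy import deepcopy

# Constructed sample, modelled on the Umbrella event quoted in the PR description
# (the identity value is invented; the real one is redacted on the page).
SAMPLE_EVENT = {
    "cisco": {"umbrella": {"identities": ["hostname34P787", "User Name(jdoe@example.com)"]}},
    "related": {"user": ["hostname34P787"]},
}


def _nested_get(doc, *path):
    """Null-safe walk, like Painless `ctx?.a?.b?.c`: None if any hop is missing."""
    cur = doc
    for key in path:
        if not isinstance(cur, dict):
            return None
        cur = cur.get(key)
    return cur


def append_related_users(doc: dict) -> dict:
    """Apply the script processor's logic to one pipeline document, in place.

    Mirrors the final Painless version: run only when cisco.umbrella.identities
    is a list; create related and related.user if absent; append every identity
    containing '@' that is not already present.
    """
    identities = _nested_get(doc, "cisco", "umbrella", "identities")
    if not isinstance(identities, list):          # the processor's `if:` clause
        return doc
    related = doc.setdefault("related", {})       # addRelatedUser(): create related ...
    users = related.setdefault("user", [])        # ... and related.user when missing
    for identity in identities:
        # '@' is the heuristic the PR uses to tell a user principal from a hostname;
        # the membership check keeps related.user free of duplicates.
        if isinstance(identity, str) and "@" in identity and identity not in users:
            users.append(identity)
    return doc


def demo() -> dict:
    """Enrich a copy of SAMPLE_EVENT and return the enriched document."""
    return append_related_users(deepcopy(SAMPLE_EVENT))


if __name__ == "__main__":
    print(demo()["related"]["user"])  # prints "['hostname34P787', 'User Name(jdoe@example.com)']"
```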

P1llus (Member) left a comment

LGTM

elasticmachine (Collaborator) commented

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label May 25, 2021
mergify bot (Contributor) commented May 25, 2021

This pull request is now in conflicts. Could you fix it? 🙏
To fix up this pull request, you can check it out locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b hnguyen/append_related_username upstream/hnguyen/append_related_username
git merge upstream/master
git push upstream hnguyen/append_related_username


@leehinman leehinman force-pushed the hnguyen/append_related_username branch from 1060d21 to 9788abd Compare May 25, 2021 15:09
@leehinman leehinman merged commit cec5906 into master May 25, 2021
mergify bot pushed a commit that referenced this pull request May 25, 2021
…ella.identities to related.user field (#25776)

* adding users from cisco.umbrella.identities to related.user field

Co-authored-by: Lee E. Hinman <[email protected]>
(cherry picked from commit cec5906)
leehinman pushed a commit that referenced this pull request May 25, 2021
…ella.identities to related.user field (#25776) (#25856)

* adding users from cisco.umbrella.identities to related.user field

Co-authored-by: Lee E. Hinman <[email protected]>
(cherry picked from commit cec5906)

Co-authored-by: hungnguyen-elastic <[email protected]>
Labels: backport-v7.14.0 (Automated backport with mergify), enhancement, Filebeat