
@marc-gr marc-gr commented Apr 16, 2025

Proposed commit message

Handle events without event_data properly

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Related issues

@marc-gr marc-gr added Integration:windows Windows Integration:system System Integration:sysmon_linux Sysmon for Linux bugfix Pull request that fixes a bug issue Team:Security-Windows Platform Security Windows Platform team [elastic/sec-windows-platform] labels Apr 16, 2025
@marc-gr marc-gr force-pushed the fix/handle-no-eventdata branch from 75818c9 to e102b7a April 16, 2025 12:10
@marc-gr marc-gr marked this pull request as ready for review April 16, 2025 12:10
@marc-gr marc-gr requested review from a team as code owners April 16, 2025 12:10
@marc-gr marc-gr requested review from AndersonQ and belimawr April 16, 2025 12:10
@elasticmachine

Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform)

@elastic-vault-github-plugin-prod

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

Quality Gate failed

Failed conditions
70.3% Coverage on New Code (required ≥ 80%)

See analysis details on SonarQube

@elasticmachine

💚 Build Succeeded

Contributor

@belimawr belimawr left a comment

Approving the changes in the files owned by @elastic/elastic-agent-data-plane

@andrewkroh andrewkroh added the Team:Security-Linux Platform Linux Platform Security team [elastic/sec-linux-platform] label Apr 16, 2025
@elasticmachine

Pinging @elastic/sec-linux-platform (Team:Security-Linux Platform)

@marc-gr marc-gr enabled auto-merge (squash) April 17, 2025 08:11
@@ -64,7 +64,6 @@
"NewSdDacl0": "Local system :Access Allowed ([Generic All])",
"NewSdDacl1": "OW :Access Allowed ([Read Permissions])",
"NewSdDacl2": "S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628 :Access Allowed ([Generic All])",
"ObjectName": "-",
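Review bot: the header `@@ -64,7 +64,6 @@` records one line removed from this expected-output JSON, but none of the four visible entries carries a `-` marker and three of the seven old lines are not shown, so the dropped entry cannot be identified from the hunk alone. Please state in the PR which key was removed and why its value counts as empty; if it is a `NewSdDacl*` entry rather than the bare `-` of `"ObjectName"`, the fixture would be losing a real ACE assertion rather than a placeholder.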
Member

What resulted in this change?

Contributor Author

I made the event_data empty-value handling consistent across all pipelines that were doing it. So the more complete ones were also removing not only empty or null values, but what is considered empty by the event's context (-, {0000....0000}, etc.). This is the result of a more thorough cleanup of empty fields.
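The cleanup marc-gr describes, as an added stand-alone Python illustration rather than the integration's own ingest-pipeline code: an event with no winlog.event_data passes through untouched, and null, empty and placeholder values are dropped from events that have it. The spelled-out all-zero GUID, the sample events and the decision to drop an event_data object that ends up empty are my assumptions.

```python
import re

# Placeholder values the comment above treats as empty. Spelling the
# all-zero GUID out in full is my assumption for the "{0000....0000}" shorthand.
_ZERO_GUID = re.compile(r"^\{0{8}-0{4}-0{4}-0{4}-0{12}\}$")


def is_empty_value(value):
    """True for null, empty, or Windows placeholder-empty values."""
    if value is None:
        return True
    if isinstance(value, str):
        s = value.strip()
        return s in ("", "-") or _ZERO_GUID.match(s) is not None
    if isinstance(value, (list, dict)):
        return len(value) == 0
    return False


def clean_event_data(event):
    """Copy `event`, dropping empty winlog.event_data fields.

    An event with no winlog.event_data object (the case in the PR title)
    comes back unchanged instead of failing on the lookup. If nothing
    survives, event_data is removed entirely (my choice, not the pipeline's).
    """
    out = dict(event)
    winlog = out.get("winlog")
    if not isinstance(winlog, dict) or not isinstance(winlog.get("event_data"), dict):
        return out
    kept = {k: v for k, v in winlog["event_data"].items() if not is_empty_value(v)}
    winlog = dict(winlog)
    if kept:
        winlog["event_data"] = kept
    else:
        del winlog["event_data"]
    out["winlog"] = winlog
    return out


# Constructed samples modelled on the fixture lines visible in the diff.
SAMPLE_EVENT = {"winlog": {"channel": "Security", "event_data": {
    "NewSdDacl0": "Local system :Access Allowed ([Generic All])",
    "ObjectName": "-",
    "LogonGuid": "{00000000-0000-0000-0000-000000000000}",
    "SubjectUserSid": None,
}}}
NO_EVENT_DATA = {"winlog": {"channel": "Security", "event_id": "4670"}}
```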

Member

@ishleenk17 ishleenk17 left a comment

Looks good!

@marc-gr marc-gr merged commit 451750a into elastic:main Apr 25, 2025
6 of 7 checks passed
@marc-gr marc-gr deleted the fix/handle-no-eventdata branch April 25, 2025 08:45
@elastic-vault-github-plugin-prod

Package sysmon_linux - 1.8.1 containing this change is available at https://epr.elastic.co/package/sysmon_linux/1.8.1/

@elastic-vault-github-plugin-prod

Package system - 1.68.2 containing this change is available at https://epr.elastic.co/package/system/1.68.2/

@elastic-vault-github-plugin-prod

Package windows - 2.5.5 containing this change is available at https://epr.elastic.co/package/windows/2.5.5/

Successfully merging this pull request may close these issues.

[windows.sysmon] Handle events without winlog.event_data
7 participants