
mimecast: Handle empty events in a time window inside threat events. #12937

Merged
merged 5 commits into from
Mar 4, 2025

Conversation

kcreddy
Contributor

@kcreddy kcreddy commented Mar 3, 2025

Proposed commit message

Mimecast threat events return a fail message
containing `err_threat_intel_feed_no_result_found`
when there are no events within the query time window.
Handle this by saving an empty events array and
not reporting an error.

Note

Can be merged after #12936 (2.6.1) to avoid version conflict

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices.

How to test this PR locally

System tests pass

--- Test results for package: mimecast - START ---
╭──────────┬───────────────────────────────┬───────────┬───────────┬────────┬───────────────╮
│ PACKAGE  │ DATA STREAM                   │ TEST TYPE │ TEST NAME │ RESULT │  TIME ELAPSED │
├──────────┼───────────────────────────────┼───────────┼───────────┼────────┼───────────────┤
│ mimecast │ threat_intel_malware_customer │ system    │ v1        │ PASS   │ 43.552097958s │
│ mimecast │ threat_intel_malware_customer │ system    │ v2        │ PASS   │ 42.339401042s │
│ mimecast │ threat_intel_malware_grid     │ system    │ v1        │ PASS   │ 44.028190167s │
│ mimecast │ threat_intel_malware_grid     │ system    │ v2        │ PASS   │ 38.120921666s │
╰──────────┴───────────────────────────────┴───────────┴───────────┴────────┴───────────────╯
--- Test results for package: mimecast - END   ---
Done
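The branching the commit message describes (an HTTP 200 whose body carries a non-empty `fail` array, which is either the benign "no results in this window" code or a genuine failure) is easy to get wrong at the edges: a `fail` entry with an empty `errors` list must not raise, and the empty-window case must drop a stale `cursor.token` while keeping `cursor.last`. The Python below is an added example, not the integration's own code; the integration implements this in CEL inside Elastic Agent's `cel` input. It mirrors the `body.?fail[?0].errors[?0].code.orValue("")` lookup with a tolerant accessor and classifies constructed sample responses. The `data` key for successful pages, the `/constructed/path` value, and the token string are assumptions of this example; only the error code and the `X-Mc-Threat-Feed-Next-Token` header come from the PR.

```python
"""Emulate the patched CEL program's handling of Mimecast threat-feed responses.

Added example, not the mimecast integration's code. The real logic lives in
a CEL program in cel.yml.hbs; this reimplements the same decision tree in
plain Python so the edge cases can be exercised offline.
"""
import json
from dataclasses import dataclass
from typing import Any

NO_RESULT_CODE = "err_threat_intel_feed_no_result_found"  # code quoted in the PR
NEXT_TOKEN_HEADER = "X-Mc-Threat-Feed-Next-Token"          # header named in the review diff


@dataclass
class Outcome:
    """What the program hands back to the input: events, new cursor, want_more."""
    events: list[dict[str, Any]]
    cursor: dict[str, Any]
    want_more: bool


def first_fail_code(body: dict[str, Any]) -> str:
    """Mirror `body.?fail[?0].errors[?0].code.orValue("")`: every hop may be
    missing or out of range, and any gap collapses to "" instead of raising."""
    try:
        return str(body["fail"][0]["errors"][0]["code"])
    except (KeyError, IndexError, TypeError):
        return ""


def handle_response(status_code: int, reason: str, headers: dict[str, str],
                    raw_body: bytes, state: dict[str, Any], path: str) -> Outcome:
    """Classify one threat-feed response the way the patched CEL program does."""
    prev_cursor = dict(state.get("cursor", {}))
    # Same shape as the CEL error event: whole body dumped into the message.
    error_event = {"error": {"code": str(status_code), "id": reason,
                             "message": "POST " + path + ": " + raw_body.decode("utf-8", "replace")}}
    try:
        body = json.loads(raw_body)
    except ValueError:
        body = None
    if not isinstance(body, dict):
        return Outcome(events=[error_event], cursor=prev_cursor, want_more=False)

    if body.get("fail"):  # non-empty fail array: Mimecast signals failure with HTTP 200
        if first_fail_code(body) == NO_RESULT_CODE:
            # Empty time window: no events, drop any cursor.token, keep cursor.last, stop.
            return Outcome(events=[], cursor={"last": prev_cursor.get("last")}, want_more=False)
        # Any other failure is surfaced as an error event, cursor untouched.
        return Outcome(events=[error_event], cursor=prev_cursor, want_more=False)

    # Success path. The "data" key holding feed entries is an assumption of this
    # example; the PR only shows the failure branches and the next-token header.
    events = list(body.get("data", []))
    cursor: dict[str, Any] = {"last": prev_cursor.get("last")}
    token = headers.get(NEXT_TOKEN_HEADER)
    if token is not None:
        cursor["token"] = token
    return Outcome(events=events, cursor=cursor, want_more=token is not None)


# Constructed sample inputs (not captured from a real Mimecast tenant).
STATE = {"cursor": {"last": "2025-03-03T00:00:00Z", "token": "tok-from-previous-page"}}
PATH = "/constructed/path"
EMPTY_WINDOW = (b'{"fail":[{"errors":[{"code":"err_threat_intel_feed_no_result_found",'
                b'"message":"constructed: no result found"}]}]}')
OTHER_FAILURE = b'{"fail":[{"errors":[{"code":"err_example_other_failure","message":"constructed"}]}]}'
FAIL_NO_ERRORS = b'{"fail":[{"errors":[]}]}'
PAGE = b'{"data":[{"hash":"constructed-sha256"}],"fail":[]}'


if __name__ == "__main__":
    for name, body, hdrs in [("empty window", EMPTY_WINDOW, {}),
                             ("other failure", OTHER_FAILURE, {}),
                             ("fail without errors", FAIL_NO_ERRORS, {}),
                             ("page with next token", PAGE, {NEXT_TOKEN_HEADER: "tok-2"})]:
        print(name, "->", handle_response(200, "200 OK", hdrs, body, STATE, PATH))
```

The `FAIL_NO_ERRORS` case is the one to watch when touching the CEL: with optional indexing (`[?0]`) it falls through to the generic error event, which is the behaviour the emulation reproduces.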

@kcreddy kcreddy self-assigned this Mar 3, 2025
@kcreddy kcreddy added Integration:mimecast Mimecast bugfix Pull request that fixes a bug issue Team:Security-Service Integrations Security Service Integrations Team [elastic/security-service-integrations] labels Mar 3, 2025
@kcreddy kcreddy changed the title mimecast: Handle empty events within a time window. mimecast: Handle empty events in a time window. Mar 3, 2025

elastic-vault-github-plugin-prod bot commented Mar 3, 2025

🚀 Benchmarks report

Package mimecast 👍(5) 💚(3) 💔(3)

Data stream            Previous EPS   New EPS   Diff (%)             Result
audit_events           3012.05        2298.85   -713.2 (-23.68%)     💔
message_release_logs   4854.37        2747.25   -2107.12 (-43.41%)   💔
ttp_ap_logs            8196.72        4651.16   -3545.56 (-43.26%)   💔

To see the full report comment with /test benchmark fullreport

@kcreddy kcreddy changed the title mimecast: Handle empty events in a time window. mimecast: Handle empty events in a time window inside threat events. Mar 3, 2025
@kcreddy kcreddy marked this pull request as ready for review March 3, 2025 13:25
@kcreddy kcreddy requested a review from a team as a code owner March 3, 2025 13:25
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

Comment on lines 110 to 141
:
// Mimecast can return failure states with a 200. This
// is detected by a non-empty fail array at the root
// of the response body. Don't attempt to parse this
// out, just dump the whole body into the error message.
{
"events": {
"error": {
"code": string(resp.StatusCode),
"id": string(resp.Status),
"message": "POST " + state.path + ": " + string(resp.Body), // We know this is not empty.
// of the response body.

// Mimecast threat events return fail message
// containing `err_threat_intel_feed_no_result_found`
// when no events within the query time window.
// Handle this by saving empty events array and
// not report error.
(body.?fail[?0].errors[?0].code.orValue("") == "err_threat_intel_feed_no_result_found") ?
{
"events": [],
// Override cursor to remove cursor.token if present.
"cursor": {
"last": state.?cursor.last,
},
},
"want_more": false,
}
"want_more": false,
}
:
// Don't attempt to parse this out, just dump the whole
// body into the error message.
{
"events": {
"error": {
"code": string(resp.StatusCode),
"id": string(resp.Status),
"message": "POST " + state.path + ": " + string(resp.Body), // We know this is not empty.
},
},
"want_more": false,
}
Contributor

Suggest instead

diff --git a/packages/mimecast/data_stream/threat_intel_malware_customer/agent/stream/cel.yml.hbs b/packages/mimecast/data_stream/threat_intel_malware_customer/agent/stream/cel.yml.hbs
index c0b6b57272..b65f136681 100644
--- a/packages/mimecast/data_stream/threat_intel_malware_customer/agent/stream/cel.yml.hbs
+++ b/packages/mimecast/data_stream/threat_intel_malware_customer/agent/stream/cel.yml.hbs
@@ -107,9 +107,23 @@ program: |
               },
               "want_more": resp.?Header["X-Mc-Threat-Feed-Next-Token"].hasValue(),
             }
+          : (body.?fail[0].errors[0].code.orValue("") == "err_threat_intel_feed_no_result_found") ?
+            // Mimecast threat events return fail message
+            // containing 'err_threat_intel_feed_no_result_found'
+            // when no events within the query time window.
+            // Handle this by saving empty events array but
+            // do not report an error.
+            {
+              "events": [],
+              // Override cursor to remove cursor.token if present.
+              "cursor": {
+                "last": state.?cursor.last,
+              },
+              "want_more": false,
+            }
           :
-            // Mimecast can return failure states with a 200. This
-            // is detected by a non-empty fail array at the root
+            // Mimecast can also return other failure states with a 200.
+            // This is detected by a non-empty fail array at the root
             // of the response body. Don't attempt to parse this
             // out, just dump the whole body into the error message.
             {
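Review bot: the new condition `: (body.?fail[0].errors[0].code.orValue("") == "err_threat_intel_feed_no_result_found") ?` replaces the optional indexes `[?0]` from the author's version with plain `[0]`; please confirm that a body whose `fail` entry carries an empty `errors` list still resolves to an absent value that `orValue("")` absorbs, rather than an index-out-of-range error, since such a response would otherwise fail the whole program evaluation instead of falling through to the generic error branch below. If plain indexing does not propagate the absence, keep `[?0]` on both hops or guard the lookup with `size(...)`. Ordering the specific no-result check ahead of the generic "non-empty fail array" branch, as this suggestion does, is the right structure; the reworded comment ("can also return other failure states") makes that precedence clear.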

Contributor Author

Updated in 57c77b4

@elasticmachine

💚 Build Succeeded


cc @kcreddy

@kcreddy kcreddy merged commit 0a84ae1 into elastic:main Mar 4, 2025
7 checks passed
@elastic-vault-github-plugin-prod

Package mimecast - 2.6.2 containing this change is available at https://epr.elastic.co/package/mimecast/2.6.2/
