
[Filebeat][microsoft][m365_defender] Error processing when alerts.entities is an empty list #31223

Closed
leehinman opened this issue Apr 7, 2022 · 1 comment · Fixed by #31227
@leehinman
Contributor

When json.alerts.entities is an empty list, we get the error message:

    "error": {
      "message": "Illegal list shortcut value [url]."
    },

most likely from

    - rename:
        field: json.alerts.entities.url
        target_field: url.full
        ignore_missing: true
        if: ctx?.json?.alerts?.entities?.url != null
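As an added example (not the m365_defender module's own pipeline and not the change from #31227), a defensive pair of processors around the same rename: Painless raises the list-shortcut error when `entities` arrives as a JSON array, so the empty list is removed before the rename runs, and the rename condition is tightened so it only dereferences `.url` on a Map. The `instanceof` operator and `List.isEmpty()` are standard Painless; the field names are taken from the snippet above.

```yaml
# Added example: guard json.alerts.entities before renaming a key out of it.
# Painless does not return null for `entities?.url` when entities is a List;
# it throws "Illegal list shortcut value [url]". So the empty list is dropped
# first, which is the behaviour described in the fix for this issue.
- remove:
    field: json.alerts.entities
    ignore_missing: true
    if: ctx?.json?.alerts?.entities instanceof List && ctx.json.alerts.entities.isEmpty()

# Hardening beyond the original snippet (assumption, not from the page): only
# dereference `.url` when entities really is a Map, so a non-empty array or any
# other unexpected type falls through without an exception instead of failing
# the whole event.
- rename:
    field: json.alerts.entities.url
    target_field: url.full
    ignore_missing: true
    if: ctx?.json?.alerts?.entities instanceof Map && ctx.json.alerts.entities.url != null
```

Both branches can be exercised offline against a running node with the `_ingest/pipeline/_simulate` API, feeding one document whose `json.alerts.entities` is `[]` and one where it is an object containing `url`.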
@elasticmachine
Collaborator

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

leehinman added a commit that referenced this issue Apr 11, 2022
- remove `alerts.entities` when it is an empty list.  Prevents errors
where `alerts.entities` is assumed to be a Map.

Closes #31223
mergify bot pushed a commit that referenced this issue Apr 11, 2022
- remove `alerts.entities` when it is an empty list.  Prevents errors
where `alerts.entities` is assumed to be a Map.

Closes #31223

(cherry picked from commit 60fcf9d)

# Conflicts:
#	x-pack/filebeat/module/microsoft/m365_defender/test/m365_defender-test.ndjson.log-expected.json
mergify bot pushed a commit that referenced this issue Apr 11, 2022
leehinman added a commit that referenced this issue Apr 12, 2022
leehinman added a commit that referenced this issue Apr 12, 2022
leehinman added a commit that referenced this issue Apr 12, 2022
leehinman added a commit that referenced this issue Apr 13, 2022
kush-elastic pushed a commit to kush-elastic/beats that referenced this issue May 2, 2022
chrisberkhout pushed a commit that referenced this issue Jun 1, 2023