
[Auto Import] Improve the ECS mapping extraction logic #195167

Open
wants to merge 4 commits into
base: main
from

Conversation

ilyannn

@ilyannn ilyannn commented Oct 5, 2024

Release Notes

Automatic Import is more forgiving if an LLM returns an ECS mapping in a slightly unexpected format.

Summary

When implementing #194386, an issue was encountered where Claude returns the field name date_format instead of the expected date_formats, and the ECS chain breaks down.

We add this case as a test to x-pack/plugins/integration_assistant/server/graphs/ecs/validate.test. Without the changes in this PR, the list returned by findInvalidEcsFields is:

      [
        'Reserved ECS field mapping identified for event.created : ai_postgres_202410050058.logs.column1.target',
        'Invalid ECS field mapping identified for 0.9 : ai_postgres_202410050058.logs.column1.confidence, ai_postgres_202410050058.logs.column5.confidence',
        'Invalid ECS field mapping identified for date : ai_postgres_202410050058.logs.column1.type, ai_postgres_202410050058.logs.column9.type',
        'Invalid ECS field mapping identified for 0.95 : ai_postgres_202410050058.logs.column12.confidence',
        'Invalid ECS field mapping identified for string : ai_postgres_202410050058.logs.column12.type, ai_postgres_202410050058.logs.column14.type, ai_postgres_202410050058.logs.column24.type, ai_postgres_202410050058.logs.column5.type, ai_postgres_202410050058.logs.column3.type, ai_postgres_202410050058.logs.column2.type',
        'Invalid ECS field mapping identified for 0.8 : ai_postgres_202410050058.logs.column9.confidence, ai_postgres_202410050058.logs.column3.confidence',
        'Invalid ECS field mapping identified for 0.7 : ai_postgres_202410050058.logs.column14.confidence, ai_postgres_202410050058.logs.column2.confidence',
        'Invalid ECS field mapping identified for 0.85 : ai_postgres_202410050058.logs.column24.confidence'
      ]

while with these changes the result does not contain any Invalid ECS field messages.

The key changes are in the processMapping function:

  1. We made the function more forgiving with regard to the input, accepting date_format in lieu of date_formats.
  2. We have removed the collection of "other paths", that is, the reverse index for simple values like 0.8.

The latter change generally limits the impact of any other format issues in the ECS mapping in the future.

Additionally, the function has been renamed to extractECSMapping, its output type validated, and documentation has been added.

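As an added example (not the PR's code and not Kibana's extractECSMapping), the sketch below shows the two changes the description makes: a mapping leaf is validated as a whole and may carry `date_format` in place of `date_formats`, and only the leaf's `target` is indexed, so confidence scores and type names such as `0.9` or `string` never get reported as invalid ECS fields. The leaf shape (`target`, `type`, `confidence`, `date_formats` as a string array) and the sample mapping are assumptions.

```typescript
// Added example, not the PR's code: walk an LLM-supplied ECS mapping and index
// only leaf `target` values, so scores and type names such as 0.9 or "string"
// never reach the ECS validator; `date_format` is accepted for `date_formats`.
interface EcsLeaf {
  target: string; // ECS field the source column maps to
  type: string; // declared value type, e.g. "date" or "string"
  confidence: number; // model confidence in the mapping
  date_formats?: string[]; // assumed to be an array of format strings
}
type RawMapping = Record<string, unknown>;
function isObject(v: unknown): v is RawMapping {
  return typeof v === 'object' && v !== null && !Array.isArray(v);
}

// Validate one leaf; null means the node is malformed and is dropped whole
// instead of being indexed piece by piece.
function normalizeLeaf(node: RawMapping): EcsLeaf | null {
  const { target, type, confidence } = node;
  if (typeof target !== 'string' || typeof type !== 'string' || typeof confidence !== 'number') return null;
  const leaf: EcsLeaf = { target, type, confidence };
  const formats = node.date_formats ?? node.date_format; // tolerate the singular alias
  if (formats !== undefined) {
    if (!Array.isArray(formats) || !formats.every((f) => typeof f === 'string')) return null;
    leaf.date_formats = formats as string[];
  }
  return leaf;
}
// Map each ECS target to the source paths claiming it. Objects with a string
// `target` are leaves; other objects are recursed into; scalars are skipped.
function extractEcsMapping(mapping: RawMapping, prefix: string[] = [],
                           out: Map<string, string[]> = new Map()): Map<string, string[]> {
  for (const [key, value] of Object.entries(mapping)) {
    if (!isObject(value)) continue;
    const path = [...prefix, key];
    if (typeof value.target !== 'string') { extractEcsMapping(value, path, out); continue; }
    const leaf = normalizeLeaf(value);
    if (leaf !== null) out.set(leaf.target, [...(out.get(leaf.target) ?? []), path.join('.')]);
  }
  return out;
}

// Constructed sample in the shape discussed above (not the PR's test fixture).
const SAMPLE: RawMapping = {
  logs: {
    column1: { target: 'event.created', confidence: 0.9, type: 'date', date_format: ['yyyy-MM-dd HH:mm:ss'] },
    column5: { target: 'message', confidence: 0.9, type: 'string' },
    column9: { target: '@timestamp', confidence: 0.8, type: 'date', date_formats: ['ISO8601'] },
    column12: { target: 'message', confidence: 'high', type: 'string' }, // malformed: dropped
  },
};
```

The resulting map's keys are the only strings that need to go through an ECS field check; a leaf that fails validation is skipped rather than contributing its scalar values as pseudo-fields.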

@ilyannn ilyannn added Feature:AutomaticImport Team:Security-Scalability Team label for Security Integrations Scalability Team release_note:fix labels Oct 5, 2024
@ilyannn ilyannn changed the title Fix the ecs mapping extraction logic Improve the ecs mapping extraction logic Oct 5, 2024
@ilyannn ilyannn changed the title Improve the ecs mapping extraction logic Improve the ECS mapping extraction logic Oct 5, 2024
@ilyannn ilyannn self-assigned this Oct 5, 2024
@ilyannn ilyannn marked this pull request as ready for review October 5, 2024 15:10
@ilyannn ilyannn requested a review from a team as a code owner October 5, 2024 15:10
@elasticmachine

Pinging @elastic/security-scalability (Team:Security-Scalability)

@ilyannn ilyannn added the backport:skip This commit does not require backporting label Oct 5, 2024
@ilyannn ilyannn changed the title Improve the ECS mapping extraction logic [Auto Import] Improve the ECS mapping extraction logic Oct 5, 2024
@kibana-ci

💚 Build Succeeded

Metrics [docs]

✅ unchanged

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @ilyannn


3 participants