[BeyondTrust EPM][Event] Add Event data stream#18707
Conversation
ReviewersBuildkite won't run for external contributors automatically; you need to add a comment:
NOTE: https://github.com/elastic/integrations/blob/main/.buildkite/pull-requests.json contains all those details. |
| {{#if http_client_timeout}} | ||
| resource.timeout: {{http_client_timeout}} | ||
| {{/if}} | ||
| resource.url: {{url}} |
There was a problem hiding this comment.
🟠 HIGH data_stream/event/.../cel.yml.hbs:16
max_executions declared in event manifest but never rendered in CEL template
data_stream/event/manifest.yml (lines 33–40) declares the max_executions integration variable (type: integer, default: 1000), but data_stream/event/agent/stream/cel.yml.hbs does not render it anywhere. The sibling data_stream/audit/agent/stream/cel.yml.hbs:16-18 renders it with the standard {{#if max_executions}} max_executions: {{max_executions}} {{/if}} block, so the event stream silently drops the user-visible knob — users who change the value get no effect.
Recommendation:
Insert the {{#if max_executions}} block before resource.url: to match the audit stream, or remove the unused variable from data_stream/event/manifest.yml.
🤖 AI-Generated Review | Vera Review Bot
⚠️ Automated review — verify suggestions before applying.
| type: long | ||
| ignore_missing: true | ||
| on_failure: | ||
| - |
There was a problem hiding this comment.
🟡 MEDIUM data_stream/event/.../default.yml:11151
Dead preserve_duplicate_custom_fields guards left in event pipeline
Eight processors carry the guard if: ctx.tags == null || !ctx.tags.contains('preserve_duplicate_custom_fields') (lines 11151, 11163, 11182, 11194, 11210, 11229, 11241, 12254), but the event data stream never declares this variable in data_stream/event/manifest.yml and no test-common-config.yml sets the tag. The same PR explicitly removes this deprecated pattern from the audit data stream (manifest variable, test-common-config.yml, and pipeline guards all dropped), so leaving the guards only on the event side is inconsistent and propagates a deprecated pattern into newly introduced code.
Recommendation:
- foreach:
field: beyondtrust_epm.event.file.elf.sections
tag: foreach_file_elf_sections
if: ctx.beyondtrust_epm?.event?.file?.elf?.sections instanceof List
processor:
remove:
field:
- _ingest._value.chi2
# ...
tag: remove_custom_duplicate_fields_from_file_elf_sections
ignore_missing: trueRemove the if: ctx.tags == null || !ctx.tags.contains('preserve_duplicate_custom_fields') line from all 8 occurrences so the event pipeline matches the cleaned-up audit pipeline in this PR.
🤖 AI-Generated Review | Vera Review Bot
⚠️ Automated review — verify suggestions before applying.
| copy_from: beyondtrust_epm.event.client.geo.country_name | ||
| ignore_empty_value: true | ||
| - convert: | ||
| field: beyondtrust_epm.event.client.geo.location.lat |
There was a problem hiding this comment.
🟡 MEDIUM data_stream/event/.../default.yml:364
Geo lat/lon converted to double but geo.location geo_point never assembled
The pipeline contains convert processors that coerce raw beyondtrust_epm.event.*.geo.location.lat / .lon strings into double (around lines 364, 1211, 3662, 4248, 5436), and data_stream/event/fields/fields.yml declares beyondtrust_epm.event.*.geo.location as geo_point. But the pipeline never combines those lat/lon scalars into the { "lat": ..., "lon": ... } object that Elasticsearch needs to index a geo_point, and it never copies the result into the corresponding ECS client.geo.location / host.geo.location / source.geo.location. As a result the geo_point fields fail to populate and downstream geo enrichment / map visualizations never receive coordinates.
Recommendation:
- script:
tag: set_geo_location_from_lat_lon
lang: painless
if: ctx.beyondtrust_epm?.event?.client?.geo?.location?.lat != null && ctx.beyondtrust_epm?.event?.client?.geo?.location?.lon != null
source: |
ctx.beyondtrust_epm.event.client.geo.location = [
'lat': ctx.beyondtrust_epm.event.client.geo.location.lat,
'lon': ctx.beyondtrust_epm.event.client.geo.location.lon
];
- set:
field: client.geo.location
tag: set_client_geo_location
copy_from: beyondtrust_epm.event.client.geo.location
ignore_empty_value: trueApply the same pattern for host.geo.location, source.geo.location, etc. wherever raw lat/lon pairs are converted to double.
🤖 AI-Generated Review | Vera Review Bot
⚠️ Automated review — verify suggestions before applying.
7af56b1 to
2cb3a58
Compare
|
/test |
🚀 Benchmarks reportTo see the full report comment with |
|
/test |
💚 Build Succeeded
History
|
|
Tick the box to add this pull request to the merge queue (same as
|
6d42ed9
into
elastic:feature/beyondtrust_epm-0.1.0
Proposed commit message
Checklist
changelog.ymlfile.How to test this PR locally
To test the BeyondTrust EPM package:
Related issues
Screenshots
Implementation Details
API Documentation: https://docs.beyondtrust.com/epm-wm/reference/get_v3-events-search
Default Config Values:
initial_interval: 24hinterval: 5mpage_size: 200Limitations:
Pagination.PageSize,TimePeriod.StartDate).Note: The entries in
fields.ymlare generated through an automation tool that uses the field mapping sheet as input.