Handle events without event_data properly by marc-gr · Pull Request #13571 · elastic/integrations

marc-gr · 2025-04-16T12:09:26Z

Proposed commit message

Handle events without event_data properly

Checklist

I have reviewed tips for building integrations and this pull request is aligned with them.
I have verified that all data streams collect metrics or logs.
I have added an entry to my package's changelog.yml file.
I have verified that Kibana version constraints are current according to guidelines.
I have verified that any added dashboard complies with Kibana's Dashboard good practices

Related issues

Closes [windows.sysmon] Handle events without winlog.event_data #9580

elasticmachine · 2025-04-16T12:10:13Z

Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform)

elastic-vault-github-plugin-prod · 2025-04-16T12:41:43Z

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

elastic-sonarqube · 2025-04-16T12:42:26Z

Quality Gate failed

Failed conditions
70.3% Coverage on New Code (required ≥ 80%)

See analysis details on SonarQube

elasticmachine · 2025-04-16T12:42:30Z

💚 Build Succeeded

Buildkite Build
Commit: e102b7a

belimawr

Approving the changes in the files owned by @elastic/elastic-agent-data-plane

elasticmachine · 2025-04-16T16:00:42Z

Pinging @elastic/sec-linux-platform (Team:Security-Linux Platform)

ishleenk17 · 2025-04-17T10:38:04Z

...ata_stream/forwarded/_dev/test/pipeline/test-security-4670-windowssrv2016.json-expected.json

                    "NewSdDacl0": "Local system :Access Allowed ([Generic All])",
                    "NewSdDacl1": "OW :Access Allowed ([Read Permissions])",
                    "NewSdDacl2": "S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628 :Access Allowed ([Generic All])",
-                    "ObjectName": "-",


what resulted in this change ?

I made the event_data empty values handling consistent across all pipelines that were doing it. So the more complete ones were also removing not only empty or null values, but what it is considered empty by the events context, (-, {0000....0000}, etc). This is the result of a more thorough cleanup of empty fields

ishleenk17

Looks good!

elastic-vault-github-plugin-prod · 2025-04-25T08:59:47Z

Package sysmon_linux - 1.8.1 containing this change is available at https://epr.elastic.co/package/sysmon_linux/1.8.1/

elastic-vault-github-plugin-prod · 2025-04-25T08:59:48Z

Package system - 1.68.2 containing this change is available at https://epr.elastic.co/package/system/1.68.2/

elastic-vault-github-plugin-prod · 2025-04-25T08:59:49Z

Package windows - 2.5.5 containing this change is available at https://epr.elastic.co/package/windows/2.5.5/

marc-gr added Integration:windows Windows Integration:system System Integration:sysmon_linux Sysmon for Linux bugfix Pull request that fixes a bug issue Team:Security-Windows Platform Security Windows Platform team [elastic/sec-windows-platform] labels Apr 16, 2025

Handle events without event_data properly

e102b7a

marc-gr force-pushed the fix/handle-no-eventdata branch from 75818c9 to e102b7a Compare April 16, 2025 12:10

marc-gr marked this pull request as ready for review April 16, 2025 12:10

marc-gr requested review from a team as code owners April 16, 2025 12:10

marc-gr requested review from AndersonQ and belimawr April 16, 2025 12:10

belimawr approved these changes Apr 16, 2025

View reviewed changes

andrewkroh added the Team:Security-Linux Platform Linux Platform Security team [elastic/sec-linux-platform] label Apr 16, 2025

ricardo-estc approved these changes Apr 17, 2025

View reviewed changes

marc-gr enabled auto-merge (squash) April 17, 2025 08:11

ishleenk17 reviewed Apr 17, 2025

View reviewed changes

ishleenk17 approved these changes Apr 21, 2025

View reviewed changes

nfritts approved these changes Apr 25, 2025

View reviewed changes

marc-gr merged commit 451750a into elastic:main Apr 25, 2025
6 of 7 checks passed

marc-gr deleted the fix/handle-no-eventdata branch April 25, 2025 08:45

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Handle events without event_data properly#13571

Handle events without event_data properly#13571
marc-gr merged 1 commit intoelastic:mainfrom
marc-gr:fix/handle-no-eventdata

marc-gr commented Apr 16, 2025

Uh oh!

elasticmachine commented Apr 16, 2025

Uh oh!

elastic-vault-github-plugin-prod bot commented Apr 16, 2025

Uh oh!

elastic-sonarqube bot commented Apr 16, 2025

Uh oh!

elasticmachine commented Apr 16, 2025

Uh oh!

belimawr left a comment

Uh oh!

elasticmachine commented Apr 16, 2025

Uh oh!

ishleenk17 Apr 17, 2025

Uh oh!

marc-gr Apr 17, 2025

Uh oh!

ishleenk17 left a comment

Uh oh!

Uh oh!

elastic-vault-github-plugin-prod bot commented Apr 25, 2025

Uh oh!

elastic-vault-github-plugin-prod bot commented Apr 25, 2025

Uh oh!

elastic-vault-github-plugin-prod bot commented Apr 25, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

7 participants

Conversation

marc-gr commented Apr 16, 2025

Proposed commit message

Checklist

Related issues

Uh oh!

elasticmachine commented Apr 16, 2025

Uh oh!

elastic-vault-github-plugin-prod bot commented Apr 16, 2025

🚀 Benchmarks report

Uh oh!

elastic-sonarqube bot commented Apr 16, 2025

Quality Gate failed

Uh oh!

elasticmachine commented Apr 16, 2025

💚 Build Succeeded

Uh oh!

belimawr left a comment

Choose a reason for hiding this comment

Uh oh!

elasticmachine commented Apr 16, 2025

Uh oh!

ishleenk17 Apr 17, 2025

Choose a reason for hiding this comment

Uh oh!

marc-gr Apr 17, 2025

Choose a reason for hiding this comment

Uh oh!

ishleenk17 left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

elastic-vault-github-plugin-prod bot commented Apr 25, 2025

Uh oh!

elastic-vault-github-plugin-prod bot commented Apr 25, 2025

Uh oh!

elastic-vault-github-plugin-prod bot commented Apr 25, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

7 participants