
aws.cloudtrail: Fix lambda events parsing of vpcConfig.securityGroupIds and vpcConfig.subnetIds fields #16991

Merged
kcreddy merged 2 commits into elastic:main from kcreddy:cloudtrail-related-entity
Jan 19, 2026

@kcreddy kcreddy commented Jan 19, 2026

Proposed commit message

Fields "vpcConfig.securityGroupIds" and "vpcConfig.subnetIds" are arrays 
as confirmed from docs here[1] and here[2].

This PR fixes their parsing into "related.entity" by using "addValues" function
instead of "addFields" function. "addValues" is used to copy a list of values
whereas "addFields" is for a scalar value.

This prevents the error - 
"Processor 'script' with tag 'script_append_related_entity' failed with message 
'cannot implicitly cast def [java.util.ArrayList] to java.lang.String'"

[1]: https://docs.aws.amazon.com/lambda/latest/api/API_CreateFunction.html
[2]: https://docs.aws.amazon.com/lambda/latest/api/API_UpdateFunctionCode.html

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

  • Add a sample log containing the fields vpcConfig.securityGroupIds and vpcConfig.subnetIds as arrays of strings.

Before: Fails with error - [0] unexpected pipeline error: Processor 'script' with tag 'script_append_related_entity' failed with message 'cannot implicitly cast def [java.util.ArrayList] to java.lang.String'

│ aws     │ cloudtrail  │ pipeline  │ test-update-lambda-json.log  │ FAIL: test case failed: one or more problems with fields found in documents │  43.865708ms │

After: (Succeeds)

│ aws     │ cloudtrail  │ pipeline  │ test-update-lambda-json.log  │ PASS   │  45.728333ms │
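The scalar-versus-list distinction described in the PR, modelled as an added Python example (not code from this PR or from the integration's Painless script). `append_scalar`, `append_values`, `related_entities` and the sample event are hypothetical stand-ins, and treating `functionName` as a scalar entity is an assumption made for contrast.

```python
# Added illustration in Python; not the integration's Painless script.
# SAMPLE_EVENT is constructed; all IDs and names are made up.
SAMPLE_EVENT = {
    "eventSource": "lambda.amazonaws.com",
    "eventName": "CreateFunction20150331",
    "requestParameters": {
        "functionName": "example-fn",
        "vpcConfig": {
            "securityGroupIds": ["sg-0000000000000000a", "sg-0000000000000000b"],
            "subnetIds": ["subnet-0000000000000000a"],
        },
    },
}

def get_path(doc, path):
    # Walk a dotted path; return None when any segment is missing.
    for key in path.split("."):
        if not isinstance(doc, dict) or key not in doc:
            return None
        doc = doc[key]
    return doc

def append_scalar(entities, doc, path):
    # Hypothetical scalar-only copy: rejects a list the way a String cast would.
    value = get_path(doc, path)
    if value is None:
        return
    if not isinstance(value, str):
        raise TypeError(f"{path}: cannot cast {type(value).__name__} to str")
    if value not in entities:
        entities.append(value)

def append_values(entities, doc, path):
    # Hypothetical list-aware copy: takes a list (or lone value), de-duplicates.
    value = get_path(doc, path)
    if value is None:
        return
    for item in (value if isinstance(value, list) else [value]):
        if isinstance(item, str) and item and item not in entities:
            entities.append(item)

def related_entities(event):
    # functionName as a scalar entity is an assumption made for contrast.
    entities = []
    append_scalar(entities, event, "requestParameters.functionName")
    for field in ("securityGroupIds", "subnetIds"):
        append_values(entities, event, f"requestParameters.vpcConfig.{field}")
    return entities
```

Events without a `vpcConfig` block pass through unchanged, so the same function covers Lambda calls that carry no VPC settings.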

@kcreddy kcreddy self-assigned this Jan 19, 2026
@kcreddy kcreddy added the Integration:aws, bugfix, and Team:Security-Service Integrations labels Jan 19, 2026
@kcreddy kcreddy marked this pull request as ready for review January 19, 2026 07:11
@kcreddy kcreddy requested review from a team as code owners January 19, 2026 07:11
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@kcreddy kcreddy changed the title from "aws.cloudtrail: Fix lambda event parsing of vpcConfig.securityGroupIds and vpcConfig.subnetIds fields" to "aws.cloudtrail: Fix lambda events parsing of vpcConfig.securityGroupIds and vpcConfig.subnetIds fields" Jan 19, 2026
@elastic-vault-github-plugin-prod

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@elasticmachine

💚 Build Succeeded

cc @kcreddy

@kcreddy kcreddy merged commit 6dc7c1a into elastic:main Jan 19, 2026
8 checks passed
@elastic-vault-github-plugin-prod

Package aws - 5.6.1 containing this change is available at https://epr.elastic.co/package/aws/5.6.1/

kcreddy added a commit that referenced this pull request Jan 27, 2026
…ds and vpcConfig.subnetIds fields (#17064)

* Fix Cloudtrail's Lambda event parsing of `vpcConfig.securityGroupIds` and `vpcConfig.subnetIds` fields.

* Backport of #16991
jakubgalecki0 pushed a commit to jakubgalecki0/integrations that referenced this pull request Feb 19, 2026
…Ids` and `vpcConfig.subnetIds` fields (elastic#16991)
