siem: p1 integrations esql fixes and ingest script improvements #19932
JordanSh wants to merge 2 commits into
Conversation
- Fix dataset names in azure_openai and azure_ai_foundry evaluations (were matching azure.open_ai / azure.ai_foundry; actual datasets are azure_openai.logs / azure_ai_foundry.logs)
- Add m365_defender.alert.title as event.action for alert stream, overriding ingest-time detectionStatus with the human-readable alert name
- Fix m365_defender host.target conditions to require user.name to avoid spurious host-as-target matches on non-user events
- Extend m365_defender user.name fallback to event stream via process.user.name
- Ingest script: handle nanosecond Unix timestamps (fixes sysdig alerts/event)
- Ingest script: expand dotted config keys to nested dicts (fixes salesforce pipeline routing)
- Ingest script: inject data_stream.dataset when absent from fixtures (fixes Azure, ForgeRock)
- Ingest script: rewrite YAML parser to handle nested mappings (fixes microsoft_dhcp)
- Ingest script: inject log.file.path from fixture config (fixes cisco_umbrella routing)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
TL;DR: Buildkite failed before uploading the pipeline because the PR branch no longer merges cleanly into

Remediation

Investigation details

Root Cause: The failed step is

The overlapping areas include helper/config handling near

Evidence

Verification: Not run: CI cannot reach tests until the merge conflict is resolved.

From workflow: PR Buildkite Detective
Reverts the use of m365_defender.alert.title as event.action for the alert stream. The ingest-time event.action (detectionStatus) is preserved. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
💔 Build Failed
Summary
- azure_openai and azure_ai_foundry evaluations (were matching azure.open_ai / azure.ai_foundry; actual datasets are azure_openai.logs / azure_ai_foundry.logs)
- m365_defender.alert.title as event.action for the alert stream, overriding ingest-time detectionStatus with the human-readable alert name
- m365_defender host.target conditions to require user.name to avoid spurious host-as-target matches on non-user events
- m365_defender user.name fallback to the event stream via process.user.name
- sysdig.alerts and sysdig.event streams which were silently producing 0 docs
- salesforce pipeline routing
- data_stream.dataset when absent from fixtures — fixes Azure, ForgeRock and others invisible in Kibana Discover
- microsoft_dhcp routing config
- log.file.path from fixture config — fixes cisco_umbrella routing

Test plan
- azure_openai and azure_ai_foundry graph nodes appear with correct dataset matching
- m365_defender.alert nodes show alert title as action label
- sysdig.alerts and sysdig.event ingest successfully after nanosecond timestamp fix
- salesforce pipeline routing produces actor fields correctly

🤖 Generated with Claude Code
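The ingest-script changes listed in the commit message and the Summary (nanosecond Unix timestamps, dotted config keys expanded to nested dicts, data_stream.dataset and log.file.path injected from fixture config) as an added Python example. This is not the repository's own ingest script: the function names, the config layout, the `timestamp` field name and the sample values are assumptions.

```python
import copy
from datetime import datetime, timezone

def split_unix_timestamp(value: int) -> tuple:
    """Split a Unix timestamp in s, ms, us or ns into (seconds, nanoseconds).
    Unit is inferred from magnitude: below 1e11 means seconds (good until
    year 5138), so 1700000000123456789 is read as ns, not as seconds."""
    for scale in (1, 10**3, 10**6, 10**9):
        if value // scale < 10**11:
            secs, frac = divmod(value, scale)
            return secs, frac * (10**9 // scale)
    raise ValueError(f"implausible Unix timestamp: {value!r}")


def to_iso8601(value: int) -> str:
    """Render a Unix timestamp of any unit as RFC 3339 with nanosecond digits."""
    secs, nanos = split_unix_timestamp(value)
    base = datetime.fromtimestamp(secs, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")
    return f"{base}.{nanos:09d}Z"


def expand_dotted_keys(flat: dict) -> dict:
    """Turn {"log.file.path": p} into {"log": {"file": {"path": p}}}; a prefix
    already bound to a scalar raises instead of being clobbered."""
    nested = {}
    for key, val in flat.items():
        *path, leaf = key.split(".")
        node = nested
        for part in path:
            node = node.setdefault(part, {})
            if not isinstance(node, dict):
                raise ValueError(f"{key!r} conflicts with scalar at {part!r}")
        node[leaf] = val
    return nested


def prepare_document(doc: dict, config: dict) -> dict:
    """Apply config-derived defaults so the doc is routable once ingested."""
    cfg = expand_dotted_keys(config)
    out = copy.deepcopy(doc)
    dataset = cfg.get("data_stream", {}).get("dataset")
    if dataset:  # only fill in when the fixture did not set one itself
        out.setdefault("data_stream", {}).setdefault("dataset", dataset)
    path = cfg.get("log", {}).get("file", {}).get("path")
    if path:  # log.file.path from the fixture config drives path-based routing
        out.setdefault("log", {}).setdefault("file", {})["path"] = path
    ts = out.pop("timestamp", None)  # assumed name of the raw Unix field
    if isinstance(ts, int):
        out["@timestamp"] = to_iso8601(ts)
    return out
```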