
siem: p1 integrations esql fixes and ingest script improvements#19932

Open
JordanSh wants to merge 2 commits into siem/p1-integrations-mappings from yarden/siem-p1-integrations-mappings

Conversation

@JordanSh JordanSh commented Jul 2, 2026


Summary

  • Fix dataset names in azure_openai and azure_ai_foundry evaluations (were matching azure.open_ai / azure.ai_foundry; actual datasets are azure_openai.logs / azure_ai_foundry.logs)
  • Add m365_defender.alert.title as event.action for the alert stream, overriding ingest-time detectionStatus with the human-readable alert name
  • Fix m365_defender host.target conditions to require user.name to avoid spurious host-as-target matches on non-user events
  • Extend m365_defender user.name fallback to the event stream via process.user.name
  • Ingest script: handle nanosecond Unix timestamps — fixes sysdig.alerts and sysdig.event streams which were silently producing 0 docs
  • Ingest script: expand dotted config keys to nested dicts — fixes salesforce pipeline routing
  • Ingest script: inject data_stream.dataset when absent from fixtures — fixes Azure, ForgeRock and others invisible in Kibana Discover
  • Ingest script: rewrite YAML parser to handle nested mappings — fixes microsoft_dhcp routing config
  • Ingest script: inject log.file.path from fixture config — fixes cisco_umbrella routing

Test plan

  • Verify azure_openai and azure_ai_foundry graph nodes appear with correct dataset matching
  • Verify m365_defender.alert nodes show alert title as action label
  • Verify sysdig.alerts and sysdig.event ingest successfully after nanosecond timestamp fix
  • Verify salesforce pipeline routing produces actor fields correctly

🤖 Generated with Claude Code

- Fix dataset names in azure_openai and azure_ai_foundry evaluations
  (were matching azure.open_ai / azure.ai_foundry; actual datasets are
  azure_openai.logs / azure_ai_foundry.logs)
- Add m365_defender.alert.title as event.action for alert stream,
  overriding ingest-time detectionStatus with the human-readable alert name
- Fix m365_defender host.target conditions to require user.name to avoid
  spurious host-as-target matches on non-user events
- Extend m365_defender user.name fallback to event stream via process.user.name
- Ingest script: handle nanosecond Unix timestamps (fixes sysdig alerts/event)
- Ingest script: expand dotted config keys to nested dicts (fixes salesforce pipeline routing)
- Ingest script: inject data_stream.dataset when absent from fixtures (fixes Azure, ForgeRock)
- Ingest script: rewrite YAML parser to handle nested mappings (fixes microsoft_dhcp)
- Ingest script: inject log.file.path from fixture config (fixes cisco_umbrella routing)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
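The nanosecond-timestamp and dotted-config-key fixes listed in the description, shown as a hypothetical illustration. This is not code from install_and_ingest.py; the function names, the magnitude thresholds used to detect the unit, and the error-on-clash behaviour are assumptions.

```python
from datetime import datetime, timezone

# Unit detection by magnitude (constructed thresholds): a present-day epoch is
# ~1.7e9 s, ~1.7e12 ms, ~1.7e15 us, ~1.7e18 ns. 10**11 s (year ~5138) bounds
# "seconds"; each further factor of 1000 selects the next smaller unit.
_SECONDS_MAX = 10**11
_UNITS = [  # (exclusive upper bound for the raw value, nanoseconds per unit)
    (_SECONDS_MAX, 10**9),
    (_SECONDS_MAX * 10**3, 10**6),
    (_SECONDS_MAX * 10**6, 10**3),
    (_SECONDS_MAX * 10**9, 1),
]


def normalize_unix_timestamp(value):
    """Return an ISO-8601 UTC string (9 fractional digits) for a Unix epoch given
    in s, ms, us or ns. A raw 19-digit ns value is otherwise not read as the
    intended time; the PR reports the sysdig streams ending up with 0 documents."""
    n = int(value)
    if n < 0:
        raise ValueError(f"negative unix timestamp: {value!r}")
    for upper, ns_per_unit in _UNITS:
        if n < upper:
            seconds, frac_ns = divmod(n * ns_per_unit, 10**9)
            base = datetime.fromtimestamp(seconds, tz=timezone.utc)
            return base.strftime("%Y-%m-%dT%H:%M:%S") + f".{frac_ns:09d}Z"
    raise ValueError(f"unix timestamp out of range: {value!r}")


def expand_dotted_keys(flat):
    """Expand {"a.b": 1, "a.c": 2} into {"a": {"b": 1, "c": 2}}, recursing into
    nested values and merging with sibling objects; a scalar/object clash at the
    same path raises instead of silently overwriting one side (assumed policy)."""
    nested = {}
    for key, value in flat.items():
        if isinstance(value, dict):
            value = expand_dotted_keys(value)
        *parents, leaf = key.split(".")
        cursor = nested
        for part in parents:
            cursor = cursor.setdefault(part, {})
            if not isinstance(cursor, dict):
                raise ValueError(f"{key!r} conflicts with a scalar at {part!r}")
        if isinstance(cursor.get(leaf), dict) and isinstance(value, dict):
            cursor[leaf].update(value)
        else:
            cursor[leaf] = value
    return nested
```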
@JordanSh JordanSh requested a review from a team as a code owner July 2, 2026 12:12
mergify Bot commented Jul 2, 2026


Tick the box to add this pull request to the merge queue (same as @mergifyio queue).

  • Queue this pull request

@JordanSh JordanSh requested a review from alexreal1314 July 2, 2026 12:15
github-actions Bot commented Jul 2, 2026


TL;DR

Buildkite failed before uploading the pipeline because the PR branch no longer merges cleanly into siem/p1-integrations-mappings. Resolve the content conflict in dev/domain/install-p1-integrations/install_and_ingest.py, then rerun CI.

Remediation

  • Rebase or merge the latest siem/p1-integrations-mappings into yarden/siem-p1-integrations-mappings and resolve dev/domain/install-p1-integrations/install_and_ingest.py.
  • Preserve both sides' ingest-script behavior where needed: the target branch's config/agent metadata helpers and the PR's fixture parsing, timestamp, dataset, sample-event, and pipeline selection fixes.
  • Validate by running the relevant ingest-script checks locally, then rerun the Buildkite build.
Investigation details

Root Cause

The failed step is :pipeline::arrow_up: Upload Pipeline: .buildkite/pipeline.yml, but the pipeline upload never ran successfully because the repository post-checkout hook attempted to create the PR merge branch and hit a Git content conflict:

  • dev/domain/install-p1-integrations/install_and_ingest.py is modified by the PR commit bab1019eb3bbceaed1c2d108b7f123801960a6b8.
  • The target branch commit 467c7093e6c12981ddcdfb3d623c4dadfd14ce7f also changed the same file in overlapping areas.
  • Buildkite reports CONFLICT (content) for that file and exits the post-checkout hook with status 1.

The overlapping areas include helper/config handling near dev/domain/install-p1-integrations/install_and_ingest.py:298 on the PR head and dev/domain/install-p1-integrations/install_and_ingest.py:332 on the target branch version. The target branch has fixture_config_paths, apply_pipeline_config_fields, apply_fixture_configs, and apply_agent_metadata, while the PR introduces _parse_simple_yaml, _fixture_config_fields, sample-event discovery, nanosecond timestamp handling, data stream injection, and sample-event pipeline bypass in the same script.

Evidence

Auto-merging dev/domain/install-p1-integrations/install_and_ingest.py
CONFLICT (content): Merge conflict in dev/domain/install-p1-integrations/install_and_ingest.py
Automatic merge failed; fix conflicts and then commit the result.
Merge failed: 1
Error: running "repository post-checkout" shell hook: The repository post-checkout hook exited with status 1

Verification

Not run: CI cannot reach tests until the merge conflict is resolved.


From workflow: PR Buildkite Detective

Reverts the use of m365_defender.alert.title as event.action for the
alert stream. The ingest-time event.action (detectionStatus) is preserved.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@infra-vault-gh-plugin-prod


💔 Build Failed


teresaromero commented Jul 2, 2026


@JordanSh can you provide more context on this change? Is this a new feature? Thanks.

cc @mrodm

@andrewkroh andrewkroh added the documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. label Jul 2, 2026