
@chemamartinez
Contributor

Proposed commit message

This PR fixes how the dns.answers ECS field is filled from the M365 Defender data. It was directly set from a keyword field so it was inheriting the same type, while ECS expects a JSON object.

In addition, TTLs are also added to the dns.answers field.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.


@chemamartinez chemamartinez added Integration:m365_defender Microsoft Defender XDR bugfix Pull request that fixes a bug issue Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] labels Aug 12, 2024
@chemamartinez chemamartinez self-assigned this Aug 12, 2024
@elasticmachine

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@chemamartinez chemamartinez marked this pull request as ready for review August 13, 2024 16:56
@chemamartinez chemamartinez requested a review from a team as a code owner August 13, 2024 16:56
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@chemamartinez chemamartinez requested review from a team and efd6 August 19, 2024 06:38
Contributor

@kcreddy kcreddy left a comment


Some nits. Otherwise LGTM 👍🏼

@elasticmachine

💚 Build Succeeded

History

cc @chemamartinez

@elastic-sonarqube

Quality Gate failed

Failed conditions
62.2% Coverage on New Code (required ≥ 80%)

See analysis details on SonarQube

@chemamartinez chemamartinez merged commit 26ccc09 into elastic:main Aug 20, 2024
@elasticmachine

Package m365_defender - 2.14.5 containing this change is available at https://epr.elastic.co/search?package=m365_defender

harnish-crest-data pushed a commit to chavdaharnish/integrations that referenced this pull request Feb 4, 2025
Fixes how the dns.answers ECS field is filled from the M365 Defender data. It was directly set from a keyword field so it was inheriting the same type, while ECS expects a JSON object.

In addition, TTLs are also added to the dns.answers field.
harnish-crest-data pushed a commit to chavdaharnish/integrations that referenced this pull request Feb 5, 2025
@chemamartinez chemamartinez deleted the 10562-fix-m365_defender-mapping branch February 6, 2025 10:30
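The shape change described in the proposed commit message, as an added example that is not the integration's own pipeline code: a bare keyword value versus the array of objects ECS defines for `dns.answers`, with TTLs paired by position. The function names and the `answers`/`TTLs` input keys are assumptions, and the sample event is constructed.

```python
"""Added example: normalising DNS answers into the ECS dns.answers shape."""


def to_ecs_dns_answers(answers, ttls=None):
    """Return a list of {"data": ..., "ttl": ...} objects for dns.answers.

    `answers` and `ttls` are assumed input names, not taken from the PR.
    """
    if answers is None:
        return []
    # A bare keyword value (the pre-fix shape) becomes a one-element list.
    if isinstance(answers, str):
        answers = [answers]
    if ttls is None:
        ttls = []
    elif isinstance(ttls, (int, float)):
        ttls = [ttls]

    out = []
    for i, data in enumerate(answers):
        data = str(data).strip()
        if not data:
            continue  # drop empty answers; index i keeps TTLs aligned
        entry = {"data": data}
        # Attach a TTL only when one exists at the same position.
        if i < len(ttls) and ttls[i] is not None:
            ttl = int(float(ttls[i]))  # sources may report 300.0
            if ttl >= 0:
                entry["ttl"] = ttl
        out.append(entry)
    return out


def is_ecs_dns_answers(value):
    """True when value is a list of objects with string data and integer ttl."""
    if not isinstance(value, list):
        return False
    for item in value:
        if not isinstance(item, dict) or not isinstance(item.get("data"), str):
            return False
        ttl = item.get("ttl")
        if ttl is not None and (isinstance(ttl, bool)
                                or not isinstance(ttl, int) or ttl < 0):
            return False
    return True


# Constructed sample event, not real M365 Defender output.
SAMPLE = {"answers": ["edge.example.net", "192.0.2.10", ""],
          "TTLs": [300.0, 60.0, 0.0]}
```

A check like `is_ecs_dns_answers` can run over sampled documents to confirm that queries on `dns.answers.data` and `dns.answers.ttl` will match after upgrading the package.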

Development

Successfully merging this pull request may close these issues.

[M365 Defender] Improve ECS mappings
