@StacieClark-Elastic
Member

Proposed commit message

Enhanced error handling in the CEL program to prevent "no such key: product_batch_size" errors by ensuring proper propagation of the state data configuration during failures. This was accomplished by wrapping the objects returned from errors with state.with().

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices
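
The failure mode and fix described in the proposed commit message, as an added sketch (not the m365_defender program itself). It assumes the object a program returns becomes `state` for the next evaluation; `state.url`, the `$top` parameter and the `value` array are hypothetical, and only `product_batch_size` comes from the error text above.

```cel
// Added illustration: two separate programs shown one after the other.
// state.url, "$top" and the "value" array are assumed names.

// --- Program A (before) ---------------------------------------------------
// The error branch returns a bare object. If that object is the next state,
// product_batch_size is gone after one failed request and later evaluations
// fail with "no such key: product_batch_size".
request("GET", state.url + "?$top=" + string(state.product_batch_size)).do_request().as(resp,
	(resp.StatusCode == 200) ?
		state.with({
			"events": bytes(resp.Body).decode_json().value.map(e, {"message": e.encode_json()}),
			"want_more": false,
		})
	:
		{
			"events": {"error": {"code": string(resp.StatusCode), "message": "GET: " + resp.Status}},
			"want_more": false,
		}
)

// --- Program B (after) ----------------------------------------------------
// The whole program is wrapped in state.with(), so whatever either branch
// returns is merged over the incoming state. Configuration keys such as url
// and product_batch_size survive both the success and the error path.
state.with(
	request("GET", state.url + "?$top=" + string(state.product_batch_size)).do_request().as(resp,
		(resp.StatusCode == 200) ?
			{
				"events": bytes(resp.Body).decode_json().value.map(e, {"message": e.encode_json()}),
				"want_more": false,
			}
		:
			{
				"events": {"error": {"code": string(resp.StatusCode), "message": "GET: " + resp.Status}},
				"want_more": false,
			}
	)
)
```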

@StacieClark-Elastic StacieClark-Elastic requested a review from a team as a code owner July 28, 2025 23:02
@StacieClark-Elastic StacieClark-Elastic added Integration:m365_defender Microsoft Defender XDR bugfix Pull request that fixes a bug issue Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] labels Jul 28, 2025
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@StacieClark-Elastic StacieClark-Elastic force-pushed the bugfix/m365-defender-failed-request-recovery branch from fb352df to 42f4f61 Compare July 28, 2025 23:02
@StacieClark-Elastic StacieClark-Elastic marked this pull request as draft July 28, 2025 23:17
@StacieClark-Elastic StacieClark-Elastic force-pushed the bugfix/m365-defender-failed-request-recovery branch from a261c20 to 7ad062a Compare July 29, 2025 15:59
@StacieClark-Elastic StacieClark-Elastic marked this pull request as ready for review July 29, 2025 16:00
@elastic-vault-github-plugin-prod
elastic-vault-github-plugin-prod bot commented Jul 29, 2025

🚀 Benchmarks report

Package m365_defender 👍(3) 💚(0) 💔(1)

| Data stream | Previous EPS | New EPS | Diff (%) | Result |
| --- | --- | --- | --- | --- |
| vulnerability | 2145.92 | 1730.1 | -415.82 (-19.38%) | 💔 |

To see the full report comment with /test benchmark fullreport

Contributor

@chrisberkhout chrisberkhout left a comment

Looks good. Some suggestions about closing things at the level of indentation at which they were opened.

Comment on lines 104 to 105
}
)
Contributor

Suggested change
}
)
})

Avoids a half indentation and makes it clearer that the following ) closes the .as( in line 63.

Member Author

I used celfmt on the entire file. It won't allow ({ or }). This causes some changes on lines that weren't changed but it follows the convention that celfmt sets.

Contributor

Yes, celfmt doesn't have the best taste, but it has simple taste. These no longer cuddle.

Comment on lines 169 to 170
}
)
)
Contributor

Same here.

Member Author

I used celfmt on the entire file. It won't allow ({ or }). This causes some changes on lines that weren't changed but it follows the convention that celfmt sets.

Comment on lines 236 to 252
}
)
Contributor

Suggested change
}
)
})

And here.

Member Author

I used celfmt on the entire file. It won't allow ({ or }). This causes some changes on lines that weren't changed but it follows the convention that celfmt sets.

Enhanced error handling in the CEL program to prevent 'no such key: product_batch_size' errors by ensuring proper propagation of the state data configuration during failures. This was accomplished by wrapping the objects returned from errors with state.with()
@StacieClark-Elastic StacieClark-Elastic force-pushed the bugfix/m365-defender-failed-request-recovery branch from e52a839 to a46530c Compare July 29, 2025 18:16
…am with state.with()

instead of wrapping each error event with state.with()
@elasticmachine

💚 Build Succeeded

@StacieClark-Elastic StacieClark-Elastic merged commit 18748f2 into elastic:main Jul 30, 2025
9 checks passed
@elastic-vault-github-plugin-prod

Package m365_defender - 3.14.0 containing this change is available at https://epr.elastic.co/package/m365_defender/3.14.0/
