From 6ae5cde15a0310a04a11c3fee9214b02a49b57fb Mon Sep 17 00:00:00 2001
From: Hanna Tamoudi
Date: Thu, 19 Dec 2024 12:57:30 +0100
Subject: [PATCH 1/4] add timestamp to ECS constants
---
 .../server/graphs/ecs/constants.ts | 1 +
 .../server/graphs/ecs/prompts.ts | 1 +
 .../server/graphs/ecs/validate.test.ts | 48 +++++++++++++++++++
 3 files changed, 50 insertions(+)
diff --git a/x-pack/platform/plugins/shared/integration_assistant/server/graphs/ecs/constants.ts b/x-pack/platform/plugins/shared/integration_assistant/server/graphs/ecs/constants.ts
index 48cac5626f9fe..ea39910b5a4ee 100644
--- a/x-pack/platform/plugins/shared/integration_assistant/server/graphs/ecs/constants.ts
+++ b/x-pack/platform/plugins/shared/integration_assistant/server/graphs/ecs/constants.ts
@@ -1681,6 +1681,7 @@ export const ECS_TYPES: EcsFields = {
 };
 export const ECS_FIELDS: EcsFields = {
+ '@timestamp': 'Date/time when the event originated.',
 'as.number': 'Unique number allocated to the autonomous system.',
 'as.organization.name': 'Organization name of the autonomous system.',
 'client.address': 'Client network address.',
diff --git a/x-pack/platform/plugins/shared/integration_assistant/server/graphs/ecs/prompts.ts b/x-pack/platform/plugins/shared/integration_assistant/server/graphs/ecs/prompts.ts
index fab18e0decdbd..ed1962a856f11 100644
--- a/x-pack/platform/plugins/shared/integration_assistant/server/graphs/ecs/prompts.ts
+++ b/x-pack/platform/plugins/shared/integration_assistant/server/graphs/ecs/prompts.ts
@@ -37,6 +37,7 @@ Go through each value step by step and modify it with the following process:
 9. When you want to use an ECS field as a value for a target, but another field already has the same ECS field as its target, try to find another fitting ECS field. If none is found then the one you are least confident about should have the object replaced with null.
 10. If you are not confident for a specific field, you should always set the value to null.
 11. These {package_name} log samples are based on source and destination type data, prioritize these compared to other related ECS fields like host.* and observer.*.
+12. Whenever possible, map the @timestamp field to the relevant field that contains the event creation date.
 You ALWAYS follow these guidelines when writing your response:
diff --git a/x-pack/platform/plugins/shared/integration_assistant/server/graphs/ecs/validate.test.ts b/x-pack/platform/plugins/shared/integration_assistant/server/graphs/ecs/validate.test.ts
index 39c4e3ac4bab3..d7d960ff94592 100644
--- a/x-pack/platform/plugins/shared/integration_assistant/server/graphs/ecs/validate.test.ts
+++ b/x-pack/platform/plugins/shared/integration_assistant/server/graphs/ecs/validate.test.ts
@@ -5,12 +5,15 @@
 * 2.0.
 */
+import { ecsTestState } from '@kbn/integration-assistant-plugin/__jest__/fixtures/ecs_mapping';
 import { ECS_RESERVED } from './constants';
+import { EcsMappingState } from '../../types';
 import {
 extractECSMapping,
 findDuplicateFields,
 findInvalidEcsFields,
+ handleValidateMappings,
 removeReservedFields,
 } from './validate';
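Review bot: In prompts.ts, the added rule 12 tells the model to map `@timestamp` "whenever possible", which pulls against rule 10 (set the value to null when not confident), and its wording reads backwards, since it is the source field that receives a target. `@timestamp` is the field events are ordered by for search, alerting and incident timelines, so a wrongly chosen source field (an expiry, ingest or last-modified time) does more harm than no mapping at all. Consider `12. If one field clearly holds the time the event occurred, set its target to @timestamp; if you are unsure which field that is, leave it null as described in rule 10.` The prompt template starts and ends outside this hunk.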
@@ -286,3 +289,48 @@ describe('removeReservedFields', () => {
 expect(ecsMapping).not.toEqual(result);
 });
 });
+
+describe('handleValidateMappings', () => {
+ it('should return empty missing fields if none found', () => {
+ const state: EcsMappingState = ecsTestState;
+ state.currentMapping = {
+ test: {
+ test: {
+ event: { target: 'event.action', confidence: 0.95, type: 'string' },
+ },
+ },
+ };
+ state.combinedSamples = JSON.stringify({
+ test: {
+ test: {
+ event: 'cert.create',
+ },
+ },
+ });
+ const { missingKeys } = handleValidateMappings({ state });
+
+ expect(missingKeys).toEqual([]);
+ });
+
+ it('should return missing fields list if any', () => {
+ const state: EcsMappingState = ecsTestState;
+ state.currentMapping = {
+ test: {
+ test: {
+ event: { target: 'event.action', confidence: 0.95, type: 'string' },
+ },
+ },
+ };
+ state.combinedSamples = JSON.stringify({
+ test: {
+ test: {
+ event: 'cert.create',
+ version: '1',
+ },
+ },
+ });
+ const { missingKeys } = handleValidateMappings({ state });
+
+ expect(missingKeys).toEqual(['test.test.version']);
+ });
+});
From 1ec452964af31d64e68a1a418d67c438fee0fe46 Mon Sep 17 00:00:00 2001
From: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Date: Thu, 19 Dec 2024 12:37:11 +0000
Subject: [PATCH 2/4] [CI] Auto-commit changed files from 'node scripts/notice'
---
 .../plugins/shared/integration_assistant/tsconfig.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/x-pack/platform/plugins/shared/integration_assistant/tsconfig.json b/x-pack/platform/plugins/shared/integration_assistant/tsconfig.json
index 94214e0e8fa4b..7d5be67730d0e 100644
--- a/x-pack/platform/plugins/shared/integration_assistant/tsconfig.json
+++ b/x-pack/platform/plugins/shared/integration_assistant/tsconfig.json
@@ -43,6 +43,7 @@
 "@kbn/kibana-utils-plugin",
 "@kbn/utils",
 "@kbn/zod",
- "@kbn/tooling-log"
+ "@kbn/tooling-log",
+ "@kbn/integration-assistant-plugin"
 ]
 }
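Review bot: Both new `handleValidateMappings` tests in validate.test.ts alias the imported fixture with `const state: EcsMappingState = ecsTestState;` and then assign `currentMapping` and `combinedSamples` on it, so each test mutates the shared object and whatever runs next in this file inherits the leftovers. Build a copy instead, for example `const state: EcsMappingState = { ...ecsTestState, currentMapping: mapping, combinedSamples: samples };`. Separately, nothing added here asserts the behaviour the commit is named for: a case that maps a date-valued sample field to `@timestamp` and checks that `findInvalidEcsFields` does not report it would pin that down (its signature is not visible in this hunk, so the call shape needs confirming).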
From 434006aa88de6acc7dfc1ab7e68068ce3b9bc06e Mon Sep 17 00:00:00 2001
From: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Date: Thu, 19 Dec 2024 12:57:50 +0000
Subject: [PATCH 3/4] [CI] Auto-commit changed files from 'node scripts/eslint --no-cache --fix'
---
 .../integration_assistant/server/graphs/ecs/validate.test.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/x-pack/platform/plugins/shared/integration_assistant/server/graphs/ecs/validate.test.ts b/x-pack/platform/plugins/shared/integration_assistant/server/graphs/ecs/validate.test.ts
index d7d960ff94592..a63819b4c83f9 100644
--- a/x-pack/platform/plugins/shared/integration_assistant/server/graphs/ecs/validate.test.ts
+++ b/x-pack/platform/plugins/shared/integration_assistant/server/graphs/ecs/validate.test.ts
@@ -5,7 +5,7 @@
 * 2.0.
 */
-import { ecsTestState } from '@kbn/integration-assistant-plugin/__jest__/fixtures/ecs_mapping';
+import { ecsTestState } from '../../../__jest__/fixtures/ecs_mapping';
 import { ECS_RESERVED } from './constants';
 import { EcsMappingState } from '../../types';
From 95fd4485c8628e70860660f14637db7d6fbc78b8 Mon Sep 17 00:00:00 2001
From: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Date: Thu, 19 Dec 2024 13:06:40 +0000
Subject: [PATCH 4/4] [CI] Auto-commit changed files from 'node scripts/yarn_deduplicate'
---
 .../platform/plugins/shared/integration_assistant/tsconfig.json | 1 -
 1 file changed, 1 deletion(-)
diff --git a/x-pack/platform/plugins/shared/integration_assistant/tsconfig.json b/x-pack/platform/plugins/shared/integration_assistant/tsconfig.json
index 7d5be67730d0e..6af7a008e5093 100644
--- a/x-pack/platform/plugins/shared/integration_assistant/tsconfig.json
+++ b/x-pack/platform/plugins/shared/integration_assistant/tsconfig.json
@@ -44,6 +44,5 @@
 "@kbn/utils",
 "@kbn/zod",
 "@kbn/tooling-log",
- "@kbn/integration-assistant-plugin"
 ]
 }
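Review bot: In the last tsconfig.json hunk (PATCH 4/4), removing the `"@kbn/integration-assistant-plugin"` entry leaves `"@kbn/tooling-log",` as the final element directly before `]`, so the array now ends with a trailing comma. The TypeScript config loader tolerates that, but any tool that reads this file as strict JSON will reject it. The line should go back to `"@kbn/tooling-log"` as it was before PATCH 2/4.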