elastic / integrations

Elastic Integrations
https://www.elastic.co/integrations

[Cloudflare Logpush]: Firewall_event datastream is missing the cloudflare zone field #11113

Closed frconil closed 2 days ago

frconil commented 6 days ago

Integration Name

Cloudflare Logpush [cloudflare_logpush]

Dataset Name

firewall_event

Integration Version

1.23.0

Agent Version

8.14

Agent Output Type

elasticsearch

Elasticsearch Version

8.14

Context

The ZoneName field is not being parsed by the pipeline, as it is for http_request:

https://github.com/elastic/integrations/blob/main/packages/cloudflare_logpush/data_stream/http_request/elasticsearch/ingest_pipeline/default.yml#L815-L818

The sample logs used in the tests also do not include the original ZoneName like in the example below, which would explain the missing field processing.

I'm including a sanitized original event for review:

```json
{
  "EdgeEndTimestamp": "2024-09-11T12:57:10Z",
  "EdgeResponseBytes": 7062,
  "EdgeResponseStatus": 200,
  "EdgeStartTimestamp": "2024-09-11T12:57:10Z",
  "ContentScanObjResults": [],
  "ContentScanObjSizes": [],
  "ContentScanObjTypes": [],
  "Cookies": {},
  "LeakedCredentialCheckResult": "none",
  "ParentRayID": "00",
  "RayID": "abcdef1234567890",
  "RequestHeaders": {},
  "ResponseHeaders": {},
  "SmartRouteColoID": 0,
  "UpperTierColoID": 0,
  "ZoneName": "nota.real.name",
  "ClientASN": 12345,
  "ClientCountry": "ch",
  "ClientDeviceType": "desktop",
  "ClientIP": "192.168.1.1",
  "ClientIPClass": "noRecord",
  "ClientMTLSAuthCertFingerprint": "",
  "ClientMTLSAuthStatus": "unknown",
  "ClientRegionCode": "ZH",
  "ClientRequestBytes": 9942,
  "ClientRequestHost": "logs.nota.real.name",
  "ClientRequestMethod": "GET",
  "ClientRequestPath": "/foo/bar",
  "ClientRequestProtocol": "HTTP/2",
  "ClientRequestReferer": "https://logs.nota.real.name",
  "ClientRequestScheme": "https",
  "ClientRequestSource": "eyeball",
  "ClientRequestURI": "/foo/bar",
  "ClientRequestUserAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36",
  "ClientSSLCipher": "AEAD-AES128-GCM-SHA256",
  "ClientSSLProtocol": "TLSv1.3",
  "ClientSrcPort": 56450,
  "ClientTCPRTTMs": 6,
  "ClientXRequestedWith": "",
  "SecurityAction": "",
  "SecurityActions": [],
  "SecurityRuleDescription": "",
  "SecurityRuleID": "",
  "SecurityRuleIDs": [],
  "SecuritySources": [],
  "OriginResponseDurationMs": 0,
  "OriginResponseStatus": 0,
  "OriginResponseTime": 0
}
```
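Added example, not part of the issue report or the integration's own pipeline code: it shows why a test fixture that omits ZoneName cannot catch a missing processor, by emulating an ingest `rename` processor with `ignore_missing: true` over two constructed firewall_event samples. The target field path `cloudflare_logpush.firewall_event.zone.name` is an assumption modelled on the http_request handling, not taken from the page.

```python
import json

# Constructed sample events (not the integration's test fixtures): the first
# carries ZoneName like the reported event, the second omits it like the
# existing test samples do.
SAMPLE_NDJSON = """\
{"RayID":"abcdef1234567890","ZoneName":"nota.real.name","ClientIP":"192.168.1.1","SecurityAction":""}
{"RayID":"abcdef1234567891","ClientIP":"192.168.1.2","SecurityAction":"block"}
"""

# Assumed target field; the real firewall_event pipeline path is not on the page.
ZONE_TARGET = "cloudflare_logpush.firewall_event.zone.name"


def parse_ndjson(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def samples_missing(events, key):
    """Return 1-based indexes of sample events that lack `key`.

    A fixture that never carries the key cannot prove the pipeline handles
    it, which is how a missing ZoneName processor goes unnoticed in tests.
    """
    return [i for i, ev in enumerate(events, 1) if key not in ev]


def rename_zone(event):
    """Emulate an ingest 'rename' processor with ignore_missing: true.

    Moves ZoneName into the nested target field and drops the raw key;
    events without ZoneName pass through unchanged, as the processor would.
    """
    out = dict(event)
    if "ZoneName" in out:
        value = out.pop("ZoneName")
        cur = out
        parts = ZONE_TARGET.split(".")
        for part in parts[:-1]:
            cur = cur.setdefault(part, {})
        cur[parts[-1]] = value
    return out


if __name__ == "__main__":
    events = parse_ndjson(SAMPLE_NDJSON)
    print("samples without ZoneName:", samples_missing(events, "ZoneName"))
    for ev in events:
        print(json.dumps(rename_zone(ev)))
```

Running the check against the integration's real sample log files before the pipeline test would flag fixtures that silently skip the field.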
elasticmachine commented 6 days ago

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)