[microsoft_dhcp] changes/fix to set values for source and the right values for host; #…

[xtruthx]

…7630

Type of change

• Bug
• Enhancement

What does this PR do?

Explainend in #7630

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.

Author's Checklist

• Is the handling for the field object host complete and valid (not sure actually how they created normally)
• Not sure about the test *-expected.json i adapt the non DHCPv6 as example like i think it should bee

Related issues

• Closes [microsoft_dhcp] Wrong field name usage in processing conflict with the content host.name #7630

Pinging @elastic/integrations (Team:Integrations)

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2023-11-02T07:04:25.120+0000

• Duration: 16 min 17 sec

Test stats 🧪

Test	Results
Failed	0
Passed	6
Skipped	0
Total	6

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

[xtruthx]

Can some one look into this please? If i am wrong with my thoughts and the thoughts behind the merge request please let me know that. Ping @elastic/security-external-integrations

[efd6]

This seems reasonable. Please resolve the conflict and I will run the test build.

[efd6]

Can you also resolve the conflict in the changelog (and ensure the manifest matches the resolution).

[xtruthx]

Is there still something to do? did i miss something?

[efd6]

/test

[efd6]

Please run elastic-package build.

[xtruthx]

i did a rebase with latest changes from main.
Ran the tests again and noticed that I just missed the failed tests for the pipeline The fields of the "host" object are filled by "observer", these are created by the agent. Do these also need to be in test-logs or where do I place these fields?

[efd6]

/test

[efd6]

/test

[efd6]

/test

[elasticmachine]

🌐 Coverage report

Name	Metrics % (covered/total)	Diff
Packages	100.0% (1/1)	💚
Files	100.0% (3/3)	💚
Classes	100.0% (3/3)	💚
Methods	95.238% (20/21)	❕
Lines	97.585% (687/704)	❕
Conditionals	100.0% (0/0)	💚

[efd6]

/test

[efd6]

@xtruthx Please check that the changes that I've made match your expected semantics.

To answer your question, yes, the agent adds those fields in automatically. They don't need to be added into the tests, but the pipeline does need to be robust to their absence. These are the changes that I've made.

[xtruthx]

Thanks @efd6 . That looks great.
Ok I see, so it is better to work with "ignore_empty_value".
Also that the description of the fields must match with the ECS I got now.

Sorry for the stuttering in progress and thanks for the patience. In the next post I know now how to do it:) 😄

[efd6]

/test

[efd6]

The deconfliction needs to have an update to the manifest as well; this is an irritation with how merge conflict get resolved if you do it purely in a merge conflict editor.

[xtruthx]

/test

[xtruthx]

The deconfliction needs to have an update to the manifest as well; this is an irritation with how merge conflict get resolved if you do it purely in a merge conflict editor.

Done and sorry i forgot the manifest. Now i hope it looks good. Time hits me now.

[efd6]

/test

[efd6]

Thanks

[efd6]

@xtruthx I'm just wondering whether client wouldn't be better than source; this is the terminology used in the MS documentation.

[xtruthx]

@efd6 I first thought about putting it into the ECS object 'client'. But then I thought it might be better to use 'source' so that it is also used correctly in the SIEM/Security in the Network overview. I am not sure if the field 'client.source' is also asked. I'll have a look at it again in a moment.

Additional:
This would be an example I think:
https://github.com/elastic/kibana/blob/main/x-pack/plugins/security_solution/public/common/components/visualization_actions/lens_attributes/hosts/kpi_unique_ips_source_metric.ts#L26

But yes from the terminology it would not be wrong to use 'client'.

[efd6]

Thanks.

[xtruthx]

@efd6 as it thank last

Thanks.

@efd6 i think that means yes please do the change and i did so.

When building the integration I got the following validation error:

README.md file rendered: /home/daniel/git/elastic/integrations-fork/packages/microsoft_dhcp/docs/README.md
2023/11/02 06:23:30  INFO License text found in "/home/daniel/git/elastic/integrations-fork/LICENSE.txt" will be included in package
2023/11/02 06:23:30  INFO Skipped errors: found 1 validation error:
   1. conditions.kibana.version must be ^8.10.0 or greater to include saved object tags file: kibana/tags.yml (SVR00005)
Package built: /home/daniel/git/elastic/integrations-fork/build/packages/microsoft_dhcp-1.23.0.zip
Done

I think it makes sense to act accordingly and I have set the kibana version to ^8..10.0 only.

I hope now the merge is possible soon

[efd6]

i think that means yes please do the change and i did so.

Oh, sorry. "Thanks" was for the explanation. If source is commonly used in the rules then it makes sense to use it. But rather than more churn, I'll discuss this with others. So don't make any change on that yet.

I think it makes sense to act accordingly and I have set the kibana version to ^8..10.0 only.

We'd rather this wasn't done since it cuts off users. The validation error really should be noted as a warning rather than an error as it is not something that blocks the build.

Please revert that line change.

[efd6]

We've had a discussion; please revert the source to client change.

[xtruthx]

sorry reverted

[efd6]

/test

[efd6]

Thanks

[elasticmachine]

Package microsoft_dhcp - 1.23.0 containing this change is available at https://epr.elastic.co/search?package=microsoft_dhcp