jamf_protect: fix up handling of alert facts

elastic · Sep 1, 2024 · 0d22e3f · 0d22e3f
1 parent c7f0479
commit 0d22e3f
Show file tree

Hide file tree

Showing 3 changed files with 67 additions and 10 deletions.
diff --git a/packages/jamf_protect/changelog.yml b/packages/jamf_protect/changelog.yml
@@ -4,6 +4,9 @@
     - description: Fix dashboard filters.
       type: bugfix
       link: https://github.com/elastic/integrations/pull/10927
+    - description: Fix handling of alert facts.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/10927
     - description: Use contant keyword for `observer.product` and `observer.vendor`.
       type: enhancement
       link: https://github.com/elastic/integrations/pull/10927

diff --git a/...a_stream/alerts/_dev/test/pipeline/test-jamf-protect-alerts-sample-logs.log-expected.json b/...a_stream/alerts/_dev/test/pipeline/test-jamf-protect-alerts-sample-logs.log-expected.json
@@ -117,6 +117,10 @@
                     "root"
                 ]
             },
+            "rule": {
+                "description": "Application that uses custom url handler created",
+                "name": "CustomURLHandlerCreation"
+            },
             "tags": [
                 "Visibility"
             ]
@@ -235,6 +239,10 @@
                     "local-admin"
                 ]
             },
+            "rule": {
+                "description": "Application used deprecated elevation API",
+                "name": "User Elevated Action"
+            },
             "tags": [
                 "DefenseEvasion",
                 "T1548.004",
@@ -379,6 +387,9 @@
                     "john",
                     "root"
                 ]
+            },
+            "rule": {
+                "name": "terminal_persistence"
             }
         },
         {
@@ -486,6 +497,10 @@
                     "175.16.199.4"
                 ]
             },
+            "rule": {
+                "description": "New Dock Tile registered",
+                "name": "DockTileAdded"
+            },
             "tags": [
                 "Persistence",
                 "BootOrLogonAutostartExecution",
@@ -534,6 +549,10 @@
                     "175.16.199.5"
                 ]
             },
+            "rule": {
+                "description": "USB device inserted",
+                "name": "USBInserted"
+            },
             "tags": [
                 "Visibility"
             ],
@@ -611,6 +630,9 @@
                 "user": [
                     "local-admin"
                 ]
+            },
+            "rule": {
+                "name": "new_downloads"
             }
         },
         {
@@ -651,6 +673,10 @@
                     "175.16.199.7"
                 ]
             },
+            "rule": {
+                "description": "XProtect Remediator Scan Activity",
+                "name": "XProtect Remediator Scan Activity"
+            },
             "tags": [
                 "XProtect Remediator"
             ]
@@ -693,6 +719,10 @@
                     "175.16.199.8"
                 ]
             },
+            "rule": {
+                "description": "XProtect Remediator Scan Activity",
+                "name": "XProtect Remediator Scan Activity"
+            },
             "tags": [
                 "XProtect Remediator"
             ]
@@ -737,6 +767,10 @@
                     "175.16.199.18"
                 ]
             },
+            "rule": {
+                "description": "XProtect Remediator Scan Activity",
+                "name": "XProtect Remediator Scan Activity"
+            },
             "tags": [
                 "XProtect Remediator"
             ]
@@ -778,6 +812,10 @@
                 "ip": [
                     "175.16.199.10"
                 ]
+            },
+            "rule": {
+                "description": "JCDaemon TPE Reasoning",
+                "name": "JCDaemon TPE Reasoning"
             }
         },
         {
@@ -818,6 +856,10 @@
                     "175.16.199.11"
                 ]
             },
+            "rule": {
+                "description": "LoginWindow TouchID Success",
+                "name": "LoginWindow TouchID Success"
+            },
             "tags": [
                 "login",
                 "touchid"

diff --git a/packages/jamf_protect/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml b/packages/jamf_protect/data_stream/alerts/elasticsearch/ingest_pipeline/default.yml
@@ -47,16 +47,28 @@ processors:
         field: event.category
         value: file
         if: ctx.jamf_protect?.alerts?.input?.eventType == 'GPDownloadEvent'
-    - rename:
-        field: ctx.jamf_protect.alerts.input.match.facts[0].name
-        target_field: rule.name
-        if: ctx.jamf_protect?.alerts?.input?.match?.facts[0].name != null
-        ignore_missing: true
-    - rename:
-        field: ctx.jamf_protect?.alerts.input.match.facts[0].name
-        target_field: rule.description 
-        if: ctx.jamf_protect?.alerts?.input?.match?.facts[0].human != null
-        ignore_missing: true
+    - script:
+        if: >
+          ctx.jamf_protect?.alerts?.input?.match?.facts instanceof List && 
+          ctx.jamf_protect.alerts.input.match.facts.length != 0 && 
+          ctx.jamf_protect.alerts.input.match.facts[0].name != null
+        lang: painless
+        source: |
+          if (ctx.rule == null) {
+            ctx.rule = new HashMap();
+          }
+          ctx.rule.name = ctx.jamf_protect.alerts.input.match.facts[0].name
+    - script:
+        if: >
+          ctx.jamf_protect?.alerts?.input?.match?.facts instanceof List && 
+          ctx.jamf_protect.alerts.input.match.facts.length != 0 && 
+          ctx.jamf_protect.alerts.input.match.facts[0].human != null
+        lang: painless
+        source: |
+          if (ctx.rule == null) {
+            ctx.rule = new HashMap();
+          }
+          ctx.rule.description = ctx.jamf_protect.alerts.input.match.facts[0].human
     - script:
         description: Populates event.action with the name of the event
         lang: painless