[jamf_pro] Various minor improvements and fixes

[chrisberkhout]

Proposed commit message

[jamf_pro] Various minor improvements and fixes

Mostly tidying of the README and pipelines, but also some small fixes.

Reviews should probably focus on the pipelines.

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.

Related issues

• Relates Initial Release of Jamf Pro Integration #10470
• Relates [New Integration] Jamf Pro #10026

[elasticmachine]

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

[elasticmachine]

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: 712edc6

History

• 💚 Build #15745 succeeded 8f8ca84
• 💚 Build #15718 succeeded b112c9a

cc @chrisberkhout

[elastic-sonarqube]

Quality Gate failed

Failed conditions
73.3% Coverage on New Code (required ≥ 80%)

See analysis details on SonarQube

[elasticmachine]

Package jamf_pro - 0.1.1 containing this change is available at https://epr.elastic.co/search?package=jamf_pro

[chrisberkhout]

Here is a summary of the main things that came up in this PR, which will help with future integration development.

Aligning input config, pipeline test input and pipeline logic:

• There was some config missing from http_endpoint.yml.hbs which meant that the rename at the start of the events pipeline wasn't being run, because the json key was never populated. It's tricky but very important to make sure that the pipeline test input data and the live events arrive at the pipeline in the same format.

• There was a related data structure/pipeline start error in the inventory pipeline where fingerprinting was attempted on fields in root that were actually nested in "message".

Painless and the null-safe operator

• The null-safe operator, and Painless in general, can only be used if a processor option allows it. It's okay for if options, but values for field or copy_from options should be plain names, not Painless fragments. If you need to account for a name not existing, you can use options like ignore_missing or add an if condition so the processor only runs under the correct conditions.

• Use the null-safe operator after a thing that may or may not exist (not before). It's okay to use one key that doesn't exist (that will return null). So, in the example ctx.jamf_pro.events.event?.ip_address != null, if event exists the null-safe operator is redundant.

Append to make arrays

The related.* ECS fields should be arrays regardless of how many items they have, so use append rather than set.

CEL formatting

There is a new tool for formatting CEL programs: https://github.com/efd6/celfmt We encourage using this now. I recommend using it via this bash alias.

README

I tidied up the README a bit. I added a little bit of text but mostly it was about cleaning up the formatting. Below there is an image showing the rendered versions side-by-side. The red arrows mark some of the more significant formatting improvements. The goal is to use structure, emphasis, etc. consistently to make it easier to read. Ideally the unrendered markdown will also be nicely formatted and readable.