Skip to content

fix(aws/securityhub_findings): event.kind as keyword#14251

Merged
andrewkroh merged 4 commits intoelastic:mainfrom
andrewkroh:aws/fix/securityhub_findings
Jun 19, 2025
Merged

fix(aws/securityhub_findings): event.kind as keyword#14251
andrewkroh merged 4 commits intoelastic:mainfrom
andrewkroh:aws/fix/securityhub_findings

Conversation

@andrewkroh
Copy link
Member

@andrewkroh andrewkroh commented Jun 18, 2025
edited
Loading

Proposed commit message

Change event.kind to keyword instead of constant_keyword.
When a pipeline error occurs, event.kind was being set to
'pipeline_error' and this break ingestion because event.kind
was already assigned a value of 'state'.

The observed error was:

[constant_keyword] field [event.kind] only accepts values that are equal
to the value defined in the mappings [state], but got [pipeline_error]

Closes #12970

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Notes

This bug was detected in our internal demo deployment of the integration.

Logs

This will fix errors like:

{
  "type": "document_parsing_exception",
  "reason": "[1:7357] failed to parse field [event.kind] of type [constant_keyword] in document with id '2KqJqX41g3ygdMw5sXCzYx1Wb/Y='. Preview of field's value: 'pipeline_error'",
  "caused_by": {
    "type": "illegal_argument_exception",
    "reason": "[constant_keyword] field [event.kind] only accepts values that are equal to the value defined in the mappings [state], but got [pipeline_error]"
  }
}

@andrewkroh
fix(aws/securityhub_findings): event.kind as keyword
262e955 
Change event.kind to keyword instead of constant_keyword.
When a pipeline error occurs, event.kind was being set to
'pipeline_error' and this break ingestion because event.kind
was already assigned a value of 'state'.
@andrewkroh
cleanup(aws/securityhub_findings): run fydler
28c18dd 
Remove unused attributes.

Add 'external: ecs' to all ECS fields.

[git-generate]
go run github.com/andrewkroh/fydler@c7c7bae --fix packages/aws/data_stream/securityhub_findings/**/fields/*yml
@andrewkroh
build docs
d42f364 
[git-generate]
elastic-package -C packages/aws build
andrewkroh added a commit to andrewkroh/integrations that referenced this pull request Jun 18, 2025
@andrewkroh
add changelog
f331747 
[git-generate]
elastic-package -C packages/aws changelog add --link elastic#14251 --next patch --type bugfix --description 'Modify the data type of `event.kind` from a constant_keyword to a keyword to handle pipeline errors that send `event.kind` to `pipeline_error`.'
@andrewkroh andrewkroh force-pushed the aws/fix/securityhub_findings branch from f331747 to 948cccf Compare June 18, 2025 14:07
@andrewkroh
add changelog
ba5aa86 
[git-generate]
elastic-package -C packages/aws changelog add --link elastic#14251 --next patch --type bugfix --description 'Modify the data type of `event.kind` from a constant_keyword to a keyword to handle pipeline errors that send `event.kind` as `pipeline_error`.'
@andrewkroh andrewkroh force-pushed the aws/fix/securityhub_findings branch from 948cccf to ba5aa86 Compare June 18, 2025 14:11
@andrewkroh andrewkroh marked this pull request as ready for review June 18, 2025 14:12
@andrewkroh andrewkroh requested review from a team as code owners June 18, 2025 14:12
@andrewkroh andrewkroh added Integration:aws AWS Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] labels Jun 18, 2025
@elasticmachine
Copy link

elasticmachine commented Jun 18, 2025

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@andrewkroh andrewkroh added the bugfix Pull request that fixes a bug issue label Jun 18, 2025
kcreddy
kcreddy approved these changes Jun 18, 2025
View reviewed changes
Copy link
Contributor

@kcreddy kcreddy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. but would be nice to get another opinion if the change is non-breaking.

@kcreddy kcreddy requested a review from efd6 June 18, 2025 15:16
@andrewkroh
Copy link
Member Author

andrewkroh commented Jun 18, 2025

From https://www.elastic.co/docs/reference/elasticsearch/mapping-reference/field-data-types

Types in the same family have exactly the same search behavior but may have different space usage or performance characteristics.

Changing constant_keyword to keyword should not break anything, but the performance characteristics may differ.

@elastic-vault-github-plugin-prod
Copy link

elastic-vault-github-plugin-prod bot commented Jun 18, 2025

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@elasticmachine
Copy link

elasticmachine commented Jun 18, 2025

💚 Build Succeeded

@elastic-sonarqube
Copy link

elastic-sonarqube bot commented Jun 18, 2025

Quality Gate passed Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
25.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

@andrewkroh andrewkroh mentioned this pull request Jun 18, 2025
Closed
@andrewkroh andrewkroh linked an issue Jun 18, 2025 that may be closed by this pull request
[AWS Security Hub]: Event.kind should not be a constant keyword #12970
Closed
@efd6
Copy link
Contributor

efd6 commented Jun 18, 2025

Closes #14251

? Is there something else that it also closes?

efd6
efd6 approved these changes Jun 18, 2025
View reviewed changes
Copy link
Contributor

@efd6 efd6 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, but probably want to refer to the bug in the PR description.

@andrewkroh andrewkroh merged commit a264ad7 into elastic:main Jun 19, 2025
7 checks passed
@elastic-vault-github-plugin-prod
Copy link

elastic-vault-github-plugin-prod bot commented Jun 19, 2025

Package aws - 3.8.1 containing this change is available at https://epr.elastic.co/package/aws/3.8.1/

shmsr pushed a commit to shmsr/integrations that referenced this pull request Jun 30, 2025
@andrewkroh @shmsr
fix(aws/securityhub_findings): event.kind as keyword (elastic#14251)
9333a4f 
Change event.kind to keyword instead of constant_keyword.
When a pipeline error occurs, event.kind was being set to
'pipeline_error' and this break ingestion because event.kind
was already assigned a value of 'state'.

The observed error was:

    [constant_keyword] field [event.kind] only accepts values that are equal
    to the value defined in the mappings [state], but got [pipeline_error]

Closes elastic#12970
@andrewkroh andrewkroh added the documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. label Jul 1, 2025
@efd6 efd6 mentioned this pull request Feb 11, 2026
Closed
@efd6 efd6 mentioned this pull request Feb 25, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kcreddy kcreddy kcreddy approved these changes

@efd6 efd6 efd6 approved these changes

Assignees

No one assigned

Labels

bugfix Pull request that fixes a bug issue documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. Integration:aws AWS Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations]

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[AWS Security Hub]: Event.kind should not be a constant keyword

4 participants

@andrewkroh @elasticmachine @efd6 @kcreddy