Validate fields based on their mappings and the dynamic templates set

[mrodm]

Relates #2207

Add support to validate mappings after ingesting documents based on dynamic templates.

It also updates how mappings not found in the preview are compared/validated with ECS fields.

Assumptions:

• Filtered out dynamic templates created by import_mappings
• Filtered out dynamic templates created by ecs@mappings component template
• Filtered out the field definitions added via appendECSMappingMultifields function.
• All the mappings present in the actual mappings (after ingesting documents) must fulfill one of these conditions to be valid:
  • All the fields from the actual mapping must be present in the preview (not viceversa).
  • All the fields from the actual mapping must be present in the dynamic template (not viceversa).
• Multi-fields are just validated with the definitions in the preview (not in ECS or in dynamic templates).

Author's Checklist

• Clean log/debug statements
• Run tests on packages from integration repository

[mrodm]

test integrations

[elastic-vault-github-plugin-prod]

Created or updated PR in integrations repository to test this version. Check elastic/integrations#12164

[mrodm]

test integrations

[elastic-vault-github-plugin-prod]

Created or updated PR in integrations repository to test this version. Check elastic/integrations#12164

[mrodm]

As a reference, this is the previous errors found without support of dynamic templates: #2214 (comment)

Looking at the errors in this build: https://buildkite.com/elastic/integrations/builds/19707

There are some packages that are failing due to missing parameters:

• auditd_manager: auditd.data.a0, auditd.data.a1, auditd.data.a2 and auditd.data.a3
• teleport: some examples: teleport.audit.account_id, teleport.audit.aws_host, teleport.audit.aws_region, teleport.audit.instance_id,...
• docker: some examples: docker.cpu.core.0.norm.pct, docker.cpu.core.2.ticks, docker.cpu.core.3.pct, ...
  • incorrect field definitions? https://github.com/elastic/integrations/blob/51460fb00b85968f3f987cf73683946f0d821d37/packages/docker/data_stream/cpu/fields/fields.yml#L81-L99

There are packages that fail due to different types comparing with ECS:

• box_events: different type for threat.enrichments.indicator.first_seen and threat.enrichments.indicator.last_seen
• claroty_ctd: different type for threat.indicator.modified_at
• mimecast: different type for threat.indicator.first_seen and threat.indicator.modified_at
• ti_anomali: different type for threat.indicator.modified_at

Packages with issues related to multi_fields:

• fortinet_fortimail: missing multi_field (probably due to ecs@mappings component template)
• cef: missing multi_field (probably due to ecs@mappings component template)

[mrodm]

Workaround to be able to filter multifieds generated here during the validation.

[mrodm]

Would it be a better approach for this ?

[jsoriano]

Do we have many failures if we don't do this? Maybe we can leave this for a separate change.

[mrodm]

As talked offline, we decided to ignore the validation of these multi-fields.
Added a comment about the reasoning behind this in https://github.com/elastic/elastic-package/pull/2285/files#diff-67b718cebdeb840d99361c07166f75df079827a75df20850ef6cada861304521R318-R322

[mrodm]

Does match_pattern applies also for unmatch ?

According to this, maybe it just applies for match.
https://www.elastic.co/guide/en/elasticsearch/reference/current/dynamic-templates.html#match-unmatch

WDYT ?

[jsoriano]

Yeah, the docs seem to indicate that it only applies to match, but it would be weird that it is not possible to set this option for unmatch. Maybe match_pattern applies to both?

In any case, do we generate templates with these options?

[mrodm]

Yeah, the docs seem to indicate that it only applies to match, but it would be weird that it is not possible to set this option for unmatch. Maybe match_pattern applies to both?

According to the tests it looks like it applies to both parameters
https://github.com/elastic/elasticsearch/blob/fe3a3cb70e3dd18b3e5ddaf6a63389b4cb16b776/server/src/test/java/org/elasticsearch/index/mapper/DynamicTemplatesTests.java#L2391-L2397

And also it looks like it could apply to path_match and path_unmatch, lookign at this test
https://github.com/elastic/elasticsearch/blob/75bf27c8b69b7c32fb200afd5a244e7b1f8aea32/x-pack/plugin/core/template-resources/src/main/resources/watch-history.json#L23

Currently, I think that math_pattern parameter is not used. Fleet does not generate that and currently the ECS component template does not use it neither.

[mrodm]

This code to load the external and local fields maybe can be removed. That would mean that just the schema set (optionally) via options is taken into account.

WDYT?

[jsoriano]

Yes, sounds good.

[mrodm]

Looks like that these options would be better to skip them, since they would require to have the original type before the documents are stored into Elasticsearch.

If there is no objection, this whole case could be left as empty (with a comment).

[jsoriano]

Yes, I think we can ignore this, but we should still check that the mapping type in the template matches with the actual mapping.

[mrodm]

Ok, then I'll remove the code and add a comment there about this.

Comparing and validating the type would be achieved via the validateObjectMappingAndParameters function once it is found a dynamic template that matches the given parameters.

[jsoriano]

Nit. This loop mixes parsing of the dynamic templates and its execution. Consider unmarshalling the dynamic templates first, so this loop becomes something like:

for _, template := dynamicTemplates {
    matches, err := template.Matches(currentPath, definition)
    if err != nil {
        return err
    }
    if matches {
        return nil
    }
}

The parsing of the dynamic templates could be done once, in validateMappingsNotInPreview.

[mrodm]

Separated that logic in two stages. First one parses the dynamic templates from map[string]any into a specific struct.

Once the dynamic templates are parsed, the required mappings are validated with those dynamic templates.

[jsoriano]

Yeah, the docs seem to indicate that it only applies to match, but it would be weird that it is not possible to set this option for unmatch. Maybe match_pattern applies to both?

In any case, do we generate templates with these options?

[jsoriano]

Yes, I think we can ignore this, but we should still check that the mapping type in the template matches with the actual mapping.

[jsoriano]

Do we have many failures if we don't do this? Maybe we can leave this for a separate change.

[mrodm]

test integrations

[elastic-vault-github-plugin-prod]

Created or updated PR in integrations repository to test this version. Check elastic/integrations#12164

[mrodm]

As the process to load the fields from the package and ECS has been removed, these parameters are not needed anymore.

The schema to be used to validate fields with ECS is the one set (optionally) via the method WithMappingValidatorFallbackSchema

[mrodm]

test integrations

[elastic-vault-github-plugin-prod]

Created or updated PR in integrations repository to test this version. Check elastic/integrations#12164

[mrodm]

test integrations

[elastic-vault-github-plugin-prod]

Created or updated PR in integrations repository to test this version. Check elastic/integrations#12164

[mrodm]

test integrations

[elastic-vault-github-plugin-prod]

Created or updated PR in integrations repository to test this version. Check elastic/integrations#12164

[mrodm]

Follow-up of the above comment #2285 (comment)

Summary of the errors found in the build: https://buildkite.com/elastic/integrations/builds/20226

There are some packages that are failing due to missing parameters/definitions:

• auditd_manager: auditd.data.a0, auditd.data.a1, auditd.data.a2 and auditd.data.a3
• teleport: some examples: teleport.audit.account_id, teleport.audit.aws_host, teleport.audit.aws_region, teleport.audit.instance_id,...
• mongodb_atlas: missing definition for two fields mongodb_atlas.project.additional_info.hidden and mongodb_atlas.project.additional_info.is_mms_admin
  • They do not match the dynamic template since they are boolean and not string.
• crowdstrike: errors related to flattened type
  • https://github.com/elastic/integrations/blob/80d18e9d05055786dbca2dcff1a9a8c0abb95fb3/packages/crowdstrike/data_stream/fdr/fields/fields.yml#L31
  • this is the exact error: unexpected value found in mapping for field "crowdstrike.assessments.execution_blocking_custom_blocking_enabled_mac.type": preview mappings value ("flattened") different from the actual mappings value ("keyword")
  • probably it does not match the dynamic template created:

        {
          "crowdstrike.assessments.*": {
            "path_match": "crowdstrike.assessments.*",
            "mapping": {
              "type": "flattened"
            },
            "match_mapping_type": "object"
          }
        }

• sublime_security: field does not match the dynamic template sublime_security.email_message.headers.hops.fields.position
  • https://github.com/elastic/integrations/blob/80d18e9d05055786dbca2dcff1a9a8c0abb95fb3/packages/sublime_security/data_stream/email_message/fields/fields.yml#L644-L646
  • this is the exact error: unexpected value found in mapping for field "sublime_security.email_message.headers.hops.fields.position.type": preview mappings value ("keyword") different from the actual mappings value ("long")
  • It does not match the dynamic template:

        "sublime_security.email_message.headers.hops.fields": {
            "path_match": "sublime_security.email_message.headers.hops.fields.*",
            "mapping": {
              "type": "keyword"
            },
            "match_mapping_type": "string"
          }
        }

There are packages that fail due to different types comparing with ECS:

• box_events: different type for threat.enrichments.indicator.first_seen and threat.enrichments.indicator.last_seen
• claroty_ctd: different type for threat.indicator.modified_at
• mimecast: different type for threat.indicator.first_seen and threat.indicator.modified_at
• ti_anomali: different type for threat.indicator.modified_at
• cef: different type for url.original (keyword vs wildcard)

Packages that do not have any test failing now:

• docker: mappings were fixed in Kibana since 8.12.0 [Fleet] Add support for additional types for dynamic mappings kibana#168842
• fortinet_fortimail: multi-fields are ignored now

While inspecting the mappings and dynamic templates created for the docker package, I found some discrepancies in the mappings created
taking into account the definition in the package:

• field definition:

    - name: core.*.pct
      type: scaled_float
      format: percent
      unit: percent
      metric_type: gauge
      description: |
        Percentage of CPU time in this core.

• dynamic template created:

        {
          "docker.cpu.core.*.pct": {
            "path_match": "docker.cpu.core.*.pct",
            "match_mapping_type": "*",
            "mapping": {
              "scaling_factor": 1000,
              "type": "scaled_float"
            }
          }
        },

cc @jsoriano

[mrodm]

Among the errors mentioned above:

cef: different type for url.original (keyword vs wildcard)

One option to solve this error in cef package is to update the ECS mappings that elastic-package adds automatically via import_mappings setting.

Currently, the embedded dynamic template created by elastic-package when import_mappings is enabled does not take any effect (it does not match path_match):

        {
          "_embedded_ecs-url_original_to_multifield": {
            "path_match": "*.url.original",
            "mapping": {
              "fields": {
                "text": {
                  "type": "match_only_text"
                }
              },
              "type": "wildcard"
            }
          }
        },

This dynamic template could be updated as in the ecs@mappings component template (without unmatch_mapping_type parameter since it is not supported in 8.6.x):

        {
          "ecs_path_match_wildcard_and_match_only_text": {
            "path_match": [
              "*.body.content",
              "*url.full",
              "*url.original"
            ],
            "unmatch_mapping_type": "object",
            "mapping": {
              "fields": {
                "text": {
                  "type": "match_only_text"
                }
              },
              "type": "wildcard"
            }
          }
        },

The inconvenient is that it would be needed to do a new cef release in order to include these new dynamic templates, since they are included in the built package.

WDYT about updating the embedded dynamic templates (in a follow-up PR)? Should it be created a new "empty" release in cef (with the new embedded dynamic templates) if this change is applied? Or just wait for the next cef version whenever it is created? @jsoriano

EDIT:

• Possible follow-up PR updating dynamic templates created when import_mappings is enabled Update dynamic template for url.original and url.full (import_mappings setting) #2337

[jsoriano]

cef: different type for url.original (keyword vs wildcard)

Why is this issue not detected with current validation? 🤔

WDYT about updating the embedded dynamic templates (in a follow-up PR)?

We probably need to do that in any case.

Should it be created a new "empty" release in cef (with the new embedded dynamic templates) if this change is applied? Or just wait for the next cef version whenever it is created?

We will need this to apply the new validation in integrations, we can wait till then.

[mrodm]

cef: different type for url.original (keyword vs wildcard)

Why is this issue not detected with current validation? 🤔

Looking at the current logic to validate the fields (without mappings), IIUC wildcards are not validated or at least considered as not blocking due to this switch case (parseSingleElementValue function):

elastic-package/internal/fields/validate.go

Lines 1249 to 1252 in a7d863a

	// All other types are considered valid not blocking validation.
	default:
	return nil
	}

WDYT about updating the embedded dynamic templates (in a follow-up PR)?

We probably need to do that in any case.

Should it be created a new "empty" release in cef (with the new embedded dynamic templates) if this change is applied? Or just wait for the next cef version whenever it is created?

We will need this to apply the new validation in integrations, we can wait till then.

As this requires the ECS templates file to be updated in elastic-package, I'll move forward with this PR to prepare it for review.

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: 8fce0ec

History

• 💚 Build #4609 succeeded dbca4fe
• 💚 Build #4608 succeeded d96ffbf
• 💚 Build #4607 succeeded 8f36c18
• 💔 Build #4605 failed ebda859
• 💔 Build #4604 failed 9ff3d0c
• 💚 Build #4603 succeeded 0a5e775

cc @mrodm

[mrodm]

Created this PR elastic/integrations#12300 to start testing different approaches/workarounds that could be followed in the failing packages found in the integrations repository.

As a note, that integrations PR is just for testing purposes, and it is not going to be merged as it is.