
Commit 87e6e91

[proofpoint_tap] Clean up null handling (#9153)
- Combine 'is null or not contains' checks. - Combine 'not null and is/not value' checks. - Remove redundant null-safe operator.
1 parent e300934 commit 87e6e91


6 files changed

+50
-45
lines changed


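--- a/packages/proofpoint_tap/changelog.yml
+++ b/packages/proofpoint_tap/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.16.3"
+changes:
+- description: Clean up null handling
+type: bugfix
+link: https://github.com/elastic/integrations/pull/9153
 - version: "1.16.2"
 changes:
 - description: Add error.message ECS field mapping.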

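--- a/packages/proofpoint_tap/data_stream/clicks_blocked/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/proofpoint_tap/data_stream/clicks_blocked/elasticsearch/ingest_pipeline/default.yml
@@ -182,7 +182,7 @@ processors:
 ignore_failure: true
 - remove:
 field: event.original
-if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))
+if: ctx.tags?.contains('preserve_original_event') != true
 ignore_failure: true
 ignore_missing: true
 - remove: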
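Review bot: The `!= true` in the new `event.original` removal condition is load-bearing and has no comment explaining it. `ctx.tags?.contains('preserve_original_event')` yields null when `tags` is absent, so the comparison is what makes a missing `tags` field count as "not preserved". A later cleanup that shortens this to a bare negation would presumably throw on null, and `ignore_failure: true` on the same processor would hide that. I would add `# != true: the null-safe call yields null when tags is missing` above the `if:` line. The same condition is introduced in the clicks_permitted, message_blocked and message_delivered pipelines.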

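--- a/packages/proofpoint_tap/data_stream/clicks_permitted/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/proofpoint_tap/data_stream/clicks_permitted/elasticsearch/ingest_pipeline/default.yml
@@ -182,7 +182,7 @@ processors:
 ignore_failure: true
 - remove:
 field: event.original
-if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))
+if: ctx.tags?.contains('preserve_original_event') != true
 ignore_failure: true
 ignore_missing: true
 - remove: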

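--- a/packages/proofpoint_tap/data_stream/message_blocked/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/proofpoint_tap/data_stream/message_blocked/elasticsearch/ingest_pipeline/default.yml
@@ -99,7 +99,7 @@ processors:
 allow_duplicates: false
 ignore_failure: true
 ignore_failure: true
-if: ctx.json?.messageParts != null && ctx.json.messageParts instanceof List
+if: ctx.json?.messageParts instanceof List
 - foreach:
 field: json.messageParts
 processor:
@@ -109,7 +109,7 @@ processors:
 allow_duplicates: false
 ignore_failure: true
 ignore_failure: true
-if: ctx.json?.messageParts != null && ctx.json.messageParts instanceof List
+if: ctx.json?.messageParts instanceof List
 - rename:
 field: json.ccAddresses
 target_field: email.cc.address
@@ -168,7 +168,7 @@ processors:
 allow_duplicates: false
 ignore_failure: true
 ignore_failure: true
-if: ctx.json?.recipient != null && ctx.json.recipient instanceof List
+if: ctx.json?.recipient instanceof List
 - rename:
 field: json.xmailer
 target_field: email.x_mailer
@@ -191,7 +191,7 @@ processors:
 - _ingest._value.sandboxStatus
 ignore_missing: true
 ignore_failure: true
-if: ctx.email?.attachments != null && ctx.email.attachments instanceof List
+if: ctx.email?.attachments instanceof List
 - foreach:
 field: email.attachments
 processor:
@@ -200,7 +200,7 @@ processors:
 target_field: _ingest._value.file.mime_type
 ignore_missing: true
 ignore_failure: true
-if: ctx.email?.attachments != null && ctx.email.attachments instanceof List
+if: ctx.email?.attachments instanceof List
 - foreach:
 field: email.attachments
 processor:
@@ -209,7 +209,7 @@ processors:
 target_field: _ingest._value.file.hash.md5
 ignore_missing: true
 ignore_failure: true
-if: ctx.email?.attachments != null && ctx.email.attachments instanceof List
+if: ctx.email?.attachments instanceof List
 - foreach:
 field: email.attachments
 processor:
@@ -218,7 +218,7 @@ processors:
 target_field: _ingest._value.file.hash.sha256
 ignore_missing: true
 ignore_failure: true
-if: ctx.email?.attachments != null && ctx.email.attachments instanceof List
+if: ctx.email?.attachments instanceof List
 - foreach:
 field: email.attachments
 processor:
@@ -227,14 +227,14 @@ processors:
 target_field: _ingest._value.file.name
 ignore_missing: true
 ignore_failure: true
-if: ctx.email?.attachments != null && ctx.email.attachments instanceof List
+if: ctx.email?.attachments instanceof List
 - script:
 description: Adding hash in related.hash from artifact field.
 lang: painless
 ignore_failure: true
 source: |
 if (ctx.json?.threatsInfoMap instanceof List) {
-for (artifact in ctx.json?.threatsInfoMap) {
+for (artifact in ctx.json.threatsInfoMap) {
 def flag = true;
 def str = artifact.threat.toLowerCase();
 if (str?.length() == 64) {
@@ -331,7 +331,7 @@ processors:
 - _ingest._value.sha256
 ignore_missing: true
 ignore_failure: true
-if: ctx.proofpoint_tap?.message_blocked?.message_parts != null && ctx.proofpoint_tap.message_blocked.message_parts instanceof List
+if: ctx.proofpoint_tap?.message_blocked?.message_parts instanceof List
 - foreach:
 field: proofpoint_tap.message_blocked.message_parts
 processor:
@@ -340,7 +340,7 @@ processors:
 target_field: _ingest._value.o_content_type
 ignore_missing: true
 ignore_failure: true
-if: ctx.proofpoint_tap?.message_blocked?.message_parts != null && ctx.proofpoint_tap.message_blocked.message_parts instanceof List
+if: ctx.proofpoint_tap?.message_blocked?.message_parts instanceof List
 - foreach:
 field: proofpoint_tap.message_blocked.message_parts
 processor:
@@ -349,7 +349,7 @@ processors:
 target_field: _ingest._value.sandbox_status
 ignore_missing: true
 ignore_failure: true
-if: ctx.proofpoint_tap?.message_blocked?.message_parts != null && ctx.proofpoint_tap.message_blocked.message_parts instanceof List
+if: ctx.proofpoint_tap?.message_blocked?.message_parts instanceof List
 - convert:
 field: json.messageSize
 target_field: proofpoint_tap.message_blocked.message_size
@@ -415,7 +415,7 @@ processors:
 target_field: _ingest._value.campaign_id
 ignore_missing: true
 ignore_failure: true
-if: ctx.proofpoint_tap?.message_blocked?.threat_info_map != null && ctx.proofpoint_tap.message_blocked.threat_info_map instanceof List
+if: ctx.proofpoint_tap?.message_blocked?.threat_info_map instanceof List
 - foreach:
 field: proofpoint_tap.message_blocked.threat_info_map
 processor:
@@ -424,7 +424,7 @@ processors:
 target_field: _ingest._value.threat.artifact
 ignore_missing: true
 ignore_failure: true
-if: ctx.proofpoint_tap?.message_blocked?.threat_info_map != null && ctx.proofpoint_tap.message_blocked.threat_info_map instanceof List
+if: ctx.proofpoint_tap?.message_blocked?.threat_info_map instanceof List
 - foreach:
 field: proofpoint_tap.message_blocked.threat_info_map
 processor:
@@ -433,7 +433,7 @@ processors:
 target_field: _ingest._value.threat.id
 ignore_missing: true
 ignore_failure: true
-if: ctx.proofpoint_tap?.message_blocked?.threat_info_map != null && ctx.proofpoint_tap.message_blocked.threat_info_map instanceof List
+if: ctx.proofpoint_tap?.message_blocked?.threat_info_map instanceof List
 - foreach:
 field: proofpoint_tap.message_blocked.threat_info_map
 processor:
@@ -442,7 +442,7 @@ processors:
 target_field: _ingest._value.threat.status
 ignore_missing: true
 ignore_failure: true
-if: ctx.proofpoint_tap?.message_blocked?.threat_info_map != null && ctx.proofpoint_tap.message_blocked.threat_info_map instanceof List
+if: ctx.proofpoint_tap?.message_blocked?.threat_info_map instanceof List
 - foreach:
 field: proofpoint_tap.message_blocked.threat_info_map
 processor:
@@ -453,15 +453,15 @@ processors:
 formats:
 - ISO8601
 ignore_failure: true
-if: ctx.proofpoint_tap?.message_blocked?.threat_info_map != null && ctx.proofpoint_tap.message_blocked.threat_info_map instanceof List
+if: ctx.proofpoint_tap?.message_blocked?.threat_info_map instanceof List
 - foreach:
 field: proofpoint_tap.message_blocked.threat_info_map
 processor:
 remove:
 field: _ingest._value.threatTime
 ignore_missing: true
 ignore_failure: true
-if: ctx.proofpoint_tap?.message_blocked?.threat_info_map != null && ctx.proofpoint_tap.message_blocked.threat_info_map instanceof List
+if: ctx.proofpoint_tap?.message_blocked?.threat_info_map instanceof List
 - foreach:
 field: proofpoint_tap.message_blocked.threat_info_map
 processor:
@@ -470,7 +470,7 @@ processors:
 target_field: _ingest._value.threat.type
 ignore_missing: true
 ignore_failure: true
-if: ctx.proofpoint_tap?.message_blocked?.threat_info_map != null && ctx.proofpoint_tap.message_blocked.threat_info_map instanceof List
+if: ctx.proofpoint_tap?.message_blocked?.threat_info_map instanceof List
 - foreach:
 field: proofpoint_tap.message_blocked.threat_info_map
 processor:
@@ -479,10 +479,10 @@ processors:
 target_field: _ingest._value.threat.url
 ignore_missing: true
 ignore_failure: true
-if: ctx.proofpoint_tap?.message_blocked?.threat_info_map != null && ctx.proofpoint_tap.message_blocked.threat_info_map instanceof List
+if: ctx.proofpoint_tap?.message_blocked?.threat_info_map instanceof List
 - remove:
 field: event.original
-if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))
+if: ctx.tags?.contains('preserve_original_event') != true
 ignore_failure: true
 ignore_missing: true
 - remove: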
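Review bot: In the `related.hash` script (hunk at -227,14), `artifact.threat.toLowerCase()` is still dereferenced without a null check, so the `?.` in the following `str?.length() == 64` can never help: a `threatsInfoMap` entry with no `threat` value throws one line earlier. Because the script processor sets `ignore_failure: true`, that exception is swallowed and the loop stops, so hashes from the remaining entries of the event would presumably never reach `related.hash`, which weakens pivoting on those indicators. Consider `def str = artifact?.threat?.toLowerCase();` and keeping the `str?.length()` guard, which then has a purpose. The script body continues past the hunk, and the same lines appear in the message_delivered pipeline.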

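--- a/packages/proofpoint_tap/data_stream/message_delivered/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/proofpoint_tap/data_stream/message_delivered/elasticsearch/ingest_pipeline/default.yml
@@ -95,7 +95,7 @@ processors:
 allow_duplicates: false
 ignore_failure: true
 ignore_failure: true
-if: ctx.json?.messageParts != null && ctx.json.messageParts instanceof List
+if: ctx.json?.messageParts instanceof List
 - foreach:
 field: json.messageParts
 processor:
@@ -105,7 +105,7 @@ processors:
 allow_duplicates: false
 ignore_failure: true
 ignore_failure: true
-if: ctx.json?.messageParts != null && ctx.json.messageParts instanceof List
+if: ctx.json?.messageParts instanceof List
 - rename:
 field: json.ccAddresses
 target_field: email.cc.address
@@ -164,7 +164,7 @@ processors:
 allow_duplicates: false
 ignore_failure: true
 ignore_failure: true
-if: ctx.json?.recipient != null && ctx.json.recipient instanceof List
+if: ctx.json?.recipient instanceof List
 - rename:
 field: json.xmailer
 target_field: email.x_mailer
@@ -187,7 +187,7 @@ processors:
 - _ingest._value.sandboxStatus
 ignore_missing: true
 ignore_failure: true
-if: ctx.email?.attachments != null && ctx.email.attachments instanceof List
+if: ctx.email?.attachments instanceof List
 - foreach:
 field: email.attachments
 processor:
@@ -196,7 +196,7 @@ processors:
 target_field: _ingest._value.file.mime_type
 ignore_missing: true
 ignore_failure: true
-if: ctx.email?.attachments != null && ctx.email.attachments instanceof List
+if: ctx.email?.attachments instanceof List
 - foreach:
 field: email.attachments
 processor:
@@ -205,7 +205,7 @@ processors:
 target_field: _ingest._value.file.hash.md5
 ignore_missing: true
 ignore_failure: true
-if: ctx.email?.attachments != null && ctx.email.attachments instanceof List
+if: ctx.email?.attachments instanceof List
 - foreach:
 field: email.attachments
 processor:
@@ -214,7 +214,7 @@ processors:
 target_field: _ingest._value.file.hash.sha256
 ignore_missing: true
 ignore_failure: true
-if: ctx.email?.attachments != null && ctx.email.attachments instanceof List
+if: ctx.email?.attachments instanceof List
 - foreach:
 field: email.attachments
 processor:
@@ -223,14 +223,14 @@ processors:
 target_field: _ingest._value.file.name
 ignore_missing: true
 ignore_failure: true
-if: ctx.email?.attachments != null && ctx.email.attachments instanceof List
+if: ctx.email?.attachments instanceof List
 - script:
 description: Adding hash in related.hash from artifact field.
 lang: painless
 ignore_failure: true
 source: |
 if (ctx.json?.threatsInfoMap instanceof List) {
-for (artifact in ctx.json?.threatsInfoMap) {
+for (artifact in ctx.json.threatsInfoMap) {
 def flag = true;
 def str = artifact.threat.toLowerCase();
 if (str?.length() == 64) {
@@ -319,7 +319,7 @@ processors:
 - _ingest._value.sha256
 ignore_missing: true
 ignore_failure: true
-if: ctx.proofpoint_tap?.message_delivered?.message_parts != null && ctx.proofpoint_tap.message_delivered.message_parts instanceof List
+if: ctx.proofpoint_tap?.message_delivered?.message_parts instanceof List
 - foreach:
 field: proofpoint_tap.message_delivered.message_parts
 processor:
@@ -328,7 +328,7 @@ processors:
 target_field: _ingest._value.o_content_type
 ignore_missing: true
 ignore_failure: true
-if: ctx.proofpoint_tap?.message_delivered?.message_parts != null && ctx.proofpoint_tap.message_delivered.message_parts instanceof List
+if: ctx.proofpoint_tap?.message_delivered?.message_parts instanceof List
 - foreach:
 field: proofpoint_tap.message_delivered.message_parts
 processor:
@@ -337,7 +337,7 @@ processors:
 target_field: _ingest._value.sandbox_status
 ignore_missing: true
 ignore_failure: true
-if: ctx.proofpoint_tap?.message_delivered?.message_parts != null && ctx.proofpoint_tap.message_delivered.message_parts instanceof List
+if: ctx.proofpoint_tap?.message_delivered?.message_parts instanceof List
 - convert:
 field: json.messageSize
 target_field: proofpoint_tap.message_delivered.message_size
@@ -403,7 +403,7 @@ processors:
 target_field: _ingest._value.campaign_id
 ignore_missing: true
 ignore_failure: true
-if: ctx.proofpoint_tap?.message_delivered?.threat_info_map != null && ctx.proofpoint_tap.message_delivered.threat_info_map instanceof List
+if: ctx.proofpoint_tap?.message_delivered?.threat_info_map instanceof List
 - foreach:
 field: proofpoint_tap.message_delivered.threat_info_map
 processor:
@@ -412,7 +412,7 @@ processors:
 target_field: _ingest._value.threat.artifact
 ignore_missing: true
 ignore_failure: true
-if: ctx.proofpoint_tap?.message_delivered?.threat_info_map != null && ctx.proofpoint_tap.message_delivered.threat_info_map instanceof List
+if: ctx.proofpoint_tap?.message_delivered?.threat_info_map instanceof List
 - foreach:
 field: proofpoint_tap.message_delivered.threat_info_map
 processor:
@@ -421,7 +421,7 @@ processors:
 target_field: _ingest._value.threat.id
 ignore_missing: true
 ignore_failure: true
-if: ctx.proofpoint_tap?.message_delivered?.threat_info_map != null && ctx.proofpoint_tap.message_delivered.threat_info_map instanceof List
+if: ctx.proofpoint_tap?.message_delivered?.threat_info_map instanceof List
 - foreach:
 field: proofpoint_tap.message_delivered.threat_info_map
 processor:
@@ -430,7 +430,7 @@ processors:
 target_field: _ingest._value.threat.status
 ignore_missing: true
 ignore_failure: true
-if: ctx.proofpoint_tap?.message_delivered?.threat_info_map != null && ctx.proofpoint_tap.message_delivered.threat_info_map instanceof List
+if: ctx.proofpoint_tap?.message_delivered?.threat_info_map instanceof List
 - foreach:
 field: proofpoint_tap.message_delivered.threat_info_map
 processor:
@@ -441,15 +441,15 @@ processors:
 formats:
 - ISO8601
 ignore_failure: true
-if: ctx.proofpoint_tap?.message_delivered?.threat_info_map != null && ctx.proofpoint_tap.message_delivered.threat_info_map instanceof List
+if: ctx.proofpoint_tap?.message_delivered?.threat_info_map instanceof List
 - foreach:
 field: proofpoint_tap.message_delivered.threat_info_map
 processor:
 remove:
 field: _ingest._value.threatTime
 ignore_missing: true
 ignore_failure: true
-if: ctx.proofpoint_tap?.message_delivered?.threat_info_map != null && ctx.proofpoint_tap.message_delivered.threat_info_map instanceof List
+if: ctx.proofpoint_tap?.message_delivered?.threat_info_map instanceof List
 - foreach:
 field: proofpoint_tap.message_delivered.threat_info_map
 processor:
@@ -458,7 +458,7 @@ processors:
 target_field: _ingest._value.threat.type
 ignore_missing: true
 ignore_failure: true
-if: ctx.proofpoint_tap?.message_delivered?.threat_info_map != null && ctx.proofpoint_tap.message_delivered.threat_info_map instanceof List
+if: ctx.proofpoint_tap?.message_delivered?.threat_info_map instanceof List
 - foreach:
 field: proofpoint_tap.message_delivered.threat_info_map
 processor:
@@ -467,10 +467,10 @@ processors:
 target_field: _ingest._value.threat.url
 ignore_missing: true
 ignore_failure: true
-if: ctx.proofpoint_tap?.message_delivered?.threat_info_map != null && ctx.proofpoint_tap.message_delivered.threat_info_map instanceof List
+if: ctx.proofpoint_tap?.message_delivered?.threat_info_map instanceof List
 - remove:
 field: event.original
-if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))
+if: ctx.tags?.contains('preserve_original_event') != true
 ignore_failure: true
 ignore_missing: true
 - remove: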
