
Make cyberark_epm.raw_event.evidences a flattened field #17835

Open
chrisberkhout wants to merge 2 commits into elastic:main from chrisberkhout:cyberark_epm-flattened-evidences

Conversation

@chrisberkhout (Contributor) commented Mar 16, 2026

Proposed commit message

Map `cyberark_epm.raw_event.evidences` as flattened

The documentation[1] is not specific about the structure of the objects.
A pipeline test has had a value added based on real-world data.

[1]: https://docs.cyberark.com/epm/latest/en/content/webservices/getdetailedrawevents.htm

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices
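The mapping change described in the commit message, keyword to flattened, changes what Elasticsearch does with an array of evidence objects. The following is an added example (not code from the integration package or from Elasticsearch) that models the two behaviours: a keyword field rejects a JSON object, while a flattened field indexes every leaf of the object tree as a keyword term under its dotted sub-path, so numbers and booleans lose their type. The sample evidences array and its keys are constructed, since the PR notes the documented structure is unspecified.

```python
"""Model how Elasticsearch treats one value under a `keyword` mapping versus a
`flattened` mapping. Added example; the evidence objects below are constructed
and their keys are hypothetical, not taken from CyberArk EPM documentation."""
from __future__ import annotations

import json
from typing import Any

# Constructed sample: an array of evidence objects with unknown, varying keys.
SAMPLE_EVIDENCES: list[dict[str, Any]] = [
    {"type": "file", "path": "C:\\Users\\Public\\dropper.exe", "size": 48128},
    {"type": "process", "pid": 4120, "cmdline": "powershell -nop -w hidden", "signed": False},
]


def _term(value: Any) -> str:
    """Render a scalar the way it would appear as an indexed keyword term."""
    return value if isinstance(value, str) else json.dumps(value)


def fits_keyword(value: Any) -> bool:
    """A keyword field accepts a scalar or an array of scalars. A JSON object,
    or an array containing one, makes document parsing fail."""
    if isinstance(value, list):
        return all(fits_keyword(v) for v in value)
    return not isinstance(value, dict)


def flattened_leaves(value: Any, prefix: str = "") -> list[tuple[str, str]]:
    """Return the (path, term) pairs a `flattened` field indexes: each leaf
    becomes a keyword term under its dotted sub-path, arrays contribute one
    term per element under the same path, nulls are skipped, and numbers and
    booleans are stored as strings (no range or date queries on them)."""
    if isinstance(value, dict):
        leaves: list[tuple[str, str]] = []
        for key, sub in value.items():
            path = f"{prefix}.{key}" if prefix else key
            leaves.extend(flattened_leaves(sub, path))
        return leaves
    if isinstance(value, list):
        leaves = []
        for item in value:
            leaves.extend(flattened_leaves(item, prefix))
        return leaves
    if value is None:
        return []
    return [(prefix, _term(value))]


def index_field(field_type: str, field: str, value: Any) -> dict[str, Any]:
    """Decide what happens when a document carrying `value` for `field` meets a
    mapping of `field_type`. Returns a result dict instead of raising so a
    pipeline test can assert on it; the error text approximates Elasticsearch's."""
    if field_type == "keyword":
        if not fits_keyword(value):
            return {"indexed": False,
                    "error": f"failed to parse field [{field}] of type [keyword]"}
        items = value if isinstance(value, list) else [value]
        return {"indexed": True, "terms": {field: [_term(v) for v in items if v is not None]}}
    if field_type == "flattened":
        terms: dict[str, list[str]] = {}
        for path, term in flattened_leaves(value, field):
            terms.setdefault(path, []).append(term)
        return {"indexed": True, "terms": terms}
    raise ValueError(f"unsupported field type {field_type!r}")


if __name__ == "__main__":
    name = "cyberark_epm.raw_event.evidences"
    print("keyword:  ", index_field("keyword", name, SAMPLE_EVIDENCES))
    print("flattened:", index_field("flattened", name, SAMPLE_EVIDENCES))
```

The flattened result is what a KQL query such as `cyberark_epm.raw_event.evidences.type: process` would match against; the `size` and `signed` leaves are only reachable as exact string terms, which is the trade-off accepted when the object structure is unknown.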

@chrisberkhout chrisberkhout self-assigned this Mar 16, 2026
@chrisberkhout chrisberkhout requested a review from a team as a code owner March 16, 2026 15:22
@chrisberkhout chrisberkhout added the Team:Service-Integrations (Observability Service Integrations team), bugfix, and Integration:cyberark_epm labels Mar 16, 2026
@elasticmachine commented Mar 16, 2026

💔 Build Failed (Failed CI Steps, History)

cc @chrisberkhout

@github-actions (Contributor) commented

Buildkite failure is caused by an out-of-date generated README after changing evidences field type.

Build: https://buildkite.com/elastic/integrations/builds/39723

What failed: Check integrations cyberark_epm (.buildkite/scripts/test_one_package.sh cyberark_epm origin/main 9b3c8f34e8541e8b53816082690fdbfac05d0994)

Error:
Error: checking package failed: checking readme files are up-to-date failed: files do not match

Log excerpt
README.md is outdated. Rebuild the package with 'elastic-package build'
--- want
+++ got
@@ -232,3 +232,3 @@
 | cyberark_epm.raw_event.display_name | The file display name. | keyword |
-| cyberark_epm.raw_event.evidences | The evidence related to a Threat Protection event. | keyword |
+| cyberark_epm.raw_event.evidences | The evidence related to a Threat Protection event. | flattened |
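Review bot: the `+` row is the output of elastic-package build, so the fix is to commit the regenerated packages/cyberark_epm/docs/README.md rather than hand-editing the row; also note the description column is unchanged between the `-` and `+` lines ("The evidence related to a Threat Protection event."), so the changelog.yml entry from the checklist is the only place a package reader will learn that evidences now holds objects instead of a keyword string.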
Error: checking package failed: checking readme files are up-to-date failed: files do not match

Root cause:
packages/cyberark_epm/data_stream/raw_event/fields/fields.yml was changed so evidences is flattened (PR diff around line 66), but generated docs were not updated. packages/cyberark_epm/docs/README.md still has cyberark_epm.raw_event.evidences as keyword (line 233), so the CI README consistency check fails.

Recommended fix:
Regenerate and commit package docs after the field mapping change:

cd packages/cyberark_epm
elastic-package build

Then commit the resulting change(s), especially packages/cyberark_epm/docs/README.md, and re-run CI.

Verification:
I verified the failing Buildkite job log and matched it to the PR diff:

  • Buildkite job 019cf748-a42f-4764-9561-78c9c9dbd3e6 reports README mismatch for raw_event.evidences.
  • PR diff changes fields.yml type (keyword -> flattened) but does not include packages/cyberark_epm/docs/README.md update.

What is this? | From workflow: PR Buildkite Detective

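The failing check compares the field types declared in fields.yml with the Type column of the generated README table. As an added example (not elastic-package's own implementation), the following reproduces that comparison offline for the simple shape of fields.yml in play here (a flat list of name/type/description entries) and the `| field | description | type |` table layout shown in the log excerpt. The fields.yml and README excerpts are constructed to mirror the PR's state before docs were regenerated; the `cyberark_epm.raw_event.` prefix is the data stream prefix visible in the table.

```python
"""Report fields whose type in fields.yml disagrees with the README table.
Added example modelled on elastic-package's readme check, not its code."""
from __future__ import annotations

import re

# Constructed excerpts: fields.yml already says flattened, README still says keyword.
FIELDS_YML = """\
- name: display_name
  type: keyword
  description: The file display name.
- name: evidences
  type: flattened
  description: The evidence related to a Threat Protection event.
"""

README_MD = """\
| Field | Description | Type |
|---|---|---|
| cyberark_epm.raw_event.display_name | The file display name. | keyword |
| cyberark_epm.raw_event.evidences | The evidence related to a Threat Protection event. | keyword |
"""

FIELD_PREFIX = "cyberark_epm.raw_event."

# One table row: | field | description | type |
ROW_RE = re.compile(r"^\|\s*([^|]+?)\s*\|\s*(.*?)\s*\|\s*([^|]+?)\s*\|\s*$")


def parse_fields_yml(text: str) -> dict[str, str]:
    """Minimal parser for a flat fields.yml list; returns {name: type}.
    Only `- name:` and the following `type:` lines are consulted."""
    fields: dict[str, str] = {}
    current: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("- name:"):
            current = line.split(":", 1)[1].strip()
        elif line.startswith("type:") and current is not None:
            fields[current] = line.split(":", 1)[1].strip()
    return fields


def parse_readme_table(text: str) -> dict[str, str]:
    """Return {full_field_name: type} from the exported-fields table, skipping
    the header row and the `|---|` separator row."""
    rows: dict[str, str] = {}
    for line in text.splitlines():
        match = ROW_RE.match(line)
        if not match:
            continue
        field, _description, field_type = match.groups()
        if field == "Field" or set(field) <= {"-"}:
            continue
        rows[field] = field_type
    return rows


def find_type_mismatches(fields_yml: str, readme: str, prefix: str) -> list[tuple[str, str, str]]:
    """List (field, type_in_fields_yml, type_in_readme) for every field whose
    README type differs from fields.yml, or which is absent from the README
    ('<missing>'). An empty list means the docs are up to date."""
    want = parse_fields_yml(fields_yml)
    got = parse_readme_table(readme)
    mismatches: list[tuple[str, str, str]] = []
    for name, field_type in sorted(want.items()):
        full = prefix + name
        readme_type = got.get(full, "<missing>")
        if readme_type != field_type:
            mismatches.append((full, field_type, readme_type))
    return mismatches


if __name__ == "__main__":
    for full, want, got in find_type_mismatches(FIELDS_YML, README_MD, FIELD_PREFIX):
        print(f"{full}: fields.yml says {want}, README says {got}")
```

Running it on the constructed excerpts reports the single evidences row, which is exactly the hunk in the Buildkite log; after `elastic-package build` rewrites the README the list is empty.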

@andrewkroh andrewkroh added the Team:Security-Service Integrations label (Security Service Integrations team, elastic/security-service-integrations) Mar 16, 2026
@elasticmachine commented

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@efd6 (Contributor) left a comment

Good after docs are regenerated.

Inline comment on packages/cyberark_epm/data_stream/raw_event/fields/fields.yml:

    description: The file display name.
  - name: evidences
-   type: keyword
+   type: flattened

Needs an elastic-package build.


Labels: bugfix, Integration:cyberark_epm, Team:Security-Service Integrations, Team:Service-Integrations

4 participants