Conversation

@navnit-elastic
Contributor

@navnit-elastic navnit-elastic commented Oct 29, 2025

Proposed commit message

cisco_umbrella: add support for log schema version v13

Test samples are taken from the official Cisco Umbrella documentation.

Note

Documentation for log schema version v13: https://docs.umbrella.com/umbrella-user-guide/docs/log-format-and-versioning
The DNS logs appear to be ingesting as expected. We couldn't test the other logs due to the unavailability of logs in the instance. I'll raise an issue to expand test coverage for the v13 logs to keep a note of this.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

  • [ ]

How to test this PR locally

Pipeline test:

--- Test results for package: cisco_umbrella - START ---
╭────────────────┬─────────────┬───────────┬────────────────────────────────────────────────────────────────┬────────┬──────────────╮
│ PACKAGE        │ DATA STREAM │ TEST TYPE │ TEST NAME                                                      │ RESULT │ TIME ELAPSED │
├────────────────┼─────────────┼───────────┼────────────────────────────────────────────────────────────────┼────────┼──────────────┤
│ cisco_umbrella │ log         │ pipeline  │ (ingest pipeline warnings test-umbrella-auditlogs.log)         │ PASS   │ 365.699224ms │
│ cisco_umbrella │ log         │ pipeline  │ (ingest pipeline warnings test-umbrella-cloudfirewalllogs.log) │ PASS   │ 367.082079ms │
│ cisco_umbrella │ log         │ pipeline  │ (ingest pipeline warnings test-umbrella-dlplogs.log)           │ PASS   │ 327.656807ms │
│ cisco_umbrella │ log         │ pipeline  │ (ingest pipeline warnings test-umbrella-dnslogs.log)           │ PASS   │ 342.407749ms │
│ cisco_umbrella │ log         │ pipeline  │ (ingest pipeline warnings test-umbrella-intrusionlogs.log)     │ PASS   │ 322.970298ms │
│ cisco_umbrella │ log         │ pipeline  │ (ingest pipeline warnings test-umbrella-iplogs.log)            │ PASS   │ 320.470532ms │
│ cisco_umbrella │ log         │ pipeline  │ (ingest pipeline warnings test-umbrella-proxylogs.log)         │ PASS   │ 327.045787ms │
│ cisco_umbrella │ log         │ pipeline  │ test-umbrella-auditlogs.log                                    │ PASS   │ 161.362581ms │
│ cisco_umbrella │ log         │ pipeline  │ test-umbrella-cloudfirewalllogs.log                            │ PASS   │ 159.968892ms │
│ cisco_umbrella │ log         │ pipeline  │ test-umbrella-dlplogs.log                                      │ PASS   │ 102.167404ms │
│ cisco_umbrella │ log         │ pipeline  │ test-umbrella-dnslogs.log                                      │ PASS   │ 368.592677ms │
│ cisco_umbrella │ log         │ pipeline  │ test-umbrella-intrusionlogs.log                                │ PASS   │ 105.917061ms │
│ cisco_umbrella │ log         │ pipeline  │ test-umbrella-iplogs.log                                       │ PASS   │   92.70967ms │
│ cisco_umbrella │ log         │ pipeline  │ test-umbrella-proxylogs.log                                    │ PASS   │ 525.044848ms │
╰────────────────┴─────────────┴───────────┴────────────────────────────────────────────────────────────────┴────────┴──────────────╯
--- Test results for package: cisco_umbrella - END   ---
Done

Related issues

Screenshots

cisco_umbrella-dns

@navnit-elastic navnit-elastic self-assigned this Oct 29, 2025
@navnit-elastic navnit-elastic added documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. enhancement New feature or request Integration:cisco_umbrella Cisco Umbrella Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] Team:Sit-Crest Crest developers on the Security Integrations team [elastic/sit-crest-contractors] labels Oct 29, 2025
@elastic-vault-github-plugin-prod

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

},
"network": {
"application": "Dropbox",
"application": "dropbox",
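Review bot: the expected-output change from `"Dropbox"` to `"dropbox"` in `network.application` implies a lowercasing step in the ingest pipeline; make sure that processor tolerates events where the field is absent, and that the same normalization is applied wherever `network.application` is set, not only in the sample shown here, so the field keeps consistent casing across log versions.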
Contributor Author

Normalizing network.application field to lowercase as per ECS recommendation.

@navnit-elastic navnit-elastic marked this pull request as ready for review October 29, 2025 09:33
@navnit-elastic navnit-elastic requested a review from a team as a code owner October 29, 2025 09:33
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

Contributor

@efd6 efd6 left a comment

Can you provide links to the specific log examples that you used?

@elasticmachine

💚 Build Succeeded

History

cc @navnit-elastic

@navnit-elastic navnit-elastic merged commit 4b30a00 into elastic:main Oct 30, 2025
8 checks passed
@elastic-vault-github-plugin-prod

Package cisco_umbrella - 1.33.0 containing this change is available at https://epr.elastic.co/package/cisco_umbrella/1.33.0/
