
[azure_network_watcher_vnet] Initial release of the azure network watcher vnet #9680

Open. Wants to merge 5 commits into base: main.

Conversation

@janvi-elastic (Contributor) commented Apr 23, 2024

Proposed commit message

Create new integration package azure_network_watcher_vnet.

  • Added data stream.
  • Added data collection logic for log data stream.
  • Added the ingest pipeline for log data stream.
  • Mapped fields according to the ECS schema and added Fields metadata in the appropriate yml files.
  • Added dashboards and visualizations.
  • Added test for pipeline for log data stream.
  • Added system test cases for log data stream.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

How to test this PR locally

  • Clone the integrations repo.
  • Install elastic-package locally.
  • Start the Elastic stack using elastic-package.
  • Move to the integrations/packages/azure_network_watcher_vnet directory.
  • Run the following command to run the tests.

elastic-package test

--- Test results for package: azure_network_watcher_vnet - START ---
╭────────────────────────────┬─────────────┬───────────┬───────────────┬────────┬──────────────╮
│ PACKAGE                    │ DATA STREAM │ TEST TYPE │ TEST NAME     │ RESULT │ TIME ELAPSED │
├────────────────────────────┼─────────────┼───────────┼───────────────┼────────┼──────────────┤
│ azure_network_watcher_vnet │ log         │ pipeline  │ test-vnet.log │ PASS   │    4.04771ms │
╰────────────────────────────┴─────────────┴───────────┴───────────────┴────────┴──────────────╯
--- Test results for package: azure_network_watcher_vnet - END   ---
Done
--- Test results for package: azure_network_watcher_vnet - START ---
╭────────────────────────────┬─────────────┬───────────┬──────────────────────────┬────────┬──────────────╮
│ PACKAGE                    │ DATA STREAM │ TEST TYPE │ TEST NAME                │ RESULT │ TIME ELAPSED │
├────────────────────────────┼─────────────┼───────────┼──────────────────────────┼────────┼──────────────┤
│ azure_network_watcher_vnet │ log         │ static    │ Verify sample_event.json │ PASS   │ 102.135753ms │
╰────────────────────────────┴─────────────┴───────────┴──────────────────────────┴────────┴──────────────╯
--- Test results for package: azure_network_watcher_vnet - END   ---
Done
--- Test results for package: azure_network_watcher_vnet - START ---
╭────────────────────────────┬─────────────┬───────────┬───────────┬────────┬───────────────╮
│ PACKAGE                    │ DATA STREAM │ TEST TYPE │ TEST NAME │ RESULT │  TIME ELAPSED │
├────────────────────────────┼─────────────┼───────────┼───────────┼────────┼───────────────┤
│ azure_network_watcher_vnet │ log         │ system    │ default   │ PASS   │ 37.890174557s │
╰────────────────────────────┴─────────────┴───────────┴───────────┴────────┴───────────────╯
--- Test results for package: azure_network_watcher_vnet - END   ---
Done
--- Test results for package: azure_network_watcher_vnet - START ---
╭────────────────────────────┬─────────────┬───────────┬─────────────────────────────────────────────────────────────────────────────────────┬────────┬──────────────╮
│ PACKAGE                    │ DATA STREAM │ TEST TYPE │ TEST NAME                                                                           │ RESULT │ TIME ELAPSED │
├────────────────────────────┼─────────────┼───────────┼─────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────┤
│ azure_network_watcher_vnet │             │ asset     │ dashboard azure_network_watcher_vnet-5ecce30b-1eba-4bd8-b440-cd266263449a is loaded │ PASS   │      1.093µs │
│ azure_network_watcher_vnet │             │ asset     │ search azure_network_watcher_vnet-0e5d4cba-9f41-4c45-b858-54d3e83df6e5 is loaded    │ PASS   │        118ns │
│ azure_network_watcher_vnet │             │ asset     │ search azure_network_watcher_vnet-51e7dbb1-2c87-429a-8ffa-f1c78ceb2eab is loaded    │ PASS   │        116ns │
│ azure_network_watcher_vnet │             │ asset     │ search azure_network_watcher_vnet-b52c9df2-cb7f-4ebe-af8b-569c213423cf is loaded    │ PASS   │        125ns │
│ azure_network_watcher_vnet │ log         │ asset     │ index_template logs-azure_network_watcher_vnet.log is loaded                        │ PASS   │        271ns │
│ azure_network_watcher_vnet │ log         │ asset     │ ingest_pipeline logs-azure_network_watcher_vnet.log-0.1.0 is loaded                 │ PASS   │        164ns │
╰────────────────────────────┴─────────────┴───────────┴─────────────────────────────────────────────────────────────────────────────────────┴────────┴──────────────╯
--- Test results for package: azure_network_watcher_vnet - END   ---
Done

Screenshot: [two images attached to the PR]

@elasticmachine commented

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@jamiehynds jamiehynds requested a review from a team April 24, 2024 14:58
@jamiehynds jamiehynds added the Team:Security-Service Integrations Security Service Integrations Team label Apr 24, 2024
@elasticmachine commented

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@kcreddy (Contributor) left a comment

The PR description follows the old format/template.
Please update the PR description with the repository PR template.

    "type": "filebeat",
    "version": "8.12.0"
  },
  "azure": {
Contributor

@brijesh-elastic @janvi-elastic What I mean by this is that you can apply a similar grok processor on the flow_log.resource_id field and extract azure.* fields such as subscription_id, resource.group, resource.provider, etc.
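The extraction the reviewer suggests for flow_log.resource_id, worked through as an added example (not code from the PR or the integration package): the same pattern a grok processor would use, written as a Python regex so it can be checked offline against sample IDs before it becomes a grok expression. The field names beyond subscription_id, resource.group and resource.provider (azure.resource.name), the function name parse_resource_id and the sample resource IDs are this example's own assumptions.

```python
"""Extract azure.* fields from an Azure resource ID.

Added example, not code from the PR or the integration. It does in Python what
the reviewer suggests doing with a grok processor on flow_log.resource_id.
Field names beyond subscription_id, resource.group and resource.provider
(resource.name) and the sample IDs are this example's own assumptions.
"""
import re

# Azure resource IDs have the shape
#   /subscriptions/{sub}/resourceGroups/{rg}/providers/{namespace}/{type}/{name}[/child...]
# Flow logs frequently emit them upper-cased, so the match is case-insensitive;
# captured values are kept exactly as they appear (no normalisation), as grok would.
RESOURCE_ID_RE = re.compile(
    r"^/subscriptions/(?P<subscription_id>[^/]+)"
    r"/resourceGroups/(?P<resource_group>[^/]+)"
    r"/providers/(?P<provider>[^/]+)"
    r"/(?P<resource_type>[^/]+)"
    r"/(?P<resource_name>[^/]+)"
    r"(?:/.*)?$",          # child resources (e.g. /subnets/x) are ignored
    re.IGNORECASE,
)


def parse_resource_id(resource_id):
    """Return {'azure': {...}} for a well-formed ID, or None if it does not match.

    Returning None instead of raising lets the caller decide what to do with a
    malformed value (e.g. append to error.message and keep the document) rather
    than failing the whole ingest pipeline.
    """
    if not isinstance(resource_id, str):
        return None
    m = RESOURCE_ID_RE.match(resource_id.strip())
    if m is None:
        return None
    return {
        "azure": {
            "subscription_id": m["subscription_id"],
            "resource": {
                "group": m["resource_group"],
                "provider": m["provider"],
                "name": m["resource_name"],
            },
        }
    }


# Constructed samples: an upper-cased VNet ID as flow logs emit it, a child
# resource (subnet) path, and a malformed value.
SAMPLE_IDS = [
    "/SUBSCRIPTIONS/12345678-1234-1234-1234-123456789ABC/RESOURCEGROUPS/EXAMPLE-RG"
    "/PROVIDERS/MICROSOFT.NETWORK/VIRTUALNETWORKS/EXAMPLE-VNET",
    "/subscriptions/12345678-1234-1234-1234-123456789abc/resourceGroups/example-rg"
    "/providers/Microsoft.Network/virtualNetworks/example-vnet/subnets/default",
    "not-a-resource-id",
]

if __name__ == "__main__":
    for rid in SAMPLE_IDS:
        print(rid, "->", parse_resource_id(rid))
```

The regex transfers to a grok processor almost verbatim: grok accepts Oniguruma named groups such as (?<azure.subscription_id>[^/]+), and a leading (?i) covers the upper-cased IDs that flow logs produce.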

Comment on lines 290 to 306
- foreach:
    field: json.flowRecords.flows
    tag: foreach_flowRecords_flow_to_append_protocol_to_network_iana_number
    if: ctx.json?.flowRecords?.flows instanceof List
    processor:
      foreach:
        tag: foreach_flowGroups_to_append_protocol_to_network_iana_number
        field: _ingest._value.flowGroups
        processor:
          foreach:
            field: _ingest._value.flowTuples
            processor:
              append:
                field: network.iana_number
                tag: append_protocol_to_network_iana_number
                value: '{{_ingest._value.protocol}}'
                allow_duplicates: false
Contributor

Since each of the below foreach processors is doing the same thing, it might be more efficient to create one script processor to avoid multiple iterations over the same object/list.

Contributor Author

We can add this processor in the above script, but for the foreach processors which we have used to convert to long or IP we have to write foreach processors.

Contributor

It may be okay for now as it is a beta integration, but in the next enhancements before GA this requires a refactor. Essentially, within your existing script, after receiving flowTupleParts you can check if it can be converted to long and only then append into the respective map; if not, append to error.message.

for (String flowTuple: flowTuplesList) {
    String[] flowTupleParts = flowTuple.splitOnToken(',');
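The single-pass refactor sketched in this review thread (one walk over json.flowRecords.flows, flowGroups and flowTuples that splits each tuple, converts typed columns only when conversion succeeds, records failures in error.message and builds a de-duplicated network.iana_number), as an added example in Python rather than Painless. This is not the PR's script or the integration's pipeline. The tuple column layout (timestamp, source IP, destination IP, source port, destination port, protocol, direction, state, encryption, packets/bytes in each direction), the per-column field names, the function names parse_flow_tuple and process_event, and the sample records are assumptions of this example; the page only shows the flows/flowGroups/flowTuples nesting and the protocol key.

```python
"""Single-pass parsing of Azure VNet flow-log tuples.

Added example, not code from the PR or the integration package. It models the
reviewer's suggestion in Python: walk json.flowRecords.flows -> flowGroups ->
flowTuples once, split each tuple on ',', convert numeric columns to long and
IP columns to addresses only when the conversion succeeds (a failure is
appended to error.message instead of aborting the document), and collect
protocol numbers into a de-duplicated network.iana_number list, as the
foreach/append chain with allow_duplicates: false does.

Assumption: the tuple column layout follows the Azure VNet flow-log schema
(timestamp, source IP, destination IP, source port, destination port,
protocol, direction, state, encryption, packets/bytes in each direction).
The page itself does not show it. Sample records are constructed.
"""
import copy
import ipaddress

# Assumed column layout of one flow tuple (see module docstring).
TUPLE_FIELDS = (
    "timestamp", "source_ip", "destination_ip", "source_port",
    "destination_port", "protocol", "direction", "state", "encryption",
    "packets_src_to_dst", "bytes_src_to_dst",
    "packets_dst_to_src", "bytes_dst_to_src",
)
IP_FIELDS = frozenset({"source_ip", "destination_ip"})
LONG_FIELDS = frozenset(TUPLE_FIELDS) - IP_FIELDS - {"direction", "state", "encryption"}


def parse_flow_tuple(raw, errors):
    """Split one tuple and convert typed columns; return a dict or None.

    Conversion failures are recorded in `errors` (one string each) rather than
    raised, so a single bad column never drops the whole document.
    """
    parts = raw.split(",")
    if len(parts) != len(TUPLE_FIELDS):
        errors.append(f"flow tuple has {len(parts)} columns, expected {len(TUPLE_FIELDS)}: {raw!r}")
        return None
    parsed = {}
    for name, value in zip(TUPLE_FIELDS, parts):
        if value == "":
            continue  # empty column: leave the field unset instead of failing
        if name in LONG_FIELDS:
            try:
                parsed[name] = int(value)
            except ValueError:
                errors.append(f"{name}: cannot convert {value!r} to long")
        elif name in IP_FIELDS:
            try:
                parsed[name] = str(ipaddress.ip_address(value))
            except ValueError:
                errors.append(f"{name}: {value!r} is not a valid IP address")
        else:
            parsed[name] = value
    return parsed


def process_event(event):
    """One pass over flows -> flowGroups -> flowTuples.

    Returns a new event in which each flowTuples string is replaced by its
    parsed dict, plus network.iana_number (unique protocols, first-seen order)
    and error.message (conversion problems, only when there are any).
    """
    out = copy.deepcopy(event)  # the input document is left untouched
    errors = []
    iana_numbers = []
    flows = out.get("json", {}).get("flowRecords", {}).get("flows")
    if not isinstance(flows, list):  # mirrors `if: ... instanceof List`
        return out
    for flow in flows:
        for group in flow.get("flowGroups") or []:
            parsed_tuples = []
            for raw in group.get("flowTuples") or []:
                t = parse_flow_tuple(raw, errors)
                if t is None:
                    continue  # malformed tuple: already reported in errors
                parsed_tuples.append(t)
                proto = t.get("protocol")
                if proto is not None:
                    iana = str(proto)  # ECS network.iana_number is a keyword field
                    if iana not in iana_numbers:  # allow_duplicates: false
                        iana_numbers.append(iana)
            group["flowTuples"] = parsed_tuples
    if iana_numbers:
        out.setdefault("network", {})["iana_number"] = iana_numbers
    if errors:
        out.setdefault("error", {})["message"] = errors
    return out


# Constructed sample: TCP begin/end tuples, a UDP tuple, one tuple with a
# non-numeric source port, and one with the wrong column count.
SAMPLE_EVENT = {
    "json": {"flowRecords": {"flows": [{
        "aclID": "example-acl",
        "flowGroups": [{
            "rule": "DefaultRule_AllowInternetOutBound",
            "flowTuples": [
                "1663146003599,10.0.0.6,52.239.184.180,23956,443,6,O,B,NX,0,0,0,0",
                "1663146003606,10.0.0.6,52.239.184.180,23956,443,6,O,E,NX,3,767,2,1580",
                "1663146003700,10.0.0.6,8.8.8.8,54321,53,17,O,B,NX,1,64,1,120",
                "1663146003800,10.0.0.6,8.8.8.8,notaport,53,17,O,B,NX,1,64,1,120",
                "1663146003900,10.0.0.6",
            ],
        }],
    }]}}
}

if __name__ == "__main__":
    result = process_event(SAMPLE_EVENT)
    print(result["network"]["iana_number"])
    print(result["error"]["message"])
```

The point of the structure is that the tuple with a bad port is still kept, with the other twelve columns parsed and one entry in error.message, while the tuple with the wrong column count is dropped and reported; in the foreach/convert chain a failure in any one processor has to be handled per processor instead.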

@elasticmachine commented

💚 Build Succeeded

@kcreddy (Contributor) left a comment

LGTM 👍🏼
Since this is similar to the NSG PR, let's wait for Jamie's comments to be clarified: #9652 (comment) #9652 (comment)


6 participants