Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[gcp]: Preserve gcp field data in flattened fields #3390

Merged
merged 12 commits into from
May 20, 2022
Merged

[gcp]: Preserve gcp field data in flattened fields #3390

merged 12 commits into from
May 20, 2022

Conversation

r00tu53r
Copy link
Contributor

@r00tu53r r00tu53r commented May 19, 2022
edited
Loading

What does this PR do?

  • Drop document if it is not an AuditLog type
  • Updates the pipeline and saves protoPayload.request and protoPayload.response in flattened fields
  • Re-arrange pipeline processors and group them by on AuditLog fields
  • Comment pipeline code with links to GCP object types
  • Add data to ECS fields
  • Add handling for LogEntryOperation (set event.category and event.type) for long running operations
  • Save operation.id to gcp.audit.logentry_operation.id only if it is not the same as .insertId
  • Set event.category and event.type to network,configuration =>
    allowed|denied based on authorization_info.resource[].granted

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

How to test this PR locally

  • Run pipeline and system tests -
    • elastic-package test pipeline -v -g
    • elastic-package test system -v -g

Related issues

Closes #2857

@r00tu53r
Update fields
9a7b097 
- Update protoPayload.request and protoPayload.response to flattened
- Update logic to convert callerIp to source.ip
- Remove request.proto_name or response.proto_name and use @type
@r00tu53r
remove extraneous spaces
b5b7e2f
@r00tu53r
* Pipeline refactor and ECS updates
609b8d4 
  - Drop document if it is not an AuditLog type
  - comment pipeline code with links to GCP object types
  - reordered pipeline consolidate processing for each object type
  - set event.provider (based on 4 documented types)
  - changed convert to rename where it was unnecessary
  - set orchestrator.type for gke_cluster (in addition to k8s_cluster)
  - authentication_info.principalemail -> client.user.email
  - authentication_info.principalSubject -> client.user.id
  - convert to source.ip only when it is not 'gce-internal-ip'
  - add handling for LogEntryOperation (set event.category and event.type)
    for long running operations
  - save operation.id to gcp.audit.logentry_operation.id only if it is
    not the same as .insertId
  - set event.category and event.type to network,configuration =>
    allowed|denied based on authorization_info.resource[].granted
  - add ecs fields
@r00tu53r
add .labels as flattened field
e64753f
@r00tu53r
add severity to log.level
26dbe3f
@r00tu53r
fix pipeline and system tests
707f579
@r00tu53r r00tu53r requested review from a team as code owners May 19, 2022 14:52
@r00tu53r r00tu53r self-assigned this May 19, 2022
@elasticmachine
Copy link

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@r00tu53r r00tu53r mentioned this pull request May 19, 2022
Closed
@elasticmachine
Copy link

elasticmachine commented May 19, 2022
edited
Loading

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview preview

Expand to view the summary

Build stats

  • Start Time: 2022-05-20T09:49:43.059+0000

  • Duration: 17 min 44 sec

Test stats 🧪

Test Results
Failed 0
Passed 24
Skipped 0
Total 24

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

efd6
efd6 reviewed May 20, 2022
View reviewed changes
Copy link
Contributor

@efd6 efd6 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Need to run elastic-packge build.

packages/gcp/data_stream/audit/elasticsearch/ingest_pipeline/default.yml Show resolved Hide resolved
packages/gcp/data_stream/audit/elasticsearch/ingest_pipeline/default.yml Show resolved Hide resolved
packages/gcp/data_stream/audit/fields/fields.yml Show resolved Hide resolved
packages/gcp/data_stream/audit/fields/fields.yml Show resolved Hide resolved
@elasticmachine
Copy link

elasticmachine commented May 20, 2022
edited
Loading

🌐 Coverage report

Name Metrics % (covered/total) Diff
Packages 100.0% (4/4) 💚
Files 100.0% (4/4) 💚 3.722
Classes 100.0% (4/4) 💚 3.722
Methods 98.246% (56/57) 👍 10.198
Lines 95.938% (1110/1157) 👍 6.434
Conditionals 100.0% (0/0) 💚

@efd6
Copy link
Contributor

efd6 commented May 20, 2022

/test

@r00tu53r
Copy link
Contributor Author

/test

@r00tu53r r00tu53r merged commit 2d380df into elastic:main May 20, 2022
This was referenced May 22, 2022
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@efd6 efd6 efd6 approved these changes

Assignees

@r00tu53r r00tu53r

Labels
8.3-candidate
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[gcp] GKE audit log data differs between GCP integrations
3 participants
@r00tu53r @elasticmachine @efd6