
[f5_bigip] Initial Release for the F5 BIG-IP #4242

Merged
merged 8 commits into from
Nov 28, 2022

Conversation

vinit-chauhan (Contributor)

What does this PR do?

  • Generated the skeleton of the F5 BIG-IP integration package.
  • Added data stream.
  • Added data collection logic for the data stream.
  • Added the ingest pipeline for the data stream.
  • Mapped fields according to the ECS schema and added Fields metadata in the appropriate yml files.
  • Added dashboards and visualizations.
  • Added test for pipeline for the data stream.
  • Added system test cases for the data stream.

Integration release checklist

This checklist is intended for integrations maintainers to ensure consistency
when creating or updating a Package, Module or Dataset for an Integration.

All changes

  • Change follows the contributing guidelines
  • Supported versions of the monitoring target are documented
  • Supported operating systems are documented (if applicable)
  • Integration or System tests exist
  • Documentation exists
  • Fields follow ECS and naming conventions
  • At least a manual test with ES / Kibana / Agent has been performed.
  • Required Kibana version set to: ^7.17.0 || ^8.0.0

New Package

  • Screenshot of the "Add Integration" page on Fleet added

Dashboards changes

  • Dashboards exist
  • Screenshots added or updated
  • Datastream filters added to visualizations

Log dataset changes

  • Pipeline tests exist (if applicable)
  • Generated output for at least 1 log file exists
  • Sample event (sample_event.json) exists

How to test this PR locally

  • Clone integrations repo.
  • Install elastic-package locally.
  • Start elastic stack using elastic-package.
  • Move to integrations/packages/f5_bigip directory.
  • Run the following command to run tests.

elastic-package test

Related issues

Screenshots

(six dashboard screenshots, images not captured)

@elasticmachine

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@elasticmachine

elasticmachine commented Sep 20, 2022

💚 Build Succeeded


Build stats

  • Start Time: 2022-11-10T09:08:16.532+0000

  • Duration: 15 min 29 sec

Test stats 🧪

Test Results: Failed 0, Passed 16, Skipped 0, Total 16


To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

@elasticmachine

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@elasticmachine

elasticmachine commented Sep 20, 2022

🌐 Coverage report

Name          Metrics % (covered/total)   Status  Diff
Packages      100.0%  (1/1)               💚
Files         100.0%  (6/6)               💚      2.318
Classes       100.0%  (6/6)               💚      2.318
Methods       98.039% (50/51)             👍      6.845
Lines         95.786% (2682/2800)         👍      4.082
Conditionals  100.0%  (0/0)               💚

@vinit-chauhan vinit-chauhan marked this pull request as draft September 20, 2022 16:30
@vinit-chauhan vinit-chauhan marked this pull request as ready for review October 14, 2022 13:34

## Overview

The [F5 BIG-IP](https://www.f5.com) integration allows users to monitor LTM, AFM, APM, ASM, and AVR activity. F5 BIG-IP covers software and hardware designed around application availability, access control, and security solutions.
Reviewer (Contributor):

Suggested change:
The [F5](https://www.f5.com) BIG-IP integration allows users to monitor [LTM](https://www.f5.com/products/big-ip-services/local-traffic-manager), [AFM](https://www.f5.com/products/security/advanced-firewall-manager), [APM](https://www.f5.com/products/security/access-policy-manager), [ASM](https://www.f5.com/pdf/products/big-ip-application-security-manager-overview.pdf), and [AVR](https://clouddocs.f5.com/training/community/analytics/html/class1/class1.html) activity. F5 BIG-IP covers software and hardware designed around application availability, access control, and security solutions.

Are there better links for ASM and AVR?

Alternatively maybe just...

Suggested change:
The [F5 BIG-IP](https://www.f5.com/products/big-ip-services) integration allows users to monitor LTM, AFM, APM, ASM, and AVR activity. F5 BIG-IP covers software and hardware designed around application availability, access control, and security solutions.

and use any useful links in the set above in the "Data stream" section below.

"expected": [
{
"@timestamp": "2018-12-17T22:46:04.000Z",
"destination": {
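Review bot: the `destination` object in this expected event carries no `geo` sub-object; if GeoIP is being left out of the shared pipeline only because some event categories lack a public address, a `geoip` processor with `ignore_missing: true` and an `if` condition on the field being present applies only to events that actually carry `destination.ip`, so the decision can be made per field rather than per pipeline.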

GeoIP look-ups for destination and source in the common pipeline?

vinit-chauhan (Contributor Author):

Not all of the event categories have a field that contains a public IP, so we haven't used GeoIP in the default pipeline.

},
"related": {
"hosts": [
"81.2.69.192:80"
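Review bot: `related.hosts` here holds `81.2.69.192:80`, an IP address with a port appended, rather than a hostname; strip the port before the value is appended and route IP values to `related.ip` so that `related.*` stays a pivot key whose values match the same address in other documents.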

Ensure that hosts have had any ports removed?

vinit-chauhan (Contributor Author):

We noticed in the live logs that the field value doesn't follow a specific pattern, so we decided it would be better to remove it from related.host in order to keep that field's value proper.
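The two review threads above (GeoIP in the shared pipeline, and a port-bearing value landing in related.hosts) come down to the same normalisation step. The Python below is an added illustration, not code from the f5_bigip package or its ingest pipeline: it strips the port from a constructed host:port value, routes IP addresses to related.ip and names to related.hosts, and applies GeoIP only when a globally routable address is present. The ECS field names are real; the raw input strings and the lookup table are constructed for the example. In the package itself the same steps would be ingest processors (script, append with allow_duplicates: false, geoip with ignore_missing and an if condition).

```python
# Added example (not code from the f5_bigip package): models in Python the two
# review points above, stripping the port before a value reaches related.*,
# and applying GeoIP only when a globally routable address is present.
# In the integration these steps would be ingest processors; the raw input
# strings and the geo lookup table below are constructed for the example.
import ipaddress
from typing import Callable, Optional, Tuple


def split_host_port(value: str) -> Tuple[str, Optional[int]]:
    """Split 'host:port' or '[v6addr]:port'; bare values come back with port None."""
    if value.startswith("["):                      # IPv6 literal in brackets
        host, _, rest = value[1:].partition("]")
        port = rest[1:] if rest.startswith(":") and rest[1:].isdigit() else None
        return host, (int(port) if port else None)
    if value.count(":") == 1:                      # exactly one colon: IPv4 or name + port
        host, port = value.rsplit(":", 1)
        if port.isdigit():
            return host, int(port)
    return value, None                             # unbracketed IPv6, or no port at all


def set_endpoint(event: dict, side: str, raw: str) -> None:
    """Fill <side>.ip or <side>.domain plus <side>.port, then related.ip / related.hosts."""
    host, port = split_host_port(raw)
    endpoint = event.setdefault(side, {})
    related = event.setdefault("related", {})
    try:
        ipaddress.ip_address(host)                 # valid address -> ECS *.ip and related.ip
        endpoint["ip"] = host
        bucket = related.setdefault("ip", [])
    except ValueError:                             # anything else is a name -> related.hosts
        endpoint["domain"] = host
        bucket = related.setdefault("hosts", [])
    if port is not None:
        endpoint["port"] = port
    if host not in bucket:                         # like append with allow_duplicates: false
        bucket.append(host)


def geoip(event: dict, side: str, lookup: Callable[[str], Optional[dict]]) -> bool:
    """Enrich <side>.geo only when <side>.ip exists and is globally routable."""
    addr = event.get(side, {}).get("ip")
    if addr is None or not ipaddress.ip_address(addr).is_global:
        return False                               # missing or private/reserved: no geo
    geo = lookup(addr)
    if geo is None:
        return False                               # not in the database: leave event untouched
    event[side]["geo"] = geo
    return True


# Constructed lookup table standing in for the GeoIP database.
CONSTRUCTED_GEO = {"81.2.69.192": {"country_iso_code": "GB", "city_name": "London"}}


def process(raw_src: str, raw_dst: str) -> dict:
    """Build one ECS-shaped event from two constructed 'host:port' strings."""
    event: dict = {}
    set_endpoint(event, "source", raw_src)
    set_endpoint(event, "destination", raw_dst)
    for side in ("source", "destination"):
        geoip(event, side, CONSTRUCTED_GEO.get)
    return event


if __name__ == "__main__":
    import json
    print(json.dumps(process("10.0.0.5:51234", "81.2.69.192:80"), indent=2))
```

Because the geo step is gated on the field being present and globally routable, event categories that carry no public address simply receive no geo enrichment, which is the concern raised above without having to drop the lookup from the shared pipeline altogether.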

@@ -0,0 +1,20 @@
- name: data_stream.dataset

Move ECS-defined fields into ecs.yml with external definitions where possible.
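As an added illustration of the request above (not the package's actual field files): an ECS field such as destination.ip declared inline in a data stream's fields file, beside the same fields declared as external references in fields/ecs.yml, which the package build resolves against the ECS definition so type and description stay consistent with every other integration. The inline "before" form is an assumption about what hand-written definitions look like.

```yaml
# Before (assumed inline form): the ECS field is defined by hand, so its type
# and description can drift from the ECS definition over time.
- name: destination.ip
  type: ip
  description: IP address of the destination.

# After: fields/ecs.yml pulls each definition from ECS by reference.
- external: ecs
  name: destination.ip
- external: ecs
  name: related.ip
- external: ecs
  name: related.hosts
```

Only fields that are genuinely package-specific (the f5_bigip.* namespace) need a full inline definition; everything that already exists in ECS belongs in the external list.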

@@ -0,0 +1,840 @@
- name: f5_bigip.log

Is there documentation available for the definitions of the use of these fields in the f5 docs?

vinit-chauhan (Contributor Author):

We have gone through the Telemetry Streaming docs, which contain sample events with only field names and no descriptions.

Comment on lines +91 to +93
"response": {
"code": 0
},

I'm wondering how many of these nested fields with no siblings need to be nested (there are a fair few of them).

vinit-chauhan (Contributor Author):

We are receiving many other fields like "ResponseDuration", and we have grouped those fields under the name "response", so we kept it as type "group".

packages/f5_bigip/manifest.yml (comment resolved)

@jamiehynds

@vinit-elastic we currently have an F5 integration which supports 2 BIG-IP products. Rather than shipping a new package, do you think we could upgrade the current package with the new/updated pipelines? This avoids having to deprecate the current F5 package and ensures users can easily access the improved integration, without having to move to a new integration.

@vinit-chauhan (Contributor Author)

vinit-chauhan commented Oct 31, 2022

Hey Jamie - The older integration uses the F5 default input (fetch logs directly from the F5 instance) and the new integration leverages the Telemetry Streaming Service. Keeping both in the same package might lead to confusion. Therefore, we thought of keeping it a separate connector. Let me know if you think otherwise.

@jamiehynds

Discussed offline, and agreed that we'll stick with a new F5 BIG-IP integration as the current experimental integration relies on syslog directly from ASM/AFM, whereas the new integration leverages the Telemetry Streaming Services. We'll be deprecating the experimental F5 module and integration once this new one is available.

@P1llus (Member) reviewed:

I think some overall discussion has to be done around ignore_failure, but that is not related to this single package; the rest is LGTM for now.
Great job!

@P1llus P1llus merged commit 2fb1cba into elastic:main Nov 28, 2022
@elasticmachine

Package f5_bigip - 0.1.0 containing this change is available at https://epr.elastic.co/search?package=f5_bigip

Labels: enhancement (New feature or request), New Integration

Successfully merging this pull request may close these issues: F5 ASM

6 participants