Trendmicro Integration

[emnp]

What does this PR do?

Add integration for TrendMicro deep security logs.

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.

Author's Checklist

• Deep Security
• Apex Central
• Kibana Visualizations & Dahsboards

How to test this PR locally

# cd integrations/packages/trendmicro
# elastic-package build
# elastic-package stack up -d -v
# eval "$(elastic-package stack shellinit)"
# elastic-package test  -v

Related issues

Screenshots

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2023-02-02T13:55:02.735+0000

• Duration: 16 min 31 sec

Test stats 🧪

Test	Results
Failed	0
Passed	6
Skipped	0
Total	6

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[P1llus]

@emnp the license checks is passing now which is great!
I will start the tests and review it tomorrow then, much appreciated!

[emnp]

@P1llus , sorry :( I left to update some files.

[P1llus]

/test

[P1llus]

I added as much as I could for a first review, we might need to require a bit more detailed README, and a few questions we still wonder about, but I am sure we can work it out!

Very much thanks for doing this PR, and I feel it already has pretty much everything we need! :)

[P1llus]

This parsing seems to have errors?

[emnp]

I got this when I test the pipeline but it worked well when I did system test and also when I tried to send the log file with elastic agent, it worked well.

[kcreddy]

@emnp the issue seems to be in signature_id which is being set to event.code, but the value of event.code is never populated in the pipeline. This is making signature_id as empty string and causing pipeline test failures

[kcreddy]

Resolved by changing pipeline tests log structure as it should be the step after cef_decode processor

[P1llus]

Could you change this from logfile to filestream?

[emnp]

I'm not clear with this one. Need to change logfile to filestream? I set it as logfile currently.

[kcreddy]

@emnp Please refer here for filestream input. The config is very similar to log input but its more efficient.

You will need to specify this in 2 places:
https://github.com/elastic/integrations/pull/4471/files#diff-5a93912aba1067c2a133245e39a2b8c338202478242669fa111607f603449eceR28
and
https://github.com/elastic/integrations/pull/4471/files#diff-79bde44df376a077217c8e85fa3e4e44cbf16aacb73ace2d101e4a7f4eb8d944R4

Refer existing integration:

integrations/packages/hid_bravura_monitor/manifest.yml

Line 46 in bbf0e61

- type: filestream

And this one:

integrations/packages/hid_bravura_monitor/data_stream/log/manifest.yml

Line 4 in bbf0e61

- input: filestream

[kcreddy]

Resolved by updating to filestream

[P1llus]

/test

[emnp]

Hello @P1llus, sorry for the delay. I've updated some files last night. Could you please help to check?

[andrewkroh]

/test

[P1llus]

/test

[elasticmachine]

🌐 Coverage report

Name	Metrics % (covered/total)	Diff
Packages	100.0% (1/1)	💚
Files	22.222% (2/9)	👎 -61.111
Classes	22.222% (2/9)	👎 -61.111
Methods	33.333% (14/42)	👎 -56.14
Lines	23.007% (101/439)	👎 -62.756
Conditionals	100.0% (0/0)	💚

[kcreddy]

/test

[ShourieG]

@emnp Can you add an entry to .github/CODEOWNERS for this package? CI is failing otherwise.

[kcreddy]

@emnp Please refer here for filestream input. The config is very similar to log input but its more efficient.

You will need to specify this in 2 places:
https://github.com/elastic/integrations/pull/4471/files#diff-5a93912aba1067c2a133245e39a2b8c338202478242669fa111607f603449eceR28
and
https://github.com/elastic/integrations/pull/4471/files#diff-79bde44df376a077217c8e85fa3e4e44cbf16aacb73ace2d101e4a7f4eb8d944R4

Refer existing integration:

integrations/packages/hid_bravura_monitor/manifest.yml

Line 46 in bbf0e61

- type: filestream

And this one:

integrations/packages/hid_bravura_monitor/data_stream/log/manifest.yml

Line 4 in bbf0e61

- input: filestream

[kcreddy]

add ignore_missing to avoid failure

[kcreddy]

add ignore_missing

[kcreddy]

add ignore_missing

[botelastic]

Hi! We just realized that we haven't looked into this PR in a while. We're sorry! We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1. Thank you for your contribution!

[P1llus]

@kcreddy i think it might be good if we apply the last changes to the PR of thats okay?

[kcreddy]

/test

[P1llus]

@emnp we have added the last changes needed before a merge, just wanted to check in with you that this is okay?

Sorry for the unusual long waiting time here!

[kcreddy]

LGTM

[elasticmachine]

Package trendmicro - 0.1.0 containing this change is available at https://epr.elastic.co/search?package=trendmicro