
[SentinelOne_Cloud_Funnel] Initial release for the SentinelOne Cloud Funnel #6386

Merged: 11 commits, Jun 20, 2023

Conversation

piyush-elastic
Contributor

@piyush-elastic piyush-elastic commented May 31, 2023

What does this PR do?

  • Updated data collection logic for the event data stream.
  • Updated the ingest pipeline for the event data stream.
  • Mapped fields according to the ECS schema and added Fields metadata in the appropriate yml files.
  • Added dashboards and visualizations.
  • Updated test for pipeline for the event data stream.
  • Updated system test cases for the event data stream.

Integration release checklist

This checklist is intended for integrations maintainers to ensure consistency
when creating or updating a Package, Module or Dataset for an Integration.

All changes

  • Change follows the contributing guidelines
  • Supported versions of the monitoring target are documented
  • Supported operating systems are documented (if applicable)
  • Integration or System tests exist
  • Documentation exists
  • Fields follow ECS and naming conventions
  • At least a manual test with ES / Kibana / Agent has been performed.
  • Required Kibana version set to: ^8.3.0

New Package

  • Screenshot of the "Add Integration" page on Fleet added

Dashboards changes

  • Dashboards exist
  • Screenshots added or updated
  • Datastream filters added to visualizations

Log dataset changes

  • Pipeline tests exist (if applicable)
  • Generated output for at least 1 log file exists
  • Sample event (sample_event.json) exists

How to test this PR locally

  • Clone integrations repo.
  • Install elastic-package locally.
  • Start elastic stack using elastic-package.
  • Move to integrations/packages/sentinel_one_cloud_funnel directory.
  • Run the following command to run tests.

elastic-package test

Related issues

Screenshots

Screenshot 2023-05-29 131348
Screenshot 2023-05-29 131306

2023/05/29 13:05:25 DEBUG Error: can't check latest release, GET https://api.github.com/repos/elastic/elastic-package/releases/latest: 403 API rate limit exceeded for 117.217.127.213. (But here's the good news: Authenticated requests get a higher rate limit. Check out the documentation for more details.) [rate reset in 3m05s]
Run test suite for the package
Run pipeline tests for the package
--- Test results for package: sentinel_one_cloud_funnel - START ---
╭───────────────────────────┬─────────────┬───────────┬────────────────────────────────────────┬────────┬──────────────╮
│ PACKAGE                   │ DATA STREAM │ TEST TYPE │ TEST NAME                              │ RESULT │ TIME ELAPSED │
├───────────────────────────┼─────────────┼───────────┼────────────────────────────────────────┼────────┼──────────────┤
│ sentinel_one_cloud_funnel │ event       │ pipeline  │ test-command-script.log                │ PASS   │ 190.869803ms │
│ sentinel_one_cloud_funnel │ event       │ pipeline  │ test-cross-process.log                 │ PASS   │  27.770119ms │
│ sentinel_one_cloud_funnel │ event       │ pipeline  │ test-dns.log                           │ PASS   │  34.706417ms │
│ sentinel_one_cloud_funnel │ event       │ pipeline  │ test-file.log                          │ PASS   │  25.355196ms │
│ sentinel_one_cloud_funnel │ event       │ pipeline  │ test-indicator.log                     │ PASS   │  27.550508ms │
│ sentinel_one_cloud_funnel │ event       │ pipeline  │ test-login.log                         │ PASS   │  14.970616ms │
│ sentinel_one_cloud_funnel │ event       │ pipeline  │ test-module.log                        │ PASS   │  15.957612ms │
│ sentinel_one_cloud_funnel │ event       │ pipeline  │ test-network-action.log                │ PASS   │  18.613347ms │
│ sentinel_one_cloud_funnel │ event       │ pipeline  │ test-process.log                       │ PASS   │  14.139338ms │
│ sentinel_one_cloud_funnel │ event       │ pipeline  │ test-registry.log                      │ PASS   │  14.955223ms │
│ sentinel_one_cloud_funnel │ event       │ pipeline  │ test-scheduled-task.log                │ PASS   │  12.350956ms │
│ sentinel_one_cloud_funnel │ event       │ pipeline  │ test-threat-intelligence-indicator.log │ PASS   │   16.33078ms │
│ sentinel_one_cloud_funnel │ event       │ pipeline  │ test-url.log                           │ PASS   │  10.554792ms │
╰───────────────────────────┴─────────────┴───────────┴────────────────────────────────────────┴────────┴──────────────╯
--- Test results for package: sentinel_one_cloud_funnel - END   ---
Done
Run static tests for the package
--- Test results for package: sentinel_one_cloud_funnel - START ---
╭───────────────────────────┬─────────────┬───────────┬──────────────────────────┬────────┬──────────────╮
│ PACKAGE                   │ DATA STREAM │ TEST TYPE │ TEST NAME                │ RESULT │ TIME ELAPSED │
├───────────────────────────┼─────────────┼───────────┼──────────────────────────┼────────┼──────────────┤
│ sentinel_one_cloud_funnel │ event       │ static    │ Verify sample_event.json │ PASS   │ 153.202407ms │
╰───────────────────────────┴─────────────┴───────────┴──────────────────────────┴────────┴──────────────╯
--- Test results for package: sentinel_one_cloud_funnel - END   ---
Done
Run system tests for the package
--- Test results for package: sentinel_one_cloud_funnel - START ---
No test results
--- Test results for package: sentinel_one_cloud_funnel - END   ---
Done
Run asset tests for the package
2023/05/29 13:06:57 DEBUG installing package...
2023/05/29 13:06:57 DEBUG POST https://127.0.0.1:5601/api/fleet/epm/packages/sentinel_one_cloud_funnel-0.1.0
--- Test results for package: sentinel_one_cloud_funnel - START ---
╭───────────────────────────┬─────────────┬───────────┬────────────────────────────────────────────────────────────────────────────────────┬────────┬──────────────╮
│ PACKAGE                   │ DATA STREAM │ TEST TYPE │ TEST NAME                                                                          │ RESULT │ TIME ELAPSED │
├───────────────────────────┼─────────────┼───────────┼────────────────────────────────────────────────────────────────────────────────────┼────────┼──────────────┤
│ sentinel_one_cloud_funnel │             │ asset     │ dashboard sentinel_one_cloud_funnel-008e94d0-facc-11ed-9768-a973b08e03b4 is loaded │ PASS   │      1.793µs │
│ sentinel_one_cloud_funnel │             │ asset     │ dashboard sentinel_one_cloud_funnel-42ecf8a0-fae3-11ed-a771-5bdf1dfe027b is loaded │ PASS   │        162ns │
│ sentinel_one_cloud_funnel │             │ asset     │ dashboard sentinel_one_cloud_funnel-724f8d70-f966-11ed-b51d-ef5658e04999 is loaded │ PASS   │        168ns │
│ sentinel_one_cloud_funnel │             │ asset     │ dashboard sentinel_one_cloud_funnel-afecde30-f966-11ed-b51d-ef5658e04999 is loaded │ PASS   │        190ns │
│ sentinel_one_cloud_funnel │             │ asset     │ dashboard sentinel_one_cloud_funnel-c90a2bc0-fa2e-11ed-b63a-6f5ce39a3d73 is loaded │ PASS   │        190ns │
│ sentinel_one_cloud_funnel │             │ asset     │ dashboard sentinel_one_cloud_funnel-dd209080-f967-11ed-b51d-ef5658e04999 is loaded │ PASS   │        220ns │
│ sentinel_one_cloud_funnel │             │ asset     │ search sentinel_one_cloud_funnel-6a9c9640-fa2e-11ed-b63a-6f5ce39a3d73 is loaded    │ PASS   │        263ns │
│ sentinel_one_cloud_funnel │ event       │ asset     │ index_template logs-sentinel_one_cloud_funnel.event is loaded                      │ PASS   │        643ns │
│ sentinel_one_cloud_funnel │ event       │ asset     │ ingest_pipeline logs-sentinel_one_cloud_funnel.event-0.1.0 is loaded               │ PASS   │        179ns │
╰───────────────────────────┴─────────────┴───────────┴────────────────────────────────────────────────────────────────────────────────────┴────────┴──────────────╯
--- Test results for package: sentinel_one_cloud_funnel - END   ---
Done
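As an added example, not part of this PR or of elastic-package itself, a small Python gate for the `elastic-package test` output shown above: it parses the box-drawn result tables, counts PASS/FAIL per test type and records sections that reported "No test results" (as the system tests did here), so a CI step can refuse a package whose required test types never ran or had failures. The sample output is constructed in the same format, trimmed, with one failing row added so the gate has something to reject.

```python
"""Summarise `elastic-package test` output and gate on it."""
import re
from collections import defaultdict

# Constructed sample in the format shown above (trimmed; FAIL row added).
SAMPLE_OUTPUT = """\
Run pipeline tests for the package
--- Test results for package: sentinel_one_cloud_funnel - START ---
│ PACKAGE                   │ DATA STREAM │ TEST TYPE │ TEST NAME     │ RESULT │ TIME ELAPSED │
│ sentinel_one_cloud_funnel │ event       │ pipeline  │ test-dns.log  │ PASS   │  34.706417ms │
│ sentinel_one_cloud_funnel │ event       │ pipeline  │ test-file.log │ FAIL   │  25.355196ms │
--- Test results for package: sentinel_one_cloud_funnel - END   ---
Run system tests for the package
--- Test results for package: sentinel_one_cloud_funnel - START ---
No test results
--- Test results for package: sentinel_one_cloud_funnel - END   ---
"""

ROW_RE = re.compile(r"^│(.*)│$")  # a table header or body row
SECTION_RE = re.compile(r"^Run (\w+) tests for the package$")

def parse_results(text):
    """Return ({test_type: {'PASS': n, 'FAIL': n}}, [sections with no results])."""
    counts = defaultdict(lambda: {"PASS": 0, "FAIL": 0})
    empty_sections = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)  # pipeline, static, system, asset
            continue
        if line == "No test results" and section:
            empty_sections.append(section)
            continue
        m = ROW_RE.match(line)
        if not m:
            continue  # box-drawing borders and ordinary log lines
        cells = [c.strip() for c in m.group(1).split("│")]
        if len(cells) != 6 or cells[0] == "PACKAGE":
            continue  # header row or malformed row
        test_type, result = cells[2], cells[4]
        counts[test_type]["PASS" if result == "PASS" else "FAIL"] += 1
    return dict(counts), empty_sections

def gate(text, required=("pipeline", "static", "system", "asset")):
    """True only if no row failed and every required test type produced rows."""
    counts, _empty = parse_results(text)
    no_failures = all(c["FAIL"] == 0 for c in counts.values())
    return no_failures and all(t in counts for t in required)
```

A section that printed "No test results" never contributes rows, so it is reported as missing by `gate` even though nothing in it failed.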

@elasticmachine

elasticmachine commented May 31, 2023

💚 Build Succeeded



Build stats

  • Start Time: 2023-06-20T07:14:55.716+0000

  • Duration: 13 min 26 sec

Test stats 🧪

Test Results
Failed 0
Passed 23
Skipped 0
Total 23

🤖 GitHub comments


To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

@elasticmachine

elasticmachine commented May 31, 2023

🌐 Coverage report

Name          Metrics % (covered/total)   Diff
Packages      100.0%   (1/1)              💚
Files         100.0%   (14/14)            💚  2.936
Classes       100.0%   (14/14)            💚  2.936
Methods       93.651%  (59/63)            👍  0.914
Lines         89.886%  (4008/4459)        👎 -1.938
Conditionals  100.0%   (0/0)              💚

@@ -0,0 +1,71 @@
# SentinelOne Cloud Funnel


Reworded slightly: This Sentinel One Cloud Funnel integration enables your security team to securely stream XDR data to Elastic Security, via Amazon S3. When integrated with Elastic Security, this valuable data can be leveraged within Elastic for threat protection, detection and incident response.


## Requirements

Elastic Agent must be installed. For more information, refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html).


Can we expand on this? Users are sometimes confused about the need for Agent, what it does and where it should be deployed. We should make it clearer that Elastic Agent is required to stream data from the S3 bucket and ship the data to Elastic, whereby the events will then be processed via the integration's ingest pipelines. Should also provide some guidance as to where Agent should be installed, and state it can run on a host, a container, etc.

type: integration
categories: ["security", "edr_xdr"]
conditions:
kibana.version: ^8.3.0


Can we set the version to ^8.7.1, inline with our current Sentinel One integration?

## Requirements

Elastic Agent must be installed. For more information, refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html).
The minimum **kibana.version** required is **8.3.0**.
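Review bot: the minimum version stated here (8.3.0) restates the manifest's `kibana.version: ^8.3.0` condition, so the two can drift apart; when it is bumped to 8.7.1, change the manifest condition and this sentence in the same commit, and phrase it as a plain requirement ("requires Kibana 8.7.1 or later") rather than echoing the constraint syntax.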


Can we adjust to 8.7.1, inline with our current Sentinel One integration?

@elasticmachine

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@jamiehynds jamiehynds requested a review from a team June 6, 2023 11:04
Contributor


Do we need this? We have the same license in the root of the repo.

Contributor Author


@efd6 As per the new version of elastic-package, the license file is created at package creation level (reference: elastic/elastic-package#898); before that we had been using the old elastic-package version. Had a discussion on the same before: link

Contributor


Yep, I know mechanically why it's there, but I'm not convinced that it's needed. It would be good to get another view on this.

@piyush-elastic piyush-elastic requested a review from efd6 June 9, 2023 07:30

@jamiehynds jamiehynds left a comment


LGTM, thanks for implementing my suggested changes.

@piyush-elastic piyush-elastic force-pushed the sentinel_one_cloud_funnel-0.1.0 branch from 2df3cec to a3e19d4 Compare June 13, 2023 07:33
@piyush-elastic piyush-elastic requested a review from efd6 June 13, 2023 11:14
@piyush-elastic piyush-elastic force-pushed the sentinel_one_cloud_funnel-0.1.0 branch from 99bcffc to 2cd904c Compare June 15, 2023 11:31
changes:
- description: Initial release.
type: enhancement
link: https://github.com/elastic/integrations/pull/1
Contributor


Suggested change
link: https://github.com/elastic/integrations/pull/1
link: https://github.com/elastic/integrations/pull/6386

@elasticmachine

💚 Build Succeeded


@piyush-elastic piyush-elastic requested a review from efd6 June 19, 2023 08:24
Contributor

@efd6 efd6 left a comment


Thanks. Only two remaining unresolved queries.

You can run Elastic Agent inside a container, either with Fleet Server or standalone. Docker images for all versions of Elastic Agent are available from the Elastic Docker registry, and we provide deployment manifests for running on Kubernetes.

There are some minimum requirements for running Elastic Agent and for more information, refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html).
The minimum **kibana.version** required is **8.7.1**.
Contributor


That's not quite my question; this particular bit of information is quite important and so it may benefit from being in its own paragraph to avoid eye-glide. Adding a newline before this would do that.

Contributor

@efd6 efd6 left a comment


Thanks

@P1llus P1llus merged commit 26a3902 into elastic:main Jun 20, 2023
4 checks passed
@elasticmachine

Package sentinel_one_cloud_funnel - 0.1.0 containing this change is available at https://epr.elastic.co/search?package=sentinel_one_cloud_funnel

Successfully merging this pull request may close these issues.

SentinelOne Cloud Funnel