[New Integration] Menlo Security #9315
Conversation
Commenting on general settings; the code owner team should also review this package.
packages/menlo/manifest.yml
@@ -0,0 +1,81 @@ | |||
format_version: 2.5.1 |
Could a newer version of package-spec be used here? At the moment, the latest version is 3.1.2. This would also ensure that more validation checks are performed.
elastic: | ||
subscription: "basic" |
Remember to add the capabilities field if this package requires it for Serverless. For instance, other security packages define this (integrations/packages/ded/manifest.yml, line 18 in 0da0ea5):

elastic:
  subscription: "basic"
capabilities:
  - security
This would make this package available in Serverless just for Security projects (and not for Observability projects). cc @elastic/security-service-integrations
.github/CODEOWNERS
@@ -223,6 +223,7 @@ | |||
/packages/m365_defender @elastic/security-service-integrations | |||
/packages/mattermost @elastic/security-service-integrations | |||
/packages/memcached @elastic/obs-infraobs-integrations | |||
/packages/menlo @elastic/security-external-integrations |
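Review bot: the new /packages/menlo entry assigns @elastic/security-external-integrations while the adjacent security packages in this hunk (m365_defender, mattermost) use @elastic/security-service-integrations; the thread identifies the former as the team's older handle, so change the line to `/packages/menlo @elastic/security-service-integrations` to keep ownership consistent with the reviewer team.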
Just double checking: @elastic/security-service-integrations has been set as a reviewer of this PR, but here another team is set. Which team should be used as the code owner?
I believe this was a mistake on my part, selecting the wrong team. The CODEOWNERS is correct.
Could you please change this to @elastic/security-service-integrations? Our older handle used to be @elastic/security-external-integrations.
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
"version": "8.11.0" | ||
}, | ||
"event": { | ||
"action": "block", |
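Review bot: event.action in this expected document is "block"; the ECS allowed-values page linked in this thread lists "denied" as the event.type for a blocked request, and the reviewer asks for event.action "blocked", so the expected document should carry event.type: denied alongside the past-tense event.action, and the pipeline should set both fields rather than event.action alone.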
Have event.type as denied and event.action as blocked. Reference: https://www.elastic.co/guide/en/ecs/8.11/ecs-allowed-values-event-type.html#ecs-event-type-denied
packages/menlo/data_stream/dlp/elasticsearch/ingest_pipeline/default.yml
packages/menlo/data_stream/dlp/elasticsearch/ingest_pipeline/default.yml
packages/menlo/data_stream/web/elasticsearch/ingest_pipeline/default.yml
packages/menlo/data_stream/web/elasticsearch/ingest_pipeline/default.yml
Thanks for clearing all the review comments. Just one last thing and we can merge 😄
- date: | ||
field: "json.event.event_time" | ||
formats: | ||
- "ISO8601" | ||
target_field: "event.created" | ||
timezone: "UTC" | ||
on_failure: | ||
- append: | ||
field: error.message | ||
value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' |
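Review bot: the on_failure message interpolates {{{_ingest.on_failure_processor_tag}}} but the date processor carries no tag: field, so a failure renders as "with tag  in pipeline" with an empty tag; add a tag (for example `tag: date_event_created`, name assumed) next to `field: "json.event.event_time"`. Also confirm that event.created is the intended target: ECS reserves event.created for the time the event was first read by the agent or pipeline, and a vendor-generated event_time usually maps to @timestamp.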
When you are populating error.message with {{{_ingest.on_failure_processor_tag}}}, add tag: <tag-name> to the processor definition so that {{{_ingest.on_failure_processor_tag}}} also renders inside error.message.
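An offline model of the two review points above (the date processor's on_failure message with and without a tag, and the ECS event.type/event.action mapping for Menlo "block" events), added here as an illustration and not code from the Menlo package or this PR; the pipeline name, tag name, vendor field json.action and the sample events are assumed or constructed.

```python
"""Added example (not from the Menlo package or this PR): an offline model of two
review points above, the `date` processor's on_failure message with and without a
processor tag, and the ECS event.type/event.action mapping for Menlo "block"
events. Pipeline name, tag, vendor field names and sample events are assumed."""
from datetime import datetime

PIPELINE = "logs-menlo.web-0.1.0"  # assumed pipeline name
# Vendor action -> ECS (event.type, event.action), as the review asks:
# a Menlo "block" becomes event.type "denied" and event.action "blocked".
ACTION_MAP = {"block": ("denied", "blocked"), "allow": ("allowed", "allowed")}
ECS_EVENT_TYPES = {"allowed", "denied", "info"}  # ECS 8.11 values used here
# The pipeline's on_failure template, rendered with str.format instead of Mustache.
ON_FAILURE = ("Processor {type} with tag {tag} in pipeline {pipeline} "
              "failed with message: {msg}")

def get_path(doc, path):
    """Resolve a dotted field path such as json.event.event_time."""
    for part in path.split("."):
        doc = doc[part]
    return doc

def date_processor(doc, field, target, tag=""):
    """Parse ISO8601 from `field` into `target`; on failure append the rendered
    message. An unset tag renders as an empty string, exactly the gap the
    reviewer wants closed by adding tag: to the processor."""
    try:
        raw = get_path(doc, field).replace("Z", "+00:00")  # Python <3.11 lacks Z
        doc[target] = datetime.fromisoformat(raw).isoformat()
    except (KeyError, ValueError) as exc:
        doc.setdefault("error.message", []).append(ON_FAILURE.format(
            type="date", tag=tag, pipeline=PIPELINE, msg=exc))
    return doc

def map_action(doc, field="json.action"):
    """Map the vendor action (assumed field json.action) to ECS, rejecting any
    event.type outside the ECS allowed list."""
    event_type, event_action = ACTION_MAP[get_path(doc, field)]
    if event_type not in ECS_EVENT_TYPES:
        raise ValueError(f"{event_type} is not an allowed ECS event.type")
    doc["event.type"], doc["event.action"] = event_type, event_action
    return doc

# Constructed sample events: a well-formed one and one with a bad timestamp.
GOOD = {"json": {"action": "block", "event": {"event_time": "2023-11-20T10:15:30Z"}}}
BAD = {"json": {"action": "block", "event": {"event_time": "20/11/2023 10:15"}}}

if __name__ == "__main__":
    print(map_action(date_processor(dict(GOOD), "json.event.event_time", "event.created", tag="date_event_created")))
    print(date_processor(dict(BAD), "json.event.event_time", "event.created")["error.message"])
```

Running it prints the normalized document for the good event and, for the bad one, an error.message whose tag slot is empty because no tag was supplied.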
LGTM 👍🏼
Dashboards will be a nice addition to this package next.
Package menlo - 0.1.0 containing this change is available at https://epr.elastic.co/search?package=menlo
What does this PR do?
This PR adds the Menlo Security integration for Web and DLP logs