Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[New Integration] Menlo Security #9315

Merged
merged 52 commits into from Apr 11, 2024
Merged

[New Integration] Menlo Security #9315

merged 52 commits into from Apr 11, 2024

Conversation

tehbooom
Copy link
Member

@tehbooom tehbooom commented Mar 8, 2024

  • Enhancement

What does this PR do?

This PR adds the Menlo Security integration for Web and DLP logs

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

Author's Checklist

  • [ ]

How to test this PR locally

Related issues

Screenshots

tehbooom and others added 30 commits May 24, 2023 14:30
@tehbooom
package setup
3900d4e
@tehbooom
expected json for web and dlp
c8cae3e
@tehbooom
Added title and desc for lint
ad95d42
@tehbooom
Updated readme
0269620
@tehbooom
ignore dynamic field
3c7d06c
@tehbooom
Merge branch 'elastic:main' into main
d21e7f8
@tehbooom
Changed field description to unknown
03c4523
@tehbooom
Renamed to common
a2769ba
@tehbooom
Updated expected events
62c782d
@tehbooom
removed test.json for lint
6b4f8d3
@tehbooom
Updated change log
2912e3c
@tehbooom
added code owner
59874e0
@tehbooom
removed license
ab0aa2f
@tehbooom
updated git reference
44c14f3
@tehbooom
removed dynamic fields set by fleet
54fb3b0
@tehbooom
removed extra character
3b74bb2
@tehbooom
Removed duplicate logs
4275d09
@tehbooom
Unique groups
2b600b5
@tehbooom
removed extra group_id
24822cc
@tehbooom
Updated pipelines based on recommendations
bd23044
@tehbooom
Changed github owner
00b77d9
@tehbooom
Added test infrastructure
58f1ef4
@tehbooom
Tested with Menlo Security API
be5312b
@tehbooom
Merge branch 'elastic:main' into main
4c8ae66
@tehbooom
Updated version
3f5080f
@tehbooom
Updated version and syntax
ee7a48f
@tehbooom
Updated ecs version
c9f2ea5
@tehbooom
Syntax
d0cebe2
@tehbooom
Added missing fields
53e6898
@tehbooom
Removed conflicting agent fields
199e9e7
mrodm
mrodm reviewed Mar 11, 2024
View reviewed changes
Copy link
Contributor

@mrodm mrodm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Commenting about general settings, code owner team should also review this package

packages/menlo/manifest.yml Outdated
@@ -0,0 +1,81 @@
format_version: 2.5.1
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could it be used here a newer version of package-spec ? At this moment, latest version is 3.1.2.

This would also ensure there are more validation checks performed.

packages/menlo/manifest.yml
Comment on lines +16 to +17
elastic:
subscription: "basic"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remember to add the capabilities field if this package requires it for Serverless.
For instance, other security packages define this:

integrations/packages/ded/manifest.yml

Line 18 in 0da0ea5

capabilities:

Suggested change
elastic:
subscription: "basic"
elastic:
subscription: "basic"
capabilities:
- security

This would make this package available in Serverless just for Security projects (and not for Observability projects). cc @elastic/security-service-integrations

.github/CODEOWNERS Outdated
@@ -223,6 +223,7 @@
/packages/m365_defender @elastic/security-service-integrations
/packages/mattermost @elastic/security-service-integrations
/packages/memcached @elastic/obs-infraobs-integrations
/packages/menlo @elastic/security-external-integrations
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just double checking, it has been set as a reviewer of this PR @elastic/security-service-integrations but here it is set another team.

Which team should be used as a code owner?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe this was a mistake on my part selecting the wrong team. The CODEOWNERS is correct

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you please change this to @elastic/security-service-integrations?
Our older handle used to be @elastic/security-external-integrations.

@tehbooom tehbooom added the Team:Security-External Integrations Label for the Security External Integrations team label Mar 11, 2024
@elasticmachine
Copy link

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@tehbooom tehbooom removed the Team:Security-Service Integrations Security Service Integrations Team label Mar 11, 2024
@jamiehynds jamiehynds added Team:Security-Service Integrations Security Service Integrations Team and removed Team:Security-External Integrations Label for the Security External Integrations team labels Mar 14, 2024
kcreddy
kcreddy reviewed Mar 15, 2024
View reviewed changes
.github/CODEOWNERS Outdated
@@ -223,6 +223,7 @@
/packages/m365_defender @elastic/security-service-integrations
/packages/mattermost @elastic/security-service-integrations
/packages/memcached @elastic/obs-infraobs-integrations
/packages/menlo @elastic/security-external-integrations
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you please change this to @elastic/security-service-integrations?
Our older handle used to be @elastic/security-external-integrations.

packages/menlo/changelog.yml Outdated Show resolved Hide resolved
packages/menlo/_dev/build/docs/README.md Show resolved Hide resolved
packages/menlo/_dev/deploy/docker/config.yml Outdated Show resolved Hide resolved
packages/menlo/data_stream/dlp/_dev/test/pipeline/test-dlp.log-expected.json
"version": "8.11.0"
},
"event": {
"action": "block",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Have event.type as denied and event.action as blocked
Reference: https://www.elastic.co/guide/en/ecs/8.11/ecs-allowed-values-event-type.html#ecs-event-type-denied

packages/menlo/data_stream/dlp/elasticsearch/ingest_pipeline/default.yml Outdated Show resolved Hide resolved
packages/menlo/data_stream/dlp/elasticsearch/ingest_pipeline/default.yml Show resolved Hide resolved
packages/menlo/data_stream/web/elasticsearch/ingest_pipeline/default.yml Outdated Show resolved Hide resolved
packages/menlo/data_stream/web/elasticsearch/ingest_pipeline/default.yml Outdated Show resolved Hide resolved
packages/menlo/manifest.yml Outdated Show resolved Hide resolved
@tehbooom tehbooom requested review from kcreddy, elasticitservice and a team and removed request for elasticitservice April 3, 2024 12:07
kcreddy
kcreddy reviewed Apr 11, 2024
View reviewed changes
Copy link
Contributor

@kcreddy kcreddy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for clearing all the review comments. Just one last thing and we can merge 😄

packages/menlo/data_stream/dlp/elasticsearch/ingest_pipeline/default.yml Outdated
Comment on lines 24 to 33
- date:
field: "json.event.event_time"
formats:
- "ISO8601"
target_field: "event.created"
timezone: "UTC"
on_failure:
- append:
field: error.message
value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When you are populating error.message with {{{_ingest.on_failure_processor_tag}}}, add tag: <tag-name> to the processor definition and also to render {{{_ingest.on_failure_processor_tag}}} inside error.message.

Example: https://github.com/elastic/integrations/blob/main/packages/ti_threatconnect/data_stream/indicator/elasticsearch/ingest_pipeline/default.yml#L77

@elasticmachine
Copy link

💚 Build Succeeded

History

@elastic-sonarqube Elastic SonarQube
Copy link

Quality Gate passed Quality Gate passed

Kudos, no new issues were introduced!

0 New issues
0 Security Hotspots
87.7% 87.7% Coverage on New Code
0.0% 0.0% Duplication on New Code

See analysis details on SonarQube

@tehbooom tehbooom requested a review from a team April 11, 2024 13:06
kcreddy
kcreddy approved these changes Apr 11, 2024
View reviewed changes
Copy link
Contributor

@kcreddy kcreddy left a comment
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍🏼
Dashboards will be a nice addition to this package next.

@kcreddy kcreddy merged commit 8d1d0ad into elastic:main Apr 11, 2024
5 checks passed
@elasticmachine
Copy link

Package menlo - 0.1.0 containing this change is available at https://epr.elastic.co/search?package=menlo

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mrodm mrodm mrodm left review comments

@kcreddy kcreddy kcreddy approved these changes

Assignees
No one assigned
Labels
Integration:Menlo Security New Integration Team:Security-Service Integrations Security Service Integrations Team
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@tehbooom @elasticmachine @mrodm @kcreddy @chrisberkhout @jamiehynds