Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cisco_umbrella: add dashboards #9551

Merged
merged 14 commits into from
Apr 18, 2024
Merged

cisco_umbrella: add dashboards #9551

merged 14 commits into from
Apr 18, 2024

Conversation

efd6
Copy link
Contributor

@efd6 efd6 commented Apr 8, 2024
edited
Loading

Proposed commit message

See title.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

Author's Checklist

  • [ ]

How to test this PR locally

Related issues

Screenshots

overview
audit_logs
dns_logs
firewall_logs
intrusion_logs
proxy_logs

@efd6 efd6 added enhancement New feature or request Integration:cisco_umbrella Cisco Umbrella Team:Security-Service Integrations Security Service Integrations Team [elastic/security-service-integrations] labels Apr 8, 2024
@efd6 efd6 self-assigned this Apr 8, 2024
efd6 added 2 commits April 9, 2024 08:40
@efd6
cisco_umbrella: add passing tests
60901d8 
Audit logs are omitted as these are not correctly handled due to the
presence of new-lines in CSV records.
@efd6
cisco_umbrella: work around over-zealous package linter
7a357e9
@elasticmachine
Copy link

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@efd6
Copy link
Contributor Author

efd6 commented Apr 12, 2024

/test

@efd6
cisco_umbrella: map audit.{before,after} into an array/object where h…
1dd8943 
…elpful

This is not done for global_settings as it is hierarchically organised in a way
that cannot be expressed here.
@efd6
cisco_umbrella: add audit logs dashboard
b94a6c7
@efd6
cisco_umbrella: generate sample and docs
62646e4
@elasticmachine
Copy link

💚 Build Succeeded

History

cc @efd6

@elastic-sonarqube Elastic SonarQube
Copy link

Quality Gate passed Quality Gate passed

Kudos, no new issues were introduced!

0 New issues
0 Security Hotspots
100.0% 100.0% Coverage on New Code
0.0% 0.0% Duplication on New Code

See analysis details on SonarQube

@efd6 efd6 marked this pull request as ready for review April 12, 2024 05:52
@efd6 efd6 requested a review from a team as a code owner April 12, 2024 05:52
@elasticmachine
Copy link

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

kcreddy
kcreddy reviewed Apr 17, 2024
View reviewed changes
.../cisco_umbrella/data_stream/log/_dev/test/pipeline/test-umbrella-auditlogs.log-expected.json
Comment on lines +149 to +151
"before_values": {
"deviceKey": "1111::2222222\\nlabel: 1787\\nbundle: minimal\\nphishing: 1\\ncreatedAt: 2023-03-16 09:37:31\\ntimeZoneName: GMT\\noriginId: 222222222\\ndeviceTypeId: 1\\nmaxBlockedDomains: 25\\nmaxNoredirectDomains: 25\\nmaxWhitelistDomains: 10\\norganizationId: 1111111\\noriginTypeId: 34\\nmodifiedAt: 2023-03-16 09:37:31\\n"
},
Copy link
Contributor

@kcreddy kcreddy Apr 17, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think parsing is working as expected. This still has 1 key deviceKey with rest of the value in it.
If it has the correct split, shouldn't this look like:

"before_values": {
   "deviceKey": "1111::2222222",
   "label": 1787,
   "bundle": "minimal",
   "phishing": 1
......
},

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same for the after_values

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, this is expected. If you look at the equivalent in the system tests this does work. The issue is that Cisco have used actual CRLF in the strings, not \r\n escape sequences. This is possible to do in system tests, but it it not possible to represent in pipeline tests.

kcreddy
kcreddy approved these changes Apr 18, 2024
View reviewed changes
Copy link
Contributor

@kcreddy kcreddy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍🏼

@efd6 efd6 merged commit d416694 into elastic:main Apr 18, 2024
5 checks passed
@elasticmachine
Copy link

Package cisco_umbrella - 1.23.0 containing this change is available at https://epr.elastic.co/search?package=cisco_umbrella

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kcreddy kcreddy kcreddy approved these changes

Assignees

@efd6 efd6

Labels
enhancement New feature or request Integration:cisco_umbrella Cisco Umbrella Team:Security-Service Integrations Security Service Integrations Team [elastic/security-service-integrations]
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[cisco_umbrella] Pipeline errors while parsing audit logs
3 participants
@efd6 @elasticmachine @kcreddy