Cloudtrail add actor and target #12685
Approving change in packages/aws/docs/cloudtrail.md as codeowner.
For the pipeline segment, do you still want to keep it? This may be irrelevant following the change mentioned here. Please re-check.
LGTM!
Package aws - 2.44.0 containing this change is available at https://epr.elastic.co/package/aws/2.44.0/
* Add Cloudtrail Actor and Target
* Update toggle description
* Fix accountId typo
* Add versioning
* Fix ec2 events without complete response elements
* Improve error handling
* Improve error handling (add tag to the document on error)
* Use onBehalfOf in case of arn is not available in the user identity section
* Bump manifest version
This is a re-open of #11245, which had to be closed because of a full commit history rewrite in the integration main.
## Background
Elastic Cloud Security Team has been focusing, this past year, on Cloud Detection and Response (CDR). One of the first steps towards the CDR vision is to enhance investigation workflows for the Cloud Security use-case in SIEM.
As part of enhancing investigation workflows it's necessary to be able to correlate events and entities. Meaning, if an alert is triggered on the ec2 instance i-000000000, it is of great value to easily be able to search all the events related to that entity, across multiple indices, with one query. Therefore we are working on extracting entities and enabling them to be correlated.
## What is an entity?
An "entity" in our context refers to any discrete component within an IT environment that can be uniquely identified and monitored. This broad term encompasses both managed and unmanaged elements.
The term "entity" is broader than the current set of available fields under `related`. Although `ip`, `user` and `hosts` can be identities, there is a lack of space to represent messaging queues, load balancers, storage systems, databases and others. Therefore the proposal to add a new field.
## The proposed structure

There are two fields being added on this PR:

- `actor.entity.id` captures entities that started the event, the actors.
- `target.entity.id` captures entities that were affected by the event, be that created, updated, listed. We try to do as much as possible with the data present in the event.

## Decisions made on the Painless Script
### Structure

The Painless script turned very large. There are essentially three parts to it:

- (`related`, `actor` and `target`).
- `requestParameters` and `responseElements`: there is usually a somewhat coherent structure per AWS service. I believe such separation brings better reading, creates a better headspace once working in a specific service and also breaks down the huge `if else` chain present in the previous state of the code.

### Why TreeSet as data structure to hold `related`, `actor`, `target`

There are two properties that this script must have:
Previously I had ensured both properties on "post processing", at the end of the script. Now it's ensured by the data structure itself.
I have not performance tested myself, but the usage of TreeSet should improve the time complexity of the algorithm, since we sort data on `add`, and previously we had to `sort` afterwards. I couldn't find a reliable source for time complexity of `TreeSet.add` vs `Collections.sort` - and honestly, the size of the list is so small that it might not even matter.

### Amount of tests
The testing was essential to me to validate what I was doing, to verify each output. And I would like to keep the tests for future reference and to ensure we are not changing anything by mistake. But the tests are starting to get slow, especially if you compare with other integrations, such as `okta`.
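The behaviour the PR describes, shown here as an added Python illustration rather than the integration's own Painless script: actor and target ids collected into a sorted, de-duplicated set (the role the TreeSet plays), `onBehalfOf` used when `userIdentity.arn` is absent, EC2 events without complete `responseElements` tolerated, and a tag added to the document on error. The sample record, the `onBehalfOf.userId` field shape and the tag name are assumptions.

```python
import json
# Constructed sample CloudTrail record (not from the page): a RunInstances
# call whose responseElements list the created instances, one of them twice.
SAMPLE_EVENT = json.dumps({
    "eventSource": "ec2.amazonaws.com",
    "eventName": "RunInstances",
    "userIdentity": {"type": "AssumedRole",
                     "arn": "arn:aws:sts::111122223333:assumed-role/Admin/alice"},
    "responseElements": {"instancesSet": {"items": [
        {"instanceId": "i-0bbbbbbbbbbbbbbbb"},
        {"instanceId": "i-0aaaaaaaaaaaaaaaa"},
        {"instanceId": "i-0bbbbbbbbbbbbbbbb"}]}},
})
# Placeholder tag name, not the integration's real one.
FAILURE_TAG = "_actor_target_failure"

def actor_ids(event):
    """Who started the event: userIdentity.arn, else onBehalfOf.userId
    (assumed field shape) when no arn is present, as the PR describes."""
    ident = event.get("userIdentity") or {}
    if ident.get("arn"):
        return {ident["arn"]}
    user_id = (ident.get("onBehalfOf") or {}).get("userId")
    return {user_id} if user_id else set()

def target_ids(event):
    """What the event touched: EC2 instance ids from responseElements
    (RunInstances) or requestParameters (Terminate/StopInstances);
    an event without complete responseElements just yields what it has."""
    ids = set()
    if event.get("eventSource") != "ec2.amazonaws.com":
        return ids
    for section in ("responseElements", "requestParameters"):
        items = ((event.get(section) or {}).get("instancesSet") or {}).get("items") or []
        ids.update(i["instanceId"] for i in items if i.get("instanceId"))
    return ids

def enrich(raw):
    """Ingest step: parse, attach sorted de-duplicated actor/target ids
    (what the TreeSet gives the Painless script), tag the doc on any error."""
    doc = {"event": {"original": raw}}
    try:
        event = json.loads(raw)
        doc["actor"] = {"entity": {"id": sorted(actor_ids(event))}}
        doc["target"] = {"entity": {"id": sorted(target_ids(event))}}
    except Exception as exc:  # malformed JSON, unexpected types, ...
        doc.setdefault("tags", []).append(FAILURE_TAG)
        doc["error"] = {"message": str(exc)}
    return doc
```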