
[corelight] initial release of Corelight #11288


Merged
merged 4 commits into from
Oct 31, 2024

Conversation

sharadcrest (Contributor):

Proposed commit message

Create new integration package corelight and add the following four dashboards:

  • Name Resolution Insights
  • Remote Activity Insights
  • Secure Channel Insights
  • Security Posture

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

How to test this PR locally

  • Clone integrations repo.
  • Install elastic package locally.
  • Start elastic stack using elastic-package.
  • Move to integrations/packages/corelight directory.
  • Run the following command to run tests.

elastic-package test

--- Test results for package: corelight - START ---
╭───────────┬─────────────┬───────────┬────────────────────────────────────────────────────────────────────┬────────┬──────────────╮
│ PACKAGE   │ DATA STREAM │ TEST TYPE │ TEST NAME                                                          │ RESULT │ TIME ELAPSED │
├───────────┼─────────────┼───────────┼────────────────────────────────────────────────────────────────────┼────────┼──────────────┤
│ corelight │             │ asset     │ dashboard corelight-45197477-c13f-4e52-a5dd-fb4f53564963 is loaded │ PASS   │      1.146µs │
│ corelight │             │ asset     │ dashboard corelight-7c0946bc-acd0-4ec3-ab3b-8a92853f4a3b is loaded │ PASS   │        181ns │
│ corelight │             │ asset     │ dashboard corelight-8546a96c-86c9-4edf-9d46-88338d6ac40e is loaded │ PASS   │        185ns │
│ corelight │             │ asset     │ dashboard corelight-f4864774-ed73-4b78-b861-5b8235ec12cf is loaded │ PASS   │        164ns │
╰───────────┴─────────────┴───────────┴────────────────────────────────────────────────────────────────────┴────────┴──────────────╯
--- Test results for package: corelight - END   ---
Done

Screenshots

(two screenshots attached to the PR; images not reproduced here)

cla-checker-service bot commented Oct 1, 2024

💚 CLA has been signed

@sharadcrest sharadcrest changed the title from "{corelight] initial release of Corelight" to "[corelight] initial release of Corelight" on Oct 1, 2024
@andrewkroh andrewkroh added the labels "needs CLA" (User must sign the Elastic Contributor License before review) and "New Integration" (Issue or pull request for creating a new integration package) on Oct 1, 2024

## Prerequisites:

**Add ECS Mappings**: Start by adding the ECS (Elastic Common Schema) mappings from the [Corelight GitHub repository](https://github.com/corelight). You can find the required templates here: [Corelight ECS Templates](https://github.com/corelight/ecs-templates). These mappings will ensure that Corelight data is correctly formatted and aligned with Elastic's schema.


Why are users being asked to manually download the input ECS mappings from GitHub? The ingest pipeline can be included with the integration to avoid this additional step. Any reason why we can't include the ingest pipeline as part of the integration (in line with all other integrations)?

Contributor Author (sharadcrest):

Corelight have done their custom mapping differently in their GitHub repo; they also have Elastic as a configuration page where they have built the pipeline along with the ECS mapping for the fields, so the only ask from them is to build dashboards in line with the dashboards for other vendors (Splunk, Looker, etc.).


kcreddy commented Oct 8, 2024

/test

@andrewkroh andrewkroh removed the needs CLA User must sign the Elastic Contributor License before review. label Oct 8, 2024
@sharadcrest (Contributor Author):

@jamiehynds Are we okay to start review for this PR, please?

@jamiehynds:

@kcreddy are you ok to review this PR for Corelight (developed by Crest)? Would be great to understand if the work you had done previously with Corelight could be leveraged here. The current workflow goes against the experience of most integrations, as you're required to manually download the mappings from GitHub.

@kcreddy kcreddy added the labels "Crest" (Contributions from Crest development team), "Integration:corelight" (Corelight, partner supported) and "Team:Security-Service Integrations" (Security Service Integrations team, elastic/security-service-integrations) on Oct 16, 2024

@elasticmachine:

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@kcreddy (Contributor) left a comment:

The integration is unconventional and requests users to install assets such as mappings, settings, templates, ingest pipelines, etc. using an installation script provided by Corelight.

Although the Corelight repositories (providing the script and assets) are well-maintained, it should be noted and documented that this integration only provides dashboards and nothing more. The users are responsible for the updates and have to frequently check and update assets from the script provided by the Corelight repository. This should also be documented in the README.

Also it should be documented that any issues with the installation during initial setup or updates must be followed up with Corelight as we don't own them. This applies to any non-dashboard issues.

In the future, if we were to add some or all of these assets to our integration, users will need to manually delete existing stale Corelight assets.

cc: @jamiehynds
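The review comment above makes the practitioner-relevant point: this package ships dashboards only, and the mappings, templates and ingest pipelines the dashboards depend on come from Corelight's own install script, which users must keep current themselves. The following is an added example, not code from the PR, from the integration package or from Corelight, of the kind of pre-install or post-update check that makes that responsibility concrete: it reads the cluster's index templates, component templates and ingest pipelines through the standard Elasticsearch `_index_template`, `_component_template` and `_ingest/pipeline` APIs and reports what is missing. The asset names in `EXPECTED_INDEX_TEMPLATES` and `EXPECTED_PIPELINES` are placeholders (an assumption; take the real names from the Corelight install script), the sample API responses are constructed, and the `http_get` helper is unauthenticated, so a secured cluster would need credentials added.

```python
"""Audit an Elasticsearch cluster for the Corelight-provided assets that a
dashboards-only package relies on.

Added example for this PR discussion; not part of the corelight integration
package or of Corelight's ecs-templates repository.
"""
import json
import os
import urllib.request
from typing import Callable

# Placeholder names (assumption, not taken from the PR or from Corelight):
# replace with the names the Corelight install script actually creates.
EXPECTED_INDEX_TEMPLATES = {"corelight-conn", "corelight-dns"}
EXPECTED_PIPELINES = {"corelight-conn-pipeline", "corelight-dns-pipeline"}


def template_components(resp: dict) -> dict[str, list[str]]:
    """From a GET /_index_template response, map each index template name to
    the component templates listed in its composed_of."""
    return {
        item["name"]: list(item.get("index_template", {}).get("composed_of", []))
        for item in resp.get("index_templates", [])
    }


def component_names(resp: dict) -> set[str]:
    """From a GET /_component_template response, the set of component names."""
    return {item["name"] for item in resp.get("component_templates", [])}


def pipeline_names(resp: dict) -> set[str]:
    """GET /_ingest/pipeline returns a JSON object keyed by pipeline id."""
    return set(resp.keys())


def audit(get: Callable[[str], dict],
          expected_templates: set[str],
          expected_pipelines: set[str]) -> dict:
    """Return a report of expected assets that are absent, plus any index
    template that refers to a component template the cluster does not have
    (a stale or half-applied install leaves exactly that kind of gap)."""
    templates = template_components(get("/_index_template"))
    components = component_names(get("/_component_template"))
    pipelines = pipeline_names(get("/_ingest/pipeline"))
    dangling = {
        name: sorted(set(parts) - components)
        for name, parts in templates.items()
        if set(parts) - components
    }
    return {
        "missing_index_templates": sorted(expected_templates - templates.keys()),
        "missing_pipelines": sorted(expected_pipelines - pipelines),
        "dangling_components": dangling,
    }


def is_clean(report: dict) -> bool:
    """True when nothing is missing or dangling."""
    return not any(report.values())


# Constructed sample responses standing in for a live cluster. The dns
# pipeline and one component template are deliberately absent.
SAMPLE = {
    "/_index_template": {"index_templates": [
        {"name": "corelight-conn",
         "index_template": {"composed_of": ["corelight-conn-mappings", "ecs-base"]}},
        {"name": "corelight-dns",
         "index_template": {"composed_of": ["corelight-dns-mappings"]}},
    ]},
    "/_component_template": {"component_templates": [
        {"name": "corelight-conn-mappings", "component_template": {}},
        {"name": "ecs-base", "component_template": {}},
    ]},
    "/_ingest/pipeline": {"corelight-conn-pipeline": {"processors": []}},
}


def sample_report() -> dict:
    """Run the audit against the constructed SAMPLE responses."""
    return audit(lambda path: SAMPLE[path], EXPECTED_INDEX_TEMPLATES, EXPECTED_PIPELINES)


def http_get(base: str, path: str) -> dict:
    """Unauthenticated GET; a secured cluster needs credentials added here."""
    with urllib.request.urlopen(base.rstrip("/") + path) as resp:
        return json.load(resp)


if __name__ == "__main__":
    base_url = os.environ.get("ES_URL")  # e.g. http://localhost:9200
    if base_url:
        result = audit(lambda p: http_get(base_url, p),
                       EXPECTED_INDEX_TEMPLATES, EXPECTED_PIPELINES)
    else:
        result = sample_report()
    print(json.dumps(result, indent=2))
    raise SystemExit(0 if is_clean(result) else 1)
```

Run with `ES_URL` pointing at the cluster (the stack started by `elastic-package stack up`, for instance) before installing the dashboards and again after re-running Corelight's install script; a non-zero exit means the dashboards would be sitting on top of incomplete mappings or pipelines.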


kcreddy commented Oct 18, 2024

@piyush-elastic, related to #11288 (comment), can you update the Crest template for README with the changes from #11210? This is to keep the README docs consistent across integrations.

@sharadcrest sharadcrest requested a review from kcreddy October 22, 2024 10:19

kcreddy commented Oct 22, 2024

/test

@sharadcrest (Contributor Author):

/test

@sharadcrest sharadcrest requested a review from kcreddy October 25, 2024 09:41

kcreddy commented Oct 25, 2024

/test

@elasticmachine:

💚 Build Succeeded


kcreddy commented Oct 30, 2024

@jamiehynds, we have established a communication channel with Corelight for reporting any future bugs. If you have any other concerns, let me know or I can merge this PR.

@kcreddy kcreddy merged commit de60bef into elastic:main Oct 31, 2024
5 checks passed
@elastic-vault-github-plugin-prod

Package corelight - 0.1.0 containing this change is available at https://epr.elastic.co/search?package=corelight

harnish-crest-data pushed a commit to chavdaharnish/integrations that referenced this pull request Feb 4, 2025
Create New integration package corelight and add below four dashboards:

- Name Resolution Insights
- Remote Activity Insights
- Secure Channel Insights
- Security Posture
harnish-crest-data pushed a commit to chavdaharnish/integrations that referenced this pull request Feb 5, 2025
Create New integration package corelight and add below four dashboards:

- Name Resolution Insights
- Remote Activity Insights
- Secure Channel Insights
- Security Posture
@sharadcrest sharadcrest deleted the package_corelight branch February 10, 2025 11:19
5 participants