Add new AWS Config datastream. #13830
Conversation
andrewkroh
added
Crest
|
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations) |
|
/test |
andrewkroh
added
the
Team:obs-ds-hosted-services
|
/test |
packages/aws/data_stream/config/_dev/deploy/docker/files/config.yml
Outdated
Show resolved
Hide resolved
packages/aws/data_stream/config/_dev/test/pipeline/test-common-config.yml
Outdated
Show resolved
Hide resolved
| ### Agentless Enabled Integration | ||
| Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and the [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html). | ||
| Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features. | ||
|
|
||
| ### Agent Based Installation | ||
| - Elastic Agent must be installed | ||
| - You can install only one Elastic Agent per host. | ||
| - Elastic Agent is required to stream data from the REST API and ship the data to Elastic, where the events will then be processed via the integration's ingest pipelines. |
There was a problem hiding this comment.
I think we need guidance from docs for how to provide this information.
packages/aws/data_stream/config/elasticsearch/ingest_pipeline/default.yml
Outdated
Show resolved
Hide resolved
packages/aws/data_stream/config/elasticsearch/ingest_pipeline/default.yml
Show resolved
Hide resolved
|
Also, need to add owner. |
1. Add config data stream entry in CODEOWNERS. 2. Update changelog entry. 3. Format CEL code as suggested. 4. Added fields into redact. 5. Changed transform version v1. 6. Used minify_json in config.yml file.
|
/test |
🚀 Benchmarks reportPackage
|
| Data stream | Previous EPS | New EPS | Diff (%) | Result |
|---|---|---|---|---|
s3access |
4524.89 | 2375.3 | -2149.59 (-47.51%) | 💔 |
emr_logs |
22727.27 | 17241.38 | -5485.89 (-24.14%) | 💔 |
To see the full report comment with /test benchmark fullreport
|
Please address #13830 (comment). |
...elasticsearch/transform/latest_config_misconfigurations/fields/is-transform-source-false.yml
Outdated
Show resolved
Hide resolved
packages/aws/data_stream/config/fields/is-transform-source-true.yml
Outdated
Show resolved
Hide resolved
| "delete": { | ||
| "min_age": "7d", | ||
| "actions": { | ||
| "delete": {} | ||
| } | ||
| } | ||
| } |
There was a problem hiding this comment.
@maxcold, similar to this comment, this ILM policy is for security posture. Please confirm if the 7 days retention is okay on source data.
Also, this PR is adding the transform. Please confirm if you would like to test this before merging?
cc: @nick-alayil
There was a problem hiding this comment.
I think it definitely makes sense to test it before merging
On the ILM policy - if we ingest the full posture every 24h, then 7d retention for the source index is fine, we don't need old data in the source index.
For vulnerability data stream though it might be a different case as we have 90d retention on transform, I'm not sure how it will work with 7d on ILM, need to think about it
There was a problem hiding this comment.
On the ILM policy - if we ingest the full posture every 24h, then 7d retention for the source index is fine, we don't need old data in the source index.
@maxcold, Thanks for the confirmation. Let me know when the testing is done so we can move forward with merging.
Regarding vulnerability data_stream in https://github.com/elastic/integrations/pull/13595/files#r2079624821, what we have is a full ingestion (not incremental) every interval: 4h. So my understanding is that a similar 7d ILM on source data is going to be fine.
The CDR guides mentions 90d retention only incase the ingestion was incremental.
There was a problem hiding this comment.
I think it definitely makes sense to test it before merging
@muskan-agarwal26 @piyush-elastic, our cloud security team would like to test this feature before merging the PR. Once their testing is done, we can merge this.
cc: @nick-alayil
There was a problem hiding this comment.
@kcreddy will let you know regarding AWS Config testing
As for the retention - if transform have retention_policy.time.max_age: 24h then having retention period of 7d on source index should be ok. I just don't see transform on m365 PR at all, that's why wasn't sure what's the approach there.
There was a problem hiding this comment.
As for the retention - if transform have retention_policy.time.max_age: 24h then having retention period of 7d on source index should be ok.
Got it, thanks!
I just don't see transform on m365 PR at all, that's why wasn't sure what's the approach there.
Its also a full sync every interval default: 4h of vulnerabilities in case of M365 Defender/Defender for Endpoint PR: #13595. So, I believe a retention of 7d should be okay in that case as well.
The transform isn't added because there are still few missing MUST HAVE fields, but we did the best effort to populate fields based on CDR guide. Once we get to this integration (supporting CNVM), we can look into the missing MUST HAVE fields.
cc: @sharadcrest
packages/aws/elasticsearch/transform/latest_config_misconfigurations/transform.yml
Outdated
Show resolved
Hide resolved
packages/aws/data_stream/config/_dev/test/pipeline/test-event.log-expected.json
Outdated
Show resolved
Hide resolved
packages/aws/elasticsearch/transform/latest_config_misconfigurations/manifest.yml
Outdated
Show resolved
Hide resolved
packages/aws/elasticsearch/transform/latest_config_misconfigurations/transform.yml
Outdated
Show resolved
Hide resolved
|
/test |
…tic#128350) Adding `logs-aws.config-*` data stream indices to the `kibana_system` privileges. This is required for the latest transform to work. Related: - elastic/integrations#13830 (comment) (cherry picked from commit 169527f)
There was a problem hiding this comment.
I built the integration from the PR, installed it on a cloud env 9.0.1. Here are the issues I found, we need to fix them before merging:
resource.name,resource.type,rule.numberare missing in the data, that's only what I can see in the data grid.- the flyout opens but has no data, most likely some of the data missing but I need to dig deeper to understand what exactly
@kcreddy @muskan-agarwal26 before implementing the changes for CDR flows we were doing spreadsheet mapping of the fields required by the guide https://docs.elastic.dev/security-solution/cloud-security/cdr/3p-dev-guide . This allows to understand what crucial fields are missing or the data format is different. Has this exercise been done for AWS Config?
) (#128443) Adding `logs-aws.config-*` data stream indices to the `kibana_system` privileges. This is required for the latest transform to work. Related: - elastic/integrations#13830 (comment) (cherry picked from commit 169527f)
) (#128446) Adding `logs-aws.config-*` data stream indices to the `kibana_system` privileges. This is required for the latest transform to work. Related: - elastic/integrations#13830 (comment) (cherry picked from commit 169527f)
) (#128444) Adding `logs-aws.config-*` data stream indices to the `kibana_system` privileges. This is required for the latest transform to work. Related: - elastic/integrations#13830 (comment) (cherry picked from commit 169527f)
) (#128460) Adding `logs-aws.config-*` data stream indices to the `kibana_system` privileges. This is required for the latest transform to work. Related: - elastic/integrations#13830 (comment) (cherry picked from commit 169527f)
|
/test |
There was a problem hiding this comment.
After an internal discussion, we decided not to create transform for now. This will remove the issue of #13830 (review).
@muskan-agarwal26 please remove the transform (and any related changes) from the PR.
|
/test |
1. Add category in manifest. 2. Update readme as suggested.
|
/test |
💚 Build Succeeded
History
|
|
|
Package aws - 3.4.0 containing this change is available at https://epr.elastic.co/package/aws/3.4.0/ |
This release includes the Config data stream for supporting config findings via REST API. AWS Config fields are mapped to their corresponding ECS fields where possible. Also added associated dashboards and visualizations. Test samples were derived from live logs.
Proposed commit message
This release includes the Config data stream for supporting config findings via REST API.
AWS Config fields are mapped to their corresponding ECS fields where possible. Also added associated dashboards and visualizations.
Test samples were derived from live logs.
Checklist
changelog.ymlfile.How to test this PR locally
Related issues
Screenshots