[Splunk] Initial release of the splunk #13085
kcreddy merged 10 commits into elastic:main from sharadcrest:package-splunk
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)
efd6 left a comment:
Error: there is no owner for "packages/splunk" in ".github/CODEOWNERS"
| "_time": "2025-02-10T06:20:16.000Z", | ||
| "annotations": { | ||
| "mitre_attack": { | ||
| "mitre_tactic": "mite", |
Could some of these mitre fields be mapped to the threat.* fields in ECS? https://www.elastic.co/guide/en/ecs/current/ecs-threat.html
| "app": "ssl-web", | ||
| "count": 5.0, | ||
| "dest_count": 1, | ||
| "friendly_name": "Access - Excessive Failed Logins - Rule", |
Could rule.name be a suitable field for this one? Alternatively, we populate the message fields with this friendly name and use that as the Alert Name in our promotion rule, meaning users will see 'Access - Excessive Failed Logins' as the alert name in our UI.
| type: string | ||
| ignore_missing: true | ||
| - convert: | ||
| field: splunk.alert.risk_score |
Should we also set event.risk_score with this value since event.risk_score is an ECS field?
set event.risk_score mapping. 👍
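The three ECS mapping suggestions raised in this review thread (threat.*, rule.name and event.risk_score) written out as ingest-pipeline processors. This is an added example, not the package's own default.yml; apart from splunk.alert.risk_score, which the diff shows, the splunk.alert.* source paths are assumptions.

```yaml
# Added example, not the package's own default.yml. Assumes the raw Splunk
# notable event has already been decoded under splunk.alert.*; every source
# path except splunk.alert.risk_score is an assumption.
processors:
  # event.risk_score is a float in ECS, so convert before copying.
  - convert:
      field: splunk.alert.risk_score
      type: float
      ignore_missing: true
  - set:
      field: event.risk_score
      copy_from: splunk.alert.risk_score
      ignore_empty_value: true
  # friendly_name ("Access - Excessive Failed Logins - Rule") names the
  # correlation search that fired, which is what rule.name is for.
  - set:
      field: rule.name
      copy_from: splunk.alert.friendly_name
      ignore_empty_value: true
  # annotations.mitre_attack.mitre_tactic maps onto the ECS threat.* field set.
  # copy_from keeps the value whether Splunk emits it as a scalar or an array,
  # which suits threat.tactic.name (a keyword array in ECS).
  - set:
      field: threat.tactic.name
      copy_from: splunk.alert.annotations.mitre_attack.mitre_tactic
      ignore_empty_value: true
```

Because the set processors run after convert, event.risk_score receives the float rather than the original string.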
| - name: event.dataset | ||
| type: constant_keyword | ||
| description: Event dataset. | ||
| value: splunk.alert |
Should this be splunk.alerts instead to be consistent with the endpoint integration where the value is set to endpoint.alerts?
We used to follow the data stream name as singular as per the best practices. @kcreddy let me know your thoughts on this.
There are no clear guidelines on this in any Elastic docs I can find.
I checked the Integration guide, ECS definition, an introduction blog, and fleet docs, none of which mentions which is preferred.
In our current integrations alone (`find . -maxdepth 3 -type d -name "*alert*"`), we have 9 plural and 16 singular names for alert(s):
./prisma_cloud/data_stream/alert
./microsoft_sentinel/data_stream/alert
./cloud_defend/data_stream/alerts
./crowdstrike/data_stream/alert
./zerofox/data_stream/alerts
./trend_micro_vision_one/data_stream/alert
./darktrace/data_stream/ai_analyst_alert
./darktrace/data_stream/model_breach_alert
./darktrace/data_stream/system_status_alert
./ti_rapid7_threat_command/data_stream/alert
./sysdig/data_stream/alerts
./sophos_central/data_stream/alert
./google_secops/data_stream/alert
./m365_defender/data_stream/alert
./mongodb_atlas/data_stream/alert
./jamf_protect/data_stream/alerts
./google_workspace/data_stream/alert
./zscaler_zia/data_stream/alerts
./falco/data_stream/alerts
./blacklens/data_stream/alerts
./sentinel_one/data_stream/alert
./panw_cortex_xdr/data_stream/alerts
./netskope/data_stream/alerts
./carbon_black_cloud/data_stream/alert_v7
./carbon_black_cloud/data_stream/alert
I don't have a preference. We can go ahead with @peluja1012's suggestion.
@jamiehynds, any thoughts?
Hi @sharadcrest, apologies for confusion. Please go ahead and use the singular form as you have it currently. Thanks!
kcreddy left a comment:
@sharadcrest could you address the review comments?
efd6 left a comment:
There are remaining unaddressed comments.
@sharadcrest Before this is merged, can you note where the test cases were obtained?
@efd6 Test cases were derived from live data samples, which were subsequently sanitized.
Thanks @sharadcrest. For whoever merges, I'll propose this commit message body (the title line looks fine to me)
@sharadcrest, I'm blocking the merge as some requirements are still being discussed.
cc: @jamiehynds @piyush-elastic
| "application/x-www-form-urlencoded", | ||
| { | ||
| "output_mode":["json"], | ||
| "search":["search index=notable AND " + state.?search.orValue('""')], |
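Review bot: the `search` value is built by unconditional concatenation, so when `state.search` is unset the `orValue('""')` fallback yields the literal query `search index=notable AND ""`, which is not a meaningful SPL filter. Either guard the suffix so ` AND ` plus the user value is appended only when a non-empty search string is configured (leaving `search index=notable` otherwise), or drop the optional parameter and hard-code the notable index, as the later discussion settles on.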
Does this search query work in Splunk?
`search index=notable AND ""`
Good catch. I bet it doesn't.
We removed the search parameter from the manifest to avoid confusion for the user, as per the further discussions.
@kcreddy, @efd6 – As per my last discussion with @jamiehynds, we’ve removed SPL support and retained only the notable index as the default value. We've also updated the logo and submitted the corresponding changes in the PR. Kindly review the latest commit when you get a chance.
Thanks @piyush-elastic @sharadcrest
@jamiehynds let me know if this sounds good, I can merge the PR.
Package splunk - 0.1.0 containing this change is available at https://epr.elastic.co/package/splunk/0.1.0/
Proposed commit message
The initial release includes an alert data stream and associated dashboard and visualizations.
Splunk fields are mapped to their corresponding ECS fields where possible.
Test samples were derived from live data samples, which were subsequently sanitized.