[sysdig] Add support for cspm datastream by brijesh-elastic · Pull Request #14907 · elastic/integrations

brijesh-elastic · 2025-08-12T10:14:07Z

Proposed commit message

sysdig: add support for cspm data stream to collect compliance results.

The CSPM data stream logs provide an overview of the evaluation results of your
Cloud and Kubernetes environment’s adherence to specific security standards,
regulations, and policies. The findings highlight areas where your organization
is meeting or failing to meet the required security controls and procedures.

Sanitized test case inputs were obtained from live Sysdig Secure instance
using the Sysdig API.

Note

The dashboard will be added once the vulnerability PR is merged.

Checklist

I have reviewed tips for building integrations and this pull request is aligned with them.
I have verified that all data streams collect metrics or logs.
I have added an entry to my package's changelog.yml file.
I have verified that Kibana version constraints are current according to guidelines.
I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

Clone integrations repo.
Install elastic package locally.
Start elastic stack using elastic-package.
Move to integrations/packages/sysdig directory.
Run the following command to run tests.

elastic-package test

Related issues

Closes [Sysdig Secure] New data stream: CSPM #12271

elasticmachine · 2025-08-12T10:14:11Z

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

elastic-vault-github-plugin-prod · 2025-08-12T10:40:45Z

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

efd6

nit only, otherwise LGTM

packages/sysdig/changelog.yml

packages/sysdig/data_stream/cspm/elasticsearch/ingest_pipeline/default.yml

…urrent API

packages/sysdig/_dev/build/docs/README.md

packages/sysdig/data_stream/cspm/agent/stream/cel.yml.hbs

out of date

packages/sysdig/data_stream/cspm/_dev/test/pipeline/test-cspm.log-expected.json

kcreddy · 2025-09-15T12:09:11Z

packages/sysdig/data_stream/cspm/_dev/test/pipeline/test-cspm.log-expected.json

@@ -0,0 +1,702 @@
+{


Can you try best to all Must Have mappings from https://docs.elastic.dev/security-solution/cloud-security/cdr/3p-dev-guide#misconfiguration-findings-1 ?

Most of the MUST HAVE fields (such as resource.id, resource.name, host.name, user.name) aren't possible because resource details aren't coming in the API response.

It seems we are only ingesting a bunch of rules. Is there any other API to ingest resources from that are evaluated by these rules?
I don't think ingesting rules without resources will add any value.

We are receiving the resource_api_endpoint field, which can be used to call another API to get the affected resources. However, since we have 40k controls, this would result in 40k calls in one iteration, which is excessively high.

There is summary information inside *Count fields, indicating overall pass/fail along with severities.

I will leave it to @chemamartinez if the requirement is satisfied for this data stream.

Added a comment at the issue.

packages/sysdig/data_stream/cspm/_dev/test/pipeline/test-cspm.log-expected.json

packages/sysdig/_dev/build/docs/README.md

efd6

LGTM after @kcreddy's concerns are addressed.

elasticmachine · 2025-09-16T08:00:00Z

💚 Build Succeeded

Buildkite Build
Commit: f2d4b37

History

💚 Build #31322 succeeded a016792
💚 Build #31279 succeeded d70dc43
💚 Build #31278 succeeded dccbc87
💚 Build #30864 succeeded a982f8e
💚 Build #30794 succeeded 272ccb1
💚 Build #29931 succeeded b40ab97

cc @brijesh-elastic

elastic-sonarqube · 2025-09-16T08:00:09Z

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
97.8% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

kcreddy

Waiting on #14907 (comment). Rest LGTM.

kcreddy

LGTM

elastic-vault-github-plugin-prod · 2025-09-18T11:10:56Z

Package sysdig - 2.2.0 containing this change is available at https://epr.elastic.co/package/sysdig/2.2.0/

Add support for cspm datastream

6246416

brijesh-elastic self-assigned this Aug 12, 2025

brijesh-elastic requested a review from a team as a code owner August 12, 2025 10:14

Update changelog entry

b40ab97

efd6 reviewed Aug 14, 2025

View reviewed changes

packages/sysdig/changelog.yml Outdated Show resolved Hide resolved

packages/sysdig/data_stream/cspm/elasticsearch/ingest_pipeline/default.yml Outdated Show resolved Hide resolved

address Dan's comment

272ccb1

efd6 approved these changes Sep 3, 2025

View reviewed changes

brijesh-elastic added 2 commits September 5, 2025 15:29

Resolve conflicts

31315ba

Update readme markdown

a982f8e

efd6 previously approved these changes Sep 7, 2025

View reviewed changes

brijesh-elastic marked this pull request as draft September 8, 2025 05:50

brijesh-elastic added 2 commits September 13, 2025 14:18

Add CSPM Overview dashboard

dccbc87

Add the URL parameter for the CSPM data stream, which uses Sysdig's C…

d70dc43

…urrent API

brijesh-elastic marked this pull request as ready for review September 13, 2025 10:05

brijesh-elastic requested a review from efd6 September 13, 2025 10:05

efd6 reviewed Sep 14, 2025

View reviewed changes

Address Dan's comment

a016792

brijesh-elastic requested a review from efd6 September 15, 2025 08:32

andrewkroh added the dashboard Relates to a Kibana dashboard bug, enhancement, or modification. label Sep 15, 2025

kcreddy reviewed Sep 15, 2025

View reviewed changes

packages/sysdig/_dev/build/docs/README.md Outdated Show resolved Hide resolved

efd6 reviewed Sep 16, 2025

View reviewed changes

Address Krishna's comments

67ec86b

brijesh-elastic requested a review from kcreddy September 16, 2025 07:16

resolve conflict

f2d4b37

kcreddy reviewed Sep 16, 2025

View reviewed changes

kcreddy mentioned this pull request Sep 16, 2025

[Sysdig Secure] New data stream: CSPM #12271

Closed

kcreddy approved these changes Sep 17, 2025

View reviewed changes

brijesh-elastic merged commit 03b6ee7 into elastic:main Sep 18, 2025
9 checks passed

brijesh-elastic mentioned this pull request Oct 8, 2025

[33 integrations] Downgrade format_version if possible #15147

Open

35 tasks

Conversation

brijesh-elastic commented Aug 12, 2025

Proposed commit message

Checklist

How to test this PR locally

Related issues

Uh oh!

elasticmachine commented Aug 12, 2025

Uh oh!

elastic-vault-github-plugin-prod bot commented Aug 12, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

🚀 Benchmarks report

Uh oh!

efd6 left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

kcreddy Sep 15, 2025

Choose a reason for hiding this comment

Uh oh!

brijesh-elastic Sep 16, 2025

Choose a reason for hiding this comment

Uh oh!

kcreddy Sep 16, 2025

Choose a reason for hiding this comment

Uh oh!

brijesh-elastic Sep 16, 2025

Choose a reason for hiding this comment

Uh oh!

kcreddy Sep 16, 2025

Choose a reason for hiding this comment

Uh oh!

chemamartinez Sep 17, 2025

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

efd6 left a comment

Choose a reason for hiding this comment

Uh oh!

elasticmachine commented Sep 16, 2025

💚 Build Succeeded

History

Uh oh!

elastic-sonarqube bot commented Sep 16, 2025

Quality Gate passed

Uh oh!

kcreddy left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

kcreddy left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

elastic-vault-github-plugin-prod bot commented Sep 18, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants

elastic-vault-github-plugin-prod bot commented Aug 12, 2025 •

edited

Loading

kcreddy left a comment •

edited

Loading