
aws: optimise cloudtrail field retention work #14441


Open
wants to merge 9 commits into
base: main
from

Conversation

efd6
Contributor

@efd6 efd6 commented Jul 8, 2025

Proposed commit message

aws: optimise cloudtrail field retention work

In #14236 we allowed users to select which extended fields they wanted
to retain in order to reduce storage costs in cases where they did not
want the full set of capacities that the data stream can provide. We
did not however prevent the work of collecting those unwanted fields.
This change does that, avoiding retaining fields that will ultimately
not be kept if possible.

It is unfortunate that the wide variety of fields is needed at all, but
resolving that depends on improving platform support for the diversity
of fields that the data source provides and then making more efficient
use of those improvements in the detection rules. Until then, this is
what we have.

Note

Best reviewed commitwise.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

  • [ ]

How to test this PR locally

Related issues

Screenshots
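The distinction the description draws, between removing unwanted extended fields after they have been computed ("post facto remove") and never computing them in the first place ("preemptive non-add"), is easy to see in a small simulation. The following is an added example, not code from the elastic/integrations project: the event, the extended field names and the derivation functions are all constructed stand-ins, and the retention set stands in for the user-selected list introduced in #14236. It counts how many derivations each strategy performs and checks that both produce the same document.

```python
"""Added example (not from the integration): compare two ways of honouring a
user-selected retention set for derived "extended" fields.

Both strategies must yield the same final document; they differ only in how
much derivation work is done before the unwanted fields disappear.
"""

from typing import Callable, Dict, Set, Tuple

# Constructed sample record in the shape of a CloudTrail event (not real data).
SAMPLE_EVENT: dict = {
    "eventName": "GetObject",
    "userIdentity": {"type": "IAMUser", "userName": "alice"},
    "requestParameters": {"bucketName": "example-bucket", "key": "a.txt"},
}

# Global work counter so the cost of each strategy can be measured.
WORK_DONE: Dict[str, int] = {"derivations": 0}


def _derive_request_parameters(ev: dict) -> dict:
    WORK_DONE["derivations"] += 1
    return dict(ev.get("requestParameters", {}))


def _derive_identity_type(ev: dict) -> str:
    WORK_DONE["derivations"] += 1
    return ev.get("userIdentity", {}).get("type", "")


def _derive_identity_name(ev: dict) -> str:
    WORK_DONE["derivations"] += 1
    return ev.get("userIdentity", {}).get("userName", "")


# Constructed extended-field names (hypothetical, not the integration's mapping).
DERIVATIONS: Dict[str, Callable[[dict], object]] = {
    "extended.request_parameters": _derive_request_parameters,
    "extended.user_identity.type": _derive_identity_type,
    "extended.user_identity.user_name": _derive_identity_name,
}


def validate_retention(keep: Set[str]) -> None:
    """Reject retention entries that name no known extended field, so a typo in
    the user's list fails loudly instead of silently retaining nothing."""
    unknown = keep - DERIVATIONS.keys()
    if unknown:
        raise ValueError(f"unknown extended fields in retention list: {sorted(unknown)}")


def post_facto_remove(event: dict, keep: Set[str]) -> dict:
    """Strategy 1: compute every extended field, then drop the unwanted ones."""
    validate_retention(keep)
    out = {name: fn(event) for name, fn in DERIVATIONS.items()}
    for name in list(out):
        if name not in keep:
            del out[name]
    return out


def preemptive_non_add(event: dict, keep: Set[str]) -> dict:
    """Strategy 2: only compute the fields the user asked to retain."""
    validate_retention(keep)
    return {name: fn(event) for name, fn in DERIVATIONS.items() if name in keep}


def compare(event: dict, keep: Set[str]) -> Tuple[int, int]:
    """Run both strategies on one event; return (work_remove, work_non_add).

    Raises AssertionError if the two strategies disagree on the output, which
    is the invariant an optimisation like this must preserve.
    """
    WORK_DONE["derivations"] = 0
    removed = post_facto_remove(event, keep)
    work_remove = WORK_DONE["derivations"]

    WORK_DONE["derivations"] = 0
    skipped = preemptive_non_add(event, keep)
    work_non_add = WORK_DONE["derivations"]

    assert removed == skipped, "strategies must produce identical documents"
    return work_remove, work_non_add


if __name__ == "__main__":
    keep_one = {"extended.user_identity.user_name"}
    print(compare(SAMPLE_EVENT, keep_one))          # (3, 1)
    print(compare(SAMPLE_EVENT, set(DERIVATIONS)))  # (3, 3): nothing to save
```

With a single retained field the post-facto strategy still runs all three derivations, while the preemptive one runs only the derivation for that field; when every field is retained the two cost the same, which is the case the description acknowledges cannot be improved until the platform supports the field diversity better.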

@efd6 efd6 self-assigned this Jul 8, 2025
@efd6 efd6 added enhancement New feature or request Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] labels Jul 8, 2025
@elastic-vault-github-plugin-prod

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

Member

@romulets romulets left a comment


Great work! A few comments, but I really love the consistency changes!

@efd6
Contributor Author

efd6 commented Jul 8, 2025

/test

@efd6 efd6 marked this pull request as ready for review July 9, 2025 02:04
@efd6 efd6 requested review from a team as code owners July 9, 2025 02:04
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@andrewkroh andrewkroh added the Team:Obs-InfraObs Observability Infrastructure Monitoring team [elastic/obs-infraobs-integrations] label Jul 9, 2025
@Mikaayenson
Contributor

Mikaayenson commented Jul 9, 2025

@efd6 qq: Can you use the required_fields that are autogenerated and populated with the AWS rules artifact and sent upstream to Kibana (vs statically using a list in the integration)?

@efd6
Contributor Author

efd6 commented Jul 9, 2025

It's not clear to me how that would be achieved.

@cpascale43

Hey @efd6 - if they remove fields will this have an impact on dashboards/rules? If so, can we make a plan to document this somewhere?

@efd6
Contributor Author

efd6 commented Jul 14, 2025

@cpascale43 This change does not remove fields. That was already done in #14236. This just changes the time that the removal is done, from being a post facto remove, to a preemptive non-add. The change linked above shows the documentation that is presented to the user.

@efd6
Contributor Author

efd6 commented Jul 14, 2025

This change is already starting to rot due to the complexity of the code here.

@efd6
Contributor Author

efd6 commented Jul 14, 2025

/test

@elasticmachine

💚 Build Succeeded


cc @efd6

Labels
enhancement New feature or request Integration:aws AWS Team:Obs-InfraObs Observability Infrastructure Monitoring team [elastic/obs-infraobs-integrations] Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations]
Projects
None yet
Development

Successfully merging this pull request may close these issues.

aws: optimise cloudtrail ingest pipeline for cases where fruitless work is done
6 participants