
[Entro Security] Initial release of the Entro Security Integration #14477


Status: Open. Wants to merge 5 commits into base branch main.

Conversation

@robester0403 commented Jul 10, 2025

Proposed commit message

The initial release includes an audit data stream with its associated components:
- Added data collection logic for the audit logs data stream.
- Added the ingest pipeline for audit logs.
- Mapped fields according to the ECS schema and added fields metadata in the appropriate yml files.
- Added dashboards and visualizations.
- Added pipeline tests for all the data streams.
- Added system test cases for all the data streams.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices.

How to test this PR locally

1. Clone the integrations repo.
2. Install elastic-package locally.
3. Start the Elastic stack using elastic-package.
4. Move to the integrations/packages/entro directory.
5. Run the following command to run the tests:

elastic-package test



@robester0403 robester0403 added dashboard Relates to a Kibana dashboard bug, enhancement, or modification. New Integration Issue or pull request for creating a new integration package. labels Jul 10, 2025
@robester0403 robester0403 requested review from a team as code owners July 10, 2025 00:01
@robester0403 robester0403 added Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] Integration:entro [Integration not found in source] labels Jul 10, 2025
@elasticmachine commented:

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

Comment on lines 17 to 23
## Requirements
You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it. You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your own hardware.

This integration has the following third-party requirements:

- An active Entro Security platform subscription.
- An API Token generated from the Entro Security platform with permissions to access the audit log endpoints.
Contributor:
Please make this match the conventions used in #13573.

"date": "2025-06-27T20:12:44.000Z"
}
]
`}}
Contributor:

Add final new line.

Contributor:

Not quite done; the file now has a final whitespace indent. I suspect your editor was being Helpful™.

Comment on lines 60 to 63
on_failure:
  - set:
      field: error.message
      value: '{{ _ingest.on_failure_message }}'
Contributor:

Suggested change: replace

on_failure:
  - set:
      field: error.message
      value: '{{ _ingest.on_failure_message }}'

with

on_failure:
  - set:
      field: event.kind
      value: pipeline_error
  - append:
      field: tags
      value: preserve_original_event
      allow_duplicates: false
  - append:
      field: error.message
      value: >-
        Processor '{{{ _ingest.on_failure_processor_type }}}'
        {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
        {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}'

and please make sure there is a final new line.
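A pre-review check for the two points raised in these comments (file termination, and the shape of the global on_failure handler), as an added example that is not part of this PR or of elastic-package. It assumes the pipeline YAML has already been parsed into Python dicts (for instance with PyYAML); the two sample pipelines embedded below are constructed from the snippets quoted in the review.

```python
"""Pre-review lint for an integration package (added example, not part of the
PR or of elastic-package): checks the file-termination and on_failure points
raised in the review. Pipelines are passed as already-parsed YAML (dicts)."""
from typing import Any

REQUIRED_TAG = "preserve_original_event"

def newline_problems(content: str) -> list[str]:
    """Flag a missing final newline, an extra blank line, or a whitespace-only final line."""
    problems = []
    if not content.endswith("\n"):
        problems.append("missing final newline")
    elif content.endswith("\n\n"):
        problems.append("extra blank line at end of file")
    body = content[:-1] if content.endswith("\n") else content
    last_line = body.rsplit("\n", 1)[-1]
    if last_line and not last_line.strip():  # the 'Helpful editor' indent case
        problems.append("final line is whitespace only")
    return problems

def on_failure_problems(pipeline: dict[str, Any]) -> list[str]:
    """Compare the global on_failure handler with the reviewer's suggested shape."""
    problems = []
    handlers = pipeline.get("on_failure") or []
    sets = [p["set"] for p in handlers if "set" in p]
    appends = [p["append"] for p in handlers if "append" in p]
    if not any(s.get("field") == "event.kind" and s.get("value") == "pipeline_error"
               for s in sets):
        problems.append("does not set event.kind: pipeline_error")
    tag = next((a for a in appends if a.get("field") == "tags"), None)
    if tag is None or tag.get("value") != REQUIRED_TAG:
        problems.append(f"does not append tag {REQUIRED_TAG}")
    elif tag.get("allow_duplicates", True):
        problems.append("tags append must set allow_duplicates: false")
    msg = next((a for a in appends if a.get("field") == "error.message"), None)
    if msg is None:  # a plain set would overwrite errors from earlier processors
        problems.append("does not append to error.message")
    elif "_ingest.on_failure_processor_type" not in str(msg.get("value", "")):
        problems.append("error.message does not name the failing processor")
    return problems

# Constructed inputs: the handler as submitted, and the reviewer's suggestion.
ORIGINAL = {"on_failure": [{"set": {"field": "error.message",
                                     "value": "{{ _ingest.on_failure_message }}"}}]}
SUGGESTED = {"on_failure": [
    {"set": {"field": "event.kind", "value": "pipeline_error"}},
    {"append": {"field": "tags", "value": REQUIRED_TAG, "allow_duplicates": False}},
    {"append": {"field": "error.message", "value": "Processor '{{{ _ingest.on_failure_processor_type }}}' failed with message '{{{ _ingest.on_failure_message }}}'"}},
]}
```

Run `on_failure_problems` over each `default.yml` and `newline_problems` over every text file in the package before requesting review; an empty list means the file is clean.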

@efd6 (Contributor) Jul 11, 2025:

Same file termination problem here.

  type: group
  fields:
    - name: value
      type: keyword
Contributor:

Final new line.

Contributor:

Also here.

@elastic-vault-github-plugin-prod commented:

🚀 Benchmarks report

To see the full report, comment with /test benchmark fullreport

@andrewkroh andrewkroh added the documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. label Jul 10, 2025
… issue, removed license, adjusted readme, regenerated tests, and fixed CEL & default.yml
@robester0403 (Author):

@efd6 I resolved the simpler issues I fixed in my last commit and left some open. These are still fixed but might be good to keep open in the conversation thread.

@efd6 (Contributor) commented Jul 11, 2025

This will need to have elastic-package build run to update the docs.

preserve_original_event: true
preserve_duplicate_custom_fields: true
assert:
  hit_count: 8
Contributor:

Add final new line.

@robester0403 robester0403 force-pushed the entro_security-0.1.0 branch from 70bbbb5 to e9e520b Compare July 11, 2025 13:30
@elasticmachine commented:

💚 Build Succeeded

Development: successfully merging this pull request may close the issue "[New Integration] Entro".

4 participants