Closed: akshay-saraswat closed this issue 2 years ago
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
@alexfrancoeur the OSquery Manager and Endpoint Security integrations are probably two edge cases we have, in that they aren't our typical event based integrations. Any objections to leaving them as-is? cc: @melissaburpo
This is what we have for the current packages owned by elastic/security-external-integrations as of 2b9b33118ae471917c0b82b0adf81593cb3ddb12.
Title | Desc |
---|---|
Auditd | This Elastic integration collects and parses logs from the Audit daemon (auditd) |
Barracuda | This Elastic integration collects logs from Barracuda devices |
Blue Coat Director | This Elastic integration collects Blue Coat Director logs |
VMware Carbon Black EDR | Carbon Black EDR Integration |
CEF | This Elastic integration collects logs in common event format (CEF) |
Check Point | This Elastic integration collects logs from Check Point products |
Cisco - Deprecated | Cisco - Deprecated: Use the more specific Cisco packages available |
Cisco ASA | This Elastic integration collects logs from Cisco ASA network devices |
Cisco Duo | This Elastic integration collects logs from Cisco Duo |
Cisco FTD | This Elastic integration collects logs from Cisco Firepower Threat Defence (FTD) |
Cisco IOS | This Elastic integration collects logs from Cisco IOS devices |
Cisco Meraki | This Elastic integration collects logs from Cisco Meraki network devices |
Cisco Nexus | This Elastic integration collects logs from Cisco Nexus switches |
Cisco Secure Endpoint (AMP) | This Elastic integration collects logs from Cisco Secure Endpoint (formerly Cisco AMP) |
Cisco Umbrella | This Elastic integration collects logs from Cisco Umbrella |
Cloudflare | Cloudflare Integration |
CrowdStrike | This Elastic integration collects logs from CrowdStrike products |
Cyber-Ark - Deprecated | Cyber-Ark Integration - Deprecated: Use 'CyberArk Privileged Access Security' instead. |
CyberArk Privileged Access Security | This Elastic integration collects logs from CyberArk |
CylanceProtect | This Elastic integration collects logs from CylanceProtect |
F5 | This Elastic integration collects logs from F5 |
Fortinet | This Elastic integration collects logs from Fortinet instances |
Google Cloud Platform (GCP) | This Elastic integration collects logs from various Google Cloud Platform (GCP) services |
Google Workspace | This Elastic integration collects logs from Google Workspace APIs |
Hashicorp Vault | Collect logs and monitor Hashicorp Vault. |
Imperva SecureSphere | This Elastic integration collects logs from Imperva SecureSphere |
Infoblox NIOS | This Elastic integration collects logs from Infoblox NIOS |
Iptables | This Elastic integration collects logs from Iptables instances |
Juniper | This Elastic integration collects logs from Juniper |
Microsoft | This Elastic integration collects logs from Microsoft products |
Microsoft Defender for Endpoint | This Elastic integration collects logs from Microsoft Defender for Endpoint |
Microsoft DHCP | Collect logs from Microsoft DHCP. |
NetFlow | This Elastic integration collects logs from NetFlow |
Arbor Peakflow SP | This Elastic integration collects logs from Arbor Peakflow SP |
Network Packet Capture | This Elastic integration captures and analyzes network traffic. |
Office 365 | This Elastic integration collects events from Microsoft Office 365 |
Okta | This Elastic integration collects events from Okta |
Osquery Log Collection | This Elastic integration collects logs from Osquery instances |
Palo Alto Networks | Palo Alto Networks Integration |
Palo Alto Cortex XDR | Palo Alto Cortex XDR Integration |
pfSense | pfSense Integration |
Proofpoint Email Security | This Elastic integration collects logs from Proofpoint Email Security |
Radware DefensePro | This Elastic integration collects logs from Radware DefensePro |
Google Santa | This Elastic integration collects logs from Google Santa instances |
Snort | This Elastic integration collects events from Snort instances |
Sonicwall-FW | This Elastic integration collects logs from Sonicwall-FW |
Sophos | This Elastic integration collects logs from Sophos |
Squid | This Elastic integration collects logs from Squid |
Suricata | This Elastic integration collects events from Suricata instances |
Apache Tomcat | This Elastic integration collects logs from Apache Tomcat |
Custom Windows event logs | This Elastic integration collects custom Windows event logs |
Zeek | This Elastic integration collects logs from Zeek |
ZeroFox | ZeroFox Cloud Platform |
Zoom | This Elastic integration collects logs from Zoom |
Zscaler NSS | This Elastic integration collects logs from Zscaler |
Generated with:

```shell
yq eval -j '{"owner": .owner.github, "title": .title, "desc": .description}' */manifest.yml \
  | jq -c \
  | grep 'elastic/security-external-integrations' \
  | jq '{"title": .title, "desc": .desc}' \
  | jq -r '"|" + .title + "|" + .desc + "|"'
```
I have started a Sheet with this content above to use for tracking the proposed changes.
https://docs.google.com/spreadsheets/d/1R7Tx3Gpz8Ql5IRbC-fPEDM07rsTw69auA6g7JiGmEJ8/edit?usp=sharing
sorry for the bump @alexfrancoeur - just in case you missed this question on Endpoint/OSquery integrations - https://github.com/elastic/integrations/issues/1900#issuecomment-941100420
@jamiehynds thank you for the bump, I missed this the first time around 😉
There are a few integrations that don't map directly to beats / agent ingest. EMS boundaries, sample data and file upload to name a few. We are addressing those here. If we can, I think we could fine tune to align with the guidelines as much as possible. I've taken a stab at applying these below as an example.
With the amount of time we have before FF, I'd be fine with leaving the descriptions as-is. But if we can apply the guidelines, it'd be great for alignment. How the guidelines are applied is completely up to the team.
Current Title | Current Description | New Title | New Description |
---|---|---|---|
Osquery Manager | This Elastic integration lets you centrally manage osquery deployments, run live queries and schedule recurring queries | Osquery Manager | Centrally manage and query osquery deployments with Elastic Agent. |
Endpoint Security | Protect your hosts with threat prevention, detection and deep security visibility | Endpoint Security | Protect your hosts with threat prevention, detection and deep security visibility with Elastic Agent. |
@melissaburpo & @bradenlpreston you both ok to update the Osquery and Endpoint integrations as per Alex's comments above?
To make the titles and descriptions better, we want to split these packages:
What sort of title description do we want applied to packages that are deprecated? This is what we currently have as descriptions (this is also shown in the spreadsheet linked by me above).
The "Microsoft" package is in the process of being deprecated. As will both Juniper and Fortinet after they are split.
Thanks for raising @andrewkroh that's a great question. @dborodyansky @KOTungseth @gchaps any suggestions on how our integration text guidelines should highlight deprecated integrations?
@andrewkroh I looked at the descriptions in the google sheet. Our deprecation guidelines suggest this format:
Deprecated. Use Xyz to do the thing.
Cisco Deprecated. Use a specific Cisco package instead.
Cyber-Ark Integration Deprecated. Use CyberArk Privileged Access Security instead.
(No need for single quotes in the above message.)
Do these cards have a deprecated label (similar to the Beta label in the Osquery card above)? If so, we probably don't need the word "Deprecated" in the description.
Hi @jamiehynds, @alexfrancoeur - I chatted with @gchaps about the proposed description update for Osquery Manager, and I think we'd like to go with something more like this:
Deploy osquery to Elastic Agent, then run and monitor queries in Kibana
@jamiehynds - is this something our team should take care of, or is your team going to do this as part of one big update? We're happy to help, if needed.
Thanks all!
I suppose that we need to figure out the potential formal spec changes too (mark package as deprecated). Highlighting that a package is deprecated just by adding a label or caption in the Kibana UI doesn't sound bulletproof to me.
Would you mind sharing your thoughts on https://github.com/elastic/package-spec/issues/227, so we can come up with a PR/proposal?
I was doing a final review and some things got merged while we were working this and they are not correct. Also there was an issue with one of the ones we did change. So we'll need to fix these:
Title | Desc |
---|---|
1Password Events Reporting | This Elastic integration collects events from 1Password Events Reporting. |
GitHub | GitHub Integration |
Network Packet Capture | Collect logs from Network Packet Capture with Elastic Agent. |
AbuseCH API | This Elastic integration collects threat intelligence from AbuseCH API endpoints |
Anomali | This Elastic integration collects events from Anomali |
Alienvault OTX | This Elastic integration collects threat intelligence from Alienvault OTX API endpoints |
This should be the final result after https://github.com/elastic/integrations/pull/1997 is merged.
Title | Desc |
---|---|
1Password Events Reporting | Collect events from 1Password Events API with Elastic Agent. |
AbuseCH | Collect threat intelligence from AbuseCH API with Elastic Agent. |
AlienVault OTX | Collect threat intelligence from AlienVault OTX with Elastic Agent. |
Anomali | Collect threat intelligence from Anomali APIs with Elastic Agent. |
Apache Tomcat | Collect logs from Apache Tomcat with Elastic Agent. |
Arbor Peakflow SP | Collect logs from Arbor Peakflow SP with Elastic Agent. |
Auditd | Collect logs from the Linux auditd daemon with Elastic Agent. |
Barracuda | Collect logs from Barracuda with Elastic Agent. |
Blue Coat Director | Collect logs from Blue Coat Director with Elastic Agent. |
CEF Logs | Collect logs from CEF Logs with Elastic Agent. |
Check Point | Collect logs from Check Point with Elastic Agent. |
Cisco ASA | Collect logs from Cisco ASA with Elastic Agent. |
Cisco Duo | Collect logs from Cisco Duo with Elastic Agent. |
Cisco FTD | Collect logs from Cisco FTD with Elastic Agent. |
Cisco IOS | Collect logs from Cisco IOS with Elastic Agent. |
Cisco Meraki | Collect logs from Cisco Meraki with Elastic Agent. |
Cisco Nexus | Collect logs from Cisco Nexus with Elastic Agent. |
Cisco Secure Endpoint (AMP) | Collect logs from Cisco Secure Endpoint (AMP) with Elastic Agent. |
Cisco Umbrella | Collect logs from Cisco Umbrella with Elastic Agent. |
Cisco | Deprecated. Use a specific Cisco package instead. |
Cloudflare | Collect logs from Cloudflare with Elastic Agent. |
CrowdStrike Falcon | Collect logs from CrowdStrike Falcon with Elastic Agent. |
Custom Windows event logs | Collect event logs from Windows with Elastic Agent. |
Cyber-Ark | Deprecated. Use CyberArk Privileged Access Security instead. |
CyberArk Privileged Access Security | Collect logs from CyberArk Privileged Access Security with Elastic Agent. |
CylancePROTECT | Collect logs from CylancePROTECT with Elastic Agent. |
F5 BIG-IP | Collect logs from F5 BIG-IP with Elastic Agent. |
Fortinet | Collect logs from Fortinet software with Elastic Agent. |
GitHub | Collect events from GitHub with Elastic Agent. |
Google Cloud Platform | Collect logs from Google Cloud Platform with Elastic Agent. |
Google Santa | Collect logs from Google Santa with Elastic Agent. |
Google Workspace | Collect logs from Google Workspace with Elastic Agent. |
Hashicorp Vault | Collect logs from Hashicorp Vault with Elastic Agent. |
Imperva SecureSphere | Collect logs from Imperva SecureSphere with Elastic Agent. |
Infoblox NIOS | Collect logs from Infoblox NIOS with Elastic Agent. |
Iptables | Collect logs from Iptables with Elastic Agent. |
Juniper | Collect logs from Juniper devices with Elastic Agent. |
Microsoft DHCP | Collect logs from Microsoft DHCP with Elastic Agent. |
Microsoft Defender for Endpoint | Collect logs from Microsoft Defender for Endpoint with Elastic Agent. |
Microsoft | Deprecated. Use a specific Microsoft package instead. |
NetFlow | Collect logs from NetFlow with Elastic Agent. |
Network Packet Capture | Collect packets from network interfaces with Elastic Agent. |
Office 365 | Collect logs from Office 365 with Elastic Agent. |
Okta | Collect logs from Okta with Elastic Agent. |
Osquery | Collect logs from Osquery with Elastic Agent. |
Palo Alto Cortex XDR | Collect logs from Palo Alto Cortex XDR with Elastic Agent. |
Palo Alto PAN-OS | Collect logs from Palo Alto PAN-OS with Elastic Agent. |
Proofpoint Email Security | Collect logs from Proofpoint Email Security with Elastic Agent. |
Radware DefensePro | Collect logs from Radware DefensePro with Elastic Agent. |
Snort | Collect logs from Snort with Elastic Agent. |
SonicWall FW | Collect logs from SonicWall FW with Elastic Agent. |
Sophos | Collect logs from Sophos with Elastic Agent. |
Squid | Collect logs from Squid with Elastic Agent. |
Suricata | Collect logs from Suricata with Elastic Agent. |
VMware Carbon Black EDR | Collect logs from VMware Carbon Black EDR with Elastic Agent. |
Zeek | Collect logs from Zeek with Elastic Agent. |
ZeroFox | Collect logs from ZeroFox with Elastic Agent. |
Zoom | Collect logs from Zoom with Elastic Agent. |
Zscaler NSS | Collect logs from Zscaler NSS with Elastic Agent. |
pfSense | Collect logs from pfSense with Elastic Agent. |
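As an added example (not code from the elastic/integrations repository or from anyone in this thread), here is a Python equivalent of the yq/jq pipeline used to generate the tables above, extended to lint each owned package's description against the two conventions settled on in this thread: "Collect <what> from <product> with Elastic Agent." for event integrations and "Deprecated. Use <replacement> instead." for deprecated packages. The manifests are constructed inline for the example, the manifest reader handles only the flat keys the check needs (real manifests should be loaded with a YAML library), and the owner string `elastic/other-team` is a placeholder.

```python
"""Lint Elastic integration manifests for the title/description conventions
from this thread.  Added example, not code from the elastic/integrations repo.

read_manifest() handles only the flat subset of manifest.yml needed here
(title, description, owner.github); load real manifests with a YAML library.
"""
import re
from typing import Dict, List, Tuple

OWNER = "elastic/security-external-integrations"

# Conventions agreed in the thread: event integrations read
#   "Collect <what> from <product> with Elastic Agent."
# and deprecated packages read
#   "Deprecated. Use <replacement> instead."
ACTIVE_RE = re.compile(r"^Collect .+ from .+ with Elastic Agent\.$")
DEPRECATED_RE = re.compile(r"^Deprecated\. Use .+\.$")

# Constructed sample manifests (not real repo content).  They mix the old
# "This Elastic integration ..." wording, the old deprecation wording and the
# new conventions.  "elastic/other-team" is a placeholder owner.
SAMPLE_MANIFESTS: Dict[str, str] = {
    "cisco_asa": (
        "format_version: 1.0.0\n"
        "name: cisco_asa\n"
        "title: Cisco ASA\n"
        "description: Collect logs from Cisco ASA with Elastic Agent.\n"
        "categories:\n"
        "  - security\n"
        "owner:\n"
        "  github: elastic/security-external-integrations\n"
    ),
    "cisco": (
        "name: cisco\n"
        "title: Cisco - Deprecated\n"
        'description: "Cisco - Deprecated: Use the more specific Cisco packages available"\n'
        "owner:\n"
        "  github: elastic/security-external-integrations\n"
    ),
    "barracuda": (
        "name: barracuda\n"
        "title: Barracuda\n"
        "description: This Elastic integration collects logs from Barracuda devices\n"
        "owner:\n"
        "  github: elastic/security-external-integrations\n"
    ),
    "cyberark": (
        "name: cyberark\n"
        "title: Cyber-Ark\n"
        "description: Deprecated. Use CyberArk Privileged Access Security instead.\n"
        "owner:\n"
        "  github: elastic/security-external-integrations\n"
    ),
    "osquery_manager": (
        "name: osquery_manager\n"
        "title: Osquery Manager\n"
        "description: Deploy osquery to Elastic Agent, then run and monitor queries in Kibana\n"
        "owner:\n"
        "  github: elastic/other-team\n"
    ),
}


def read_manifest(text: str) -> Dict[str, str]:
    """Minimal reader: top-level 'key: value' lines plus one level of nesting,
    stored as 'section.key' (e.g. 'owner.github').  Splits on the first ':'
    only, so descriptions containing colons survive intact."""
    out: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")
        value = value.strip().strip('"').strip("'")
        if indent == 0:
            section = key if value == "" else None
            if value:
                out[key] = value
        elif section is not None:
            out[f"{section}.{key}"] = value
    return out


def owned_packages(manifests: Dict[str, str], owner: str = OWNER) -> List[Tuple[str, Dict[str, str]]]:
    """Packages whose owner.github matches, in manifest order (the grep step)."""
    found = []
    for pkg, text in manifests.items():
        m = read_manifest(text)
        if m.get("owner.github") == owner:
            found.append((pkg, m))
    return found


def render_table(manifests: Dict[str, str], owner: str = OWNER) -> List[str]:
    """The '|title|desc|' rows the jq pipeline prints."""
    return [f"|{m.get('title', pkg)}|{m.get('description', '')}|"
            for pkg, m in owned_packages(manifests, owner)]


def lint(manifests: Dict[str, str], owner: str = OWNER) -> List[Tuple[str, str, str]]:
    """(package, title, problem) for each owned package whose description
    follows neither convention."""
    problems = []
    for pkg, m in owned_packages(manifests, owner):
        desc = m.get("description", "")
        title = m.get("title", pkg)
        if ACTIVE_RE.match(desc) or DEPRECATED_RE.match(desc):
            continue
        if "deprecated" in desc.lower():
            problems.append((pkg, title, "deprecated package should read 'Deprecated. Use <replacement> instead.'"))
        elif desc.lower().startswith("this elastic integration"):
            problems.append((pkg, title, "old-style description, should read 'Collect <what> from <product> with Elastic Agent.'"))
        else:
            problems.append((pkg, title, f"description follows neither convention: {desc!r}"))
    return problems


if __name__ == "__main__":
    for row in render_table(SAMPLE_MANIFESTS):
        print(row)
    for pkg, title, problem in lint(SAMPLE_MANIFESTS):
        print(f"{pkg} ({title}): {problem}")
```

Run against real manifests, this flags the old "This Elastic integration ..." wording and the old "X - Deprecated: ..." wording while letting the new forms through. Non-event packages such as Osquery Manager, whose descriptions intentionally do not start with "Collect", are also flagged, so a check like this needs an allowlist for the edge cases discussed above.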
All of the packages with owner: elastic/security-external-integrations have been updated and @melissaburpo updated the osquery_manager package (btw @melissaburpo I recommend setting the owner in the osquery_manager manifest.yml to your team's name).
In 7.16, we are planning to introduce the unified integrations view. The primary goal of this view is to improve the discoverability for all data ingest options at Elastic. As part of this initiative, we'd like to improve the titles and descriptions of each integration card and do so in a uniform way.
Guidelines
These are the general guidelines we plan to use for the integration cards
Elastic Agent example
Here's an example of how agent can leverage these guidelines, but please follow the guidelines as you see fit.