In the scope of https://github.com/elastic/kibana/issues/162974 and https://github.com/elastic/kibana/issues/153584, we successfully adapted the event-based telemetry (EBT) framework for the collection of CSP violation reports. Now that we know it works well for this use case, we can consider moving further and enhancing this reporting pipeline to cover other types of policy violation reports (e.g., Permission Policy violation reports). Additionally, we need to add more fields to the violation reports to make monitoring and investigation more efficient, so that the final document/report might look like this:
In addition to new fields, we also need to add the ingest pipeline with the following processors to make data more filterable/searchable:
User agent processor to parse the user_agent field, so that we have dedicated fields for the user agent's OS and browser, which might be beneficial while debugging OS- or browser-specific issues.
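As an added illustration (not the pipeline the analytics/telemetry team actually ships), an Elasticsearch ingest pipeline body that applies the `user_agent` processor to the report's `user_agent` field; the pipeline id and the `user_agent_parsed` target field are assumptions, and `ignore_missing` keeps reports without a user agent string from failing ingestion. It would be installed with `PUT _ingest/pipeline/kibana-security-web-policy-violations`:

```json
{
  "description": "Parse the raw user_agent string of each web policy violation report into structured OS and browser fields",
  "processors": [
    {
      "user_agent": {
        "field": "user_agent",
        "target_field": "user_agent_parsed",
        "ignore_missing": true
      }
    }
  ]
}
```

After ingestion, fields such as `user_agent_parsed.name` and `user_agent_parsed.os.name` can be used to filter violation reports by browser or OS.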
Tasks
[ ] Work with the Kibana Core team to figure out if it's possible to detect whether Kibana has any custom plugins enabled or not (required by hasCustomPlugins report field)
[x] Update Kibana code to capture new fields that don't exist yet in the violation reports (version, deploymentId, etc.)
[x] Rename all telemetry indexing jobs, EDN files, and other related telemetry-specific files for all environments to reflect that the pipeline is no longer CSP-specific (e.g. kibana-security-csp-violations.edn --> kibana-security-web-policy-violations.edn)
[x] Update telemetry EDN file to include all new and existing fields that weren't indexed before
[x] Work with the analytics/telemetry team to add ingest pipelines/ingest processors for violation reports data (e.g., user agent processor)
[ ] Work with the analytics/telemetry team to figure out if there is a way to expose our indices from the telemetry cluster to the main overview cluster to have a unified view of the Elastic deployments' health. If it's not possible, we can consider logging certain violation reports using a normal logger (after filtering out expected violations) so that the logs are immediately available in the overview cluster.