[Automatic Import] CEL input program validation

elastic / kibana

Your window into the Elastic Stack

https://www.elastic.co/products/kibana

Other

19.61k stars 8.22k forks source link

[Automatic Import] CEL input program validation #197652

Open ebeahan opened 1 week ago

ebeahan commented 1 week ago

The goal of this would be to expand upon validation. In the base phase, we have basic support for running mito, but now we'd need to focus on how to update the program if any errors occur.

Requirements:

Add validation prompt(s) to update the program upon finding any errors in celfmt output

elasticmachine commented 1 week ago

Pinging @elastic/security-scalability (Team:Security-Scalability)

bhapas commented 1 week ago

Looked around little bit regarding the agent Action to perform this job. Possible route could be:

Create an INPUT_ACTION Action Handler in fleet similar to this osquerybeat example
This can be used to trigger a FleetActionRequest
This goes to the Agent Action Handler and from there an Application ActionRequest should be called.
Filebeat has ability to add Action Handler which can be used to execute specific action similar to how osquery has done

ebeahan commented 2 days ago

@bhapas is investigating using TinyGo to compile https://github.com/elastic/celfmt to WebAssembly and lazy load as a Kibana dependency.