[corelight] initial release of Corelight #11288
base: main
💚 CLA has been signed

## Prerequisites:

**Add ECS Mappings**: Start by adding the ECS (Elastic Common Schema) mappings from the [Corelight GitHub repository](https://github.com/corelight). You can find the required templates here: [Corelight ECS Templates](https://github.com/corelight/ecs-templates). These mappings will ensure that Corelight data is correctly formatted and aligned with Elastic's schema.
Why are users being asked to manually download the input ECS mappings from GitHub? The ingest pipeline can be included with the integration to avoid this additional step. Any reason why we can't include the ingest pipeline as part of the integration (in line with all other integrations)?
Corelight have mapped custom mappings differently in their GitHub repo; also, they have Elastic as a configuration page where they have built a pipeline along with ECS mappings for the fields, so the only ask from them is to build dashboards in line with the dashboards for other vendors (Splunk, Looker etc.).
/test
Quality Gate passed
💚 Build Succeeded
@jamiehynds Are we okay to start review for this PR, please?
@kcreddy Are you ok to review this PR for Corelight (developed by Crest)? Would be great to understand if the work you had done previously with Corelight could be leveraged here. The current workflow goes against the experience of most integrations, as you're required to manually download the mappings from GitHub.
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)
The integration is unconventional and requests users to install assets such as mappings, settings, templates, ingest pipelines, etc. using an installation script provided by Corelight.
Although the Corelight repositories (providing the script and assets) are well-maintained, it should be noted and documented that this integration only provides dashboards and nothing more. The users are responsible for the updates and have to frequently check and update assets from the script provided by the Corelight repository. This should also be documented in the README.
Also it should be documented that any issues with the installation during initial setup or updates must be followed up with Corelight, as we don't own them. This applies to any non-dashboard issues.
In the future, if we were to add some or all of these assets to our integration, users will need to manually delete existing stale Corelight assets.
cc: @jamiehynds
[Corelight](https://corelight.com/) provides network detection and response (NDR) solutions that enhance visibility, threat detection, and incident response by leveraging open-source technologies like Zeek. Its platform integrates with existing security tools to deliver high-fidelity network data, helping organizations detect and respond to threats more effectively across both on-premises and cloud environments.

This integration includes only the Corelight dashboards for Security Posture, Remote Activity Insights, Name Resolution Insights, and Secure Channel Insights.
Can you add a bulleted list?
**Send Data from Corelight to Elastic**: Once the ECS mappings are in place, configure Corelight to send data directly to your Elastic environment.
This needs to be explained step-by-step.
**Note**: Use the default index (logs-*) name instead of a custom index.
I don't get this. Where do users set this? This can be explained better.
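Because the README's prerequisites (Corelight's ECS index templates and ingest pipelines installed out of band, data landing in the default `logs-*` data streams) are not enforced by the package itself, an operator has to verify them by hand before the dashboards will show anything. The script below is an added illustration of that check; it is not part of this PR or of Corelight's own tooling. It reads the cluster's `GET _index_template` and `GET _ingest/pipeline` responses (real Elasticsearch API shapes), lists the Corelight-named assets, and flags any template whose index pattern is not under `logs-*`, which a dashboard querying `logs-*` would never see. All template and pipeline names in the embedded sample data are invented; the `ES_URL` environment variable is an assumption for pointing it at a real, unauthenticated development cluster.

```python
"""Verify that Corelight-provided Elasticsearch assets are installed and target logs-*.

Added example for this PR discussion, not code from the integration or from Corelight.
Sample responses are constructed; asset names in them are made up.
"""
import json
import os
import urllib.request
from typing import Dict, List

# Constructed sample of a `GET _index_template` response. The structure follows the
# Elasticsearch API; the template names and patterns are invented for this example.
SAMPLE_INDEX_TEMPLATES = {
    "index_templates": [
        {"name": "corelight-ecs-conn",
         "index_template": {"index_patterns": ["logs-corelight.conn-*"]}},
        {"name": "corelight-ecs-dns",
         "index_template": {"index_patterns": ["logs-corelight.dns-*"]}},
        {"name": "corelight-legacy",  # custom index name, not under logs-*
         "index_template": {"index_patterns": ["corelight-*"]}},
        {"name": "logs",
         "index_template": {"index_patterns": ["logs-*-*"]}},
    ]
}

# Constructed sample of a `GET _ingest/pipeline` response (keys are pipeline names).
SAMPLE_PIPELINES = {
    "corelight-ecs-main": {"processors": [{"set": {"field": "event.module", "value": "corelight"}}]},
    "logs-system.syslog-1.0.0": {"processors": []},
}


def corelight_index_templates(resp: dict) -> Dict[str, List[str]]:
    """Map each index template whose name mentions Corelight to its index patterns."""
    found: Dict[str, List[str]] = {}
    for tpl in resp.get("index_templates", []):
        name = tpl.get("name", "")
        if "corelight" in name.lower():
            found[name] = list(tpl.get("index_template", {}).get("index_patterns", []))
    return found


def corelight_pipelines(resp: dict) -> List[str]:
    """Names of ingest pipelines that mention Corelight, sorted for stable output."""
    return sorted(name for name in resp if "corelight" in name.lower())


def templates_outside_logs(templates: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Templates with at least one pattern not under logs-*; dashboards on logs-* miss these."""
    offending: Dict[str, List[str]] = {}
    for name, patterns in templates.items():
        bad = [p for p in patterns if not p.startswith("logs-")]
        if bad:
            offending[name] = bad
    return offending


def check_cluster(index_templates: dict, pipelines: dict) -> dict:
    """Combine the three checks into one report; ok is True only when all pass."""
    templates = corelight_index_templates(index_templates)
    report = {
        "templates": templates,
        "pipelines": corelight_pipelines(pipelines),
        "outside_logs": templates_outside_logs(templates),
    }
    report["ok"] = bool(templates) and bool(report["pipelines"]) and not report["outside_logs"]
    return report


def fetch(base_url: str, path: str) -> dict:
    """GET a JSON document from the cluster (no auth/TLS handling; dev cluster assumed)."""
    with urllib.request.urlopen(f"{base_url.rstrip('/')}/{path}") as resp:
        return json.load(resp)


if __name__ == "__main__":
    es_url = os.environ.get("ES_URL")  # assumption: e.g. http://localhost:9200
    if es_url:
        templates_resp = fetch(es_url, "_index_template")
        pipelines_resp = fetch(es_url, "_ingest/pipeline")
    else:
        templates_resp, pipelines_resp = SAMPLE_INDEX_TEMPLATES, SAMPLE_PIPELINES
    print(json.dumps(check_cluster(templates_resp, pipelines_resp), indent=2))
```

Run without `ES_URL` to see the report on the embedded sample, where the invented `corelight-legacy` template is flagged because its `corelight-*` pattern sits outside `logs-*`; with `ES_URL` set it queries the cluster instead. Matching on the substring "corelight" is a deliberate simplification: adjust it to the exact names the Corelight installation script creates in your deployment.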
### Enabling the integration in Elastic:

1. In Kibana go to Management > Integrations.
2. In "Search for integrations" search bar, type Corelight.
3. Click on the "Corelight" integration from the search results.
4. Go to Settings.
5. Click on the "Install Corelight assets".
6. Go to Assets to get list of dashboards.
To conform the docs across integrations, we should make this section wording exactly the same as https://github.com/elastic/integrations/blob/main/packages/abnormal_security/_dev/build/docs/README.md#enabling-the-integration-in-elastic
Was there any requirement to make the title "Remote Access Hygiene" while the left navigation calls it "Remote Activity Insights"? I think they should be alike to avoid confusion.
Same for the rest of the dashboards.
description: Collect logs from Corelight with Elastic Agent.
type: integration
categories:
  - security
Add the following as well:
- dns_security
- network
- network_security
- vpn_security
@piyush-elastic, related to #11288 (comment), can you update the Crest template for README with changes from #11210? This is to conform the README docs across integrations.
Proposed commit message
Create New integration package corelight and add below four dashboards: