
[Cisco Duo] New data stream for Activity logs #11394

Merged

chemamartinez merged 32 commits into elastic:main from chemamartinez:10960-cisco_duo-activity on Oct 21, 2024

Conversation

@chemamartinez (Contributor) commented Oct 10, 2024 (edited)
Proposed commit message

Added new data stream activity to collect Activity logs from Cisco Duo.

The CEL program follows the API specifications set at:

It also adds a feature request for the auth data stream, including geo enrichment for the IP into the access_device field.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices.

How to test this PR locally

Added pipeline and system tests for the new data stream:

Run asset tests for the package

--- Test results for package: cisco_duo - START ---
╭───────────┬────────────────────┬───────────┬────────────────────────────────────────────────────────────────────┬────────┬──────────────╮
│ PACKAGE   │ DATA STREAM        │ TEST TYPE │ TEST NAME                                                          │ RESULT │ TIME ELAPSED │
├───────────┼────────────────────┼───────────┼────────────────────────────────────────────────────────────────────┼────────┼──────────────┤
│ cisco_duo │                    │ asset     │ dashboard cisco_duo-0607d4a3-5322-41c1-b8fa-f0d29bcc2757 is loaded │ PASS   │      1.584µs │
│ cisco_duo │                    │ asset     │ dashboard cisco_duo-118061c3-3130-4c71-8899-157bab1ad447 is loaded │ PASS   │        292ns │
│ cisco_duo │                    │ asset     │ dashboard cisco_duo-5a0b80af-49ad-42ee-89b7-c89faa927826 is loaded │ PASS   │        416ns │
│ cisco_duo │                    │ asset     │ dashboard cisco_duo-7a135061-78a3-45d9-951b-4b9b665fa729 is loaded │ PASS   │        208ns │
│ cisco_duo │                    │ asset     │ dashboard cisco_duo-b386f94c-0856-4508-ba08-a525a2f3b70f is loaded │ PASS   │        417ns │
│ cisco_duo │                    │ asset     │ dashboard cisco_duo-c3336a66-68ff-4bcd-95ff-fb388793f721 is loaded │ PASS   │        375ns │
│ cisco_duo │                    │ asset     │ dashboard cisco_duo-e91470e5-2ded-4ff1-8bb5-24e06b949c1d is loaded │ PASS   │        250ns │
│ cisco_duo │                    │ asset     │ map cisco_duo-158c0e80-148c-11ec-9386-31989719f9db is loaded       │ PASS   │        250ns │
│ cisco_duo │                    │ asset     │ search cisco_duo-64869c89-8c44-4644-a84a-9815c0fddba0 is loaded    │ PASS   │        375ns │
│ cisco_duo │ activity           │ asset     │ index_template logs-cisco_duo.activity is loaded                   │ PASS   │        250ns │
│ cisco_duo │ activity           │ asset     │ ingest_pipeline logs-cisco_duo.activity-2.2.0 is loaded            │ PASS   │        292ns │
│ cisco_duo │ admin              │ asset     │ index_template logs-cisco_duo.admin is loaded                      │ PASS   │        166ns │
│ cisco_duo │ admin              │ asset     │ ingest_pipeline logs-cisco_duo.admin-2.2.0 is loaded               │ PASS   │        292ns │
│ cisco_duo │ auth               │ asset     │ index_template logs-cisco_duo.auth is loaded                       │ PASS   │        334ns │
│ cisco_duo │ auth               │ asset     │ ingest_pipeline logs-cisco_duo.auth-2.2.0 is loaded                │ PASS   │        125ns │
│ cisco_duo │ offline_enrollment │ asset     │ index_template logs-cisco_duo.offline_enrollment is loaded         │ PASS   │        209ns │
│ cisco_duo │ offline_enrollment │ asset     │ ingest_pipeline logs-cisco_duo.offline_enrollment-2.2.0 is loaded  │ PASS   │        125ns │
│ cisco_duo │ summary            │ asset     │ index_template logs-cisco_duo.summary is loaded                    │ PASS   │        208ns │
│ cisco_duo │ summary            │ asset     │ ingest_pipeline logs-cisco_duo.summary-2.2.0 is loaded             │ PASS   │        125ns │
│ cisco_duo │ telephony          │ asset     │ index_template logs-cisco_duo.telephony is loaded                  │ PASS   │        209ns │
│ cisco_duo │ telephony          │ asset     │ ingest_pipeline logs-cisco_duo.telephony-2.2.0 is loaded           │ PASS   │        125ns │
│ cisco_duo │ telephony_v2       │ asset     │ index_template logs-cisco_duo.telephony_v2 is loaded               │ PASS   │        375ns │
│ cisco_duo │ telephony_v2       │ asset     │ ingest_pipeline logs-cisco_duo.telephony_v2-2.2.0 is loaded        │ PASS   │        166ns │
│ cisco_duo │ trust_monitor      │ asset     │ index_template logs-cisco_duo.trust_monitor is loaded              │ PASS   │        375ns │
│ cisco_duo │ trust_monitor      │ asset     │ ingest_pipeline logs-cisco_duo.trust_monitor-2.2.0 is loaded       │ PASS   │        125ns │
╰───────────┴────────────────────┴───────────┴────────────────────────────────────────────────────────────────────┴────────┴──────────────╯
--- Test results for package: cisco_duo - END   ---
Done

Run pipeline tests for the package

--- Test results for package: cisco_duo - START ---
╭───────────┬────────────────────┬───────────┬────────────────────────────────────────────────────────┬────────┬──────────────╮
│ PACKAGE   │ DATA STREAM        │ TEST TYPE │ TEST NAME                                              │ RESULT │ TIME ELAPSED │
├───────────┼────────────────────┼───────────┼────────────────────────────────────────────────────────┼────────┼──────────────┤
│ cisco_duo │ activity           │ pipeline  │ (ingest pipeline warnings test-activity.log)           │ PASS   │ 196.669625ms │
│ cisco_duo │ activity           │ pipeline  │ test-activity.log                                      │ PASS   │ 134.559833ms │
│ cisco_duo │ admin              │ pipeline  │ (ingest pipeline warnings test-admin.log)              │ PASS   │ 206.523291ms │
│ cisco_duo │ admin              │ pipeline  │ (ingest pipeline warnings test-empty.log)              │ PASS   │ 202.109375ms │
│ cisco_duo │ admin              │ pipeline  │ test-admin.log                                         │ PASS   │    151.045ms │
│ cisco_duo │ admin              │ pipeline  │ test-empty.log                                         │ PASS   │  40.457458ms │
│ cisco_duo │ auth               │ pipeline  │ (ingest pipeline warnings test-auth.log)               │ PASS   │ 218.412834ms │
│ cisco_duo │ auth               │ pipeline  │ (ingest pipeline warnings test-empty.log)              │ PASS   │   194.9385ms │
│ cisco_duo │ auth               │ pipeline  │ test-auth.log                                          │ PASS   │ 345.084917ms │
│ cisco_duo │ auth               │ pipeline  │ test-empty.log                                         │ PASS   │   40.33725ms │
│ cisco_duo │ offline_enrollment │ pipeline  │ (ingest pipeline warnings test-empty.log)              │ PASS   │  198.41075ms │
│ cisco_duo │ offline_enrollment │ pipeline  │ (ingest pipeline warnings test-offline-enrollment.log) │ PASS   │   200.7585ms │
│ cisco_duo │ offline_enrollment │ pipeline  │ test-empty.log                                         │ PASS   │  37.008042ms │
│ cisco_duo │ offline_enrollment │ pipeline  │ test-offline-enrollment.log                            │ PASS   │  44.096708ms │
│ cisco_duo │ summary            │ pipeline  │ (ingest pipeline warnings test-summary.log)            │ PASS   │ 205.246834ms │
│ cisco_duo │ summary            │ pipeline  │ test-summary.log                                       │ PASS   │   41.75075ms │
│ cisco_duo │ telephony          │ pipeline  │ (ingest pipeline warnings test-empty.log)              │ PASS   │ 234.215875ms │
│ cisco_duo │ telephony          │ pipeline  │ (ingest pipeline warnings test-telephony.log)          │ PASS   │ 247.474375ms │
│ cisco_duo │ telephony          │ pipeline  │ test-empty.log                                         │ PASS   │  40.395042ms │
│ cisco_duo │ telephony          │ pipeline  │ test-telephony.log                                     │ PASS   │  38.864542ms │
│ cisco_duo │ telephony_v2       │ pipeline  │ (ingest pipeline warnings test-telephony-v2.log)       │ PASS   │ 210.205625ms │
│ cisco_duo │ telephony_v2       │ pipeline  │ test-telephony-v2.log                                  │ PASS   │   43.08375ms │
│ cisco_duo │ trust_monitor      │ pipeline  │ (ingest pipeline warnings test-trust-monitor.log)      │ PASS   │ 204.730667ms │
│ cisco_duo │ trust_monitor      │ pipeline  │ test-trust-monitor.log                                 │ PASS   │  49.444791ms │
╰───────────┴────────────────────┴───────────┴────────────────────────────────────────────────────────┴────────┴──────────────╯
--- Test results for package: cisco_duo - END   ---
Done

Run policy tests for the package

--- Test results for package: cisco_duo - START ---
No test results
--- Test results for package: cisco_duo - END   ---
Done

Run static tests for the package

--- Test results for package: cisco_duo - START ---
╭───────────┬────────────────────┬───────────┬──────────────────────────┬────────┬──────────────╮
│ PACKAGE   │ DATA STREAM        │ TEST TYPE │ TEST NAME                │ RESULT │ TIME ELAPSED │
├───────────┼────────────────────┼───────────┼──────────────────────────┼────────┼──────────────┤
│ cisco_duo │ activity           │ static    │ Verify sample_event.json │ PASS   │  52.114292ms │
│ cisco_duo │ admin              │ static    │ Verify sample_event.json │ PASS   │  41.618833ms │
│ cisco_duo │ auth               │ static    │ Verify sample_event.json │ PASS   │  57.805375ms │
│ cisco_duo │ offline_enrollment │ static    │ Verify sample_event.json │ PASS   │  42.232042ms │
│ cisco_duo │ summary            │ static    │ Verify sample_event.json │ PASS   │  38.962625ms │
│ cisco_duo │ telephony          │ static    │ Verify sample_event.json │ PASS   │  38.040167ms │
│ cisco_duo │ telephony_v2       │ static    │ Verify sample_event.json │ PASS   │  37.535666ms │
│ cisco_duo │ trust_monitor      │ static    │ Verify sample_event.json │ PASS   │  42.190791ms │
╰───────────┴────────────────────┴───────────┴──────────────────────────┴────────┴──────────────╯
--- Test results for package: cisco_duo - END   ---
Done

Run system tests for the package

--- Test results for package: cisco_duo - START ---
╭───────────┬────────────────────┬───────────┬───────────┬────────┬───────────────╮
│ PACKAGE   │ DATA STREAM        │ TEST TYPE │ TEST NAME │ RESULT │  TIME ELAPSED │
├───────────┼────────────────────┼───────────┼───────────┼────────┼───────────────┤
│ cisco_duo │ activity           │ system    │ default   │ PASS   │ 36.870015625s │
│ cisco_duo │ admin              │ system    │ default   │ PASS   │  33.85713475s │
│ cisco_duo │ auth               │ system    │ default   │ PASS   │ 33.772624833s │
│ cisco_duo │ offline_enrollment │ system    │ default   │ PASS   │ 38.540788792s │
│ cisco_duo │ summary            │ system    │ default   │ PASS   │ 34.455289708s │
│ cisco_duo │ telephony          │ system    │ default   │ PASS   │  33.41083725s │
│ cisco_duo │ telephony_v2       │ system    │ default   │ PASS   │ 39.567072958s │
│ cisco_duo │ trust_monitor      │ system    │ default   │ PASS   │ 39.527218083s │
╰───────────┴────────────────────┴───────────┴───────────┴────────┴───────────────╯
--- Test results for package: cisco_duo - END   ---
Done

Related issues

Screenshots

Data stream configuration: [image: Screenshot 2024-10-10 at 19 53 26]

Dashboard: [image: dashboard-activity]

@chemamartinez added the labels enhancement (New feature or request), dashboard (Relates to a Kibana dashboard bug, enhancement, or modification), Integration:cisco_duo (Cisco Duo) and Team:Security-Service Integrations (Security Service Integrations team [elastic/security-service-integrations]) on Oct 10, 2024
@chemamartinez self-assigned this on Oct 10, 2024
@chemamartinez marked this pull request as ready for review on October 10, 2024 18:05
@chemamartinez requested a review from a team as a code owner on October 10, 2024 18:05
@elasticmachine commented

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@elastic-vault-github-plugin-prod (bot) commented Oct 10, 2024 (edited)

🚀 Benchmarks report

Package cisco_duo 👍(2) 💚(1) 💔(5)

Data stream         Previous EPS   New EPS    Diff (%)                 Result
auth                2564.11        1385.04    -1179.06 (-45.98%)       💔
offline_enrollment  25641.03       14925.37   -10715.66 (-41.79%)      💔
telephony           43478.26       27027.03   -16451.23 (-37.84%)      💔
telephony_v2        15873.02       11235.96   -4637.06 (-29.21%)       💔
trust_monitor       9009.01        7299.27    -1709.74 (-18.98%)       💔

To see the full report comment with /test benchmark fullreport

@efd6 (Contributor) left a comment

Though note the concern about the string(list) conversion.

@efd6 (Contributor) left a comment

Something about real-world Cisco Duo documents is causing breakage with this code (as it exists in auth). So blocking.

@efd6 (Contributor) left a comment

LGTM after nit addressed.

@elasticmachine commented

💚 Build Succeeded

cc @chemamartinez


@chemamartinez merged commit 2ea9938 into elastic:main on Oct 21, 2024
@elastic-vault-github-plugin-prod commented

Package cisco_duo - 2.2.0 containing this change is available at https://epr.elastic.co/search?package=cisco_duo

harnish-crest-data pushed a commit to chavdaharnish/integrations that referenced this pull request on Feb 4, 2025:
Added new data stream activity to collect Activity logs from Cisco Duo. It also adds a feature request for the auth data stream, including geo enrichment for the IP into the access_device field.

harnish-crest-data pushed a commit to chavdaharnish/integrations that referenced this pull request on Feb 5, 2025:
Added new data stream activity to collect Activity logs from Cisco Duo. It also adds a feature request for the auth data stream, including geo enrichment for the IP into the access_device field.

@chemamartinez deleted the 10960-cisco_duo-activity branch on February 6, 2025 10:29

Reviewers

@efd6 approved these changes

Assignees

@chemamartinez

Labels

dashboard (Relates to a Kibana dashboard bug, enhancement, or modification), enhancement (New feature or request), Integration:cisco_duo (Cisco Duo), Team:Security-Service Integrations (Security Service Integrations team [elastic/security-service-integrations])


Development

Successfully merging this pull request may close these issues:

  • [Cisco_duo] feature request - additional enrichment for access_device
  • [Cisco Duo] Add support for Activity Logs

3 participants: @chemamartinez, @elasticmachine, @efd6
