
[prisma_access] Initial release of the Prisma Access #10399

Merged
merged 5 commits into from
Jul 29, 2024

Conversation

muskan-agarwal26

Proposed commit message

  • Added an event data stream.
  • Added data collection logic for event data stream.
  • Added the ingest pipeline for event data stream.
  • Mapped fields according to the ECS schema and added Fields metadata in the appropriate yml files.
  • Added dashboards and visualizations.
  • Added test for pipeline for event data stream.
  • Added system test cases for event data stream.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

How to test this PR locally

  • Clone integrations repo.
  • Install elastic package locally.
  • Start elastic stack using elastic-package.
  • Move to integrations/packages/prisma_access directory.
  • Run the following command to run tests.

elastic-package test

Attached: Test-verbose.txt

Screenshots (dashboard images prisma_access_2 and prisma_access_1, not reproduced here)

jamiehynds requested a review from a team July 8, 2024 12:10
jamiehynds added the Team:Security-Service Integrations label [elastic/security-service-integrations] Jul 8, 2024
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

jamiehynds added the New Integration label (issue or pull request for creating a new integration package) Jul 8, 2024
kcreddy added the Crest label Jul 12, 2024
@kcreddy

kcreddy commented Jul 16, 2024

/test

@elasticmachine

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@@ -0,0 +1,70 @@
format_version: 3.1.4
name: prisma_access
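Review bot: the name on this line fixes both the package identifier and the prefix of every custom field (the thread below confirms the field names change with it, and the pipeline hunk further down already reads prisma_access.event.log.source.timezone_offset), so the panw_ prefix question raised below needs settling before this version ships rather than after, when a rename would also touch every field mapping, the pipeline and the dashboards added in this PR.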

@jamiehynds, can you confirm the name of the integration?
It seems to me that it should be panw_prisma_access just like panw_cortex_xdr


Good catch @kcreddy. Probably best to keep the name inline with other Palo integrations and include panw. Does this impact custom field names too or just the name in the manifest?


It does impact the field names too.
cc: @muskan-agarwal26


What do we use for prisma cloud? is it panw_prisma_cloud or prisma_cloud?


What do we use for prisma cloud? is it panw_prisma_cloud or prisma_cloud?

We seem to use prisma_cloud as both package name and also in field names.


Ok, goes against the grain a bit, but let's keep prisma_access here to align with prisma_cloud which has been around for a while.

Files with review threads (all resolved):
  • packages/prisma_access/manifest.yml
  • packages/prisma_access/_dev/build/docs/README.md (outdated, three threads)
1. Implemented the Readme changes.
2. Added network category in the manifest.
3. Added comments for the scripts used.
4. Changed the context of the test-logs.
5. Split user.domain.user.name for the user fields.
muskan-agarwal26 requested a review from kcreddy July 25, 2024 11:08
@@ -0,0 +1,187 @@
{
"@timestamp": "2019-07-25T23:30:12.000Z",

This timestamp should be derived with event.timezone offset

"cortex_data_lake_tenant_id": "xxxxxxxxxxxxx",
"destination": {
"address": {
"v6": "FE80:CD00:0000:0CDE:1257:0000:211E:729C"
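Review bot: the expected @timestamp in this fixture carries a Z suffix while the review asks for the value to be derived from event.timezone (and the pipeline hunk below copies prisma_access.event.log.source.timezone_offset into event.timezone), so this expected file has to be regenerated once the date processor applies the offset; a fixture written before that change would let the pipeline test pass on the old behaviour. The v6 value is mixed-case and zero-padded; if the pipeline is meant to emit the RFC 5952 text form (lowercase, leading zeros dropped, longest run of zero groups compressed), the fixture should read fe80:cd00:0:cde:1257:0:211e:729c rather than a lowercased copy of the padded form, and the test should state which of the two the pipeline guarantees.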

Let's make this lowercase as per RFC 5952

1. Derived timestamp from event.timezone.
2. Lowercase the ipv6.
@kcreddy

kcreddy commented Jul 29, 2024

/test

muskan-agarwal26 requested a review from kcreddy July 29, 2024 08:45
@@ -2836,6 +2831,54 @@ processors:
tag: set_event_timezone_from_event_log_source_timezone_offset
copy_from: prisma_access.event.log.source.timezone_offset
ignore_empty_value: true
- date:
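Review bot: with ignore_empty_value: true on the set processor above, event.timezone is simply absent when the source offset is empty, and the date: processor starting here then has no timezone to apply unless a second, conditional date processor covers that case. Set event.timezone to UTC instead (a set processor placed before this copy_from, whose value ignore_empty_value then leaves in place, or one placed after it with override: false) and keep a single date processor with timezone: "{{{event.timezone}}}". Also confirm the copied offset is in a form the date processor accepts, an IANA zone name or a ±HH:MM offset, since an unexpected raw form would fail the conversion for every event carrying it rather than fall back to UTC.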

Instead of null, non-null conditions and defining date processors for each case, can you follow this approach to set event.timezone to UTC default before the single date processor?

https://github.com/elastic/integrations/blob/main/packages/zscaler_zia/data_stream/endpoint_dlp/elasticsearch/ingest_pipeline/default.yml#L377-L401

muskan-agarwal26 requested a review from kcreddy July 29, 2024 09:15
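The approach asked for in the review (a UTC default for event.timezone followed by one date conversion), together with the earlier RFC 5952 request, worked through as an added Python example. It is not the package's pipeline and not code from anyone in this thread. It reads the same prisma_access.event.log.source.timezone_offset field the hunk above copies from; the source time field name (time), its naive ISO-8601 format, the ±HH:MM offset syntax and the sample events are assumptions made for the illustration.

```python
"""Added example, not the prisma_access pipeline: emulate the two review points.

- @timestamp derived from the source's timezone offset, with UTC as the default
  when the offset is empty, so one conversion path serves both cases.
- IPv6 values normalised to the RFC 5952 text form.

Field names follow the pipeline lines quoted in the thread; the source time field
name, its format and the sample events below are assumptions for illustration.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed offset syntax: "+05:30", "-0700", "+00:00". IANA zone names are not handled.
_OFFSET_RE = re.compile(r"^([+-])(\d{2}):?(\d{2})$")


def parse_offset(offset: Optional[str]) -> timezone:
    """Map a timezone_offset string to a tzinfo; empty, None, "UTC" or "Z" mean UTC."""
    if not offset or offset.strip().upper() in ("UTC", "Z"):
        return timezone.utc
    m = _OFFSET_RE.match(offset.strip())
    if not m:
        raise ValueError(f"unrecognised timezone offset: {offset!r}")
    sign = 1 if m.group(1) == "+" else -1
    hours, minutes = int(m.group(2)), int(m.group(3))
    if hours > 14 or minutes > 59:
        raise ValueError(f"offset out of range: {offset!r}")
    return timezone(sign * timedelta(hours=hours, minutes=minutes))


def derive_timestamp(local_time: str, offset: Optional[str]) -> str:
    """Interpret a naive ISO-8601 source time in the given offset and render it in
    UTC with millisecond precision and a Z suffix, as a date processor does when
    its timezone option is set."""
    naive = datetime.fromisoformat(local_time)
    if naive.tzinfo is not None:
        raise ValueError("source time already carries an offset; do not apply a second one")
    utc = naive.replace(tzinfo=parse_offset(offset)).astimezone(timezone.utc)
    return utc.strftime("%Y-%m-%dT%H:%M:%S") + f".{utc.microsecond // 1000:03d}Z"


def normalise_ipv6(addr: str, compress: bool = True) -> str:
    """Lowercase hex is what the review asked for (compress=False gives the padded
    lowercase form); RFC 5952 additionally drops leading zeros and compresses the
    longest run of zero groups, which ipaddress.compressed implements."""
    parsed = ipaddress.IPv6Address(addr)  # also rejects malformed input early
    return parsed.compressed if compress else parsed.exploded


def process(event: dict) -> dict:
    """Mirror the pipeline shape: copy the source offset into event.timezone with a
    UTC default, run a single date conversion, then normalise destination.address.v6."""
    src = event["prisma_access"]["event"]["log"]["source"]
    out = dict(event)
    out["event"] = {**event.get("event", {}), "timezone": src.get("timezone_offset") or "UTC"}
    out["@timestamp"] = derive_timestamp(src["time"], out["event"]["timezone"])
    v6 = event.get("destination", {}).get("address", {}).get("v6")
    if v6:
        out["destination"] = {"address": {"v6": normalise_ipv6(v6)}}
    return out


# Constructed sample events, not taken from the package's test logs.
SAMPLE_WITH_OFFSET = {
    "prisma_access": {"event": {"log": {"source": {
        "time": "2019-07-25T23:30:12", "timezone_offset": "+05:30"}}}},
    "destination": {"address": {"v6": "FE80:CD00:0000:0CDE:1257:0000:211E:729C"}},
}
SAMPLE_NO_OFFSET = {
    "prisma_access": {"event": {"log": {"source": {
        "time": "2019-07-25T23:30:12", "timezone_offset": ""}}}},
}

if __name__ == "__main__":
    for sample in (SAMPLE_WITH_OFFSET, SAMPLE_NO_OFFSET):
        result = process(sample)
        print(result["event"]["timezone"], result["@timestamp"], result.get("destination"))
```

The empty-offset event goes through the same derive_timestamp call as the offset-bearing one, which is the point of the UTC default: no conditional branches, and a malformed offset raises instead of silently producing a wrong time. The compress flag makes the distinction between "lowercase" and "RFC 5952 canonical" explicit, so the pipeline test fixture can state which of the two it expects.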
@kcreddy

kcreddy commented Jul 29, 2024

/test

@elasticmachine

💚 Build Succeeded


kcreddy merged commit aba9540 into elastic:main Jul 29, 2024
5 checks passed
@elasticmachine

Package prisma_access - 0.1.0 containing this change is available at https://epr.elastic.co/search?package=prisma_access

andrewkroh added the Integration:prisma_access (Palo Alto Prisma Access) label Jul 29, 2024
jvalente-salemstate pushed a commit to jvalente-salemstate/integrations that referenced this pull request Aug 21, 2024
Initial release of the Prisma Access.
harnish-elastic pushed a commit to harnish-elastic/integrations that referenced this pull request Feb 4, 2025
Initial release of the Prisma Access.
Labels
8.16 candidate Crest Integration:prisma_access Palo Alto Prisma Access New Integration Issue or pull request for creating a new integration package. Team:Security-Service Integrations Security Service Integrations Team [elastic/security-service-integrations]
6 participants