Merge branch 'main' into fsstat-ignore

VihasMakwana · web-flow · commit 9129ba8d068c · 2025-05-23T11:30:17.000+05:30
diff --git a/packages/sublime_security/_dev/build/docs/README.md b/packages/sublime_security/_dev/build/docs/README.md
@@ -22,6 +22,12 @@ The Sublime Security integration collects three types of logs:
 
 Elastic Agent must be installed. For more details and installation instructions, please refer to the [Elastic Agent Installation Guide](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html).
 
+## Agentless-enabled integration
+
+Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and the [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html).
+
+Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features.
+
 ### Installing and managing an Elastic Agent:
 
 There are several options for installing and managing Elastic Agent:
diff --git a/packages/sublime_security/changelog.yml b/packages/sublime_security/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.9.0"
+  changes:
+    - description: Add agentless deployment.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/13963
 - version: "1.8.2"
   changes:
     - description: Fix default request trace enabled behavior.
diff --git a/packages/sublime_security/docs/README.md b/packages/sublime_security/docs/README.md
@@ -22,6 +22,12 @@ The Sublime Security integration collects three types of logs:
 
 Elastic Agent must be installed. For more details and installation instructions, please refer to the [Elastic Agent Installation Guide](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html).
 
+## Agentless-enabled integration
+
+Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and the [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html).
+
+Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features.
+
 ### Installing and managing an Elastic Agent:
 
 There are several options for installing and managing Elastic Agent:
diff --git a/packages/sublime_security/manifest.yml b/packages/sublime_security/manifest.yml
@@ -1,15 +1,15 @@
-format_version: 3.2.1
+format_version: 3.2.3
 name: sublime_security
 title: Sublime Security
-version: "1.8.2"
+version: "1.9.0"
 description: Collect logs from Sublime Security with Elastic Agent.
 type: integration
 categories:
   - security
   - email_security
 conditions:
   kibana:
-    version: "^8.16.5 || ^9.0.0"
+    version: "^8.18.0 || ^9.0.0"
   elastic:
     subscription: basic
 screenshots:
@@ -39,6 +39,14 @@ policy_templates:
   - name: sublime_security
     title: Sublime Security logs
     description: Collect Sublime Security logs.
+    deployment_modes: 
+      default:
+        enabled: true 
+      agentless:
+        enabled: true
+        organization: security
+        division: engineering
+        team: security-service-integrations
     inputs:
       - type: cel
         title: Collect Sublime Security logs via API
diff --git a/packages/zscaler_zpa/changelog.yml b/packages/zscaler_zpa/changelog.yml
@@ -1,4 +1,12 @@
 # newer versions go on top
+- version: "1.22.2"
+  changes:
+    - description: Fix handling of remote IP lists in audit data stream.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/13755
+    - description: Fix ECS event type, category and outcome mapping of audit events.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/13755
 - version: "1.22.1"
   changes:
     - description: Do not set `error.message` for expected behavior related to Zscaler `Host` field.
diff --git a/packages/zscaler_zpa/data_stream/audit/_dev/test/pipeline/test-audit.log b/packages/zscaler_zpa/data_stream/audit/_dev/test/pipeline/test-audit.log
@@ -1,2 +1,3 @@
 {"ModifiedTime":"2021-11-17T04:29:38.000Z","CreationTime":"2021-11-17T04:29:38.000Z","ModifiedBy":12345678901234567,"RequestID":"11111111-1111-1111-1111-111111111111","SessionID":"1idn23nlfm2q1txa5h3r4mep6","AuditOldValue":"","AuditNewValue":"{\"id\":\"72058340288495701\",\"name\":\"Some-Name\",\"domainOrIpAddress\":\"81.2.69.144\",\"description\":\"This is a description field\",\"enabled\":\"true\"}","AuditOperationType":"Create","ObjectType":"Server","ObjectName":"Some-Name","ObjectID":12345678901234567,"CustomerID":98765432109876543,"User":"zpaadmin@xxxxxxxxxxxxxxxxx.zpa-customer.com","ClientAuditUpdate":0}
 {"ModifiedTime":"","CreationTime":"2021-11-17T04:29:38.000Z","ModifiedBy":12345678901234567,"RequestID":"11111111-1111-1111-1111-111111111111","SessionID":"1idn23nlfm2q1txa5h3r4mep6","AuditOldValue":"","AuditNewValue":"{\"id\":\"72058340288495701\",\"name\":\"Some-Name\",\"domainOrIpAddress\":\"example.com\",\"description\":\"This is a description field\",\"enabled\":\"true\"}","AuditOperationType":"Create","ObjectType":"Server","ObjectName":"Some-Name","ObjectID":12345678901234567,"CustomerID":98765432109876543,"User":"zpaadmin@xxxxxxxxxxxxxxxxx.zpa-customer.com","ClientAuditUpdate":0}
+{"ModifiedTime":"","CreationTime":"2025-04-30T16:23:40.000Z","ModifiedBy":288263728720249833,"RequestID":"12d6eccc-718c-4657-b267-83cc1c3f35f6","SessionID":"1samau4fwi7xbsf3317mkd5vz","AuditOldValue":"","AuditNewValue":"{\"loginAttempt\":\"2025-04-30 16:23:40 UTC\",\"remoteIP\":\"81.2.69.142, 81.2.69.144\"}","AuditOperationType":"Sign In","ObjectType":"Authentication","ObjectName":"xxxx","ObjectID":"xxxxx","CustomerID":"xxxxx","User":"xxxx","ClientAuditUpdate":1}
diff --git a/packages/zscaler_zpa/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json b/packages/zscaler_zpa/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json
@@ -13,6 +13,7 @@
                 "id": "11111111-1111-1111-1111-111111111111",
                 "kind": "event",
                 "original": "{\"ModifiedTime\":\"2021-11-17T04:29:38.000Z\",\"CreationTime\":\"2021-11-17T04:29:38.000Z\",\"ModifiedBy\":12345678901234567,\"RequestID\":\"11111111-1111-1111-1111-111111111111\",\"SessionID\":\"1idn23nlfm2q1txa5h3r4mep6\",\"AuditOldValue\":\"\",\"AuditNewValue\":\"{\\\"id\\\":\\\"72058340288495701\\\",\\\"name\\\":\\\"Some-Name\\\",\\\"domainOrIpAddress\\\":\\\"81.2.69.144\\\",\\\"description\\\":\\\"This is a description field\\\",\\\"enabled\\\":\\\"true\\\"}\",\"AuditOperationType\":\"Create\",\"ObjectType\":\"Server\",\"ObjectName\":\"Some-Name\",\"ObjectID\":12345678901234567,\"CustomerID\":98765432109876543,\"User\":\"zpaadmin@xxxxxxxxxxxxxxxxx.zpa-customer.com\",\"ClientAuditUpdate\":0}",
+                "outcome": "success",
                 "type": [
                     "creation"
                 ]
@@ -77,6 +78,7 @@
                 "id": "11111111-1111-1111-1111-111111111111",
                 "kind": "event",
                 "original": "{\"ModifiedTime\":\"\",\"CreationTime\":\"2021-11-17T04:29:38.000Z\",\"ModifiedBy\":12345678901234567,\"RequestID\":\"11111111-1111-1111-1111-111111111111\",\"SessionID\":\"1idn23nlfm2q1txa5h3r4mep6\",\"AuditOldValue\":\"\",\"AuditNewValue\":\"{\\\"id\\\":\\\"72058340288495701\\\",\\\"name\\\":\\\"Some-Name\\\",\\\"domainOrIpAddress\\\":\\\"example.com\\\",\\\"description\\\":\\\"This is a description field\\\",\\\"enabled\\\":\\\"true\\\"}\",\"AuditOperationType\":\"Create\",\"ObjectType\":\"Server\",\"ObjectName\":\"Some-Name\",\"ObjectID\":12345678901234567,\"CustomerID\":98765432109876543,\"User\":\"zpaadmin@xxxxxxxxxxxxxxxxx.zpa-customer.com\",\"ClientAuditUpdate\":0}",
+                "outcome": "success",
                 "type": [
                     "creation"
                 ]
@@ -123,6 +125,72 @@
                     }
                 }
             }
+        },
+        {
+            "@timestamp": "2025-04-30T16:23:40.000Z",
+            "client": {
+                "ip": [
+                    "81.2.69.142",
+                    "81.2.69.144"
+                ]
+            },
+            "ecs": {
+                "version": "8.11.0"
+            },
+            "event": {
+                "category": [
+                    "authentication",
+                    "session"
+                ],
+                "created": "2025-04-30T16:23:40.000Z",
+                "id": "12d6eccc-718c-4657-b267-83cc1c3f35f6",
+                "kind": "event",
+                "original": "{\"ModifiedTime\":\"\",\"CreationTime\":\"2025-04-30T16:23:40.000Z\",\"ModifiedBy\":288263728720249833,\"RequestID\":\"12d6eccc-718c-4657-b267-83cc1c3f35f6\",\"SessionID\":\"1samau4fwi7xbsf3317mkd5vz\",\"AuditOldValue\":\"\",\"AuditNewValue\":\"{\\\"loginAttempt\\\":\\\"2025-04-30 16:23:40 UTC\\\",\\\"remoteIP\\\":\\\"81.2.69.142, 81.2.69.144\\\"}\",\"AuditOperationType\":\"Sign In\",\"ObjectType\":\"Authentication\",\"ObjectName\":\"xxxx\",\"ObjectID\":\"xxxxx\",\"CustomerID\":\"xxxxx\",\"User\":\"xxxx\",\"ClientAuditUpdate\":1}",
+                "outcome": "success",
+                "type": [
+                    "start"
+                ]
+            },
+            "organization": {
+                "id": "xxxxx"
+            },
+            "related": {
+                "ip": [
+                    "81.2.69.142",
+                    "81.2.69.144"
+                ],
+                "user": [
+                    "288263728720249833",
+                    "xxxx"
+                ]
+            },
+            "tags": [
+                "preserve_original_event"
+            ],
+            "user": {
+                "id": "288263728720249833",
+                "name": "xxxx"
+            },
+            "zscaler_zpa": {
+                "audit": {
+                    "client_audit_update": 1,
+                    "object": {
+                        "id": "xxxxx",
+                        "name": "xxxx",
+                        "type": "Authentication"
+                    },
+                    "operation_type": "Sign In",
+                    "session": {
+                        "id": "1samau4fwi7xbsf3317mkd5vz"
+                    },
+                    "value": {
+                        "new": {
+                            "loginAttempt": "2025-04-30 16:23:40 UTC",
+                            "remoteIP": "81.2.69.142, 81.2.69.144"
+                        }
+                    }
+                }
+            }
         }
     ]
 }
diff --git a/packages/zscaler_zpa/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/zscaler_zpa/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
@@ -39,30 +39,74 @@ processors:
       field: event.created
       copy_from: '@timestamp'
       ignore_failure: true
-  - append:
-      field: event.category
-      value: iam
   - set:
       field: event.kind
       value: event
   - script:
       if: ctx.json?.AuditOperationType != null && ctx.json.AuditOperationType != ''
       lang: painless
+      params:
+        event_classification:
+          'create':
+            type:
+              - creation
+            category:
+              - iam
+            outcome: success
+          'delete':
+            type:
+              - deletion
+            category:
+              - iam
+            outcome: success
+          'update':
+            type:
+              - change
+            category:
+              - iam
+            outcome: success
+          'sign in':
+            type:
+              - start
+            category:
+              - authentication
+              - session
+            outcome: success
+          'sign in failure':
+            type:
+              - start
+              - error
+            category: failure
+              - session
+            outcome: 
+          'download':
+            type:
+              - info
+              - access
+            outcome: success
+            category:
+              - file
+          'sign out':
+            type:
+              - end
+            category:
+              - session
+            outcome: success
+          'client session revoked':
+            type:
+              - change
+              - deletion
+            category:
+              - iam
+            outcome: success
       source: |
-        def eventType = ctx.json.AuditOperationType?.toLowerCase();
-        ctx.event.type = new ArrayList();
-        Map referenceTable = [
-          'create': ['creation'],
-          'delete': ['deletion'],
-          'update': ['change'],
-          'sign in': ['access', 'allowed'],
-          'sign in failure': ['access', 'error'],
-          'download': ['info'],
-          'sign out': ['access'],
-          'client session revoked': ['end']
-        ];
-
-        ctx.event.type = referenceTable[eventType];
+        def class = params.event_classification[ctx.json.AuditOperationType?.toLowerCase()];
+        if (class == null) {
+          return;
+        }
+        ctx.event.type = class.type;
+        ctx.event.category = class.category;
+        ctx.event.outcome = class.outcome;
   - rename:
       field: json.RequestID
       target_field: event.id
@@ -216,12 +260,25 @@ processors:
           ctx.server = new HashMap();
           ctx.server.address = valuesMap?.domainOrIpAddress;
         }
+  - split:
+      field: client.ip
+      separator: ', *'
+      if: ctx.client?.ip instanceof String && ctx.client.ip.contains(',')
   - append:
       field: related.ip
       value: '{{{client.ip}}}'
-      if: ctx.client?.ip != null
+      if: ctx.client?.ip instanceof String
       allow_duplicates: false
       ignore_failure: true
+  - foreach:
+      field: client.ip
+      if: ctx.client?.ip instanceof List
+      processor:       
+        append:
+          field: related.ip
+          value: '{{{_ingest._value}}}'
+          allow_duplicates: false
+          ignore_failure: true
   - convert:
       field: server.address
       target_field: server.ip
diff --git a/packages/zscaler_zpa/manifest.yml b/packages/zscaler_zpa/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.3"
 name: zscaler_zpa
 title: Zscaler Private Access
-version: "1.22.1"
+version: "1.22.2"
 source:
   license: Elastic-2.0
 description: Collect logs from Zscaler Private Access (ZPA) with Elastic Agent.

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,3 @@`
`1`	`1`	{"ModifiedTime":"2021-11-17T04:29:38.000Z","CreationTime":"2021-11-17T04:29:38.000Z","ModifiedBy":12345678901234567,"RequestID":"11111111-1111-1111-1111-111111111111","SessionID":"1idn23nlfm2q1txa5h3r4mep6","AuditOldValue":"","AuditNewValue":"{\"id\":\"72058340288495701\",\"name\":\"Some-Name\",\"domainOrIpAddress\":\"81.2.69.144\",\"description\":\"This is a description field\",\"enabled\":\"true\"}","AuditOperationType":"Create","ObjectType":"Server","ObjectName":"Some-Name","ObjectID":12345678901234567,"CustomerID":98765432109876543,"User":"zpaadmin@xxxxxxxxxxxxxxxxx.zpa-customer.com","ClientAuditUpdate":0}
`2`	`2`	{"ModifiedTime":"","CreationTime":"2021-11-17T04:29:38.000Z","ModifiedBy":12345678901234567,"RequestID":"11111111-1111-1111-1111-111111111111","SessionID":"1idn23nlfm2q1txa5h3r4mep6","AuditOldValue":"","AuditNewValue":"{\"id\":\"72058340288495701\",\"name\":\"Some-Name\",\"domainOrIpAddress\":\"example.com\",\"description\":\"This is a description field\",\"enabled\":\"true\"}","AuditOperationType":"Create","ObjectType":"Server","ObjectName":"Some-Name","ObjectID":12345678901234567,"CustomerID":98765432109876543,"User":"zpaadmin@xxxxxxxxxxxxxxxxx.zpa-customer.com","ClientAuditUpdate":0}
	`3`	`+{"ModifiedTime":"","CreationTime":"2025-04-30T16:23:40.000Z","ModifiedBy":288263728720249833,"RequestID":"12d6eccc-718c-4657-b267-83cc1c3f35f6","SessionID":"1samau4fwi7xbsf3317mkd5vz","AuditOldValue":"","AuditNewValue":"{\"loginAttempt\":\"2025-04-30 16:23:40 UTC\",\"remoteIP\":\"81.2.69.142, 81.2.69.144\"}","AuditOperationType":"Sign In","ObjectType":"Authentication","ObjectName":"xxxx","ObjectID":"xxxxx","CustomerID":"xxxxx","User":"xxxx","ClientAuditUpdate":1}`