[SEI] Integrations requiring manual testing for spec 3.0

[P1llus]

This is a list of integrations that should be manually tested to some extent, what should be tested is listed below each integration, this extends the amount of testing already listed in the communicated list of tests.

• network_traffic: Includes custom data-view/index pattern. Once installed, ingest some data to ensure that the data-view in the dashboards are still assigned correctly. Also ensure that the data-view is in the list of available data-views in for example the data-view list.

• ti_maltiverse: Has its own ILM (that should be converted) and transforms, need to ensure the transforms are installed and running after the integration is configured. Try to add in at least one sample document as well, either manually or through the agent system tests.

• ti_anomali: Has its own ILM (that should be converted) and transforms, need to ensure the transforms are installed and running after the integration is configured. Try to add in at least one sample document as well, either manually or through the agent system tests.

• ti_recorded_future Has its own ILM (that should be converted) and transforms, need to ensure the transforms are installed and running after the integration is configured. Try to add in at least one sample document as well, either manually or through the agent system tests.

• ti_rapid7: Has its own security detection rules, while these should be removed at some point as they are somewhat duplicates of the built-in SIEM rules for indicator match, currently we need to ensure they are installed and available in the SIEM UI.

• cel: Input type package, try to change common options there like dataset name or ingest pipeline, ensure that they are applied to the relevant index templates and data still comes in.

• 1-2 integrations that uses dynamic ECS templates (import_mappings: true in build.yml). For simplicity we could pick any that has log/file input for example, to simplify the process. We should ensure the dynamic template is added correctly to its relevant index templates, and that the results are as we expect them to be

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[kcreddy]

• network_traffic

  1. Serverless environment: (ingested documents by setting up agent in GCP)
     • Data View: The custom data-view is correctly created.
     • Dashboards: All Network Traffic Capture dashboards are correctly interpreting data without any errors.
     • Ingestion: Setup agent in GCP instance and able to ingest HTTP, DNS, TLS, etc. datasets. Verified by navigating into /app/discover endpoint in Serverless project.

• ti_recordedfuture

  1. Serverless environment: (tested with API key and ingesting documents)

     • Installed: Transform is getting installed correctly when integration is installed.
     • Running: Transform automatically starts running in continuous mode as expected.
     • Data Ingestion: Indicators are correctly ingested into source datastream.
     • Transform working: Latest transform able to move latest indicators into new destination index.
     • DLM/ILM: ILM is missing on source datastream. Since ILM policies cannot be viewed navigating via UI here, this is a screenshot taken via Project Settings -> Index Management -> Data streams -> select "logs-ti_recordedfuture.threat-default". The DLM policy is applied. The documents in the source datastream's writing indices are getting purged after the data_retention period from its rollover. The existing ILM policy is being ignored.

  2. Local docker stack using elastic-package stack up:

     • ILM: If both ILM and DLM are present in the package, ILM is taking preference and getting applied. If existing ILM is removed, then default logs ILM is being applied. DLM is not getting applied even if the lifecycle.yml is present in the datastream's root folder. Edit: As per lifecycle default settings, this is expected. So, packages that have existing ILM and opted for serverless needs to have ILM and DLM coexist inside the same package so that environment chooses the policy.

• ti_anomali

  1. Serverless environment: (tested with Anomali Integrator and ingesting documents)
     • Installed: Transform is getting installed correctly when integration is installed.
     • Running: Transform automatically starts running in continuous mode as expected.
     • Data Ingestion: Indicators are correctly ingested into source datastream.
     • Transform working: Latest transform able to move some of the indicators into new destination index. Not all the indicators are getting processed by the transform. This behaviour is unexpected and must be debugged by checking logs. Edit: After recommendation from Serverless team, due to increase in index refresh interval in Serverless, sync.time.delay could be increased for transforms. Increasing the current value from 60s to 120s made it work.
     • DLM/ILM: The DLM policy is applied. The existing ILM policy is being ignored.

• ti_maltiverse

  1. Serverless environment: (tested with system tests)
     • Installed: Transform is getting installed correctly when integration is installed.
     • Running: Transform automatically starts running in continuous mode as expected.
     • Data Ingestion: Indicators are correctly ingested into source datastream.
     • Transform working: Latest transform able to move all of the indicators into new destination index.
     • DLM/ILM: The DLM policy is applied. The existing ILM policy is being ignored.

• ti_rapid7

  1. Serverless environment: (tested with system tests and manually running steps documented in https://docs.elastic.co/integrations/ti_rapid7_threat_command#add-transforms-for-unique-iocs-and-detection-rule). Tested Unique IOC transform and its IOC Rule as other transforms and rules are similar.
     • Installed: Transform is getting installed correctly following the documented steps.
     • Ingestion: Ran system tests and data is ingested correctly into source datastream
     • Running: Transform gets started in continuous mode after following the documented steps.
     • Transform working: Transform moves latest source data into destination index rapid7-tc-unique-iocs.
     • Data Views: Custom dataviews created and able to find them via Discover and Data-views list in Management.
     • Detection Rules: Able to setup and install rule after following steps. The rules complains about possible lack of permission for ** indices which the rule is trying to read. Not sure why the rule is created to read ** instead of logs-*, filebeat-*, etc.

     Warning at Sep 20, 2023 @ 21:55:46.368
     
     This rule may not have the required read privileges to the following indices/index patterns: ["**"]
     

     Edit: Updated the patterns to "auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*" similar to Elastic prebuilt Indicator Match Rules.

• cel

  1. Serverless environment: (tested with CEL program calling API as specified here)
     • Updated dataset name and it reflected in the ingested document.
     • Ingest Pipeline: Updated existing managed pipeline and documents are created with updated changes. Added custom ingest pipeline inside the integration policy and that is getting applied into the documents.
     • Data is ingested correctly.

[P1llus]

@kcreddy the ILM policies needs to be changed to DLM 👍

[kcreddy]

@P1llus Considering the warning for ti_rapid7 above , I haven't merged its PR. Should I update the rule's index pattern to "auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*" instead of **?

[P1llus]

@kcreddy at some point we should just remove the rules, from what I understand they are a copy of the rules already included by default. @jamiehynds wdyt?

[kcreddy]

Hey @P1llus, based on Andrew's suggestion, for ti_rapid7 I updated the indices with prebuilt Indicator Match Rules index patterns.

[andrewkroh]

What is the status on the last remaining bullet ("1-2 integrations that uses dynamic ECS templates")? Is this done?