[google_secops] Initial release of the google secops

[janvi-elastic]

Proposed commit message

Create new integration package google_secops.

• Added data stream.
• Added data collection logic for alert data stream.
• Added the ingest pipeline for alert data stream.
• Mapped fields according to the ECS schema and added Fields metadata in the appropriate yml files.
• Added dashboards and visualizations.
• Added test for pipeline for alert data stream.
• Added system test cases for alert data stream.
• Add agentless deployment

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.

How to test this PR locally

• Clone integrations repo.
• Install elastic package locally.
• Start elastic stack using elastic-package.
• Move to integrations/packages/google_secops directory.
• Run the following command to run tests.

elastic-package test

--- Test results for package: google_secops - START ---
╭───────────────┬─────────────┬───────────┬────────────────────────────────────────────────────────────────────────┬────────┬──────────────╮
│ PACKAGE       │ DATA STREAM │ TEST TYPE │ TEST NAME                                                              │ RESULT │ TIME ELAPSED │
├───────────────┼─────────────┼───────────┼────────────────────────────────────────────────────────────────────────┼────────┼──────────────┤
│ google_secops │             │ asset     │ dashboard google_secops-517f96c9-1d44-420a-9ff4-96cf28de00d7 is loaded │ PASS   │      1.619µs │
│ google_secops │             │ asset     │ search google_secops-5407845c-e294-4f99-a342-9dc7e05dc8e0 is loaded    │ PASS   │        273ns │
│ google_secops │             │ asset     │ search google_secops-6a9de76e-e146-484e-ad87-fdb29c937fa2 is loaded    │ PASS   │        205ns │
│ google_secops │ alert       │ asset     │ index_template logs-google_secops.alert is loaded                      │ PASS   │        244ns │
│ google_secops │ alert       │ asset     │ ingest_pipeline logs-google_secops.alert-0.1.0 is loaded               │ PASS   │        253ns │
╰───────────────┴─────────────┴───────────┴────────────────────────────────────────────────────────────────────────┴────────┴──────────────╯
--- Test results for package: google_secops - END   ---
Done
--- Test results for package: google_secops - START ---
╭───────────────┬─────────────┬───────────┬───────────────────────────────────────────┬────────┬──────────────╮
│ PACKAGE       │ DATA STREAM │ TEST TYPE │ TEST NAME                                 │ RESULT │ TIME ELAPSED │
├───────────────┼─────────────┼───────────┼───────────────────────────────────────────┼────────┼──────────────┤
│ google_secops │ alert       │ pipeline  │ (ingest pipeline warnings test-alert.log) │ PASS   │ 288.418232ms │
│ google_secops │ alert       │ pipeline  │ test-alert.log                            │ PASS   │ 342.148692ms │
╰───────────────┴─────────────┴───────────┴───────────────────────────────────────────┴────────┴──────────────╯
--- Test results for package: google_secops - END   ---
Done
--- Test results for package: google_secops - START ---
╭───────────────┬─────────────┬───────────┬──────────────────────────┬────────┬──────────────╮
│ PACKAGE       │ DATA STREAM │ TEST TYPE │ TEST NAME                │ RESULT │ TIME ELAPSED │
├───────────────┼─────────────┼───────────┼──────────────────────────┼────────┼──────────────┤
│ google_secops │ alert       │ static    │ Verify sample_event.json │ PASS   │ 239.740171ms │
╰───────────────┴─────────────┴───────────┴──────────────────────────┴────────┴──────────────╯
--- Test results for package: google_secops - END   ---
Done
--- Test results for package: google_secops - START ---
╭───────────────┬─────────────┬───────────┬───────────┬────────┬────────────────╮
│ PACKAGE       │ DATA STREAM │ TEST TYPE │ TEST NAME │ RESULT │   TIME ELAPSED │
├───────────────┼─────────────┼───────────┼───────────┼────────┼────────────────┤
│ google_secops │ alert       │ system    │ default   │ PASS   │ 2m8.093218093s │
╰───────────────┴─────────────┴───────────┴───────────┴────────┴────────────────╯
--- Test results for package: google_secops - END   ---
Done

Screenshot

[elastic-vault-github-plugin-prod]

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

[jamiehynds]

We've discovered an issue across all of our integrations, whereby event.severity is not mapped to the values expected by Elastic Security. This is a result of ambiguity in the ECS field description that we're also working to address (https://www.elastic.co/guide/en/ecs/current/ecs-event.html#field-event-severity)

Could we map the event.severity values to the values expected by Elastic Security, to ensure the severity from 3rd party alerts will be assigned the correct severity within Elastic? It's a numeric scale:

Low - 21
Medium -47
High- 73
Critical - 99

cc @raqueltabuyo @cpascale43

[janvi-elastic]

@jamiehynds We have mapped event.severity to the values given in the Google SecOps documentation.

Let me know if we have to update the values as the values expected by Elastic Security.

[kcreddy]

@janvi-elastic , yes please update according to Elastic Security guidelines stated above.
The custom field will always be there if users wants the source severity.

You can add a note to the README to mentioning the same.

[elasticmachine]

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

[kcreddy]

Please check if we are able to ingest alert status updates from the API.
For example from ALERTING -> NOT_ALERTING.

If so, we will need a latest transform to store the last state.

[kcreddy]

Can you resolve an alert and check if you are getting the updated document?

ALERTING -> NOT_ALERTING

[jamiehynds]

Microsoft Sentinel shouldn't be mentioned in the Google SecOps docs, presume a copy/paste error.

[jamiehynds]

@alaudazzi can you advise how we're handing these agentless going forward? With this issue in mind, I want to ensure we adhere for any new integrations developed. https://github.com/elastic/integration-docs/issues/653

[jamiehynds]

Can we change logs to alerts, as the scope of the integration is limited to alerts from SecOps.

[jamiehynds]

Change from logs to alerts.

[jamiehynds]

Change from logs to alerts.

[efd6]

Do we want to remove "-" fields?

[efd6]

LGTM but please wait for @kcreddy.

[kcreddy]

My primary concern is from #12767 (comment), we didn't test for events with alert's state change.
This might mean the alerts will keep growing in Kibana, and no way to find Current Active Alerts.

[janvi-elastic]

My primary concern is from #12767 (comment), we didn't test for events with alert's state change. This might mean the alerts will keep growing in Kibana, and no way to find Current Active Alerts.

In our instance, we don't have an option to update the state of alert.

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: 5eb85c9

History

• 💚 Build #22588 succeeded 4b079da
• 💚 Build #22504 succeeded 8dc68c2
• 💚 Build #22443 succeeded f0061aa
• 💚 Build #22439 succeeded 98d6886
• 💚 Build #22240 succeeded 58bdca1

[elastic-sonarqube]

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
98.3% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

[kcreddy]

My primary concern is from #12767 (comment), we didn't test for events with alert's state change. This might mean the alerts will keep growing in Kibana, and no way to find Current Active Alerts.

In our instance, we don't have an option to update the state of alert.

@jamiehynds,
As per @janvi-elastic, changing alert state is possible in SOAR, but they have only SIEM access. Due to this we are unable to test by closing an alert and whether we ingest the updated state.

If the API doesn't send updated states, we are okay.
If the API does send updated states, then we ingest the alert again in its new state (because we don't have fingerprint processor), thus leading to duplicates of same alert inside the dashboard. i.e., an alert can be in both Active and Close states. The only way to fix this is through latest transform.

I will leave it to you to take the call on merging the PR without this test.

[piyush-elastic]

My primary concern is from #12767 (comment), we didn't test for events with alert's state change. This might mean the alerts will keep growing in Kibana, and no way to find Current Active Alerts.

In our instance, we don't have an option to update the state of alert.

@jamiehynds, As per @janvi-elastic, changing alert state is possible in SOAR, but they have only SIEM access. Due to this we are unable to test by closing an alert and whether we ingest the updated state.

If the API doesn't send updated states, we are okay. If the API does send updated states, then we ingest the alert again in its new state (because we don't have fingerprint processor), thus leading to duplicates of same alert inside the dashboard. i.e., an alert can be in both Active and Close states. The only way to fix this is through latest transform.

I will leave it to you to take the call on merging the PR without this test.

My primary concern is from #12767 (comment), we didn't test for events with alert's state change. This might mean the alerts will keep growing in Kibana, and no way to find Current Active Alerts.

In our instance, we don't have an option to update the state of alert.

@jamiehynds, As per @janvi-elastic, changing alert state is possible in SOAR, but they have only SIEM access. Due to this we are unable to test by closing an alert and whether we ingest the updated state.

If the API doesn't send updated states, we are okay. If the API does send updated states, then we ingest the alert again in its new state (because we don't have fingerprint processor), thus leading to duplicates of same alert inside the dashboard. i.e., an alert can be in both Active and Close states. The only way to fix this is through latest transform.

I will leave it to you to take the call on merging the PR without this test.

@kcreddy , @jamiehynds -Unfortunately, we don't have access to the SOAR component. We can add transform as a precaution, but we are unable to determine which field leads to updated_detection. Alternatively, if we can confirm the relevant fields, we can test it using a Mockserver. Please find the list of supported response fields here.

[kcreddy]

@kcreddy , @jamiehynds -Unfortunately, we don't have access to the SOAR component. We can add transform as a precaution, but we are unable to determine which field leads to updated_detection. Alternatively, if we can confirm the relevant fields, we can test it using a Mockserver. Please find the list of supported response fields here.

@piyush-elastic, thanks for the info.

If we can't get access to SOAR, here's my suggestion:
The field responsible is lastUpdatedTime, but it is not available through the ListDetections API, i.e., not available in the rule-based detections (type: RULE_DETECTION).
It is available in API response of curated detections, i.e., threat intel detections (type: GCTI_FINDING).

At this point, we are unsure if the updated alert state comes through the List Detections API. We may not want to add transform as precaution, because we don't have a proper way to delete the transform and its destination index automatically.
In case later we find the updated alerts are not available through the API and there is no need for transform, then users will have to delete their existing transform and also the index manually, which doesn't seem ideal experience.

We can go ahead with what we have right now and collect user feedback on any duplicate alerts (with different states) in their indices. We can add transform if duplicate alerts are ingested.

@jamiehynds does that sound good?

[kcreddy]

Waiting on #12767 (comment) for merging.