[New Integration] Endace #9579

Open
11 of 15 tasks
jamiehynds opened this issue Apr 12, 2024 · 8 comments
Assignees
Labels
New Integration Issue or pull request for creating a new integration package. Team:Security-Deployment and Devices Deployment and Devices Security team [elastic/sec-deployment-and-devices] Team:Security-Linux Platform Linux Platform Security team [elastic/sec-linux-platform]

Comments


jamiehynds commented Apr 12, 2024

Description

Endace is a leading provider of high-speed network packet recording, playback, and analytics solutions. Specializing in network visibility and security, Endace empowers organizations to confidently manage, secure, and optimize their networks. By capturing and analyzing vast amounts of network data in real-time, Endace enables businesses to swiftly detect and respond to security threats, troubleshoot network performance issues, and comply with regulatory requirements.

Architecture

This will differ slightly from our typical ingest integrations. Endace provides full network packet capture, but using Packetbeat's flow support on their probes allows us to ingest data from a span port on the Endace probes. The goal of the integration is to allow users to pivot from a document with the flow information within Elastic to Endace, in order to deeply investigate the packet data in Endace.

@jamesagarside has started an implementation whereby an Endace integration, based on the Network Packet Capture integration's flow support, can be used as the basis for the Endace integration. The integration will then contain an option to provide the URL for the Endace UI to ensure certain fields (like source/destination IP) can be hyperlinked to Endace's UI.

In the future we can explore additional use cases and data from Endace, but this is a great starting point to add value to Endace and Elastic's mutual customers. Endace have also agreed to collaborate on dashboards, detection rules, etc.

Endace has similar integrations which can be viewed here: Palo Alto and Splunk

Integration release checklist

This checklist is intended for integrations maintainers to ensure consistency
when creating or updating a Package, Module or Dataset for an Integration.

All changes

  • Change follows the contributing guidelines
  • Supported versions of the monitoring target are documented
  • Supported operating systems are documented (if applicable)
  • Integration or System tests exist
  • Documentation exists
  • Fields follow ECS and naming conventions
  • At least a manual test with ES / Kibana / Agent has been performed.
  • Required Kibana version set to:

New Package

  • Screenshot of the "Add Integration" page on Fleet added

Dashboards changes

  • Dashboards exists
  • Screenshots added or updated
  • Datastream filters added to visualizations

Log dataset changes

  • Pipeline tests exist (if applicable)
  • Generated output for at least 1 log file exists
  • Sample event (sample_event.json) exists
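The Architecture section above describes pivoting from a Packetbeat flow document in Elastic to the Endace UI via an operator-supplied base URL. The following is an added illustration, not code from the integration package or from Endace: it builds such a pivot link from an ECS flow document, validating the configured base URL and the IP fields before they are placed in the link. The flow document, the hostname and the query parameter names are constructed assumptions; the real Endace UI parameters are not given in this issue.

```python
import ipaddress
from urllib.parse import urlencode, urlsplit

# Constructed sample: a Packetbeat flow document in ECS shape, like the ones the
# integration would ingest from a span port on an Endace probe.
SAMPLE_FLOW = {
    "@timestamp": "2024-04-12T10:15:30.000Z",
    "event": {"start": "2024-04-12T10:15:00.000Z", "end": "2024-04-12T10:15:30.000Z"},
    "source": {"ip": "10.1.2.3", "port": 51234},
    "destination": {"ip": "203.0.113.10", "port": 443},
    "network": {"transport": "tcp"},
}


def validate_base_url(base_url: str) -> str:
    """Accept only an absolute https URL for the operator-configured Endace UI.

    Rejecting anything else stops a misconfigured option from producing links
    with javascript:/data: schemes or relative paths inside Kibana."""
    parts = urlsplit(base_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"Endace UI URL must be absolute https, got {base_url!r}")
    return base_url.rstrip("/")


def pivot_url(flow: dict, base_url: str) -> str:
    """Build a pivot link from a flow document to the Endace UI.

    The query parameter names below are assumptions for illustration only."""
    base = validate_base_url(base_url)
    # Parse the addresses so that only well-formed IPs, never arbitrary strings
    # carried in the document, end up in the generated link.
    src = str(ipaddress.ip_address(flow["source"]["ip"]))
    dst = str(ipaddress.ip_address(flow["destination"]["ip"]))
    params = {
        "src": src,
        "dst": dst,
        "sport": int(flow["source"]["port"]),
        "dport": int(flow["destination"]["port"]),
        "proto": flow["network"]["transport"],
        "start": flow["event"]["start"],
        "end": flow["event"]["end"],
    }
    # urlencode percent-encodes the timestamps' colons and any other reserved characters.
    return f"{base}/search?{urlencode(params)}"
```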
@jamiehynds jamiehynds added New Integration Issue or pull request for creating a new integration package. Team:Security-Deployment and Devices Deployment and Devices Security team [elastic/sec-deployment-and-devices] labels Apr 12, 2024
@elasticmachine

Pinging @elastic/sec-deployment-and-devices (Team:Security-Deployment and Devices)

@jamiehynds jamiehynds added Team:Security-Linux Platform Linux Platform Security team [elastic/sec-linux-platform] and removed Team:Security-Deployment and Devices Deployment and Devices Security team [elastic/sec-deployment-and-devices] labels Apr 17, 2024
@elasticmachine

Pinging @elastic/sec-linux-platform (Team:Security-Linux Platform)

@jamiehynds (Author)

@norrietaylor - @jamesagarside has built an initial integration package with Endace (based on the flow support we have in the Network Packet Capture integration). Is there someone from the Linux platform team that could assist with creating the PR and reviewing James's package?

@norrietaylor norrietaylor added the Team:Security-Deployment and Devices Deployment and Devices Security team [elastic/sec-deployment-and-devices] label Apr 22, 2024
@norrietaylor (Member)

The Linux team is incredibly resource-constrained right now. To keep this moving, I will add this task to the Deployment and Devices team backlog. We can discuss it during this week's team meeting. Once an engineer is assigned, they can work directly with @jamesagarside to review and merge the PR.

I believe this should be owned by the Linux team moving forward for SDHs and maintenance due to the dependency on packetbeat and similarities to the Network Packet Capture integration. cc/ @nfritts

@mjwolf mjwolf self-assigned this Apr 24, 2024
@mjwolf (Contributor)

mjwolf commented Apr 24, 2024

@jamesagarside I'll help you out with this

@jamesagarside

Update on this: we have an MVP, I'm just finalising tests: https://github.com/elastic/integrations/tree/endace

@jamesagarside

@jamiehynds @mjwolf #10308

PR is in, however I can't view the SonarQube test results.

@mjwolf (Contributor)

mjwolf commented Jul 2, 2024

> @jamiehynds @mjwolf #10308
>
> PR is in, however I can't view the SonarQube test results.

I'll send you the details of the SonarQube report, and review the PR.
