@janvi-elastic (Contributor)

Type of change

  • Enhancement

Proposed commit message

  • Add event.provider and rule.name ecs fields.
  • Update event.severity values.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

How to test this PR locally

  • Clone integrations repo.
  • Install elastic package locally.
  • Start elastic stack using elastic-package.
  • Move to integrations/packages/microsoft_sentinel directory.
  • Run the following command to run tests.

elastic-package test

Run pipeline tests for the package
--- Test results for package: microsoft_sentinel - START ---
╭────────────────────┬─────────────┬───────────┬───────────────────────────────────────────┬────────┬──────────────╮
│ PACKAGE            │ DATA STREAM │ TEST TYPE │ TEST NAME                                 │ RESULT │ TIME ELAPSED │
├────────────────────┼─────────────┼───────────┼───────────────────────────────────────────┼────────┼──────────────┤
│ microsoft_sentinel │ alert       │ pipeline  │ (ingest pipeline warnings test-alert.log) │ PASS   │ 459.335779ms │
│ microsoft_sentinel │ alert       │ pipeline  │ test-alert.log                            │ PASS   │ 195.104359ms │
╰────────────────────┴─────────────┴───────────┴───────────────────────────────────────────┴────────┴──────────────╯
--- Test results for package: microsoft_sentinel - END   ---
Done
--- Test results for package: microsoft_sentinel - START ---
╭────────────────────┬─────────────┬───────────┬───────────┬────────┬───────────────╮
│ PACKAGE            │ DATA STREAM │ TEST TYPE │ TEST NAME │ RESULT │  TIME ELAPSED │
├────────────────────┼─────────────┼───────────┼───────────┼────────┼───────────────┤
│ microsoft_sentinel │ alert       │ system    │ default   │ PASS   │ 36.560536052s │
│ microsoft_sentinel │ incident    │ system    │ default   │ PASS   │  39.30994259s │
╰────────────────────┴─────────────┴───────────┴───────────┴────────┴───────────────╯
--- Test results for package: microsoft_sentinel - END   ---
Done

@janvi-elastic janvi-elastic requested a review from a team as a code owner March 31, 2025 12:26
@elastic-vault-github-plugin-prod

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@elasticmachine

💚 Build Succeeded


@jamiehynds jamiehynds added the Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] label Mar 31, 2025
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@andrewkroh andrewkroh added Integration:microsoft_sentinel Microsoft Sentinel Crest Contributions from Crest development team. labels Mar 31, 2025
@kcreddy (Contributor) left a comment


@janvi-elastic, do you have a tracking issue for this?
I just want to verify if the mapping is correctly done based on a requirement.

@janvi-elastic (Contributor, Author)

@janvi-elastic, do you have a tracking issue for this? I just want to verify if the mapping is correctly done based on a requirement.

No, we don't have an issue for this.

Comment on lines +69 to +71
"rule": {
  "name": "myAlert"
},
@kcreddy (Contributor) Apr 2, 2025


In this change, the rule.name is being populated from alertDisplayName raw field.

@jamiehynds, I'm not sure if this is a correct match. As per docs, the rule.* fields are populated by rules generating the alert itself. Is it okay to populate it with alert name?

(@janvi-elastic confirmed we don't have raw data to verify if this mapping is correct.)

Contributor

Since this is a beta integration, we can go ahead with this. If this is not the intended mapping, it can be updated before GA.
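
An added example, not code from this PR or from the integration package: it checks the ECS fields the PR populates (rule.name, event.provider, event.severity) the way a pipeline test compares a produced document against its expected document, so a mapping that still emits the raw severity string instead of a number is caught. The ECS types and the document contents are assumptions; only the rule.name value "myAlert" comes from the review thread.

```python
from typing import Any, Iterator

# ECS types assumed from the ECS field reference: event.severity is a long,
# event.provider and rule.name are keywords (strings).
ECS_TYPES = {"event.severity": int, "event.provider": str, "rule.name": str}


def flatten(doc: dict, prefix: str = "") -> Iterator[tuple[str, Any]]:
    """Yield (dotted.path, value) pairs for a nested JSON document."""
    for key, value in doc.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            yield from flatten(value, path + ".")
        else:
            yield path, value


def validate_ecs(doc: dict) -> list[str]:
    """Return one problem string per ECS field that is missing or has the wrong type."""
    fields = dict(flatten(doc))
    problems = []
    for path, expected_type in ECS_TYPES.items():
        if path not in fields:
            problems.append(f"{path}: missing")
        # bool is a subclass of int in Python, so exclude it explicitly for the long field.
        elif not isinstance(fields[path], expected_type) or isinstance(fields[path], bool):
            got = type(fields[path]).__name__
            problems.append(f"{path}: expected {expected_type.__name__}, got {got}")
    return problems


def diff_expected(actual: dict, expected: dict) -> dict[str, tuple[Any, Any]]:
    """Paths whose values differ between a produced document and the expected one."""
    a, e = dict(flatten(actual)), dict(flatten(expected))
    return {p: (a.get(p), e.get(p)) for p in a.keys() | e.keys() if a.get(p) != e.get(p)}


# Constructed documents standing in for a pipeline test's expected output (assumed values).
EXPECTED = {"event": {"provider": "Microsoft Sentinel", "severity": 3}, "rule": {"name": "myAlert"}}
PRODUCED_OK = {"event": {"provider": "Microsoft Sentinel", "severity": 3}, "rule": {"name": "myAlert"}}
# A pipeline that copies the raw severity string through fails both the type check and the diff.
PRODUCED_BAD = {"event": {"provider": "Microsoft Sentinel", "severity": "High"}, "rule": {"name": "myAlert"}}

if __name__ == "__main__":
    print(validate_ecs(PRODUCED_BAD), diff_expected(PRODUCED_BAD, EXPECTED))
```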

@kcreddy kcreddy merged commit 274930b into elastic:main Apr 3, 2025
7 checks passed
@elastic-vault-github-plugin-prod

Package microsoft_sentinel - 0.6.0 containing this change is available at https://epr.elastic.co/package/microsoft_sentinel/0.6.0/

flexitrev pushed a commit that referenced this pull request Apr 3, 2025
…update event.severity values (#13360)

- Add event.provider and rule.name ecs fields.
- Update event.severity values.