[Netskope] Add alerts_events_v2 data stream to fetch the data for alerts_v2 and events_v2 from a single queue #15697
Conversation
…ents_v2 data from a single queue
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)
| bucket_arn: {{bucket_arn}} | ||
| {{/if}} | ||
| {{#if number_of_workers}} | ||
| number_of_workers: {{number_of_workers}} | 
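Review bot: the `{{#if number_of_workers}}` block sits directly after the `bucket_arn` conditional, inside the enclosing collection-mode block, so the worker count is only rendered for one of the two S3 paths. Because `number_of_workers` governs both SQS consumption and bucket polling (and, as noted in this thread, `max_number_of_messages` no longer takes effect on newer agents), move the block outside the `collect_s3_logs` and `queue_url` conditionals so that both modes receive it.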
Hello @moxarth-rathod,
This needs to be outside `#if collect_s3_logs` and `#if queue_url`, as the setting `number_of_workers` is applied to both ways of getting data from S3, polling and SQS; the setting `max_number_of_messages` is ignored on agents higher than 8.16+.
For more context, this was reported on #13179 and fixed on multiple integrations on #13350.
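The placement the reviewer describes, as an added illustration and not the PR's actual agent template: the worker setting is moved out of the collection-mode conditionals so it is emitted for both the SQS and the bucket-polling paths. The variable names `collect_s3_logs`, `queue_url`, `bucket_arn` and `number_of_workers` are the ones visible in the thread; the exact nesting of the "before" fragment is assumed for contrast.

```handlebars
{{!-- Before (assumed layout): number_of_workers nested inside the
     collection-mode block, so only one S3 path ever receives it. --}}
{{#if collect_s3_logs}}
{{#if bucket_arn}}
bucket_arn: {{bucket_arn}}
{{/if}}
{{#if number_of_workers}}
number_of_workers: {{number_of_workers}}
{{/if}}
{{/if}}

{{!-- After: the mode-specific keys stay inside their branches;
     number_of_workers is rendered whenever it is set, regardless
     of whether SQS (queue_url) or polling (bucket_arn) is active. --}}
{{#if collect_s3_logs}}
{{#if queue_url}}
queue_url: {{queue_url}}
{{/if}}
{{#if bucket_arn}}
bucket_arn: {{bucket_arn}}
{{/if}}
{{/if}}
{{#if number_of_workers}}
number_of_workers: {{number_of_workers}}
{{/if}}
```

Rendering the template once with `queue_url` set and once with `bucket_arn` set is the quickest check: in both outputs `number_of_workers` should appear as a top-level key of the input configuration.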
Thanks! I've made the changes accordingly.
|  | ||
| **Note**: It is recommended to use the combined alerts_events_v2 data stream rather than configuring the individual events_v2 or alerts_v2 data stream. The alerts_events_v2 stream automatically directs logs to the appropriate individual data streams. | ||
|  | ||
| If the individual v2 data streams, events_v2 or alerts_v2, are used via SQS, it is necessary to implement event-based bucket segregation. | 
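Review bot: the second paragraph asserts that "event-based bucket segregation" is necessary without saying what the user has to do or why. According to the Netskope behaviour described in this thread (alerts are streamed together with any selected event types), an individual v2 data stream reading a mixed SQS queue would receive record types it does not handle; the note should either state that the combined stream is the supported configuration for a mixed queue, or spell out the segregation (a separate bucket/queue per stream, each carrying only one record type).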
This may change in the future, but according to current Netskope documentation, if you choose any event type and alerts, they will be streamed together.
The user may choose to stream only events or to stream only alerts, but when choosing alerts and any other event type, they will be streamed together.
| "city_name": "Ikebukuro", | ||
| "country_iso_code": "AU", | ||
| "location": { | ||
| "lat": 37.7749, | ||
| "lon": 151.2093 | ||
| }, | ||
| "postal_code": "2099", | ||
| "region_name": "Western Australia", | ||
| "timezone": "America/Los_Angeles" | 
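Review bot: the sample geo fields in this hunk are mutually inconsistent: `"city_name": "Ikebukuro"` alongside `"country_iso_code": "AU"`, `"region_name": "Western Australia"`, `"postal_code": "2099"`, `"timezone": "America/Los_Angeles"`, and a `location` of lat 37.7749 / lon 151.2093. A synthetic fixture is fine for a pipeline test, but README sample events are read as reference output; use one coherent location (or generate the fixture from a single real lookup) so reviewers can tell a mapping bug from deliberately scrambled data.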
🤣
🌏 🌍 🌎
Outdated review threads (resolved):
- packages/netskope/data_stream/alerts_events_v2/routing_rules.yml
- packages/netskope/data_stream/alerts_events_v2/elasticsearch/ingest_pipeline/default.yml
🚀 Benchmarks report

| Data stream | Previous EPS | New EPS | Diff (EPS / %) | Result |
|---|---|---|---|---|
| alerts_v2 | 1212.12 | 861.33 | -350.79 (-28.94%) | 💔 |
| events | 2070.39 | 1636.66 | -433.73 (-20.95%) | 💔 |

To see the full report, comment with `/test benchmark fullreport`.

💚 Build Succeeded
| field: ecs.version | ||
| tag: set_ecs_version | ||
| value: 8.17.0 | ||
| value: 8.17. | 
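Review bot: `value: 8.17.` has a trailing dot and is not a valid ECS version string; the `set_ecs_version` processor should write a full version such as `value: 8.17.0`, otherwise `ecs.version` in the routed documents will not match what the mappings and dashboards expect.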
| value: 8.17. | |
| value: 8.17.0 | 
| - json: | ||
| field: event.original | ||
| tag: json_event_original | ||
| target_field: netskope.alerts_or_events | 
Any reason why we are not using the data stream name, i.e. netskope.alerts_events_v2, but instead opting for netskope.alerts_or_events?
|  | ||
| Considering you already have an AWS S3 bucket setup, to configure it with Netskope, follow [these steps](https://docs.netskope.com/en/stream-logs-to-amazon-s3) to enable the log streaming. | ||
|  | ||
| **Note**: It is recommended to use the combined alerts_events_v2 data stream rather than configuring the individual events_v2 or alerts_v2 data stream. The alerts_events_v2 stream automatically directs logs to the appropriate individual data streams. | 
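Review bot: the note recommends the combined stream but does not tell the user what to do with the individual Events V2 and Alerts V2 streams. Add a sentence that they must be left disabled when the combined stream is enabled, since pointing both the combined stream and an individual stream at the same SQS queue would have two consumers competing for the same messages.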
Unless users look at the integration code, they are not aware of alerts_events_v2, events_v2, or alerts_v2. It might be better to use titles instead: Alerts V2 and Events V2, Events V2, and Alerts V2.
| ### Alerts V2 | ||
|  | ||
| {{fields "alerts_v2"}} | ||
|  | ||
| {{event "alerts_v2"}} | ||
|  | ||
| ### Events | ||
|  | ||
| {{fields "events"}} | ||
|  | ||
| {{event "events"}} | ||
|  | ||
| ### Events V2 | ||
|  | ||
| {{fields "events_v2"}} | ||
|  | ||
| {{event "events_v2"}} | ||
|  | 
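Review bot: the README template has sections for Alerts V2, Events and Events V2 but none for the combined stream that the note above recommends as the default configuration; add an `### Alerts V2 and Events V2` section with its `{{fields "alerts_events_v2"}}` and `{{event "alerts_events_v2"}}` so users see what the recommended stream emits, as requested in this thread.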
Can we also add system tests for this routing data stream alerts_events_v2, and add sample event and field mappings to README? Looks like it is possible, example
> @moxarth-rathod, the field definitions are not present in each of the routed data streams; it will likely cause errors when the data is routed and published in the respective dataset. Have we tested this with live data? I believe it's necessary to test this with the fields absent and present. Can we do this?

After discussing with @moxarth-rathod, the respective field definitions are present and a live test has also been performed.
LGTM
Proposed commit message

Checklist
- changelog.yml file.

How to test this PR locally
Additionally, the following cloud credentials are required to set up:
AWS:

Related issues