Remove Security Category Tag from Non-Security Packages

[JDKurma]

Proposed commit message

The following packages are categorized as security despite not being semantically related to security nor having security related datastreams:

[
  "cisco_meraki_metrics",
  "miniflux",
  "mongodb",
  "mysql"
]

Datastreams:

[
  {
    "package": "cisco_meraki_metrics",
    "datastream": "cisco_meraki_metrics.device_health"
  },
  {
    "package": "miniflux",
    "datastream": "miniflux.feed_entry"
  },
  {
    "package": "mongodb",
    "datastream": "mongodb.collstats"
  },
  {
    "package": "mongodb",
    "datastream": "mongodb.dbstats"
  },
  {
    "package": "mongodb",
    "datastream": "mongodb.log"
  },
  {
    "package": "mongodb",
    "datastream": "mongodb.metrics"
  },
  {
    "package": "mongodb",
    "datastream": "mongodb.replstatus"
  },
  {
    "package": "mongodb",
    "datastream": "mongodb.status"
  },
  {
    "package": "mysql",
    "datastream": "mysql.error"
  },
  {
    "package": "mysql",
    "datastream": "mysql.galera_status"
  },
  {
    "package": "mysql",
    "datastream": "mysql.performance"
  },
  {
    "package": "mysql",
    "datastream": "mysql.replica_status"
  },
  {
    "package": "mysql",
    "datastream": "mysql.slowlog"
  },
  {
    "package": "mysql",
    "datastream": "mysql.status"
  }
]

I've removed the security tag for the above mentioned packages to accurately categorize them.

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.
• I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

• [ ]

How to test this PR locally

Related issues

• [Enhancement] Update categories for packages #14571

Screenshots

[elasticmachine]

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

[efd6]

@clement-fouque Do you recall why this was added as a security integration?

[clement-fouque]

I think we had a discussion but I don't remember why we added it. We can remove it.

[lalit-satapathy]

It is owned by security team, has it no security use case?

[efd6]

@Mikaayenson What's your view on whether the bedrock integration is a security product?

[Mikaayenson]

We do have prebuilt security detection rules that leverage this integration.

This is the same case for azure_openai.

Note: We have some PRs in the work to further codify security related genai fields. See:

• Stage 0: [RFC] Stage 0: Add additional GenAI fields ecs#2519
• Stage 1: [RFC 0052] Stage 1: Update GenAI fields ecs#2525
• Stage 2: [RFC 0052] Stage 2: Update additional GenAI fields  ecs#2532

[JDKurma]

Reverted the changes for those!

[elastic-vault-github-plugin-prod]

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

[muthu-mps]

• azure_app_service logs include the AppServiceIPSecAuditLogs, AppServiceAuditLogs and AppServiceHTTPLogs categories. This integration can be tagged with security category.
• Azure AI Foundry is an enhanced version of Azure OpenAI that currently enables monitoring of both third-party models and Azure OpenAI models. @Mikaayenson - Do you think the threat detection rule implementation can be done for AI Foundry similar to Azure OpenAI? If yes, Then this integration can get tagged with security category similar to Azure OpenAI.

[Mikaayenson]

• azure_app_service logs include the AppServiceIPSecAuditLogs, AppServiceAuditLogs and AppServiceHTTPLogs categories. This integration can be tagged with security category.
• Azure AI Foundry is an enhanced version of Azure OpenAI that currently enables monitoring of both third-party models and Azure OpenAI models. @Mikaayenson - Do you think the threat detection rule implementation can be done for AI Foundry similar to Azure OpenAI? If yes, Then this integration can get tagged with security category similar to Azure OpenAI.

Yes, we just do not yet have any prebuilt rules for this integration. And if we ever get a gemini integration that would too.

[JDKurma]

@muthu-mps removed both!

[trisch-me]

why this was removed? It was added a year ago so I’m concerned if this is a correct approach.

[lalit-satapathy]

It is fine to assume that the metrics one is purely o11y usecase?

[trisch-me]

lgtm apart from 1 change

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: 9d42d2b

History

• 💚 Build #32787 succeeded b918827
• 💚 Build #32735 succeeded ec75bb4
• 💚 Build #32723 succeeded c2e56b3
• 💚 Build #32606 succeeded b332ed4
• 💚 Build #32544 succeeded 5b28f03

cc @JDKurma

[lalit-satapathy]

It is owned by security team, has it no security use case?

[lalit-satapathy]

Looks fine

[lalit-satapathy]

Looks fine

[lalit-satapathy]

It is fine to assume that the metrics one is purely o11y usecase?

[daniela-elastic]

CC @jamiehynds There was a whole re-categorization effort done recently to more effectively label the various use cases for each integration (see PR). As a result, additional solution categories were added to some integrations.

The bigger picture:
A decision of how we label an integration (o11y or security) is how customers ultimately use it. Today there are integrations that are effectively used for both but are mis-labled as only catering to one use case. For example, recently speaking with field team revealed that the Netflow integration is being used by customers and sold as a through-and-through observability integration, however it is not labeled as such (see manifest file)

Next steps:
@jamiehynds it would be worth for sec and o11y to align on the usefuless and intended purpose of the solution category. This can help drive more clarity and easier decision making on the correct labelling.