Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

Can you provide a reference for the changes here?

I am not quite sure what you mean.
The changes are basically adding more extractions so that the data is more usable compared to the past :)

I am not quite sure what you mean.
The changes are basically adding more extractions so that the data is more usable compared to the past :)

The changes depend on an understanding of the expected layout of the data. It would be nice to have a reference for that for future maintenance.

We have added the following fields and why:
(I hope this helps)

event.reason:
https://www.elastic.co/docs/reference/ecs/ecs-event#field-event-reason
We would like to fill this field with the reason on why an event triggered.
Before now that data was in the message field, so it was available but not really searchable.
Examples: Entry Created, Entry Duplicated, Sign-in Failed
When we talk about "Entry" in the context of the application "Pleasant Password Server" we mean a password element inside of the password server. This is quite important to understand the custom fields we added

pps.*
We added this as an object that holds all Pleasant Password Server specific fields because we where not able to find a proper mapping to ECS.
Of course if you have ideas for mapping, we are open to them since we prefer ECS to custom fields.

pps.entry.*
We added the entry object which should hold all the information about what en Entry is or what happened to an Entry. We tried to make it similar to for example the ECS field "user"
Important is that as stated before, "Entry" is the name that the Pleasant Password Server uses to describe a Password Object in the database.

pps.entry.path
We added Path so that the Path of where an Entry is situated can be extracted into it.

pps.entry.reason
We added Reason so that the reason for, for example a modification of an Entry can be extracted into it.
Reason is not often seen in logs though.

pps.entry.name
This is the name of an "Entry" that was accessed or modified, deleted etc.

pps.entry.target.name
This field is only relevant on changes to the name of an "Entry"
It is very similar to user.name and user.target.name in function.
Hence this field always comes together with the old name of an entry (pps.entry.name) and the new one.

pps.entry.username
This field is a bit difficult to understand, this is not the User who is accessing or modifying an "Entry" but the username of that password entry in the password safe.
So it will almost always differ from user.name

pps.entry.target.username
This field just like pps.entry.target.name is only relevant on changes, but this time to the username within an "Entry"

Why we didn't put all the entry information directly into pps.* is basically to anticipate that maybe in the future other fields could become important that would not mix well with the entry fields.

Is there a reference for the field syntax in the log lines that we are consuming?

Maybe this will help:
https://pleasantpasswords.com/info/pleasant-password-server/g-logging/audit-log-contents

Thanks, that's good. There are two outstanding review comments, then I can run the tests.

I resolved them, I hope they where committed as well, but I didn't have a commit button on them

They are resolved, but unchanged. I'll do it.

/test

/test

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

/test

💚 Build Succeeded

• Buildkite Build
• Commit: 4e19b37

History

• 💚 Build #33041 succeeded 72a6d0e
• 💔 Build #33033 failed 70e3376

Package pps - 1.1.0 containing this change is available at https://epr.elastic.co/package/pps/1.1.0/