8 changes: 8 additions & 0 deletions packages/blacklens/changelog.yml
@@ -1,4 +1,12 @@
# newer versions go on top
- version: "1.0.0"
changes:
- description: Make integration GA.
type: enhancement
link: https://github.com/elastic/integrations/pull/16893
- description: Update fields to match new JSON schema.
type: breaking-change
link: https://github.com/elastic/integrations/pull/16893
- version: "0.5.0"
changes:
- description: Prevent updating fleet health status to degraded when pagination completes.
@@ -1 +1 @@
{"updated_date":"2024-11-12T09:39:58.489Z","created_date":"2024-11-12T09:39:58.489Z","id":1001,"details":{"id":100,"engine":"Port Scanner","title":"New Open Port"},"severity":"medium","affected_entities":2,"alert_outcome":"affected","alert_status":"resolved","customer_state":"open","alert_payload":[],"type_id":100}
{"updated_date":"2025-12-31T16:10:56.155874Z","created_date":"2025-12-30T16:11:57.194393Z","id":"7ea10c5d-559a-4c55-8608-2e060956de68","name":"External Vulnerability Detected","type":"ExternalVulnerabilityDiscovered","severity":"high","status":"new","analysis":"completed","category":"vulnerability","activities":[{"updated_date":null,"created_date":"2025-12-30T16:11:40.195989Z","id":"73dcaa88-09e1-4c58-9fa5-5495f8dac2a4","type":"ExternalVulnerabilityCreated","description":"A Critical severity external vulnerability 'Blind SQL Injection via HTTP Header' has been detected on asset 'demo.example.com'","category":"threat","trace_id":"40eda190-83fd-4a1b-8155-3a1c7434b319","data":{}}]}
@@ -1,17 +1,26 @@
{
"expected": [
{
"@timestamp": "2024-11-12T09:39:58.489Z",
"@timestamp": "2025-12-30T16:11:57.194Z",
"blacklens": {
"alert": {
"id": 1001,
"outcome": "affected",
"severity": "medium",
"status": "resolved",
"title": "New Open Port",
"type": "Port Scanner",
"type_id": 100,
"updated_date": "2024-11-12T09:39:58.489Z"
"activities": [
{
"category": "threat",
"created_date": "2025-12-30T16:11:40.195989Z",
"description": "A Critical severity external vulnerability 'Blind SQL Injection via HTTP Header' has been detected on asset 'demo.example.com'",
"id": "73dcaa88-09e1-4c58-9fa5-5495f8dac2a4",
"trace_id": "40eda190-83fd-4a1b-8155-3a1c7434b319",
"type": "ExternalVulnerabilityCreated"
}
],
"analysis": "completed",
"category": "vulnerability",
"id": "7ea10c5d-559a-4c55-8608-2e060956de68",
"name": "External Vulnerability Detected",
"severity": "high",
"status": "new",
"updated_date": "2025-12-31T16:10:56.155Z"
}
},
"ecs": {
Expand All @@ -21,8 +30,8 @@
"category": [
"threat"
],
"id": "1001",
"original": "{\"updated_date\":\"2024-11-12T09:39:58.489Z\",\"created_date\":\"2024-11-12T09:39:58.489Z\",\"id\":1001,\"details\":{\"id\":100,\"engine\":\"Port Scanner\",\"title\":\"New Open Port\"},\"severity\":\"medium\",\"affected_entities\":2,\"alert_outcome\":\"affected\",\"alert_status\":\"resolved\",\"customer_state\":\"open\",\"alert_payload\":[],\"type_id\":100}",
"id": "7ea10c5d-559a-4c55-8608-2e060956de68",
"original": "{\"updated_date\":\"2025-12-31T16:10:56.155874Z\",\"created_date\":\"2025-12-30T16:11:57.194393Z\",\"id\":\"7ea10c5d-559a-4c55-8608-2e060956de68\",\"name\":\"External Vulnerability Detected\",\"type\":\"ExternalVulnerabilityDiscovered\",\"severity\":\"high\",\"status\":\"new\",\"analysis\":\"completed\",\"category\":\"vulnerability\",\"activities\":[{\"updated_date\":null,\"created_date\":\"2025-12-30T16:11:40.195989Z\",\"id\":\"73dcaa88-09e1-4c58-9fa5-5495f8dac2a4\",\"type\":\"ExternalVulnerabilityCreated\",\"description\":\"A Critical severity external vulnerability 'Blind SQL Injection via HTTP Header' has been detected on asset 'demo.example.com'\",\"category\":\"threat\",\"trace_id\":\"40eda190-83fd-4a1b-8155-3a1c7434b319\",\"data\":{}}]}",
"type": [
"indicator"
]
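Review bot: The expected output still classifies the event as `event.category: ["threat"]` / `event.type: ["indicator"]` (the unchanged context at the end of this hunk) even though the new alert model now describes a detected external vulnerability on an asset (`blacklens.alert.category: "vulnerability"`, `name: "External Vulnerability Detected"`). ECS defines a `vulnerability` value for `event.category`, and the `indicator` type is meant for threat-intelligence indicators, so the categorization may no longer fit; the processor that sets these values is outside every hunk on this page, so this is an inference to confirm against the pipeline. The expected activities entry also no longer carries the `updated_date: null` and `data: {}` members present in the input, which presumably means a null/empty cleanup step runs after the rename — worth confirming that it is intentional rather than a side effect, since `activities.updated_date` is a mapped field.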
Expand Up @@ -52,28 +52,24 @@ processors:
target_field: blacklens.alert.severity
ignore_missing: true
- rename:
field: json.alert_status
field: json.status
target_field: blacklens.alert.status
ignore_missing: true
- rename:
field: json.alert_outcome
target_field: blacklens.alert.outcome
field: json.analysis
target_field: blacklens.alert.analysis
ignore_missing: true
- rename:
field: json.details.engine
target_field: blacklens.alert.type
field: json.category
target_field: blacklens.alert.category
ignore_missing: true
- rename:
field: json.type_id
target_field: blacklens.alert.type_id
field: json.name
target_field: blacklens.alert.name
ignore_missing: true
- rename:
field: json.details.title
target_field: blacklens.alert.title
ignore_missing: true
- rename:
field: json.alert_payload
target_field: blacklens.alert.details
field: json.activities
target_field: blacklens.alert.activities
ignore_missing: true
- remove:
field: json
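Review bot: The top-level `json.type` of the new payload (`"type":"ExternalVulnerabilityDiscovered"` in the test input) is not renamed anywhere in this hunk, and the trailing `remove` of `json` discards it, so the alert's type is only recoverable from `event.original`; the old `json.details.engine → blacklens.alert.type` rename that this hunk deletes was the field that used to carry that information. Unless a processor outside the hunk handles it, add `- rename: {field: json.type, target_field: blacklens.alert.type, ignore_missing: true}` next to the `json.name` rename (and keep `type` as a `keyword` in fields.yml, which this PR currently drops). The processors list starts above the hunk, so the `event.*` and id handling could not be checked here.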
38 changes: 26 additions & 12 deletions packages/blacklens/data_stream/alerts/fields/fields.yml
Expand Up @@ -5,26 +5,40 @@
type: date
description: Activity last updated time (UTC).
- name: id
type: integer
type: keyword
description: Unique Alert ID
- name: severity
type: keyword
description: Alert Severity
- name: status
type: keyword
description: Current Status of the Alert
- name: outcome
- name: analysis
type: keyword
description: Determines whether the current alert triggers further events
- name: type
- name: category
type: keyword
description: Alert Type (Engine)
- name: type_id
type: integer
description: Alert Type ID (Engine)
- name: title
description: Alert category
- name: name
type: keyword
description: Title/Description of the given Alert
- name: details
type: nested
description: Alert Details
description: Name of the given Alert
- name: activities
description: Associated Activities of the Alert
type: group
fields:
- name: id
type: keyword
- name: created_date
type: date
- name: updated_date
type: date
- name: category
type: keyword
- name: type
type: keyword
- name: description
type: keyword
- name: trace_id
type: keyword
- name: data
type: nested
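Review bot: The `analysis` field keeps the description of the `outcome` field it replaces ("Determines whether the current alert triggers further events"), which does not describe a value like `completed`; change it to something along the lines of `description: Analysis state of the alert (for example "completed").`. None of the eight `activities` sub-fields has a `description`, which is why the generated README table in this PR shows empty description cells for every `blacklens.alert.activities.*` row; each should get a one-line description (activity id, creation/update time, category, type, free-text description, trace id, and the opaque `data` payload). `activities.description` is free text (the sample value is a full sentence naming the finding and the asset) but is mapped as `keyword`; if the package's default `ignore_above` applies to keywords, longer descriptions will silently be left unindexed, so `text` or `match_only_text` may be the better type. `activities.data` is mapped `nested` with no declared sub-fields while the sample only shows `{}`; if its shape is arbitrary, `flattened` avoids unbounded dynamic sub-field mappings — this depends on the real payloads, which the page does not show.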
115 changes: 62 additions & 53 deletions packages/blacklens/data_stream/alerts/sample_event.json
@@ -1,55 +1,64 @@
{
"@timestamp": "2024-11-12T09:39:58.489Z",
"agent": {
"ephemeral_id": "6f67dab1-a41b-450f-a155-a71e23a90def",
"id": "078a56bf-68d7-4243-a5de-83dfb7e00e88",
"name": "elastic-agent-18047",
"type": "filebeat",
"version": "8.19.4"
},
"blacklens": {
"alert": {
"id": 1001,
"outcome": "affected",
"severity": "medium",
"status": "resolved",
"title": "New Open Port",
"type": "Port Scanner",
"type_id": 100,
"updated_date": "2024-11-12T09:39:58.489Z"
}
},
"data_stream": {
"dataset": "blacklens.alerts",
"namespace": "38546",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "078a56bf-68d7-4243-a5de-83dfb7e00e88",
"snapshot": false,
"version": "8.19.4"
},
"event": {
"agent_id_status": "verified",
"category": [
"threat"
],
"created": "2026-01-19T05:27:59.414Z",
"dataset": "blacklens.alerts",
"id": "1001",
"ingested": "2026-01-19T05:28:02Z",
"type": [
"indicator"
]
},
"input": {
"type": "httpjson"
},
"tags": [
"forwarded",
"blacklens-alert"
]
"@timestamp":"2024-11-12T09:39:58.489Z",
"agent":{
"ephemeral_id":"33939e93-54ef-4184-b92b-bc8f02e179a6",
"id":"f98f4444-6fca-4500-83b6-a8c5e8f32bf1",
"name":"elastic-agent-49577",
"type":"filebeat",
"version":"8.15.2"
},
"blacklens":{
"alert":{
"activities":[
{
"category":"threat",
"created_date":"2025-12-30T16:11:40.195989Z",
"description":"A Critical severity external vulnerability 'Blind SQL Injection via HTTP Header' has been detected on asset 'demo.example.com'",
"id":"73dcaa88-09e1-4c58-9fa5-5495f8dac2a4",
"trace_id":"40eda190-83fd-4a1b-8155-3a1c7434b319",
"type":"ExternalVulnerabilityCreated"
}
],
"analysis":"completed",
"category":"vulnerability",
"id":"7ea10c5d-559a-4c55-8608-2e060956de68",
"name":"External Vulnerability Detected",
"severity":"high",
"status":"new",
"updated_date":"2025-12-31T16:10:56.155Z"
}
},
"data_stream":{
"dataset":"blacklens.alerts",
"namespace":"41265",
"type":"logs"
},
"ecs":{
"version":"8.11.0"
},
"elastic_agent":{
"id":"f98f4444-6fca-4500-83b6-a8c5e8f32bf1",
"snapshot":false,
"version":"8.15.2"
},
"event":{
"agent_id_status":"verified",
"category":[
"threat"
],
"created":"2025-12-09T05:45:05.855Z",
"dataset":"blacklens.alerts",
"id":"1001",
"ingested":"2025-12-09T05:45:08Z",
"type":[
"indicator"
]
},
"input":{
"type":"httpjson"
},
"tags":[
"forwarded",
"blacklens-alert"
]
}
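Review bot: The new sample_event.json looks hand-edited rather than regenerated: it is no longer indented in the usual `key: value` layout, `@timestamp` stays at `2024-11-12T09:39:58.489Z` while the pipeline test expects `2025-12-30T16:11:57.194Z` for the same input, `event.id` stays `"1001"` while `blacklens.alert.id` is now the UUID (and the expected output uses the UUID for `event.id`), and the agent/elastic_agent versions went backwards from 8.19.4 to 8.15.2. Since the README's example event is rendered from this file, it would be better to regenerate it with the package tooling so that it matches the pipeline test output.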
43 changes: 29 additions & 14 deletions packages/blacklens/docs/README.md
Expand Up @@ -64,14 +64,23 @@ An example event for `alerts` looks as following:
},
"blacklens": {
"alert": {
"id": 1001,
"outcome": "affected",
"severity": "medium",
"status": "resolved",
"title": "New Open Port",
"type": "Port Scanner",
"type_id": 100,
"updated_date": "2024-11-12T09:39:58.489Z"
"activities": [
{
"category": "threat",
"created_date": "2025-12-30T16:11:40.195989Z",
"description": "A Critical severity external vulnerability 'Blind SQL Injection via HTTP Header' has been detected on asset 'demo.example.com'",
"id": "73dcaa88-09e1-4c58-9fa5-5495f8dac2a4",
"trace_id": "40eda190-83fd-4a1b-8155-3a1c7434b319",
"type": "ExternalVulnerabilityCreated"
}
],
"analysis": "completed",
"category": "vulnerability",
"id": "7ea10c5d-559a-4c55-8608-2e060956de68",
"name": "External Vulnerability Detected",
"severity": "high",
"status": "new",
"updated_date": "2025-12-31T16:10:56.155Z"
}
},
"data_stream": {
Expand Down Expand Up @@ -115,14 +124,20 @@ An example event for `alerts` looks as following:
| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
| blacklens.alert.details | Alert Details | nested |
| blacklens.alert.id | Unique Alert ID | integer |
| blacklens.alert.outcome | Determines whether the current alert triggers further events | keyword |
| blacklens.alert.activities.category | | keyword |
| blacklens.alert.activities.created_date | | date |
| blacklens.alert.activities.data | | nested |
| blacklens.alert.activities.description | | keyword |
| blacklens.alert.activities.id | | keyword |
| blacklens.alert.activities.trace_id | | keyword |
| blacklens.alert.activities.type | | keyword |
| blacklens.alert.activities.updated_date | | date |
| blacklens.alert.analysis | Determines whether the current alert triggers further events | keyword |
| blacklens.alert.category | Alert category | keyword |
| blacklens.alert.id | Unique Alert ID | keyword |
| blacklens.alert.name | Name of the given Alert | keyword |
| blacklens.alert.severity | Alert Severity | keyword |
| blacklens.alert.status | Current Status of the Alert | keyword |
| blacklens.alert.title | Title/Description of the given Alert | keyword |
| blacklens.alert.type | Alert Type (Engine) | keyword |
| blacklens.alert.type_id | Alert Type ID (Engine) | integer |
| blacklens.alert.updated_date | Activity last updated time (UTC). | date |
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
Expand Up @@ -214,7 +214,7 @@
"5daabdc5-ef58-44c4-abc6-e081ccc141b3": {
"dataType": "string",
"isBucketed": true,
"label": "Top 7 values of blacklens.alert.type",
"label": "Top 7 values of blacklens.alert.category",
"operationType": "terms",
"params": {
"exclude": [],
Expand All @@ -234,7 +234,7 @@
"size": 7
},
"scale": "ordinal",
"sourceField": "blacklens.alert.type"
"sourceField": "blacklens.alert.category"
},
"779791bd-efc6-4cd7-a348-e1f02e55da6a": {
"dataType": "number",
Expand Down Expand Up @@ -515,7 +515,7 @@
"596741f2-76ab-4053-96a3-f7d0c419e3ca": {
"dataType": "string",
"isBucketed": true,
"label": "Top 10 values of blacklens.alert.type",
"label": "Top 10 values of blacklens.alert.category",
"operationType": "terms",
"params": {
"accuracyMode": false,
Expand All @@ -536,7 +536,7 @@
"size": 10
},
"scale": "ordinal",
"sourceField": "blacklens.alert.type"
"sourceField": "blacklens.alert.category"
},
"740c7874-8bd6-4615-a570-bb61d09e2343": {
"customLabel": true,
Expand Down Expand Up @@ -671,7 +671,7 @@
"5adc4648-4eb7-4b43-9235-26d66a0ab3d2": {
"dataType": "string",
"isBucketed": true,
"label": "Top 5 values of blacklens.alert.type",
"label": "Top 5 values of blacklens.alert.category",
"operationType": "terms",
"params": {
"exclude": [],
Expand All @@ -691,7 +691,7 @@
"size": 5
},
"scale": "ordinal",
"sourceField": "blacklens.alert.type"
"sourceField": "blacklens.alert.category"
},
"772e1ee4-713b-4a0e-84ce-76b2030e1240": {
"dataType": "number",
2 changes: 1 addition & 1 deletion packages/blacklens/manifest.yml
@@ -1,7 +1,7 @@
format_version: 3.3.0
name: blacklens
title: "blacklens.io"
version: "0.5.0"
version: "1.0.0"
source:
license: "Elastic-2.0"
description: "Collect logs from blacklens.io with Elastic Agent"