Resolve #11741, bbot update based on testing using BBOT v2.1.2

[colin-stubbs]

• Enhancement

Proposed commit message

This commit adds BBOT v2.x NDJSON format support the integration, while simultaneously supporting the existing BBOT v1.x format.

It also adds a HTTP input configuration option to support webhook/NDJSON style logging over HTTP or HTTPS via Elastic Agent inputs.

Enhancements to ingest pipelines, as well as pipeline and system tests have also been made.

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.
• I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

• Pipeline and system tests complete
• Manual testing from live bbot system to production system using HTTP output/input methods captured all of the same events that were logged to file

How to test this PR locally

elastic-agent test

Related issues

• Closes Update bbot integration to support recent major v2.x release #11741

Screenshots

Not applicable.

See Also

https://blog.blacklanternsecurity.com/p/bbot-20-release-announcement

[efd6]

Are there specific fields that need to be included here to prevent mismapping? If not, this does not need to be present.

[colin-stubbs]

My experience is that there is a bunch of base ECS fields that need to be explicitly defined as elastic-package doesn't know about them for whatever reason. I'll re-test and dump the output if it's still the case with v0.108.0.

[colin-stubbs]

Yeah... nah, this isn't even that issue.

These need to be defined here for the field types to explicitly make it into the index component template. Otherwise yes 100% guaranteed some type of field type conflict will occur between the fields in the bbot.asm_intel indices and some other indices that have ECS conformant field types.

Expecting dynamic mapping by Elasticsearch to work reliably across all indices with highly variable data is, in my experience, a guaranteed way to get type conflicts and search failures.

related.ip is the most obvious one in my experience, as without explicit definition here Elasticsearch will simply consider it as a keyword within bbot.asm_intel indices while it will actually be defined as IP somewhere else.

url.full and url.original can also be problematic depending on how long/large they are in the early stages of dynamic mapping they can go either way as keyword or as text.

I'm happy to be corrected wrong if this has somehow been fixed in 8.17.x etc, I just strongly doubt it's the case.

[colin-stubbs]

Ah I think I see what you're getting at... most were not yet mapped in the pipelines, so explicit definition really not needed (yet). I'll improve the mapping and clean this up.

[kcreddy]

What @efd6 means by this is you don't need this file as long as your ECS fields adhere to standard. If you need to override a ECS field mapping, for example, you want to map event.code as an integer instead of standard keyword, then you only need to add those fields in this file.

Context: Starting from 8.13, we have standard ecs@mappings component template which automatically takes care of mapping all standard ECS fields, without needing to manually define in ecs.yml. Example PR: #10135 removes ecs.yml as we don't need them from 8.13.

From your fields list, it seems all of them are defined as - external: ecs and hence they are standard ECS mappings. You don't probably need this file.

[elasticmachine]

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

[botelastic]

Hi! We just realized that we haven't looked into this PR in a while. We're sorry! We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1. Thank you for your contribution!

[colin-stubbs]

@efd6 @andrewkroh how do we get this moving now?

[kcreddy]

/test

[kcreddy]

Re-reviewed @efd6 review comments.
Unnecessary ECS field mappings is the one that stands out: #11742 (comment).

[kcreddy]

What @efd6 means by this is you don't need this file as long as your ECS fields adhere to standard. If you need to override a ECS field mapping, for example, you want to map event.code as an integer instead of standard keyword, then you only need to add those fields in this file.

Context: Starting from 8.13, we have standard ecs@mappings component template which automatically takes care of mapping all standard ECS fields, without needing to manually define in ecs.yml. Example PR: #10135 removes ecs.yml as we don't need them from 8.13.

From your fields list, it seems all of them are defined as - external: ecs and hence they are standard ECS mappings. You don't probably need this file.

[kcreddy]

@colin-stubbs,

The CI has following error as pipeline tests are failing:

pipeline test: test-bbot-v2-ndjson.log in bbot.asm_intel
test case failed: Expected results are different from actual ones: --- want
+++ got
@@ -4591,6 +4591,7 @@
             ],
             "url": {
                 "domain": "example.com",
+                "extension": "well-known/openid-configuration",
                 "full": [
                     "https://login.windows.net/example.com/.well-known/openid-configuration"
                 ],

You can follow this PR: #9623 to add below block to pipeline test config to prevent error in url.extension:

dynamic_fields:
  # This can be removed after ES 8.14 is the minimum version.
  # Relates: https://github.com/elastic/elasticsearch/pull/105689
  url.extension: '^.*$'

[colin-stubbs]

@kcreddy thank you!

I've gotten up to speed with some of these changes to the index templating and ingest pipeline processes that are attempting to ensure ECS conformance.

Who would be best to suggest add some content to https://www.elastic.co/guide/en/integrations-developer/current/index.html with a visualisation similar to the below?

Obviously a better one than my mud map, and ideally created by someone who really understands how this all hangs together a little better.

I think this would help explain, more completely and visually, what the current state of things is to anyone developing integrations.

[kcreddy]

/test

[kcreddy]

Who would be best to suggest add some content to https://www.elastic.co/guide/en/integrations-developer/current/index.html with a visualisation similar to the below?

@colin-stubbs, the current documentation resides in here: https://github.com/elastic/observability-docs/tree/main/docs/en/integrations
You can follow the contributing guide to get started.

cc: @bmorelli25 who recently updated the doc: elastic/observability-docs#3875

[elastic-vault-github-plugin-prod]

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: 28d3e3c1c28a6308a5e3c9dd12b476747cbcd163

History

• 💔 Build #20905 failed fddfaa8685bbe2fd426b37edf611f69ba4bd9a4d

[elastic-sonarqube]

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
94.1% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

[kcreddy]

LGTM 👍🏼

[elastic-vault-github-plugin-prod]

Package bbot - 1.2.0 containing this change is available at https://epr.elastic.co/package/bbot/1.2.0/

[CarsonHrusovsky]

woohoo! @colin-stubbs we've been following your PR - excited to try this out!

[TheTechromancer]

Congrats!!