Skip to content

[sentinel_one] Add Support for Application Risk Data Stream #14910

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 9 commits into from
Sep 19, 2025
Merged

[sentinel_one] Add Support for Application Risk Data Stream #14910

merged 9 commits into from
Sep 19, 2025
+3,523 −18

Conversation

mohitjha-elastic
Copy link
Collaborator

@mohitjha-elastic mohitjha-elastic commented Aug 12, 2025
edited
Loading

Proposed commit message

sentinel_one: Add support for application risk data stream and ilm policy to application data stream.

Added support for ingesting data through the SentinelOne application risk data stream.
This includes necessary configuration updates and input adjustments to enable collection and parsing of
application risk–related events, ensuring accurate ingestion and processing of risk insights
from supported sources.
Also added ilm policy to the application data stream.

Tested on the live samples collected through the SentinelOne API.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

  • Clone integrations repo.
  • Install elastic package locally.
  • Start elastic stack using elastic-package.
  • Move to integrations/packages/sentinel_one directory.
  • Run the following command to run tests.

elastic-package test -v

Related Issue

  • Related to enhancement issue 25330

@mohitjha-elastic mohitjha-elastic self-assigned this Aug 12, 2025
@mohitjha-elastic mohitjha-elastic requested a review from a team as a code owner August 12, 2025 11:41
@mohitjha-elastic mohitjha-elastic added enhancement New feature or request Integration:sentinel_one SentinelOne Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] Team:Sit-Crest Crest developers on the Security Integrations team [elastic/sit-crest-contractors] labels Aug 12, 2025
@elasticmachine
Copy link

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@andrewkroh andrewkroh added dashboard Relates to a Kibana dashboard bug, enhancement, or modification. documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. labels Aug 12, 2025
@elastic-vault-github-plugin-prod
Copy link

elastic-vault-github-plugin-prod bot commented Aug 13, 2025
edited
Loading

🚀 Benchmarks report

Package sentinel_one 👍(14) 💚(0) 💔(0)

Expand to view
Data stream Previous EPS New EPS Diff (%) Result
alert 0 3703.7 3703.7 ( - %) 👍
application 0 9174.31 9174.31 ( - %) 👍
application_risk 0 5586.59 5586.59 ( - %) 👍
group 0 25000 25000 ( - %) 👍
threat 0 2178.65 2178.65 ( - %) 👍
activity 0 5200.21 5200.21 ( - %) 👍
agent 0 3753.75 3753.75 ( - %) 👍
alert 0 3361.34 3361.34 ( - %) 👍
application 0 21321.96 21321.96 ( - %) 👍
application_risk 0 9066.18 9066.18 ( - %) 👍
group 0 34246.58 34246.58 ( - %) 👍
threat 0 1719.39 1719.39 ( - %) 👍
activity 0 5291.01 5291.01 ( - %) 👍
agent 0 4484.3 4484.3 ( - %) 👍

kcreddy
kcreddy reviewed Aug 19, 2025
View reviewed changes
packages/sentinel_one/data_stream/application_risk/elasticsearch/ilm/default_policy.json
@@ -0,0 +1,20 @@
{
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For this ILM policy to work, you would need delete_index privilege on source indices for kibana_system role.

https://github.com/elastic/elasticsearch/blob/main/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java#L438-L439

Copy link
Collaborator Author

@mohitjha-elastic mohitjha-elastic Aug 29, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!
Here is the PR - elastic/elasticsearch#133793

(Added the application_risk under CDR packages list that ships a transform and has ILM policy)

@mohitjha-elastic mohitjha-elastic mentioned this pull request Aug 29, 2025
Merged
@mohitjha-elastic
Resolve review comments.
f47b531 
1. Remove tranform pipeline.
2. Add some ECS mappings in the pipeline.
3. Update event.kind to state from event.
kcreddy
kcreddy reviewed Aug 29, 2025
View reviewed changes
Copy link
Contributor

@kcreddy kcreddy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, but will approve and merge after permissions are merged and backported. #14910 (comment)

@mohitjha-elastic
Copy link
Collaborator Author

LGTM, but will approve and merge after permissions are merged and backported. #14910 (comment)

@kcreddy
ILM Permissions have been updated and PR related to that has been merged.
Can you please merge this if everything looks good now?

kcreddy
kcreddy reviewed Sep 4, 2025
View reviewed changes
Copy link
Contributor

@kcreddy kcreddy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@kcreddy ILM Permissions have been updated and PR related to that has been merged. Can you please merge this if everything looks good now?

You will need to change kibana.version to ^8.18.7 || ^8.19.4 || ^9.0.7 || ^9.1.4 and can merge it only after they are public (not released yet).

kcreddy
kcreddy reviewed Sep 10, 2025
View reviewed changes
Copy link
Contributor

@kcreddy kcreddy left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mohitjha-elastic , can you also add policy tests for this new data stream?
Please check #15029

For the benchmarks, please ensure to add them in this PR or as part of #14741.

There is also future data stream (Threat Events) that should be handled similarly.

cc: @navnit-elastic

@mohitjha-elastic
Copy link
Collaborator Author

@kcreddy
New versions are out and also added the pipeline and rally benchmark as a part of #14741

System benchmark is blocked. Ref here.

kcreddy
kcreddy reviewed Sep 18, 2025
View reviewed changes
Copy link
Contributor

@kcreddy kcreddy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mohitjha-elastic, Can you please fix CI issue of naming benchmark files?

@kcreddy
Copy link
Contributor

kcreddy commented Sep 18, 2025

/test benchmark fullreport

@elasticmachine
Copy link

💚 Build Succeeded

History

cc @mohitjha-elastic

@elastic-sonarqube Elastic SonarQube
Copy link

Quality Gate passed Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
94.7% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

kcreddy
kcreddy approved these changes Sep 18, 2025
View reviewed changes
Copy link
Contributor

@kcreddy kcreddy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@mohitjha-elastic mohitjha-elastic merged commit 60ac006 into elastic:main Sep 19, 2025
9 checks passed
@mohitjha-elastic mohitjha-elastic deleted the sentinel_one-1.38.0 branch September 19, 2025 05:45
@elastic-vault-github-plugin-prod
Copy link

Package sentinel_one - 1.38.0 containing this change is available at https://epr.elastic.co/package/sentinel_one/1.38.0/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@maxcold maxcold maxcold left review comments

@kcreddy kcreddy kcreddy approved these changes

Assignees

@mohitjha-elastic mohitjha-elastic

Labels
dashboard Relates to a Kibana dashboard bug, enhancement, or modification. documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. enhancement New feature or request Integration:sentinel_one SentinelOne Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] Team:Sit-Crest Crest developers on the Security Integrations team [elastic/sit-crest-contractors]
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@mohitjha-elastic @elasticmachine @kcreddy @maxcold @andrewkroh