Merge branch 'main' into fix-527

Author: alaudazzi

.github/CODEOWNERS

@@ -295,6 +295,7 @@
 /packages/juniper_srx @elastic/integration-experience
 /packages/kafka @elastic/obs-infraobs-integrations
 /packages/kafka_log @elastic/obs-infraobs-integrations
+/packages/keeper_security_siem_integration @elastic/security-service-integrations
 /packages/keycloak @elastic/security-service-integrations
 /packages/kibana @elastic/stack-monitoring
 /packages/kubernetes @elastic/obs-ds-hosted-services

packages/airlock_digital/_dev/build/docs/README.md

@@ -12,16 +12,17 @@ The Airlock Digital integration is compatible with `v6.1.x` and `v1` version of
 
 ### How it works
 
-This integration periodically queries the Airlock Digital REST API to retrieve Agent logs.
+This integration periodically queries the Airlock Digital REST API to retrieve Agent and Execution Histories logs.
 
 ## What data does this integration collect?
 
 This integration collects log messages of the following types:
 
 - `Agent`: Collects agent logs via [Airlock Digital REST API](https://api.airlockdigital.com/#35ef50c6-1df4-4330-a433-1915ccf380cf).
+- `Execution Histories`: Collects executions history logs via [Airlock Digital REST API](https://api.airlockdigital.com/#3634a82d-eb6b-44b7-b662-dddc37d4d9d6).
 
 ### Supported use cases
-Integrating Airlock Digital agent logs with Elastic SIEM provides SOC teams with comprehensive visibility into endpoint policy enforcement and system activity. Dashboards highlight agent health, host and user patterns, OS distribution, group and policy metrics, storage availability, and trusted configurations, empowering efficient monitoring, proactive resource management, and improved operational readiness.
+Integrating Airlock Digital agent and execution history logs with Elastic SIEM provides SOC teams with deep visibility into endpoint activity and policy enforcement. Dashboards surface insights into agent health, host and user patterns, OS distribution, group and policy metrics, storage availability, trusted configurations, and execution behaviors such as blocked or untrusted runs and policy violations. This enables faster investigations, stronger compliance, proactive resource management, and improved overall endpoint security.
 
 ## What do I need to use this integration?
 
@@ -31,7 +32,7 @@ Integrating Airlock Digital agent logs with Elastic SIEM provides SOC teams with
 
 1. In order to make the API calls, the User Group to which a user belongs should contain required permissions. You can follow the below steps for that:
 2. Go to the **Settings** and navigate to **Users** tab.
-3. Under **User Group Management** for the respective user group provide **agent/find** and **group/policies** roles in the REST API Roles section and click on save.
+3. Under **User Group Management** for the respective user group provide **agent/find**, **group/policies** and **logging/exechistories** roles in the REST API Roles section and click on save.
 
 #### Generate Client API key for Authentication:
 
@@ -92,12 +93,20 @@ For more information on architectures that can be used for scaling this integrat
 
 {{fields "agent"}}
 
+#### Execution Histories
+
+{{fields "execution_histories"}}
+
 ### Example event
 
 #### Agent
 
 {{event "agent"}}
 
+#### Execution Histories
+
+{{event "execution_histories"}}
+
 ### Inputs used
 
 These inputs can be used in this integration:
@@ -106,6 +115,26 @@ These inputs can be used in this integration:
 
 ### API usage
 
-These integration datasets use the following API:
+These integration datasets use the following APIs:
 
 - `Agent`: [Airlock Digital REST API](https://api.airlockdigital.com/#35ef50c6-1df4-4330-a433-1915ccf380cf).
+- `Execution Histories`: [Airlock Digital REST API](https://api.airlockdigital.com/#3634a82d-eb6b-44b7-b662-dddc37d4d9d6). Supported execution types are:
+ - Trusted Execution
+ - Blocked Execution
+ - Untrusted Execution [Audit]
+ - Untrusted Execution [OTP]
+ - Trusted Path Execution
+ - Trusted Publisher Execution
+ - Blocklist Execution
+ - Blocklist Execution [Audit]
+ - Trusted Process Execution
+ - Constrained Execution
+ - Trusted Metadata Execution
+ - Trusted Browser Execution
+ - Blocked Browser Execution
+ - Untrusted Browser Execution [Audit]
+ - Untrusted Browser Execution [OTP]
+ - Blocklist Browser Execution [Audit]
+ - Blocklist Browser Execution
+ - Trusted Installer Execution
+ - Trusted Browser Metadata Execution

packages/airlock_digital/_dev/deploy/docker/files/config.yml

@@ -321,3 +321,223 @@ rules:
  }
  }
  ` }}
+ - path: /v1/logging/exechistories
+ methods: ['POST']
+ request_body: '{"type":[1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18]}'
+ responses:
+ - status_code: 200
+ headers:
+ Content-Type:
+ - application/json
+ X-ApiKey:
+ - my-secret-api-key
+ body: |
+ {{ minify_json `
+ {
+ "error": "Success",
+ "response": {
+ "exechistories": [
+ {
+ "checkpoint": "firstcheckpoint",
+ "type": 1,
+ "username": "root",
+ "hostname": ".local",
+ "netdomain": ".local",
+ "filename": "/tmp/PKInstallSandbox.mqvKk4/preinstall",
+ "ppolicy": "Airlock Groups",
+ "policyname": "Apple Mac",
+ "policyver": "v485",
+ "commandline": "/bin/sh /tmp/PKInstallSandbox.mqvKk4/Scripts/ /Library/Airlock Digital / /",
+ "publisher": "Airlock Digital Pty Ltd (MXRN6N7XFL) (Mac)",
+ "pprocess": "sh",
+ "sha256": "a3f791dec1f2a40bd623a9b37604e7f2dee84eab3f6a513c6882231d89037c40",
+ "datetime": "2024-04-26T14:50:56Z",
+ "md5": "",
+ "sha128": "",
+ "sha384": "",
+ "sha512": ""
+ },
+ {
+ "checkpoint": "secondcheckpoint",
+ "type": 2,
+ "username": "antos",
+ "hostname": ".local",
+ "netdomain": ".local",
+ "filename": "/Users/libswift_Concurrency.dylib",
+ "ppolicy": "Airlock Groups",
+ "policyname": "Apple Mac",
+ "policyver": "v485",
+ "commandline": "",
+ "publisher": "Airlock Digital Pty Ltd (MXRN6N7XFL) (Mac)",
+ "pprocess": "Code Helper (Renderer)",
+ "sha256": "00138fe01658ee525ea0cdce387033dfff880985605affbf59d3843ad8a65e56",
+ "datetime": "2024-04-26T15:04:39Z",
+ "md5": "",
+ "sha128": "",
+ "sha384": "",
+ "sha512": ""
+ },
+ {
+ "checkpoint": "thirdcheckpoint",
+ "type": 3,
+ "username": "devuser",
+ "hostname": ".local",
+ "netdomain": ".local",
+ "filename": "/tmp/PKInstallSandbox.fINk77/Scripts/com.airlock.enforcementagent.core.t6o72s/preinstall",
+ "ppolicy": "Airlock Groups",
+ "policyname": "Apple Mac",
+ "policyver": "v485",
+ "commandline": "/bin/sh /tmp/Library/Airlock Digital / /",
+ "publisher": "Airlock Digital Pty Ltd (MXRN6N7XFL) (Mac)",
+ "pprocess": "sh",
+ "sha256": "a3f791dec1f2a40bd623a9b37604e7f2dee84eab3f6a513c6882231d89037c40",
+ "datetime": "2024-04-26T15:04:45Z",
+ "md5": "",
+ "sha128": "",
+ "sha384": "",
+ "sha512": ""
+ }
+ ]
+ }
+ }
+ ` }}
+ - path: /v1/logging/exechistories
+ methods: ['POST']
+ request_body: '{"type":[1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18],"checkpoint":"thirdcheckpoint"}'
+ responses:
+ - status_code: 200
+ headers:
+ Content-Type:
+ - application/json
+ X-ApiKey:
+ - my-secret-api-key
+ body: |
+ {{ minify_json `
+ {
+ "error": "Success",
+ "response": {
+ "exechistories": [
+ {
+ "checkpoint": "fourthcheckpoint",
+ "type": 4,
+ "username": "tos",
+ "hostname": ".local",
+ "netdomain": ".local",
+ "filename": "/Users/libswift_Concurrency.dylib",
+ "ppolicy": "Airlock Groups",
+ "policyname": "Apple Mac",
+ "policyver": "v485",
+ "commandline": "",
+ "publisher": "Airlock Digital Pty Ltd (MXRN6N7XFL) (Mac)",
+ "pprocess": "Code Helper (Renderer)",
+ "sha256": "00138fe01658ee525ea0cdce387033dfff880985605affbf59d3843ad8a65e56",
+ "datetime": "2024-04-26T15:06:20Z",
+ "md5": "",
+ "sha128": "",
+ "sha384": "",
+ "sha512": ""
+ },
+ {
+ "checkpoint": "fifthcheckpoint",
+ "type": 5,
+ "username": "admin",
+ "hostname": "macbook.local",
+ "netdomain": "corp.local",
+ "filename": "/tmp/PKInstallSandbox.mock0/preinstall",
+ "ppolicy": "Security Policy",
+ "policyname": "Linux Base",
+ "policyver": "v731",
+ "commandline": "/bin/sh /tmp/PKInstallSandbox.mock0/Scripts/ /Library/Airlock Digital / /",
+ "publisher": "Airlock Digital Pty Ltd (MXRN6N7XFL) (Mac)",
+ "pprocess": "sh",
+ "sha256": "f08d03c46e1a4b55b095c918dcd520f719f1de992a73b174b6c0a1859dbaf263",
+ "datetime": "2024-04-26T14:51:56Z",
+ "md5": "",
+ "sha128": "",
+ "sha384": "",
+ "sha512": ""
+ },
+ {
+ "checkpoint": "sixthcheckpoint",
+ "type": 6,
+ "username": "user1",
+ "hostname": "linuxhost.local",
+ "netdomain": ".local",
+ "filename": "/tmp/PKInstallSandbox.mock1/preinstall",
+ "ppolicy": "Airlock Groups",
+ "policyname": "Apple Mac",
+ "policyver": "v234",
+ "commandline": "/bin/sh /tmp/PKInstallSandbox.mock1/Scripts/ /Library/Airlock Digital / /",
+ "publisher": "Airlock Digital Pty Ltd (MXRN6N7XFL) (Mac)",
+ "pprocess": "sh",
+ "sha256": "a7a1985d2c65915b964dc6a6e78eb26c776172764b36c183f0ea69a5a621d246",
+ "datetime": "2024-04-26T14:52:56Z",
+ "md5": "",
+ "sha128": "",
+ "sha384": "",
+ "sha512": ""
+ }
+ ]
+ }
+ }
+ ` }}
+ - path: /v1/logging/exechistories
+ methods: ['POST']
+ request_body: '{"type":[1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18],"checkpoint":"sixthcheckpoint"}'
+ responses:
+ - status_code: 200
+ headers:
+ Content-Type:
+ - application/json
+ X-ApiKey:
+ - my-secret-api-key
+ body: |
+ {{ minify_json `
+ {
+ "error": "Success",
+ "response": {
+ "exechistories": [
+ {
+ "checkpoint": "seventhcheckpoint",
+ "type": 7,
+ "username": "root",
+ "hostname": ".local",
+ "netdomain": "corp.local",
+ "filename": "/tmp/PKInstallSandbox.mock2/preinstall",
+ "ppolicy": "Default Policy",
+ "policyname": "Windows Core",
+ "policyver": "v678",
+ "commandline": "/bin/sh /tmp/PKInstallSandbox.mock2/Scripts/ /Library/Airlock Digital / /",
+ "publisher": "Airlock Digital Pty Ltd (MXRN6N7XFL) (Mac)",
+ "pprocess": "sh",
+ "sha256": "8f561d9c96427bb89986b75aa0e2314d7ee73eb4201de1ab35fc4c79f2e93b95",
+ "datetime": "2024-04-26T14:53:56Z",
+ "md5": "",
+ "sha128": "",
+ "sha384": "",
+ "sha512": ""
+ },
+ {
+ "checkpoint": "eightcheckpoint",
+ "type": 8,
+ "username": "service",
+ "hostname": "macbook.local",
+ "netdomain": ".local",
+ "filename": "/tmp/PKInstallSandbox.mock3/preinstall",
+ "ppolicy": "Security Policy",
+ "policyname": "Linux Base",
+ "policyver": "v532",
+ "commandline": "/bin/sh /tmp/PKInstallSandbox.mock3/Scripts/ /Library/Airlock Digital / /",
+ "publisher": "Airlock Digital Pty Ltd (MXRN6N7XFL) (Mac)",
+ "pprocess": "sh",
+ "sha256": "d135d274e0618e41730280b6b49f6400c55c9abf9e51929a7d67141ea369edfd",
+ "datetime": "2024-04-26T14:54:56Z",
+ "md5": "",
+ "sha128": "",
+ "sha384": "",
+ "sha512": ""
+ }
+ ]
+ }
+ }
+ ` }}

packages/airlock_digital/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: '0.2.0'
+ changes:
+ - description: Add execution histories data stream.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/15079
 - version: '0.1.0'
  changes:
  - description: Initial release.

packages/airlock_digital/data_stream/execution_histories/_dev/test/pipeline/test-common-config.yml

@@ -0,0 +1,3 @@
+fields:
+ tags:
+ - preserve_duplicate_custom_fields

packages/airlock_digital/data_stream/execution_histories/_dev/test/pipeline/test-execution-histories.log

@@ -0,0 +1,2 @@
+{"checkpoint":"662bbf75fe5fd7b1c13d8172","type":5,"username":"root","hostname":".local","netdomain":".local","filename":"/tmp/PKInstallSandbox.mqvKk4/preinstall","ppolicy":"Airlock Groups","policyname":"Apple Mac","policyver":"v485","commandline":"/bin/sh /tmp/PKInstallSandbox.mqvKk4/Scripts/ /Library/Airlock Digital / /","publisher":"Airlock Digital Pty Ltd (MXRN6N7XFL) (Mac)","pprocess":"sh","sha256":"a3f791dec1f2a40bd623a9b37604e7f2dee84eab3f6a513c6882231d89037c40","datetime":"2024-04-26T14:50:56Z","md5":"","sha128":"","sha384":"","sha512":""}
+{"checkpoint":"662bc29144bb7f0003cd2e2e","type":5,"username":"antos","hostname":".local","netdomain":".local","filename":"C:\\Users\\Pranay\\Documents\\report.txt","ppolicy":"Airlock Groups","policyname":"Apple Mac","policyver":"v485","commandline":"","publisher":"Airlock Digital Pty Ltd (MXRN6N7XFL) (Mac)","pprocess":"Code Helper (Renderer)","sha256":"00138fe01658ee525ea0cdce387033dfff880985605affbf59d3843ad8a65e56","datetime":"2024-04-26T15:04:39Z","md5":"","sha128":"","sha384":"","sha512":""}