[Change Proposal] Support additional asset types in content packages #803

kpollich opened this issue Sep 19, 2024 · 7 comments · Fixed by #885
kpollich commented Sep 19, 2024

Follow-up for #351

Today, content packages only support dashboards or simple Kibana saved objects that can be directly imported. We should expand this support to allow for all Kibana asset types listed here: https://github.com/elastic/package-spec?tab=readme-ov-file#supported-assets

@kpollich kpollich added discuss Issue needs discussion Team:Ecosystem Label for the Packages Ecosystem team labels Sep 19, 2024
@kpollich
Member Author

@jsoriano Now that content packages are GA, it'd be great to provide a path to get the prebuilt rules package moved over to type: content. I think we need to add security rules as a supported asset type and then things should work pretty much as expected? Not sure if I'm missing any complexity there. I'm going to schedule this for our next sprint to take a look.

@jsoriano
Member

Yes, in principle we can start adding additional assets. For prebuilt rules I think we also needed to improve support for big files and packages in Fleet.

@kpollich kpollich assigned mrodm and unassigned jsoriano Mar 13, 2025
@mrodm
Contributor

mrodm commented Mar 20, 2025

Currently, the Kibana assets that are allowed in content packages are dashboards and SLOs (kibana folder spec definition).

The current list of Kibana assets that are supported in the integration packages is defined here:

  • Dashboards (dashboard folder).
  • Visualizations (visualization folder).
  • Searches (search folder).
  • Maps (map folder).
  • Lens (lens folder).
  • Index Patterns (index_pattern folder).
  • Security Rules (security_rule folder).
  • CSP Rule Templates (csp_rule_template).
  • ML modules (ml_module folder).
  • Tags (tag folder).
  • Osquery Pack Assets (osquery_pack_asset folder).
  • Osquery Saved Queries (osquery_saved_query folder).
  • SLOs (slo folder).

As it is recommended to define visualizations, maps, lens, ... assets inside the same dashboards, probably those kinds of assets could be skipped (related to #316).
Currently, the following Kibana assets cannot be defined via references in dashboards (package-spec validation rule):

  • Lens
  • Maps
  • Searches
  • Visualizations

Looking into the packages defined in the integrations repository, there are some assets that look like they would require transforms or data stream definitions (or at least those packages contain those other resources). Examples found:

Taking that into account, what would be the Kibana assets that we should add support for now in content packages? Maybe start adding just Security Rules (e.g. used in security_detection_engine)? @jsoriano @kpollich

If possible, I think it would be better to add support for new assets in content packages when they are required (on demand).

@mrodm
Contributor

mrodm commented Mar 21, 2025

In PR #885, support is being added to include security_rule assets in content packages.

Is there any other Kibana asset type that should be included (taking into account #803 (comment))?

@mrodm
Contributor

mrodm commented Mar 24, 2025

Looking at the usage of other Kibana asset types, there are two other assets that could probably be added to content packages too: Index Patterns and Tags.

There are some packages using those assets specifically:

  • Index Patterns:

        $ find packages -type d -name index_pattern
        packages/elasticsearch/kibana/index_pattern
        packages/logstash/kibana/index_pattern
        packages/network_traffic/kibana/index_pattern
        packages/cloud_defend/kibana/index_pattern
        packages/cloud_asset_inventory/kibana/index_pattern
        packages/beat/kibana/index_pattern

  • Tags:

        $ find packages -type d -name tag | wc -l
        51

These assets can be referenced from dashboards. They are not part of the assets in the validation rule mentioned above.

Regarding tag assets, there are some packages in the integrations repo that define the tags created by Fleet, but others like ti_eset create their own tags:

@kpollich @jsoriano do you think it would be good to add those two assets to the content packages too? Or should we just add security_rule assets for now?

@mrodm
Contributor

mrodm commented Mar 26, 2025

Talked to @jsoriano offline about this and we decided to just add Security Rule Kibana assets for now.

@mrodm
Contributor

mrodm commented Apr 1, 2025

Closing after #885 was merged.

@mrodm mrodm closed this as completed Apr 1, 2025