Conversation

@JDKurma

@JDKurma JDKurma commented Oct 9, 2025

Proposed commit message

The following packages are categorized as security despite not being semantically related to security nor having security-related datastreams:

[
  "miniflux",
  "mongodb",
  "mysql"
]

Datastreams:

[
  {
    "package": "miniflux",
    "datastream": "miniflux.feed_entry"
  },
  {
    "package": "mongodb",
    "datastream": "mongodb.collstats"
  },
  {
    "package": "mongodb",
    "datastream": "mongodb.dbstats"
  },
  {
    "package": "mongodb",
    "datastream": "mongodb.log"
  },
  {
    "package": "mongodb",
    "datastream": "mongodb.metrics"
  },
  {
    "package": "mongodb",
    "datastream": "mongodb.replstatus"
  },
  {
    "package": "mongodb",
    "datastream": "mongodb.status"
  },
  {
    "package": "mysql",
    "datastream": "mysql.error"
  },
  {
    "package": "mysql",
    "datastream": "mysql.galera_status"
  },
  {
    "package": "mysql",
    "datastream": "mysql.performance"
  },
  {
    "package": "mysql",
    "datastream": "mysql.replica_status"
  },
  {
    "package": "mysql",
    "datastream": "mysql.slowlog"
  },
  {
    "package": "mysql",
    "datastream": "mysql.status"
  }
]

I've removed the security tag for the above-mentioned packages to accurately categorize them.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

  • [ ]

How to test this PR locally

Related issues

Screenshots

@JDKurma JDKurma self-assigned this Oct 9, 2025
@JDKurma JDKurma added the bugfix Pull request that fixes a bug issue label Oct 9, 2025
@JDKurma JDKurma requested a review from trisch-me October 9, 2025 05:49
@JDKurma JDKurma marked this pull request as ready for review October 9, 2025 15:40
@JDKurma JDKurma requested review from a team as code owners October 9, 2025 15:40
@andrewkroh andrewkroh added Team:Obs-InfraObs Observability Infrastructure Monitoring team [elastic/obs-infraobs-integrations] Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] labels Oct 9, 2025
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

Comment on lines -12 to -13
# Added security category as Miniflux integration is assigned to security team
- security

@clement-fouque Do you recall why this was added as a security integration?


I think we had a discussion but I don't remember why we added it. We can remove it.


It is owned by security team, has it no security use case?

- aws
- cloud
- observability
- security

@Mikaayenson What's your view on whether the bedrock integration is a security product?


We do have prebuilt security detection rules that leverage this integration.

This is the same case for azure_openai.

Note: We have some PRs in the works to further codify security-related genai fields. See:

Author

Reverted the changes for those!

@elastic-vault-github-plugin-prod

elastic-vault-github-plugin-prod bot commented Oct 10, 2025

🚀 Benchmarks report

Package miniflux 👍(0) 💚(0) 💔(1)

Data stream Previous EPS New EPS Diff (%) Result
feed_entry 2020.2 1557.63 -462.57 (-22.9%) 💔

Package mongodb 👍(0) 💚(0) 💔(1)

Data stream Previous EPS New EPS Diff (%) Result
log 26315.79 22222.22 -4093.57 (-15.56%) 💔

Package mysql 👍(1) 💚(0) 💔(2)

Data stream Previous EPS New EPS Diff (%) Result
error 27027.03 15625 -11402.03 (-42.19%) 💔
slowlog 21739.13 17543.86 -4195.27 (-19.3%) 💔

To see the full report comment with /test benchmark fullreport

@muthu-mps
Contributor

  • azure_app_service logs include the AppServiceIPSecAuditLogs, AppServiceAuditLogs and AppServiceHTTPLogs categories. This integration can be tagged with the security category.
  • Azure AI Foundry is an enhanced version of Azure OpenAI that currently enables monitoring of both third-party models and Azure OpenAI models. @Mikaayenson - Do you think the threat detection rule implementation can be done for AI Foundry similar to Azure OpenAI? If yes, then this integration can get tagged with the security category similar to Azure OpenAI.

@Mikaayenson
Contributor

  • azure_app_service logs include the AppServiceIPSecAuditLogs, AppServiceAuditLogs and AppServiceHTTPLogs categories. This integration can be tagged with the security category.
  • Azure AI Foundry is an enhanced version of Azure OpenAI that currently enables monitoring of both third-party models and Azure OpenAI models. @Mikaayenson - Do you think the threat detection rule implementation can be done for AI Foundry similar to Azure OpenAI? If yes, then this integration can get tagged with the security category similar to Azure OpenAI.

Yes, we just do not yet have any prebuilt rules for this integration. And if we ever get a gemini integration that would too.

@JDKurma JDKurma removed the Integration:azure_app_service Azure App Service label Oct 14, 2025
@JDKurma JDKurma removed the Integration:azure_ai_foundry Azure AI Foundry label Oct 14, 2025
@JDKurma
Author

JDKurma commented Oct 14, 2025

@muthu-mps removed both!

@andrewkroh andrewkroh added the Integration:azure_app_service Azure App Service label Oct 14, 2025
@JDKurma JDKurma removed the Integration:azure_app_service Azure App Service label Oct 14, 2025

@trisch-me trisch-me left a comment


lgtm apart from 1 change

@trisch-me trisch-me enabled auto-merge (squash) October 16, 2025 13:25
@trisch-me trisch-me disabled auto-merge October 16, 2025 13:29

# Added database_security category as it collects database logs and metrics including collection statistics, database statistics, and replication status
- database_security
# Added global security category as this integration collects security-relevant data
- security
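Review bot: the `# Added database_security category` comment on this region justifies the category with collection statistics, database statistics and replication status, which are the metrics datastreams (mongodb.collstats, mongodb.dbstats, mongodb.replstatus) that the PR description lists as not security related, so the comment and the description contradict each other. If `database_security` and `security` are to stay for mongodb, the comment should name the datastream that carries a security use (mongodb.log is the only log stream in the description's list) rather than metrics; if the description's reasoning stands, both category lines should be removed instead of being kept with a generic `collects security-relevant data` justification.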

Looks fine

# Added database_security category as it collects error logs, slow query logs, and replication status metrics that are relevant for database security monitoring
- database_security
# Added global security category as this integration collects security-relevant data
- security
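Review bot: the justification here cites error logs, slow query logs and replication status (mysql.error, mysql.slowlog, mysql.replica_status), yet the PR description argues the same datastreams are not security related; the two cannot both be right. The second comment, `# Added global security category as this integration collects security-relevant data`, only restates the category and should either point to the concrete security-relevant field or datastream or be dropped together with the `- security` line, consistent with whatever is decided for the first comment.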

Looks fine

@daniela-elastic

CC @jamiehynds There was a whole re-categorization effort done recently to more effectively label the various use cases for each integration (see PR). As a result, additional solution categories were added to some integrations.

The bigger picture:
A decision of how we label an integration (o11y or security) is how customers ultimately use it. Today there are integrations that are effectively used for both but are mislabeled as only catering to one use case. For example, recently speaking with the field team revealed that the Netflow integration is being used by customers and sold as a through-and-through observability integration; however, it is not labeled as such (see manifest file).

Next steps:
@jamiehynds it would be worth it for sec and o11y to align on the usefulness and intended purpose of the solution category. This can help drive more clarity and easier decision making on the correct labelling.

@JDKurma
Author

JDKurma commented Oct 20, 2025

@lalit-satapathy miniflux doesn't have any detection rules for it and just has 1 datastream for an RSS feed entry.

cisco_meraki_metrics appears to be o11y only and has no detection rules for it; however, I'll revert it just to be safe per @trisch-me's recommendation.

@JDKurma JDKurma removed the Integration:cisco_meraki_metrics Cisco Meraki Metrics label Oct 20, 2025
@daniela-elastic

If miniflux is not a security integration and it never was considered an observability integration then what type of integration is it?

@trisch-me
Contributor

trisch-me commented Oct 21, 2025

If miniflux is not a security integration and it never was considered an observability integration then what type of integration is it?

@norrietaylor or @jamiehynds any help with this integration? I have also checked telemetry and we had no trace of this integration being used by customers for the last year or so.

@elasticmachine

💚 Build Succeeded

History

cc @JDKurma

@jamiehynds

it would be worth it for sec and o11y to align on the usefulness and intended purpose of the solution category. This can help drive more clarity and easier decision making on the correct labelling.

I personally find the security (or observability) categories useful - they improve discoverability and help users quickly hone in on integrations relevant to their use case, or start broad and drill down (e.g., Security → Endpoint Security). They also allow our field teams to showcase our set of security or o11y quickly and easily. So far, there hasn’t been formal guidance or guardrails on which label should apply to which integrations. There are likely some gaps, but overall the current labels seem in reasonable shape. If certain integrations naturally span both domains (e.g., NetFlow), I don’t think dual categorization is a problem.

@jamiehynds

If miniflux is not a security integration and it never was considered an observability integration then what type of integration is it?

@norrietaylor or @jamiehynds any help with this integration? I have also checked telemetry and we had no trace of this integration being used by customers for the last year or so.

I'm not overly familiar with the integration, but it's owned by the security team and was developed by @clement-fouque, who can probably clarify the intent behind it :)


Labels

bugfix Pull request that fixes a bug issue Integration:miniflux Miniflux RSS reader Integration:mongodb MongoDB Integration:mysql MySQL Team:Obs-InfraObs Observability Infrastructure Monitoring team [elastic/obs-infraobs-integrations] Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations]
