Conversation

@codypierce

Proposed commit message

Changes made

  • Initial package boilerplate
  • Readme updated to spec
  • Changelog updated to spec
  • Event data stream for CEL processing from Neon events API
  • Field definitions for events
  • Pipeline processor definitions
  • Sample log included for supported events
  • Detections data stream for CEL processing from Neon detections API
  • Field definitions for detections
  • Sample log included for supported detections
  • Pipeline, policy, and system tests for new data streams

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

  • [ ]

How to test this PR locally

  1. Run pipeline and system tests

Related issues

  • N/A

Screenshots

@codypierce codypierce requested a review from a team as a code owner October 22, 2025 18:09
@cla-checker-service

cla-checker-service bot commented Oct 22, 2025

💚 CLA has been signed

@andrewkroh andrewkroh added documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. New Integration Issue or pull request for creating a new integration package. labels Oct 22, 2025
@narph narph added the Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] label Oct 27, 2025
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

Contributor

We don't need to add this file; it will be automatically generated.

@@ -0,0 +1,45 @@
{{- generatedHeader }}
Contributor

What is this for?

Author

It was in the template and adds the auto generation "Do not edit" in the rendered README.md

@@ -0,0 +1,6 @@
# newer versions go on top
- version: "1.0.0"
Contributor

Happy with GA from the outset?

Author

I'll be more conservative with 0.1.0

Comment on lines 4 to 6
- drop:
description: Ignore retry placeholder message.
if: ctx.message == "retry"
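Review bot: the `drop` processor on lines 4 to 6 silently discards every document whose `message` is exactly `retry`, and it has no `tag`, so if it ever fails nothing in the resulting error message identifies which processor was responsible. If a retry placeholder really has to be filtered, that belongs in the CEL program that emits it rather than in a pipeline drop; if the processor stays, give it a `tag`.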
Contributor

This is not needed.

Author

thanks

if: ctx.message == "retry"
- set:
field: ecs.version
value: 8.11.0
Contributor

Suggested change
value: 8.11.0
value: 8.17.0

Contributor

Processors should have tags to allow failures to be identified in the error message. Also below.

Author

done
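What the tagging request above looks like in practice, as an added example that is not code from this PR or from the Neon Cyber package: a trimmed ingest pipeline in the layout Elastic integrations use, where every processor carries a `tag` and a pipeline-level `on_failure` handler records the failing processor's type, tag and message in `error.message`. The `set`, `json`, `date` and `remove` processors and the `_ingest.on_failure_*` metadata fields are standard Elasticsearch ingest features; the pipeline description and the `neon.event.*` field names are assumptions made for the example.

```yaml
---
# Added example pipeline; the neon.event.* field names are assumed, not the package's own.
description: Pipeline for Neon Cyber event logs (example)
processors:
  # Every processor gets a tag so a failure can be traced back to it.
  - set:
      tag: set_ecs_version
      field: ecs.version
      value: 8.17.0
  - json:
      tag: json_decode_message
      field: message
      target_field: neon.event
      # A non-JSON body makes this processor fail and drops into on_failure below.
  - date:
      tag: date_event_created
      field: neon.event.created_at
      target_field: '@timestamp'
      formats:
        - ISO8601
      # Null-safe access: skip rather than fail when the field is absent.
      if: ctx.neon?.event?.created_at != null
  - remove:
      tag: remove_message
      field: message
      ignore_missing: true
on_failure:
  # Mark the document so a detection or dashboard can find pipeline failures.
  - set:
      field: event.kind
      value: pipeline_error
  # The tag set above is what makes this message point at a specific processor,
  # e.g. "Processor json with tag json_decode_message in pipeline ... failed with message: ..."
  - append:
      field: error.message
      value: >-
        Processor {{{_ingest.on_failure_processor_type}}} with tag
        {{{_ingest.on_failure_processor_tag}}} in pipeline
        {{{_ingest.on_failure_pipeline}}} failed with message:
        {{{_ingest.on_failure_message}}}
```

Without the `tag` values, the same `on_failure` handler would still fire, but `_ingest.on_failure_processor_tag` would be empty and the only clue to which of several `set` or `json` processors failed would be the processor type, which is why the reviewer asks for tags on every processor rather than only on the ones that look risky.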

Comment on lines 44 to 51
- name: url
type: url
title: URL
default: https://api.neoncyber.io/v1
description: Base URL of the Neon Cyber API
multi: false
required: true
show_user: true
Contributor

This is not ever used AFAICS.

Author

Yes. I understand now, removing package URL for data stream resource url.

Comment on lines +52 to +59
- name: api_token
type: password
title: API Token
description: Neon Cyber developer API token
multi: false
required: true
show_user: true
secret: true
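Review bot: the description `Neon Cyber developer API token` on line 55 does not say which endpoints the token authenticates or what permissions it needs, and because the variable is declared once at package level it will apply to every data stream in the package, so the description should state that scope (the API it is used against and the minimum permission required). `type: password` together with `secret: true` is the right combination here, as Fleet then stores the value as a secret instead of in plain text in the agent policy.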
Contributor

Is this shared for all endpoints?

Author

yes

Contributor

@efd6 efd6 left a comment

.github/CODEOWNERS needs to be updated to include this package with the owner matching the owner in the package's manifest.

show_user: false
owner:
github: elastic/security-service-integrations
type: elastic
Contributor

This likely should be either "community" or "partner" depending on the arrangement here.

Author

Changing to partner
