airlock_digital: Add server activities datastream (#15106)

The PR includes server activities data stream and associated dashboard.

Airlock Digital server activities fields are mapped to their
corresponding ECS fields where possible.

Test samples were derived from documentation, which were subsequently
sanitized.

Author: sharadcrest

packages/airlock_digital/_dev/build/docs/README.md

@@ -8,21 +8,22 @@ The Airlock Digital integration for Elastic allows you to collect logs from, [Ai
 
 ### Compatibility
 
-The Airlock Digital integration is compatible with `v6.1.x` and `v1` version of Airlock Digital REST API.
+The Airlock Digital integration is compatible with version `v6.1.x` of Airlock Digital and `v1` of the REST API.
 
 ### How it works
 
-This integration periodically queries the Airlock Digital REST API to retrieve Agent and Execution Histories logs.
+This integration periodically queries the Airlock Digital REST API to retrieve Agent, Execution Histories and Server Activities logs.
 
 ## What data does this integration collect?
 
 This integration collects log messages of the following types:
 
 - `Agent`: Collects agent logs via [Airlock Digital REST API](https://api.airlockdigital.com/#35ef50c6-1df4-4330-a433-1915ccf380cf).
 - `Execution Histories`: Collects executions history logs via [Airlock Digital REST API](https://api.airlockdigital.com/#3634a82d-eb6b-44b7-b662-dddc37d4d9d6).
+- `Server Activities`: Collects server activity logs via [Airlock Digital REST API](https://api.airlockdigital.com/#290b4657-17d4-4048-982e-43df95200624).
 
 ### Supported use cases
-Integrating Airlock Digital agent and execution history logs with Elastic SIEM provides SOC teams with deep visibility into endpoint activity and policy enforcement. Dashboards surface insights into agent health, host and user patterns, OS distribution, group and policy metrics, storage availability, trusted configurations, and execution behaviors such as blocked or untrusted runs and policy violations. This enables faster investigations, stronger compliance, proactive resource management, and improved overall endpoint security.
+Integrating Airlock Digital agent, execution history, and server activity logs with Elastic SIEM delivers comprehensive visibility into endpoint and system operations. Dashboards highlight agent health, user and host activity, OS distribution, policy enforcement, storage status, trusted configurations, and execution behaviors such as blocked or untrusted runs and policy violations. At the same time, monitoring server-side activities across tasks, users, and root actions enables quick identification of unauthorized changes, policy misuse, and suspicious behavior. Together, these insights empower SOC teams to accelerate investigations, strengthen compliance, optimize resource management, and maintain stronger endpoint and system security.
 
 ## What do I need to use this integration?
 
@@ -32,7 +33,7 @@ Integrating Airlock Digital agent and execution history logs with Elastic SIEM p
 
 1. In order to make the API calls, the User Group to which a user belongs should contain required permissions. You can follow the below steps for that:
 2. Go to the **Settings** and navigate to **Users** tab.
-3. Under **User Group Management** for the respective user group provide **agent/find**, **group/policies** and **logging/exechistories** roles in the REST API Roles section and click on save.
+3. Under **User Group Management** for the respective user group provide **agent/find**, **group/policies**, **logging/exechistories** and **logging/svractivities** roles in the REST API Roles section and click on save.
 
 #### Generate Client API key for Authentication:
 
@@ -97,6 +98,10 @@ For more information on architectures that can be used for scaling this integrat
 
 {{fields "execution_histories"}}
 
+#### Server Activities
+
+{{fields "server_activities"}}
+
 ### Example event
 
 #### Agent
@@ -107,6 +112,10 @@ For more information on architectures that can be used for scaling this integrat
 
 {{event "execution_histories"}}
 
+#### Server Activities
+
+{{event "server_activities"}}
+
 ### Inputs used
 
 These inputs can be used in this integration:
@@ -138,3 +147,4 @@ These integration datasets use the following APIs:
     - Blocklist Browser Execution
     - Trusted Installer Execution
     - Trusted Browser Metadata Execution
+- `Server Activities`: [Airlock Digital REST API](https://api.airlockdigital.com/#290b4657-17d4-4048-982e-43df95200624).

packages/airlock_digital/_dev/deploy/docker/files/config.yml

@@ -1,6 +1,6 @@
 rules:
   #  We’re unable to test the pagination functionality with the current rule
-  #  since a fixed batch size of 10,000 is being used in data-collection.
+  #  since a fixed batch size of 10,000 is being used in data collection.
   - path: /v1/agent/find
     methods: ['POST']
     responses:
@@ -541,3 +541,44 @@ rules:
               }
             }
           ` }}
+  - path: /v1/logging/svractivities
+    methods: ['POST']
+    request_body: '{}'
+    responses:
+      - status_code: 200
+        headers:
+          Content-Type:
+            - application/json
+          X-ApiKey:
+            - my-secret-api-key
+        body: |
+          {{ minify_json `
+          {
+            "error": "Success",
+            "response": {
+              "svractivities": [
+                {
+                  "checkpoint": "firstcheckpoint",
+                  "datetime": "2024-01-25T05:23:31.77Z",
+                  "task": "Repository Add",
+                  "user": "SYSTEM",
+                  "description": "a.out added to repository"
+                },
+                {
+                  "checkpoint": "secondcheckpoint",
+                  "datetime": "2024-01-25T05:23:31.88Z",
+                  "task": "Repository Add",
+                  "user": "SYSTEM",
+                  "description": "file.exe added to repository"
+                },
+                {
+                  "checkpoint": "thirdcheckpoint",
+                  "datetime": "2024-01-25T05:23:30.88Z",
+                  "task": "Client Checkin",
+                  "user": "SYSTEM",
+                  "description": "DESKTOP-GG4CEJM checks in"
+                }
+              ]
+            }
+          }
+          ` }}

packages/airlock_digital/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: '0.3.0'
+  changes:
+    - description: Add server activities data stream.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/15106
 - version: '0.2.0'
   changes:
     - description: Add execution histories data stream.

packages/airlock_digital/data_stream/server_activities/_dev/test/pipeline/test-common-config.yml

@@ -0,0 +1,3 @@
+fields:
+  tags:
+    - preserve_duplicate_custom_fields

packages/airlock_digital/data_stream/server_activities/_dev/test/pipeline/test-server-activities.log

@@ -0,0 +1,2 @@
+{"checkpoint":"65b1f05387bacb6955a32a3c","datetime":"2024-01-25T05:23:31.77Z","task":"Repository Add","user":"SYSTEM","description":"a.out added to repository"}
+{"checkpoint":"65b1f05387bacb6955a32a40","datetime":"2024-01-25T05:23:31.88Z","task":"Repository Add","user":"SYSTEM","description":"file.exe added to repository"}

packages/airlock_digital/data_stream/server_activities/_dev/test/pipeline/test-server-activities.log-expected.json

@@ -0,0 +1,82 @@
+{
+    "expected": [
+        {
+            "@timestamp": "2024-01-25T05:23:31.770Z",
+            "airlock_digital": {
+                "server_activities": {
+                    "checkpoint": "65b1f05387bacb6955a32a3c",
+                    "datetime": "2024-01-25T05:23:31.770Z",
+                    "description": "a.out added to repository",
+                    "task": "Repository Add",
+                    "user": "SYSTEM"
+                }
+            },
+            "ecs": {
+                "version": "8.17.0"
+            },
+            "event": {
+                "action": "repository-add",
+                "category": [
+                    "host"
+                ],
+                "id": "65b1f05387bacb6955a32a3c",
+                "kind": "event",
+                "original": "{\"checkpoint\":\"65b1f05387bacb6955a32a3c\",\"datetime\":\"2024-01-25T05:23:31.77Z\",\"task\":\"Repository Add\",\"user\":\"SYSTEM\",\"description\":\"a.out added to repository\"}",
+                "type": [
+                    "info"
+                ]
+            },
+            "message": "a.out added to repository",
+            "related": {
+                "user": [
+                    "SYSTEM"
+                ]
+            },
+            "tags": [
+                "preserve_duplicate_custom_fields"
+            ],
+            "user": {
+                "name": "SYSTEM"
+            }
+        },
+        {
+            "@timestamp": "2024-01-25T05:23:31.880Z",
+            "airlock_digital": {
+                "server_activities": {
+                    "checkpoint": "65b1f05387bacb6955a32a40",
+                    "datetime": "2024-01-25T05:23:31.880Z",
+                    "description": "file.exe added to repository",
+                    "task": "Repository Add",
+                    "user": "SYSTEM"
+                }
+            },
+            "ecs": {
+                "version": "8.17.0"
+            },
+            "event": {
+                "action": "repository-add",
+                "category": [
+                    "host"
+                ],
+                "id": "65b1f05387bacb6955a32a40",
+                "kind": "event",
+                "original": "{\"checkpoint\":\"65b1f05387bacb6955a32a40\",\"datetime\":\"2024-01-25T05:23:31.88Z\",\"task\":\"Repository Add\",\"user\":\"SYSTEM\",\"description\":\"file.exe added to repository\"}",
+                "type": [
+                    "info"
+                ]
+            },
+            "message": "file.exe added to repository",
+            "related": {
+                "user": [
+                    "SYSTEM"
+                ]
+            },
+            "tags": [
+                "preserve_duplicate_custom_fields"
+            ],
+            "user": {
+                "name": "SYSTEM"
+            }
+        }
+    ]
+}

packages/airlock_digital/data_stream/server_activities/_dev/test/system/test-common-config.yml

@@ -0,0 +1,11 @@
+input: cel
+service: airlock_digital
+vars:
+  url: http://{{Hostname}}:{{Port}}
+  api_key: my-secret-api-key
+data_stream:
+  vars:
+    preserve_original_event: true
+    preserve_duplicate_custom_fields: true
+assert:
+  hit_count: 3

packages/airlock_digital/data_stream/server_activities/agent/stream/cel.yml.hbs

@@ -0,0 +1,95 @@
+config_version: 2
+interval: {{interval}}
+resource.tracer:
+  enabled: {{enable_request_tracer}}
+  filename: "../../logs/cel/http-request-trace-*.ndjson"
+  maxbackups: 5
+{{#if proxy_url}}
+resource.proxy_url: {{proxy_url}}
+{{/if}}
+{{#if ssl}}
+resource.ssl: {{ssl}}
+{{/if}}
+{{#if http_client_timeout}}
+resource.timeout: {{http_client_timeout}}
+{{/if}}
+resource.url: {{url}}
+
+state:
+  api_key: {{api_key}}
+{{!--
+  The API does not support specifying a batch_size parameter; however, the documentation states
+  that a maximum of 10,000 events can be returned in a single response.
+  Reference Link: https://api.airlockdigital.com/#8643f2cc-4930-44d5-a7cb-21395b33ab62
+--}}
+  max_batch_size: 10000
+redact:
+  fields:
+    - api_key
+program: |
+  state.with(
+    post_request(
+      state.url.trim_right("/") + "/v1/logging/svractivities",
+      "application/json",
+      {
+        ?"checkpoint": state.?cursor.checkpoint,
+      }.encode_json()
+    ).with(
+      {
+        "Header": {
+          "Content-Type": ["application/json"],
+          "X-ApiKey": [state.api_key],
+        },
+      }
+    ).do_request().as(resp, (resp.StatusCode == 200) ?
+      resp.Body.decode_json().as(body,
+        {
+          "events": body.response.svractivities.map(e,
+            {
+              "message": e.encode_json(),
+            }
+          ),
+          "want_more": size(body.response.svractivities) >= state.max_batch_size,
+          "cursor": {
+            ?"checkpoint": (has(body.?response.svractivities) && size(body.response.svractivities) > 0) ?
+              optional.of(body.response.svractivities[size(body.response.svractivities) - 1].checkpoint)
+            :
+              state.?cursor.checkpoint,
+          },
+        }
+      )
+    :
+      {
+        "events": {
+          "error": {
+            "code": string(resp.StatusCode),
+            "id": string(resp.Status),
+            "message": "POST " + state.url.trim_right("/") + "/v1/logging/svractivities " + (
+              (size(resp.Body) != 0) ?
+                string(resp.Body)
+              :
+                string(resp.Status) + " (" + string(resp.StatusCode) + ")"
+            ),
+          },
+        },
+        "want_more": false,
+      }
+    )
+  )
+tags:
+{{#if preserve_original_event}}
+  - preserve_original_event
+{{/if}}
+{{#if preserve_duplicate_custom_fields}}
+  - preserve_duplicate_custom_fields
+{{/if}}
+{{#each tags as |tag|}}
+  - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}