[WithSecure] Added the WithSecure Elements integration for collecting security incident and events

[fspms]

README.md

• Complete setup instructions
• Configuration parameters
• Data collection details
• ECS field mapping reference

Changelog

• Version 1.0.0 with initial features
• OAuth2 authentication support
• ECS field mapping implementation

Configuration

Required Parameters

• url: WithSecure Elements API URL
• client_id: OAuth2 Client ID
• client_secret: OAuth2 Client Secret
• organization_id: Organization identifier

Optional Parameters

• interval: Collection frequency (default: 5m)
• preserve_original_event: Keep raw event data
• preserve_duplicate_custom_fields: Keep WithSecure fields

Use Cases

Security Operations

• Threat Detection: Monitor BCDs and security events
• Incident Response: Analyze incident details and detections
• Compliance: Track security actions and events

Analytics & Dashboards

• Security Metrics: Risk scores, severity distributions
• Trend Analysis: Security event patterns over time
• Device Monitoring: Endpoint security status

Deployment

Prerequisites

• WithSecure Elements API access
• OAuth2 credentials
• Organization ID
• Elastic Agent 8.18.0+ or 9.0.0+

Installation

1. Add integration to Elastic Agent
2. Configure OAuth2 credentials
3. Set organization ID
4. Enable desired data streams
5. Deploy and monitor

Checklist

• Code Quality: Linting passed, no errors
• Documentation: Complete README and changelog
• Testing: All pipelines tested with sample data
• ECS Compliance: Full field mapping implementation
• Security: OAuth2 authentication implemented
• Performance: Optimized for production use

Review Notes

Key Files to Review

• manifest.yml - Main integration configuration
• data_stream/*/agent/stream/httpjson.yml.hbs - API templates
• data_stream/*/elasticsearch/ingest_pipeline/default.yml - Data processing
• data_stream/*/fields/*.yml - Field definitions

Testing

• All test files are in _dev/test/pipeline/
• Sample data reflects real WithSecure API responses
• Expected outputs validate ECS mapping

Screenshots

Ready for Production

This integration is production-ready and follows all Elastic integration standards. It provides comprehensive WithSecure Elements data collection with full ECS compliance and robust error handling.

Perfect for security teams looking to integrate WithSecure Elements data into their Elastic SIEM!

[cla-checker-service]

💚 CLA has been signed

[fspms]

I have signed the Contributor Agreement as requested.
Please let me know if any additional steps are required to proceed with the review process.

[fspms]

Hi @andrewkroh, could you please take a look on this integration ?
Thank you

[elasticmachine]

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

[efd6]

This is not a valid configuration. The documentation for this file is here.

[fspms]

I've fixed the test configuration in commit 9429cc3.

Changes made:

• Simplified test-common-config.yml to minimal valid configuration
• Converted all test input files to proper array format with events structure
• Added corresponding -expected.json files with expected array structure
• All test files now comply with elastic-package validation requirements

[efd6]

Suggest making this an array of events as described here.

[efd6]

Suggest using the CEL input instead of HTTP JSON.

[fspms]

Thank you for the suggestion

You're absolutely right that CEL is the better choice for new integrations. I initially went with httpjson because I was more familiar with it, but I understand that CEL is now the recommended approach and offers several advantages

I suggest doing the initial integration with httpjson and planning a migration to CEL in a future version. It is a significant amount of work.
Would that work for you?

Could you point me to good reference integrations that use CEL with OAuth2 and pagination that I could learn from?

[efd6]

The ingest pipeline will need improved error handling. Please take a look at some examples of ingest pipelines elsewhere in the repository. This document is also worth reading.

[fspms]

I've significantly improved the ingest pipelines in commit 94b30b7.

Enhancements made for all data streams (incidents, security_events, incident_detections):

1. JSON Decoding:

   • Decode JSON from message field or event.original
   • Use intermediate _temp field to avoid conflicts
   • Proper ignore_failure: true flags

2. Processor Tags & Descriptions:

   • Added unique tags (json_decode, move_json_fields, set_timestamp)
   • Descriptive comments for debugging

3. Error Handling (on_failure block):

   on_failure:
     - set:
         field: event.kind
         value: pipeline_error
     - append:
         field: error.message
         value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'