[New Package] Add FreeIPA integration#17812
Conversation
ReviewersBuildkite won't run for external contributors automatically; you need to add a comment:
NOTE: https://github.com/elastic/integrations/blob/main/.buildkite/pull-requests.json contains all those details. |
3b030cf to
e5ab704
Compare
Adds a comprehensive FreeIPA integration with five log data streams
covering all major FreeIPA services:
kdc — Kerberos KDC authentication events (TGS/TGT grants, failures,
S4U proxy, pre-auth, encryption types)
directory_access — 389 Directory Server access log (BIND, SEARCH,
MOD, ADD, DELETE, MODRDN with connection tracking)
directory_errors — 389 DS error log (replication failures, plugin
errors, resource warnings)
ca_audit — Dogtag CA signed audit log (certificate requests,
approvals, revocations, CRL generation, ACL decisions)
ipa_api — IPA JSON/XML-RPC API access log (commands, parameters,
results, caller identity)
Includes two transforms for connection-level LDAP analysis (latest
bind state and operation enrichment), GeoIP enrichment on client IPs,
ECS-compliant field mappings, and pipeline tests with both synthetic
and real-world log samples from a multi-replica FreeIPA deployment.
|
Hi! We just realized that we haven't looked into this PR in a while. We're sorry! We're labeling this issue as |
|
Hi! This PR has been stale for a while and we're going to close it as part of our cleanup procedure. We appreciate your contribution and would like to apologize if we have not been able to review it, due to the current heavy load of the team. Feel free to re-open this PR if you think it should stay open and is worth rebasing. Thank you for your contribution! |
|
It would surely be nice to finally have FreeIPA in our SIEM. Why isn't this a priority? |
Summary
Initial release of the FreeIPA (Red Hat IdM) integration. Collects security-relevant logs from five FreeIPA subsystems using filestream input: Kerberos KDC authentication events, 389 Directory Server access and error logs, Dogtag CA signed audit events, and IPA JSON API operations. Includes five ES|QL alerting rule templates that activate on Stack 9.2+, three optional transforms for cross-event LDAP correlation, and comprehensive ECS field mappings including x509 certificate fields and rule.name for policy objects. Dashboards will follow in a separate PR.
Changes
kdc,directory_access,directory_errors,ca_audit,ipa_apiTesting
elastic-package checkpasses (lint + build), full_review passes with 0 errors/0 warnings