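--- a/packages/blacklens/changelog.yml
+++ b/packages/blacklens/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.0.0"
+changes:
+- description: Make GA and Update Fields to match new JSON Scheme
+type: enhancement
+link: https://github.com/elastic/integrations/pull/16893
 - version: "0.4.1"
 changes:
 - description: Fix default request trace enabled behavior.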
@@ -1 +1 @@
{"updated_date":"2024-11-12T09:39:58.489Z","created_date":"2024-11-12T09:39:58.489Z","id":1001,"details":{"id":100,"engine":"Port Scanner","title":"New Open Port"},"severity":"medium","affected_entities":2,"alert_outcome":"affected","alert_status":"resolved","customer_state":"open","alert_payload":[],"type_id":100}
{"updated_date":"2025-12-31T16:10:56.155874Z","created_date":"2025-12-30T16:11:57.194393Z","id":"7ea10c5d-559a-4c55-8608-2e060956de68","name":"External Vulnerability Detected","type":"ExternalVulnerabilityDiscovered","severity":"high","status":"new","analysis":"completed","category":"vulnerability","activities":[{"updated_date":null,"created_date":"2025-12-30T16:11:40.195989Z","id":"73dcaa88-09e1-4c58-9fa5-5495f8dac2a4","type":"ExternalVulnerabilityCreated","description":"A Critical severity external vulnerability 'Blind SQL Injection via HTTP Header' has been detected on asset 'demo.example.com'","category":"threat","trace_id":"40eda190-83fd-4a1b-8155-3a1c7434b319","data":{}}]}
@@ -1,17 +1,26 @@
{
"expected": [
{
"@timestamp": "2024-11-12T09:39:58.489Z",
"@timestamp": "2025-12-30T16:11:57.194Z",
"blacklens": {
"alert": {
"id": 1001,
"outcome": "affected",
"severity": "medium",
"status": "resolved",
"title": "New Open Port",
"type": "Port Scanner",
"type_id": 100,
"updated_date": "2024-11-12T09:39:58.489Z"
"activities": [
{
"category": "threat",
"created_date": "2025-12-30T16:11:40.195989Z",
"description": "A Critical severity external vulnerability 'Blind SQL Injection via HTTP Header' has been detected on asset 'demo.example.com'",
"id": "73dcaa88-09e1-4c58-9fa5-5495f8dac2a4",
"trace_id": "40eda190-83fd-4a1b-8155-3a1c7434b319",
"type": "ExternalVulnerabilityCreated"
}
],
"analysis": "completed",
"category": "vulnerability",
"id": "7ea10c5d-559a-4c55-8608-2e060956de68",
"name": "External Vulnerability Detected",
"severity": "high",
"status": "new",
"updated_date": "2025-12-31T16:10:56.155Z"
}
},
"ecs": {
Expand All @@ -21,8 +30,8 @@
"category": [
"threat"
],
"id": "1001",
"original": "{\"updated_date\":\"2024-11-12T09:39:58.489Z\",\"created_date\":\"2024-11-12T09:39:58.489Z\",\"id\":1001,\"details\":{\"id\":100,\"engine\":\"Port Scanner\",\"title\":\"New Open Port\"},\"severity\":\"medium\",\"affected_entities\":2,\"alert_outcome\":\"affected\",\"alert_status\":\"resolved\",\"customer_state\":\"open\",\"alert_payload\":[],\"type_id\":100}",
"id": "7ea10c5d-559a-4c55-8608-2e060956de68",
"original": "{\"updated_date\":\"2025-12-31T16:10:56.155874Z\",\"created_date\":\"2025-12-30T16:11:57.194393Z\",\"id\":\"7ea10c5d-559a-4c55-8608-2e060956de68\",\"name\":\"External Vulnerability Detected\",\"type\":\"ExternalVulnerabilityDiscovered\",\"severity\":\"high\",\"status\":\"new\",\"analysis\":\"completed\",\"category\":\"vulnerability\",\"activities\":[{\"updated_date\":null,\"created_date\":\"2025-12-30T16:11:40.195989Z\",\"id\":\"73dcaa88-09e1-4c58-9fa5-5495f8dac2a4\",\"type\":\"ExternalVulnerabilityCreated\",\"description\":\"A Critical severity external vulnerability 'Blind SQL Injection via HTTP Header' has been detected on asset 'demo.example.com'\",\"category\":\"threat\",\"trace_id\":\"40eda190-83fd-4a1b-8155-3a1c7434b319\",\"data\":{}}]}",
"type": [
"indicator"
]
Expand Up @@ -52,28 +52,24 @@ processors:
target_field: blacklens.alert.severity
ignore_missing: true
- rename:
field: json.alert_status
field: json.status
target_field: blacklens.alert.status
ignore_missing: true
- rename:
field: json.alert_outcome
target_field: blacklens.alert.outcome
field: json.analysis
target_field: blacklens.alert.analysis
ignore_missing: true
- rename:
field: json.details.engine
target_field: blacklens.alert.type
field: json.category
target_field: blacklens.alert.category
ignore_missing: true
- rename:
field: json.type_id
target_field: blacklens.alert.type_id
field: json.name
target_field: blacklens.alert.name
ignore_missing: true
- rename:
field: json.details.title
target_field: blacklens.alert.title
ignore_missing: true
- rename:
field: json.alert_payload
target_field: blacklens.alert.details
field: json.activities
target_field: blacklens.alert.activities
ignore_missing: true
- remove:
field: json
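Review bot: The top-level `type` of the new payload (`"type":"ExternalVulnerabilityDiscovered"` in the test input) is not mapped by any rename in this hunk, so the `remove` of `json` at the end of the hunk discards it, while the old `blacklens.alert.type` field was dropped from the mapping and the dashboards were re-pointed at `category`; unless one of the processors above the hunk already handles it, add a rename before the `remove` so the alert type survives. The processor list starts above the hunk, so I could not confirm whether it does. Note also that with `ignore_missing: true` on every rename, a document in the previous 0.4.x shape (integer `id`, `details.engine`) now passes the pipeline without error but with almost none of the `blacklens.alert.*` fields populated; consider tagging or failing documents where `json.id` is absent so a schema mismatch is visible rather than silent.
```yaml
  - rename:
      field: json.type
      target_field: blacklens.alert.type
      ignore_missing: true
  # … unchanged: remove json …
```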
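--- a/packages/blacklens/data_stream/alerts/fields/fields.yml
+++ b/packages/blacklens/data_stream/alerts/fields/fields.yml
@@ -5,26 +5,40 @@
 type: date
 description: Activity last updated time (UTC).
 - name: id
-type: integer
+type: keyword
 description: Unique Alert ID
 - name: severity
 type: keyword
 description: Alert Severity
 - name: status
 type: keyword
 description: Current Status of the Alert
-- name: outcome
+- name: analysis
 type: keyword
 description: Determines whether the current alert triggers further events
-- name: type
+- name: category
 type: keyword
-description: Alert Type (Engine)
-- name: type_id
-type: integer
-description: Alert Type ID (Engine)
-- name: title
+description: Alert category
+- name: name
 type: keyword
-description: Title/Description of the given Alert
-- name: details
-type: nested
-description: Alert Details
+description: Name of the given Alert
+- name: activities
+description: Associated Activities of the Alert
+type: group
+fields:
+- name: id
+type: keyword
+- name: created_date
+type: date
+- name: updated_date
+type: date
+- name: category
+type: keyword
+- name: type
+type: keyword
+- name: description
+type: keyword
+- name: trace_id
+type: keyword
+- name: data
+type: nested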
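Review bot: `activities.data` at the end of the hunk is mapped as `nested` with no sub-fields, so whatever keys the vendor places in that object (`{}` in the test sample) are either mapped dynamically — field names chosen by the remote API growing the index mapping toward the total-fields limit — or not indexed at all, depending on the template's dynamic setting; `type: flattened` keeps arbitrary vendor keys searchable behind a single mapping entry, or use `type: group` with the documented keys if the schema is fixed. The `analysis` description is carried over verbatim from the removed `outcome` field (`Determines whether the current alert triggers further events`) and does not fit a value such as `completed` seen in the sample; `description: Analysis state of the alert` would match what is actually shown. None of the eight `activities` sub-fields has a `description`, which is why the README table in this PR shows empty description cells for them — one line each (e.g. `description: Free-text summary of the activity` on `activities.description`) would fix both places at once. This hunk also removes `outcome`, `type`, `type_id`, `title` and `details` and changes `id` from `integer` to `keyword`, which would break any saved searches or visualisations built on the 0.4.x field names, so the changelog entry is better classified as `type: breaking-change` than `enhancement`.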
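--- a/packages/blacklens/data_stream/alerts/sample_event.json
+++ b/packages/blacklens/data_stream/alerts/sample_event.json
@@ -1,55 +1,64 @@
 {
-"@timestamp": "2024-11-12T09:39:58.489Z",
-"agent": {
-"ephemeral_id": "33939e93-54ef-4184-b92b-bc8f02e179a6",
-"id": "f98f4444-6fca-4500-83b6-a8c5e8f32bf1",
-"name": "elastic-agent-49577",
-"type": "filebeat",
-"version": "8.15.2"
-},
-"blacklens": {
-"alert": {
-"id": 1001,
-"outcome": "affected",
-"severity": "medium",
-"status": "resolved",
-"title": "New Open Port",
-"type": "Port Scanner",
-"type_id": 100,
-"updated_date": "2024-11-12T09:39:58.489Z"
-}
-},
-"data_stream": {
-"dataset": "blacklens.alerts",
-"namespace": "41265",
-"type": "logs"
-},
-"ecs": {
-"version": "8.11.0"
-},
-"elastic_agent": {
-"id": "f98f4444-6fca-4500-83b6-a8c5e8f32bf1",
-"snapshot": false,
-"version": "8.15.2"
-},
-"event": {
-"agent_id_status": "verified",
-"category": [
-"threat"
-],
-"created": "2025-12-09T05:45:05.855Z",
-"dataset": "blacklens.alerts",
-"id": "1001",
-"ingested": "2025-12-09T05:45:08Z",
-"type": [
-"indicator"
-]
-},
-"input": {
-"type": "httpjson"
-},
-"tags": [
-"forwarded",
-"blacklens-alert"
-]
-}
+"@timestamp":"2024-11-12T09:39:58.489Z",
+"agent":{
+"ephemeral_id":"33939e93-54ef-4184-b92b-bc8f02e179a6",
+"id":"f98f4444-6fca-4500-83b6-a8c5e8f32bf1",
+"name":"elastic-agent-49577",
+"type":"filebeat",
+"version":"8.15.2"
+},
+"blacklens":{
+"alert":{
+"activities":[
+{
+"category":"threat",
+"created_date":"2025-12-30T16:11:40.195989Z",
+"description":"A Critical severity external vulnerability 'Blind SQL Injection via HTTP Header' has been detected on asset 'demo.example.com'",
+"id":"73dcaa88-09e1-4c58-9fa5-5495f8dac2a4",
+"trace_id":"40eda190-83fd-4a1b-8155-3a1c7434b319",
+"type":"ExternalVulnerabilityCreated"
+}
+],
+"analysis":"completed",
+"category":"vulnerability",
+"id":"7ea10c5d-559a-4c55-8608-2e060956de68",
+"name":"External Vulnerability Detected",
+"severity":"high",
+"status":"new",
+"updated_date":"2025-12-31T16:10:56.155Z"
+}
+},
+"data_stream":{
+"dataset":"blacklens.alerts",
+"namespace":"41265",
+"type":"logs"
+},
+"ecs":{
+"version":"8.11.0"
+},
+"elastic_agent":{
+"id":"f98f4444-6fca-4500-83b6-a8c5e8f32bf1",
+"snapshot":false,
+"version":"8.15.2"
+},
+"event":{
+"agent_id_status":"verified",
+"category":[
+"threat"
+],
+"created":"2025-12-09T05:45:05.855Z",
+"dataset":"blacklens.alerts",
+"id":"1001",
+"ingested":"2025-12-09T05:45:08Z",
+"type":[
+"indicator"
+]
+},
+"input":{
+"type":"httpjson"
+},
+"tags":[
+"forwarded",
+"blacklens-alert"
+]
+}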
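Review bot: The new sample event looks hand-edited rather than regenerated: `event.id` is still `"1001"` (the old integer alert id) while `blacklens.alert.id` is now `7ea10c5d-559a-4c55-8608-2e060956de68`, and `@timestamp` is still `2024-11-12T09:39:58.489Z` while `updated_date` is `2025-12-31T16:10:56.155Z`; the pipeline's own expected output for the same input in this PR sets `@timestamp` to `2025-12-30T16:11:57.194Z` and `event.id` to the UUID. The `agent`, `elastic_agent` and `event.created`/`event.ingested` values are unchanged from the previous sample and the JSON lost its key/value spacing, which points the same way. Since this file is what the README example is built from, regenerate it from a system-test run so the published example matches what the 1.0.0 pipeline actually emits.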
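--- a/packages/blacklens/docs/README.md
+++ b/packages/blacklens/docs/README.md
@@ -64,14 +64,23 @@ An example event for `alerts` looks as following:
 },
 "blacklens": {
 "alert": {
-"id": 1001,
-"outcome": "affected",
-"severity": "medium",
-"status": "resolved",
-"title": "New Open Port",
-"type": "Port Scanner",
-"type_id": 100,
-"updated_date": "2024-11-12T09:39:58.489Z"
+"activities": [
+{
+"category": "threat",
+"created_date": "2025-12-30T16:11:40.195989Z",
+"description": "A Critical severity external vulnerability 'Blind SQL Injection via HTTP Header' has been detected on asset 'demo.example.com'",
+"id": "73dcaa88-09e1-4c58-9fa5-5495f8dac2a4",
+"trace_id": "40eda190-83fd-4a1b-8155-3a1c7434b319",
+"type": "ExternalVulnerabilityCreated"
+}
+],
+"analysis": "completed",
+"category": "vulnerability",
+"id": "7ea10c5d-559a-4c55-8608-2e060956de68",
+"name": "External Vulnerability Detected",
+"severity": "high",
+"status": "new",
+"updated_date": "2025-12-31T16:10:56.155Z"
 }
 },
 "data_stream": {
@@ -115,14 +124,20 @@ An example event for `alerts` looks as following:
 | Field | Description | Type |
 |---|---|---|
 | @timestamp | Event timestamp. | date |
-| blacklens.alert.details | Alert Details | nested |
-| blacklens.alert.id | Unique Alert ID | integer |
-| blacklens.alert.outcome | Determines whether the current alert triggers further events | keyword |
+| blacklens.alert.activities.category | | keyword |
+| blacklens.alert.activities.created_date | | date |
+| blacklens.alert.activities.data | | nested |
+| blacklens.alert.activities.description | | keyword |
+| blacklens.alert.activities.id | | keyword |
+| blacklens.alert.activities.trace_id | | keyword |
+| blacklens.alert.activities.type | | keyword |
+| blacklens.alert.activities.updated_date | | date |
+| blacklens.alert.analysis | Determines whether the current alert triggers further events | keyword |
+| blacklens.alert.category | Alert category | keyword |
+| blacklens.alert.id | Unique Alert ID | keyword |
+| blacklens.alert.name | Name of the given Alert | keyword |
 | blacklens.alert.severity | Alert Severity | keyword |
 | blacklens.alert.status | Current Status of the Alert | keyword |
-| blacklens.alert.title | Title/Description of the given Alert | keyword |
-| blacklens.alert.type | Alert Type (Engine) | keyword |
-| blacklens.alert.type_id | Alert Type ID (Engine) | integer |
 | blacklens.alert.updated_date | Activity last updated time (UTC). | date |
 | data_stream.dataset | Data stream dataset. | constant_keyword |
 | data_stream.namespace | Data stream namespace. | constant_keyword |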
Expand Up @@ -214,7 +214,7 @@
"5daabdc5-ef58-44c4-abc6-e081ccc141b3": {
"dataType": "string",
"isBucketed": true,
"label": "Top 7 values of blacklens.alert.type",
"label": "Top 7 values of blacklens.alert.category",
"operationType": "terms",
"params": {
"exclude": [],
Expand All @@ -234,7 +234,7 @@
"size": 7
},
"scale": "ordinal",
"sourceField": "blacklens.alert.type"
"sourceField": "blacklens.alert.category"
},
"779791bd-efc6-4cd7-a348-e1f02e55da6a": {
"dataType": "number",
Expand Down Expand Up @@ -515,7 +515,7 @@
"596741f2-76ab-4053-96a3-f7d0c419e3ca": {
"dataType": "string",
"isBucketed": true,
"label": "Top 10 values of blacklens.alert.type",
"label": "Top 10 values of blacklens.alert.category",
"operationType": "terms",
"params": {
"accuracyMode": false,
Expand All @@ -536,7 +536,7 @@
"size": 10
},
"scale": "ordinal",
"sourceField": "blacklens.alert.type"
"sourceField": "blacklens.alert.category"
},
"740c7874-8bd6-4615-a570-bb61d09e2343": {
"customLabel": true,
Expand Down Expand Up @@ -671,7 +671,7 @@
"5adc4648-4eb7-4b43-9235-26d66a0ab3d2": {
"dataType": "string",
"isBucketed": true,
"label": "Top 5 values of blacklens.alert.type",
"label": "Top 5 values of blacklens.alert.category",
"operationType": "terms",
"params": {
"exclude": [],
Expand All @@ -691,7 +691,7 @@
"size": 5
},
"scale": "ordinal",
"sourceField": "blacklens.alert.type"
"sourceField": "blacklens.alert.category"
},
"772e1ee4-713b-4a0e-84ce-76b2030e1240": {
"dataType": "number",
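--- a/packages/blacklens/manifest.yml
+++ b/packages/blacklens/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.3.0
 name: blacklens
 title: "blacklens.io"
-version: "0.4.1"
+version: "1.0.0"
 source:
 license: "Elastic-2.0"
 description: "Collect logs from blacklens.io with Elastic Agent"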