[Marketplace Contribution] Kibana #43781
xsoar-bot wants to merge 3 commits into demisto:contrib/xsoar-contrib_whsmith1223-contrib-Kibana from
Thanks for contributing to the XSOAR marketplace. To receive credit for your generous contribution, please ask the reviewer to update your information in the pack contributors file. See more information here.
🤖 AI-Powered Code Review Available: Hi @kamalq97, you can leverage AI-powered code review to assist with this PR! Available Commands:
This can be assigned to Barry Yosilevich since we were working on a similar request previously.
Hi @whsmith1223, please rename the pack to
Changed pack name
🤖 Analysis started. Please wait for results...
For the Reviewer: Trigger build request has been accepted for this contribution PR.
For the Reviewer: Successfully created a pipeline in GitLab with url: https://gitlab.xdr.pan.local/xdr/cortex-content/content/-/pipelines/8222051
🤖 AI Review Disclaimer: This review was generated by an AI-powered tool and may contain inaccuracies. Please be advised, and we extend our sincere apologies for any inconvenience this may cause.
marketplace-ai-reviewer left a comment
Hi there! Thanks for contributing the new Kibana integration to the CommunityElasticSearch pack. I've reviewed your submission and found a few architectural and security items that need to be addressed before we can merge.
Here are the main areas to focus on:
- Architecture & Testing: Please refactor the integration to use the standard `ContentClient` class instead of direct `requests`, ensure `demisto.params()` is only called once inside `main()`, and include unit tests for your commands.
- Security & Code Quality: Avoid hardcoding authentication or SSL bypasses, remove log statements that might expose sensitive credentials, and fix the missing imports and undefined variables.
- Metadata & Documentation: Update the pack metadata with required fields (categories, keywords, support info), remove the `package-lock.json`, and regenerate the documentation using the `demisto-sdk` to include command examples.
Thanks again for your hard work on this!
Additionally, please address the following file-level notes:
Packs/CommunityElasticSearch/Integrations/Kibana/package-lock.json:
- Please remove the `package-lock.json` file.

Packs/CommunityElasticSearch/pack_metadata.json:
- Please add a support email and vendor URL to the pack metadata.
- Please add relevant categories and keywords to the pack metadata.

Packs/CommunityElasticSearch/Integrations/Kibana/Kibana.py:
- New integrations must use a `Client` class inheriting from `ContentClient` (from `CommonServerPython`) instead of standalone functions and direct `requests` calls. This standardizes HTTP requests, proxy handling, and SSL verification.
- All new commands and helpers must have unit tests. Please add a `Kibana_test.py` file with `pytest` tests covering the new functionality.
@barryyosi-panw please review and approve the results generated by the AI Reviewer by responding 👍 on this comment.
| # Disable insecure warnings | ||
| urllib3.disable_warnings() | ||
| warnings.filterwarnings(action="ignore", message=".*using SSL with verify_certs=False is insecure.") |
Disabling SSL warnings globally is discouraged. SSL verification should be controlled by the insecure parameter from the integration configuration, and handled by the ContentClient.
| urllib3.disable_warnings() | ||
| warnings.filterwarnings(action="ignore", message=".*using SSL with verify_certs=False is insecure.") | ||
| PARAMS = demisto.params() |
- `demisto.params()` must be called exactly once per script execution, typically within `main()`. Please move this inside `main()` and pass the required parameters to your functions or `Client` class.
- Missing definitions for `INSECURE` and `TIMEOUT`.
| "verify_certs": INSECURE, | ||
| "timeout": TIMEOUT, | ||
| } | ||
| demisto.debug(f"Building Elasticsearch client with args: {connection_args}") |
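Review bot: `"verify_certs": INSECURE` in the connection_args dict looks inverted. If INSECURE is the integration's standard "Trust any certificate (not secure)" checkbox, ticking it would switch certificate verification on and leaving it unticked would switch verification off; pass `not INSECURE` (or a `verify` value derived from the checkbox) instead, and keep the same derived value for any other HTTP call the integration makes.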
Logging connection_args directly can expose sensitive credentials like api_key or basic_auth. Please redact sensitive keys before logging or remove this log statement entirely.
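An added example, not code from this PR, of the two connection-setup points raised above: deriving the client kwargs so that certificate verification is the negation of the `insecure` checkbox, and redacting sensitive keys from `connection_args` before the string reaches `demisto.debug()`. `build_connection_args`, `redact`, `debug_line`, `SENSITIVE_KEYS` and `SAMPLE_PARAMS` are assumed names and constructed data; the snippet deliberately avoids importing CommonServerPython so it runs stand-alone.

```python
import json
from typing import Any

# Keys whose values must never reach demisto.debug() output (constructed list)
SENSITIVE_KEYS = frozenset({"api_key", "basic_auth", "password", "authorization"})


def build_connection_args(params: dict[str, Any]) -> dict[str, Any]:
    """Derive elasticsearch-py client kwargs from the integration params.

    ``insecure`` is the usual "Trust any certificate" checkbox, so
    certificate verification is its negation, never the flag itself.
    """
    insecure = bool(params.get("insecure", False))
    creds = params.get("credentials") or {}
    args: dict[str, Any] = {
        "hosts": [params["url"]],
        "verify_certs": not insecure,
        "timeout": int(params.get("timeout") or 60),
    }
    if params.get("api_key"):
        args["api_key"] = params["api_key"]
    elif creds.get("identifier"):
        args["basic_auth"] = (creds["identifier"], creds.get("password", ""))
    return args


def redact(obj: Any) -> Any:
    """Return a copy with every sensitive key's value replaced, recursing
    into nested dicts and lists so no credential slips through."""
    if isinstance(obj, dict):
        return {k: "***REDACTED***" if k.lower() in SENSITIVE_KEYS else redact(v)
                for k, v in obj.items()}
    if isinstance(obj, (list, tuple)):
        return type(obj)(redact(v) for v in obj)
    return obj


def debug_line(connection_args: dict[str, Any]) -> str:
    """The message that is safe to hand to demisto.debug()."""
    return "Building Elasticsearch client with args: " + json.dumps(
        redact(connection_args), sort_keys=True, default=str)


# Constructed sample, shaped like demisto.params() for this integration
SAMPLE_PARAMS = {"url": "https://kibana.example.invalid:9200", "insecure": True,
                 "credentials": {"identifier": "svc_xsoar", "password": "s3cr3t"},
                 "timeout": "30"}

if __name__ == "__main__":
    print(debug_line(build_connection_args(SAMPLE_PARAMS)))
```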
| query_params = {"status": status, "severity": severity, "from": from_time} | ||
| try: | ||
| response = requests.get( |
Direct use of the requests library bypasses XSOAR's built-in proxy/SSL configurations and lacks mandatory timeout handling. Please use the _http_request method from a ContentClient class, or wrap this call in a try/except requests.exceptions.Timeout block and implement retries.
| # output results to markdown table | ||
| md = tableToMarkdown("Kibana Cases", json_data, headers=[]) | ||
| result = CommandResults(readable_output=md, outputs_prefix="Kibana.Cases", outputs=json_data) |
The CommandResults object is missing the raw_response argument. Please include raw_response=json_data to ensure the raw data is available in the context.
| | **Argument Name** | **Description** | **Required** | | ||
| | --- | --- | --- | | ||
| | email_wildcard | Full or partial email address to search for user with. (i.e. william.smith@*). | Required | |
Consider using e.g., instead of i.e. when providing an example.
| | email_wildcard | Full or partial email address to search for user with. (i.e. william.smith@*). | Required | | |
| | email_wildcard | Full or partial email address to search for user with. (e.g., william.smith@*). | Required | |
| | **Argument Name** | **Description** | **Required** | | ||
| | --- | --- | --- | | ||
| | case_id | The case ID to retrieve information for. View available case IDs with kibana_find_cases. | Required | |
The command name should use kebab-case (kibana-find-cases) instead of snake_case (kibana_find_cases).
| | case_id | The case ID to retrieve information for. View available case IDs with kibana_find_cases. | Required | | |
| | case_id | The case ID to retrieve information for. View available case IDs with kibana-find-cases. | Required | |
Additionally, it appears this README might be hand-written or generated without examples, as standard sections like Command example and Human Readable Output are missing. Please consider regenerating the documentation with examples using the SDK:
demisto-sdk generate-docs --insecure -e <path/to/command_examples.txt>
| "url": "", | ||
| "email": "", | ||
| "created": "2026-04-08T21:25:31Z", | ||
| "categories": [], |
The categories field is mandatory and cannot be empty. Please add at least one valid category.
| "categories": [], | ||
| "tags": [], | ||
| "useCases": [], | ||
| "keywords": [], |
The vendor's name (e.g., Elastic) must appear in the keywords list.
| @@ -0,0 +1 @@ | |||
| These contributions help to boost the lack of SIEM capabilities with the Elasticsearch v2 integration. By adding support for Kibana API commands, users can integrate into case management and much more than simple log searching. | |||
Consider expanding this README to include a structured overview of the pack's capabilities.
@whsmith1223 please address the comments left by the AI Review so we can proceed with the rest of the review process.
Status
Contributor
@whsmith1223
Description
This pack allows using Elastic Security as a SIEM for security operations management. It also allows for searching Elastic logs.
Notes
These contributions help to boost the severe lack of SIEM capabilities with the Elasticsearch v2 integration. By adding support for Kibana API commands, users can integrate into case management and much more than simple log searching that exists today.
Auto-Generated Documentation Requiring Modification
Video Link
Short demo video of the Pack usage. Speeds up the review. Optional but recommended. Use a video sharing service such as Google Drive or YouTube.
relates: https://jira-dc.paloaltonetworks.com/browse/CIAC-16481