Security requirements on Cells Observability Blueprint
What does this MR do and why?
This is a follow-up on the discussion in this issue: https://gitlab.com/gitlab-org/core-platform-section/data-stores/-/issues/87. It adds a reference to the Osquery and Wiz agents and a non-exhaustive list of logs to send to the SIEM.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Merge request reports
Activity
assigned to @pmartinsgl
requested review from @mcoons, @igorwwwwwwwwwwwwwwwwwwww, @sxuereb, @dperic, @mjozenazemian, @hasharma, and @hsuezawa
- A deleted user
added Architecture Evolution Blueprint documentation labels
5 Warnings
- 1547e5b9: The commit subject must contain at least 3 words. For more information, take a look at our Commit message guidelines.
- 1547e5b9: The commit subject must start with a capital letter. For more information, take a look at our Commit message guidelines.
- 8b9faea6: The commit subject may not be longer than 72 characters. For more information, take a look at our Commit message guidelines.
- 8b9faea6: The commit subject must start with a capital letter. For more information, take a look at our Commit message guidelines.
- This merge request does not refer to an existing milestone.
2 Messages
- This merge request might require a review from a Coach Engineer.
- This MR contains docs in the /doc/architecture directory, but any Maintainer (other than the author) can merge. You do not need tech writer review.
Architecture Evolution Review
This merge request might require a review from a Coach Engineer.
The following files, which might require the additional review, have been changed:
doc/architecture/blueprints/cells/infrastructure/observability.md
If needed, you can retry the danger-review job that generated this comment.
Generated by Danger
Edited by Ghost User
mentioned in issue Taucher2003/reporting#443 (closed)
- Resolved by 🤖 GitLab Bot 🤖
Proper labels assigned to this merge request. Please ignore me.
@pmartinsgl - please see the following guidance and update this merge request.
1 Error
- Please add a typebug, typefeature, or typemaintenance label to this merge request.
Edited by 🤖 GitLab Bot 🤖
added docs-only label
added typefeature label
- Resolved by Steve Xuereb - Out of Office Back 2025-04-21
@sxuereb could you merge this please?
Edited by Paulo Martins
- Resolved by Paulo Martins
- Resolved by Paulo Martins
mentioned in commit dc2fd051
53 53 1. Alerting is evaluated per cell. 54 54 1. Capacity planning. 55 55 1. Error budget metrics. 56 1. SIRT: Log delivery to Devo. 56 1. SIRT: Logs delivery to Devo (e.g. Application Logs, Syslogs, Cloud & Infrastructure Audit logs) 57 1. Osquery on VMs 58 1. Wiz Runtime Agent on all VMs & Kubernetes nodes - Comment on lines +57 to +58
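Review bot: The two new items on lines +57 and +58 ("Osquery on VMs" and "Wiz Runtime Agent on all VMs & Kubernetes nodes") name security tooling without saying who owns its deployment or what it collects, so they read as operational observability requirements on a par with the alerting, capacity and error-budget items above them. Consider qualifying them the way line +56 is qualified with an owner prefix, e.g. "SIRT: Osquery on VMs" and "SIRT: Wiz Runtime Agent on all VMs & Kubernetes nodes", or linking them to the internal handbook page on security in Cells mentioned in this thread, so the owner is explicit in the blueprint itself. Two smaller points on the same hunk: the rewritten line +56 now reads "SIRT: Logs delivery to Devo" where the removed line had the grammatical "Log delivery", and the "(e.g. ...)" list there is described in the MR as non-exhaustive but the blueprint does not say where the authoritative list of logs to ship is maintained; lines +57 and +58 also lack the trailing period used by every other item in the list.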
@pmartinsgl @sxuereb Should this be part of Observability? I think this blueprint is about what we need for operational observability. Similar to what we need for the "legacy" GitLab.com observability.
The logs are in scope because Observability is responsible for log ingestion, so I agree it makes sense to deliver these to other users as well.
But for Osquery or Wiz I'm not sure: I don't think Observability is currently involved in running these tools for GitLab.com as it currently stands. I for one have no knowledge about the data these tools need to collect, or how to query it. So I don't think we'd be the right folks for making sure these tools run correctly in a Cell.
@igorwwwwwwwwwwwwwwwwwwww What do you think?
I've asked the same question in !149118 (comment 1857757077).
I'll leave it up to you to decide, but I think it makes sense to have them as part of observability because they provide observability to our fleet. Now, who owns the provisioning of the tool and who the users of that tool are is different than for the rest of observability, but that doesn't mean they are not observability, right?
I started writing about Security in Cells in the Internal handbook (the MR is still in Draft): https://gitlab.com/gitlab-com/content-sites/internal-handbook/-/merge_requests/4479
I am going to write about osquery and Wiz there, and then I can update this to link to that page for any "Security Observability" topic. That way, it doesn't appear like it is meant to be for the Observability team to own and deploy.
added workflowstaging-canary label
added workflowcanary label and removed workflowstaging-canary label
added workflowstaging label and removed workflowcanary label
added workflowproduction label and removed workflowstaging label
changed milestone to %17.0
added workflowpost-deploy-db-staging label and removed workflowproduction label
added releasedcandidate label
added releasedpublished label and removed releasedcandidate label