
[New Integration] Cursor Audit logs#18854

Open
P1llus wants to merge 19 commits into elastic:main from P1llus:new_cursor_test

Conversation

@P1llus
Member

@P1llus P1llus commented May 6, 2026

Proposed commit message

This PR defines the new Cursor integration with an "audit" datastream. The datastream has support for both S3 (and SQS) + its Admin API with CEL.

All events received through S3 are also available in the API; however, they have a slightly different schema, so there is a separate S3 pipeline that converts that schema to mimic what is in the API responses, and then the rest of the pipeline applies the same parsing logic for both.

System tests cover both pagination and cursor checks (2 intervals).

Pipeline tests have split all available event types (from official docs + resources from cursor) between the S3 and the API based inputs to test both.

The cursor.audit.event_data field is left as flattened, so that if new field types are provided in the future we are able to support them without a mapping explosion; any known fields are moved out of it.

Outside of pipeline/system tests it has also been tested against live environments both for S3 and API with a double check that no error.message was produced or similar.

Rate limits for CEL have been defined to fit closely to their 20/min rate limits but are made configurable.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Additional Information

API + schemas: https://cursor.com/docs/account/teams/admin-api#get-audit-logs

Related issues

Screenshots

(Screenshots: cursor-overview1, cursor-overview2)
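As an added illustration of the two-stage design described above (not code from the Cursor integration itself), the sketch below converts an S3-shaped record to the API shape, then runs one shared parse step that hoists known keys and leaves everything else in a flattened cursor.audit.event_data so unknown keys never create new mapped fields. Both record shapes are constructed for the example and are not Cursor's real schemas.

```python
from datetime import datetime, timezone

# Constructed sample records (hypothetical shapes, not Cursor's real schemas).
API_EVENT = {
    "timestamp": "2026-05-06T12:20:00Z",
    "type": "member.invited",
    "userEmail": "admin@example.com",
    "eventData": {"invitedEmail": "dev@example.com", "role": "member"},
}
S3_EVENT = {
    "time": 1778070000,                      # epoch seconds instead of ISO string
    "event_type": "member.invited",
    "user": {"email": "admin@example.com"},  # nested instead of flat
    "data": {"invitedEmail": "dev@example.com", "role": "member"},
}

# Known event_data keys get explicit mapped targets (names are hypothetical);
# anything not listed here stays inside the flattened object.
KNOWN_EVENT_DATA = {
    "invitedEmail": "cursor.audit.target.email",
    "role": "cursor.audit.target.role",
}


def s3_to_api_shape(rec):
    """Stage 1 (S3 input only): rename to the API field names so one parser serves both."""
    ts = datetime.fromtimestamp(rec["time"], tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "timestamp": ts,
        "type": rec["event_type"],
        "userEmail": rec["user"]["email"],
        "eventData": rec.get("data") or {},
    }


def parse(api_rec):
    """Stage 2 (shared): build the ECS-style document; hoist known keys, flatten the rest."""
    doc = {
        "@timestamp": api_rec["timestamp"],
        "event.module": "cursor",
        "event.dataset": "cursor.audit",
        "event.action": api_rec["type"],
        "user.email": api_rec["userEmail"],
    }
    remaining = {}
    for key, value in (api_rec.get("eventData") or {}).items():
        if key in KNOWN_EVENT_DATA:
            doc[KNOWN_EVENT_DATA[key]] = value
        else:
            remaining[key] = value  # unknown keys never become new mapped fields
    if remaining:
        doc["cursor.audit.event_data"] = remaining
    return doc


def ingest(rec, source):
    """Entry point: S3 records are normalised first, API records go straight to parse()."""
    return parse(s3_to_api_shape(rec) if source == "s3" else rec)
```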

@P1llus P1llus requested a review from a team as a code owner May 6, 2026 12:20
@P1llus P1llus added New Integration Issue or pull request for creating a new integration package. Team:Integration-Experience Security Integrations Integration Experience [elastic/integration-experience] Integration:cursor [Integration not found in source] labels May 6, 2026
@infra-vault-gh-plugin-prod

Pinging @elastic/integration-experience (Team:Integration-Experience)

@github-actions
Contributor

github-actions Bot commented May 6, 2026

Vale Linting Results

Summary: 17 warnings, 15 suggestions found

⚠️ Warnings (17)
File Line Rule Message
packages/cursor/docs/README.md 118 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
packages/cursor/docs/README.md 134 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
packages/cursor/docs/README.md 157 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
packages/cursor/docs/README.md 164 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
packages/cursor/docs/README.md 177 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
packages/cursor/docs/README.md 186 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
packages/cursor/docs/README.md 190 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'and so on' instead of 'etc'.
packages/cursor/docs/README.md 206 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
packages/cursor/docs/README.md 206 Elastic.DontUse Don't use 'please'.
packages/cursor/docs/README.md 208 Elastic.Latinisms Latin terms and abbreviations are a common source of confusion. Use 'for example' instead of 'e.g'.
packages/cursor/docs/README.md 227 Elastic.QuotesPunctuation Place punctuation inside closing quotation marks.
packages/cursor/docs/README.md 227 Elastic.DontUse Don't use 'and/or'.
packages/cursor/docs/README.md 229 Elastic.QuotesPunctuation Place punctuation inside closing quotation marks.
packages/cursor/docs/README.md 230 Elastic.DontUse Don't use 'just'.
packages/cursor/docs/README.md 233 Elastic.QuotesPunctuation Place punctuation inside closing quotation marks.
packages/cursor/docs/README.md 235 Elastic.QuotesPunctuation Place punctuation inside closing quotation marks.
packages/cursor/docs/README.md 236 Elastic.QuotesPunctuation Place punctuation inside closing quotation marks.
💡 Suggestions (15)
File Line Rule Message
packages/cursor/docs/README.md 122 Elastic.WordChoice Consider using 'deactivated, deselected, hidden, turned off, unavailable' instead of 'disabled', unless the term is in the UI.
packages/cursor/docs/README.md 157 Elastic.WordChoice Consider using 'deactivate, deselect, hide, turn off' instead of 'disable', unless the term is in the UI.
packages/cursor/docs/README.md 198 Elastic.WordChoice Consider using 'can, might' instead of 'may', unless the term is in the UI.
packages/cursor/docs/README.md 204 Elastic.Wordiness Consider using 'tell' instead of 'inform'.
packages/cursor/docs/README.md 204 Elastic.WordChoice Consider using 'can, might' instead of 'may', unless the term is in the UI.
packages/cursor/docs/README.md 204 Elastic.WordChoice Consider using 'can, might' instead of 'may', unless the term is in the UI.
packages/cursor/docs/README.md 206 Elastic.WordChoice Consider using 'can, might' instead of 'may', unless the term is in the UI.
packages/cursor/docs/README.md 206 Elastic.WordChoice Consider using 'deactivated, deselected, hidden, turned off, unavailable' instead of 'disabled', unless the term is in the UI.
packages/cursor/docs/README.md 207 Elastic.WordChoice Consider using 'efficiently' instead of 'simply', unless the term is in the UI.
packages/cursor/docs/README.md 207 Elastic.WordChoice Consider using 'can, might' instead of 'may', unless the term is in the UI.
packages/cursor/docs/README.md 212 Elastic.Wordiness Consider using 'all' instead of 'All of '.
packages/cursor/docs/README.md 227 Elastic.Wordiness Consider using 'sometimes' instead of 'In some cases'.
packages/cursor/docs/README.md 227 Elastic.WordChoice Consider using 'can, might' instead of 'may', unless the term is in the UI.
packages/cursor/docs/README.md 230 Elastic.WordChoice Consider using 'can, might' instead of 'may', unless the term is in the UI.
packages/cursor/docs/README.md 397 Elastic.WordChoice Consider using 'can, might' instead of 'may', unless the term is in the UI.

The Vale linter checks documentation changes against the Elastic Docs style guide.

To use Vale locally or report issues, refer to Elastic style guide for Vale.

@P1llus P1llus marked this pull request as draft May 6, 2026 12:25

@andrewkroh andrewkroh added documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. and removed New Integration Issue or pull request for creating a new integration package. Integration:cursor [Integration not found in source] labels May 6, 2026
@P1llus P1llus marked this pull request as ready for review May 6, 2026 16:09
@P1llus P1llus force-pushed the new_cursor_test branch from 1c2bc3e to 79f4f03 Compare May 6, 2026 16:37

@github-actions
Contributor

github-actions Bot commented May 6, 2026

TL;DR

The Buildkite failure is caused by a README drift, not a pipeline/runtime issue: commit d7ae2e6a added new ECS constant fields (event.module, event.dataset) but the package README table was not regenerated. Regenerate and commit the README output to unblock CI.

Remediation

  • Regenerate the Cursor package docs (elastic-package build from packages/cursor/) and commit the updated README output.
  • Re-run the package check job (or push the regenerated README commit) to confirm that the "check readme files are up-to-date" step passes.
Investigation details

Root Cause

d7ae2e6a modifies packages/cursor/data_stream/audit/fields/base-fields.yml by adding:

  • event.module (value: cursor) at lines 10-13
  • event.dataset (value: cursor.audit) at lines 14-17

Those fields are not reflected in the generated field table currently present in packages/cursor/docs/README.md around lines 200-204, so the README consistency check fails.

Evidence

README.md is outdated. Rebuild the package with 'elastic-package build'
@@ -201,4 +201,6 @@
+| event.dataset | Event dataset. | constant_keyword |
...
+| event.module | Event module. | constant_keyword |
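Review bot: the two added rows (event.dataset and event.module, both constant_keyword) are exactly the fields introduced in base-fields.yml, so the README table should be regenerated with elastic-package build from packages/cursor/ and committed, rather than hand-editing README.md; the elided "..." between the rows indicates the checker only prints differing lines, so rely on the generated output to catch any further drift.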
Error: checking package failed: checking readme files are up-to-date failed: files do not match

Verification

  • Not run locally: elastic-package is not installed in this runner environment.

Follow-up

After regenerating docs, verify no other field-table drift exists by re-running the same package check job.

Note

🔒 Integrity filter blocked 2 items

The following items were blocked because they don't meet the GitHub integrity level.

  • #18854 pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • [New Integration] Cursor Audit logs #18854 pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

From workflow: PR Buildkite Detective

@elastic-vault-github-plugin-prod

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@elasticmachine

💚 Build Succeeded

Development

Successfully merging this pull request may close these issues.

[New Integration] Cursor Audit Logs

3 participants