Addressed comments given by @kcreddy.

muskan-crest · muskan-crest · commit 27e632194946 · 2025-05-16T13:51:31.000+05:30
diff --git a/packages/aws/data_stream/config/_dev/test/pipeline/test-event.log-expected.json b/packages/aws/data_stream/config/_dev/test/pipeline/test-event.log-expected.json
@@ -95,18 +95,18 @@
                 ]
             },
             "resource": {
-                "id": "i-0a4468fbfafee6a8f",
+                "id": "arn:aws:config:us-east-1:329599655752:config-rule/config-rule-rwpvuz",
                 "type": "AWS::EC2::Instance"
             },
             "result": {
-                "evaluation": "COMPLIANT"
+                "evaluation": "passed"
             },
             "rule": {
                 "description": "Checks whether the active access keys are rotated within the number of days specified in maxAccessKeyAge. The rule is non-compliant if the access keys have not been rotated for more than maxAccessKeyAge number of days.",
+                "id": "config-rule-rwpvuz",
                 "name": "access-keys-rotated",
                 "reference": "arn:aws:config:us-east-1:329599655752:config-rule/config-rule-rwpvuz",
-                "tags": "string",
-                "uuid": "config-rule-rwpvuz"
+                "tags": "string"
             },
             "tags": [
                 "preserve_duplicate_custom_fields"
diff --git a/packages/aws/data_stream/config/elasticsearch/ingest_pipeline/default.yml b/packages/aws/data_stream/config/elasticsearch/ingest_pipeline/default.yml
@@ -89,7 +89,7 @@ processors:
       target_field: aws.config.rule_info.config_rule_id
       ignore_missing: true
   - set:
-      field: rule.uuid
+      field: rule.id
       tag: set_rule_id_from_config_config_rule_info_config_rule_id
       copy_from: aws.config.rule_info.config_rule_id
       ignore_empty_value: true
@@ -311,8 +311,8 @@ processors:
       ignore_missing: true
   - set:
       field: resource.id
-      tag: set_resource_id_from_config_evaluation_result_identifier_evaluation_result_qualifier_resource_id
-      copy_from: aws.config.evaluation_result_identifier.evaluation_result_qualifier.resource_id
+      tag: set_resource_id_from_config_config_rule_info_config_rule_arn
+      copy_from: aws.config.rule_info.config_rule_arn
       ignore_empty_value: true
   - rename:
       field: json.EvaluationResultIdentifier.EvaluationResultQualifier.ResourceType
@@ -329,15 +329,10 @@ processors:
       tag: rename_ComplianceType
       target_field: aws.config.compliance_type
       ignore_missing: true
-  - set:
-      field: result.evaluation
-      tag: set_result_evaluation_from_aws_config_compliance_type
-      copy_from: aws.config.compliance_type
-      ignore_empty_value: true
   - script:
-      tag: set_event_outcome_from_aws_config_compliance_type
+      tag: set_event_outcome_and_result_evaluation_from_aws_config_compliance_type
       lang: painless
-      description: set event.outcome from aws.config.compliance_type
+      description: set event.outcome and result.evaluation from compliance_type
       if : ctx.aws?.config?.compliance_type instanceof String
       source: >-
         if (ctx.aws.config.compliance_type == 'NON_COMPLIANT') {
@@ -347,6 +342,24 @@ processors:
         } else {
           ctx.event.outcome = 'unknown';
         }
+  - set:
+      field: result.evaluation
+      tag: set_result_evaluation_passed
+      value: passed
+      if: ctx.aws?.config?.compliance_type == 'COMPLIANT'
+      ignore_empty_value: true
+  - set:
+      field: result.evaluation
+      tag: set_result_evaluation_failed
+      value: failed
+      if: ctx.aws?.config?.compliance_type == 'NON_COMPLIANT'
+      ignore_empty_value: true
+  - set:
+      field: result.evaluation
+      tag: set_result_evaluation_unknown
+      value: unknown
+      if: ctx.result?.evaluation == null
+      ignore_empty_value: true
   - rename:
       field: json.ConfigRuleInfo.Scope.TagValue
       tag: rename_ConfigRuleInfo_Scope_TagValue
diff --git a/packages/aws/data_stream/config/fields/ecs.yml b/packages/aws/data_stream/config/fields/ecs.yml
@@ -0,0 +1,4 @@
+- name: cloud.provider
+  type: constant_keyword
+- name: observer.vendor
+  type: constant_keyword
diff --git a/packages/aws/data_stream/config/fields/is-transform-source-true.yml b/packages/aws/data_stream/config/fields/is-transform-source-true.yml
diff --git a/packages/aws/data_stream/config/sample_event.json b/packages/aws/data_stream/config/sample_event.json
@@ -1,9 +1,9 @@
 {
-    "@timestamp": "2025-05-15T07:58:22.984Z",
+    "@timestamp": "2025-05-16T07:58:23.791Z",
     "agent": {
-        "ephemeral_id": "d0c3ee19-2392-4043-b593-6b17777af11d",
-        "id": "5be90210-85df-4e5b-85b6-88ffdd10983e",
-        "name": "elastic-agent-81980",
+        "ephemeral_id": "6fbe87e6-993e-4c40-abbe-bbe39ee3591c",
+        "id": "7d2ce287-1db4-4b2d-99f9-a00c406e3c06",
+        "name": "elastic-agent-65400",
         "type": "filebeat",
         "version": "8.18.0"
     },
@@ -52,14 +52,14 @@
     },
     "data_stream": {
         "dataset": "aws.config",
-        "namespace": "98805",
+        "namespace": "55739",
         "type": "logs"
     },
     "ecs": {
         "version": "8.17.0"
     },
     "elastic_agent": {
-        "id": "5be90210-85df-4e5b-85b6-88ffdd10983e",
+        "id": "7d2ce287-1db4-4b2d-99f9-a00c406e3c06",
         "snapshot": false,
         "version": "8.18.0"
     },
@@ -70,7 +70,7 @@
         ],
         "created": "2015-09-29T15:52:31.883Z",
         "dataset": "aws.config",
-        "ingested": "2025-05-15T07:58:25Z",
+        "ingested": "2025-05-16T07:58:26Z",
         "kind": "event",
         "original": "{\"ComplianceType\":\"COMPLIANT\",\"ConfigRuleInfo\":{\"ConfigRuleArn\":\"arn:aws:config:us-east-1:11223344556:config-rule/config-rule-id1\",\"ConfigRuleId\":\"config-rule-id1\",\"ConfigRuleName\":\"access-keys-rotated\",\"ConfigRuleState\":\"ACTIVE\",\"Description\":\"Checks whether the active access keys are rotated within the number of days specified in maxAccessKeyAge. The rule is non-compliant if the access keys have not been rotated for more than maxAccessKeyAge number of days.\",\"EvaluationModes\":[{\"Mode\":\"DETECTIVE\"}],\"InputParameters\":\"{\\\"maxAccessKeyAge\\\":\\\"90\\\"}\",\"MaximumExecutionFrequency\":\"TwentyFour_Hours\",\"Source\":{\"Owner\":\"AWS\",\"SourceIdentifier\":\"ACCESS_KEYS_ROTATED\"}},\"ConfigRuleInvokedTime\":1444799479.852,\"EvaluationResultIdentifier\":{\"EvaluationResultQualifier\":{\"ConfigRuleName\":\"access-keys-rotated\",\"EvaluationMode\":\"DETECTIVE\",\"ResourceId\":\"i-0a4468fbfafeeg20h\",\"ResourceType\":\"AWS::EC2::Instance\"},\"OrderingTimestamp\":1443541951.883},\"ResultRecordedTime\":1444799480.061}",
         "outcome": "success",
@@ -87,17 +87,17 @@
         "vendor": "Amazon"
     },
     "resource": {
-        "id": "i-0a4468fbfafeeg20h",
+        "id": "arn:aws:config:us-east-1:11223344556:config-rule/config-rule-id1",
         "type": "AWS::EC2::Instance"
     },
     "result": {
-        "evaluation": "COMPLIANT"
+        "evaluation": "passed"
     },
     "rule": {
         "description": "Checks whether the active access keys are rotated within the number of days specified in maxAccessKeyAge. The rule is non-compliant if the access keys have not been rotated for more than maxAccessKeyAge number of days.",
+        "id": "config-rule-id1",
         "name": "access-keys-rotated",
-        "reference": "arn:aws:config:us-east-1:11223344556:config-rule/config-rule-id1",
-        "uuid": "config-rule-id1"
+        "reference": "arn:aws:config:us-east-1:11223344556:config-rule/config-rule-id1"
     },
     "tags": [
         "preserve_original_event",
diff --git a/packages/aws/docs/config.md b/packages/aws/docs/config.md
@@ -72,11 +72,11 @@ An example event for `config` looks as following:
 
 ```json
 {
-    "@timestamp": "2025-05-15T07:58:22.984Z",
+    "@timestamp": "2025-05-16T07:58:23.791Z",
     "agent": {
-        "ephemeral_id": "d0c3ee19-2392-4043-b593-6b17777af11d",
-        "id": "5be90210-85df-4e5b-85b6-88ffdd10983e",
-        "name": "elastic-agent-81980",
+        "ephemeral_id": "6fbe87e6-993e-4c40-abbe-bbe39ee3591c",
+        "id": "7d2ce287-1db4-4b2d-99f9-a00c406e3c06",
+        "name": "elastic-agent-65400",
         "type": "filebeat",
         "version": "8.18.0"
     },
@@ -125,14 +125,14 @@ An example event for `config` looks as following:
     },
     "data_stream": {
         "dataset": "aws.config",
-        "namespace": "98805",
+        "namespace": "55739",
         "type": "logs"
     },
     "ecs": {
         "version": "8.17.0"
     },
     "elastic_agent": {
-        "id": "5be90210-85df-4e5b-85b6-88ffdd10983e",
+        "id": "7d2ce287-1db4-4b2d-99f9-a00c406e3c06",
         "snapshot": false,
         "version": "8.18.0"
     },
@@ -143,7 +143,7 @@ An example event for `config` looks as following:
         ],
         "created": "2015-09-29T15:52:31.883Z",
         "dataset": "aws.config",
-        "ingested": "2025-05-15T07:58:25Z",
+        "ingested": "2025-05-16T07:58:26Z",
         "kind": "event",
         "original": "{\"ComplianceType\":\"COMPLIANT\",\"ConfigRuleInfo\":{\"ConfigRuleArn\":\"arn:aws:config:us-east-1:11223344556:config-rule/config-rule-id1\",\"ConfigRuleId\":\"config-rule-id1\",\"ConfigRuleName\":\"access-keys-rotated\",\"ConfigRuleState\":\"ACTIVE\",\"Description\":\"Checks whether the active access keys are rotated within the number of days specified in maxAccessKeyAge. The rule is non-compliant if the access keys have not been rotated for more than maxAccessKeyAge number of days.\",\"EvaluationModes\":[{\"Mode\":\"DETECTIVE\"}],\"InputParameters\":\"{\\\"maxAccessKeyAge\\\":\\\"90\\\"}\",\"MaximumExecutionFrequency\":\"TwentyFour_Hours\",\"Source\":{\"Owner\":\"AWS\",\"SourceIdentifier\":\"ACCESS_KEYS_ROTATED\"}},\"ConfigRuleInvokedTime\":1444799479.852,\"EvaluationResultIdentifier\":{\"EvaluationResultQualifier\":{\"ConfigRuleName\":\"access-keys-rotated\",\"EvaluationMode\":\"DETECTIVE\",\"ResourceId\":\"i-0a4468fbfafeeg20h\",\"ResourceType\":\"AWS::EC2::Instance\"},\"OrderingTimestamp\":1443541951.883},\"ResultRecordedTime\":1444799480.061}",
         "outcome": "success",
@@ -160,17 +160,17 @@ An example event for `config` looks as following:
         "vendor": "Amazon"
     },
     "resource": {
-        "id": "i-0a4468fbfafeeg20h",
+        "id": "arn:aws:config:us-east-1:11223344556:config-rule/config-rule-id1",
         "type": "AWS::EC2::Instance"
     },
     "result": {
-        "evaluation": "COMPLIANT"
+        "evaluation": "passed"
     },
     "rule": {
         "description": "Checks whether the active access keys are rotated within the number of days specified in maxAccessKeyAge. The rule is non-compliant if the access keys have not been rotated for more than maxAccessKeyAge number of days.",
+        "id": "config-rule-id1",
         "name": "access-keys-rotated",
-        "reference": "arn:aws:config:us-east-1:11223344556:config-rule/config-rule-id1",
-        "uuid": "config-rule-id1"
+        "reference": "arn:aws:config:us-east-1:11223344556:config-rule/config-rule-id1"
     },
     "tags": [
         "preserve_original_event",
@@ -224,14 +224,15 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur
 | aws.config.rule_info.source.source_details.maximum_execution_frequency | The frequency at which you want AWS Config to run evaluations for a custom rule with a periodic trigger. | keyword |
 | aws.config.rule_info.source.source_details.message_type | The type of notification that triggers AWS Config to run an evaluation for a rule. | keyword |
 | aws.config.rule_info.source.source_identifier | For AWS Config Managed rules, a predefined identifier from a list. | keyword |
+| cloud.provider |  | constant_keyword |
 | data_stream.dataset | Data stream dataset. | constant_keyword |
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
 | event.dataset | Event dataset. | constant_keyword |
 | event.module | Event module. | constant_keyword |
 | input.type | Type of Filebeat input. | keyword |
-| labels.is_transform_source | Distinguishes between documents that are a source for a transform and documents that are an output of a transform, to facilitate easier filtering. | constant_keyword |
 | log.offset | Log offset. | long |
+| observer.vendor |  | constant_keyword |
 | resource.id |  | keyword |
 | resource.type |  | keyword |
 | result.evaluation |  | keyword |
diff --git a/packages/aws/elasticsearch/transform/latest_config_misconfigurations/fields/ecs.yml b/packages/aws/elasticsearch/transform/latest_config_misconfigurations/fields/ecs.yml
@@ -0,0 +1,4 @@
+- name: cloud.provider
+  type: constant_keyword
+- name: observer.vendor
+  type: constant_keyword
diff --git a/packages/aws/elasticsearch/transform/latest_config_misconfigurations/fields/is-transform-source-false.yml b/packages/aws/elasticsearch/transform/latest_config_misconfigurations/fields/is-transform-source-false.yml
diff --git a/packages/aws/elasticsearch/transform/latest_config_misconfigurations/manifest.yml b/packages/aws/elasticsearch/transform/latest_config_misconfigurations/manifest.yml
diff --git a/packages/aws/elasticsearch/transform/latest_config_misconfigurations/transform.yml b/packages/aws/elasticsearch/transform/latest_config_misconfigurations/transform.yml
@@ -9,17 +9,15 @@ dest:
       move_on_creation: true
 latest:
   unique_key:
-    - rule.uuid
+    - rule.id
     - resource.id
     - data_stream.namespace
-    - data_stream.dataset
   sort: "@timestamp"
 description: >-
   Latest Configs from AWS. As configs get updated, this transform stores only the latest state of each config inside the destination index. Thus the transform's destination index contains only the latest state of the config.
 frequency: 5m
 settings:
   # This is required to prevent the transform from clobbering the Fleet-managed mappings.
-  deduce_mappings: false
   unattended: true
 sync:
   time:
@@ -29,7 +27,7 @@ sync:
 retention_policy:
   time:
     field: "@timestamp"
-    max_age: 2160h
+    max_age: 24h
 _meta:
   managed: true
   # Bump this version to delete, reinstall, and restart the transform during
