diff --git a/packages/wiz/changelog.yml b/packages/wiz/changelog.yml
index e2e3eb5625d..299782f1eea 100644
--- a/packages/wiz/changelog.yml
+++ b/packages/wiz/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.2.0"
+  changes:
+    - description: Add cloud_configuration_finding data stream
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/9528/
 - version: "1.1.1"
   changes:
     - description: Add cloudsecurity_cdr sub category label
diff --git a/packages/wiz/data_stream/cloud_configuration_finding/_dev/test/pipeline/test-common-config.yml b/packages/wiz/data_stream/cloud_configuration_finding/_dev/test/pipeline/test-common-config.yml
new file mode 100644
index 00000000000..be41bb0d476
--- /dev/null
+++ b/packages/wiz/data_stream/cloud_configuration_finding/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,4 @@
+fields:
+  tags:
+    - preserve_original_event
+    - preserve_duplicate_custom_fields
diff --git a/packages/wiz/data_stream/cloud_configuration_finding/_dev/test/pipeline/test-issue.log b/packages/wiz/data_stream/cloud_configuration_finding/_dev/test/pipeline/test-issue.log
new file mode 100644
index 00000000000..ddba5e4e9e6
--- /dev/null
+++ b/packages/wiz/data_stream/cloud_configuration_finding/_dev/test/pipeline/test-issue.log
@@ -0,0 +1 @@ +{"id":"bdeba988-f41b-55e6-9b99-96b8d3dc67d4","targetExternalId":"k8s/pod/da99fd668e64c2def251b1d48b7b69ad3129638787a0f9144a993fe30fd4554f/default/cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx","targetObjectProviderUniqueId":"cd971d74-92db-495c-8244-82da9a988fd0","firstSeenAt":"2023-06-12T11:38:07.900129Z","analyzedAt":"2023-06-12T11:38:07.900129Z","severity":"LOW","result":"FAIL","status":"OPEN","remediation":"Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \r\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . \r\n* `securityContext.capabilities.drop` key is set to `ALL`. \r\n","resource":{"id":"0e814bb7-29e8-5c15-be9c-8da42c67ee99","providerId":"cd971d74-92db-495c-8244-82da9a988fd0","name":"cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx","nativeType":"Pod","type":"POD","region":null,"subscription":{"id":"a3a3cc43-1dfd-50f1-882e-692840d4a891","name":"Wiz - DEV Outpost","externalId":"cfd132be-3bc7-4f86-8efd-ed53ae498fec","cloudProvider":"Azure"},"projects":null,"tags":[{"key":"pod-template-hash","value":"8bc677d64"},{"key":"app.kubernetes.io/name","value":"azure-cluster-autoscaler"},{"key":"app.kubernetes.io/instance","value":"cluster-autoscaler"}]},"rule":{"id":"73553de7-f2ad-4ffb-b425-c69815033530","graphId":"99ffeef7-75df-5c88-9265-5ab50ffbc2b9","name":"Pod should run containers with authorized additional capabilities (PSS Restricted)","description":"This rule is part of the Kubernetes [Pod Security Standards (PSS) restricted policies](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). \nThis rule checks whether the pod is running containers with authorized additional capabilities. 
\nThis rule fails if the `securityContext.capabilities.add` contains any capability beyond `NET_BIND_SERVICE` and if `securityContext.capabilities.drop` is not set to `ALL`. \nBy default, if the `securityContext.capabilities.add` key is not set, the pod will not run with additional capabilities, and the rule will pass. \nLinux capabilities allow granting certain privileges to a container without granting any unnecessary ones intended for the root user.","remediationInstructions":"Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \r\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . \r\n* `securityContext.capabilities.drop` key is set to `ALL`. \r\n","functionAsControl":false},"securitySubCategories":[{"id":"wsct-id-5206","title":"Container Security","category":{"id":"wct-id-423","name":"9 Container Security","framework":{"id":"wf-id-1","name":"Wiz"}}},{"id":"wsct-id-8176","title":"5.1 Containers should not run with additional capabilities","category":{"id":"wct-id-1295","name":"5 Capabilities","framework":{"id":"wf-id-57","name":"Kubernetes Pod Security Standards (Restricted)"}}},{"id":"wsct-id-8344","title":"Cluster misconfiguration","category":{"id":"wct-id-1169","name":"2 Container & Kubernetes Security","framework":{"id":"wf-id-53","name":"Wiz Detailed"}}}]} \ No newline at end of file diff --git a/packages/wiz/data_stream/cloud_configuration_finding/_dev/test/pipeline/test-issue.log-expected.json b/packages/wiz/data_stream/cloud_configuration_finding/_dev/test/pipeline/test-issue.log-expected.json new file mode 100644 index 00000000000..275bbf63941 --- /dev/null +++ b/packages/wiz/data_stream/cloud_configuration_finding/_dev/test/pipeline/test-issue.log-expected.json 
@@ -0,0 +1,41 @@ +{ + "expected": [ + { + "@timestamp": "2023-06-12T11:38:07.900Z", + "cloud": { + "provider": "Azure" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": ["configuration"], + "created": "2023-06-12T11:38:07.900Z", + "id": "bdeba988-f41b-55e6-9b99-96b8d3dc67d4", + "kind": "event", + "original": "{\"id\":\"bdeba988-f41b-55e6-9b99-96b8d3dc67d4\",\"targetExternalId\":\"k8s/pod/da99fd668e64c2def251b1d48b7b69ad3129638787a0f9144a993fe30fd4554f/default/cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx\",\"targetObjectProviderUniqueId\":\"cd971d74-92db-495c-8244-82da9a988fd0\",\"firstSeenAt\":\"2023-06-12T11:38:07.900129Z\",\"analyzedAt\":\"2023-06-12T11:38:07.900129Z\",\"severity\":\"LOW\",\"result\":\"FAIL\",\"status\":\"OPEN\",\"remediation\":\"Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \\r\\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . \\r\\n* `securityContext.capabilities.drop` key is set to `ALL`. 
\\r\\n\",\"resource\":{\"id\":\"0e814bb7-29e8-5c15-be9c-8da42c67ee99\",\"providerId\":\"cd971d74-92db-495c-8244-82da9a988fd0\",\"name\":\"cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx\",\"nativeType\":\"Pod\",\"type\":\"POD\",\"region\":null,\"subscription\":{\"id\":\"a3a3cc43-1dfd-50f1-882e-692840d4a891\",\"name\":\"Wiz - DEV Outpost\",\"externalId\":\"cfd132be-3bc7-4f86-8efd-ed53ae498fec\",\"cloudProvider\":\"Azure\"},\"projects\":null,\"tags\":[{\"key\":\"pod-template-hash\",\"value\":\"8bc677d64\"},{\"key\":\"app.kubernetes.io/name\",\"value\":\"azure-cluster-autoscaler\"},{\"key\":\"app.kubernetes.io/instance\",\"value\":\"cluster-autoscaler\"}]},\"rule\":{\"id\":\"73553de7-f2ad-4ffb-b425-c69815033530\",\"graphId\":\"99ffeef7-75df-5c88-9265-5ab50ffbc2b9\",\"name\":\"Pod should run containers with authorized additional capabilities (PSS Restricted)\",\"description\":\"This rule is part of the Kubernetes [Pod Security Standards (PSS) restricted policies](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). \\nThis rule checks whether the pod is running containers with authorized additional capabilities. \\nThis rule fails if the `securityContext.capabilities.add` contains any capability beyond `NET_BIND_SERVICE` and if `securityContext.capabilities.drop` is not set to `ALL`. \\nBy default, if the `securityContext.capabilities.add` key is not set, the pod will not run with additional capabilities, and the rule will pass. \\nLinux capabilities allow granting certain privileges to a container without granting any unnecessary ones intended for the root user.\",\"remediationInstructions\":\"Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \\r\\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . \\r\\n* `securityContext.capabilities.drop` key is set to `ALL`. 
\\r\\n\",\"functionAsControl\":false},\"securitySubCategories\":[{\"id\":\"wsct-id-5206\",\"title\":\"Container Security\",\"category\":{\"id\":\"wct-id-423\",\"name\":\"9 Container Security\",\"framework\":{\"id\":\"wf-id-1\",\"name\":\"Wiz\"}}},{\"id\":\"wsct-id-8176\",\"title\":\"5.1 Containers should not run with additional capabilities\",\"category\":{\"id\":\"wct-id-1295\",\"name\":\"5 Capabilities\",\"framework\":{\"id\":\"wf-id-57\",\"name\":\"Kubernetes Pod Security Standards (Restricted)\"}}},{\"id\":\"wsct-id-8344\",\"title\":\"Cluster misconfiguration\",\"category\":{\"id\":\"wct-id-1169\",\"name\":\"2 Container & Kubernetes Security\",\"framework\":{\"id\":\"wf-id-53\",\"name\":\"Wiz Detailed\"}}}]}", + "type": ["info"] + }, + "message": "This rule is part of the Kubernetes [Pod Security Standards (PSS) restricted policies](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). \nThis rule checks whether the pod is running containers with authorized additional capabilities. \nThis rule fails if the `securityContext.capabilities.add` contains any capability beyond `NET_BIND_SERVICE` and if `securityContext.capabilities.drop` is not set to `ALL`. \nBy default, if the `securityContext.capabilities.add` key is not set, the pod will not run with additional capabilities, and the rule will pass. 
\nLinux capabilities allow granting certain privileges to a container without granting any unnecessary ones intended for the root user.", + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "wiz": { + "cloud_configuration_finding": { + "analyzed_at": "2023-06-12T11:38:07.900Z", + "first_seen_at": "2023-06-12T11:38:07.900Z", + "id": "bdeba988-f41b-55e6-9b99-96b8d3dc67d4", + "resource": { + "subscription": { + "cloud_provider": "Azure" + } + }, + "rule": { + "description": "This rule is part of the Kubernetes [Pod Security Standards (PSS) restricted policies](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). \nThis rule checks whether the pod is running containers with authorized additional capabilities. \nThis rule fails if the `securityContext.capabilities.add` contains any capability beyond `NET_BIND_SERVICE` and if `securityContext.capabilities.drop` is not set to `ALL`. \nBy default, if the `securityContext.capabilities.add` key is not set, the pod will not run with additional capabilities, and the rule will pass. \nLinux capabilities allow granting certain privileges to a container without granting any unnecessary ones intended for the root user." + } + } + } + } + ] +} \ No newline at end of file diff --git a/packages/wiz/data_stream/cloud_configuration_finding/_dev/test/system/test-default-config.yml b/packages/wiz/data_stream/cloud_configuration_finding/_dev/test/system/test-default-config.yml new file mode 100644 index 00000000000..f863bd2cfd5 --- /dev/null +++ b/packages/wiz/data_stream/cloud_configuration_finding/_dev/test/system/test-default-config.yml 
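Review bot: The expected document has no `rule.id`, `rule.name`, `resource.id` or `resource.name`, and no `wiz.cloud_configuration_finding.rule.id`/`rule.name`/`resource.id`/`resource.name`, although the input event in `test-issue.log` carries all four values and the ingest pipeline in this PR has `rename_rule_id`/`set_rule_id`, `rename_rule_name`/`set_rule_name`, `rename_resource_id`/`set_resource_id` and `rename_resource_name`/`set_resource_name` processors that populate them. Either this file was generated against an earlier pipeline or those processors never run; as written, `elastic-package test pipeline` is likely to fail on this case. Regenerating the expected output with `elastic-package test pipeline --generate` and reading the resulting diff would settle it. Note also that `wiz.cloud_configuration_finding.resource.subscription.id` is declared in `fields/fields.yml` but no processor sets it, so it will still be absent after regeneration unless one is added.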
@@ -0,0 +1,15 @@
+input: cel
+service: wiz-cloud_configuration_finding
+vars:
+  url: http://{{Hostname}}:{{Port}}
+  client_id: xxxx
+  client_secret: xxxx
+  token_url: http://{{Hostname}}:{{Port}}/oauth/token
+data_stream:
+  vars:
+    interval: 10s
+    batch_size: 2
+    preserve_original_event: true
+    preserve_duplicate_custom_fields: true
+assert:
+  hit_count: 6
diff --git a/packages/wiz/data_stream/cloud_configuration_finding/agent/stream/cel.yml.hbs b/packages/wiz/data_stream/cloud_configuration_finding/agent/stream/cel.yml.hbs
new file mode 100644
index 00000000000..f31d54ea3bb
--- /dev/null
+++ b/packages/wiz/data_stream/cloud_configuration_finding/agent/stream/cel.yml.hbs
@@ -0,0 +1,195 @@ +config_version: 2 +interval: {{interval}} +{{#if enable_request_tracer}} +resource.tracer.filename: "../../logs/cel/http-request-trace-*.ndjson" +resource.tracer.maxbackups: 5 +{{/if}} +{{#if proxy_url}} +resource.proxy_url: {{proxy_url}} +{{/if}} +{{#if ssl}} +resource.ssl: {{ssl}} +{{/if}} +{{#if http_client_timeout}} +resource.timeout: {{http_client_timeout}} +{{/if}} +resource.url: {{url}} +auth.oauth2: + client.id: {{client_id}} + client.secret: {{client_secret}} + token_url: {{token_url}} + endpoint_params: + grant_type: client_credentials + audience: wiz-api +state: + initial_interval: {{initial_interval}} + want_more: false + batch_size: {{batch_size}} + query: >- + query CloudConfigurationFindingsPage($filterBy: ConfigurationFindingFilters $first: Int $after: String $orderBy: ConfigurationFindingOrder){ + configurationFindings(filterBy: $filterBy first: $first after: $after orderBy: $orderBy) { + nodes { + id + targetExternalId + targetObjectProviderUniqueId + analyzedAt + firstSeenAt + severity + result + status + remediation + resource { + id + providerId + name + nativeType + type + region + subscription { + id + name + externalId + cloudProvider + } + projects { + id + name + riskProfile { + businessImpact + } + } + tags { + key + value + } + } + rule { + id + graphId + name + description + remediationInstructions + functionAsControl + } + securitySubCategories { + id + title + category { + id + name + framework { + id + name + } + } + } + ignoreRules{ + id + name + enabled + expiredAt + } + } + pageInfo { + hasNextPage + endCursor + } + } + } +program: | + post_request( + state.url + "/graphql", + "application/json", + { + "query": state.query, + "variables": { + "first": state.batch_size, + "after": (has(state.end_cursor) && has(state.end_cursor.value) && state.end_cursor.value != null ? state.end_cursor.value : null), + "filterBy": { + "analyzedAt": { + "after": + ( + has(state.want_more) && !state.want_more + ? 
+ ( + has(state.cursor) && has(state.cursor.last_timestamp) && state.cursor.last_timestamp != null + ? + state.cursor.last_timestamp + : + (now() - duration(state.initial_interval)).format(time_layout.RFC3339) + ) + : + ( + has(state.cursor) && has(state.cursor.first_timestamp) && state.cursor.first_timestamp != null + ? + state.cursor.first_timestamp + : + null + ) + ) } + } + } + }.encode_json() + ).do_request().as(resp, bytes(resp.Body).decode_json().as(body, { + "events": body.data.configurationFindings.nodes.map(e, { + "message": e.encode_json(), + }), + "cursor": { + "last_timestamp": ( + has(body.data.configurationFindings.nodes) && body.data.configurationFindings.nodes.size() > 0 + ? + ( + has(state.cursor) && has(state.cursor.last_timestamp) && body.data.configurationFindings.nodes.map(e, e.analyzedAt).max() < state.cursor.last_timestamp + ? + state.cursor.last_timestamp + : + body.data.configurationFindings.nodes.map(e, e.analyzedAt).max() + ) + : + ( + has(state.cursor) && has(state.cursor.last_timestamp) + ? + state.cursor.last_timestamp + : + null + ) + ), + "first_timestamp": ( + has(state.cursor) && has(state.cursor.first_timestamp) && has(body.data) && state.cursor.first_timestamp != null + ? + ( body.data.configurationFindings.pageInfo.hasNextPage ? state.cursor.first_timestamp : state.cursor.last_timestamp ) + : + (now() - duration(state.initial_interval)).format(time_layout.RFC3339) + ), + }, + "end_cursor": { + "value": ( + has(body.data) && has(body.data.configurationFindings) && has(body.data.configurationFindings.pageInfo) && has(body.data.configurationFindings.pageInfo.hasNextPage) && body.data.configurationFindings.pageInfo.hasNextPage + ? 
+ body.data.configurationFindings.pageInfo.endCursor + : + null + ) + }, + "query": state.query, + "url": state.url, + "want_more": body.data.configurationFindings.pageInfo.hasNextPage, + "batch_size": state.batch_size, + })) +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#if preserve_duplicate_custom_fields}} + - preserve_duplicate_custom_fields +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/wiz/data_stream/cloud_configuration_finding/elasticsearch/ingest_pipeline/default.yml b/packages/wiz/data_stream/cloud_configuration_finding/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..7eafc432948 --- /dev/null +++ b/packages/wiz/data_stream/cloud_configuration_finding/elasticsearch/ingest_pipeline/default.yml 
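Review bot: The response handling in `program` reads `body.data.configurationFindings.nodes` for `events` and `body.data.configurationFindings.pageInfo.hasNextPage` for `want_more` without checking `resp.StatusCode` or `has(body.data)` first, while only `end_cursor` and `first_timestamp` carry such guards; a GraphQL error response (HTTP 200 with an `errors` array and `data` null) or any non-2xx body therefore aborts the CEL evaluation instead of producing an error event, and the input has nothing to index or log beyond the evaluation failure. The usual shape is to branch on `resp.StatusCode == 200 && !has(body.errors)` and in the other branch return a single event whose `error.message` is built from `resp.Status` and `string(resp.Body)` together with `"want_more": false`, so the failure is visible in the data stream and the cursor is left untouched. `resource.ssl` and `resource.proxy_url` are rendered from `ssl` and `proxy_url`, which this data stream's manifest does not declare; presumably they are package-level variables, but that cannot be confirmed from this diff.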
@@ -0,0 +1,205 @@ +--- +description: Pipeline for processing Cloud Configuration Finding logs +processors: + - set: + field: ecs.version + tag: set_ecs_version + value: '8.11.0' + - rename: + field: message + tag: rename_message + target_field: event.original + ignore_missing: true + if: ctx.event?.original == null + description: 'Renames the original `message` field to `event.original` to store a copy of the original message. The `event.original` field is not touched if the document already has one; it may happen when Logstash sends the document.' + - remove: + field: message + tag: remove_message + ignore_missing: true + if: ctx.event?.original != null + description: 'The `message` field is no longer required if the document has an `event.original` field.' + - json: + field: event.original + tag: json_decoding + target_field: json + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.resource.subscription.cloudProvider + tag: rename_cloudProvider + target_field: wiz.cloud_configuration_finding.resource.subscription.cloud_provider + ignore_missing: true + - set: + field: cloud.provider + tag: set_cloud_provider + copy_from: wiz.cloud_configuration_finding.resource.subscription.cloud_provider + ignore_empty_value: true + - rename: + field: json.resource.region + tag: rename_region + target_field: wiz.cloud_configuration_finding.resource.region + ignore_missing: true + - set: + field: cloud.region + tag: set_cloud_region + copy_from: wiz.cloud_configuration_finding.resource.region + ignore_empty_value: true + - append: + field: event.category + tag: append_event_category + value: configuration + - append: + field: event.type + tag: append_event_type + value: info + - date: + field: json.firstSeenAt + target_field: 
wiz.cloud_configuration_finding.first_seen_at + tag: date_set_firstseenat + formats: + - ISO8601 + if: ctx.json?.firstSeenAt != null && ctx.json.firstSeenAt != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.created + tag: set_event_created + copy_from: wiz.cloud_configuration_finding.first_seen_at + ignore_empty_value: true + - rename: + field: json.id + tag: rename_id + target_field: wiz.cloud_configuration_finding.id + ignore_missing: true + - set: + field: event.id + tag: set_event_id + copy_from: wiz.cloud_configuration_finding.id + ignore_empty_value: true + - set: + field: event.kind + value: event + tag: set_event_kind + - rename: + field: json.rule.description + tag: rename_rule_description + target_field: wiz.cloud_configuration_finding.rule.description + ignore_missing: true + - set: + field: message + tag: set_message + copy_from: wiz.cloud_configuration_finding.rule.description + ignore_empty_value: true + - date: + field: json.analyzedAt + tag: date_set_timestamp + formats: + - ISO8601 + if: ctx.json?.analyzedAt != null && ctx.json.analyzedAt != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: wiz.cloud_configuration_finding.analyzed_at + tag: date_set_analyzed_at + copy_from: '@timestamp' + ignore_empty_value: true + - rename: + field: json.rule.id + tag: rename_rule_id + target_field: wiz.cloud_configuration_finding.rule.id + ignore_missing: true + - set: + field: rule.id + tag: set_rule_id + copy_from: wiz.cloud_configuration_finding.rule.id + ignore_empty_value: true + - rename: + field: 
json.rule.name + tag: rename_rule_name + target_field: wiz.cloud_configuration_finding.rule.name + ignore_missing: true + - set: + field: rule.name + tag: set_rule_name + copy_from: wiz.cloud_configuration_finding.rule.name + ignore_empty_value: true + - rename: + field: json.resource.id + tag: rename_resource_id + target_field: wiz.cloud_configuration_finding.resource.id + ignore_missing: true + - set: + field: resource.id + tag: set_resource_id + copy_from: wiz.cloud_configuration_finding.resource.id + ignore_empty_value: true + - rename: + field: json.resource.name + tag: rename_resource_name + target_field: wiz.cloud_configuration_finding.resource.name + ignore_missing: true + - set: + field: resource.name + tag: set_resource_name + copy_from: wiz.cloud_configuration_finding.resource.name + ignore_empty_value: true + - remove: + field: json + tag: remove_json + ignore_missing: true + - remove: + field: + - wiz.cloud_configuration_finding.analyzed_at + - wiz.cloud_configuration_finding.resource.subscription.cloud_provider + - wiz.cloud_configuration_finding.resource.region + - wiz.cloud_configuration_finding.first_seen_at + - wiz.cloud_configuration_finding.id + - wiz.cloud_configuration_finding.rule.description + - wiz.cloud_configuration_finding.resource.name + - wiz.cloud_configuration_finding.rule.name + - wiz.cloud_configuration_finding.resource.id + - wiz.cloud_configuration_finding.rule.id + tag: remove_custom_duplicate_fields + ignore_missing: true + if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields')) + - remove: + field: event.original + tag: remove_event_original + ignore_missing: true + if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) + - script: + description: Drops null/empty values recursively. 
+ tag: script_to_drop_null_values + lang: painless + source: | + boolean drop(Object object) { + if (object == null || object == '') { + return true; + } else if (object instanceof Map) { + ((Map) object).values().removeIf(v -> drop(v)); + return (((Map) object).size() == 0); + } else if (object instanceof List) { + ((List) object).removeIf(v -> drop(v)); + return (((List) object).length == 0); + } + return false; + } + drop(ctx); + - set: + field: event.kind + tag: set_pipeline_error_to_event_kind + value: pipeline_error + if: ctx.error?.message != null +on_failure: + - set: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.kind + value: pipeline_error diff --git a/packages/wiz/data_stream/cloud_configuration_finding/fields/base-fields.yml b/packages/wiz/data_stream/cloud_configuration_finding/fields/base-fields.yml new file mode 100644 index 00000000000..f982924b690 --- /dev/null +++ b/packages/wiz/data_stream/cloud_configuration_finding/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module. + value: wiz +- name: event.dataset + type: constant_keyword + description: Event dataset. + value: wiz.cloud_configuration_finding +- name: '@timestamp' + type: date + description: Event timestamp. \ No newline at end of file diff --git a/packages/wiz/data_stream/cloud_configuration_finding/fields/beats.yml b/packages/wiz/data_stream/cloud_configuration_finding/fields/beats.yml new file mode 100644 index 00000000000..b3701b581cf --- /dev/null 
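Review bot: The pipeline never populates `result.evaluation`, `resource.type` or `resource.sub_type`, although `fields/result.yml` and `fields/resource.yml` in this PR declare them; `json.result` (the test event has `"result":"FAIL"`), `json.severity` and `json.status` are discarded by `remove_json`, so the indexed finding carries no pass/fail outcome, which is the one value a latest-findings view over `resource.id`/`rule.id` needs. A rename/set pair for `json.result` placed before `remove_json` (below), plus a matching `wiz.cloud_configuration_finding.result` entry in `fields/fields.yml` and in the `remove_custom_duplicate_fields` list, closes the first gap; `json.resource.type` and `json.resource.nativeType` look like the intended sources for `resource.type` and `resource.sub_type`, but that mapping cannot be confirmed from here. If the consumer of `logs-wiz.cloud_configuration_finding_latest-*` expects lower-case evaluation values, a `lowercase` processor on `result.evaluation` belongs right after the `set`.

```yaml
  - rename:
      field: json.result
      tag: rename_result
      target_field: wiz.cloud_configuration_finding.result
      ignore_missing: true
  - set:
      field: result.evaluation
      tag: set_result_evaluation
      copy_from: wiz.cloud_configuration_finding.result
      ignore_empty_value: true
  - remove:
      field: json
  # … unchanged: remove_json options, remove_custom_duplicate_fields and the rest of the pipeline …
```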
+++ b/packages/wiz/data_stream/cloud_configuration_finding/fields/beats.yml @@ -0,0 +1,9 @@ +- name: input.type + type: keyword + description: Type of filebeat input. +- name: log.offset + type: long + description: Log offset. +- name: tags + type: keyword + description: User defined tags. diff --git a/packages/wiz/data_stream/cloud_configuration_finding/fields/fields.yml b/packages/wiz/data_stream/cloud_configuration_finding/fields/fields.yml new file mode 100644 index 00000000000..083fdd4708b --- /dev/null +++ b/packages/wiz/data_stream/cloud_configuration_finding/fields/fields.yml @@ -0,0 +1,32 @@ +- name: wiz.cloud_configuration_finding + type: group + fields: + - name: first_seen_at + type: date + - name: analyzed_at + type: date + - name: resource + type: group + fields: + - name: id + type: keyword + - name: name + type: keyword + - name: region + type: keyword + - name: subscription + type: group + fields: + - name: cloud_provider + type: keyword + - name: id + type: keyword + - name: rule + type: group + fields: + - name: id + type: keyword + - name: name + type: keyword + - name: description + type: keyword diff --git a/packages/wiz/data_stream/cloud_configuration_finding/fields/resource.yml b/packages/wiz/data_stream/cloud_configuration_finding/fields/resource.yml new file mode 100644 index 00000000000..c093c299032 --- /dev/null +++ b/packages/wiz/data_stream/cloud_configuration_finding/fields/resource.yml @@ -0,0 +1,11 @@ +- name: resource + type: group + fields: + - name: id + type: keyword + - name: name + type: keyword + - name: type + type: keyword + - name: sub_type + type: keyword diff --git a/packages/wiz/data_stream/cloud_configuration_finding/fields/result.yml b/packages/wiz/data_stream/cloud_configuration_finding/fields/result.yml new file mode 100644 index 00000000000..75f840ce005 --- /dev/null +++ b/packages/wiz/data_stream/cloud_configuration_finding/fields/result.yml 
@@ -0,0 +1,5 @@
+- name: result
+  type: group
+  fields:
+    - name: evaluation
+      type: keyword
diff --git a/packages/wiz/data_stream/cloud_configuration_finding/fields/rule.yml b/packages/wiz/data_stream/cloud_configuration_finding/fields/rule.yml
new file mode 100644
index 00000000000..8495b359777
--- /dev/null
+++ b/packages/wiz/data_stream/cloud_configuration_finding/fields/rule.yml
@@ -0,0 +1,7 @@
+- name: rule
+  type: group
+  fields:
+    - name: id
+      type: keyword
+    - name: name
+      type: keyword
\ No newline at end of file
diff --git a/packages/wiz/data_stream/cloud_configuration_finding/manifest.yml b/packages/wiz/data_stream/cloud_configuration_finding/manifest.yml
new file mode 100644
index 00000000000..fe5cfc90029
--- /dev/null
+++ b/packages/wiz/data_stream/cloud_configuration_finding/manifest.yml
@@ -0,0 +1,80 @@ +title: Collet Cloud Configuration Finding logs from Wiz. +type: logs +streams: + - input: cel + title: Cloud Configuration Finding logs + description: Collect Cloud Configuration Finding logs from Wiz. + template_path: cel.yml.hbs + vars: + - name: initial_interval + type: text + title: Initial Interval + description: How far back to pull the Cloud Configuration Finding logs from Wiz. Supported units for this parameter are h/m/s. + multi: false + required: true + show_user: true + default: 24h + - name: interval + type: text + title: Interval + description: Duration between requests to the Wiz API. Supported units for this parameter are h/m/s. + default: 5m + multi: false + required: true + show_user: true + - name: batch_size + type: integer + title: Batch Size + description: Batch size for the response of the Wiz API. The maximum supported batch size value is 500. + default: 500 + multi: false + required: true + show_user: false + - name: http_client_timeout + type: text + title: HTTP Client Timeout + description: Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h. + multi: false + required: true + show_user: false + default: 30s + - name: enable_request_tracer + type: bool + title: Enable request tracing + multi: false + required: false + show_user: false + description: The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename) for details. 
+ - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - wiz-cloud_configuration_finding + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: preserve_duplicate_custom_fields + required: true + show_user: false + title: Preserve duplicate custom fields + description: Preserve wiz.cloud_configuration_finding fields that were copied to Elastic Common Schema (ECS) fields. + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/wiz/data_stream/cloud_configuration_finding/sample_event.json b/packages/wiz/data_stream/cloud_configuration_finding/sample_event.json new file mode 100644 index 00000000000..9e26dfeeb6e --- /dev/null +++ b/packages/wiz/data_stream/cloud_configuration_finding/sample_event.json @@ -0,0 +1 @@ +{} \ No newline at end of file diff --git a/packages/wiz/elasticsearch/transform/latest_csp_findings/fields/fields.yml b/packages/wiz/elasticsearch/transform/latest_csp_findings/fields/fields.yml new file mode 100644 index 00000000000..1770a0eb0bf --- /dev/null +++ b/packages/wiz/elasticsearch/transform/latest_csp_findings/fields/fields.yml @@ -0,0 +1,3 @@ +- name: "@timestamp" + type: date + description: Event timestamp. \ No newline at end of file 
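Review bot: `title` reads `Collet Cloud Configuration Finding logs from Wiz.`, a typo for `Collect`, and this string is what Fleet shows in the policy editor; `title: Collect Cloud Configuration Finding logs from Wiz.` matches the stream `description` a few lines below. The `enable_request_tracer` description links to the httpjson input's request-tracer documentation although this stream uses the `cel` input, so the option names a user lands on will not match `resource.tracer.filename` in `cel.yml.hbs`; pointing at the CEL input's documentation for the tracer avoids that. The `preserve_duplicate_custom_fields` description says the fields are "copied to Elastic Common Schema (ECS) fields", but `resource.id` and `resource.name` are targets declared in this package's `fields/resource.yml`, not ECS; "copied to ECS and top-level fields" would be accurate.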
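Review bot: `sample_event.json` is an empty object, so the README generated for this data stream will show `{}` as the example event and reviewers have no reference document for the field mapping. The file is normally produced by the system test (`elastic-package test system --generate`); if leaving it empty is deliberate for a follow-up, say so in the PR description, otherwise generate it before merging.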
diff --git a/packages/wiz/elasticsearch/transform/latest_csp_findings/manifest.yml b/packages/wiz/elasticsearch/transform/latest_csp_findings/manifest.yml
new file mode 100644
index 00000000000..3900fac022b
--- /dev/null
+++ b/packages/wiz/elasticsearch/transform/latest_csp_findings/manifest.yml
@@ -0,0 +1,8 @@
+destination_index_template:
+  settings:
+    index:
+      sort:
+        field:
+          - "@timestamp"
+        order:
+          - desc
\ No newline at end of file
diff --git a/packages/wiz/elasticsearch/transform/latest_csp_findings/transform.yml b/packages/wiz/elasticsearch/transform/latest_csp_findings/transform.yml
new file mode 100644
index 00000000000..c15b25ea0df
--- /dev/null
+++ b/packages/wiz/elasticsearch/transform/latest_csp_findings/transform.yml
@@ -0,0 +1,25 @@
+source:
+  index:
+    - "logs-wiz.cloud_configuration_finding-*"
+dest:
+  index: "logs-wiz.cloud_configuration_finding_latest-default"
+latest:
+  unique_key:
+    - resource.id
+    - rule.id
+  sort: "@timestamp"
+description: Latest Cloud Configuration Findings from Wiz
+frequency: 5m
+sync:
+  time:
+    field: event.ingested
+retention_policy:
+  time:
+    field: "@timestamp"
+    max_age: 3d
+# _meta:
+  # managed: true,
+  # managed_by: 'cloud_security_posture',
+  # Bump this version to delete, reinstall, and restart the transform during package.
+  # Version bump is needed if there is any code change in transform.
+  # fleet_transform_version: 0.1.0
\ No newline at end of file
diff --git a/packages/wiz/manifest.yml b/packages/wiz/manifest.yml
index b57f47aef86..c8374bb7fe4 100644
--- a/packages/wiz/manifest.yml
+++ b/packages/wiz/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.0.2
 name: wiz
 title: Wiz
-version: "1.1.1"
+version: "1.2.0"
 description: Collect logs from Wiz with Elastic Agent.
 type: integration
 categories:
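Review bot: The `_meta` block in `transform.yml` is commented out, so the transform is installed without `fleet_transform_version`, the value the file's own comment says Fleet needs to delete, reinstall and restart the transform on a package upgrade; if that is deliberate for a first version a sentence in the PR description would help, otherwise enable it. When it is enabled, the trailing commas on `managed: true,` and `managed_by: 'cloud_security_posture',` have to go: in YAML the first becomes the string `true,` and the second is most likely a parse error. `dest.index` is pinned to the `default` namespace while `source.index` matches every namespace, so findings from other namespaces are folded into one destination; that may be the intended single latest view, but it is worth stating in `description`. `sync.time.field: event.ingested` relies on a field this package's ingest pipeline never sets, which holds for Fleet-managed data streams (the final pipeline adds it) but not for documents indexed some other way.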