From 131e72bf0d3fe271261cc00f71fa7ddac4c9082a Mon Sep 17 00:00:00 2001 From: Paulo Henrique Date: Wed, 9 Aug 2023 15:53:41 -0700 Subject: [PATCH 01/14] add csp vulnerability finding to common schema --- .../schemas/csp_vulnerability_finding.ts | 114 ++++++++++++++++++ .../common/schemas/index.ts | 1 + 2 files changed, 115 insertions(+) create mode 100644 x-pack/plugins/cloud_security_posture/common/schemas/csp_vulnerability_finding.ts diff --git a/x-pack/plugins/cloud_security_posture/common/schemas/csp_vulnerability_finding.ts b/x-pack/plugins/cloud_security_posture/common/schemas/csp_vulnerability_finding.ts new file mode 100644 index 0000000000000..122e95f3b7c33 --- /dev/null +++ b/x-pack/plugins/cloud_security_posture/common/schemas/csp_vulnerability_finding.ts 
@@ -0,0 +1,114 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +// TODO: this needs to be defined in a versioned schema +import type { EcsEvent } from '@kbn/ecs'; +import { VulnSeverity } from '../types'; + +export interface CspVulnerabilityFinding { + '@timestamp': string; + resource?: { + id: string; + name: string; + }; + event: EcsEvent; + vulnerability: Vulnerability; + ecs: { + version: string; + }; + host: { + os: { + name: string; + kernel: string; + codename: string; + type: string; + platform: string; + version: string; + family: string; + }; + id: string; + name: string; + containerized: boolean; + ip: string[]; + mac: string[]; + hostname: string; + architecture: string; + }; + agent: { + ephemeral_id: string; + id: string; + name: string; + type: string; + version: string; + }; + cloud: { + image?: { + id: string; + }; + provider?: string; + instance?: { + id: string; + }; + machine?: { + type: string; + }; + region: string; + availability_zone?: string; + service?: { + name: string; + }; + account?: { + id: string; + }; + }; + cloudbeat: { + version: string; + commit_sha: string; + commit_time: string; + }; +} + +export interface Vulnerability { + published_date: string; + score: { + version: string; + base: number; + }; + cwe: string[]; + id: string; + title: string; + reference: string; + severity: VulnSeverity; + cvss: { + nvd: VectorScoreBase; + redhat?: VectorScoreBase; + ghsa?: VectorScoreBase; + }; + data_source: { + ID: string; + Name: string; + URL: string; + }; + enumeration: string; + description: string; + classification: string; + scanner: { + vendor: string; + }; + package: { + version: string; + name: string; + fixed_version?: string; + }; +} + +export interface VectorScoreBase { + V3Score?: number; + V3Vector?: string; + 
V2Score?: number; + V2Vector?: string; +} diff --git a/x-pack/plugins/cloud_security_posture/common/schemas/index.ts b/x-pack/plugins/cloud_security_posture/common/schemas/index.ts index 9b6034b4489f5..c7730abc06dba 100644 --- a/x-pack/plugins/cloud_security_posture/common/schemas/index.ts +++ b/x-pack/plugins/cloud_security_posture/common/schemas/index.ts @@ -7,3 +7,4 @@ export * from './csp_rule_template_metadata'; export * from './csp_rule_template'; +export * from './csp_vulnerability_finding'; From 641f3ebab266eca0637281f2a775cddb41ec1581 Mon Sep 17 00:00:00 2001 From: Paulo Henrique Date: Wed, 9 Aug 2023 15:53:59 -0700 Subject: [PATCH 02/14] add max signals to rule types --- .../public/common/api/create_detection_rule.ts | 1 + 1 file changed, 1 insertion(+) diff --git a/x-pack/plugins/cloud_security_posture/public/common/api/create_detection_rule.ts b/x-pack/plugins/cloud_security_posture/public/common/api/create_detection_rule.ts index ef0aa3321f35e..8a584be1bdbac 100644 --- a/x-pack/plugins/cloud_security_posture/public/common/api/create_detection_rule.ts +++ b/x-pack/plugins/cloud_security_posture/public/common/api/create_detection_rule.ts @@ -38,6 +38,7 @@ interface RuleCreateProps { name: string; description: string; tags: string[]; + max_signals: number; } export interface RuleResponse extends RuleCreateProps { From 9fe73640f6786fd215e8d30000609429086afbc1 Mon Sep 17 00:00:00 2001 From: Paulo Henrique Date: Wed, 9 Aug 2023 15:54:20 -0700 Subject: [PATCH 03/14] common function to get vulnerability reference url --- .../utils/get_vulnerability_reference_url.ts | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 x-pack/plugins/cloud_security_posture/public/common/utils/get_vulnerability_reference_url.ts 
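Review bot: The schema declares `vulnerability.cvss.nvd` and `vulnerability.reference` as required, yet the code elsewhere in this series tests `finding.vulnerability?.cvss?.nvd` for truthiness and falls back to `reference`, so either the type overstates what indexed documents guarantee or those guards are dead. Since documents are cast straight from `hit._source!` with no runtime validation (and the `// TODO` above acknowledges the schema is unversioned), the fields the feed can omit should be marked optional — `nvd?: VectorScoreBase;` and, if the data source does not always provide one, `reference?: string;` — so consumers are forced to handle the absent case instead of trusting a non-null type. A short interface comment noting that the shape mirrors whatever cloudbeat indexes and is not enforced at runtime would also help the next reader.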
diff --git a/x-pack/plugins/cloud_security_posture/public/common/utils/get_vulnerability_reference_url.ts b/x-pack/plugins/cloud_security_posture/public/common/utils/get_vulnerability_reference_url.ts
new file mode 100644
index 0000000000000..d77093ba7cebf
--- /dev/null
+++ b/x-pack/plugins/cloud_security_posture/public/common/utils/get_vulnerability_reference_url.ts
@@ -0,0 +1,19 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { CspVulnerabilityFinding } from '../../../common/schemas';
+
+export const getVulnerabilityReferenceUrl = (finding: CspVulnerabilityFinding): string => {
+ const nvdDomain = 'https://nvd';
+ const nvdWebsite = `${nvdDomain}.nist.gov/vuln/detail/${finding?.vulnerability?.id}`;
+
+ const vulnerabilityReference = finding.vulnerability?.cvss?.nvd
+ ? nvdWebsite
+ : finding.vulnerability?.reference;
+
+ return vulnerabilityReference;
+};
From 4efc103e1228b99d7f1a9cd209deb7f5deec0eef Mon Sep 17 00:00:00 2001 From: Paulo Henrique Date: Wed, 9 Aug 2023 15:54:45 -0700 Subject: [PATCH 04/14] update findings rule tags --- .../utils/create_detection_rule_from_finding.ts | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/x-pack/plugins/cloud_security_posture/public/pages/configurations/utils/create_detection_rule_from_finding.ts b/x-pack/plugins/cloud_security_posture/public/pages/configurations/utils/create_detection_rule_from_finding.ts
index 179ac6e27713c..802eb46a51620 100644
--- a/x-pack/plugins/cloud_security_posture/public/pages/configurations/utils/create_detection_rule_from_finding.ts
+++ b/x-pack/plugins/cloud_security_posture/public/pages/configurations/utils/create_detection_rule_from_finding.ts
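Review bot: `finding?.vulnerability?.id` is interpolated into the NVD URL without encoding, and the fallback `finding.vulnerability?.reference` is a string taken verbatim from the indexed document; both end up as the detection rule's `references` entry and, presumably, as the flyout link. Wrap the id in `encodeURIComponent(...)` and, if the reference is rendered as a link, reject non-http(s) values with a check such as `/^https?:\/\//i.test(reference)` before returning them. The `finding?.` on the second line also implies `finding` may be undefined, but the next statement dereferences `finding.vulnerability` unguarded — drop the optional chain or guard consistently. Finally, the `string` return type is only honest if `reference` is really always populated; if the feed can omit it, return `string | undefined` and let callers decide.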
@@ -7,7 +7,10 @@ import { HttpSetup } from '@kbn/core/public'; import type { CspFinding } from '../../../../common/schemas/csp_finding'; -import { LATEST_FINDINGS_INDEX_DEFAULT_NS } from '../../../../common/constants'; +import { + FINDINGS_INDEX_PATTERN, + LATEST_FINDINGS_RETENTION_POLICY, +} from '../../../../common/constants'; import { createDetectionRule } from '../../../common/api/create_detection_rule'; const DEFAULT_RULE_RISK_SCORE = 0; @@ -15,6 +18,7 @@ const DEFAULT_RULE_SEVERITY = 'low'; const DEFAULT_RULE_ENABLED = true; const DEFAULT_RULE_AUTHOR = 'Elastic'; const DEFAULT_RULE_LICENSE = 'Elastic License v2'; +const DEFAULT_MAX_ALERTS_PER_RULE = 100; const ALERT_SUPPRESSION_FIELD = 'resource.id'; const ALERT_TIMESTAMP_FIELD = 'event.ingested'; @@ -40,7 +44,9 @@ const convertReferencesLinksToArray = (input: string | undefined) => { return matches.map((link) => link.replace(/^\d+\. /, '').replace(/\n/g, '')); }; -const STATIC_RULE_TAGS = ['Elastic', 'Cloud Security']; +const CSP_RULE_TAG = 'Cloud Security'; + +const STATIC_RULE_TAGS = [CSP_RULE_TAG]; const generateMisconfigurationsTags = (finding: CspFinding) => { return [STATIC_RULE_TAGS] @@ -78,8 +84,9 @@ export const createDetectionRuleFromFinding = async (http: HttpSetup, finding: C severity_mapping: [], threat: [], interval: '1h', - from: 'now-7200s', + from: `now-${LATEST_FINDINGS_RETENTION_POLICY}`, to: 'now', + max_signals: DEFAULT_MAX_ALERTS_PER_RULE, timestamp_override: ALERT_TIMESTAMP_FIELD, timestamp_override_fallback_disabled: false, actions: [], @@ -88,7 +95,7 @@ export const createDetectionRuleFromFinding = async (http: HttpSetup, finding: C group_by: [ALERT_SUPPRESSION_FIELD], missing_fields_strategy: AlertSuppressionMissingFieldsStrategy.Suppress, }, - index: [LATEST_FINDINGS_INDEX_DEFAULT_NS], + index: [FINDINGS_INDEX_PATTERN], query: generateMisconfigurationsRuleQuery(finding), references: convertReferencesLinksToArray(finding.rule.references), name: finding.rule.name, 
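Review bot: `from` now spans the whole `LATEST_FINDINGS_RETENTION_POLICY` window while `interval` stays at `'1h'`, and the index switches from the latest-findings alias to `FINDINGS_INDEX_PATTERN`, so each hourly run re-scans every findings index for the full retention period instead of only the newest snapshot. Suppression on `resource.id` keeps duplicates down, but `max_signals: DEFAULT_MAX_ALERTS_PER_RULE` (100) means a run matching more than 100 distinct resources is truncated, and whether that cap is applied before or after suppression is not visible here; a comment beside the constant would settle it for the next reader: `// Caps alerts per rule execution; with resource.id suppression, confirm the cap applies post-suppression`. The same constant and the `AlertSuppressionMissingFieldsStrategy` enum are duplicated verbatim in create_detection_rule_from_vulnerability.ts; hoisting them into common/constants would keep the two rule builders in step. The enclosing `createDetectionRuleFromFinding` starts and ends outside the hunk.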
From a62ba3dd09ce4ab202a0c320e08ad73f9d01cb92 Mon Sep 17 00:00:00 2001 From: Paulo Henrique Date: Wed, 9 Aug 2023 15:55:25 -0700 Subject: [PATCH 05/14] add detection rule from vulnerability --- .../public/pages/vulnerabilities/types.ts | 116 +----------------- ...reate_detection_rule_from_vulnerability.ts | 108 ++++++++++++++++ .../pages/vulnerabilities/vulnerabilities.tsx | 8 +- .../vulnerability_finding_flyout.tsx | 24 ++-- 4 files changed, 130 insertions(+), 126 deletions(-) create mode 100644 x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/utils/create_detection_rule_from_vulnerability.ts diff --git a/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/types.ts b/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/types.ts index 8344de3e72665..14e9fbae28d41 100644 --- a/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/types.ts +++ b/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/types.ts 
@@ -5,119 +5,7 @@ * 2.0. */ -import { VulnSeverity } from '../../../common/types'; - -export interface VulnerabilityRecord { - '@timestamp': string; - resource?: { - id: string; - name: string; - }; - event: { - type: string[]; - category: string[]; - created: string; - id: string; - kind: string; - sequence: number; - outcome: string; - }; - vulnerability: Vulnerability; - ecs: { - version: string; - }; - host: { - os: { - name: string; - kernel: string; - codename: string; - type: string; - platform: string; - version: string; - family: string; - }; - id: string; - name: string; - containerized: boolean; - ip: string[]; - mac: string[]; - hostname: string; - architecture: string; - }; - agent: { - ephemeral_id: string; - id: string; - name: string; - type: string; - version: string; - }; - cloud: { - image?: { - id: string; - }; - provider?: string; - instance?: { - id: string; - }; - machine?: { - type: string; - }; - region: string; - availability_zone?: string; - service?: { - name: string; - }; - account?: { - id: string; - }; - }; - cloudbeat: { - version: string; - commit_sha: string; - commit_time: string; - }; -} - -export interface Vulnerability { - published_date: string; - score: { - version: string; - base: number; - }; - cwe: string[]; - id: string; - title: string; - reference: string; - severity: VulnSeverity; - cvss: { - nvd: VectorScoreBase; - redhat?: VectorScoreBase; - ghsa?: VectorScoreBase; - }; - data_source: { - ID: string; - Name: string; - URL: string; - }; - enumeration: string; - description: string; - classification: string; - scanner: { - vendor: string; - }; - package: { - version: string; - name: string; - fixed_version?: string; - }; -} - -export interface VectorScoreBase { - V3Score?: number; - V3Vector?: string; - V2Score?: number; - V2Vector?: string; -} +import { VectorScoreBase, CspVulnerabilityFinding } from '../../../common/schemas'; export type Vendor = 'NVD' | 'Red Hat' | 'GHSA'; 
@@ -133,7 +21,7 @@ export interface Vector { } export interface VulnerabilitiesQueryData { - page: VulnerabilityRecord[]; + page: CspVulnerabilityFinding[]; total: number; } diff --git a/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/utils/create_detection_rule_from_vulnerability.ts b/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/utils/create_detection_rule_from_vulnerability.ts new file mode 100644 index 0000000000000..7461a8c9368ee --- /dev/null +++ b/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/utils/create_detection_rule_from_vulnerability.ts 
@@ -0,0 +1,108 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { HttpSetup } from '@kbn/core/public'; +import { i18n } from '@kbn/i18n'; +import { getVulnerabilityReferenceUrl } from '../../../common/utils/get_vulnerability_reference_url'; +import type { CspVulnerabilityFinding } from '../../../../common/schemas'; +import { + LATEST_VULNERABILITIES_RETENTION_POLICY, + VULNERABILITIES_INDEX_PATTERN, +} from '../../../../common/constants'; +import { createDetectionRule } from '../../../common/api/create_detection_rule'; + +const DEFAULT_RULE_RISK_SCORE = 0; +const DEFAULT_RULE_SEVERITY = 'low'; +const DEFAULT_RULE_ENABLED = true; +const DEFAULT_RULE_AUTHOR = 'Elastic'; +const DEFAULT_RULE_LICENSE = 'Elastic License v2'; +const DEFAULT_MAX_ALERTS_PER_RULE = 100; +const ALERT_SUPPRESSION_FIELD = 'resource.id'; +const ALERT_TIMESTAMP_FIELD = 'event.ingested'; + +enum AlertSuppressionMissingFieldsStrategy { + // per each document a separate alert will be created + DoNotSuppress = 'doNotSuppress', + // only one alert will be created per suppress by bucket + Suppress = 'suppress', +} + +const CSP_RULE_TAG = 'Cloud Security'; +const CNVM_RULE_TAG = 'CNVM'; +const CNVM_RULE_TAG_DATA_SOURCE = 'Data Source: Cloud Native Vulnerability Management'; +const CNVM_RULE_TAG_USE_CASE = 'Use Case: Vulnerability'; +const CNVM_RULE_TAG_OS = 'OS: Linux'; + +const STATIC_RULE_TAGS = [ + CSP_RULE_TAG, + CNVM_RULE_TAG, + CNVM_RULE_TAG_DATA_SOURCE, + CNVM_RULE_TAG_USE_CASE, + CNVM_RULE_TAG_OS, +]; + +const generateVulnerabilitiesTags = (finding: CspVulnerabilityFinding) => { + return [...STATIC_RULE_TAGS, finding.vulnerability.id]; +}; + +const getVulnerabilityRuleName = (finding: CspVulnerabilityFinding) => { + return 
i18n.translate('xpack.cloudSecurityPosture.vulnerabilities.detectionRuleNamePrefix', { + defaultMessage: 'Vulnerability: {vulnerabilityId}', + values: { + vulnerabilityId: finding.vulnerability.id, + }, + }); +}; + +const generateVulnerabilitiesRuleQuery = (finding: CspVulnerabilityFinding) => { + return ` + vulnerability.id: "${finding.vulnerability.id}" + `; +}; + +/* + * Creates a detection rule from a CspVulnerabilityFinding + */ +export const createDetectionRuleFromVulnerabilityFinding = async ( + http: HttpSetup, + finding: CspVulnerabilityFinding +) => { + return await createDetectionRule({ + http, + rule: { + type: 'query', + language: 'kuery', + license: DEFAULT_RULE_LICENSE, + author: [DEFAULT_RULE_AUTHOR], + filters: [], + false_positives: [], + risk_score: DEFAULT_RULE_RISK_SCORE, + risk_score_mapping: [], + severity: DEFAULT_RULE_SEVERITY, + severity_mapping: [], + threat: [], + interval: '1h', + from: `now-${LATEST_VULNERABILITIES_RETENTION_POLICY}`, + to: 'now', + max_signals: DEFAULT_MAX_ALERTS_PER_RULE, + timestamp_override: ALERT_TIMESTAMP_FIELD, + timestamp_override_fallback_disabled: false, + actions: [], + enabled: DEFAULT_RULE_ENABLED, + alert_suppression: { + group_by: [ALERT_SUPPRESSION_FIELD], + missing_fields_strategy: AlertSuppressionMissingFieldsStrategy.Suppress, + }, + index: [VULNERABILITIES_INDEX_PATTERN], + query: generateVulnerabilitiesRuleQuery(finding), + references: [getVulnerabilityReferenceUrl(finding)], + name: getVulnerabilityRuleName(finding), + description: finding.vulnerability.description, + tags: generateVulnerabilitiesTags(finding), + }, + }); +}; diff --git a/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/vulnerabilities.tsx b/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/vulnerabilities.tsx index 0928af2f0b5b1..070fd9ea16242 100644 --- a/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/vulnerabilities.tsx 
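Review bot: `generateVulnerabilitiesRuleQuery` interpolates `finding.vulnerability.id` straight into a double-quoted KQL literal, so an id containing `"` or `\` (the value comes from the indexed document, not from user typing) yields a malformed or differently scoped query in a rule that then runs on a schedule with the rule owner's privileges. Escape the value before interpolation — `const escapeKqlValue = (v: string) => v.replace(/[\\"]/g, '\\$&');` and `vulnerability.id: "${escapeKqlValue(finding.vulnerability.id)}"` — and trim the leading and trailing newlines the template literal currently adds. The same raw id is pushed into `tags` and `finding.vulnerability.description` into `description` with no length or content checks; that is likely fine for CVE-style ids, but a one-line comment stating that assumption would make the trust boundary explicit.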
+++ b/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/vulnerabilities.tsx @@ -22,7 +22,7 @@ import { Routes, Route } from '@kbn/shared-ux-router'; import { LOCAL_STORAGE_PAGE_SIZE_FINDINGS_KEY } from '../../common/constants'; import { useCloudPostureTable } from '../../common/hooks/use_cloud_posture_table'; import { useLatestVulnerabilities } from './hooks/use_latest_vulnerabilities'; -import type { VulnerabilityRecord, VulnerabilitiesQueryData } from './types'; +import type { VulnerabilitiesQueryData } from './types'; import { LATEST_VULNERABILITIES_INDEX_PATTERN } from '../../../common/constants'; import { ErrorCallout } from '../configurations/layout/error_callout'; import { FindingsSearchBar } from '../configurations/layout/findings_search_bar'; @@ -160,9 +160,9 @@ const VulnerabilitiesDataGrid = ({ }); const onOpenFlyout = useCallback( - (vulnerabilityRow: VulnerabilityRecord) => { + (vulnerabilityRow: VulnerabilitiesQueryData['page'][number]) => { const vulnerabilityIndex = data?.page.findIndex( - (vulnerabilityRecord: VulnerabilityRecord) => + (vulnerabilityRecord: VulnerabilitiesQueryData['page'][number]) => vulnerabilityRecord.vulnerability?.id === vulnerabilityRow.vulnerability?.id && vulnerabilityRecord.resource?.id === vulnerabilityRow.resource?.id && vulnerabilityRecord.vulnerability.package.name === @@ -204,7 +204,7 @@ const VulnerabilitiesDataGrid = ({ }): React.ReactElement | null => { const rowIndexFromPage = rowIndex > pageSize - 1 ? rowIndex % pageSize : rowIndex; - const vulnerabilityRow = data?.page[rowIndexFromPage] as VulnerabilityRecord; + const vulnerabilityRow = data?.page[rowIndexFromPage]; useEffect(() => { if (selectedVulnerabilityIndex === rowIndex) { 
diff --git a/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/vulnerabilities_finding_flyout/vulnerability_finding_flyout.tsx b/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/vulnerabilities_finding_flyout/vulnerability_finding_flyout.tsx index efe451ba97e54..a71db48bb2eb7 100644 --- a/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/vulnerabilities_finding_flyout/vulnerability_finding_flyout.tsx +++ b/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/vulnerabilities_finding_flyout/vulnerability_finding_flyout.tsx 
@@ -25,24 +25,28 @@ import { i18n } from '@kbn/i18n'; import { FormattedMessage } from '@kbn/i18n-react'; import { euiThemeVars } from '@kbn/ui-theme'; import { css } from '@emotion/react'; +import { HttpSetup } from '@kbn/core-http-browser'; +import { TakeAction } from '../../../components/take_action'; +import { getVulnerabilityReferenceUrl } from '../../../common/utils/get_vulnerability_reference_url'; import { truthy } from '../../../../common/utils/helpers'; import { CspInlineDescriptionList } from '../../../components/csp_inline_description_list'; import { VulnerabilityOverviewTab } from './vulnerability_overview_tab'; import { VulnerabilityJsonTab } from './vulnerability_json_tab'; import { SeverityStatusBadge } from '../../../components/vulnerability_badges'; -import { VulnerabilityRecord } from '../types'; +import type { CspVulnerabilityFinding } from '../../../../common/schemas'; import { FINDINGS_VULNERABILITY_FLYOUT_DESCRIPTION_LIST, TAB_ID_VULNERABILITY_FLYOUT, } from '../test_subjects'; import { VulnerabilityTableTab } from './vulnerability_table_tab'; +import { createDetectionRuleFromVulnerabilityFinding } from '../utils/create_detection_rule_from_vulnerability'; const overviewTabId = 'vuln-flyout-overview-tab'; const tableTabId = 'vuln-flyout-table-tab'; const jsonTabId = 'vuln-flyout-json-tab'; const getFlyoutDescriptionList = ( - vulnerabilityRecord: VulnerabilityRecord + vulnerabilityRecord: CspVulnerabilityFinding ): EuiDescriptionListProps['listItems'] => [ vulnerabilityRecord.resource?.name && { @@ -80,7 +84,7 @@ export const VulnerabilityFindingFlyout = ({ onPaginate: (pageIndex: number) => void; totalVulnerabilitiesCount: number; flyoutIndex?: number; - vulnerabilityRecord: VulnerabilityRecord; + vulnerabilityRecord: CspVulnerabilityFinding; isLoading: boolean; }) => { const [selectedTabId, setSelectedTabId] = useState(overviewTabId); 
@@ -140,16 +144,17 @@ export const VulnerabilityFindingFlyout = ({ () => tabs.find((obj) => obj.id === selectedTabId)?.content, [selectedTabId, tabs] ); - const nvdDomain = 'https://nvd'; - const nvdWebsite = `${nvdDomain}.nist.gov/vuln/detail/${vulnerabilityRecord?.vulnerability?.id}`; - - const vulnerabilityReference = vulnerability?.cvss?.nvd ? nvdWebsite : vulnerability?.reference; const LOADING_ARIA_LABEL = i18n.translate( 'xpack.csp.vulnerabilities.vulnerabilityFindingFlyout.loadingAriaLabel', { defaultMessage: 'Loading' } ); + const vulnerabilityReference = getVulnerabilityReferenceUrl(vulnerabilityRecord); + + const createVulnerabilityRuleFn = async (http: HttpSetup) => + await createDetectionRuleFromVulnerabilityFinding(http, vulnerabilityRecord); + return ( @@ -220,7 +225,7 @@ export const VulnerabilityFindingFlyout = ({ - + + + + From 485175f3346b6f0cdc80df7097bb828b3ab96d88 Mon Sep 17 00:00:00 2001 From: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Date: Wed, 9 Aug 2023 23:08:52 +0000 Subject: [PATCH 06/14] [CI] Auto-commit changed files from 'node scripts/lint_ts_projects --fix' --- x-pack/plugins/cloud_security_posture/tsconfig.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/x-pack/plugins/cloud_security_posture/tsconfig.json b/x-pack/plugins/cloud_security_posture/tsconfig.json index a88bbf2bd0995..07c86f24ea18a 100755 --- a/x-pack/plugins/cloud_security_posture/tsconfig.json +++ b/x-pack/plugins/cloud_security_posture/tsconfig.json @@ -48,7 +48,8 @@ "@kbn/shared-ux-router", "@kbn/core-saved-objects-server", "@kbn/share-plugin", - "@kbn/core-http-server" + "@kbn/core-http-server", + "@kbn/core-http-browser" ], "exclude": [ "target/**/*", From 4a93ec8ba83080085fad5dbeb387306f7e98a9da Mon Sep 17 00:00:00 2001 
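Review bot: `HttpSetup` is imported here from `@kbn/core-http-browser`, while `create_detection_rule_from_vulnerability.ts` in the same series takes it from `@kbn/core/public`; the follow-up CI commit had to add the new package to tsconfig solely for this import, so `import type { HttpSetup } from '@kbn/core/public';` would keep the plugin's imports consistent and avoid the extra dependency. `createVulnerabilityRuleFn` is also a fresh closure on every render; if `TakeAction` memoizes on it, wrapping it in `useCallback` keyed on `vulnerabilityRecord` avoids needless re-renders — this cannot be confirmed here because the JSX lines of this hunk are absent from the listing. The component body continues outside the hunk.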
From: Paulo Henrique Date: Wed, 9 Aug 2023 22:59:12 -0700 Subject: [PATCH 07/14] fix CI errors --- .../pages/vulnerabilities/_mocks_/vulnerability.mock.ts | 4 ++-- .../vulnerabilities/hooks/use_latest_vulnerabilities.tsx | 4 ++-- .../utils/create_detection_rule_from_vulnerability.ts | 2 +- .../pages/vulnerabilities/utils/get_vector_score_list.ts | 3 ++- .../utils/get_vulnerabilities_grid_cell_actions.tsx | 6 ++++-- .../resource_vulnerabilities/resource_vulnerabilities.tsx | 8 ++++---- .../vulnerability_json_tab.tsx | 4 ++-- .../vulnerability_overview_tab.tsx | 3 ++- .../vulnerability_table_tab.tsx | 6 +++--- 9 files changed, 22 insertions(+), 18 deletions(-) diff --git a/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/_mocks_/vulnerability.mock.ts b/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/_mocks_/vulnerability.mock.ts index 7a80bd66488cf..7f8e22eafb1b6 100644 --- a/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/_mocks_/vulnerability.mock.ts +++ b/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/_mocks_/vulnerability.mock.ts @@ -5,9 +5,9 @@ * 2.0. */ -import { VulnerabilityRecord } from '../types'; +import { CspVulnerabilityFinding } from '../../../../common/schemas'; -export const mockVulnerabilityHit: VulnerabilityRecord = { +export const mockVulnerabilityHit: CspVulnerabilityFinding = { '@timestamp': '2023-03-30T10:27:35.013Z', resource: { name: '634yfsdg2.dkr.ecr.eu-central-1.amazon.stage', id: 'ami_12328' }, agent: { diff --git a/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/hooks/use_latest_vulnerabilities.tsx b/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/hooks/use_latest_vulnerabilities.tsx index 1166b64a4f53a..31b1efe73b453 100644 --- a/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/hooks/use_latest_vulnerabilities.tsx 
+++ b/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/hooks/use_latest_vulnerabilities.tsx @@ -15,12 +15,12 @@ import { AggregationsStringRareTermsBucketKeys, Sort, } from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; +import { CspVulnerabilityFinding } from '../../../../common/schemas'; import { LATEST_VULNERABILITIES_INDEX_PATTERN } from '../../../../common/constants'; import { getSafeVulnerabilitiesQueryFilter } from '../../../../common/utils/get_safe_vulnerabilities_query_filter'; import { useKibana } from '../../../common/hooks/use_kibana'; import { showErrorToast } from '../../../common/utils/show_error_toast'; import { FindingsBaseEsQuery } from '../../../common/types'; -import { VulnerabilityRecord } from '../types'; type LatestFindingsRequest = IKibanaSearchRequest; type LatestFindingsResponse = IKibanaSearchResponse>; @@ -60,7 +60,7 @@ export const useLatestVulnerabilities = (options: VulnerabilitiesQuery) => { ); return { - page: hits.hits.map((hit) => hit._source!) as VulnerabilityRecord[], + page: hits.hits.map((hit) => hit._source!) as CspVulnerabilityFinding[], total: number.is(hits.total) ? hits.total : 0, }; }, diff --git a/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/utils/create_detection_rule_from_vulnerability.ts b/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/utils/create_detection_rule_from_vulnerability.ts index 7461a8c9368ee..9779f6c8c7cd3 100644 --- a/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/utils/create_detection_rule_from_vulnerability.ts +++ b/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/utils/create_detection_rule_from_vulnerability.ts 
@@ -50,7 +50,7 @@ const generateVulnerabilitiesTags = (finding: CspVulnerabilityFinding) => { }; const getVulnerabilityRuleName = (finding: CspVulnerabilityFinding) => { - return i18n.translate('xpack.cloudSecurityPosture.vulnerabilities.detectionRuleNamePrefix', { + return i18n.translate('xpack.csp.vulnerabilities.detectionRuleNamePrefix', { defaultMessage: 'Vulnerability: {vulnerabilityId}', values: { vulnerabilityId: finding.vulnerability.id, diff --git a/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/utils/get_vector_score_list.ts b/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/utils/get_vector_score_list.ts index 0f7a3b6f1477b..b4f6bd90389fd 100644 --- a/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/utils/get_vector_score_list.ts +++ b/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/utils/get_vector_score_list.ts @@ -5,7 +5,8 @@ * 2.0. */ -import { VectorScoreBase, Vector } from '../types'; +import { VectorScoreBase } from '../../../../common/schemas'; +import { Vector } from '../types'; export const getVectorScoreList = (vectorBaseScore: VectorScoreBase) => { const result: Vector[] = []; diff --git a/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/utils/get_vulnerabilities_grid_cell_actions.tsx b/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/utils/get_vulnerabilities_grid_cell_actions.tsx index edafbd1f763f6..17e1469fcd60e 100644 --- a/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/utils/get_vulnerabilities_grid_cell_actions.tsx +++ b/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/utils/get_vulnerabilities_grid_cell_actions.tsx 
@@ -7,11 +7,13 @@ import React from 'react'; import { EuiDataGridColumn, EuiDataGridColumnCellAction, EuiToolTip } from '@elastic/eui'; import { i18n } from '@kbn/i18n'; -import { VulnerabilityRecord } from '../types'; +import { CspVulnerabilityFinding } from '../../../../common/schemas'; import { getFilters } from './get_filters'; import { FILTER_IN, FILTER_OUT } from '../translations'; -export const getVulnerabilitiesGridCellActions = >>({ +export const getVulnerabilitiesGridCellActions = < + T extends Array> +>({ data, columns, columnGridFn, diff --git a/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/vulnerabilities_by_resource/resource_vulnerabilities/resource_vulnerabilities.tsx b/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/vulnerabilities_by_resource/resource_vulnerabilities/resource_vulnerabilities.tsx index 0c34d18784e20..e18e3b855b1cb 100644 --- a/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/vulnerabilities_by_resource/resource_vulnerabilities/resource_vulnerabilities.tsx +++ b/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/vulnerabilities_by_resource/resource_vulnerabilities/resource_vulnerabilities.tsx @@ -23,7 +23,7 @@ import type { BoolQuery } from '@kbn/es-query'; import { LOCAL_STORAGE_PAGE_SIZE_FINDINGS_KEY } from '../../../../common/constants'; import { useCloudPostureTable } from '../../../../common/hooks/use_cloud_posture_table'; import { useLatestVulnerabilities } from '../../hooks/use_latest_vulnerabilities'; -import type { VulnerabilityRecord, VulnerabilitiesQueryData } from '../../types'; +import type { VulnerabilitiesQueryData } from '../../types'; import { ErrorCallout } from '../../../configurations/layout/error_callout'; import { FindingsSearchBar } from '../../../configurations/layout/findings_search_bar'; import { CVSScoreBadge, SeverityStatusBadge } from '../../../../components/vulnerability_badges'; 
@@ -119,9 +119,9 @@ const ResourceVulnerabilitiesDataGrid = ({ }; const onOpenFlyout = useCallback( - (vulnerabilityRow: VulnerabilityRecord) => { + (vulnerabilityRow: VulnerabilitiesQueryData['page'][number]) => { const vulnerabilityIndex = data?.page.findIndex( - (vulnerabilityRecord: VulnerabilityRecord) => + (vulnerabilityRecord: VulnerabilitiesQueryData['page'][number]) => vulnerabilityRecord.vulnerability?.id === vulnerabilityRow.vulnerability?.id && vulnerabilityRecord.resource?.id === vulnerabilityRow.resource?.id && vulnerabilityRecord.vulnerability.package.name === @@ -169,7 +169,7 @@ const ResourceVulnerabilitiesDataGrid = ({ }): React.ReactElement | null => { const rowIndexFromPage = rowIndex > pageSize - 1 ? rowIndex % pageSize : rowIndex; - const vulnerabilityRow = data?.page[rowIndexFromPage] as VulnerabilityRecord; + const vulnerabilityRow = data?.page[rowIndexFromPage]; useEffect(() => { if (selectedVulnerabilityIndex === rowIndex) { diff --git a/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/vulnerabilities_finding_flyout/vulnerability_json_tab.tsx b/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/vulnerabilities_finding_flyout/vulnerability_json_tab.tsx index 93d83be8b7632..4a2e869d6b93f 100644 --- a/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/vulnerabilities_finding_flyout/vulnerability_json_tab.tsx +++ b/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/vulnerabilities_finding_flyout/vulnerability_json_tab.tsx 
@@ -8,10 +8,10 @@ import { CodeEditor } from '@kbn/kibana-react-plugin/public'; import React from 'react'; import { XJsonLang } from '@kbn/monaco'; -import { VulnerabilityRecord } from '../types'; +import { CspVulnerabilityFinding } from '../../../../common/schemas'; import { JSON_TAB_VULNERABILITY_FLYOUT } from '../test_subjects'; interface VulnerabilityJsonTabProps { - vulnerabilityRecord: VulnerabilityRecord; + vulnerabilityRecord: CspVulnerabilityFinding; } export const VulnerabilityJsonTab = ({ vulnerabilityRecord }: VulnerabilityJsonTabProps) => { const offsetTopHeight = 188; diff --git a/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/vulnerabilities_finding_flyout/vulnerability_overview_tab.tsx b/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/vulnerabilities_finding_flyout/vulnerability_overview_tab.tsx index bd950cff5b242..11cb395879b14 100644 --- a/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/vulnerabilities_finding_flyout/vulnerability_overview_tab.tsx +++ b/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/vulnerabilities_finding_flyout/vulnerability_overview_tab.tsx @@ -19,10 +19,11 @@ import moment from 'moment'; import React from 'react'; import { euiThemeVars } from '@kbn/ui-theme'; import { i18n } from '@kbn/i18n'; +import { VectorScoreBase, Vulnerability } from '../../../../common/schemas'; import { CspFlyoutMarkdown } from '../../configurations/findings_flyout/findings_flyout'; import { NvdLogo } from '../../../assets/icons/nvd_logo_svg'; import { CVSScoreBadge } from '../../../components/vulnerability_badges'; -import { CVSScoreProps, VectorScoreBase, Vendor, Vulnerability } from '../types'; +import { CVSScoreProps, Vendor } from '../types'; import { getVectorScoreList } from '../utils/get_vector_score_list'; import { OVERVIEW_TAB_VULNERABILITY_FLYOUT } from '../test_subjects'; import redhatLogo from '../../../assets/icons/redhat_logo.svg'; 
diff --git a/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/vulnerabilities_finding_flyout/vulnerability_table_tab.tsx b/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/vulnerabilities_finding_flyout/vulnerability_table_tab.tsx index a8f5999928d43..3d5c5d6c519a7 100644 --- a/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/vulnerabilities_finding_flyout/vulnerability_table_tab.tsx +++ b/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/vulnerabilities_finding_flyout/vulnerability_table_tab.tsx @@ -15,7 +15,7 @@ import { import React from 'react'; import { getFlattenedObject } from '@kbn/std'; import { i18n } from '@kbn/i18n'; -import { VulnerabilityRecord } from '../types'; +import { CspVulnerabilityFinding } from '../../../../common/schemas'; interface FlattenedItem { key: string; // flattened dot notation object path for Vulnerability; @@ -74,13 +74,13 @@ const columns: EuiInMemoryTableProps['columns'] = [ }, ]; -const getFlattenedItems = (vulnerabilityRecord: VulnerabilityRecord) => +const getFlattenedItems = (vulnerabilityRecord: CspVulnerabilityFinding) => Object.entries(getFlattenedObject(vulnerabilityRecord)).map(([key, value]) => ({ key, value })); export const VulnerabilityTableTab = ({ vulnerabilityRecord, }: { - vulnerabilityRecord: VulnerabilityRecord; + vulnerabilityRecord: CspVulnerabilityFinding; }) => ( Date: Thu, 10 Aug 2023 18:15:31 -0700 Subject: [PATCH 08/14] add vulnerability mapping --- ...reate_detection_rule_from_vulnerability.ts | 42 ++++++++++++++++++- 1 file changed, 41 insertions(+), 1 deletion(-) diff --git a/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/utils/create_detection_rule_from_vulnerability.ts b/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/utils/create_detection_rule_from_vulnerability.ts index 9779f6c8c7cd3..a91dc23e94a28 100644 
--- a/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/utils/create_detection_rule_from_vulnerability.ts
+++ b/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/utils/create_detection_rule_from_vulnerability.ts
@@ -12,6 +12,7 @@ import type { CspVulnerabilityFinding } from '../../../../common/schemas';
 import {
 LATEST_VULNERABILITIES_RETENTION_POLICY,
 VULNERABILITIES_INDEX_PATTERN,
+ VULNERABILITIES_SEVERITY,
 } from '../../../../common/constants';
 import { createDetectionRule } from '../../../common/api/create_detection_rule';
@@ -23,6 +24,14 @@ const DEFAULT_RULE_LICENSE = 'Elastic License v2';
 const DEFAULT_MAX_ALERTS_PER_RULE = 100;
 const ALERT_SUPPRESSION_FIELD = 'resource.id';
 const ALERT_TIMESTAMP_FIELD = 'event.ingested';
+const ALERT_SEVERITY_MAP_FIELD = 'vulnerability.severity';
+
+enum RuleSeverityMapping {
+ Low = 'low',
+ Medium = 'medium',
+ High = 'high',
+ Critical = 'critical',
+}
 enum AlertSuppressionMissingFieldsStrategy {
 // per each document a separate alert will be created
@@ -83,7 +92,38 @@ export const createDetectionRuleFromVulnerabilityFinding = async (
 risk_score: DEFAULT_RULE_RISK_SCORE,
 risk_score_mapping: [],
 severity: DEFAULT_RULE_SEVERITY,
- severity_mapping: [],
+ severity_mapping: [
+ {
+ field: ALERT_SEVERITY_MAP_FIELD,
+ value: VULNERABILITIES_SEVERITY.LOW,
+ operator: 'equals',
+ severity: RuleSeverityMapping.Low,
+ },
+ {
+ field: ALERT_SEVERITY_MAP_FIELD,
+ value: VULNERABILITIES_SEVERITY.MEDIUM,
+ operator: 'equals',
+ severity: RuleSeverityMapping.Medium,
+ },
+ {
+ field: ALERT_SEVERITY_MAP_FIELD,
+ value: VULNERABILITIES_SEVERITY.HIGH,
+ operator: 'equals',
+ severity: RuleSeverityMapping.High,
+ },
+ {
+ field: ALERT_SEVERITY_MAP_FIELD,
+ value: VULNERABILITIES_SEVERITY.CRITICAL,
+ operator: 'equals',
+ severity: RuleSeverityMapping.Critical,
+ },
+ {
+ field: ALERT_SEVERITY_MAP_FIELD,
+ value: VULNERABILITIES_SEVERITY.UNKNOWN,
+ operator: 'equals',
+ severity: RuleSeverityMapping.Low,
+ },
+ ],
 threat: [],
 interval: '1h',
 from: `now-${LATEST_VULNERABILITIES_RETENTION_POLICY}`,
From 1d2f484cdea0336dc15714179f9e028a933fc6af Mon Sep 17 00:00:00 2001
From: Paulo Henrique
Date: Thu, 10 Aug 2023 18:43:44 -0700
Subject: [PATCH 09/14] updating tags
---
 .../utils/create_detection_rule_from_finding.ts | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/x-pack/plugins/cloud_security_posture/public/pages/configurations/utils/create_detection_rule_from_finding.ts b/x-pack/plugins/cloud_security_posture/public/pages/configurations/utils/create_detection_rule_from_finding.ts
index 802eb46a51620..497937d73bca8 100644
--- a/x-pack/plugins/cloud_security_posture/public/pages/configurations/utils/create_detection_rule_from_finding.ts
+++ b/x-pack/plugins/cloud_security_posture/public/pages/configurations/utils/create_detection_rule_from_finding.ts
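Review bot: The last severity_mapping entry maps VULNERABILITIES_SEVERITY.UNKNOWN to RuleSeverityMapping.Low, so a finding whose severity the scanner could not determine is presented to analysts as low-risk instead of presumably falling back to DEFAULT_RULE_SEVERITY, and nothing in the hunk records that this is deliberate. Either drop that entry so unknown severities take the rule default, or keep it and add a comment above it such as `// UNKNOWN severity is deliberately mapped to 'low'; revisit if triage needs these surfaced separately`. The five entries also repeat the same field and operator, so building them from a `[VULNERABILITIES_SEVERITY value, RuleSeverityMapping value]` table would read more easily, though that is style only. The enclosing createDetectionRuleFromVulnerabilityFinding starts and ends outside the hunk.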
@@ -45,14 +45,23 @@ const convertReferencesLinksToArray = (input: string | undefined) => {
 };
 const CSP_RULE_TAG = 'Cloud Security';
+const CNVM_RULE_TAG_USE_CASE = 'Use Case: Configuration Audit';
+const CNVM_RULE_TAG_DATA_SOURCE_PREFIX = 'Data Source: ';
-const STATIC_RULE_TAGS = [CSP_RULE_TAG];
+const STATIC_RULE_TAGS = [CSP_RULE_TAG, CNVM_RULE_TAG_USE_CASE];
 const generateMisconfigurationsTags = (finding: CspFinding) => {
 return [STATIC_RULE_TAGS]
- .concat(finding.rule.tags)
+ .concat()
 .concat(
- finding.rule.benchmark.posture_type ? [finding.rule.benchmark.posture_type.toUpperCase()] : []
+ finding.rule.benchmark.posture_type
+ ? [
+ `${CNVM_RULE_TAG_DATA_SOURCE_PREFIX}${finding.rule.benchmark.posture_type.toUpperCase()}`,
+ ]
+ : []
+ )
+ .concat(
+ finding.rule.benchmark.posture_type === 'cspm' ? ['Domain: Cloud'] : ['Domain: Container']
 )
 .flat();
 };
From 237a0850c2d5637a663b0f1fd2a8bb842a00bef3 Mon Sep 17 00:00:00 2001
From: Paulo Henrique
Date: Fri, 11 Aug 2023 15:03:15 -0700
Subject: [PATCH 10/14] adding query condition to skip findings already created
---
 .../utils/create_detection_rule_from_finding.ts | 7 ++++---
 .../utils/create_detection_rule_from_vulnerability.ts | 6 +++---
 2 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/x-pack/plugins/cloud_security_posture/public/pages/configurations/utils/create_detection_rule_from_finding.ts b/x-pack/plugins/cloud_security_posture/public/pages/configurations/utils/create_detection_rule_from_finding.ts
index 497937d73bca8..48169ff7052f6 100644
--- a/x-pack/plugins/cloud_security_posture/public/pages/configurations/utils/create_detection_rule_from_finding.ts
+++ b/x-pack/plugins/cloud_security_posture/public/pages/configurations/utils/create_detection_rule_from_finding.ts
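Review bot: The new `.concat(finding.rule.benchmark.posture_type === 'cspm' ? ['Domain: Cloud'] : ['Domain: Container'])` tags every finding that is not cspm as a container finding, including one whose posture_type is unset, which the concat just above deliberately treats as "no data source"; an unset or unrecognised posture type would thus be mislabelled in the rule's tags. Consider an explicit fallback, e.g. `: finding.rule.benchmark.posture_type ? ['Domain: Container'] : []`, or a small lookup keyed by posture type so both the Data Source and Domain tags come from one place. generateMisconfigurationsTags is fully visible in this hunk.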
@@ -67,11 +67,12 @@ const generateMisconfigurationsTags = (finding: CspFinding) => {
 };
 const generateMisconfigurationsRuleQuery = (finding: CspFinding) => {
- return `
- rule.benchmark.rule_number: "${finding.rule.benchmark.rule_number}"
+ const currentTimestamp = new Date().toISOString();
+
+ return `rule.benchmark.rule_number: "${finding.rule.benchmark.rule_number}"
 AND rule.benchmark.id: "${finding.rule.benchmark.id}"
 AND result.evaluation: "failed"
- `;
+ AND event.ingested >= "${currentTimestamp}"`;
 };
 /*
diff --git a/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/utils/create_detection_rule_from_vulnerability.ts b/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/utils/create_detection_rule_from_vulnerability.ts
index a91dc23e94a28..520adfa0d1940 100644
--- a/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/utils/create_detection_rule_from_vulnerability.ts
+++ b/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/utils/create_detection_rule_from_vulnerability.ts
@@ -68,9 +68,9 @@ const getVulnerabilityRuleName = (finding: CspVulnerabilityFinding) => {
 };
 const generateVulnerabilitiesRuleQuery = (finding: CspVulnerabilityFinding) => {
- return `
- vulnerability.id: "${finding.vulnerability.id}"
- `;
+ const currentTimestamp = new Date().toISOString();
+
+ return `vulnerability.id: "${finding.vulnerability.id}" AND event.ingested >= "${currentTimestamp}"`;
 };
 /*
From b305b12e43de982c7b039cd3cd390784c80bfcde Mon Sep 17 00:00:00 2001
From: Paulo Henrique
Date: Mon, 14 Aug 2023 12:54:57 -0700
Subject: [PATCH 11/14] adding undefined handler
---
 .../public/common/utils/get_vulnerability_reference_url.ts | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/x-pack/plugins/cloud_security_posture/public/common/utils/get_vulnerability_reference_url.ts b/x-pack/plugins/cloud_security_posture/public/common/utils/get_vulnerability_reference_url.ts
index d77093ba7cebf..c4d1e00450873 100644
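Review bot: Both query builders on this line interpolate finding.rule.benchmark.rule_number, finding.rule.benchmark.id and finding.vulnerability.id into KQL between double quotes with no escaping, so a value containing `"` or `\` yields a malformed rule query or one that matches something other than the finding it was created from. Quote through one helper and use it for every interpolated value, e.g. `const kqlQuoted = (v: string) => '"' + v.replace(/["\\]/g, '\\$&') + '"';`. The new `event.ingested >= currentTimestamp` bound is taken from the browser clock via new Date(), so a skewed client clock silently shifts which documents the rule alerts on; a comment such as `// lower bound is the client's clock at rule creation: only documents ingested after this point should alert` would record that trade-off for the next reader. generateMisconfigurationsRuleQuery and generateVulnerabilitiesRuleQuery are fully visible, but their callers are not.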
--- a/x-pack/plugins/cloud_security_posture/public/common/utils/get_vulnerability_reference_url.ts
+++ b/x-pack/plugins/cloud_security_posture/public/common/utils/get_vulnerability_reference_url.ts
@@ -7,7 +7,9 @@
 import type { CspVulnerabilityFinding } from '../../../common/schemas';
-export const getVulnerabilityReferenceUrl = (finding: CspVulnerabilityFinding): string => {
+export const getVulnerabilityReferenceUrl = (
+ finding: CspVulnerabilityFinding
+): string | undefined => {
 const nvdDomain = 'https://nvd';
 const nvdWebsite = `${nvdDomain}.nist.gov/vuln/detail/${finding?.vulnerability?.id}`;
From cc804c31844559595d099bef74dd70be208d1b9e Mon Sep 17 00:00:00 2001
From: Paulo Henrique
Date: Mon, 14 Aug 2023 12:55:23 -0700
Subject: [PATCH 12/14] fix empty concat
---
 .../create_detection_rule_from_finding.ts | 20 +++++++++----------
 1 file changed, 9 insertions(+), 11 deletions(-)
diff --git a/x-pack/plugins/cloud_security_posture/public/pages/configurations/utils/create_detection_rule_from_finding.ts b/x-pack/plugins/cloud_security_posture/public/pages/configurations/utils/create_detection_rule_from_finding.ts
index 48169ff7052f6..e8be25237efbc 100644
--- a/x-pack/plugins/cloud_security_posture/public/pages/configurations/utils/create_detection_rule_from_finding.ts
+++ b/x-pack/plugins/cloud_security_posture/public/pages/configurations/utils/create_detection_rule_from_finding.ts
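Review bot: The return type of getVulnerabilityReferenceUrl widens to `string | undefined`, but neither the new signature nor the visible lines say under which condition undefined is produced, so callers have to read the body to learn what a missing URL means. Add a TSDoc above the export, e.g. `/** Builds the NVD reference URL for a finding. Returns undefined when <condition from the body>. */`, filling in the actual condition from the remainder of the function, which lies outside this hunk. The optional chaining in `finding?.vulnerability?.id` also contradicts the non-optional parameter type; if finding can genuinely be absent, the signature should say so rather than the body guessing.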
@@ -45,19 +45,17 @@ const convertReferencesLinksToArray = (input: string | undefined) => {
 };
 const CSP_RULE_TAG = 'Cloud Security';
-const CNVM_RULE_TAG_USE_CASE = 'Use Case: Configuration Audit';
-const CNVM_RULE_TAG_DATA_SOURCE_PREFIX = 'Data Source: ';
+const CSP_RULE_TAG_USE_CASE = 'Use Case: Configuration Audit';
+const CSP_RULE_TAG_DATA_SOURCE_PREFIX = 'Data Source: ';
-const STATIC_RULE_TAGS = [CSP_RULE_TAG, CNVM_RULE_TAG_USE_CASE];
+const STATIC_RULE_TAGS = [CSP_RULE_TAG, CSP_RULE_TAG_USE_CASE];
-const generateMisconfigurationsTags = (finding: CspFinding) => {
+const generateFindingsTags = (finding: CspFinding) => {
 return [STATIC_RULE_TAGS]
- .concat()
+ .concat(finding.rule.tags)
 .concat(
 finding.rule.benchmark.posture_type
- ? [
- `${CNVM_RULE_TAG_DATA_SOURCE_PREFIX}${finding.rule.benchmark.posture_type.toUpperCase()}`,
- ]
+ ? [`${CSP_RULE_TAG_DATA_SOURCE_PREFIX}${finding.rule.benchmark.posture_type.toUpperCase()}`]
 : []
 )
 .concat(
@@ -66,7 +64,7 @@ const generateMisconfigurationsTags = (finding: CspFinding) => {
 .flat();
 };
-const generateMisconfigurationsRuleQuery = (finding: CspFinding) => {
+const generateFindingsRuleQuery = (finding: CspFinding) => {
 const currentTimestamp = new Date().toISOString();
 return `rule.benchmark.rule_number: "${finding.rule.benchmark.rule_number}"
@@ -106,11 +104,11 @@ export const createDetectionRuleFromFinding = async (http: HttpSetup, finding: C
 missing_fields_strategy: AlertSuppressionMissingFieldsStrategy.Suppress,
 },
 index: [FINDINGS_INDEX_PATTERN],
- query: generateMisconfigurationsRuleQuery(finding),
+ query: generateFindingsRuleQuery(finding),
 references: convertReferencesLinksToArray(finding.rule.references),
 name: finding.rule.name,
 description: finding.rule.rationale,
- tags: generateMisconfigurationsTags(finding),
+ tags: generateFindingsTags(finding),
 },
 });
 };
From 7bec7441686013bf0daf6652d6cc67d79f3327ab Mon Sep 17 00:00:00 2001
From: Paulo Henrique
Date: Mon, 14 Aug 2023 12:55:46 -0700
Subject: [PATCH 13/14] adding empty reference url handler
---
 .../utils/create_detection_rule_from_vulnerability.ts | 4 +++-
 .../vulnerability_finding_flyout.tsx | 11 ++++++++---
 2 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/utils/create_detection_rule_from_vulnerability.ts b/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/utils/create_detection_rule_from_vulnerability.ts
index 520adfa0d1940..c8cd677041b16 100644
--- a/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/utils/create_detection_rule_from_vulnerability.ts
+++ b/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/utils/create_detection_rule_from_vulnerability.ts
@@ -80,6 +80,8 @@ export const createDetectionRuleFromVulnerabilityFinding = async (
 http: HttpSetup,
 finding: CspVulnerabilityFinding
 ) => {
+ const referenceUrl = getVulnerabilityReferenceUrl(finding);
+
 return await createDetectionRule({
 http,
 rule: {
@@ -139,7 +141,7 @@ export const createDetectionRuleFromVulnerabilityFinding = async (
 },
 index: [VULNERABILITIES_INDEX_PATTERN],
 query: generateVulnerabilitiesRuleQuery(finding),
- references: [getVulnerabilityReferenceUrl(finding)],
+ references: referenceUrl ? [referenceUrl] : [],
 name: getVulnerabilityRuleName(finding),
 description: finding.vulnerability.description,
 tags: generateVulnerabilitiesTags(finding),
diff --git a/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/vulnerabilities_finding_flyout/vulnerability_finding_flyout.tsx b/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/vulnerabilities_finding_flyout/vulnerability_finding_flyout.tsx
index a71db48bb2eb7..26aaf9926c0a5 100644
--- a/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/vulnerabilities_finding_flyout/vulnerability_finding_flyout.tsx
+++ b/x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/vulnerabilities_finding_flyout/vulnerability_finding_flyout.tsx @@ -19,6 +19,7 @@ import { EuiSkeletonText, EuiTab, EuiTabs, + EuiText, EuiTitle, } from '@elastic/eui'; import { i18n } from '@kbn/i18n'; @@ -188,9 +189,13 @@ export const VulnerabilityFindingFlyout = ({ line-height: 32px; `} > - - {vulnerability?.id} - + {vulnerabilityReference ? ( + + {vulnerability?.id} + + ) : ( + {vulnerability?.id} + )} From d791b6102c5bdda7993ad6750d4faa3d89d01d74 Mon Sep 17 00:00:00 2001 From: Paulo Henrique Date: Mon, 14 Aug 2023 15:03:04 -0700 Subject: [PATCH 14/14] adding posture type tags --- .../utils/create_detection_rule_from_finding.ts | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/x-pack/plugins/cloud_security_posture/public/pages/configurations/utils/create_detection_rule_from_finding.ts b/x-pack/plugins/cloud_security_posture/public/pages/configurations/utils/create_detection_rule_from_finding.ts index e8be25237efbc..778c222d2f5e1 100644 --- a/x-pack/plugins/cloud_security_posture/public/pages/configurations/utils/create_detection_rule_from_finding.ts +++ b/x-pack/plugins/cloud_security_posture/public/pages/configurations/utils/create_detection_rule_from_finding.ts @@ -55,7 +55,10 @@ const generateFindingsTags = (finding: CspFinding) => { .concat(finding.rule.tags) .concat( finding.rule.benchmark.posture_type - ? [`${CSP_RULE_TAG_DATA_SOURCE_PREFIX}${finding.rule.benchmark.posture_type.toUpperCase()}`] + ? [ + finding.rule.benchmark.posture_type.toUpperCase(), + `${CSP_RULE_TAG_DATA_SOURCE_PREFIX}${finding.rule.benchmark.posture_type.toUpperCase()}`, + ] : [] ) .concat(
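Review bot: In the last hunk on this line, `finding.rule.benchmark.posture_type.toUpperCase()` is now evaluated twice inside the branch, once for the bare tag and once for the prefixed one, so the two tags can only stay in sync by repetition. Hoisting it once keeps them from drifting and shortens the ternary: `const postureType = finding.rule.benchmark.posture_type?.toUpperCase();` followed by `.concat(postureType ? [postureType, CSP_RULE_TAG_DATA_SOURCE_PREFIX + postureType] : [])`. generateFindingsTags starts and ends outside this hunk.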