[Cloud Security] [Findings] [Vulnerabilities] [Alerts] - Create detection rule

x-pack/plugins/cloud_security_posture/common/schemas/csp_vulnerability_finding.ts

@@ -0,0 +1,114 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+// TODO: this needs to be defined in a versioned schema
+import type { EcsEvent } from '@kbn/ecs';
+import { VulnSeverity } from '../types';
+
+export interface CspVulnerabilityFinding {
+  '@timestamp': string;
+  resource?: {
+    id: string;
+    name: string;
+  };
+  event: EcsEvent;
+  vulnerability: Vulnerability;
+  ecs: {
+    version: string;
+  };
+  host: {
+    os: {
+      name: string;
+      kernel: string;
+      codename: string;
+      type: string;
+      platform: string;
+      version: string;
+      family: string;
+    };
+    id: string;
+    name: string;
+    containerized: boolean;
+    ip: string[];
+    mac: string[];
+    hostname: string;
+    architecture: string;
+  };
+  agent: {
+    ephemeral_id: string;
+    id: string;
+    name: string;
+    type: string;
+    version: string;
+  };
+  cloud: {
+    image?: {
+      id: string;
+    };
+    provider?: string;
+    instance?: {
+      id: string;
+    };
+    machine?: {
+      type: string;
+    };
+    region: string;
+    availability_zone?: string;
+    service?: {
+      name: string;
+    };
+    account?: {
+      id: string;
+    };
+  };
+  cloudbeat: {
+    version: string;
+    commit_sha: string;
+    commit_time: string;
+  };
+}
+
+export interface Vulnerability {
+  published_date: string;
+  score: {
+    version: string;
+    base: number;
+  };
+  cwe: string[];
+  id: string;
+  title: string;
+  reference: string;
+  severity: VulnSeverity;
+  cvss: {
+    nvd: VectorScoreBase;
+    redhat?: VectorScoreBase;
+    ghsa?: VectorScoreBase;
+  };
+  data_source: {
+    ID: string;
+    Name: string;
+    URL: string;
+  };
+  enumeration: string;
+  description: string;
+  classification: string;
+  scanner: {
+    vendor: string;
+  };
+  package: {
+    version: string;
+    name: string;
+    fixed_version?: string;
+  };
+}
+
+export interface VectorScoreBase {
+  V3Score?: number;
+  V3Vector?: string;
+  V2Score?: number;
+  V2Vector?: string;
+}

x-pack/plugins/cloud_security_posture/common/schemas/index.ts

@@ -7,3 +7,4 @@
 
 export * from './csp_rule_template_metadata';
 export * from './csp_rule_template';
+export * from './csp_vulnerability_finding';

x-pack/plugins/cloud_security_posture/public/common/api/create_detection_rule.ts

@@ -38,6 +38,7 @@ interface RuleCreateProps {
   name: string;
   description: string;
   tags: string[];
+  max_signals: number;
 }
 
 export interface RuleResponse extends RuleCreateProps {

x-pack/plugins/cloud_security_posture/public/common/utils/get_vulnerability_reference_url.ts

@@ -0,0 +1,21 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { CspVulnerabilityFinding } from '../../../common/schemas';
+
+export const getVulnerabilityReferenceUrl = (
+  finding: CspVulnerabilityFinding
+): string | undefined => {
+  const nvdDomain = 'https://nvd';
+  const nvdWebsite = `${nvdDomain}.nist.gov/vuln/detail/${finding?.vulnerability?.id}`;
+
+  const vulnerabilityReference = finding.vulnerability?.cvss?.nvd
+    ? nvdWebsite
+    : finding.vulnerability?.reference;
+
+  return vulnerabilityReference;
+};

x-pack/plugins/cloud_security_posture/public/pages/configurations/utils/create_detection_rule_from_finding.ts

@@ -7,14 +7,18 @@
 
 import { HttpSetup } from '@kbn/core/public';
 import type { CspFinding } from '../../../../common/schemas/csp_finding';
-import { LATEST_FINDINGS_INDEX_DEFAULT_NS } from '../../../../common/constants';
+import {
+  FINDINGS_INDEX_PATTERN,
+  LATEST_FINDINGS_RETENTION_POLICY,
+} from '../../../../common/constants';
 import { createDetectionRule } from '../../../common/api/create_detection_rule';
 
 const DEFAULT_RULE_RISK_SCORE = 0;
 const DEFAULT_RULE_SEVERITY = 'low';
 const DEFAULT_RULE_ENABLED = true;
 const DEFAULT_RULE_AUTHOR = 'Elastic';
 const DEFAULT_RULE_LICENSE = 'Elastic License v2';
+const DEFAULT_MAX_ALERTS_PER_RULE = 100;
 const ALERT_SUPPRESSION_FIELD = 'resource.id';
 const ALERT_TIMESTAMP_FIELD = 'event.ingested';
 
@@ -40,23 +44,36 @@ const convertReferencesLinksToArray = (input: string | undefined) => {
   return matches.map((link) => link.replace(/^\d+\. /, '').replace(/\n/g, ''));
 };
 
-const STATIC_RULE_TAGS = ['Elastic', 'Cloud Security'];
+const CSP_RULE_TAG = 'Cloud Security';
+const CSP_RULE_TAG_USE_CASE = 'Use Case: Configuration Audit';
+const CSP_RULE_TAG_DATA_SOURCE_PREFIX = 'Data Source: ';
 
-const generateMisconfigurationsTags = (finding: CspFinding) => {
+const STATIC_RULE_TAGS = [CSP_RULE_TAG, CSP_RULE_TAG_USE_CASE];
+
+const generateFindingsTags = (finding: CspFinding) => {
   return [STATIC_RULE_TAGS]
     .concat(finding.rule.tags)
     .concat(
-      finding.rule.benchmark.posture_type ? [finding.rule.benchmark.posture_type.toUpperCase()] : []
+      finding.rule.benchmark.posture_type
+        ? [
+            finding.rule.benchmark.posture_type.toUpperCase(),
+            `${CSP_RULE_TAG_DATA_SOURCE_PREFIX}${finding.rule.benchmark.posture_type.toUpperCase()}`,
+          ]
+        : []
+    )
+    .concat(
+      finding.rule.benchmark.posture_type === 'cspm' ? ['Domain: Cloud'] : ['Domain: Container']
     )
     .flat();
 };
 
-const generateMisconfigurationsRuleQuery = (finding: CspFinding) => {
-  return `
-    rule.benchmark.rule_number: "${finding.rule.benchmark.rule_number}"
+const generateFindingsRuleQuery = (finding: CspFinding) => {
+  const currentTimestamp = new Date().toISOString();
+
+  return `rule.benchmark.rule_number: "${finding.rule.benchmark.rule_number}"
     AND rule.benchmark.id: "${finding.rule.benchmark.id}"
     AND result.evaluation: "failed"
-  `;
+    AND event.ingested >= "${currentTimestamp}"`;
 };
 
 /*
@@ -78,8 +95,9 @@ export const createDetectionRuleFromFinding = async (http: HttpSetup, finding: C
       severity_mapping: [],
       threat: [],
       interval: '1h',
-      from: 'now-7200s',
+      from: `now-${LATEST_FINDINGS_RETENTION_POLICY}`,
       to: 'now',
+      max_signals: DEFAULT_MAX_ALERTS_PER_RULE,
       timestamp_override: ALERT_TIMESTAMP_FIELD,
       timestamp_override_fallback_disabled: false,
       actions: [],
@@ -88,12 +106,12 @@ export const createDetectionRuleFromFinding = async (http: HttpSetup, finding: C
         group_by: [ALERT_SUPPRESSION_FIELD],
         missing_fields_strategy: AlertSuppressionMissingFieldsStrategy.Suppress,
       },
-      index: [LATEST_FINDINGS_INDEX_DEFAULT_NS],
-      query: generateMisconfigurationsRuleQuery(finding),
+      index: [FINDINGS_INDEX_PATTERN],
+      query: generateFindingsRuleQuery(finding),
       references: convertReferencesLinksToArray(finding.rule.references),
       name: finding.rule.name,
       description: finding.rule.rationale,
-      tags: generateMisconfigurationsTags(finding),
+      tags: generateFindingsTags(finding),
     },
   });
 };

x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/_mocks_/vulnerability.mock.ts

@@ -5,9 +5,9 @@
  * 2.0.
  */
 
-import { VulnerabilityRecord } from '../types';
+import { CspVulnerabilityFinding } from '../../../../common/schemas';
 
-export const mockVulnerabilityHit: VulnerabilityRecord = {
+export const mockVulnerabilityHit: CspVulnerabilityFinding = {
   '@timestamp': '2023-03-30T10:27:35.013Z',
   resource: { name: '634yfsdg2.dkr.ecr.eu-central-1.amazon.stage', id: 'ami_12328' },
   agent: {

x-pack/plugins/cloud_security_posture/public/pages/vulnerabilities/hooks/use_latest_vulnerabilities.tsx

@@ -15,12 +15,12 @@ import {
   AggregationsStringRareTermsBucketKeys,
   Sort,
 } from '@elastic/elasticsearch/lib/api/typesWithBodyKey';
+import { CspVulnerabilityFinding } from '../../../../common/schemas';
 import { LATEST_VULNERABILITIES_INDEX_PATTERN } from '../../../../common/constants';
 import { getSafeVulnerabilitiesQueryFilter } from '../../../../common/utils/get_safe_vulnerabilities_query_filter';
 import { useKibana } from '../../../common/hooks/use_kibana';
 import { showErrorToast } from '../../../common/utils/show_error_toast';
 import { FindingsBaseEsQuery } from '../../../common/types';
-import { VulnerabilityRecord } from '../types';
 type LatestFindingsRequest = IKibanaSearchRequest<SearchRequest>;
 type LatestFindingsResponse = IKibanaSearchResponse<SearchResponse<any, FindingsAggs>>;
 
@@ -60,7 +60,7 @@ export const useLatestVulnerabilities = (options: VulnerabilitiesQuery) => {
       );
 
       return {
-        page: hits.hits.map((hit) => hit._source!) as VulnerabilityRecord[],
+        page: hits.hits.map((hit) => hit._source!) as CspVulnerabilityFinding[],
         total: number.is(hits.total) ? hits.total : 0,
       };
     },