diff --git a/packages/cloud_security_posture/changelog.yml b/packages/cloud_security_posture/changelog.yml
index 20cc407f09f..79e4d692ce0 100644
--- a/packages/cloud_security_posture/changelog.yml
+++ b/packages/cloud_security_posture/changelog.yml
@@ -13,8 +13,13 @@
 # 1.4.x - 8.9.x
 # 1.3.x - 8.8.x
 # 1.2.x - 8.7.x
+- version: "1.14.0-preview04"
+ changes:
+ - description: Add latest Transform to misconfiguration findings.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/13444
 - version: "1.14.0-preview03"
- changes:
+ changes:
 - description: Update Cloud Connector fields for CSPM
 type: enhancement
 link: https://github.com/elastic/integrations/pull/13488
diff --git a/packages/cloud_security_posture/elasticsearch/transform/misconfiguration/fields/base-fields.yml b/packages/cloud_security_posture/elasticsearch/transform/misconfiguration/fields/base-fields.yml
new file mode 100644
index 00000000000..9d26f22e25c
--- /dev/null
+++ b/packages/cloud_security_posture/elasticsearch/transform/misconfiguration/fields/base-fields.yml
@@ -0,0 +1,12 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: keyword
+ description: Data stream namespace.
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
diff --git a/packages/cloud_security_posture/elasticsearch/transform/misconfiguration/fields/cloud.yml b/packages/cloud_security_posture/elasticsearch/transform/misconfiguration/fields/cloud.yml
new file mode 100644
index 00000000000..42edb1bfe3b
--- /dev/null
+++ b/packages/cloud_security_posture/elasticsearch/transform/misconfiguration/fields/cloud.yml
@@ -0,0 +1,8 @@
+# once introduced to ecs, these fields should be moved to ecs.yml
+- name: cloud
+ type: group
+ fields:
+ - name: Organization.id
+ type: keyword
+ - name: Organization.name
+ type: keyword
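Review bot: `Organization.id` and `Organization.name` under the `cloud` group use a capitalized path segment, which breaks with every other field declared in this transform's mappings and with ECS naming, where field paths are all lowercase (the file comment says these fields are meant to move into ecs.yml later). Elasticsearch field names are case-sensitive, so a finding that carries `cloud.organization.id` would not hit this mapping, and with the destination template's `dynamic: false` it would simply not be indexed in the latest index. If the source documents really emit the capitalized path, a comment saying so — e.g. `# capitalized on purpose: matches the field name emitted by the findings documents` — would stop the next maintainer from "fixing" it; otherwise lowercase the two names.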
diff --git a/packages/cloud_security_posture/elasticsearch/transform/misconfiguration/fields/cloudbeat.yml b/packages/cloud_security_posture/elasticsearch/transform/misconfiguration/fields/cloudbeat.yml
new file mode 100644
index 00000000000..704c3055bfd
--- /dev/null
+++ b/packages/cloud_security_posture/elasticsearch/transform/misconfiguration/fields/cloudbeat.yml
@@ -0,0 +1,38 @@
+- name: cloudbeat
+ title: Cloudbeat
+ group: 2
+ description: Cloudbeat metadata fields
+ type: group
+ default_field: true
+ fields:
+ - name: version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: The version of Cloudbeat.
+ default_field: false
+ - name: policy.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: The version of the policy.
+ default_field: false
+ - name: commit_sha
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: The commit SHA of the Cloudbeat.
+ default_field: false
+ # Currently we can't map commit_time, epm doesn't support format for field type date (see: https://github.com/elastic/kibana/pull/151871)
+ # - name: commit_time
+ # level: extended
+ # type: date
+ # description: The commit time of the Cloudbeat.
+ # format: "yyyy-MM-dd HH:mm:ss Z z||strict_date_optional_time||epoch_millis"
+ # default_field: false
+ - name: kubernetes.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: The version of Kubernetes running on the cluster.
+ default_field: false
diff --git a/packages/cloud_security_posture/elasticsearch/transform/misconfiguration/fields/ecs.yml b/packages/cloud_security_posture/elasticsearch/transform/misconfiguration/fields/ecs.yml
new file mode 100644
index 00000000000..9357395e2d5
--- /dev/null
+++ b/packages/cloud_security_posture/elasticsearch/transform/misconfiguration/fields/ecs.yml
@@ -0,0 +1,148 @@
+- name: agent.ephemeral_id
+ external: ecs
+- name: agent.id
+ external: ecs
+- name: agent.name
+ external: ecs
+- name: agent.type
+ external: ecs
+- name: agent.version
+ external: ecs
+- name: ecs.version
+ external: ecs
+- name: event.agent_id_status
+ external: ecs
+- name: event.ingested
+ external: ecs
+- name: file.accessed
+ external: ecs
+- name: file.ctime
+ external: ecs
+- name: file.directory
+ external: ecs
+- name: file.extension
+ external: ecs
+- name: file.gid
+ external: ecs
+- name: file.group
+ external: ecs
+- name: file.inode
+ external: ecs
+- name: file.mode
+ external: ecs
+- name: file.mtime
+ external: ecs
+- name: file.name
+ external: ecs
+- name: file.owner
+ external: ecs
+- name: file.path
+ external: ecs
+- name: file.size
+ external: ecs
+- name: file.type
+ external: ecs
+- name: file.uid
+ external: ecs
+- name: host.architecture
+ external: ecs
+- name: host.hostname
+ external: ecs
+- name: host.ip
+ external: ecs
+- name: host.mac
+ external: ecs
+- name: host.name
+ external: ecs
+- name: host.os.family
+ external: ecs
+- name: host.os.full
+ external: ecs
+- name: host.os.kernel
+ external: ecs
+- name: host.os.name
+ external: ecs
+- name: host.os.platform
+ external: ecs
+- name: host.os.type
+ external: ecs
+- name: host.os.version
+ external: ecs
+- name: message
+ external: ecs
+- name: process.args
+ external: ecs
+- name: process.args_count
+ external: ecs
+- name: process.command_line
+ external: ecs
+- name: process.name
+ external: ecs
+- name: process.parent.pid
+ external: ecs
+- name: process.parent.start
+ external: ecs
+- name: process.pgid
+ external: ecs
+- name: process.pid
+ external: ecs
+- name: process.start
+ external: ecs
+- name: process.title
+ external: ecs
+- name: process.uptime
+ external: ecs
+- name: rule.description
+ external: ecs
+- name: rule.id
+ external: ecs
+- name: rule.name
+ external: ecs
+- name: rule.version
+ external: ecs
+- name: event.category
+ external: ecs
+- name: event.created
+ external: ecs
+- name: event.id
+ external: ecs
+- name: event.kind
+ external: ecs
+- name: event.sequence
+ external: ecs
+- name: event.outcome
+ external: ecs
+- name: event.type
+ external: ecs
+- name: orchestrator.type
+ external: ecs
+- name: orchestrator.cluster.id
+ external: ecs
+- name: orchestrator.cluster.name
+ external: ecs
+- name: orchestrator.cluster.version
+ external: ecs
+- name: orchestrator.resource.id
+ external: ecs
+- name: orchestrator.resource.name
+ external: ecs
+- name: orchestrator.resource.type
+ external: ecs
+- name: cloud.account.id
+ external: ecs
+- name: cloud.account.name
+ external: ecs
+- name: cloud.provider
+ external: ecs
+- name: cloud.region
+ external: ecs
+- name: user.name
+ external: ecs
+- name: user.id
+ external: ecs
+- name: user.effective.name
+ external: ecs
+- name: user.effective.id
+ external: ecs
+- name: observer.vendor
+ external: ecs
diff --git a/packages/cloud_security_posture/elasticsearch/transform/misconfiguration/fields/fields.yml b/packages/cloud_security_posture/elasticsearch/transform/misconfiguration/fields/fields.yml
new file mode 100644
index 00000000000..b56f1e400cc
--- /dev/null
+++ b/packages/cloud_security_posture/elasticsearch/transform/misconfiguration/fields/fields.yml
@@ -0,0 +1,8 @@
+- name: cluster_id
+ type: keyword
+- name: cloud_security_posture.package_policy.id
+ type: keyword
+ description: The fleet package policy id for the cloud_security_posture integration.
+- name: cloud_security_posture.package_policy.revision
+ type: short
+ description: The revision of the `cloud_security_posture.package_policy.id`
diff --git a/packages/cloud_security_posture/elasticsearch/transform/misconfiguration/fields/related.yml b/packages/cloud_security_posture/elasticsearch/transform/misconfiguration/fields/related.yml
new file mode 100644
index 00000000000..f73ae3fdc60
--- /dev/null
+++ b/packages/cloud_security_posture/elasticsearch/transform/misconfiguration/fields/related.yml
@@ -0,0 +1,5 @@
+- name: related
+ type: group
+ fields:
+ - name: entity
+ type: keyword
diff --git a/packages/cloud_security_posture/elasticsearch/transform/misconfiguration/fields/resource.yml b/packages/cloud_security_posture/elasticsearch/transform/misconfiguration/fields/resource.yml
new file mode 100644
index 00000000000..c093c299032
--- /dev/null
+++ b/packages/cloud_security_posture/elasticsearch/transform/misconfiguration/fields/resource.yml
@@ -0,0 +1,11 @@
+- name: resource
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ - name: name
+ type: keyword
+ - name: type
+ type: keyword
+ - name: sub_type
+ type: keyword
diff --git a/packages/cloud_security_posture/elasticsearch/transform/misconfiguration/fields/result.yml b/packages/cloud_security_posture/elasticsearch/transform/misconfiguration/fields/result.yml
new file mode 100644
index 00000000000..75f840ce005
--- /dev/null
+++ b/packages/cloud_security_posture/elasticsearch/transform/misconfiguration/fields/result.yml
@@ -0,0 +1,5 @@
+- name: result
+ type: group
+ fields:
+ - name: evaluation
+ type: keyword
diff --git a/packages/cloud_security_posture/elasticsearch/transform/misconfiguration/fields/rule.yml b/packages/cloud_security_posture/elasticsearch/transform/misconfiguration/fields/rule.yml
new file mode 100644
index 00000000000..d107364f7df
--- /dev/null
+++ b/packages/cloud_security_posture/elasticsearch/transform/misconfiguration/fields/rule.yml
@@ -0,0 +1,70 @@
+- name: rule
+ title: Rule
+ group: 2
+ description: |
+ Rule fields are used to capture the specifics of any observer or
+ agent rules that generate alerts or other notable events.
+
+ Examples of data sources that would populate the rule fields include: network
+ admission control platforms, network or host IDS/IPS, network firewalls, web
+ application firewalls, url filters, endpoint detection and response (EDR) systems,
+ etc.
+ type: group
+ default_field: true
+ fields:
+ - name: benchmark.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: A unique identifier defining the compliance benchmark.
+ default_field: false
+ - name: benchmark.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: The full name of the compliance benchmark.
+ default_field: false
+ - name: benchmark.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Version of the compliance benchmark.
+ default_field: false
+ - name: benchmark.posture_type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Type of the compliance benchmark.
+ default_field: false
+ - name: benchmark.rule_number
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: CIS benchmark rule number.
+ example: 1.2.4
+ default_field: false
+ - name: section
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: The name of the section the rule belongs to in the benchmark.
+ default_field: false
+ - name: tags
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: List of keywords used to tag the rule.
+ default_field: false
+ # TODO: add support for annotated_text
+ # - name: description
+ # type: annotated_text
+ # - name: impact
+ # type: annotated_text
+ # - name: profile_applicability
+ # type: annotated_text
+ # - name: rationale
+ # type: annotated_text
+ # - name: references
+ # type: annotated_text
+ # - name: remediation
+ # type: annotated_text
diff --git a/packages/cloud_security_posture/elasticsearch/transform/misconfiguration/manifest.yml b/packages/cloud_security_posture/elasticsearch/transform/misconfiguration/manifest.yml
new file mode 100644
index 00000000000..4568d28ee48
--- /dev/null
+++ b/packages/cloud_security_posture/elasticsearch/transform/misconfiguration/manifest.yml
@@ -0,0 +1,18 @@
+start: true
+destination_index_template:
+ settings:
+ index:
+ sort:
+ field:
+ - "@timestamp"
+ order:
+ - desc
+ mappings:
+ dynamic: false
+ dynamic_templates:
+ - strings_as_keyword:
+ match_mapping_type: string
+ mapping:
+ ignore_above: 1024
+ type: keyword
+ date_detection: false
diff --git a/packages/cloud_security_posture/elasticsearch/transform/misconfiguration/transform.yml b/packages/cloud_security_posture/elasticsearch/transform/misconfiguration/transform.yml
new file mode 100644
index 00000000000..dc8df2a39a8
--- /dev/null
+++ b/packages/cloud_security_posture/elasticsearch/transform/misconfiguration/transform.yml
@@ -0,0 +1,30 @@
+source:
+ index:
+ - "logs-cloud_security_posture.findings-*"
+dest:
+ index: "security_solution-cloud_security_posture.misconfiguration_latest-v1"
+ aliases:
+ - alias: "security_solution-cloud_security_posture.misconfiguration_latest"
+ move_on_creation: true
+latest:
+ unique_key:
+ - rule.id
+ - resource.id
+ - data_stream.namespace
+ sort: "@timestamp"
+description: Latest Cloud Configuration Findings from Cloud Security Posture
+frequency: 5m
+sync:
+ time:
+ field: event.ingested
+retention_policy:
+ time:
+ field: "@timestamp"
+ max_age: 90d
+settings:
+ unattended: true
+_meta:
+ managed: true
+ # Bump this version to delete, reinstall, and restart the transform during package.
+ # Version bump is needed if there is any code change in transform.
+ fleet_transform_version: 0.1.0
diff --git a/packages/cloud_security_posture/manifest.yml b/packages/cloud_security_posture/manifest.yml
index 5dbbaf75716..f7d98cda1cd 100644
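Review bot: `dynamic: false` under `destination_index_template.mappings` makes the `strings_as_keyword` dynamic template directly beneath it dead weight — as far as I recall, Elasticsearch only consults dynamic templates when dynamic mapping is `true` or `runtime`, so with `false` any field not declared under `fields/` is kept in `_source` but never indexed. A closed mapping is a defensible choice for a latest index that should not balloon with arbitrary finding payload, but then the template should go, or the intent should be stated, e.g. `# dynamic: false is deliberate: only fields declared under fields/ are indexed; unknown fields stay in _source only`. If the intent was instead to index new string fields as keywords, the template needs `dynamic: true` to take effect.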
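Review bot: `fleet_transform_version: 0.1.0` is a plain scalar; `0.1.0` happens to load as a string, but the comment above tells maintainers to bump it and a bump to a two-component value such as `1.0` would load as a float — quote it: `fleet_transform_version: "0.1.0"`. That same comment ends with "restart the transform during package." which reads as truncated; "during package upgrade" is presumably what was meant. Separately, `settings.unattended: true` keeps the transform retrying through persistent failures rather than stopping, so nothing in the package will surface a broken transform; a comment such as `# unattended: failures are retried indefinitely, so watch the transform health/stats API rather than expecting a failed state` would make that operational expectation explicit.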
--- a/packages/cloud_security_posture/manifest.yml
+++ b/packages/cloud_security_posture/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.3.2
 name: cloud_security_posture
 title: "Security Posture Management"
-version: "1.14.0-preview03"
+version: "1.14.0-preview04"
 source:
 license: "Elastic-2.0"
 description: "Identify & remediate configuration risks in your Cloud infrastructure"