elastic · CohenIdo · Apr 23, 2025 · Apr 7, 2025 · Apr 7, 2025 · Apr 7, 2025
@@ -13,8 +13,13 @@
 # 1.4.x - 8.9.x
 # 1.3.x - 8.8.x
 # 1.2.x - 8.7.x
+- version: "1.14.0-preview04"
+  changes:
+    - description: Add latest Transform to misconfiguration findings.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/13444
 - version: "1.14.0-preview03"
-  changes: 
+  changes:
     - description: Update Cloud Connector fields for CSPM
       type: enhancement
       link: https://github.com/elastic/integrations/pull/13488

@@ -0,0 +1,12 @@
+- name: data_stream.type
+  type: constant_keyword
+  description: Data stream type.
+- name: data_stream.dataset
+  type: constant_keyword
+  description: Data stream dataset.
+- name: data_stream.namespace
+  type: keyword
+  description: Data stream namespace.
+- name: "@timestamp"
+  type: date
+  description: Event timestamp.
@@ -0,0 +1,8 @@
+# once introduced to ecs, these fields should be moved to ecs.yml
+- name: cloud
+  type: group
+  fields:
+    - name: Organization.id
+      type: keyword
+    - name: Organization.name
+      type: keyword
@@ -0,0 +1,38 @@
+- name: cloudbeat
+  title: Cloudbeat
+  group: 2
+  description: Cloudbeat metadata fields
+  type: group
+  default_field: true
+  fields:
+    - name: version
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: The version of Cloudbeat.
+      default_field: false
+    - name: policy.version
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: The version of the policy.
+      default_field: false
+    - name: commit_sha
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: The commit SHA of the Cloudbeat.
+      default_field: false
+      # Currently we can't map commit_time, epm doesn't support format for field type date (see: https://github.com/elastic/kibana/pull/151871)
+      #    - name: commit_time
+      #      level: extended
+      #      type: date
+      #      description: The commit time of the Cloudbeat.
+      #      format: "yyyy-MM-dd HH:mm:ss Z z||strict_date_optional_time||epoch_millis"
+      #      default_field: false
+    - name: kubernetes.version
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: The version of Kubernetes running on the cluster.
+      default_field: false
@@ -0,0 +1,148 @@
+- name: agent.ephemeral_id
+  external: ecs
+- name: agent.id
+  external: ecs
+- name: agent.name
+  external: ecs
+- name: agent.type
+  external: ecs
+- name: agent.version
+  external: ecs
+- name: ecs.version
+  external: ecs
+- name: event.agent_id_status
+  external: ecs
+- name: event.ingested
+  external: ecs
+- name: file.accessed
+  external: ecs
+- name: file.ctime
+  external: ecs
+- name: file.directory
+  external: ecs
+- name: file.extension
+  external: ecs
+- name: file.gid
+  external: ecs
+- name: file.group
+  external: ecs
+- name: file.inode
+  external: ecs
+- name: file.mode
+  external: ecs
+- name: file.mtime
+  external: ecs
+- name: file.name
+  external: ecs
+- name: file.owner
+  external: ecs
+- name: file.path
+  external: ecs
+- name: file.size
+  external: ecs
+- name: file.type
+  external: ecs
+- name: file.uid
+  external: ecs
+- name: host.architecture
+  external: ecs
+- name: host.hostname
+  external: ecs
+- name: host.ip
+  external: ecs
+- name: host.mac
+  external: ecs
+- name: host.name
+  external: ecs
+- name: host.os.family
+  external: ecs
+- name: host.os.full
+  external: ecs
+- name: host.os.kernel
+  external: ecs
+- name: host.os.name
+  external: ecs
+- name: host.os.platform
+  external: ecs
+- name: host.os.type
+  external: ecs
+- name: host.os.version
+  external: ecs
+- name: message
+  external: ecs
+- name: process.args
+  external: ecs
+- name: process.args_count
+  external: ecs
+- name: process.command_line
+  external: ecs
+- name: process.name
+  external: ecs
+- name: process.parent.pid
+  external: ecs
+- name: process.parent.start
+  external: ecs
+- name: process.pgid
+  external: ecs
+- name: process.pid
+  external: ecs
+- name: process.start
+  external: ecs
+- name: process.title
+  external: ecs
+- name: process.uptime
+  external: ecs
+- name: rule.description
+  external: ecs
+- name: rule.id
+  external: ecs
+- name: rule.name
+  external: ecs
+- name: rule.version
+  external: ecs
+- name: event.category
+  external: ecs
+- name: event.created
+  external: ecs
+- name: event.id
+  external: ecs
+- name: event.kind
+  external: ecs
+- name: event.sequence
+  external: ecs
+- name: event.outcome
+  external: ecs
+- name: event.type
+  external: ecs
+- name: orchestrator.type
+  external: ecs
+- name: orchestrator.cluster.id
+  external: ecs
+- name: orchestrator.cluster.name
+  external: ecs
+- name: orchestrator.cluster.version
+  external: ecs
+- name: orchestrator.resource.id
+  external: ecs
+- name: orchestrator.resource.name
+  external: ecs
+- name: orchestrator.resource.type
+  external: ecs
+- name: cloud.account.id
+  external: ecs
+- name: cloud.account.name
+  external: ecs
+- name: cloud.provider
+  external: ecs
+- name: cloud.region
+  external: ecs
+- name: user.name
+  external: ecs
+- name: user.id
+  external: ecs
+- name: user.effective.name
+  external: ecs
+- name: user.effective.id
+  external: ecs
+- name: observer.vendor
+  external: ecs
@@ -0,0 +1,8 @@
+- name: cluster_id
+  type: keyword
+- name: cloud_security_posture.package_policy.id
+  type: keyword
+  description: The fleet package policy id for the cloud_security_posture integration.
+- name: cloud_security_posture.package_policy.revision
+  type: short
+  description: The revision of the `cloud_security_posture.package_policy.id`
@@ -0,0 +1,5 @@
+- name: related
+  type: group
+  fields:
+    - name: entity
+      type: keyword
@@ -0,0 +1,11 @@
+- name: resource
+  type: group
+  fields:
+    - name: id
+      type: keyword
+    - name: name
+      type: keyword
+    - name: type
+      type: keyword
+    - name: sub_type
+      type: keyword
@@ -0,0 +1,5 @@
+- name: result
+  type: group
+  fields:
+    - name: evaluation
+      type: keyword
@@ -0,0 +1,70 @@
+- name: rule
+  title: Rule
+  group: 2
+  description: |
+    Rule fields are used to capture the specifics of any observer or
+    agent rules that generate alerts or other notable events.
+
+    Examples of data sources that would populate the rule fields include: network
+    admission control platforms, network or host IDS/IPS, network firewalls, web
+    application firewalls, url filters, endpoint detection and response (EDR) systems,
+    etc.
+  type: group
+  default_field: true
+  fields:
+    - name: benchmark.id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: A unique identifier defining the compliance benchmark.
+      default_field: false
+    - name: benchmark.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: The full name of the compliance benchmark.
+      default_field: false
+    - name: benchmark.version
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Version of the compliance benchmark.
+      default_field: false
+    - name: benchmark.posture_type
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: Type of the compliance benchmark.
+      default_field: false
+    - name: benchmark.rule_number
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: CIS benchmark rule number.
+      example: 1.2.4
+      default_field: false
+    - name: section
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: The name of the section the rule belongs to in the benchmark.
+      default_field: false
+    - name: tags
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: List of keywords used to tag the rule.
+      default_field: false
+      # TODO: add support for annotated_text
+      # - name: description
+      #   type: annotated_text
+      # - name: impact
+      #   type: annotated_text
+      # - name: profile_applicability
+      #   type: annotated_text
+      # - name: rationale
+      #   type: annotated_text
+      # - name: references
+      #   type: annotated_text
+      # - name: remediation
+      #   type: annotated_text
@@ -0,0 +1,18 @@
+start: true
+destination_index_template:
+  settings:
+    index:
+      sort:
+        field:
+          - "@timestamp"
+        order:
+          - desc
+  mappings:
+    dynamic: false
+    dynamic_templates:
+      - strings_as_keyword:
+          match_mapping_type: string
+          mapping:
+            ignore_above: 1024
+            type: keyword
+    date_detection: false
@@ -0,0 +1,30 @@
+source:
+  index:
+    - "logs-cloud_security_posture.findings-*"
+dest:
+  index: "security_solution-cloud_security_posture.misconfiguration_latest-v1"
+  aliases:
+    - alias: "security_solution-cloud_security_posture.misconfiguration_latest"
+      move_on_creation: true
+latest:
+  unique_key:
+    - rule.id
+    - resource.id
+    - data_stream.namespace
+  sort: "@timestamp"
+description: Latest Cloud Configuration Findings from Cloud Security Posture
+frequency: 5m
+sync:
+  time:
+    field: event.ingested
+retention_policy:
+  time:
+    field: "@timestamp"
+    max_age: 90d
+settings:
+  unattended: true
+_meta:
+  managed: true
+  # Bump this version to delete, reinstall, and restart the transform during package.
+  # Version bump is needed if there is any code change in transform.
+  fleet_transform_version: 0.1.0
@@ -1,7 +1,7 @@
 format_version: 3.3.2
 name: cloud_security_posture
 title: "Security Posture Management"
-version: "1.14.0-preview03"
+version: "1.14.0-preview04"
 source:
   license: "Elastic-2.0"
 description: "Identify & remediate configuration risks in your Cloud infrastructure"