From 36732d3401e0ef91bb5e2d0ed7c5b06832927c35 Mon Sep 17 00:00:00 2001 From: kcreddy Date: Tue, 17 Sep 2024 18:28:41 +0530 Subject: [PATCH 01/28] Add CSPM fields - 1 --- packages/aws/changelog.yml | 5 + .../pipeline/test-securityhub-findings.log | 6 +- ...est-securityhub-findings.log-expected.json | 753 +++++++++++++++++- .../elasticsearch/ingest_pipeline/default.yml | 302 ++++++- .../securityhub_findings/fields/fields.yml | 3 + .../securityhub_findings/fields/resource.yml | 11 + .../securityhub_findings/fields/result.yml | 16 + .../securityhub_findings/fields/rule.yml | 17 + packages/aws/docs/securityhub.md | 17 + packages/aws/manifest.yml | 2 +- 10 files changed, 1103 insertions(+), 29 deletions(-) create mode 100644 packages/aws/data_stream/securityhub_findings/fields/resource.yml create mode 100644 packages/aws/data_stream/securityhub_findings/fields/result.yml create mode 100644 packages/aws/data_stream/securityhub_findings/fields/rule.yml diff --git a/packages/aws/changelog.yml b/packages/aws/changelog.yml index e3f65a5aa8e..8c99e2105cb 100644 --- a/packages/aws/changelog.yml +++ b/packages/aws/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.25.0" + changes: + - description: Improve support for CDR in securityhub_findings data stream. + type: enhancement + link: https://github.com/elastic/integrations/pull/ - version: "2.24.1" changes: - description: Fixed and refactored AWS cloudfront log parsing. diff --git a/packages/aws/data_stream/securityhub_findings/_dev/test/pipeline/test-securityhub-findings.log b/packages/aws/data_stream/securityhub_findings/_dev/test/pipeline/test-securityhub-findings.log index c45ba72f135..4382d4d1f19 100644 --- a/packages/aws/data_stream/securityhub_findings/_dev/test/pipeline/test-securityhub-findings.log +++ b/packages/aws/data_stream/securityhub_findings/_dev/test/pipeline/test-securityhub-findings.log 
@@ -1,4 +1,8 @@ {"Action":{"ActionType":"PORT_PROBE","PortProbeAction":{"PortProbeDetails":[{"LocalPortDetails":{"Port":80,"PortName":"HTTP"},"LocalIpDetails":{"IpAddressV4":"1.128.0.0"},"RemoteIpDetails":{"Country":{"CountryName":"Example Country"},"City":{"CityName":"Example City"},"GeoLocation":{"Lon":0,"Lat":0},"Organization":{"AsnOrg":"ExampleASO","Org":"ExampleOrg","Isp":"ExampleISP","Asn":64496}}}],"Blocked":false}},"AwsAccountId":"111111111111","CompanyName":"AWS","Compliance":{"RelatedRequirements":["Req1","Req2"],"Status":"PASSED","StatusReasons":[{"ReasonCode":"CLOUDWATCH_ALARMS_NOT_PRESENT","Description":"CloudWatch alarms do not exist in the account"}]},"Confidence":42,"CreatedAt":"2017-03-22T13:22:13.933Z","Criticality":99,"Description":"The version of openssl found on instance i-abcd1234 is known to contain a vulnerability.","FindingProviderFields":{"Confidence":42,"Criticality":99,"RelatedFindings":[{"ProductArn":"arn:aws:securityhub:us-west-2::product/aws/guardduty","Id":"123e4567-e89b-12d3-a456-426655440000"}],"Severity":{"Label":"MEDIUM","Original":"MEDIUM"},"Types":["Software and Configuration 
Checks/Vulnerabilities/CVE"]},"FirstObservedAt":"2017-03-22T13:22:13.933Z","GeneratorId":"acme-vuln-9ab348","Id":"us-west-2/111111111111/98aebb2207407c87f51e89943f12b1ef","LastObservedAt":"2017-03-23T13:22:13.933Z","Malware":[{"Name":"Stringler","Type":"COIN_MINER","Path":"/usr/sbin/stringler","State":"OBSERVED"}],"Network":{"Direction":"IN","OpenPortRange":{"Begin":443,"End":443},"Protocol":"TCP","SourceIpV4":"1.128.0.0","SourceIpV6":"2a02:cf40::","SourcePort":"42","SourceDomain":"example1.com","SourceMac":"00:0d:83:b1:c0:8e","DestinationIpV4":"1.128.0.0","DestinationIpV6":"2a02:cf40::","DestinationPort":"80","DestinationDomain":"example2.com"},"NetworkPath":[{"ComponentId":"abc-01a234bc56d8901ee","ComponentType":"AWS::EC2::InternetGateway","Egress":{"Destination":{"Address":["1.128.0.0/24"],"PortRanges":[{"Begin":443,"End":443}]},"Protocol":"TCP","Source":{"Address":["175.16.199.1/24"]}},"Ingress":{"Destination":{"Address":["175.16.199.1/24"],"PortRanges":[{"Begin":443,"End":443}]},"Protocol":"TCP","Source":{"Address":["175.16.199.1/24"]}}}],"Note":{"Text":"Don't forget to check under the mat.","UpdatedBy":"jsmith","UpdatedAt":"2018-08-31T00:15:09Z"},"PatchSummary":{"Id":"pb-123456789098","InstalledCount":"100","MissingCount":"100","FailedCount":"0","InstalledOtherCount":"1023","InstalledRejectedCount":"0","InstalledPendingReboot":"0","OperationStartTime":"2018-09-27T23:37:31Z","OperationEndTime":"2018-09-27T23:39:31Z","RebootOption":"RebootIfNeeded","Operation":"Install"},"Process":{"Name":"syslogd","Path":"/usr/sbin/syslogd","Pid":12345,"ParentPid":56789,"LaunchedAt":"2018-09-27T22:37:31Z","TerminatedAt":"2018-09-27T23:37:31Z"},"ProductArn":"arn:aws:securityhub:us-east-1:111111111111:product/111111111111/default","ProductFields":{"generico/secure-pro/Count":"6","Service_Name":"cloudtrail.amazonaws.com","aws/inspector/AssessmentTemplateName":"My daily CVE assessment","aws/inspector/AssessmentTargetName":"My prod env","aws/inspector/RulesPackageName":"Common 
Vulnerabilities and Exposures"},"ProductName":"Security Hub","RecordState":"ACTIVE","Region":"us-east-1","RelatedFindings":[{"ProductArn":"arn:aws:securityhub:us-west-2::product/aws/guardduty","Id":"123e4567-e89b-12d3-a456-426655440000"},{"ProductArn":"arn:aws:securityhub:us-west-2::product/aws/guardduty","Id":"AcmeNerfHerder-111111111111-x189dx7824"}],"Remediation":{"Recommendation":{"Text":"Run sudo yum update and cross your fingers and toes.","Url":"http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html"}},"Resources":[{"Type":"AwsEc2Instance","Id":"i-cafebabe","Partition":"aws","Region":"us-west-2","Tags":{"billingCode":"Lotus-1-2-3","needsPatching":"true"},"Details":{"IamInstanceProfileArn":"arn:aws:iam::123456789012:role/IamInstanceProfileArn","ImageId":"ami-79fd7eee","IpV4Addresses":["175.16.199.1"],"IpV6Addresses":["2a02:cf40::"],"KeyName":"testkey","LaunchedAt":"2018-09-29T01:25:54Z","MetadataOptions":{"HttpEndpoint":"enabled","HttpProtocolIpv6":"enabled","HttpPutResponseHopLimit":1,"HttpTokens":"optional","InstanceMetadataTags":"disabled"},"NetworkInterfaces":[{"NetworkInterfaceId":"eni-e5aa89a3"}],"SubnetId":"PublicSubnet","Type":"i3.xlarge","VirtualizationType":"hvm","VpcId":"TestVPCIpv6"}}],"Sample":true,"SchemaVersion":"2018-10-08","Severity":{"Label":"CRITICAL","Original":"8.3"},"SourceUrl":"http://threatintelweekly.org/backdoors/8888","ThreatIntelIndicators":[{"Type":"IPV4_ADDRESS","Value":"175.16.199.1","Category":"BACKDOOR","LastObservedAt":"2018-09-27T23:37:31Z","Source":"Threat Intel Weekly","SourceUrl":"http://threatintelweekly.org/backdoors/8888"}],"Threats":[{"FilePaths":[{"FileName":"b.txt","FilePath":"/tmp/b.txt","Hash":"sha256","ResourceId":"arn:aws:ec2:us-west-2:123456789012:volume/vol-032f3bdd89aee112f"}],"ItemCount":3,"Name":"Iot.linux.mirai.vwisi","Severity":"HIGH"}],"Title":"EC2.20 Both VPN tunnels for an AWS Site-to-Site VPN connection should be up","Types":["Software and Configuration 
Checks/Vulnerabilities/CVE"],"UpdatedAt":"2018-08-31T00:15:09Z","UserDefinedFields":{"reviewedByCio":"true","comeBackToLater":"Check this again on Monday"},"VerificationState":"UNKNOWN","Vulnerabilities":[{"Cvss":[{"BaseScore":4.7,"BaseVector":"AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","Version":"V3"},{"BaseScore":4.7,"BaseVector":"AV:L/AC:M/Au:N/C:C/I:N/A:N","Version":"V2"}],"Id":"CVE-2020-12345","ReferenceUrls":["http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12418","http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17563"],"RelatedVulnerabilities":["CVE-2020-12345"],"Vendor":{"Name":"Alas","Url":"https://alas.aws.amazon.com/ALAS-2020-1337.html","VendorCreatedAt":"2020-01-16T00:01:43Z","VendorSeverity":"Medium","VendorUpdatedAt":"2020-01-16T00:01:43Z"},"VulnerablePackages":[{"Architecture":"x86_64","Epoch":"1","Name":"openssl","Release":"16.amzn2.0.3","Version":"1.0.2k"}]}],"Workflow":{"Status":"NEW"},"WorkflowState":"NEW"} {"Action":{"ActionType":"PORT_PROBE","PortProbeAction":{"PortProbeDetails":[{"LocalPortDetails":{"Port":80,"PortName":"HTTP"},"LocalIpDetails":{"IpAddressV4":"1.128.0.0"},"RemoteIpDetails":{"Country":{"CountryName":"Example Country"},"City":{"CityName":"Example City"},"GeoLocation":{"Lon":0,"Lat":0},"Organization":{"AsnOrg":"ExampleASO","Org":"ExampleOrg","Isp":"ExampleISP","Asn":64496}}}],"Blocked":false}},"AwsAccountId":"111111111111","CompanyName":"AWS","Compliance":{"RelatedRequirements":["Req1","Req2"],"Status":"PASSED","StatusReasons":[{"ReasonCode":"CLOUDWATCH_ALARMS_NOT_PRESENT","Description":"CloudWatch alarms do not exist in the account"}]},"Confidence":42,"CreatedAt":"2017-03-22T13:22:13.933Z","Criticality":99,"Description":"The version of openssl found on instance i-abcd1234 is known to contain a 
vulnerability.","FindingProviderFields":{"Confidence":42,"Criticality":99,"RelatedFindings":[{"ProductArn":"arn:aws:securityhub:us-west-2::product/aws/guardduty","Id":"123e4567-e89b-12d3-a456-426655440000"}],"Severity":{"Label":"MEDIUM","Original":"MEDIUM"},"Types":["Software and Configuration Checks/Vulnerabilities/CVE"]},"FirstObservedAt":"2017-03-22T13:22:13.933Z","GeneratorId":"acme-vuln-9ab348","Id":"us-west-2/111111111111/98aebb2207407c87f51e89943f12b1ef","LastObservedAt":"2017-03-23T13:22:13.933Z","Malware":[{"Name":"Stringler","Type":"COIN_MINER","Path":"/usr/sbin/stringler","State":"OBSERVED"}],"Network":{"Direction":"IN","OpenPortRange":{"Begin":443,"End":443},"Protocol":"TCP","SourceIpV4":"1.128.0.0","SourceIpV6":"2a02:cf40::","SourcePort":"42","SourceDomain":"example1.com","SourceMac":"00:0d:83:b1:c0:8e","DestinationIpV4":"1.128.0.0","DestinationIpV6":"2a02:cf40::","DestinationPort":"80","DestinationDomain":"example2.com"},"NetworkPath":[{"ComponentId":"abc-01a234bc56d8901ee","ComponentType":"AWS::EC2::InternetGateway","Egress":{"Destination":{"Address":["1.128.0.0/24"],"PortRanges":[{"Begin":443,"End":443}]},"Protocol":"TCP","Source":{"Address":["175.16.199.1/24"]}},"Ingress":{"Destination":{"Address":["175.16.199.1/24"],"PortRanges":[{"Begin":443,"End":443}]},"Protocol":"TCP","Source":{"Address":["175.16.199.1/24"]}}}],"Note":{"Text":"Don't forget to check under the 
mat.","UpdatedBy":"jsmith","UpdatedAt":"2018-08-31T00:15:09Z"},"PatchSummary":{"Id":"pb-123456789098","InstalledCount":"100","MissingCount":"100","FailedCount":"0","InstalledOtherCount":"1023","InstalledRejectedCount":"0","InstalledPendingReboot":"0","OperationStartTime":"2018-09-27T23:37:31Z","OperationEndTime":"2018-09-27T23:39:31Z","RebootOption":"RebootIfNeeded","Operation":"Install"},"Process":{"Name":"syslogd","Path":"/usr/sbin/syslogd","Pid":12345,"ParentPid":56789,"LaunchedAt":"2018-09-27T22:37:31Z","TerminatedAt":"2018-09-27T23:37:31Z"},"ProductArn":"arn:aws:securityhub:us-east-1:111111111111:product/111111111111/default","ProductFields":{"generico/secure-pro/Count":"6","Service_Name":"cloudtrail.amazonaws.com","aws/inspector/AssessmentTemplateName":"My daily CVE assessment","aws/inspector/AssessmentTargetName":"My prod env","aws/inspector/RulesPackageName":"Common Vulnerabilities and Exposures"},"ProductName":"Security Hub","RecordState":"ACTIVE","Region":"us-east-1","RelatedFindings":[{"ProductArn":"arn:aws:securityhub:us-west-2::product/aws/guardduty","Id":"123e4567-e89b-12d3-a456-426655440000"},{"ProductArn":"arn:aws:securityhub:us-west-2::product/aws/guardduty","Id":"AcmeNerfHerder-111111111111-x189dx7824"}],"Remediation":{"Recommendation":{"Text":"Run sudo yum update and cross your fingers and 
toes.","Url":"http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html"}},"Resources":[{"Type":"AwsEc2Instance","Id":"i-cafebabe","Partition":"aws","Region":"us-west-2","Tags":{"billingCode":"Lotus-1-2-3","needsPatching":"true"},"Details":{"IamInstanceProfileArn":"arn:aws:iam::123456789012:role/IamInstanceProfileArn","ImageId":"ami-79fd7eee","IpV4Addresses":["175.16.199.1"],"IpV6Addresses":["2a02:cf40::"],"KeyName":"testkey","LaunchedAt":"2018-09-29T01:25:54Z","MetadataOptions":{"HttpEndpoint":"enabled","HttpProtocolIpv6":"enabled","HttpPutResponseHopLimit":1,"HttpTokens":"optional","InstanceMetadataTags":"disabled"},"NetworkInterfaces":[{"NetworkInterfaceId":"eni-e5aa89a3"}],"SubnetId":"PublicSubnet","Type":"i3.xlarge","VirtualizationType":"hvm","VpcId":"TestVPCIpv6"}}],"Sample":true,"SchemaVersion":"2018-10-08","Severity":{"Label":"CRITICAL","Original":"8.3"},"SourceUrl":"http://threatintelweekly.org/backdoors/8888","ThreatIntelIndicators":[{"Type":"HASH_MD5","Value":"ae2b1fca515949e5d54fb22b8ed95575","Category":"BACKDOOR","LastObservedAt":"2018-09-27T23:37:31Z","Source":"Threat Intel Weekly","SourceUrl":"http://threatintelweekly.org/backdoors/8888"}],"Threats":[{"FilePaths":[{"FileName":"b.txt","FilePath":"/tmp/b.txt","Hash":"sha256","ResourceId":"arn:aws:ec2:us-west-2:123456789012:volume/vol-032f3bdd89aee112f"}],"ItemCount":3,"Name":"Iot.linux.mirai.vwisi","Severity":"HIGH"}],"Title":"EC2.20 Both VPN tunnels for an AWS Site-to-Site VPN connection should be up","Types":["Software and Configuration Checks/Vulnerabilities/CVE"],"UpdatedAt":"2018-08-31T00:15:09Z","UserDefinedFields":{"reviewedByCio":"true","comeBackToLater":"Check this again on 
Monday"},"VerificationState":"UNKNOWN","Vulnerabilities":[{"Cvss":[{"BaseScore":4.7,"BaseVector":"AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","Version":"V3"},{"BaseScore":4.7,"BaseVector":"AV:L/AC:M/Au:N/C:C/I:N/A:N","Version":"V2"}],"Id":"CVE-2020-12345","ReferenceUrls":["http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12418","http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17563"],"RelatedVulnerabilities":["CVE-2020-12345"],"Vendor":{"Name":"Alas","Url":"https://alas.aws.amazon.com/ALAS-2020-1337.html","VendorCreatedAt":"2020-01-16T00:01:43Z","VendorSeverity":"Medium","VendorUpdatedAt":"2020-01-16T00:01:43Z"},"VulnerablePackages":[{"Architecture":"x86_64","Epoch":"1","Name":"openssl","Release":"16.amzn2.0.3","Version":"1.0.2k"}]}],"Workflow":{"Status":"NEW"},"WorkflowState":"NEW"} {"ProductArn":"xxx","Types":["Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices"],"Description":"This control checks whether your Amazon Elastic Compute Cloud (Amazon EC2) instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The control passes if HttpTokens is set to required for IMDSv2. 
The control fails if HttpTokens is set to optional.","Compliance":{"Status":"FAILED"},"ProductName":"Security Hub","FirstObservedAt":"2022-06-02T16:14:34.949Z","CreatedAt":"2022-06-02T16:14:34.949Z","LastObservedAt":"2022-06-17T08:43:26.724Z","CompanyName":"AWS","FindingProviderFields":{"Types":["Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices"],"Severity":{"Normalized":70,"Label":"HIGH","Product":70,"Original":"HIGH"}},"ProductFields":{"StandardsArn":"xxx","StandardsSubscriptionArn":"xxx","ControlId":"EC2.8","RecommendationUrl":"https://example.com/","RelatedAWSResources:0/name":"xxx","RelatedAWSResources:0/type":"xxx","StandardsControlArn":"xxx","aws/securityhub/ProductName":"Security Hub","aws/securityhub/CompanyName":"AWS","Resources:0/Id":"xxx","aws/securityhub/FindingId":"xxx"},"Remediation":{"Recommendation":{"Text":"For directions on how to fix this issue, consult the AWS Security Hub Foundational Security Best Practices documentation.","Url":"https://example.com/"}},"SchemaVersion":"2018-10-08","GeneratorId":"xxx","RecordState":"ARCHIVED","Title":"EC2.8 EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)","Workflow":{"Status":"NEW"},"Severity":{"Normalized":70,"Label":"HIGH","Product":70,"Original":"HIGH"},"UpdatedAt":"2022-06-17T08:43:26.731Z","WorkflowState":"NEW","AwsAccountId":"xxx","Region":"us-east-1","Id":"xxxx","Resources":[{"Partition":"aws","Type":"AwsEc2Instance","Details":{"AwsEc2Instance":{"KeyName":"xxx","VpcId":"xxx","NetworkInterfaces":[{"NetworkInterfaceId":"xxx"}],"ImageId":"xxx","SubnetId":"xxx","LaunchedAt":"2022-06-02T16:11:39.000Z","IamInstanceProfileArn":"xxx"}},"Region":"us-east-1","Id":"xxx"}] } -{"ProductArn":"xxx","Types":["Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices"],"Description":"This AWS control checks whether the EBS volumes that are in an attached state are 
encrypted.","Compliance":{"Status":"NOT_AVAILABLE","StatusReasons":[{"Description":"This finding has a compliance status of NOT AVAILABLE because AWS Config sent Security Hub a finding with a compliance state of Not Applicable. The potential reasons for a Not Applicable finding from Config are that (1) a resource has been moved out of scope of the Config rule; (2) the Config rule has been deleted; (3) the resource has been deleted; or (4) the logic of the Config rule itself includes scenarios where Not Applicable is returned. The specific reason why Not Applicable is returned is not available in the Config rule evaluation.","ReasonCode":"CONFIG_RETURNS_NOT_APPLICABLE"}]},"ProductName":"Security Hub","FirstObservedAt":"2022-06-17T10:25:14.800Z","CreatedAt":"2022-06-17T10:25:14.800Z","LastObservedAt":"2022-06-17T10:25:18.568Z","CompanyName":"AWS","FindingProviderFields":{"Types":["Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices"],"Severity":{"Normalized":40,"Label":"MEDIUM","Product":40,"Original":"INFORMATIONAL"}},"ProductFields":{"StandardsArn":"xxx","StandardsSubscriptionArn":"xxx","ControlId":"EC2.3","RecommendationUrl":"https://example.com/","RelatedAWSResources:0/name":"xxx","RelatedAWSResources:0/type":"AWS::Config::ConfigRule","StandardsControlArn":"xxx","aws/securityhub/ProductName":"Security Hub","aws/securityhub/CompanyName":"AWS","aws/securityhub/annotation":"This finding has a compliance status of NOT AVAILABLE because AWS Config sent Security Hub a finding with a compliance state of Not Applicable. The potential reasons for a Not Applicable finding from Config are that (1) a resource has been moved out of scope of the Config rule; (2) the Config rule has been deleted; (3) the resource has been deleted; or (4) the logic of the Config rule itself includes scenarios where Not Applicable is returned. 
The specific reason why Not Applicable is returned is not available in the Config rule evaluation.","Resources:0/Id":"xxx","aws/securityhub/FindingId":"xxx"},"Remediation":{"Recommendation":{"Text":"For directions on how to fix this issue, consult the AWS Security Hub Foundational Security Best Practices documentation.","Url":"https://example.com/"}},"SchemaVersion":"2018-10-08","GeneratorId":"xxx","RecordState":"ARCHIVED","Title":"EC2.3 Attached EBS volumes should be encrypted at-rest","Workflow":{"Status":"NEW"},"Severity":{"Normalized":40,"Label":"MEDIUM","Product":40,"Original":"INFORMATIONAL"},"UpdatedAt":"2022-06-17T10:25:14.800Z","WorkflowState":"NEW","AwsAccountId":"xxx","Region":"us-east-1","Id":"xxx","Resources":[{"Partition":"aws","Type":"AwsEc2Volume","Region":"us-east-1","Id":"xxx"}] } \ No newline at end of file +{"ProductArn":"xxx","Types":["Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices"],"Description":"This AWS control checks whether the EBS volumes that are in an attached state are encrypted.","Compliance":{"Status":"NOT_AVAILABLE","StatusReasons":[{"Description":"This finding has a compliance status of NOT AVAILABLE because AWS Config sent Security Hub a finding with a compliance state of Not Applicable. The potential reasons for a Not Applicable finding from Config are that (1) a resource has been moved out of scope of the Config rule; (2) the Config rule has been deleted; (3) the resource has been deleted; or (4) the logic of the Config rule itself includes scenarios where Not Applicable is returned. 
The specific reason why Not Applicable is returned is not available in the Config rule evaluation.","ReasonCode":"CONFIG_RETURNS_NOT_APPLICABLE"}]},"ProductName":"Security Hub","FirstObservedAt":"2022-06-17T10:25:14.800Z","CreatedAt":"2022-06-17T10:25:14.800Z","LastObservedAt":"2022-06-17T10:25:18.568Z","CompanyName":"AWS","FindingProviderFields":{"Types":["Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices"],"Severity":{"Normalized":40,"Label":"MEDIUM","Product":40,"Original":"INFORMATIONAL"}},"ProductFields":{"StandardsArn":"xxx","StandardsSubscriptionArn":"xxx","ControlId":"EC2.3","RecommendationUrl":"https://example.com/","RelatedAWSResources:0/name":"xxx","RelatedAWSResources:0/type":"AWS::Config::ConfigRule","StandardsControlArn":"xxx","aws/securityhub/ProductName":"Security Hub","aws/securityhub/CompanyName":"AWS","aws/securityhub/annotation":"This finding has a compliance status of NOT AVAILABLE because AWS Config sent Security Hub a finding with a compliance state of Not Applicable. The potential reasons for a Not Applicable finding from Config are that (1) a resource has been moved out of scope of the Config rule; (2) the Config rule has been deleted; (3) the resource has been deleted; or (4) the logic of the Config rule itself includes scenarios where Not Applicable is returned. 
The specific reason why Not Applicable is returned is not available in the Config rule evaluation.","Resources:0/Id":"xxx","aws/securityhub/FindingId":"xxx"},"Remediation":{"Recommendation":{"Text":"For directions on how to fix this issue, consult the AWS Security Hub Foundational Security Best Practices documentation.","Url":"https://example.com/"}},"SchemaVersion":"2018-10-08","GeneratorId":"xxx","RecordState":"ARCHIVED","Title":"EC2.3 Attached EBS volumes should be encrypted at-rest","Workflow":{"Status":"NEW"},"Severity":{"Normalized":40,"Label":"MEDIUM","Product":40,"Original":"INFORMATIONAL"},"UpdatedAt":"2022-06-17T10:25:14.800Z","WorkflowState":"NEW","AwsAccountId":"xxx","Region":"us-east-1","Id":"xxx","Resources":[{"Partition":"aws","Type":"AwsEc2Volume","Region":"us-east-1","Id":"xxx"}] } +{"AwsAccountId":"111111111111","CompanyName":"AWS","Compliance":{"AssociatedStandards":[{"StandardsId":"standards/aws-foundational-security-best-practices/v/1.0.0"},{"StandardsId":"standards/cis-aws-foundations-benchmark/v/3.0.0"},{"StandardsId":"standards/nist-800-53/v/5.0.0"}],"RelatedRequirements":["CIS AWS Foundations Benchmark v3.0.0/5.6","NIST.800-53.r5 AC-3","NIST.800-53.r5 AC-3(15)","NIST.800-53.r5 AC-3(7)","NIST.800-53.r5 AC-6"],"SecurityControlId":"EC2.8","Status":"PASSED"},"CreatedAt":"2024-09-10T10:40:32.189Z","Description":"This control checks whether your Amazon Elastic Compute Cloud (Amazon EC2) instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The control passes if HttpTokens is set to required for IMDSv2. 
The control fails if HttpTokens is set to optional.","FindingProviderFields":{"Severity":{"Label":"INFORMATIONAL","Normalized":0,"Original":"INFORMATIONAL"},"Types":["Software and Configuration Checks/Industry and Regulatory Standards"]},"FirstObservedAt":"2024-09-10T10:40:32.189Z","GeneratorId":"security-control/EC2.8","Id":"arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.8/finding/8825ae3b-1f70-4c74-8337-baee8fcad8fd","LastObservedAt":"2024-09-11T08:00:01.828Z","ProcessedAt":"2024-09-11T08:00:03.516Z","ProductArn":"arn:aws:securityhub:ap-south-1::product/aws/securityhub","ProductFields":{"RelatedAWSResources:0/name":"securityhub-ec2-imdsv2-check-29027890","RelatedAWSResources:0/type":"AWS::Config::ConfigRule","Resources:0/Id":"arn:aws:ec2:ap-south-1:111111111111:instance/i-0e2ede89308a594d7","aws/securityhub/CompanyName":"AWS","aws/securityhub/FindingId":"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.8/finding/8825ae3b-1f70-4c74-8337-baee8fcad8fd","aws/securityhub/ProductName":"Security Hub"},"ProductName":"Security Hub","RecordState":"ACTIVE","Region":"ap-south-1","Remediation":{"Recommendation":{"Text":"For information on how to correct this issue, consult the AWS Security Hub controls 
documentation.","Url":"https://docs.aws.amazon.com/console/securityhub/EC2.8/remediation"}},"Resources":[{"Details":{"AwsEc2Instance":{"IamInstanceProfileArn":"arn:aws:iam::111111111111:instance-profile/elastic-agent-instance-profile-e4f7caa0-6f61-11ef-bb07-02fe87118279","ImageId":"ami-04dffe071c46cddd4","LaunchedAt":"2024-09-10T10:39:35.000Z","MetadataOptions":{"HttpEndpoint":"enabled","HttpProtocolIpv6":"disabled","HttpPutResponseHopLimit":2,"HttpTokens":"required","InstanceMetadataTags":"disabled"},"Monitoring":{"State":"disabled"},"NetworkInterfaces":[{"NetworkInterfaceId":"eni-0de300eee88c5c7fd"}],"SubnetId":"subnet-5d15a111","VirtualizationType":"hvm","VpcId":"vpc-39017251"}},"Id":"arn:aws:ec2:ap-south-1:111111111111:instance/i-0e2ede89308a594d7","Partition":"aws","Region":"ap-south-1","Tags":{"Name":"elastic-agent-instance-e5f7caa0-6f60-11ef-bb07-02fe87118279","Task":"Cloud Security Posture Management Scanner","aws:cloudformation:logical-id":"ElasticAgentEc2Instance","aws:cloudformation:stack-id":"arn:aws:cloudformation:ap-south-1:111111111111:stack/Elastic-Cloud-Security-Posture-Management/e5f7caa0-6f60-11ef-bb07-02fe87118279","aws:cloudformation:stack-name":"Elastic-Cloud-Security-Posture-Management"},"Type":"AwsEc2Instance"}],"SchemaVersion":"2018-10-08","Severity":{"Label":"INFORMATIONAL","Normalized":0,"Original":"INFORMATIONAL"},"Title":"EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)","Types":["Software and Configuration Checks/Industry and Regulatory Standards"],"UpdatedAt":"2024-09-11T07:59:56.087Z","Workflow":{"Status":"RESOLVED"},"WorkflowState":"NEW"} +{"AwsAccountId":"111111111111","CompanyName":"AWS","Compliance":{"AssociatedStandards":[{"StandardsId":"standards/nist-800-53/v/5.0.0"}],"RelatedRequirements":["NIST.800-53.r5 SC-12(2)","NIST.800-53.r5 CM-3(6)","NIST.800-53.r5 SC-13","NIST.800-53.r5 SC-28","NIST.800-53.r5 SC-28(1)","NIST.800-53.r5 SC-7(10)","NIST.800-53.r5 CA-9(1)","NIST.800-53.r5 SI-7(6)","NIST.800-53.r5 
AU-9"],"SecurityControlId":"S3.17","Status":"FAILED"},"CreatedAt":"2024-08-14T10:14:37.338Z","Description":"This control checks whether an Amazon S3 general purpose bucket is encrypted with an AWS KMS key (SSE-KMS or DSSE-KMS). The control fails if the bucket is encrypted with default encryption (SSE-S3).","FindingProviderFields":{"Severity":{"Label":"MEDIUM","Normalized":40,"Original":"MEDIUM"},"Types":["Software and Configuration Checks/Industry and Regulatory Standards"]},"FirstObservedAt":"2024-08-14T10:14:37.338Z","GeneratorId":"security-control/S3.17","Id":"arn:aws:securityhub:ap-south-1:111111111111:security-control/S3.17/finding/1d687c1f-ef1e-464f-985a-5000efa9d4a1","LastObservedAt":"2024-09-13T22:50:29.249Z","ProcessedAt":"2024-09-13T22:50:30.870Z","ProductArn":"arn:aws:securityhub:ap-south-1::product/aws/securityhub","ProductFields":{"RelatedAWSResources:0/name":"securityhub-s3-default-encryption-kms-3a38fc59","RelatedAWSResources:0/type":"AWS::Config::ConfigRule","Resources:0/Id":"arn:aws:s3:::s3-test-public-bucket","aws/securityhub/CompanyName":"AWS","aws/securityhub/FindingId":"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/S3.17/finding/1d687c1f-ef1e-464f-985a-5000efa9d4a1","aws/securityhub/ProductName":"Security Hub","aws/securityhub/annotation":"Amazon S3 bucket is not encrypted with AWS KMS key."},"ProductName":"Security Hub","RecordState":"ACTIVE","Region":"ap-south-1","Remediation":{"Recommendation":{"Text":"For information on how to correct this issue, consult the AWS Security Hub controls 
documentation.","Url":"https://docs.aws.amazon.com/console/securityhub/S3.17/remediation"}},"Resources":[{"Details":{"AwsS3Bucket":{"CreatedAt":"2024-08-14T09:32:06.000Z","Name":"s3-test-public-bucket","OwnerId":"e106g9b5e13878d5133aadfac8a012130c4260091100b311ed476f9e77cdca46"}},"Id":"arn:aws:s3:::s3-test-public-bucket","Partition":"aws","Region":"ap-south-1","Type":"AwsS3Bucket"}],"SchemaVersion":"2018-10-08","Severity":{"Label":"MEDIUM","Normalized":40,"Original":"MEDIUM"},"Title":"S3 general purpose buckets should be encrypted at rest with AWS KMS keys","Types":["Software and Configuration Checks/Industry and Regulatory Standards"],"UpdatedAt":"2024-09-13T22:50:13.008Z","Workflow":{"Status":"NEW"},"WorkflowState":"NEW"} +{"AwsAccountId":"111111111111","CompanyName":"AWS","Compliance":{"AssociatedStandards":[{"StandardsId":"standards/cis-aws-foundations-benchmark/v/3.0.0"}],"RelatedRequirements":["CIS AWS Foundations Benchmark v3.0.0/5.2"],"SecurityControlId":"EC2.53","Status":"PASSED"},"CreatedAt":"2024-09-10T11:03:33.389Z","Description":"This control checks whether an Amazon EC2 security group allows ingress from 0.0.0.0/0 to remote server administration ports (ports 22 and 3389). 
The control fails if the security group allows ingress from 0.0.0.0/0 to port 22 or 3389.","FindingProviderFields":{"Severity":{"Label":"INFORMATIONAL","Normalized":0,"Original":"INFORMATIONAL"},"Types":["Software and Configuration Checks/Industry and Regulatory Standards"]},"FirstObservedAt":"2024-09-10T11:03:33.389Z","GeneratorId":"security-control/EC2.53","Id":"arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.53/finding/f21e28e2-1077-4062-ac39-624b2776eb23","LastObservedAt":"2024-09-11T08:00:06.960Z","ProcessedAt":"2024-09-11T08:00:08.685Z","ProductArn":"arn:aws:securityhub:ap-south-1::product/aws/securityhub","ProductFields":{"RelatedAWSResources:0/name":"securityhub-vpc-sg-port-restriction-check-8bef9db4","RelatedAWSResources:0/type":"AWS::Config::ConfigRule","Resources:0/Id":"arn:aws:ec2:ap-south-1:111111111111:security-group/sg-0dbc8c6200a0a9c51","aws/securityhub/CompanyName":"AWS","aws/securityhub/FindingId":"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.53/finding/f21e28e2-1077-4062-ac39-624b2776eb23","aws/securityhub/ProductName":"Security Hub"},"ProductName":"Security Hub","RecordState":"ACTIVE","Region":"ap-south-1","Remediation":{"Recommendation":{"Text":"For information on how to correct this issue, consult the AWS Security Hub controls 
documentation.","Url":"https://docs.aws.amazon.com/console/securityhub/EC2.53/remediation"}},"Resources":[{"Details":{"AwsEc2SecurityGroup":{"GroupId":"sg-0dbc8c6200a0a9c51","GroupName":"elastic-agent-security-group-e4f7caa0-5f61-11ef-bb07-02fe87118279","IpPermissionsEgress":[{"IpProtocol":"-1","IpRanges":[{"CidrIp":"0.0.0.0/0"}]}],"OwnerId":"111111111111","VpcId":"vpc-39017251"}},"Id":"arn:aws:ec2:ap-south-1:111111111111:security-group/sg-0dbc9c6210a0a9c51","Partition":"aws","Region":"ap-south-1","Tags":{"aws:cloudformation:logical-id":"ElasticAgentSecurityGroup","aws:cloudformation:stack-id":"arn:aws:cloudformation:ap-south-1:111111111111:stack/Elastic-Cloud-Security-Posture-Management/e5f7caa0-6f60-11ef-bb07-02fe87118279","aws:cloudformation:stack-name":"Elastic-Cloud-Security-Posture-Management"},"Type":"AwsEc2SecurityGroup"}],"SchemaVersion":"2018-10-08","Severity":{"Label":"INFORMATIONAL","Normalized":0,"Original":"INFORMATIONAL"},"Title":"EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports","Types":["Software and Configuration Checks/Industry and Regulatory Standards"],"UpdatedAt":"2024-09-11T07:59:56.364Z","Workflow":{"Status":"RESOLVED"},"WorkflowState":"NEW"} +{"AwsAccountId":"111111111111","CompanyName":"AWS","Compliance":{"AssociatedStandards":[{"StandardsId":"standards/aws-foundational-security-best-practices/v/1.0.0"},{"StandardsId":"standards/nist-800-53/v/5.0.0"}],"RelatedRequirements":["NIST.800-53.r5 CA-9(1)","NIST.800-53.r5 CM-3(6)","NIST.800-53.r5 SC-13","NIST.800-53.r5 SC-28","NIST.800-53.r5 SC-28(1)","NIST.800-53.r5 SC-7(10)","NIST.800-53.r5 SI-7(6)"],"SecurityControlId":"EC2.3","Status":"FAILED"},"CreatedAt":"2024-09-10T16:51:26.034Z","Description":"This AWS control checks whether the EBS volumes that are in an attached state are encrypted.","FindingProviderFields":{"Severity":{"Label":"MEDIUM","Normalized":40,"Original":"MEDIUM"},"Types":["Software and Configuration Checks/Industry and Regulatory 
Standards"]},"FirstObservedAt":"2024-09-10T16:50:59.623Z","GeneratorId":"security-control/EC2.3","Id":"arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.3/finding/972eddbf-43ae-4886-9416-ac9ddc2cecc0","LastObservedAt":"2024-09-10T16:50:59.623Z","ProcessedAt":"2024-09-10T16:51:39.864Z","ProductArn":"arn:aws:securityhub:ap-south-1::product/aws/securityhub","ProductFields":{"RelatedAWSResources:0/name":"securityhub-encrypted-volumes-4e81c587","RelatedAWSResources:0/type":"AWS::Config::ConfigRule","Resources:0/Id":"arn:aws:ec2:ap-south-1:111111111111:volume/vol-03822fa7de881616e","aws/securityhub/CompanyName":"AWS","aws/securityhub/FindingId":"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.3/finding/972eddbf-43ae-4886-9416-ac9ddc2cecc0","aws/securityhub/ProductName":"Security Hub"},"ProductName":"Security Hub","RecordState":"ACTIVE","Region":"ap-south-1","Remediation":{"Recommendation":{"Text":"For information on how to correct this issue, consult the AWS Security Hub controls documentation.","Url":"https://docs.aws.amazon.com/console/securityhub/EC2.3/remediation"}},"Resources":[{"Details":{"AwsEc2Volume":{"Attachments":[{"AttachTime":"2024-09-10T10:39:36.000Z","DeleteOnTermination":true,"InstanceId":"i-0f1ede89308a584d8","Status":"attached"}],"CreateTime":"2024-09-10T10:39:36.313Z","Encrypted":false,"Size":32,"SnapshotId":"snap-07cb2350b59fa5cce","Status":"in-use"}},"Id":"arn:aws:ec2:ap-south-1:111111111111:volume/vol-03821fa7de881617e","Partition":"aws","Region":"ap-south-1","Type":"AwsEc2Volume"}],"SchemaVersion":"2018-10-08","Severity":{"Label":"MEDIUM","Normalized":40,"Original":"MEDIUM"},"Title":"Attached EBS volumes should be encrypted at-rest","Types":["Software and Configuration Checks/Industry and Regulatory Standards"],"UpdatedAt":"2024-09-10T16:51:26.034Z","Workflow":{"Status":"NEW"},"WorkflowState":"NEW"} \ No newline at end of file 
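Review bot: The scrubbing of the four added CSPM records left identifiers that disagree inside a single finding, so the fixture cannot catch a pipeline that picks the wrong source field. In the EC2.53 record `ProductFields."Resources:0/Id"` ends in `sg-0dbc8c6200a0a9c51` while `Resources[0].Id` ends in `sg-0dbc9c6210a0a9c51`; the EC2.3 record has the same drift between `vol-03822fa7de881616e` and `vol-03821fa7de881617e`, and its `Attachments[0].InstanceId` (`i-0f1ede89308a584d8`) no longer matches the EC2.8 instance `i-0e2ede89308a594d7` from the same CloudFormation stack that it was apparently attached to. Since the expected file is generated from whatever the pipeline emits, a mapping that reads `ProductFields` instead of `Resources` would pass with the mismatched value baked in. Suggest replacing each real identifier with one synthetic value reused everywhere it occurs in the record, and applying the same treatment to the remaining live-looking ENI, subnet, VPC, AMI and CloudFormation stack IDs and the globally unique bucket name `s3-test-public-bucket`.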
diff --git a/packages/aws/data_stream/securityhub_findings/_dev/test/pipeline/test-securityhub-findings.log-expected.json b/packages/aws/data_stream/securityhub_findings/_dev/test/pipeline/test-securityhub-findings.log-expected.json
index 43af1b05bc3..56b3097bc52 100644
--- a/packages/aws/data_stream/securityhub_findings/_dev/test/pipeline/test-securityhub-findings.log-expected.json
+++ b/packages/aws/data_stream/securityhub_findings/_dev/test/pipeline/test-securityhub-findings.log-expected.json
@@ -1,7 +1,7 @@
 {
 "expected": [
 {
- "@timestamp": "2017-03-22T13:22:13.933Z",
+ "@timestamp": "2018-08-31T00:15:09.000Z",
 "aws": {
 "securityhub_findings": {
 "action": {
@@ -357,7 +357,9 @@
 "cloud": {
 "account": {
 "id": "111111111111"
- }
+ },
+ "provider": "aws",
+ "region": "us-east-1"
 },
 "destination": {
 "domain": "example2.com",
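Review bot: The new expected `@timestamp` of `2018-08-31T00:15:09.000Z` does not pin which field the pipeline now reads, because in this sample the finding's top-level `UpdatedAt` and `Note.UpdatedAt` both hold `2018-08-31T00:15:09Z`. If the intended source is the finding's `UpdatedAt`, give `Note.UpdatedAt` a distinct value in the fixture so a regression that reads the note's timestamp instead becomes visible here. This also changes the meaning of `@timestamp` from first creation (`CreatedAt`) to last modification, which moves every time a workflow status or note changes; that is reasonable for a state document but should be called out in the data stream docs so detection and dashboard authors key creation-time logic on the created-at field, presumably still emitted under `aws.securityhub_findings`.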
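Review bot: `cloud.region` is filled from the finding's top-level `Region` (`us-east-1`), which is the Security Hub region that reported the finding, while the affected resource in the same sample sits in `Resources[0].Region` = `us-west-2`. Anyone correlating CDR findings with where a resource actually lives will be misdirected for cross-region aggregated findings unless this is documented. Suggest stating it in the field description added for this data stream, e.g. `description: Region in which Security Hub recorded the finding; the affected resource may live in another region.` Whether the pipeline also surfaces `Resources[].Region` on a resource-level field is not visible in this hunk.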
@@ -372,17 +374,29 @@ }, "event": { "action": "port_probe", + "category": [ + "configuration" + ], "id": "us-west-2/111111111111/98aebb2207407c87f51e89943f12b1ef", - "kind": "event", + "kind": "state", "original": "{\"Action\":{\"ActionType\":\"PORT_PROBE\",\"PortProbeAction\":{\"PortProbeDetails\":[{\"LocalPortDetails\":{\"Port\":80,\"PortName\":\"HTTP\"},\"LocalIpDetails\":{\"IpAddressV4\":\"1.128.0.0\"},\"RemoteIpDetails\":{\"Country\":{\"CountryName\":\"Example Country\"},\"City\":{\"CityName\":\"Example City\"},\"GeoLocation\":{\"Lon\":0,\"Lat\":0},\"Organization\":{\"AsnOrg\":\"ExampleASO\",\"Org\":\"ExampleOrg\",\"Isp\":\"ExampleISP\",\"Asn\":64496}}}],\"Blocked\":false}},\"AwsAccountId\":\"111111111111\",\"CompanyName\":\"AWS\",\"Compliance\":{\"RelatedRequirements\":[\"Req1\",\"Req2\"],\"Status\":\"PASSED\",\"StatusReasons\":[{\"ReasonCode\":\"CLOUDWATCH_ALARMS_NOT_PRESENT\",\"Description\":\"CloudWatch alarms do not exist in the account\"}]},\"Confidence\":42,\"CreatedAt\":\"2017-03-22T13:22:13.933Z\",\"Criticality\":99,\"Description\":\"The version of openssl found on instance i-abcd1234 is known to contain a vulnerability.\",\"FindingProviderFields\":{\"Confidence\":42,\"Criticality\":99,\"RelatedFindings\":[{\"ProductArn\":\"arn:aws:securityhub:us-west-2::product/aws/guardduty\",\"Id\":\"123e4567-e89b-12d3-a456-426655440000\"}],\"Severity\":{\"Label\":\"MEDIUM\",\"Original\":\"MEDIUM\"},\"Types\":[\"Software and Configuration 
Checks/Vulnerabilities/CVE\"]},\"FirstObservedAt\":\"2017-03-22T13:22:13.933Z\",\"GeneratorId\":\"acme-vuln-9ab348\",\"Id\":\"us-west-2/111111111111/98aebb2207407c87f51e89943f12b1ef\",\"LastObservedAt\":\"2017-03-23T13:22:13.933Z\",\"Malware\":[{\"Name\":\"Stringler\",\"Type\":\"COIN_MINER\",\"Path\":\"/usr/sbin/stringler\",\"State\":\"OBSERVED\"}],\"Network\":{\"Direction\":\"IN\",\"OpenPortRange\":{\"Begin\":443,\"End\":443},\"Protocol\":\"TCP\",\"SourceIpV4\":\"1.128.0.0\",\"SourceIpV6\":\"2a02:cf40::\",\"SourcePort\":\"42\",\"SourceDomain\":\"example1.com\",\"SourceMac\":\"00:0d:83:b1:c0:8e\",\"DestinationIpV4\":\"1.128.0.0\",\"DestinationIpV6\":\"2a02:cf40::\",\"DestinationPort\":\"80\",\"DestinationDomain\":\"example2.com\"},\"NetworkPath\":[{\"ComponentId\":\"abc-01a234bc56d8901ee\",\"ComponentType\":\"AWS::EC2::InternetGateway\",\"Egress\":{\"Destination\":{\"Address\":[\"1.128.0.0/24\"],\"PortRanges\":[{\"Begin\":443,\"End\":443}]},\"Protocol\":\"TCP\",\"Source\":{\"Address\":[\"175.16.199.1/24\"]}},\"Ingress\":{\"Destination\":{\"Address\":[\"175.16.199.1/24\"],\"PortRanges\":[{\"Begin\":443,\"End\":443}]},\"Protocol\":\"TCP\",\"Source\":{\"Address\":[\"175.16.199.1/24\"]}}}],\"Note\":{\"Text\":\"Don't forget to check under the 
mat.\",\"UpdatedBy\":\"jsmith\",\"UpdatedAt\":\"2018-08-31T00:15:09Z\"},\"PatchSummary\":{\"Id\":\"pb-123456789098\",\"InstalledCount\":\"100\",\"MissingCount\":\"100\",\"FailedCount\":\"0\",\"InstalledOtherCount\":\"1023\",\"InstalledRejectedCount\":\"0\",\"InstalledPendingReboot\":\"0\",\"OperationStartTime\":\"2018-09-27T23:37:31Z\",\"OperationEndTime\":\"2018-09-27T23:39:31Z\",\"RebootOption\":\"RebootIfNeeded\",\"Operation\":\"Install\"},\"Process\":{\"Name\":\"syslogd\",\"Path\":\"/usr/sbin/syslogd\",\"Pid\":12345,\"ParentPid\":56789,\"LaunchedAt\":\"2018-09-27T22:37:31Z\",\"TerminatedAt\":\"2018-09-27T23:37:31Z\"},\"ProductArn\":\"arn:aws:securityhub:us-east-1:111111111111:product/111111111111/default\",\"ProductFields\":{\"generico/secure-pro/Count\":\"6\",\"Service_Name\":\"cloudtrail.amazonaws.com\",\"aws/inspector/AssessmentTemplateName\":\"My daily CVE assessment\",\"aws/inspector/AssessmentTargetName\":\"My prod env\",\"aws/inspector/RulesPackageName\":\"Common Vulnerabilities and Exposures\"},\"ProductName\":\"Security Hub\",\"RecordState\":\"ACTIVE\",\"Region\":\"us-east-1\",\"RelatedFindings\":[{\"ProductArn\":\"arn:aws:securityhub:us-west-2::product/aws/guardduty\",\"Id\":\"123e4567-e89b-12d3-a456-426655440000\"},{\"ProductArn\":\"arn:aws:securityhub:us-west-2::product/aws/guardduty\",\"Id\":\"AcmeNerfHerder-111111111111-x189dx7824\"}],\"Remediation\":{\"Recommendation\":{\"Text\":\"Run sudo yum update and cross your fingers and 
toes.\",\"Url\":\"http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html\"}},\"Resources\":[{\"Type\":\"AwsEc2Instance\",\"Id\":\"i-cafebabe\",\"Partition\":\"aws\",\"Region\":\"us-west-2\",\"Tags\":{\"billingCode\":\"Lotus-1-2-3\",\"needsPatching\":\"true\"},\"Details\":{\"IamInstanceProfileArn\":\"arn:aws:iam::123456789012:role/IamInstanceProfileArn\",\"ImageId\":\"ami-79fd7eee\",\"IpV4Addresses\":[\"175.16.199.1\"],\"IpV6Addresses\":[\"2a02:cf40::\"],\"KeyName\":\"testkey\",\"LaunchedAt\":\"2018-09-29T01:25:54Z\",\"MetadataOptions\":{\"HttpEndpoint\":\"enabled\",\"HttpProtocolIpv6\":\"enabled\",\"HttpPutResponseHopLimit\":1,\"HttpTokens\":\"optional\",\"InstanceMetadataTags\":\"disabled\"},\"NetworkInterfaces\":[{\"NetworkInterfaceId\":\"eni-e5aa89a3\"}],\"SubnetId\":\"PublicSubnet\",\"Type\":\"i3.xlarge\",\"VirtualizationType\":\"hvm\",\"VpcId\":\"TestVPCIpv6\"}}],\"Sample\":true,\"SchemaVersion\":\"2018-10-08\",\"Severity\":{\"Label\":\"CRITICAL\",\"Original\":\"8.3\"},\"SourceUrl\":\"http://threatintelweekly.org/backdoors/8888\",\"ThreatIntelIndicators\":[{\"Type\":\"IPV4_ADDRESS\",\"Value\":\"175.16.199.1\",\"Category\":\"BACKDOOR\",\"LastObservedAt\":\"2018-09-27T23:37:31Z\",\"Source\":\"Threat Intel Weekly\",\"SourceUrl\":\"http://threatintelweekly.org/backdoors/8888\"}],\"Threats\":[{\"FilePaths\":[{\"FileName\":\"b.txt\",\"FilePath\":\"/tmp/b.txt\",\"Hash\":\"sha256\",\"ResourceId\":\"arn:aws:ec2:us-west-2:123456789012:volume/vol-032f3bdd89aee112f\"}],\"ItemCount\":3,\"Name\":\"Iot.linux.mirai.vwisi\",\"Severity\":\"HIGH\"}],\"Title\":\"EC2.20 Both VPN tunnels for an AWS Site-to-Site VPN connection should be up\",\"Types\":[\"Software and Configuration Checks/Vulnerabilities/CVE\"],\"UpdatedAt\":\"2018-08-31T00:15:09Z\",\"UserDefinedFields\":{\"reviewedByCio\":\"true\",\"comeBackToLater\":\"Check this again on 
Monday\"},\"VerificationState\":\"UNKNOWN\",\"Vulnerabilities\":[{\"Cvss\":[{\"BaseScore\":4.7,\"BaseVector\":\"AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"Version\":\"V3\"},{\"BaseScore\":4.7,\"BaseVector\":\"AV:L/AC:M/Au:N/C:C/I:N/A:N\",\"Version\":\"V2\"}],\"Id\":\"CVE-2020-12345\",\"ReferenceUrls\":[\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12418\",\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17563\"],\"RelatedVulnerabilities\":[\"CVE-2020-12345\"],\"Vendor\":{\"Name\":\"Alas\",\"Url\":\"https://alas.aws.amazon.com/ALAS-2020-1337.html\",\"VendorCreatedAt\":\"2020-01-16T00:01:43Z\",\"VendorSeverity\":\"Medium\",\"VendorUpdatedAt\":\"2020-01-16T00:01:43Z\"},\"VulnerablePackages\":[{\"Architecture\":\"x86_64\",\"Epoch\":\"1\",\"Name\":\"openssl\",\"Release\":\"16.amzn2.0.3\",\"Version\":\"1.0.2k\"}]}],\"Workflow\":{\"Status\":\"NEW\"},\"WorkflowState\":\"NEW\"}", + "outcome": "success", "type": [ "info" ] }, + "host": { + "id": [ + "i-cafebabe" + ] + }, "network": { "direction": "inbound", "protocol": "tcp" }, + "observer": { + "vendor": "AWS Security Hub" + }, "organization": { "name": "AWS" }, @@ -402,6 +416,19 @@ "2a02:cf40::" ] }, + "result": { + "evaluation": "passed" + }, + "rule": { + "description": "The version of openssl found on instance i-abcd1234 is known to contain a vulnerability.", + "name": "EC2.20 Both VPN tunnels for an AWS Site-to-Site VPN connection should be up", + "reference": "http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html", + "references": "http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html", + "ruleset": [ + "Req1", + "Req2" + ] + }, "source": { "domain": "example1.com", "ip": [ @@ -444,7 +471,7 @@ } }, { - "@timestamp": "2017-03-22T13:22:13.933Z", + "@timestamp": "2018-08-31T00:15:09.000Z", "aws": { "securityhub_findings": { "action": { 
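Review bot: The new `rule` object in the `@@ -402,6 +416,19 @@` hunk carries the remediation URL twice, as `rule.reference` and `rule.references`; `rule.reference` is the ECS field, and unless `rule.references` is a deliberately declared custom field (the new fields/rule.yml is not in this chunk, so I cannot confirm) it is a non-ECS duplicate that will either fail field validation or sit unmapped. I would keep only `"reference": "http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html"` and drop the `references` line, or, if both are intended, say in the field definition why the value is mirrored. The same pair recurs in the `rule` objects of the later hunks for the other expected events (`@@ -845,6 +886,19 @@`, `@@ -998,22 +1052,46 @@` and the final hunk), so the fix belongs in the pipeline that emits them rather than in this fixture. Worth noting too that `rule.ruleset` is emitted as an array (`Req1`, `Req2`) while the ECS field is a single keyword; that maps fine in Elasticsearch but should be stated in the field docs so consumers expect multi-valued data.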
@@ -800,7 +827,9 @@ "cloud": { "account": { "id": "111111111111" - } + }, + "provider": "aws", + "region": "us-east-1" }, "destination": { "domain": "example2.com", 
@@ -815,17 +844,29 @@ }, "event": { "action": "port_probe", + "category": [ + "configuration" + ], "id": "us-west-2/111111111111/98aebb2207407c87f51e89943f12b1ef", - "kind": "event", + "kind": "state", "original": "{\"Action\":{\"ActionType\":\"PORT_PROBE\",\"PortProbeAction\":{\"PortProbeDetails\":[{\"LocalPortDetails\":{\"Port\":80,\"PortName\":\"HTTP\"},\"LocalIpDetails\":{\"IpAddressV4\":\"1.128.0.0\"},\"RemoteIpDetails\":{\"Country\":{\"CountryName\":\"Example Country\"},\"City\":{\"CityName\":\"Example City\"},\"GeoLocation\":{\"Lon\":0,\"Lat\":0},\"Organization\":{\"AsnOrg\":\"ExampleASO\",\"Org\":\"ExampleOrg\",\"Isp\":\"ExampleISP\",\"Asn\":64496}}}],\"Blocked\":false}},\"AwsAccountId\":\"111111111111\",\"CompanyName\":\"AWS\",\"Compliance\":{\"RelatedRequirements\":[\"Req1\",\"Req2\"],\"Status\":\"PASSED\",\"StatusReasons\":[{\"ReasonCode\":\"CLOUDWATCH_ALARMS_NOT_PRESENT\",\"Description\":\"CloudWatch alarms do not exist in the account\"}]},\"Confidence\":42,\"CreatedAt\":\"2017-03-22T13:22:13.933Z\",\"Criticality\":99,\"Description\":\"The version of openssl found on instance i-abcd1234 is known to contain a vulnerability.\",\"FindingProviderFields\":{\"Confidence\":42,\"Criticality\":99,\"RelatedFindings\":[{\"ProductArn\":\"arn:aws:securityhub:us-west-2::product/aws/guardduty\",\"Id\":\"123e4567-e89b-12d3-a456-426655440000\"}],\"Severity\":{\"Label\":\"MEDIUM\",\"Original\":\"MEDIUM\"},\"Types\":[\"Software and Configuration 
Checks/Vulnerabilities/CVE\"]},\"FirstObservedAt\":\"2017-03-22T13:22:13.933Z\",\"GeneratorId\":\"acme-vuln-9ab348\",\"Id\":\"us-west-2/111111111111/98aebb2207407c87f51e89943f12b1ef\",\"LastObservedAt\":\"2017-03-23T13:22:13.933Z\",\"Malware\":[{\"Name\":\"Stringler\",\"Type\":\"COIN_MINER\",\"Path\":\"/usr/sbin/stringler\",\"State\":\"OBSERVED\"}],\"Network\":{\"Direction\":\"IN\",\"OpenPortRange\":{\"Begin\":443,\"End\":443},\"Protocol\":\"TCP\",\"SourceIpV4\":\"1.128.0.0\",\"SourceIpV6\":\"2a02:cf40::\",\"SourcePort\":\"42\",\"SourceDomain\":\"example1.com\",\"SourceMac\":\"00:0d:83:b1:c0:8e\",\"DestinationIpV4\":\"1.128.0.0\",\"DestinationIpV6\":\"2a02:cf40::\",\"DestinationPort\":\"80\",\"DestinationDomain\":\"example2.com\"},\"NetworkPath\":[{\"ComponentId\":\"abc-01a234bc56d8901ee\",\"ComponentType\":\"AWS::EC2::InternetGateway\",\"Egress\":{\"Destination\":{\"Address\":[\"1.128.0.0/24\"],\"PortRanges\":[{\"Begin\":443,\"End\":443}]},\"Protocol\":\"TCP\",\"Source\":{\"Address\":[\"175.16.199.1/24\"]}},\"Ingress\":{\"Destination\":{\"Address\":[\"175.16.199.1/24\"],\"PortRanges\":[{\"Begin\":443,\"End\":443}]},\"Protocol\":\"TCP\",\"Source\":{\"Address\":[\"175.16.199.1/24\"]}}}],\"Note\":{\"Text\":\"Don't forget to check under the 
mat.\",\"UpdatedBy\":\"jsmith\",\"UpdatedAt\":\"2018-08-31T00:15:09Z\"},\"PatchSummary\":{\"Id\":\"pb-123456789098\",\"InstalledCount\":\"100\",\"MissingCount\":\"100\",\"FailedCount\":\"0\",\"InstalledOtherCount\":\"1023\",\"InstalledRejectedCount\":\"0\",\"InstalledPendingReboot\":\"0\",\"OperationStartTime\":\"2018-09-27T23:37:31Z\",\"OperationEndTime\":\"2018-09-27T23:39:31Z\",\"RebootOption\":\"RebootIfNeeded\",\"Operation\":\"Install\"},\"Process\":{\"Name\":\"syslogd\",\"Path\":\"/usr/sbin/syslogd\",\"Pid\":12345,\"ParentPid\":56789,\"LaunchedAt\":\"2018-09-27T22:37:31Z\",\"TerminatedAt\":\"2018-09-27T23:37:31Z\"},\"ProductArn\":\"arn:aws:securityhub:us-east-1:111111111111:product/111111111111/default\",\"ProductFields\":{\"generico/secure-pro/Count\":\"6\",\"Service_Name\":\"cloudtrail.amazonaws.com\",\"aws/inspector/AssessmentTemplateName\":\"My daily CVE assessment\",\"aws/inspector/AssessmentTargetName\":\"My prod env\",\"aws/inspector/RulesPackageName\":\"Common Vulnerabilities and Exposures\"},\"ProductName\":\"Security Hub\",\"RecordState\":\"ACTIVE\",\"Region\":\"us-east-1\",\"RelatedFindings\":[{\"ProductArn\":\"arn:aws:securityhub:us-west-2::product/aws/guardduty\",\"Id\":\"123e4567-e89b-12d3-a456-426655440000\"},{\"ProductArn\":\"arn:aws:securityhub:us-west-2::product/aws/guardduty\",\"Id\":\"AcmeNerfHerder-111111111111-x189dx7824\"}],\"Remediation\":{\"Recommendation\":{\"Text\":\"Run sudo yum update and cross your fingers and 
toes.\",\"Url\":\"http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html\"}},\"Resources\":[{\"Type\":\"AwsEc2Instance\",\"Id\":\"i-cafebabe\",\"Partition\":\"aws\",\"Region\":\"us-west-2\",\"Tags\":{\"billingCode\":\"Lotus-1-2-3\",\"needsPatching\":\"true\"},\"Details\":{\"IamInstanceProfileArn\":\"arn:aws:iam::123456789012:role/IamInstanceProfileArn\",\"ImageId\":\"ami-79fd7eee\",\"IpV4Addresses\":[\"175.16.199.1\"],\"IpV6Addresses\":[\"2a02:cf40::\"],\"KeyName\":\"testkey\",\"LaunchedAt\":\"2018-09-29T01:25:54Z\",\"MetadataOptions\":{\"HttpEndpoint\":\"enabled\",\"HttpProtocolIpv6\":\"enabled\",\"HttpPutResponseHopLimit\":1,\"HttpTokens\":\"optional\",\"InstanceMetadataTags\":\"disabled\"},\"NetworkInterfaces\":[{\"NetworkInterfaceId\":\"eni-e5aa89a3\"}],\"SubnetId\":\"PublicSubnet\",\"Type\":\"i3.xlarge\",\"VirtualizationType\":\"hvm\",\"VpcId\":\"TestVPCIpv6\"}}],\"Sample\":true,\"SchemaVersion\":\"2018-10-08\",\"Severity\":{\"Label\":\"CRITICAL\",\"Original\":\"8.3\"},\"SourceUrl\":\"http://threatintelweekly.org/backdoors/8888\",\"ThreatIntelIndicators\":[{\"Type\":\"HASH_MD5\",\"Value\":\"ae2b1fca515949e5d54fb22b8ed95575\",\"Category\":\"BACKDOOR\",\"LastObservedAt\":\"2018-09-27T23:37:31Z\",\"Source\":\"Threat Intel Weekly\",\"SourceUrl\":\"http://threatintelweekly.org/backdoors/8888\"}],\"Threats\":[{\"FilePaths\":[{\"FileName\":\"b.txt\",\"FilePath\":\"/tmp/b.txt\",\"Hash\":\"sha256\",\"ResourceId\":\"arn:aws:ec2:us-west-2:123456789012:volume/vol-032f3bdd89aee112f\"}],\"ItemCount\":3,\"Name\":\"Iot.linux.mirai.vwisi\",\"Severity\":\"HIGH\"}],\"Title\":\"EC2.20 Both VPN tunnels for an AWS Site-to-Site VPN connection should be up\",\"Types\":[\"Software and Configuration Checks/Vulnerabilities/CVE\"],\"UpdatedAt\":\"2018-08-31T00:15:09Z\",\"UserDefinedFields\":{\"reviewedByCio\":\"true\",\"comeBackToLater\":\"Check this again on 
Monday\"},\"VerificationState\":\"UNKNOWN\",\"Vulnerabilities\":[{\"Cvss\":[{\"BaseScore\":4.7,\"BaseVector\":\"AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"Version\":\"V3\"},{\"BaseScore\":4.7,\"BaseVector\":\"AV:L/AC:M/Au:N/C:C/I:N/A:N\",\"Version\":\"V2\"}],\"Id\":\"CVE-2020-12345\",\"ReferenceUrls\":[\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12418\",\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17563\"],\"RelatedVulnerabilities\":[\"CVE-2020-12345\"],\"Vendor\":{\"Name\":\"Alas\",\"Url\":\"https://alas.aws.amazon.com/ALAS-2020-1337.html\",\"VendorCreatedAt\":\"2020-01-16T00:01:43Z\",\"VendorSeverity\":\"Medium\",\"VendorUpdatedAt\":\"2020-01-16T00:01:43Z\"},\"VulnerablePackages\":[{\"Architecture\":\"x86_64\",\"Epoch\":\"1\",\"Name\":\"openssl\",\"Release\":\"16.amzn2.0.3\",\"Version\":\"1.0.2k\"}]}],\"Workflow\":{\"Status\":\"NEW\"},\"WorkflowState\":\"NEW\"}", + "outcome": "success", "type": [ "info" ] }, + "host": { + "id": [ + "i-cafebabe" + ] + }, "network": { "direction": "inbound", "protocol": "tcp" }, + "observer": { + "vendor": "AWS Security Hub" + }, "organization": { "name": "AWS" }, @@ -845,6 +886,19 @@ "2a02:cf40::" ] }, + "result": { + "evaluation": "passed" + }, + "rule": { + "description": "The version of openssl found on instance i-abcd1234 is known to contain a vulnerability.", + "name": "EC2.20 Both VPN tunnels for an AWS Site-to-Site VPN connection should be up", + "reference": "http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html", + "references": "http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html", + "ruleset": [ + "Req1", + "Req2" + ] + }, "source": { "domain": "example1.com", "ip": [ @@ -898,7 +952,7 @@ } }, { - "@timestamp": "2022-06-02T16:14:34.949Z", + "@timestamp": "2022-06-17T08:43:26.731Z", "aws": { "securityhub_findings": { "aws_account_id": "xxx", 
@@ -998,22 +1052,46 @@ "cloud": { "account": { "id": "xxx" - } + }, + "provider": "aws", + "region": "us-east-1" }, "ecs": { "version": "8.11.0" }, "event": { + "category": [ + "configuration" + ], "id": "xxxx", - "kind": "event", + "kind": "state", "original": "{\"ProductArn\":\"xxx\",\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices\"],\"Description\":\"This control checks whether your Amazon Elastic Compute Cloud (Amazon EC2) instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The control passes if HttpTokens is set to required for IMDSv2. The control fails if HttpTokens is set to optional.\",\"Compliance\":{\"Status\":\"FAILED\"},\"ProductName\":\"Security Hub\",\"FirstObservedAt\":\"2022-06-02T16:14:34.949Z\",\"CreatedAt\":\"2022-06-02T16:14:34.949Z\",\"LastObservedAt\":\"2022-06-17T08:43:26.724Z\",\"CompanyName\":\"AWS\",\"FindingProviderFields\":{\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices\"],\"Severity\":{\"Normalized\":70,\"Label\":\"HIGH\",\"Product\":70,\"Original\":\"HIGH\"}},\"ProductFields\":{\"StandardsArn\":\"xxx\",\"StandardsSubscriptionArn\":\"xxx\",\"ControlId\":\"EC2.8\",\"RecommendationUrl\":\"https://example.com/\",\"RelatedAWSResources:0/name\":\"xxx\",\"RelatedAWSResources:0/type\":\"xxx\",\"StandardsControlArn\":\"xxx\",\"aws/securityhub/ProductName\":\"Security Hub\",\"aws/securityhub/CompanyName\":\"AWS\",\"Resources:0/Id\":\"xxx\",\"aws/securityhub/FindingId\":\"xxx\"},\"Remediation\":{\"Recommendation\":{\"Text\":\"For directions on how to fix this issue, consult the AWS Security Hub Foundational Security Best Practices documentation.\",\"Url\":\"https://example.com/\"}},\"SchemaVersion\":\"2018-10-08\",\"GeneratorId\":\"xxx\",\"RecordState\":\"ARCHIVED\",\"Title\":\"EC2.8 EC2 instances should use Instance Metadata Service Version 2 
(IMDSv2)\",\"Workflow\":{\"Status\":\"NEW\"},\"Severity\":{\"Normalized\":70,\"Label\":\"HIGH\",\"Product\":70,\"Original\":\"HIGH\"},\"UpdatedAt\":\"2022-06-17T08:43:26.731Z\",\"WorkflowState\":\"NEW\",\"AwsAccountId\":\"xxx\",\"Region\":\"us-east-1\",\"Id\":\"xxxx\",\"Resources\":[{\"Partition\":\"aws\",\"Type\":\"AwsEc2Instance\",\"Details\":{\"AwsEc2Instance\":{\"KeyName\":\"xxx\",\"VpcId\":\"xxx\",\"NetworkInterfaces\":[{\"NetworkInterfaceId\":\"xxx\"}],\"ImageId\":\"xxx\",\"SubnetId\":\"xxx\",\"LaunchedAt\":\"2022-06-02T16:11:39.000Z\",\"IamInstanceProfileArn\":\"xxx\"}},\"Region\":\"us-east-1\",\"Id\":\"xxx\"}] }", + "outcome": "failure", + "severity": 70, "type": [ "info" ] }, + "host": { + "id": [ + "xxx" + ] + }, + "observer": { + "vendor": "AWS Security Hub" + }, "organization": { "name": "AWS" }, + "result": { + "evaluation": "failed" + }, + "rule": { + "description": "This control checks whether your Amazon Elastic Compute Cloud (Amazon EC2) instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The control passes if HttpTokens is set to required for IMDSv2. The control fails if HttpTokens is set to optional.", + "name": "EC2.8 EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)", + "reference": "https://example.com/", + "references": "https://example.com/" + }, "tags": [ "preserve_original_event", "preserve_duplicate_custom_fields" 
@@ -1112,22 +1190,675 @@ "cloud": { "account": { "id": "xxx" - } + }, + "provider": "aws", + "region": "us-east-1" }, "ecs": { "version": "8.11.0" }, "event": { + "category": [ + "configuration" + ], "id": "xxx", - "kind": "event", + "kind": "state", "original": "{\"ProductArn\":\"xxx\",\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices\"],\"Description\":\"This AWS control checks whether the EBS volumes that are in an attached state are encrypted.\",\"Compliance\":{\"Status\":\"NOT_AVAILABLE\",\"StatusReasons\":[{\"Description\":\"This finding has a compliance status of NOT AVAILABLE because AWS Config sent Security Hub a finding with a compliance state of Not Applicable. The potential reasons for a Not Applicable finding from Config are that (1) a resource has been moved out of scope of the Config rule; (2) the Config rule has been deleted; (3) the resource has been deleted; or (4) the logic of the Config rule itself includes scenarios where Not Applicable is returned. 
The specific reason why Not Applicable is returned is not available in the Config rule evaluation.\",\"ReasonCode\":\"CONFIG_RETURNS_NOT_APPLICABLE\"}]},\"ProductName\":\"Security Hub\",\"FirstObservedAt\":\"2022-06-17T10:25:14.800Z\",\"CreatedAt\":\"2022-06-17T10:25:14.800Z\",\"LastObservedAt\":\"2022-06-17T10:25:18.568Z\",\"CompanyName\":\"AWS\",\"FindingProviderFields\":{\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices\"],\"Severity\":{\"Normalized\":40,\"Label\":\"MEDIUM\",\"Product\":40,\"Original\":\"INFORMATIONAL\"}},\"ProductFields\":{\"StandardsArn\":\"xxx\",\"StandardsSubscriptionArn\":\"xxx\",\"ControlId\":\"EC2.3\",\"RecommendationUrl\":\"https://example.com/\",\"RelatedAWSResources:0/name\":\"xxx\",\"RelatedAWSResources:0/type\":\"AWS::Config::ConfigRule\",\"StandardsControlArn\":\"xxx\",\"aws/securityhub/ProductName\":\"Security Hub\",\"aws/securityhub/CompanyName\":\"AWS\",\"aws/securityhub/annotation\":\"This finding has a compliance status of NOT AVAILABLE because AWS Config sent Security Hub a finding with a compliance state of Not Applicable. The potential reasons for a Not Applicable finding from Config are that (1) a resource has been moved out of scope of the Config rule; (2) the Config rule has been deleted; (3) the resource has been deleted; or (4) the logic of the Config rule itself includes scenarios where Not Applicable is returned. 
The specific reason why Not Applicable is returned is not available in the Config rule evaluation.\",\"Resources:0/Id\":\"xxx\",\"aws/securityhub/FindingId\":\"xxx\"},\"Remediation\":{\"Recommendation\":{\"Text\":\"For directions on how to fix this issue, consult the AWS Security Hub Foundational Security Best Practices documentation.\",\"Url\":\"https://example.com/\"}},\"SchemaVersion\":\"2018-10-08\",\"GeneratorId\":\"xxx\",\"RecordState\":\"ARCHIVED\",\"Title\":\"EC2.3 Attached EBS volumes should be encrypted at-rest\",\"Workflow\":{\"Status\":\"NEW\"},\"Severity\":{\"Normalized\":40,\"Label\":\"MEDIUM\",\"Product\":40,\"Original\":\"INFORMATIONAL\"},\"UpdatedAt\":\"2022-06-17T10:25:14.800Z\",\"WorkflowState\":\"NEW\",\"AwsAccountId\":\"xxx\",\"Region\":\"us-east-1\",\"Id\":\"xxx\",\"Resources\":[{\"Partition\":\"aws\",\"Type\":\"AwsEc2Volume\",\"Region\":\"us-east-1\",\"Id\":\"xxx\"}] }", + "outcome": "unknown", + "severity": 40, + "type": [ + "info" + ] + }, + "observer": { + "vendor": "AWS Security Hub" + }, + "organization": { + "name": "AWS" + }, + "result": { + "evaluation": "unknown" + }, + "rule": { + "description": "This AWS control checks whether the EBS volumes that are in an attached state are encrypted.", + "name": "EC2.3 Attached EBS volumes should be encrypted at-rest", + "reference": "https://example.com/", + "references": "https://example.com/" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2024-09-11T07:59:56.087Z", + "aws": { + "securityhub_findings": { + "aws_account_id": "111111111111", + "company": { + "name": "AWS" + }, + "compliance": { + "related_requirements": [ + "CIS AWS Foundations Benchmark v3.0.0/5.6", + "NIST.800-53.r5 AC-3", + "NIST.800-53.r5 AC-3(15)", + "NIST.800-53.r5 AC-3(7)", + "NIST.800-53.r5 AC-6" + ], + "status": "PASSED" + }, + "created_at": "2024-09-10T10:40:32.189Z", + "description": "This control checks whether your Amazon Elastic Compute Cloud (Amazon 
EC2) instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The control passes if HttpTokens is set to required for IMDSv2. The control fails if HttpTokens is set to optional.", + "first_observed_at": "2024-09-10T10:40:32.189Z", + "generator": { + "id": "security-control/EC2.8" + }, + "id": "arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.8/finding/8825ae3b-1f70-4c74-8337-baee8fcad8fd", + "last_observed_at": "2024-09-11T08:00:01.828Z", + "processed_at": "2024-09-11T08:00:03.516Z", + "product": { + "arn": "arn:aws:securityhub:ap-south-1::product/aws/securityhub", + "fields": { + "RelatedAWSResources:0/name": "securityhub-ec2-imdsv2-check-29027890", + "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", + "Resources:0/Id": "arn:aws:ec2:ap-south-1:111111111111:instance/i-0e2ede89308a594d7", + "aws/securityhub/CompanyName": "AWS", + "aws/securityhub/FindingId": "arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.8/finding/8825ae3b-1f70-4c74-8337-baee8fcad8fd", + "aws/securityhub/ProductName": "Security Hub" + }, + "name": "Security Hub" + }, + "provider_fields": { + "severity": { + "label": "INFORMATIONAL", + "normalized": "0", + "original": "INFORMATIONAL" + }, + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ] + }, + "record_state": "ACTIVE", + "region": "ap-south-1", + "remediation": { + "recommendation": { + "text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", + "url": "https://docs.aws.amazon.com/console/securityhub/EC2.8/remediation" + } + }, + "resources": [ + { + "Details": { + "AwsEc2Instance": { + "IamInstanceProfileArn": "arn:aws:iam::111111111111:instance-profile/elastic-agent-instance-profile-e4f7caa0-6f61-11ef-bb07-02fe87118279", + "ImageId": "ami-04dffe071c46cddd4", + "LaunchedAt": "2024-09-10T10:39:35.000Z", + "MetadataOptions": { + 
"HttpEndpoint": "enabled", + "HttpProtocolIpv6": "disabled", + "HttpPutResponseHopLimit": 2, + "HttpTokens": "required", + "InstanceMetadataTags": "disabled" + }, + "Monitoring": { + "State": "disabled" + }, + "NetworkInterfaces": [ + { + "NetworkInterfaceId": "eni-0de300eee88c5c7fd" + } + ], + "SubnetId": "subnet-5d15a111", + "VirtualizationType": "hvm", + "VpcId": "vpc-39017251" + } + }, + "Id": "arn:aws:ec2:ap-south-1:111111111111:instance/i-0e2ede89308a594d7", + "Partition": "aws", + "Region": "ap-south-1", + "Tags": { + "Name": "elastic-agent-instance-e5f7caa0-6f60-11ef-bb07-02fe87118279", + "Task": "Cloud Security Posture Management Scanner", + "aws:cloudformation:logical-id": "ElasticAgentEc2Instance", + "aws:cloudformation:stack-id": "arn:aws:cloudformation:ap-south-1:111111111111:stack/Elastic-Cloud-Security-Posture-Management/e5f7caa0-6f60-11ef-bb07-02fe87118279", + "aws:cloudformation:stack-name": "Elastic-Cloud-Security-Posture-Management" + }, + "Type": "AwsEc2Instance" + } + ], + "schema": { + "version": "2018-10-08" + }, + "severity": { + "label": "INFORMATIONAL", + "normalized": "0", + "original": "INFORMATIONAL" + }, + "title": "EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)", + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ], + "updated_at": "2024-09-11T07:59:56.087Z", + "workflow": { + "state": "NEW", + "status": "RESOLVED" + } + } + }, + "cloud": { + "account": { + "id": "111111111111" + }, + "provider": "aws", + "region": "ap-south-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "configuration" + ], + "created": "2024-09-11T08:00:03.516Z", + "id": "arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.8/finding/8825ae3b-1f70-4c74-8337-baee8fcad8fd", + "kind": "state", + "original": 
"{\"AwsAccountId\":\"111111111111\",\"CompanyName\":\"AWS\",\"Compliance\":{\"AssociatedStandards\":[{\"StandardsId\":\"standards/aws-foundational-security-best-practices/v/1.0.0\"},{\"StandardsId\":\"standards/cis-aws-foundations-benchmark/v/3.0.0\"},{\"StandardsId\":\"standards/nist-800-53/v/5.0.0\"}],\"RelatedRequirements\":[\"CIS AWS Foundations Benchmark v3.0.0/5.6\",\"NIST.800-53.r5 AC-3\",\"NIST.800-53.r5 AC-3(15)\",\"NIST.800-53.r5 AC-3(7)\",\"NIST.800-53.r5 AC-6\"],\"SecurityControlId\":\"EC2.8\",\"Status\":\"PASSED\"},\"CreatedAt\":\"2024-09-10T10:40:32.189Z\",\"Description\":\"This control checks whether your Amazon Elastic Compute Cloud (Amazon EC2) instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The control passes if HttpTokens is set to required for IMDSv2. The control fails if HttpTokens is set to optional.\",\"FindingProviderFields\":{\"Severity\":{\"Label\":\"INFORMATIONAL\",\"Normalized\":0,\"Original\":\"INFORMATIONAL\"},\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"]},\"FirstObservedAt\":\"2024-09-10T10:40:32.189Z\",\"GeneratorId\":\"security-control/EC2.8\",\"Id\":\"arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.8/finding/8825ae3b-1f70-4c74-8337-baee8fcad8fd\",\"LastObservedAt\":\"2024-09-11T08:00:01.828Z\",\"ProcessedAt\":\"2024-09-11T08:00:03.516Z\",\"ProductArn\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub\",\"ProductFields\":{\"RelatedAWSResources:0/name\":\"securityhub-ec2-imdsv2-check-29027890\",\"RelatedAWSResources:0/type\":\"AWS::Config::ConfigRule\",\"Resources:0/Id\":\"arn:aws:ec2:ap-south-1:111111111111:instance/i-0e2ede89308a594d7\",\"aws/securityhub/CompanyName\":\"AWS\",\"aws/securityhub/FindingId\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.8/finding/8825ae3b-1f70-4c74-8337-baee8fcad8fd\",\"aws/securityhub/ProductName\":\"Security 
Hub\"},\"ProductName\":\"Security Hub\",\"RecordState\":\"ACTIVE\",\"Region\":\"ap-south-1\",\"Remediation\":{\"Recommendation\":{\"Text\":\"For information on how to correct this issue, consult the AWS Security Hub controls documentation.\",\"Url\":\"https://docs.aws.amazon.com/console/securityhub/EC2.8/remediation\"}},\"Resources\":[{\"Details\":{\"AwsEc2Instance\":{\"IamInstanceProfileArn\":\"arn:aws:iam::111111111111:instance-profile/elastic-agent-instance-profile-e4f7caa0-6f61-11ef-bb07-02fe87118279\",\"ImageId\":\"ami-04dffe071c46cddd4\",\"LaunchedAt\":\"2024-09-10T10:39:35.000Z\",\"MetadataOptions\":{\"HttpEndpoint\":\"enabled\",\"HttpProtocolIpv6\":\"disabled\",\"HttpPutResponseHopLimit\":2,\"HttpTokens\":\"required\",\"InstanceMetadataTags\":\"disabled\"},\"Monitoring\":{\"State\":\"disabled\"},\"NetworkInterfaces\":[{\"NetworkInterfaceId\":\"eni-0de300eee88c5c7fd\"}],\"SubnetId\":\"subnet-5d15a111\",\"VirtualizationType\":\"hvm\",\"VpcId\":\"vpc-39017251\"}},\"Id\":\"arn:aws:ec2:ap-south-1:111111111111:instance/i-0e2ede89308a594d7\",\"Partition\":\"aws\",\"Region\":\"ap-south-1\",\"Tags\":{\"Name\":\"elastic-agent-instance-e5f7caa0-6f60-11ef-bb07-02fe87118279\",\"Task\":\"Cloud Security Posture Management Scanner\",\"aws:cloudformation:logical-id\":\"ElasticAgentEc2Instance\",\"aws:cloudformation:stack-id\":\"arn:aws:cloudformation:ap-south-1:111111111111:stack/Elastic-Cloud-Security-Posture-Management/e5f7caa0-6f60-11ef-bb07-02fe87118279\",\"aws:cloudformation:stack-name\":\"Elastic-Cloud-Security-Posture-Management\"},\"Type\":\"AwsEc2Instance\"}],\"SchemaVersion\":\"2018-10-08\",\"Severity\":{\"Label\":\"INFORMATIONAL\",\"Normalized\":0,\"Original\":\"INFORMATIONAL\"},\"Title\":\"EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)\",\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"],\"UpdatedAt\":\"2024-09-11T07:59:56.087Z\",\"Workflow\":{\"Status\":\"RESOLVED\"},\"WorkflowState\":\"NEW\"}", + 
"outcome": "success", + "severity": 0, "type": [ "info" ] }, + "host": { + "id": [ + "arn:aws:ec2:ap-south-1:111111111111:instance/i-0e2ede89308a594d7" + ] + }, + "observer": { + "vendor": "AWS Security Hub" + }, "organization": { "name": "AWS" }, + "result": { + "evaluation": "passed" + }, + "rule": { + "description": "This control checks whether your Amazon Elastic Compute Cloud (Amazon EC2) instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The control passes if HttpTokens is set to required for IMDSv2. The control fails if HttpTokens is set to optional.", + "name": "EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)", + "reference": "https://docs.aws.amazon.com/console/securityhub/EC2.8/remediation", + "references": "https://docs.aws.amazon.com/console/securityhub/EC2.8/remediation", + "ruleset": [ + "CIS AWS Foundations Benchmark v3.0.0/5.6", + "NIST.800-53.r5 AC-3", + "NIST.800-53.r5 AC-3(15)", + "NIST.800-53.r5 AC-3(7)", + "NIST.800-53.r5 AC-6" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2024-09-13T22:50:13.008Z", + "aws": { + "securityhub_findings": { + "aws_account_id": "111111111111", + "company": { + "name": "AWS" + }, + "compliance": { + "related_requirements": [ + "NIST.800-53.r5 SC-12(2)", + "NIST.800-53.r5 CM-3(6)", + "NIST.800-53.r5 SC-13", + "NIST.800-53.r5 SC-28", + "NIST.800-53.r5 SC-28(1)", + "NIST.800-53.r5 SC-7(10)", + "NIST.800-53.r5 CA-9(1)", + "NIST.800-53.r5 SI-7(6)", + "NIST.800-53.r5 AU-9" + ], + "status": "FAILED" + }, + "created_at": "2024-08-14T10:14:37.338Z", + "description": "This control checks whether an Amazon S3 general purpose bucket is encrypted with an AWS KMS key (SSE-KMS or DSSE-KMS). 
The control fails if the bucket is encrypted with default encryption (SSE-S3).", + "first_observed_at": "2024-08-14T10:14:37.338Z", + "generator": { + "id": "security-control/S3.17" + }, + "id": "arn:aws:securityhub:ap-south-1:111111111111:security-control/S3.17/finding/1d687c1f-ef1e-464f-985a-5000efa9d4a1", + "last_observed_at": "2024-09-13T22:50:29.249Z", + "processed_at": "2024-09-13T22:50:30.870Z", + "product": { + "arn": "arn:aws:securityhub:ap-south-1::product/aws/securityhub", + "fields": { + "RelatedAWSResources:0/name": "securityhub-s3-default-encryption-kms-3a38fc59", + "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", + "Resources:0/Id": "arn:aws:s3:::s3-test-public-bucket", + "aws/securityhub/CompanyName": "AWS", + "aws/securityhub/FindingId": "arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/S3.17/finding/1d687c1f-ef1e-464f-985a-5000efa9d4a1", + "aws/securityhub/ProductName": "Security Hub", + "aws/securityhub/annotation": "Amazon S3 bucket is not encrypted with AWS KMS key." 
+ }, + "name": "Security Hub" + }, + "provider_fields": { + "severity": { + "label": "MEDIUM", + "normalized": "40", + "original": "MEDIUM" + }, + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ] + }, + "record_state": "ACTIVE", + "region": "ap-south-1", + "remediation": { + "recommendation": { + "text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", + "url": "https://docs.aws.amazon.com/console/securityhub/S3.17/remediation" + } + }, + "resources": [ + { + "Details": { + "AwsS3Bucket": { + "CreatedAt": "2024-08-14T09:32:06.000Z", + "Name": "s3-test-public-bucket", + "OwnerId": "e106g9b5e13878d5133aadfac8a012130c4260091100b311ed476f9e77cdca46" + } + }, + "Id": "arn:aws:s3:::s3-test-public-bucket", + "Partition": "aws", + "Region": "ap-south-1", + "Type": "AwsS3Bucket" + } + ], + "schema": { + "version": "2018-10-08" + }, + "severity": { + "label": "MEDIUM", + "normalized": "40", + "original": "MEDIUM" + }, + "title": "S3 general purpose buckets should be encrypted at rest with AWS KMS keys", + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ], + "updated_at": "2024-09-13T22:50:13.008Z", + "workflow": { + "state": "NEW", + "status": "NEW" + } + } + }, + "cloud": { + "account": { + "id": "111111111111" + }, + "provider": "aws", + "region": "ap-south-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "configuration" + ], + "created": "2024-09-13T22:50:30.870Z", + "id": "arn:aws:securityhub:ap-south-1:111111111111:security-control/S3.17/finding/1d687c1f-ef1e-464f-985a-5000efa9d4a1", + "kind": "state", + "original": "{\"AwsAccountId\":\"111111111111\",\"CompanyName\":\"AWS\",\"Compliance\":{\"AssociatedStandards\":[{\"StandardsId\":\"standards/nist-800-53/v/5.0.0\"}],\"RelatedRequirements\":[\"NIST.800-53.r5 SC-12(2)\",\"NIST.800-53.r5 CM-3(6)\",\"NIST.800-53.r5 SC-13\",\"NIST.800-53.r5 SC-28\",\"NIST.800-53.r5 
SC-28(1)\",\"NIST.800-53.r5 SC-7(10)\",\"NIST.800-53.r5 CA-9(1)\",\"NIST.800-53.r5 SI-7(6)\",\"NIST.800-53.r5 AU-9\"],\"SecurityControlId\":\"S3.17\",\"Status\":\"FAILED\"},\"CreatedAt\":\"2024-08-14T10:14:37.338Z\",\"Description\":\"This control checks whether an Amazon S3 general purpose bucket is encrypted with an AWS KMS key (SSE-KMS or DSSE-KMS). The control fails if the bucket is encrypted with default encryption (SSE-S3).\",\"FindingProviderFields\":{\"Severity\":{\"Label\":\"MEDIUM\",\"Normalized\":40,\"Original\":\"MEDIUM\"},\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"]},\"FirstObservedAt\":\"2024-08-14T10:14:37.338Z\",\"GeneratorId\":\"security-control/S3.17\",\"Id\":\"arn:aws:securityhub:ap-south-1:111111111111:security-control/S3.17/finding/1d687c1f-ef1e-464f-985a-5000efa9d4a1\",\"LastObservedAt\":\"2024-09-13T22:50:29.249Z\",\"ProcessedAt\":\"2024-09-13T22:50:30.870Z\",\"ProductArn\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub\",\"ProductFields\":{\"RelatedAWSResources:0/name\":\"securityhub-s3-default-encryption-kms-3a38fc59\",\"RelatedAWSResources:0/type\":\"AWS::Config::ConfigRule\",\"Resources:0/Id\":\"arn:aws:s3:::s3-test-public-bucket\",\"aws/securityhub/CompanyName\":\"AWS\",\"aws/securityhub/FindingId\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/S3.17/finding/1d687c1f-ef1e-464f-985a-5000efa9d4a1\",\"aws/securityhub/ProductName\":\"Security Hub\",\"aws/securityhub/annotation\":\"Amazon S3 bucket is not encrypted with AWS KMS key.\"},\"ProductName\":\"Security Hub\",\"RecordState\":\"ACTIVE\",\"Region\":\"ap-south-1\",\"Remediation\":{\"Recommendation\":{\"Text\":\"For information on how to correct this issue, consult the AWS Security Hub controls 
documentation.\",\"Url\":\"https://docs.aws.amazon.com/console/securityhub/S3.17/remediation\"}},\"Resources\":[{\"Details\":{\"AwsS3Bucket\":{\"CreatedAt\":\"2024-08-14T09:32:06.000Z\",\"Name\":\"s3-test-public-bucket\",\"OwnerId\":\"e106g9b5e13878d5133aadfac8a012130c4260091100b311ed476f9e77cdca46\"}},\"Id\":\"arn:aws:s3:::s3-test-public-bucket\",\"Partition\":\"aws\",\"Region\":\"ap-south-1\",\"Type\":\"AwsS3Bucket\"}],\"SchemaVersion\":\"2018-10-08\",\"Severity\":{\"Label\":\"MEDIUM\",\"Normalized\":40,\"Original\":\"MEDIUM\"},\"Title\":\"S3 general purpose buckets should be encrypted at rest with AWS KMS keys\",\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"],\"UpdatedAt\":\"2024-09-13T22:50:13.008Z\",\"Workflow\":{\"Status\":\"NEW\"},\"WorkflowState\":\"NEW\"}", + "outcome": "failure", + "severity": 40, + "type": [ + "info" + ] + }, + "observer": { + "vendor": "AWS Security Hub" + }, + "organization": { + "name": "AWS" + }, + "result": { + "evaluation": "failed" + }, + "rule": { + "description": "This control checks whether an Amazon S3 general purpose bucket is encrypted with an AWS KMS key (SSE-KMS or DSSE-KMS). 
The control fails if the bucket is encrypted with default encryption (SSE-S3).", + "name": "S3 general purpose buckets should be encrypted at rest with AWS KMS keys", + "reference": "https://docs.aws.amazon.com/console/securityhub/S3.17/remediation", + "references": "https://docs.aws.amazon.com/console/securityhub/S3.17/remediation", + "ruleset": [ + "NIST.800-53.r5 SC-12(2)", + "NIST.800-53.r5 CM-3(6)", + "NIST.800-53.r5 SC-13", + "NIST.800-53.r5 SC-28", + "NIST.800-53.r5 SC-28(1)", + "NIST.800-53.r5 SC-7(10)", + "NIST.800-53.r5 CA-9(1)", + "NIST.800-53.r5 SI-7(6)", + "NIST.800-53.r5 AU-9" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "id": [ + "e106g9b5e13878d5133aadfac8a012130c4260091100b311ed476f9e77cdca46" + ] + } + }, + { + "@timestamp": "2024-09-11T07:59:56.364Z", + "aws": { + "securityhub_findings": { + "aws_account_id": "111111111111", + "company": { + "name": "AWS" + }, + "compliance": { + "related_requirements": [ + "CIS AWS Foundations Benchmark v3.0.0/5.2" + ], + "status": "PASSED" + }, + "created_at": "2024-09-10T11:03:33.389Z", + "description": "This control checks whether an Amazon EC2 security group allows ingress from 0.0.0.0/0 to remote server administration ports (ports 22 and 3389). 
The control fails if the security group allows ingress from 0.0.0.0/0 to port 22 or 3389.", + "first_observed_at": "2024-09-10T11:03:33.389Z", + "generator": { + "id": "security-control/EC2.53" + }, + "id": "arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.53/finding/f21e28e2-1077-4062-ac39-624b2776eb23", + "last_observed_at": "2024-09-11T08:00:06.960Z", + "processed_at": "2024-09-11T08:00:08.685Z", + "product": { + "arn": "arn:aws:securityhub:ap-south-1::product/aws/securityhub", + "fields": { + "RelatedAWSResources:0/name": "securityhub-vpc-sg-port-restriction-check-8bef9db4", + "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", + "Resources:0/Id": "arn:aws:ec2:ap-south-1:111111111111:security-group/sg-0dbc8c6200a0a9c51", + "aws/securityhub/CompanyName": "AWS", + "aws/securityhub/FindingId": "arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.53/finding/f21e28e2-1077-4062-ac39-624b2776eb23", + "aws/securityhub/ProductName": "Security Hub" + }, + "name": "Security Hub" + }, + "provider_fields": { + "severity": { + "label": "INFORMATIONAL", + "normalized": "0", + "original": "INFORMATIONAL" + }, + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ] + }, + "record_state": "ACTIVE", + "region": "ap-south-1", + "remediation": { + "recommendation": { + "text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", + "url": "https://docs.aws.amazon.com/console/securityhub/EC2.53/remediation" + } + }, + "resources": [ + { + "Details": { + "AwsEc2SecurityGroup": { + "GroupId": "sg-0dbc8c6200a0a9c51", + "GroupName": "elastic-agent-security-group-e4f7caa0-5f61-11ef-bb07-02fe87118279", + "IpPermissionsEgress": [ + { + "IpProtocol": "-1", + "IpRanges": [ + { + "CidrIp": "0.0.0.0/0" + } + ] + } + ], + "OwnerId": "111111111111", + "VpcId": "vpc-39017251" + } + }, + "Id": 
"arn:aws:ec2:ap-south-1:111111111111:security-group/sg-0dbc9c6210a0a9c51", + "Partition": "aws", + "Region": "ap-south-1", + "Tags": { + "aws:cloudformation:logical-id": "ElasticAgentSecurityGroup", + "aws:cloudformation:stack-id": "arn:aws:cloudformation:ap-south-1:111111111111:stack/Elastic-Cloud-Security-Posture-Management/e5f7caa0-6f60-11ef-bb07-02fe87118279", + "aws:cloudformation:stack-name": "Elastic-Cloud-Security-Posture-Management" + }, + "Type": "AwsEc2SecurityGroup" + } + ], + "schema": { + "version": "2018-10-08" + }, + "severity": { + "label": "INFORMATIONAL", + "normalized": "0", + "original": "INFORMATIONAL" + }, + "title": "EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports", + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ], + "updated_at": "2024-09-11T07:59:56.364Z", + "workflow": { + "state": "NEW", + "status": "RESOLVED" + } + } + }, + "cloud": { + "account": { + "id": "111111111111" + }, + "provider": "aws", + "region": "ap-south-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "configuration" + ], + "created": "2024-09-11T08:00:08.685Z", + "id": "arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.53/finding/f21e28e2-1077-4062-ac39-624b2776eb23", + "kind": "state", + "original": "{\"AwsAccountId\":\"111111111111\",\"CompanyName\":\"AWS\",\"Compliance\":{\"AssociatedStandards\":[{\"StandardsId\":\"standards/cis-aws-foundations-benchmark/v/3.0.0\"}],\"RelatedRequirements\":[\"CIS AWS Foundations Benchmark v3.0.0/5.2\"],\"SecurityControlId\":\"EC2.53\",\"Status\":\"PASSED\"},\"CreatedAt\":\"2024-09-10T11:03:33.389Z\",\"Description\":\"This control checks whether an Amazon EC2 security group allows ingress from 0.0.0.0/0 to remote server administration ports (ports 22 and 3389). 
The control fails if the security group allows ingress from 0.0.0.0/0 to port 22 or 3389.\",\"FindingProviderFields\":{\"Severity\":{\"Label\":\"INFORMATIONAL\",\"Normalized\":0,\"Original\":\"INFORMATIONAL\"},\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"]},\"FirstObservedAt\":\"2024-09-10T11:03:33.389Z\",\"GeneratorId\":\"security-control/EC2.53\",\"Id\":\"arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.53/finding/f21e28e2-1077-4062-ac39-624b2776eb23\",\"LastObservedAt\":\"2024-09-11T08:00:06.960Z\",\"ProcessedAt\":\"2024-09-11T08:00:08.685Z\",\"ProductArn\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub\",\"ProductFields\":{\"RelatedAWSResources:0/name\":\"securityhub-vpc-sg-port-restriction-check-8bef9db4\",\"RelatedAWSResources:0/type\":\"AWS::Config::ConfigRule\",\"Resources:0/Id\":\"arn:aws:ec2:ap-south-1:111111111111:security-group/sg-0dbc8c6200a0a9c51\",\"aws/securityhub/CompanyName\":\"AWS\",\"aws/securityhub/FindingId\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.53/finding/f21e28e2-1077-4062-ac39-624b2776eb23\",\"aws/securityhub/ProductName\":\"Security Hub\"},\"ProductName\":\"Security Hub\",\"RecordState\":\"ACTIVE\",\"Region\":\"ap-south-1\",\"Remediation\":{\"Recommendation\":{\"Text\":\"For information on how to correct this issue, consult the AWS Security Hub controls 
documentation.\",\"Url\":\"https://docs.aws.amazon.com/console/securityhub/EC2.53/remediation\"}},\"Resources\":[{\"Details\":{\"AwsEc2SecurityGroup\":{\"GroupId\":\"sg-0dbc8c6200a0a9c51\",\"GroupName\":\"elastic-agent-security-group-e4f7caa0-5f61-11ef-bb07-02fe87118279\",\"IpPermissionsEgress\":[{\"IpProtocol\":\"-1\",\"IpRanges\":[{\"CidrIp\":\"0.0.0.0/0\"}]}],\"OwnerId\":\"111111111111\",\"VpcId\":\"vpc-39017251\"}},\"Id\":\"arn:aws:ec2:ap-south-1:111111111111:security-group/sg-0dbc9c6210a0a9c51\",\"Partition\":\"aws\",\"Region\":\"ap-south-1\",\"Tags\":{\"aws:cloudformation:logical-id\":\"ElasticAgentSecurityGroup\",\"aws:cloudformation:stack-id\":\"arn:aws:cloudformation:ap-south-1:111111111111:stack/Elastic-Cloud-Security-Posture-Management/e5f7caa0-6f60-11ef-bb07-02fe87118279\",\"aws:cloudformation:stack-name\":\"Elastic-Cloud-Security-Posture-Management\"},\"Type\":\"AwsEc2SecurityGroup\"}],\"SchemaVersion\":\"2018-10-08\",\"Severity\":{\"Label\":\"INFORMATIONAL\",\"Normalized\":0,\"Original\":\"INFORMATIONAL\"},\"Title\":\"EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports\",\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"],\"UpdatedAt\":\"2024-09-11T07:59:56.364Z\",\"Workflow\":{\"Status\":\"RESOLVED\"},\"WorkflowState\":\"NEW\"}", + "outcome": "success", + "severity": 0, + "type": [ + "info" + ] + }, + "observer": { + "vendor": "AWS Security Hub" + }, + "organization": { + "name": "AWS" + }, + "result": { + "evaluation": "passed" + }, + "rule": { + "description": "This control checks whether an Amazon EC2 security group allows ingress from 0.0.0.0/0 to remote server administration ports (ports 22 and 3389). 
The control fails if the security group allows ingress from 0.0.0.0/0 to port 22 or 3389.", + "name": "EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports", + "reference": "https://docs.aws.amazon.com/console/securityhub/EC2.53/remediation", + "references": "https://docs.aws.amazon.com/console/securityhub/EC2.53/remediation", + "ruleset": [ + "CIS AWS Foundations Benchmark v3.0.0/5.2" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2024-09-10T16:51:26.034Z", + "aws": { + "securityhub_findings": { + "aws_account_id": "111111111111", + "company": { + "name": "AWS" + }, + "compliance": { + "related_requirements": [ + "NIST.800-53.r5 CA-9(1)", + "NIST.800-53.r5 CM-3(6)", + "NIST.800-53.r5 SC-13", + "NIST.800-53.r5 SC-28", + "NIST.800-53.r5 SC-28(1)", + "NIST.800-53.r5 SC-7(10)", + "NIST.800-53.r5 SI-7(6)" + ], + "status": "FAILED" + }, + "created_at": "2024-09-10T16:51:26.034Z", + "description": "This AWS control checks whether the EBS volumes that are in an attached state are encrypted.", + "first_observed_at": "2024-09-10T16:50:59.623Z", + "generator": { + "id": "security-control/EC2.3" + }, + "id": "arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.3/finding/972eddbf-43ae-4886-9416-ac9ddc2cecc0", + "last_observed_at": "2024-09-10T16:50:59.623Z", + "processed_at": "2024-09-10T16:51:39.864Z", + "product": { + "arn": "arn:aws:securityhub:ap-south-1::product/aws/securityhub", + "fields": { + "RelatedAWSResources:0/name": "securityhub-encrypted-volumes-4e81c587", + "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", + "Resources:0/Id": "arn:aws:ec2:ap-south-1:111111111111:volume/vol-03822fa7de881616e", + "aws/securityhub/CompanyName": "AWS", + "aws/securityhub/FindingId": 
"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.3/finding/972eddbf-43ae-4886-9416-ac9ddc2cecc0", + "aws/securityhub/ProductName": "Security Hub" + }, + "name": "Security Hub" + }, + "provider_fields": { + "severity": { + "label": "MEDIUM", + "normalized": "40", + "original": "MEDIUM" + }, + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ] + }, + "record_state": "ACTIVE", + "region": "ap-south-1", + "remediation": { + "recommendation": { + "text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", + "url": "https://docs.aws.amazon.com/console/securityhub/EC2.3/remediation" + } + }, + "resources": [ + { + "Details": { + "AwsEc2Volume": { + "Attachments": [ + { + "AttachTime": "2024-09-10T10:39:36.000Z", + "DeleteOnTermination": true, + "InstanceId": "i-0f1ede89308a584d8", + "Status": "attached" + } + ], + "CreateTime": "2024-09-10T10:39:36.313Z", + "Encrypted": false, + "Size": 32, + "SnapshotId": "snap-07cb2350b59fa5cce", + "Status": "in-use" + } + }, + "Id": "arn:aws:ec2:ap-south-1:111111111111:volume/vol-03821fa7de881617e", + "Partition": "aws", + "Region": "ap-south-1", + "Type": "AwsEc2Volume" + } + ], + "schema": { + "version": "2018-10-08" + }, + "severity": { + "label": "MEDIUM", + "normalized": "40", + "original": "MEDIUM" + }, + "title": "Attached EBS volumes should be encrypted at-rest", + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ], + "updated_at": "2024-09-10T16:51:26.034Z", + "workflow": { + "state": "NEW", + "status": "NEW" + } + } + }, + "cloud": { + "account": { + "id": "111111111111" + }, + "provider": "aws", + "region": "ap-south-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "configuration" + ], + "created": "2024-09-10T16:51:39.864Z", + "id": 
"arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.3/finding/972eddbf-43ae-4886-9416-ac9ddc2cecc0", + "kind": "state", + "original": "{\"AwsAccountId\":\"111111111111\",\"CompanyName\":\"AWS\",\"Compliance\":{\"AssociatedStandards\":[{\"StandardsId\":\"standards/aws-foundational-security-best-practices/v/1.0.0\"},{\"StandardsId\":\"standards/nist-800-53/v/5.0.0\"}],\"RelatedRequirements\":[\"NIST.800-53.r5 CA-9(1)\",\"NIST.800-53.r5 CM-3(6)\",\"NIST.800-53.r5 SC-13\",\"NIST.800-53.r5 SC-28\",\"NIST.800-53.r5 SC-28(1)\",\"NIST.800-53.r5 SC-7(10)\",\"NIST.800-53.r5 SI-7(6)\"],\"SecurityControlId\":\"EC2.3\",\"Status\":\"FAILED\"},\"CreatedAt\":\"2024-09-10T16:51:26.034Z\",\"Description\":\"This AWS control checks whether the EBS volumes that are in an attached state are encrypted.\",\"FindingProviderFields\":{\"Severity\":{\"Label\":\"MEDIUM\",\"Normalized\":40,\"Original\":\"MEDIUM\"},\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"]},\"FirstObservedAt\":\"2024-09-10T16:50:59.623Z\",\"GeneratorId\":\"security-control/EC2.3\",\"Id\":\"arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.3/finding/972eddbf-43ae-4886-9416-ac9ddc2cecc0\",\"LastObservedAt\":\"2024-09-10T16:50:59.623Z\",\"ProcessedAt\":\"2024-09-10T16:51:39.864Z\",\"ProductArn\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub\",\"ProductFields\":{\"RelatedAWSResources:0/name\":\"securityhub-encrypted-volumes-4e81c587\",\"RelatedAWSResources:0/type\":\"AWS::Config::ConfigRule\",\"Resources:0/Id\":\"arn:aws:ec2:ap-south-1:111111111111:volume/vol-03822fa7de881616e\",\"aws/securityhub/CompanyName\":\"AWS\",\"aws/securityhub/FindingId\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.3/finding/972eddbf-43ae-4886-9416-ac9ddc2cecc0\",\"aws/securityhub/ProductName\":\"Security Hub\"},\"ProductName\":\"Security 
Hub\",\"RecordState\":\"ACTIVE\",\"Region\":\"ap-south-1\",\"Remediation\":{\"Recommendation\":{\"Text\":\"For information on how to correct this issue, consult the AWS Security Hub controls documentation.\",\"Url\":\"https://docs.aws.amazon.com/console/securityhub/EC2.3/remediation\"}},\"Resources\":[{\"Details\":{\"AwsEc2Volume\":{\"Attachments\":[{\"AttachTime\":\"2024-09-10T10:39:36.000Z\",\"DeleteOnTermination\":true,\"InstanceId\":\"i-0f1ede89308a584d8\",\"Status\":\"attached\"}],\"CreateTime\":\"2024-09-10T10:39:36.313Z\",\"Encrypted\":false,\"Size\":32,\"SnapshotId\":\"snap-07cb2350b59fa5cce\",\"Status\":\"in-use\"}},\"Id\":\"arn:aws:ec2:ap-south-1:111111111111:volume/vol-03821fa7de881617e\",\"Partition\":\"aws\",\"Region\":\"ap-south-1\",\"Type\":\"AwsEc2Volume\"}],\"SchemaVersion\":\"2018-10-08\",\"Severity\":{\"Label\":\"MEDIUM\",\"Normalized\":40,\"Original\":\"MEDIUM\"},\"Title\":\"Attached EBS volumes should be encrypted at-rest\",\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"],\"UpdatedAt\":\"2024-09-10T16:51:26.034Z\",\"Workflow\":{\"Status\":\"NEW\"},\"WorkflowState\":\"NEW\"}", + "outcome": "failure", + "severity": 40, + "type": [ + "info" + ] + }, + "observer": { + "vendor": "AWS Security Hub" + }, + "organization": { + "name": "AWS" + }, + "result": { + "evaluation": "failed" + }, + "rule": { + "description": "This AWS control checks whether the EBS volumes that are in an attached state are encrypted.", + "name": "Attached EBS volumes should be encrypted at-rest", + "reference": "https://docs.aws.amazon.com/console/securityhub/EC2.3/remediation", + "references": "https://docs.aws.amazon.com/console/securityhub/EC2.3/remediation", + "ruleset": [ + "NIST.800-53.r5 CA-9(1)", + "NIST.800-53.r5 CM-3(6)", + "NIST.800-53.r5 SC-13", + "NIST.800-53.r5 SC-28", + "NIST.800-53.r5 SC-28(1)", + "NIST.800-53.r5 SC-7(10)", + "NIST.800-53.r5 SI-7(6)" + ] + }, "tags": [ "preserve_original_event", 
"preserve_duplicate_custom_fields" diff --git a/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml b/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml index 2dafd11a833..d535fdc3bd3 100644 --- a/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml +++ b/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml @@ -6,10 +6,14 @@ processors: value: '8.11.0' - set: field: event.kind - value: event - - set: + value: state + - append: field: event.type - value: [info] + value: info + - append: + field: event.category + value: configuration + tag: append_event_category - rename: field: message target_field: event.original @@ -26,6 +30,14 @@ processors: - json.CreatedAt target_field: _id ignore_missing: true + - set: + field: observer.vendor + value: AWS Security Hub + tag: set_observer_vendor + - set: + field: cloud.provider + value: aws + tag: set_cloud_provider - rename: field: json.Action.ActionType target_field: aws.securityhub_findings.action.type 
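Review bot: `event.category: configuration` is appended unconditionally at the top of the pipeline, yet this data stream ingests every Security Hub finding, including ones aggregated from threat-detection providers (the sample log already contains a GuardDuty-style PORT_PROBE finding) for which a configuration-check category is misleading. At this point in the pipeline the JSON has not been parsed yet, so the append cannot be gated on the finding's content here; consider moving it next to the Compliance handling and conditioning it with `if: ctx.aws?.securityhub_findings?.compliance?.status != null`, so only findings that actually carry a compliance evaluation are labelled `configuration`. The same consideration applies to forcing `event.kind: state` for non-compliance findings, where `alert` arguably fits better; if the intent is that every document is a posture snapshot regardless of provider, a comment above `set_event_kind` stating that would save the next reader the question.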
@@ -463,10 +475,56 @@ processors: field: json.Compliance.RelatedRequirements target_field: aws.securityhub_findings.compliance.related_requirements ignore_missing: true + - foreach: + field: aws.securityhub_findings.compliance.related_requirements + if: ctx.aws?.securityhub_findings?.compliance?.related_requirements instanceof List + tag: foreach_compliance_related_requirements + processor: + append: + field: rule.ruleset + value: '{{{_ingest._value}}}' + tag: append_related_requirements_rule_ruleset + allow_duplicates: false - rename: field: json.Compliance.Status target_field: aws.securityhub_findings.compliance.status ignore_missing: true + - set: + field: result.evaluation + tag: set_result_evaluation_passed + value: passed + if: ctx.aws?.securityhub_findings?.compliance?.status == 'PASSED' + ignore_empty_value: true + - set: + field: result.evaluation + tag: set_result_evaluation_failed + value: failed + if: ctx.aws?.securityhub_findings?.compliance?.status == 'FAILED' + ignore_empty_value: true + - set: + field: result.evaluation + tag: set_result_evaluation_unknown + value: unknown + if: ctx.result?.evaluation == null + ignore_empty_value: true + - set: + field: event.outcome + tag: set_event_outcome_success + value: success + if: ctx.aws?.securityhub_findings?.compliance?.status == 'PASSED' + ignore_empty_value: true + - set: + field: event.outcome + tag: set_event_outcome_failure + value: failure + if: ctx.aws?.securityhub_findings?.compliance?.status == 'FAILED' + ignore_empty_value: true + - set: + field: event.outcome + tag: set_event_outcome_unknown + value: unknown + if: ctx.event?.outcome == null + ignore_empty_value: true - foreach: field: json.Compliance.StatusReasons processor: 
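Review bot: The `unknown` fallbacks for `result.evaluation` and `event.outcome` fire for every finding that has no `Compliance.Status` at all, i.e. any finding that is not a control check, so such documents are stamped `result.evaluation: unknown` and `event.outcome: unknown` although no evaluation took place and ECS recommends leaving `event.outcome` unset in that case. Restrict both fallbacks with `if: ctx.aws?.securityhub_findings?.compliance?.status != null && ctx.result?.evaluation == null` (and the equivalent `ctx.event?.outcome == null` for the outcome). ASFF also defines `WARNING` and `NOT_AVAILABLE` compliance statuses (confirm against the current schema); if those should not silently read as `unknown`, map them explicitly. `ignore_empty_value: true` has no effect on a `set` that uses a literal `value` and can be dropped from these six processors.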
@@ -510,10 +568,22 @@ processors: - append: field: error.message value: '{{{_ingest.on_failure_message}}}' + - date: + field: json.UpdatedAt + if: ctx.json?.UpdatedAt != null && ctx.json?.UpdatedAt != '' + target_field: aws.securityhub_findings.updated_at + formats: + - ISO8601 + - yyyy-MM-dd'T'HH:mm:ss.SSS'Z' + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' - set: field: '@timestamp' - copy_from : aws.securityhub_findings.created_at - ignore_failure: true + copy_from : aws.securityhub_findings.updated_at + tag: set_timestamp + ignore_empty_value: true - convert: field: json.Criticality target_field: aws.securityhub_findings.criticality @@ -528,6 +598,11 @@ processors: field: json.Description target_field: aws.securityhub_findings.description ignore_missing: true + - set: + field: rule.description + tag: set_rule_description + copy_from: aws.securityhub_findings.description + ignore_empty_value: true - convert: field: json.FindingProviderFields.Confidence target_field: aws.securityhub_findings.provider_fields.confidence @@ -636,6 +711,23 @@ processors: - append: field: error.message value: '{{{_ingest.on_failure_message}}}' + - date: + field: json.ProcessedAt + if: ctx.json?.ProcessedAt != null && ctx.json?.ProcessedAt != '' + target_field: aws.securityhub_findings.processed_at + tag: date_processed_at + formats: + - ISO8601 + - yyyy-MM-dd'T'HH:mm:ss.SSS'Z' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.created + tag: set_event_created + copy_from: aws.securityhub_findings.processed_at + ignore_empty_value: true - foreach: field: json.Malware processor: 
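Review bot: Switching `@timestamp` to `updated_at` drops the previous `created_at` fallback: if `json.UpdatedAt` is missing or fails to parse, `set_timestamp` now skips silently (`ignore_empty_value: true`) and `@timestamp` keeps whatever the shipper assigned, while the parse error is only appended to `error.message`. Since `created_at` is parsed immediately above, add a fallback right after `set_timestamp`: `- set: { field: '@timestamp', copy_from: aws.securityhub_findings.created_at, if: ctx.aws?.securityhub_findings?.updated_at == null, ignore_empty_value: true }`. For consistency with the new `date_processed_at` processor, the moved `UpdatedAt` date processor should also carry `tag: date_updated_at` and the same detailed `on_failure` message (processor type, tag and pipeline), which is what makes these failures debuggable from `error.message`. The second format `yyyy-MM-dd'T'HH:mm:ss.SSS'Z'` is already covered by `ISO8601` in both processors and can be removed.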
@@ -1375,6 +1467,11 @@ processors: field: json.Region target_field: aws.securityhub_findings.region ignore_missing: true + - set: + field: cloud.region + tag: set_cloud_region + copy_from: aws.securityhub_findings.region + ignore_empty_value: true - foreach: field: json.RelatedFindings processor: 
@@ -1405,10 +1502,179 @@ processors: field: json.Remediation.Recommendation.Url target_field: aws.securityhub_findings.remediation.recommendation.url ignore_missing: true + - set: + field: rule.reference + tag: set_rule_reference + copy_from: aws.securityhub_findings.remediation.recommendation.url + ignore_empty_value: true + - set: + field: rule.references + tag: set_rule_references + copy_from: aws.securityhub_findings.remediation.recommendation.url + ignore_empty_value: true - rename: field: json.Resources target_field: aws.securityhub_findings.resources ignore_missing: true + - script: + description: Extract ECS fields from aws.securityhub_findings.resources. + lang: painless + if: ctx.aws?.securityhub_findings?.resources instanceof List && ctx.aws.securityhub_findings.resources.size() > 0 + source: |- + def resources = ctx.aws.securityhub_findings.resources; + for (resource in resources) { + // Extract ECS user field + if (ctx.user == null) { + ctx.user = new HashMap(); + } + if (ctx.user.name == null) { + ctx.user.name = new ArrayList(); + } + if (ctx.user.id == null) { + ctx.user.id = new ArrayList(); + } + if (resource.Type == 'AwsIamUser' && resource.Details?.AwsIamUser?.UserName != null) { + ctx.user.name.add(resource.Details.AwsIamUser.UserName); + } + if (resource.Type == 'AwsIamAccessKey' && resource.Details?.AwsIamAccessKey?.UserName != null) { + ctx.user.name.add(resource.Details.AwsIamAccessKey.UserName); + } + if (resource.Type == 'AwsS3Bucket' && resource.Details?.AwsS3Bucket?.OwnerName != null) { + ctx.user.name.add(resource.Details.AwsS3Bucket.OwnerName); + } + if (resource.Type == 'AwsIamUser' && resource.Details?.AwsIamUser?.UserId != null) { + ctx.user.id.add(resource.Details.AwsIamUser.UserId); + } + if (resource.Type == 'AwsS3Bucket' && resource.Details?.AwsS3Bucket?.OwnerId != null) { + ctx.user.id.add(resource.Details.AwsS3Bucket.OwnerId); + } + + // Extract ECS host field + if (ctx.host == null) { + ctx.host = new HashMap(); + } + if 
(ctx.host.id == null) { + ctx.host.id = new ArrayList(); + } + if (resource.Type == 'AwsEc2Instance' && resource.Id != null) { + ctx.host.id.add(resource.Id); + } + + // Extract ECS orchestrator field + if (ctx.orchestrator == null) { + ctx.orchestrator = new HashMap(); + } + if (ctx.orchestrator.cluster == null) { + ctx.orchestrator.cluster = new HashMap(); + } + if (ctx.orchestrator.cluster.id == null) { + ctx.orchestrator.cluster.id = new ArrayList(); + } + if (ctx.orchestrator.cluster.name == null) { + ctx.orchestrator.cluster.name = new ArrayList(); + } + if (['AwsEcsCluster', 'AwsEcsTask'].contains(resource.Type) && resource.Details?.AwsEcsCluster?.ClusterArn != null) { + ctx.orchestrator.cluster.id.add(resource.Details.AwsEcsCluster.ClusterArn); + } + if (resource.Type == 'AwsEksCluster' && resource.Details?.AwsEksCluster?.Arn != null) { + ctx.orchestrator.cluster.id.add(resource.Details.AwsEksCluster.Arn); + } + if (resource.Type == 'AwsEcsCluster' && resource.Details?.AwsEcsCluster?.ClusterName != null) { + ctx.orchestrator.cluster.name.add(resource.Details.AwsEcsCluster.ClusterName); + } + if (resource.Type == 'AwsEksCluster' && resource.Details?.AwsEksCluster?.Name != null) { + ctx.orchestrator.cluster.name.add(resource.Details.AwsEksCluster.Name); + } + } + + # - foreach: + # field: aws.securityhub_findings.resources + # if: ctx.aws?.securityhub_findings?.resources instanceof List + # tag: foreach_resources_details_awsiamuser_username + # processor: + # append: + # field: user.name + # value: '{{{_ingest._value.Details.AwsIamUser.UserName}}}' + # if: _ingest._value.Type == 'AwsIamUser' && _ingest._value.Details?.AwsIamUser?.UserName != null + # tag: append_details_awsiamuser_username + # allow_duplicates: false + # - foreach: + # field: aws.securityhub_findings.resources + # if: ctx.aws?.securityhub_findings?.resources instanceof List + # tag: foreach_resources_awsiamaccesskey_username + # processor: + # append: + # field: user.name + # value: 
'{{{_ingest._value.Details.AwsIamAccessKey.UserName}}}' + # if: _ingest._value.Type == 'AwsIamAccessKey' && _ingest._value.Details?.AwsIamAccessKey?.UserName != null + # tag: append_details_awsiamaccesskey_username + # allow_duplicates: false + # - foreach: + # field: aws.securityhub_findings.resources + # if: ctx.aws?.securityhub_findings?.resources instanceof List + # tag: foreach_resources_awsiamuser_userid + # processor: + # append: + # field: user.id + # value: '{{{_ingest._value.Details.AwsIamUser.UserId}}}' + # if: _ingest._value.Type == 'AwsIamUser' && _ingest._value.Details?.AwsIamUser?.UserId != null + # tag: append_details_awsiamuser_userid + # allow_duplicates: false + # - foreach: + # field: aws.securityhub_findings.resources + # if: ctx.aws?.securityhub_findings?.resources instanceof List + # tag: foreach_resources_awsec2instance_hostid + # processor: + # append: + # field: host.id + # value: '{{{_ingest._value.Id}}}' + # if: _ingest._value.Type == 'AwsEc2Instance' + # tag: append_details_awsec2instance_hostid + # allow_duplicates: false + # - foreach: + # field: aws.securityhub_findings.resources + # if: ctx.aws?.securityhub_findings?.resources instanceof List + # tag: foreach_resources_awsecs_clusterid + # processor: + # append: + # field: orchestrator.cluster.id + # value: '{{{_ingest._value.ClusterArn}}}' + # if: (_ingest._value.Type == 'AwsEcsCluster' || _ingest._value.Type == 'AwsEcsTask') && _ingest._value.ClusterArn != null + # tag: append_details_awsecs_clusterid + # allow_duplicates: false + # - foreach: + # field: aws.securityhub_findings.resources + # if: ctx.aws?.securityhub_findings?.resources instanceof List + # tag: foreach_resources_awseks_clusterid + # processor: + # append: + # field: orchestrator.cluster.id + # value: '{{{_ingest._value.Arn}}}' + # if: _ingest._value.Type == 'AwsEksCluster' && _ingest._value.Arn != null + # tag: append_details_awseks_clusterid + # allow_duplicates: false + # - foreach: + # field: 
aws.securityhub_findings.resources + # if: ctx.aws?.securityhub_findings?.resources instanceof List + # tag: foreach_resources_awsecs_clustername + # processor: + # append: + # field: orchestrator.cluster.name + # value: '{{{_ingest._value.ClusterName}}}' + # if: _ingest._value.Type == 'AwsEcsCluster' && _ingest._value.ClusterName != null + # tag: append_details_awsecs_clustername + # allow_duplicates: false + # - foreach: + # field: aws.securityhub_findings.resources + # if: ctx.aws?.securityhub_findings?.resources instanceof List + # tag: foreach_resources_awseks_clustername + # processor: + # append: + # field: orchestrator.cluster.name + # value: '{{{_ingest._value.Name}}}' + # if: _ingest._value.Type == 'AwsEksCluster' && _ingest._value.Name != null + # tag: append_details_awseks_clustername + # allow_duplicates: false - convert: field: json.Sample target_field: aws.securityhub_findings.sample @@ -1437,6 +1703,16 @@ processors: - append: field: error.message value: '{{{_ingest.on_failure_message}}}' + - convert: + field: aws.securityhub_findings.severity.normalized + tag: convert_severity_normalized + target_field: event.severity + if: ctx.aws?.securityhub_findings?.severity?.normalized != null + type: long + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - rename: field: json.Severity.Original target_field: aws.securityhub_findings.severity.original 
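Review bot: The ECS-task branch of the resources script can never match: for `resource.Type == 'AwsEcsTask'` it reads `resource.Details?.AwsEcsCluster?.ClusterArn`, but an AwsEcsTask resource carries its details under `Details.AwsEcsTask` (which has its own `ClusterArn`), so a task's cluster is only extracted when the type is AwsEcsCluster — confirm against the ASFF schema and split it into `if (resource.Type == 'AwsEcsTask' && resource.Details?.AwsEcsTask?.ClusterArn != null) { ctx.orchestrator.cluster.id.add(resource.Details.AwsEcsTask.ClusterArn); }`. The script appends with plain `.add()`, so a finding listing several resources of one type can produce duplicate `host.id` / `orchestrator.cluster.id` values, which the commented-out `append` processors avoided with `allow_duplicates: false`; a `contains()` guard before each `add` restores that. `ctx.user`, `ctx.host` and `ctx.orchestrator` are initialised with empty lists for every finding before any match is known, leaving empty arrays on documents unless a later cleanup step removes them (none is visible in this hunk); creating the maps only when a value is actually added avoids depending on that. Finally, the ~90 lines of commented-out `foreach` processors following the script are a dead duplicate of it and should be deleted rather than shipped in the pipeline.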
@@ -1592,21 +1868,15 @@ processors:
field: json.Title
target_field: aws.securityhub_findings.title
ignore_missing: true
+ - set:
+ field: rule.name
+ tag: set_rule_name
+ copy_from: aws.securityhub_findings.title
+ ignore_empty_value: true
- rename:
field: json.Types
target_field: aws.securityhub_findings.types
ignore_missing: true
- - date:
- field: json.UpdatedAt
- if: ctx.json?.UpdatedAt != null && ctx.json?.UpdatedAt != ''
- target_field: aws.securityhub_findings.updated_at
- formats:
- - ISO8601
- - yyyy-MM-dd'T'HH:mm:ss.SSS'Z'
- on_failure:
- - append:
- field: error.message
- value: '{{{_ingest.on_failure_message}}}'
- rename:
field: json.UserDefinedFields
target_field: aws.securityhub_findings.user_defined_fields
diff --git a/packages/aws/data_stream/securityhub_findings/fields/fields.yml b/packages/aws/data_stream/securityhub_findings/fields/fields.yml
index 0d4765d4a2f..e545d08d887 100644
--- a/packages/aws/data_stream/securityhub_findings/fields/fields.yml
+++ b/packages/aws/data_stream/securityhub_findings/fields/fields.yml
@@ -289,6 +289,9 @@
- name: confidence
type: long
description: A finding's confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify.
+ - name: processed_at
+ type: date
+ description: Indicates when AWS Security Hub received a finding and begins to process it.
- name: created_at
type: date
description: Indicates when the security-findings provider created the potential security issue that a finding captured.
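Review bot: The `date` processor for `json.UpdatedAt` is removed in this hunk with no replacement visible, so unless it was relocated earlier in the pipeline (the +302 diffstat for default.yml suggests a restructure) `aws.securityhub_findings.updated_at` stops being populated; the commit message should say where it moved so reviewers do not have to hunt for it. On the new `set_rule_name` processor, a short comment recording why the finding title is used as the rule name would help later readers, e.g. `# Security Hub control findings carry the control name in Title.`; if third-party provider findings put finding-specific text in Title, `rule.name` will vary per finding, which is worth confirming against the test samples. The enclosing `processors` list continues beyond both ends of the hunk.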
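Review bot: `processed_at` is inserted between `confidence` and `created_at`, which appears to break the alphabetical order the surrounding entries follow; moving it after the `process` group keeps the file in the same order as the generated docs table. Minor, but it makes later field additions easier to diff.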
@@ -0,0 +1,11 @@
+- name: resource
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ - name: name
+ type: keyword
+ - name: type
+ type: keyword
+ - name: sub_type
+ type: keyword
diff --git a/packages/aws/data_stream/securityhub_findings/fields/result.yml b/packages/aws/data_stream/securityhub_findings/fields/result.yml
new file mode 100644
index 00000000000..c465d18bc64
--- /dev/null
+++ b/packages/aws/data_stream/securityhub_findings/fields/result.yml
@@ -0,0 +1,16 @@
+- name: result
+ type: group
+ fields:
+ - name: evaluation
+ type: keyword
+ - name: evidence
+ type: group
+ fields:
+ - name: current_value
+ type: text
+ - name: expected_value
+ type: text
+ - name: configuration_path
+ type: text
+ - name: cloud_configuration_link
+ type: text
diff --git a/packages/aws/data_stream/securityhub_findings/fields/rule.yml b/packages/aws/data_stream/securityhub_findings/fields/rule.yml
new file mode 100644
index 00000000000..b9d505b971f
--- /dev/null
+++ b/packages/aws/data_stream/securityhub_findings/fields/rule.yml
@@ -0,0 +1,17 @@
+- name: rule
+ type: group
+ fields:
+ - name: uuid
+ type: keyword
+ - name: id
+ type: keyword
+ - name: name
+ type: keyword
+ - name: description
+ type: text
+ - name: remediation
+ type: text
+ - name: references
+ type: text
+ - name: reference
+ type: text
diff --git a/packages/aws/docs/securityhub.md b/packages/aws/docs/securityhub.md
index fa46ef19325..1492b79fd54 100644
--- a/packages/aws/docs/securityhub.md
+++ b/packages/aws/docs/securityhub.md
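Review bot: None of the fields in this new resource.yml has a `description`, and the same holds for result.yml and rule.yml in this commit; the regenerated docs table in securityhub.md shows the effect as an empty description column for every `resource.*`, `result.*` and `rule.*` row. Each entry should state which part of the Security Hub finding populates it, e.g. under `- name: id` add `description: Identifier of the resource the finding applies to.`, and for `sub_type`, whose source is not obvious from the name, say what values it takes.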
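Review bot: `rule.uuid`, `rule.id`, `rule.name`, `rule.description` and `rule.reference` exist in ECS, so if this data stream's ecs.yml already references `rule.*` via `external: ecs`, these local definitions duplicate them and the package build may reject or silently shadow the mapping; please check and keep a single source for each. Having both `references` and the ECS `reference` in one group is easy to misread — a description stating that `references` holds a list of remediation URLs (if that is the intent) and that `reference` is the single ECS URL field would settle it, or drop one of them.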
@@ -590,6 +590,7 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur
| aws.securityhub_findings.process.path | The path to the process executable. | keyword |
| aws.securityhub_findings.process.pid | The process ID. | long |
| aws.securityhub_findings.process.terminated_at | Indicates when the process was terminated. | date |
+| aws.securityhub_findings.processed_at | Indicates when AWS Security Hub received a finding and begins to process it. | date |
| aws.securityhub_findings.product.arn | The ARN generated by Security Hub that uniquely identifies a product that generates findings. This can be the ARN for a third-party product that is integrated with Security Hub, or the ARN for a custom integration. | keyword |
| aws.securityhub_findings.product.fields | A data type where security-findings providers can include additional solution-specific details that aren't part of the defined AwsSecurityFinding format. | flattened |
| aws.securityhub_findings.product.name | The name of the product that generated the finding. | keyword |
@@ -660,6 +661,22 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur
| host.os.codename | OS codename, if any. | keyword |
| input.type | Input type | keyword |
| log.offset | Log offset | long |
+| resource.id | | keyword |
+| resource.name | | keyword |
+| resource.sub_type | | keyword |
+| resource.type | | keyword |
+| result.evaluation | | keyword |
+| result.evidence.cloud_configuration_link | | text |
+| result.evidence.configuration_path | | text |
+| result.evidence.current_value | | text |
+| result.evidence.expected_value | | text |
+| rule.description | | text |
+| rule.id | | keyword |
+| rule.name | | keyword |
+| rule.reference | | text |
+| rule.references | | text |
+| rule.remediation | | text |
+| rule.uuid | | keyword |
| url.user_info | | keyword |
diff --git a/packages/aws/manifest.yml b/packages/aws/manifest.yml
index c3d6ead9600..12145bf7499 100644
--- a/packages/aws/manifest.yml
+++ b/packages/aws/manifest.yml
@@ -1,7 +1,7 @@
format_version: 3.0.0
name: aws
title: AWS
-version: 2.24.1
+version: 2.25.0
description: Collect logs and metrics from Amazon Web Services (AWS) with Elastic Agent.
type: integration
categories:
From 93dd7264359f065e1c2a12955c10df46be7feebf Mon Sep 17 00:00:00 2001
From: kcreddy
Date: Tue, 17 Sep 2024 18:32:20 +0530
Subject: [PATCH 02/28] reformat
---
packages/aws/changelog.yml | 2 +-
.../elasticsearch/ingest_pipeline/default.yml | 89 -------------------
2 files changed, 1 insertion(+), 90 deletions(-)
diff --git a/packages/aws/changelog.yml b/packages/aws/changelog.yml
index 8c99e2105cb..3e85f2ae66b 100644
--- a/packages/aws/changelog.yml
+++ b/packages/aws/changelog.yml
@@ -3,7 +3,7 @@
changes:
- description: Improve support for CDR in securityhub_findings data stream.
type: enhancement
- link: https://github.com/elastic/integrations/pull/
+ link: https://github.com/elastic/integrations/pull/11158
- version: "2.24.1"
changes:
- description: Fixed and refactored AWS cloudfront log parsing.
diff --git a/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml b/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml
index d535fdc3bd3..afd578756a3 100644
--- a/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml
@@ -1586,95 +1586,6 @@ processors: ctx.orchestrator.cluster.name.add(resource.Details.AwsEksCluster.Name); } } - - # - foreach: - # field: aws.securityhub_findings.resources - # if: ctx.aws?.securityhub_findings?.resources instanceof List - # tag: foreach_resources_details_awsiamuser_username - # processor: - # append: - # field: user.name - # value: '{{{_ingest._value.Details.AwsIamUser.UserName}}}' - # if: _ingest._value.Type == 'AwsIamUser' && _ingest._value.Details?.AwsIamUser?.UserName != null - # tag: append_details_awsiamuser_username - # allow_duplicates: false - # - foreach: - # field: aws.securityhub_findings.resources - # if: ctx.aws?.securityhub_findings?.resources instanceof List - # tag: foreach_resources_awsiamaccesskey_username - # processor: - # append: - # field: user.name - # value: '{{{_ingest._value.Details.AwsIamAccessKey.UserName}}}' - # if: _ingest._value.Type == 'AwsIamAccessKey' && _ingest._value.Details?.AwsIamAccessKey?.UserName != null - # tag: append_details_awsiamaccesskey_username - # allow_duplicates: false - # - foreach: - # field: aws.securityhub_findings.resources - # if: ctx.aws?.securityhub_findings?.resources instanceof List - # tag: foreach_resources_awsiamuser_userid - # processor: - # append: - # field: user.id - # value: '{{{_ingest._value.Details.AwsIamUser.UserId}}}' - # if: _ingest._value.Type == 'AwsIamUser' && _ingest._value.Details?.AwsIamUser?.UserId != null - # tag: append_details_awsiamuser_userid - # allow_duplicates: false - # - foreach: - # field: aws.securityhub_findings.resources - # if: ctx.aws?.securityhub_findings?.resources instanceof List - # tag: foreach_resources_awsec2instance_hostid - # processor: - # append: - # field: host.id - # value: '{{{_ingest._value.Id}}}' - # if: _ingest._value.Type == 'AwsEc2Instance' - # tag: append_details_awsec2instance_hostid - # allow_duplicates: false - # - foreach: - # field: aws.securityhub_findings.resources - # if: ctx.aws?.securityhub_findings?.resources 
instanceof List - # tag: foreach_resources_awsecs_clusterid - # processor: - # append: - # field: orchestrator.cluster.id - # value: '{{{_ingest._value.ClusterArn}}}' - # if: (_ingest._value.Type == 'AwsEcsCluster' || _ingest._value.Type == 'AwsEcsTask') && _ingest._value.ClusterArn != null - # tag: append_details_awsecs_clusterid - # allow_duplicates: false - # - foreach: - # field: aws.securityhub_findings.resources - # if: ctx.aws?.securityhub_findings?.resources instanceof List - # tag: foreach_resources_awseks_clusterid - # processor: - # append: - # field: orchestrator.cluster.id - # value: '{{{_ingest._value.Arn}}}' - # if: _ingest._value.Type == 'AwsEksCluster' && _ingest._value.Arn != null - # tag: append_details_awseks_clusterid - # allow_duplicates: false - # - foreach: - # field: aws.securityhub_findings.resources - # if: ctx.aws?.securityhub_findings?.resources instanceof List - # tag: foreach_resources_awsecs_clustername - # processor: - # append: - # field: orchestrator.cluster.name - # value: '{{{_ingest._value.ClusterName}}}' - # if: _ingest._value.Type == 'AwsEcsCluster' && _ingest._value.ClusterName != null - # tag: append_details_awsecs_clustername - # allow_duplicates: false - # - foreach: - # field: aws.securityhub_findings.resources - # if: ctx.aws?.securityhub_findings?.resources instanceof List - # tag: foreach_resources_awseks_clustername - # processor: - # append: - # field: orchestrator.cluster.name - # value: '{{{_ingest._value.Name}}}' - # if: _ingest._value.Type == 'AwsEksCluster' && _ingest._value.Name != null - # tag: append_details_awseks_clustername - # allow_duplicates: false - convert: field: json.Sample target_field: aws.securityhub_findings.sample From 364c668f4e1320fc65ce9e1b02c8d1df96c60049 Mon Sep 17 00:00:00 2001 
From: kcreddy
Date: Tue, 17 Sep 2024 18:38:24 +0530
Subject: [PATCH 03/28] reformat
---
packages/aws/changelog.yml | 2 +-
.../elasticsearch/ingest_pipeline/default.yml | 89 -------------------
2 files changed, 1 insertion(+), 90 deletions(-)
diff --git a/packages/aws/changelog.yml b/packages/aws/changelog.yml
index 8c99e2105cb..3e85f2ae66b 100644
--- a/packages/aws/changelog.yml
+++ b/packages/aws/changelog.yml
@@ -3,7 +3,7 @@
changes:
- description: Improve support for CDR in securityhub_findings data stream.
type: enhancement
- link: https://github.com/elastic/integrations/pull/
+ link: https://github.com/elastic/integrations/pull/11158
- version: "2.24.1"
changes:
- description: Fixed and refactored AWS cloudfront log parsing.
diff --git a/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml b/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml
index d535fdc3bd3..afd578756a3 100644
--- a/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml
@@ -1586,95 +1586,6 @@ processors: ctx.orchestrator.cluster.name.add(resource.Details.AwsEksCluster.Name); } } - - # - foreach: - # field: aws.securityhub_findings.resources - # if: ctx.aws?.securityhub_findings?.resources instanceof List - # tag: foreach_resources_details_awsiamuser_username - # processor: - # append: - # field: user.name - # value: '{{{_ingest._value.Details.AwsIamUser.UserName}}}' - # if: _ingest._value.Type == 'AwsIamUser' && _ingest._value.Details?.AwsIamUser?.UserName != null - # tag: append_details_awsiamuser_username - # allow_duplicates: false - # - foreach: - # field: aws.securityhub_findings.resources - # if: ctx.aws?.securityhub_findings?.resources instanceof List - # tag: foreach_resources_awsiamaccesskey_username - # processor: - # append: - # field: user.name - # value: '{{{_ingest._value.Details.AwsIamAccessKey.UserName}}}' - # if: _ingest._value.Type == 'AwsIamAccessKey' && _ingest._value.Details?.AwsIamAccessKey?.UserName != null - # tag: append_details_awsiamaccesskey_username - # allow_duplicates: false - # - foreach: - # field: aws.securityhub_findings.resources - # if: ctx.aws?.securityhub_findings?.resources instanceof List - # tag: foreach_resources_awsiamuser_userid - # processor: - # append: - # field: user.id - # value: '{{{_ingest._value.Details.AwsIamUser.UserId}}}' - # if: _ingest._value.Type == 'AwsIamUser' && _ingest._value.Details?.AwsIamUser?.UserId != null - # tag: append_details_awsiamuser_userid - # allow_duplicates: false - # - foreach: - # field: aws.securityhub_findings.resources - # if: ctx.aws?.securityhub_findings?.resources instanceof List - # tag: foreach_resources_awsec2instance_hostid - # processor: - # append: - # field: host.id - # value: '{{{_ingest._value.Id}}}' - # if: _ingest._value.Type == 'AwsEc2Instance' - # tag: append_details_awsec2instance_hostid - # allow_duplicates: false - # - foreach: - # field: aws.securityhub_findings.resources - # if: ctx.aws?.securityhub_findings?.resources 
instanceof List - # tag: foreach_resources_awsecs_clusterid - # processor: - # append: - # field: orchestrator.cluster.id - # value: '{{{_ingest._value.ClusterArn}}}' - # if: (_ingest._value.Type == 'AwsEcsCluster' || _ingest._value.Type == 'AwsEcsTask') && _ingest._value.ClusterArn != null - # tag: append_details_awsecs_clusterid - # allow_duplicates: false - # - foreach: - # field: aws.securityhub_findings.resources - # if: ctx.aws?.securityhub_findings?.resources instanceof List - # tag: foreach_resources_awseks_clusterid - # processor: - # append: - # field: orchestrator.cluster.id - # value: '{{{_ingest._value.Arn}}}' - # if: _ingest._value.Type == 'AwsEksCluster' && _ingest._value.Arn != null - # tag: append_details_awseks_clusterid - # allow_duplicates: false - # - foreach: - # field: aws.securityhub_findings.resources - # if: ctx.aws?.securityhub_findings?.resources instanceof List - # tag: foreach_resources_awsecs_clustername - # processor: - # append: - # field: orchestrator.cluster.name - # value: '{{{_ingest._value.ClusterName}}}' - # if: _ingest._value.Type == 'AwsEcsCluster' && _ingest._value.ClusterName != null - # tag: append_details_awsecs_clustername - # allow_duplicates: false - # - foreach: - # field: aws.securityhub_findings.resources - # if: ctx.aws?.securityhub_findings?.resources instanceof List - # tag: foreach_resources_awseks_clustername - # processor: - # append: - # field: orchestrator.cluster.name - # value: '{{{_ingest._value.Name}}}' - # if: _ingest._value.Type == 'AwsEksCluster' && _ingest._value.Name != null - # tag: append_details_awseks_clustername - # allow_duplicates: false - convert: field: json.Sample target_field: aws.securityhub_findings.sample From 0d6a54b15c465c8d428d599e860660f6b60ec8c3 Mon Sep 17 00:00:00 2001 
From: kcreddy
Date: Fri, 20 Sep 2024 16:09:48 +0530
Subject: [PATCH 04/28] Add more ECS fields
---
.../pipeline/test-securityhub-findings.log | 7 +-
...est-securityhub-findings.log-expected.json | 906 +++++++++++++++++-
.../elasticsearch/ingest_pipeline/default.yml | 156 ++-
.../securityhub_findings/fields/fields.yml | 3 +
packages/aws/docs/securityhub.md | 1 +
5 files changed, 1044 insertions(+), 29 deletions(-)
diff --git a/packages/aws/data_stream/securityhub_findings/_dev/test/pipeline/test-securityhub-findings.log b/packages/aws/data_stream/securityhub_findings/_dev/test/pipeline/test-securityhub-findings.log
index 4382d4d1f19..b25ea22c1b0 100644
--- a/packages/aws/data_stream/securityhub_findings/_dev/test/pipeline/test-securityhub-findings.log
+++ b/packages/aws/data_stream/securityhub_findings/_dev/test/pipeline/test-securityhub-findings.log
@@ -5,4 +5,9 @@ {"AwsAccountId":"111111111111","CompanyName":"AWS","Compliance":{"AssociatedStandards":[{"StandardsId":"standards/aws-foundational-security-best-practices/v/1.0.0"},{"StandardsId":"standards/cis-aws-foundations-benchmark/v/3.0.0"},{"StandardsId":"standards/nist-800-53/v/5.0.0"}],"RelatedRequirements":["CIS AWS Foundations Benchmark v3.0.0/5.6","NIST.800-53.r5 AC-3","NIST.800-53.r5 AC-3(15)","NIST.800-53.r5 AC-3(7)","NIST.800-53.r5 AC-6"],"SecurityControlId":"EC2.8","Status":"PASSED"},"CreatedAt":"2024-09-10T10:40:32.189Z","Description":"This control checks whether your Amazon Elastic Compute Cloud (Amazon EC2) instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The control passes if HttpTokens is set to required for IMDSv2. The control fails if HttpTokens is set to optional.","FindingProviderFields":{"Severity":{"Label":"INFORMATIONAL","Normalized":0,"Original":"INFORMATIONAL"},"Types":["Software and Configuration Checks/Industry and Regulatory Standards"]},"FirstObservedAt":"2024-09-10T10:40:32.189Z","GeneratorId":"security-control/EC2.8","Id":"arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.8/finding/8825ae3b-1f70-4c74-8337-baee8fcad8fd","LastObservedAt":"2024-09-11T08:00:01.828Z","ProcessedAt":"2024-09-11T08:00:03.516Z","ProductArn":"arn:aws:securityhub:ap-south-1::product/aws/securityhub","ProductFields":{"RelatedAWSResources:0/name":"securityhub-ec2-imdsv2-check-29027890","RelatedAWSResources:0/type":"AWS::Config::ConfigRule","Resources:0/Id":"arn:aws:ec2:ap-south-1:111111111111:instance/i-0e2ede89308a594d7","aws/securityhub/CompanyName":"AWS","aws/securityhub/FindingId":"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.8/finding/8825ae3b-1f70-4c74-8337-baee8fcad8fd","aws/securityhub/ProductName":"Security Hub"},"ProductName":"Security 
Hub","RecordState":"ACTIVE","Region":"ap-south-1","Remediation":{"Recommendation":{"Text":"For information on how to correct this issue, consult the AWS Security Hub controls documentation.","Url":"https://docs.aws.amazon.com/console/securityhub/EC2.8/remediation"}},"Resources":[{"Details":{"AwsEc2Instance":{"IamInstanceProfileArn":"arn:aws:iam::111111111111:instance-profile/elastic-agent-instance-profile-e4f7caa0-6f61-11ef-bb07-02fe87118279","ImageId":"ami-04dffe071c46cddd4","LaunchedAt":"2024-09-10T10:39:35.000Z","MetadataOptions":{"HttpEndpoint":"enabled","HttpProtocolIpv6":"disabled","HttpPutResponseHopLimit":2,"HttpTokens":"required","InstanceMetadataTags":"disabled"},"Monitoring":{"State":"disabled"},"NetworkInterfaces":[{"NetworkInterfaceId":"eni-0de300eee88c5c7fd"}],"SubnetId":"subnet-5d15a111","VirtualizationType":"hvm","VpcId":"vpc-39017251"}},"Id":"arn:aws:ec2:ap-south-1:111111111111:instance/i-0e2ede89308a594d7","Partition":"aws","Region":"ap-south-1","Tags":{"Name":"elastic-agent-instance-e5f7caa0-6f60-11ef-bb07-02fe87118279","Task":"Cloud Security Posture Management Scanner","aws:cloudformation:logical-id":"ElasticAgentEc2Instance","aws:cloudformation:stack-id":"arn:aws:cloudformation:ap-south-1:111111111111:stack/Elastic-Cloud-Security-Posture-Management/e5f7caa0-6f60-11ef-bb07-02fe87118279","aws:cloudformation:stack-name":"Elastic-Cloud-Security-Posture-Management"},"Type":"AwsEc2Instance"}],"SchemaVersion":"2018-10-08","Severity":{"Label":"INFORMATIONAL","Normalized":0,"Original":"INFORMATIONAL"},"Title":"EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)","Types":["Software and Configuration Checks/Industry and Regulatory Standards"],"UpdatedAt":"2024-09-11T07:59:56.087Z","Workflow":{"Status":"RESOLVED"},"WorkflowState":"NEW"} {"AwsAccountId":"111111111111","CompanyName":"AWS","Compliance":{"AssociatedStandards":[{"StandardsId":"standards/nist-800-53/v/5.0.0"}],"RelatedRequirements":["NIST.800-53.r5 SC-12(2)","NIST.800-53.r5 
CM-3(6)","NIST.800-53.r5 SC-13","NIST.800-53.r5 SC-28","NIST.800-53.r5 SC-28(1)","NIST.800-53.r5 SC-7(10)","NIST.800-53.r5 CA-9(1)","NIST.800-53.r5 SI-7(6)","NIST.800-53.r5 AU-9"],"SecurityControlId":"S3.17","Status":"FAILED"},"CreatedAt":"2024-08-14T10:14:37.338Z","Description":"This control checks whether an Amazon S3 general purpose bucket is encrypted with an AWS KMS key (SSE-KMS or DSSE-KMS). The control fails if the bucket is encrypted with default encryption (SSE-S3).","FindingProviderFields":{"Severity":{"Label":"MEDIUM","Normalized":40,"Original":"MEDIUM"},"Types":["Software and Configuration Checks/Industry and Regulatory Standards"]},"FirstObservedAt":"2024-08-14T10:14:37.338Z","GeneratorId":"security-control/S3.17","Id":"arn:aws:securityhub:ap-south-1:111111111111:security-control/S3.17/finding/1d687c1f-ef1e-464f-985a-5000efa9d4a1","LastObservedAt":"2024-09-13T22:50:29.249Z","ProcessedAt":"2024-09-13T22:50:30.870Z","ProductArn":"arn:aws:securityhub:ap-south-1::product/aws/securityhub","ProductFields":{"RelatedAWSResources:0/name":"securityhub-s3-default-encryption-kms-3a38fc59","RelatedAWSResources:0/type":"AWS::Config::ConfigRule","Resources:0/Id":"arn:aws:s3:::s3-test-public-bucket","aws/securityhub/CompanyName":"AWS","aws/securityhub/FindingId":"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/S3.17/finding/1d687c1f-ef1e-464f-985a-5000efa9d4a1","aws/securityhub/ProductName":"Security Hub","aws/securityhub/annotation":"Amazon S3 bucket is not encrypted with AWS KMS key."},"ProductName":"Security Hub","RecordState":"ACTIVE","Region":"ap-south-1","Remediation":{"Recommendation":{"Text":"For information on how to correct this issue, consult the AWS Security Hub controls 
documentation.","Url":"https://docs.aws.amazon.com/console/securityhub/S3.17/remediation"}},"Resources":[{"Details":{"AwsS3Bucket":{"CreatedAt":"2024-08-14T09:32:06.000Z","Name":"s3-test-public-bucket","OwnerId":"e106g9b5e13878d5133aadfac8a012130c4260091100b311ed476f9e77cdca46"}},"Id":"arn:aws:s3:::s3-test-public-bucket","Partition":"aws","Region":"ap-south-1","Type":"AwsS3Bucket"}],"SchemaVersion":"2018-10-08","Severity":{"Label":"MEDIUM","Normalized":40,"Original":"MEDIUM"},"Title":"S3 general purpose buckets should be encrypted at rest with AWS KMS keys","Types":["Software and Configuration Checks/Industry and Regulatory Standards"],"UpdatedAt":"2024-09-13T22:50:13.008Z","Workflow":{"Status":"NEW"},"WorkflowState":"NEW"} {"AwsAccountId":"111111111111","CompanyName":"AWS","Compliance":{"AssociatedStandards":[{"StandardsId":"standards/cis-aws-foundations-benchmark/v/3.0.0"}],"RelatedRequirements":["CIS AWS Foundations Benchmark v3.0.0/5.2"],"SecurityControlId":"EC2.53","Status":"PASSED"},"CreatedAt":"2024-09-10T11:03:33.389Z","Description":"This control checks whether an Amazon EC2 security group allows ingress from 0.0.0.0/0 to remote server administration ports (ports 22 and 3389). 
The control fails if the security group allows ingress from 0.0.0.0/0 to port 22 or 3389.","FindingProviderFields":{"Severity":{"Label":"INFORMATIONAL","Normalized":0,"Original":"INFORMATIONAL"},"Types":["Software and Configuration Checks/Industry and Regulatory Standards"]},"FirstObservedAt":"2024-09-10T11:03:33.389Z","GeneratorId":"security-control/EC2.53","Id":"arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.53/finding/f21e28e2-1077-4062-ac39-624b2776eb23","LastObservedAt":"2024-09-11T08:00:06.960Z","ProcessedAt":"2024-09-11T08:00:08.685Z","ProductArn":"arn:aws:securityhub:ap-south-1::product/aws/securityhub","ProductFields":{"RelatedAWSResources:0/name":"securityhub-vpc-sg-port-restriction-check-8bef9db4","RelatedAWSResources:0/type":"AWS::Config::ConfigRule","Resources:0/Id":"arn:aws:ec2:ap-south-1:111111111111:security-group/sg-0dbc8c6200a0a9c51","aws/securityhub/CompanyName":"AWS","aws/securityhub/FindingId":"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.53/finding/f21e28e2-1077-4062-ac39-624b2776eb23","aws/securityhub/ProductName":"Security Hub"},"ProductName":"Security Hub","RecordState":"ACTIVE","Region":"ap-south-1","Remediation":{"Recommendation":{"Text":"For information on how to correct this issue, consult the AWS Security Hub controls 
documentation.","Url":"https://docs.aws.amazon.com/console/securityhub/EC2.53/remediation"}},"Resources":[{"Details":{"AwsEc2SecurityGroup":{"GroupId":"sg-0dbc8c6200a0a9c51","GroupName":"elastic-agent-security-group-e4f7caa0-5f61-11ef-bb07-02fe87118279","IpPermissionsEgress":[{"IpProtocol":"-1","IpRanges":[{"CidrIp":"0.0.0.0/0"}]}],"OwnerId":"111111111111","VpcId":"vpc-39017251"}},"Id":"arn:aws:ec2:ap-south-1:111111111111:security-group/sg-0dbc9c6210a0a9c51","Partition":"aws","Region":"ap-south-1","Tags":{"aws:cloudformation:logical-id":"ElasticAgentSecurityGroup","aws:cloudformation:stack-id":"arn:aws:cloudformation:ap-south-1:111111111111:stack/Elastic-Cloud-Security-Posture-Management/e5f7caa0-6f60-11ef-bb07-02fe87118279","aws:cloudformation:stack-name":"Elastic-Cloud-Security-Posture-Management"},"Type":"AwsEc2SecurityGroup"}],"SchemaVersion":"2018-10-08","Severity":{"Label":"INFORMATIONAL","Normalized":0,"Original":"INFORMATIONAL"},"Title":"EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports","Types":["Software and Configuration Checks/Industry and Regulatory Standards"],"UpdatedAt":"2024-09-11T07:59:56.364Z","Workflow":{"Status":"RESOLVED"},"WorkflowState":"NEW"} -{"AwsAccountId":"111111111111","CompanyName":"AWS","Compliance":{"AssociatedStandards":[{"StandardsId":"standards/aws-foundational-security-best-practices/v/1.0.0"},{"StandardsId":"standards/nist-800-53/v/5.0.0"}],"RelatedRequirements":["NIST.800-53.r5 CA-9(1)","NIST.800-53.r5 CM-3(6)","NIST.800-53.r5 SC-13","NIST.800-53.r5 SC-28","NIST.800-53.r5 SC-28(1)","NIST.800-53.r5 SC-7(10)","NIST.800-53.r5 SI-7(6)"],"SecurityControlId":"EC2.3","Status":"FAILED"},"CreatedAt":"2024-09-10T16:51:26.034Z","Description":"This AWS control checks whether the EBS volumes that are in an attached state are encrypted.","FindingProviderFields":{"Severity":{"Label":"MEDIUM","Normalized":40,"Original":"MEDIUM"},"Types":["Software and Configuration Checks/Industry and Regulatory 
Standards"]},"FirstObservedAt":"2024-09-10T16:50:59.623Z","GeneratorId":"security-control/EC2.3","Id":"arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.3/finding/972eddbf-43ae-4886-9416-ac9ddc2cecc0","LastObservedAt":"2024-09-10T16:50:59.623Z","ProcessedAt":"2024-09-10T16:51:39.864Z","ProductArn":"arn:aws:securityhub:ap-south-1::product/aws/securityhub","ProductFields":{"RelatedAWSResources:0/name":"securityhub-encrypted-volumes-4e81c587","RelatedAWSResources:0/type":"AWS::Config::ConfigRule","Resources:0/Id":"arn:aws:ec2:ap-south-1:111111111111:volume/vol-03822fa7de881616e","aws/securityhub/CompanyName":"AWS","aws/securityhub/FindingId":"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.3/finding/972eddbf-43ae-4886-9416-ac9ddc2cecc0","aws/securityhub/ProductName":"Security Hub"},"ProductName":"Security Hub","RecordState":"ACTIVE","Region":"ap-south-1","Remediation":{"Recommendation":{"Text":"For information on how to correct this issue, consult the AWS Security Hub controls documentation.","Url":"https://docs.aws.amazon.com/console/securityhub/EC2.3/remediation"}},"Resources":[{"Details":{"AwsEc2Volume":{"Attachments":[{"AttachTime":"2024-09-10T10:39:36.000Z","DeleteOnTermination":true,"InstanceId":"i-0f1ede89308a584d8","Status":"attached"}],"CreateTime":"2024-09-10T10:39:36.313Z","Encrypted":false,"Size":32,"SnapshotId":"snap-07cb2350b59fa5cce","Status":"in-use"}},"Id":"arn:aws:ec2:ap-south-1:111111111111:volume/vol-03821fa7de881617e","Partition":"aws","Region":"ap-south-1","Type":"AwsEc2Volume"}],"SchemaVersion":"2018-10-08","Severity":{"Label":"MEDIUM","Normalized":40,"Original":"MEDIUM"},"Title":"Attached EBS volumes should be encrypted at-rest","Types":["Software and Configuration Checks/Industry and Regulatory Standards"],"UpdatedAt":"2024-09-10T16:51:26.034Z","Workflow":{"Status":"NEW"},"WorkflowState":"NEW"} \ No newline at end of file 
+{"AwsAccountId":"111111111111","CompanyName":"AWS","Compliance":{"AssociatedStandards":[{"StandardsId":"standards/aws-foundational-security-best-practices/v/1.0.0"},{"StandardsId":"standards/nist-800-53/v/5.0.0"}],"RelatedRequirements":["NIST.800-53.r5 CA-9(1)","NIST.800-53.r5 CM-3(6)","NIST.800-53.r5 SC-13","NIST.800-53.r5 SC-28","NIST.800-53.r5 SC-28(1)","NIST.800-53.r5 SC-7(10)","NIST.800-53.r5 SI-7(6)"],"SecurityControlId":"EC2.3","Status":"FAILED"},"CreatedAt":"2024-09-10T16:51:26.034Z","Description":"This AWS control checks whether the EBS volumes that are in an attached state are encrypted.","FindingProviderFields":{"Severity":{"Label":"MEDIUM","Normalized":40,"Original":"MEDIUM"},"Types":["Software and Configuration Checks/Industry and Regulatory Standards"]},"FirstObservedAt":"2024-09-10T16:50:59.623Z","GeneratorId":"security-control/EC2.3","Id":"arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.3/finding/972eddbf-43ae-4886-9416-ac9ddc2cecc0","LastObservedAt":"2024-09-10T16:50:59.623Z","ProcessedAt":"2024-09-10T16:51:39.864Z","ProductArn":"arn:aws:securityhub:ap-south-1::product/aws/securityhub","ProductFields":{"RelatedAWSResources:0/name":"securityhub-encrypted-volumes-4e81c587","RelatedAWSResources:0/type":"AWS::Config::ConfigRule","Resources:0/Id":"arn:aws:ec2:ap-south-1:111111111111:volume/vol-03822fa7de881616e","aws/securityhub/CompanyName":"AWS","aws/securityhub/FindingId":"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.3/finding/972eddbf-43ae-4886-9416-ac9ddc2cecc0","aws/securityhub/ProductName":"Security Hub"},"ProductName":"Security Hub","RecordState":"ACTIVE","Region":"ap-south-1","Remediation":{"Recommendation":{"Text":"For information on how to correct this issue, consult the AWS Security Hub controls 
documentation.","Url":"https://docs.aws.amazon.com/console/securityhub/EC2.3/remediation"}},"Resources":[{"Details":{"AwsEc2Volume":{"Attachments":[{"AttachTime":"2024-09-10T10:39:36.000Z","DeleteOnTermination":true,"InstanceId":"i-0f1ede89308a584d8","Status":"attached"}],"CreateTime":"2024-09-10T10:39:36.313Z","Encrypted":false,"Size":32,"SnapshotId":"snap-07cb2350b59fa5cce","Status":"in-use"}},"Id":"arn:aws:ec2:ap-south-1:111111111111:volume/vol-03821fa7de881617e","Partition":"aws","Region":"ap-south-1","Type":"AwsEc2Volume"}],"SchemaVersion":"2018-10-08","Severity":{"Label":"MEDIUM","Normalized":40,"Original":"MEDIUM"},"Title":"Attached EBS volumes should be encrypted at-rest","Types":["Software and Configuration Checks/Industry and Regulatory Standards"],"UpdatedAt":"2024-09-10T16:51:26.034Z","Workflow":{"Status":"NEW"},"WorkflowState":"NEW"} +{"AwsAccountId":"111111111111","CompanyName":"AWS","Compliance":{"AssociatedStandards":[{"StandardsId":"standards/aws-foundational-security-best-practices/v/1.0.0"},{"StandardsId":"standards/nist-800-53/v/5.0.0"},{"StandardsId":"standards/pci-dss/v/3.2.1"}],"RelatedRequirements":["CIS AWS Foundations Benchmark v1.2.0/1.16"],"SecurityControlId":"IAM.2","Status":"FAILED"},"CreatedAt":"2024-09-10T12:40:36.785Z","Description":"This AWS control checks that none of your IAM users have policies attached. 
Instead, IAM users must inherit permissions from IAM groups or roles.","FindingProviderFields":{"Severity":{"Label":"LOW","Normalized":1,"Original":"LOW"},"Types":["Software and Configuration Checks/Industry and Regulatory Standards"]},"FirstObservedAt":"2024-09-10T12:40:36.785Z","GeneratorId":"security-control/SSM.1","Id":"arn:aws:iam::111111111111:user/developers/devuser@dev.dev","LastObservedAt":"2024-09-15T16:48:57.829Z","ProcessedAt":"2024-09-15T16:48:59.493Z","ProductArn":"arn:aws:securityhub:ap-south-1::product/aws/securityhub","ProductFields":{"RelatedAWSResources:0/name":"securityhub-iam-user-no-policies-check-832bb806","RelatedAWSResources:0/type":"AWS::Config::ConfigRule","Resources:0/Id":"arn:aws:iam::111111111111:user/developers/devuser@dev.dev","aws/securityhub/CompanyName":"AWS","aws/securityhub/FindingId":"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/SSM.1/finding/12b0c84a-bba5-4fb4-bb36-3b0e62b1945c","aws/securityhub/ProductName":"Security Hub"},"ProductName":"Security Hub","RecordState":"ACTIVE","Region":"ap-south-1","Remediation":{"Recommendation":{"Text":"For information on how to correct this issue, consult the AWS Security Hub controls documentation.","Url":"https://docs.aws.amazon.com/console/securityhub/IAM.2/remediation"}},"Resources":[{"Partition":"aws","Type":"AwsIamUser","Details":{"AwsIamUser":{"Path":"/developers/","AttachedManagedPolicies":[{"PolicyArn":"arn:aws:iam::aws:policy/AWSSecurityHubFullAccess","PolicyName":"AWSSecurityHubFullAccess"}],"UserName":"Dev UserName","GroupList":["DevUsers"],"UserId":"DevUserId","CreateDate":"2023-01-10T01:07:37.000Z"}},"Region":"ap-south-1","Id":"arn:aws:iam::111111111111:user/developers/devuser@dev.dev"}],"SchemaVersion":"2018-10-08","Severity":{"Label":"LOW","Normalized":1,"Original":"LOW"},"Title":"IAM users should not have IAM policies attached","Types":["Software and Configuration Checks/Industry and Regulatory 
Standards"],"UpdatedAt":"2024-09-15T16:48:45.279Z","Workflow":{"Status":"NEW"},"WorkflowState":"NEW"} +{"AwsAccountId":"111111111111","CompanyName":"AWS","Compliance":{"SecurityControlId":"EKS.1","Status":"FAILED"},"CreatedAt":"2024-09-11T12:40:36.785Z","Description":"This control checks whether an Amazon EKS cluster endpoint is publicly accessible. The control fails if an EKS cluster has an endpoint that is publicly accessible.","FindingProviderFields":{"Severity":{"Label":"HIGH","Normalized":70,"Original":"HIGH"},"Types":["Software and Configuration Checks/Industry and Regulatory Standards"]},"FirstObservedAt":"2024-09-11T12:40:36.785Z","GeneratorId":"security-control/EKS.1","Id":"arn:aws:eks:ap-south-1:111111111111:cluster/democluster","LastObservedAt":"2024-09-15T16:48:57.829Z","ProcessedAt":"2024-09-15T16:48:59.493Z","ProductArn":"arn:aws:securityhub:ap-south-1::product/aws/securityhub","ProductFields":{"RelatedAWSResources:0/name":"securityhub-eks-endpoint-no-public-access-2dc35c63","RelatedAWSResources:0/type":"AWS::Config::ConfigRule","Resources:0/Id":"arn:aws:eks:ap-south-1:111111111111:cluster/democluster","aws/securityhub/CompanyName":"AWS","aws/securityhub/FindingId":"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/SSM.1/finding/12b0c84a-bba5-4fb4-bb36-3b0e62b1945c","aws/securityhub/ProductName":"Security Hub","aws/securityhub/annotation":"Cluster Endpoint of democluster is Publicly accessible"},"ProductName":"Security Hub","RecordState":"ACTIVE","Region":"ap-south-1","Remediation":{"Recommendation":{"Text":"For information on how to correct this issue, consult the AWS Security Hub controls 
documentation.","Url":"https://docs.aws.amazon.com/console/securityhub/EKS.1/remediation"}},"Resources":[{"Partition":"aws","Type":"AwsEksCluster","Details":{"AwsEksCluster":{"Version":"1.27","Arn":"arn:aws:eks:ap-south-1:111111111111:cluster/democluster","ResourcesVpcConfig":{"EndpointPublicAccess":true,"SecurityGroupIds":["sg-111"],"SubnetIds":["subnet-aaa","subnet-bbb"]},"RoleArn":"arn:aws:iam::111111111111:role/EKSClusterRole","Name":"democluster"}},"Region":"ap-south-1","Id":"arn:aws:eks:ap-south-1:111111111111:cluster/democluster","Tags":{"environment":"dev","managed_by":"terraform","project":"demo","team":"dev"}}],"SchemaVersion":"2018-10-08","Severity":{"Label":"HIGH","Normalized":70,"Original":"HIGH"},"Title":"EKS cluster endpoints should not be publicly accessible","Types":["Software and Configuration Checks/Industry and Regulatory Standards"],"UpdatedAt":"2024-09-15T16:48:45.279Z","Workflow":{"Status":"NEW"},"WorkflowState":"NEW"} +{"AwsAccountId":"111111111111","CompanyName":"AWS","Compliance":{"AssociatedStandards":[{"StandardsId":"standards/cis-aws-foundations-benchmark/v/3.0.0"}],"RelatedRequirements":["CIS AWS Foundations Benchmark v3.0.0/1.22"],"SecurityControlId":"IAM.27","Status":"PASSED","StatusReasons":[{"Description":"AWS Config evaluated your resources against the rule. The rule did not apply to the AWS resources in its scope, the specified resources were deleted, or the evaluation results were deleted.","ReasonCode":"CONFIG_EVALUATIONS_EMPTY"}]},"CreatedAt":"2024-08-14T12:11:57.803Z","Description":"This control checks whether an IAM identity (user, role, or group) has the AWS managed policy AWSCloudShellFullAccess attached. 
The control fails if an IAM identity has the AWSCloudShellFullAccess policy attached.","FindingProviderFields":{"Severity":{"Label":"INFORMATIONAL","Normalized":0,"Original":"INFORMATIONAL"},"Types":["Software and Configuration Checks/Industry and Regulatory Standards"]},"FirstObservedAt":"2024-08-14T12:11:57.803Z","GeneratorId":"security-control/IAM.27","Id":"arn:aws:securityhub:ap-south-1:111111111111:security-control/IAM.27/finding/9ec777ec-6a92-416f-a27c-fa22b5827b6f","LastObservedAt":"2024-09-11T07:53:19.500Z","ProcessedAt":"2024-09-11T07:53:27.460Z","ProductArn":"arn:aws:securityhub:ap-south-1::product/aws/securityhub","ProductFields":{"RelatedAWSResources:0/name":"securityhub-iam-policy-blacklisted-check-0ab52b49","RelatedAWSResources:0/type":"AWS::Config::ConfigRule","Resources:0/Id":"arn:aws:iam::111111111111:root","aws/securityhub/CompanyName":"AWS","aws/securityhub/FindingId":"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/IAM.27/finding/9ec777ec-6a92-416f-a27c-fa22b5827b6f","aws/securityhub/ProductName":"Security Hub","aws/securityhub/annotation":"AWS Config evaluated your resources against the rule. 
The rule did not apply to the AWS resources in its scope, the specified resources were deleted, or the evaluation results were deleted."},"ProductName":"Security Hub","RecordState":"ACTIVE","Region":"ap-south-1","Remediation":{"Recommendation":{"Text":"For information on how to correct this issue, consult the AWS Security Hub controls documentation.","Url":"https://docs.aws.amazon.com/console/securityhub/IAM.27/remediation"}},"Resources":[{"Id":"AWS::::Account:111111111111","Partition":"aws","Region":"ap-south-1","Type":"AwsAccount"}],"SchemaVersion":"2018-10-08","Severity":{"Label":"INFORMATIONAL","Normalized":0,"Original":"INFORMATIONAL"},"Title":"IAM identities should not have the AWSCloudShellFullAccess policy attached","Types":["Software and Configuration Checks/Industry and Regulatory Standards"],"UpdatedAt":"2024-09-11T07:53:19.500Z","Workflow":{"Status":"RESOLVED"},"WorkflowState":"NEW"} +{"AwsAccountId":"111111111111","CompanyName":"AWS","Compliance":{"AssociatedStandards":[{"StandardsId":"standards/aws-resource-tagging-standard/v/1.0.0"}],"SecurityControlId":"EC2.44","SecurityControlParameters":[{"Name":"requiredTagKeys","Value":[]}],"Status":"FAILED"},"CreatedAt":"2024-08-14T10:14:50.020Z","Description":"This control checks whether an Amazon EC2 subnet has tags with the specific keys defined in the parameter requiredTagKeys. The control fails if the subnet doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter requiredTagKeys. If the parameter requiredTagKeys isn't provided, the control only checks for the existence of a tag key and fails if the subnet isn't tagged with any key. 
System tags, which are automatically applied and begin with aws:, are ignored.","FindingProviderFields":{"Severity":{"Label":"LOW","Normalized":1,"Original":"LOW"},"Types":["Software and Configuration Checks/Industry and Regulatory Standards"]},"FirstObservedAt":"2024-08-14T10:14:50.020Z","GeneratorId":"security-control/EC2.44","Id":"arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.44/finding/0397ae8e-d2b2-4a75-964f-fde027670405","LastObservedAt":"2024-09-13T22:50:24.617Z","ProcessedAt":"2024-09-13T22:50:27.295Z","ProductArn":"arn:aws:securityhub:ap-south-1::product/aws/securityhub","ProductFields":{"RelatedAWSResources:0/name":"securityhub-tagged-ec2-subnet-4c30afd3","RelatedAWSResources:0/type":"AWS::Config::ConfigRule","Resources:0/Id":"arn:aws:ec2:ap-south-1:111111111111:subnet/subnet-c28c74b9","aws/securityhub/CompanyName":"AWS","aws/securityhub/FindingId":"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.44/finding/0397ae8e-d2b2-4a75-964f-fde027670405","aws/securityhub/ProductName":"Security Hub","aws/securityhub/annotation":"No tags are present."},"ProductName":"Security Hub","RecordState":"ACTIVE","Region":"ap-south-1","Remediation":{"Recommendation":{"Text":"For information on how to correct this issue, consult the AWS Security Hub controls 
documentation.","Url":"https://docs.aws.amazon.com/console/securityhub/EC2.44/remediation"}},"Resources":[{"Details":{"AwsEc2Subnet":{"AssignIpv6AddressOnCreation":false,"AvailabilityZone":"ap-south-1c","AvailabilityZoneId":"aps1-az2","AvailableIpAddressCount":4091,"CidrBlock":"171.32.32.0/20","DefaultForAz":true,"MapPublicIpOnLaunch":true,"OwnerId":"111111111111","State":"available","SubnetArn":"arn:aws:ec2:ap-south-1:111111111111:subnet/subnet-c19c74b9","SubnetId":"subnet-c19c74b9","VpcId":"vpc-39017152"}},"Id":"arn:aws:ec2:ap-south-1:111111111111:subnet/subnet-c28c74b9","Partition":"aws","Region":"ap-south-1","Type":"AwsEc2Subnet"}],"SchemaVersion":"2018-10-08","Severity":{"Label":"LOW","Normalized":1,"Original":"LOW"},"Title":"EC2 subnets should be tagged","Types":["Software and Configuration Checks/Industry and Regulatory Standards"],"UpdatedAt":"2024-09-13T22:50:15.737Z","Workflow":{"Status":"NEW"},"WorkflowState":"NEW"} +{"AwsAccountId":"111111111111","CompanyName":"AWS","Compliance":{"SecurityControlId":"ELB.6","Status":"FAILED"},"CreatedAt":"2024-08-14T10:14:50.020Z","Description":"This control checks whether Application, Gateway, and Network Load Balancers have deletion protection enabled. 
The control fails if deletion protection is disabled.","FindingProviderFields":{"Severity":{"Label":"MEDIUM","Normalized":40,"Original":"MEDIUM"},"Types":["Software and Configuration Checks/Industry and Regulatory Standards"]},"FirstObservedAt":"2024-08-14T10:14:50.020Z","GeneratorId":"security-control/EC2.44","Id":"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e","LastObservedAt":"2024-09-13T22:50:24.617Z","ProcessedAt":"2024-09-13T22:50:27.295Z","ProductArn":"arn:aws:securityhub:ap-south-1::product/aws/securityhub","ProductFields":{"RelatedAWSResources:0/name":"securityhub-tagged-ec2-subnet-4c30afd3","RelatedAWSResources:0/type":"AWS::Config::ConfigRule","Resources:0/Id":"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e","aws/securityhub/CompanyName":"AWS","aws/securityhub/FindingId":"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/ELB.6/finding/9e7771db-5b77-48df-a103-1370cf6d401a","aws/securityhub/ProductName":"Security Hub","aws/securityhub/annotation":"No tags are present."},"ProductName":"Security Hub","RecordState":"ACTIVE","Region":"ap-south-1","Remediation":{"Recommendation":{"Text":"For information on how to correct this issue, consult the AWS Security Hub controls 
documentation.","Url":"https://docs.aws.amazon.com/console/securityhub/ELB.6/remediation"}},"Resources":[{"Partition":"aws","Type":"AwsElbv2LoadBalancer","Details":{"AwsElbv2LoadBalancer":{"IpAddressType":"ipv4","Type":"network","CreatedTime":"2024-04-17T21:35:20.303Z","Scheme":"internet-facing","VpcId":"vpc-132ddf1f407252a0a","CanonicalHostedZoneId":"ZLPOA36VPKAMP","AvailabilityZones":[{"ZoneName":"ap-south-1b","SubnetId":"subnet-aaa"},{"ZoneName":"ap-south-1a","SubnetId":"subnet-bbb"}],"State":{"Code":"active"},"DNSName":"a799f20cd3754462297d4874c25e67ae-894921ab8833ff1e.elb.ap-south-1.amazonaws.com"}},"Region":"ap-south-1","Id":"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e","Tags":{"kubernetes.io/service-name":"default/traefik","kubernetes.io/cluster/demo":"owned"}}],"SchemaVersion":"2018-10-08","Severity":{"Label":"LOW","Normalized":1,"Original":"LOW"},"Title":"EC2 subnets should be tagged","Types":["Software and Configuration Checks/Industry and Regulatory Standards"],"UpdatedAt":"2024-09-13T22:50:15.737Z","Workflow":{"Status":"NEW"},"WorkflowState":"NEW"} \ No newline at end of file diff --git a/packages/aws/data_stream/securityhub_findings/_dev/test/pipeline/test-securityhub-findings.log-expected.json b/packages/aws/data_stream/securityhub_findings/_dev/test/pipeline/test-securityhub-findings.log-expected.json index 56b3097bc52..095422ae78e 100644 --- a/packages/aws/data_stream/securityhub_findings/_dev/test/pipeline/test-securityhub-findings.log-expected.json +++ b/packages/aws/data_stream/securityhub_findings/_dev/test/pipeline/test-securityhub-findings.log-expected.json @@ -358,6 +358,10 @@ "account": { "id": "111111111111" }, + "instance": { + "id": "i-cafebabe", + "name": "i-cafebabe" + }, "provider": "aws", "region": "us-east-1" }, 
@@ -416,14 +420,21 @@ "2a02:cf40::" ] }, + "resource": { + "id": "i-cafebabe", + "name": "i-cafebabe", + "type": "AwsEc2Instance" + }, "result": { "evaluation": "passed" }, "rule": { "description": "The version of openssl found on instance i-abcd1234 is known to contain a vulnerability.", + "id": "acme-vuln-9ab348", "name": "EC2.20 Both VPN tunnels for an AWS Site-to-Site VPN connection should be up", "reference": "http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html", "references": "http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html", + "remediation": "Run sudo yum update and cross your fingers and toes. \\n http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html", "ruleset": [ "Req1", "Req2" @@ -828,6 +839,10 @@ "account": { "id": "111111111111" }, + "instance": { + "id": "i-cafebabe", + "name": "i-cafebabe" + }, "provider": "aws", "region": "us-east-1" }, @@ -886,14 +901,21 @@ "2a02:cf40::" ] }, + "resource": { + "id": "i-cafebabe", + "name": "i-cafebabe", + "type": "AwsEc2Instance" + }, "result": { "evaluation": "passed" }, "rule": { "description": "The version of openssl found on instance i-abcd1234 is known to contain a vulnerability.", + "id": "acme-vuln-9ab348", "name": "EC2.20 Both VPN tunnels for an AWS Site-to-Site VPN connection should be up", "reference": "http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html", "references": "http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html", + "remediation": "Run sudo yum update and cross your fingers and toes. \\n http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html", "ruleset": [ "Req1", "Req2" @@ -1053,6 +1075,10 @@ "account": { "id": "xxx" }, + "instance": { + "id": "xxx", + "name": "xxx" + }, "provider": "aws", "region": "us-east-1" }, 
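Review bot: The new `rule.remediation` value in this hunk carries a literal backslash-n between the recommendation text and the URL (JSON `\\n` decodes to the two characters `\` and `n`), not a line break, so anything rendering the field will display `\n` verbatim. If the pipeline intends a newline separator, its template should emit a real newline and this fixture would then read `"remediation": "Run sudo yum update and cross your fingers and toes.\nhttp://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html"`; if a single-line value is wanted, a plain space or ` - ` separator avoids the escape altogether. The same literal appears in the hunks at -886, -1083, -1216, -1381, -1528, -1691 and -1841. This file is generated from the pipeline output, so the fix belongs in the ingest pipeline rather than in the fixture.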
@@ -1083,14 +1109,21 @@ "organization": { "name": "AWS" }, + "resource": { + "id": "xxx", + "name": "xxx", + "type": "AwsEc2Instance" + }, "result": { "evaluation": "failed" }, "rule": { "description": "This control checks whether your Amazon Elastic Compute Cloud (Amazon EC2) instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The control passes if HttpTokens is set to required for IMDSv2. The control fails if HttpTokens is set to optional.", + "id": "xxx", "name": "EC2.8 EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)", "reference": "https://example.com/", - "references": "https://example.com/" + "references": "https://example.com/", + "remediation": "For directions on how to fix this issue, consult the AWS Security Hub Foundational Security Best Practices documentation. \\n https://example.com/" }, "tags": [ "preserve_original_event", @@ -1216,14 +1249,21 @@ "organization": { "name": "AWS" }, + "resource": { + "id": "xxx", + "name": "xxx", + "type": "AwsEc2Volume" + }, "result": { "evaluation": "unknown" }, "rule": { "description": "This AWS control checks whether the EBS volumes that are in an attached state are encrypted.", + "id": "xxx", "name": "EC2.3 Attached EBS volumes should be encrypted at-rest", "reference": "https://example.com/", - "references": "https://example.com/" + "references": "https://example.com/", + "remediation": "For directions on how to fix this issue, consult the AWS Security Hub Foundational Security Best Practices documentation. \\n https://example.com/" }, "tags": [ "preserve_original_event", @@ -1246,6 +1286,7 @@ "NIST.800-53.r5 AC-3(7)", "NIST.800-53.r5 AC-6" ], + "security_control_id": "EC2.8", "status": "PASSED" }, "created_at": "2024-09-10T10:40:32.189Z", 
@@ -1350,8 +1391,15 @@ "account": { "id": "111111111111" }, + "instance": { + "id": "arn:aws:ec2:ap-south-1:111111111111:instance/i-0e2ede89308a594d7", + "name": "i-0e2ede89308a594d7" + }, "provider": "aws", - "region": "ap-south-1" + "region": "ap-south-1", + "service": { + "name": "ec2" + } }, "ecs": { "version": "8.11.0" @@ -1381,14 +1429,21 @@ "organization": { "name": "AWS" }, + "resource": { + "id": "arn:aws:ec2:ap-south-1:111111111111:instance/i-0e2ede89308a594d7", + "name": "i-0e2ede89308a594d7", + "type": "AwsEc2Instance" + }, "result": { "evaluation": "passed" }, "rule": { "description": "This control checks whether your Amazon Elastic Compute Cloud (Amazon EC2) instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The control passes if HttpTokens is set to required for IMDSv2. The control fails if HttpTokens is set to optional.", + "id": "security-control/EC2.8", "name": "EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)", "reference": "https://docs.aws.amazon.com/console/securityhub/EC2.8/remediation", "references": "https://docs.aws.amazon.com/console/securityhub/EC2.8/remediation", + "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation. \\n https://docs.aws.amazon.com/console/securityhub/EC2.8/remediation", "ruleset": [ "CIS AWS Foundations Benchmark v3.0.0/5.6", "NIST.800-53.r5 AC-3", @@ -1422,6 +1477,7 @@ "NIST.800-53.r5 SI-7(6)", "NIST.800-53.r5 AU-9" ], + "security_control_id": "S3.17", "status": "FAILED" }, "created_at": "2024-08-14T10:14:37.338Z", @@ -1503,7 +1559,10 @@ "id": "111111111111" }, "provider": "aws", - "region": "ap-south-1" + "region": "ap-south-1", + "service": { + "name": "s3" + } }, "ecs": { "version": "8.11.0" 
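Review bot: `cloud.instance.id` in this hunk is populated with the full resource ARN while `cloud.instance.name` gets the bare `i-0e2ede89308a594d7`, which disagrees with the -358 hunk where both fields hold the bare id `i-cafebabe`. ECS defines `cloud.instance.id` as the instance identifier, so correlation with host or CloudWatch data keyed on the bare id will miss the ARN form. Deriving `cloud.instance.id` the same way as `cloud.instance.name` (the last `/` segment of the resource id) and keeping the ARN in `resource.id` would make both fixtures agree; the derivation happens in the pipeline, which is outside this chunk, so confirm there.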
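Review bot: `rule.id` in the -1381 hunk is `security-control/EC2.8`, which looks like the finding's `GeneratorId`, while `compliance.security_control_id` already carries the bare `EC2.8`. For findings from other products `GeneratorId` is a product-specific generator string rather than a control id, so consumers keying on `rule.id` will see mixed semantics across sources. Consider stating in the `rule.id` field description which source field is used, or preferring `Compliance.SecurityControlId` when present and falling back to `GeneratorId`; I infer the mapping from the fixture values, and the pipeline that sets it is not in this chunk.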
@@ -1528,14 +1587,21 @@ "organization": { "name": "AWS" }, + "resource": { + "id": "arn:aws:s3:::s3-test-public-bucket", + "name": "s3-test-public-bucket", + "type": "AwsS3Bucket" + }, "result": { "evaluation": "failed" }, "rule": { "description": "This control checks whether an Amazon S3 general purpose bucket is encrypted with an AWS KMS key (SSE-KMS or DSSE-KMS). The control fails if the bucket is encrypted with default encryption (SSE-S3).", + "id": "security-control/S3.17", "name": "S3 general purpose buckets should be encrypted at rest with AWS KMS keys", "reference": "https://docs.aws.amazon.com/console/securityhub/S3.17/remediation", "references": "https://docs.aws.amazon.com/console/securityhub/S3.17/remediation", + "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation. \\n https://docs.aws.amazon.com/console/securityhub/S3.17/remediation", "ruleset": [ "NIST.800-53.r5 SC-12(2)", "NIST.800-53.r5 CM-3(6)", @@ -1570,6 +1636,7 @@ "related_requirements": [ "CIS AWS Foundations Benchmark v3.0.0/5.2" ], + "security_control_id": "EC2.53", "status": "PASSED" }, "created_at": "2024-09-10T11:03:33.389Z", @@ -1666,7 +1733,10 @@ "id": "111111111111" }, "provider": "aws", - "region": "ap-south-1" + "region": "ap-south-1", + "service": { + "name": "ec2" + } }, "ecs": { "version": "8.11.0" 
@@ -1691,14 +1761,21 @@ "organization": { "name": "AWS" }, + "resource": { + "id": "arn:aws:ec2:ap-south-1:111111111111:security-group/sg-0dbc9c6210a0a9c51", + "name": "sg-0dbc9c6210a0a9c51", + "type": "AwsEc2SecurityGroup" + }, "result": { "evaluation": "passed" }, "rule": { "description": "This control checks whether an Amazon EC2 security group allows ingress from 0.0.0.0/0 to remote server administration ports (ports 22 and 3389). The control fails if the security group allows ingress from 0.0.0.0/0 to port 22 or 3389.", + "id": "security-control/EC2.53", "name": "EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports", "reference": "https://docs.aws.amazon.com/console/securityhub/EC2.53/remediation", "references": "https://docs.aws.amazon.com/console/securityhub/EC2.53/remediation", + "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation. \\n https://docs.aws.amazon.com/console/securityhub/EC2.53/remediation", "ruleset": [ "CIS AWS Foundations Benchmark v3.0.0/5.2" ] @@ -1726,6 +1803,7 @@ "NIST.800-53.r5 SC-7(10)", "NIST.800-53.r5 SI-7(6)" ], + "security_control_id": "EC2.3", "status": "FAILED" }, "created_at": "2024-09-10T16:51:26.034Z", @@ -1816,7 +1894,10 @@ "id": "111111111111" }, "provider": "aws", - "region": "ap-south-1" + "region": "ap-south-1", + "service": { + "name": "ec2" + } }, "ecs": { "version": "8.11.0" 
@@ -1841,14 +1922,21 @@ "organization": { "name": "AWS" }, + "resource": { + "id": "arn:aws:ec2:ap-south-1:111111111111:volume/vol-03821fa7de881617e", + "name": "vol-03821fa7de881617e", + "type": "AwsEc2Volume" + }, "result": { "evaluation": "failed" }, "rule": { "description": "This AWS control checks whether the EBS volumes that are in an attached state are encrypted.", + "id": "security-control/EC2.3", "name": "Attached EBS volumes should be encrypted at-rest", "reference": "https://docs.aws.amazon.com/console/securityhub/EC2.3/remediation", "references": "https://docs.aws.amazon.com/console/securityhub/EC2.3/remediation", + "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation. \\n https://docs.aws.amazon.com/console/securityhub/EC2.3/remediation", "ruleset": [ "NIST.800-53.r5 CA-9(1)", "NIST.800-53.r5 CM-3(6)", 
@@ -1863,6 +1951,812 @@ "preserve_original_event", "preserve_duplicate_custom_fields" ] + }, + { + "@timestamp": "2024-09-15T16:48:45.279Z", + "aws": { + "securityhub_findings": { + "aws_account_id": "111111111111", + "company": { + "name": "AWS" + }, + "compliance": { + "related_requirements": [ + "CIS AWS Foundations Benchmark v1.2.0/1.16" + ], + "security_control_id": "IAM.2", + "status": "FAILED" + }, + "created_at": "2024-09-10T12:40:36.785Z", + "description": "This AWS control checks that none of your IAM users have policies attached. Instead, IAM users must inherit permissions from IAM groups or roles.", + "first_observed_at": "2024-09-10T12:40:36.785Z", + "generator": { + "id": "security-control/SSM.1" + }, + "id": "arn:aws:iam::111111111111:user/developers/devuser@dev.dev", + "last_observed_at": "2024-09-15T16:48:57.829Z", + "processed_at": "2024-09-15T16:48:59.493Z", + "product": { + "arn": "arn:aws:securityhub:ap-south-1::product/aws/securityhub", + "fields": { + "RelatedAWSResources:0/name": "securityhub-iam-user-no-policies-check-832bb806", + "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", + "Resources:0/Id": "arn:aws:iam::111111111111:user/developers/devuser@dev.dev", + "aws/securityhub/CompanyName": "AWS", + "aws/securityhub/FindingId": "arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/SSM.1/finding/12b0c84a-bba5-4fb4-bb36-3b0e62b1945c", + "aws/securityhub/ProductName": "Security Hub" + }, + "name": "Security Hub" + }, + "provider_fields": { + "severity": { + "label": "LOW", + "normalized": "1", + "original": "LOW" + }, + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ] + }, + "record_state": "ACTIVE", + "region": "ap-south-1", + "remediation": { + "recommendation": { + "text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", + "url": 
"https://docs.aws.amazon.com/console/securityhub/IAM.2/remediation" + } + }, + "resources": [ + { + "Details": { + "AwsIamUser": { + "AttachedManagedPolicies": [ + { + "PolicyArn": "arn:aws:iam::aws:policy/AWSSecurityHubFullAccess", + "PolicyName": "AWSSecurityHubFullAccess" + } + ], + "CreateDate": "2023-01-10T01:07:37.000Z", + "GroupList": [ + "DevUsers" + ], + "Path": "/developers/", + "UserId": "DevUserId", + "UserName": "Dev UserName" + } + }, + "Id": "arn:aws:iam::111111111111:user/developers/devuser@dev.dev", + "Partition": "aws", + "Region": "ap-south-1", + "Type": "AwsIamUser" + } + ], + "schema": { + "version": "2018-10-08" + }, + "severity": { + "label": "LOW", + "normalized": "1", + "original": "LOW" + }, + "title": "IAM users should not have IAM policies attached", + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ], + "updated_at": "2024-09-15T16:48:45.279Z", + "workflow": { + "state": "NEW", + "status": "NEW" + } + } + }, + "cloud": { + "account": { + "id": "111111111111" + }, + "provider": "aws", + "region": "ap-south-1", + "service": { + "name": "iam" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "configuration" + ], + "created": "2024-09-15T16:48:59.493Z", + "id": "arn:aws:iam::111111111111:user/developers/devuser@dev.dev", + "kind": "state", + "original": "{\"AwsAccountId\":\"111111111111\",\"CompanyName\":\"AWS\",\"Compliance\":{\"AssociatedStandards\":[{\"StandardsId\":\"standards/aws-foundational-security-best-practices/v/1.0.0\"},{\"StandardsId\":\"standards/nist-800-53/v/5.0.0\"},{\"StandardsId\":\"standards/pci-dss/v/3.2.1\"}],\"RelatedRequirements\":[\"CIS AWS Foundations Benchmark v1.2.0/1.16\"],\"SecurityControlId\":\"IAM.2\",\"Status\":\"FAILED\"},\"CreatedAt\":\"2024-09-10T12:40:36.785Z\",\"Description\":\"This AWS control checks that none of your IAM users have policies attached. 
Instead, IAM users must inherit permissions from IAM groups or roles.\",\"FindingProviderFields\":{\"Severity\":{\"Label\":\"LOW\",\"Normalized\":1,\"Original\":\"LOW\"},\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"]},\"FirstObservedAt\":\"2024-09-10T12:40:36.785Z\",\"GeneratorId\":\"security-control/SSM.1\",\"Id\":\"arn:aws:iam::111111111111:user/developers/devuser@dev.dev\",\"LastObservedAt\":\"2024-09-15T16:48:57.829Z\",\"ProcessedAt\":\"2024-09-15T16:48:59.493Z\",\"ProductArn\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub\",\"ProductFields\":{\"RelatedAWSResources:0/name\":\"securityhub-iam-user-no-policies-check-832bb806\",\"RelatedAWSResources:0/type\":\"AWS::Config::ConfigRule\",\"Resources:0/Id\":\"arn:aws:iam::111111111111:user/developers/devuser@dev.dev\",\"aws/securityhub/CompanyName\":\"AWS\",\"aws/securityhub/FindingId\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/SSM.1/finding/12b0c84a-bba5-4fb4-bb36-3b0e62b1945c\",\"aws/securityhub/ProductName\":\"Security Hub\"},\"ProductName\":\"Security Hub\",\"RecordState\":\"ACTIVE\",\"Region\":\"ap-south-1\",\"Remediation\":{\"Recommendation\":{\"Text\":\"For information on how to correct this issue, consult the AWS Security Hub controls documentation.\",\"Url\":\"https://docs.aws.amazon.com/console/securityhub/IAM.2/remediation\"}},\"Resources\":[{\"Partition\":\"aws\",\"Type\":\"AwsIamUser\",\"Details\":{\"AwsIamUser\":{\"Path\":\"/developers/\",\"AttachedManagedPolicies\":[{\"PolicyArn\":\"arn:aws:iam::aws:policy/AWSSecurityHubFullAccess\",\"PolicyName\":\"AWSSecurityHubFullAccess\"}],\"UserName\":\"Dev 
UserName\",\"GroupList\":[\"DevUsers\"],\"UserId\":\"DevUserId\",\"CreateDate\":\"2023-01-10T01:07:37.000Z\"}},\"Region\":\"ap-south-1\",\"Id\":\"arn:aws:iam::111111111111:user/developers/devuser@dev.dev\"}],\"SchemaVersion\":\"2018-10-08\",\"Severity\":{\"Label\":\"LOW\",\"Normalized\":1,\"Original\":\"LOW\"},\"Title\":\"IAM users should not have IAM policies attached\",\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"],\"UpdatedAt\":\"2024-09-15T16:48:45.279Z\",\"Workflow\":{\"Status\":\"NEW\"},\"WorkflowState\":\"NEW\"}", + "outcome": "failure", + "severity": 1, + "type": [ + "info" + ] + }, + "observer": { + "vendor": "AWS Security Hub" + }, + "organization": { + "name": "AWS" + }, + "resource": { + "id": "arn:aws:iam::111111111111:user/developers/devuser@dev.dev", + "name": "devuser@dev.dev", + "type": "AwsIamUser" + }, + "result": { + "evaluation": "failed" + }, + "rule": { + "description": "This AWS control checks that none of your IAM users have policies attached. Instead, IAM users must inherit permissions from IAM groups or roles.", + "id": "security-control/SSM.1", + "name": "IAM users should not have IAM policies attached", + "reference": "https://docs.aws.amazon.com/console/securityhub/IAM.2/remediation", + "references": "https://docs.aws.amazon.com/console/securityhub/IAM.2/remediation", + "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation. 
\\n https://docs.aws.amazon.com/console/securityhub/IAM.2/remediation", + "ruleset": [ + "CIS AWS Foundations Benchmark v1.2.0/1.16" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "id": [ + "DevUserId" + ], + "name": [ + "Dev UserName" + ] + } + }, + { + "@timestamp": "2024-09-15T16:48:45.279Z", + "aws": { + "securityhub_findings": { + "aws_account_id": "111111111111", + "company": { + "name": "AWS" + }, + "compliance": { + "security_control_id": "EKS.1", + "status": "FAILED" + }, + "created_at": "2024-09-11T12:40:36.785Z", + "description": "This control checks whether an Amazon EKS cluster endpoint is publicly accessible. The control fails if an EKS cluster has an endpoint that is publicly accessible.", + "first_observed_at": "2024-09-11T12:40:36.785Z", + "generator": { + "id": "security-control/EKS.1" + }, + "id": "arn:aws:eks:ap-south-1:111111111111:cluster/democluster", + "last_observed_at": "2024-09-15T16:48:57.829Z", + "processed_at": "2024-09-15T16:48:59.493Z", + "product": { + "arn": "arn:aws:securityhub:ap-south-1::product/aws/securityhub", + "fields": { + "RelatedAWSResources:0/name": "securityhub-eks-endpoint-no-public-access-2dc35c63", + "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", + "Resources:0/Id": "arn:aws:eks:ap-south-1:111111111111:cluster/democluster", + "aws/securityhub/CompanyName": "AWS", + "aws/securityhub/FindingId": "arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/SSM.1/finding/12b0c84a-bba5-4fb4-bb36-3b0e62b1945c", + "aws/securityhub/ProductName": "Security Hub", + "aws/securityhub/annotation": "Cluster Endpoint of democluster is Publicly accessible" + }, + "name": "Security Hub" + }, + "provider_fields": { + "severity": { + "label": "HIGH", + "normalized": "70", + "original": "HIGH" + }, + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ] + }, + "record_state": 
"ACTIVE", + "region": "ap-south-1", + "remediation": { + "recommendation": { + "text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", + "url": "https://docs.aws.amazon.com/console/securityhub/EKS.1/remediation" + } + }, + "resources": [ + { + "Details": { + "AwsEksCluster": { + "Arn": "arn:aws:eks:ap-south-1:111111111111:cluster/democluster", + "Name": "democluster", + "ResourcesVpcConfig": { + "EndpointPublicAccess": true, + "SecurityGroupIds": [ + "sg-111" + ], + "SubnetIds": [ + "subnet-aaa", + "subnet-bbb" + ] + }, + "RoleArn": "arn:aws:iam::111111111111:role/EKSClusterRole", + "Version": "1.27" + } + }, + "Id": "arn:aws:eks:ap-south-1:111111111111:cluster/democluster", + "Partition": "aws", + "Region": "ap-south-1", + "Tags": { + "environment": "dev", + "managed_by": "terraform", + "project": "demo", + "team": "dev" + }, + "Type": "AwsEksCluster" + } + ], + "schema": { + "version": "2018-10-08" + }, + "severity": { + "label": "HIGH", + "normalized": "70", + "original": "HIGH" + }, + "title": "EKS cluster endpoints should not be publicly accessible", + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ], + "updated_at": "2024-09-15T16:48:45.279Z", + "workflow": { + "state": "NEW", + "status": "NEW" + } + } + }, + "cloud": { + "account": { + "id": "111111111111" + }, + "provider": "aws", + "region": "ap-south-1", + "service": { + "name": "eks" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "configuration" + ], + "created": "2024-09-15T16:48:59.493Z", + "id": "arn:aws:eks:ap-south-1:111111111111:cluster/democluster", + "kind": "state", + "original": "{\"AwsAccountId\":\"111111111111\",\"CompanyName\":\"AWS\",\"Compliance\":{\"SecurityControlId\":\"EKS.1\",\"Status\":\"FAILED\"},\"CreatedAt\":\"2024-09-11T12:40:36.785Z\",\"Description\":\"This control checks whether an Amazon EKS cluster endpoint is publicly accessible. 
The control fails if an EKS cluster has an endpoint that is publicly accessible.\",\"FindingProviderFields\":{\"Severity\":{\"Label\":\"HIGH\",\"Normalized\":70,\"Original\":\"HIGH\"},\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"]},\"FirstObservedAt\":\"2024-09-11T12:40:36.785Z\",\"GeneratorId\":\"security-control/EKS.1\",\"Id\":\"arn:aws:eks:ap-south-1:111111111111:cluster/democluster\",\"LastObservedAt\":\"2024-09-15T16:48:57.829Z\",\"ProcessedAt\":\"2024-09-15T16:48:59.493Z\",\"ProductArn\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub\",\"ProductFields\":{\"RelatedAWSResources:0/name\":\"securityhub-eks-endpoint-no-public-access-2dc35c63\",\"RelatedAWSResources:0/type\":\"AWS::Config::ConfigRule\",\"Resources:0/Id\":\"arn:aws:eks:ap-south-1:111111111111:cluster/democluster\",\"aws/securityhub/CompanyName\":\"AWS\",\"aws/securityhub/FindingId\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/SSM.1/finding/12b0c84a-bba5-4fb4-bb36-3b0e62b1945c\",\"aws/securityhub/ProductName\":\"Security Hub\",\"aws/securityhub/annotation\":\"Cluster Endpoint of democluster is Publicly accessible\"},\"ProductName\":\"Security Hub\",\"RecordState\":\"ACTIVE\",\"Region\":\"ap-south-1\",\"Remediation\":{\"Recommendation\":{\"Text\":\"For information on how to correct this issue, consult the AWS Security Hub controls 
documentation.\",\"Url\":\"https://docs.aws.amazon.com/console/securityhub/EKS.1/remediation\"}},\"Resources\":[{\"Partition\":\"aws\",\"Type\":\"AwsEksCluster\",\"Details\":{\"AwsEksCluster\":{\"Version\":\"1.27\",\"Arn\":\"arn:aws:eks:ap-south-1:111111111111:cluster/democluster\",\"ResourcesVpcConfig\":{\"EndpointPublicAccess\":true,\"SecurityGroupIds\":[\"sg-111\"],\"SubnetIds\":[\"subnet-aaa\",\"subnet-bbb\"]},\"RoleArn\":\"arn:aws:iam::111111111111:role/EKSClusterRole\",\"Name\":\"democluster\"}},\"Region\":\"ap-south-1\",\"Id\":\"arn:aws:eks:ap-south-1:111111111111:cluster/democluster\",\"Tags\":{\"environment\":\"dev\",\"managed_by\":\"terraform\",\"project\":\"demo\",\"team\":\"dev\"}}],\"SchemaVersion\":\"2018-10-08\",\"Severity\":{\"Label\":\"HIGH\",\"Normalized\":70,\"Original\":\"HIGH\"},\"Title\":\"EKS cluster endpoints should not be publicly accessible\",\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"],\"UpdatedAt\":\"2024-09-15T16:48:45.279Z\",\"Workflow\":{\"Status\":\"NEW\"},\"WorkflowState\":\"NEW\"}", + "outcome": "failure", + "severity": 70, + "type": [ + "info" + ] + }, + "observer": { + "vendor": "AWS Security Hub" + }, + "orchestrator": { + "cluster": { + "id": [ + "arn:aws:eks:ap-south-1:111111111111:cluster/democluster" + ], + "name": [ + "democluster" + ], + "version": [ + "1.27" + ] + }, + "resource": { + "id": [ + "arn:aws:eks:ap-south-1:111111111111:cluster/democluster" + ], + "name": [ + "democluster" + ], + "type": [ + "AwsEksCluster" + ] + }, + "type": [ + "kubernetes" + ] + }, + "organization": { + "name": "AWS" + }, + "resource": { + "id": "arn:aws:eks:ap-south-1:111111111111:cluster/democluster", + "name": "democluster", + "type": "AwsEksCluster" + }, + "result": { + "evaluation": "failed" + }, + "rule": { + "description": "This control checks whether an Amazon EKS cluster endpoint is publicly accessible. 
The control fails if an EKS cluster has an endpoint that is publicly accessible.", + "id": "security-control/EKS.1", + "name": "EKS cluster endpoints should not be publicly accessible", + "reference": "https://docs.aws.amazon.com/console/securityhub/EKS.1/remediation", + "references": "https://docs.aws.amazon.com/console/securityhub/EKS.1/remediation", + "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation. \\n https://docs.aws.amazon.com/console/securityhub/EKS.1/remediation" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2024-09-11T07:53:19.500Z", + "aws": { + "securityhub_findings": { + "aws_account_id": "111111111111", + "company": { + "name": "AWS" + }, + "compliance": { + "related_requirements": [ + "CIS AWS Foundations Benchmark v3.0.0/1.22" + ], + "security_control_id": "IAM.27", + "status": "PASSED", + "status_reasons": [ + { + "description": "AWS Config evaluated your resources against the rule. The rule did not apply to the AWS resources in its scope, the specified resources were deleted, or the evaluation results were deleted.", + "reason_code": "CONFIG_EVALUATIONS_EMPTY" + } + ] + }, + "created_at": "2024-08-14T12:11:57.803Z", + "description": "This control checks whether an IAM identity (user, role, or group) has the AWS managed policy AWSCloudShellFullAccess attached. 
The control fails if an IAM identity has the AWSCloudShellFullAccess policy attached.", + "first_observed_at": "2024-08-14T12:11:57.803Z", + "generator": { + "id": "security-control/IAM.27" + }, + "id": "arn:aws:securityhub:ap-south-1:111111111111:security-control/IAM.27/finding/9ec777ec-6a92-416f-a27c-fa22b5827b6f", + "last_observed_at": "2024-09-11T07:53:19.500Z", + "processed_at": "2024-09-11T07:53:27.460Z", + "product": { + "arn": "arn:aws:securityhub:ap-south-1::product/aws/securityhub", + "fields": { + "RelatedAWSResources:0/name": "securityhub-iam-policy-blacklisted-check-0ab52b49", + "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", + "Resources:0/Id": "arn:aws:iam::111111111111:root", + "aws/securityhub/CompanyName": "AWS", + "aws/securityhub/FindingId": "arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/IAM.27/finding/9ec777ec-6a92-416f-a27c-fa22b5827b6f", + "aws/securityhub/ProductName": "Security Hub", + "aws/securityhub/annotation": "AWS Config evaluated your resources against the rule. The rule did not apply to the AWS resources in its scope, the specified resources were deleted, or the evaluation results were deleted." 
+ }, + "name": "Security Hub" + }, + "provider_fields": { + "severity": { + "label": "INFORMATIONAL", + "normalized": "0", + "original": "INFORMATIONAL" + }, + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ] + }, + "record_state": "ACTIVE", + "region": "ap-south-1", + "remediation": { + "recommendation": { + "text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", + "url": "https://docs.aws.amazon.com/console/securityhub/IAM.27/remediation" + } + }, + "resources": [ + { + "Id": "AWS::::Account:111111111111", + "Partition": "aws", + "Region": "ap-south-1", + "Type": "AwsAccount" + } + ], + "schema": { + "version": "2018-10-08" + }, + "severity": { + "label": "INFORMATIONAL", + "normalized": "0", + "original": "INFORMATIONAL" + }, + "title": "IAM identities should not have the AWSCloudShellFullAccess policy attached", + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ], + "updated_at": "2024-09-11T07:53:19.500Z", + "workflow": { + "state": "NEW", + "status": "RESOLVED" + } + } + }, + "cloud": { + "account": { + "id": "111111111111" + }, + "provider": "aws", + "region": "ap-south-1" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "configuration" + ], + "created": "2024-09-11T07:53:27.460Z", + "id": "arn:aws:securityhub:ap-south-1:111111111111:security-control/IAM.27/finding/9ec777ec-6a92-416f-a27c-fa22b5827b6f", + "kind": "state", + "original": "{\"AwsAccountId\":\"111111111111\",\"CompanyName\":\"AWS\",\"Compliance\":{\"AssociatedStandards\":[{\"StandardsId\":\"standards/cis-aws-foundations-benchmark/v/3.0.0\"}],\"RelatedRequirements\":[\"CIS AWS Foundations Benchmark v3.0.0/1.22\"],\"SecurityControlId\":\"IAM.27\",\"Status\":\"PASSED\",\"StatusReasons\":[{\"Description\":\"AWS Config evaluated your resources against the rule. 
The rule did not apply to the AWS resources in its scope, the specified resources were deleted, or the evaluation results were deleted.\",\"ReasonCode\":\"CONFIG_EVALUATIONS_EMPTY\"}]},\"CreatedAt\":\"2024-08-14T12:11:57.803Z\",\"Description\":\"This control checks whether an IAM identity (user, role, or group) has the AWS managed policy AWSCloudShellFullAccess attached. The control fails if an IAM identity has the AWSCloudShellFullAccess policy attached.\",\"FindingProviderFields\":{\"Severity\":{\"Label\":\"INFORMATIONAL\",\"Normalized\":0,\"Original\":\"INFORMATIONAL\"},\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"]},\"FirstObservedAt\":\"2024-08-14T12:11:57.803Z\",\"GeneratorId\":\"security-control/IAM.27\",\"Id\":\"arn:aws:securityhub:ap-south-1:111111111111:security-control/IAM.27/finding/9ec777ec-6a92-416f-a27c-fa22b5827b6f\",\"LastObservedAt\":\"2024-09-11T07:53:19.500Z\",\"ProcessedAt\":\"2024-09-11T07:53:27.460Z\",\"ProductArn\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub\",\"ProductFields\":{\"RelatedAWSResources:0/name\":\"securityhub-iam-policy-blacklisted-check-0ab52b49\",\"RelatedAWSResources:0/type\":\"AWS::Config::ConfigRule\",\"Resources:0/Id\":\"arn:aws:iam::111111111111:root\",\"aws/securityhub/CompanyName\":\"AWS\",\"aws/securityhub/FindingId\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/IAM.27/finding/9ec777ec-6a92-416f-a27c-fa22b5827b6f\",\"aws/securityhub/ProductName\":\"Security Hub\",\"aws/securityhub/annotation\":\"AWS Config evaluated your resources against the rule. 
The rule did not apply to the AWS resources in its scope, the specified resources were deleted, or the evaluation results were deleted.\"},\"ProductName\":\"Security Hub\",\"RecordState\":\"ACTIVE\",\"Region\":\"ap-south-1\",\"Remediation\":{\"Recommendation\":{\"Text\":\"For information on how to correct this issue, consult the AWS Security Hub controls documentation.\",\"Url\":\"https://docs.aws.amazon.com/console/securityhub/IAM.27/remediation\"}},\"Resources\":[{\"Id\":\"AWS::::Account:111111111111\",\"Partition\":\"aws\",\"Region\":\"ap-south-1\",\"Type\":\"AwsAccount\"}],\"SchemaVersion\":\"2018-10-08\",\"Severity\":{\"Label\":\"INFORMATIONAL\",\"Normalized\":0,\"Original\":\"INFORMATIONAL\"},\"Title\":\"IAM identities should not have the AWSCloudShellFullAccess policy attached\",\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"],\"UpdatedAt\":\"2024-09-11T07:53:19.500Z\",\"Workflow\":{\"Status\":\"RESOLVED\"},\"WorkflowState\":\"NEW\"}", + "outcome": "success", + "severity": 0, + "type": [ + "info" + ] + }, + "observer": { + "vendor": "AWS Security Hub" + }, + "organization": { + "name": "AWS" + }, + "resource": { + "id": "AWS::::Account:111111111111", + "name": "AWS::::Account:111111111111", + "type": "AwsAccount" + }, + "result": { + "evaluation": "passed" + }, + "rule": { + "description": "This control checks whether an IAM identity (user, role, or group) has the AWS managed policy AWSCloudShellFullAccess attached. The control fails if an IAM identity has the AWSCloudShellFullAccess policy attached.", + "id": "security-control/IAM.27", + "name": "IAM identities should not have the AWSCloudShellFullAccess policy attached", + "reference": "https://docs.aws.amazon.com/console/securityhub/IAM.27/remediation", + "references": "https://docs.aws.amazon.com/console/securityhub/IAM.27/remediation", + "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation. 
\\n https://docs.aws.amazon.com/console/securityhub/IAM.27/remediation", + "ruleset": [ + "CIS AWS Foundations Benchmark v3.0.0/1.22" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2024-09-13T22:50:15.737Z", + "aws": { + "securityhub_findings": { + "aws_account_id": "111111111111", + "company": { + "name": "AWS" + }, + "compliance": { + "security_control_id": "EC2.44", + "status": "FAILED" + }, + "created_at": "2024-08-14T10:14:50.020Z", + "description": "This control checks whether an Amazon EC2 subnet has tags with the specific keys defined in the parameter requiredTagKeys. The control fails if the subnet doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter requiredTagKeys. If the parameter requiredTagKeys isn't provided, the control only checks for the existence of a tag key and fails if the subnet isn't tagged with any key. System tags, which are automatically applied and begin with aws:, are ignored.", + "first_observed_at": "2024-08-14T10:14:50.020Z", + "generator": { + "id": "security-control/EC2.44" + }, + "id": "arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.44/finding/0397ae8e-d2b2-4a75-964f-fde027670405", + "last_observed_at": "2024-09-13T22:50:24.617Z", + "processed_at": "2024-09-13T22:50:27.295Z", + "product": { + "arn": "arn:aws:securityhub:ap-south-1::product/aws/securityhub", + "fields": { + "RelatedAWSResources:0/name": "securityhub-tagged-ec2-subnet-4c30afd3", + "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", + "Resources:0/Id": "arn:aws:ec2:ap-south-1:111111111111:subnet/subnet-c28c74b9", + "aws/securityhub/CompanyName": "AWS", + "aws/securityhub/FindingId": "arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.44/finding/0397ae8e-d2b2-4a75-964f-fde027670405", + "aws/securityhub/ProductName": "Security Hub", + "aws/securityhub/annotation": "No tags 
are present." + }, + "name": "Security Hub" + }, + "provider_fields": { + "severity": { + "label": "LOW", + "normalized": "1", + "original": "LOW" + }, + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ] + }, + "record_state": "ACTIVE", + "region": "ap-south-1", + "remediation": { + "recommendation": { + "text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", + "url": "https://docs.aws.amazon.com/console/securityhub/EC2.44/remediation" + } + }, + "resources": [ + { + "Details": { + "AwsEc2Subnet": { + "AssignIpv6AddressOnCreation": false, + "AvailabilityZone": "ap-south-1c", + "AvailabilityZoneId": "aps1-az2", + "AvailableIpAddressCount": 4091, + "CidrBlock": "171.32.32.0/20", + "DefaultForAz": true, + "MapPublicIpOnLaunch": true, + "OwnerId": "111111111111", + "State": "available", + "SubnetArn": "arn:aws:ec2:ap-south-1:111111111111:subnet/subnet-c19c74b9", + "SubnetId": "subnet-c19c74b9", + "VpcId": "vpc-39017152" + } + }, + "Id": "arn:aws:ec2:ap-south-1:111111111111:subnet/subnet-c28c74b9", + "Partition": "aws", + "Region": "ap-south-1", + "Type": "AwsEc2Subnet" + } + ], + "schema": { + "version": "2018-10-08" + }, + "severity": { + "label": "LOW", + "normalized": "1", + "original": "LOW" + }, + "title": "EC2 subnets should be tagged", + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ], + "updated_at": "2024-09-13T22:50:15.737Z", + "workflow": { + "state": "NEW", + "status": "NEW" + } + } + }, + "cloud": { + "account": { + "id": "111111111111" + }, + "availability_zone": [ + "ap-south-1c" + ], + "provider": "aws", + "region": "ap-south-1", + "service": { + "name": "ec2" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "configuration" + ], + "created": "2024-09-13T22:50:27.295Z", + "id": "arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.44/finding/0397ae8e-d2b2-4a75-964f-fde027670405", + 
"kind": "state", + "original": "{\"AwsAccountId\":\"111111111111\",\"CompanyName\":\"AWS\",\"Compliance\":{\"AssociatedStandards\":[{\"StandardsId\":\"standards/aws-resource-tagging-standard/v/1.0.0\"}],\"SecurityControlId\":\"EC2.44\",\"SecurityControlParameters\":[{\"Name\":\"requiredTagKeys\",\"Value\":[]}],\"Status\":\"FAILED\"},\"CreatedAt\":\"2024-08-14T10:14:50.020Z\",\"Description\":\"This control checks whether an Amazon EC2 subnet has tags with the specific keys defined in the parameter requiredTagKeys. The control fails if the subnet doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter requiredTagKeys. If the parameter requiredTagKeys isn't provided, the control only checks for the existence of a tag key and fails if the subnet isn't tagged with any key. System tags, which are automatically applied and begin with aws:, are ignored.\",\"FindingProviderFields\":{\"Severity\":{\"Label\":\"LOW\",\"Normalized\":1,\"Original\":\"LOW\"},\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"]},\"FirstObservedAt\":\"2024-08-14T10:14:50.020Z\",\"GeneratorId\":\"security-control/EC2.44\",\"Id\":\"arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.44/finding/0397ae8e-d2b2-4a75-964f-fde027670405\",\"LastObservedAt\":\"2024-09-13T22:50:24.617Z\",\"ProcessedAt\":\"2024-09-13T22:50:27.295Z\",\"ProductArn\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub\",\"ProductFields\":{\"RelatedAWSResources:0/name\":\"securityhub-tagged-ec2-subnet-4c30afd3\",\"RelatedAWSResources:0/type\":\"AWS::Config::ConfigRule\",\"Resources:0/Id\":\"arn:aws:ec2:ap-south-1:111111111111:subnet/subnet-c28c74b9\",\"aws/securityhub/CompanyName\":\"AWS\",\"aws/securityhub/FindingId\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.44/finding/0397ae8e-d2b2-4a75-964f-fde027670405\",\"aws/securityhub/ProductName\":\"Security 
Hub\",\"aws/securityhub/annotation\":\"No tags are present.\"},\"ProductName\":\"Security Hub\",\"RecordState\":\"ACTIVE\",\"Region\":\"ap-south-1\",\"Remediation\":{\"Recommendation\":{\"Text\":\"For information on how to correct this issue, consult the AWS Security Hub controls documentation.\",\"Url\":\"https://docs.aws.amazon.com/console/securityhub/EC2.44/remediation\"}},\"Resources\":[{\"Details\":{\"AwsEc2Subnet\":{\"AssignIpv6AddressOnCreation\":false,\"AvailabilityZone\":\"ap-south-1c\",\"AvailabilityZoneId\":\"aps1-az2\",\"AvailableIpAddressCount\":4091,\"CidrBlock\":\"171.32.32.0/20\",\"DefaultForAz\":true,\"MapPublicIpOnLaunch\":true,\"OwnerId\":\"111111111111\",\"State\":\"available\",\"SubnetArn\":\"arn:aws:ec2:ap-south-1:111111111111:subnet/subnet-c19c74b9\",\"SubnetId\":\"subnet-c19c74b9\",\"VpcId\":\"vpc-39017152\"}},\"Id\":\"arn:aws:ec2:ap-south-1:111111111111:subnet/subnet-c28c74b9\",\"Partition\":\"aws\",\"Region\":\"ap-south-1\",\"Type\":\"AwsEc2Subnet\"}],\"SchemaVersion\":\"2018-10-08\",\"Severity\":{\"Label\":\"LOW\",\"Normalized\":1,\"Original\":\"LOW\"},\"Title\":\"EC2 subnets should be tagged\",\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"],\"UpdatedAt\":\"2024-09-13T22:50:15.737Z\",\"Workflow\":{\"Status\":\"NEW\"},\"WorkflowState\":\"NEW\"}", + "outcome": "failure", + "severity": 1, + "type": [ + "info" + ] + }, + "observer": { + "vendor": "AWS Security Hub" + }, + "organization": { + "name": "AWS" + }, + "resource": { + "id": "arn:aws:ec2:ap-south-1:111111111111:subnet/subnet-c28c74b9", + "name": "subnet-c28c74b9", + "type": "AwsEc2Subnet" + }, + "result": { + "evaluation": "failed" + }, + "rule": { + "description": "This control checks whether an Amazon EC2 subnet has tags with the specific keys defined in the parameter requiredTagKeys. The control fails if the subnet doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter requiredTagKeys. 
If the parameter requiredTagKeys isn't provided, the control only checks for the existence of a tag key and fails if the subnet isn't tagged with any key. System tags, which are automatically applied and begin with aws:, are ignored.", + "id": "security-control/EC2.44", + "name": "EC2 subnets should be tagged", + "reference": "https://docs.aws.amazon.com/console/securityhub/EC2.44/remediation", + "references": "https://docs.aws.amazon.com/console/securityhub/EC2.44/remediation", + "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation. \\n https://docs.aws.amazon.com/console/securityhub/EC2.44/remediation" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2024-09-13T22:50:15.737Z", + "aws": { + "securityhub_findings": { + "aws_account_id": "111111111111", + "company": { + "name": "AWS" + }, + "compliance": { + "security_control_id": "ELB.6", + "status": "FAILED" + }, + "created_at": "2024-08-14T10:14:50.020Z", + "description": "This control checks whether Application, Gateway, and Network Load Balancers have deletion protection enabled. 
The control fails if deletion protection is disabled.", + "first_observed_at": "2024-08-14T10:14:50.020Z", + "generator": { + "id": "security-control/EC2.44" + }, + "id": "arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e", + "last_observed_at": "2024-09-13T22:50:24.617Z", + "processed_at": "2024-09-13T22:50:27.295Z", + "product": { + "arn": "arn:aws:securityhub:ap-south-1::product/aws/securityhub", + "fields": { + "RelatedAWSResources:0/name": "securityhub-tagged-ec2-subnet-4c30afd3", + "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", + "Resources:0/Id": "arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e", + "aws/securityhub/CompanyName": "AWS", + "aws/securityhub/FindingId": "arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/ELB.6/finding/9e7771db-5b77-48df-a103-1370cf6d401a", + "aws/securityhub/ProductName": "Security Hub", + "aws/securityhub/annotation": "No tags are present." 
+ }, + "name": "Security Hub" + }, + "provider_fields": { + "severity": { + "label": "MEDIUM", + "normalized": "40", + "original": "MEDIUM" + }, + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ] + }, + "record_state": "ACTIVE", + "region": "ap-south-1", + "remediation": { + "recommendation": { + "text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", + "url": "https://docs.aws.amazon.com/console/securityhub/ELB.6/remediation" + } + }, + "resources": [ + { + "Details": { + "AwsElbv2LoadBalancer": { + "AvailabilityZones": [ + { + "SubnetId": "subnet-aaa", + "ZoneName": "ap-south-1b" + }, + { + "SubnetId": "subnet-bbb", + "ZoneName": "ap-south-1a" + } + ], + "CanonicalHostedZoneId": "ZLPOA36VPKAMP", + "CreatedTime": "2024-04-17T21:35:20.303Z", + "DNSName": "a799f20cd3754462297d4874c25e67ae-894921ab8833ff1e.elb.ap-south-1.amazonaws.com", + "IpAddressType": "ipv4", + "Scheme": "internet-facing", + "State": { + "Code": "active" + }, + "Type": "network", + "VpcId": "vpc-132ddf1f407252a0a" + } + }, + "Id": "arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e", + "Partition": "aws", + "Region": "ap-south-1", + "Tags": { + "kubernetes.io/cluster/demo": "owned", + "kubernetes.io/service-name": "default/traefik" + }, + "Type": "AwsElbv2LoadBalancer" + } + ], + "schema": { + "version": "2018-10-08" + }, + "severity": { + "label": "LOW", + "normalized": "1", + "original": "LOW" + }, + "title": "EC2 subnets should be tagged", + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ], + "updated_at": "2024-09-13T22:50:15.737Z", + "workflow": { + "state": "NEW", + "status": "NEW" + } + } + }, + "cloud": { + "account": { + "id": "111111111111" + }, + "availability_zone": [ + "ap-south-1b", + "ap-south-1a" + ], + "provider": "aws", + "region": "ap-south-1", + "service": { + "name": 
"elasticloadbalancing" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "configuration" + ], + "created": "2024-09-13T22:50:27.295Z", + "id": "arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e", + "kind": "state", + "original": "{\"AwsAccountId\":\"111111111111\",\"CompanyName\":\"AWS\",\"Compliance\":{\"SecurityControlId\":\"ELB.6\",\"Status\":\"FAILED\"},\"CreatedAt\":\"2024-08-14T10:14:50.020Z\",\"Description\":\"This control checks whether Application, Gateway, and Network Load Balancers have deletion protection enabled. The control fails if deletion protection is disabled.\",\"FindingProviderFields\":{\"Severity\":{\"Label\":\"MEDIUM\",\"Normalized\":40,\"Original\":\"MEDIUM\"},\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"]},\"FirstObservedAt\":\"2024-08-14T10:14:50.020Z\",\"GeneratorId\":\"security-control/EC2.44\",\"Id\":\"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e\",\"LastObservedAt\":\"2024-09-13T22:50:24.617Z\",\"ProcessedAt\":\"2024-09-13T22:50:27.295Z\",\"ProductArn\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub\",\"ProductFields\":{\"RelatedAWSResources:0/name\":\"securityhub-tagged-ec2-subnet-4c30afd3\",\"RelatedAWSResources:0/type\":\"AWS::Config::ConfigRule\",\"Resources:0/Id\":\"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e\",\"aws/securityhub/CompanyName\":\"AWS\",\"aws/securityhub/FindingId\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/ELB.6/finding/9e7771db-5b77-48df-a103-1370cf6d401a\",\"aws/securityhub/ProductName\":\"Security Hub\",\"aws/securityhub/annotation\":\"No tags are present.\"},\"ProductName\":\"Security 
Hub\",\"RecordState\":\"ACTIVE\",\"Region\":\"ap-south-1\",\"Remediation\":{\"Recommendation\":{\"Text\":\"For information on how to correct this issue, consult the AWS Security Hub controls documentation.\",\"Url\":\"https://docs.aws.amazon.com/console/securityhub/ELB.6/remediation\"}},\"Resources\":[{\"Partition\":\"aws\",\"Type\":\"AwsElbv2LoadBalancer\",\"Details\":{\"AwsElbv2LoadBalancer\":{\"IpAddressType\":\"ipv4\",\"Type\":\"network\",\"CreatedTime\":\"2024-04-17T21:35:20.303Z\",\"Scheme\":\"internet-facing\",\"VpcId\":\"vpc-132ddf1f407252a0a\",\"CanonicalHostedZoneId\":\"ZLPOA36VPKAMP\",\"AvailabilityZones\":[{\"ZoneName\":\"ap-south-1b\",\"SubnetId\":\"subnet-aaa\"},{\"ZoneName\":\"ap-south-1a\",\"SubnetId\":\"subnet-bbb\"}],\"State\":{\"Code\":\"active\"},\"DNSName\":\"a799f20cd3754462297d4874c25e67ae-894921ab8833ff1e.elb.ap-south-1.amazonaws.com\"}},\"Region\":\"ap-south-1\",\"Id\":\"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e\",\"Tags\":{\"kubernetes.io/service-name\":\"default/traefik\",\"kubernetes.io/cluster/demo\":\"owned\"}}],\"SchemaVersion\":\"2018-10-08\",\"Severity\":{\"Label\":\"LOW\",\"Normalized\":1,\"Original\":\"LOW\"},\"Title\":\"EC2 subnets should be tagged\",\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"],\"UpdatedAt\":\"2024-09-13T22:50:15.737Z\",\"Workflow\":{\"Status\":\"NEW\"},\"WorkflowState\":\"NEW\"}", + "outcome": "failure", + "severity": 1, + "type": [ + "info" + ] + }, + "observer": { + "vendor": "AWS Security Hub" + }, + "organization": { + "name": "AWS" + }, + "resource": { + "id": "arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e", + "name": "894921ab8833ff1e", + "type": "AwsElbv2LoadBalancer" + }, + "result": { + "evaluation": "failed" + }, + "rule": { + "description": "This control checks whether Application, Gateway, and Network Load 
Balancers have deletion protection enabled. The control fails if deletion protection is disabled.",
+ "id": "security-control/EC2.44",
+ "name": "EC2 subnets should be tagged",
+ "reference": "https://docs.aws.amazon.com/console/securityhub/ELB.6/remediation",
+ "references": "https://docs.aws.amazon.com/console/securityhub/ELB.6/remediation",
+ "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation. \\n https://docs.aws.amazon.com/console/securityhub/ELB.6/remediation"
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ]
 }
 ]
 }
\ No newline at end of file
diff --git a/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml b/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml
index afd578756a3..428f64e040b 100644
--- a/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml
@@ -692,6 +692,21 @@ processors:
 field: json.GeneratorId
 target_field: aws.securityhub_findings.generator.id
 ignore_missing: true
+ - set:
+ field: rule.id
+ tag: set_rule_id_from_generator_id
+ copy_from: aws.securityhub_findings.generator.id
+ ignore_failure: true
+ - rename:
+ field: json.Compliance.SecurityControlId
+ target_field: aws.securityhub_findings.compliance.security_control_id
+ ignore_missing: true
+ - set:
+ field: rule.id
+ tag: set_rule_id_from_security_control_id
+ copy_from: aws.securityhub_findings.compliance.security_control_id
+ if: ctx.rule?.id == null
+ ignore_failure: true
 - rename:
 field: json.Id
 target_field: aws.securityhub_findings.id
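Review bot: Both new `set` processors in this hunk use `ignore_failure: true`, which hides every error the processor could raise, when the only condition they need to tolerate is the source field being absent; the existing `set_rule_references` processor at the top of the next hunk handles exactly that case with `ignore_empty_value: true`, so `ignore_empty_value: true` in place of `ignore_failure: true` on `set_rule_id_from_generator_id` and `set_rule_id_from_security_control_id` keeps the pipeline's style and stops unrelated failures from being masked. The two sources also carry different identifier forms — the expected output in this commit shows `generator.id` as `security-control/EKS.1` while `compliance.security_control_id` is `EKS.1` — so `rule.id` will change shape depending on which field a finding provides; a comment above the first processor such as `# rule.id prefers GeneratorId (security-control/<id>) and falls back to the bare SecurityControlId` would tell whoever correlates on it what to expect. The `json.Id` rename that closes the hunk continues outside it.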
@@ -1512,17 +1527,37 @@ processors:
 tag: set_rule_references
 copy_from: aws.securityhub_findings.remediation.recommendation.url
 ignore_empty_value: true
+ - set:
+ field: rule.remediation
+ tag: set_rule_remediation
+ value: '{{{aws.securityhub_findings.remediation.recommendation.text}}} \n {{{aws.securityhub_findings.remediation.recommendation.url}}}'
+ if: ctx.aws?.securityhub_findings?.remediation?.recommendation?.url != null && ctx.aws.securityhub_findings.remediation.recommendation.text != null
+ ignore_empty_value: true
 - rename:
 field: json.Resources
 target_field: aws.securityhub_findings.resources
 ignore_missing: true
 - script:
- description: Extract ECS fields from aws.securityhub_findings.resources.
+ description: Extract fields from aws.securityhub_findings.resources.
 lang: painless
 if: ctx.aws?.securityhub_findings?.resources instanceof List && ctx.aws.securityhub_findings.resources.size() > 0
 source: |-
 def resources = ctx.aws.securityhub_findings.resources;
- for (resource in resources) {
+
+ // Extract resource field
+ if (ctx.resource == null) {
+ ctx.resource = new HashMap();
+ }
+ ctx.resource.type = resources[0].Type;
+ ctx.resource.id = resources[0].Id;
+ if (resources[0].Details != null && resources[0].Details[ctx.resource.type]?.Name != null) {
+ ctx.resource.name = resources[0].Details[ctx.resource.type].Name;
+ } else {
+ String[] tokenList = ctx.resource.id.splitOnToken("/");
+ ctx.resource.name = tokenList[tokenList.length - 1];
+ }
+
+ for (res in resources) {
 // Extract ECS user field
 if (ctx.user == null) {
 ctx.user = new HashMap();
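Review bot: The `\n` inside the single-quoted `value` of `set_rule_remediation` is two literal characters, not a line break, so `rule.remediation` is stored as `<text> \n <url>` with a backslash in it — the expected output added in this commit (`documentation. \\n https://...`) shows exactly that. If a newline is intended, double-quote the template so YAML decodes the escape, `value: "{{{aws.securityhub_findings.remediation.recommendation.text}}}\n{{{aws.securityhub_findings.remediation.recommendation.url}}}"`; if a single line is wanted, replace the `\n` with a plain separator. In the new Painless block, `ctx.resource.id.splitOnToken("/")` throws a NullPointerException when `resources[0].Id` is absent and no `Details.<Type>.Name` exists, which fails the whole document instead of just leaving `resource.name` unset; wrapping the fallback in `if (ctx.resource.id != null)` and only assigning `resource.type`/`resource.id` when the source values are non-null avoids that. The block also derives `resource.*` from the first element only while the `for (res in resources)` loop below visits every element, so a one-line comment stating that the first resource is taken deliberately would help the next reader. The loop body continues in the following hunks.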
@@ -1533,20 +1568,20 @@ processors:
 if (ctx.user.id == null) {
 ctx.user.id = new ArrayList();
 }
- if (resource.Type == 'AwsIamUser' && resource.Details?.AwsIamUser?.UserName != null) {
- ctx.user.name.add(resource.Details.AwsIamUser.UserName);
+ if (res.Type == 'AwsIamUser' && res.Details?.AwsIamUser?.UserName != null) {
+ ctx.user.name.add(res.Details.AwsIamUser.UserName);
 }
- if (resource.Type == 'AwsIamAccessKey' && resource.Details?.AwsIamAccessKey?.UserName != null) {
- ctx.user.name.add(resource.Details.AwsIamAccessKey.UserName);
+ if (res.Type == 'AwsIamAccessKey' && res.Details?.AwsIamAccessKey?.UserName != null) {
+ ctx.user.name.add(res.Details.AwsIamAccessKey.UserName);
 }
- if (resource.Type == 'AwsS3Bucket' && resource.Details?.AwsS3Bucket?.OwnerName != null) {
- ctx.user.name.add(resource.Details.AwsS3Bucket.OwnerName);
+ if (res.Type == 'AwsS3Bucket' && res.Details?.AwsS3Bucket?.OwnerName != null) {
+ ctx.user.name.add(res.Details.AwsS3Bucket.OwnerName);
 }
- if (resource.Type == 'AwsIamUser' && resource.Details?.AwsIamUser?.UserId != null) {
- ctx.user.id.add(resource.Details.AwsIamUser.UserId);
+ if (res.Type == 'AwsIamUser' && res.Details?.AwsIamUser?.UserId != null) {
+ ctx.user.id.add(res.Details.AwsIamUser.UserId);
 }
- if (resource.Type == 'AwsS3Bucket' && resource.Details?.AwsS3Bucket?.OwnerId != null) {
- ctx.user.id.add(resource.Details.AwsS3Bucket.OwnerId);
+ if (res.Type == 'AwsS3Bucket' && res.Details?.AwsS3Bucket?.OwnerId != null) {
+ ctx.user.id.add(res.Details.AwsS3Bucket.OwnerId);
 }
 // Extract ECS host field
@@ -1556,14 +1591,17 @@ processors: if (ctx.host.id == null) { ctx.host.id = new ArrayList(); } - if (resource.Type == 'AwsEc2Instance' && resource.Id != null) { - ctx.host.id.add(resource.Id); + if (res.Type == 'AwsEc2Instance' && res.Id != null) { + ctx.host.id.add(res.Id); } // Extract ECS orchestrator field if (ctx.orchestrator == null) { ctx.orchestrator = new HashMap(); } + if (ctx.orchestrator.type == null) { + ctx.orchestrator.type = new ArrayList(); + } if (ctx.orchestrator.cluster == null) { ctx.orchestrator.cluster = new HashMap(); } 
@@ -1573,17 +1611,91 @@ processors: if (ctx.orchestrator.cluster.name == null) { ctx.orchestrator.cluster.name = new ArrayList(); } - if (['AwsEcsCluster', 'AwsEcsTask'].contains(resource.Type) && resource.Details?.AwsEcsCluster?.ClusterArn != null) { - ctx.orchestrator.cluster.id.add(resource.Details.AwsEcsCluster.ClusterArn); + if (ctx.orchestrator.cluster.version == null) { + ctx.orchestrator.cluster.version = new ArrayList(); + } + if (ctx.orchestrator.resource == null) { + ctx.orchestrator.resource = new HashMap(); + } + if (ctx.orchestrator.resource.id == null) { + ctx.orchestrator.resource.id = new ArrayList(); + } + if (ctx.orchestrator.resource.name == null) { + ctx.orchestrator.resource.name = new ArrayList(); + } + if (ctx.orchestrator.resource.type == null) { + ctx.orchestrator.resource.type = new ArrayList(); + } + if (['AwsEcsCluster', 'AwsEcsTask'].contains(res.Type) && res.Details?.AwsEcsCluster?.ClusterArn != null) { + ctx.orchestrator.cluster.id.add(res.Details.AwsEcsCluster.ClusterArn); + } + if (res.Type == 'AwsEksCluster' && res.Details?.AwsEksCluster?.Arn != null) { + ctx.orchestrator.cluster.id.add(res.Details.AwsEksCluster.Arn); } - if (resource.Type == 'AwsEksCluster' && resource.Details?.AwsEksCluster?.Arn != null) { - ctx.orchestrator.cluster.id.add(resource.Details.AwsEksCluster.Arn); + if (res.Type == 'AwsEcsCluster' && res.Details?.AwsEcsCluster?.ClusterName != null) { + ctx.orchestrator.cluster.name.add(res.Details.AwsEcsCluster.ClusterName); } - if (resource.Type == 'AwsEcsCluster' && resource.Details?.AwsEcsCluster?.ClusterName != null) { - ctx.orchestrator.cluster.name.add(resource.Details.AwsEcsCluster.ClusterName); + if (res.Type == 'AwsEksCluster' && res.Details?.AwsEksCluster?.Name != null) { + ctx.orchestrator.cluster.name.add(res.Details.AwsEksCluster.Name); } - if (resource.Type == 'AwsEksCluster' && resource.Details?.AwsEksCluster?.Name != null) { - ctx.orchestrator.cluster.name.add(resource.Details.AwsEksCluster.Name); + 
if (res.Type == 'AwsEksCluster' && res.Details?.AwsEksCluster?.Version != null) { + ctx.orchestrator.cluster.version.add(res.Details.AwsEksCluster.Version); + } + if (res.Type == 'AwsEksCluster' && res.Details?.AwsEksCluster?.Endpoint != null) { + ctx.orchestrator.cluster.url.add(res.Details.AwsEksCluster.Endpoint); + } + if (res.Type.startsWith('AwsEks') || res.Type.startsWith('AwsEcs')) { + ctx.orchestrator.resource.id.add(ctx.resource.id); + ctx.orchestrator.resource.name.add(ctx.resource.name); + ctx.orchestrator.resource.type.add(ctx.resource.type); + if (res.Type.startsWith('AwsEks')) { + ctx.orchestrator.type.add('kubernetes'); + } else { + ctx.orchestrator.type.add('ecs'); + } + } + + // Extract ECS cloud field + if (ctx.cloud == null) { + ctx.cloud = new HashMap(); + } + if (ctx.cloud.instance == null) { + ctx.cloud.instance = new HashMap(); + } + if (ctx.cloud.service == null) { + ctx.cloud.service = new HashMap(); + } + if (res.Type == 'AwsEc2Instance') { + ctx.cloud.instance.id = ctx.resource.id; + ctx.cloud.instance.name = ctx.resource.name; + } + String[] cloud_service = ctx.resource.id.splitOnToken(":"); + if (cloud_service.length > 2) { + ctx.cloud.service.name = cloud_service[2]; + } + if (ctx.cloud.availability_zone == null) { + ctx.cloud.availability_zone = new ArrayList(); + } + if (['AwsEc2Subnet', 'AwsRedshiftCluster', 'AwsDmsReplicationInstance'].contains(res.Type) && res.Details != null && res.Details[res.Type]?.AvailabilityZone != null) { + ctx.cloud.availability_zone.add(res.Details[res.Type].AvailabilityZone); + } + if ((['AwsEc2VpcEndpointService', 'AwsElbLoadBalancer', 'AwsRdsDbCluster'].contains(res.Type)) && res.Details != null && res.Details[res.Type]?.AvailabilityZones != null) { + for (def az: res.Details[res.Type].AvailabilityZones){ + ctx.cloud.availability_zone.add(az); + } + } + if (res.Type == 'AwsAutoScalingAutoScalingGroup' && res.Details?.AwsAutoScalingAutoScalingGroup?.AvailabilityZones != null) { + for (def az: 
res.Details.AwsAutoScalingAutoScalingGroup.AvailabilityZones){ + ctx.cloud.availability_zone.add(az.Value); + } + } + if (res.Type == 'AwsEc2LaunchTemplate' && res.Details?.AwsEc2LaunchTemplate?.LaunchTemplateData?.Placement?.AvailabilityZone != null) { + ctx.cloud.availability_zone.add(res.Details.AwsEc2LaunchTemplate.LaunchTemplateData.Placement.AvailabilityZone); + } + if (res.Type == 'AwsElbv2LoadBalancer' && res.Details?.AwsElbv2LoadBalancer?.AvailabilityZones != null) { + for (def az: res.Details.AwsElbv2LoadBalancer.AvailabilityZones){ + ctx.cloud.availability_zone.add(az.ZoneName); + } } } - convert: diff --git a/packages/aws/data_stream/securityhub_findings/fields/fields.yml b/packages/aws/data_stream/securityhub_findings/fields/fields.yml index e545d08d887..03f083a3e5d 100644 --- a/packages/aws/data_stream/securityhub_findings/fields/fields.yml +++ b/packages/aws/data_stream/securityhub_findings/fields/fields.yml @@ -271,6 +271,9 @@ - name: compliance type: group fields: + - name: security_control_id + type: keyword + description: Unique identifier of a control across standards. - name: related_requirements type: keyword description: For a control, the industry or regulatory framework requirements that are related to the control. diff --git a/packages/aws/docs/securityhub.md b/packages/aws/docs/securityhub.md index 1492b79fd54..94e80b8aaa4 100644 --- a/packages/aws/docs/securityhub.md +++ b/packages/aws/docs/securityhub.md 
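Review bot: `ctx.orchestrator.cluster.url.add(res.Details.AwsEksCluster.Endpoint)` is reached for any `AwsEksCluster` resource that carries an `Endpoint`, but unlike `cluster.version`, `resource.id`, `resource.name` and `resource.type`, `cluster.url` is never initialised as a list in this hunk or the preceding one, so the first such finding throws a NullPointerException from the script unless the initialisation lives outside the hunks. Add next to the others: `if (ctx.orchestrator.cluster.url == null) { ctx.orchestrator.cluster.url = new ArrayList(); }`. The EKS sample in the test log has no `Endpoint`, so the pipeline test would not catch this. The `res.Type.startsWith(...)` checks likewise assume `Type` is non-null, unlike the `res.Type == '...'` comparisons around them.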
@@ -526,6 +526,7 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur | aws.securityhub_findings.aws_account_id | The Amazon Web Services account ID that a finding is generated in. | keyword | | aws.securityhub_findings.company.name | The name of the company for the product that generated the finding. | keyword | | aws.securityhub_findings.compliance.related_requirements | For a control, the industry or regulatory framework requirements that are related to the control. | keyword | +| aws.securityhub_findings.compliance.security_control_id | Unique identifier of a control across standards. | keyword | | aws.securityhub_findings.compliance.status | The result of a standards check. | keyword | | aws.securityhub_findings.compliance.status_reasons.description | The corresponding description for the status reason code. | keyword | | aws.securityhub_findings.compliance.status_reasons.reason_code | A code that represents a reason for the control status. | keyword | From 866e8c9d5e387c90f9919a40728c01a8beb551cf Mon Sep 17 00:00:00 2001 From: kcreddy Date: Fri, 20 Sep 2024 16:21:32 +0530 Subject: [PATCH 05/28] Consider multiple resources --- ...est-securityhub-findings.log-expected.json | 220 +++++++++++++----- .../elasticsearch/ingest_pipeline/default.yml | 67 ++++-- 2 files changed, 209 insertions(+), 78 deletions(-) diff --git a/packages/aws/data_stream/securityhub_findings/_dev/test/pipeline/test-securityhub-findings.log-expected.json b/packages/aws/data_stream/securityhub_findings/_dev/test/pipeline/test-securityhub-findings.log-expected.json index 095422ae78e..3f0f9510a3e 100644 --- a/packages/aws/data_stream/securityhub_findings/_dev/test/pipeline/test-securityhub-findings.log-expected.json +++ b/packages/aws/data_stream/securityhub_findings/_dev/test/pipeline/test-securityhub-findings.log-expected.json 
@@ -359,8 +359,12 @@ "id": "111111111111" }, "instance": { - "id": "i-cafebabe", - "name": "i-cafebabe" + "id": [ + "i-cafebabe" + ], + "name": [ + "i-cafebabe" + ] }, "provider": "aws", "region": "us-east-1" @@ -421,9 +425,15 @@ ] }, "resource": { - "id": "i-cafebabe", - "name": "i-cafebabe", - "type": "AwsEc2Instance" + "id": [ + "i-cafebabe" + ], + "name": [ + "i-cafebabe" + ], + "type": [ + "AwsEc2Instance" + ] }, "result": { "evaluation": "passed" @@ -840,8 +850,12 @@ "id": "111111111111" }, "instance": { - "id": "i-cafebabe", - "name": "i-cafebabe" + "id": [ + "i-cafebabe" + ], + "name": [ + "i-cafebabe" + ] }, "provider": "aws", "region": "us-east-1" @@ -902,9 +916,15 @@ ] }, "resource": { - "id": "i-cafebabe", - "name": "i-cafebabe", - "type": "AwsEc2Instance" + "id": [ + "i-cafebabe" + ], + "name": [ + "i-cafebabe" + ], + "type": [ + "AwsEc2Instance" + ] }, "result": { "evaluation": "passed" @@ -1076,8 +1096,12 @@ "id": "xxx" }, "instance": { - "id": "xxx", - "name": "xxx" + "id": [ + "xxx" + ], + "name": [ + "xxx" + ] }, "provider": "aws", "region": "us-east-1" @@ -1110,9 +1134,15 @@ "name": "AWS" }, "resource": { - "id": "xxx", - "name": "xxx", - "type": "AwsEc2Instance" + "id": [ + "xxx" + ], + "name": [ + "xxx" + ], + "type": [ + "AwsEc2Instance" + ] }, "result": { "evaluation": "failed" @@ -1250,9 +1280,15 @@ "name": "AWS" }, "resource": { - "id": "xxx", - "name": "xxx", - "type": "AwsEc2Volume" + "id": [ + "xxx" + ], + "name": [ + "xxx" + ], + "type": [ + "AwsEc2Volume" + ] }, "result": { "evaluation": "unknown" @@ -1392,13 +1428,19 @@ "id": "111111111111" }, "instance": { - "id": "arn:aws:ec2:ap-south-1:111111111111:instance/i-0e2ede89308a594d7", - "name": "i-0e2ede89308a594d7" + "id": [ + "arn:aws:ec2:ap-south-1:111111111111:instance/i-0e2ede89308a594d7" + ], + "name": [ + "i-0e2ede89308a594d7" + ] }, "provider": "aws", "region": "ap-south-1", "service": { - "name": "ec2" + "name": [ + "ec2" + ] } }, "ecs": { 
@@ -1430,9 +1472,15 @@ "name": "AWS" }, "resource": { - "id": "arn:aws:ec2:ap-south-1:111111111111:instance/i-0e2ede89308a594d7", - "name": "i-0e2ede89308a594d7", - "type": "AwsEc2Instance" + "id": [ + "arn:aws:ec2:ap-south-1:111111111111:instance/i-0e2ede89308a594d7" + ], + "name": [ + "i-0e2ede89308a594d7" + ], + "type": [ + "AwsEc2Instance" + ] }, "result": { "evaluation": "passed" @@ -1561,7 +1609,9 @@ "provider": "aws", "region": "ap-south-1", "service": { - "name": "s3" + "name": [ + "s3" + ] } }, "ecs": { @@ -1588,9 +1638,15 @@ "name": "AWS" }, "resource": { - "id": "arn:aws:s3:::s3-test-public-bucket", - "name": "s3-test-public-bucket", - "type": "AwsS3Bucket" + "id": [ + "arn:aws:s3:::s3-test-public-bucket" + ], + "name": [ + "s3-test-public-bucket" + ], + "type": [ + "AwsS3Bucket" + ] }, "result": { "evaluation": "failed" @@ -1735,7 +1791,9 @@ "provider": "aws", "region": "ap-south-1", "service": { - "name": "ec2" + "name": [ + "ec2" + ] } }, "ecs": { @@ -1762,9 +1820,15 @@ "name": "AWS" }, "resource": { - "id": "arn:aws:ec2:ap-south-1:111111111111:security-group/sg-0dbc9c6210a0a9c51", - "name": "sg-0dbc9c6210a0a9c51", - "type": "AwsEc2SecurityGroup" + "id": [ + "arn:aws:ec2:ap-south-1:111111111111:security-group/sg-0dbc9c6210a0a9c51" + ], + "name": [ + "sg-0dbc9c6210a0a9c51" + ], + "type": [ + "AwsEc2SecurityGroup" + ] }, "result": { "evaluation": "passed" @@ -1896,7 +1960,9 @@ "provider": "aws", "region": "ap-south-1", "service": { - "name": "ec2" + "name": [ + "ec2" + ] } }, "ecs": { @@ -1923,9 +1989,15 @@ "name": "AWS" }, "resource": { - "id": "arn:aws:ec2:ap-south-1:111111111111:volume/vol-03821fa7de881617e", - "name": "vol-03821fa7de881617e", - "type": "AwsEc2Volume" + "id": [ + "arn:aws:ec2:ap-south-1:111111111111:volume/vol-03821fa7de881617e" + ], + "name": [ + "vol-03821fa7de881617e" + ], + "type": [ + "AwsEc2Volume" + ] }, "result": { "evaluation": "failed" 
@@ -2057,7 +2129,9 @@ "provider": "aws", "region": "ap-south-1", "service": { - "name": "iam" + "name": [ + "iam" + ] } }, "ecs": { @@ -2084,9 +2158,15 @@ "name": "AWS" }, "resource": { - "id": "arn:aws:iam::111111111111:user/developers/devuser@dev.dev", - "name": "devuser@dev.dev", - "type": "AwsIamUser" + "id": [ + "arn:aws:iam::111111111111:user/developers/devuser@dev.dev" + ], + "name": [ + "devuser@dev.dev" + ], + "type": [ + "AwsIamUser" + ] }, "result": { "evaluation": "failed" @@ -2225,7 +2305,9 @@ "provider": "aws", "region": "ap-south-1", "service": { - "name": "eks" + "name": [ + "eks" + ] } }, "ecs": { @@ -2279,9 +2361,15 @@ "name": "AWS" }, "resource": { - "id": "arn:aws:eks:ap-south-1:111111111111:cluster/democluster", - "name": "democluster", - "type": "AwsEksCluster" + "id": [ + "arn:aws:eks:ap-south-1:111111111111:cluster/democluster" + ], + "name": [ + "democluster" + ], + "type": [ + "AwsEksCluster" + ] }, "result": { "evaluation": "failed" @@ -2418,9 +2506,15 @@ "name": "AWS" }, "resource": { - "id": "AWS::::Account:111111111111", - "name": "AWS::::Account:111111111111", - "type": "AwsAccount" + "id": [ + "AWS::::Account:111111111111" + ], + "name": [ + "AWS::::Account:111111111111" + ], + "type": [ + "AwsAccount" + ] }, "result": { "evaluation": "passed" @@ -2546,7 +2640,9 @@ "provider": "aws", "region": "ap-south-1", "service": { - "name": "ec2" + "name": [ + "ec2" + ] } }, "ecs": { @@ -2573,9 +2669,15 @@ "name": "AWS" }, "resource": { - "id": "arn:aws:ec2:ap-south-1:111111111111:subnet/subnet-c28c74b9", - "name": "subnet-c28c74b9", - "type": "AwsEc2Subnet" + "id": [ + "arn:aws:ec2:ap-south-1:111111111111:subnet/subnet-c28c74b9" + ], + "name": [ + "subnet-c28c74b9" + ], + "type": [ + "AwsEc2Subnet" + ] }, "result": { "evaluation": "failed" @@ -2711,7 +2813,9 @@ "provider": "aws", "region": "ap-south-1", "service": { - "name": "elasticloadbalancing" + "name": [ + "elasticloadbalancing" + ] } }, "ecs": { 
@@ -2738,9 +2842,15 @@ "name": "AWS" }, "resource": { - "id": "arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e", - "name": "894921ab8833ff1e", - "type": "AwsElbv2LoadBalancer" + "id": [ + "arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e" + ], + "name": [ + "894921ab8833ff1e" + ], + "type": [ + "AwsElbv2LoadBalancer" + ] }, "result": { "evaluation": "failed" diff --git a/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml b/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml index 428f64e040b..f1ae8063a21 100644 --- a/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml +++ b/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml 
@@ -1543,21 +1543,33 @@ processors: if: ctx.aws?.securityhub_findings?.resources instanceof List && ctx.aws.securityhub_findings.resources.size() > 0 source: |- def resources = ctx.aws.securityhub_findings.resources; - - // Extract resource field - if (ctx.resource == null) { - ctx.resource = new HashMap(); - } - ctx.resource.type = resources[0].Type; - ctx.resource.id = resources[0].Id; - if (resources[0].Details != null && resources[0].Details[ctx.resource.type]?.Name != null) { - ctx.resource.name = resources[0].Details[ctx.resource.type].Name; - } else { - String[] tokenList = ctx.resource.id.splitOnToken("/"); - ctx.resource.name = tokenList[tokenList.length - 1]; - } for (res in resources) { + // Extract resource field + if (ctx.resource == null) { + ctx.resource = new HashMap(); + } + if (ctx.resource.type == null) { + ctx.resource.type = new ArrayList(); + } + if (ctx.resource.id == null) { + ctx.resource.id = new ArrayList(); + } + if (ctx.resource.name == null) { + ctx.resource.name = new ArrayList(); + } + ctx.resource.type.add(res.Type); + ctx.resource.id.add(res.Id); + def res_name; + if (res.Details != null && res.Details[res.Type]?.Name != null) { + res_name = res.Details[res.Type].Name; + } else { + String[] tokenList = res.Id.splitOnToken("/"); + res_name = tokenList[tokenList.length - 1]; + } + ctx.resource.name.add(res_name); + + // Extract ECS user field if (ctx.user == null) { ctx.user = new HashMap(); 
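Review bot: The per-resource name fallback `String[] tokenList = res.Id.splitOnToken("/")` still assumes every resource has an `Id`, so a single entry without one aborts the script for the whole finding, even though the same loop guards `res.Id != null` before adding to `host.id`; the same unguarded `res.Id.splitOnToken(":")` appears in the cloud block of the `@@ -1662,20 +1674,29 @@` hunk below. Change the fallback to `} else if (res.Id != null) {` and guard the add with `if (res_name != null) { ctx.resource.name.add(res_name); }` so a missing name does not leave a null element in `resource.name`. The loop body continues outside the hunk.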
@@ -1645,9 +1657,9 @@ processors: ctx.orchestrator.cluster.url.add(res.Details.AwsEksCluster.Endpoint); } if (res.Type.startsWith('AwsEks') || res.Type.startsWith('AwsEcs')) { - ctx.orchestrator.resource.id.add(ctx.resource.id); - ctx.orchestrator.resource.name.add(ctx.resource.name); - ctx.orchestrator.resource.type.add(ctx.resource.type); + ctx.orchestrator.resource.id.add(res.Id); + ctx.orchestrator.resource.name.add(res_name); + ctx.orchestrator.resource.type.add(res.Type); if (res.Type.startsWith('AwsEks')) { ctx.orchestrator.type.add('kubernetes'); } else { @@ -1662,20 +1674,29 @@ processors: if (ctx.cloud.instance == null) { ctx.cloud.instance = new HashMap(); } + if (ctx.cloud.instance.id == null) { + ctx.cloud.instance.id = new ArrayList(); + } + if (ctx.cloud.instance.name == null) { + ctx.cloud.instance.name = new ArrayList(); + } if (ctx.cloud.service == null) { ctx.cloud.service = new HashMap(); } - if (res.Type == 'AwsEc2Instance') { - ctx.cloud.instance.id = ctx.resource.id; - ctx.cloud.instance.name = ctx.resource.name; - } - String[] cloud_service = ctx.resource.id.splitOnToken(":"); - if (cloud_service.length > 2) { - ctx.cloud.service.name = cloud_service[2]; + if (ctx.cloud.service.name == null) { + ctx.cloud.service.name = new ArrayList(); } if (ctx.cloud.availability_zone == null) { ctx.cloud.availability_zone = new ArrayList(); } + if (res.Type == 'AwsEc2Instance') { + ctx.cloud.instance.id.add(res.Id); + ctx.cloud.instance.name.add(res_name); + } + String[] cloud_service = res.Id.splitOnToken(":"); + if (cloud_service.length > 2) { + ctx.cloud.service.name.add(cloud_service[2]); + } if (['AwsEc2Subnet', 'AwsRedshiftCluster', 'AwsDmsReplicationInstance'].contains(res.Type) && res.Details != null && res.Details[res.Type]?.AvailabilityZone != null) { ctx.cloud.availability_zone.add(res.Details[res.Type].AvailabilityZone); } From 849e44456ed50adb83a8b444db7c2a075596b28c Mon Sep 17 00:00:00 2001 
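Review bot: `ctx.cloud.service.name.add(cloud_service[2])` and `ctx.orchestrator.type.add(...)` append once per resource, so a finding with two resources of the same service (the multi-load-balancer sample added in the next patch has two `arn:aws:elasticloadbalancing:...` ids) produces `["elasticloadbalancing", "elasticloadbalancing"]` unless something later in the pipeline deduplicates lists. Guard each add with a membership check, e.g. `if (!ctx.cloud.service.name.contains(cloud_service[2])) { ctx.cloud.service.name.add(cloud_service[2]); }`. Note also that `cloud.instance.id`, `cloud.instance.name` and `cloud.service.name` are single-valued in ECS; the keyword mapping will accept arrays, but a comment in the script such as `// multi-valued: one entry per finding resource` would make the deviation deliberate for the next maintainer. The loop body begins outside the hunk.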
From: kcreddy Date: Mon, 23 Sep 2024 11:36:39 +0530 Subject: [PATCH 06/28] Split single and multiple resource logic. Add multiple resources test. --- .../pipeline/test-securityhub-findings.log | 3 +- ...est-securityhub-findings.log-expected.json | 471 ++++++++++-------- .../elasticsearch/ingest_pipeline/default.yml | 274 +++++++--- 3 files changed, 469 insertions(+), 279 deletions(-) diff --git a/packages/aws/data_stream/securityhub_findings/_dev/test/pipeline/test-securityhub-findings.log b/packages/aws/data_stream/securityhub_findings/_dev/test/pipeline/test-securityhub-findings.log index b25ea22c1b0..3397ee49d79 100644 --- a/packages/aws/data_stream/securityhub_findings/_dev/test/pipeline/test-securityhub-findings.log +++ b/packages/aws/data_stream/securityhub_findings/_dev/test/pipeline/test-securityhub-findings.log 
@@ -10,4 +10,5 @@ {"AwsAccountId":"111111111111","CompanyName":"AWS","Compliance":{"SecurityControlId":"EKS.1","Status":"FAILED"},"CreatedAt":"2024-09-11T12:40:36.785Z","Description":"This control checks whether an Amazon EKS cluster endpoint is publicly accessible. The control fails if an EKS cluster has an endpoint that is publicly accessible.","FindingProviderFields":{"Severity":{"Label":"HIGH","Normalized":70,"Original":"HIGH"},"Types":["Software and Configuration Checks/Industry and Regulatory Standards"]},"FirstObservedAt":"2024-09-11T12:40:36.785Z","GeneratorId":"security-control/EKS.1","Id":"arn:aws:eks:ap-south-1:111111111111:cluster/democluster","LastObservedAt":"2024-09-15T16:48:57.829Z","ProcessedAt":"2024-09-15T16:48:59.493Z","ProductArn":"arn:aws:securityhub:ap-south-1::product/aws/securityhub","ProductFields":{"RelatedAWSResources:0/name":"securityhub-eks-endpoint-no-public-access-2dc35c63","RelatedAWSResources:0/type":"AWS::Config::ConfigRule","Resources:0/Id":"arn:aws:eks:ap-south-1:111111111111:cluster/democluster","aws/securityhub/CompanyName":"AWS","aws/securityhub/FindingId":"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/SSM.1/finding/12b0c84a-bba5-4fb4-bb36-3b0e62b1945c","aws/securityhub/ProductName":"Security Hub","aws/securityhub/annotation":"Cluster Endpoint of democluster is Publicly accessible"},"ProductName":"Security Hub","RecordState":"ACTIVE","Region":"ap-south-1","Remediation":{"Recommendation":{"Text":"For information on how to correct this issue, consult the AWS Security Hub controls 
documentation.","Url":"https://docs.aws.amazon.com/console/securityhub/EKS.1/remediation"}},"Resources":[{"Partition":"aws","Type":"AwsEksCluster","Details":{"AwsEksCluster":{"Version":"1.27","Arn":"arn:aws:eks:ap-south-1:111111111111:cluster/democluster","ResourcesVpcConfig":{"EndpointPublicAccess":true,"SecurityGroupIds":["sg-111"],"SubnetIds":["subnet-aaa","subnet-bbb"]},"RoleArn":"arn:aws:iam::111111111111:role/EKSClusterRole","Name":"democluster"}},"Region":"ap-south-1","Id":"arn:aws:eks:ap-south-1:111111111111:cluster/democluster","Tags":{"environment":"dev","managed_by":"terraform","project":"demo","team":"dev"}}],"SchemaVersion":"2018-10-08","Severity":{"Label":"HIGH","Normalized":70,"Original":"HIGH"},"Title":"EKS cluster endpoints should not be publicly accessible","Types":["Software and Configuration Checks/Industry and Regulatory Standards"],"UpdatedAt":"2024-09-15T16:48:45.279Z","Workflow":{"Status":"NEW"},"WorkflowState":"NEW"} {"AwsAccountId":"111111111111","CompanyName":"AWS","Compliance":{"AssociatedStandards":[{"StandardsId":"standards/cis-aws-foundations-benchmark/v/3.0.0"}],"RelatedRequirements":["CIS AWS Foundations Benchmark v3.0.0/1.22"],"SecurityControlId":"IAM.27","Status":"PASSED","StatusReasons":[{"Description":"AWS Config evaluated your resources against the rule. The rule did not apply to the AWS resources in its scope, the specified resources were deleted, or the evaluation results were deleted.","ReasonCode":"CONFIG_EVALUATIONS_EMPTY"}]},"CreatedAt":"2024-08-14T12:11:57.803Z","Description":"This control checks whether an IAM identity (user, role, or group) has the AWS managed policy AWSCloudShellFullAccess attached. 
The control fails if an IAM identity has the AWSCloudShellFullAccess policy attached.","FindingProviderFields":{"Severity":{"Label":"INFORMATIONAL","Normalized":0,"Original":"INFORMATIONAL"},"Types":["Software and Configuration Checks/Industry and Regulatory Standards"]},"FirstObservedAt":"2024-08-14T12:11:57.803Z","GeneratorId":"security-control/IAM.27","Id":"arn:aws:securityhub:ap-south-1:111111111111:security-control/IAM.27/finding/9ec777ec-6a92-416f-a27c-fa22b5827b6f","LastObservedAt":"2024-09-11T07:53:19.500Z","ProcessedAt":"2024-09-11T07:53:27.460Z","ProductArn":"arn:aws:securityhub:ap-south-1::product/aws/securityhub","ProductFields":{"RelatedAWSResources:0/name":"securityhub-iam-policy-blacklisted-check-0ab52b49","RelatedAWSResources:0/type":"AWS::Config::ConfigRule","Resources:0/Id":"arn:aws:iam::111111111111:root","aws/securityhub/CompanyName":"AWS","aws/securityhub/FindingId":"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/IAM.27/finding/9ec777ec-6a92-416f-a27c-fa22b5827b6f","aws/securityhub/ProductName":"Security Hub","aws/securityhub/annotation":"AWS Config evaluated your resources against the rule. 
The rule did not apply to the AWS resources in its scope, the specified resources were deleted, or the evaluation results were deleted."},"ProductName":"Security Hub","RecordState":"ACTIVE","Region":"ap-south-1","Remediation":{"Recommendation":{"Text":"For information on how to correct this issue, consult the AWS Security Hub controls documentation.","Url":"https://docs.aws.amazon.com/console/securityhub/IAM.27/remediation"}},"Resources":[{"Id":"AWS::::Account:111111111111","Partition":"aws","Region":"ap-south-1","Type":"AwsAccount"}],"SchemaVersion":"2018-10-08","Severity":{"Label":"INFORMATIONAL","Normalized":0,"Original":"INFORMATIONAL"},"Title":"IAM identities should not have the AWSCloudShellFullAccess policy attached","Types":["Software and Configuration Checks/Industry and Regulatory Standards"],"UpdatedAt":"2024-09-11T07:53:19.500Z","Workflow":{"Status":"RESOLVED"},"WorkflowState":"NEW"} {"AwsAccountId":"111111111111","CompanyName":"AWS","Compliance":{"AssociatedStandards":[{"StandardsId":"standards/aws-resource-tagging-standard/v/1.0.0"}],"SecurityControlId":"EC2.44","SecurityControlParameters":[{"Name":"requiredTagKeys","Value":[]}],"Status":"FAILED"},"CreatedAt":"2024-08-14T10:14:50.020Z","Description":"This control checks whether an Amazon EC2 subnet has tags with the specific keys defined in the parameter requiredTagKeys. The control fails if the subnet doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter requiredTagKeys. If the parameter requiredTagKeys isn't provided, the control only checks for the existence of a tag key and fails if the subnet isn't tagged with any key. 
System tags, which are automatically applied and begin with aws:, are ignored.","FindingProviderFields":{"Severity":{"Label":"LOW","Normalized":1,"Original":"LOW"},"Types":["Software and Configuration Checks/Industry and Regulatory Standards"]},"FirstObservedAt":"2024-08-14T10:14:50.020Z","GeneratorId":"security-control/EC2.44","Id":"arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.44/finding/0397ae8e-d2b2-4a75-964f-fde027670405","LastObservedAt":"2024-09-13T22:50:24.617Z","ProcessedAt":"2024-09-13T22:50:27.295Z","ProductArn":"arn:aws:securityhub:ap-south-1::product/aws/securityhub","ProductFields":{"RelatedAWSResources:0/name":"securityhub-tagged-ec2-subnet-4c30afd3","RelatedAWSResources:0/type":"AWS::Config::ConfigRule","Resources:0/Id":"arn:aws:ec2:ap-south-1:111111111111:subnet/subnet-c28c74b9","aws/securityhub/CompanyName":"AWS","aws/securityhub/FindingId":"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.44/finding/0397ae8e-d2b2-4a75-964f-fde027670405","aws/securityhub/ProductName":"Security Hub","aws/securityhub/annotation":"No tags are present."},"ProductName":"Security Hub","RecordState":"ACTIVE","Region":"ap-south-1","Remediation":{"Recommendation":{"Text":"For information on how to correct this issue, consult the AWS Security Hub controls 
documentation.","Url":"https://docs.aws.amazon.com/console/securityhub/EC2.44/remediation"}},"Resources":[{"Details":{"AwsEc2Subnet":{"AssignIpv6AddressOnCreation":false,"AvailabilityZone":"ap-south-1c","AvailabilityZoneId":"aps1-az2","AvailableIpAddressCount":4091,"CidrBlock":"171.32.32.0/20","DefaultForAz":true,"MapPublicIpOnLaunch":true,"OwnerId":"111111111111","State":"available","SubnetArn":"arn:aws:ec2:ap-south-1:111111111111:subnet/subnet-c19c74b9","SubnetId":"subnet-c19c74b9","VpcId":"vpc-39017152"}},"Id":"arn:aws:ec2:ap-south-1:111111111111:subnet/subnet-c28c74b9","Partition":"aws","Region":"ap-south-1","Type":"AwsEc2Subnet"}],"SchemaVersion":"2018-10-08","Severity":{"Label":"LOW","Normalized":1,"Original":"LOW"},"Title":"EC2 subnets should be tagged","Types":["Software and Configuration Checks/Industry and Regulatory Standards"],"UpdatedAt":"2024-09-13T22:50:15.737Z","Workflow":{"Status":"NEW"},"WorkflowState":"NEW"} -{"AwsAccountId":"111111111111","CompanyName":"AWS","Compliance":{"SecurityControlId":"ELB.6","Status":"FAILED"},"CreatedAt":"2024-08-14T10:14:50.020Z","Description":"This control checks whether Application, Gateway, and Network Load Balancers have deletion protection enabled. 
The control fails if deletion protection is disabled.","FindingProviderFields":{"Severity":{"Label":"MEDIUM","Normalized":40,"Original":"MEDIUM"},"Types":["Software and Configuration Checks/Industry and Regulatory Standards"]},"FirstObservedAt":"2024-08-14T10:14:50.020Z","GeneratorId":"security-control/EC2.44","Id":"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e","LastObservedAt":"2024-09-13T22:50:24.617Z","ProcessedAt":"2024-09-13T22:50:27.295Z","ProductArn":"arn:aws:securityhub:ap-south-1::product/aws/securityhub","ProductFields":{"RelatedAWSResources:0/name":"securityhub-tagged-ec2-subnet-4c30afd3","RelatedAWSResources:0/type":"AWS::Config::ConfigRule","Resources:0/Id":"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e","aws/securityhub/CompanyName":"AWS","aws/securityhub/FindingId":"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/ELB.6/finding/9e7771db-5b77-48df-a103-1370cf6d401a","aws/securityhub/ProductName":"Security Hub","aws/securityhub/annotation":"No tags are present."},"ProductName":"Security Hub","RecordState":"ACTIVE","Region":"ap-south-1","Remediation":{"Recommendation":{"Text":"For information on how to correct this issue, consult the AWS Security Hub controls 
documentation.","Url":"https://docs.aws.amazon.com/console/securityhub/ELB.6/remediation"}},"Resources":[{"Partition":"aws","Type":"AwsElbv2LoadBalancer","Details":{"AwsElbv2LoadBalancer":{"IpAddressType":"ipv4","Type":"network","CreatedTime":"2024-04-17T21:35:20.303Z","Scheme":"internet-facing","VpcId":"vpc-132ddf1f407252a0a","CanonicalHostedZoneId":"ZLPOA36VPKAMP","AvailabilityZones":[{"ZoneName":"ap-south-1b","SubnetId":"subnet-aaa"},{"ZoneName":"ap-south-1a","SubnetId":"subnet-bbb"}],"State":{"Code":"active"},"DNSName":"a799f20cd3754462297d4874c25e67ae-894921ab8833ff1e.elb.ap-south-1.amazonaws.com"}},"Region":"ap-south-1","Id":"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e","Tags":{"kubernetes.io/service-name":"default/traefik","kubernetes.io/cluster/demo":"owned"}}],"SchemaVersion":"2018-10-08","Severity":{"Label":"LOW","Normalized":1,"Original":"LOW"},"Title":"EC2 subnets should be tagged","Types":["Software and Configuration Checks/Industry and Regulatory Standards"],"UpdatedAt":"2024-09-13T22:50:15.737Z","Workflow":{"Status":"NEW"},"WorkflowState":"NEW"} \ No newline at end of file +{"AwsAccountId":"111111111111","CompanyName":"AWS","Compliance":{"SecurityControlId":"ELB.6","Status":"FAILED"},"CreatedAt":"2024-08-14T10:14:50.020Z","Description":"This control checks whether Application, Gateway, and Network Load Balancers have deletion protection enabled. 
The control fails if deletion protection is disabled.","FindingProviderFields":{"Severity":{"Label":"MEDIUM","Normalized":40,"Original":"MEDIUM"},"Types":["Software and Configuration Checks/Industry and Regulatory Standards"]},"FirstObservedAt":"2024-08-14T10:14:50.020Z","GeneratorId":"security-control/EC2.44","Id":"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e","LastObservedAt":"2024-09-13T22:50:24.617Z","ProcessedAt":"2024-09-13T22:50:27.295Z","ProductArn":"arn:aws:securityhub:ap-south-1::product/aws/securityhub","ProductFields":{"RelatedAWSResources:0/name":"securityhub-tagged-ec2-subnet-4c30afd3","RelatedAWSResources:0/type":"AWS::Config::ConfigRule","Resources:0/Id":"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e","aws/securityhub/CompanyName":"AWS","aws/securityhub/FindingId":"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/ELB.6/finding/9e7771db-5b77-48df-a103-1370cf6d401a","aws/securityhub/ProductName":"Security Hub","aws/securityhub/annotation":"No tags are present."},"ProductName":"Security Hub","RecordState":"ACTIVE","Region":"ap-south-1","Remediation":{"Recommendation":{"Text":"For information on how to correct this issue, consult the AWS Security Hub controls 
documentation.","Url":"https://docs.aws.amazon.com/console/securityhub/ELB.6/remediation"}},"Resources":[{"Partition":"aws","Type":"AwsElbv2LoadBalancer","Details":{"AwsElbv2LoadBalancer":{"IpAddressType":"ipv4","Type":"network","CreatedTime":"2024-04-17T21:35:20.303Z","Scheme":"internet-facing","VpcId":"vpc-132ddf1f407252a0a","CanonicalHostedZoneId":"ZLPOA36VPKAMP","AvailabilityZones":[{"ZoneName":"ap-south-1b","SubnetId":"subnet-aaa"},{"ZoneName":"ap-south-1a","SubnetId":"subnet-bbb"}],"State":{"Code":"active"},"DNSName":"a799f20cd3754462297d4874c25e67ae-894921ab8833ff1e.elb.ap-south-1.amazonaws.com"}},"Region":"ap-south-1","Id":"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e","Tags":{"kubernetes.io/service-name":"default/traefik","kubernetes.io/cluster/demo":"owned"}}],"SchemaVersion":"2018-10-08","Severity":{"Label":"LOW","Normalized":1,"Original":"LOW"},"Title":"EC2 subnets should be tagged","Types":["Software and Configuration Checks/Industry and Regulatory Standards"],"UpdatedAt":"2024-09-13T22:50:15.737Z","Workflow":{"Status":"NEW"},"WorkflowState":"NEW"} +{"AwsAccountId":"111111111111","CompanyName":"AWS","Compliance":{"SecurityControlId":"ELB.6","Status":"FAILED"},"CreatedAt":"2024-08-14T10:14:50.020Z","Description":"This control checks whether Application, Gateway, and Network Load Balancers have deletion protection enabled. 
The control fails if deletion protection is disabled.","FindingProviderFields":{"Severity":{"Label":"MEDIUM","Normalized":40,"Original":"MEDIUM"},"Types":["Software and Configuration Checks/Industry and Regulatory Standards"]},"FirstObservedAt":"2024-08-14T10:14:50.020Z","GeneratorId":"security-control/EC2.44","Id":"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e","LastObservedAt":"2024-09-13T22:50:24.617Z","ProcessedAt":"2024-09-13T22:50:27.295Z","ProductArn":"arn:aws:securityhub:ap-south-1::product/aws/securityhub","ProductFields":{"RelatedAWSResources:0/name":"securityhub-tagged-ec2-subnet-4c30afd3","RelatedAWSResources:0/type":"AWS::Config::ConfigRule","Resources:0/Id":"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e","aws/securityhub/CompanyName":"AWS","aws/securityhub/FindingId":"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/ELB.6/finding/9e7771db-5b77-48df-a103-1370cf6d401a","aws/securityhub/ProductName":"Security Hub","aws/securityhub/annotation":"No tags are present."},"ProductName":"Security Hub","RecordState":"ACTIVE","Region":"ap-south-1","Remediation":{"Recommendation":{"Text":"For information on how to correct this issue, consult the AWS Security Hub controls 
documentation.","Url":"https://docs.aws.amazon.com/console/securityhub/ELB.6/remediation"}},"Resources":[{"Partition":"aws","Type":"AwsElbv2LoadBalancer","Details":{"AwsElbv2LoadBalancer":{"IpAddressType":"ipv4","Type":"network","CreatedTime":"2024-04-17T21:35:20.303Z","Scheme":"internet-facing","VpcId":"vpc-132ddf1f407252a0a","CanonicalHostedZoneId":"ZLPOA36VPKAMP","AvailabilityZones":[{"ZoneName":"ap-south-1b","SubnetId":"subnet-aaa"},{"ZoneName":"ap-south-1a","SubnetId":"subnet-bbb"}],"State":{"Code":"active"},"DNSName":"a799f20cd3754462297d4874c25e67ae-894921ab8833ff1e.elb.ap-south-1.amazonaws.com"}},"Region":"ap-south-1","Id":"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e","Tags":{"kubernetes.io/service-name":"default/traefik","kubernetes.io/cluster/demo":"owned"}},{"Partition":"aws","Type":"AwsElbv2LoadBalancer","Details":{"AwsElbv2LoadBalancer":{"IpAddressType":"ipv4","Type":"network","CreatedTime":"2024-04-18T21:35:20.303Z","Scheme":"internet-facing","VpcId":"vpc-132ddf1f407252a0a","CanonicalHostedZoneId":"ZLPOA36VPKAMP","AvailabilityZones":[{"ZoneName":"ap-south-1b","SubnetId":"subnet-aaa"},{"ZoneName":"ap-south-1a","SubnetId":"subnet-bbb"}],"State":{"Code":"active"},"DNSName":"a888f20cd3754462297d4874c25e67ae-994921ab8833ff1e.elb.ap-south-1.amazonaws.com"}},"Region":"ap-south-1","Id":"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a888f20cd3754462297d4874c25e67ae/994921ab8833ff1e","Tags":{"kubernetes.io/cluster/demo":"owned"}}],"SchemaVersion":"2018-10-08","Severity":{"Label":"LOW","Normalized":1,"Original":"LOW"},"Title":"EC2 subnets should be tagged","Types":["Software and Configuration Checks/Industry and Regulatory Standards"],"UpdatedAt":"2024-09-13T22:50:15.737Z","Workflow":{"Status":"NEW"},"WorkflowState":"NEW"} \ No newline at end of file 
diff --git a/packages/aws/data_stream/securityhub_findings/_dev/test/pipeline/test-securityhub-findings.log-expected.json b/packages/aws/data_stream/securityhub_findings/_dev/test/pipeline/test-securityhub-findings.log-expected.json index 3f0f9510a3e..b03fed1ed5a 100644 --- a/packages/aws/data_stream/securityhub_findings/_dev/test/pipeline/test-securityhub-findings.log-expected.json +++ b/packages/aws/data_stream/securityhub_findings/_dev/test/pipeline/test-securityhub-findings.log-expected.json @@ -359,12 +359,8 @@ "id": "111111111111" }, "instance": { - "id": [ - "i-cafebabe" - ], - "name": [ - "i-cafebabe" - ] + "id": "i-cafebabe", + "name": "i-cafebabe" }, "provider": "aws", "region": "us-east-1" @@ -394,9 +390,7 @@ ] }, "host": { - "id": [ - "i-cafebabe" - ] + "id": "i-cafebabe" }, "network": { "direction": "inbound", @@ -425,15 +419,9 @@ ] }, "resource": { - "id": [ - "i-cafebabe" - ], - "name": [ - "i-cafebabe" - ], - "type": [ - "AwsEc2Instance" - ] + "id": "i-cafebabe", + "name": "i-cafebabe", + "type": "AwsEc2Instance" }, "result": { "evaluation": "passed" @@ -850,12 +838,8 @@ "id": "111111111111" }, "instance": { - "id": [ - "i-cafebabe" - ], - "name": [ - "i-cafebabe" - ] + "id": "i-cafebabe", + "name": "i-cafebabe" }, "provider": "aws", "region": "us-east-1" @@ -885,9 +869,7 @@ ] }, "host": { - "id": [ - "i-cafebabe" - ] + "id": "i-cafebabe" }, "network": { "direction": "inbound", @@ -916,15 +898,9 @@ ] }, "resource": { - "id": [ - "i-cafebabe" - ], - "name": [ - "i-cafebabe" - ], - "type": [ - "AwsEc2Instance" - ] + "id": "i-cafebabe", + "name": "i-cafebabe", + "type": "AwsEc2Instance" }, "result": { "evaluation": "passed" @@ -1096,12 +1072,8 @@ "id": "xxx" }, "instance": { - "id": [ - "xxx" - ], - "name": [ - "xxx" - ] + "id": "xxx", + "name": "xxx" }, "provider": "aws", "region": "us-east-1" @@ -1123,9 +1095,7 @@ ] }, "host": { - "id": [ - "xxx" - ] + "id": "xxx" }, "observer": { "vendor": "AWS Security Hub" 
@@ -1134,15 +1104,9 @@ "name": "AWS" }, "resource": { - "id": [ - "xxx" - ], - "name": [ - "xxx" - ], - "type": [ - "AwsEc2Instance" - ] + "id": "xxx", + "name": "xxx", + "type": "AwsEc2Instance" }, "result": { "evaluation": "failed" @@ -1280,15 +1244,9 @@ "name": "AWS" }, "resource": { - "id": [ - "xxx" - ], - "name": [ - "xxx" - ], - "type": [ - "AwsEc2Volume" - ] + "id": "xxx", + "name": "xxx", + "type": "AwsEc2Volume" }, "result": { "evaluation": "unknown" @@ -1428,19 +1386,13 @@ "id": "111111111111" }, "instance": { - "id": [ - "arn:aws:ec2:ap-south-1:111111111111:instance/i-0e2ede89308a594d7" - ], - "name": [ - "i-0e2ede89308a594d7" - ] + "id": "arn:aws:ec2:ap-south-1:111111111111:instance/i-0e2ede89308a594d7", + "name": "i-0e2ede89308a594d7" }, "provider": "aws", "region": "ap-south-1", "service": { - "name": [ - "ec2" - ] + "name": "ec2" } }, "ecs": { @@ -1461,9 +1413,7 @@ ] }, "host": { - "id": [ - "arn:aws:ec2:ap-south-1:111111111111:instance/i-0e2ede89308a594d7" - ] + "id": "arn:aws:ec2:ap-south-1:111111111111:instance/i-0e2ede89308a594d7" }, "observer": { "vendor": "AWS Security Hub" @@ -1472,15 +1422,9 @@ "name": "AWS" }, "resource": { - "id": [ - "arn:aws:ec2:ap-south-1:111111111111:instance/i-0e2ede89308a594d7" - ], - "name": [ - "i-0e2ede89308a594d7" - ], - "type": [ - "AwsEc2Instance" - ] + "id": "arn:aws:ec2:ap-south-1:111111111111:instance/i-0e2ede89308a594d7", + "name": "i-0e2ede89308a594d7", + "type": "AwsEc2Instance" }, "result": { "evaluation": "passed" @@ -1609,9 +1553,7 @@ "provider": "aws", "region": "ap-south-1", "service": { - "name": [ - "s3" - ] + "name": "s3" } }, "ecs": { @@ -1638,15 +1580,9 @@ "name": "AWS" }, "resource": { - "id": [ - "arn:aws:s3:::s3-test-public-bucket" - ], - "name": [ - "s3-test-public-bucket" - ], - "type": [ - "AwsS3Bucket" - ] + "id": "arn:aws:s3:::s3-test-public-bucket", + "name": "s3-test-public-bucket", + "type": "AwsS3Bucket" }, "result": { "evaluation": "failed" 
@@ -1675,9 +1611,7 @@ "preserve_duplicate_custom_fields" ], "user": { - "id": [ - "e106g9b5e13878d5133aadfac8a012130c4260091100b311ed476f9e77cdca46" - ] + "id": "e106g9b5e13878d5133aadfac8a012130c4260091100b311ed476f9e77cdca46" } }, { @@ -1791,9 +1725,7 @@ "provider": "aws", "region": "ap-south-1", "service": { - "name": [ - "ec2" - ] + "name": "ec2" } }, "ecs": { @@ -1820,15 +1752,9 @@ "name": "AWS" }, "resource": { - "id": [ - "arn:aws:ec2:ap-south-1:111111111111:security-group/sg-0dbc9c6210a0a9c51" - ], - "name": [ - "sg-0dbc9c6210a0a9c51" - ], - "type": [ - "AwsEc2SecurityGroup" - ] + "id": "arn:aws:ec2:ap-south-1:111111111111:security-group/sg-0dbc9c6210a0a9c51", + "name": "sg-0dbc9c6210a0a9c51", + "type": "AwsEc2SecurityGroup" }, "result": { "evaluation": "passed" @@ -1960,9 +1886,7 @@ "provider": "aws", "region": "ap-south-1", "service": { - "name": [ - "ec2" - ] + "name": "ec2" } }, "ecs": { @@ -1989,15 +1913,9 @@ "name": "AWS" }, "resource": { - "id": [ - "arn:aws:ec2:ap-south-1:111111111111:volume/vol-03821fa7de881617e" - ], - "name": [ - "vol-03821fa7de881617e" - ], - "type": [ - "AwsEc2Volume" - ] + "id": "arn:aws:ec2:ap-south-1:111111111111:volume/vol-03821fa7de881617e", + "name": "vol-03821fa7de881617e", + "type": "AwsEc2Volume" }, "result": { "evaluation": "failed" @@ -2129,9 +2047,7 @@ "provider": "aws", "region": "ap-south-1", "service": { - "name": [ - "iam" - ] + "name": "iam" } }, "ecs": { @@ -2158,15 +2074,9 @@ "name": "AWS" }, "resource": { - "id": [ - "arn:aws:iam::111111111111:user/developers/devuser@dev.dev" - ], - "name": [ - "devuser@dev.dev" - ], - "type": [ - "AwsIamUser" - ] + "id": "arn:aws:iam::111111111111:user/developers/devuser@dev.dev", + "name": "devuser@dev.dev", + "type": "AwsIamUser" }, "result": { "evaluation": "failed" @@ -2187,12 +2097,8 @@ "preserve_duplicate_custom_fields" ], "user": { - "id": [ - "DevUserId" - ], - "name": [ - "Dev UserName" - ] + "id": "DevUserId", + "name": "Dev UserName" } }, { 
@@ -2305,9 +2211,7 @@ "provider": "aws", "region": "ap-south-1", "service": { - "name": [ - "eks" - ] + "name": "eks" } }, "ecs": { @@ -2332,44 +2236,24 @@ }, "orchestrator": { "cluster": { - "id": [ - "arn:aws:eks:ap-south-1:111111111111:cluster/democluster" - ], - "name": [ - "democluster" - ], - "version": [ - "1.27" - ] + "id": "arn:aws:eks:ap-south-1:111111111111:cluster/democluster", + "name": "democluster", + "version": "1.27" }, "resource": { - "id": [ - "arn:aws:eks:ap-south-1:111111111111:cluster/democluster" - ], - "name": [ - "democluster" - ], - "type": [ - "AwsEksCluster" - ] + "id": "arn:aws:eks:ap-south-1:111111111111:cluster/democluster", + "name": "democluster", + "type": "AwsEksCluster" }, - "type": [ - "kubernetes" - ] + "type": "kubernetes" }, "organization": { "name": "AWS" }, "resource": { - "id": [ - "arn:aws:eks:ap-south-1:111111111111:cluster/democluster" - ], - "name": [ - "democluster" - ], - "type": [ - "AwsEksCluster" - ] + "id": "arn:aws:eks:ap-south-1:111111111111:cluster/democluster", + "name": "democluster", + "type": "AwsEksCluster" }, "result": { "evaluation": "failed" @@ -2506,15 +2390,9 @@ "name": "AWS" }, "resource": { - "id": [ - "AWS::::Account:111111111111" - ], - "name": [ - "AWS::::Account:111111111111" - ], - "type": [ - "AwsAccount" - ] + "id": "AWS::::Account:111111111111", + "name": "AWS::::Account:111111111111", + "type": "AwsAccount" }, "result": { "evaluation": "passed" @@ -2634,15 +2512,11 @@ "account": { "id": "111111111111" }, - "availability_zone": [ - "ap-south-1c" - ], + "availability_zone": "ap-south-1c", "provider": "aws", "region": "ap-south-1", "service": { - "name": [ - "ec2" - ] + "name": "ec2" } }, "ecs": { 
@@ -2669,15 +2543,9 @@ "name": "AWS" }, "resource": { - "id": [ - "arn:aws:ec2:ap-south-1:111111111111:subnet/subnet-c28c74b9" - ], - "name": [ - "subnet-c28c74b9" - ], - "type": [ - "AwsEc2Subnet" - ] + "id": "arn:aws:ec2:ap-south-1:111111111111:subnet/subnet-c28c74b9", + "name": "subnet-c28c74b9", + "type": "AwsEc2Subnet" }, "result": { "evaluation": "failed" 
@@ -2802,11 +2670,208 @@ } } }, + "cloud": { + "account": { + "id": "111111111111" + }, + "availability_zone": "ap-south-1a", + "provider": "aws", + "region": "ap-south-1", + "service": { + "name": "elasticloadbalancing" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "configuration" + ], + "created": "2024-09-13T22:50:27.295Z", + "id": "arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e", + "kind": "state", + "original": "{\"AwsAccountId\":\"111111111111\",\"CompanyName\":\"AWS\",\"Compliance\":{\"SecurityControlId\":\"ELB.6\",\"Status\":\"FAILED\"},\"CreatedAt\":\"2024-08-14T10:14:50.020Z\",\"Description\":\"This control checks whether Application, Gateway, and Network Load Balancers have deletion protection enabled. The control fails if deletion protection is disabled.\",\"FindingProviderFields\":{\"Severity\":{\"Label\":\"MEDIUM\",\"Normalized\":40,\"Original\":\"MEDIUM\"},\"Types\":[\"Software and Configuration Checks/Industry and Regulatory 
Standards\"]},\"FirstObservedAt\":\"2024-08-14T10:14:50.020Z\",\"GeneratorId\":\"security-control/EC2.44\",\"Id\":\"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e\",\"LastObservedAt\":\"2024-09-13T22:50:24.617Z\",\"ProcessedAt\":\"2024-09-13T22:50:27.295Z\",\"ProductArn\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub\",\"ProductFields\":{\"RelatedAWSResources:0/name\":\"securityhub-tagged-ec2-subnet-4c30afd3\",\"RelatedAWSResources:0/type\":\"AWS::Config::ConfigRule\",\"Resources:0/Id\":\"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e\",\"aws/securityhub/CompanyName\":\"AWS\",\"aws/securityhub/FindingId\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/ELB.6/finding/9e7771db-5b77-48df-a103-1370cf6d401a\",\"aws/securityhub/ProductName\":\"Security Hub\",\"aws/securityhub/annotation\":\"No tags are present.\"},\"ProductName\":\"Security Hub\",\"RecordState\":\"ACTIVE\",\"Region\":\"ap-south-1\",\"Remediation\":{\"Recommendation\":{\"Text\":\"For information on how to correct this issue, consult the AWS Security Hub controls 
documentation.\",\"Url\":\"https://docs.aws.amazon.com/console/securityhub/ELB.6/remediation\"}},\"Resources\":[{\"Partition\":\"aws\",\"Type\":\"AwsElbv2LoadBalancer\",\"Details\":{\"AwsElbv2LoadBalancer\":{\"IpAddressType\":\"ipv4\",\"Type\":\"network\",\"CreatedTime\":\"2024-04-17T21:35:20.303Z\",\"Scheme\":\"internet-facing\",\"VpcId\":\"vpc-132ddf1f407252a0a\",\"CanonicalHostedZoneId\":\"ZLPOA36VPKAMP\",\"AvailabilityZones\":[{\"ZoneName\":\"ap-south-1b\",\"SubnetId\":\"subnet-aaa\"},{\"ZoneName\":\"ap-south-1a\",\"SubnetId\":\"subnet-bbb\"}],\"State\":{\"Code\":\"active\"},\"DNSName\":\"a799f20cd3754462297d4874c25e67ae-894921ab8833ff1e.elb.ap-south-1.amazonaws.com\"}},\"Region\":\"ap-south-1\",\"Id\":\"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e\",\"Tags\":{\"kubernetes.io/service-name\":\"default/traefik\",\"kubernetes.io/cluster/demo\":\"owned\"}}],\"SchemaVersion\":\"2018-10-08\",\"Severity\":{\"Label\":\"LOW\",\"Normalized\":1,\"Original\":\"LOW\"},\"Title\":\"EC2 subnets should be tagged\",\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"],\"UpdatedAt\":\"2024-09-13T22:50:15.737Z\",\"Workflow\":{\"Status\":\"NEW\"},\"WorkflowState\":\"NEW\"}", + "outcome": "failure", + "severity": 1, + "type": [ + "info" + ] + }, + "observer": { + "vendor": "AWS Security Hub" + }, + "organization": { + "name": "AWS" + }, + "resource": { + "id": "arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e", + "name": "894921ab8833ff1e", + "type": "AwsElbv2LoadBalancer" + }, + "result": { + "evaluation": "failed" + }, + "rule": { + "description": "This control checks whether Application, Gateway, and Network Load Balancers have deletion protection enabled. 
The control fails if deletion protection is disabled.", + "id": "security-control/EC2.44", + "name": "EC2 subnets should be tagged", + "reference": "https://docs.aws.amazon.com/console/securityhub/ELB.6/remediation", + "references": "https://docs.aws.amazon.com/console/securityhub/ELB.6/remediation", + "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation. \\n https://docs.aws.amazon.com/console/securityhub/ELB.6/remediation" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2024-09-13T22:50:15.737Z", + "aws": { + "securityhub_findings": { + "aws_account_id": "111111111111", + "company": { + "name": "AWS" + }, + "compliance": { + "security_control_id": "ELB.6", + "status": "FAILED" + }, + "created_at": "2024-08-14T10:14:50.020Z", + "description": "This control checks whether Application, Gateway, and Network Load Balancers have deletion protection enabled. The control fails if deletion protection is disabled.", + "first_observed_at": "2024-08-14T10:14:50.020Z", + "generator": { + "id": "security-control/EC2.44" + }, + "id": "arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e", + "last_observed_at": "2024-09-13T22:50:24.617Z", + "processed_at": "2024-09-13T22:50:27.295Z", + "product": { + "arn": "arn:aws:securityhub:ap-south-1::product/aws/securityhub", + "fields": { + "RelatedAWSResources:0/name": "securityhub-tagged-ec2-subnet-4c30afd3", + "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", + "Resources:0/Id": "arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e", + "aws/securityhub/CompanyName": "AWS", + "aws/securityhub/FindingId": "arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/ELB.6/finding/9e7771db-5b77-48df-a103-1370cf6d401a", + 
"aws/securityhub/ProductName": "Security Hub", + "aws/securityhub/annotation": "No tags are present." + }, + "name": "Security Hub" + }, + "provider_fields": { + "severity": { + "label": "MEDIUM", + "normalized": "40", + "original": "MEDIUM" + }, + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ] + }, + "record_state": "ACTIVE", + "region": "ap-south-1", + "remediation": { + "recommendation": { + "text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", + "url": "https://docs.aws.amazon.com/console/securityhub/ELB.6/remediation" + } + }, + "resources": [ + { + "Details": { + "AwsElbv2LoadBalancer": { + "AvailabilityZones": [ + { + "SubnetId": "subnet-aaa", + "ZoneName": "ap-south-1b" + }, + { + "SubnetId": "subnet-bbb", + "ZoneName": "ap-south-1a" + } + ], + "CanonicalHostedZoneId": "ZLPOA36VPKAMP", + "CreatedTime": "2024-04-17T21:35:20.303Z", + "DNSName": "a799f20cd3754462297d4874c25e67ae-894921ab8833ff1e.elb.ap-south-1.amazonaws.com", + "IpAddressType": "ipv4", + "Scheme": "internet-facing", + "State": { + "Code": "active" + }, + "Type": "network", + "VpcId": "vpc-132ddf1f407252a0a" + } + }, + "Id": "arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e", + "Partition": "aws", + "Region": "ap-south-1", + "Tags": { + "kubernetes.io/cluster/demo": "owned", + "kubernetes.io/service-name": "default/traefik" + }, + "Type": "AwsElbv2LoadBalancer" + }, + { + "Details": { + "AwsElbv2LoadBalancer": { + "AvailabilityZones": [ + { + "SubnetId": "subnet-aaa", + "ZoneName": "ap-south-1b" + }, + { + "SubnetId": "subnet-bbb", + "ZoneName": "ap-south-1a" + } + ], + "CanonicalHostedZoneId": "ZLPOA36VPKAMP", + "CreatedTime": "2024-04-18T21:35:20.303Z", + "DNSName": "a888f20cd3754462297d4874c25e67ae-994921ab8833ff1e.elb.ap-south-1.amazonaws.com", + "IpAddressType": "ipv4", + "Scheme": "internet-facing", + "State": { + "Code": 
"active" + }, + "Type": "network", + "VpcId": "vpc-132ddf1f407252a0a" + } + }, + "Id": "arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a888f20cd3754462297d4874c25e67ae/994921ab8833ff1e", + "Partition": "aws", + "Region": "ap-south-1", + "Tags": { + "kubernetes.io/cluster/demo": "owned" + }, + "Type": "AwsElbv2LoadBalancer" + } + ], + "schema": { + "version": "2018-10-08" + }, + "severity": { + "label": "LOW", + "normalized": "1", + "original": "LOW" + }, + "title": "EC2 subnets should be tagged", + "types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ], + "updated_at": "2024-09-13T22:50:15.737Z", + "workflow": { + "state": "NEW", + "status": "NEW" + } + } + }, "cloud": { "account": { "id": "111111111111" }, "availability_zone": [ + "ap-south-1b", + "ap-south-1a", "ap-south-1b", "ap-south-1a" ], @@ -2814,6 +2879,7 @@ "region": "ap-south-1", "service": { "name": [ + "elasticloadbalancing", "elasticloadbalancing" ] } 
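Review bot: The new single-resource document in this hunk expects `cloud.availability_zone` to be `"ap-south-1a"` although the load balancer's `AvailabilityZones` list both `ap-south-1b` and `ap-south-1a`, so the fixture enshrines the loss of one zone; the cause is visible in the single-resource script of default.yml (whose hunk ends outside this view), where `ctx.cloud.availability_zone = az.ZoneName;` inside a `for` loop overwrites the value on every iteration. A multi-zone resource should collect into a list instead, e.g. `def zones = new ArrayList(); for (def az: res.Details.AwsElbv2LoadBalancer.AvailabilityZones) { zones.add(az.ZoneName); } ctx.cloud.availability_zone = zones;`, with the same treatment for the other `AvailabilityZones` loops and this fixture regenerated afterwards. Two smaller points in the same document: `rule.remediation` expects the two characters `\\n` (a literal backslash-n, not a line break) between the text and the URL, which suggests the separator is escaped once too often in the pipeline, and `rule.reference` and `rule.references` carry the identical URL as scalars, so one of them looks redundant unless `rule.references` (presumably declared in the new fields/rule.yml) is meant to be multi-valued.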
@@ -2828,7 +2894,7 @@ "created": "2024-09-13T22:50:27.295Z", "id": "arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e", "kind": "state", - "original": "{\"AwsAccountId\":\"111111111111\",\"CompanyName\":\"AWS\",\"Compliance\":{\"SecurityControlId\":\"ELB.6\",\"Status\":\"FAILED\"},\"CreatedAt\":\"2024-08-14T10:14:50.020Z\",\"Description\":\"This control checks whether Application, Gateway, and Network Load Balancers have deletion protection enabled. The control fails if deletion protection is disabled.\",\"FindingProviderFields\":{\"Severity\":{\"Label\":\"MEDIUM\",\"Normalized\":40,\"Original\":\"MEDIUM\"},\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"]},\"FirstObservedAt\":\"2024-08-14T10:14:50.020Z\",\"GeneratorId\":\"security-control/EC2.44\",\"Id\":\"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e\",\"LastObservedAt\":\"2024-09-13T22:50:24.617Z\",\"ProcessedAt\":\"2024-09-13T22:50:27.295Z\",\"ProductArn\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub\",\"ProductFields\":{\"RelatedAWSResources:0/name\":\"securityhub-tagged-ec2-subnet-4c30afd3\",\"RelatedAWSResources:0/type\":\"AWS::Config::ConfigRule\",\"Resources:0/Id\":\"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e\",\"aws/securityhub/CompanyName\":\"AWS\",\"aws/securityhub/FindingId\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/ELB.6/finding/9e7771db-5b77-48df-a103-1370cf6d401a\",\"aws/securityhub/ProductName\":\"Security Hub\",\"aws/securityhub/annotation\":\"No tags are present.\"},\"ProductName\":\"Security Hub\",\"RecordState\":\"ACTIVE\",\"Region\":\"ap-south-1\",\"Remediation\":{\"Recommendation\":{\"Text\":\"For information on how to correct this issue, consult the 
AWS Security Hub controls documentation.\",\"Url\":\"https://docs.aws.amazon.com/console/securityhub/ELB.6/remediation\"}},\"Resources\":[{\"Partition\":\"aws\",\"Type\":\"AwsElbv2LoadBalancer\",\"Details\":{\"AwsElbv2LoadBalancer\":{\"IpAddressType\":\"ipv4\",\"Type\":\"network\",\"CreatedTime\":\"2024-04-17T21:35:20.303Z\",\"Scheme\":\"internet-facing\",\"VpcId\":\"vpc-132ddf1f407252a0a\",\"CanonicalHostedZoneId\":\"ZLPOA36VPKAMP\",\"AvailabilityZones\":[{\"ZoneName\":\"ap-south-1b\",\"SubnetId\":\"subnet-aaa\"},{\"ZoneName\":\"ap-south-1a\",\"SubnetId\":\"subnet-bbb\"}],\"State\":{\"Code\":\"active\"},\"DNSName\":\"a799f20cd3754462297d4874c25e67ae-894921ab8833ff1e.elb.ap-south-1.amazonaws.com\"}},\"Region\":\"ap-south-1\",\"Id\":\"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e\",\"Tags\":{\"kubernetes.io/service-name\":\"default/traefik\",\"kubernetes.io/cluster/demo\":\"owned\"}}],\"SchemaVersion\":\"2018-10-08\",\"Severity\":{\"Label\":\"LOW\",\"Normalized\":1,\"Original\":\"LOW\"},\"Title\":\"EC2 subnets should be tagged\",\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"],\"UpdatedAt\":\"2024-09-13T22:50:15.737Z\",\"Workflow\":{\"Status\":\"NEW\"},\"WorkflowState\":\"NEW\"}", + "original": "{\"AwsAccountId\":\"111111111111\",\"CompanyName\":\"AWS\",\"Compliance\":{\"SecurityControlId\":\"ELB.6\",\"Status\":\"FAILED\"},\"CreatedAt\":\"2024-08-14T10:14:50.020Z\",\"Description\":\"This control checks whether Application, Gateway, and Network Load Balancers have deletion protection enabled. 
The control fails if deletion protection is disabled.\",\"FindingProviderFields\":{\"Severity\":{\"Label\":\"MEDIUM\",\"Normalized\":40,\"Original\":\"MEDIUM\"},\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"]},\"FirstObservedAt\":\"2024-08-14T10:14:50.020Z\",\"GeneratorId\":\"security-control/EC2.44\",\"Id\":\"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e\",\"LastObservedAt\":\"2024-09-13T22:50:24.617Z\",\"ProcessedAt\":\"2024-09-13T22:50:27.295Z\",\"ProductArn\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub\",\"ProductFields\":{\"RelatedAWSResources:0/name\":\"securityhub-tagged-ec2-subnet-4c30afd3\",\"RelatedAWSResources:0/type\":\"AWS::Config::ConfigRule\",\"Resources:0/Id\":\"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e\",\"aws/securityhub/CompanyName\":\"AWS\",\"aws/securityhub/FindingId\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/ELB.6/finding/9e7771db-5b77-48df-a103-1370cf6d401a\",\"aws/securityhub/ProductName\":\"Security Hub\",\"aws/securityhub/annotation\":\"No tags are present.\"},\"ProductName\":\"Security Hub\",\"RecordState\":\"ACTIVE\",\"Region\":\"ap-south-1\",\"Remediation\":{\"Recommendation\":{\"Text\":\"For information on how to correct this issue, consult the AWS Security Hub controls 
documentation.\",\"Url\":\"https://docs.aws.amazon.com/console/securityhub/ELB.6/remediation\"}},\"Resources\":[{\"Partition\":\"aws\",\"Type\":\"AwsElbv2LoadBalancer\",\"Details\":{\"AwsElbv2LoadBalancer\":{\"IpAddressType\":\"ipv4\",\"Type\":\"network\",\"CreatedTime\":\"2024-04-17T21:35:20.303Z\",\"Scheme\":\"internet-facing\",\"VpcId\":\"vpc-132ddf1f407252a0a\",\"CanonicalHostedZoneId\":\"ZLPOA36VPKAMP\",\"AvailabilityZones\":[{\"ZoneName\":\"ap-south-1b\",\"SubnetId\":\"subnet-aaa\"},{\"ZoneName\":\"ap-south-1a\",\"SubnetId\":\"subnet-bbb\"}],\"State\":{\"Code\":\"active\"},\"DNSName\":\"a799f20cd3754462297d4874c25e67ae-894921ab8833ff1e.elb.ap-south-1.amazonaws.com\"}},\"Region\":\"ap-south-1\",\"Id\":\"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e\",\"Tags\":{\"kubernetes.io/service-name\":\"default/traefik\",\"kubernetes.io/cluster/demo\":\"owned\"}},{\"Partition\":\"aws\",\"Type\":\"AwsElbv2LoadBalancer\",\"Details\":{\"AwsElbv2LoadBalancer\":{\"IpAddressType\":\"ipv4\",\"Type\":\"network\",\"CreatedTime\":\"2024-04-18T21:35:20.303Z\",\"Scheme\":\"internet-facing\",\"VpcId\":\"vpc-132ddf1f407252a0a\",\"CanonicalHostedZoneId\":\"ZLPOA36VPKAMP\",\"AvailabilityZones\":[{\"ZoneName\":\"ap-south-1b\",\"SubnetId\":\"subnet-aaa\"},{\"ZoneName\":\"ap-south-1a\",\"SubnetId\":\"subnet-bbb\"}],\"State\":{\"Code\":\"active\"},\"DNSName\":\"a888f20cd3754462297d4874c25e67ae-994921ab8833ff1e.elb.ap-south-1.amazonaws.com\"}},\"Region\":\"ap-south-1\",\"Id\":\"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a888f20cd3754462297d4874c25e67ae/994921ab8833ff1e\",\"Tags\":{\"kubernetes.io/cluster/demo\":\"owned\"}}],\"SchemaVersion\":\"2018-10-08\",\"Severity\":{\"Label\":\"LOW\",\"Normalized\":1,\"Original\":\"LOW\"},\"Title\":\"EC2 subnets should be tagged\",\"Types\":[\"Software and Configuration Checks/Industry and Regulatory 
Standards\"],\"UpdatedAt\":\"2024-09-13T22:50:15.737Z\",\"Workflow\":{\"Status\":\"NEW\"},\"WorkflowState\":\"NEW\"}",
 "outcome": "failure",
 "severity": 1,
 "type": [
@@ -2843,12 +2909,15 @@
 },
 "resource": {
 "id": [
- "arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e"
+ "arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e",
+ "arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a888f20cd3754462297d4874c25e67ae/994921ab8833ff1e"
 ],
 "name": [
- "894921ab8833ff1e"
+ "894921ab8833ff1e",
+ "994921ab8833ff1e"
 ],
 "type": [
+ "AwsElbv2LoadBalancer",
 "AwsElbv2LoadBalancer"
 ]
 },
diff --git a/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml b/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml
index f1ae8063a21..dc5cd4f7dbd 100644
--- a/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml
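Review bot: In the multi-resource document the `resource.type` array now holds `AwsElbv2LoadBalancer` twice, and the same repetition appears for `cloud.service.name` in the `@@ -2814` hunk and for `cloud.availability_zone` at the end of the `@@ -2802` hunk, because the multi-resource script appends with `ctx.resource.type.add(res.Type)` for every resource without a membership check. Duplicate values in a keyword array add nothing for filtering or aggregation and only inflate the document, so guarding the appends that describe shared attributes, e.g. `if (!ctx.resource.type.contains(res.Type)) { ctx.resource.type.add(res.Type); }`, and regenerating this fixture would be cleaner; `resource.id` and `resource.name` are per-resource and should keep every entry. The script that performs these appends lives in the default.yml hunk whose end is outside this view.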
@@ -1538,26 +1538,213 @@ processors: target_field: aws.securityhub_findings.resources ignore_missing: true - script: - description: Extract fields from aws.securityhub_findings.resources. + description: Extract fields from aws.securityhub_findings.resources with single resource. + tag: script_extract_fields_from_single_resource lang: painless if: ctx.aws?.securityhub_findings?.resources instanceof List && ctx.aws.securityhub_findings.resources.size() > 0 source: |- + // Arrays won't work in general in current UI of Cloud Security Posture workflow. In AWS SecurityHub, a finding may contain multiple resources, but rarely. + // When a finding has single-resource, we extract fields as single-value so that the Findings UI behaves as expected for almost all cases. + // But in the rare multi-resource case, we extract fields into an array to not miss any affected resources for a finding. + // This trade-off is okay as not many findings will be affected. When our UI natively supports multi-resources, the single-value resource extraction must be removed. + // This script is only for single resource case. Multiple resources are extracted inside script - script_extract_fields_from_multiple_resources. + def resources = ctx.aws.securityhub_findings.resources; - for (res in resources) { + // Define fields to be extracted. 
+ if (ctx.resource == null) { + ctx.resource = new HashMap(); + } + if (ctx.user == null) { + ctx.user = new HashMap(); + } + if (ctx.host == null) { + ctx.host = new HashMap(); + } + if (ctx.orchestrator == null) { + ctx.orchestrator = new HashMap(); + } + if (ctx.orchestrator.cluster == null) { + ctx.orchestrator.cluster = new HashMap(); + } + if (ctx.orchestrator.resource == null) { + ctx.orchestrator.resource = new HashMap(); + } + if (ctx.cloud == null) { + ctx.cloud = new HashMap(); + } + if (ctx.cloud.instance == null) { + ctx.cloud.instance = new HashMap(); + } + if (ctx.cloud.service == null) { + ctx.cloud.service = new HashMap(); + } + + if (resources.size() == 1){ + def res = resources[0]; + // Extract resource field - if (ctx.resource == null) { - ctx.resource = new HashMap(); + ctx.resource.type = res.Type; + ctx.resource.id = res.Id; + def res_name; + if (res.Details != null && res.Details[res.Type]?.Name != null) { + res_name = res.Details[res.Type].Name; + } else { + String[] tokenList = res.Id.splitOnToken("/"); + res_name = tokenList[tokenList.length - 1]; + } + ctx.resource.name = res_name; + + // Extract ECS user field + if (res.Type == 'AwsIamUser' && res.Details?.AwsIamUser?.UserName != null) { + ctx.user.name = res.Details.AwsIamUser.UserName; + } + if (res.Type == 'AwsIamAccessKey' && res.Details?.AwsIamAccessKey?.UserName != null) { + ctx.user.name = res.Details.AwsIamAccessKey.UserName; + } + if (res.Type == 'AwsS3Bucket' && res.Details?.AwsS3Bucket?.OwnerName != null) { + ctx.user.name = res.Details.AwsS3Bucket.OwnerName; + } + if (res.Type == 'AwsIamUser' && res.Details?.AwsIamUser?.UserId != null) { + ctx.user.id = res.Details.AwsIamUser.UserId; + } + if (res.Type == 'AwsS3Bucket' && res.Details?.AwsS3Bucket?.OwnerId != null) { + ctx.user.id = res.Details.AwsS3Bucket.OwnerId; + } + + // Extract ECS host field + if (res.Type == 'AwsEc2Instance' && res.Id != null) { + ctx.host.id = res.Id; + } + + // Extract ECS orchestrator field + if 
(['AwsEcsCluster', 'AwsEcsTask'].contains(res.Type) && res.Details?.AwsEcsCluster?.ClusterArn != null) { + ctx.orchestrator.cluster.id = res.Details.AwsEcsCluster.ClusterArn; + } + if (res.Type == 'AwsEksCluster' && res.Details?.AwsEksCluster?.Arn != null) { + ctx.orchestrator.cluster.id = res.Details.AwsEksCluster.Arn; + } + if (res.Type == 'AwsEcsCluster' && res.Details?.AwsEcsCluster?.ClusterName != null) { + ctx.orchestrator.cluster.name = res.Details.AwsEcsCluster.ClusterName; + } + if (res.Type == 'AwsEksCluster' && res.Details?.AwsEksCluster?.Name != null) { + ctx.orchestrator.cluster.name = res.Details.AwsEksCluster.Name; + } + if (res.Type == 'AwsEksCluster' && res.Details?.AwsEksCluster?.Version != null) { + ctx.orchestrator.cluster.version = res.Details.AwsEksCluster.Version; + } + if (res.Type == 'AwsEksCluster' && res.Details?.AwsEksCluster?.Endpoint != null) { + ctx.orchestrator.cluster.url = res.Details.AwsEksCluster.Endpoint; + } + if (res.Type.startsWith('AwsEks') || res.Type.startsWith('AwsEcs')) { + ctx.orchestrator.resource.id = res.Id; + ctx.orchestrator.resource.name = res_name; + ctx.orchestrator.resource.type = res.Type; + if (res.Type.startsWith('AwsEks')) { + ctx.orchestrator.type = 'kubernetes'; + } else { + ctx.orchestrator.type = 'ecs'; + } + } + + // Extract ECS cloud field + if (res.Type == 'AwsEc2Instance') { + ctx.cloud.instance.id = res.Id; + ctx.cloud.instance.name = res_name; + } + String[] cloud_service = res.Id.splitOnToken(":"); + if (cloud_service.length > 2) { + ctx.cloud.service.name = cloud_service[2]; + } + if (['AwsEc2Subnet', 'AwsRedshiftCluster', 'AwsDmsReplicationInstance'].contains(res.Type) && res.Details != null && res.Details[res.Type]?.AvailabilityZone != null) { + ctx.cloud.availability_zone = res.Details[res.Type].AvailabilityZone; + } + if ((['AwsEc2VpcEndpointService', 'AwsElbLoadBalancer', 'AwsRdsDbCluster'].contains(res.Type)) && res.Details != null && res.Details[res.Type]?.AvailabilityZones != null) { + 
for (def az: res.Details[res.Type].AvailabilityZones){ + ctx.cloud.availability_zone = az; + } } - if (ctx.resource.type == null) { - ctx.resource.type = new ArrayList(); + if (res.Type == 'AwsAutoScalingAutoScalingGroup' && res.Details?.AwsAutoScalingAutoScalingGroup?.AvailabilityZones != null) { + for (def az: res.Details.AwsAutoScalingAutoScalingGroup.AvailabilityZones){ + ctx.cloud.availability_zone = az.Value; + } } - if (ctx.resource.id == null) { - ctx.resource.id = new ArrayList(); + if (res.Type == 'AwsEc2LaunchTemplate' && res.Details?.AwsEc2LaunchTemplate?.LaunchTemplateData?.Placement?.AvailabilityZone != null) { + ctx.cloud.availability_zone = res.Details.AwsEc2LaunchTemplate.LaunchTemplateData.Placement.AvailabilityZone; } - if (ctx.resource.name == null) { - ctx.resource.name = new ArrayList(); + if (res.Type == 'AwsElbv2LoadBalancer' && res.Details?.AwsElbv2LoadBalancer?.AvailabilityZones != null) { + for (def az: res.Details.AwsElbv2LoadBalancer.AvailabilityZones){ + ctx.cloud.availability_zone = az.ZoneName; + } } + } + - script: + description: Extract fields from aws.securityhub_findings.resources. + tag: script_extract_fields_from_multiple_resources + lang: painless + if: ctx.aws?.securityhub_findings?.resources instanceof List && ctx.aws.securityhub_findings.resources.size() > 1 + source: |- + def resources = ctx.aws.securityhub_findings.resources; + + // Define fields to be extracted. 
+ if (ctx.resource.type == null) { + ctx.resource.type = new ArrayList(); + } + if (ctx.resource.id == null) { + ctx.resource.id = new ArrayList(); + } + if (ctx.resource.name == null) { + ctx.resource.name = new ArrayList(); + } + + if (ctx.user.name == null) { + ctx.user.name = new ArrayList(); + } + if (ctx.user.id == null) { + ctx.user.id = new ArrayList(); + } + + if (ctx.host.id == null) { + ctx.host.id = new ArrayList(); + } + + if (ctx.orchestrator.type == null) { + ctx.orchestrator.type = new ArrayList(); + } + if (ctx.orchestrator.cluster.id == null) { + ctx.orchestrator.cluster.id = new ArrayList(); + } + if (ctx.orchestrator.cluster.name == null) { + ctx.orchestrator.cluster.name = new ArrayList(); + } + if (ctx.orchestrator.cluster.version == null) { + ctx.orchestrator.cluster.version = new ArrayList(); + } + if (ctx.orchestrator.resource.id == null) { + ctx.orchestrator.resource.id = new ArrayList(); + } + if (ctx.orchestrator.resource.name == null) { + ctx.orchestrator.resource.name = new ArrayList(); + } + if (ctx.orchestrator.resource.type == null) { + ctx.orchestrator.resource.type = new ArrayList(); + } + + if (ctx.cloud.instance.id == null) { + ctx.cloud.instance.id = new ArrayList(); + } + if (ctx.cloud.instance.name == null) { + ctx.cloud.instance.name = new ArrayList(); + } + if (ctx.cloud.service.name == null) { + ctx.cloud.service.name = new ArrayList(); + } + if (ctx.cloud.availability_zone == null) { + ctx.cloud.availability_zone = new ArrayList(); + } + + for (res in resources) { + // Extract resource field ctx.resource.type.add(res.Type); ctx.resource.id.add(res.Id); def res_name; 
@@ -1569,17 +1756,7 @@ processors:
 }
 ctx.resource.name.add(res_name);
- // Extract ECS user field
- if (ctx.user == null) {
- ctx.user = new HashMap();
- }
- if (ctx.user.name == null) {
- ctx.user.name = new ArrayList();
- }
- if (ctx.user.id == null) {
- ctx.user.id = new ArrayList();
- }
 if (res.Type == 'AwsIamUser' && res.Details?.AwsIamUser?.UserName != null) {
 ctx.user.name.add(res.Details.AwsIamUser.UserName);
 }
@@ -1597,47 +1774,11 @@ processors:
 }
 // Extract ECS host field
- if (ctx.host == null) {
- ctx.host = new HashMap();
- }
- if (ctx.host.id == null) {
- ctx.host.id = new ArrayList();
- }
 if (res.Type == 'AwsEc2Instance' && res.Id != null) {
 ctx.host.id.add(res.Id);
 }
 // Extract ECS orchestrator field
- if (ctx.orchestrator == null) {
- ctx.orchestrator = new HashMap();
- }
- if (ctx.orchestrator.type == null) {
- ctx.orchestrator.type = new ArrayList();
- }
- if (ctx.orchestrator.cluster == null) {
- ctx.orchestrator.cluster = new HashMap();
- }
- if (ctx.orchestrator.cluster.id == null) {
- ctx.orchestrator.cluster.id = new ArrayList();
- }
- if (ctx.orchestrator.cluster.name == null) {
- ctx.orchestrator.cluster.name = new ArrayList();
- }
- if (ctx.orchestrator.cluster.version == null) {
- ctx.orchestrator.cluster.version = new ArrayList();
- }
- if (ctx.orchestrator.resource == null) {
- ctx.orchestrator.resource = new HashMap();
- }
- if (ctx.orchestrator.resource.id == null) {
- ctx.orchestrator.resource.id = new ArrayList();
- }
- if (ctx.orchestrator.resource.name == null) {
- ctx.orchestrator.resource.name = new ArrayList();
- }
- if (ctx.orchestrator.resource.type == null) {
- ctx.orchestrator.resource.type = new ArrayList();
- }
 if (['AwsEcsCluster', 'AwsEcsTask'].contains(res.Type) && res.Details?.AwsEcsCluster?.ClusterArn != null) {
 ctx.orchestrator.cluster.id.add(res.Details.AwsEcsCluster.ClusterArn);
 }
@@ -1668,27 +1809,6 @@ processors:
 }
 // Extract ECS cloud field
- if (ctx.cloud == null) {
- ctx.cloud = new HashMap();
- }
- if (ctx.cloud.instance == null) {
- ctx.cloud.instance = new HashMap();
- }
- if (ctx.cloud.instance.id == null) {
- ctx.cloud.instance.id = new ArrayList();
- }
- if (ctx.cloud.instance.name == null) {
- ctx.cloud.instance.name = new ArrayList();
- }
- if (ctx.cloud.service == null) {
- ctx.cloud.service = new HashMap();
- }
- if (ctx.cloud.service.name == null) {
- ctx.cloud.service.name = new ArrayList();
- }
- if (ctx.cloud.availability_zone == null) {
- ctx.cloud.availability_zone = new ArrayList();
- }
 if (res.Type == 'AwsEc2Instance') {
 ctx.cloud.instance.id.add(res.Id);
 ctx.cloud.instance.name.add(res_name);
From a73b971c97461539863fe2ad584e23b03ae01b57 Mon Sep 17 00:00:00 2001
From: kcreddy
Date: Mon, 23 Sep 2024 11:56:18 +0530
Subject: [PATCH 07/28] Add tags and update comments
---
 .../elasticsearch/ingest_pipeline/default.yml | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml b/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml
index dc5cd4f7dbd..0b3c23f415a 100644
--- a/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml
@@ -10,10 +10,13 @@ processors:
 - append:
 field: event.type
 value: info
+ tag: set_event_tiype
+ allow_duplicates: false
 - append:
 field: event.category
 value: configuration
 tag: append_event_category
+ allow_duplicates: false
 - rename:
 field: message
 target_field: event.original
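Review bot: The tag on the first `append` processor is misspelled, `tag: set_event_tiype`, and it also departs from the `append_<field>` naming its sibling two lines below uses (`tag: append_event_category`). Processor tags are what show up in on_failure error messages and in simulate output, so a misspelled tag is what an operator ends up searching for when this processor fails. Suggest `tag: append_event_type`.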
@@ -696,7 +699,7 @@ processors:
 field: rule.id
 tag: set_rule_id_from_generator_id
 copy_from: aws.securityhub_findings.generator.id
- ignore_failure: true
+ ignore_empty_value: true
 - rename:
 field: json.Compliance.SecurityControlId
 target_field: aws.securityhub_findings.compliance.security_control_id
@@ -706,7 +709,7 @@ processors:
 tag: set_rule_id_from_security_control_id
 copy_from: aws.securityhub_findings.compliance.security_control_id
 if: ctx.rule?.id == null
- ignore_failure: true
+ ignore_empty_value: true
 - rename:
 field: json.Id
 target_field: aws.securityhub_findings.id
@@ -1547,7 +1550,6 @@ processors:
 // When a finding has single-resource, we extract fields as single-value so that the Findings UI behaves as expected for almost all cases.
 // But in the rare multi-resource case, we extract fields into an array to not miss any affected resources for a finding.
 // This trade-off is okay as not many findings will be affected. When our UI natively supports multi-resources, the single-value resource extraction must be removed.
- // This script is only for single resource case. Multiple resources are extracted inside script - script_extract_fields_from_multiple_resources.
 def resources = ctx.aws.securityhub_findings.resources;
@@ -1580,6 +1582,7 @@ processors:
 ctx.cloud.service = new HashMap();
 }
+ // This extraction logic is only for single resource case. Multiple resources are extracted inside script - script_extract_fields_from_multiple_resources.
 if (resources.size() == 1){
 def res = resources[0];
From 549ea69b8044f6ac7e45c12583596381402a68eb Mon Sep 17 00:00:00 2001
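Review bot: The relocated comment says the logic below it is only for the single-resource case, but it leaves out the more important fact that the `new HashMap()` initialisations above it (for `ctx.resource`, `ctx.user`, `ctx.host`, `ctx.orchestrator`, `ctx.cloud`) run for every finding and are what the multi-resource script depends on, since that script reads `ctx.resource.type`, `ctx.user.name` and the rest without its own null checks now that the earlier commit removed them from its loop. If the two scripts' `if:` conditions ever diverge (the single-resource script's condition is outside this hunk, so I am inferring it runs for any resources list), a finding with several resources would hit a null pointer in `script_extract_fields_from_multiple_resources`. Suggest extending the comment: `// The HashMap initialisation above runs for every finding and is required by script_extract_fields_from_multiple_resources; keep both scripts' if conditions in sync.` The enclosing script source continues outside the hunk.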
From: kcreddy Date: Mon, 23 Sep 2024 17:48:36 +0530 Subject: [PATCH 08/28] Add visualization to findings dashboard --- ...-c9f103d0-5f63-11ed-bd69-473ce047ef30.json | 627 +++++++++++++++--- ...-b111d3a0-5f3e-11ed-b2ee-f91fa284c4b5.json | 16 +- ...-cc2e2cf0-5f3f-11ed-b2ee-f91fa284c4b5.json | 16 +- .../tag/aws-security-solution-default.json | 14 + 4 files changed, 568 insertions(+), 105 deletions(-) create mode 100644 packages/aws/kibana/tag/aws-security-solution-default.json diff --git a/packages/aws/kibana/dashboard/aws-c9f103d0-5f63-11ed-bd69-473ce047ef30.json b/packages/aws/kibana/dashboard/aws-c9f103d0-5f63-11ed-bd69-473ce047ef30.json index 90d4f910b6a..04315e0dbf3 100644 --- a/packages/aws/kibana/dashboard/aws-c9f103d0-5f63-11ed-bd69-473ce047ef30.json +++ b/packages/aws/kibana/dashboard/aws-c9f103d0-5f63-11ed-bd69-473ce047ef30.json 
@@ -3,8 +3,54 @@ "controlGroupInput": { "chainingSystem": "HIERARCHICAL", "controlStyle": "oneLine", - "ignoreParentSettingsJSON": "{\"ignoreFilters\":false,\"ignoreQuery\":false,\"ignoreTimerange\":false,\"ignoreValidations\":false}", - "panelsJSON": "{\"d620f0d7-381f-456f-8660-a6e6838e34fc\":{\"order\":0,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"data_stream.dataset\",\"title\":\"Integrations\",\"id\":\"d620f0d7-381f-456f-8660-a6e6838e34fc\",\"enhancements\":{},\"selectedOptions\":[]}},\"f7d8c037-280e-4387-84e2-fa76ee6124da\":{\"order\":2,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"aws.securityhub_findings.region\",\"title\":\"Region\",\"id\":\"f7d8c037-280e-4387-84e2-fa76ee6124da\",\"enhancements\":{},\"selectedOptions\":[]}},\"c819da49-49e8-4460-8329-8521d7f8ac8a\":{\"order\":1,\"width\":\"medium\",\"grow\":true,\"type\":\"optionsListControl\",\"explicitInput\":{\"fieldName\":\"cloud.account.id\",\"title\":\"Account\",\"id\":\"c819da49-49e8-4460-8329-8521d7f8ac8a\",\"enhancements\":{},\"selectedOptions\":[]}}}" + "ignoreParentSettingsJSON": { + "ignoreFilters": false, + "ignoreQuery": false, + "ignoreTimerange": false, + "ignoreValidations": false + }, + "panelsJSON": { + "c819da49-49e8-4460-8329-8521d7f8ac8a": { + "explicitInput": { + "enhancements": {}, + "fieldName": "cloud.account.id", + "id": "c819da49-49e8-4460-8329-8521d7f8ac8a", + "selectedOptions": [], + "title": "Account" + }, + "grow": true, + "order": 1, + "type": "optionsListControl", + "width": "medium" + }, + "d620f0d7-381f-456f-8660-a6e6838e34fc": { + "explicitInput": { + "enhancements": {}, + "fieldName": "data_stream.dataset", + "id": "d620f0d7-381f-456f-8660-a6e6838e34fc", + "selectedOptions": [], + "title": "Integrations" + }, + "grow": true, + "order": 0, + "type": "optionsListControl", + "width": "medium" + }, + "f7d8c037-280e-4387-84e2-fa76ee6124da": { + "explicitInput": { 
+ "enhancements": {}, + "fieldName": "aws.securityhub_findings.region", + "id": "f7d8c037-280e-4387-84e2-fa76ee6124da", + "selectedOptions": [], + "title": "Region" + }, + "grow": true, + "order": 2, + "type": "optionsListControl", + "width": "medium" + } + }, + "showApplySelections": false }, "description": "AWS Security Hub Findings Summary", "kibanaSavedObjectMeta": { @@ -46,6 +92,42 @@ "useMargins": true }, "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": {}, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "fontSize": 12, + "markdown": "[Findings Action Overview](#/dashboard/aws-3d3dbe00-f79f-11ec-aa7f-c173c0f9e267) | [Findings Malware, Threat Intelligence Indicator and Network Path Overview](#/dashboard/aws-8fcf4c20-f7a3-11ec-aa7f-c173c0f9e267) | [Findings and Insights Overview](#/dashboard/aws-cc571400-dc61-11ec-a6e3-1bc5ab0aa1b4)", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 4, + "i": "d5280fe0-536d-45b0-87c4-1fb9c41065fd", + "w": 48, + "x": 0, + "y": 0 + }, + "panelIndex": "d5280fe0-536d-45b0-87c4-1fb9c41065fd", + "title": "Dashboards [Logs AWS]", + "type": "visualization" + }, { "embeddableConfig": { "enhancements": {}, @@ -80,8 +162,7 @@ "y": 4 }, "panelIndex": "cc027475-1e31-4ccf-bdd7-9655809a1c30", - "type": "visualization", - "version": "8.8.1" + "type": "visualization" }, { "embeddableConfig": { @@ -178,14 +259,13 @@ "gridData": { "h": 15, "i": "146c2ac6-d83d-4fcb-808a-d24c2762f45c", - "w": 24, + "w": 25, "x": 0, "y": 7 }, "panelIndex": "146c2ac6-d83d-4fcb-808a-d24c2762f45c", "title": "Distribution of Events by Account [Logs AWS]", - "type": "lens", - "version": "8.8.1" + "type": "lens" }, { "embeddableConfig": { @@ -198,6 +278,7 @@ } ], "state": { + "adHocDataViews": {}, "datasourceStates": { "formBased": { "layers": { 
@@ -235,10 +316,11 @@ "parentFormat": { "id": "terms" }, + "secondaryFields": [], "size": 5 }, "scale": "ordinal", - "sourceField": "aws.securityhub_findings.region" + "sourceField": "cloud.region" } }, "incompleteColumns": {} @@ -247,9 +329,10 @@ } }, "filters": [], + "internalReferences": [], "query": { "language": "kuery", - "query": "" + "query": "event.module : \"aws\" " }, "visualization": { "layers": [ 
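Review bot: The region panel's query becomes `"query": "event.module : \"aws\" "` while its field moves to `cloud.region`, but `event.module : "aws"` matches documents from every AWS data stream, whereas the new panels added later in this commit scope themselves with `data_stream.dataset : "aws.securityhub_findings"`. On a Security Hub summary dashboard the "Distribution of Events by Region" panel would therefore count other AWS integrations' documents, and the dashboard's `data_stream.dataset` options-list control presumably only narrows that once a user picks a value. Suggest `"query": "data_stream.dataset : \"aws.securityhub_findings\" "` to match the sibling panels.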
@@ -281,14 +364,396 @@ "gridData": { "h": 15, "i": "2aeb6bda-8e7f-40bf-a8b3-ea8fdee8dea7", - "w": 24, - "x": 24, + "w": 23, + "x": 25, "y": 7 }, "panelIndex": "2aeb6bda-8e7f-40bf-a8b3-ea8fdee8dea7", "title": "Distribution of Events by Region [Logs AWS]", - "type": "lens", - "version": "8.8.1" + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-45c33cba-b3b0-45a4-91f3-a13600dbfdcc", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "45c33cba-b3b0-45a4-91f3-a13600dbfdcc": { + "columnOrder": [ + "25539159-d53b-4507-9e4b-e5aa60e46960" + ], + "columns": { + "25539159-d53b-4507-9e4b-e5aa60e46960": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Findings Outcome - Success", + "operationType": "unique_count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "event.id" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"aws.securityhub_findings\" AND event.outcome : \"success\" " + }, + "visualization": { + "color": "#54B399", + "layerId": "45c33cba-b3b0-45a4-91f3-a13600dbfdcc", + "layerType": "data", + "metricAccessor": "25539159-d53b-4507-9e4b-e5aa60e46960" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 7, + "i": "996217a3-e617-4b6a-b40a-89a521d588dc", + "w": 8, + "x": 0, + "y": 22 + }, + "panelIndex": "996217a3-e617-4b6a-b40a-89a521d588dc", + "title": "Events with Successful Findings [Logs AWS]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-45c33cba-b3b0-45a4-91f3-a13600dbfdcc", + "type": "index-pattern" + } 
+ ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "45c33cba-b3b0-45a4-91f3-a13600dbfdcc": { + "columnOrder": [ + "de7e9ccb-b11c-4159-9c9d-e52d8bc6f027", + "25539159-d53b-4507-9e4b-e5aa60e46960" + ], + "columns": { + "25539159-d53b-4507-9e4b-e5aa60e46960": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "de7e9ccb-b11c-4159-9c9d-e52d8bc6f027": { + "dataType": "string", + "isBucketed": true, + "label": "Top 10 values of cloud.service.name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "25539159-d53b-4507-9e4b-e5aa60e46960", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "cloud.service.name" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"aws.securityhub_findings\" " + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "layerId": "45c33cba-b3b0-45a4-91f3-a13600dbfdcc", + "layerType": "data", + "legendDisplay": "default", + "metrics": [ + "25539159-d53b-4507-9e4b-e5aa60e46960" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "de7e9ccb-b11c-4159-9c9d-e52d8bc6f027" + ] + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "4de4ac27-d439-4131-81f2-f6f9fcd10387", + "w": 15, + "x": 8, + "y": 22 + }, + "panelIndex": "4de4ac27-d439-4131-81f2-f6f9fcd10387", + "title": 
"Distribution of Events by AWS Service [Logs AWS]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-45c33cba-b3b0-45a4-91f3-a13600dbfdcc", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "45c33cba-b3b0-45a4-91f3-a13600dbfdcc": { + "columnOrder": [ + "cdc92661-6c47-4778-8437-561304965eb6", + "6161b72a-cf02-4c69-804e-fa663042331a", + "25539159-d53b-4507-9e4b-e5aa60e46960" + ], + "columns": { + "25539159-d53b-4507-9e4b-e5aa60e46960": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "6161b72a-cf02-4c69-804e-fa663042331a": { + "dataType": "string", + "isBucketed": true, + "label": "Top 3 values of rule.id", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "25539159-d53b-4507-9e4b-e5aa60e46960", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 3 + }, + "scale": "ordinal", + "sourceField": "rule.id" + }, + "cdc92661-6c47-4778-8437-561304965eb6": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Top Rules", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "25539159-d53b-4507-9e4b-e5aa60e46960", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "rule.name" + } + }, + "incompleteColumns": {} + } + } + } + }, + 
"filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"aws.securityhub_findings\" " + }, + "visualization": { + "columns": [ + { + "columnId": "25539159-d53b-4507-9e4b-e5aa60e46960" + }, + { + "columnId": "cdc92661-6c47-4778-8437-561304965eb6", + "isMetric": false, + "isTransposed": false, + "width": 501.5 + }, + { + "columnId": "6161b72a-cf02-4c69-804e-fa663042331a", + "isMetric": false, + "isTransposed": false, + "width": 270.75 + } + ], + "layerId": "45c33cba-b3b0-45a4-91f3-a13600dbfdcc", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "69a42735-8625-4f93-af73-09fc337b6bb1", + "w": 25, + "x": 23, + "y": 22 + }, + "panelIndex": "69a42735-8625-4f93-af73-09fc337b6bb1", + "title": "Top Rules Contributing to Findings [Logs AWS]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-45c33cba-b3b0-45a4-91f3-a13600dbfdcc", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "45c33cba-b3b0-45a4-91f3-a13600dbfdcc": { + "columnOrder": [ + "25539159-d53b-4507-9e4b-e5aa60e46960" + ], + "columns": { + "25539159-d53b-4507-9e4b-e5aa60e46960": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Findings Outcome - Failure", + "operationType": "unique_count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "event.id" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"aws.securityhub_findings\" AND event.outcome : \"failure\" " + }, + "visualization": { + "color": "#E7664C", + "layerId": "45c33cba-b3b0-45a4-91f3-a13600dbfdcc", + 
"layerType": "data", + "metricAccessor": "25539159-d53b-4507-9e4b-e5aa60e46960" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 8, + "i": "7419d896-5a39-461c-a72d-09734cc6d67e", + "w": 8, + "x": 0, + "y": 29 + }, + "panelIndex": "7419d896-5a39-461c-a72d-09734cc6d67e", + "title": "Events with Failure Findings [Logs AWS] (copy)", + "type": "lens" }, { "embeddableConfig": { @@ -374,12 +839,11 @@ "i": "7a319626-d1c2-4728-9611-3bbea3c850d4", "w": 24, "x": 0, - "y": 22 + "y": 37 }, "panelIndex": "7a319626-d1c2-4728-9611-3bbea3c850d4", "title": "Count by Severity [Logs AWS]", - "type": "lens", - "version": "8.8.1" + "type": "lens" }, { "embeddableConfig": { @@ -464,11 +928,10 @@ "i": "7cb13a54-c41f-4653-be22-340b99b6d83c", "w": 24, "x": 24, - "y": 22 + "y": 37 }, "panelIndex": "7cb13a54-c41f-4653-be22-340b99b6d83c", - "type": "lens", - "version": "8.8.1" + "type": "lens" }, { "embeddableConfig": { @@ -603,12 +1066,11 @@ "i": "7c5505a3-f4e0-43af-8e25-260e9e7e8473", "w": 48, "x": 0, - "y": 30 + "y": 45 }, "panelIndex": "7c5505a3-f4e0-43af-8e25-260e9e7e8473", "title": "Distribution of Finding's Severity Over Time [Logs AWS]", - "type": "lens", - "version": "8.8.1" + "type": "lens" }, { "embeddableConfig": { @@ -718,12 +1180,11 @@ "i": "d296bb5b-a63d-4931-84aa-d3a2d0fa754d", "w": 11, "x": 0, - "y": 39 + "y": 54 }, "panelIndex": "d296bb5b-a63d-4931-84aa-d3a2d0fa754d", "title": "Security Hub - Affected Instance ID [Logs AWS]", - "type": "lens", - "version": "8.8.1" + "type": "lens" }, { "embeddableConfig": { @@ -864,12 +1325,11 @@ "i": "933df910-8ae4-4a4b-9af7-87b30a92d952", "w": 37, "x": 11, - "y": 39 + "y": 54 }, "panelIndex": "933df910-8ae4-4a4b-9af7-87b30a92d952", "title": "Security Hub - Finding Types [Logs AWS]", - "type": "lens", - "version": "8.8.1" + "type": "lens" }, { "embeddableConfig": { 
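Review bot: The new failure metric panel keeps a Kibana duplication suffix in its title, `"title": "Events with Failure Findings [Logs AWS] (copy)"`, while its success counterpart earlier in the hunk is titled `Events with Successful Findings [Logs AWS]`; the suffix will render on the dashboard. Suggest `"title": "Events with Failure Findings [Logs AWS]"`. Both metric panels compute a `unique_count` of `event.id` under the label "Findings Outcome - …", so the "Events with …" wording in the panel titles may also be worth aligning with what is actually counted.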
@@ -979,12 +1439,11 @@ "i": "a4cba719-5f51-4090-910f-12e39dc01239", "w": 11, "x": 0, - "y": 47 + "y": 62 }, "panelIndex": "a4cba719-5f51-4090-910f-12e39dc01239", "title": "Security Hub - Network Direction [Logs AWS]", - "type": "lens", - "version": "8.8.1" + "type": "lens" }, { "embeddableConfig": { @@ -1287,12 +1746,11 @@ "i": "5c3b2b5f-b097-4b2e-adae-a4d9149e808f", "w": 48, "x": 0, - "y": 55 + "y": 70 }, "panelIndex": "5c3b2b5f-b097-4b2e-adae-a4d9149e808f", "title": "Security Hub - Findings [Logs AWS]", - "type": "lens", - "version": "8.8.1" + "type": "lens" }, { "embeddableConfig": { @@ -1323,12 +1781,11 @@ "i": "7a8bdb96-e4c4-4e63-bc80-14fbd4b97c2f", "w": 48, "x": 0, - "y": 73 + "y": 88 }, "panelIndex": "7a8bdb96-e4c4-4e63-bc80-14fbd4b97c2f", "title": "", - "type": "visualization", - "version": "8.8.1" + "type": "visualization" }, { "embeddableConfig": { @@ -1602,12 +2059,11 @@ "i": "9c9ea523-c04c-4783-9737-494bb8a1d068", "w": 48, "x": 0, - "y": 76 + "y": 91 }, "panelIndex": "9c9ea523-c04c-4783-9737-494bb8a1d068", "title": "", - "type": "lens", - "version": "8.8.1" + "type": "lens" }, { "embeddableConfig": { @@ -1638,12 +2094,11 @@ "i": "a22c199d-3314-4dc0-9c99-79d7dad12c6c", "w": 48, "x": 0, - "y": 93 + "y": 108 }, "panelIndex": "a22c199d-3314-4dc0-9c99-79d7dad12c6c", "title": "", - "type": "visualization", - "version": "8.8.1" + "type": "visualization" }, { "embeddableConfig": { @@ -1654,12 +2109,11 @@ "i": "7fad8ba7-c80b-45f5-ace4-0757caa63766", "w": 48, "x": 0, - "y": 96 + "y": 111 }, "panelIndex": "7fad8ba7-c80b-45f5-ace4-0757caa63766", "panelRefName": "panel_7fad8ba7-c80b-45f5-ace4-0757caa63766", - "type": "search", - "version": "8.8.1" + "type": "search" }, { "embeddableConfig": { 
@@ -1670,61 +2124,21 @@ "i": "d730fda4-95c3-4c8f-9236-6dd187a9f63c", "w": 48, "x": 0, - "y": 112 + "y": 127 }, "panelIndex": "d730fda4-95c3-4c8f-9236-6dd187a9f63c", "panelRefName": "panel_d730fda4-95c3-4c8f-9236-6dd187a9f63c", - "type": "search", - "version": "8.8.1" - }, - { - "embeddableConfig": { - "enhancements": {}, - "savedVis": { - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "description": "", - "params": { - "fontSize": 12, - "markdown": "[Findings Action Overview](#/dashboard/aws-3d3dbe00-f79f-11ec-aa7f-c173c0f9e267) | [Findings Malware, Threat Intelligence Indicator and Network Path Overview](#/dashboard/aws-8fcf4c20-f7a3-11ec-aa7f-c173c0f9e267) | [Findings and Insights Overview](#/dashboard/aws-cc571400-dc61-11ec-a6e3-1bc5ab0aa1b4)", - "openLinksInNewTab": false - }, - "title": "", - "type": "markdown", - "uiState": {} - } - }, - "gridData": { - "h": 4, - "i": "d5280fe0-536d-45b0-87c4-1fb9c41065fd", - "w": 48, - "x": 0, - "y": 0 - }, - "panelIndex": "d5280fe0-536d-45b0-87c4-1fb9c41065fd", - "title": "Dashboards [Logs AWS]", - "type": "visualization", - "version": "8.8.1" + "type": "search" } ], "timeRestore": false, "title": "[Logs AWS] Security Hub Summary Dashboard", - "version": 1 + "version": 2 }, - "coreMigrationVersion": "8.7.0", - "created_at": "2023-10-30T10:13:47.936Z", + "coreMigrationVersion": "8.8.0", + "created_at": "2024-09-23T11:31:27.865Z", "id": "aws-c9f103d0-5f63-11ed-bd69-473ce047ef30", - "migrationVersion": { - "dashboard": "8.7.0" - }, + "managed": false, "references": [ { "id": "logs-*", 
@@ -1741,6 +2155,26 @@ "name": "2aeb6bda-8e7f-40bf-a8b3-ea8fdee8dea7:indexpattern-datasource-layer-45c33cba-b3b0-45a4-91f3-a13600dbfdcc", "type": "index-pattern" }, + { + "id": "logs-*", + "name": "996217a3-e617-4b6a-b40a-89a521d588dc:indexpattern-datasource-layer-45c33cba-b3b0-45a4-91f3-a13600dbfdcc", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4de4ac27-d439-4131-81f2-f6f9fcd10387:indexpattern-datasource-layer-45c33cba-b3b0-45a4-91f3-a13600dbfdcc", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "69a42735-8625-4f93-af73-09fc337b6bb1:indexpattern-datasource-layer-45c33cba-b3b0-45a4-91f3-a13600dbfdcc", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7419d896-5a39-461c-a72d-09734cc6d67e:indexpattern-datasource-layer-45c33cba-b3b0-45a4-91f3-a13600dbfdcc", + "type": "index-pattern" + }, { "id": "logs-*", "name": "7a319626-d1c2-4728-9611-3bbea3c850d4:indexpattern-datasource-layer-abc2e8dc-c832-4535-bdf4-d39175c25d2e", @@ -1805,7 +2239,14 @@ "id": "logs-*", "name": "controlGroup_c819da49-49e8-4460-8329-8521d7f8ac8a:optionsListDataView", "type": "index-pattern" + }, + { + "id": "aws-security-solution-default", + "name": "tag-ref-security-solution-default", + "type": "tag" } ], - "type": "dashboard" + "type": "dashboard", + "typeMigrationVersion": "10.2.0", + "updated_by": "u_2762430631_cloud" } \ No newline at end of file diff --git a/packages/aws/kibana/search/aws-b111d3a0-5f3e-11ed-b2ee-f91fa284c4b5.json b/packages/aws/kibana/search/aws-b111d3a0-5f3e-11ed-b2ee-f91fa284c4b5.json index e4dd11b43a5..ffd2ddc2b34 100644 --- a/packages/aws/kibana/search/aws-b111d3a0-5f3e-11ed-b2ee-f91fa284c4b5.json +++ b/packages/aws/kibana/search/aws-b111d3a0-5f3e-11ed-b2ee-f91fa284c4b5.json 
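Review bot: The dashboard gains `"updated_by": "u_2762430631_cloud"`, a Kibana export artifact that embeds an internal user identifier, and `"managed": false`, whereas the two saved searches changed in the same commit carry `"managed": true` and no `updated_by`. Unless the packaging tooling strips these fields (I cannot tell from the diff), the user id ships inside the package and the managed flag differs between objects that are installed together. Suggest dropping the `updated_by` line and using the same `managed` value across the dashboard and both searches.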
@@ -22,18 +22,22 @@ ], "title": "Security Hub - Raw Events [Logs AWS]" }, - "coreMigrationVersion": "8.7.0", - "created_at": "2023-07-18T08:47:59.330Z", + "coreMigrationVersion": "8.8.0", + "created_at": "2024-09-23T11:21:41.694Z", "id": "aws-b111d3a0-5f3e-11ed-b2ee-f91fa284c4b5", - "migrationVersion": { - "search": "8.0.0" - }, + "managed": true, "references": [ { "id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern" + }, + { + "id": "aws-security-solution-default", + "name": "tag-ref-security-solution-default", + "type": "tag" } ], - "type": "search" + "type": "search", + "typeMigrationVersion": "10.4.0" } \ No newline at end of file diff --git a/packages/aws/kibana/search/aws-cc2e2cf0-5f3f-11ed-b2ee-f91fa284c4b5.json b/packages/aws/kibana/search/aws-cc2e2cf0-5f3f-11ed-b2ee-f91fa284c4b5.json index c49bdff5dc0..1fa40bfb243 100644 --- a/packages/aws/kibana/search/aws-cc2e2cf0-5f3f-11ed-b2ee-f91fa284c4b5.json +++ b/packages/aws/kibana/search/aws-cc2e2cf0-5f3f-11ed-b2ee-f91fa284c4b5.json @@ -31,18 +31,22 @@ ], "title": "Essential Details - Security Hub [Logs AWS]" }, - "coreMigrationVersion": "8.7.0", - "created_at": "2023-07-18T08:47:59.330Z", + "coreMigrationVersion": "8.8.0", + "created_at": "2024-09-23T11:21:41.694Z", "id": "aws-cc2e2cf0-5f3f-11ed-b2ee-f91fa284c4b5", - "migrationVersion": { - "search": "8.0.0" - }, + "managed": true, "references": [ { "id": "logs-*", "name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern" + }, + { + "id": "aws-security-solution-default", + "name": "tag-ref-security-solution-default", + "type": "tag" } ], - "type": "search" + "type": "search", + "typeMigrationVersion": "10.4.0" } \ No newline at end of file diff --git a/packages/aws/kibana/tag/aws-security-solution-default.json b/packages/aws/kibana/tag/aws-security-solution-default.json new file mode 100644 index 00000000000..4b7620ded40 --- /dev/null +++ b/packages/aws/kibana/tag/aws-security-solution-default.json 
@@ -0,0 +1,14 @@ +{ + "attributes": { + "color": "#D36086", + "description": "", + "name": "Security Solution" + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-09-10T10:47:15.483Z", + "id": "aws-security-solution-default", + "managed": true, + "references": [], + "type": "tag", + "typeMigrationVersion": "8.0.0" +} \ No newline at end of file From 09a3e99c71743f4fa6538d23a93c80c70538446c Mon Sep 17 00:00:00 2001 From: kcreddy Date: Mon, 23 Sep 2024 22:55:05 +0530 Subject: [PATCH 09/28] update typeMigrationVersion on kibana searches --- .../kibana/search/aws-b111d3a0-5f3e-11ed-b2ee-f91fa284c4b5.json | 2 +- .../kibana/search/aws-cc2e2cf0-5f3f-11ed-b2ee-f91fa284c4b5.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/packages/aws/kibana/search/aws-b111d3a0-5f3e-11ed-b2ee-f91fa284c4b5.json b/packages/aws/kibana/search/aws-b111d3a0-5f3e-11ed-b2ee-f91fa284c4b5.json index ffd2ddc2b34..357290a6554 100644 --- a/packages/aws/kibana/search/aws-b111d3a0-5f3e-11ed-b2ee-f91fa284c4b5.json +++ b/packages/aws/kibana/search/aws-b111d3a0-5f3e-11ed-b2ee-f91fa284c4b5.json @@ -39,5 +39,5 @@ } ], "type": "search", - "typeMigrationVersion": "10.4.0" + "typeMigrationVersion": "10.3.0" } \ No newline at end of file diff --git a/packages/aws/kibana/search/aws-cc2e2cf0-5f3f-11ed-b2ee-f91fa284c4b5.json b/packages/aws/kibana/search/aws-cc2e2cf0-5f3f-11ed-b2ee-f91fa284c4b5.json index 1fa40bfb243..3d44e55eea8 100644 --- a/packages/aws/kibana/search/aws-cc2e2cf0-5f3f-11ed-b2ee-f91fa284c4b5.json +++ b/packages/aws/kibana/search/aws-cc2e2cf0-5f3f-11ed-b2ee-f91fa284c4b5.json @@ -48,5 +48,5 @@ } ], "type": "search", - "typeMigrationVersion": "10.4.0" + "typeMigrationVersion": "10.3.0" } \ No newline at end of file From f898ffcedd1ecbc6c5675e4c34b69626195ef767 Mon Sep 17 00:00:00 2001 
From: kcreddy Date: Tue, 24 Sep 2024 15:16:31 +0530 Subject: [PATCH 10/28] Address PR comments. --- ...est-securityhub-findings.log-expected.json | 28 +++++++++---------- .../elasticsearch/ingest_pipeline/default.yml | 6 ++-- 2 files changed, 17 insertions(+), 17 deletions(-) diff --git a/packages/aws/data_stream/securityhub_findings/_dev/test/pipeline/test-securityhub-findings.log-expected.json b/packages/aws/data_stream/securityhub_findings/_dev/test/pipeline/test-securityhub-findings.log-expected.json index b03fed1ed5a..f446ec3045d 100644 --- a/packages/aws/data_stream/securityhub_findings/_dev/test/pipeline/test-securityhub-findings.log-expected.json +++ b/packages/aws/data_stream/securityhub_findings/_dev/test/pipeline/test-securityhub-findings.log-expected.json @@ -432,7 +432,7 @@ "name": "EC2.20 Both VPN tunnels for an AWS Site-to-Site VPN connection should be up", "reference": "http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html", "references": "http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html", - "remediation": "Run sudo yum update and cross your fingers and toes. \\n http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html", + "remediation": "Run sudo yum update and cross your fingers and toes. \r\n http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html", "ruleset": [ "Req1", "Req2" 
@@ -911,7 +911,7 @@ "name": "EC2.20 Both VPN tunnels for an AWS Site-to-Site VPN connection should be up", "reference": "http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html", "references": "http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html", - "remediation": "Run sudo yum update and cross your fingers and toes. \\n http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html", + "remediation": "Run sudo yum update and cross your fingers and toes. \r\n http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html", "ruleset": [ "Req1", "Req2" @@ -1117,7 +1117,7 @@ "name": "EC2.8 EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)", "reference": "https://example.com/", "references": "https://example.com/", - "remediation": "For directions on how to fix this issue, consult the AWS Security Hub Foundational Security Best Practices documentation. \\n https://example.com/" + "remediation": "For directions on how to fix this issue, consult the AWS Security Hub Foundational Security Best Practices documentation. \r\n https://example.com/" }, "tags": [ "preserve_original_event", @@ -1257,7 +1257,7 @@ "name": "EC2.3 Attached EBS volumes should be encrypted at-rest", "reference": "https://example.com/", "references": "https://example.com/", - "remediation": "For directions on how to fix this issue, consult the AWS Security Hub Foundational Security Best Practices documentation. \\n https://example.com/" + "remediation": "For directions on how to fix this issue, consult the AWS Security Hub Foundational Security Best Practices documentation. \r\n https://example.com/" }, "tags": [ "preserve_original_event", 
@@ -1435,7 +1435,7 @@ "name": "EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)", "reference": "https://docs.aws.amazon.com/console/securityhub/EC2.8/remediation", "references": "https://docs.aws.amazon.com/console/securityhub/EC2.8/remediation", - "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation. \\n https://docs.aws.amazon.com/console/securityhub/EC2.8/remediation", + "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation. \r\n https://docs.aws.amazon.com/console/securityhub/EC2.8/remediation", "ruleset": [ "CIS AWS Foundations Benchmark v3.0.0/5.6", "NIST.800-53.r5 AC-3", @@ -1593,7 +1593,7 @@ "name": "S3 general purpose buckets should be encrypted at rest with AWS KMS keys", "reference": "https://docs.aws.amazon.com/console/securityhub/S3.17/remediation", "references": "https://docs.aws.amazon.com/console/securityhub/S3.17/remediation", - "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation. \\n https://docs.aws.amazon.com/console/securityhub/S3.17/remediation", + "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation. \r\n https://docs.aws.amazon.com/console/securityhub/S3.17/remediation", "ruleset": [ "NIST.800-53.r5 SC-12(2)", "NIST.800-53.r5 CM-3(6)", 
@@ -1765,7 +1765,7 @@ "name": "EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports", "reference": "https://docs.aws.amazon.com/console/securityhub/EC2.53/remediation", "references": "https://docs.aws.amazon.com/console/securityhub/EC2.53/remediation", - "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation. \\n https://docs.aws.amazon.com/console/securityhub/EC2.53/remediation", + "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation. \r\n https://docs.aws.amazon.com/console/securityhub/EC2.53/remediation", "ruleset": [ "CIS AWS Foundations Benchmark v3.0.0/5.2" ] @@ -1926,7 +1926,7 @@ "name": "Attached EBS volumes should be encrypted at-rest", "reference": "https://docs.aws.amazon.com/console/securityhub/EC2.3/remediation", "references": "https://docs.aws.amazon.com/console/securityhub/EC2.3/remediation", - "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation. \\n https://docs.aws.amazon.com/console/securityhub/EC2.3/remediation", + "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation. \r\n https://docs.aws.amazon.com/console/securityhub/EC2.3/remediation", "ruleset": [ "NIST.800-53.r5 CA-9(1)", "NIST.800-53.r5 CM-3(6)", 
@@ -2087,7 +2087,7 @@ "name": "IAM users should not have IAM policies attached", "reference": "https://docs.aws.amazon.com/console/securityhub/IAM.2/remediation", "references": "https://docs.aws.amazon.com/console/securityhub/IAM.2/remediation", - "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation. \\n https://docs.aws.amazon.com/console/securityhub/IAM.2/remediation", + "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation. \r\n https://docs.aws.amazon.com/console/securityhub/IAM.2/remediation", "ruleset": [ "CIS AWS Foundations Benchmark v1.2.0/1.16" ] @@ -2264,7 +2264,7 @@ "name": "EKS cluster endpoints should not be publicly accessible", "reference": "https://docs.aws.amazon.com/console/securityhub/EKS.1/remediation", "references": "https://docs.aws.amazon.com/console/securityhub/EKS.1/remediation", - "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation. \\n https://docs.aws.amazon.com/console/securityhub/EKS.1/remediation" + "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation. \r\n https://docs.aws.amazon.com/console/securityhub/EKS.1/remediation" }, "tags": [ "preserve_original_event", 
@@ -2403,7 +2403,7 @@ "name": "IAM identities should not have the AWSCloudShellFullAccess policy attached", "reference": "https://docs.aws.amazon.com/console/securityhub/IAM.27/remediation", "references": "https://docs.aws.amazon.com/console/securityhub/IAM.27/remediation", - "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation. \\n https://docs.aws.amazon.com/console/securityhub/IAM.27/remediation", + "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation. \r\n https://docs.aws.amazon.com/console/securityhub/IAM.27/remediation", "ruleset": [ "CIS AWS Foundations Benchmark v3.0.0/1.22" ] @@ -2556,7 +2556,7 @@ "name": "EC2 subnets should be tagged", "reference": "https://docs.aws.amazon.com/console/securityhub/EC2.44/remediation", "references": "https://docs.aws.amazon.com/console/securityhub/EC2.44/remediation", - "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation. \\n https://docs.aws.amazon.com/console/securityhub/EC2.44/remediation" + "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation. \r\n https://docs.aws.amazon.com/console/securityhub/EC2.44/remediation" }, "tags": [ "preserve_original_event", 
@@ -2718,7 +2718,7 @@ "name": "EC2 subnets should be tagged", "reference": "https://docs.aws.amazon.com/console/securityhub/ELB.6/remediation", "references": "https://docs.aws.amazon.com/console/securityhub/ELB.6/remediation", - "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation. \\n https://docs.aws.amazon.com/console/securityhub/ELB.6/remediation" + "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation. \r\n https://docs.aws.amazon.com/console/securityhub/ELB.6/remediation" }, "tags": [ "preserve_original_event", @@ -2930,7 +2930,7 @@ "name": "EC2 subnets should be tagged", "reference": "https://docs.aws.amazon.com/console/securityhub/ELB.6/remediation", "references": "https://docs.aws.amazon.com/console/securityhub/ELB.6/remediation", - "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation. \\n https://docs.aws.amazon.com/console/securityhub/ELB.6/remediation" + "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation. \r\n https://docs.aws.amazon.com/console/securityhub/ELB.6/remediation" }, "tags": [ "preserve_original_event", diff --git a/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml b/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml index 6286eb00775..a828c83a533 100644 --- a/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml +++ b/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml 
@@ -573,7 +573,7 @@ processors:
 value: '{{{_ingest.on_failure_message}}}'
 - date:
 field: json.UpdatedAt
- if: ctx.json?.UpdatedAt != null && ctx.json?.UpdatedAt != ''
+ if: ctx.json?.UpdatedAt != null && ctx.json.UpdatedAt != ''
 target_field: aws.securityhub_findings.updated_at
 formats:
 - ISO8601
@@ -731,7 +731,7 @@ processors:
 value: '{{{_ingest.on_failure_message}}}'
 - date:
 field: json.ProcessedAt
- if: ctx.json?.ProcessedAt != null && ctx.json?.ProcessedAt != ''
+ if: ctx.json?.ProcessedAt != null && ctx.json.ProcessedAt != ''
 target_field: aws.securityhub_findings.processed_at
 tag: date_processed_at
 formats:
@@ -1533,7 +1533,7 @@ processors:
 - set:
 field: rule.remediation
 tag: set_rule_remediation
- value: '{{{aws.securityhub_findings.remediation.recommendation.text}}} \n {{{aws.securityhub_findings.remediation.recommendation.url}}}'
+ value: "{{{aws.securityhub_findings.remediation.recommendation.text}}} \r\n {{{aws.securityhub_findings.remediation.recommendation.url}}}"
 if: ctx.aws?.securityhub_findings?.remediation?.recommendation?.url != null && ctx.aws.securityhub_findings.remediation.recommendation.text != null
 ignore_empty_value: true
 - rename:
From 0d433272467f1602ac969d6a395c095234147377 Mon Sep 17 00:00:00 2001
From: kcreddy
Date: Wed, 25 Sep 2024 23:09:38 +0530
Subject: [PATCH 11/28] Address PR comments-1
---
 ...est-securityhub-findings.log-expected.json | 48 ++--
 .../elasticsearch/ingest_pipeline/default.yml | 227 ++++++++++--------
 2 files changed, 145 insertions(+), 130 deletions(-)
diff --git a/packages/aws/data_stream/securityhub_findings/_dev/test/pipeline/test-securityhub-findings.log-expected.json b/packages/aws/data_stream/securityhub_findings/_dev/test/pipeline/test-securityhub-findings.log-expected.json
index f446ec3045d..f669a8abcbf 100644
--- a/packages/aws/data_stream/securityhub_findings/_dev/test/pipeline/test-securityhub-findings.log-expected.json
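Review bot: `ignore_empty_value: true` on the `rule.remediation` set only skips the processor when the whole rendered template is empty, so when either `recommendation.text` or `recommendation.url` is an empty string the document still gets a value like `\r\n https://…` or `text \r\n`; the `if` should test for empty strings as well, matching the `!= ''` checks the two date processors in the hunks above use: `if: ctx.aws?.securityhub_findings?.remediation?.recommendation?.url != null && ctx.aws.securityhub_findings.remediation.recommendation.url != '' && ctx.aws.securityhub_findings.remediation.recommendation.text != null && ctx.aws.securityhub_findings.remediation.recommendation.text != ''`. The same applies to the later `@@ -1533,7 +1533,7 @@` hunk of patch 11, which only trims the spaces around `\r\n`. Switching the scalar from single to double quotes also turns `\r\n` into a real CR LF pair inside the stored value, where the old single-quoted `\n` was a literal backslash-n (the old expected fixture shows `\\n`); a one-line comment above `value:` saying the line break is intentional would stop a later reader from "fixing" the quoting back.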
+++ b/packages/aws/data_stream/securityhub_findings/_dev/test/pipeline/test-securityhub-findings.log-expected.json @@ -432,7 +432,7 @@ "name": "EC2.20 Both VPN tunnels for an AWS Site-to-Site VPN connection should be up", "reference": "http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html", "references": "http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html", - "remediation": "Run sudo yum update and cross your fingers and toes. \r\n http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html", + "remediation": "Run sudo yum update and cross your fingers and toes.\r\nhttp://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html", "ruleset": [ "Req1", "Req2" @@ -911,7 +911,7 @@ "name": "EC2.20 Both VPN tunnels for an AWS Site-to-Site VPN connection should be up", "reference": "http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html", "references": "http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html", - "remediation": "Run sudo yum update and cross your fingers and toes. \r\n http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html", + "remediation": "Run sudo yum update and cross your fingers and toes.\r\nhttp://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html", "ruleset": [ "Req1", "Req2" @@ -1117,7 +1117,7 @@ "name": "EC2.8 EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)", "reference": "https://example.com/", "references": "https://example.com/", - "remediation": "For directions on how to fix this issue, consult the AWS Security Hub Foundational Security Best Practices documentation. \r\n https://example.com/" + "remediation": "For directions on how to fix this issue, consult the AWS Security Hub Foundational Security Best Practices documentation.\r\nhttps://example.com/" }, "tags": [ "preserve_original_event", 
@@ -1257,7 +1257,7 @@ "name": "EC2.3 Attached EBS volumes should be encrypted at-rest", "reference": "https://example.com/", "references": "https://example.com/", - "remediation": "For directions on how to fix this issue, consult the AWS Security Hub Foundational Security Best Practices documentation. \r\n https://example.com/" + "remediation": "For directions on how to fix this issue, consult the AWS Security Hub Foundational Security Best Practices documentation.\r\nhttps://example.com/" }, "tags": [ "preserve_original_event", @@ -1387,7 +1387,7 @@ }, "instance": { "id": "arn:aws:ec2:ap-south-1:111111111111:instance/i-0e2ede89308a594d7", - "name": "i-0e2ede89308a594d7" + "name": "instance/i-0e2ede89308a594d7" }, "provider": "aws", "region": "ap-south-1", @@ -1423,7 +1423,7 @@ }, "resource": { "id": "arn:aws:ec2:ap-south-1:111111111111:instance/i-0e2ede89308a594d7", - "name": "i-0e2ede89308a594d7", + "name": "instance/i-0e2ede89308a594d7", "type": "AwsEc2Instance" }, "result": { @@ -1435,7 +1435,7 @@ "name": "EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)", "reference": "https://docs.aws.amazon.com/console/securityhub/EC2.8/remediation", "references": "https://docs.aws.amazon.com/console/securityhub/EC2.8/remediation", - "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation. \r\n https://docs.aws.amazon.com/console/securityhub/EC2.8/remediation", + "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.\r\nhttps://docs.aws.amazon.com/console/securityhub/EC2.8/remediation", "ruleset": [ "CIS AWS Foundations Benchmark v3.0.0/5.6", "NIST.800-53.r5 AC-3", 
@@ -1593,7 +1593,7 @@ "name": "S3 general purpose buckets should be encrypted at rest with AWS KMS keys", "reference": "https://docs.aws.amazon.com/console/securityhub/S3.17/remediation", "references": "https://docs.aws.amazon.com/console/securityhub/S3.17/remediation", - "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation. \r\n https://docs.aws.amazon.com/console/securityhub/S3.17/remediation", + "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.\r\nhttps://docs.aws.amazon.com/console/securityhub/S3.17/remediation", "ruleset": [ "NIST.800-53.r5 SC-12(2)", "NIST.800-53.r5 CM-3(6)", @@ -1753,7 +1753,7 @@ }, "resource": { "id": "arn:aws:ec2:ap-south-1:111111111111:security-group/sg-0dbc9c6210a0a9c51", - "name": "sg-0dbc9c6210a0a9c51", + "name": "security-group/sg-0dbc9c6210a0a9c51", "type": "AwsEc2SecurityGroup" }, "result": { @@ -1765,7 +1765,7 @@ "name": "EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports", "reference": "https://docs.aws.amazon.com/console/securityhub/EC2.53/remediation", "references": "https://docs.aws.amazon.com/console/securityhub/EC2.53/remediation", - "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation. \r\n https://docs.aws.amazon.com/console/securityhub/EC2.53/remediation", + "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.\r\nhttps://docs.aws.amazon.com/console/securityhub/EC2.53/remediation", "ruleset": [ "CIS AWS Foundations Benchmark v3.0.0/5.2" ] @@ -1914,7 +1914,7 @@ }, "resource": { "id": "arn:aws:ec2:ap-south-1:111111111111:volume/vol-03821fa7de881617e", - "name": "vol-03821fa7de881617e", + "name": "volume/vol-03821fa7de881617e", "type": "AwsEc2Volume" }, "result": { 
@@ -1926,7 +1926,7 @@ "name": "Attached EBS volumes should be encrypted at-rest", "reference": "https://docs.aws.amazon.com/console/securityhub/EC2.3/remediation", "references": "https://docs.aws.amazon.com/console/securityhub/EC2.3/remediation", - "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation. \r\n https://docs.aws.amazon.com/console/securityhub/EC2.3/remediation", + "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.\r\nhttps://docs.aws.amazon.com/console/securityhub/EC2.3/remediation", "ruleset": [ "NIST.800-53.r5 CA-9(1)", "NIST.800-53.r5 CM-3(6)", @@ -2075,7 +2075,7 @@ }, "resource": { "id": "arn:aws:iam::111111111111:user/developers/devuser@dev.dev", - "name": "devuser@dev.dev", + "name": "user/developers/devuser@dev.dev", "type": "AwsIamUser" }, "result": { @@ -2087,7 +2087,7 @@ "name": "IAM users should not have IAM policies attached", "reference": "https://docs.aws.amazon.com/console/securityhub/IAM.2/remediation", "references": "https://docs.aws.amazon.com/console/securityhub/IAM.2/remediation", - "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation. \r\n https://docs.aws.amazon.com/console/securityhub/IAM.2/remediation", + "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.\r\nhttps://docs.aws.amazon.com/console/securityhub/IAM.2/remediation", "ruleset": [ "CIS AWS Foundations Benchmark v1.2.0/1.16" ] 
@@ -2264,7 +2264,7 @@ "name": "EKS cluster endpoints should not be publicly accessible", "reference": "https://docs.aws.amazon.com/console/securityhub/EKS.1/remediation", "references": "https://docs.aws.amazon.com/console/securityhub/EKS.1/remediation", - "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation. \r\n https://docs.aws.amazon.com/console/securityhub/EKS.1/remediation" + "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.\r\nhttps://docs.aws.amazon.com/console/securityhub/EKS.1/remediation" }, "tags": [ "preserve_original_event", @@ -2391,7 +2391,7 @@ }, "resource": { "id": "AWS::::Account:111111111111", - "name": "AWS::::Account:111111111111", + "name": "111111111111", "type": "AwsAccount" }, "result": { @@ -2403,7 +2403,7 @@ "name": "IAM identities should not have the AWSCloudShellFullAccess policy attached", "reference": "https://docs.aws.amazon.com/console/securityhub/IAM.27/remediation", "references": "https://docs.aws.amazon.com/console/securityhub/IAM.27/remediation", - "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation. \r\n https://docs.aws.amazon.com/console/securityhub/IAM.27/remediation", + "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.\r\nhttps://docs.aws.amazon.com/console/securityhub/IAM.27/remediation", "ruleset": [ "CIS AWS Foundations Benchmark v3.0.0/1.22" ] @@ -2544,7 +2544,7 @@ }, "resource": { "id": "arn:aws:ec2:ap-south-1:111111111111:subnet/subnet-c28c74b9", - "name": "subnet-c28c74b9", + "name": "subnet/subnet-c28c74b9", "type": "AwsEc2Subnet" }, "result": { 
@@ -2556,7 +2556,7 @@ "name": "EC2 subnets should be tagged", "reference": "https://docs.aws.amazon.com/console/securityhub/EC2.44/remediation", "references": "https://docs.aws.amazon.com/console/securityhub/EC2.44/remediation", - "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation. \r\n https://docs.aws.amazon.com/console/securityhub/EC2.44/remediation" + "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.\r\nhttps://docs.aws.amazon.com/console/securityhub/EC2.44/remediation" }, "tags": [ "preserve_original_event", @@ -2706,7 +2706,7 @@ }, "resource": { "id": "arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e", - "name": "894921ab8833ff1e", + "name": "loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e", "type": "AwsElbv2LoadBalancer" }, "result": { @@ -2718,7 +2718,7 @@ "name": "EC2 subnets should be tagged", "reference": "https://docs.aws.amazon.com/console/securityhub/ELB.6/remediation", "references": "https://docs.aws.amazon.com/console/securityhub/ELB.6/remediation", - "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation. \r\n https://docs.aws.amazon.com/console/securityhub/ELB.6/remediation" + "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.\r\nhttps://docs.aws.amazon.com/console/securityhub/ELB.6/remediation" }, "tags": [ "preserve_original_event", @@ -2913,8 +2913,8 @@ "arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a888f20cd3754462297d4874c25e67ae/994921ab8833ff1e" ], "name": [ - "894921ab8833ff1e", - "994921ab8833ff1e" + "loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e", + "loadbalancer/net/a888f20cd3754462297d4874c25e67ae/994921ab8833ff1e" ], "type": [ "AwsElbv2LoadBalancer", 
@@ -2930,7 +2930,7 @@
 "name": "EC2 subnets should be tagged",
 "reference": "https://docs.aws.amazon.com/console/securityhub/ELB.6/remediation",
 "references": "https://docs.aws.amazon.com/console/securityhub/ELB.6/remediation",
- "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation. \r\n https://docs.aws.amazon.com/console/securityhub/ELB.6/remediation"
+ "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.\r\nhttps://docs.aws.amazon.com/console/securityhub/ELB.6/remediation"
 },
 "tags": [
 "preserve_original_event",
diff --git a/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml b/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml
index a828c83a533..d4023e096df 100644
--- a/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml
@@ -584,7 +584,7 @@ processors:
 value: '{{{_ingest.on_failure_message}}}'
 - set:
 field: '@timestamp'
- copy_from : aws.securityhub_findings.updated_at
+ copy_from: aws.securityhub_findings.updated_at
 tag: set_timestamp
 ignore_empty_value: true
 - convert:
@@ -1533,7 +1533,7 @@ processors:
 - set:
 field: rule.remediation
 tag: set_rule_remediation
- value: "{{{aws.securityhub_findings.remediation.recommendation.text}}} \r\n {{{aws.securityhub_findings.remediation.recommendation.url}}}"
+ value: "{{{aws.securityhub_findings.remediation.recommendation.text}}}\r\n{{{aws.securityhub_findings.remediation.recommendation.url}}}"
 if: ctx.aws?.securityhub_findings?.remediation?.recommendation?.url != null && ctx.aws.securityhub_findings.remediation.recommendation.text != null
 ignore_empty_value: true
 - rename:
@@ -1590,54 +1590,63 @@ processors:
 ctx.resource.type = res.Type;
 ctx.resource.id = res.Id;
 def res_name;
+ String[] tokenList = res.Id.splitOnToken(":");
 if (res.Details != null && res.Details[res.Type]?.Name != null) {
 res_name = res.Details[res.Type].Name;
 } else {
- String[] tokenList = res.Id.splitOnToken("/");
 res_name = tokenList[tokenList.length - 1];
 }
 ctx.resource.name = res_name;
 // Extract ECS user field
- if (res.Type == 'AwsIamUser' && res.Details?.AwsIamUser?.UserName != null) {
- ctx.user.name = res.Details.AwsIamUser.UserName;
- }
- if (res.Type == 'AwsIamAccessKey' && res.Details?.AwsIamAccessKey?.UserName != null) {
- ctx.user.name = res.Details.AwsIamAccessKey.UserName;
+ if (res.Details != null) {
+ if (res.Type == 'AwsIamUser' && res.Details.AwsIamUser?.UserName != null) {
+ ctx.user.name = res.Details.AwsIamUser.UserName;
+ }
+ if (res.Type == 'AwsIamAccessKey' && res.Details.AwsIamAccessKey?.UserName != null) {
+ ctx.user.name = res.Details.AwsIamAccessKey.UserName;
+ }
+ if (res.Type == 'AwsS3Bucket' && res.Details.AwsS3Bucket?.OwnerName != null) {
+ ctx.user.name = res.Details.AwsS3Bucket.OwnerName;
+ }
+ if (res.Type == 'AwsIamUser' && res.Details.AwsIamUser?.UserId != null) {
+ ctx.user.id = res.Details.AwsIamUser.UserId;
+ }
+ if (res.Type == 'AwsS3Bucket' && res.Details.AwsS3Bucket?.OwnerId != null) {
+ ctx.user.id = res.Details.AwsS3Bucket.OwnerId;
+ }
 }
- if (res.Type == 'AwsS3Bucket' && res.Details?.AwsS3Bucket?.OwnerName != null) {
- ctx.user.name = res.Details.AwsS3Bucket.OwnerName;
- }
- if (res.Type == 'AwsIamUser' && res.Details?.AwsIamUser?.UserId != null) {
- ctx.user.id = res.Details.AwsIamUser.UserId;
- }
- if (res.Type == 'AwsS3Bucket' && res.Details?.AwsS3Bucket?.OwnerId != null) {
- ctx.user.id = res.Details.AwsS3Bucket.OwnerId;
- }
 // Extract ECS host field
 if (res.Type == 'AwsEc2Instance' && res.Id != null) {
 ctx.host.id = res.Id;
 }
+ if (res.Details != null) {
+ if (res.Type == 'AwsEcsTask' && res.Details.AwsEcsTask?.Containers != null) {
+ ctx.orchestrator.cluster.id = res.Details.AwsEcsCluster.ClusterArn;
+ }
+ }
 // Extract ECS orchestrator field
- if (['AwsEcsCluster', 'AwsEcsTask'].contains(res.Type) && res.Details?.AwsEcsCluster?.ClusterArn != null) {
- ctx.orchestrator.cluster.id = res.Details.AwsEcsCluster.ClusterArn;
- }
- if (res.Type == 'AwsEksCluster' && res.Details?.AwsEksCluster?.Arn != null) {
- ctx.orchestrator.cluster.id = res.Details.AwsEksCluster.Arn;
- }
- if (res.Type == 'AwsEcsCluster' && res.Details?.AwsEcsCluster?.ClusterName != null) {
- ctx.orchestrator.cluster.name = res.Details.AwsEcsCluster.ClusterName;
- }
- if (res.Type == 'AwsEksCluster' && res.Details?.AwsEksCluster?.Name != null) {
- ctx.orchestrator.cluster.name = res.Details.AwsEksCluster.Name;
- }
- if (res.Type == 'AwsEksCluster' && res.Details?.AwsEksCluster?.Version != null) {
- ctx.orchestrator.cluster.version = res.Details.AwsEksCluster.Version;
- }
- if (res.Type == 'AwsEksCluster' && res.Details?.AwsEksCluster?.Endpoint != null) {
- ctx.orchestrator.cluster.url = res.Details.AwsEksCluster.Endpoint;
+ if (res.Details != null) {
+ if (['AwsEcsCluster', 'AwsEcsTask'].contains(res.Type) && res.Details.AwsEcsCluster?.ClusterArn != null) {
+ ctx.orchestrator.cluster.id = res.Details.AwsEcsCluster.ClusterArn;
+ }
+ if (res.Type == 'AwsEksCluster' && res.Details.AwsEksCluster?.Arn != null) {
+ ctx.orchestrator.cluster.id = res.Details.AwsEksCluster.Arn;
+ }
+ if (res.Type == 'AwsEcsCluster' && res.Details.AwsEcsCluster?.ClusterName != null) {
+ ctx.orchestrator.cluster.name = res.Details.AwsEcsCluster.ClusterName;
+ }
+ if (res.Type == 'AwsEksCluster' && res.Details.AwsEksCluster?.Name != null) {
+ ctx.orchestrator.cluster.name = res.Details.AwsEksCluster.Name;
+ }
+ if (res.Type == 'AwsEksCluster' && res.Details.AwsEksCluster?.Version != null) {
+ ctx.orchestrator.cluster.version = res.Details.AwsEksCluster.Version;
+ }
+ if (res.Type == 'AwsEksCluster' && res.Details.AwsEksCluster?.Endpoint != null) {
+ ctx.orchestrator.cluster.url = res.Details.AwsEksCluster.Endpoint;
+ }
 }
 if (res.Type.startsWith('AwsEks') || res.Type.startsWith('AwsEcs')) {
 ctx.orchestrator.resource.id = res.Id;
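Review bot: The new `AwsEcsTask` block placed under the `// Extract ECS host field` comment guards on `res.Details.AwsEcsTask?.Containers` but then dereferences `res.Details.AwsEcsCluster.ClusterArn` without a null-safe access, so a task finding whose Details carry only `AwsEcsTask` fails the script with a null pointer instead of being enriched. The orchestrator block right below already handles `AwsEcsTask` through `res.Details.AwsEcsCluster?.ClusterArn`, so either drop the new block or point it at the task's own cluster ARN under the orchestrator comment: `if (res.Type == 'AwsEcsTask' && res.Details.AwsEcsTask?.ClusterArn != null) {` / `ctx.orchestrator.cluster.id = res.Details.AwsEcsTask.ClusterArn;`. Separately, hoisting `String[] tokenList = res.Id.splitOnToken(":");` to the top of the block runs it before the `res.Id != null` guard that still sits a few lines lower, so that guard can no longer protect anything; if `Id` can be absent the split needs its own guard, otherwise the later check is dead code. The enclosing script starts before this hunk and continues past it.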
@@ -1655,29 +1664,30 @@ processors: ctx.cloud.instance.id = res.Id; ctx.cloud.instance.name = res_name; } - String[] cloud_service = res.Id.splitOnToken(":"); - if (cloud_service.length > 2) { - ctx.cloud.service.name = cloud_service[2]; - } - if (['AwsEc2Subnet', 'AwsRedshiftCluster', 'AwsDmsReplicationInstance'].contains(res.Type) && res.Details != null && res.Details[res.Type]?.AvailabilityZone != null) { - ctx.cloud.availability_zone = res.Details[res.Type].AvailabilityZone; + if (tokenList.length > 2) { + ctx.cloud.service.name = tokenList[2]; } - if ((['AwsEc2VpcEndpointService', 'AwsElbLoadBalancer', 'AwsRdsDbCluster'].contains(res.Type)) && res.Details != null && res.Details[res.Type]?.AvailabilityZones != null) { - for (def az: res.Details[res.Type].AvailabilityZones){ - ctx.cloud.availability_zone = az; + if (res.Details != null) { + if (['AwsEc2Subnet', 'AwsRedshiftCluster', 'AwsDmsReplicationInstance'].contains(res.Type) && res.Details[res.Type]?.AvailabilityZone != null) { + ctx.cloud.availability_zone = res.Details[res.Type].AvailabilityZone; } - } - if (res.Type == 'AwsAutoScalingAutoScalingGroup' && res.Details?.AwsAutoScalingAutoScalingGroup?.AvailabilityZones != null) { - for (def az: res.Details.AwsAutoScalingAutoScalingGroup.AvailabilityZones){ - ctx.cloud.availability_zone = az.Value; + if ((['AwsEc2VpcEndpointService', 'AwsElbLoadBalancer', 'AwsRdsDbCluster'].contains(res.Type)) && res.Details[res.Type]?.AvailabilityZones != null) { + for (def az: res.Details[res.Type].AvailabilityZones){ + ctx.cloud.availability_zone = az; + } } - } - if (res.Type == 'AwsEc2LaunchTemplate' && res.Details?.AwsEc2LaunchTemplate?.LaunchTemplateData?.Placement?.AvailabilityZone != null) { - ctx.cloud.availability_zone = res.Details.AwsEc2LaunchTemplate.LaunchTemplateData.Placement.AvailabilityZone; - } - if (res.Type == 'AwsElbv2LoadBalancer' && res.Details?.AwsElbv2LoadBalancer?.AvailabilityZones != null) { - for (def az: 
res.Details.AwsElbv2LoadBalancer.AvailabilityZones){ - ctx.cloud.availability_zone = az.ZoneName; + if (res.Type == 'AwsAutoScalingAutoScalingGroup' && res.Details.AwsAutoScalingAutoScalingGroup?.AvailabilityZones != null) { + for (def az: res.Details.AwsAutoScalingAutoScalingGroup.AvailabilityZones){ + ctx.cloud.availability_zone = az.Value; + } + } + if (res.Type == 'AwsEc2LaunchTemplate' && res.Details.AwsEc2LaunchTemplate?.LaunchTemplateData?.Placement?.AvailabilityZone != null) { + ctx.cloud.availability_zone = res.Details.AwsEc2LaunchTemplate.LaunchTemplateData.Placement.AvailabilityZone; + } + if (res.Type == 'AwsElbv2LoadBalancer' && res.Details.AwsElbv2LoadBalancer?.AvailabilityZones != null) { + for (def az: res.Details.AwsElbv2LoadBalancer.AvailabilityZones){ + ctx.cloud.availability_zone = az.ZoneName; + } } } } 
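Review bot: The availability-zone loops in this hunk assign to a scalar, so a resource spanning several zones keeps only the last one — `for (def az: res.Details.AwsElbv2LoadBalancer.AvailabilityZones){ ctx.cloud.availability_zone = az.ZoneName; }` leaves a single zone for a two-zone load balancer like the one in the test log further down, and the AwsRdsDbCluster/AwsElbLoadBalancer and AutoScalingGroup loops behave the same way. If this copy of the script is intended only for single-resource findings, a single resource can still be multi-AZ; either collect the zones into a list as the `.add` variant does, or make the choice explicit with a comment such as `// scalar field: only the last zone of a multi-AZ resource is kept`. `tokenList`, read at the top of the hunk, is declared in an earlier hunk of the same script, and the enclosing loop starts and ends outside this hunk.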
@@ -1751,30 +1761,32 @@ processors: ctx.resource.type.add(res.Type); ctx.resource.id.add(res.Id); def res_name; + String[] tokenList = res.Id.splitOnToken(":"); if (res.Details != null && res.Details[res.Type]?.Name != null) { res_name = res.Details[res.Type].Name; } else { - String[] tokenList = res.Id.splitOnToken("/"); res_name = tokenList[tokenList.length - 1]; } ctx.resource.name.add(res_name); // Extract ECS user field - if (res.Type == 'AwsIamUser' && res.Details?.AwsIamUser?.UserName != null) { - ctx.user.name.add(res.Details.AwsIamUser.UserName); - } - if (res.Type == 'AwsIamAccessKey' && res.Details?.AwsIamAccessKey?.UserName != null) { - ctx.user.name.add(res.Details.AwsIamAccessKey.UserName); + if (res.Details != null) { + if (res.Type == 'AwsIamUser' && res.Details.AwsIamUser?.UserName != null) { + ctx.user.name.add(res.Details.AwsIamUser.UserName); + } + if (res.Type == 'AwsIamAccessKey' && res.Details.AwsIamAccessKey?.UserName != null) { + ctx.user.name.add(res.Details.AwsIamAccessKey.UserName); + } + if (res.Type == 'AwsS3Bucket' && res.Details.AwsS3Bucket?.OwnerName != null) { + ctx.user.name.add(res.Details.AwsS3Bucket.OwnerName); + } + if (res.Type == 'AwsIamUser' && res.Details.AwsIamUser?.UserId != null) { + ctx.user.id.add(res.Details.AwsIamUser.UserId); + } + if (res.Type == 'AwsS3Bucket' && res.Details.AwsS3Bucket?.OwnerId != null) { + ctx.user.id.add(res.Details.AwsS3Bucket.OwnerId); + } } - if (res.Type == 'AwsS3Bucket' && res.Details?.AwsS3Bucket?.OwnerName != null) { - ctx.user.name.add(res.Details.AwsS3Bucket.OwnerName); - } - if (res.Type == 'AwsIamUser' && res.Details?.AwsIamUser?.UserId != null) { - ctx.user.id.add(res.Details.AwsIamUser.UserId); - } - if (res.Type == 'AwsS3Bucket' && res.Details?.AwsS3Bucket?.OwnerId != null) { - ctx.user.id.add(res.Details.AwsS3Bucket.OwnerId); - } // Extract ECS host field if (res.Type == 'AwsEc2Instance' && res.Id != null) { 
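Review bot: Reusing the `:`-split `tokenList` for the fallback resource name changes what `resource.name` holds: the removed `/` split returned the last path segment (`subnet-c28c74b9` for `arn:aws:ec2:ap-south-1:111111111111:subnet/subnet-c28c74b9`), whereas the last `:` token is `subnet/subnet-c28c74b9`, and for load-balancer ARNs the whole `loadbalancer/net/.../...` path. Unless the expected output was deliberately changed to the new form, keep the two splits separate: `String[] arnParts = res.Id.splitOnToken(":");` at the top, and in the else branch `String[] pathParts = res.Id.splitOnToken("/"); res_name = pathParts[pathParts.length - 1];`, with `arnParts` feeding `cloud.service.name` in the later hunk. The split now also runs unconditionally before the `res.Id != null` guard used a few lines further down; if `Id` can genuinely be absent, a guard before the split is needed, otherwise the later null check is dead and could be dropped for clarity. The per-resource loop this sits in begins and ends outside the hunk, so I am assuming `res` is the loop variable.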
@@ -1782,23 +1794,25 @@ processors: } // Extract ECS orchestrator field - if (['AwsEcsCluster', 'AwsEcsTask'].contains(res.Type) && res.Details?.AwsEcsCluster?.ClusterArn != null) { - ctx.orchestrator.cluster.id.add(res.Details.AwsEcsCluster.ClusterArn); - } - if (res.Type == 'AwsEksCluster' && res.Details?.AwsEksCluster?.Arn != null) { - ctx.orchestrator.cluster.id.add(res.Details.AwsEksCluster.Arn); - } - if (res.Type == 'AwsEcsCluster' && res.Details?.AwsEcsCluster?.ClusterName != null) { - ctx.orchestrator.cluster.name.add(res.Details.AwsEcsCluster.ClusterName); - } - if (res.Type == 'AwsEksCluster' && res.Details?.AwsEksCluster?.Name != null) { - ctx.orchestrator.cluster.name.add(res.Details.AwsEksCluster.Name); - } - if (res.Type == 'AwsEksCluster' && res.Details?.AwsEksCluster?.Version != null) { - ctx.orchestrator.cluster.version.add(res.Details.AwsEksCluster.Version); - } - if (res.Type == 'AwsEksCluster' && res.Details?.AwsEksCluster?.Endpoint != null) { - ctx.orchestrator.cluster.url.add(res.Details.AwsEksCluster.Endpoint); + if (res.Details != null) { + if (['AwsEcsCluster', 'AwsEcsTask'].contains(res.Type) && res.Details.AwsEcsCluster?.ClusterArn != null) { + ctx.orchestrator.cluster.id.add(res.Details.AwsEcsCluster.ClusterArn); + } + if (res.Type == 'AwsEksCluster' && res.Details.AwsEksCluster?.Arn != null) { + ctx.orchestrator.cluster.id.add(res.Details.AwsEksCluster.Arn); + } + if (res.Type == 'AwsEcsCluster' && res.Details.AwsEcsCluster?.ClusterName != null) { + ctx.orchestrator.cluster.name.add(res.Details.AwsEcsCluster.ClusterName); + } + if (res.Type == 'AwsEksCluster' && res.Details.AwsEksCluster?.Name != null) { + ctx.orchestrator.cluster.name.add(res.Details.AwsEksCluster.Name); + } + if (res.Type == 'AwsEksCluster' && res.Details.AwsEksCluster?.Version != null) { + ctx.orchestrator.cluster.version.add(res.Details.AwsEksCluster.Version); + } + if (res.Type == 'AwsEksCluster' && res.Details.AwsEksCluster?.Endpoint != null) { + 
ctx.orchestrator.cluster.url.add(res.Details.AwsEksCluster.Endpoint); + } } if (res.Type.startsWith('AwsEks') || res.Type.startsWith('AwsEcs')) { ctx.orchestrator.resource.id.add(res.Id); 
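Review bot: The `AwsEcsTask` case in this hunk can never fire: the condition admits `res.Type == 'AwsEcsTask'` but then reads `res.Details.AwsEcsCluster?.ClusterArn`, and ASFF keys `Details` by the resource's own type, so a task finding carries `Details.AwsEcsTask`, not `Details.AwsEcsCluster`. I believe the AwsEcsTask details expose the cluster ARN directly as `ClusterArn` — confirm against the ASFF schema — in which case a dedicated branch is needed: `if (res.Type == 'AwsEcsTask' && res.Details.AwsEcsTask?.ClusterArn != null) { ctx.orchestrator.cluster.id.add(res.Details.AwsEcsTask.ClusterArn); }`. The scalar copy of this block a few hunks up appears to gain extra AwsEcsTask handling in a hunk I only partly see; whatever the fix, apply it to both copies so the scalar and list variants do not drift. The surrounding loop starts and ends outside this hunk.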
@@ -1816,29 +1830,30 @@ processors: ctx.cloud.instance.id.add(res.Id); ctx.cloud.instance.name.add(res_name); } - String[] cloud_service = res.Id.splitOnToken(":"); - if (cloud_service.length > 2) { - ctx.cloud.service.name.add(cloud_service[2]); + if (tokenList.length > 2) { + ctx.cloud.service.name.add(tokenList[2]); } - if (['AwsEc2Subnet', 'AwsRedshiftCluster', 'AwsDmsReplicationInstance'].contains(res.Type) && res.Details != null && res.Details[res.Type]?.AvailabilityZone != null) { - ctx.cloud.availability_zone.add(res.Details[res.Type].AvailabilityZone); - } - if ((['AwsEc2VpcEndpointService', 'AwsElbLoadBalancer', 'AwsRdsDbCluster'].contains(res.Type)) && res.Details != null && res.Details[res.Type]?.AvailabilityZones != null) { - for (def az: res.Details[res.Type].AvailabilityZones){ - ctx.cloud.availability_zone.add(az); + if (res.Details != null) { + if (['AwsEc2Subnet', 'AwsRedshiftCluster', 'AwsDmsReplicationInstance'].contains(res.Type) && res.Details[res.Type]?.AvailabilityZone != null) { + ctx.cloud.availability_zone.add(res.Details[res.Type].AvailabilityZone); } - } - if (res.Type == 'AwsAutoScalingAutoScalingGroup' && res.Details?.AwsAutoScalingAutoScalingGroup?.AvailabilityZones != null) { - for (def az: res.Details.AwsAutoScalingAutoScalingGroup.AvailabilityZones){ - ctx.cloud.availability_zone.add(az.Value); + if ((['AwsEc2VpcEndpointService', 'AwsElbLoadBalancer', 'AwsRdsDbCluster'].contains(res.Type)) && res.Details[res.Type]?.AvailabilityZones != null) { + for (def az: res.Details[res.Type].AvailabilityZones){ + ctx.cloud.availability_zone.add(az); + } } - } - if (res.Type == 'AwsEc2LaunchTemplate' && res.Details?.AwsEc2LaunchTemplate?.LaunchTemplateData?.Placement?.AvailabilityZone != null) { - ctx.cloud.availability_zone.add(res.Details.AwsEc2LaunchTemplate.LaunchTemplateData.Placement.AvailabilityZone); - } - if (res.Type == 'AwsElbv2LoadBalancer' && res.Details?.AwsElbv2LoadBalancer?.AvailabilityZones != null) { - for (def az: 
res.Details.AwsElbv2LoadBalancer.AvailabilityZones){ - ctx.cloud.availability_zone.add(az.ZoneName); + if (res.Type == 'AwsAutoScalingAutoScalingGroup' && res.Details.AwsAutoScalingAutoScalingGroup?.AvailabilityZones != null) { + for (def az: res.Details.AwsAutoScalingAutoScalingGroup.AvailabilityZones){ + ctx.cloud.availability_zone.add(az.Value); + } + } + if (res.Type == 'AwsEc2LaunchTemplate' && res.Details.AwsEc2LaunchTemplate?.LaunchTemplateData?.Placement?.AvailabilityZone != null) { + ctx.cloud.availability_zone.add(res.Details.AwsEc2LaunchTemplate.LaunchTemplateData.Placement.AvailabilityZone); + } + if (res.Type == 'AwsElbv2LoadBalancer' && res.Details.AwsElbv2LoadBalancer?.AvailabilityZones != null) { + for (def az: res.Details.AwsElbv2LoadBalancer.AvailabilityZones){ + ctx.cloud.availability_zone.add(az.ZoneName); + } } } } From 0897d247be25de2bfc6d53e41b62802cedbbdfb4 Mon Sep 17 00:00:00 2001 From: kcreddy Date: Wed, 25 Sep 2024 23:59:19 +0530 Subject: [PATCH 12/28] Add PR comment-2 - Add host.ip and host.name --- .../pipeline/test-securityhub-findings.log | 3 +- ...est-securityhub-findings.log-expected.json | 197 ++++++++++++++++++ .../elasticsearch/ingest_pipeline/default.yml | 42 +++- 3 files changed, 239 insertions(+), 3 deletions(-) diff --git a/packages/aws/data_stream/securityhub_findings/_dev/test/pipeline/test-securityhub-findings.log b/packages/aws/data_stream/securityhub_findings/_dev/test/pipeline/test-securityhub-findings.log index 3397ee49d79..8a5e52294b8 100644 --- a/packages/aws/data_stream/securityhub_findings/_dev/test/pipeline/test-securityhub-findings.log +++ b/packages/aws/data_stream/securityhub_findings/_dev/test/pipeline/test-securityhub-findings.log 
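Review bot: `ctx.cloud.service.name.add(tokenList[2])` appends an empty string for non-ARN resource ids: `AWS::::Account:111111111111` (the AwsAccount entry in the test log below) splits on `:` into `AWS` followed by three empty tokens, and as far as I can tell `splitOnToken` preserves empty tokens, so `cloud.service.name` gains `""` unless a later clean-up step strips empty values. The old `cloud_service` split had the same gap, but since the line is being rewritten it is cheap to guard: `if (tokenList.length > 2 && !tokenList[2].isEmpty()) {`. On style, this block is a near line-for-line copy of the scalar variant a few hunks up with `=` swapped for `.add`; extracting the zone/service derivation into one helper that returns the values and letting the two callers decide scalar-versus-list would keep them from diverging. `tokenList` is declared in the previous hunk, and the enclosing loop and script boundaries are not visible here.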
@@ -11,4 +11,5 @@ {"AwsAccountId":"111111111111","CompanyName":"AWS","Compliance":{"AssociatedStandards":[{"StandardsId":"standards/cis-aws-foundations-benchmark/v/3.0.0"}],"RelatedRequirements":["CIS AWS Foundations Benchmark v3.0.0/1.22"],"SecurityControlId":"IAM.27","Status":"PASSED","StatusReasons":[{"Description":"AWS Config evaluated your resources against the rule. The rule did not apply to the AWS resources in its scope, the specified resources were deleted, or the evaluation results were deleted.","ReasonCode":"CONFIG_EVALUATIONS_EMPTY"}]},"CreatedAt":"2024-08-14T12:11:57.803Z","Description":"This control checks whether an IAM identity (user, role, or group) has the AWS managed policy AWSCloudShellFullAccess attached. The control fails if an IAM identity has the AWSCloudShellFullAccess policy attached.","FindingProviderFields":{"Severity":{"Label":"INFORMATIONAL","Normalized":0,"Original":"INFORMATIONAL"},"Types":["Software and Configuration Checks/Industry and Regulatory Standards"]},"FirstObservedAt":"2024-08-14T12:11:57.803Z","GeneratorId":"security-control/IAM.27","Id":"arn:aws:securityhub:ap-south-1:111111111111:security-control/IAM.27/finding/9ec777ec-6a92-416f-a27c-fa22b5827b6f","LastObservedAt":"2024-09-11T07:53:19.500Z","ProcessedAt":"2024-09-11T07:53:27.460Z","ProductArn":"arn:aws:securityhub:ap-south-1::product/aws/securityhub","ProductFields":{"RelatedAWSResources:0/name":"securityhub-iam-policy-blacklisted-check-0ab52b49","RelatedAWSResources:0/type":"AWS::Config::ConfigRule","Resources:0/Id":"arn:aws:iam::111111111111:root","aws/securityhub/CompanyName":"AWS","aws/securityhub/FindingId":"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/IAM.27/finding/9ec777ec-6a92-416f-a27c-fa22b5827b6f","aws/securityhub/ProductName":"Security Hub","aws/securityhub/annotation":"AWS Config evaluated your resources against the rule. 
The rule did not apply to the AWS resources in its scope, the specified resources were deleted, or the evaluation results were deleted."},"ProductName":"Security Hub","RecordState":"ACTIVE","Region":"ap-south-1","Remediation":{"Recommendation":{"Text":"For information on how to correct this issue, consult the AWS Security Hub controls documentation.","Url":"https://docs.aws.amazon.com/console/securityhub/IAM.27/remediation"}},"Resources":[{"Id":"AWS::::Account:111111111111","Partition":"aws","Region":"ap-south-1","Type":"AwsAccount"}],"SchemaVersion":"2018-10-08","Severity":{"Label":"INFORMATIONAL","Normalized":0,"Original":"INFORMATIONAL"},"Title":"IAM identities should not have the AWSCloudShellFullAccess policy attached","Types":["Software and Configuration Checks/Industry and Regulatory Standards"],"UpdatedAt":"2024-09-11T07:53:19.500Z","Workflow":{"Status":"RESOLVED"},"WorkflowState":"NEW"} {"AwsAccountId":"111111111111","CompanyName":"AWS","Compliance":{"AssociatedStandards":[{"StandardsId":"standards/aws-resource-tagging-standard/v/1.0.0"}],"SecurityControlId":"EC2.44","SecurityControlParameters":[{"Name":"requiredTagKeys","Value":[]}],"Status":"FAILED"},"CreatedAt":"2024-08-14T10:14:50.020Z","Description":"This control checks whether an Amazon EC2 subnet has tags with the specific keys defined in the parameter requiredTagKeys. The control fails if the subnet doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter requiredTagKeys. If the parameter requiredTagKeys isn't provided, the control only checks for the existence of a tag key and fails if the subnet isn't tagged with any key. 
System tags, which are automatically applied and begin with aws:, are ignored.","FindingProviderFields":{"Severity":{"Label":"LOW","Normalized":1,"Original":"LOW"},"Types":["Software and Configuration Checks/Industry and Regulatory Standards"]},"FirstObservedAt":"2024-08-14T10:14:50.020Z","GeneratorId":"security-control/EC2.44","Id":"arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.44/finding/0397ae8e-d2b2-4a75-964f-fde027670405","LastObservedAt":"2024-09-13T22:50:24.617Z","ProcessedAt":"2024-09-13T22:50:27.295Z","ProductArn":"arn:aws:securityhub:ap-south-1::product/aws/securityhub","ProductFields":{"RelatedAWSResources:0/name":"securityhub-tagged-ec2-subnet-4c30afd3","RelatedAWSResources:0/type":"AWS::Config::ConfigRule","Resources:0/Id":"arn:aws:ec2:ap-south-1:111111111111:subnet/subnet-c28c74b9","aws/securityhub/CompanyName":"AWS","aws/securityhub/FindingId":"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.44/finding/0397ae8e-d2b2-4a75-964f-fde027670405","aws/securityhub/ProductName":"Security Hub","aws/securityhub/annotation":"No tags are present."},"ProductName":"Security Hub","RecordState":"ACTIVE","Region":"ap-south-1","Remediation":{"Recommendation":{"Text":"For information on how to correct this issue, consult the AWS Security Hub controls 
documentation.","Url":"https://docs.aws.amazon.com/console/securityhub/EC2.44/remediation"}},"Resources":[{"Details":{"AwsEc2Subnet":{"AssignIpv6AddressOnCreation":false,"AvailabilityZone":"ap-south-1c","AvailabilityZoneId":"aps1-az2","AvailableIpAddressCount":4091,"CidrBlock":"171.32.32.0/20","DefaultForAz":true,"MapPublicIpOnLaunch":true,"OwnerId":"111111111111","State":"available","SubnetArn":"arn:aws:ec2:ap-south-1:111111111111:subnet/subnet-c19c74b9","SubnetId":"subnet-c19c74b9","VpcId":"vpc-39017152"}},"Id":"arn:aws:ec2:ap-south-1:111111111111:subnet/subnet-c28c74b9","Partition":"aws","Region":"ap-south-1","Type":"AwsEc2Subnet"}],"SchemaVersion":"2018-10-08","Severity":{"Label":"LOW","Normalized":1,"Original":"LOW"},"Title":"EC2 subnets should be tagged","Types":["Software and Configuration Checks/Industry and Regulatory Standards"],"UpdatedAt":"2024-09-13T22:50:15.737Z","Workflow":{"Status":"NEW"},"WorkflowState":"NEW"} {"AwsAccountId":"111111111111","CompanyName":"AWS","Compliance":{"SecurityControlId":"ELB.6","Status":"FAILED"},"CreatedAt":"2024-08-14T10:14:50.020Z","Description":"This control checks whether Application, Gateway, and Network Load Balancers have deletion protection enabled. 
The control fails if deletion protection is disabled.","FindingProviderFields":{"Severity":{"Label":"MEDIUM","Normalized":40,"Original":"MEDIUM"},"Types":["Software and Configuration Checks/Industry and Regulatory Standards"]},"FirstObservedAt":"2024-08-14T10:14:50.020Z","GeneratorId":"security-control/EC2.44","Id":"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e","LastObservedAt":"2024-09-13T22:50:24.617Z","ProcessedAt":"2024-09-13T22:50:27.295Z","ProductArn":"arn:aws:securityhub:ap-south-1::product/aws/securityhub","ProductFields":{"RelatedAWSResources:0/name":"securityhub-tagged-ec2-subnet-4c30afd3","RelatedAWSResources:0/type":"AWS::Config::ConfigRule","Resources:0/Id":"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e","aws/securityhub/CompanyName":"AWS","aws/securityhub/FindingId":"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/ELB.6/finding/9e7771db-5b77-48df-a103-1370cf6d401a","aws/securityhub/ProductName":"Security Hub","aws/securityhub/annotation":"No tags are present."},"ProductName":"Security Hub","RecordState":"ACTIVE","Region":"ap-south-1","Remediation":{"Recommendation":{"Text":"For information on how to correct this issue, consult the AWS Security Hub controls 
documentation.","Url":"https://docs.aws.amazon.com/console/securityhub/ELB.6/remediation"}},"Resources":[{"Partition":"aws","Type":"AwsElbv2LoadBalancer","Details":{"AwsElbv2LoadBalancer":{"IpAddressType":"ipv4","Type":"network","CreatedTime":"2024-04-17T21:35:20.303Z","Scheme":"internet-facing","VpcId":"vpc-132ddf1f407252a0a","CanonicalHostedZoneId":"ZLPOA36VPKAMP","AvailabilityZones":[{"ZoneName":"ap-south-1b","SubnetId":"subnet-aaa"},{"ZoneName":"ap-south-1a","SubnetId":"subnet-bbb"}],"State":{"Code":"active"},"DNSName":"a799f20cd3754462297d4874c25e67ae-894921ab8833ff1e.elb.ap-south-1.amazonaws.com"}},"Region":"ap-south-1","Id":"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e","Tags":{"kubernetes.io/service-name":"default/traefik","kubernetes.io/cluster/demo":"owned"}}],"SchemaVersion":"2018-10-08","Severity":{"Label":"LOW","Normalized":1,"Original":"LOW"},"Title":"EC2 subnets should be tagged","Types":["Software and Configuration Checks/Industry and Regulatory Standards"],"UpdatedAt":"2024-09-13T22:50:15.737Z","Workflow":{"Status":"NEW"},"WorkflowState":"NEW"} -{"AwsAccountId":"111111111111","CompanyName":"AWS","Compliance":{"SecurityControlId":"ELB.6","Status":"FAILED"},"CreatedAt":"2024-08-14T10:14:50.020Z","Description":"This control checks whether Application, Gateway, and Network Load Balancers have deletion protection enabled. 
The control fails if deletion protection is disabled.","FindingProviderFields":{"Severity":{"Label":"MEDIUM","Normalized":40,"Original":"MEDIUM"},"Types":["Software and Configuration Checks/Industry and Regulatory Standards"]},"FirstObservedAt":"2024-08-14T10:14:50.020Z","GeneratorId":"security-control/EC2.44","Id":"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e","LastObservedAt":"2024-09-13T22:50:24.617Z","ProcessedAt":"2024-09-13T22:50:27.295Z","ProductArn":"arn:aws:securityhub:ap-south-1::product/aws/securityhub","ProductFields":{"RelatedAWSResources:0/name":"securityhub-tagged-ec2-subnet-4c30afd3","RelatedAWSResources:0/type":"AWS::Config::ConfigRule","Resources:0/Id":"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e","aws/securityhub/CompanyName":"AWS","aws/securityhub/FindingId":"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/ELB.6/finding/9e7771db-5b77-48df-a103-1370cf6d401a","aws/securityhub/ProductName":"Security Hub","aws/securityhub/annotation":"No tags are present."},"ProductName":"Security Hub","RecordState":"ACTIVE","Region":"ap-south-1","Remediation":{"Recommendation":{"Text":"For information on how to correct this issue, consult the AWS Security Hub controls 
documentation.","Url":"https://docs.aws.amazon.com/console/securityhub/ELB.6/remediation"}},"Resources":[{"Partition":"aws","Type":"AwsElbv2LoadBalancer","Details":{"AwsElbv2LoadBalancer":{"IpAddressType":"ipv4","Type":"network","CreatedTime":"2024-04-17T21:35:20.303Z","Scheme":"internet-facing","VpcId":"vpc-132ddf1f407252a0a","CanonicalHostedZoneId":"ZLPOA36VPKAMP","AvailabilityZones":[{"ZoneName":"ap-south-1b","SubnetId":"subnet-aaa"},{"ZoneName":"ap-south-1a","SubnetId":"subnet-bbb"}],"State":{"Code":"active"},"DNSName":"a799f20cd3754462297d4874c25e67ae-894921ab8833ff1e.elb.ap-south-1.amazonaws.com"}},"Region":"ap-south-1","Id":"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e","Tags":{"kubernetes.io/service-name":"default/traefik","kubernetes.io/cluster/demo":"owned"}},{"Partition":"aws","Type":"AwsElbv2LoadBalancer","Details":{"AwsElbv2LoadBalancer":{"IpAddressType":"ipv4","Type":"network","CreatedTime":"2024-04-18T21:35:20.303Z","Scheme":"internet-facing","VpcId":"vpc-132ddf1f407252a0a","CanonicalHostedZoneId":"ZLPOA36VPKAMP","AvailabilityZones":[{"ZoneName":"ap-south-1b","SubnetId":"subnet-aaa"},{"ZoneName":"ap-south-1a","SubnetId":"subnet-bbb"}],"State":{"Code":"active"},"DNSName":"a888f20cd3754462297d4874c25e67ae-994921ab8833ff1e.elb.ap-south-1.amazonaws.com"}},"Region":"ap-south-1","Id":"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a888f20cd3754462297d4874c25e67ae/994921ab8833ff1e","Tags":{"kubernetes.io/cluster/demo":"owned"}}],"SchemaVersion":"2018-10-08","Severity":{"Label":"LOW","Normalized":1,"Original":"LOW"},"Title":"EC2 subnets should be tagged","Types":["Software and Configuration Checks/Industry and Regulatory Standards"],"UpdatedAt":"2024-09-13T22:50:15.737Z","Workflow":{"Status":"NEW"},"WorkflowState":"NEW"} \ No newline at end of file 
+{"AwsAccountId":"111111111111","CompanyName":"AWS","Compliance":{"SecurityControlId":"ELB.6","Status":"FAILED"},"CreatedAt":"2024-08-14T10:14:50.020Z","Description":"This control checks whether Application, Gateway, and Network Load Balancers have deletion protection enabled. The control fails if deletion protection is disabled.","FindingProviderFields":{"Severity":{"Label":"MEDIUM","Normalized":40,"Original":"MEDIUM"},"Types":["Software and Configuration Checks/Industry and Regulatory Standards"]},"FirstObservedAt":"2024-08-14T10:14:50.020Z","GeneratorId":"security-control/EC2.44","Id":"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e","LastObservedAt":"2024-09-13T22:50:24.617Z","ProcessedAt":"2024-09-13T22:50:27.295Z","ProductArn":"arn:aws:securityhub:ap-south-1::product/aws/securityhub","ProductFields":{"RelatedAWSResources:0/name":"securityhub-tagged-ec2-subnet-4c30afd3","RelatedAWSResources:0/type":"AWS::Config::ConfigRule","Resources:0/Id":"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e","aws/securityhub/CompanyName":"AWS","aws/securityhub/FindingId":"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/ELB.6/finding/9e7771db-5b77-48df-a103-1370cf6d401a","aws/securityhub/ProductName":"Security Hub","aws/securityhub/annotation":"No tags are present."},"ProductName":"Security Hub","RecordState":"ACTIVE","Region":"ap-south-1","Remediation":{"Recommendation":{"Text":"For information on how to correct this issue, consult the AWS Security Hub controls 
documentation.","Url":"https://docs.aws.amazon.com/console/securityhub/ELB.6/remediation"}},"Resources":[{"Partition":"aws","Type":"AwsElbv2LoadBalancer","Details":{"AwsElbv2LoadBalancer":{"IpAddressType":"ipv4","Type":"network","CreatedTime":"2024-04-17T21:35:20.303Z","Scheme":"internet-facing","VpcId":"vpc-132ddf1f407252a0a","CanonicalHostedZoneId":"ZLPOA36VPKAMP","AvailabilityZones":[{"ZoneName":"ap-south-1b","SubnetId":"subnet-aaa"},{"ZoneName":"ap-south-1a","SubnetId":"subnet-bbb"}],"State":{"Code":"active"},"DNSName":"a799f20cd3754462297d4874c25e67ae-894921ab8833ff1e.elb.ap-south-1.amazonaws.com"}},"Region":"ap-south-1","Id":"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e","Tags":{"kubernetes.io/service-name":"default/traefik","kubernetes.io/cluster/demo":"owned"}},{"Partition":"aws","Type":"AwsElbv2LoadBalancer","Details":{"AwsElbv2LoadBalancer":{"IpAddressType":"ipv4","Type":"network","CreatedTime":"2024-04-18T21:35:20.303Z","Scheme":"internet-facing","VpcId":"vpc-132ddf1f407252a0a","CanonicalHostedZoneId":"ZLPOA36VPKAMP","AvailabilityZones":[{"ZoneName":"ap-south-1b","SubnetId":"subnet-aaa"},{"ZoneName":"ap-south-1a","SubnetId":"subnet-bbb"}],"State":{"Code":"active"},"DNSName":"a888f20cd3754462297d4874c25e67ae-994921ab8833ff1e.elb.ap-south-1.amazonaws.com"}},"Region":"ap-south-1","Id":"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a888f20cd3754462297d4874c25e67ae/994921ab8833ff1e","Tags":{"kubernetes.io/cluster/demo":"owned"}}],"SchemaVersion":"2018-10-08","Severity":{"Label":"LOW","Normalized":1,"Original":"LOW"},"Title":"EC2 subnets should be tagged","Types":["Software and Configuration Checks/Industry and Regulatory Standards"],"UpdatedAt":"2024-09-13T22:50:15.737Z","Workflow":{"Status":"NEW"},"WorkflowState":"NEW"} 
+{"AwsAccountId":"111111111111","CompanyName":"AWS","Compliance":{"AssociatedStandards":[{"StandardsId":"standards/aws-foundational-security-best-practices/v/1.0.0"},{"StandardsId":"standards/cis-aws-foundations-benchmark/v/3.0.0"},{"StandardsId":"standards/nist-800-53/v/5.0.0"}],"RelatedRequirements":["CIS AWS Foundations Benchmark v3.0.0/5.6","NIST.800-53.r5 AC-3","NIST.800-53.r5 AC-3(15)","NIST.800-53.r5 AC-3(7)","NIST.800-53.r5 AC-6"],"SecurityControlId":"EC2.8","Status":"PASSED"},"CreatedAt":"2024-09-20T10:40:32.189Z","Description":"This control checks whether your Amazon Elastic Compute Cloud (Amazon EC2) instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The control passes if HttpTokens is set to required for IMDSv2. The control fails if HttpTokens is set to optional.","FindingProviderFields":{"Severity":{"Label":"INFORMATIONAL","Normalized":0,"Original":"INFORMATIONAL"},"Types":["Software and Configuration Checks/Industry and Regulatory Standards"]},"FirstObservedAt":"2024-09-20T10:40:32.189Z","GeneratorId":"security-control/EC2.8","Id":"arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.8/finding/8925ae3b-1f70-4c74-8337-baee8fcad8fe","LastObservedAt":"2024-09-21T08:00:01.828Z","ProcessedAt":"2024-09-21T08:00:03.516Z","ProductArn":"arn:aws:securityhub:ap-south-1::product/aws/securityhub","ProductFields":{"RelatedAWSResources:0/name":"securityhub-ec2-imdsv2-check-29027890","RelatedAWSResources:0/type":"AWS::Config::ConfigRule","Resources:0/Id":"arn:aws:ec2:ap-south-1:111111111111:instance/i-0f2ede89308a594d8","aws/securityhub/CompanyName":"AWS","aws/securityhub/FindingId":"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.8/finding/8925ae3b-1f70-4c74-8337-baee8fcad8fe","aws/securityhub/ProductName":"Security Hub"},"ProductName":"Security Hub","RecordState":"ACTIVE","Region":"ap-south-1","Remediation":{"Recommendation":{"Text":"For 
information on how to correct this issue, consult the AWS Security Hub controls documentation.","Url":"https://docs.aws.amazon.com/console/securityhub/EC2.8/remediation"}},"Resources":[{"Details":{"AwsEc2Instance":{"IamInstanceProfileArn":"arn:aws:iam::111111111111:instance-profile/elastic-agent-instance-profile-e4f7caa0-6f61-11ef-bb07-02fe87118279","ImageId":"ami-04dffe071c46cddd4","IpV4Addresses":["89.160.20.156","89.160.20.157"],"IpV6Addresses":["2a02:cf40::"],"LaunchedAt":"2024-09-20T10:39:35.000Z","MetadataOptions":{"HttpEndpoint":"enabled","HttpProtocolIpv6":"disabled","HttpPutResponseHopLimit":2,"HttpTokens":"required","InstanceMetadataTags":"disabled"},"Monitoring":{"State":"disabled"},"NetworkInterfaces":[{"NetworkInterfaceId":"eni-0de300eee88c5c7fd"}],"SubnetId":"subnet-5d15a111","VirtualizationType":"hvm","VpcId":"vpc-39017251"}},"Id":"arn:aws:ec2:ap-south-1:111111111111:instance/i-0f2ede89308a594d8","Partition":"aws","Region":"ap-south-1","Tags":{"Name":"elastic-agent-instance-e5f7caa0-6f60-11ef-bb07-02fe87118279","Task":"Cloud Security Posture Management Scanner","aws:cloudformation:logical-id":"ElasticAgentEc2Instance","aws:cloudformation:stack-id":"arn:aws:cloudformation:ap-south-1:111111111111:stack/Elastic-Cloud-Security-Posture-Management/e5f7caa0-6f60-11ef-bb07-02fe87118279","aws:cloudformation:stack-name":"Elastic-Cloud-Security-Posture-Management"},"Type":"AwsEc2Instance"}],"SchemaVersion":"2018-10-08","Severity":{"Label":"INFORMATIONAL","Normalized":0,"Original":"INFORMATIONAL"},"Title":"EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)","Types":["Software and Configuration Checks/Industry and Regulatory Standards"],"UpdatedAt":"2024-09-21T07:59:56.087Z","Workflow":{"Status":"RESOLVED"},"WorkflowState":"NEW"} \ No newline at end of file 
diff --git a/packages/aws/data_stream/securityhub_findings/_dev/test/pipeline/test-securityhub-findings.log-expected.json b/packages/aws/data_stream/securityhub_findings/_dev/test/pipeline/test-securityhub-findings.log-expected.json
index f669a8abcbf..207bd67cbe4 100644
--- a/packages/aws/data_stream/securityhub_findings/_dev/test/pipeline/test-securityhub-findings.log-expected.json
+++ b/packages/aws/data_stream/securityhub_findings/_dev/test/pipeline/test-securityhub-findings.log-expected.json
@@ -2936,6 +2936,203 @@ "preserve_original_event", "preserve_duplicate_custom_fields" ] + }, + { + "@timestamp": "2024-09-21T07:59:56.087Z", + "aws": { + "securityhub_findings": { + "aws_account_id": "111111111111", + "company": { + "name": "AWS" + }, + "compliance": { + "related_requirements": [ + "CIS AWS Foundations Benchmark v3.0.0/5.6", + "NIST.800-53.r5 AC-3", + "NIST.800-53.r5 AC-3(15)", + "NIST.800-53.r5 AC-3(7)", + "NIST.800-53.r5 AC-6" + ], + "security_control_id": "EC2.8", + "status": "PASSED" + }, + "created_at": "2024-09-20T10:40:32.189Z", + "description": "This control checks whether your Amazon Elastic Compute Cloud (Amazon EC2) instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The control passes if HttpTokens is set to required for IMDSv2. The control fails if HttpTokens is set to optional.", + "first_observed_at": "2024-09-20T10:40:32.189Z", + "generator": { + "id": "security-control/EC2.8" + }, + "id": "arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.8/finding/8925ae3b-1f70-4c74-8337-baee8fcad8fe", + "last_observed_at": "2024-09-21T08:00:01.828Z", + "processed_at": "2024-09-21T08:00:03.516Z", + "product": { + "arn": "arn:aws:securityhub:ap-south-1::product/aws/securityhub", + "fields": { + "RelatedAWSResources:0/name": "securityhub-ec2-imdsv2-check-29027890", + "RelatedAWSResources:0/type": "AWS::Config::ConfigRule", + "Resources:0/Id": "arn:aws:ec2:ap-south-1:111111111111:instance/i-0f2ede89308a594d8", + "aws/securityhub/CompanyName": "AWS", + "aws/securityhub/FindingId": "arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.8/finding/8925ae3b-1f70-4c74-8337-baee8fcad8fe", + "aws/securityhub/ProductName": "Security Hub" + }, + "name": "Security Hub" + }, + "provider_fields": { + "severity": { + "label": "INFORMATIONAL", + "normalized": "0", + "original": "INFORMATIONAL" + }, + "types": [ + "Software and Configuration 
Checks/Industry and Regulatory Standards" + ] + }, + "record_state": "ACTIVE", + "region": "ap-south-1", + "remediation": { + "recommendation": { + "text": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.", + "url": "https://docs.aws.amazon.com/console/securityhub/EC2.8/remediation" + } + }, + "resources": [ + { + "Details": { + "AwsEc2Instance": { + "IamInstanceProfileArn": "arn:aws:iam::111111111111:instance-profile/elastic-agent-instance-profile-e4f7caa0-6f61-11ef-bb07-02fe87118279", + "ImageId": "ami-04dffe071c46cddd4", + "IpV4Addresses": [ + "89.160.20.156", + "89.160.20.157" + ], + "IpV6Addresses": [ + "2a02:cf40::" + ], + "LaunchedAt": "2024-09-20T10:39:35.000Z", + "MetadataOptions": { + "HttpEndpoint": "enabled", + "HttpProtocolIpv6": "disabled", + "HttpPutResponseHopLimit": 2, + "HttpTokens": "required", + "InstanceMetadataTags": "disabled" + }, + "Monitoring": { + "State": "disabled" + }, + "NetworkInterfaces": [ + { + "NetworkInterfaceId": "eni-0de300eee88c5c7fd" + } + ], + "SubnetId": "subnet-5d15a111", + "VirtualizationType": "hvm", + "VpcId": "vpc-39017251" + } + }, + "Id": "arn:aws:ec2:ap-south-1:111111111111:instance/i-0f2ede89308a594d8", + "Partition": "aws", + "Region": "ap-south-1", + "Tags": { + "Name": "elastic-agent-instance-e5f7caa0-6f60-11ef-bb07-02fe87118279", + "Task": "Cloud Security Posture Management Scanner", + "aws:cloudformation:logical-id": "ElasticAgentEc2Instance", + "aws:cloudformation:stack-id": "arn:aws:cloudformation:ap-south-1:111111111111:stack/Elastic-Cloud-Security-Posture-Management/e5f7caa0-6f60-11ef-bb07-02fe87118279", + "aws:cloudformation:stack-name": "Elastic-Cloud-Security-Posture-Management" + }, + "Type": "AwsEc2Instance" + } + ], + "schema": { + "version": "2018-10-08" + }, + "severity": { + "label": "INFORMATIONAL", + "normalized": "0", + "original": "INFORMATIONAL" + }, + "title": "EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)", + 
"types": [ + "Software and Configuration Checks/Industry and Regulatory Standards" + ], + "updated_at": "2024-09-21T07:59:56.087Z", + "workflow": { + "state": "NEW", + "status": "RESOLVED" + } + } + }, + "cloud": { + "account": { + "id": "111111111111" + }, + "instance": { + "id": "arn:aws:ec2:ap-south-1:111111111111:instance/i-0f2ede89308a594d8", + "name": "instance/i-0f2ede89308a594d8" + }, + "provider": "aws", + "region": "ap-south-1", + "service": { + "name": "ec2" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "configuration" + ], + "created": "2024-09-21T08:00:03.516Z", + "id": "arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.8/finding/8925ae3b-1f70-4c74-8337-baee8fcad8fe", + "kind": "state", + "original": "{\"AwsAccountId\":\"111111111111\",\"CompanyName\":\"AWS\",\"Compliance\":{\"AssociatedStandards\":[{\"StandardsId\":\"standards/aws-foundational-security-best-practices/v/1.0.0\"},{\"StandardsId\":\"standards/cis-aws-foundations-benchmark/v/3.0.0\"},{\"StandardsId\":\"standards/nist-800-53/v/5.0.0\"}],\"RelatedRequirements\":[\"CIS AWS Foundations Benchmark v3.0.0/5.6\",\"NIST.800-53.r5 AC-3\",\"NIST.800-53.r5 AC-3(15)\",\"NIST.800-53.r5 AC-3(7)\",\"NIST.800-53.r5 AC-6\"],\"SecurityControlId\":\"EC2.8\",\"Status\":\"PASSED\"},\"CreatedAt\":\"2024-09-20T10:40:32.189Z\",\"Description\":\"This control checks whether your Amazon Elastic Compute Cloud (Amazon EC2) instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The control passes if HttpTokens is set to required for IMDSv2. 
The control fails if HttpTokens is set to optional.\",\"FindingProviderFields\":{\"Severity\":{\"Label\":\"INFORMATIONAL\",\"Normalized\":0,\"Original\":\"INFORMATIONAL\"},\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"]},\"FirstObservedAt\":\"2024-09-20T10:40:32.189Z\",\"GeneratorId\":\"security-control/EC2.8\",\"Id\":\"arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.8/finding/8925ae3b-1f70-4c74-8337-baee8fcad8fe\",\"LastObservedAt\":\"2024-09-21T08:00:01.828Z\",\"ProcessedAt\":\"2024-09-21T08:00:03.516Z\",\"ProductArn\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub\",\"ProductFields\":{\"RelatedAWSResources:0/name\":\"securityhub-ec2-imdsv2-check-29027890\",\"RelatedAWSResources:0/type\":\"AWS::Config::ConfigRule\",\"Resources:0/Id\":\"arn:aws:ec2:ap-south-1:111111111111:instance/i-0f2ede89308a594d8\",\"aws/securityhub/CompanyName\":\"AWS\",\"aws/securityhub/FindingId\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.8/finding/8925ae3b-1f70-4c74-8337-baee8fcad8fe\",\"aws/securityhub/ProductName\":\"Security Hub\"},\"ProductName\":\"Security Hub\",\"RecordState\":\"ACTIVE\",\"Region\":\"ap-south-1\",\"Remediation\":{\"Recommendation\":{\"Text\":\"For information on how to correct this issue, consult the AWS Security Hub controls 
documentation.\",\"Url\":\"https://docs.aws.amazon.com/console/securityhub/EC2.8/remediation\"}},\"Resources\":[{\"Details\":{\"AwsEc2Instance\":{\"IamInstanceProfileArn\":\"arn:aws:iam::111111111111:instance-profile/elastic-agent-instance-profile-e4f7caa0-6f61-11ef-bb07-02fe87118279\",\"ImageId\":\"ami-04dffe071c46cddd4\",\"IpV4Addresses\":[\"89.160.20.156\",\"89.160.20.157\"],\"IpV6Addresses\":[\"2a02:cf40::\"],\"LaunchedAt\":\"2024-09-20T10:39:35.000Z\",\"MetadataOptions\":{\"HttpEndpoint\":\"enabled\",\"HttpProtocolIpv6\":\"disabled\",\"HttpPutResponseHopLimit\":2,\"HttpTokens\":\"required\",\"InstanceMetadataTags\":\"disabled\"},\"Monitoring\":{\"State\":\"disabled\"},\"NetworkInterfaces\":[{\"NetworkInterfaceId\":\"eni-0de300eee88c5c7fd\"}],\"SubnetId\":\"subnet-5d15a111\",\"VirtualizationType\":\"hvm\",\"VpcId\":\"vpc-39017251\"}},\"Id\":\"arn:aws:ec2:ap-south-1:111111111111:instance/i-0f2ede89308a594d8\",\"Partition\":\"aws\",\"Region\":\"ap-south-1\",\"Tags\":{\"Name\":\"elastic-agent-instance-e5f7caa0-6f60-11ef-bb07-02fe87118279\",\"Task\":\"Cloud Security Posture Management Scanner\",\"aws:cloudformation:logical-id\":\"ElasticAgentEc2Instance\",\"aws:cloudformation:stack-id\":\"arn:aws:cloudformation:ap-south-1:111111111111:stack/Elastic-Cloud-Security-Posture-Management/e5f7caa0-6f60-11ef-bb07-02fe87118279\",\"aws:cloudformation:stack-name\":\"Elastic-Cloud-Security-Posture-Management\"},\"Type\":\"AwsEc2Instance\"}],\"SchemaVersion\":\"2018-10-08\",\"Severity\":{\"Label\":\"INFORMATIONAL\",\"Normalized\":0,\"Original\":\"INFORMATIONAL\"},\"Title\":\"EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)\",\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"],\"UpdatedAt\":\"2024-09-21T07:59:56.087Z\",\"Workflow\":{\"Status\":\"RESOLVED\"},\"WorkflowState\":\"NEW\"}", + "outcome": "success", + "severity": 0, + "type": [ + "info" + ] + }, + "host": { + "id": 
"arn:aws:ec2:ap-south-1:111111111111:instance/i-0f2ede89308a594d8", + "ip": [ + "89.160.20.156", + "89.160.20.157", + "2a02:cf40::" + ] + }, + "observer": { + "vendor": "AWS Security Hub" + }, + "organization": { + "name": "AWS" + }, + "resource": { + "id": "arn:aws:ec2:ap-south-1:111111111111:instance/i-0f2ede89308a594d8", + "name": "instance/i-0f2ede89308a594d8", + "type": "AwsEc2Instance" + }, + "result": { + "evaluation": "passed" + }, + "rule": { + "description": "This control checks whether your Amazon Elastic Compute Cloud (Amazon EC2) instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The control passes if HttpTokens is set to required for IMDSv2. The control fails if HttpTokens is set to optional.", + "id": "security-control/EC2.8", + "name": "EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)", + "reference": "https://docs.aws.amazon.com/console/securityhub/EC2.8/remediation", + "references": "https://docs.aws.amazon.com/console/securityhub/EC2.8/remediation", + "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.\r\nhttps://docs.aws.amazon.com/console/securityhub/EC2.8/remediation", + "ruleset": [ + "CIS AWS Foundations Benchmark v3.0.0/5.6", + "NIST.800-53.r5 AC-3", + "NIST.800-53.r5 AC-3(15)", + "NIST.800-53.r5 AC-3(7)", + "NIST.800-53.r5 AC-6" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] } ] } \ No newline at end of file diff --git a/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml b/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml index d4023e096df..650a89c2033 100644 --- a/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml +++ b/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml 
@@ -1563,6 +1563,9 @@ processors:
 if (ctx.host == null) {
 ctx.host = new HashMap();
 }
+ if (ctx.host.ip == null) {
+ ctx.host.ip = new ArrayList();
+ }
 if (ctx.orchestrator == null) {
 ctx.orchestrator = new HashMap();
 }
@@ -1622,8 +1625,20 @@ processors:
 ctx.host.id = res.Id;
 }
 if (res.Details != null) {
- if (res.Type == 'AwsEcsTask' && res.Details.AwsEcsTask?.Containers != null) {
- ctx.orchestrator.cluster.id = res.Details.AwsEcsCluster.ClusterArn;
+ if (res.Type == 'AwsEcsContainer' && res.Details.AwsEcsContainer?.Name != null) {
+ ctx.host.name = res.Details.AwsEcsContainer.Name;
+ }
+ if (res.Type == 'AwsEc2Instance' && (res.Details.AwsEc2Instance?.IpV4Addresses != null || res.Details.AwsEc2Instance?.IpV6Addresses != null)) {
+ for (def ipv4 : res.Details.AwsEc2Instance.IpV4Addresses) {
+ if (ipv4 instanceof String) {
+ ctx.host.ip.add(ipv4);
+ }
+ }
+ for (def ipv6 : res.Details.AwsEc2Instance.IpV6Addresses) {
+ if (ipv6 instanceof String) {
+ ctx.host.ip.add(ipv6);
+ }
+ }
 }
 }
@@ -1720,6 +1735,12 @@ processors:
 if (ctx.host.id == null) {
 ctx.host.id = new ArrayList();
 }
+ if (ctx.host.ip == null) {
+ ctx.host.ip = new ArrayList();
+ }
+ if (ctx.host.name == null) {
+ ctx.host.name = new ArrayList();
+ }
 if (ctx.orchestrator.type == null) {
 ctx.orchestrator.type = new ArrayList();
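Review bot: In the `@@ -1622` hunk the new AwsEc2Instance branch admits the resource when either `IpV4Addresses` or `IpV6Addresses` is non-null, but then runs a for-each over both lists unconditionally, so an instance that reports only IPv4 addresses (with `IpV6Addresses` absent) makes `for (def ipv6 : res.Details.AwsEc2Instance.IpV6Addresses)` iterate a null and the script throws, failing the whole document. The fixture only exercises a resource that carries both lists, so the pipeline test cannot catch this; each loop needs its own null guard, as rewritten below. Note also that `instanceof String` does not validate the value as an address, and `host.ip` is, as far as I recall, an ECS `ip`-typed field, so a non-IP string from the provider would be rejected at index time — worth confirming the pipeline's failure handling covers that path. The script body and the surrounding `res` handling begin and end outside the hunk.
```yaml
// … unchanged: AwsEcsContainer -> host.name extraction …
if (res.Type == 'AwsEc2Instance' && res.Details.AwsEc2Instance != null) {
  if (res.Details.AwsEc2Instance.IpV4Addresses != null) {
    for (def ipv4 : res.Details.AwsEc2Instance.IpV4Addresses) {
      if (ipv4 instanceof String) {
        ctx.host.ip.add(ipv4);
      }
    }
  }
  if (res.Details.AwsEc2Instance.IpV6Addresses != null) {
    for (def ipv6 : res.Details.AwsEc2Instance.IpV6Addresses) {
      if (ipv6 instanceof String) {
        ctx.host.ip.add(ipv6);
      }
    }
  }
}
```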
@@ -1792,6 +1813,23 @@ processors:
 if (res.Type == 'AwsEc2Instance' && res.Id != null) {
 ctx.host.id.add(res.Id);
 }
+ if (res.Details != null) {
+ if (res.Type == 'AwsEcsContainer' && res.Details.AwsEcsContainer?.Name != null) {
+ ctx.host.name.add(res.Details.AwsEcsContainer.Name);
+ }
+ if (res.Type == 'AwsEc2Instance' && (res.Details.AwsEc2Instance?.IpV4Addresses != null || res.Details.AwsEc2Instance?.IpV6Addresses != null)) {
+ for (def ipv4 : res.Details.AwsEc2Instance.IpV4Addresses) {
+ if (ipv4 instanceof String) {
+ ctx.host.ip.add(ipv4);
+ }
+ }
+ for (def ipv6 : res.Details.AwsEc2Instance.IpV6Addresses) {
+ if (ipv6 instanceof String) {
+ ctx.host.ip.add(ipv6);
+ }
+ }
+ }
+ }
 // Extract ECS orchestrator field
 if (res.Details != null) {
From 69603d51729dfee260d67da680b1c02ff33ac626 Mon Sep 17 00:00:00 2001 From: kcreddy Date: Thu, 26 Sep 2024 15:06:49 +0530 Subject: [PATCH 13/28] Address PR comments-3. Use constant_keyword --- .../aws/data_stream/securityhub_findings/fields/ecs.yml | 6 ++++++ packages/aws/docs/securityhub.md | 3 +++ 2 files changed, 9 insertions(+) create mode 100644 packages/aws/data_stream/securityhub_findings/fields/ecs.yml
diff --git a/packages/aws/data_stream/securityhub_findings/fields/ecs.yml b/packages/aws/data_stream/securityhub_findings/fields/ecs.yml
new file mode 100644
index 00000000000..73c6b27cb58
--- /dev/null
+++ b/packages/aws/data_stream/securityhub_findings/fields/ecs.yml
@@ -0,0 +1,6 @@
+- name: event.kind
+ type: constant_keyword
+- name: observer.vendor
+ type: constant_keyword
+- name: cloud.provider
+ type: constant_keyword
diff --git a/packages/aws/docs/securityhub.md b/packages/aws/docs/securityhub.md
index 94e80b8aaa4..dbb9d2dfb2e 100644
--- a/packages/aws/docs/securityhub.md
+++ b/packages/aws/docs/securityhub.md
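Review bot: The multi-resource script in the `@@ -1792` hunk has the same defect as its single-resource counterpart: the condition `IpV4Addresses != null || IpV6Addresses != null` admits resources where only one list is present, yet both `for` loops dereference their list unconditionally, so an EC2 resource with IPv4 addresses but no `IpV6Addresses` throws a null pointer in the second loop and the document fails. Guard each loop independently, e.g. `if (res.Details.AwsEc2Instance?.IpV4Addresses != null) { for (def ipv4 : res.Details.AwsEc2Instance.IpV4Addresses) { ... } }` and the same for IPv6. Addresses are also appended without de-duplication, so a finding whose resources repeat an address yields repeated `host.ip` values; a `contains` check before `add` avoids that if downstream consumers care. The enclosing script and the loop over resources start outside the hunk, so whether empty `host.ip`/`host.name` arrays are dropped afterwards is not visible here.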
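Review bot: The three `constant_keyword` fields in the new `fields/ecs.yml` carry no `value`, so Elasticsearch pins each one to whatever the first document indexed into a backing index happens to contain, and any later document with a different `event.kind`, `observer.vendor` or `cloud.provider` is rejected at index time. The fixture shows these as `state`, `AWS Security Hub` and `aws`; if those are the only values the pipeline ever emits, declare them so the mapping is deterministic rather than first-writer-wins: `- name: event.kind`, `type: constant_keyword`, `value: state`, and likewise `value: AWS Security Hub` and `value: aws` for the other two. If the pipeline can legitimately emit more than one `event.kind` (for example for GuardDuty-sourced findings — that branch is not visible here), the field should remain a plain `keyword` instead.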
@@ -653,15 +653,18 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur | aws.securityhub_findings.workflow.state | The workflow state of a finding. | keyword | | aws.securityhub_findings.workflow.status | The status of the investigation into the finding. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.provider | | constant_keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | +| event.kind | | constant_keyword | | event.module | Event module. | constant_keyword | | host.containerized | If the host is a container. | boolean | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | | input.type | Input type | keyword | | log.offset | Log offset | long | +| observer.vendor | | constant_keyword | | resource.id | | keyword | | resource.name | | keyword | | resource.sub_type | | keyword | From a80632023edc9676c45c31f9dc3670bf1ffce6e2 Mon Sep 17 00:00:00 2001 From: kcreddy Date: Thu, 26 Sep 2024 15:22:17 +0530 Subject: [PATCH 14/28] Address PR comments-4. Separate res.Details != null condition block and field separation. --- .../elasticsearch/ingest_pipeline/default.yml | 126 +++++++++--------- 1 file changed, 64 insertions(+), 62 deletions(-) diff --git a/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml b/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml index 650a89c2033..5e98f75565c 100644 --- a/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml +++ b/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml 
@@ -1601,8 +1601,9 @@ processors:
 }
 ctx.resource.name = res_name;
- // Extract ECS user field
+ // Extract ECS fields from res.Details
 if (res.Details != null) {
+ // Extract ECS user field from res.Details
 if (res.Type == 'AwsIamUser' && res.Details.AwsIamUser?.UserName != null) {
 ctx.user.name = res.Details.AwsIamUser.UserName;
 }
@@ -1618,13 +1619,8 @@ processors:
 if (res.Type == 'AwsS3Bucket' && res.Details.AwsS3Bucket?.OwnerId != null) {
 ctx.user.id = res.Details.AwsS3Bucket.OwnerId;
 }
- }
- // Extract ECS host field
- if (res.Type == 'AwsEc2Instance' && res.Id != null) {
- ctx.host.id = res.Id;
- }
- if (res.Details != null) {
+ // Extract ECS host field from res.Details
 if (res.Type == 'AwsEcsContainer' && res.Details.AwsEcsContainer?.Name != null) {
 ctx.host.name = res.Details.AwsEcsContainer.Name;
 }
@@ -1640,10 +1636,8 @@ processors:
 }
 }
 }
- }
- // Extract ECS orchestrator field
- if (res.Details != null) {
+ // Extract ECS orchestrator field from res.Details
 if (['AwsEcsCluster', 'AwsEcsTask'].contains(res.Type) && res.Details.AwsEcsCluster?.ClusterArn != null) {
 ctx.orchestrator.cluster.id = res.Details.AwsEcsCluster.ClusterArn;
 }
@@ -1662,27 +1656,8 @@ processors:
 if (res.Type == 'AwsEksCluster' && res.Details.AwsEksCluster?.Endpoint != null) {
 ctx.orchestrator.cluster.url = res.Details.AwsEksCluster.Endpoint;
 }
- }
- if (res.Type.startsWith('AwsEks') || res.Type.startsWith('AwsEcs')) {
- ctx.orchestrator.resource.id = res.Id;
- ctx.orchestrator.resource.name = res_name;
- ctx.orchestrator.resource.type = res.Type;
- if (res.Type.startsWith('AwsEks')) {
- ctx.orchestrator.type = 'kubernetes';
- } else {
- ctx.orchestrator.type = 'ecs';
- }
- }
-
- // Extract ECS cloud field
- if (res.Type == 'AwsEc2Instance') {
- ctx.cloud.instance.id = res.Id;
- ctx.cloud.instance.name = res_name;
- }
- if (tokenList.length > 2) {
- ctx.cloud.service.name = tokenList[2];
- }
- if (res.Details != null) {
+
+ // Extract ECS cloud field from res.Details
 if (['AwsEc2Subnet', 'AwsRedshiftCluster', 'AwsDmsReplicationInstance'].contains(res.Type) && res.Details[res.Type]?.AvailabilityZone != null) {
 ctx.cloud.availability_zone = res.Details[res.Type].AvailabilityZone;
 }
@@ -1705,6 +1680,32 @@ processors:
 }
 }
 }
+
+ // Extract ECS host field not in res.Details
+ if (res.Type == 'AwsEc2Instance' && res.Id != null) {
+ ctx.host.id = res.Id;
+ }
+
+ // Extract ECS orchestrator field not in res.Details
+ if (res.Type.startsWith('AwsEks') || res.Type.startsWith('AwsEcs')) {
+ ctx.orchestrator.resource.id = res.Id;
+ ctx.orchestrator.resource.name = res_name;
+ ctx.orchestrator.resource.type = res.Type;
+ if (res.Type.startsWith('AwsEks')) {
+ ctx.orchestrator.type = 'kubernetes';
+ } else {
+ ctx.orchestrator.type = 'ecs';
+ }
+ }
+
+ // Extract ECS cloud field not in res.Details
+ if (res.Type == 'AwsEc2Instance') {
+ ctx.cloud.instance.id = res.Id;
+ ctx.cloud.instance.name = res_name;
+ }
+ if (tokenList.length > 2) {
+ ctx.cloud.service.name = tokenList[2];
+ }
 }
 - script:
 description: Extract fields from aws.securityhub_findings.resources.
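Review bot: The orchestrator branch re-added in the `@@ -1705` hunk calls `res.Type.startsWith(...)` on the raw resource type with no null check, while every other test in this block uses `==` or `.contains`, which tolerate a missing `Type`; this is carried over from the removed lines rather than new, and ASFF marks `Type` as required so the risk is low, but since the lines are being rewritten it is cheap to make them consistent: `if (res.Type != null && (res.Type.startsWith('AwsEks') || res.Type.startsWith('AwsEcs'))) {`. In the same hunk `ctx.host.id` is assigned only when `res.Id != null`, but `ctx.cloud.instance.id` and `ctx.orchestrator.resource.id` take `res.Id` unconditionally, so a resource without an `Id` writes a null into those fields — the same `res.Id != null` guard would keep the three consistent. The script body, including the definitions of `tokenList` and `res_name`, starts outside the hunk.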
@@ -1790,8 +1791,9 @@ processors:
 }
 ctx.resource.name.add(res_name);
- // Extract ECS user field
+ // Extract ECS fields from res.Details
 if (res.Details != null) {
+ // Extract ECS user field from res.Details
 if (res.Type == 'AwsIamUser' && res.Details.AwsIamUser?.UserName != null) {
 ctx.user.name.add(res.Details.AwsIamUser.UserName);
 }
@@ -1807,13 +1809,8 @@ processors:
 if (res.Type == 'AwsS3Bucket' && res.Details.AwsS3Bucket?.OwnerId != null) {
 ctx.user.id.add(res.Details.AwsS3Bucket.OwnerId);
 }
- }
- // Extract ECS host field
- if (res.Type == 'AwsEc2Instance' && res.Id != null) {
- ctx.host.id.add(res.Id);
- }
- if (res.Details != null) {
+ // Extract ECS host field from res.Details
 if (res.Type == 'AwsEcsContainer' && res.Details.AwsEcsContainer?.Name != null) {
 ctx.host.name.add(res.Details.AwsEcsContainer.Name);
 }
@@ -1829,10 +1826,8 @@ processors:
 }
 }
 }
- }
- // Extract ECS orchestrator field
- if (res.Details != null) {
+ // Extract ECS orchestrator field from res.Details
 if (['AwsEcsCluster', 'AwsEcsTask'].contains(res.Type) && res.Details.AwsEcsCluster?.ClusterArn != null) {
 ctx.orchestrator.cluster.id.add(res.Details.AwsEcsCluster.ClusterArn);
 }
@@ -1851,27 +1846,8 @@ processors:
 if (res.Type == 'AwsEksCluster' && res.Details.AwsEksCluster?.Endpoint != null) {
 ctx.orchestrator.cluster.url.add(res.Details.AwsEksCluster.Endpoint);
 }
- }
- if (res.Type.startsWith('AwsEks') || res.Type.startsWith('AwsEcs')) {
- ctx.orchestrator.resource.id.add(res.Id);
- ctx.orchestrator.resource.name.add(res_name);
- ctx.orchestrator.resource.type.add(res.Type);
- if (res.Type.startsWith('AwsEks')) {
- ctx.orchestrator.type.add('kubernetes');
- } else {
- ctx.orchestrator.type.add('ecs');
- }
- }
-
- // Extract ECS cloud field
- if (res.Type == 'AwsEc2Instance') {
- ctx.cloud.instance.id.add(res.Id);
- ctx.cloud.instance.name.add(res_name);
- }
- if (tokenList.length > 2) {
- ctx.cloud.service.name.add(tokenList[2]);
- }
- if (res.Details != null) {
+
+ // Extract ECS cloud field from res.Details
 if (['AwsEc2Subnet', 'AwsRedshiftCluster', 'AwsDmsReplicationInstance'].contains(res.Type) && res.Details[res.Type]?.AvailabilityZone != null) {
 ctx.cloud.availability_zone.add(res.Details[res.Type].AvailabilityZone);
 }
@@ -1894,6 +1870,32 @@ processors:
 }
 }
 }
+
+ // Extract ECS host field not in res.Details
+ if (res.Type == 'AwsEc2Instance' && res.Id != null) {
+ ctx.host.id.add(res.Id);
+ }
+
+ // Extract ECS orchestrator field not in res.Details
+ if (res.Type.startsWith('AwsEks') || res.Type.startsWith('AwsEcs')) {
+ ctx.orchestrator.resource.id.add(res.Id);
+ ctx.orchestrator.resource.name.add(res_name);
+ ctx.orchestrator.resource.type.add(res.Type);
+ if (res.Type.startsWith('AwsEks')) {
+ ctx.orchestrator.type.add('kubernetes');
+ } else {
+ ctx.orchestrator.type.add('ecs');
+ }
+ }
+
+ // Extract ECS cloud field not in res.Details
+ if (res.Type == 'AwsEc2Instance') {
+ ctx.cloud.instance.id.add(res.Id);
+ ctx.cloud.instance.name.add(res_name);
+ }
+ if (tokenList.length > 2) {
+ ctx.cloud.service.name.add(tokenList[2]);
+ }
 }
 - convert:
 field: json.Sample
From e04489a9419239847fbf5a4617e1dd3395bd17f8 Mon Sep 17 00:00:00 2001 From: kcreddy Date: Mon, 30 Sep 2024 12:02:38 +0530 Subject: [PATCH 15/28] fix HEAD --- .../elasticsearch/ingest_pipeline/default.yml | 3 --- 1 file changed, 3 deletions(-)
diff --git a/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml b/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml
index eef66632011..5e98f75565c 100644
--- a/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml
@@ -1584,8 +1584,6 @@ processors:
 if (ctx.cloud.service == null) {
 ctx.cloud.service = new HashMap();
 }
-<<<<<<< HEAD
-=======
 // This extraction logic is only for single resource case. Multiple resources are extracted inside script - script_extract_fields_from_multiple_resources.
 if (resources.size() == 1){
@@ -1899,7 +1897,6 @@ processors:
 ctx.cloud.service.name.add(tokenList[2]);
 }
 }
->>>>>>> a80632023edc9676c45c31f9dc3670bf1ffce6e2
 - convert:
 field: json.Sample
 target_field: aws.securityhub_findings.sample
From a914bcf7603e1664bcdfae86721f9336fc1ba535 Mon Sep 17 00:00:00 2001 From: kcreddy Date: Mon, 30 Sep 2024 12:07:25 +0530 Subject: [PATCH 16/28] ecs fields sorted. --- packages/aws/data_stream/securityhub_findings/fields/ecs.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/packages/aws/data_stream/securityhub_findings/fields/ecs.yml b/packages/aws/data_stream/securityhub_findings/fields/ecs.yml
index 73c6b27cb58..af9fa3a74cd 100644
--- a/packages/aws/data_stream/securityhub_findings/fields/ecs.yml
+++ b/packages/aws/data_stream/securityhub_findings/fields/ecs.yml
@@ -1,6 +1,6 @@
+- name: cloud.provider
+ type: constant_keyword
 - name: event.kind
 type: constant_keyword
 - name: observer.vendor
 type: constant_keyword
-- name: cloud.provider
- type: constant_keyword
From 6d9d901022a6f17a1388aa9180a1b022856abdee Mon Sep 17 00:00:00 2001 From: kcreddy Date: Wed, 2 Oct 2024 21:36:20 +0530 Subject: [PATCH 17/28] Address Pr comments-5. Remove unused fields from mapping. --- .../securityhub_findings/fields/resource.yml | 2 -- .../securityhub_findings/fields/result.yml | 11 ----------- .../data_stream/securityhub_findings/fields/rule.yml | 2 -- packages/aws/docs/securityhub.md | 6 ------ 4 files changed, 21 deletions(-) diff --git a/packages/aws/data_stream/securityhub_findings/fields/resource.yml b/packages/aws/data_stream/securityhub_findings/fields/resource.yml index c093c299032..6912b7ee058 100644 --- a/packages/aws/data_stream/securityhub_findings/fields/resource.yml +++ b/packages/aws/data_stream/securityhub_findings/fields/resource.yml @@ -7,5 +7,3 @@ type: keyword - name: type type: keyword - - name: sub_type - type: keyword diff --git a/packages/aws/data_stream/securityhub_findings/fields/result.yml b/packages/aws/data_stream/securityhub_findings/fields/result.yml index c465d18bc64..75f840ce005 100644 --- a/packages/aws/data_stream/securityhub_findings/fields/result.yml +++ b/packages/aws/data_stream/securityhub_findings/fields/result.yml @@ -3,14 +3,3 @@ fields: - name: evaluation type: keyword - - name: evidence - type: group - fields: - - name: current_value - type: text - - name: expected_value - type: text - - name: configuration_path - type: text - - name: cloud_configuration_link - type: text diff --git a/packages/aws/data_stream/securityhub_findings/fields/rule.yml b/packages/aws/data_stream/securityhub_findings/fields/rule.yml index b9d505b971f..9b2f00dcd1a 100644 --- a/packages/aws/data_stream/securityhub_findings/fields/rule.yml +++ b/packages/aws/data_stream/securityhub_findings/fields/rule.yml @@ -1,8 +1,6 @@ - name: rule type: group fields: - - name: uuid - type: keyword - name: id type: keyword - name: name 
diff --git a/packages/aws/docs/securityhub.md b/packages/aws/docs/securityhub.md index dbb9d2dfb2e..47303b55e94 100644 --- a/packages/aws/docs/securityhub.md +++ b/packages/aws/docs/securityhub.md @@ -667,20 +667,14 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur | observer.vendor | | constant_keyword | | resource.id | | keyword | | resource.name | | keyword | -| resource.sub_type | | keyword | | resource.type | | keyword | | result.evaluation | | keyword | -| result.evidence.cloud_configuration_link | | text | -| result.evidence.configuration_path | | text | -| result.evidence.current_value | | text | -| result.evidence.expected_value | | text | | rule.description | | text | | rule.id | | keyword | | rule.name | | keyword | | rule.reference | | text | | rule.references | | text | | rule.remediation | | text | -| rule.uuid | | keyword | | url.user_info | | keyword | From 603643ac69933209c8f8bd6ef9833f74de6fcc9d Mon Sep 17 00:00:00 2001 
From: kcreddy Date: Mon, 7 Oct 2024 12:39:59 +0530 Subject: [PATCH 18/28] Add misconfiguration_latest transform --- .../fields/agent.yml | 41 + .../fields/base-fields.yml | 16 + .../fields/ecs.yml | 159 ++++ .../fields/fields.yml | 803 ++++++++++++++++++ .../fields/resource.yml | 9 + .../fields/result.yml | 5 + .../fields/rule.yml | 15 + .../transform.yml | 30 + 8 files changed, 1078 insertions(+) create mode 100644 packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/fields/agent.yml create mode 100644 packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/fields/base-fields.yml create mode 100644 packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/fields/ecs.yml create mode 100644 packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/fields/fields.yml create mode 100644 packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/fields/resource.yml create mode 100644 packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/fields/result.yml create mode 100644 packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/fields/rule.yml create mode 100644 packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/transform.yml diff --git a/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/fields/agent.yml b/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/fields/agent.yml new file mode 100644 index 00000000000..7573d81577c --- /dev/null +++ b/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/fields/agent.yml 
@@ -0,0 +1,41 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset diff --git a/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/fields/base-fields.yml b/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/fields/base-fields.yml new file mode 100644 index 00000000000..02f896657f1 --- /dev/null +++ b/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/fields/base-fields.yml 
@@ -0,0 +1,16 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module. + value: aws +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/fields/ecs.yml b/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/fields/ecs.yml new file mode 100644 index 00000000000..b6a6053fbd6 --- /dev/null +++ b/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/fields/ecs.yml 
@@ -0,0 +1,159 @@
+# Define ECS constant fields as constant_keyword
+- name: cloud.provider
+ type: constant_keyword
+- name: event.kind
+ type: constant_keyword
+- name: observer.vendor
+ type: constant_keyword
+
+# Define ECS fields for transform
+- name: cloud.account.id
+ external: ecs
+- name: cloud.availability_zone
+ external: ecs
+- name: cloud.instance.id
+ external: ecs
+- name: cloud.instance.name
+ external: ecs
+- name: cloud.machine.type
+ external: ecs
+- name: cloud.project.id
+ external: ecs
+- name: cloud.region
+ external: ecs
+- name: cloud.service.name
+ external: ecs
+- name: destination.domain
+ external: ecs
+- name: destination.ip
+ external: ecs
+- name: destination.port
+ external: ecs
+- name: ecs.version
+ external: ecs
+- name: event.action
+ external: ecs
+- name: event.agent_id_status
+ external: ecs
+- name: event.category
+ external: ecs
+- name: event.created
+ external: ecs
+- name: event.dataset
+ external: ecs
+- name: event.id
+ external: ecs
+- name: event.ingested
+ external: ecs
+- name: event.original
+ external: ecs
+- name: event.outcome
+ external: ecs
+- name: event.severity
+ external: ecs
+- name: event.type
+ external: ecs
+- name: host.id
+ external: ecs
+- name: host.ip
+ external: ecs
+- name: host.name
+ external: ecs
+- name: network.direction
+ external: ecs
+- name: network.protocol
+ external: ecs
+- name: orchestrator.cluster.id
+ external: ecs
+- name: orchestrator.cluster.name
+ external: ecs
+- name: orchestrator.cluster.version
+ external: ecs
+- name: orchestrator.cluster.url
+ external: ecs
+- name: orchestrator.resource.id
+ external: ecs
+- name: orchestrator.resource.name
+ external: ecs
+- name: orchestrator.resource.type
+ external: ecs
+- name: organization.name
+ external: ecs
+- name: process.end
+ external: ecs
+- name: process.executable
+ external: ecs
+- name: process.name
+ external: ecs
+- name: process.parent.pid
+ external: ecs
+- name: process.pid
+ external: ecs
+- name: process.start
+ external: ecs
+- name: rule.ruleset
+ external: ecs
+- name: related.hash
+ external: ecs
+- name: related.hosts
+ external: ecs
+- name: related.ip
+ external: ecs
+- name: related.user
+ external: ecs
+- name: source.domain
+ external: ecs
+- name: source.ip
+ external: ecs
+- name: source.mac
+ external: ecs
+- name: source.port
+ external: ecs
+- name: tags
+ external: ecs
+- name: threat.indicator.last_seen
+ external: ecs
+- name: threat.indicator.type
+ external: ecs
+- name: threat.enrichments
+ external: ecs
+- name: url.domain
+ external: ecs
+- name: url.extension
+ external: ecs
+- name: url.fragment
+ external: ecs
+- name: url.full
+ external: ecs
+- name: url.original
+ external: ecs
+- name: url.password
+ external: ecs
+- name: url.path
+ external: ecs
+- name: url.port
+ external: ecs
+- name: url.query
+ external: ecs
+- name: url.registered_domain
+ external: ecs
+- name: url.scheme
+ external: ecs
+- name: url.subdomain
+ external: ecs
+- name: url.top_level_domain
+ external: ecs
+- name: url.username
+ external: ecs
+- name: user.id
+ external: ecs
+- name: user.name
+ external: ecs
+- name: vulnerability.id
+ external: ecs
+- name: vulnerability.reference
+ external: ecs
+- name: vulnerability.scanner.vendor
+ external: ecs
+- name: vulnerability.id
+ external: ecs
diff --git a/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/fields/fields.yml b/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/fields/fields.yml new file mode 100644
index 00000000000..03f083a3e5d
--- /dev/null
+++ b/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/fields/fields.yml
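Review bot: `vulnerability.id` is declared twice with `external: ecs` — once at the head of the vulnerability entries and again as the very last entry of the file. A duplicate field definition is redundant at best and, depending on how strictly the package tooling validates, may fail the build; the trailing `- name: vulnerability.id` / `external: ecs` pair should be dropped. Since the list is otherwise sorted by field name, keeping it sorted makes such duplicates easy to spot in review.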
@@ -0,0 +1,803 @@
+- name: aws.securityhub_findings
+ type: group
+ fields:
+ - name: action
+ type: group
+ fields:
+ - name: aws_api_call
+ type: group
+ fields:
+ - name: affected_resources
+ type: flattened
+ description: Identifies the resources that were affected by the API call.
+ - name: api
+ type: keyword
+ description: The name of the API method that was issued.
+ - name: caller
+ type: group
+ fields:
+ - name: type
+ type: keyword
+ description: Indicates whether the API call originated from a remote IP address(remoteip) or from a DNS domain(domain).
+ - name: domain_details
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The name of the DNS domain that issued the API call.
+ - name: first_seen
+ type: date
+ description: An ISO8601-formatted timestamp that indicates when the API call was first observed.
+ - name: last_seen
+ type: date
+ description: An ISO8601-formatted timestamp that indicates when the API call was most recently observed.
+ - name: remote_ip
+ type: group
+ fields:
+ - name: city
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the city.
+ - name: country
+ type: group
+ fields:
+ - name: code
+ type: keyword
+ description: The 2-letter ISO 3166 country code for the country.
+ - name: name
+ type: keyword
+ description: The name of the country.
+ - name: geolocation
+ type: group
+ fields:
+ - name: latitude
+ type: double
+ description: The longitude of the location.
+ - name: longitude
+ type: double
+ description: The latitude of the location.
+ - name: ip
+ type: group
+ fields:
+ - name: address_v4
+ type: ip
+ description: The IP address.
+ - name: organization
+ type: group
+ fields:
+ - name: asn
+ type: keyword
+ description: The Autonomous System Number(ASN) of the internet provider.
+ - name: asn_organization
+ type: keyword
+ description: The name of the organization that registered the ASN.
+ - name: internet_service_provider
+ type: keyword
+ description: The name of the internet provider.
+ - name: internet_provider
+ type: keyword
+ description: The ISP information for the internet provider.
+ - name: service
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the Amazon Web Services service that the API method belongs to.
+ - name: dns_request
+ type: group
+ fields:
+ - name: blocked
+ type: boolean
+ description: Indicates whether the DNS request was blocked.
+ - name: domain
+ type: keyword
+ description: The DNS domain that is associated with the DNS request.
+ - name: protocol
+ type: keyword
+ description: The protocol that was used for the DNS request.
+ - name: network_connection
+ type: group
+ fields:
+ - name: blocked
+ type: boolean
+ description: Indicates whether the network connection attempt was blocked.
+ - name: direction
+ type: keyword
+ description: The direction of the network connection request(IN or OUT).
+ - name: local
+ type: group
+ fields:
+ - name: port
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The port name of the local connection.
+ - name: number
+ type: long
+ description: The number of the port.
+ - name: protocol
+ type: keyword
+ description: The protocol used to make the network connection request.
+ - name: remote
+ type: group
+ fields:
+ - name: port
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The port name of the remote connection.
+ - name: number
+ type: long
+ description: The number of the port.
+ - name: remote_ip
+ type: group
+ fields:
+ - name: city
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the city.
+ - name: country
+ type: group
+ fields:
+ - name: code
+ type: keyword
+ description: The 2-letter ISO 3166 country code for the country.
+ - name: name
+ type: keyword
+ description: The name of the country.
+ - name: geolocation
+ type: group
+ fields:
+ - name: latitude
+ type: double
+ description: The longitude of the location.
+ - name: longitude
+ type: double
+ description: The latitude of the location.
+ - name: ip
+ type: group
+ fields:
+ - name: address_v4
+ type: ip
+ description: The IP address.
+ - name: organization
+ type: group
+ fields:
+ - name: asn
+ type: keyword
+ description: The Autonomous System Number(ASN) of the internet provider.
+ - name: asn_organization
+ type: keyword
+ description: The name of the organization that registered the ASN.
+ - name: internet_service_provider
+ type: keyword
+ description: The name of the internet provider.
+ - name: internet_provider
+ type: keyword
+ description: The ISP information for the internet provider.
+ - name: port_probe
+ type: group
+ fields:
+ - name: blocked
+ type: boolean
+ description: Indicates whether the port probe was blocked.
+ - name: details
+ type: group
+ fields:
+ - name: local
+ type: group
+ fields:
+ - name: ip
+ type: group
+ fields:
+ - name: address_v4
+ type: ip
+ description: The IP address.
+ - name: port
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The port name of the local connection.
+ - name: number
+ type: long
+ description: The number of the port.
+ - name: remote_ip
+ type: group
+ fields:
+ - name: city
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the city.
+ - name: country
+ type: group
+ fields:
+ - name: code
+ type: keyword
+ description: The 2-letter ISO 3166 country code for the country.
+ - name: name
+ type: keyword
+ description: The name of the country.
+ - name: geolocation
+ type: group
+ fields:
+ - name: latitude
+ type: double
+ description: The longitude of the location.
+ - name: longitude
+ type: double
+ description: The latitude of the location.
+ - name: ip
+ type: group
+ fields:
+ - name: address_v4
+ type: ip
+ description: The IP address.
+ - name: organization
+ type: group
+ fields:
+ - name: asn
+ type: keyword
+ description: The Autonomous System Number(ASN) of the internet provider.
+ - name: asn_organization
+ type: keyword
+ description: The name of the organization that registered the ASN.
+ - name: internet_service_provider
+ type: keyword
+ description: The name of the internet provider.
+ - name: internet_provider
+ type: keyword
+ description: The ISP information for the internet provider.
+ - name: type
+ type: keyword
+ description: The type of action that was detected.
+ - name: aws_account_id
+ type: keyword
+ description: The Amazon Web Services account ID that a finding is generated in.
+ - name: company
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the company for the product that generated the finding.
+ - name: compliance
+ type: group
+ fields:
+ - name: security_control_id
+ type: keyword
+ description: Unique identifier of a control across standards.
+ - name: related_requirements
+ type: keyword
+ description: For a control, the industry or regulatory framework requirements that are related to the control.
+ - name: status
+ type: keyword
+ description: The result of a standards check.
+ - name: status_reasons
+ type: group
+ fields:
+ - name: description
+ type: keyword
+ description: The corresponding description for the status reason code.
+ - name: reason_code
+ type: keyword
+ description: A code that represents a reason for the control status.
+ - name: confidence
+ type: long
+ description: A finding's confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify.
+ - name: processed_at
+ type: date
+ description: Indicates when AWS Security Hub received a finding and begins to process it.
+ - name: created_at
+ type: date
+ description: Indicates when the security-findings provider created the potential security issue that a finding captured.
+ - name: criticality
+ type: long
+ description: The level of importance assigned to the resources associated with the finding.
+ - name: description
+ type: keyword
+ description: A finding's description.
+ - name: first_observed_at
+ type: date
+ description: Indicates when the security-findings provider first observed the potential security issue that a finding captured.
+ - name: generator
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ description: The identifier for the solution-specific component(a discrete unit of logic) that generated a finding. In various security-findings providers' solutions, this generator can be called a rule, a check, a detector, a plugin, etc.
+ - name: id
+ type: keyword
+ description: The security findings provider-specific identifier for a finding.
+ - name: last_observed_at
+ type: date
+ description: Indicates when the security-findings provider most recently observed the potential security issue that a finding captured.
+ - name: malware
+ type: group
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the malware that was observed.
+ - name: path
+ type: keyword
+ description: The file system path of the malware that was observed.
+ - name: state
+ type: keyword
+ description: The state of the malware that was observed.
+ - name: type
+ type: keyword
+ description: The type of the malware that was observed.
+ - name: network
+ type: group
+ fields:
+ - name: destination
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The destination domain of network-related information about a finding.
+ - name: ip
+ type: group
+ fields:
+ - name: v4
+ type: ip
+ description: The destination IPv4 address of network-related information about a finding.
+ - name: v6
+ type: ip
+ description: The destination IPv6 address of network-related information about a finding.
+ - name: port
+ type: long
+ description: The destination port of network-related information about a finding.
+ - name: direction
+ type: keyword
+ description: The direction of network traffic associated with a finding.
+ - name: open_port_range
+ type: group
+ fields:
+ - name: begin
+ type: long
+ description: The first port in the port range.
+ - name: end
+ type: long
+ description: The last port in the port range.
+ - name: protocol
+ type: keyword
+ description: The protocol of network-related information about a finding.
+ - name: source
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: The source domain of network-related information about a finding.
+ - name: ip
+ type: group
+ fields:
+ - name: v4
+ type: ip
+ description: The source IPv4 address of network-related information about a finding.
+ - name: v6
+ type: ip
+ description: The source IPv6 address of network-related information about a finding.
+ - name: mac
+ type: keyword
+ description: The source media access control(MAC) address of network-related information about a finding.
+ - name: port
+ type: long
+ description: The source port of network-related information about a finding.
+ - name: network_path
+ type: group
+ fields:
+ - name: component
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ description: The identifier of a component in the network path.
+ - name: type
+ type: keyword
+ description: The type of component.
+ - name: egress
+ type: group
+ fields:
+ - name: destination
+ type: group
+ fields:
+ - name: address
+ type: keyword
+ description: The IP addresses of the destination.
+ - name: port_ranges
+ type: group
+ fields:
+ - name: begin
+ type: long
+ description: The first port in the port range.
+ - name: end
+ type: long
+ description: The last port in the port range.
+ - name: protocol
+ type: keyword
+ description: The protocol used for the component.
+ - name: source
+ type: group
+ fields:
+ - name: address
+ type: keyword
+ description: The IP addresses of the destination.
+ - name: port_ranges
+ type: group
+ fields:
+ - name: begin
+ type: long
+ description: The first port in the port range.
+ - name: end
+ type: long
+ description: The last port in the port range.
+ - name: ingress
+ type: group
+ fields:
+ - name: destination
+ type: group
+ fields:
+ - name: address
+ type: keyword
+ description: The IP addresses of the destination.
+ - name: port_ranges
+ type: group
+ fields:
+ - name: begin
+ type: long
+ description: The first port in the port range.
+ - name: end
+ type: long
+ description: The last port in the port range.
+ - name: protocol
+ type: keyword
+ description: The protocol used for the component.
+ - name: source
+ type: group
+ fields:
+ - name: address
+ type: keyword
+ description: The IP addresses of the destination.
+ - name: port_ranges
+ type: group
+ fields:
+ - name: begin
+ type: long
+ description: The first port in the port range.
+ - name: end
+ type: long
+ description: The last port in the port range.
+ - name: note
+ type: group
+ fields:
+ - name: text
+ type: keyword
+ description: The text of a note.
+ - name: updated_at
+ type: date
+ description: The timestamp of when the note was updated.
+ - name: updated_by
+ type: keyword
+ description: The principal that created a note.
+ - name: patch_summary
+ type: group
+ fields:
+ - name: failed
+ type: group
+ fields:
+ - name: count
+ type: long
+ description: The number of patches from the compliance standard that failed to install.
+ - name: id
+ type: keyword
+ description: The identifier of the compliance standard that was used to determine the patch compliance status.
+ - name: installed
+ type: group
+ fields:
+ - name: count
+ type: long
+ description: The number of patches from the compliance standard that were installed successfully.
+ - name: other
+ type: group
+ fields:
+ - name: count
+ type: long
+ description: The number of installed patches that are not part of the compliance standard.
+ - name: pending_reboot
+ type: long
+ description: The number of patches that were applied, but that require the instance to be rebooted in order to be marked as installed.
+ - name: rejected
+ type: group
+ fields:
+ - name: count
+ type: long
+ description: The number of patches that are installed but are also on a list of patches that the customer rejected.
+ - name: missing
+ type: group
+ fields:
+ - name: count
+ type: long
+ description: The number of patches that are part of the compliance standard but are not installed. The count includes patches that failed to install.
+ - name: operation
+ type: group
+ fields:
+ - name: end_time
+ type: date
+ description: Indicates when the operation completed.
+ - name: start_time
+ type: date
+ description: Indicates when the operation started.
+ - name: type
+ type: keyword
+ description: The type of patch operation performed. For Patch Manager, the values are SCAN and INSTALL.
+ - name: reboot_option
+ type: keyword
+ description: The reboot option specified for the instance.
+ - name: process
+ type: group
+ fields:
+ - name: launched_at
+ type: date
+ description: Indicates when the process was launched.
+ - name: name
+ type: keyword
+ description: The name of the process.
+ - name: parent
+ type: group
+ fields:
+ - name: pid
+ type: long
+ description: The parent process ID.
+ - name: path
+ type: keyword
+ description: The path to the process executable.
+ - name: pid
+ type: long
+ description: The process ID.
+ - name: terminated_at
+ type: date
+ description: Indicates when the process was terminated.
+ - name: product
+ type: group
+ fields:
+ - name: arn
+ type: keyword
+ description: The ARN generated by Security Hub that uniquely identifies a product that generates findings. This can be the ARN for a third-party product that is integrated with Security Hub, or the ARN for a custom integration.
+ - name: fields
+ type: flattened
+ description: A data type where security-findings providers can include additional solution-specific details that aren't part of the defined AwsSecurityFinding format.
+ - name: name
+ type: keyword
+ description: The name of the product that generated the finding.
+ - name: provider_fields
+ type: group
+ fields:
+ - name: confidence
+ type: long
+ description: A finding's confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify.
+ - name: criticality
+ type: long
+ description: The level of importance assigned to the resources associated with the finding.
+ - name: related_findings
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ description: The product-generated identifier for a related finding.
+ - name: product
+ type: group
+ fields:
+ - name: arn
+ type: keyword
+ description: The ARN of the product that generated a related finding.
+ - name: severity
+ type: group
+ fields:
+ - name: label
+ type: keyword
+ description: The severity label assigned to the finding by the finding provider.
+ - name: normalized
+ type: keyword
+ description: The normalized severity of a finding provider.
+ - name: original
+ type: keyword
+ description: The finding provider's original value for the severity.
+ - name: product
+ type: keyword
+ description: The finding provider's product for the severity.
+ - name: types
+ type: keyword
+ description: One or more finding types in the format of namespace/category/classifier that classify a finding.
+ - name: record_state
+ type: keyword
+ description: The record state of a finding.
+ - name: region
+ type: keyword
+ description: The Region from which the finding was generated.
+ - name: related_findings
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ description: The product-generated identifier for a related finding.
+ - name: product
+ type: group
+ fields:
+ - name: arn
+ type: keyword
+ description: The ARN of the product that generated a related finding.
+ - name: remediation
+ type: group
+ fields:
+ - name: recommendation
+ type: group
+ fields:
+ - name: text
+ type: text
+ description: Describes the recommended steps to take to remediate an issue identified in a finding.
+ - name: url
+ type: keyword
+ description: A URL to a page or site that contains information about how to remediate a finding.
+ - name: resources
+ type: flattened
+ description: A set of resource data types that describe the resources that the finding refers to.
+ - name: sample
+ type: boolean
+ description: Indicates whether the finding is a sample finding.
+ - name: schema
+ type: group
+ fields:
+ - name: version
+ type: keyword
+ description: The schema version that a finding is formatted for.
+ - name: severity
+ type: group
+ fields:
+ - name: label
+ type: keyword
+ description: The severity value of the finding.
+ - name: normalized
+ type: keyword
+ description: The normalized severity of a finding.
+ - name: original
+ type: keyword
+ description: The native severity from the finding product that generated the finding.
+ - name: product
+ type: keyword
+ description: The native severity as defined by the Amazon Web Services service or integrated partner product that generated the finding.
+ - name: source_url
+ type: keyword
+ description: A URL that links to a page about the current finding in the security-findings provider's solution.
+ - name: threat_intel_indicators
+ type: group
+ fields:
+ - name: category
+ type: keyword
+ description: The category of a threat intelligence indicator.
+ - name: last_observed_at
+ type: date
+ description: Indicates when the most recent instance of a threat intelligence indicator was observed.
+ - name: source
+ type: keyword
+ description: The source of the threat intelligence indicator.
+ - name: source_url
+ type: keyword
+ description: The URL to the page or site where you can get more information about the threat intelligence indicator.
+ - name: type
+ type: keyword
+ description: The type of threat intelligence indicator.
+ - name: value
+ type: keyword
+ description: The value of a threat intelligence indicator.
+ - name: title
+ type: text
+ description: A finding's title.
+ - name: types
+ type: keyword
+ description: One or more finding types in the format of namespace/category/classifier that classify a finding.
+ - name: updated_at
+ type: date
+ description: Indicates when the security-findings provider last updated the finding record.
+ - name: user_defined_fields
+ type: flattened
+ description: A list of name/value string pairs associated with the finding. These are custom, user-defined fields added to a finding.
+ - name: verification_state
+ type: keyword
+ description: Indicates the veracity of a finding.
+ - name: vulnerabilities
+ type: group
+ fields:
+ - name: cvss
+ type: group
+ fields:
+ - name: adjustments
+ type: group
+ fields:
+ - name: metric
+ type: keyword
+ description: The metric to adjust.
+ - name: reason
+ type: keyword
+ description: The reason for the adjustment.
+ - name: base_score
+ type: double
+ description: The base CVSS score.
+ - name: base_vector
+ type: keyword
+ description: The base scoring vector for the CVSS score.
+ - name: source
+ type: keyword
+ description: The origin of the original CVSS score and vector.
+ - name: version
+ type: keyword
+ description: The version of CVSS for the CVSS score.
+ - name: id
+ type: keyword
+ description: The identifier of the vulnerability.
+ - name: reference_urls
+ type: keyword
+ description: A list of URLs that provide additional information about the vulnerability.
+ - name: related_vulnerabilities
+ type: keyword
+ description: List of vulnerabilities that are related to this vulnerability.
+ - name: vendor
+ type: group
+ fields:
+ - name: created_at
+ type: date
+ description: Indicates when the vulnerability advisory was created.
+ - name: name
+ type: keyword
+ description: The name of the vendor.
+ - name: severity
+ type: keyword
+ description: The severity that the vendor assigned to the vulnerability.
+ - name: updated_at
+ type: date
+ description: Indicates when the vulnerability advisory was last updated.
+ - name: url
+ type: keyword
+ description: The URL of the vulnerability advisory.
+ - name: vulnerable_packages
+ type: group
+ fields:
+ - name: architecture
+ type: keyword
+ description: The architecture used for the software package.
+ - name: epoch
+ type: keyword
+ description: The epoch of the software package.
+ - name: file_path
+ type: keyword
+ description: The file system path to the package manager inventory file.
+ - name: name
+ type: keyword
+ description: The name of the software package.
+ - name: package_manager
+ type: keyword
+ description: The source of the package.
+ - name: release
+ type: keyword
+ description: The release of the software package.
+ - name: version
+ type: keyword
+ description: The version of the software package.
+ - name: workflow
+ type: group
+ fields:
+ - name: state
+ type: keyword
+ description: The workflow state of a finding.
+ - name: status
+ type: keyword
+ description: The status of the investigation into the finding.
+- name: url.user_info
+ type: keyword
diff --git a/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/fields/resource.yml b/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/fields/resource.yml new file mode 100644
index 00000000000..6912b7ee058
--- /dev/null
+++ b/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/fields/resource.yml
@@ -0,0 +1,9 @@
+- name: resource
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ - name: name
+ type: keyword
+ - name: type
+ type: keyword
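Review bot: The `geolocation.latitude` entries are described as `The longitude of the location.` and the `longitude` entries as `The latitude of the location.` — the two descriptions are swapped in all three `remote_ip.geolocation` groups (under `aws_api_call`, `network_connection` and `port_probe.details`). Likewise `egress.source.address` and `ingress.source.address` under `network_path.component` reuse the destination wording `The IP addresses of the destination.` where `The IP addresses of the source.` is meant. These strings are emitted verbatim into the generated field table in docs/securityhub.md, so the copy-paste errors become user-facing documentation; if this file mirrors the data stream's fields.yml the same corrections presumably apply there.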
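Review bot: `resource.id`, `resource.name` and `resource.type` have no `description`, so the generated field table lists them with an empty description column (visible in the securityhub.md hunk later in this series); `result.evaluation` in result.yml and all of rule.yml share the gap. `rule.id` and `resource.id` are the keys the transform de-duplicates on, so a one-line description on each — e.g. `description: Identifier of the AWS resource the finding applies to.` on `resource.id` — would tell operators what a row in the `_latest` index represents. Whatever `result.evaluation` holds (presumably the pass/fail outcome of the control; confirm against the pipeline) should be spelled out in the same way.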
diff --git a/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/fields/result.yml b/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/fields/result.yml new file mode 100644
index 00000000000..75f840ce005
--- /dev/null
+++ b/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/fields/result.yml
@@ -0,0 +1,5 @@
+- name: result
+ type: group
+ fields:
+ - name: evaluation
+ type: keyword
diff --git a/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/fields/rule.yml b/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/fields/rule.yml new file mode 100644
index 00000000000..9b2f00dcd1a
--- /dev/null
+++ b/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/fields/rule.yml
@@ -0,0 +1,15 @@
+- name: rule
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ - name: name
+ type: keyword
+ - name: description
+ type: text
+ - name: remediation
+ type: text
+ - name: references
+ type: text
+ - name: reference
+ type: text
diff --git a/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/transform.yml b/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/transform.yml new file mode 100644
index 00000000000..85b921a0bac
--- /dev/null
+++ b/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/transform.yml
@@ -0,0 +1,30 @@
+source:
+ index:
+ - "logs-aws.securityhub_findings-*"
+dest:
+ index: "security_solution-aws.misconfiguration_latest-v1"
+ aliases:
+ - alias: "security_solution-aws.misconfiguration_latest"
+ move_on_creation: true
+latest:
+ unique_key:
+ - rule.id
+ - resource.id
+ - data_stream.namespace
+ sort: "@timestamp"
+description: Latest SecurityHub Findings from AWS
+frequency: 5m
+sync:
+ time:
+ field: event.ingested
+retention_policy:
+ time:
+ field: "@timestamp"
+ max_age: 26h
+settings:
+ unattended: true
+_meta:
+ managed: true
+ # Bump this version to delete, reinstall, and restart the transform during package.
+ # Version bump is needed if there is any code change in transform.
+ fleet_transform_version: 0.1.0
From be802d8816d00a136ee597c63371b0b05ef17fc9 Mon Sep 17 00:00:00 2001 From: kcreddy Date: Fri, 11 Oct 2024 17:39:18 +0530 Subject: [PATCH 19/28] Address PR comment. Update transform retention to 90d. --- .../transform/latest_cdr_misconfigurations/transform.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/transform.yml b/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/transform.yml
index 85b921a0bac..95a85877138 100644
--- a/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/transform.yml
+++ b/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/transform.yml
@@ -20,7 +20,7 @@ sync: retention_policy: time: field: "@timestamp" - max_age: 26h + max_age: 90d settings: unattended: true _meta:
From 6ae75270fcf916ed94372d847bc6fc7cc42857e1 Mon Sep 17 00:00:00 2001 From: kcreddy Date: Tue, 15 Oct 2024 10:32:12 +0530 Subject: [PATCH 20/28] Address PR comments. Updated rule fields to keyword. --- .../aws/data_stream/securityhub_findings/fields/rule.yml | 8 +++----- .../latest_cdr_misconfigurations/fields/rule.yml | 8 +++----- 2 files changed, 6 insertions(+), 10 deletions(-)
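Review bot: `source` has no `query`, so every document in `logs-aws.securityhub_findings-*` is a candidate for `security_solution-aws.misconfiguration_latest-v1`, not only compliance/misconfiguration findings; whether non-compliance finding types end up there depends on whether the ingest pipeline sets `rule.id` and `resource.id` for them too (the expected-output fixtures later in this series show `rule.id` values such as `acme-vuln-9ab348` alongside the `security-control/EC2.8` style, which suggests it does). If the index is meant to hold misconfigurations only, add a `source.query` that requires the fields a misconfiguration row is keyed on, e.g. an `exists` query on `result.evaluation`, or document that the mix is intentional. Separately, the comment on `fleet_transform_version` trails off — `# Bump this version to delete, reinstall, and restart the transform during package.` — presumably "during package upgrade"; finishing the sentence tells the next maintainer when a bump is required.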
diff --git a/packages/aws/data_stream/securityhub_findings/fields/rule.yml b/packages/aws/data_stream/securityhub_findings/fields/rule.yml
index 9b2f00dcd1a..161d82e8666 100644
--- a/packages/aws/data_stream/securityhub_findings/fields/rule.yml
+++ b/packages/aws/data_stream/securityhub_findings/fields/rule.yml
@@ -6,10 +6,8 @@ - name: name type: keyword - name: description - type: text + type: keyword - name: remediation - type: text - - name: references - type: text + type: keyword - name: reference - type: text + type: keyword
diff --git a/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/fields/rule.yml b/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/fields/rule.yml
index 9b2f00dcd1a..161d82e8666 100644
--- a/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/fields/rule.yml
+++ b/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/fields/rule.yml
@@ -6,10 +6,8 @@ - name: name type: keyword - name: description - type: text + type: keyword - name: remediation - type: text - - name: references - type: text + type: keyword - name: reference - type: text + type: keyword
From 63fdd870ee049819f3785678258e85e719fee3a6 Mon Sep 17 00:00:00 2001 From: kcreddy Date: Tue, 15 Oct 2024 11:02:00 +0530 Subject: [PATCH 21/28] update readme --- packages/aws/docs/securityhub.md | 7 +++---- .../transform/latest_cdr_misconfigurations/fields/ecs.yml | 1 - 2 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/packages/aws/docs/securityhub.md b/packages/aws/docs/securityhub.md
index 47303b55e94..3b0c04bcc4c 100644
--- a/packages/aws/docs/securityhub.md
+++ b/packages/aws/docs/securityhub.md
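Review bot: Moving `rule.description` and `rule.remediation` from `text` to `keyword` (same change in both the data stream and the transform copy of rule.yml) means values longer than the keyword `ignore_above` limit — package tooling applies `ignore_above: 1024` to keyword fields by default unless the field sets its own, as far as I recall — stay in `_source` but are not indexed, so they silently drop out of search and aggregations. Remediation text is free prose and the fixture values later in this series already carry multi-sentence text plus a URL, so overflowing the limit is plausible. Only `rule.id` needs to be a keyword for the transform's `unique_key`; for `rule.remediation` consider `type: match_only_text`, or keep `keyword` with an explicit larger `ignore_above`, and apply the same choice in both files so the transform destination mapping stays consistent with the source.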
@@ -669,12 +669,11 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur | resource.name | | keyword | | resource.type | | keyword | | result.evaluation | | keyword | -| rule.description | | text | +| rule.description | | keyword | | rule.id | | keyword | | rule.name | | keyword | -| rule.reference | | text | -| rule.references | | text | -| rule.remediation | | text | +| rule.reference | | keyword | +| rule.remediation | | keyword | | url.user_info | | keyword |
diff --git a/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/fields/ecs.yml b/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/fields/ecs.yml
index b6a6053fbd6..59527b92279 100644
--- a/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/fields/ecs.yml
+++ b/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/fields/ecs.yml
@@ -5,7 +5,6 @@ type: constant_keyword - name: observer.vendor type: constant_keyword - # Define ECS fields for transform - name: cloud.account.id external: ecs
From d349becffc979a3c957e2e5e01d67e3022c86e06 Mon Sep 17 00:00:00 2001 From: kcreddy Date: Tue, 15 Oct 2024 11:21:50 +0530 Subject: [PATCH 22/28] Remove references from pipeline tests --- .../test-securityhub-findings.log-expected.json | 15 --------------- .../elasticsearch/ingest_pipeline/default.yml | 5 ----- 2 files changed, 20 deletions(-)
diff --git a/packages/aws/data_stream/securityhub_findings/_dev/test/pipeline/test-securityhub-findings.log-expected.json b/packages/aws/data_stream/securityhub_findings/_dev/test/pipeline/test-securityhub-findings.log-expected.json
index 207bd67cbe4..0bfca797935 100644
--- a/packages/aws/data_stream/securityhub_findings/_dev/test/pipeline/test-securityhub-findings.log-expected.json
+++ b/packages/aws/data_stream/securityhub_findings/_dev/test/pipeline/test-securityhub-findings.log-expected.json
@@ -431,7 +431,6 @@ "id": "acme-vuln-9ab348", "name": "EC2.20 Both VPN tunnels for an AWS Site-to-Site VPN connection should be up", "reference": "http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html", - "references": "http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html", "remediation": "Run sudo yum update and cross your fingers and toes.\r\nhttp://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html", "ruleset": [ "Req1", @@ -910,7 +909,6 @@ "id": "acme-vuln-9ab348", "name": "EC2.20 Both VPN tunnels for an AWS Site-to-Site VPN connection should be up", "reference": "http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html", - "references": "http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html", "remediation": "Run sudo yum update and cross your fingers and toes.\r\nhttp://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html", "ruleset": [ "Req1", @@ -1116,7 +1114,6 @@ "id": "xxx", "name": "EC2.8 EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)", "reference": "https://example.com/", - "references": "https://example.com/", "remediation": "For directions on how to fix this issue, consult the AWS Security Hub Foundational Security Best Practices documentation.\r\nhttps://example.com/" }, "tags": [ @@ -1256,7 +1253,6 @@ "id": "xxx", "name": "EC2.3 Attached EBS volumes should be encrypted at-rest", "reference": "https://example.com/", - "references": "https://example.com/", "remediation": "For directions on how to fix this issue, consult the AWS Security Hub Foundational Security Best Practices documentation.\r\nhttps://example.com/" }, "tags": [ 
@@ -1434,7 +1430,6 @@ "id": "security-control/EC2.8", "name": "EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)", "reference": "https://docs.aws.amazon.com/console/securityhub/EC2.8/remediation", - "references": "https://docs.aws.amazon.com/console/securityhub/EC2.8/remediation", "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.\r\nhttps://docs.aws.amazon.com/console/securityhub/EC2.8/remediation", "ruleset": [ "CIS AWS Foundations Benchmark v3.0.0/5.6", @@ -1592,7 +1587,6 @@ "id": "security-control/S3.17", "name": "S3 general purpose buckets should be encrypted at rest with AWS KMS keys", "reference": "https://docs.aws.amazon.com/console/securityhub/S3.17/remediation", - "references": "https://docs.aws.amazon.com/console/securityhub/S3.17/remediation", "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.\r\nhttps://docs.aws.amazon.com/console/securityhub/S3.17/remediation", "ruleset": [ "NIST.800-53.r5 SC-12(2)", @@ -1764,7 +1758,6 @@ "id": "security-control/EC2.53", "name": "EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports", "reference": "https://docs.aws.amazon.com/console/securityhub/EC2.53/remediation", - "references": "https://docs.aws.amazon.com/console/securityhub/EC2.53/remediation", "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.\r\nhttps://docs.aws.amazon.com/console/securityhub/EC2.53/remediation", "ruleset": [ "CIS AWS Foundations Benchmark v3.0.0/5.2" 
@@ -1925,7 +1918,6 @@ "id": "security-control/EC2.3", "name": "Attached EBS volumes should be encrypted at-rest", "reference": "https://docs.aws.amazon.com/console/securityhub/EC2.3/remediation", - "references": "https://docs.aws.amazon.com/console/securityhub/EC2.3/remediation", "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.\r\nhttps://docs.aws.amazon.com/console/securityhub/EC2.3/remediation", "ruleset": [ "NIST.800-53.r5 CA-9(1)", @@ -2086,7 +2078,6 @@ "id": "security-control/SSM.1", "name": "IAM users should not have IAM policies attached", "reference": "https://docs.aws.amazon.com/console/securityhub/IAM.2/remediation", - "references": "https://docs.aws.amazon.com/console/securityhub/IAM.2/remediation", "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.\r\nhttps://docs.aws.amazon.com/console/securityhub/IAM.2/remediation", "ruleset": [ "CIS AWS Foundations Benchmark v1.2.0/1.16" @@ -2263,7 +2254,6 @@ "id": "security-control/EKS.1", "name": "EKS cluster endpoints should not be publicly accessible", "reference": "https://docs.aws.amazon.com/console/securityhub/EKS.1/remediation", - "references": "https://docs.aws.amazon.com/console/securityhub/EKS.1/remediation", "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.\r\nhttps://docs.aws.amazon.com/console/securityhub/EKS.1/remediation" }, "tags": [ 
@@ -2402,7 +2392,6 @@ "id": "security-control/IAM.27", "name": "IAM identities should not have the AWSCloudShellFullAccess policy attached", "reference": "https://docs.aws.amazon.com/console/securityhub/IAM.27/remediation", - "references": "https://docs.aws.amazon.com/console/securityhub/IAM.27/remediation", "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.\r\nhttps://docs.aws.amazon.com/console/securityhub/IAM.27/remediation", "ruleset": [ "CIS AWS Foundations Benchmark v3.0.0/1.22" @@ -2555,7 +2544,6 @@ "id": "security-control/EC2.44", "name": "EC2 subnets should be tagged", "reference": "https://docs.aws.amazon.com/console/securityhub/EC2.44/remediation", - "references": "https://docs.aws.amazon.com/console/securityhub/EC2.44/remediation", "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.\r\nhttps://docs.aws.amazon.com/console/securityhub/EC2.44/remediation" }, "tags": [ @@ -2717,7 +2705,6 @@ "id": "security-control/EC2.44", "name": "EC2 subnets should be tagged", "reference": "https://docs.aws.amazon.com/console/securityhub/ELB.6/remediation", - "references": "https://docs.aws.amazon.com/console/securityhub/ELB.6/remediation", "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.\r\nhttps://docs.aws.amazon.com/console/securityhub/ELB.6/remediation" }, "tags": [ @@ -2929,7 +2916,6 @@ "id": "security-control/EC2.44", "name": "EC2 subnets should be tagged", "reference": "https://docs.aws.amazon.com/console/securityhub/ELB.6/remediation", - "references": "https://docs.aws.amazon.com/console/securityhub/ELB.6/remediation", "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.\r\nhttps://docs.aws.amazon.com/console/securityhub/ELB.6/remediation" }, "tags": [ 
@@ -3119,7 +3105,6 @@ "id": "security-control/EC2.8", "name": "EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)", "reference": "https://docs.aws.amazon.com/console/securityhub/EC2.8/remediation", - "references": "https://docs.aws.amazon.com/console/securityhub/EC2.8/remediation", "remediation": "For information on how to correct this issue, consult the AWS Security Hub controls documentation.\r\nhttps://docs.aws.amazon.com/console/securityhub/EC2.8/remediation", "ruleset": [ "CIS AWS Foundations Benchmark v3.0.0/5.6", diff --git a/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml b/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml index 5e98f75565c..e48d8d0f80c 100644 --- a/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml +++ b/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml @@ -1525,11 +1525,6 @@ processors: tag: set_rule_reference copy_from: aws.securityhub_findings.remediation.recommendation.url ignore_empty_value: true - - set: - field: rule.references - tag: set_rule_references - copy_from: aws.securityhub_findings.remediation.recommendation.url - ignore_empty_value: true - set: field: rule.remediation tag: set_rule_remediation From 451cae908cf540f6c1e3586ac9c5b57f4452a71c Mon Sep 17 00:00:00 2001 From: kcreddy Date: Mon, 28 Oct 2024 23:16:33 +0530 Subject: [PATCH 23/28] update fields to ecs --- packages/aws/changelog.yml | 2 +- .../fields/base-fields.yml | 18 +++++++++--------- .../securityhub_findings/fields/ecs.yml | 1 + .../securityhub_findings/fields/rule.yml | 8 -------- packages/aws/docs/securityhub.md | 15 ++++++--------- .../fields/base-fields.yml | 17 +++++++++-------- .../fields/rule.yml | 10 +++++----- packages/aws/manifest.yml | 2 +- 8 files changed, 32 insertions(+), 41 deletions(-) 
diff --git a/packages/aws/changelog.yml b/packages/aws/changelog.yml
index c1956df702d..9c7ba01e066 100644
--- a/packages/aws/changelog.yml
+++ b/packages/aws/changelog.yml
@@ -1,5 +1,5 @@
 # newer versions go on top
-- version: "2.27.0"
+- version: "2.31.0"
 changes:
 - description: Improve support for CDR in securityhub_findings data stream.
 type: enhancement
diff --git a/packages/aws/data_stream/securityhub_findings/fields/base-fields.yml b/packages/aws/data_stream/securityhub_findings/fields/base-fields.yml
index 163750d7fe0..272ddae1efa 100644
--- a/packages/aws/data_stream/securityhub_findings/fields/base-fields.yml
+++ b/packages/aws/data_stream/securityhub_findings/fields/base-fields.yml
@@ -1,16 +1,16 @@
 - name: data_stream.type
- type: constant_keyword
- description: Data stream type.
+ external: ecs
 - name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
+ external: ecs
 - name: data_stream.namespace
- type: constant_keyword
- description: Data stream namespace.
+ external: ecs
 - name: event.module
+ external: ecs
 type: constant_keyword
- description: Event module.
 value: aws
+- name: event.dataset
+ external: ecs
+ type: constant_keyword
+ value: aws.securityhub_findings
 - name: '@timestamp'
- type: date
- description: Event timestamp.
+ external: ecs
diff --git a/packages/aws/data_stream/securityhub_findings/fields/ecs.yml b/packages/aws/data_stream/securityhub_findings/fields/ecs.yml
index af9fa3a74cd..4c81090790d 100644
--- a/packages/aws/data_stream/securityhub_findings/fields/ecs.yml
+++ b/packages/aws/data_stream/securityhub_findings/fields/ecs.yml
@@ -1,3 +1,4 @@
+# Define ECS constant fields as constant_keyword
 - name: cloud.provider
 type: constant_keyword
 - name: event.kind
diff --git a/packages/aws/data_stream/securityhub_findings/fields/rule.yml b/packages/aws/data_stream/securityhub_findings/fields/rule.yml
index 161d82e8666..9def88f8fba 100644
--- a/packages/aws/data_stream/securityhub_findings/fields/rule.yml
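Review bot: The new comment at the top of `ecs.yml` calls `cloud.provider` and `event.kind` constant fields, but neither entry in the hunk carries a `value:` (the context goes straight from `type: constant_keyword` to `- name: event.kind`), and a `constant_keyword` without a declared value is pinned by whatever the first indexed document contains. That makes the constant depend on the ingest pipeline always setting these fields instead of on the mapping; `value: aws` for `cloud.provider` would match the `provider` value the PATCH 24 expected-output hunks stop emitting. The `3 +` on both `ecs.yml` files in the PATCH 24 diffstat may already add these values, in which case the comment should say so: `# constant_keyword with value: the mapping, not the first document, fixes the constant`. The `event.dataset` entry added to `base-fields.yml` in this hunk does declare its `value` and needs no change.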
+++ b/packages/aws/data_stream/securityhub_findings/fields/rule.yml
@@ -1,13 +1,5 @@
 - name: rule
 type: group
 fields:
- - name: id
- type: keyword
- - name: name
- type: keyword
- - name: description
- type: keyword
 - name: remediation
 type: keyword
- - name: reference
- type: keyword
diff --git a/packages/aws/docs/securityhub.md b/packages/aws/docs/securityhub.md
index 3b0c04bcc4c..8726a8ba5f5 100644
--- a/packages/aws/docs/securityhub.md
+++ b/packages/aws/docs/securityhub.md
@@ -470,7 +470,7 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur
 | Field | Description | Type |
 |---|---|---|
-| @timestamp | Event timestamp. | date |
+| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
 | aws.securityhub_findings.action.aws_api_call.affected_resources | Identifies the resources that were affected by the API call. | flattened |
 | aws.securityhub_findings.action.aws_api_call.api | The name of the API method that was issued. | keyword |
 | aws.securityhub_findings.action.aws_api_call.caller.type | Indicates whether the API call originated from a remote IP address(remoteip) or from a DNS domain(domain). | keyword |
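Review bot: `rule.id`, `rule.name`, `rule.description` and `rule.reference` are removed from the data stream's field definitions while the ingest pipeline still writes at least `rule.reference` (the `set_rule_reference` processor in the PATCH 22 `default.yml` hunk), so their mappings now come from outside this package, presumably the ECS dynamic templates a `format_version: 3.0.0` package receives, whereas the transform's `rule.yml` in this same patch keeps them with `external: ecs`. That asymmetry reads like a lost field on the next review; a comment on the surviving entry would settle it: `# only remediation is declared here: it is not an ECS field, so external: ecs cannot be used; the other rule.* fields are ECS and are mapped by the ECS templates applied to the data stream`. The group header `- name: rule` is the first line of the hunk, so the whole definition is visible.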
@@ -654,11 +654,12 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur
 | aws.securityhub_findings.workflow.status | The status of the investigation into the finding. | keyword |
 | cloud.image.id | Image ID for the cloud instance. | keyword |
 | cloud.provider | | constant_keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
+| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword |
+| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword |
+| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword |
+| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword |
 | event.kind | | constant_keyword |
-| event.module | Event module. | constant_keyword |
+| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | constant_keyword |
 | host.containerized | If the host is a container. | boolean |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
@@ -669,10 +670,6 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur
 | resource.name | | keyword |
 | resource.type | | keyword |
 | result.evaluation | | keyword |
-| rule.description | | keyword |
-| rule.id | | keyword |
-| rule.name | | keyword |
-| rule.reference | | keyword |
 | rule.remediation | | keyword |
 | url.user_info | | keyword |
diff --git a/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/fields/base-fields.yml b/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/fields/base-fields.yml
index 02f896657f1..9c30c32e06c 100644
--- a/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/fields/base-fields.yml
+++ b/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/fields/base-fields.yml
@@ -1,16 +1,17 @@
 - name: data_stream.type
- type: constant_keyword
- description: Data stream type.
+ external: ecs
 - name: data_stream.dataset
- type: constant_keyword
- description: Data stream dataset.
+ external: ecs
 - name: data_stream.namespace
+ external: ecs
 type: keyword
- description: Data stream namespace.
 - name: event.module
+ external: ecs
 type: constant_keyword
- description: Event module.
 value: aws
+- name: event.dataset
+ external: ecs
+ type: constant_keyword
+ value: aws.securityhub_findings
 - name: '@timestamp'
- type: date
- description: Event timestamp.
+ external: ecs
diff --git a/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/fields/rule.yml b/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/fields/rule.yml
index 161d82e8666..d0c77db6e98 100644
--- a/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/fields/rule.yml
+++ b/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/fields/rule.yml
@@ -2,12 +2,12 @@
 type: group
 fields:
 - name: id
- type: keyword
+ external: ecs
 - name: name
- type: keyword
+ external: ecs
 - name: description
- type: keyword
- - name: remediation
- type: keyword
+ external: ecs
 - name: reference
+ external: ecs
+ - name: remediation
 type: keyword
diff --git a/packages/aws/manifest.yml b/packages/aws/manifest.yml
index 2cc7f52ced4..c923e3a27f7 100644
--- a/packages/aws/manifest.yml
+++ b/packages/aws/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.0.0
 name: aws
 title: AWS
-version: 2.27.0
+version: 2.31.0
 description: Collect logs and metrics from Amazon Web Services (AWS) with Elastic Agent.
 type: integration
 categories:
From 0e4409161a73e99763b266042288416edace0599 Mon Sep 17 00:00:00 2001
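Review bot: In the transform's `base-fields.yml`, `data_stream.namespace` keeps `type: keyword` next to `external: ecs`, overriding the `constant_keyword` that ECS (and the data stream's own `base-fields.yml` earlier in this patch) gives the field, with no comment saying why; presumably the transform's destination index holds documents from every namespace, where a constant would reject the second value it sees. A one-line comment would keep someone from "fixing" it back: `# keyword, not constant_keyword: the transform destination aggregates findings from all namespaces`. The same question applies to `event.dataset`, declared `constant_keyword` with `value: aws.securityhub_findings` in the same hunk, which is only correct if the transform never writes documents from another dataset, something the hunk does not show.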
From: kcreddy Date: Tue, 29 Oct 2024 11:27:32 +0530 Subject: [PATCH 24/28] address pr comments. --- ...est-securityhub-findings.log-expected.json | 75 ------------------- .../elasticsearch/ingest_pipeline/default.yml | 18 ++--- .../securityhub_findings/fields/ecs.yml | 3 + .../fields/ecs.yml | 3 + ...-c9f103d0-5f63-11ed-bd69-473ce047ef30.json | 2 +- 5 files changed, 14 insertions(+), 87 deletions(-) diff --git a/packages/aws/data_stream/securityhub_findings/_dev/test/pipeline/test-securityhub-findings.log-expected.json b/packages/aws/data_stream/securityhub_findings/_dev/test/pipeline/test-securityhub-findings.log-expected.json index 0bfca797935..b634dce3c5c 100644 --- a/packages/aws/data_stream/securityhub_findings/_dev/test/pipeline/test-securityhub-findings.log-expected.json +++ b/packages/aws/data_stream/securityhub_findings/_dev/test/pipeline/test-securityhub-findings.log-expected.json @@ -362,7 +362,6 @@ "id": "i-cafebabe", "name": "i-cafebabe" }, - "provider": "aws", "region": "us-east-1" }, "destination": { 
@@ -382,7 +381,6 @@ "configuration" ], "id": "us-west-2/111111111111/98aebb2207407c87f51e89943f12b1ef", - "kind": "state", "original": "{\"Action\":{\"ActionType\":\"PORT_PROBE\",\"PortProbeAction\":{\"PortProbeDetails\":[{\"LocalPortDetails\":{\"Port\":80,\"PortName\":\"HTTP\"},\"LocalIpDetails\":{\"IpAddressV4\":\"1.128.0.0\"},\"RemoteIpDetails\":{\"Country\":{\"CountryName\":\"Example Country\"},\"City\":{\"CityName\":\"Example City\"},\"GeoLocation\":{\"Lon\":0,\"Lat\":0},\"Organization\":{\"AsnOrg\":\"ExampleASO\",\"Org\":\"ExampleOrg\",\"Isp\":\"ExampleISP\",\"Asn\":64496}}}],\"Blocked\":false}},\"AwsAccountId\":\"111111111111\",\"CompanyName\":\"AWS\",\"Compliance\":{\"RelatedRequirements\":[\"Req1\",\"Req2\"],\"Status\":\"PASSED\",\"StatusReasons\":[{\"ReasonCode\":\"CLOUDWATCH_ALARMS_NOT_PRESENT\",\"Description\":\"CloudWatch alarms do not exist in the account\"}]},\"Confidence\":42,\"CreatedAt\":\"2017-03-22T13:22:13.933Z\",\"Criticality\":99,\"Description\":\"The version of openssl found on instance i-abcd1234 is known to contain a vulnerability.\",\"FindingProviderFields\":{\"Confidence\":42,\"Criticality\":99,\"RelatedFindings\":[{\"ProductArn\":\"arn:aws:securityhub:us-west-2::product/aws/guardduty\",\"Id\":\"123e4567-e89b-12d3-a456-426655440000\"}],\"Severity\":{\"Label\":\"MEDIUM\",\"Original\":\"MEDIUM\"},\"Types\":[\"Software and Configuration 
Checks/Vulnerabilities/CVE\"]},\"FirstObservedAt\":\"2017-03-22T13:22:13.933Z\",\"GeneratorId\":\"acme-vuln-9ab348\",\"Id\":\"us-west-2/111111111111/98aebb2207407c87f51e89943f12b1ef\",\"LastObservedAt\":\"2017-03-23T13:22:13.933Z\",\"Malware\":[{\"Name\":\"Stringler\",\"Type\":\"COIN_MINER\",\"Path\":\"/usr/sbin/stringler\",\"State\":\"OBSERVED\"}],\"Network\":{\"Direction\":\"IN\",\"OpenPortRange\":{\"Begin\":443,\"End\":443},\"Protocol\":\"TCP\",\"SourceIpV4\":\"1.128.0.0\",\"SourceIpV6\":\"2a02:cf40::\",\"SourcePort\":\"42\",\"SourceDomain\":\"example1.com\",\"SourceMac\":\"00:0d:83:b1:c0:8e\",\"DestinationIpV4\":\"1.128.0.0\",\"DestinationIpV6\":\"2a02:cf40::\",\"DestinationPort\":\"80\",\"DestinationDomain\":\"example2.com\"},\"NetworkPath\":[{\"ComponentId\":\"abc-01a234bc56d8901ee\",\"ComponentType\":\"AWS::EC2::InternetGateway\",\"Egress\":{\"Destination\":{\"Address\":[\"1.128.0.0/24\"],\"PortRanges\":[{\"Begin\":443,\"End\":443}]},\"Protocol\":\"TCP\",\"Source\":{\"Address\":[\"175.16.199.1/24\"]}},\"Ingress\":{\"Destination\":{\"Address\":[\"175.16.199.1/24\"],\"PortRanges\":[{\"Begin\":443,\"End\":443}]},\"Protocol\":\"TCP\",\"Source\":{\"Address\":[\"175.16.199.1/24\"]}}}],\"Note\":{\"Text\":\"Don't forget to check under the 
mat.\",\"UpdatedBy\":\"jsmith\",\"UpdatedAt\":\"2018-08-31T00:15:09Z\"},\"PatchSummary\":{\"Id\":\"pb-123456789098\",\"InstalledCount\":\"100\",\"MissingCount\":\"100\",\"FailedCount\":\"0\",\"InstalledOtherCount\":\"1023\",\"InstalledRejectedCount\":\"0\",\"InstalledPendingReboot\":\"0\",\"OperationStartTime\":\"2018-09-27T23:37:31Z\",\"OperationEndTime\":\"2018-09-27T23:39:31Z\",\"RebootOption\":\"RebootIfNeeded\",\"Operation\":\"Install\"},\"Process\":{\"Name\":\"syslogd\",\"Path\":\"/usr/sbin/syslogd\",\"Pid\":12345,\"ParentPid\":56789,\"LaunchedAt\":\"2018-09-27T22:37:31Z\",\"TerminatedAt\":\"2018-09-27T23:37:31Z\"},\"ProductArn\":\"arn:aws:securityhub:us-east-1:111111111111:product/111111111111/default\",\"ProductFields\":{\"generico/secure-pro/Count\":\"6\",\"Service_Name\":\"cloudtrail.amazonaws.com\",\"aws/inspector/AssessmentTemplateName\":\"My daily CVE assessment\",\"aws/inspector/AssessmentTargetName\":\"My prod env\",\"aws/inspector/RulesPackageName\":\"Common Vulnerabilities and Exposures\"},\"ProductName\":\"Security Hub\",\"RecordState\":\"ACTIVE\",\"Region\":\"us-east-1\",\"RelatedFindings\":[{\"ProductArn\":\"arn:aws:securityhub:us-west-2::product/aws/guardduty\",\"Id\":\"123e4567-e89b-12d3-a456-426655440000\"},{\"ProductArn\":\"arn:aws:securityhub:us-west-2::product/aws/guardduty\",\"Id\":\"AcmeNerfHerder-111111111111-x189dx7824\"}],\"Remediation\":{\"Recommendation\":{\"Text\":\"Run sudo yum update and cross your fingers and 
toes.\",\"Url\":\"http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html\"}},\"Resources\":[{\"Type\":\"AwsEc2Instance\",\"Id\":\"i-cafebabe\",\"Partition\":\"aws\",\"Region\":\"us-west-2\",\"Tags\":{\"billingCode\":\"Lotus-1-2-3\",\"needsPatching\":\"true\"},\"Details\":{\"IamInstanceProfileArn\":\"arn:aws:iam::123456789012:role/IamInstanceProfileArn\",\"ImageId\":\"ami-79fd7eee\",\"IpV4Addresses\":[\"175.16.199.1\"],\"IpV6Addresses\":[\"2a02:cf40::\"],\"KeyName\":\"testkey\",\"LaunchedAt\":\"2018-09-29T01:25:54Z\",\"MetadataOptions\":{\"HttpEndpoint\":\"enabled\",\"HttpProtocolIpv6\":\"enabled\",\"HttpPutResponseHopLimit\":1,\"HttpTokens\":\"optional\",\"InstanceMetadataTags\":\"disabled\"},\"NetworkInterfaces\":[{\"NetworkInterfaceId\":\"eni-e5aa89a3\"}],\"SubnetId\":\"PublicSubnet\",\"Type\":\"i3.xlarge\",\"VirtualizationType\":\"hvm\",\"VpcId\":\"TestVPCIpv6\"}}],\"Sample\":true,\"SchemaVersion\":\"2018-10-08\",\"Severity\":{\"Label\":\"CRITICAL\",\"Original\":\"8.3\"},\"SourceUrl\":\"http://threatintelweekly.org/backdoors/8888\",\"ThreatIntelIndicators\":[{\"Type\":\"IPV4_ADDRESS\",\"Value\":\"175.16.199.1\",\"Category\":\"BACKDOOR\",\"LastObservedAt\":\"2018-09-27T23:37:31Z\",\"Source\":\"Threat Intel Weekly\",\"SourceUrl\":\"http://threatintelweekly.org/backdoors/8888\"}],\"Threats\":[{\"FilePaths\":[{\"FileName\":\"b.txt\",\"FilePath\":\"/tmp/b.txt\",\"Hash\":\"sha256\",\"ResourceId\":\"arn:aws:ec2:us-west-2:123456789012:volume/vol-032f3bdd89aee112f\"}],\"ItemCount\":3,\"Name\":\"Iot.linux.mirai.vwisi\",\"Severity\":\"HIGH\"}],\"Title\":\"EC2.20 Both VPN tunnels for an AWS Site-to-Site VPN connection should be up\",\"Types\":[\"Software and Configuration Checks/Vulnerabilities/CVE\"],\"UpdatedAt\":\"2018-08-31T00:15:09Z\",\"UserDefinedFields\":{\"reviewedByCio\":\"true\",\"comeBackToLater\":\"Check this again on 
Monday\"},\"VerificationState\":\"UNKNOWN\",\"Vulnerabilities\":[{\"Cvss\":[{\"BaseScore\":4.7,\"BaseVector\":\"AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"Version\":\"V3\"},{\"BaseScore\":4.7,\"BaseVector\":\"AV:L/AC:M/Au:N/C:C/I:N/A:N\",\"Version\":\"V2\"}],\"Id\":\"CVE-2020-12345\",\"ReferenceUrls\":[\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12418\",\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17563\"],\"RelatedVulnerabilities\":[\"CVE-2020-12345\"],\"Vendor\":{\"Name\":\"Alas\",\"Url\":\"https://alas.aws.amazon.com/ALAS-2020-1337.html\",\"VendorCreatedAt\":\"2020-01-16T00:01:43Z\",\"VendorSeverity\":\"Medium\",\"VendorUpdatedAt\":\"2020-01-16T00:01:43Z\"},\"VulnerablePackages\":[{\"Architecture\":\"x86_64\",\"Epoch\":\"1\",\"Name\":\"openssl\",\"Release\":\"16.amzn2.0.3\",\"Version\":\"1.0.2k\"}]}],\"Workflow\":{\"Status\":\"NEW\"},\"WorkflowState\":\"NEW\"}", "outcome": "success", "type": [ @@ -396,9 +394,6 @@ "direction": "inbound", "protocol": "tcp" }, - "observer": { - "vendor": "AWS Security Hub" - }, "organization": { "name": "AWS" }, @@ -840,7 +835,6 @@ "id": "i-cafebabe", "name": "i-cafebabe" }, - "provider": "aws", "region": "us-east-1" }, "destination": { 
@@ -860,7 +854,6 @@ "configuration" ], "id": "us-west-2/111111111111/98aebb2207407c87f51e89943f12b1ef", - "kind": "state", "original": "{\"Action\":{\"ActionType\":\"PORT_PROBE\",\"PortProbeAction\":{\"PortProbeDetails\":[{\"LocalPortDetails\":{\"Port\":80,\"PortName\":\"HTTP\"},\"LocalIpDetails\":{\"IpAddressV4\":\"1.128.0.0\"},\"RemoteIpDetails\":{\"Country\":{\"CountryName\":\"Example Country\"},\"City\":{\"CityName\":\"Example City\"},\"GeoLocation\":{\"Lon\":0,\"Lat\":0},\"Organization\":{\"AsnOrg\":\"ExampleASO\",\"Org\":\"ExampleOrg\",\"Isp\":\"ExampleISP\",\"Asn\":64496}}}],\"Blocked\":false}},\"AwsAccountId\":\"111111111111\",\"CompanyName\":\"AWS\",\"Compliance\":{\"RelatedRequirements\":[\"Req1\",\"Req2\"],\"Status\":\"PASSED\",\"StatusReasons\":[{\"ReasonCode\":\"CLOUDWATCH_ALARMS_NOT_PRESENT\",\"Description\":\"CloudWatch alarms do not exist in the account\"}]},\"Confidence\":42,\"CreatedAt\":\"2017-03-22T13:22:13.933Z\",\"Criticality\":99,\"Description\":\"The version of openssl found on instance i-abcd1234 is known to contain a vulnerability.\",\"FindingProviderFields\":{\"Confidence\":42,\"Criticality\":99,\"RelatedFindings\":[{\"ProductArn\":\"arn:aws:securityhub:us-west-2::product/aws/guardduty\",\"Id\":\"123e4567-e89b-12d3-a456-426655440000\"}],\"Severity\":{\"Label\":\"MEDIUM\",\"Original\":\"MEDIUM\"},\"Types\":[\"Software and Configuration 
Checks/Vulnerabilities/CVE\"]},\"FirstObservedAt\":\"2017-03-22T13:22:13.933Z\",\"GeneratorId\":\"acme-vuln-9ab348\",\"Id\":\"us-west-2/111111111111/98aebb2207407c87f51e89943f12b1ef\",\"LastObservedAt\":\"2017-03-23T13:22:13.933Z\",\"Malware\":[{\"Name\":\"Stringler\",\"Type\":\"COIN_MINER\",\"Path\":\"/usr/sbin/stringler\",\"State\":\"OBSERVED\"}],\"Network\":{\"Direction\":\"IN\",\"OpenPortRange\":{\"Begin\":443,\"End\":443},\"Protocol\":\"TCP\",\"SourceIpV4\":\"1.128.0.0\",\"SourceIpV6\":\"2a02:cf40::\",\"SourcePort\":\"42\",\"SourceDomain\":\"example1.com\",\"SourceMac\":\"00:0d:83:b1:c0:8e\",\"DestinationIpV4\":\"1.128.0.0\",\"DestinationIpV6\":\"2a02:cf40::\",\"DestinationPort\":\"80\",\"DestinationDomain\":\"example2.com\"},\"NetworkPath\":[{\"ComponentId\":\"abc-01a234bc56d8901ee\",\"ComponentType\":\"AWS::EC2::InternetGateway\",\"Egress\":{\"Destination\":{\"Address\":[\"1.128.0.0/24\"],\"PortRanges\":[{\"Begin\":443,\"End\":443}]},\"Protocol\":\"TCP\",\"Source\":{\"Address\":[\"175.16.199.1/24\"]}},\"Ingress\":{\"Destination\":{\"Address\":[\"175.16.199.1/24\"],\"PortRanges\":[{\"Begin\":443,\"End\":443}]},\"Protocol\":\"TCP\",\"Source\":{\"Address\":[\"175.16.199.1/24\"]}}}],\"Note\":{\"Text\":\"Don't forget to check under the 
mat.\",\"UpdatedBy\":\"jsmith\",\"UpdatedAt\":\"2018-08-31T00:15:09Z\"},\"PatchSummary\":{\"Id\":\"pb-123456789098\",\"InstalledCount\":\"100\",\"MissingCount\":\"100\",\"FailedCount\":\"0\",\"InstalledOtherCount\":\"1023\",\"InstalledRejectedCount\":\"0\",\"InstalledPendingReboot\":\"0\",\"OperationStartTime\":\"2018-09-27T23:37:31Z\",\"OperationEndTime\":\"2018-09-27T23:39:31Z\",\"RebootOption\":\"RebootIfNeeded\",\"Operation\":\"Install\"},\"Process\":{\"Name\":\"syslogd\",\"Path\":\"/usr/sbin/syslogd\",\"Pid\":12345,\"ParentPid\":56789,\"LaunchedAt\":\"2018-09-27T22:37:31Z\",\"TerminatedAt\":\"2018-09-27T23:37:31Z\"},\"ProductArn\":\"arn:aws:securityhub:us-east-1:111111111111:product/111111111111/default\",\"ProductFields\":{\"generico/secure-pro/Count\":\"6\",\"Service_Name\":\"cloudtrail.amazonaws.com\",\"aws/inspector/AssessmentTemplateName\":\"My daily CVE assessment\",\"aws/inspector/AssessmentTargetName\":\"My prod env\",\"aws/inspector/RulesPackageName\":\"Common Vulnerabilities and Exposures\"},\"ProductName\":\"Security Hub\",\"RecordState\":\"ACTIVE\",\"Region\":\"us-east-1\",\"RelatedFindings\":[{\"ProductArn\":\"arn:aws:securityhub:us-west-2::product/aws/guardduty\",\"Id\":\"123e4567-e89b-12d3-a456-426655440000\"},{\"ProductArn\":\"arn:aws:securityhub:us-west-2::product/aws/guardduty\",\"Id\":\"AcmeNerfHerder-111111111111-x189dx7824\"}],\"Remediation\":{\"Recommendation\":{\"Text\":\"Run sudo yum update and cross your fingers and 
toes.\",\"Url\":\"http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html\"}},\"Resources\":[{\"Type\":\"AwsEc2Instance\",\"Id\":\"i-cafebabe\",\"Partition\":\"aws\",\"Region\":\"us-west-2\",\"Tags\":{\"billingCode\":\"Lotus-1-2-3\",\"needsPatching\":\"true\"},\"Details\":{\"IamInstanceProfileArn\":\"arn:aws:iam::123456789012:role/IamInstanceProfileArn\",\"ImageId\":\"ami-79fd7eee\",\"IpV4Addresses\":[\"175.16.199.1\"],\"IpV6Addresses\":[\"2a02:cf40::\"],\"KeyName\":\"testkey\",\"LaunchedAt\":\"2018-09-29T01:25:54Z\",\"MetadataOptions\":{\"HttpEndpoint\":\"enabled\",\"HttpProtocolIpv6\":\"enabled\",\"HttpPutResponseHopLimit\":1,\"HttpTokens\":\"optional\",\"InstanceMetadataTags\":\"disabled\"},\"NetworkInterfaces\":[{\"NetworkInterfaceId\":\"eni-e5aa89a3\"}],\"SubnetId\":\"PublicSubnet\",\"Type\":\"i3.xlarge\",\"VirtualizationType\":\"hvm\",\"VpcId\":\"TestVPCIpv6\"}}],\"Sample\":true,\"SchemaVersion\":\"2018-10-08\",\"Severity\":{\"Label\":\"CRITICAL\",\"Original\":\"8.3\"},\"SourceUrl\":\"http://threatintelweekly.org/backdoors/8888\",\"ThreatIntelIndicators\":[{\"Type\":\"HASH_MD5\",\"Value\":\"ae2b1fca515949e5d54fb22b8ed95575\",\"Category\":\"BACKDOOR\",\"LastObservedAt\":\"2018-09-27T23:37:31Z\",\"Source\":\"Threat Intel Weekly\",\"SourceUrl\":\"http://threatintelweekly.org/backdoors/8888\"}],\"Threats\":[{\"FilePaths\":[{\"FileName\":\"b.txt\",\"FilePath\":\"/tmp/b.txt\",\"Hash\":\"sha256\",\"ResourceId\":\"arn:aws:ec2:us-west-2:123456789012:volume/vol-032f3bdd89aee112f\"}],\"ItemCount\":3,\"Name\":\"Iot.linux.mirai.vwisi\",\"Severity\":\"HIGH\"}],\"Title\":\"EC2.20 Both VPN tunnels for an AWS Site-to-Site VPN connection should be up\",\"Types\":[\"Software and Configuration Checks/Vulnerabilities/CVE\"],\"UpdatedAt\":\"2018-08-31T00:15:09Z\",\"UserDefinedFields\":{\"reviewedByCio\":\"true\",\"comeBackToLater\":\"Check this again on 
Monday\"},\"VerificationState\":\"UNKNOWN\",\"Vulnerabilities\":[{\"Cvss\":[{\"BaseScore\":4.7,\"BaseVector\":\"AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"Version\":\"V3\"},{\"BaseScore\":4.7,\"BaseVector\":\"AV:L/AC:M/Au:N/C:C/I:N/A:N\",\"Version\":\"V2\"}],\"Id\":\"CVE-2020-12345\",\"ReferenceUrls\":[\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12418\",\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17563\"],\"RelatedVulnerabilities\":[\"CVE-2020-12345\"],\"Vendor\":{\"Name\":\"Alas\",\"Url\":\"https://alas.aws.amazon.com/ALAS-2020-1337.html\",\"VendorCreatedAt\":\"2020-01-16T00:01:43Z\",\"VendorSeverity\":\"Medium\",\"VendorUpdatedAt\":\"2020-01-16T00:01:43Z\"},\"VulnerablePackages\":[{\"Architecture\":\"x86_64\",\"Epoch\":\"1\",\"Name\":\"openssl\",\"Release\":\"16.amzn2.0.3\",\"Version\":\"1.0.2k\"}]}],\"Workflow\":{\"Status\":\"NEW\"},\"WorkflowState\":\"NEW\"}", "outcome": "success", "type": [ @@ -874,9 +867,6 @@ "direction": "inbound", "protocol": "tcp" }, - "observer": { - "vendor": "AWS Security Hub" - }, "organization": { "name": "AWS" }, @@ -1073,7 +1063,6 @@ "id": "xxx", "name": "xxx" }, - "provider": "aws", "region": "us-east-1" }, "ecs": { 
@@ -1084,7 +1073,6 @@ "configuration" ], "id": "xxxx", - "kind": "state", "original": "{\"ProductArn\":\"xxx\",\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices\"],\"Description\":\"This control checks whether your Amazon Elastic Compute Cloud (Amazon EC2) instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The control passes if HttpTokens is set to required for IMDSv2. The control fails if HttpTokens is set to optional.\",\"Compliance\":{\"Status\":\"FAILED\"},\"ProductName\":\"Security Hub\",\"FirstObservedAt\":\"2022-06-02T16:14:34.949Z\",\"CreatedAt\":\"2022-06-02T16:14:34.949Z\",\"LastObservedAt\":\"2022-06-17T08:43:26.724Z\",\"CompanyName\":\"AWS\",\"FindingProviderFields\":{\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices\"],\"Severity\":{\"Normalized\":70,\"Label\":\"HIGH\",\"Product\":70,\"Original\":\"HIGH\"}},\"ProductFields\":{\"StandardsArn\":\"xxx\",\"StandardsSubscriptionArn\":\"xxx\",\"ControlId\":\"EC2.8\",\"RecommendationUrl\":\"https://example.com/\",\"RelatedAWSResources:0/name\":\"xxx\",\"RelatedAWSResources:0/type\":\"xxx\",\"StandardsControlArn\":\"xxx\",\"aws/securityhub/ProductName\":\"Security Hub\",\"aws/securityhub/CompanyName\":\"AWS\",\"Resources:0/Id\":\"xxx\",\"aws/securityhub/FindingId\":\"xxx\"},\"Remediation\":{\"Recommendation\":{\"Text\":\"For directions on how to fix this issue, consult the AWS Security Hub Foundational Security Best Practices documentation.\",\"Url\":\"https://example.com/\"}},\"SchemaVersion\":\"2018-10-08\",\"GeneratorId\":\"xxx\",\"RecordState\":\"ARCHIVED\",\"Title\":\"EC2.8 EC2 instances should use Instance Metadata Service Version 2 
(IMDSv2)\",\"Workflow\":{\"Status\":\"NEW\"},\"Severity\":{\"Normalized\":70,\"Label\":\"HIGH\",\"Product\":70,\"Original\":\"HIGH\"},\"UpdatedAt\":\"2022-06-17T08:43:26.731Z\",\"WorkflowState\":\"NEW\",\"AwsAccountId\":\"xxx\",\"Region\":\"us-east-1\",\"Id\":\"xxxx\",\"Resources\":[{\"Partition\":\"aws\",\"Type\":\"AwsEc2Instance\",\"Details\":{\"AwsEc2Instance\":{\"KeyName\":\"xxx\",\"VpcId\":\"xxx\",\"NetworkInterfaces\":[{\"NetworkInterfaceId\":\"xxx\"}],\"ImageId\":\"xxx\",\"SubnetId\":\"xxx\",\"LaunchedAt\":\"2022-06-02T16:11:39.000Z\",\"IamInstanceProfileArn\":\"xxx\"}},\"Region\":\"us-east-1\",\"Id\":\"xxx\"}] }", "outcome": "failure", "severity": 70, @@ -1095,9 +1083,6 @@ "host": { "id": "xxx" }, - "observer": { - "vendor": "AWS Security Hub" - }, "organization": { "name": "AWS" }, @@ -1215,7 +1200,6 @@ "account": { "id": "xxx" }, - "provider": "aws", "region": "us-east-1" }, "ecs": { 
@@ -1226,7 +1210,6 @@ "configuration" ], "id": "xxx", - "kind": "state", "original": "{\"ProductArn\":\"xxx\",\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices\"],\"Description\":\"This AWS control checks whether the EBS volumes that are in an attached state are encrypted.\",\"Compliance\":{\"Status\":\"NOT_AVAILABLE\",\"StatusReasons\":[{\"Description\":\"This finding has a compliance status of NOT AVAILABLE because AWS Config sent Security Hub a finding with a compliance state of Not Applicable. The potential reasons for a Not Applicable finding from Config are that (1) a resource has been moved out of scope of the Config rule; (2) the Config rule has been deleted; (3) the resource has been deleted; or (4) the logic of the Config rule itself includes scenarios where Not Applicable is returned. The specific reason why Not Applicable is returned is not available in the Config rule evaluation.\",\"ReasonCode\":\"CONFIG_RETURNS_NOT_APPLICABLE\"}]},\"ProductName\":\"Security Hub\",\"FirstObservedAt\":\"2022-06-17T10:25:14.800Z\",\"CreatedAt\":\"2022-06-17T10:25:14.800Z\",\"LastObservedAt\":\"2022-06-17T10:25:18.568Z\",\"CompanyName\":\"AWS\",\"FindingProviderFields\":{\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards/AWS-Foundational-Security-Best-Practices\"],\"Severity\":{\"Normalized\":40,\"Label\":\"MEDIUM\",\"Product\":40,\"Original\":\"INFORMATIONAL\"}},\"ProductFields\":{\"StandardsArn\":\"xxx\",\"StandardsSubscriptionArn\":\"xxx\",\"ControlId\":\"EC2.3\",\"RecommendationUrl\":\"https://example.com/\",\"RelatedAWSResources:0/name\":\"xxx\",\"RelatedAWSResources:0/type\":\"AWS::Config::ConfigRule\",\"StandardsControlArn\":\"xxx\",\"aws/securityhub/ProductName\":\"Security Hub\",\"aws/securityhub/CompanyName\":\"AWS\",\"aws/securityhub/annotation\":\"This finding has a compliance status of NOT AVAILABLE because AWS Config sent Security Hub a finding with a 
compliance state of Not Applicable. The potential reasons for a Not Applicable finding from Config are that (1) a resource has been moved out of scope of the Config rule; (2) the Config rule has been deleted; (3) the resource has been deleted; or (4) the logic of the Config rule itself includes scenarios where Not Applicable is returned. The specific reason why Not Applicable is returned is not available in the Config rule evaluation.\",\"Resources:0/Id\":\"xxx\",\"aws/securityhub/FindingId\":\"xxx\"},\"Remediation\":{\"Recommendation\":{\"Text\":\"For directions on how to fix this issue, consult the AWS Security Hub Foundational Security Best Practices documentation.\",\"Url\":\"https://example.com/\"}},\"SchemaVersion\":\"2018-10-08\",\"GeneratorId\":\"xxx\",\"RecordState\":\"ARCHIVED\",\"Title\":\"EC2.3 Attached EBS volumes should be encrypted at-rest\",\"Workflow\":{\"Status\":\"NEW\"},\"Severity\":{\"Normalized\":40,\"Label\":\"MEDIUM\",\"Product\":40,\"Original\":\"INFORMATIONAL\"},\"UpdatedAt\":\"2022-06-17T10:25:14.800Z\",\"WorkflowState\":\"NEW\",\"AwsAccountId\":\"xxx\",\"Region\":\"us-east-1\",\"Id\":\"xxx\",\"Resources\":[{\"Partition\":\"aws\",\"Type\":\"AwsEc2Volume\",\"Region\":\"us-east-1\",\"Id\":\"xxx\"}] }", "outcome": "unknown", "severity": 40, @@ -1234,9 +1217,6 @@ "info" ] }, - "observer": { - "vendor": "AWS Security Hub" - }, "organization": { "name": "AWS" }, @@ -1385,7 +1365,6 @@ "id": "arn:aws:ec2:ap-south-1:111111111111:instance/i-0e2ede89308a594d7", "name": "instance/i-0e2ede89308a594d7" }, - "provider": "aws", "region": "ap-south-1", "service": { "name": "ec2" 
@@ -1400,7 +1379,6 @@ ], "created": "2024-09-11T08:00:03.516Z", "id": "arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.8/finding/8825ae3b-1f70-4c74-8337-baee8fcad8fd", - "kind": "state", "original": "{\"AwsAccountId\":\"111111111111\",\"CompanyName\":\"AWS\",\"Compliance\":{\"AssociatedStandards\":[{\"StandardsId\":\"standards/aws-foundational-security-best-practices/v/1.0.0\"},{\"StandardsId\":\"standards/cis-aws-foundations-benchmark/v/3.0.0\"},{\"StandardsId\":\"standards/nist-800-53/v/5.0.0\"}],\"RelatedRequirements\":[\"CIS AWS Foundations Benchmark v3.0.0/5.6\",\"NIST.800-53.r5 AC-3\",\"NIST.800-53.r5 AC-3(15)\",\"NIST.800-53.r5 AC-3(7)\",\"NIST.800-53.r5 AC-6\"],\"SecurityControlId\":\"EC2.8\",\"Status\":\"PASSED\"},\"CreatedAt\":\"2024-09-10T10:40:32.189Z\",\"Description\":\"This control checks whether your Amazon Elastic Compute Cloud (Amazon EC2) instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The control passes if HttpTokens is set to required for IMDSv2. 
The control fails if HttpTokens is set to optional.\",\"FindingProviderFields\":{\"Severity\":{\"Label\":\"INFORMATIONAL\",\"Normalized\":0,\"Original\":\"INFORMATIONAL\"},\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"]},\"FirstObservedAt\":\"2024-09-10T10:40:32.189Z\",\"GeneratorId\":\"security-control/EC2.8\",\"Id\":\"arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.8/finding/8825ae3b-1f70-4c74-8337-baee8fcad8fd\",\"LastObservedAt\":\"2024-09-11T08:00:01.828Z\",\"ProcessedAt\":\"2024-09-11T08:00:03.516Z\",\"ProductArn\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub\",\"ProductFields\":{\"RelatedAWSResources:0/name\":\"securityhub-ec2-imdsv2-check-29027890\",\"RelatedAWSResources:0/type\":\"AWS::Config::ConfigRule\",\"Resources:0/Id\":\"arn:aws:ec2:ap-south-1:111111111111:instance/i-0e2ede89308a594d7\",\"aws/securityhub/CompanyName\":\"AWS\",\"aws/securityhub/FindingId\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.8/finding/8825ae3b-1f70-4c74-8337-baee8fcad8fd\",\"aws/securityhub/ProductName\":\"Security Hub\"},\"ProductName\":\"Security Hub\",\"RecordState\":\"ACTIVE\",\"Region\":\"ap-south-1\",\"Remediation\":{\"Recommendation\":{\"Text\":\"For information on how to correct this issue, consult the AWS Security Hub controls 
documentation.\",\"Url\":\"https://docs.aws.amazon.com/console/securityhub/EC2.8/remediation\"}},\"Resources\":[{\"Details\":{\"AwsEc2Instance\":{\"IamInstanceProfileArn\":\"arn:aws:iam::111111111111:instance-profile/elastic-agent-instance-profile-e4f7caa0-6f61-11ef-bb07-02fe87118279\",\"ImageId\":\"ami-04dffe071c46cddd4\",\"LaunchedAt\":\"2024-09-10T10:39:35.000Z\",\"MetadataOptions\":{\"HttpEndpoint\":\"enabled\",\"HttpProtocolIpv6\":\"disabled\",\"HttpPutResponseHopLimit\":2,\"HttpTokens\":\"required\",\"InstanceMetadataTags\":\"disabled\"},\"Monitoring\":{\"State\":\"disabled\"},\"NetworkInterfaces\":[{\"NetworkInterfaceId\":\"eni-0de300eee88c5c7fd\"}],\"SubnetId\":\"subnet-5d15a111\",\"VirtualizationType\":\"hvm\",\"VpcId\":\"vpc-39017251\"}},\"Id\":\"arn:aws:ec2:ap-south-1:111111111111:instance/i-0e2ede89308a594d7\",\"Partition\":\"aws\",\"Region\":\"ap-south-1\",\"Tags\":{\"Name\":\"elastic-agent-instance-e5f7caa0-6f60-11ef-bb07-02fe87118279\",\"Task\":\"Cloud Security Posture Management Scanner\",\"aws:cloudformation:logical-id\":\"ElasticAgentEc2Instance\",\"aws:cloudformation:stack-id\":\"arn:aws:cloudformation:ap-south-1:111111111111:stack/Elastic-Cloud-Security-Posture-Management/e5f7caa0-6f60-11ef-bb07-02fe87118279\",\"aws:cloudformation:stack-name\":\"Elastic-Cloud-Security-Posture-Management\"},\"Type\":\"AwsEc2Instance\"}],\"SchemaVersion\":\"2018-10-08\",\"Severity\":{\"Label\":\"INFORMATIONAL\",\"Normalized\":0,\"Original\":\"INFORMATIONAL\"},\"Title\":\"EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)\",\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"],\"UpdatedAt\":\"2024-09-11T07:59:56.087Z\",\"Workflow\":{\"Status\":\"RESOLVED\"},\"WorkflowState\":\"NEW\"}", "outcome": "success", "severity": 0, @@ -1411,9 +1389,6 @@ "host": { "id": "arn:aws:ec2:ap-south-1:111111111111:instance/i-0e2ede89308a594d7" }, - "observer": { - "vendor": "AWS Security Hub" - }, "organization": { "name": "AWS" }, 
@@ -1545,7 +1520,6 @@
 "account": {
 "id": "111111111111"
 },
- "provider": "aws",
 "region": "ap-south-1",
 "service": {
 "name": "s3"
@@ -1560,7 +1534,6 @@ ], "created": "2024-09-13T22:50:30.870Z", "id": "arn:aws:securityhub:ap-south-1:111111111111:security-control/S3.17/finding/1d687c1f-ef1e-464f-985a-5000efa9d4a1", - "kind": "state", "original": "{\"AwsAccountId\":\"111111111111\",\"CompanyName\":\"AWS\",\"Compliance\":{\"AssociatedStandards\":[{\"StandardsId\":\"standards/nist-800-53/v/5.0.0\"}],\"RelatedRequirements\":[\"NIST.800-53.r5 SC-12(2)\",\"NIST.800-53.r5 CM-3(6)\",\"NIST.800-53.r5 SC-13\",\"NIST.800-53.r5 SC-28\",\"NIST.800-53.r5 SC-28(1)\",\"NIST.800-53.r5 SC-7(10)\",\"NIST.800-53.r5 CA-9(1)\",\"NIST.800-53.r5 SI-7(6)\",\"NIST.800-53.r5 AU-9\"],\"SecurityControlId\":\"S3.17\",\"Status\":\"FAILED\"},\"CreatedAt\":\"2024-08-14T10:14:37.338Z\",\"Description\":\"This control checks whether an Amazon S3 general purpose bucket is encrypted with an AWS KMS key (SSE-KMS or DSSE-KMS). The control fails if the bucket is encrypted with default encryption (SSE-S3).\",\"FindingProviderFields\":{\"Severity\":{\"Label\":\"MEDIUM\",\"Normalized\":40,\"Original\":\"MEDIUM\"},\"Types\":[\"Software and Configuration Checks/Industry and Regulatory 
Standards\"]},\"FirstObservedAt\":\"2024-08-14T10:14:37.338Z\",\"GeneratorId\":\"security-control/S3.17\",\"Id\":\"arn:aws:securityhub:ap-south-1:111111111111:security-control/S3.17/finding/1d687c1f-ef1e-464f-985a-5000efa9d4a1\",\"LastObservedAt\":\"2024-09-13T22:50:29.249Z\",\"ProcessedAt\":\"2024-09-13T22:50:30.870Z\",\"ProductArn\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub\",\"ProductFields\":{\"RelatedAWSResources:0/name\":\"securityhub-s3-default-encryption-kms-3a38fc59\",\"RelatedAWSResources:0/type\":\"AWS::Config::ConfigRule\",\"Resources:0/Id\":\"arn:aws:s3:::s3-test-public-bucket\",\"aws/securityhub/CompanyName\":\"AWS\",\"aws/securityhub/FindingId\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/S3.17/finding/1d687c1f-ef1e-464f-985a-5000efa9d4a1\",\"aws/securityhub/ProductName\":\"Security Hub\",\"aws/securityhub/annotation\":\"Amazon S3 bucket is not encrypted with AWS KMS key.\"},\"ProductName\":\"Security Hub\",\"RecordState\":\"ACTIVE\",\"Region\":\"ap-south-1\",\"Remediation\":{\"Recommendation\":{\"Text\":\"For information on how to correct this issue, consult the AWS Security Hub controls documentation.\",\"Url\":\"https://docs.aws.amazon.com/console/securityhub/S3.17/remediation\"}},\"Resources\":[{\"Details\":{\"AwsS3Bucket\":{\"CreatedAt\":\"2024-08-14T09:32:06.000Z\",\"Name\":\"s3-test-public-bucket\",\"OwnerId\":\"e106g9b5e13878d5133aadfac8a012130c4260091100b311ed476f9e77cdca46\"}},\"Id\":\"arn:aws:s3:::s3-test-public-bucket\",\"Partition\":\"aws\",\"Region\":\"ap-south-1\",\"Type\":\"AwsS3Bucket\"}],\"SchemaVersion\":\"2018-10-08\",\"Severity\":{\"Label\":\"MEDIUM\",\"Normalized\":40,\"Original\":\"MEDIUM\"},\"Title\":\"S3 general purpose buckets should be encrypted at rest with AWS KMS keys\",\"Types\":[\"Software and Configuration Checks/Industry and Regulatory 
Standards\"],\"UpdatedAt\":\"2024-09-13T22:50:13.008Z\",\"Workflow\":{\"Status\":\"NEW\"},\"WorkflowState\":\"NEW\"}", "outcome": "failure", "severity": 40, @@ -1568,9 +1541,6 @@ "info" ] }, - "observer": { - "vendor": "AWS Security Hub" - }, "organization": { "name": "AWS" }, @@ -1716,7 +1686,6 @@ "account": { "id": "111111111111" }, - "provider": "aws", "region": "ap-south-1", "service": { "name": "ec2" 
@@ -1731,7 +1700,6 @@ ], "created": "2024-09-11T08:00:08.685Z", "id": "arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.53/finding/f21e28e2-1077-4062-ac39-624b2776eb23", - "kind": "state", "original": "{\"AwsAccountId\":\"111111111111\",\"CompanyName\":\"AWS\",\"Compliance\":{\"AssociatedStandards\":[{\"StandardsId\":\"standards/cis-aws-foundations-benchmark/v/3.0.0\"}],\"RelatedRequirements\":[\"CIS AWS Foundations Benchmark v3.0.0/5.2\"],\"SecurityControlId\":\"EC2.53\",\"Status\":\"PASSED\"},\"CreatedAt\":\"2024-09-10T11:03:33.389Z\",\"Description\":\"This control checks whether an Amazon EC2 security group allows ingress from 0.0.0.0/0 to remote server administration ports (ports 22 and 3389). The control fails if the security group allows ingress from 0.0.0.0/0 to port 22 or 3389.\",\"FindingProviderFields\":{\"Severity\":{\"Label\":\"INFORMATIONAL\",\"Normalized\":0,\"Original\":\"INFORMATIONAL\"},\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"]},\"FirstObservedAt\":\"2024-09-10T11:03:33.389Z\",\"GeneratorId\":\"security-control/EC2.53\",\"Id\":\"arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.53/finding/f21e28e2-1077-4062-ac39-624b2776eb23\",\"LastObservedAt\":\"2024-09-11T08:00:06.960Z\",\"ProcessedAt\":\"2024-09-11T08:00:08.685Z\",\"ProductArn\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub\",\"ProductFields\":{\"RelatedAWSResources:0/name\":\"securityhub-vpc-sg-port-restriction-check-8bef9db4\",\"RelatedAWSResources:0/type\":\"AWS::Config::ConfigRule\",\"Resources:0/Id\":\"arn:aws:ec2:ap-south-1:111111111111:security-group/sg-0dbc8c6200a0a9c51\",\"aws/securityhub/CompanyName\":\"AWS\",\"aws/securityhub/FindingId\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.53/finding/f21e28e2-1077-4062-ac39-624b2776eb23\",\"aws/securityhub/ProductName\":\"Security Hub\"},\"ProductName\":\"Security 
Hub\",\"RecordState\":\"ACTIVE\",\"Region\":\"ap-south-1\",\"Remediation\":{\"Recommendation\":{\"Text\":\"For information on how to correct this issue, consult the AWS Security Hub controls documentation.\",\"Url\":\"https://docs.aws.amazon.com/console/securityhub/EC2.53/remediation\"}},\"Resources\":[{\"Details\":{\"AwsEc2SecurityGroup\":{\"GroupId\":\"sg-0dbc8c6200a0a9c51\",\"GroupName\":\"elastic-agent-security-group-e4f7caa0-5f61-11ef-bb07-02fe87118279\",\"IpPermissionsEgress\":[{\"IpProtocol\":\"-1\",\"IpRanges\":[{\"CidrIp\":\"0.0.0.0/0\"}]}],\"OwnerId\":\"111111111111\",\"VpcId\":\"vpc-39017251\"}},\"Id\":\"arn:aws:ec2:ap-south-1:111111111111:security-group/sg-0dbc9c6210a0a9c51\",\"Partition\":\"aws\",\"Region\":\"ap-south-1\",\"Tags\":{\"aws:cloudformation:logical-id\":\"ElasticAgentSecurityGroup\",\"aws:cloudformation:stack-id\":\"arn:aws:cloudformation:ap-south-1:111111111111:stack/Elastic-Cloud-Security-Posture-Management/e5f7caa0-6f60-11ef-bb07-02fe87118279\",\"aws:cloudformation:stack-name\":\"Elastic-Cloud-Security-Posture-Management\"},\"Type\":\"AwsEc2SecurityGroup\"}],\"SchemaVersion\":\"2018-10-08\",\"Severity\":{\"Label\":\"INFORMATIONAL\",\"Normalized\":0,\"Original\":\"INFORMATIONAL\"},\"Title\":\"EC2 security groups should not allow ingress from 0.0.0.0/0 to remote server administration ports\",\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"],\"UpdatedAt\":\"2024-09-11T07:59:56.364Z\",\"Workflow\":{\"Status\":\"RESOLVED\"},\"WorkflowState\":\"NEW\"}", "outcome": "success", "severity": 0, @@ -1739,9 +1707,6 @@ "info" ] }, - "observer": { - "vendor": "AWS Security Hub" - }, "organization": { "name": "AWS" }, @@ -1876,7 +1841,6 @@ "account": { "id": "111111111111" }, - "provider": "aws", "region": "ap-south-1", "service": { "name": "ec2" 
@@ -1891,7 +1855,6 @@ ], "created": "2024-09-10T16:51:39.864Z", "id": "arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.3/finding/972eddbf-43ae-4886-9416-ac9ddc2cecc0", - "kind": "state", "original": "{\"AwsAccountId\":\"111111111111\",\"CompanyName\":\"AWS\",\"Compliance\":{\"AssociatedStandards\":[{\"StandardsId\":\"standards/aws-foundational-security-best-practices/v/1.0.0\"},{\"StandardsId\":\"standards/nist-800-53/v/5.0.0\"}],\"RelatedRequirements\":[\"NIST.800-53.r5 CA-9(1)\",\"NIST.800-53.r5 CM-3(6)\",\"NIST.800-53.r5 SC-13\",\"NIST.800-53.r5 SC-28\",\"NIST.800-53.r5 SC-28(1)\",\"NIST.800-53.r5 SC-7(10)\",\"NIST.800-53.r5 SI-7(6)\"],\"SecurityControlId\":\"EC2.3\",\"Status\":\"FAILED\"},\"CreatedAt\":\"2024-09-10T16:51:26.034Z\",\"Description\":\"This AWS control checks whether the EBS volumes that are in an attached state are encrypted.\",\"FindingProviderFields\":{\"Severity\":{\"Label\":\"MEDIUM\",\"Normalized\":40,\"Original\":\"MEDIUM\"},\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"]},\"FirstObservedAt\":\"2024-09-10T16:50:59.623Z\",\"GeneratorId\":\"security-control/EC2.3\",\"Id\":\"arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.3/finding/972eddbf-43ae-4886-9416-ac9ddc2cecc0\",\"LastObservedAt\":\"2024-09-10T16:50:59.623Z\",\"ProcessedAt\":\"2024-09-10T16:51:39.864Z\",\"ProductArn\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub\",\"ProductFields\":{\"RelatedAWSResources:0/name\":\"securityhub-encrypted-volumes-4e81c587\",\"RelatedAWSResources:0/type\":\"AWS::Config::ConfigRule\",\"Resources:0/Id\":\"arn:aws:ec2:ap-south-1:111111111111:volume/vol-03822fa7de881616e\",\"aws/securityhub/CompanyName\":\"AWS\",\"aws/securityhub/FindingId\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.3/finding/972eddbf-43ae-4886-9416-ac9ddc2cecc0\",\"aws/securityhub/ProductName\":\"Security 
Hub\"},\"ProductName\":\"Security Hub\",\"RecordState\":\"ACTIVE\",\"Region\":\"ap-south-1\",\"Remediation\":{\"Recommendation\":{\"Text\":\"For information on how to correct this issue, consult the AWS Security Hub controls documentation.\",\"Url\":\"https://docs.aws.amazon.com/console/securityhub/EC2.3/remediation\"}},\"Resources\":[{\"Details\":{\"AwsEc2Volume\":{\"Attachments\":[{\"AttachTime\":\"2024-09-10T10:39:36.000Z\",\"DeleteOnTermination\":true,\"InstanceId\":\"i-0f1ede89308a584d8\",\"Status\":\"attached\"}],\"CreateTime\":\"2024-09-10T10:39:36.313Z\",\"Encrypted\":false,\"Size\":32,\"SnapshotId\":\"snap-07cb2350b59fa5cce\",\"Status\":\"in-use\"}},\"Id\":\"arn:aws:ec2:ap-south-1:111111111111:volume/vol-03821fa7de881617e\",\"Partition\":\"aws\",\"Region\":\"ap-south-1\",\"Type\":\"AwsEc2Volume\"}],\"SchemaVersion\":\"2018-10-08\",\"Severity\":{\"Label\":\"MEDIUM\",\"Normalized\":40,\"Original\":\"MEDIUM\"},\"Title\":\"Attached EBS volumes should be encrypted at-rest\",\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"],\"UpdatedAt\":\"2024-09-10T16:51:26.034Z\",\"Workflow\":{\"Status\":\"NEW\"},\"WorkflowState\":\"NEW\"}", "outcome": "failure", "severity": 40, @@ -1899,9 +1862,6 @@ "info" ] }, - "observer": { - "vendor": "AWS Security Hub" - }, "organization": { "name": "AWS" }, @@ -2036,7 +1996,6 @@ "account": { "id": "111111111111" }, - "provider": "aws", "region": "ap-south-1", "service": { "name": "iam" 
@@ -2051,7 +2010,6 @@ ], "created": "2024-09-15T16:48:59.493Z", "id": "arn:aws:iam::111111111111:user/developers/devuser@dev.dev", - "kind": "state", "original": "{\"AwsAccountId\":\"111111111111\",\"CompanyName\":\"AWS\",\"Compliance\":{\"AssociatedStandards\":[{\"StandardsId\":\"standards/aws-foundational-security-best-practices/v/1.0.0\"},{\"StandardsId\":\"standards/nist-800-53/v/5.0.0\"},{\"StandardsId\":\"standards/pci-dss/v/3.2.1\"}],\"RelatedRequirements\":[\"CIS AWS Foundations Benchmark v1.2.0/1.16\"],\"SecurityControlId\":\"IAM.2\",\"Status\":\"FAILED\"},\"CreatedAt\":\"2024-09-10T12:40:36.785Z\",\"Description\":\"This AWS control checks that none of your IAM users have policies attached. Instead, IAM users must inherit permissions from IAM groups or roles.\",\"FindingProviderFields\":{\"Severity\":{\"Label\":\"LOW\",\"Normalized\":1,\"Original\":\"LOW\"},\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"]},\"FirstObservedAt\":\"2024-09-10T12:40:36.785Z\",\"GeneratorId\":\"security-control/SSM.1\",\"Id\":\"arn:aws:iam::111111111111:user/developers/devuser@dev.dev\",\"LastObservedAt\":\"2024-09-15T16:48:57.829Z\",\"ProcessedAt\":\"2024-09-15T16:48:59.493Z\",\"ProductArn\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub\",\"ProductFields\":{\"RelatedAWSResources:0/name\":\"securityhub-iam-user-no-policies-check-832bb806\",\"RelatedAWSResources:0/type\":\"AWS::Config::ConfigRule\",\"Resources:0/Id\":\"arn:aws:iam::111111111111:user/developers/devuser@dev.dev\",\"aws/securityhub/CompanyName\":\"AWS\",\"aws/securityhub/FindingId\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/SSM.1/finding/12b0c84a-bba5-4fb4-bb36-3b0e62b1945c\",\"aws/securityhub/ProductName\":\"Security Hub\"},\"ProductName\":\"Security Hub\",\"RecordState\":\"ACTIVE\",\"Region\":\"ap-south-1\",\"Remediation\":{\"Recommendation\":{\"Text\":\"For information on how to correct this 
issue, consult the AWS Security Hub controls documentation.\",\"Url\":\"https://docs.aws.amazon.com/console/securityhub/IAM.2/remediation\"}},\"Resources\":[{\"Partition\":\"aws\",\"Type\":\"AwsIamUser\",\"Details\":{\"AwsIamUser\":{\"Path\":\"/developers/\",\"AttachedManagedPolicies\":[{\"PolicyArn\":\"arn:aws:iam::aws:policy/AWSSecurityHubFullAccess\",\"PolicyName\":\"AWSSecurityHubFullAccess\"}],\"UserName\":\"Dev UserName\",\"GroupList\":[\"DevUsers\"],\"UserId\":\"DevUserId\",\"CreateDate\":\"2023-01-10T01:07:37.000Z\"}},\"Region\":\"ap-south-1\",\"Id\":\"arn:aws:iam::111111111111:user/developers/devuser@dev.dev\"}],\"SchemaVersion\":\"2018-10-08\",\"Severity\":{\"Label\":\"LOW\",\"Normalized\":1,\"Original\":\"LOW\"},\"Title\":\"IAM users should not have IAM policies attached\",\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"],\"UpdatedAt\":\"2024-09-15T16:48:45.279Z\",\"Workflow\":{\"Status\":\"NEW\"},\"WorkflowState\":\"NEW\"}", "outcome": "failure", "severity": 1, @@ -2059,9 +2017,6 @@ "info" ] }, - "observer": { - "vendor": "AWS Security Hub" - }, "organization": { "name": "AWS" }, @@ -2199,7 +2154,6 @@ "account": { "id": "111111111111" }, - "provider": "aws", "region": "ap-south-1", "service": { "name": "eks" 
@@ -2214,7 +2168,6 @@ ], "created": "2024-09-15T16:48:59.493Z", "id": "arn:aws:eks:ap-south-1:111111111111:cluster/democluster", - "kind": "state", "original": "{\"AwsAccountId\":\"111111111111\",\"CompanyName\":\"AWS\",\"Compliance\":{\"SecurityControlId\":\"EKS.1\",\"Status\":\"FAILED\"},\"CreatedAt\":\"2024-09-11T12:40:36.785Z\",\"Description\":\"This control checks whether an Amazon EKS cluster endpoint is publicly accessible. The control fails if an EKS cluster has an endpoint that is publicly accessible.\",\"FindingProviderFields\":{\"Severity\":{\"Label\":\"HIGH\",\"Normalized\":70,\"Original\":\"HIGH\"},\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"]},\"FirstObservedAt\":\"2024-09-11T12:40:36.785Z\",\"GeneratorId\":\"security-control/EKS.1\",\"Id\":\"arn:aws:eks:ap-south-1:111111111111:cluster/democluster\",\"LastObservedAt\":\"2024-09-15T16:48:57.829Z\",\"ProcessedAt\":\"2024-09-15T16:48:59.493Z\",\"ProductArn\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub\",\"ProductFields\":{\"RelatedAWSResources:0/name\":\"securityhub-eks-endpoint-no-public-access-2dc35c63\",\"RelatedAWSResources:0/type\":\"AWS::Config::ConfigRule\",\"Resources:0/Id\":\"arn:aws:eks:ap-south-1:111111111111:cluster/democluster\",\"aws/securityhub/CompanyName\":\"AWS\",\"aws/securityhub/FindingId\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/SSM.1/finding/12b0c84a-bba5-4fb4-bb36-3b0e62b1945c\",\"aws/securityhub/ProductName\":\"Security Hub\",\"aws/securityhub/annotation\":\"Cluster Endpoint of democluster is Publicly accessible\"},\"ProductName\":\"Security Hub\",\"RecordState\":\"ACTIVE\",\"Region\":\"ap-south-1\",\"Remediation\":{\"Recommendation\":{\"Text\":\"For information on how to correct this issue, consult the AWS Security Hub controls 
documentation.\",\"Url\":\"https://docs.aws.amazon.com/console/securityhub/EKS.1/remediation\"}},\"Resources\":[{\"Partition\":\"aws\",\"Type\":\"AwsEksCluster\",\"Details\":{\"AwsEksCluster\":{\"Version\":\"1.27\",\"Arn\":\"arn:aws:eks:ap-south-1:111111111111:cluster/democluster\",\"ResourcesVpcConfig\":{\"EndpointPublicAccess\":true,\"SecurityGroupIds\":[\"sg-111\"],\"SubnetIds\":[\"subnet-aaa\",\"subnet-bbb\"]},\"RoleArn\":\"arn:aws:iam::111111111111:role/EKSClusterRole\",\"Name\":\"democluster\"}},\"Region\":\"ap-south-1\",\"Id\":\"arn:aws:eks:ap-south-1:111111111111:cluster/democluster\",\"Tags\":{\"environment\":\"dev\",\"managed_by\":\"terraform\",\"project\":\"demo\",\"team\":\"dev\"}}],\"SchemaVersion\":\"2018-10-08\",\"Severity\":{\"Label\":\"HIGH\",\"Normalized\":70,\"Original\":\"HIGH\"},\"Title\":\"EKS cluster endpoints should not be publicly accessible\",\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"],\"UpdatedAt\":\"2024-09-15T16:48:45.279Z\",\"Workflow\":{\"Status\":\"NEW\"},\"WorkflowState\":\"NEW\"}", "outcome": "failure", "severity": 70, @@ -2222,9 +2175,6 @@ "info" ] }, - "observer": { - "vendor": "AWS Security Hub" - }, "orchestrator": { "cluster": { "id": "arn:aws:eks:ap-south-1:111111111111:cluster/democluster", @@ -2353,7 +2303,6 @@ "account": { "id": "111111111111" }, - "provider": "aws", "region": "ap-south-1" }, "ecs": { 
@@ -2365,7 +2314,6 @@ ], "created": "2024-09-11T07:53:27.460Z", "id": "arn:aws:securityhub:ap-south-1:111111111111:security-control/IAM.27/finding/9ec777ec-6a92-416f-a27c-fa22b5827b6f", - "kind": "state", "original": "{\"AwsAccountId\":\"111111111111\",\"CompanyName\":\"AWS\",\"Compliance\":{\"AssociatedStandards\":[{\"StandardsId\":\"standards/cis-aws-foundations-benchmark/v/3.0.0\"}],\"RelatedRequirements\":[\"CIS AWS Foundations Benchmark v3.0.0/1.22\"],\"SecurityControlId\":\"IAM.27\",\"Status\":\"PASSED\",\"StatusReasons\":[{\"Description\":\"AWS Config evaluated your resources against the rule. The rule did not apply to the AWS resources in its scope, the specified resources were deleted, or the evaluation results were deleted.\",\"ReasonCode\":\"CONFIG_EVALUATIONS_EMPTY\"}]},\"CreatedAt\":\"2024-08-14T12:11:57.803Z\",\"Description\":\"This control checks whether an IAM identity (user, role, or group) has the AWS managed policy AWSCloudShellFullAccess attached. The control fails if an IAM identity has the AWSCloudShellFullAccess policy attached.\",\"FindingProviderFields\":{\"Severity\":{\"Label\":\"INFORMATIONAL\",\"Normalized\":0,\"Original\":\"INFORMATIONAL\"},\"Types\":[\"Software and Configuration Checks/Industry and Regulatory 
Standards\"]},\"FirstObservedAt\":\"2024-08-14T12:11:57.803Z\",\"GeneratorId\":\"security-control/IAM.27\",\"Id\":\"arn:aws:securityhub:ap-south-1:111111111111:security-control/IAM.27/finding/9ec777ec-6a92-416f-a27c-fa22b5827b6f\",\"LastObservedAt\":\"2024-09-11T07:53:19.500Z\",\"ProcessedAt\":\"2024-09-11T07:53:27.460Z\",\"ProductArn\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub\",\"ProductFields\":{\"RelatedAWSResources:0/name\":\"securityhub-iam-policy-blacklisted-check-0ab52b49\",\"RelatedAWSResources:0/type\":\"AWS::Config::ConfigRule\",\"Resources:0/Id\":\"arn:aws:iam::111111111111:root\",\"aws/securityhub/CompanyName\":\"AWS\",\"aws/securityhub/FindingId\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/IAM.27/finding/9ec777ec-6a92-416f-a27c-fa22b5827b6f\",\"aws/securityhub/ProductName\":\"Security Hub\",\"aws/securityhub/annotation\":\"AWS Config evaluated your resources against the rule. The rule did not apply to the AWS resources in its scope, the specified resources were deleted, or the evaluation results were deleted.\"},\"ProductName\":\"Security Hub\",\"RecordState\":\"ACTIVE\",\"Region\":\"ap-south-1\",\"Remediation\":{\"Recommendation\":{\"Text\":\"For information on how to correct this issue, consult the AWS Security Hub controls documentation.\",\"Url\":\"https://docs.aws.amazon.com/console/securityhub/IAM.27/remediation\"}},\"Resources\":[{\"Id\":\"AWS::::Account:111111111111\",\"Partition\":\"aws\",\"Region\":\"ap-south-1\",\"Type\":\"AwsAccount\"}],\"SchemaVersion\":\"2018-10-08\",\"Severity\":{\"Label\":\"INFORMATIONAL\",\"Normalized\":0,\"Original\":\"INFORMATIONAL\"},\"Title\":\"IAM identities should not have the AWSCloudShellFullAccess policy attached\",\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"],\"UpdatedAt\":\"2024-09-11T07:53:19.500Z\",\"Workflow\":{\"Status\":\"RESOLVED\"},\"WorkflowState\":\"NEW\"}", "outcome": 
"success",
 "severity": 0,
@@ -2373,9 +2321,6 @@
 "info"
 ]
 },
- "observer": {
- "vendor": "AWS Security Hub"
- },
 "organization": {
 "name": "AWS"
 },
@@ -2502,7 +2447,6 @@
 "id": "111111111111"
 },
 "availability_zone": "ap-south-1c",
- "provider": "aws",
 "region": "ap-south-1",
 "service": {
 "name": "ec2"
@@ -2517,7 +2461,6 @@ ], "created": "2024-09-13T22:50:27.295Z", "id": "arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.44/finding/0397ae8e-d2b2-4a75-964f-fde027670405", - "kind": "state", "original": "{\"AwsAccountId\":\"111111111111\",\"CompanyName\":\"AWS\",\"Compliance\":{\"AssociatedStandards\":[{\"StandardsId\":\"standards/aws-resource-tagging-standard/v/1.0.0\"}],\"SecurityControlId\":\"EC2.44\",\"SecurityControlParameters\":[{\"Name\":\"requiredTagKeys\",\"Value\":[]}],\"Status\":\"FAILED\"},\"CreatedAt\":\"2024-08-14T10:14:50.020Z\",\"Description\":\"This control checks whether an Amazon EC2 subnet has tags with the specific keys defined in the parameter requiredTagKeys. The control fails if the subnet doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter requiredTagKeys. If the parameter requiredTagKeys isn't provided, the control only checks for the existence of a tag key and fails if the subnet isn't tagged with any key. System tags, which are automatically applied and begin with aws:, are ignored.\",\"FindingProviderFields\":{\"Severity\":{\"Label\":\"LOW\",\"Normalized\":1,\"Original\":\"LOW\"},\"Types\":[\"Software and Configuration Checks/Industry and Regulatory 
Standards\"]},\"FirstObservedAt\":\"2024-08-14T10:14:50.020Z\",\"GeneratorId\":\"security-control/EC2.44\",\"Id\":\"arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.44/finding/0397ae8e-d2b2-4a75-964f-fde027670405\",\"LastObservedAt\":\"2024-09-13T22:50:24.617Z\",\"ProcessedAt\":\"2024-09-13T22:50:27.295Z\",\"ProductArn\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub\",\"ProductFields\":{\"RelatedAWSResources:0/name\":\"securityhub-tagged-ec2-subnet-4c30afd3\",\"RelatedAWSResources:0/type\":\"AWS::Config::ConfigRule\",\"Resources:0/Id\":\"arn:aws:ec2:ap-south-1:111111111111:subnet/subnet-c28c74b9\",\"aws/securityhub/CompanyName\":\"AWS\",\"aws/securityhub/FindingId\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.44/finding/0397ae8e-d2b2-4a75-964f-fde027670405\",\"aws/securityhub/ProductName\":\"Security Hub\",\"aws/securityhub/annotation\":\"No tags are present.\"},\"ProductName\":\"Security Hub\",\"RecordState\":\"ACTIVE\",\"Region\":\"ap-south-1\",\"Remediation\":{\"Recommendation\":{\"Text\":\"For information on how to correct this issue, consult the AWS Security Hub controls 
documentation.\",\"Url\":\"https://docs.aws.amazon.com/console/securityhub/EC2.44/remediation\"}},\"Resources\":[{\"Details\":{\"AwsEc2Subnet\":{\"AssignIpv6AddressOnCreation\":false,\"AvailabilityZone\":\"ap-south-1c\",\"AvailabilityZoneId\":\"aps1-az2\",\"AvailableIpAddressCount\":4091,\"CidrBlock\":\"171.32.32.0/20\",\"DefaultForAz\":true,\"MapPublicIpOnLaunch\":true,\"OwnerId\":\"111111111111\",\"State\":\"available\",\"SubnetArn\":\"arn:aws:ec2:ap-south-1:111111111111:subnet/subnet-c19c74b9\",\"SubnetId\":\"subnet-c19c74b9\",\"VpcId\":\"vpc-39017152\"}},\"Id\":\"arn:aws:ec2:ap-south-1:111111111111:subnet/subnet-c28c74b9\",\"Partition\":\"aws\",\"Region\":\"ap-south-1\",\"Type\":\"AwsEc2Subnet\"}],\"SchemaVersion\":\"2018-10-08\",\"Severity\":{\"Label\":\"LOW\",\"Normalized\":1,\"Original\":\"LOW\"},\"Title\":\"EC2 subnets should be tagged\",\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"],\"UpdatedAt\":\"2024-09-13T22:50:15.737Z\",\"Workflow\":{\"Status\":\"NEW\"},\"WorkflowState\":\"NEW\"}", "outcome": "failure", "severity": 1, @@ -2525,9 +2468,6 @@ "info" ] }, - "observer": { - "vendor": "AWS Security Hub" - }, "organization": { "name": "AWS" }, @@ -2663,7 +2603,6 @@ "id": "111111111111" }, "availability_zone": "ap-south-1a", - "provider": "aws", "region": "ap-south-1", "service": { "name": "elasticloadbalancing" 
@@ -2678,7 +2617,6 @@ ], "created": "2024-09-13T22:50:27.295Z", "id": "arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e", - "kind": "state", "original": "{\"AwsAccountId\":\"111111111111\",\"CompanyName\":\"AWS\",\"Compliance\":{\"SecurityControlId\":\"ELB.6\",\"Status\":\"FAILED\"},\"CreatedAt\":\"2024-08-14T10:14:50.020Z\",\"Description\":\"This control checks whether Application, Gateway, and Network Load Balancers have deletion protection enabled. The control fails if deletion protection is disabled.\",\"FindingProviderFields\":{\"Severity\":{\"Label\":\"MEDIUM\",\"Normalized\":40,\"Original\":\"MEDIUM\"},\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"]},\"FirstObservedAt\":\"2024-08-14T10:14:50.020Z\",\"GeneratorId\":\"security-control/EC2.44\",\"Id\":\"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e\",\"LastObservedAt\":\"2024-09-13T22:50:24.617Z\",\"ProcessedAt\":\"2024-09-13T22:50:27.295Z\",\"ProductArn\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub\",\"ProductFields\":{\"RelatedAWSResources:0/name\":\"securityhub-tagged-ec2-subnet-4c30afd3\",\"RelatedAWSResources:0/type\":\"AWS::Config::ConfigRule\",\"Resources:0/Id\":\"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e\",\"aws/securityhub/CompanyName\":\"AWS\",\"aws/securityhub/FindingId\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/ELB.6/finding/9e7771db-5b77-48df-a103-1370cf6d401a\",\"aws/securityhub/ProductName\":\"Security Hub\",\"aws/securityhub/annotation\":\"No tags are present.\"},\"ProductName\":\"Security Hub\",\"RecordState\":\"ACTIVE\",\"Region\":\"ap-south-1\",\"Remediation\":{\"Recommendation\":{\"Text\":\"For information on how to correct this issue, consult the 
AWS Security Hub controls documentation.\",\"Url\":\"https://docs.aws.amazon.com/console/securityhub/ELB.6/remediation\"}},\"Resources\":[{\"Partition\":\"aws\",\"Type\":\"AwsElbv2LoadBalancer\",\"Details\":{\"AwsElbv2LoadBalancer\":{\"IpAddressType\":\"ipv4\",\"Type\":\"network\",\"CreatedTime\":\"2024-04-17T21:35:20.303Z\",\"Scheme\":\"internet-facing\",\"VpcId\":\"vpc-132ddf1f407252a0a\",\"CanonicalHostedZoneId\":\"ZLPOA36VPKAMP\",\"AvailabilityZones\":[{\"ZoneName\":\"ap-south-1b\",\"SubnetId\":\"subnet-aaa\"},{\"ZoneName\":\"ap-south-1a\",\"SubnetId\":\"subnet-bbb\"}],\"State\":{\"Code\":\"active\"},\"DNSName\":\"a799f20cd3754462297d4874c25e67ae-894921ab8833ff1e.elb.ap-south-1.amazonaws.com\"}},\"Region\":\"ap-south-1\",\"Id\":\"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e\",\"Tags\":{\"kubernetes.io/service-name\":\"default/traefik\",\"kubernetes.io/cluster/demo\":\"owned\"}}],\"SchemaVersion\":\"2018-10-08\",\"Severity\":{\"Label\":\"LOW\",\"Normalized\":1,\"Original\":\"LOW\"},\"Title\":\"EC2 subnets should be tagged\",\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"],\"UpdatedAt\":\"2024-09-13T22:50:15.737Z\",\"Workflow\":{\"Status\":\"NEW\"},\"WorkflowState\":\"NEW\"}", "outcome": "failure", "severity": 1, @@ -2686,9 +2624,6 @@ "info" ] }, - "observer": { - "vendor": "AWS Security Hub" - }, "organization": { "name": "AWS" }, @@ -2862,7 +2797,6 @@ "ap-south-1b", "ap-south-1a" ], - "provider": "aws", "region": "ap-south-1", "service": { "name": [ 
@@ -2880,7 +2814,6 @@ ], "created": "2024-09-13T22:50:27.295Z", "id": "arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e", - "kind": "state", "original": "{\"AwsAccountId\":\"111111111111\",\"CompanyName\":\"AWS\",\"Compliance\":{\"SecurityControlId\":\"ELB.6\",\"Status\":\"FAILED\"},\"CreatedAt\":\"2024-08-14T10:14:50.020Z\",\"Description\":\"This control checks whether Application, Gateway, and Network Load Balancers have deletion protection enabled. The control fails if deletion protection is disabled.\",\"FindingProviderFields\":{\"Severity\":{\"Label\":\"MEDIUM\",\"Normalized\":40,\"Original\":\"MEDIUM\"},\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"]},\"FirstObservedAt\":\"2024-08-14T10:14:50.020Z\",\"GeneratorId\":\"security-control/EC2.44\",\"Id\":\"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e\",\"LastObservedAt\":\"2024-09-13T22:50:24.617Z\",\"ProcessedAt\":\"2024-09-13T22:50:27.295Z\",\"ProductArn\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub\",\"ProductFields\":{\"RelatedAWSResources:0/name\":\"securityhub-tagged-ec2-subnet-4c30afd3\",\"RelatedAWSResources:0/type\":\"AWS::Config::ConfigRule\",\"Resources:0/Id\":\"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e\",\"aws/securityhub/CompanyName\":\"AWS\",\"aws/securityhub/FindingId\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/ELB.6/finding/9e7771db-5b77-48df-a103-1370cf6d401a\",\"aws/securityhub/ProductName\":\"Security Hub\",\"aws/securityhub/annotation\":\"No tags are present.\"},\"ProductName\":\"Security Hub\",\"RecordState\":\"ACTIVE\",\"Region\":\"ap-south-1\",\"Remediation\":{\"Recommendation\":{\"Text\":\"For information on how to correct this issue, consult the 
AWS Security Hub controls documentation.\",\"Url\":\"https://docs.aws.amazon.com/console/securityhub/ELB.6/remediation\"}},\"Resources\":[{\"Partition\":\"aws\",\"Type\":\"AwsElbv2LoadBalancer\",\"Details\":{\"AwsElbv2LoadBalancer\":{\"IpAddressType\":\"ipv4\",\"Type\":\"network\",\"CreatedTime\":\"2024-04-17T21:35:20.303Z\",\"Scheme\":\"internet-facing\",\"VpcId\":\"vpc-132ddf1f407252a0a\",\"CanonicalHostedZoneId\":\"ZLPOA36VPKAMP\",\"AvailabilityZones\":[{\"ZoneName\":\"ap-south-1b\",\"SubnetId\":\"subnet-aaa\"},{\"ZoneName\":\"ap-south-1a\",\"SubnetId\":\"subnet-bbb\"}],\"State\":{\"Code\":\"active\"},\"DNSName\":\"a799f20cd3754462297d4874c25e67ae-894921ab8833ff1e.elb.ap-south-1.amazonaws.com\"}},\"Region\":\"ap-south-1\",\"Id\":\"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a799f20cd3754462297d4874c25e67ae/894921ab8833ff1e\",\"Tags\":{\"kubernetes.io/service-name\":\"default/traefik\",\"kubernetes.io/cluster/demo\":\"owned\"}},{\"Partition\":\"aws\",\"Type\":\"AwsElbv2LoadBalancer\",\"Details\":{\"AwsElbv2LoadBalancer\":{\"IpAddressType\":\"ipv4\",\"Type\":\"network\",\"CreatedTime\":\"2024-04-18T21:35:20.303Z\",\"Scheme\":\"internet-facing\",\"VpcId\":\"vpc-132ddf1f407252a0a\",\"CanonicalHostedZoneId\":\"ZLPOA36VPKAMP\",\"AvailabilityZones\":[{\"ZoneName\":\"ap-south-1b\",\"SubnetId\":\"subnet-aaa\"},{\"ZoneName\":\"ap-south-1a\",\"SubnetId\":\"subnet-bbb\"}],\"State\":{\"Code\":\"active\"},\"DNSName\":\"a888f20cd3754462297d4874c25e67ae-994921ab8833ff1e.elb.ap-south-1.amazonaws.com\"}},\"Region\":\"ap-south-1\",\"Id\":\"arn:aws:elasticloadbalancing:ap-south-1:111111111111:loadbalancer/net/a888f20cd3754462297d4874c25e67ae/994921ab8833ff1e\",\"Tags\":{\"kubernetes.io/cluster/demo\":\"owned\"}}],\"SchemaVersion\":\"2018-10-08\",\"Severity\":{\"Label\":\"LOW\",\"Normalized\":1,\"Original\":\"LOW\"},\"Title\":\"EC2 subnets should be tagged\",\"Types\":[\"Software and Configuration Checks/Industry and Regulatory 
Standards\"],\"UpdatedAt\":\"2024-09-13T22:50:15.737Z\",\"Workflow\":{\"Status\":\"NEW\"},\"WorkflowState\":\"NEW\"}", "outcome": "failure", "severity": 1, @@ -2888,9 +2821,6 @@ "info" ] }, - "observer": { - "vendor": "AWS Security Hub" - }, "organization": { "name": "AWS" }, @@ -3055,7 +2985,6 @@ "id": "arn:aws:ec2:ap-south-1:111111111111:instance/i-0f2ede89308a594d8", "name": "instance/i-0f2ede89308a594d8" }, - "provider": "aws", "region": "ap-south-1", "service": { "name": "ec2" 
@@ -3070,7 +2999,6 @@ ], "created": "2024-09-21T08:00:03.516Z", "id": "arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.8/finding/8925ae3b-1f70-4c74-8337-baee8fcad8fe", - "kind": "state", "original": "{\"AwsAccountId\":\"111111111111\",\"CompanyName\":\"AWS\",\"Compliance\":{\"AssociatedStandards\":[{\"StandardsId\":\"standards/aws-foundational-security-best-practices/v/1.0.0\"},{\"StandardsId\":\"standards/cis-aws-foundations-benchmark/v/3.0.0\"},{\"StandardsId\":\"standards/nist-800-53/v/5.0.0\"}],\"RelatedRequirements\":[\"CIS AWS Foundations Benchmark v3.0.0/5.6\",\"NIST.800-53.r5 AC-3\",\"NIST.800-53.r5 AC-3(15)\",\"NIST.800-53.r5 AC-3(7)\",\"NIST.800-53.r5 AC-6\"],\"SecurityControlId\":\"EC2.8\",\"Status\":\"PASSED\"},\"CreatedAt\":\"2024-09-20T10:40:32.189Z\",\"Description\":\"This control checks whether your Amazon Elastic Compute Cloud (Amazon EC2) instance metadata version is configured with Instance Metadata Service Version 2 (IMDSv2). The control passes if HttpTokens is set to required for IMDSv2. 
The control fails if HttpTokens is set to optional.\",\"FindingProviderFields\":{\"Severity\":{\"Label\":\"INFORMATIONAL\",\"Normalized\":0,\"Original\":\"INFORMATIONAL\"},\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"]},\"FirstObservedAt\":\"2024-09-20T10:40:32.189Z\",\"GeneratorId\":\"security-control/EC2.8\",\"Id\":\"arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.8/finding/8925ae3b-1f70-4c74-8337-baee8fcad8fe\",\"LastObservedAt\":\"2024-09-21T08:00:01.828Z\",\"ProcessedAt\":\"2024-09-21T08:00:03.516Z\",\"ProductArn\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub\",\"ProductFields\":{\"RelatedAWSResources:0/name\":\"securityhub-ec2-imdsv2-check-29027890\",\"RelatedAWSResources:0/type\":\"AWS::Config::ConfigRule\",\"Resources:0/Id\":\"arn:aws:ec2:ap-south-1:111111111111:instance/i-0f2ede89308a594d8\",\"aws/securityhub/CompanyName\":\"AWS\",\"aws/securityhub/FindingId\":\"arn:aws:securityhub:ap-south-1::product/aws/securityhub/arn:aws:securityhub:ap-south-1:111111111111:security-control/EC2.8/finding/8925ae3b-1f70-4c74-8337-baee8fcad8fe\",\"aws/securityhub/ProductName\":\"Security Hub\"},\"ProductName\":\"Security Hub\",\"RecordState\":\"ACTIVE\",\"Region\":\"ap-south-1\",\"Remediation\":{\"Recommendation\":{\"Text\":\"For information on how to correct this issue, consult the AWS Security Hub controls 
documentation.\",\"Url\":\"https://docs.aws.amazon.com/console/securityhub/EC2.8/remediation\"}},\"Resources\":[{\"Details\":{\"AwsEc2Instance\":{\"IamInstanceProfileArn\":\"arn:aws:iam::111111111111:instance-profile/elastic-agent-instance-profile-e4f7caa0-6f61-11ef-bb07-02fe87118279\",\"ImageId\":\"ami-04dffe071c46cddd4\",\"IpV4Addresses\":[\"89.160.20.156\",\"89.160.20.157\"],\"IpV6Addresses\":[\"2a02:cf40::\"],\"LaunchedAt\":\"2024-09-20T10:39:35.000Z\",\"MetadataOptions\":{\"HttpEndpoint\":\"enabled\",\"HttpProtocolIpv6\":\"disabled\",\"HttpPutResponseHopLimit\":2,\"HttpTokens\":\"required\",\"InstanceMetadataTags\":\"disabled\"},\"Monitoring\":{\"State\":\"disabled\"},\"NetworkInterfaces\":[{\"NetworkInterfaceId\":\"eni-0de300eee88c5c7fd\"}],\"SubnetId\":\"subnet-5d15a111\",\"VirtualizationType\":\"hvm\",\"VpcId\":\"vpc-39017251\"}},\"Id\":\"arn:aws:ec2:ap-south-1:111111111111:instance/i-0f2ede89308a594d8\",\"Partition\":\"aws\",\"Region\":\"ap-south-1\",\"Tags\":{\"Name\":\"elastic-agent-instance-e5f7caa0-6f60-11ef-bb07-02fe87118279\",\"Task\":\"Cloud Security Posture Management Scanner\",\"aws:cloudformation:logical-id\":\"ElasticAgentEc2Instance\",\"aws:cloudformation:stack-id\":\"arn:aws:cloudformation:ap-south-1:111111111111:stack/Elastic-Cloud-Security-Posture-Management/e5f7caa0-6f60-11ef-bb07-02fe87118279\",\"aws:cloudformation:stack-name\":\"Elastic-Cloud-Security-Posture-Management\"},\"Type\":\"AwsEc2Instance\"}],\"SchemaVersion\":\"2018-10-08\",\"Severity\":{\"Label\":\"INFORMATIONAL\",\"Normalized\":0,\"Original\":\"INFORMATIONAL\"},\"Title\":\"EC2 instances should use Instance Metadata Service Version 2 (IMDSv2)\",\"Types\":[\"Software and Configuration Checks/Industry and Regulatory Standards\"],\"UpdatedAt\":\"2024-09-21T07:59:56.087Z\",\"Workflow\":{\"Status\":\"RESOLVED\"},\"WorkflowState\":\"NEW\"}", "outcome": "success", "severity": 0, 
@@ -3086,9 +3014,6 @@ "2a02:cf40::" ] }, - "observer": { - "vendor": "AWS Security Hub" - }, "organization": { "name": "AWS" }, diff --git a/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml b/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml index 27b22932842..3cf450a5f70 100644 --- a/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml +++ b/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml @@ -4,9 +4,6 @@ processors: - set: field: ecs.version value: '8.11.0' - - set: - field: event.kind - value: state - append: field: event.type value: info @@ -33,14 +30,13 @@ processors: - json.CreatedAt target_field: _id ignore_missing: true - - set: - field: observer.vendor - value: AWS Security Hub - tag: set_observer_vendor - - set: - field: cloud.provider - value: aws - tag: set_cloud_provider + - remove: + field: + - cloud.provider + - event.kind + - observer.vendor + ignore_missing: true + description: Fields defined as constant_keyword are removed from _source for storage efficiency. - rename: field: json.Action.ActionType target_field: aws.securityhub_findings.action.type diff --git a/packages/aws/data_stream/securityhub_findings/fields/ecs.yml b/packages/aws/data_stream/securityhub_findings/fields/ecs.yml index 4c81090790d..0afb365c208 100644 --- a/packages/aws/data_stream/securityhub_findings/fields/ecs.yml +++ b/packages/aws/data_stream/securityhub_findings/fields/ecs.yml @@ -1,7 +1,10 @@ # Define ECS constant fields as constant_keyword - name: cloud.provider type: constant_keyword + value: aws - name: event.kind type: constant_keyword + value: state - name: observer.vendor type: constant_keyword + value: AWS Security Hub 
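Review bot: The new `remove` processor in the `@@ -33,14 +30,13 @@` hunk of default.yml has a `description` but no `tag`, while the two `set` processors it replaces were tagged (`set_observer_vendor`, `set_cloud_provider`) and a later commit in this series adds `tag: date_updated_at` precisely so the `on_failure` message can name the failing processor; add `tag: remove_constant_keyword_fields` under `remove:`. The description also undersells why this processor matters: once `cloud.provider`, `event.kind` and `observer.vendor` are `constant_keyword` fields with fixed values (the fields/ecs.yml hunk on this line), a document that still carries one of them with a different value is rejected at index time, so stripping them early is what keeps ingestion working when, for example, host metadata added by the agent supplies a `cloud.provider` other than `aws`. Suggested wording: `description: Remove constant_keyword fields from _source; their values come from the mapping and a conflicting incoming value would reject the document.` If any later processor or a custom pipeline re-populates one of these fields the same rejection returns, which the comment should warn about.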
diff --git a/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/fields/ecs.yml b/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/fields/ecs.yml index 59527b92279..9d9dd64a507 100644 --- a/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/fields/ecs.yml +++ b/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/fields/ecs.yml @@ -1,10 +1,13 @@ # Define ECS constant fields as constant_keyword - name: cloud.provider type: constant_keyword + value: aws - name: event.kind type: constant_keyword + value: state - name: observer.vendor type: constant_keyword + value: AWS Security Hub # Define ECS fields for transform - name: cloud.account.id external: ecs diff --git a/packages/aws/kibana/dashboard/aws-c9f103d0-5f63-11ed-bd69-473ce047ef30.json b/packages/aws/kibana/dashboard/aws-c9f103d0-5f63-11ed-bd69-473ce047ef30.json index 04315e0dbf3..86811cef4d2 100644 --- a/packages/aws/kibana/dashboard/aws-c9f103d0-5f63-11ed-bd69-473ce047ef30.json +++ b/packages/aws/kibana/dashboard/aws-c9f103d0-5f63-11ed-bd69-473ce047ef30.json @@ -752,7 +752,7 @@ "y": 29 }, "panelIndex": "7419d896-5a39-461c-a72d-09734cc6d67e", - "title": "Events with Failure Findings [Logs AWS] (copy)", + "title": "Events with Failure Findings [Logs AWS]", "type": "lens" }, { From d861580c3e04a68028aaba83476fa5ebadbd4062 Mon Sep 17 00:00:00 2001 From: kcreddy Date: Wed, 30 Oct 2024 06:51:39 +0530 Subject: [PATCH 25/28] fix static test --- packages/aws/data_stream/securityhub_findings/sample_event.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/aws/data_stream/securityhub_findings/sample_event.json b/packages/aws/data_stream/securityhub_findings/sample_event.json index 6a33e31d0fb..341c0882e59 100644 --- a/packages/aws/data_stream/securityhub_findings/sample_event.json +++ b/packages/aws/data_stream/securityhub_findings/sample_event.json 
@@ -352,7 +352,7 @@ "dataset": "aws.securityhub_findings", "id": "us-west-2/111111111111/98aebb2207407c87f51e89943f12b1ef", "ingested": "2022-07-27T12:47:45Z", - "kind": "event", + "kind": "state", "original": "{\"Action\":{\"ActionType\":\"PORT_PROBE\",\"PortProbeAction\":{\"Blocked\":false,\"PortProbeDetails\":[{\"LocalIpDetails\":{\"IpAddressV4\":\"1.128.0.0\"},\"LocalPortDetails\":{\"Port\":80,\"PortName\":\"HTTP\"},\"RemoteIpDetails\":{\"City\":{\"CityName\":\"Example City\"},\"Country\":{\"CountryName\":\"Example Country\"},\"GeoLocation\":{\"Lat\":0,\"Lon\":0},\"Organization\":{\"Asn\":64496,\"AsnOrg\":\"ExampleASO\",\"Isp\":\"ExampleISP\",\"Org\":\"ExampleOrg\"}}}]}},\"AwsAccountId\":\"111111111111\",\"CompanyName\":\"AWS\",\"Compliance\":{\"RelatedRequirements\":[\"Req1\",\"Req2\"],\"Status\":\"PASSED\",\"StatusReasons\":[{\"Description\":\"CloudWatch alarms do not exist in the account\",\"ReasonCode\":\"CLOUDWATCH_ALARMS_NOT_PRESENT\"}]},\"Confidence\":42,\"CreatedAt\":\"2017-03-22T13:22:13.933Z\",\"Criticality\":99,\"Description\":\"The version of openssl found on instance i-abcd1234 is known to contain a vulnerability.\",\"FindingProviderFields\":{\"Confidence\":42,\"Criticality\":99,\"RelatedFindings\":[{\"Id\":\"123e4567-e89b-12d3-a456-426655440000\",\"ProductArn\":\"arn:aws:securityhub:us-west-2::product/aws/guardduty\"}],\"Severity\":{\"Label\":\"MEDIUM\",\"Original\":\"MEDIUM\"},\"Types\":[\"Software and Configuration 
Checks/Vulnerabilities/CVE\"]},\"FirstObservedAt\":\"2017-03-22T13:22:13.933Z\",\"GeneratorId\":\"acme-vuln-9ab348\",\"Id\":\"us-west-2/111111111111/98aebb2207407c87f51e89943f12b1ef\",\"LastObservedAt\":\"2017-03-23T13:22:13.933Z\",\"Malware\":[{\"Name\":\"Stringler\",\"Path\":\"/usr/sbin/stringler\",\"State\":\"OBSERVED\",\"Type\":\"COIN_MINER\"}],\"Network\":{\"DestinationDomain\":\"example2.com\",\"DestinationIpV4\":\"1.128.0.0\",\"DestinationIpV6\":\"2a02:cf40::\",\"DestinationPort\":\"80\",\"Direction\":\"IN\",\"OpenPortRange\":{\"Begin\":443,\"End\":443},\"Protocol\":\"TCP\",\"SourceDomain\":\"example1.com\",\"SourceIpV4\":\"1.128.0.0\",\"SourceIpV6\":\"2a02:cf40::\",\"SourceMac\":\"00:0d:83:b1:c0:8e\",\"SourcePort\":\"42\"},\"NetworkPath\":[{\"ComponentId\":\"abc-01a234bc56d8901ee\",\"ComponentType\":\"AWS::EC2::InternetGateway\",\"Egress\":{\"Destination\":{\"Address\":[\"1.128.0.0/24\"],\"PortRanges\":[{\"Begin\":443,\"End\":443}]},\"Protocol\":\"TCP\",\"Source\":{\"Address\":[\"175.16.199.1/24\"]}},\"Ingress\":{\"Destination\":{\"Address\":[\"175.16.199.1/24\"],\"PortRanges\":[{\"Begin\":443,\"End\":443}]},\"Protocol\":\"TCP\",\"Source\":{\"Address\":[\"175.16.199.1/24\"]}}}],\"Note\":{\"Text\":\"Don't forget to check under the 
mat.\",\"UpdatedAt\":\"2018-08-31T00:15:09Z\",\"UpdatedBy\":\"jsmith\"},\"PatchSummary\":{\"FailedCount\":\"0\",\"Id\":\"pb-123456789098\",\"InstalledCount\":\"100\",\"InstalledOtherCount\":\"1023\",\"InstalledPendingReboot\":\"0\",\"InstalledRejectedCount\":\"0\",\"MissingCount\":\"100\",\"Operation\":\"Install\",\"OperationEndTime\":\"2018-09-27T23:39:31Z\",\"OperationStartTime\":\"2018-09-27T23:37:31Z\",\"RebootOption\":\"RebootIfNeeded\"},\"Process\":{\"LaunchedAt\":\"2018-09-27T22:37:31Z\",\"Name\":\"syslogd\",\"ParentPid\":56789,\"Path\":\"/usr/sbin/syslogd\",\"Pid\":12345,\"TerminatedAt\":\"2018-09-27T23:37:31Z\"},\"ProductArn\":\"arn:aws:securityhub:us-east-1:111111111111:product/111111111111/default\",\"ProductFields\":{\"Service_Name\":\"cloudtrail.amazonaws.com\",\"aws/inspector/AssessmentTargetName\":\"My prod env\",\"aws/inspector/AssessmentTemplateName\":\"My daily CVE assessment\",\"aws/inspector/RulesPackageName\":\"Common Vulnerabilities and Exposures\",\"generico/secure-pro/Count\":\"6\"},\"ProductName\":\"Security Hub\",\"RecordState\":\"ACTIVE\",\"Region\":\"us-east-1\",\"RelatedFindings\":[{\"Id\":\"123e4567-e89b-12d3-a456-426655440000\",\"ProductArn\":\"arn:aws:securityhub:us-west-2::product/aws/guardduty\"},{\"Id\":\"AcmeNerfHerder-111111111111-x189dx7824\",\"ProductArn\":\"arn:aws:securityhub:us-west-2::product/aws/guardduty\"}],\"Remediation\":{\"Recommendation\":{\"Text\":\"Run sudo yum update and cross your fingers and 
toes.\",\"Url\":\"http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html\"}},\"Resources\":[{\"Details\":{\"IamInstanceProfileArn\":\"arn:aws:iam::123456789012:role/IamInstanceProfileArn\",\"ImageId\":\"ami-79fd7eee\",\"IpV4Addresses\":[\"175.16.199.1\"],\"IpV6Addresses\":[\"2a02:cf40::\"],\"KeyName\":\"testkey\",\"LaunchedAt\":\"2018-09-29T01:25:54Z\",\"MetadataOptions\":{\"HttpEndpoint\":\"enabled\",\"HttpProtocolIpv6\":\"enabled\",\"HttpPutResponseHopLimit\":1,\"HttpTokens\":\"optional\",\"InstanceMetadataTags\":\"disabled\"},\"NetworkInterfaces\":[{\"NetworkInterfaceId\":\"eni-e5aa89a3\"}],\"SubnetId\":\"PublicSubnet\",\"Type\":\"i3.xlarge\",\"VirtualizationType\":\"hvm\",\"VpcId\":\"TestVPCIpv6\"},\"Id\":\"i-cafebabe\",\"Partition\":\"aws\",\"Region\":\"us-west-2\",\"Tags\":{\"billingCode\":\"Lotus-1-2-3\",\"needsPatching\":\"true\"},\"Type\":\"AwsEc2Instance\"}],\"Sample\":true,\"SchemaVersion\":\"2018-10-08\",\"Severity\":{\"Label\":\"CRITICAL\",\"Original\":\"8.3\"},\"SourceUrl\":\"http://threatintelweekly.org/backdoors/8888\",\"ThreatIntelIndicators\":[{\"Category\":\"BACKDOOR\",\"LastObservedAt\":\"2018-09-27T23:37:31Z\",\"Source\":\"Threat Intel Weekly\",\"SourceUrl\":\"http://threatintelweekly.org/backdoors/8888\",\"Type\":\"IPV4_ADDRESS\",\"Value\":\"175.16.199.1\"}],\"Threats\":[{\"FilePaths\":[{\"FileName\":\"b.txt\",\"FilePath\":\"/tmp/b.txt\",\"Hash\":\"sha256\",\"ResourceId\":\"arn:aws:ec2:us-west-2:123456789012:volume/vol-032f3bdd89aee112f\"}],\"ItemCount\":3,\"Name\":\"Iot.linux.mirai.vwisi\",\"Severity\":\"HIGH\"}],\"Title\":\"EC2.20 Both VPN tunnels for an AWS Site-to-Site VPN connection should be up\",\"Types\":[\"Software and Configuration Checks/Vulnerabilities/CVE\"],\"UpdatedAt\":\"2018-08-31T00:15:09Z\",\"UserDefinedFields\":{\"comeBackToLater\":\"Check this again on 
Monday\",\"reviewedByCio\":\"true\"},\"VerificationState\":\"UNKNOWN\",\"Vulnerabilities\":[{\"Cvss\":[{\"BaseScore\":4.7,\"BaseVector\":\"AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"Version\":\"V3\"},{\"BaseScore\":4.7,\"BaseVector\":\"AV:L/AC:M/Au:N/C:C/I:N/A:N\",\"Version\":\"V2\"}],\"Id\":\"CVE-2020-12345\",\"ReferenceUrls\":[\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12418\",\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17563\"],\"RelatedVulnerabilities\":[\"CVE-2020-12345\"],\"Vendor\":{\"Name\":\"Alas\",\"Url\":\"https://alas.aws.amazon.com/ALAS-2020-1337.html\",\"VendorCreatedAt\":\"2020-01-16T00:01:43Z\",\"VendorSeverity\":\"Medium\",\"VendorUpdatedAt\":\"2020-01-16T00:01:43Z\"},\"VulnerablePackages\":[{\"Architecture\":\"x86_64\",\"Epoch\":\"1\",\"Name\":\"openssl\",\"Release\":\"16.amzn2.0.3\",\"Version\":\"1.0.2k\"}]}],\"Workflow\":{\"Status\":\"NEW\"},\"WorkflowState\":\"NEW\"}", "type": [ "info" From a0a7e23ccd71eae359f04875a95c133a3882c175 Mon Sep 17 00:00:00 2001 From: kcreddy Date: Wed, 30 Oct 2024 08:56:55 +0530 Subject: [PATCH 26/28] update/fix readme --- packages/aws/docs/securityhub.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/aws/docs/securityhub.md b/packages/aws/docs/securityhub.md index eb38cae49e5..c892d773ec5 100644 --- a/packages/aws/docs/securityhub.md +++ b/packages/aws/docs/securityhub.md 
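Review bot: The sample event keeps `event.kind` in `_source` and only changes its value from `event` to `state`, whereas the pipeline-test expectations earlier in this series drop the `"kind"` key altogether, because the pipeline now removes `event.kind`, `cloud.provider` and `observer.vendor` before indexing and lets the `constant_keyword` mapping supply their values. Presumably the static test only needed the sample value to agree with the mapping constant, but the example now documents a field that stored documents will not carry. Regenerating the sample event, and the copy of it in `packages/aws/docs/securityhub.md` that the next commit changes in the same way, would keep the documentation aligned with what is actually stored. The remainder of the sample event lies outside this hunk.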
@@ -386,7 +386,7 @@ An example event for `securityhub_findings` looks as following: "dataset": "aws.securityhub_findings", "id": "us-west-2/111111111111/98aebb2207407c87f51e89943f12b1ef", "ingested": "2022-07-27T12:47:45Z", - "kind": "event", + "kind": "state", "original": "{\"Action\":{\"ActionType\":\"PORT_PROBE\",\"PortProbeAction\":{\"Blocked\":false,\"PortProbeDetails\":[{\"LocalIpDetails\":{\"IpAddressV4\":\"1.128.0.0\"},\"LocalPortDetails\":{\"Port\":80,\"PortName\":\"HTTP\"},\"RemoteIpDetails\":{\"City\":{\"CityName\":\"Example City\"},\"Country\":{\"CountryName\":\"Example Country\"},\"GeoLocation\":{\"Lat\":0,\"Lon\":0},\"Organization\":{\"Asn\":64496,\"AsnOrg\":\"ExampleASO\",\"Isp\":\"ExampleISP\",\"Org\":\"ExampleOrg\"}}}]}},\"AwsAccountId\":\"111111111111\",\"CompanyName\":\"AWS\",\"Compliance\":{\"RelatedRequirements\":[\"Req1\",\"Req2\"],\"Status\":\"PASSED\",\"StatusReasons\":[{\"Description\":\"CloudWatch alarms do not exist in the account\",\"ReasonCode\":\"CLOUDWATCH_ALARMS_NOT_PRESENT\"}]},\"Confidence\":42,\"CreatedAt\":\"2017-03-22T13:22:13.933Z\",\"Criticality\":99,\"Description\":\"The version of openssl found on instance i-abcd1234 is known to contain a vulnerability.\",\"FindingProviderFields\":{\"Confidence\":42,\"Criticality\":99,\"RelatedFindings\":[{\"Id\":\"123e4567-e89b-12d3-a456-426655440000\",\"ProductArn\":\"arn:aws:securityhub:us-west-2::product/aws/guardduty\"}],\"Severity\":{\"Label\":\"MEDIUM\",\"Original\":\"MEDIUM\"},\"Types\":[\"Software and Configuration 
Checks/Vulnerabilities/CVE\"]},\"FirstObservedAt\":\"2017-03-22T13:22:13.933Z\",\"GeneratorId\":\"acme-vuln-9ab348\",\"Id\":\"us-west-2/111111111111/98aebb2207407c87f51e89943f12b1ef\",\"LastObservedAt\":\"2017-03-23T13:22:13.933Z\",\"Malware\":[{\"Name\":\"Stringler\",\"Path\":\"/usr/sbin/stringler\",\"State\":\"OBSERVED\",\"Type\":\"COIN_MINER\"}],\"Network\":{\"DestinationDomain\":\"example2.com\",\"DestinationIpV4\":\"1.128.0.0\",\"DestinationIpV6\":\"2a02:cf40::\",\"DestinationPort\":\"80\",\"Direction\":\"IN\",\"OpenPortRange\":{\"Begin\":443,\"End\":443},\"Protocol\":\"TCP\",\"SourceDomain\":\"example1.com\",\"SourceIpV4\":\"1.128.0.0\",\"SourceIpV6\":\"2a02:cf40::\",\"SourceMac\":\"00:0d:83:b1:c0:8e\",\"SourcePort\":\"42\"},\"NetworkPath\":[{\"ComponentId\":\"abc-01a234bc56d8901ee\",\"ComponentType\":\"AWS::EC2::InternetGateway\",\"Egress\":{\"Destination\":{\"Address\":[\"1.128.0.0/24\"],\"PortRanges\":[{\"Begin\":443,\"End\":443}]},\"Protocol\":\"TCP\",\"Source\":{\"Address\":[\"175.16.199.1/24\"]}},\"Ingress\":{\"Destination\":{\"Address\":[\"175.16.199.1/24\"],\"PortRanges\":[{\"Begin\":443,\"End\":443}]},\"Protocol\":\"TCP\",\"Source\":{\"Address\":[\"175.16.199.1/24\"]}}}],\"Note\":{\"Text\":\"Don't forget to check under the 
mat.\",\"UpdatedAt\":\"2018-08-31T00:15:09Z\",\"UpdatedBy\":\"jsmith\"},\"PatchSummary\":{\"FailedCount\":\"0\",\"Id\":\"pb-123456789098\",\"InstalledCount\":\"100\",\"InstalledOtherCount\":\"1023\",\"InstalledPendingReboot\":\"0\",\"InstalledRejectedCount\":\"0\",\"MissingCount\":\"100\",\"Operation\":\"Install\",\"OperationEndTime\":\"2018-09-27T23:39:31Z\",\"OperationStartTime\":\"2018-09-27T23:37:31Z\",\"RebootOption\":\"RebootIfNeeded\"},\"Process\":{\"LaunchedAt\":\"2018-09-27T22:37:31Z\",\"Name\":\"syslogd\",\"ParentPid\":56789,\"Path\":\"/usr/sbin/syslogd\",\"Pid\":12345,\"TerminatedAt\":\"2018-09-27T23:37:31Z\"},\"ProductArn\":\"arn:aws:securityhub:us-east-1:111111111111:product/111111111111/default\",\"ProductFields\":{\"Service_Name\":\"cloudtrail.amazonaws.com\",\"aws/inspector/AssessmentTargetName\":\"My prod env\",\"aws/inspector/AssessmentTemplateName\":\"My daily CVE assessment\",\"aws/inspector/RulesPackageName\":\"Common Vulnerabilities and Exposures\",\"generico/secure-pro/Count\":\"6\"},\"ProductName\":\"Security Hub\",\"RecordState\":\"ACTIVE\",\"Region\":\"us-east-1\",\"RelatedFindings\":[{\"Id\":\"123e4567-e89b-12d3-a456-426655440000\",\"ProductArn\":\"arn:aws:securityhub:us-west-2::product/aws/guardduty\"},{\"Id\":\"AcmeNerfHerder-111111111111-x189dx7824\",\"ProductArn\":\"arn:aws:securityhub:us-west-2::product/aws/guardduty\"}],\"Remediation\":{\"Recommendation\":{\"Text\":\"Run sudo yum update and cross your fingers and 
toes.\",\"Url\":\"http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html\"}},\"Resources\":[{\"Details\":{\"IamInstanceProfileArn\":\"arn:aws:iam::123456789012:role/IamInstanceProfileArn\",\"ImageId\":\"ami-79fd7eee\",\"IpV4Addresses\":[\"175.16.199.1\"],\"IpV6Addresses\":[\"2a02:cf40::\"],\"KeyName\":\"testkey\",\"LaunchedAt\":\"2018-09-29T01:25:54Z\",\"MetadataOptions\":{\"HttpEndpoint\":\"enabled\",\"HttpProtocolIpv6\":\"enabled\",\"HttpPutResponseHopLimit\":1,\"HttpTokens\":\"optional\",\"InstanceMetadataTags\":\"disabled\"},\"NetworkInterfaces\":[{\"NetworkInterfaceId\":\"eni-e5aa89a3\"}],\"SubnetId\":\"PublicSubnet\",\"Type\":\"i3.xlarge\",\"VirtualizationType\":\"hvm\",\"VpcId\":\"TestVPCIpv6\"},\"Id\":\"i-cafebabe\",\"Partition\":\"aws\",\"Region\":\"us-west-2\",\"Tags\":{\"billingCode\":\"Lotus-1-2-3\",\"needsPatching\":\"true\"},\"Type\":\"AwsEc2Instance\"}],\"Sample\":true,\"SchemaVersion\":\"2018-10-08\",\"Severity\":{\"Label\":\"CRITICAL\",\"Original\":\"8.3\"},\"SourceUrl\":\"http://threatintelweekly.org/backdoors/8888\",\"ThreatIntelIndicators\":[{\"Category\":\"BACKDOOR\",\"LastObservedAt\":\"2018-09-27T23:37:31Z\",\"Source\":\"Threat Intel Weekly\",\"SourceUrl\":\"http://threatintelweekly.org/backdoors/8888\",\"Type\":\"IPV4_ADDRESS\",\"Value\":\"175.16.199.1\"}],\"Threats\":[{\"FilePaths\":[{\"FileName\":\"b.txt\",\"FilePath\":\"/tmp/b.txt\",\"Hash\":\"sha256\",\"ResourceId\":\"arn:aws:ec2:us-west-2:123456789012:volume/vol-032f3bdd89aee112f\"}],\"ItemCount\":3,\"Name\":\"Iot.linux.mirai.vwisi\",\"Severity\":\"HIGH\"}],\"Title\":\"EC2.20 Both VPN tunnels for an AWS Site-to-Site VPN connection should be up\",\"Types\":[\"Software and Configuration Checks/Vulnerabilities/CVE\"],\"UpdatedAt\":\"2018-08-31T00:15:09Z\",\"UserDefinedFields\":{\"comeBackToLater\":\"Check this again on 
Monday\",\"reviewedByCio\":\"true\"},\"VerificationState\":\"UNKNOWN\",\"Vulnerabilities\":[{\"Cvss\":[{\"BaseScore\":4.7,\"BaseVector\":\"AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"Version\":\"V3\"},{\"BaseScore\":4.7,\"BaseVector\":\"AV:L/AC:M/Au:N/C:C/I:N/A:N\",\"Version\":\"V2\"}],\"Id\":\"CVE-2020-12345\",\"ReferenceUrls\":[\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12418\",\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17563\"],\"RelatedVulnerabilities\":[\"CVE-2020-12345\"],\"Vendor\":{\"Name\":\"Alas\",\"Url\":\"https://alas.aws.amazon.com/ALAS-2020-1337.html\",\"VendorCreatedAt\":\"2020-01-16T00:01:43Z\",\"VendorSeverity\":\"Medium\",\"VendorUpdatedAt\":\"2020-01-16T00:01:43Z\"},\"VulnerablePackages\":[{\"Architecture\":\"x86_64\",\"Epoch\":\"1\",\"Name\":\"openssl\",\"Release\":\"16.amzn2.0.3\",\"Version\":\"1.0.2k\"}]}],\"Workflow\":{\"Status\":\"NEW\"},\"WorkflowState\":\"NEW\"}", "type": [ "info" From 10809981f74088910c11176a405febb94b40cccc Mon Sep 17 00:00:00 2001 From: kcreddy Date: Wed, 30 Oct 2024 19:00:15 +0530 Subject: [PATCH 27/28] address pr comments --- packages/aws/changelog.yml | 2 +- .../elasticsearch/ingest_pipeline/default.yml | 3 ++- .../transform/latest_cdr_misconfigurations/fields/ecs.yml | 4 ---- 3 files changed, 3 insertions(+), 6 deletions(-) diff --git a/packages/aws/changelog.yml b/packages/aws/changelog.yml index 862a32c03f8..3cf08a281de 100644 --- a/packages/aws/changelog.yml +++ b/packages/aws/changelog.yml @@ -1,7 +1,7 @@ # newer versions go on top - version: "2.31.0" changes: - - description: Improve support for CDR in securityhub_findings data stream. + - description: Improve support for Cloud Detection and Response (CDR) workflows in securityhub_findings data stream. type: enhancement link: https://github.com/elastic/integrations/pull/11158 - version: "2.30.1" 
diff --git a/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml b/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml index 3cf450a5f70..74babc74698 100644 --- a/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml +++ b/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml @@ -571,13 +571,14 @@ processors: field: json.UpdatedAt if: ctx.json?.UpdatedAt != null && ctx.json.UpdatedAt != '' target_field: aws.securityhub_findings.updated_at + tag: date_updated_at formats: - ISO8601 - yyyy-MM-dd'T'HH:mm:ss.SSS'Z' on_failure: - append: field: error.message - value: '{{{_ingest.on_failure_message}}}' + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - set: field: '@timestamp' copy_from: aws.securityhub_findings.updated_at diff --git a/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/fields/ecs.yml b/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/fields/ecs.yml index 9d9dd64a507..3fd49771d2e 100644 --- a/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/fields/ecs.yml +++ b/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/fields/ecs.yml @@ -41,8 +41,6 @@ external: ecs - name: event.created external: ecs -- name: event.dataset - external: ecs - name: event.id external: ecs - name: event.ingested @@ -157,5 +155,3 @@ external: ecs - name: vulnerability.scanner.vendor external: ecs -- name: vulnerability.id - external: ecs From aafe9a93a42bcbde45a7c1c5b278e1fe45b98a1c Mon Sep 17 00:00:00 2001 
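Review bot: The tagged on_failure message for `date_updated_at` only records the parse error in `error.message`; whether a finding with a malformed `UpdatedAt` then survives ingestion depends on the `set '@timestamp'` processor that follows, whose `copy_from: aws.securityhub_findings.updated_at` now reads a field the failed date processor never wrote. That set's remaining options are outside the hunk, so it is worth confirming it carries `ignore_empty_value: true` (or an equivalent `if` guard); otherwise a bad timestamp fails the document on the set rather than degrading to an `error.message` entry, and the finding is lost to detection rules rather than surfaced. A one-line comment above the date processor would make the intended behaviour explicit, e.g. `# on parse failure updated_at stays unset; the '@timestamp' set below must tolerate that`. The `formats` list may also be simplified, since ES's `ISO8601` parser already accepts the fractional-seconds form listed second, but that is optional.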
From: kcreddy Date: Wed, 30 Oct 2024 21:08:56 +0530 Subject: [PATCH 28/28] address pr comments. Remove unnecessary `ignore_empty_value` option --- .../elasticsearch/ingest_pipeline/default.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml b/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml index 74babc74698..c205544f8ad 100644 --- a/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml +++ b/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml @@ -523,7 +523,6 @@ processors: tag: set_event_outcome_unknown value: unknown if: ctx.event?.outcome == null - ignore_empty_value: true - foreach: field: json.Compliance.StatusReasons processor: