aws.securityhub_findings: Improve support for CDR

packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/fields/agent.yml

@@ -0,0 +1,41 @@
+- name: cloud
+  title: Cloud
+  group: 2
+  description: Fields related to the cloud or infrastructure the events are coming from.
+  footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+  type: group
+  fields:
+    - name: image.id
+      type: keyword
+      description: Image ID for the cloud instance.
+- name: host
+  title: Host
+  group: 2
+  description: 'A host is defined as a general computing instance.
+
+    ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+  type: group
+  fields:
+    - name: containerized
+      type: boolean
+      description: >
+        If the host is a container.
+
+    - name: os.build
+      type: keyword
+      example: "18D109"
+      description: >
+        OS build information.
+
+    - name: os.codename
+      type: keyword
+      example: "stretch"
+      description: >
+        OS codename, if any.
+
+- name: input.type
+  type: keyword
+  description: Input type
+- name: log.offset
+  type: long
+  description: Log offset

packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/fields/base-fields.yml

@@ -0,0 +1,16 @@
+- name: data_stream.type
+  type: constant_keyword
+  description: Data stream type.
+- name: data_stream.dataset
+  type: constant_keyword
+  description: Data stream dataset.
+- name: data_stream.namespace
+  type: keyword
+  description: Data stream namespace.
+- name: event.module
+  type: constant_keyword
+  description: Event module.
+  value: aws
+- name: '@timestamp'
+  type: date
+  description: Event timestamp.

packages/aws/elasticsearch/transform/latest_cdr_misconfigurations/fields/ecs.yml

@@ -0,0 +1,159 @@
+# Define ECS constant fields as constant_keyword
+- name: cloud.provider
+  type: constant_keyword
+- name: event.kind
+  type: constant_keyword
+- name: observer.vendor
+  type: constant_keyword
+
+# Define ECS fields for transform
+- name: cloud.account.id
+  external: ecs
+- name: cloud.availability_zone
+  external: ecs
+- name: cloud.instance.id
+  external: ecs
+- name: cloud.instance.name
+  external: ecs
+- name: cloud.machine.type
+  external: ecs
+- name: cloud.project.id
+  external: ecs
+- name: cloud.region
+  external: ecs
+- name: cloud.service.name
+  external: ecs
+- name: destination.domain
+  external: ecs
+- name: destination.ip
+  external: ecs
+- name: destination.port
+  external: ecs
+- name: ecs.version
+  external: ecs
+- name: event.action
+  external: ecs
+- name: event.agent_id_status
+  external: ecs
+- name: event.category
+  external: ecs
+- name: event.created
+  external: ecs
+- name: event.dataset
+  external: ecs
+- name: event.id
+  external: ecs
+- name: event.ingested
+  external: ecs
+- name: event.original
+  external: ecs
+- name: event.outcome
+  external: ecs
+- name: event.severity
+  external: ecs
+- name: event.type
+  external: ecs
+- name: host.id
+  external: ecs
+- name: host.ip
+  external: ecs
+- name: host.name
+  external: ecs
+- name: network.direction
+  external: ecs
+- name: network.protocol
+  external: ecs
+- name: orchestrator.cluster.id
+  external: ecs
+- name: orchestrator.cluster.name
+  external: ecs
+- name: orchestrator.cluster.version
+  external: ecs
+- name: orchestrator.cluster.url
+  external: ecs
+- name: orchestrator.resource.id
+  external: ecs
+- name: orchestrator.resource.name
+  external: ecs
+- name: orchestrator.resource.type
+  external: ecs
+- name: organization.name
+  external: ecs
+- name: process.end
+  external: ecs
+- name: process.executable
+  external: ecs
+- name: process.name
+  external: ecs
+- name: process.parent.pid
+  external: ecs
+- name: process.pid
+  external: ecs
+- name: process.start
+  external: ecs
+- name: rule.ruleset
+  external: ecs
+- name: related.hash
+  external: ecs
+- name: related.hosts
+  external: ecs
+- name: related.ip
+  external: ecs
+- name: related.user
+  external: ecs
+- name: source.domain
+  external: ecs
+- name: source.ip
+  external: ecs
+- name: source.mac
+  external: ecs
+- name: source.port
+  external: ecs
+- name: tags
+  external: ecs
+- name: threat.indicator.last_seen
+  external: ecs
+- name: threat.indicator.type
+  external: ecs
+- name: threat.enrichments
+  external: ecs
+- name: url.domain
+  external: ecs
+- name: url.extension
+  external: ecs
+- name: url.fragment
+  external: ecs
+- name: url.full
+  external: ecs
+- name: url.original
+  external: ecs
+- name: url.password
+  external: ecs
+- name: url.path
+  external: ecs
+- name: url.port
+  external: ecs
+- name: url.query
+  external: ecs
+- name: url.registered_domain
+  external: ecs
+- name: url.scheme
+  external: ecs
+- name: url.subdomain
+  external: ecs
+- name: url.top_level_domain
+  external: ecs
+- name: url.username
+  external: ecs
+- name: user.id
+  external: ecs
+- name: user.name
+  external: ecs
+- name: vulnerability.id
+  external: ecs
+- name: vulnerability.reference
+  external: ecs
+- name: vulnerability.scanner.vendor
+  external: ecs
+- name: vulnerability.id
+  external: ecs