elastic · maxcold · Oct 30, 2024 · Sep 17, 2024 · Sep 17, 2024 · Sep 17, 2024
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.26.0"
+  changes:
+    - description: Improve support for CDR in securityhub_findings data stream.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/11158
 - version: "2.25.0-preview01"
   changes:
     - description: Add related.entity field.

@@ -0,0 +1,6 @@
+- name: cloud.provider
+  type: constant_keyword
+- name: event.kind
+  type: constant_keyword
+- name: observer.vendor
+  type: constant_keyword
@@ -271,6 +271,9 @@
     - name: compliance
       type: group
       fields:
+        - name: security_control_id
+          type: keyword
+          description: Unique identifier of a control across standards.
         - name: related_requirements
           type: keyword
           description: For a control, the industry or regulatory framework requirements that are related to the control.
@@ -289,6 +292,9 @@
     - name: confidence
       type: long
       description: A finding's confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify.
+    - name: processed_at
+      type: date
+      description: Indicates when AWS Security Hub received a finding and begins to process it.
     - name: created_at
       type: date
       description: Indicates when the security-findings provider created the potential security issue that a finding captured.

@@ -0,0 +1,11 @@
+- name: resource
+  type: group
+  fields:
+    - name: id
+      type: keyword
+    - name: name
+      type: keyword
+    - name: type
+      type: keyword
+    - name: sub_type
+      type: keyword
@@ -0,0 +1,16 @@
+- name: result
+  type: group
+  fields:
+    - name: evaluation
+      type: keyword
+    - name: evidence
+      type: group
+      fields:
+        - name: current_value
+          type: text
+        - name: expected_value
+          type: text
+        - name: configuration_path
+          type: text
+        - name: cloud_configuration_link
+          type: text
@@ -0,0 +1,17 @@
+- name: rule
+  type: group
+  fields:
+    - name: uuid
+      type: keyword
+    - name: id
+      type: keyword
+    - name: name
+      type: keyword
+    - name: description
+      type: text
+    - name: remediation
+      type: text
+    - name: references
+      type: text
+    - name: reference
+      type: text
@@ -526,6 +526,7 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur
 | aws.securityhub_findings.aws_account_id | The Amazon Web Services account ID that a finding is generated in. | keyword |
 | aws.securityhub_findings.company.name | The name of the company for the product that generated the finding. | keyword |
 | aws.securityhub_findings.compliance.related_requirements | For a control, the industry or regulatory framework requirements that are related to the control. | keyword |
+| aws.securityhub_findings.compliance.security_control_id | Unique identifier of a control across standards. | keyword |
 | aws.securityhub_findings.compliance.status | The result of a standards check. | keyword |
 | aws.securityhub_findings.compliance.status_reasons.description | The corresponding description for the status reason code. | keyword |
 | aws.securityhub_findings.compliance.status_reasons.reason_code | A code that represents a reason for the control status. | keyword |
@@ -590,6 +591,7 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur
 | aws.securityhub_findings.process.path | The path to the process executable. | keyword |
 | aws.securityhub_findings.process.pid | The process ID. | long |
 | aws.securityhub_findings.process.terminated_at | Indicates when the process was terminated. | date |
+| aws.securityhub_findings.processed_at | Indicates when AWS Security Hub received a finding and begins to process it. | date |
 | aws.securityhub_findings.product.arn | The ARN generated by Security Hub that uniquely identifies a product that generates findings. This can be the ARN for a third-party product that is integrated with Security Hub, or the ARN for a custom integration. | keyword |
 | aws.securityhub_findings.product.fields | A data type where security-findings providers can include additional solution-specific details that aren't part of the defined AwsSecurityFinding format. | flattened |
 | aws.securityhub_findings.product.name | The name of the product that generated the finding. | keyword |
@@ -651,15 +653,34 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur
 | aws.securityhub_findings.workflow.state | The workflow state of a finding. | keyword |
 | aws.securityhub_findings.workflow.status | The status of the investigation into the finding. | keyword |
 | cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.provider |  | constant_keyword |
 | data_stream.dataset | Data stream dataset. | constant_keyword |
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
+| event.kind |  | constant_keyword |
 | event.module | Event module. | constant_keyword |
 | host.containerized | If the host is a container. | boolean |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
 | input.type | Input type | keyword |
 | log.offset | Log offset | long |
+| observer.vendor |  | constant_keyword |
+| resource.id |  | keyword |
+| resource.name |  | keyword |
+| resource.sub_type |  | keyword |
+| resource.type |  | keyword |
+| result.evaluation |  | keyword |
+| result.evidence.cloud_configuration_link |  | text |
+| result.evidence.configuration_path |  | text |
+| result.evidence.current_value |  | text |
+| result.evidence.expected_value |  | text |
+| rule.description |  | text |
+| rule.id |  | keyword |
+| rule.name |  | keyword |
+| rule.reference |  | text |
+| rule.references |  | text |
+| rule.remediation |  | text |
+| rule.uuid |  | keyword |
 | url.user_info |  | keyword |