diff --git a/packages/wiz/_dev/build/docs/README.md b/packages/wiz/_dev/build/docs/README.md
index f59fd24f039..c5c662aac8d 100644
--- a/packages/wiz/_dev/build/docs/README.md
+++ b/packages/wiz/_dev/build/docs/README.md
@@ -1,10 +1,10 @@
 # Wiz
-Wiz continuously prioritizes critical risks based on a deep cloud analysis across misconfigurations, network exposure, secrets, vulnerabilities, malware, and identities to build a single prioritized view of risk for your cloud. This [Wiz](https://www.wiz.io/) integration enables you to consume and analyze Wiz data within Elastic Security, including issues, vulnerability data, cloud configuration findings and audit events, providing you with visibility and context for your cloud environments within Elastic Security.
+Wiz continuously prioritizes critical risks based on a deep cloud analysis across misconfigurations, network exposure, secrets, vulnerabilities, malware, and identities to build a single prioritized view of risk for your cloud. This [Wiz](https://www.wiz.io/) integration enables you to consume and analyze Wiz data within Elastic Security including issues, audit events, [misconfigurations](https://ela.st/cspm) and [vulnerabilities](https://ela.st/cnvm), providing you with visibility and context for your cloud environments within Elastic Security.
 ## Data streams
-The Wiz integration collects three types of data: Audit, Issue and Vulnerability.
+The Wiz integration collects four types of data: Audit, Cloud Configuration Finding, Issue and Vulnerability.
 Reference for [Graph APIs](https://integrate.wiz.io/reference/prerequisites) of Wiz.
diff --git a/packages/wiz/changelog.yml b/packages/wiz/changelog.yml
index 1d817ba776e..0aa541720b2 100644
--- a/packages/wiz/changelog.yml
+++ b/packages/wiz/changelog.yml
@@ -1,5 +1,5 @@
 # newer versions go on top
-- version: "1.9.0-preview07"
+- version: "2.0.0"
   changes:
     - description: Relax requirement for vulnerability score to be present.
       type: bugfix
@@ -7,31 +7,44 @@
     - description: Retain `cloudConfigurationRuleDescription` from `sourceRule`.
       type: enhancement
       link: https://github.com/elastic/integrations/pull/11488
-- version: "1.9.0-preview05"
-  changes:
+    - description: Add cloud.account.name mapping to latest_cdr_vulnerabilities transform destination.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/11414
+    - description: Default to resource id when provider_id is missing for resource.id field in cloud_configuration_finding data stream.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/11414
+    - description: Rely on external ecs for ESC fields. rule.reference, rule.descipriton and rule.remediation changed from text to keyword.
+      type: breaking-change
+      link: https://github.com/elastic/integrations/pull/11414
+    - description: Remove rule.references field and its mapping. Please use the ECS rule.reference field instead.
+      type: breaking-change
+      link: https://github.com/elastic/integrations/pull/11414
     - description: Increase retention on transfroms to 90 days.
       type: enhancement
       link: https://github.com/elastic/integrations/pull/11393
-- version: "1.9.0-preview04"
-  changes:
     - description: Update vulnerabilities mappings and ingest pipeline for better support in CDR.
       type: enhancement
       link: https://github.com/elastic/integrations/pull/11348
-- version: "1.9.0-preview03"
-  changes:
     - description: Add latest Transform to cloud_configuration_finding data stream to support CDR.
       type: enhancement
       link: https://github.com/elastic/integrations/pull/10965
-- version: "1.9.0-preview02"
-  changes:
     - description: Fix potential `got types.Null, expected iterable type` error.
       type: bugfix
       link: https://github.com/elastic/integrations/pull/11098
-- version: "1.9.0-preview01"
-  changes:
     - description: Add latest Transform to vulnerability data stream to support CDR
       type: enhancement
       link: https://github.com/elastic/integrations/pull/10895
+    - description: Add Cloud Configuration Finding to the list of data streams in README
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/11414
+- version: "1.8.2"
+  changes:
+    - description: Relax requirement for vulnerability score to be present.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/11489
+    - description: Retain `cloudConfigurationRuleDescription` from `sourceRule`.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/11489
 - version: "1.8.1"
   changes:
     - description: Fix potential `got types.Null, expected iterable type` error.
diff --git a/packages/wiz/data_stream/audit/fields/base-fields.yml b/packages/wiz/data_stream/audit/fields/base-fields.yml
index 5921423d7e9..fcddd1a5e0e 100644
--- a/packages/wiz/data_stream/audit/fields/base-fields.yml
+++ b/packages/wiz/data_stream/audit/fields/base-fields.yml
@@ -1,20 +1,16 @@
 - name: data_stream.type
-  type: constant_keyword
-  description: Data stream type.
+  external: ecs
 - name: data_stream.dataset
-  type: constant_keyword
-  description: Data stream dataset.
+  external: ecs
 - name: data_stream.namespace
-  type: constant_keyword
-  description: Data stream namespace.
+  external: ecs
 - name: event.module
+  external: ecs
   type: constant_keyword
-  description: Event module.
   value: wiz
 - name: event.dataset
+  external: ecs
   type: constant_keyword
-  description: Event dataset.
   value: wiz.audit
 - name: '@timestamp'
-  type: date
-  description: Event timestamp.
+  external: ecs
diff --git a/packages/wiz/data_stream/cloud_configuration_finding/_dev/test/pipeline/test-cloud-configuration-finding.log b/packages/wiz/data_stream/cloud_configuration_finding/_dev/test/pipeline/test-cloud-configuration-finding.log
index 24e72b8acac..28c8516df89 100644
--- a/packages/wiz/data_stream/cloud_configuration_finding/_dev/test/pipeline/test-cloud-configuration-finding.log
+++ b/packages/wiz/data_stream/cloud_configuration_finding/_dev/test/pipeline/test-cloud-configuration-finding.log
@@ -1,4 +1,7 @@ {"id":"bdeba988-f41b-55e6-9b99-96b8d3dc67d4","targetExternalId":"k8s/pod/da99fd668e64c2def251b1d48b7b69ad3129638787a0f9144a993fe30fd4554f/default/cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx","targetObjectProviderUniqueId":"cd971d74-92db-495c-8244-82da9a988fd0","firstSeenAt":"2023-06-12T11:38:07.900129Z","analyzedAt":"2023-06-12T11:38:07.900129Z","severity":"LOW","result":"FAIL","status":"OPEN","remediation":"Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \r\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . \r\n* `securityContext.capabilities.drop` key is set to `ALL`. \r\n","resource":{"id":"0e814bb7-29e8-5c15-be9c-8da42c67ee99","providerId":"provider-id-0e814bb7-29e8-5c15-be9c-8da42c67ee99","name":"cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx","nativeType":"Pod","type":"POD","region":null,"subscription":{"id":"a3a3cc43-1dfd-50f1-882e-692840d4a891","name":"Wiz - DEV Outpost","externalId":"cfd132be-3bc7-4f86-8efd-ed53ae498fec","cloudProvider":"Azure"},"projects":null,"tags":[{"key":"pod-template-hash","value":"8bc677d64"},{"key":"app.kubernetes.io/name","value":"azure-cluster-autoscaler"},{"key":"app.kubernetes.io/instance","value":"cluster-autoscaler"}]},"rule":{"id":"73553de7-f2ad-4ffb-b425-c69815033530","shortId":"Pod-32","graphId":"99ffeef7-75df-5c88-9265-5ab50ffbc2b9","name":"Pod should run containers with authorized additional capabilities (PSS Restricted)","description":"This rule is part of the Kubernetes [Pod Security Standards (PSS) restricted policies](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). \nThis rule checks whether the pod is running containers with authorized additional capabilities. 
\nThis rule fails if the `securityContext.capabilities.add` contains any capability beyond `NET_BIND_SERVICE` and if `securityContext.capabilities.drop` is not set to `ALL`. \nBy default, if the `securityContext.capabilities.add` key is not set, the pod will not run with additional capabilities, and the rule will pass. \nLinux capabilities allow granting certain privileges to a container without granting any unnecessary ones intended for the root user.","remediationInstructions":"Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \r\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . \r\n* `securityContext.capabilities.drop` key is set to `ALL`. \r\n","functionAsControl":false},"securitySubCategories":[{"id":"wsct-id-5206","title":"Container Security","category":{"id":"wct-id-423","name":"9 Container Security","framework":{"id":"wf-id-1","name":"Wiz"}}},{"id":"wsct-id-8176","title":"5.1 Containers should not run with additional capabilities","category":{"id":"wct-id-1295","name":"5 Capabilities","framework":{"id":"wf-id-57","name":"Kubernetes Pod Security Standards (Restricted)"}}},{"id":"wsct-id-8344","title":"Cluster misconfiguration","category":{"id":"wct-id-1169","name":"2 Container & Kubernetes Security","framework":{"id":"wf-id-53","name":"Wiz Detailed"}}}]} {"analyzedAt":"2024-08-07T12:55:52.012378Z","id":"1243196d-a365-589a-a8aa-13817c9877b2","remediation":null,"resource":{"id":"f0f4163d-cbd7-517c-ba9e-f96bb90ab5ea","name":"Root user","nativeType":"rootUser","providerId":"arn:aws:iam::998231069301:root","region":null,"cloudPlatform":"EKS","subscription":{"cloudProvider":"AWS","externalId":"998231069301","id":"94e76baa-85fd-5928-b829-1669a2ca9660","name":"wiz-integrations"},"tags":[],"type":"USER_ACCOUNT"},"result":"PASS","rule":{"description":"This rule checks if the AWS Root Account has access keys. 
\nThis rule fails if `AccountAccessKeysPresent` is not set to `0`. Note that it does not take into consideration the status of the keys if present. \nThe root account should avoid using access keys. Since the root account has full permissions across the entire account, creating access keys for it increases the chance that they will be compromised. Instead, it is recommended to create IAM users with predefined roles.\n>**Note** \nSee Cloud Configuration Rule `IAM-207` to see if the Root account's access keys are active.","id":"563ed717-4fb6-47fd-929e-9c794e201d0a","name":"Root account access keys should not exist","remediationInstructions":"Perform the following steps, while being signed in as the Root user, in order to delete the root user's access keys via AWS CLI: \n1. Use the following command to list the Root user's access keys. \nCopy the `AccessKeyId` from the output and paste it into the `access-key-id` value in the next step. \n```\naws iam list-access-keys\n```\n2. Use the following command to delete the access key(s). \n```\naws iam delete-access-key /\n --access-key-id \n```\n>**Note** \nOnce an access key is removed, any application using it will not work until a new one is configured for it.","shortId":"IAM-006"},"severity":"MEDIUM"} {"analyzedAt":"2024-08-15T11:41:17.517926Z","id":"6fe49e83-2f3a-5b62-99de-beae16c7bfae","remediation":null,"resource":{"id":"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f","name":"annam-vm","nativeType":"Microsoft.Compute/virtualMachines","providerId":"80045425-a0a9-4457-82c2-2c5f47419d83","region":"eastus","subscription":{"cloudProvider":"Azure","externalId":"434f3cbb-30f2-4bc0-8bba-cb080280652b","id":"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db","name":"partner integrations"},"tags":[],"type":"VIRTUAL_MACHINE"},"result":"PASS","rule":{"description":"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. 
\nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. \nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.","id":"56c8890d-ad68-4659-9414-fb0ed7258c31","name":"Virtual Machine should not be stopped (allocated) for more than a week","remediationInstructions":"Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```","shortId":"VirtualMachines-021"},"severity":"LOW","evidence":{"cloudConfigurationLink":"https://learn.microsoft.com/en-us/azure/virtual-machines/states-billing","configurationPath":null,"currentValue":"The VM is stopped(allocated) since 2024-08-15","expectedValue":"The VM should be used or deallocated"}} -{"analyzedAt":"2024-08-15T11:41:17.517926Z","id":"6fe49e83-2f3a-5b62-99de-beae16c7bfae","remediation":null,"resource":{"id":"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f","name":"annam-VM","nativeType":"Microsoft.Compute/virtualMachines","providerId":"80045425-a0a9-4457-82c2-2c5f47419d83","region":"eastus","subscription":{"cloudProvider":"Azure","externalId":"434f3cbb-30f2-4bc0-8bba-cb080280652b","id":"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db","name":"partner integrations"},"tags":[],"type":"VIRTUAL_MACHINE"},"result":"IN_PROGRESS","rule":{"description":"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. 
\nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. \nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.","id":"56c8890d-ad68-4659-9414-fb0ed7258c31","name":"Virtual Machine should not be stopped (allocated) for more than a week","remediationInstructions":"Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```","shortId":"VirtualMachines-021"},"severity":"LOW"} \ No newline at end of file +{"analyzedAt":"2024-08-15T11:41:17.517926Z","id":"6fe49e83-2f3a-5b62-99de-beae16c7bfae","remediation":null,"resource":{"id":"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f","name":"annam-VM","nativeType":"Microsoft.Compute/virtualMachines","providerId":"80045425-a0a9-4457-82c2-2c5f47419d83","region":"eastus","subscription":{"cloudProvider":"Azure","externalId":"434f3cbb-30f2-4bc0-8bba-cb080280652b","id":"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db","name":"partner integrations"},"tags":[],"type":"VIRTUAL_MACHINE"},"result":"IN_PROGRESS","rule":{"description":"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). 
This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. \nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.","id":"56c8890d-ad68-4659-9414-fb0ed7258c31","name":"Virtual Machine should not be stopped (allocated) for more than a week","remediationInstructions":"Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```","shortId":"VirtualMachines-021"},"severity":"LOW"} +{"analyzedAt":"2024-08-15T11:41:17.517926Z","id":"6fe49e83-2f3a-5b62-99de-beae16c7bfae","remediation":null,"resource":{"id":"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f","name":"annam-VM","nativeType":"Microsoft.Compute/virtualMachines","providerId":"80045425-a0a9-4457-82c2-2c5f47419d83","region":"eastus","subscription":{"cloudProvider":"Azure","externalId":"434f3cbb-30f2-4bc0-8bba-cb080280652b","id":"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db","name":"partner integrations"},"tags":[],"type":"VIRTUAL_MACHINE"},"result":"IN_PROGRESS","rule":{"description":"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. 
The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. \nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.","id":"56c8890d-ad68-4659-9414-fb0ed7258c31","name":"Virtual Machine should not be stopped (allocated) for more than a week","remediationInstructions":"Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```","shortId":"VirtualMachines-021"},"severity":"LOW"} +{"analyzedAt":"2024-08-15T11:41:17.517926Z","id":"6fe49e83-2f3a-5b62-99de-beae16c7bfae-empty-provider-id","remediation":null,"resource":{"id":"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f","name":"annam-VM","nativeType":"Microsoft.Compute/virtualMachines","providerId":"","region":"eastus","subscription":{"cloudProvider":"Azure","externalId":"434f3cbb-30f2-4bc0-8bba-cb080280652b","id":"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db","name":"partner integrations"},"tags":[],"type":"VIRTUAL_MACHINE"},"result":"IN_PROGRESS","rule":{"description":"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. 
\nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.","id":"56c8890d-ad68-4659-9414-fb0ed7258c31","name":"Virtual Machine should not be stopped (allocated) for more than a week","remediationInstructions":"Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```","shortId":"VirtualMachines-021"},"severity":"LOW"} +{"analyzedAt":"2024-08-15T11:41:17.517926Z","id":"6fe49e83-2f3a-5b62-99de-beae16c7bfae-missing-provider-id","remediation":null,"resource":{"id":"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f","name":"annam-VM","nativeType":"Microsoft.Compute/virtualMachines","region":"eastus","subscription":{"cloudProvider":"Azure","externalId":"434f3cbb-30f2-4bc0-8bba-cb080280652b","id":"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db","name":"partner integrations"},"tags":[],"type":"VIRTUAL_MACHINE"},"result":"IN_PROGRESS","rule":{"description":"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. 
\nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.","id":"56c8890d-ad68-4659-9414-fb0ed7258c31","name":"Virtual Machine should not be stopped (allocated) for more than a week","remediationInstructions":"Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```","shortId":"VirtualMachines-021"},"severity":"LOW"}
\ No newline at end of file
diff --git a/packages/wiz/data_stream/cloud_configuration_finding/_dev/test/pipeline/test-cloud-configuration-finding.log-expected.json b/packages/wiz/data_stream/cloud_configuration_finding/_dev/test/pipeline/test-cloud-configuration-finding.log-expected.json
index cc3a5c33a94..1086bd6abe3 100644
--- a/packages/wiz/data_stream/cloud_configuration_finding/_dev/test/pipeline/test-cloud-configuration-finding.log-expected.json
+++ b/packages/wiz/data_stream/cloud_configuration_finding/_dev/test/pipeline/test-cloud-configuration-finding.log-expected.json
@@ -212,7 +212,6 @@
 "id": "VirtualMachines-021",
 "name": "Virtual Machine should not be stopped (allocated) for more than a week",
 "reference": "https://learn.microsoft.com/en-us/azure/virtual-machines/states-billing",
- "references": "https://learn.microsoft.com/en-us/azure/virtual-machines/states-billing",
 "remediation": "Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```",
 "uuid": "56c8890d-ad68-4659-9414-fb0ed7258c31"
 },
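Review bot: The first added record on the new side of this hunk (`"id":"6fe49e83-2f3a-5b62-99de-beae16c7bfae"`, result `IN_PROGRESS`) appears to be a byte-for-byte repeat of the re-added line directly above it, so the fixture now carries the same event twice and the generated expected-output file grows by a duplicate document that exercises nothing new. Either drop the repeated line or give it a distinct suffix in `id` the way the other two additions do (`-empty-provider-id`, `-missing-provider-id`). Those two cases cover an empty string and an absent `providerId` but not a JSON `null`, which is the shape this same fixture already uses for `remediation` and `region`; a third variant with `"providerId":null` and an id such as `…-null-provider-id` (constructed) would pin the fallback to `resource.id` for that input as well. The fallback itself is implemented in the ingest pipeline, which is outside this diff, so its handling of `null` cannot be confirmed from here.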
@@ -333,6 +332,247 @@ } } } + }, + { + "@timestamp": "2024-08-15T11:41:17.517Z", + "cloud": { + "account": { + "id": "434f3cbb-30f2-4bc0-8bba-cb080280652b", + "name": "partner integrations" + }, + "provider": "azure", + "region": "eastus" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "configuration" + ], + "created": "2024-08-15T11:41:17.517Z", + "id": "6fe49e83-2f3a-5b62-99de-beae16c7bfae", + "kind": "state", + "original": "{\"analyzedAt\":\"2024-08-15T11:41:17.517926Z\",\"id\":\"6fe49e83-2f3a-5b62-99de-beae16c7bfae\",\"remediation\":null,\"resource\":{\"id\":\"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f\",\"name\":\"annam-VM\",\"nativeType\":\"Microsoft.Compute/virtualMachines\",\"providerId\":\"80045425-a0a9-4457-82c2-2c5f47419d83\",\"region\":\"eastus\",\"subscription\":{\"cloudProvider\":\"Azure\",\"externalId\":\"434f3cbb-30f2-4bc0-8bba-cb080280652b\",\"id\":\"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db\",\"name\":\"partner integrations\"},\"tags\":[],\"type\":\"VIRTUAL_MACHINE\"},\"result\":\"IN_PROGRESS\",\"rule\":{\"description\":\"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \\nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \\nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. 
\\nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.\",\"id\":\"56c8890d-ad68-4659-9414-fb0ed7258c31\",\"name\":\"Virtual Machine should not be stopped (allocated) for more than a week\",\"remediationInstructions\":\"Perform the following command to deallocate the VM via Azure CLI:\\n```\\naz vm deallocate \\\\\\n\\t--ids {{vmId}}\\n```\",\"shortId\":\"VirtualMachines-021\"},\"severity\":\"LOW\"}", + "outcome": "unknown", + "type": [ + "info" + ] + }, + "host": { + "name": "annam-vm" + }, + "message": "This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. \nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.", + "observer": { + "vendor": "Wiz" + }, + "resource": { + "id": "80045425-a0a9-4457-82c2-2c5f47419d83", + "name": "annam-VM", + "sub_type": "Microsoft.Compute/virtualMachines", + "type": "VIRTUAL_MACHINE" + }, + "result": { + "evaluation": "unknown" + }, + "rule": { + "description": "This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. 
\nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. \nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.", + "id": "VirtualMachines-021", + "name": "Virtual Machine should not be stopped (allocated) for more than a week", + "remediation": "Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```", + "uuid": "56c8890d-ad68-4659-9414-fb0ed7258c31" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "wiz": { + "cloud_configuration_finding": { + "analyzed_at": "2024-08-15T11:41:17.517Z", + "id": "6fe49e83-2f3a-5b62-99de-beae16c7bfae", + "resource": { + "id": "8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f", + "name": "annam-VM", + "native_type": "Microsoft.Compute/virtualMachines", + "provider_id": "80045425-a0a9-4457-82c2-2c5f47419d83", + "region": "eastus", + "subscription": { + "cloud_provider": "Azure", + "external_id": "434f3cbb-30f2-4bc0-8bba-cb080280652b", + "name": "partner integrations" + }, + "type": "VIRTUAL_MACHINE" + }, + "result": "IN_PROGRESS", + "rule": { + "description": "This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). 
This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. \nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.", + "id": "56c8890d-ad68-4659-9414-fb0ed7258c31", + "name": "Virtual Machine should not be stopped (allocated) for more than a week", + "remediation_instructions": "Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```", + "short_id": "VirtualMachines-021" + } + } + } + }, + { + "@timestamp": "2024-08-15T11:41:17.517Z", + "cloud": { + "account": { + "id": "434f3cbb-30f2-4bc0-8bba-cb080280652b", + "name": "partner integrations" + }, + "provider": "azure", + "region": "eastus" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "configuration" + ], + "created": "2024-08-15T11:41:17.517Z", + "id": "6fe49e83-2f3a-5b62-99de-beae16c7bfae-empty-provider-id", + "kind": "state", + "original": "{\"analyzedAt\":\"2024-08-15T11:41:17.517926Z\",\"id\":\"6fe49e83-2f3a-5b62-99de-beae16c7bfae-empty-provider-id\",\"remediation\":null,\"resource\":{\"id\":\"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f\",\"name\":\"annam-VM\",\"nativeType\":\"Microsoft.Compute/virtualMachines\",\"providerId\":\"\",\"region\":\"eastus\",\"subscription\":{\"cloudProvider\":\"Azure\",\"externalId\":\"434f3cbb-30f2-4bc0-8bba-cb080280652b\",\"id\":\"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db\",\"name\":\"partner integrations\"},\"tags\":[],\"type\":\"VIRTUAL_MACHINE\"},\"result\":\"IN_PROGRESS\",\"rule\":{\"description\":\"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. 
\\nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \\nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. \\nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.\",\"id\":\"56c8890d-ad68-4659-9414-fb0ed7258c31\",\"name\":\"Virtual Machine should not be stopped (allocated) for more than a week\",\"remediationInstructions\":\"Perform the following command to deallocate the VM via Azure CLI:\\n```\\naz vm deallocate \\\\\\n\\t--ids {{vmId}}\\n```\",\"shortId\":\"VirtualMachines-021\"},\"severity\":\"LOW\"}", + "outcome": "unknown", + "type": [ + "info" + ] + }, + "host": { + "name": "annam-vm" + }, + "message": "This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. 
\nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.", + "observer": { + "vendor": "Wiz" + }, + "resource": { + "id": "8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f", + "name": "annam-VM", + "sub_type": "Microsoft.Compute/virtualMachines", + "type": "VIRTUAL_MACHINE" + }, + "result": { + "evaluation": "unknown" + }, + "rule": { + "description": "This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. 
\nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.", + "id": "VirtualMachines-021", + "name": "Virtual Machine should not be stopped (allocated) for more than a week", + "remediation": "Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```", + "uuid": "56c8890d-ad68-4659-9414-fb0ed7258c31" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "wiz": { + "cloud_configuration_finding": { + "analyzed_at": "2024-08-15T11:41:17.517Z", + "id": "6fe49e83-2f3a-5b62-99de-beae16c7bfae-empty-provider-id", + "resource": { + "id": "8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f", + "name": "annam-VM", + "native_type": "Microsoft.Compute/virtualMachines", + "region": "eastus", + "subscription": { + "cloud_provider": "Azure", + "external_id": "434f3cbb-30f2-4bc0-8bba-cb080280652b", + "name": "partner integrations" + }, + "type": "VIRTUAL_MACHINE" + }, + "result": "IN_PROGRESS", + "rule": { + "description": "This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. 
\nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.", + "id": "56c8890d-ad68-4659-9414-fb0ed7258c31", + "name": "Virtual Machine should not be stopped (allocated) for more than a week", + "remediation_instructions": "Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```", + "short_id": "VirtualMachines-021" + } + } + } + }, + { + "@timestamp": "2024-08-15T11:41:17.517Z", + "cloud": { + "account": { + "id": "434f3cbb-30f2-4bc0-8bba-cb080280652b", + "name": "partner integrations" + }, + "provider": "azure", + "region": "eastus" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "configuration" + ], + "created": "2024-08-15T11:41:17.517Z", + "id": "6fe49e83-2f3a-5b62-99de-beae16c7bfae-missing-provider-id", + "kind": "state", + "original": "{\"analyzedAt\":\"2024-08-15T11:41:17.517926Z\",\"id\":\"6fe49e83-2f3a-5b62-99de-beae16c7bfae-missing-provider-id\",\"remediation\":null,\"resource\":{\"id\":\"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f\",\"name\":\"annam-VM\",\"nativeType\":\"Microsoft.Compute/virtualMachines\",\"region\":\"eastus\",\"subscription\":{\"cloudProvider\":\"Azure\",\"externalId\":\"434f3cbb-30f2-4bc0-8bba-cb080280652b\",\"id\":\"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db\",\"name\":\"partner integrations\"},\"tags\":[],\"type\":\"VIRTUAL_MACHINE\"},\"result\":\"IN_PROGRESS\",\"rule\":{\"description\":\"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \\nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \\nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). 
If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. \\nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.\",\"id\":\"56c8890d-ad68-4659-9414-fb0ed7258c31\",\"name\":\"Virtual Machine should not be stopped (allocated) for more than a week\",\"remediationInstructions\":\"Perform the following command to deallocate the VM via Azure CLI:\\n```\\naz vm deallocate \\\\\\n\\t--ids {{vmId}}\\n```\",\"shortId\":\"VirtualMachines-021\"},\"severity\":\"LOW\"}", + "outcome": "unknown", + "type": [ + "info" + ] + }, + "host": { + "name": "annam-vm" + }, + "message": "This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. 
\nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.", + "observer": { + "vendor": "Wiz" + }, + "resource": { + "id": "8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f", + "name": "annam-VM", + "sub_type": "Microsoft.Compute/virtualMachines", + "type": "VIRTUAL_MACHINE" + }, + "result": { + "evaluation": "unknown" + }, + "rule": { + "description": "This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. 
\nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.", + "id": "VirtualMachines-021", + "name": "Virtual Machine should not be stopped (allocated) for more than a week", + "remediation": "Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```", + "uuid": "56c8890d-ad68-4659-9414-fb0ed7258c31" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "wiz": { + "cloud_configuration_finding": { + "analyzed_at": "2024-08-15T11:41:17.517Z", + "id": "6fe49e83-2f3a-5b62-99de-beae16c7bfae-missing-provider-id", + "resource": { + "id": "8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f", + "name": "annam-VM", + "native_type": "Microsoft.Compute/virtualMachines", + "region": "eastus", + "subscription": { + "cloud_provider": "Azure", + "external_id": "434f3cbb-30f2-4bc0-8bba-cb080280652b", + "name": "partner integrations" + }, + "type": "VIRTUAL_MACHINE" + }, + "result": "IN_PROGRESS", + "rule": { + "description": "This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. 
\nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.", + "id": "56c8890d-ad68-4659-9414-fb0ed7258c31", + "name": "Virtual Machine should not be stopped (allocated) for more than a week", + "remediation_instructions": "Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```", + "short_id": "VirtualMachines-021" + } + } + } } ] -} \ No newline at end of file +} diff --git a/packages/wiz/data_stream/cloud_configuration_finding/elasticsearch/ingest_pipeline/default.yml b/packages/wiz/data_stream/cloud_configuration_finding/elasticsearch/ingest_pipeline/default.yml index d08cfbb0c58..a587f5652d7 100644 --- a/packages/wiz/data_stream/cloud_configuration_finding/elasticsearch/ingest_pipeline/default.yml +++ b/packages/wiz/data_stream/cloud_configuration_finding/elasticsearch/ingest_pipeline/default.yml @@ -195,9 +195,15 @@ processors: ignore_missing: true - set: field: resource.id - tag: set_resource_id + tag: set_resource_id_from_provider_id copy_from: wiz.cloud_configuration_finding.resource.provider_id ignore_empty_value: true + - set: + field: resource.id + tag: set_resource_id_from_resource_id + copy_from: wiz.cloud_configuration_finding.resource.id + ignore_empty_value: true + override: false # This ensures the value isn't overwritten if already set - rename: field: json.resource.name tag: rename_resource_name @@ -332,11 +338,6 @@ processors: tag: set_rule_reference copy_from: wiz.cloud_configuration_finding.evidence.cloud_configuration_link ignore_empty_value: true - - set: - field: rule.references - tag: set_rule_references - copy_from: wiz.cloud_configuration_finding.evidence.cloud_configuration_link - ignore_empty_value: true - remove: field: json tag: remove_json 
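Review bot: The new fallback `set` in the first hunk writes Wiz's internal resource id (a bare UUID such as `8a53b2d9-…` in the sample events) into the same `resource.id` field that otherwise carries the cloud provider's native identifier, so a resource whose `providerId` is empty or absent in one scan and populated in the next will be indexed under two unrelated identities. If `resource.id` is the key of the `latest_cdr_misconfigurations` transform (not visible in this diff), the first identity keeps its stale findings until retention expires and the same VM shows up twice in entity views. The processor should say so, e.g. `# Fallback to Wiz's internal resource id when the provider id is missing; this is a different identifier namespace, so one resource may surface under both ids across scans.`, and it is worth marking the fallback path (a tag or a dedicated field) so consumers can tell the two apart. The trailing comment `# This ensures the value isn't overwritten if already set` only restates `override: false`; the reason for the ordering belongs there instead.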
diff --git a/packages/wiz/data_stream/cloud_configuration_finding/fields/base-fields.yml b/packages/wiz/data_stream/cloud_configuration_finding/fields/base-fields.yml index 92b378a4c0f..5668b48bfdd 100644 --- a/packages/wiz/data_stream/cloud_configuration_finding/fields/base-fields.yml +++ b/packages/wiz/data_stream/cloud_configuration_finding/fields/base-fields.yml @@ -1,20 +1,16 @@ - name: data_stream.type - type: constant_keyword - description: Data stream type. + external: ecs - name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. + external: ecs - name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. + external: ecs - name: event.module + external: ecs type: constant_keyword - description: Event module. value: wiz - name: event.dataset + external: ecs type: constant_keyword - description: Event dataset. value: wiz.cloud_configuration_finding - name: '@timestamp' - type: date - description: Event timestamp. + external: ecs diff --git a/packages/wiz/data_stream/cloud_configuration_finding/fields/beats.yml b/packages/wiz/data_stream/cloud_configuration_finding/fields/beats.yml index b3701b581cf..415aa0612b1 100644 --- a/packages/wiz/data_stream/cloud_configuration_finding/fields/beats.yml +++ b/packages/wiz/data_stream/cloud_configuration_finding/fields/beats.yml @@ -5,5 +5,4 @@ type: long description: Log offset. - name: tags - type: keyword - description: User defined tags. + external: ecs diff --git a/packages/wiz/data_stream/cloud_configuration_finding/fields/rule.yml b/packages/wiz/data_stream/cloud_configuration_finding/fields/rule.yml index b9d505b971f..9def88f8fba 100644 --- a/packages/wiz/data_stream/cloud_configuration_finding/fields/rule.yml +++ b/packages/wiz/data_stream/cloud_configuration_finding/fields/rule.yml 
@@ -1,17 +1,5 @@ - name: rule type: group fields: - - name: uuid - type: keyword - - name: id - type: keyword - - name: name - type: keyword - - name: description - type: text - name: remediation - type: text - - name: references - type: text - - name: reference - type: text + type: keyword diff --git a/packages/wiz/data_stream/issue/fields/base-fields.yml b/packages/wiz/data_stream/issue/fields/base-fields.yml index 7f23b233b9b..52213c7dc37 100644 --- a/packages/wiz/data_stream/issue/fields/base-fields.yml +++ b/packages/wiz/data_stream/issue/fields/base-fields.yml @@ -1,20 +1,16 @@ - name: data_stream.type - type: constant_keyword - description: Data stream type. + external: ecs - name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. + external: ecs - name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. + external: ecs - name: event.module + external: ecs type: constant_keyword - description: Event module. value: wiz - name: event.dataset + external: ecs type: constant_keyword - description: Event dataset. value: wiz.issue - name: '@timestamp' - type: date - description: Event timestamp. + external: ecs diff --git a/packages/wiz/data_stream/vulnerability/fields/base-fields.yml b/packages/wiz/data_stream/vulnerability/fields/base-fields.yml index 328d461298b..d4fe331b892 100644 --- a/packages/wiz/data_stream/vulnerability/fields/base-fields.yml +++ b/packages/wiz/data_stream/vulnerability/fields/base-fields.yml 
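Review bot: This hunk removes the explicit declarations of `rule.uuid`, `rule.id`, `rule.name`, `rule.description` and `rule.reference` from the `cloud_configuration_finding` data stream, but nothing visible in the diff re-declares them as `external: ecs` for the data stream — only the transform's `rule.yml` does — and the regenerated docs table for this data stream now lists `rule.remediation` alone under `rule.*`, while the sample events still populate all five. If the package relies on the `ecs@mappings` component template to map them, that should be stated and the Kibana version constraint in `manifest.yml` (outside this diff) checked; otherwise these fields fall back to dynamic mapping, which would undo the `keyword` typing this change sets out to establish. A comment at the top of the file such as `# ECS rule.* fields are mapped via the ecs@mappings component template; only non-ECS rule fields are declared here.` would make the intent explicit. `rule.remediation` as `keyword` also holds multi-line markdown with shell snippets (see the sample events); confirm that fits the intended search/aggregation use and any `ignore_above` the index template applies.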
@@ -1,20 +1,16 @@ - name: data_stream.type - type: constant_keyword - description: Data stream type. + external: ecs - name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. + external: ecs - name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. + external: ecs - name: event.module + external: ecs type: constant_keyword - description: Event module. value: wiz - name: event.dataset + external: ecs type: constant_keyword - description: Event dataset. value: wiz.vulnerability - name: '@timestamp' - type: date - description: Event timestamp. + external: ecs diff --git a/packages/wiz/docs/README.md b/packages/wiz/docs/README.md index f1fb907b374..0ccd5b01a0c 100644 --- a/packages/wiz/docs/README.md +++ b/packages/wiz/docs/README.md 
@@ -1,10 +1,10 @@ # Wiz -Wiz continuously prioritizes critical risks based on a deep cloud analysis across misconfigurations, network exposure, secrets, vulnerabilities, malware, and identities to build a single prioritized view of risk for your cloud. This [Wiz](https://www.wiz.io/) integration enables you to consume and analyze Wiz data within Elastic Security, including issues, vulnerability data, cloud configuration findings and audit events, providing you with visibility and context for your cloud environments within Elastic Security. +Wiz continuously prioritizes critical risks based on a deep cloud analysis across misconfigurations, network exposure, secrets, vulnerabilities, malware, and identities to build a single prioritized view of risk for your cloud. This [Wiz](https://www.wiz.io/) integration enables you to consume and analyze Wiz data within Elastic Security including issues, audit events, [misconfigurations](https://ela.st/cspm) and [vulnerabilities](https://ela.st/cnvm), providing you with visibility and context for your cloud environments within Elastic Security. ## Data streams -The Wiz integration collects three types of data: Audit, Issue and Vulnerability. +The Wiz integration collects four types of data: Audit, Cloud Configuration Finding, Issue and Vulnerability. Reference for [Graph APIs](https://integrate.wiz.io/reference/prerequisites) of Wiz. 
@@ -183,12 +183,12 @@ An example event for `audit` looks as following: | Field | Description | Type | |---|---|---| -| @timestamp | Event timestamp. | date | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| event.dataset | Event dataset. | constant_keyword | -| event.module | Event module. | constant_keyword | +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.type | An overarching type for the data stream. 
Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | +| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword | +| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | constant_keyword | | input.type | Type of filebeat input. | keyword | | log.offset | Log offset. | long | | wiz.audit.action | | keyword | 
@@ -304,12 +304,12 @@ An example event for `cloud_configuration_finding` looks as following: | Field | Description | Type | |---|---|---| -| @timestamp | Event timestamp. | date | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| event.dataset | Event dataset. | constant_keyword | -| event.module | Event module. | constant_keyword | +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.type | An overarching type for the data stream. 
Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | +| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword | +| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | constant_keyword | | input.type | Type of filebeat input. | keyword | | log.offset | Log offset. | long | | resource.id | | keyword | @@ -321,14 +321,8 @@ An example event for `cloud_configuration_finding` looks as following: | result.evidence.configuration_path | | text | | result.evidence.current_value | | text | | result.evidence.expected_value | | text | -| rule.description | | text | -| rule.id | | keyword | -| rule.name | | keyword | -| rule.reference | | text | -| rule.references | | text | -| rule.remediation | | text | -| rule.uuid | | keyword | -| tags | User defined tags. | keyword | +| rule.remediation | | keyword | +| tags | List of keywords used to tag each event. | keyword | | wiz.cloud_configuration_finding.analyzed_at | | date | | wiz.cloud_configuration_finding.evidence.cloud_configuration_link | | text | | wiz.cloud_configuration_finding.evidence.configuration_path | | text | 
@@ -562,12 +556,12 @@ An example event for `issue` looks as following: | Field | Description | Type | |---|---|---| -| @timestamp | Event timestamp. | date | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| event.dataset | Event dataset. | constant_keyword | -| event.module | Event module. | constant_keyword | +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.type | An overarching type for the data stream. 
Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | +| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword | +| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | constant_keyword | | input.type | Type of filebeat input. | keyword | | log.offset | Log offset. | long | | wiz.issue.created_at | | date | 
@@ -835,12 +829,12 @@ An example event for `vulnerability` looks as following: | Field | Description | Type | |---|---|---| -| @timestamp | Event timestamp. | date | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| event.dataset | Event dataset. | constant_keyword | -| event.module | Event module. | constant_keyword | +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.type | An overarching type for the data stream. 
Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | +| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword | +| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | constant_keyword | | input.type | Type of filebeat input. | keyword | | log.offset | Log offset. | long | | package.fixed_version | | keyword | diff --git a/packages/wiz/elasticsearch/transform/latest_cdr_misconfigurations/fields/base-fields.yml b/packages/wiz/elasticsearch/transform/latest_cdr_misconfigurations/fields/base-fields.yml index 2ab117d5fa5..e18f46626aa 100644 --- a/packages/wiz/elasticsearch/transform/latest_cdr_misconfigurations/fields/base-fields.yml +++ b/packages/wiz/elasticsearch/transform/latest_cdr_misconfigurations/fields/base-fields.yml @@ -1,20 +1,17 @@ - name: data_stream.type - type: constant_keyword - description: Data stream type. + external: ecs - name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. + external: ecs - name: data_stream.namespace + external: ecs type: keyword - description: Data stream namespace. - name: event.module + external: ecs type: constant_keyword - description: Event module. value: wiz - name: event.dataset + external: ecs type: constant_keyword - description: Event dataset. value: wiz.cloud_configuration_finding - name: '@timestamp' - type: date - description: Event timestamp. + external: ecs 
diff --git a/packages/wiz/elasticsearch/transform/latest_cdr_misconfigurations/fields/beats.yml b/packages/wiz/elasticsearch/transform/latest_cdr_misconfigurations/fields/beats.yml index b3701b581cf..415aa0612b1 100644 --- a/packages/wiz/elasticsearch/transform/latest_cdr_misconfigurations/fields/beats.yml +++ b/packages/wiz/elasticsearch/transform/latest_cdr_misconfigurations/fields/beats.yml @@ -5,5 +5,4 @@ type: long description: Log offset. - name: tags - type: keyword - description: User defined tags. + external: ecs diff --git a/packages/wiz/elasticsearch/transform/latest_cdr_misconfigurations/fields/ecs.yml b/packages/wiz/elasticsearch/transform/latest_cdr_misconfigurations/fields/ecs.yml index 3984d4d7310..291b675502b 100644 --- a/packages/wiz/elasticsearch/transform/latest_cdr_misconfigurations/fields/ecs.yml +++ b/packages/wiz/elasticsearch/transform/latest_cdr_misconfigurations/fields/ecs.yml @@ -16,8 +16,6 @@ external: ecs - name: host.name external: ecs -- name: event.created - external: ecs - name: event.id external: ecs - name: event.kind @@ -29,4 +27,4 @@ - name: event.type external: ecs - name: observer.vendor - external: ecs \ No newline at end of file + external: ecs diff --git a/packages/wiz/elasticsearch/transform/latest_cdr_misconfigurations/fields/rule.yml b/packages/wiz/elasticsearch/transform/latest_cdr_misconfigurations/fields/rule.yml index b9d505b971f..e8ec481898b 100644 --- a/packages/wiz/elasticsearch/transform/latest_cdr_misconfigurations/fields/rule.yml +++ b/packages/wiz/elasticsearch/transform/latest_cdr_misconfigurations/fields/rule.yml @@ -2,16 +2,14 @@ type: group fields: - name: uuid - type: keyword + external: ecs - name: id - type: keyword + external: ecs - name: name - type: keyword + external: ecs - name: description - type: text - - name: remediation - type: text - - name: references - type: text + external: ecs - name: reference - type: text + external: ecs + - name: remediation + type: keyword 
diff --git a/packages/wiz/elasticsearch/transform/latest_cdr_misconfigurations/transform.yml b/packages/wiz/elasticsearch/transform/latest_cdr_misconfigurations/transform.yml index 73649720ab3..73f90c62902 100644 --- a/packages/wiz/elasticsearch/transform/latest_cdr_misconfigurations/transform.yml +++ b/packages/wiz/elasticsearch/transform/latest_cdr_misconfigurations/transform.yml @@ -27,4 +27,4 @@ _meta: managed: true # Bump this version to delete, reinstall, and restart the transform during package. # Version bump is needed if there is any code change in transform. - fleet_transform_version: 0.1.0 \ No newline at end of file + fleet_transform_version: 0.1.0 diff --git a/packages/wiz/elasticsearch/transform/latest_cdr_vulnerabilities/fields/base-fields.yml b/packages/wiz/elasticsearch/transform/latest_cdr_vulnerabilities/fields/base-fields.yml index 3ce68baca5c..d66d1568b38 100644 --- a/packages/wiz/elasticsearch/transform/latest_cdr_vulnerabilities/fields/base-fields.yml +++ b/packages/wiz/elasticsearch/transform/latest_cdr_vulnerabilities/fields/base-fields.yml @@ -1,20 +1,17 @@ - name: data_stream.type - type: constant_keyword - description: Data stream type. + external: ecs - name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. + external: ecs - name: data_stream.namespace + external: ecs type: keyword - description: Data stream namespace. - name: event.module + external: ecs type: constant_keyword - description: Event module. value: wiz - name: event.dataset + external: ecs type: constant_keyword - description: Event dataset. value: wiz.vulnerability - name: '@timestamp' - type: date - description: Event timestamp. + external: ecs diff --git a/packages/wiz/elasticsearch/transform/latest_cdr_vulnerabilities/fields/fields.yml b/packages/wiz/elasticsearch/transform/latest_cdr_vulnerabilities/fields/fields.yml index f263924d836..0fe162663eb 100644 
--- a/packages/wiz/elasticsearch/transform/latest_cdr_vulnerabilities/fields/fields.yml +++ b/packages/wiz/elasticsearch/transform/latest_cdr_vulnerabilities/fields/fields.yml @@ -1,5 +1,7 @@ - name: cloud.account.id external: ecs +- name: cloud.account.name + external: ecs - name: cloud.region external: ecs - name: package.name @@ -20,8 +22,6 @@ external: ecs - name: host.os.family external: ecs -- name: package.name - external: ecs - name: user.name external: ecs - name: cloud.availability_zone diff --git a/packages/wiz/img/wiz-context-entity-flyout.png b/packages/wiz/img/wiz-context-entity-flyout.png new file mode 100644 index 00000000000..276c0378902 Binary files /dev/null and b/packages/wiz/img/wiz-context-entity-flyout.png differ diff --git a/packages/wiz/img/wiz-misconfiguration-findings.png b/packages/wiz/img/wiz-misconfiguration-findings.png new file mode 100644 index 00000000000..998a439ad8f Binary files /dev/null and b/packages/wiz/img/wiz-misconfiguration-findings.png differ diff --git a/packages/wiz/manifest.yml b/packages/wiz/manifest.yml index dc402d76999..d48b6f1ba43 100644 --- a/packages/wiz/manifest.yml +++ b/packages/wiz/manifest.yml @@ -1,7 +1,7 @@ format_version: 3.0.2 name: wiz title: Wiz -version: "1.9.0-preview07" +version: "2.0.0" description: Collect logs from Wiz with Elastic Agent. type: integration categories: @@ -29,6 +29,14 @@ screenshots: title: Wiz Cloud Configuration Finding Dashboard Screenshot size: 600x600 type: image/png + - src: /img/wiz-misconfiguration-findings.png + title: Misconfiguration Findings view with Wiz data in Elastic Security Screenshot + size: 600x600 + type: image/png + - src: /img/wiz-context-entity-flyout.png + title: Misconfiguration Findings view with Wiz data in Elastic Security Screenshot + size: 600x600 + type: image/png icons: - src: /img/wiz-logo.svg title: Wiz logo
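Review bot: In the `manifest.yml` hunk the second screenshot entry (`/img/wiz-context-entity-flyout.png`) carries the same `title` as the first, `Misconfiguration Findings view with Wiz data in Elastic Security Screenshot`, which looks like a copy-paste slip since the file name describes an entity flyout. Give it its own title, presumably along the lines of `title: Entity flyout with Wiz context in Elastic Security Screenshot`, so the two screenshots are distinguishable in the integration listing. The `size: 600x600` value is also duplicated from the existing entries; confirm it matches the actual image dimensions, which are not visible here.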