Add Latest Transform - Wiz Vulnerabilities

packages/wiz/changelog.yml

@@ -1,9 +1,14 @@
 # newer versions go on top
+- version: "1.9.0-preview01"
+  changes:
+    - description: Add latest Transform to vulnerability data stream to support CDR
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/10895
 - version: "1.8.0"
   changes:
     - description: Add host.name for the vulnerability data stream.
       type: enhancement
-      link: https://github.com/elastic/integrations/pull/10936
+      link: https://github.com/elastic/integrations/pull/10997
 - version: "1.7.2"
   changes:
     - description: Add cloud_configuration_finding dashboard screendshot.

packages/wiz/data_stream/vulnerability/_dev/test/pipeline/test-vulnerability.log-expected.json

@@ -3,6 +3,9 @@
         {
             "@timestamp": "2023-08-16T18:40:57.000Z",
             "cloud": {
+                "account": {
+                    "name": "wiz-integrations"
+                },
                 "provider": "AWS",
                 "region": "us-east-1"
             },

packages/wiz/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml

@@ -602,6 +602,11 @@ processors:
       tag: set_vulnerability_cwe
       copy_from: vulnerability.id
       ignore_empty_value: true
+  - set:
+      field: cloud.account.name
+      tag: set_cloud_account_name
+      copy_from: wiz.vulnerability.vulnerable_asset.subscription.name
+      ignore_empty_value: true
   - set:
       field: observer.vendor
       tag: set_observer_vendor

packages/wiz/data_stream/vulnerability/sample_event.json

@@ -1,19 +1,22 @@
 {
     "@timestamp": "2023-08-16T18:40:57.000Z",
     "agent": {
-        "ephemeral_id": "9f9d5cc1-34a2-4955-9ad0-9cab501b9f08",
-        "id": "9ad264fd-a56f-4427-beb9-158a3b677210",
-        "name": "elastic-agent-74482",
+        "ephemeral_id": "a3854b6d-49eb-4205-9d2e-1f48033efae0",
+        "id": "1ec8140c-1117-4b91-8a6b-737e424d356a",
+        "name": "elastic-agent-90122",
         "type": "filebeat",
         "version": "8.14.3"
     },
     "cloud": {
+        "account": {
+            "name": "wiz-integrations"
+        },
         "provider": "AWS",
         "region": "us-east-1"
     },
     "data_stream": {
         "dataset": "wiz.vulnerability",
-        "namespace": "84866",
+        "namespace": "22916",
         "type": "logs"
     },
     "device": {
@@ -23,7 +26,7 @@
         "version": "8.11.0"
     },
     "elastic_agent": {
-        "id": "9ad264fd-a56f-4427-beb9-158a3b677210",
+        "id": "1ec8140c-1117-4b91-8a6b-737e424d356a",
         "snapshot": false,
         "version": "8.14.3"
     },
@@ -33,7 +36,7 @@
             "vulnerability"
         ],
         "dataset": "wiz.vulnerability",
-        "ingested": "2024-09-08T09:53:18Z",
+        "ingested": "2024-09-10T07:01:34Z",
         "kind": "alert",
         "original": "{\"CVEDescription\":\"In LibTIFF, there is a memory malloc failure in tif_pixarlog.c. A crafted TIFF document can lead to an abort, resulting in a remote denial of service attack.\",\"CVSSSeverity\":\"MEDIUM\",\"dataSourceName\":\"data Source\",\"description\":\"Thepackage`libtiff`version`4.0.3-35.amzn2`wasdetectedin`YUMpackagemanager`onamachinerunning`Amazon2(Karoo)`isvulnerableto`CVE-2020-35522`,whichexistsinversions`\\u003c4.0.3-35.amzn2.0.1`.\\n\\nThevulnerabilitywasfoundinthe[OfficialAmazonLinuxSecurityAdvisories](https://alas.aws.amazon.com/AL2/ALAS-2022-1780.html)withvendorseverity:`Medium`([NVD](https://nvd.nist.gov/vuln/detail/CVE-2020-35522)severity:`Medium`).\\n\\nThevulnerabilitycanberemediatedbyupdatingthepackagetoversion`4.0.3-35.amzn2.0.1`orhigher,using`yumupdatelibtiff`.\",\"detailedName\":\"libtiff\",\"detectionMethod\":\"PACKAGE\",\"epssPercentile\":46.2,\"epssProbability\":0.1,\"epssSeverity\":\"LOW\",\"exploitabilityScore\":1.8,\"firstDetectedAt\":\"2022-05-01T11:36:10.063767Z\",\"fixedVersion\":\"4.0.3-35.amzn2.0.1\",\"hasCisaKevExploit\":false,\"hasExploit\":false,\"id\":\"5e95ff50-5490-514e-87f7-11e56f3230ff\",\"ignoreRules\":{\"enabled\":true,\"expiredAt\":\"2023-08-16T18:40:57Z\",\"id\":\"aj3jqtvnaf\",\"name\":\"abc\"},\"impactScore\":3.6,\"lastDetectedAt\":\"2023-08-16T18:40:57Z\",\"layerMetadata\":{\"details\":\"xxxx\",\"id\":\"5e95ff50-5490-514e-87f7-11e56f3230ff\",\"isBaseLayer\":true},\"link\":\"https://alas.aws.amazon.com/AL2/ALAS-2022-1780.html\",\"locationPath\":\"package/library/file\",\"name\":\"CVE-2020-3333\",\"portalUrl\":\"https://app.wiz.io/explorer/vulnerability-findings#~(entity~(~'xxx-xxx*2cSECURITY_TOOL_FINDING))\",\"projects\":[{\"businessUnit\":\"\",\"id\":\"83b76efe-a7b6-5762-8a53-8e8f59e68bd8\",\"name\":\"Project2\",\"riskProfile\":{\"businessImpact\":\"MBI\"},\"slug\":\"project-2\"},{\"businessUnit\":\"Dev\",\"id\":\"af52828c-4eb1-5c4e-847c-ebc3a5ead531\",\"name\":\"project4\",\"riskProfile\":{\"businessImpact\":\"MBI\"},\"slug\":\"project-4\"},{\"businessUnit\":\"Dev\",\"id\":\"d6ac50bb-aec0-52fc-80ab-bacd7b02f178\",\"name\":\"Project1\",\"riskProfile\":{\"businessImpact\":\"MBI\"},\"slug\":\"project1\"}],\"remediation\":\"yumupdatelibtiff\",\"resolutionReason\":\"resolutionReason\",\"resolvedAt\":\"2023-08-16T18:40:57Z\",\"score\":5.5,\"status\":\"OPEN\",\"validatedInRuntime\":true,\"vendorSeverity\":\"MEDIUM\",\"version\":\"4.0.3-35.amzn2\",\"vulnerableAsset\":{\"cloudPlatform\":\"AWS\",\"cloudProviderURL\":\"https://us-east-1.console.aws.amazon.com/ec2/v2/home?region=us-east-1#InstanceDetails:instanceId=i-0a0f7e1451da5f4a3\",\"hasLimitedInternetExposure\":true,\"hasWideInternetExposure\":true,\"id\":\"c828de0d-4c42-5b1c-946b-2edee094d0b3\",\"ipAddresses\":[\"89.160.20.112\",\"89.160.20.128\"],\"isAccessibleFromOtherSubscriptions\":false,\"isAccessibleFromOtherVnets\":false,\"isAccessibleFromVPN\":false,\"name\":\"test-4\",\"operatingSystem\":\"Linux\",\"providerUniqueId\":\"arn:aws:ec2:us-east-1:998231069301:instance/i-0a0f7e1451da5f4a3\",\"region\":\"us-east-1\",\"status\":\"Active\",\"subscriptionExternalId\":\"998231069301\",\"subscriptionId\":\"94e76baa-85fd-5928-b829-1669a2ca9660\",\"subscriptionName\":\"wiz-integrations\",\"tags\":{\"Name\":\"test-4\"},\"type\":\"VIRTUAL_MACHINE\"}}",
         "type": [

packages/wiz/docs/README.md

@@ -630,19 +630,22 @@ An example event for `vulnerability` looks as following:
 {
     "@timestamp": "2023-08-16T18:40:57.000Z",
     "agent": {
-        "ephemeral_id": "9f9d5cc1-34a2-4955-9ad0-9cab501b9f08",
-        "id": "9ad264fd-a56f-4427-beb9-158a3b677210",
-        "name": "elastic-agent-74482",
+        "ephemeral_id": "a3854b6d-49eb-4205-9d2e-1f48033efae0",
+        "id": "1ec8140c-1117-4b91-8a6b-737e424d356a",
+        "name": "elastic-agent-90122",
         "type": "filebeat",
         "version": "8.14.3"
     },
     "cloud": {
+        "account": {
+            "name": "wiz-integrations"
+        },
         "provider": "AWS",
         "region": "us-east-1"
     },
     "data_stream": {
         "dataset": "wiz.vulnerability",
-        "namespace": "84866",
+        "namespace": "22916",
         "type": "logs"
     },
     "device": {
@@ -652,7 +655,7 @@ An example event for `vulnerability` looks as following:
         "version": "8.11.0"
     },
     "elastic_agent": {
-        "id": "9ad264fd-a56f-4427-beb9-158a3b677210",
+        "id": "1ec8140c-1117-4b91-8a6b-737e424d356a",
         "snapshot": false,
         "version": "8.14.3"
     },
@@ -662,7 +665,7 @@ An example event for `vulnerability` looks as following:
             "vulnerability"
         ],
         "dataset": "wiz.vulnerability",
-        "ingested": "2024-09-08T09:53:18Z",
+        "ingested": "2024-09-10T07:01:34Z",
         "kind": "alert",
         "original": "{\"CVEDescription\":\"In LibTIFF, there is a memory malloc failure in tif_pixarlog.c. A crafted TIFF document can lead to an abort, resulting in a remote denial of service attack.\",\"CVSSSeverity\":\"MEDIUM\",\"dataSourceName\":\"data Source\",\"description\":\"Thepackage`libtiff`version`4.0.3-35.amzn2`wasdetectedin`YUMpackagemanager`onamachinerunning`Amazon2(Karoo)`isvulnerableto`CVE-2020-35522`,whichexistsinversions`\\u003c4.0.3-35.amzn2.0.1`.\\n\\nThevulnerabilitywasfoundinthe[OfficialAmazonLinuxSecurityAdvisories](https://alas.aws.amazon.com/AL2/ALAS-2022-1780.html)withvendorseverity:`Medium`([NVD](https://nvd.nist.gov/vuln/detail/CVE-2020-35522)severity:`Medium`).\\n\\nThevulnerabilitycanberemediatedbyupdatingthepackagetoversion`4.0.3-35.amzn2.0.1`orhigher,using`yumupdatelibtiff`.\",\"detailedName\":\"libtiff\",\"detectionMethod\":\"PACKAGE\",\"epssPercentile\":46.2,\"epssProbability\":0.1,\"epssSeverity\":\"LOW\",\"exploitabilityScore\":1.8,\"firstDetectedAt\":\"2022-05-01T11:36:10.063767Z\",\"fixedVersion\":\"4.0.3-35.amzn2.0.1\",\"hasCisaKevExploit\":false,\"hasExploit\":false,\"id\":\"5e95ff50-5490-514e-87f7-11e56f3230ff\",\"ignoreRules\":{\"enabled\":true,\"expiredAt\":\"2023-08-16T18:40:57Z\",\"id\":\"aj3jqtvnaf\",\"name\":\"abc\"},\"impactScore\":3.6,\"lastDetectedAt\":\"2023-08-16T18:40:57Z\",\"layerMetadata\":{\"details\":\"xxxx\",\"id\":\"5e95ff50-5490-514e-87f7-11e56f3230ff\",\"isBaseLayer\":true},\"link\":\"https://alas.aws.amazon.com/AL2/ALAS-2022-1780.html\",\"locationPath\":\"package/library/file\",\"name\":\"CVE-2020-3333\",\"portalUrl\":\"https://app.wiz.io/explorer/vulnerability-findings#~(entity~(~'xxx-xxx*2cSECURITY_TOOL_FINDING))\",\"projects\":[{\"businessUnit\":\"\",\"id\":\"83b76efe-a7b6-5762-8a53-8e8f59e68bd8\",\"name\":\"Project2\",\"riskProfile\":{\"businessImpact\":\"MBI\"},\"slug\":\"project-2\"},{\"businessUnit\":\"Dev\",\"id\":\"af52828c-4eb1-5c4e-847c-ebc3a5ead531\",\"name\":\"project4\",\"riskProfile\":{\"businessImpact\":\"MBI\"},\"slug\":\"project-4\"},{\"businessUnit\":\"Dev\",\"id\":\"d6ac50bb-aec0-52fc-80ab-bacd7b02f178\",\"name\":\"Project1\",\"riskProfile\":{\"businessImpact\":\"MBI\"},\"slug\":\"project1\"}],\"remediation\":\"yumupdatelibtiff\",\"resolutionReason\":\"resolutionReason\",\"resolvedAt\":\"2023-08-16T18:40:57Z\",\"score\":5.5,\"status\":\"OPEN\",\"validatedInRuntime\":true,\"vendorSeverity\":\"MEDIUM\",\"version\":\"4.0.3-35.amzn2\",\"vulnerableAsset\":{\"cloudPlatform\":\"AWS\",\"cloudProviderURL\":\"https://us-east-1.console.aws.amazon.com/ec2/v2/home?region=us-east-1#InstanceDetails:instanceId=i-0a0f7e1451da5f4a3\",\"hasLimitedInternetExposure\":true,\"hasWideInternetExposure\":true,\"id\":\"c828de0d-4c42-5b1c-946b-2edee094d0b3\",\"ipAddresses\":[\"89.160.20.112\",\"89.160.20.128\"],\"isAccessibleFromOtherSubscriptions\":false,\"isAccessibleFromOtherVnets\":false,\"isAccessibleFromVPN\":false,\"name\":\"test-4\",\"operatingSystem\":\"Linux\",\"providerUniqueId\":\"arn:aws:ec2:us-east-1:998231069301:instance/i-0a0f7e1451da5f4a3\",\"region\":\"us-east-1\",\"status\":\"Active\",\"subscriptionExternalId\":\"998231069301\",\"subscriptionId\":\"94e76baa-85fd-5928-b829-1669a2ca9660\",\"subscriptionName\":\"wiz-integrations\",\"tags\":{\"Name\":\"test-4\"},\"type\":\"VIRTUAL_MACHINE\"}}",
         "type": [

packages/wiz/elasticsearch/transform/latest_cdr_vulnerabilities/fields/base-fields.yml

@@ -0,0 +1,20 @@
+- name: data_stream.type
+  type: constant_keyword
+  description: Data stream type.
+- name: data_stream.dataset
+  type: constant_keyword
+  description: Data stream dataset.
+- name: data_stream.namespace
+  type: keyword
+  description: Data stream namespace.
+- name: event.module
+  type: constant_keyword
+  description: Event module.
+  value: wiz
+- name: event.dataset
+  type: constant_keyword
+  description: Event dataset.
+  value: wiz.vulnerability
+- name: '@timestamp'
+  type: date
+  description: Event timestamp.

packages/wiz/elasticsearch/transform/latest_cdr_vulnerabilities/fields/beats.yml

@@ -0,0 +1,6 @@
+- name: input.type
+  type: keyword
+  description: Type of filebeat input.
+- name: log.offset
+  type: long
+  description: Log offset.

packages/wiz/elasticsearch/transform/latest_cdr_vulnerabilities/fields/fields.yml

@@ -0,0 +1,200 @@
+- name: cloud.account.id
+  external: ecs
+- name: cloud.region
+  external: ecs
+- name: package.name
+  external: ecs
+- name: package.version
+  external: ecs
+- name: vulnerability.description
+  external: ecs
+- name: vulnerability.id
+  external: ecs
+- name: vulnerability.score.base
+  external: ecs
+- name: vulnerability.score.version
+  external: ecs
+- name: vulnerability.severity
+  external: ecs
+- name: wiz
+  type: group
+  fields:
+    - name: vulnerability
+      type: group
+      fields:
+        - name: cve_description
+          type: keyword
+        - name: cvss_severity
+          type: keyword
+        - name: data_source_name
+          type: keyword
+        - name: description
+          type: keyword
+        - name: detailed_name
+          type: keyword
+        - name: detection_method
+          type: keyword
+        - name: epss
+          type: group
+          fields:
+            - name: percentile
+              type: double
+            - name: probability
+              type: double
+            - name: severity
+              type: keyword
+        - name: exploitability_score
+          type: double
+        - name: first_detected_at
+          type: date
+        - name: fixed_version
+          type: keyword
+        - name: has_cisa_kev_exploit
+          type: boolean
+        - name: has_exploit
+          type: boolean
+        - name: id
+          type: keyword
+        - name: ignore_rules
+          type: group
+          fields:
+            - name: enabled
+              type: boolean
+            - name: expired_at
+              type: date
+            - name: id
+              type: keyword
+            - name: name
+              type: keyword
+        - name: impact_score
+          type: double
+        - name: last_detected_at
+          type: date
+        - name: layer_metadata
+          type: group
+          fields:
+            - name: details
+              type: keyword
+            - name: id
+              type: keyword
+            - name: is_base_layer
+              type: boolean
+        - name: link
+          type: keyword
+        - name: location_path
+          type: keyword
+        - name: name
+          type: keyword
+        - name: portal_url
+          type: keyword
+        - name: projects
+          type: group
+          fields:
+            - name: business_unit
+              type: keyword
+            - name: id
+              type: keyword
+            - name: name
+              type: keyword
+            - name: risk_profile
+              type: group
+              fields:
+                - name: business_impact
+                  type: keyword
+            - name: slug
+              type: keyword
+        - name: remedation
+          type: keyword
+        - name: resolution_reason
+          type: keyword
+        - name: resolved_at
+          type: date
+        - name: score
+          type: double
+        - name: status
+          type: keyword
+        - name: validated_in_runtime
+          type: boolean
+        - name: vendor_severity
+          type: keyword
+        - name: version
+          type: keyword
+        - name: vulnerable_asset
+          type: group
+          fields:
+            - name: cloud
+              type: group
+              fields:
+                - name: platform
+                  type: keyword
+                - name: provider_url
+                  type: keyword
+            - name: has_limited_internet_exposure
+              type: boolean
+            - name: has_wide_internet_exposure
+              type: boolean
+            - name: id
+              type: keyword
+            - name: ip_addresses
+              type: ip
+            - name: is_accessible_from
+              type: group
+              fields:
+                - name: other_subscriptions
+                  type: boolean
+                - name: other_vnets
+                  type: boolean
+                - name: vpn
+                  type: boolean
+            - name: name
+              type: keyword
+            - name: operating_system
+              type: keyword
+            - name: provider_unique_id
+              type: keyword
+            - name: region
+              type: keyword
+            - name: status
+              type: keyword
+            - name: subscription
+              type: group
+              fields:
+                - name: external_id
+                  type: keyword
+                - name: id
+                  type: keyword
+                - name: name
+                  type: keyword
+            - name: tags
+              type: group
+              fields:
+                - name: name
+                  type: keyword
+            - name: type
+              type: keyword
+- name: vulnerability
+  type: group
+  fields:
+    - name: cwe
+      type: keyword
+    - name: package
+      type: group
+      fields:
+        - name: version
+          type: keyword
+        - name: fixed_version
+          type: keyword
+        - name: name
+          type: keyword
+- name: resource
+  type: group
+  fields:
+    - name: id
+      type: keyword
+    - name: name
+      type: keyword
+- name: package
+  type: group
+  fields:
+    - name: fixed_version
+      type: keyword

packages/wiz/elasticsearch/transform/latest_cdr_vulnerabilities/transform.yml

@@ -0,0 +1,32 @@
+source:
+  index:
+    - "logs-wiz.vulnerability-*"
+dest:
+  index: "security_solution-wiz.vulnerability_latest-v1"
+  aliases:
+    - alias: "security_solution-wiz.vulnerability_latest"
+      move_on_creation: true
+latest:
+  unique_key:
+    - vulnerability.id
+    - resource.id
+    - vulnerability.package.name
+    - vulnerability.package.version
+    - data_stream.namespace
+  sort: "@timestamp"
+description: Latest Cloud Vulnerabilities Findings from Wiz
+settings:
+  unattended: true
+frequency: 5m
+sync:
+  time:
+    field: event.ingested
+retention_policy:
+  time:
+    field: "@timestamp"
+    max_age: 3d
+_meta:
+  managed: true
+  # Bump this version to delete, reinstall, and restart the transform during package.
+  # Version bump is needed if there is any code change in transform.
+  fleet_transform_version: 0.1.0