Add Latest Transform - Wiz Vulnerabilities

[CohenIdo]

solves:

• https://github.com/elastic/security-team/issues/9829

Summary

• Create a latest Transform for the Wiz vulnerabilities data stream to support CDR.

[elasticmachine]

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

[kcreddy]

@CohenIdo, the CI is failing with error:

error running package asset tests: could not complete test run: can't install the package: there was an apply error: installation failed: can't install the package: could not zip-install package; API status code = 500; response body = {"statusCode":500,"error":"Internal Server Error","message":"security_exception\n\tRoot causes:\n\t\tsecurity_exception: action [indices:admin/delete] is unauthorized for service account [elastic/kibana] on indices [security_solution-wiz.vulnerability_latest-v1], this action is granted by the index privileges [delete_index,manage,all]"}

If you added the necessary permissions into Elasticsearch which will be merged into, say 8.15.2 version, then the manifest.yml should be updated with same version so that CI picks up the version you added permissions in:

conditions:
  kibana:
    version: "^8.15.2"

[maxcold]

As discussed with @CohenIdo we might want to make this change under preview version first as the UX is not yet ready, plus as the change is quite big and requires more e2e testing

[kfirpeled]

lets put this on preview guys
I don't think we should release this change without a full QA cycle
wdyt?

[CohenIdo]

@kfirpeled yes, me and @maxcold were agreed on that and put it on today sync agenda sync to hear other thoughts. So it seems we all agree. will do

[elasticmachine]

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

[efd6]

Why is this not just a release?

[maxcold]

as the change introduces the transform we want to test the approach extensively before opening it up for users. There are also some UX adjustments we might need to do based on the real data coming from Wiz. Making the integration a preview first, will allow the team better DX for testing the features. This approach works well for us in the cloud_security_posture integration

[CohenIdo]

Just to make it clearer, any bug fix can be merged under 1.7.x and any changes that are for 8.16 will be under 1.8.0-preview0x

[kcreddy]

If bugfixes were continued to be merged under 1.7.x, I think the users will not be seeing them because the mainfest's kibana.version has moved to 8.16.0. The users need to be >= package's kibana.version to get the fixes/upgrades.

[efd6]

Do these need to be added?

[CohenIdo]

Yes, the transform destination index is not predefined in Elasticsearch (unlike the logs-* and metrics-* indices), so the ECS fields are not inherited automatically and must be explicitly defined.

[efd6]

If this is the requirement, this should probably be a draft PR until we get there. If we merge this now, all the subsequent changes will either require 8.16 or have to have back-ports.

[maxcold]

the package will be available in Serverless as the stack version in serverless is 8.16 already. Together with the preview version, this should give the team including our product an easier way to test the new approach we are trying out on Wiz, see https://docs.google.com/document/d/1govaQj_8LwUOLtk3zrcjCEvRgyKWRuC-TUihCrk04ao/edit for more details
Are there changes planned for Wiz integration where backporting a concern?

[efd6]

Are there changes planned for Wiz integration where backporting a concern?

It's difficult to predict bugs.

[maxcold]

I think unexpected bug fixes can be backported to 1.7, I assume the backporting flow exists for this reason. The bumping kibana stack version while using preview versions works quite well for cloud_security_posture, more so with the introduction of serverless. Any concern with this approach for Wiz except the potential backports?

[efd6]

Can you explain what the feature is present in 8.16 that is not present in 8.13? If there is none, what is the reason for wanting to bump this?

[kcreddy]

Can you explain what the feature is present in 8.16 that is not present in 8.13? If there is none, what is the reason for wanting to bump this?

This is the change/feature related to 8.16 thats needed: elastic/elasticsearch#112192.
The transform in this PR needs permissions to create and maintain the latest indices. These permissions are targeted for v8.16.0 in Elasticsearch.

[maxcold]

thanks @kcreddy , that's correct. Plus we release UX features that would leverage the latest transform results, without them having transform would be just a waste of resources. and yes, won't event work properly due to missing privileges

[efd6]

I'm going to remove my block, but despite the documented backport release workflow, in practice, making this change will in all likelihood result in reduction in fixes being released for pre-8.16-dependent versions of the package. This is just an observation on normal dev responses to additional friction from this kind of thing.

[maxcold]

@efd6 thanks for providing more context for your concerns. If I understand correctly, the concerns are not about fixing specific Wiz bugs, but rather about making overall improvements to multiple integrations which is hard then to backport to each of these integrations one by one. I understand this concern, and I think it is a very valid one. But still, I think it's important to have a way not to keep the prs open for months. With serverless and with increased gap between versions it becomes a must in my opinion.

[efd6]

Hold purely to avoid a merge before the version issue is discussed within the team.

[CohenIdo]

Hold purely to avoid a merge before the version issue is discussed within the team.

There is a simple way to backport for the pervious stack version.
Adding @maxcold's investigations findings:
"all the docs I could find is this issue elastic/package-spec#225 (linked in the package-spec) To my understanding, our use of the pre-release version is totally valid. I also don't see a problem with backport flow after I did backport for csp integration. It involves a bit more work (create backport branch via CI and remember to update the changelog in main manually) but I don't see it as a big blocker"

[kcreddy]

More details on supporting bugfixes on older package versions: https://www.elastic.co/guide/en/integrations-developer/current/developer-workflow-support-old-package.html

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: b75bcfd

History

• 💚 Build #15691 succeeded 4a7732a
• 💚 Build #15637 succeeded 4c3f8f9
• 💚 Build #15619 succeeded 9f77a15
• 💚 Build #15518 succeeded 49acef6
• 💔 Build #15435 failed 28d6aae
• 💔 Build #15376 failed 2828c70

[elastic-sonarqube]

Quality Gate failed

Failed conditions
5.8% Coverage on New Code (required ≥ 80%)

See analysis details on SonarQube

relented

[kcreddy]

LGTM

[elasticmachine]

Package wiz - 1.9.0-preview01 containing this change is available at https://epr.elastic.co/search?package=wiz