-
Notifications
You must be signed in to change notification settings - Fork 423
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
aws.securityhub_findings: Improve support for CDR #11158
base: main
Are you sure you want to change the base?
Conversation
🚀 Benchmarks reportTo see the full report comment with |
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The issue refers to a document upload, but I cannot find it. So I cannot see whether this follows what has been designed. Is there a reason this is not a public document in the issue?
packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml
Outdated
Show resolved
Hide resolved
packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml
Outdated
Show resolved
Hide resolved
- set: | ||
field: rule.remediation | ||
tag: set_rule_remediation | ||
value: '{{{aws.securityhub_findings.remediation.recommendation.text}}} \n {{{aws.securityhub_findings.remediation.recommendation.url}}}' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this \n
intentional? It won't be expanded since we are in single quotes.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for pointing this out. I've modified it in f898ffc to make it similar to Wiz.
Line 45 in 4c38387
"remediation": "Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \r\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . \r\n* `securityContext.capabilities.drop` key is set to `ALL`. \r\n", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@maxcold, does this make sense to use \r\n
as delimiter to append remediation.text
and remediation.url
to derive the field rule.remediation
? The outcome is similar to Wiz.
packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not completely comfortable approving this based on a set of linked proposals that don't have a conclusion (there are items that appear to be still under discussion) and are spread across those documents. IMO a summary acceptance document should be prepared and made public so that users can see what the intended behaviour is, and so that reviewers and maintainers can have truth to base future work on.
packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml
Outdated
Show resolved
Hide resolved
packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml
Outdated
Show resolved
Hide resolved
String[] tokenList = res.Id.splitOnToken("/"); | ||
res_name = tokenList[tokenList.length - 1]; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there is no /
, !bang. Is there guaranteed to be one?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As per https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html, it is possible that /
may not occur. Also, for S3 object, taking the last /
would only provide incomplete object prefix.
Hence, I updated to split on :
and take the last :
. This would mean previous i-0e2ede89308a594d7
would now be instance/i-0e2ede89308a594d7
, i.e., an additional <resource-type>/
will be added as prefix. Is this tradeoff okay?
Note that this case of deriving resource.name
by /
or :
will only happen if the .Name
is not present in Details
.
packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml
Outdated
Show resolved
Hide resolved
packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml
Outdated
Show resolved
Hide resolved
packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml
Show resolved
Hide resolved
packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It seems that some fields (host.name
, rule.author
) that were mapped here are missing.
++ Logistically, I think a markdown doc in https://github.com/elastic/integrations/tree/main/docs would be ideal for integration developers. It's public, version controlled, and close to the integrations that will implement its guidance. @maxcold, WDYT? |
- Add host.ip and host.name
@CohenIdo, The Also, I missed adding As per clarification from @maxcold, I skipped |
packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml
Outdated
Show resolved
Hide resolved
packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml
Outdated
Show resolved
Hide resolved
Regards to #11158 (review): @maxcold / @CohenIdo, could you make the guide |
Quality Gate failedFailed conditions |
💚 Build Succeeded
History
cc @kcreddy |
Proposed commit message
Improve support for CDR.
securityhub_findings
data stream's ingest pipeline to support CDR.securityhub_findings
data stream's mappings according to the new fields.Fixes: #11040
Note to reviewers: Please DM me for access to the document(s) linked in the issue, it might help in the review.
Checklist
changelog.yml
file.How to test this PR locally
Related issues
Screenshots