From 09428276ce77a5a9b45797d70c3f5b43215ee9eb Mon Sep 17 00:00:00 2001
From: Kfir Peled
Date: Thu, 26 Jan 2023 11:16:15 +0200
Subject: [PATCH 1/4] Fix ECS import method
---
 .../_dev/build/build.yml | 3 +
 packages/cloud_security_posture/changelog.yml | 5 ++
 .../data_stream/findings/fields/ecs.yml | 85 -------------------
 packages/cloud_security_posture/manifest.yml | 2 +-
 4 files changed, 9 insertions(+), 86 deletions(-)
 create mode 100644 packages/cloud_security_posture/_dev/build/build.yml
diff --git a/packages/cloud_security_posture/_dev/build/build.yml b/packages/cloud_security_posture/_dev/build/build.yml
new file mode 100644
index 00000000000..5661d603a89
--- /dev/null
+++ b/packages/cloud_security_posture/_dev/build/build.yml
@@ -0,0 +1,3 @@
+dependencies:
+ ecs:
+ reference: git@v8.3.0
diff --git a/packages/cloud_security_posture/changelog.yml b/packages/cloud_security_posture/changelog.yml
index 6375daf4d7d..8b8f8362281 100644
--- a/packages/cloud_security_posture/changelog.yml
+++ b/packages/cloud_security_posture/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.2.9"
+ changes:
+ - description: Fix ECS import
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/
 - version: "1.2.8"
 changes:
 - description: Add cloud fields to mapping
diff --git a/packages/cloud_security_posture/data_stream/findings/fields/ecs.yml b/packages/cloud_security_posture/data_stream/findings/fields/ecs.yml
index a420c390df8..266ddbf195a 100644
--- a/packages/cloud_security_posture/data_stream/findings/fields/ecs.yml
+++ b/packages/cloud_security_posture/data_stream/findings/fields/ecs.yml
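Review bot: The new build.yml pins `reference: git@v8.3.0` with nothing saying what depends on it, yet this tag is what every `external: ecs` entry in the fields files resolves against, so a later bump silently changes the mapping of all of them at once. A one-line comment above `ecs:` would make that coupling explicit, e.g. `# ECS tag that resolves every field declared with external: ecs; bump deliberately and re-check the fields files.` If the package targets stack 8.7, as the `kibana.version` condition visible in a later manifest hunk on this page suggests, an ECS tag two minors behind is worth a word of justification in the same comment.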
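Review bot: The new changelog entry is typed `type: enhancement` although its description `Fix ECS import` and the commit subject both call the change a fix. Package-spec changelogs distinguish `bugfix` from `enhancement`, so `type: bugfix` is the accurate classification and is what a reader scanning for corrected behaviour filters on.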
@@ -1,213 +1,128 @@
 - name: "@timestamp"
 external: ecs
- type: date
 - name: agent.ephemeral_id
 external: ecs
- type: keyword
 - name: agent.id
 external: ecs
- type: keyword
 - name: agent.name
 external: ecs
- type: keyword
 - name: agent.type
 external: ecs
- type: keyword
 - name: agent.version
 external: ecs
- type: keyword
 - name: ecs.version
 external: ecs
- type: keyword
 - name: event.agent_id_status
 external: ecs
- type: keyword
 - name: event.ingested
 external: ecs
- type: date
 - name: file.accessed
 external: ecs
- type: date
 - name: file.ctime
 external: ecs
- type: date
 - name: file.directory
 external: ecs
- type: keyword
 - name: file.extension
 external: ecs
- type: keyword
 - name: file.gid
 external: ecs
- type: keyword
 - name: file.group
 external: ecs
- type: keyword
 - name: file.inode
 external: ecs
- type: keyword
 - name: file.mode
 external: ecs
- type: keyword
 - name: file.mtime
 external: ecs
- type: date
 - name: file.name
 external: ecs
- type: keyword
 - name: file.owner
 external: ecs
- type: keyword
 - name: file.path
 external: ecs
- type: keyword
 - name: file.size
 external: ecs
- type: long
 - name: file.type
 external: ecs
- type: keyword
 - name: file.uid
 external: ecs
- type: keyword
 - name: host.architecture
 external: ecs
- type: keyword
-- name: host.containerized
- external: ecs
- type: boolean
 - name: host.hostname
 external: ecs
- type: keyword
 - name: host.ip
 external: ecs
- type: ip
 - name: host.mac
 external: ecs
- type: keyword
 - name: host.name
 external: ecs
- type: keyword
-- name: host.os.codename
- external: ecs
- type: keyword
 - name: host.os.family
 external: ecs
- type: keyword
 - name: host.os.full
 external: ecs
- type: keyword
 - name: host.os.kernel
 external: ecs
- type: keyword
 - name: host.os.name
 external: ecs
- type: keyword
 - name: host.os.platform
 external: ecs
- type: keyword
 - name: host.os.type
 external: ecs
- type: keyword
 - name: host.os.version
 external: ecs
- type: keyword
 - name: message
 external: ecs
- type: match_only_text
 - name: process.args
 external: ecs
- type: keyword
 - name: process.args_count
 external: ecs
- type: long
 - name: process.command_line
 external: ecs
- type: wildcard
 - name: process.name
 external: ecs
- type: keyword
 - name: process.parent.pid
 external: ecs
- type: long
 - name: process.parent.start
 external: ecs
- type: date
 - name: process.pgid
 external: ecs
- type: long
 - name: process.pid
 external: ecs
- type: long
 - name: process.start
 external: ecs
- type: date
 - name: process.title
 external: ecs
- type: keyword
 - name: process.uptime
 external: ecs
- type: long
-- name: rule.benchmark.id
- external: ecs
- type: keyword
-- name: rule.benchmark.name
- external: ecs
- type: keyword
-- name: rule.benchmark.version
- external: ecs
- type: keyword
 - name: rule.description
 external: ecs
- type: keyword
 - name: rule.id
 external: ecs
- type: keyword
 - name: rule.name
 external: ecs
- type: keyword
-- name: rule.section
- external: ecs
- type: keyword
-- name: rule.tags
- external: ecs
- type: keyword
 - name: rule.version
 external: ecs
- type: keyword
 - name: event.category
 external: ecs
- type: keyword
 - name: event.created
 external: ecs
- type: date
 - name: event.ingested
 external: ecs
- type: date
 - name: event.id
 external: ecs
- type: keyword
 - name: event.kind
 external: ecs
- type: keyword
 - name: event.sequence
 external: ecs
- type: long
 - name: event.outcome
 external: ecs
- type: keyword
 - name: event.type
 external: ecs
- type: keyword
 - name: orchestrator.cluster.name
 external: ecs
- type: keyword
 - name: cloud.account.id
 external: ecs
- type: keyword
 - name: cloud.account.name
 external: ecs
- type: keyword
 - name: cloud.provider
 external: ecs
- type: keyword
diff --git a/packages/cloud_security_posture/manifest.yml b/packages/cloud_security_posture/manifest.yml
index d7a43331ee0..7fea849e806 100644
--- a/packages/cloud_security_posture/manifest.yml
+++ b/packages/cloud_security_posture/manifest.yml
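Review bot: Besides dropping every `type:` line, this hunk deletes `host.containerized` and `host.os.codename` outright, and nothing else on this page re-declares them; if cloudbeat still emits those keys they lose the explicit `boolean`/`keyword` mappings they had here and fall back to whatever dynamic-mapping behaviour the data stream template applies. Presumably they were removed because `external: ecs` cannot resolve them at the pinned ECS tag — if so, re-declaring them with explicit types in a non-ECS fields file keeps the mapping stable, and if they are no longer emitted a line in the commit message saying so would settle it. The other fully removed entries are consistent with the rest of the series: `rule.section` and `rule.tags` are visible in rule.yml in a later hunk on this page, and the `rule.benchmark.*` fields presumably live there too, though only a benchmark description line is visible.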
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: cloud_security_posture
 title: "Security Posture Management (CSPM/KSPM)"
-version: 1.2.8
+version: 1.2.9
 release: ga
 license: basic
 description: "DO NOT USE MAIN TILE (WIP)"
From 8d64bb4dc83b4b97629bce9ed5efb469d42d0bbf Mon Sep 17 00:00:00 2001
From: Kfir Peled <61654899+kfirpeled@users.noreply.github.com>
Date: Thu, 26 Jan 2023 11:20:07 +0200
Subject: [PATCH 2/4] fixed pr no. in changelog
---
 packages/cloud_security_posture/changelog.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/cloud_security_posture/changelog.yml b/packages/cloud_security_posture/changelog.yml
index 8b8f8362281..40cd654cc2c 100644
--- a/packages/cloud_security_posture/changelog.yml
+++ b/packages/cloud_security_posture/changelog.yml
@@ -3,7 +3,7 @@
 changes:
 - description: Fix ECS import
 type: enhancement
- link: https://github.com/elastic/integrations/pull/
+ link: https://github.com/elastic/integrations/pull/5106
 - version: "1.2.8"
 changes:
 - description: Add cloud fields to mapping
From d2cc334cf30a800e4218661f98a893e42f7422b5 Mon Sep 17 00:00:00 2001
From: Kfir Peled
Date: Thu, 26 Jan 2023 12:55:44 +0200
Subject: [PATCH 3/4] updated format version, ECS to 8.6, ECS ingested version, and other fixes
---
 .../_dev/build/build.yml | 2 +-
 .../elasticsearch/ingest_pipeline/default.yml | 4 +--
 .../findings/fields/base-fields.yml | 3 --
 .../data_stream/findings/fields/ecs.yml | 2 --
 .../data_stream/findings/fields/rule.yml | 30 -------------------
 packages/cloud_security_posture/manifest.yml | 7 +++--
 6 files changed, 7 insertions(+), 41 deletions(-)
diff --git a/packages/cloud_security_posture/_dev/build/build.yml b/packages/cloud_security_posture/_dev/build/build.yml
index 5661d603a89..4ed337a4188 100644
--- a/packages/cloud_security_posture/_dev/build/build.yml
+++ b/packages/cloud_security_posture/_dev/build/build.yml
@@ -1,3 +1,3 @@
 dependencies:
 ecs:
- reference: git@v8.3.0
+ reference: git@v8.6.0
diff --git a/packages/cloud_security_posture/data_stream/findings/elasticsearch/ingest_pipeline/default.yml b/packages/cloud_security_posture/data_stream/findings/elasticsearch/ingest_pipeline/default.yml
index e88f8675a9f..9224edb344c 100644
--- a/packages/cloud_security_posture/data_stream/findings/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/cloud_security_posture/data_stream/findings/elasticsearch/ingest_pipeline/default.yml
@@ -2,8 +2,8 @@
 description: Pipeline for cloudbeat findings
 processors:
 - set:
- field: event.ingested
- value: '{{_ingest.timestamp}}'
+ field: ecs.version
+ value: '8.6.0'
 on_failure:
 - set:
 field: error.message
diff --git a/packages/cloud_security_posture/data_stream/findings/fields/base-fields.yml b/packages/cloud_security_posture/data_stream/findings/fields/base-fields.yml
index 7c798f4534c..a3e80e3a547 100644
--- a/packages/cloud_security_posture/data_stream/findings/fields/base-fields.yml
+++ b/packages/cloud_security_posture/data_stream/findings/fields/base-fields.yml
@@ -7,6 +7,3 @@
 - name: data_stream.namespace
 type: constant_keyword
 description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/cloud_security_posture/data_stream/findings/fields/ecs.yml b/packages/cloud_security_posture/data_stream/findings/fields/ecs.yml
index 266ddbf195a..f631dd03d0b 100644
--- a/packages/cloud_security_posture/data_stream/findings/fields/ecs.yml
+++ b/packages/cloud_security_posture/data_stream/findings/fields/ecs.yml
@@ -106,8 +106,6 @@
 external: ecs
 - name: event.created
 external: ecs
-- name: event.ingested
- external: ecs
 - name: event.id
 external: ecs
 - name: event.kind
diff --git a/packages/cloud_security_posture/data_stream/findings/fields/rule.yml b/packages/cloud_security_posture/data_stream/findings/fields/rule.yml
index 198410c45bf..c121259aaa6 100644
--- a/packages/cloud_security_posture/data_stream/findings/fields/rule.yml
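Review bot: The new `set` processor hard-codes `value: '8.6.0'`, which duplicates the `git@v8.6.0` tag in `_dev/build/build.yml` with nothing tying the two together, so the next ECS bump will very likely update one and not the other. A comment on the processor, `# Keep in sync with the ECS tag in _dev/build/build.yml`, is the minimum that prevents that drift. Note also that `set` overrides by default, so this value replaces whatever `ecs.version` cloudbeat itself reports — reasonable for an integration that owns the mapping, but worth one clause in the pipeline `description:`. The removal of the `event.ingested` processor is presumably because the Fleet final pipeline stamps that field; a short note to that effect in the commit message would spare the next reader a search.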
+++ b/packages/cloud_security_posture/data_stream/findings/fields/rule.yml
@@ -36,29 +36,6 @@
 ignore_above: 1024
 description: Type of the compliance benchmark.
 default_field: false
- - name: description
- level: extended
- type: keyword
- ignore_above: 1024
- description: The description of the rule generating the event.
- example: Block requests to public DNS over HTTPS / TLS protocols
- default_field: false
- - name: id
- level: extended
- type: keyword
- ignore_above: 1024
- description: >
- A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event.
-
- example: 101
- default_field: false
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: The name of the rule or signature generating the event.
- example: BLOCK_DNS_over_TLS
- default_field: false
 - name: section
 level: extended
 type: keyword
@@ -71,13 +48,6 @@
 ignore_above: 1024
 description: List of keywords used to tag the rule.
 default_field: false
- - name: version
- level: extended
- type: keyword
- ignore_above: 1024
- description: The version / revision of the rule being used for analysis.
- example: 1.1
- default_field: false
 - name: rule_number
 level: extended
 type: keyword
diff --git a/packages/cloud_security_posture/manifest.yml b/packages/cloud_security_posture/manifest.yml
index 7fea849e806..c5e0753e986 100644
--- a/packages/cloud_security_posture/manifest.yml
+++ b/packages/cloud_security_posture/manifest.yml
@@ -1,9 +1,9 @@
-format_version: 1.0.0
+format_version: 2.3.0
 name: cloud_security_posture
 title: "Security Posture Management (CSPM/KSPM)"
 version: 1.2.9
-release: ga
-license: basic
+source:
+ license: "Elastic-2.0"
 description: "DO NOT USE MAIN TILE (WIP)"
 type: integration
 categories:
@@ -16,6 +16,7 @@ categories:
 - google_cloud
 conditions:
 kibana.version: "^8.7.0"
+ elastic.subscription: basic
 screenshots:
 - src: /img/dashboard.png
 title: Dashboard page
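Review bot: The manifest moves from `format_version: 1.0.0` to `2.3.0`, drops `release: ga` and top-level `license: basic` in favour of `source.license` and `conditions.elastic.subscription`, and the same patch raises ECS to 8.6.0, yet this patch's diffstat touches no changelog and the only `1.2.9` entry on this page reads `Fix ECS import`. Those are the changes a consumer of the package will actually notice, so the changelog entry should carry them, e.g. an additional `- description: Migrate manifest to package-spec format_version 2.3.0 and ECS 8.6.0` item with the same `type` and `link`. The `description: "DO NOT USE MAIN TILE (WIP)"` context line is unchanged here, but it is the user-facing description of a package now declared under `Elastic-2.0` and is worth a follow-up.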
From 4c5a3683f46f2a3820e3b7e5e6ada678110e498a Mon Sep 17 00:00:00 2001
From: Kfir Peled
Date: Mon, 30 Jan 2023 20:20:58 +0200
Subject: [PATCH 4/4] moved timestamp declaration to base-fields
---
 .../data_stream/findings/fields/base-fields.yml | 3 +++
 .../cloud_security_posture/data_stream/findings/fields/ecs.yml | 2 --
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/packages/cloud_security_posture/data_stream/findings/fields/base-fields.yml b/packages/cloud_security_posture/data_stream/findings/fields/base-fields.yml
index a3e80e3a547..d3b0f5a163e 100644
--- a/packages/cloud_security_posture/data_stream/findings/fields/base-fields.yml
+++ b/packages/cloud_security_posture/data_stream/findings/fields/base-fields.yml
@@ -7,3 +7,6 @@
 - name: data_stream.namespace
 type: constant_keyword
 description: Data stream namespace.
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
\ No newline at end of file
diff --git a/packages/cloud_security_posture/data_stream/findings/fields/ecs.yml b/packages/cloud_security_posture/data_stream/findings/fields/ecs.yml
index f631dd03d0b..f4a0be9467d 100644
--- a/packages/cloud_security_posture/data_stream/findings/fields/ecs.yml
+++ b/packages/cloud_security_posture/data_stream/findings/fields/ecs.yml
@@ -1,5 +1,3 @@
-- name: "@timestamp"
- external: ecs
 - name: agent.ephemeral_id
 external: ecs
 - name: agent.id
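Review bot: The three added lines leave base-fields.yml without a trailing newline (`\ No newline at end of file`), so the next append to this file will show a spurious change on `description: Event timestamp.` and yamllint's new-line-at-end-of-file rule fails; terminate the last line with a newline. Declaring `@timestamp` here with an explicit `type: date` rather than `external: ecs` matches how the sibling `data_stream.*` fields in this file are declared, so the move itself is consistent.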