Add new Wiz Cloud Configuration Finding Full Posture data stream and update misconfig transform to use it #12961
Conversation
…base latest misconfig findings on it
maxcold
added
enhancement
andrewkroh
added
the
Team:Security-Service Integrations
|
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations) |
packages/wiz/changelog.yml
Outdated
| @@ -1,4 +1,9 @@ | |||
| # newer versions go on top | |||
| - version: "3.0.0" | |||
| changes: | |||
| - description: Add new Cloud Configiruation Finding Full Posture data stream and use it as a source for latest_cdr_misconfigurations transform. If you had Cloud Configiruation Finding enabled and relied on Findings > Misconfigurations view, you need to enable the Cloud Configiruation Finding Full Posture data stream. | |||
There was a problem hiding this comment.
This is too long for a changelog entry. Also, spelling.
packages/wiz/data_stream/cloud_configuration_finding/manifest.yml
Outdated
Show resolved
Hide resolved
packages/wiz/data_stream/cloud_configuration_finding_full_posture/agent/stream/cel.yml.hbs
Outdated
Show resolved
Hide resolved
packages/wiz/data_stream/cloud_configuration_finding_full_posture/agent/stream/cel.yml.hbs
Outdated
Show resolved
Hide resolved
packages/wiz/data_stream/cloud_configuration_finding_full_posture/agent/stream/cel.yml.hbs
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Do these need to be in their own files? (following three files also)
There was a problem hiding this comment.
I took this approach from our native Cloud Security Posture integration https://github.com/elastic/integrations/tree/main/packages/cloud_security_posture/data_stream/findings/fields
Find it easier to navigate when split by ECS part. Is there a convention around that?
There was a problem hiding this comment.
I can't think of any other integrations of ours that do this.
There was a problem hiding this comment.
any specific issue with it?
There was a problem hiding this comment.
Just to clarify, I can move everything to one or a smaller number of files if you think it is a hard requirement. I just don't understand the guidance here. I see different approaches in different data streams and am not sure what is the preferred way and why. For example, just took a random data stream: https://github.com/elastic/integrations/tree/main/packages/windows/data_stream/sysmon_operational/fields. What is the logic of the split by files there? I'm not sure. I haven't had issues with the split we have in cloud_security_posture integration; that's why the question
packages/wiz/data_stream/cloud_configuration_finding_full_posture/manifest.yml
Outdated
Show resolved
Hide resolved
packages/wiz/elasticsearch/transform/latest_cdr_misconfigurations/fields/base-fields.yml
Show resolved
Hide resolved
| description: Collect logs from Wiz with Elastic Agent. | ||
| type: integration | ||
| categories: | ||
| - security | ||
| - cloudsecurity_cdr | ||
| conditions: | ||
| kibana: | ||
| version: "^8.16.0 || ^9.0.0" | ||
| version: "~8.16.6 || ~8.17.4 || ^8.18.0 || ^9.0.0" |
There was a problem hiding this comment.
Can you explain why this complexity is required?
There was a problem hiding this comment.
When adding a new data stream as a source for the transform we need a change in Elasticsearch, see related PR elastic/elasticsearch#124074 This change was backported to 8.16.x, 8.17.x, that's why it will only work starting from 8.16.6 and 8.17.4
There was a problem hiding this comment.
But wouldn't this change make make users believe agentless is compatible on ~8.16.6 || ~8.17.4?
Because we are merging the PR into main which had agentless change: #13105
There was a problem hiding this comment.
@kcreddy this is a good question, thanks for bringing it up. I will ask the agentless team starting from which version we support the deployment_modes . But even if we don't support them in 8.16 and 8.17 which we probably don't, I wonder if smth breaks because of this new addition to the manifest, eg. validation. If agentless options just won't be available, I think it should be fine, Agentless feature by itself is going GA in 8.18, so it should be clear for the users.
But ofc we can go with only 8.18/9.0 for this change, it will just reduce the adoption
There was a problem hiding this comment.
The deployment_mode was added in package-spec and Fleet support in 8.16, in 8.17 it was add for the Fleet extensions like CSPM.
There was a problem hiding this comment.
I tested and 8.16.6-SNAPSHOT works fine with the changes I have here. Plus the mode itself was added in 8.16 #12961 (comment)
There was a problem hiding this comment.
Sounds good. Thanks for testing @maxcold 👍🏼
This reverts commit d3ad0ea.
Co-authored-by: Dan Kortschak <dan.kortschak@elastic.co>
Co-authored-by: Dan Kortschak <dan.kortschak@elastic.co>
Co-authored-by: Dan Kortschak <dan.kortschak@elastic.co>
did you mean adding system tests for the new data stream or smth else? |
|
/test |
...ta_stream/cloud_configuration_finding_full_posture/elasticsearch/ingest_pipeline/default.yml
Show resolved
Hide resolved
...l_posture/_dev/test/pipeline/test-cloud-configuration-finding-full-posture.log-expected.json
Outdated
Show resolved
Hide resolved
packages/wiz/_dev/deploy/docker/files/config-cloud_configuration_finding_full_psoture.yml
Outdated
Show resolved
Hide resolved
🚀 Benchmarks reportTo see the full report comment with |
packages/wiz/elasticsearch/transform/latest_cdr_misconfigurations/transform.yml
Show resolved
Hide resolved
| description: Collect logs from Wiz with Elastic Agent. | ||
| type: integration | ||
| categories: | ||
| - security | ||
| - cloudsecurity_cdr | ||
| conditions: | ||
| kibana: | ||
| version: "^8.16.0 || ^9.0.0" | ||
| version: "~8.16.6 || ~8.17.4 || ^8.18.0 || ^9.0.0" |
There was a problem hiding this comment.
But wouldn't this change make make users believe agentless is compatible on ~8.16.6 || ~8.17.4?
Because we are merging the PR into main which had agentless change: #13105
Co-authored-by: Krishna Chaitanya Reddy Burri <krish.reddy91@gmail.com>
packages/wiz/elasticsearch/transform/latest_cdr_misconfigurations/transform.yml
Show resolved
Hide resolved
| description: Collect logs from Wiz with Elastic Agent. | ||
| type: integration | ||
| categories: | ||
| - security | ||
| - cloudsecurity_cdr | ||
| conditions: | ||
| kibana: | ||
| version: "^8.16.0 || ^9.0.0" | ||
| version: "~8.16.6 || ~8.17.4 || ^8.18.0 || ^9.0.0" |
There was a problem hiding this comment.
The deployment_mode was added in package-spec and Fleet support in 8.16, in 8.17 it was add for the Fleet extensions like CSPM.
| @@ -0,0 +1,149 @@ | |||
| config_version: 2 | |||
| interval: 24h | |||
There was a problem hiding this comment.
If I look at this CEL program, it is almost identical to its corresponding incremental data stream cloud_configuration_finding. There are few differences such as hardcoded interval, removing incremental data fetching using analyzedAt, and removing handling of cursor.
What if we present user with an option inside the existing data stream cloud_configuration_finding itself, such as a boolean variable full_pull which defaults to true, and let the user choose full or incremental payloads?
Was this already thought about? Are there any issues you foresaw? It seems the only reason we are adding this new data stream is to match it with Cloud Security Posture style 24h pull, and the data is exactly same as existing cloud_configuration_finding.
The problem with multiple data streams handling same API is in maintenance during enhancement/bugfixes which needs to be propagated to multiple places now (which sometimes not all developers may know).
There was a problem hiding this comment.
@kcreddy thanks for bringing it up! yes, this indeed is the challenge we discussed with product and opted out for a separate data stream due to the following challenges:
- integration default UX can become very confusing when different options are presented to users and it's not clear how they work in combination. For example, if we present the full posture option on the existing data stream, it's not possible to hide other params (initial lookback interval and period interval) . So it will be confusing for the users how do they relate to each other and if they work together. Ofc we can solve it in the docs and in the field descriptions but it's not a good UX
- another problem is that the data from incremental and full posture are two separate usecases solving different problems. Users might want to have them both potentially. Incremental to base their alerts on and full posture to enable our Cloud Security flows (Findings page and context in different places of Security solution). Adding the option to existing data stream will make users to chose one flow, which might be limiting. Ofc it is probably possible to solve all with a more complex CEL logic, but in my opinion it defeats this purpose
The problem with multiple data streams handling same API is in maintenance during enhancement/bugfixes which needs to be propagated to multiple places now- overly complex data stream with two modes that can coexist or work separately is very hard to maintain without incidental bugs in my opinion.
There was a problem hiding this comment.
I think to add onto good UX, maybe we should also change the title and description of existing cloud_configuration_finding data stream? Do you think Full posture vs Incremental posture are self-intuitive or do you think documenting the difference in the integration docs makes more sense?
There was a problem hiding this comment.
Also, is this going to be applied to all existing and future implementations, such as AWS Security Hub, which pulls incrementally?
How about vulnerability flows?
There was a problem hiding this comment.
I think to add onto good UX, maybe we should also change the title and description of existing cloud_configuration_finding data stream? Do you think Full posture vs Incremental posture are self-intuitive or do you think documenting the difference in the integration docs makes more sense?
Do we want to change the existing data stream to state clearly "Incremental"? Also what do we do about the documentation, do we want to document that users need to enable this new data stream if they want to leverage CDR flows?
There was a problem hiding this comment.
@kcreddy , yes, the plan is to implement similar for AWS Security Hub. For vulnerability flows we decided not to deal with the problem of incremental data flow for now. The posture much more relevant for CSPM data (Misconfiguration Fingings). Even though it's nice to have the full data of all the vulnerabilities in the system (and as we know our InfoSec team pulls the whole data set from Qualys) , it's less critical
| Content-Type: | ||
| - application/json | ||
| body: | | ||
| {"data": {"configurationFindings": {"nodes": [{"analyzedAt":"2024-08-07T12:55:52.012378Z","id":"1243196d-a365-589a-a8aa-13817c9877b2","remediation":null,"resource":{"id":"f0f4163d-cbd7-517c-ba9e-f96bb90ab5ea","name":"Root user","nativeType":"rootUser","providerId":"arn:aws:iam::998231069301:root","region":null,"cloudPlatform":"EKS","subscription":{"cloudProvider":"AWS","externalId":"998231069301","id":"94e76baa-85fd-5928-b829-1669a2ca9660","name":"wiz-integrations"},"tags":[],"type":"USER_ACCOUNT"},"result":"PASS","rule":{"description":"This rule checks if the AWS Root Account has access keys. \nThis rule fails if `AccountAccessKeysPresent` is not set to `0`. Note that it does not take into consideration the status of the keys if present. \nThe root account should avoid using access keys. Since the root account has full permissions across the entire account, creating access keys for it increases the chance that they will be compromised. Instead, it is recommended to create IAM users with predefined roles.\n>**Note** \nSee Cloud Configuration Rule `IAM-207` to see if the Root account's access keys are active.","id":"563ed717-4fb6-47fd-929e-9c794e201d0a","name":"Root account access keys should not exist","remediationInstructions":"Perform the following steps, while being signed in as the Root user, in order to delete the root user's access keys via AWS CLI: \n1. Use the following command to list the Root user's access keys. \nCopy the `AccessKeyId` from the output and paste it into the `access-key-id` value in the next step. \n```\naws iam list-access-keys\n```\n2. Use the following command to delete the access key(s). \n```\naws iam delete-access-key /\n --access-key-id <value>\n```\n>**Note** \nOnce an access key is removed, any application using it will not work until a new one is configured for it.","shortId":"IAM-006"},"severity":"MEDIUM"}],"pageInfo": {"hasNextPage": true,"endCursor": "eyJmaWVsZHMiOlt7IkZpZWxkIjoiVGltZXN0YW1wIiwiVmFsdWUiOiIyMDIzLTA5LTA0VDExOjE5OjM3LjgwMTU0MVoifV19"}}}} |
There was a problem hiding this comment.
For the same of future maintenance, please pretty print the object and use the minify_json helper (example). Also below.
packages/wiz/data_stream/cloud_configuration_finding_full_posture/agent/stream/cel.yml.hbs
Outdated
Show resolved
Hide resolved
Co-authored-by: Dan Kortschak <dan.kortschak@elastic.co>
There was a problem hiding this comment.
LGTM.
The reasons behind adding a new data-stream is here: #12961 (comment)
Can wait for @efd6 approval before merging.
packages/wiz/_dev/deploy/docker/files/config-cloud_configuration_finding_full_posture.yml
Outdated
Show resolved
Hide resolved
packages/wiz/data_stream/cloud_configuration_finding_full_posture/manifest.yml
Outdated
Show resolved
Hide resolved
packages/wiz/data_stream/cloud_configuration_finding_full_posture/manifest.yml
Outdated
Show resolved
Hide resolved
Co-authored-by: Dan Kortschak <dan.kortschak@elastic.co>
|
💚 Build Succeeded
History
|
|
Package wiz - 3.0.0 containing this change is available at https://epr.elastic.co/package/wiz/3.0.0/ |
Proposed commit message
Adding a new
Wiz Cloud Configuration Finding Full Posturedata stream, which in contrast to the existingWiz Cloud Configuration Findingdata stream, ingests all Cloud Configuration Finding data every 24h to match the logic of the native Cloud Security Posture integration used bycloudbeat. Updated latest misconfigurations transform to use this new data stream as a source. Due to the change in the transform, this might be a breaking change for customers, they need to enable the new data stream when updating to still receive findings in their Findings > Misconfigurations view and other flows relying on cloud security posture dataChecklist
changelog.ymlfile.Author's Checklist
How to test this PR locally
elastic-package buildelastic-package stack upRelated issues
Related to:
Screenshots