Add new AWS Security Hub Findings Full Posture data stream and update misconfig transform to use it

[maxcold]

Proposed commit message

Similar to #12961, adding a new AWS Security Hub Findings Full Posture data stream, which in contrast to the existing AWS Security Hub Findings data stream, ingests all Security Hub Findings data every 24h to match the logic of the native Cloud Security Posture integration used by cloudbeat. Updated latest misconfigurations transform to use this new data stream as a source. Due to the change in the transform, this might be a breaking change for customers, they need to enable the new data stream when updating to still receive findings in their Findings > Misconfigurations view and other flows relying on cloud security posture data

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.
• I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

• [ ]

How to test this PR locally

1. build package with elastic-package build
2. start the stack corresponding to the Kibana version from the manifest with elastic-package stack up
3. Install the integration and ingest AWS Security Hub Findings Full Posture data, findings from AWS should appear in Findings > Misconfiguration

Related issues

Related to:

• Implement full posture data stream for AWS SecurityHub findings kibana#208933
• Add new Wiz Cloud Configuration Finding Full Posture data stream and update misconfig transform to use it #12961

Screenshots

[elastic-vault-github-plugin-prod]

🚀 Benchmarks report

Package aws 👍(11) 💚(5) 💔(4)

Expand to view

Data stream	Previous EPS	New EPS	Diff (%)	Result
inspector	1988.07	1658.37	-329.7 (-16.58%)	💔
route53_public_logs	12820.51	10000	-2820.51 (-22%)	💔
apigateway_logs	9803.92	6410.26	-3393.66 (-34.62%)	💔
firewall_logs	3623.19	2808.99	-814.2 (-22.47%)	💔

To see the full report comment with /test benchmark fullreport

[elasticmachine]

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

[seanrathier]

Wow, lots of detail here beyond my current integration knowledge so I will approve. Maybe another reviewer will notice something.

[maxcold]

@kcreddy it looks like 100 is maximum in AWS SDK, i get error

Error while processing http request: failed to collect first response: failed to execute http POST: server responded with status code 400: {"Code":"InvalidInputException","Type":"InvalidInputException","RequestId":"a31ba92d-e9e8-4299-b2e3-493651a7fdb0","Message":"Invalid parameter 'MaxResults'. '500' is greater than maximum value: 100."}

[kcreddy]

Thanks for the info

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: 0244fba

History

• 💚 Build #24829 succeeded 78704c6
• 💚 Build #24777 succeeded a55ea64
• 💔 Build #24752 failed 51a7692
• 💔 Build #24743 failed ec92e42
• 💔 Build #24742 failed 83bb07d
• 💔 Build #24741 failed 78d21b7

[elastic-sonarqube]

Quality Gate failed

Failed conditions
73.8% Coverage on New Code (required ≥ 80%)

See analysis details on SonarQube

[elastic-vault-github-plugin-prod]

Package aws - 3.0.0 containing this change is available at https://epr.elastic.co/package/aws/3.0.0/