diff --git a/packages/wiz/_dev/build/docs/README.md b/packages/wiz/_dev/build/docs/README.md index 1e1a84efdd2..7a61bb9bea4 100644 --- a/packages/wiz/_dev/build/docs/README.md +++ b/packages/wiz/_dev/build/docs/README.md @@ -57,6 +57,7 @@ Agentless deployments are only supported in Elastic Serverless and Elastic Cloud | Issue | read:issues | | Vulnerability | read:vulnerabilities | | Cloud Configuration Finding | read:cloud_configuration | + | Cloud Configuration Finding Full Posture | read:cloud_configuration | ### To obtain the Wiz URL 1. Navigate to your user profile and copy the API Endpoint URL. @@ -105,6 +106,16 @@ This is the `Cloud Configuration Finding` dataset. {{fields "cloud_configuration_finding"}} +### Cloud Configuration Finding Full Posture + +This is the `Cloud Configuration Finding Full Posture` dataset. + +#### Example + +{{event "cloud_configuration_finding_full_posture"}} + +{{fields "cloud_configuration_finding_full_posture"}} + ### Issue This is the `Issue` dataset. diff --git a/packages/wiz/_dev/deploy/docker/docker-compose.yml b/packages/wiz/_dev/deploy/docker/docker-compose.yml index fd0fe808af1..b66816f821f 100644 --- a/packages/wiz/_dev/deploy/docker/docker-compose.yml +++ b/packages/wiz/_dev/deploy/docker/docker-compose.yml @@ -26,6 +26,19 @@ services: - http-server - --addr=:8090 - --config=/files/config-cloud_configuration_finding.yml + wiz-cloud_configuration_finding_full_posture: + image: docker.elastic.co/observability/stream:v0.15.0 + hostname: wiz-cloud_configuration_finding_full_posture + ports: + - 8090 + volumes: + - ./files:/files:ro + environment: + PORT: '8090' + command: + - http-server + - --addr=:8090 + - --config=/files/config-cloud_configuration_finding_full_posture.yml wiz-issue: image: docker.elastic.co/observability/stream:v0.15.0 hostname: wiz-issue 
diff --git a/packages/wiz/_dev/deploy/docker/files/config-cloud_configuration_finding_full_posture.yml b/packages/wiz/_dev/deploy/docker/files/config-cloud_configuration_finding_full_posture.yml
new file mode 100644
index 00000000000..12d25aaf9e0
--- /dev/null
+++ b/packages/wiz/_dev/deploy/docker/files/config-cloud_configuration_finding_full_posture.yml
@@ -0,0 +1,127 @@ +rules: + - path: /oauth/token + methods: ['POST'] + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: | + {"access_token":"xxxx","expires_in":3600,"token_type":"Bearer","refresh_token":"yyyy"} + - path: /graphql + methods: ['POST'] + request_headers: + Authorization: + - 'Bearer xxxx' + request_body: /.*"after":null.*/ + responses: + - status_code: 200 + headers: + Content-Type: + - application/json + body: |- + {{ minify_json ` + { + "data": { + "configurationFindings": { + "nodes": [ + { + "analyzedAt": "2024-08-07T12:55:52.012378Z", + "id": "1243196d-a365-589a-a8aa-13817c9877b2", + "remediation": null, + "resource": { + "id": "f0f4163d-cbd7-517c-ba9e-f96bb90ab5ea", + "name": "Root user", + "nativeType": "rootUser", + "providerId": "arn:aws:iam::998231069301:root", + "region": null, + "cloudPlatform": "EKS", + "subscription": { + "cloudProvider": "AWS", + "externalId": "998231069301", + "id": "94e76baa-85fd-5928-b829-1669a2ca9660", + "name": "wiz-integrations" + }, + "tags": [], + "type": "USER_ACCOUNT" + }, + "result": "PASS", + "rule": { + "description": "description", + "id": "563ed717-4fb6-47fd-929e-9c794e201d0a", + "name": "Root account access keys should not exist", + "remediationInstructions": "instructions", + "shortId": "IAM-006" + }, + "severity": "MEDIUM" + } + ], + "pageInfo": { + "hasNextPage": true, + "endCursor": "eyJmaWVsZHMiOlt7IkZpZWxkIjoiVGltZXN0YW1wIiwiVmFsdWUiOiIyMDIzLTA5LTA0VDExOjE5OjM3LjgwMTU0MVoifV19" + } + } + } + } + `}} + - path: /graphql + methods: ['POST'] + request_headers: + Authorization: + - 'Bearer xxxx' + request_body: /.*"after":"eyJmaWVsZHMiOlt7IkZpZWxkIjoiVGltZXN0YW1wIiwiVmFsdWUiOiIyMDIzLTA5LTA0VDExOjE5OjM3LjgwMTU0MVoifV19".*/ + responses: + - status_code: 200 + headers: + Content-Type: + - application/json + body: |- + {{ minify_json ` + { + "data": { + "configurationFindings": { + "nodes": [ + { + "analyzedAt": "2024-08-15T11:41:17.517926Z", + "id": 
"6fe49e83-2f3a-5b62-99de-beae16c7bfae", + "remediation": null, + "resource": { + "id": "8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f", + "name": "annam-vm", + "nativeType": "Microsoft.Compute/virtualMachines", + "providerId": "80045425-a0a9-4457-82c2-2c5f47419d83", + "region": "eastus", + "subscription": { + "cloudProvider": "Azure", + "externalId": "434f3cbb-30f2-4bc0-8bba-cb080280652b", + "id": "064ecbb5-19ee-540d-b9f5-99c3a4e2d0db", + "name": "partner integrations" + }, + "tags": [], + "type": "VIRTUAL_MACHINE" + }, + "result": "PASS", + "rule": { + "description": "description", + "id": "56c8890d-ad68-4659-9414-fb0ed7258c31", + "name": "Virtual Machine should not be stopped (allocated) for more than a week", + "remediationInstructions": "remediation", + "shortId": "VirtualMachines-021" + }, + "severity": "LOW", + "evidence": { + "cloudConfigurationLink": "https://learn.microsoft.com/en-us/azure/virtual-machines/states-billing", + "configurationPath": null, + "currentValue": "The VM is stopped(allocated) since 2024-08-15", + "expectedValue": "The VM should be used or deallocated" + } + } + ], + "pageInfo": { + "hasNextPage": false, + "endCursor": "eMJmaWVsZIkZpZWxkIjoiVGltZXN0YW1wIiwiVmFsdWUiOiIyMDIzLTA5LTA0VDExOjE5OjM3LjgwMTU0MVoifV19" + } + } + } + } + `}} diff --git a/packages/wiz/changelog.yml b/packages/wiz/changelog.yml index 99544834b6b..cf1c09d3892 100644 --- a/packages/wiz/changelog.yml +++ b/packages/wiz/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "3.0.0" + changes: + - description: Add new Cloud Configuration Finding Full Posture data stream. If you rely on Findings > Misconfigurations view, enable this new data stream. + type: breaking-change + link: https://github.com/elastic/integrations/pull/12961 - version: "2.10.0" changes: - description: Rely on external ecs for ESC fields. event.id changed from text to keyword 
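Review bot: The `/oauth/token` rule at the top of this file hands out `Bearer xxxx` to any POST — unlike the two `/graphql` rules it has no `request_body` or `request_headers` matcher, so the system test cannot detect a regression in how the input posts its client credentials, grant type or audience to Wiz. Adding a matcher on the body the agent actually sends (presumably something like `request_body: /.*grant_type=client_credentials.*/` — confirm against the input's request template) would make the token exchange part of what the mock verifies rather than a free pass. The second `/graphql` rule also keys only on the exact `after` cursor from page one; if pagination ever sends a different cursor the request matches nothing and the failure surfaces only as a missing second document, so a final catch-all `/graphql` rule returning a non-200 status with a short error body would make that failure explicit. The hunk covers the whole new file, so these are self-contained additions.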
diff --git a/packages/wiz/data_stream/cloud_configuration_finding_full_posture/_dev/test/pipeline/test-cloud-configuration-finding-full-posture.log b/packages/wiz/data_stream/cloud_configuration_finding_full_posture/_dev/test/pipeline/test-cloud-configuration-finding-full-posture.log
new file mode 100644
index 00000000000..28c8516df89
--- /dev/null
+++ b/packages/wiz/data_stream/cloud_configuration_finding_full_posture/_dev/test/pipeline/test-cloud-configuration-finding-full-posture.log
@@ -0,0 +1,7 @@ +{"id":"bdeba988-f41b-55e6-9b99-96b8d3dc67d4","targetExternalId":"k8s/pod/da99fd668e64c2def251b1d48b7b69ad3129638787a0f9144a993fe30fd4554f/default/cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx","targetObjectProviderUniqueId":"cd971d74-92db-495c-8244-82da9a988fd0","firstSeenAt":"2023-06-12T11:38:07.900129Z","analyzedAt":"2023-06-12T11:38:07.900129Z","severity":"LOW","result":"FAIL","status":"OPEN","remediation":"Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \r\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . \r\n* `securityContext.capabilities.drop` key is set to `ALL`. \r\n","resource":{"id":"0e814bb7-29e8-5c15-be9c-8da42c67ee99","providerId":"provider-id-0e814bb7-29e8-5c15-be9c-8da42c67ee99","name":"cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx","nativeType":"Pod","type":"POD","region":null,"subscription":{"id":"a3a3cc43-1dfd-50f1-882e-692840d4a891","name":"Wiz - DEV Outpost","externalId":"cfd132be-3bc7-4f86-8efd-ed53ae498fec","cloudProvider":"Azure"},"projects":null,"tags":[{"key":"pod-template-hash","value":"8bc677d64"},{"key":"app.kubernetes.io/name","value":"azure-cluster-autoscaler"},{"key":"app.kubernetes.io/instance","value":"cluster-autoscaler"}]},"rule":{"id":"73553de7-f2ad-4ffb-b425-c69815033530","shortId":"Pod-32","graphId":"99ffeef7-75df-5c88-9265-5ab50ffbc2b9","name":"Pod should run containers with authorized additional capabilities (PSS Restricted)","description":"This rule is part of the Kubernetes [Pod Security Standards (PSS) restricted policies](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). \nThis rule checks whether the pod is running containers with authorized additional capabilities. 
\nThis rule fails if the `securityContext.capabilities.add` contains any capability beyond `NET_BIND_SERVICE` and if `securityContext.capabilities.drop` is not set to `ALL`. \nBy default, if the `securityContext.capabilities.add` key is not set, the pod will not run with additional capabilities, and the rule will pass. \nLinux capabilities allow granting certain privileges to a container without granting any unnecessary ones intended for the root user.","remediationInstructions":"Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \r\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . \r\n* `securityContext.capabilities.drop` key is set to `ALL`. \r\n","functionAsControl":false},"securitySubCategories":[{"id":"wsct-id-5206","title":"Container Security","category":{"id":"wct-id-423","name":"9 Container Security","framework":{"id":"wf-id-1","name":"Wiz"}}},{"id":"wsct-id-8176","title":"5.1 Containers should not run with additional capabilities","category":{"id":"wct-id-1295","name":"5 Capabilities","framework":{"id":"wf-id-57","name":"Kubernetes Pod Security Standards (Restricted)"}}},{"id":"wsct-id-8344","title":"Cluster misconfiguration","category":{"id":"wct-id-1169","name":"2 Container & Kubernetes Security","framework":{"id":"wf-id-53","name":"Wiz Detailed"}}}]} +{"analyzedAt":"2024-08-07T12:55:52.012378Z","id":"1243196d-a365-589a-a8aa-13817c9877b2","remediation":null,"resource":{"id":"f0f4163d-cbd7-517c-ba9e-f96bb90ab5ea","name":"Root user","nativeType":"rootUser","providerId":"arn:aws:iam::998231069301:root","region":null,"cloudPlatform":"EKS","subscription":{"cloudProvider":"AWS","externalId":"998231069301","id":"94e76baa-85fd-5928-b829-1669a2ca9660","name":"wiz-integrations"},"tags":[],"type":"USER_ACCOUNT"},"result":"PASS","rule":{"description":"This rule checks if the AWS Root Account has access keys. 
\nThis rule fails if `AccountAccessKeysPresent` is not set to `0`. Note that it does not take into consideration the status of the keys if present. \nThe root account should avoid using access keys. Since the root account has full permissions across the entire account, creating access keys for it increases the chance that they will be compromised. Instead, it is recommended to create IAM users with predefined roles.\n>**Note** \nSee Cloud Configuration Rule `IAM-207` to see if the Root account's access keys are active.","id":"563ed717-4fb6-47fd-929e-9c794e201d0a","name":"Root account access keys should not exist","remediationInstructions":"Perform the following steps, while being signed in as the Root user, in order to delete the root user's access keys via AWS CLI: \n1. Use the following command to list the Root user's access keys. \nCopy the `AccessKeyId` from the output and paste it into the `access-key-id` value in the next step. \n```\naws iam list-access-keys\n```\n2. Use the following command to delete the access key(s). \n```\naws iam delete-access-key /\n --access-key-id \n```\n>**Note** \nOnce an access key is removed, any application using it will not work until a new one is configured for it.","shortId":"IAM-006"},"severity":"MEDIUM"} +{"analyzedAt":"2024-08-15T11:41:17.517926Z","id":"6fe49e83-2f3a-5b62-99de-beae16c7bfae","remediation":null,"resource":{"id":"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f","name":"annam-vm","nativeType":"Microsoft.Compute/virtualMachines","providerId":"80045425-a0a9-4457-82c2-2c5f47419d83","region":"eastus","subscription":{"cloudProvider":"Azure","externalId":"434f3cbb-30f2-4bc0-8bba-cb080280652b","id":"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db","name":"partner integrations"},"tags":[],"type":"VIRTUAL_MACHINE"},"result":"PASS","rule":{"description":"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. 
\nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. \nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.","id":"56c8890d-ad68-4659-9414-fb0ed7258c31","name":"Virtual Machine should not be stopped (allocated) for more than a week","remediationInstructions":"Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```","shortId":"VirtualMachines-021"},"severity":"LOW","evidence":{"cloudConfigurationLink":"https://learn.microsoft.com/en-us/azure/virtual-machines/states-billing","configurationPath":null,"currentValue":"The VM is stopped(allocated) since 2024-08-15","expectedValue":"The VM should be used or deallocated"}} +{"analyzedAt":"2024-08-15T11:41:17.517926Z","id":"6fe49e83-2f3a-5b62-99de-beae16c7bfae","remediation":null,"resource":{"id":"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f","name":"annam-VM","nativeType":"Microsoft.Compute/virtualMachines","providerId":"80045425-a0a9-4457-82c2-2c5f47419d83","region":"eastus","subscription":{"cloudProvider":"Azure","externalId":"434f3cbb-30f2-4bc0-8bba-cb080280652b","id":"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db","name":"partner integrations"},"tags":[],"type":"VIRTUAL_MACHINE"},"result":"IN_PROGRESS","rule":{"description":"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. 
\nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. \nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.","id":"56c8890d-ad68-4659-9414-fb0ed7258c31","name":"Virtual Machine should not be stopped (allocated) for more than a week","remediationInstructions":"Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```","shortId":"VirtualMachines-021"},"severity":"LOW"} +{"analyzedAt":"2024-08-15T11:41:17.517926Z","id":"6fe49e83-2f3a-5b62-99de-beae16c7bfae","remediation":null,"resource":{"id":"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f","name":"annam-VM","nativeType":"Microsoft.Compute/virtualMachines","providerId":"80045425-a0a9-4457-82c2-2c5f47419d83","region":"eastus","subscription":{"cloudProvider":"Azure","externalId":"434f3cbb-30f2-4bc0-8bba-cb080280652b","id":"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db","name":"partner integrations"},"tags":[],"type":"VIRTUAL_MACHINE"},"result":"IN_PROGRESS","rule":{"description":"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). 
This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. \nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.","id":"56c8890d-ad68-4659-9414-fb0ed7258c31","name":"Virtual Machine should not be stopped (allocated) for more than a week","remediationInstructions":"Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```","shortId":"VirtualMachines-021"},"severity":"LOW"} +{"analyzedAt":"2024-08-15T11:41:17.517926Z","id":"6fe49e83-2f3a-5b62-99de-beae16c7bfae-empty-provider-id","remediation":null,"resource":{"id":"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f","name":"annam-VM","nativeType":"Microsoft.Compute/virtualMachines","providerId":"","region":"eastus","subscription":{"cloudProvider":"Azure","externalId":"434f3cbb-30f2-4bc0-8bba-cb080280652b","id":"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db","name":"partner integrations"},"tags":[],"type":"VIRTUAL_MACHINE"},"result":"IN_PROGRESS","rule":{"description":"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. 
The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. \nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.","id":"56c8890d-ad68-4659-9414-fb0ed7258c31","name":"Virtual Machine should not be stopped (allocated) for more than a week","remediationInstructions":"Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```","shortId":"VirtualMachines-021"},"severity":"LOW"} +{"analyzedAt":"2024-08-15T11:41:17.517926Z","id":"6fe49e83-2f3a-5b62-99de-beae16c7bfae-missing-provider-id","remediation":null,"resource":{"id":"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f","name":"annam-VM","nativeType":"Microsoft.Compute/virtualMachines","region":"eastus","subscription":{"cloudProvider":"Azure","externalId":"434f3cbb-30f2-4bc0-8bba-cb080280652b","id":"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db","name":"partner integrations"},"tags":[],"type":"VIRTUAL_MACHINE"},"result":"IN_PROGRESS","rule":{"description":"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. 
\nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.","id":"56c8890d-ad68-4659-9414-fb0ed7258c31","name":"Virtual Machine should not be stopped (allocated) for more than a week","remediationInstructions":"Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```","shortId":"VirtualMachines-021"},"severity":"LOW"} \ No newline at end of file diff --git a/packages/wiz/data_stream/cloud_configuration_finding_full_posture/_dev/test/pipeline/test-cloud-configuration-finding-full-posture.log-expected.json b/packages/wiz/data_stream/cloud_configuration_finding_full_posture/_dev/test/pipeline/test-cloud-configuration-finding-full-posture.log-expected.json new file mode 100644 index 00000000000..2933675bb84 --- /dev/null +++ b/packages/wiz/data_stream/cloud_configuration_finding_full_posture/_dev/test/pipeline/test-cloud-configuration-finding-full-posture.log-expected.json 
@@ -0,0 +1,565 @@ +{ + "expected": [ + { + "cloud": { + "account": { + "id": "cfd132be-3bc7-4f86-8efd-ed53ae498fec", + "name": "Wiz - DEV Outpost" + }, + "provider": "azure" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "configuration" + ], + "created": "2023-06-12T11:38:07.900Z", + "id": "bdeba988-f41b-55e6-9b99-96b8d3dc67d4", + "kind": "state", + "original": "{\"id\":\"bdeba988-f41b-55e6-9b99-96b8d3dc67d4\",\"targetExternalId\":\"k8s/pod/da99fd668e64c2def251b1d48b7b69ad3129638787a0f9144a993fe30fd4554f/default/cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx\",\"targetObjectProviderUniqueId\":\"cd971d74-92db-495c-8244-82da9a988fd0\",\"firstSeenAt\":\"2023-06-12T11:38:07.900129Z\",\"analyzedAt\":\"2023-06-12T11:38:07.900129Z\",\"severity\":\"LOW\",\"result\":\"FAIL\",\"status\":\"OPEN\",\"remediation\":\"Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \\r\\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . \\r\\n* `securityContext.capabilities.drop` key is set to `ALL`. 
\\r\\n\",\"resource\":{\"id\":\"0e814bb7-29e8-5c15-be9c-8da42c67ee99\",\"providerId\":\"provider-id-0e814bb7-29e8-5c15-be9c-8da42c67ee99\",\"name\":\"cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx\",\"nativeType\":\"Pod\",\"type\":\"POD\",\"region\":null,\"subscription\":{\"id\":\"a3a3cc43-1dfd-50f1-882e-692840d4a891\",\"name\":\"Wiz - DEV Outpost\",\"externalId\":\"cfd132be-3bc7-4f86-8efd-ed53ae498fec\",\"cloudProvider\":\"Azure\"},\"projects\":null,\"tags\":[{\"key\":\"pod-template-hash\",\"value\":\"8bc677d64\"},{\"key\":\"app.kubernetes.io/name\",\"value\":\"azure-cluster-autoscaler\"},{\"key\":\"app.kubernetes.io/instance\",\"value\":\"cluster-autoscaler\"}]},\"rule\":{\"id\":\"73553de7-f2ad-4ffb-b425-c69815033530\",\"shortId\":\"Pod-32\",\"graphId\":\"99ffeef7-75df-5c88-9265-5ab50ffbc2b9\",\"name\":\"Pod should run containers with authorized additional capabilities (PSS Restricted)\",\"description\":\"This rule is part of the Kubernetes [Pod Security Standards (PSS) restricted policies](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). \\nThis rule checks whether the pod is running containers with authorized additional capabilities. \\nThis rule fails if the `securityContext.capabilities.add` contains any capability beyond `NET_BIND_SERVICE` and if `securityContext.capabilities.drop` is not set to `ALL`. \\nBy default, if the `securityContext.capabilities.add` key is not set, the pod will not run with additional capabilities, and the rule will pass. \\nLinux capabilities allow granting certain privileges to a container without granting any unnecessary ones intended for the root user.\",\"remediationInstructions\":\"Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \\r\\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . 
\\r\\n* `securityContext.capabilities.drop` key is set to `ALL`. \\r\\n\",\"functionAsControl\":false},\"securitySubCategories\":[{\"id\":\"wsct-id-5206\",\"title\":\"Container Security\",\"category\":{\"id\":\"wct-id-423\",\"name\":\"9 Container Security\",\"framework\":{\"id\":\"wf-id-1\",\"name\":\"Wiz\"}}},{\"id\":\"wsct-id-8176\",\"title\":\"5.1 Containers should not run with additional capabilities\",\"category\":{\"id\":\"wct-id-1295\",\"name\":\"5 Capabilities\",\"framework\":{\"id\":\"wf-id-57\",\"name\":\"Kubernetes Pod Security Standards (Restricted)\"}}},{\"id\":\"wsct-id-8344\",\"title\":\"Cluster misconfiguration\",\"category\":{\"id\":\"wct-id-1169\",\"name\":\"2 Container & Kubernetes Security\",\"framework\":{\"id\":\"wf-id-53\",\"name\":\"Wiz Detailed\"}}}]}", + "outcome": "failure", + "type": [ + "info" + ] + }, + "observer": { + "vendor": "Wiz" + }, + "resource": { + "id": "provider-id-0e814bb7-29e8-5c15-be9c-8da42c67ee99", + "name": "cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx", + "sub_type": "Pod", + "type": "POD" + }, + "result": { + "evaluation": "failed" + }, + "rule": { + "description": "This rule is part of the Kubernetes [Pod Security Standards (PSS) restricted policies](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). \nThis rule checks whether the pod is running containers with authorized additional capabilities. \nThis rule fails if the `securityContext.capabilities.add` contains any capability beyond `NET_BIND_SERVICE` and if `securityContext.capabilities.drop` is not set to `ALL`. \nBy default, if the `securityContext.capabilities.add` key is not set, the pod will not run with additional capabilities, and the rule will pass. 
\nLinux capabilities allow granting certain privileges to a container without granting any unnecessary ones intended for the root user.", + "id": "Pod-32", + "name": "Pod should run containers with authorized additional capabilities (PSS Restricted)", + "remediation": "Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \r\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . \r\n* `securityContext.capabilities.drop` key is set to `ALL`. \r\n", + "uuid": "73553de7-f2ad-4ffb-b425-c69815033530" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "wiz": { + "cloud_configuration_finding_full_posture": { + "analyzed_at": "2023-06-12T11:38:07.900Z", + "id": "bdeba988-f41b-55e6-9b99-96b8d3dc67d4", + "resource": { + "id": "0e814bb7-29e8-5c15-be9c-8da42c67ee99", + "name": "cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx", + "native_type": "Pod", + "provider_id": "provider-id-0e814bb7-29e8-5c15-be9c-8da42c67ee99", + "subscription": { + "cloud_provider": "Azure", + "external_id": "cfd132be-3bc7-4f86-8efd-ed53ae498fec", + "name": "Wiz - DEV Outpost" + }, + "type": "POD" + }, + "result": "FAIL", + "rule": { + "description": "This rule is part of the Kubernetes [Pod Security Standards (PSS) restricted policies](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). \nThis rule checks whether the pod is running containers with authorized additional capabilities. \nThis rule fails if the `securityContext.capabilities.add` contains any capability beyond `NET_BIND_SERVICE` and if `securityContext.capabilities.drop` is not set to `ALL`. \nBy default, if the `securityContext.capabilities.add` key is not set, the pod will not run with additional capabilities, and the rule will pass. 
\nLinux capabilities allow granting certain privileges to a container without granting any unnecessary ones intended for the root user.", + "id": "73553de7-f2ad-4ffb-b425-c69815033530", + "name": "Pod should run containers with authorized additional capabilities (PSS Restricted)", + "remediation_instructions": "Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \r\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . \r\n* `securityContext.capabilities.drop` key is set to `ALL`. \r\n", + "short_id": "Pod-32" + }, + "status": "OPEN" + } + } + }, + { + "cloud": { + "account": { + "id": "998231069301", + "name": "wiz-integrations" + }, + "provider": "aws", + "service": { + "name": "eks" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "configuration" + ], + "created": "2024-08-07T12:55:52.012Z", + "id": "1243196d-a365-589a-a8aa-13817c9877b2", + "kind": "state", + "original": "{\"analyzedAt\":\"2024-08-07T12:55:52.012378Z\",\"id\":\"1243196d-a365-589a-a8aa-13817c9877b2\",\"remediation\":null,\"resource\":{\"id\":\"f0f4163d-cbd7-517c-ba9e-f96bb90ab5ea\",\"name\":\"Root user\",\"nativeType\":\"rootUser\",\"providerId\":\"arn:aws:iam::998231069301:root\",\"region\":null,\"cloudPlatform\":\"EKS\",\"subscription\":{\"cloudProvider\":\"AWS\",\"externalId\":\"998231069301\",\"id\":\"94e76baa-85fd-5928-b829-1669a2ca9660\",\"name\":\"wiz-integrations\"},\"tags\":[],\"type\":\"USER_ACCOUNT\"},\"result\":\"PASS\",\"rule\":{\"description\":\"This rule checks if the AWS Root Account has access keys. \\nThis rule fails if `AccountAccessKeysPresent` is not set to `0`. Note that it does not take into consideration the status of the keys if present. \\nThe root account should avoid using access keys. 
Since the root account has full permissions across the entire account, creating access keys for it increases the chance that they will be compromised. Instead, it is recommended to create IAM users with predefined roles.\\n>**Note** \\nSee Cloud Configuration Rule `IAM-207` to see if the Root account's access keys are active.\",\"id\":\"563ed717-4fb6-47fd-929e-9c794e201d0a\",\"name\":\"Root account access keys should not exist\",\"remediationInstructions\":\"Perform the following steps, while being signed in as the Root user, in order to delete the root user's access keys via AWS CLI: \\n1. Use the following command to list the Root user's access keys. \\nCopy the `AccessKeyId` from the output and paste it into the `access-key-id` value in the next step. \\n```\\naws iam list-access-keys\\n```\\n2. Use the following command to delete the access key(s). \\n```\\naws iam delete-access-key /\\n --access-key-id \\n```\\n>**Note** \\nOnce an access key is removed, any application using it will not work until a new one is configured for it.\",\"shortId\":\"IAM-006\"},\"severity\":\"MEDIUM\"}", + "outcome": "success", + "type": [ + "info" + ] + }, + "observer": { + "vendor": "Wiz" + }, + "resource": { + "id": "arn:aws:iam::998231069301:root", + "name": "Root user", + "sub_type": "rootUser", + "type": "USER_ACCOUNT" + }, + "result": { + "evaluation": "passed" + }, + "rule": { + "description": "This rule checks if the AWS Root Account has access keys. \nThis rule fails if `AccountAccessKeysPresent` is not set to `0`. Note that it does not take into consideration the status of the keys if present. \nThe root account should avoid using access keys. Since the root account has full permissions across the entire account, creating access keys for it increases the chance that they will be compromised. 
Instead, it is recommended to create IAM users with predefined roles.\n>**Note** \nSee Cloud Configuration Rule `IAM-207` to see if the Root account's access keys are active.", + "id": "IAM-006", + "name": "Root account access keys should not exist", + "remediation": "Perform the following steps, while being signed in as the Root user, in order to delete the root user's access keys via AWS CLI: \n1. Use the following command to list the Root user's access keys. \nCopy the `AccessKeyId` from the output and paste it into the `access-key-id` value in the next step. \n```\naws iam list-access-keys\n```\n2. Use the following command to delete the access key(s). \n```\naws iam delete-access-key /\n --access-key-id \n```\n>**Note** \nOnce an access key is removed, any application using it will not work until a new one is configured for it.", + "uuid": "563ed717-4fb6-47fd-929e-9c794e201d0a" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "id": "arn:aws:iam::998231069301:root", + "name": "Root user" + }, + "wiz": { + "cloud_configuration_finding_full_posture": { + "analyzed_at": "2024-08-07T12:55:52.012Z", + "id": "1243196d-a365-589a-a8aa-13817c9877b2", + "resource": { + "cloud_platform": "EKS", + "id": "f0f4163d-cbd7-517c-ba9e-f96bb90ab5ea", + "name": "Root user", + "native_type": "rootUser", + "provider_id": "arn:aws:iam::998231069301:root", + "subscription": { + "cloud_provider": "AWS", + "external_id": "998231069301", + "name": "wiz-integrations" + }, + "type": "USER_ACCOUNT" + }, + "result": "PASS", + "rule": { + "description": "This rule checks if the AWS Root Account has access keys. \nThis rule fails if `AccountAccessKeysPresent` is not set to `0`. Note that it does not take into consideration the status of the keys if present. \nThe root account should avoid using access keys. 
Since the root account has full permissions across the entire account, creating access keys for it increases the chance that they will be compromised. Instead, it is recommended to create IAM users with predefined roles.\n>**Note** \nSee Cloud Configuration Rule `IAM-207` to see if the Root account's access keys are active.", + "id": "563ed717-4fb6-47fd-929e-9c794e201d0a", + "name": "Root account access keys should not exist", + "remediation_instructions": "Perform the following steps, while being signed in as the Root user, in order to delete the root user's access keys via AWS CLI: \n1. Use the following command to list the Root user's access keys. \nCopy the `AccessKeyId` from the output and paste it into the `access-key-id` value in the next step. \n```\naws iam list-access-keys\n```\n2. Use the following command to delete the access key(s). \n```\naws iam delete-access-key /\n --access-key-id \n```\n>**Note** \nOnce an access key is removed, any application using it will not work until a new one is configured for it.", + "short_id": "IAM-006" + } + } + } + }, + { + "cloud": { + "account": { + "id": "434f3cbb-30f2-4bc0-8bba-cb080280652b", + "name": "partner integrations" + }, + "provider": "azure", + "region": "eastus" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "configuration" + ], + "created": "2024-08-15T11:41:17.517Z", + "id": "6fe49e83-2f3a-5b62-99de-beae16c7bfae", + "kind": "state", + "original": "{\"analyzedAt\":\"2024-08-15T11:41:17.517926Z\",\"id\":\"6fe49e83-2f3a-5b62-99de-beae16c7bfae\",\"remediation\":null,\"resource\":{\"id\":\"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f\",\"name\":\"annam-vm\",\"nativeType\":\"Microsoft.Compute/virtualMachines\",\"providerId\":\"80045425-a0a9-4457-82c2-2c5f47419d83\",\"region\":\"eastus\",\"subscription\":{\"cloudProvider\":\"Azure\",\"externalId\":\"434f3cbb-30f2-4bc0-8bba-cb080280652b\",\"id\":\"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db\",\"name\":\"partner 
integrations\"},\"tags\":[],\"type\":\"VIRTUAL_MACHINE\"},\"result\":\"PASS\",\"rule\":{\"description\":\"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \\nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \\nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. \\nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.\",\"id\":\"56c8890d-ad68-4659-9414-fb0ed7258c31\",\"name\":\"Virtual Machine should not be stopped (allocated) for more than a week\",\"remediationInstructions\":\"Perform the following command to deallocate the VM via Azure CLI:\\n```\\naz vm deallocate \\\\\\n\\t--ids {{vmId}}\\n```\",\"shortId\":\"VirtualMachines-021\"},\"severity\":\"LOW\",\"evidence\":{\"cloudConfigurationLink\":\"https://learn.microsoft.com/en-us/azure/virtual-machines/states-billing\",\"configurationPath\":null,\"currentValue\":\"The VM is stopped(allocated) since 2024-08-15\",\"expectedValue\":\"The VM should be used or deallocated\"}}", + "outcome": "success", + "type": [ + "info" + ] + }, + "host": { + "name": "annam-vm" + }, + "observer": { + "vendor": "Wiz" + }, + "resource": { + "id": "80045425-a0a9-4457-82c2-2c5f47419d83", + "name": "annam-vm", + "sub_type": "Microsoft.Compute/virtualMachines", + "type": "VIRTUAL_MACHINE" + }, + "result": { + "evaluation": "passed", + "evidence": { + "cloud_configuration_link": 
"https://learn.microsoft.com/en-us/azure/virtual-machines/states-billing", + "current_value": "The VM is stopped(allocated) since 2024-08-15", + "expected_value": "The VM should be used or deallocated" + } + }, + "rule": { + "description": "This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. \nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.", + "id": "VirtualMachines-021", + "name": "Virtual Machine should not be stopped (allocated) for more than a week", + "reference": "https://learn.microsoft.com/en-us/azure/virtual-machines/states-billing", + "remediation": "Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```", + "uuid": "56c8890d-ad68-4659-9414-fb0ed7258c31" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "wiz": { + "cloud_configuration_finding_full_posture": { + "analyzed_at": "2024-08-15T11:41:17.517Z", + "evidence": { + "cloud_configuration_link": "https://learn.microsoft.com/en-us/azure/virtual-machines/states-billing", + "current_value": "The VM is stopped(allocated) since 2024-08-15", + "expected_value": "The VM should be used or deallocated" + }, + "id": "6fe49e83-2f3a-5b62-99de-beae16c7bfae", + "resource": { + "id": 
"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f", + "name": "annam-vm", + "native_type": "Microsoft.Compute/virtualMachines", + "provider_id": "80045425-a0a9-4457-82c2-2c5f47419d83", + "region": "eastus", + "subscription": { + "cloud_provider": "Azure", + "external_id": "434f3cbb-30f2-4bc0-8bba-cb080280652b", + "name": "partner integrations" + }, + "type": "VIRTUAL_MACHINE" + }, + "result": "PASS", + "rule": { + "description": "This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. 
\nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.", + "id": "56c8890d-ad68-4659-9414-fb0ed7258c31", + "name": "Virtual Machine should not be stopped (allocated) for more than a week", + "remediation_instructions": "Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```", + "short_id": "VirtualMachines-021" + } + } + } + }, + { + "cloud": { + "account": { + "id": "434f3cbb-30f2-4bc0-8bba-cb080280652b", + "name": "partner integrations" + }, + "provider": "azure", + "region": "eastus" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "configuration" + ], + "created": "2024-08-15T11:41:17.517Z", + "id": "6fe49e83-2f3a-5b62-99de-beae16c7bfae", + "kind": "state", + "original": "{\"analyzedAt\":\"2024-08-15T11:41:17.517926Z\",\"id\":\"6fe49e83-2f3a-5b62-99de-beae16c7bfae\",\"remediation\":null,\"resource\":{\"id\":\"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f\",\"name\":\"annam-VM\",\"nativeType\":\"Microsoft.Compute/virtualMachines\",\"providerId\":\"80045425-a0a9-4457-82c2-2c5f47419d83\",\"region\":\"eastus\",\"subscription\":{\"cloudProvider\":\"Azure\",\"externalId\":\"434f3cbb-30f2-4bc0-8bba-cb080280652b\",\"id\":\"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db\",\"name\":\"partner integrations\"},\"tags\":[],\"type\":\"VIRTUAL_MACHINE\"},\"result\":\"IN_PROGRESS\",\"rule\":{\"description\":\"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \\nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \\nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). 
If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. \\nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.\",\"id\":\"56c8890d-ad68-4659-9414-fb0ed7258c31\",\"name\":\"Virtual Machine should not be stopped (allocated) for more than a week\",\"remediationInstructions\":\"Perform the following command to deallocate the VM via Azure CLI:\\n```\\naz vm deallocate \\\\\\n\\t--ids {{vmId}}\\n```\",\"shortId\":\"VirtualMachines-021\"},\"severity\":\"LOW\"}", + "outcome": "unknown", + "type": [ + "info" + ] + }, + "host": { + "name": "annam-vm" + }, + "observer": { + "vendor": "Wiz" + }, + "resource": { + "id": "80045425-a0a9-4457-82c2-2c5f47419d83", + "name": "annam-VM", + "sub_type": "Microsoft.Compute/virtualMachines", + "type": "VIRTUAL_MACHINE" + }, + "result": { + "evaluation": "unknown" + }, + "rule": { + "description": "This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. 
\nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.", + "id": "VirtualMachines-021", + "name": "Virtual Machine should not be stopped (allocated) for more than a week", + "remediation": "Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```", + "uuid": "56c8890d-ad68-4659-9414-fb0ed7258c31" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "wiz": { + "cloud_configuration_finding_full_posture": { + "analyzed_at": "2024-08-15T11:41:17.517Z", + "id": "6fe49e83-2f3a-5b62-99de-beae16c7bfae", + "resource": { + "id": "8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f", + "name": "annam-VM", + "native_type": "Microsoft.Compute/virtualMachines", + "provider_id": "80045425-a0a9-4457-82c2-2c5f47419d83", + "region": "eastus", + "subscription": { + "cloud_provider": "Azure", + "external_id": "434f3cbb-30f2-4bc0-8bba-cb080280652b", + "name": "partner integrations" + }, + "type": "VIRTUAL_MACHINE" + }, + "result": "IN_PROGRESS", + "rule": { + "description": "This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. 
\nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.", + "id": "56c8890d-ad68-4659-9414-fb0ed7258c31", + "name": "Virtual Machine should not be stopped (allocated) for more than a week", + "remediation_instructions": "Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```", + "short_id": "VirtualMachines-021" + } + } + } + }, + { + "cloud": { + "account": { + "id": "434f3cbb-30f2-4bc0-8bba-cb080280652b", + "name": "partner integrations" + }, + "provider": "azure", + "region": "eastus" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "configuration" + ], + "created": "2024-08-15T11:41:17.517Z", + "id": "6fe49e83-2f3a-5b62-99de-beae16c7bfae", + "kind": "state", + "original": "{\"analyzedAt\":\"2024-08-15T11:41:17.517926Z\",\"id\":\"6fe49e83-2f3a-5b62-99de-beae16c7bfae\",\"remediation\":null,\"resource\":{\"id\":\"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f\",\"name\":\"annam-VM\",\"nativeType\":\"Microsoft.Compute/virtualMachines\",\"providerId\":\"80045425-a0a9-4457-82c2-2c5f47419d83\",\"region\":\"eastus\",\"subscription\":{\"cloudProvider\":\"Azure\",\"externalId\":\"434f3cbb-30f2-4bc0-8bba-cb080280652b\",\"id\":\"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db\",\"name\":\"partner integrations\"},\"tags\":[],\"type\":\"VIRTUAL_MACHINE\"},\"result\":\"IN_PROGRESS\",\"rule\":{\"description\":\"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \\nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \\nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). 
If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. \\nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.\",\"id\":\"56c8890d-ad68-4659-9414-fb0ed7258c31\",\"name\":\"Virtual Machine should not be stopped (allocated) for more than a week\",\"remediationInstructions\":\"Perform the following command to deallocate the VM via Azure CLI:\\n```\\naz vm deallocate \\\\\\n\\t--ids {{vmId}}\\n```\",\"shortId\":\"VirtualMachines-021\"},\"severity\":\"LOW\"}", + "outcome": "unknown", + "type": [ + "info" + ] + }, + "host": { + "name": "annam-vm" + }, + "observer": { + "vendor": "Wiz" + }, + "resource": { + "id": "80045425-a0a9-4457-82c2-2c5f47419d83", + "name": "annam-VM", + "sub_type": "Microsoft.Compute/virtualMachines", + "type": "VIRTUAL_MACHINE" + }, + "result": { + "evaluation": "unknown" + }, + "rule": { + "description": "This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. 
\nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.", + "id": "VirtualMachines-021", + "name": "Virtual Machine should not be stopped (allocated) for more than a week", + "remediation": "Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```", + "uuid": "56c8890d-ad68-4659-9414-fb0ed7258c31" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "wiz": { + "cloud_configuration_finding_full_posture": { + "analyzed_at": "2024-08-15T11:41:17.517Z", + "id": "6fe49e83-2f3a-5b62-99de-beae16c7bfae", + "resource": { + "id": "8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f", + "name": "annam-VM", + "native_type": "Microsoft.Compute/virtualMachines", + "provider_id": "80045425-a0a9-4457-82c2-2c5f47419d83", + "region": "eastus", + "subscription": { + "cloud_provider": "Azure", + "external_id": "434f3cbb-30f2-4bc0-8bba-cb080280652b", + "name": "partner integrations" + }, + "type": "VIRTUAL_MACHINE" + }, + "result": "IN_PROGRESS", + "rule": { + "description": "This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. 
\nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.", + "id": "56c8890d-ad68-4659-9414-fb0ed7258c31", + "name": "Virtual Machine should not be stopped (allocated) for more than a week", + "remediation_instructions": "Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```", + "short_id": "VirtualMachines-021" + } + } + } + }, + { + "cloud": { + "account": { + "id": "434f3cbb-30f2-4bc0-8bba-cb080280652b", + "name": "partner integrations" + }, + "provider": "azure", + "region": "eastus" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "configuration" + ], + "created": "2024-08-15T11:41:17.517Z", + "id": "6fe49e83-2f3a-5b62-99de-beae16c7bfae-empty-provider-id", + "kind": "state", + "original": "{\"analyzedAt\":\"2024-08-15T11:41:17.517926Z\",\"id\":\"6fe49e83-2f3a-5b62-99de-beae16c7bfae-empty-provider-id\",\"remediation\":null,\"resource\":{\"id\":\"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f\",\"name\":\"annam-VM\",\"nativeType\":\"Microsoft.Compute/virtualMachines\",\"providerId\":\"\",\"region\":\"eastus\",\"subscription\":{\"cloudProvider\":\"Azure\",\"externalId\":\"434f3cbb-30f2-4bc0-8bba-cb080280652b\",\"id\":\"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db\",\"name\":\"partner integrations\"},\"tags\":[],\"type\":\"VIRTUAL_MACHINE\"},\"result\":\"IN_PROGRESS\",\"rule\":{\"description\":\"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \\nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \\nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). 
If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. \\nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.\",\"id\":\"56c8890d-ad68-4659-9414-fb0ed7258c31\",\"name\":\"Virtual Machine should not be stopped (allocated) for more than a week\",\"remediationInstructions\":\"Perform the following command to deallocate the VM via Azure CLI:\\n```\\naz vm deallocate \\\\\\n\\t--ids {{vmId}}\\n```\",\"shortId\":\"VirtualMachines-021\"},\"severity\":\"LOW\"}", + "outcome": "unknown", + "type": [ + "info" + ] + }, + "host": { + "name": "annam-vm" + }, + "observer": { + "vendor": "Wiz" + }, + "resource": { + "id": "8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f", + "name": "annam-VM", + "sub_type": "Microsoft.Compute/virtualMachines", + "type": "VIRTUAL_MACHINE" + }, + "result": { + "evaluation": "unknown" + }, + "rule": { + "description": "This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. 
\nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.", + "id": "VirtualMachines-021", + "name": "Virtual Machine should not be stopped (allocated) for more than a week", + "remediation": "Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```", + "uuid": "56c8890d-ad68-4659-9414-fb0ed7258c31" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "wiz": { + "cloud_configuration_finding_full_posture": { + "analyzed_at": "2024-08-15T11:41:17.517Z", + "id": "6fe49e83-2f3a-5b62-99de-beae16c7bfae-empty-provider-id", + "resource": { + "id": "8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f", + "name": "annam-VM", + "native_type": "Microsoft.Compute/virtualMachines", + "region": "eastus", + "subscription": { + "cloud_provider": "Azure", + "external_id": "434f3cbb-30f2-4bc0-8bba-cb080280652b", + "name": "partner integrations" + }, + "type": "VIRTUAL_MACHINE" + }, + "result": "IN_PROGRESS", + "rule": { + "description": "This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. 
\nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.", + "id": "56c8890d-ad68-4659-9414-fb0ed7258c31", + "name": "Virtual Machine should not be stopped (allocated) for more than a week", + "remediation_instructions": "Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```", + "short_id": "VirtualMachines-021" + } + } + } + }, + { + "cloud": { + "account": { + "id": "434f3cbb-30f2-4bc0-8bba-cb080280652b", + "name": "partner integrations" + }, + "provider": "azure", + "region": "eastus" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "configuration" + ], + "created": "2024-08-15T11:41:17.517Z", + "id": "6fe49e83-2f3a-5b62-99de-beae16c7bfae-missing-provider-id", + "kind": "state", + "original": "{\"analyzedAt\":\"2024-08-15T11:41:17.517926Z\",\"id\":\"6fe49e83-2f3a-5b62-99de-beae16c7bfae-missing-provider-id\",\"remediation\":null,\"resource\":{\"id\":\"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f\",\"name\":\"annam-VM\",\"nativeType\":\"Microsoft.Compute/virtualMachines\",\"region\":\"eastus\",\"subscription\":{\"cloudProvider\":\"Azure\",\"externalId\":\"434f3cbb-30f2-4bc0-8bba-cb080280652b\",\"id\":\"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db\",\"name\":\"partner integrations\"},\"tags\":[],\"type\":\"VIRTUAL_MACHINE\"},\"result\":\"IN_PROGRESS\",\"rule\":{\"description\":\"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \\nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \\nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). 
If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. \\nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.\",\"id\":\"56c8890d-ad68-4659-9414-fb0ed7258c31\",\"name\":\"Virtual Machine should not be stopped (allocated) for more than a week\",\"remediationInstructions\":\"Perform the following command to deallocate the VM via Azure CLI:\\n```\\naz vm deallocate \\\\\\n\\t--ids {{vmId}}\\n```\",\"shortId\":\"VirtualMachines-021\"},\"severity\":\"LOW\"}", + "outcome": "unknown", + "type": [ + "info" + ] + }, + "host": { + "name": "annam-vm" + }, + "observer": { + "vendor": "Wiz" + }, + "resource": { + "id": "8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f", + "name": "annam-VM", + "sub_type": "Microsoft.Compute/virtualMachines", + "type": "VIRTUAL_MACHINE" + }, + "result": { + "evaluation": "unknown" + }, + "rule": { + "description": "This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. 
\nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.", + "id": "VirtualMachines-021", + "name": "Virtual Machine should not be stopped (allocated) for more than a week", + "remediation": "Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```", + "uuid": "56c8890d-ad68-4659-9414-fb0ed7258c31" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "wiz": { + "cloud_configuration_finding_full_posture": { + "analyzed_at": "2024-08-15T11:41:17.517Z", + "id": "6fe49e83-2f3a-5b62-99de-beae16c7bfae-missing-provider-id", + "resource": { + "id": "8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f", + "name": "annam-VM", + "native_type": "Microsoft.Compute/virtualMachines", + "region": "eastus", + "subscription": { + "cloud_provider": "Azure", + "external_id": "434f3cbb-30f2-4bc0-8bba-cb080280652b", + "name": "partner integrations" + }, + "type": "VIRTUAL_MACHINE" + }, + "result": "IN_PROGRESS", + "rule": { + "description": "This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. 
\nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.",
+ "id": "56c8890d-ad68-4659-9414-fb0ed7258c31",
+ "name": "Virtual Machine should not be stopped (allocated) for more than a week",
+ "remediation_instructions": "Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```",
+ "short_id": "VirtualMachines-021"
+ }
+ }
+ }
+ }
+ ]
+}
diff --git a/packages/wiz/data_stream/cloud_configuration_finding_full_posture/_dev/test/pipeline/test-common-config.yml b/packages/wiz/data_stream/cloud_configuration_finding_full_posture/_dev/test/pipeline/test-common-config.yml
new file mode 100644
index 00000000000..edaaf130bc2
--- /dev/null
+++ b/packages/wiz/data_stream/cloud_configuration_finding_full_posture/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,6 @@
+fields:
+ tags:
+ - preserve_original_event
+ - preserve_duplicate_custom_fields
+dynamic_fields:
+ "@timestamp": ".*"
diff --git a/packages/wiz/data_stream/cloud_configuration_finding_full_posture/_dev/test/system/test-default-config.yml b/packages/wiz/data_stream/cloud_configuration_finding_full_posture/_dev/test/system/test-default-config.yml
new file mode 100644
index 00000000000..c9f4467e72f
--- /dev/null
+++ b/packages/wiz/data_stream/cloud_configuration_finding_full_posture/_dev/test/system/test-default-config.yml
@@ -0,0 +1,15 @@
+input: cel
+service: wiz-cloud_configuration_finding_full_posture
+vars:
+ url: http://{{Hostname}}:{{Port}}
+ client_id: xxxx
+ client_secret: xxxx
+ token_url: http://{{Hostname}}:{{Port}}/oauth/token
+data_stream:
+ vars:
+ interval: 10s
+ batch_size: 2
+ preserve_original_event: true
+ preserve_duplicate_custom_fields: true
+assert:
+ hit_count: 2
diff --git a/packages/wiz/data_stream/cloud_configuration_finding_full_posture/agent/stream/cel.yml.hbs b/packages/wiz/data_stream/cloud_configuration_finding_full_posture/agent/stream/cel.yml.hbs
new file mode 100644
index 00000000000..3db2eb81b3f
--- /dev/null
+++ b/packages/wiz/data_stream/cloud_configuration_finding_full_posture/agent/stream/cel.yml.hbs
@@ -0,0 +1,149 @@ +config_version: 2 +interval: 24h +resource.tracer: + enabled: {{enable_request_tracer}} + filename: "../../logs/cel/http-request-trace-*.ndjson" + maxbackups: 5 +{{#if proxy_url}} +resource.proxy_url: {{proxy_url}} +{{/if}} +{{#if ssl}} +resource.ssl: {{ssl}} +{{/if}} +{{#if http_client_timeout}} +resource.timeout: {{http_client_timeout}} +{{/if}} +resource.url: {{url}} +auth.oauth2: + client.id: {{client_id}} + client.secret: {{client_secret}} + token_url: {{token_url}} + endpoint_params: + grant_type: client_credentials + audience: wiz-api +redact: + fields: ~ +state: + want_more: false + batch_size: {{batch_size}} + query: >- + query CloudConfigurationFindingsPage($filterBy: ConfigurationFindingFilters $first: Int $after: String $orderBy: ConfigurationFindingOrder){ + configurationFindings(filterBy: $filterBy first: $first after: $after orderBy: $orderBy) { + nodes { + id + name + analyzedAt + severity + result + remediation + status + resource { + id + providerId + name + nativeType + type + region + cloudPlatform + subscription { + id + name + externalId + cloudProvider + } + tags { + key + value + } + } + rule { + id + shortId + name + description + remediationInstructions + } + evidence { + currentValue + expectedValue + configurationPath + cloudConfigurationLink + } + } + pageInfo { + hasNextPage + endCursor + } + } + } +program: | + state.with( + post_request( + state.url.trim_right("/") + "/graphql", + "application/json", + { + "query": state.query, + "variables": { + "first": state.batch_size, + "after": state.?end_cursor.value.orValue(null), + "filterBy": { + "includeDeleted": false, + "status": ["OPEN", "RESOLVED"] + } + } + }.encode_json() + ).do_request().as(resp, resp.StatusCode == 200 ? + resp.Body.decode_json().as(body, body.?data.configurationFindings.nodes.orValue(null) != null ? 
+ { + "events": body.data.configurationFindings.nodes.map(e, { + "message": e.encode_json(), + }), + "end_cursor": { + ?"value": body.?data.configurationFindings.pageInfo.hasNextPage.orValue(false) ? + body.?data.configurationFindings.pageInfo.endCursor + : + optional.none() + }, + "want_more": body.?data.configurationFindings.pageInfo.hasNextPage.orValue(false), + } + : + { + "events": [], + "want_more": false, + } + ) + : + { + "events": { + "error": { + "code": string(resp.StatusCode), + "id": string(resp.Status), + "message": "POST " + state.url.trim_right("/") + "/graphql:" + ( + size(resp.Body) != 0 ? + string(resp.Body) + : + string(resp.Status) + ' (' + string(resp.StatusCode) + ')' + ), + }, + }, + "want_more": false, + } + ) + ) +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#if preserve_duplicate_custom_fields}} + - preserve_duplicate_custom_fields +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/wiz/data_stream/cloud_configuration_finding_full_posture/elasticsearch/ingest_pipeline/default.yml b/packages/wiz/data_stream/cloud_configuration_finding_full_posture/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..1747e6487fd --- /dev/null +++ b/packages/wiz/data_stream/cloud_configuration_finding_full_posture/elasticsearch/ingest_pipeline/default.yml 
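Review bot: `interval: 24h` is hard-coded at the top of this template, while the system test config `test-default-config.yml` earlier in this diff passes `interval: 10s` under `data_stream.vars` and the manifest hunk further down declares no `interval` variable, so the test setting is either rejected as undefined or silently ignored and operators cannot tune the polling period. Change the line to `interval: {{interval}}` and add a matching `interval` var to manifest.yml (type `text`, default `24h`, required, with a description naming the supported units) so the template, manifest and test config agree; this remark covers the manifest hunk as well. While here, a one-line YAML comment above `redact:` stating that the client secret lives under `auth.oauth2` rather than in `state`, which is why `fields: ~` is acceptable, would save the next reviewer the check.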
@@ -0,0 +1,413 @@ +--- +description: Pipeline for processing Cloud Configuration Finding Full Posture logs +processors: + - set: + field: ecs.version + tag: set_ecs_version + value: '8.11.0' + - rename: + field: message + tag: rename_message + target_field: event.original + ignore_missing: true + if: ctx.event?.original == null + description: 'Renames the original `message` field to `event.original` to store a copy of the original message. The `event.original` field is not touched if the document already has one; it may happen when Logstash sends the document.' + - remove: + field: message + tag: remove_message + ignore_missing: true + if: ctx.event?.original != null + description: 'The `message` field is no longer required if the document has an `event.original` field.' + - json: + field: event.original + tag: json_decoding + target_field: json + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: observer.vendor + tag: set_observer_vendor + value: 'Wiz' + - rename: + field: json.resource.subscription.cloudProvider + tag: rename_cloudProvider + target_field: wiz.cloud_configuration_finding_full_posture.resource.subscription.cloud_provider + ignore_missing: true + - lowercase: + field: wiz.cloud_configuration_finding_full_posture.resource.subscription.cloud_provider + target_field: cloud.provider + tag: set_cloud_provider_lowercase + ignore_missing: true + - rename: + field: json.resource.subscription.externalId + tag: rename_subscription_externalId + target_field: wiz.cloud_configuration_finding_full_posture.resource.subscription.external_id + ignore_missing: true + - set: + field: cloud.account.id + tag: set_cloud_account_id + copy_from: wiz.cloud_configuration_finding_full_posture.resource.subscription.external_id + ignore_empty_value: true + - 
rename: + field: json.resource.subscription.name + tag: rename_subscription_name + target_field: wiz.cloud_configuration_finding_full_posture.resource.subscription.name + ignore_missing: true + - set: + field: cloud.account.name + tag: set_cloud_account_name + copy_from: wiz.cloud_configuration_finding_full_posture.resource.subscription.name + ignore_empty_value: true + - rename: + field: json.resource.region + tag: rename_region + target_field: wiz.cloud_configuration_finding_full_posture.resource.region + ignore_missing: true + - set: + field: cloud.region + tag: set_cloud_region + copy_from: wiz.cloud_configuration_finding_full_posture.resource.region + ignore_empty_value: true + - rename: + field: json.resource.cloudPlatform + tag: rename_cloud_plarform + target_field: wiz.cloud_configuration_finding_full_posture.resource.cloud_platform + ignore_missing: true + - lowercase: + field: wiz.cloud_configuration_finding_full_posture.resource.cloud_platform + target_field: cloud.service.name + tag: set_cloud_service_name_lowercase + ignore_missing: true + - append: + field: event.category + tag: append_event_category + value: configuration + - append: + field: event.type + tag: append_event_type + value: info + - date: + field: json.analyzedAt + target_field: wiz.cloud_configuration_finding_full_posture.analyzed_at + tag: date_set_analyzedat + formats: + - ISO8601 + if: ctx.json?.analyzedAt != null && ctx.json.analyzedAt != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.created + tag: set_event_created + copy_from: wiz.cloud_configuration_finding_full_posture.analyzed_at + ignore_empty_value: true + - rename: + field: json.id + tag: rename_id + target_field: wiz.cloud_configuration_finding_full_posture.id + ignore_missing: true + - 
set: + field: event.id + tag: set_event_id + copy_from: wiz.cloud_configuration_finding_full_posture.id + ignore_empty_value: true + - set: + field: event.kind + value: state + tag: set_event_kind + - rename: + field: json.name + tag: rename_name + target_field: wiz.cloud_configuration_finding_full_posture.name + ignore_missing: true + - rename: + field: json.rule.description + tag: rename_rule_description + target_field: wiz.cloud_configuration_finding_full_posture.rule.description + ignore_missing: true + - set: + field: message + tag: set_message + copy_from: wiz.cloud_configuration_finding_full_posture.rule.name + ignore_empty_value: true + - set: + field: rule.description + tag: set_rule_description + copy_from: wiz.cloud_configuration_finding_full_posture.rule.description + ignore_empty_value: true + - set: + tag: set_timestamp + field: "@timestamp" + value: "{{{_ingest.timestamp}}}" + - rename: + field: json.rule.id + tag: rename_rule_id + target_field: wiz.cloud_configuration_finding_full_posture.rule.id + ignore_missing: true + - set: + field: rule.uuid + tag: set_rule_uuid + copy_from: wiz.cloud_configuration_finding_full_posture.rule.id + ignore_empty_value: true + - rename: + field: json.rule.shortId + tag: rename_rule_short_id + target_field: wiz.cloud_configuration_finding_full_posture.rule.short_id + ignore_missing: true + - set: + field: rule.id + tag: set_rule_id + copy_from: wiz.cloud_configuration_finding_full_posture.rule.short_id + ignore_empty_value: true + - rename: + field: json.rule.name + tag: rename_rule_name + target_field: wiz.cloud_configuration_finding_full_posture.rule.name + ignore_missing: true + - set: + field: rule.name + tag: set_rule_name + copy_from: wiz.cloud_configuration_finding_full_posture.rule.name + ignore_empty_value: true + - rename: + field: json.rule.remediationInstructions + tag: rename_rule_remediation_instructions + target_field: wiz.cloud_configuration_finding_full_posture.rule.remediation_instructions + 
ignore_missing: true + - set: + field: rule.remediation + tag: set_rule_remediation + copy_from: wiz.cloud_configuration_finding_full_posture.rule.remediation_instructions + ignore_empty_value: true + - rename: + field: json.resource.id + tag: rename_resource_id + target_field: wiz.cloud_configuration_finding_full_posture.resource.id + ignore_missing: true + - rename: + field: json.resource.providerId + tag: rename_resource_providerId + target_field: wiz.cloud_configuration_finding_full_posture.resource.provider_id + ignore_missing: true + - set: + field: resource.id + tag: set_resource_id_from_provider_id + copy_from: wiz.cloud_configuration_finding_full_posture.resource.provider_id + ignore_empty_value: true + - set: + field: resource.id + tag: set_resource_id_from_resource_id + copy_from: wiz.cloud_configuration_finding_full_posture.resource.id + ignore_empty_value: true + override: false # This ensures the value isn't overwritten if already set + - rename: + field: json.resource.name + tag: rename_resource_name + target_field: wiz.cloud_configuration_finding_full_posture.resource.name + ignore_missing: true + - set: + field: resource.name + tag: set_resource_name + copy_from: wiz.cloud_configuration_finding_full_posture.resource.name + ignore_empty_value: true + - rename: + field: json.resource.type + tag: rename_resource_type + target_field: wiz.cloud_configuration_finding_full_posture.resource.type + ignore_missing: true + - set: + field: resource.type + tag: set_resource_type + copy_from: wiz.cloud_configuration_finding_full_posture.resource.type + ignore_empty_value: true + - rename: + field: json.resource.nativeType + tag: rename_resource_nativeType + target_field: wiz.cloud_configuration_finding_full_posture.resource.native_type + ignore_missing: true + - set: + field: resource.sub_type + tag: set_resource_sub_type + copy_from: wiz.cloud_configuration_finding_full_posture.resource.native_type + ignore_empty_value: true + - set: + field: user.name + tag: 
set_user_name_if_user_account + copy_from: wiz.cloud_configuration_finding_full_posture.resource.name + if: ctx?.resource?.type == 'USER_ACCOUNT' + ignore_empty_value: true + - set: + field: user.id + tag: set_user_id_if_user_account + copy_from: wiz.cloud_configuration_finding_full_posture.resource.provider_id + if: ctx.resource?.type == 'USER_ACCOUNT' + ignore_empty_value: true + - lowercase: + field: wiz.cloud_configuration_finding_full_posture.resource.name + target_field: host.name + tag: set_host_name_lowercase_if_vm + if: ctx?.resource?.type == 'VIRTUAL_MACHINE' + ignore_missing: true + - rename: + field: json.result + tag: rename_result + target_field: wiz.cloud_configuration_finding_full_posture.result + ignore_missing: true + - set: + field: result.evaluation + tag: set_result_evaluation_passed + value: 'passed' + if: ctx?.wiz?.cloud_configuration_finding_full_posture?.result == 'PASS' + ignore_empty_value: true + - set: + field: result.evaluation + tag: set_result_evaluation_failed + value: 'failed' + if: ctx?.wiz?.cloud_configuration_finding_full_posture?.result == 'FAIL' + ignore_empty_value: true + - set: + field: result.evaluation + tag: set_result_evaluation_unknown + value: 'unknown' + if: ctx?.wiz?.cloud_configuration_finding_full_posture?.result != 'PASS' && ctx?.wiz?.cloud_configuration_finding_full_posture?.result != 'FAIL' + ignore_empty_value: true + - set: + field: event.outcome + tag: set_event_outcome_success + value: 'success' + if: ctx?.wiz?.cloud_configuration_finding_full_posture?.result == 'PASS' + ignore_empty_value: true + - set: + field: event.outcome + tag: set_event_outcome_failure + value: 'failure' + if: ctx?.wiz?.cloud_configuration_finding_full_posture?.result == 'FAIL' + ignore_empty_value: true + - set: + field: event.outcome + tag: set_event_outcome_unknown + value: 'unknown' + if: ctx?.wiz?.cloud_configuration_finding_full_posture?.result != 'PASS' && ctx?.wiz?.cloud_configuration_finding_full_posture?.result != 'FAIL' + 
ignore_empty_value: true + - rename: + field: json.evidence.currentValue + tag: rename_evidence_current_value + target_field: wiz.cloud_configuration_finding_full_posture.evidence.current_value + ignore_missing: true + - set: + field: result.evidence.current_value + tag: set_result_evidence_current_value + copy_from: wiz.cloud_configuration_finding_full_posture.evidence.current_value + ignore_empty_value: true + - rename: + field: json.evidence.expectedValue + tag: rename_evidence_expected_value + target_field: wiz.cloud_configuration_finding_full_posture.evidence.expected_value + ignore_missing: true + - set: + field: result.evidence.expected_value + tag: set_result_evidence_expected_value + copy_from: wiz.cloud_configuration_finding_full_posture.evidence.expected_value + ignore_empty_value: true + - rename: + field: json.evidence.configurationPath + tag: rename_evidence_configuration_path + target_field: wiz.cloud_configuration_finding_full_posture.evidence.configuration_path + ignore_missing: true + - set: + field: result.evidence.configuration_path + tag: set_result_evidence_configuration_path + copy_from: wiz.cloud_configuration_finding_full_posture.evidence.configuration_path + ignore_empty_value: true + - rename: + field: json.evidence.cloudConfigurationLink + tag: rename_evidence_cloud_configuration_link + target_field: wiz.cloud_configuration_finding_full_posture.evidence.cloud_configuration_link + ignore_missing: true + - set: + field: result.evidence.cloud_configuration_link + tag: set_result_evidence_cloud_configuration_link + copy_from: wiz.cloud_configuration_finding_full_posture.evidence.cloud_configuration_link + ignore_empty_value: true + - set: + field: rule.reference + tag: set_rule_reference + copy_from: wiz.cloud_configuration_finding_full_posture.evidence.cloud_configuration_link + ignore_empty_value: true + - rename: + field: json.status + tag: rename_status + target_field: wiz.cloud_configuration_finding_full_posture.status + ignore_missing: 
true + - remove: + field: json + tag: remove_json + ignore_missing: true + - remove: + field: + - wiz.cloud_configuration_finding_full_posture.analyzed_at + - wiz.cloud_configuration_finding_full_posture.resource.subscription.cloud_provider + - wiz.cloud_configuration_finding_full_posture.resource.subscription.external_id + - wiz.cloud_configuration_finding_full_posture.resource.subscription.name + - wiz.cloud_configuration_finding_full_posture.resource.region + - wiz.cloud_configuration_finding_full_posture.resource.name + - wiz.cloud_configuration_finding_full_posture.resource.type + - wiz.cloud_configuration_finding_full_posture.resource.sub_type + - wiz.cloud_configuration_finding_full_posture.resource.provider_id + - wiz.cloud_configuration_finding_full_posture.id + - wiz.cloud_configuration_finding_full_posture.name + - wiz.cloud_configuration_finding_full_posture.rule.description + - wiz.cloud_configuration_finding_full_posture.rule.name + - wiz.cloud_configuration_finding_full_posture.rule.id + - wiz.cloud_configuration_finding_full_posture.rule.short_id + - wiz.cloud_configuration_finding_full_posture.rule.remediation_instructions + - wiz.cloud_configuration_finding_full_posture.evidence.expected_value + - wiz.cloud_configuration_finding_full_posture.evidence.current_value + - wiz.cloud_configuration_finding_full_posture.evidence.configuration_path + - wiz.cloud_configuration_finding_full_posture.evidence.cloud_configuration_link + - wiz.cloud_configuration_finding_full_posture.status + tag: remove_custom_duplicate_fields + ignore_missing: true + if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields')) + - script: + description: Drops null/empty values recursively. 
+ tag: script_to_drop_null_values + lang: painless + source: | + boolean drop(Object object) { + if (object == null || object == '') { + return true; + } else if (object instanceof Map) { + ((Map) object).values().removeIf(v -> drop(v)); + return (((Map) object).size() == 0); + } else if (object instanceof List) { + ((List) object).removeIf(v -> drop(v)); + return (((List) object).length == 0); + } + return false; + } + drop(ctx); + - set: + field: event.kind + tag: set_pipeline_error_to_event_kind + value: pipeline_error + if: ctx.error?.message != null + - append: + field: tags + value: preserve_original_event + allow_duplicates: false + if: ctx.error?.message != null +on_failure: + - set: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.kind + value: pipeline_error + - append: + field: tags + value: preserve_original_event + allow_duplicates: false diff --git a/packages/wiz/data_stream/cloud_configuration_finding_full_posture/fields/base-fields.yml b/packages/wiz/data_stream/cloud_configuration_finding_full_posture/fields/base-fields.yml new file mode 100644 index 00000000000..e1f3cd199da --- /dev/null +++ b/packages/wiz/data_stream/cloud_configuration_finding_full_posture/fields/base-fields.yml @@ -0,0 +1,16 @@ +- name: data_stream.type + external: ecs +- name: data_stream.dataset + external: ecs +- name: data_stream.namespace + external: ecs +- name: event.module + external: ecs + type: constant_keyword + value: wiz +- name: event.dataset + external: ecs + type: constant_keyword + value: wiz.cloud_configuration_finding_full_posture +- name: '@timestamp' + external: ecs 
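Review bot: `set_message` copies `wiz.cloud_configuration_finding_full_posture.rule.name` into `message` before `rename_rule_name` has created that field, so with `ignore_empty_value: true` the processor is a no-op and `message` is never populated; move `set_message` below `rename_rule_name`, or have it `copy_from: json.rule.name` at its current position. The `remove_custom_duplicate_fields` list names `wiz.cloud_configuration_finding_full_posture.resource.sub_type`, a field the pipeline never creates, while the real duplicates `…resource.native_type` (copied to `resource.sub_type`), `…resource.cloud_platform` (lowercased into `cloud.service.name`) and `…resource.id` (copied to `resource.id`) survive when `preserve_duplicate_custom_fields` is false; replace `sub_type` with `native_type` and add the other two. `json.severity`, `json.remediation`, `json.resource.subscription.id` and `json.resource.tags` are requested by the GraphQL query in the cel.yml.hbs hunk but are never renamed, so `remove_json` silently discards them — either map them (severity in particular is a primary attribute of a finding) or drop them from the query so the fetched payload matches what is kept. The null-safe style is also mixed (`ctx?.resource?.type` in `set_user_name_if_user_account` and `set_host_name_lowercase_if_vm` versus `ctx.resource?.type` in `set_user_id_if_user_account`); `ctx` is never null, so the plain `ctx.resource?.type` form used elsewhere in this pipeline should be used throughout.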
diff --git a/packages/wiz/data_stream/cloud_configuration_finding_full_posture/fields/beats.yml b/packages/wiz/data_stream/cloud_configuration_finding_full_posture/fields/beats.yml new file mode 100644 index 00000000000..415aa0612b1 --- /dev/null +++ b/packages/wiz/data_stream/cloud_configuration_finding_full_posture/fields/beats.yml @@ -0,0 +1,8 @@ +- name: input.type + type: keyword + description: Type of filebeat input. +- name: log.offset + type: long + description: Log offset. +- name: tags + external: ecs diff --git a/packages/wiz/data_stream/cloud_configuration_finding_full_posture/fields/fields.yml b/packages/wiz/data_stream/cloud_configuration_finding_full_posture/fields/fields.yml new file mode 100644 index 00000000000..5df98192fcf --- /dev/null +++ b/packages/wiz/data_stream/cloud_configuration_finding_full_posture/fields/fields.yml @@ -0,0 +1,63 @@ +- name: wiz.cloud_configuration_finding_full_posture + type: group + fields: + - name: analyzed_at + type: date + - name: status + type: keyword + - name: name + type: keyword + - name: resource + type: group + fields: + - name: id + type: keyword + - name: provider_id + type: keyword + - name: name + type: keyword + - name: region + type: keyword + - name: type + type: keyword + - name: native_type + type: keyword + - name: cloud_platform + type: keyword + - name: subscription + type: group + fields: + - name: cloud_provider + type: keyword + - name: external_id + type: keyword + - name: name + type: keyword + - name: id + type: keyword + - name: result + type: keyword + - name: evidence + type: group + fields: + - name: current_value + type: text + - name: expected_value + type: text + - name: configuration_path + type: text + - name: cloud_configuration_link + type: text + - name: rule + type: group + fields: + - name: id + type: keyword + - name: short_id + type: keyword + - name: name + type: keyword + - name: description + type: text + - name: remediation_instructions + type: text 
diff --git a/packages/wiz/data_stream/cloud_configuration_finding_full_posture/fields/resource.yml b/packages/wiz/data_stream/cloud_configuration_finding_full_posture/fields/resource.yml new file mode 100644 index 00000000000..c093c299032 --- /dev/null +++ b/packages/wiz/data_stream/cloud_configuration_finding_full_posture/fields/resource.yml @@ -0,0 +1,11 @@ +- name: resource + type: group + fields: + - name: id + type: keyword + - name: name + type: keyword + - name: type + type: keyword + - name: sub_type + type: keyword diff --git a/packages/wiz/data_stream/cloud_configuration_finding_full_posture/fields/result.yml b/packages/wiz/data_stream/cloud_configuration_finding_full_posture/fields/result.yml new file mode 100644 index 00000000000..c465d18bc64 --- /dev/null +++ b/packages/wiz/data_stream/cloud_configuration_finding_full_posture/fields/result.yml @@ -0,0 +1,16 @@ +- name: result + type: group + fields: + - name: evaluation + type: keyword + - name: evidence + type: group + fields: + - name: current_value + type: text + - name: expected_value + type: text + - name: configuration_path + type: text + - name: cloud_configuration_link + type: text diff --git a/packages/wiz/data_stream/cloud_configuration_finding_full_posture/fields/rule.yml b/packages/wiz/data_stream/cloud_configuration_finding_full_posture/fields/rule.yml new file mode 100644 index 00000000000..9def88f8fba --- /dev/null +++ b/packages/wiz/data_stream/cloud_configuration_finding_full_posture/fields/rule.yml @@ -0,0 +1,5 @@ +- name: rule + type: group + fields: + - name: remediation + type: keyword diff --git a/packages/wiz/data_stream/cloud_configuration_finding_full_posture/manifest.yml b/packages/wiz/data_stream/cloud_configuration_finding_full_posture/manifest.yml new file mode 100644 index 00000000000..e06fe687f9e --- /dev/null +++ b/packages/wiz/data_stream/cloud_configuration_finding_full_posture/manifest.yml 
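Review bot: `rule.remediation` is declared as `keyword` in rule.yml, but the pipeline copies `rule.remediationInstructions` into it, which in the sample event is a multi-line markdown block; if the package's keyword mapping carries the usual `ignore_above` limit, longer remediation texts will not be indexed at all, and exact-match semantics are of little use for free-form instructions. Consider `type: text` to match `wiz.cloud_configuration_finding_full_posture.rule.remediation_instructions` in fields.yml, or a keyword with a `text` multi-field, unless the existing `cloud_configuration_finding` stream (not visible in this diff) already established keyword here and consistency is preferred.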
@@ -0,0 +1,71 @@ +title: Collect full Cloud Configuration Finding posture from Wiz. +type: logs +streams: + - input: cel + title: Cloud Configuration Finding full posture + enabled: false + description: Collect full Cloud Configuration Finding posture from Wiz. + template_path: cel.yml.hbs + vars: + - name: batch_size + type: integer + title: Batch Size + description: Batch size for the response of the Wiz API. The maximum supported batch size value is 500. + default: 500 + multi: false + required: true + show_user: false + - name: http_client_timeout + type: text + title: HTTP Client Timeout + description: Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h. + multi: false + required: true + show_user: false + default: 30s + - name: enable_request_tracer + type: bool + title: Enable request tracing + multi: false + required: false + show_user: false + description: >- + The request tracer logs requests and responses to the agent's local file-system for debugging configurations. + Enabling this request tracing compromises security and should only be used for debugging. Disabling the request + tracer will delete any stored traces. + See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) + for details. + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - wiz-cloud_configuration_finding_full_posture + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. 
+ type: bool + multi: false + default: false + - name: preserve_duplicate_custom_fields + required: true + show_user: false + title: Preserve duplicate custom fields + description: Preserve wiz.cloud_configuration_finding_full_posture fields that were copied to Elastic Common Schema (ECS) fields. + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. + This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/wiz/data_stream/cloud_configuration_finding_full_posture/sample_event.json b/packages/wiz/data_stream/cloud_configuration_finding_full_posture/sample_event.json new file mode 100644 index 00000000000..123c6503f28 --- /dev/null +++ b/packages/wiz/data_stream/cloud_configuration_finding_full_posture/sample_event.json 
@@ -0,0 +1,76 @@ +{ + "@timestamp": "2023-06-12T11:38:07.900Z", + "cloud": { + "account": { + "id": "cfd132be-3bc7-4f86-8efd-ed53ae498fec", + "name": "Wiz - DEV Outpost" + }, + "provider": "azure" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "configuration" + ], + "created": "2023-06-12T11:38:07.900Z", + "id": "bdeba988-f41b-55e6-9b99-96b8d3dc67d4", + "kind": "state", + "original": "{\"id\":\"bdeba988-f41b-55e6-9b99-96b8d3dc67d4\",\"targetExternalId\":\"k8s/pod/da99fd668e64c2def251b1d48b7b69ad3129638787a0f9144a993fe30fd4554f/default/cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx\",\"targetObjectProviderUniqueId\":\"cd971d74-92db-495c-8244-82da9a988fd0\",\"firstSeenAt\":\"2023-06-12T11:38:07.900129Z\",\"analyzedAt\":\"2023-06-12T11:38:07.900129Z\",\"severity\":\"LOW\",\"result\":\"FAIL\",\"status\":\"OPEN\",\"remediation\":\"Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \\r\\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . \\r\\n* `securityContext.capabilities.drop` key is set to `ALL`. 
\\r\\n\",\"resource\":{\"id\":\"0e814bb7-29e8-5c15-be9c-8da42c67ee99\",\"providerId\":\"provider-id-0e814bb7-29e8-5c15-be9c-8da42c67ee99\",\"name\":\"cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx\",\"nativeType\":\"Pod\",\"type\":\"POD\",\"region\":null,\"subscription\":{\"id\":\"a3a3cc43-1dfd-50f1-882e-692840d4a891\",\"name\":\"Wiz - DEV Outpost\",\"externalId\":\"cfd132be-3bc7-4f86-8efd-ed53ae498fec\",\"cloudProvider\":\"Azure\"},\"projects\":null,\"tags\":[{\"key\":\"pod-template-hash\",\"value\":\"8bc677d64\"},{\"key\":\"app.kubernetes.io/name\",\"value\":\"azure-cluster-autoscaler\"},{\"key\":\"app.kubernetes.io/instance\",\"value\":\"cluster-autoscaler\"}]},\"rule\":{\"id\":\"73553de7-f2ad-4ffb-b425-c69815033530\",\"shortId\":\"Pod-32\",\"graphId\":\"99ffeef7-75df-5c88-9265-5ab50ffbc2b9\",\"name\":\"Pod should run containers with authorized additional capabilities (PSS Restricted)\",\"description\":\"This rule is part of the Kubernetes [Pod Security Standards (PSS) restricted policies](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). \\nThis rule checks whether the pod is running containers with authorized additional capabilities. \\nThis rule fails if the `securityContext.capabilities.add` contains any capability beyond `NET_BIND_SERVICE` and if `securityContext.capabilities.drop` is not set to `ALL`. \\nBy default, if the `securityContext.capabilities.add` key is not set, the pod will not run with additional capabilities, and the rule will pass. \\nLinux capabilities allow granting certain privileges to a container without granting any unnecessary ones intended for the root user.\",\"remediationInstructions\":\"Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \\r\\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . 
\\r\\n* `securityContext.capabilities.drop` key is set to `ALL`. \\r\\n\",\"functionAsControl\":false},\"securitySubCategories\":[{\"id\":\"wsct-id-5206\",\"title\":\"Container Security\",\"category\":{\"id\":\"wct-id-423\",\"name\":\"9 Container Security\",\"framework\":{\"id\":\"wf-id-1\",\"name\":\"Wiz\"}}},{\"id\":\"wsct-id-8176\",\"title\":\"5.1 Containers should not run with additional capabilities\",\"category\":{\"id\":\"wct-id-1295\",\"name\":\"5 Capabilities\",\"framework\":{\"id\":\"wf-id-57\",\"name\":\"Kubernetes Pod Security Standards (Restricted)\"}}},{\"id\":\"wsct-id-8344\",\"title\":\"Cluster misconfiguration\",\"category\":{\"id\":\"wct-id-1169\",\"name\":\"2 Container & Kubernetes Security\",\"framework\":{\"id\":\"wf-id-53\",\"name\":\"Wiz Detailed\"}}}]}", + "outcome": "failure", + "type": [ + "info" + ] + }, + "message": "This rule is part of the Kubernetes [Pod Security Standards (PSS) restricted policies](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). \nThis rule checks whether the pod is running containers with authorized additional capabilities. \nThis rule fails if the `securityContext.capabilities.add` contains any capability beyond `NET_BIND_SERVICE` and if `securityContext.capabilities.drop` is not set to `ALL`. \nBy default, if the `securityContext.capabilities.add` key is not set, the pod will not run with additional capabilities, and the rule will pass. 
\nLinux capabilities allow granting certain privileges to a container without granting any unnecessary ones intended for the root user.", + "observer": { + "vendor": "Wiz" + }, + "resource": { + "id": "provider-id-0e814bb7-29e8-5c15-be9c-8da42c67ee99", + "name": "cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx", + "sub_type": "Pod", + "type": "POD" + }, + "result": { + "evaluation": "FAILED" + }, + "rule": { + "description": "This rule is part of the Kubernetes [Pod Security Standards (PSS) restricted policies](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). \nThis rule checks whether the pod is running containers with authorized additional capabilities. \nThis rule fails if the `securityContext.capabilities.add` contains any capability beyond `NET_BIND_SERVICE` and if `securityContext.capabilities.drop` is not set to `ALL`. \nBy default, if the `securityContext.capabilities.add` key is not set, the pod will not run with additional capabilities, and the rule will pass. \nLinux capabilities allow granting certain privileges to a container without granting any unnecessary ones intended for the root user.", + "id": "Pod-32", + "name": "Pod should run containers with authorized additional capabilities (PSS Restricted)", + "remediation": "Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \r\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . \r\n* `securityContext.capabilities.drop` key is set to `ALL`. 
\r\n", + "uuid": "73553de7-f2ad-4ffb-b425-c69815033530" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "wiz": { + "cloud_configuration_finding_full_posture": { + "analyzed_at": "2023-06-12T11:38:07.900Z", + "id": "bdeba988-f41b-55e6-9b99-96b8d3dc67d4", + "resource": { + "id": "0e814bb7-29e8-5c15-be9c-8da42c67ee99", + "name": "cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx", + "native_type": "Pod", + "provider_id": "provider-id-0e814bb7-29e8-5c15-be9c-8da42c67ee99", + "subscription": { + "cloud_provider": "Azure", + "external_id": "cfd132be-3bc7-4f86-8efd-ed53ae498fec", + "name": "Wiz - DEV Outpost" + }, + "type": "POD" + }, + "result": "FAIL", + "rule": { + "description": "This rule is part of the Kubernetes [Pod Security Standards (PSS) restricted policies](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). \nThis rule checks whether the pod is running containers with authorized additional capabilities. \nThis rule fails if the `securityContext.capabilities.add` contains any capability beyond `NET_BIND_SERVICE` and if `securityContext.capabilities.drop` is not set to `ALL`. \nBy default, if the `securityContext.capabilities.add` key is not set, the pod will not run with additional capabilities, and the rule will pass. \nLinux capabilities allow granting certain privileges to a container without granting any unnecessary ones intended for the root user.", + "id": "73553de7-f2ad-4ffb-b425-c69815033530", + "name": "Pod should run containers with authorized additional capabilities (PSS Restricted)", + "remediation_instructions": "Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \r\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . \r\n* `securityContext.capabilities.drop` key is set to `ALL`. 
\r\n", + "short_id": "Pod-32" + } + } + } +} \ No newline at end of file diff --git a/packages/wiz/docs/README.md b/packages/wiz/docs/README.md index 5ecef842408..4b19d48e717 100644 --- a/packages/wiz/docs/README.md +++ b/packages/wiz/docs/README.md @@ -57,6 +57,7 @@ Agentless deployments are only supported in Elastic Serverless and Elastic Cloud | Issue | read:issues | | Vulnerability | read:vulnerabilities | | Cloud Configuration Finding | read:cloud_configuration | + | Cloud Configuration Finding Full Posture | read:cloud_configuration | ### To obtain the Wiz URL 1. Navigate to your user profile and copy the API Endpoint URL. 
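Review bot: sample_event.json does not match what the pipeline in this diff produces: it shows `result.evaluation` as `"FAILED"` where the pipeline sets the lowercase `'failed'`, `message` holding the rule description where the pipeline copies the rule name, and `@timestamp` equal to `analyzed_at` where the pipeline sets `@timestamp` from `_ingest.timestamp`. The file appears to have been generated from an earlier revision of the pipeline; regenerate it once the pipeline is final so that the README example, which this diff copies from it, reflects real output.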
@@ -355,6 +356,142 @@ An example event for `cloud_configuration_finding` looks as following: | wiz.cloud_configuration_finding.rule.short_id | | keyword | +### Cloud Configuration Finding Full Posture + +This is the `Cloud Configuration Finding Full Posture` dataset. + +#### Example + +An example event for `cloud_configuration_finding_full_posture` looks as following: + +```json +{ + "@timestamp": "2023-06-12T11:38:07.900Z", + "cloud": { + "account": { + "id": "cfd132be-3bc7-4f86-8efd-ed53ae498fec", + "name": "Wiz - DEV Outpost" + }, + "provider": "azure" + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "category": [ + "configuration" + ], + "created": "2023-06-12T11:38:07.900Z", + "id": "bdeba988-f41b-55e6-9b99-96b8d3dc67d4", + "kind": "state", + "original": "{\"id\":\"bdeba988-f41b-55e6-9b99-96b8d3dc67d4\",\"targetExternalId\":\"k8s/pod/da99fd668e64c2def251b1d48b7b69ad3129638787a0f9144a993fe30fd4554f/default/cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx\",\"targetObjectProviderUniqueId\":\"cd971d74-92db-495c-8244-82da9a988fd0\",\"firstSeenAt\":\"2023-06-12T11:38:07.900129Z\",\"analyzedAt\":\"2023-06-12T11:38:07.900129Z\",\"severity\":\"LOW\",\"result\":\"FAIL\",\"status\":\"OPEN\",\"remediation\":\"Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \\r\\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . \\r\\n* `securityContext.capabilities.drop` key is set to `ALL`. 
\\r\\n\",\"resource\":{\"id\":\"0e814bb7-29e8-5c15-be9c-8da42c67ee99\",\"providerId\":\"provider-id-0e814bb7-29e8-5c15-be9c-8da42c67ee99\",\"name\":\"cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx\",\"nativeType\":\"Pod\",\"type\":\"POD\",\"region\":null,\"subscription\":{\"id\":\"a3a3cc43-1dfd-50f1-882e-692840d4a891\",\"name\":\"Wiz - DEV Outpost\",\"externalId\":\"cfd132be-3bc7-4f86-8efd-ed53ae498fec\",\"cloudProvider\":\"Azure\"},\"projects\":null,\"tags\":[{\"key\":\"pod-template-hash\",\"value\":\"8bc677d64\"},{\"key\":\"app.kubernetes.io/name\",\"value\":\"azure-cluster-autoscaler\"},{\"key\":\"app.kubernetes.io/instance\",\"value\":\"cluster-autoscaler\"}]},\"rule\":{\"id\":\"73553de7-f2ad-4ffb-b425-c69815033530\",\"shortId\":\"Pod-32\",\"graphId\":\"99ffeef7-75df-5c88-9265-5ab50ffbc2b9\",\"name\":\"Pod should run containers with authorized additional capabilities (PSS Restricted)\",\"description\":\"This rule is part of the Kubernetes [Pod Security Standards (PSS) restricted policies](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). \\nThis rule checks whether the pod is running containers with authorized additional capabilities. \\nThis rule fails if the `securityContext.capabilities.add` contains any capability beyond `NET_BIND_SERVICE` and if `securityContext.capabilities.drop` is not set to `ALL`. \\nBy default, if the `securityContext.capabilities.add` key is not set, the pod will not run with additional capabilities, and the rule will pass. \\nLinux capabilities allow granting certain privileges to a container without granting any unnecessary ones intended for the root user.\",\"remediationInstructions\":\"Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \\r\\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . 
\\r\\n* `securityContext.capabilities.drop` key is set to `ALL`. \\r\\n\",\"functionAsControl\":false},\"securitySubCategories\":[{\"id\":\"wsct-id-5206\",\"title\":\"Container Security\",\"category\":{\"id\":\"wct-id-423\",\"name\":\"9 Container Security\",\"framework\":{\"id\":\"wf-id-1\",\"name\":\"Wiz\"}}},{\"id\":\"wsct-id-8176\",\"title\":\"5.1 Containers should not run with additional capabilities\",\"category\":{\"id\":\"wct-id-1295\",\"name\":\"5 Capabilities\",\"framework\":{\"id\":\"wf-id-57\",\"name\":\"Kubernetes Pod Security Standards (Restricted)\"}}},{\"id\":\"wsct-id-8344\",\"title\":\"Cluster misconfiguration\",\"category\":{\"id\":\"wct-id-1169\",\"name\":\"2 Container & Kubernetes Security\",\"framework\":{\"id\":\"wf-id-53\",\"name\":\"Wiz Detailed\"}}}]}", + "outcome": "failure", + "type": [ + "info" + ] + }, + "message": "This rule is part of the Kubernetes [Pod Security Standards (PSS) restricted policies](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). \nThis rule checks whether the pod is running containers with authorized additional capabilities. \nThis rule fails if the `securityContext.capabilities.add` contains any capability beyond `NET_BIND_SERVICE` and if `securityContext.capabilities.drop` is not set to `ALL`. \nBy default, if the `securityContext.capabilities.add` key is not set, the pod will not run with additional capabilities, and the rule will pass. 
\nLinux capabilities allow granting certain privileges to a container without granting any unnecessary ones intended for the root user.", + "observer": { + "vendor": "Wiz" + }, + "resource": { + "id": "provider-id-0e814bb7-29e8-5c15-be9c-8da42c67ee99", + "name": "cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx", + "sub_type": "Pod", + "type": "POD" + }, + "result": { + "evaluation": "FAILED" + }, + "rule": { + "description": "This rule is part of the Kubernetes [Pod Security Standards (PSS) restricted policies](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). \nThis rule checks whether the pod is running containers with authorized additional capabilities. \nThis rule fails if the `securityContext.capabilities.add` contains any capability beyond `NET_BIND_SERVICE` and if `securityContext.capabilities.drop` is not set to `ALL`. \nBy default, if the `securityContext.capabilities.add` key is not set, the pod will not run with additional capabilities, and the rule will pass. \nLinux capabilities allow granting certain privileges to a container without granting any unnecessary ones intended for the root user.", + "id": "Pod-32", + "name": "Pod should run containers with authorized additional capabilities (PSS Restricted)", + "remediation": "Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \r\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . \r\n* `securityContext.capabilities.drop` key is set to `ALL`. 
\r\n", + "uuid": "73553de7-f2ad-4ffb-b425-c69815033530" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "wiz": { + "cloud_configuration_finding_full_posture": { + "analyzed_at": "2023-06-12T11:38:07.900Z", + "id": "bdeba988-f41b-55e6-9b99-96b8d3dc67d4", + "resource": { + "id": "0e814bb7-29e8-5c15-be9c-8da42c67ee99", + "name": "cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx", + "native_type": "Pod", + "provider_id": "provider-id-0e814bb7-29e8-5c15-be9c-8da42c67ee99", + "subscription": { + "cloud_provider": "Azure", + "external_id": "cfd132be-3bc7-4f86-8efd-ed53ae498fec", + "name": "Wiz - DEV Outpost" + }, + "type": "POD" + }, + "result": "FAIL", + "rule": { + "description": "This rule is part of the Kubernetes [Pod Security Standards (PSS) restricted policies](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). \nThis rule checks whether the pod is running containers with authorized additional capabilities. \nThis rule fails if the `securityContext.capabilities.add` contains any capability beyond `NET_BIND_SERVICE` and if `securityContext.capabilities.drop` is not set to `ALL`. \nBy default, if the `securityContext.capabilities.add` key is not set, the pod will not run with additional capabilities, and the rule will pass. \nLinux capabilities allow granting certain privileges to a container without granting any unnecessary ones intended for the root user.", + "id": "73553de7-f2ad-4ffb-b425-c69815033530", + "name": "Pod should run containers with authorized additional capabilities (PSS Restricted)", + "remediation_instructions": "Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \r\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . \r\n* `securityContext.capabilities.drop` key is set to `ALL`. 
\r\n", + "short_id": "Pod-32" + } + } + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | +| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. 
It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword | +| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | constant_keyword | +| input.type | Type of filebeat input. | keyword | +| log.offset | Log offset. | long | +| resource.id | | keyword | +| resource.name | | keyword | +| resource.sub_type | | keyword | +| resource.type | | keyword | +| result.evaluation | | keyword | +| result.evidence.cloud_configuration_link | | text | +| result.evidence.configuration_path | | text | +| result.evidence.current_value | | text | +| result.evidence.expected_value | | text | +| rule.remediation | | keyword | +| tags | List of keywords used to tag each event. | keyword | +| wiz.cloud_configuration_finding_full_posture.analyzed_at | | date | +| wiz.cloud_configuration_finding_full_posture.evidence.cloud_configuration_link | | text | +| wiz.cloud_configuration_finding_full_posture.evidence.configuration_path | | text | +| wiz.cloud_configuration_finding_full_posture.evidence.current_value | | text | +| wiz.cloud_configuration_finding_full_posture.evidence.expected_value | | text | +| wiz.cloud_configuration_finding_full_posture.id | | keyword | +| wiz.cloud_configuration_finding_full_posture.name | | keyword | +| wiz.cloud_configuration_finding_full_posture.resource.cloud_platform | | keyword | +| wiz.cloud_configuration_finding_full_posture.resource.id | | keyword | +| wiz.cloud_configuration_finding_full_posture.resource.name | | keyword | +| wiz.cloud_configuration_finding_full_posture.resource.native_type | | keyword | +| wiz.cloud_configuration_finding_full_posture.resource.provider_id | | keyword | +| wiz.cloud_configuration_finding_full_posture.resource.region | | keyword | +| 
wiz.cloud_configuration_finding_full_posture.resource.subscription.cloud_provider | | keyword | +| wiz.cloud_configuration_finding_full_posture.resource.subscription.external_id | | keyword | +| wiz.cloud_configuration_finding_full_posture.resource.subscription.name | | keyword | +| wiz.cloud_configuration_finding_full_posture.resource.type | | keyword | +| wiz.cloud_configuration_finding_full_posture.result | | keyword | +| wiz.cloud_configuration_finding_full_posture.rule.description | | text | +| wiz.cloud_configuration_finding_full_posture.rule.id | | keyword | +| wiz.cloud_configuration_finding_full_posture.rule.name | | keyword | +| wiz.cloud_configuration_finding_full_posture.rule.remediation_instructions | | text | +| wiz.cloud_configuration_finding_full_posture.rule.short_id | | keyword | +| wiz.cloud_configuration_finding_full_posture.status | | keyword | + + ### Issue This is the `Issue` dataset. diff --git a/packages/wiz/elasticsearch/transform/latest_cdr_misconfigurations/fields/base-fields.yml b/packages/wiz/elasticsearch/transform/latest_cdr_misconfigurations/fields/base-fields.yml index e18f46626aa..a22071275d0 100644 --- a/packages/wiz/elasticsearch/transform/latest_cdr_misconfigurations/fields/base-fields.yml +++ b/packages/wiz/elasticsearch/transform/latest_cdr_misconfigurations/fields/base-fields.yml @@ -12,6 +12,6 @@ - name: event.dataset external: ecs type: constant_keyword - value: wiz.cloud_configuration_finding + value: wiz.cloud_configuration_finding_full_posture - name: '@timestamp' external: ecs diff --git a/packages/wiz/elasticsearch/transform/latest_cdr_misconfigurations/fields/fields.yml b/packages/wiz/elasticsearch/transform/latest_cdr_misconfigurations/fields/fields.yml index eea63ef4778..5df98192fcf 100644 --- a/packages/wiz/elasticsearch/transform/latest_cdr_misconfigurations/fields/fields.yml +++ b/packages/wiz/elasticsearch/transform/latest_cdr_misconfigurations/fields/fields.yml 
@@ -1,8 +1,12 @@ -- name: wiz.cloud_configuration_finding +- name: wiz.cloud_configuration_finding_full_posture type: group fields: - name: analyzed_at type: date + - name: status + type: keyword + - name: name + type: keyword - name: resource type: group fields: diff --git a/packages/wiz/elasticsearch/transform/latest_cdr_misconfigurations/transform.yml b/packages/wiz/elasticsearch/transform/latest_cdr_misconfigurations/transform.yml index ada52ed9b5f..4a6d4d9352a 100644 --- a/packages/wiz/elasticsearch/transform/latest_cdr_misconfigurations/transform.yml +++ b/packages/wiz/elasticsearch/transform/latest_cdr_misconfigurations/transform.yml @@ -1,8 +1,8 @@ source: index: - - "logs-wiz.cloud_configuration_finding-*" + - "logs-wiz.cloud_configuration_finding_full_posture-*" dest: - index: "security_solution-wiz.misconfiguration_latest-v2" + index: "security_solution-wiz.misconfiguration_latest-v3" aliases: - alias: "security_solution-wiz.misconfiguration_latest" move_on_creation: true @@ -20,11 +20,11 @@ sync: retention_policy: time: field: "@timestamp" - max_age: 90d + max_age: 24h settings: unattended: true _meta: managed: true # Bump this version to delete, reinstall, and restart the transform during package. # Version bump is needed if there is any code change in transform. - fleet_transform_version: 0.2.0 + fleet_transform_version: 0.3.0 diff --git a/packages/wiz/manifest.yml b/packages/wiz/manifest.yml index ae44c4151df..884e4ed3923 100644 --- a/packages/wiz/manifest.yml +++ b/packages/wiz/manifest.yml @@ -1,7 +1,7 @@ format_version: 3.2.3 name: wiz title: Wiz -version: "2.10.0" +version: "3.0.0" description: Collect logs from Wiz with Elastic Agent. type: integration categories: @@ -9,7 +9,7 @@ categories: - cloudsecurity_cdr conditions: kibana: - version: "^8.18.0 || ^9.0.0" + version: "~8.16.6 || ~8.17.4 || ^8.18.0 || ^9.0.0" elastic: subscription: "basic" screenshots:
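Review bot: The retention change from `max_age: 90d` to `max_age: 24h` in the second transform.yml hunk evicts by `@timestamp`, and the README sample in this same diff shows `@timestamp` equal to the Wiz `analyzedAt` value rather than the ingest time; if that holds in general, any open finding Wiz has not re-analysed within a day silently drops out of `security_solution-wiz.misconfiguration_latest`, and the posture view reads as clean for resources that are still misconfigured. Please confirm which field `@timestamp` is copied from and what the full-posture collection interval is, and record the assumption next to the value, e.g. `# 24h assumes the full-posture input re-pulls every open finding at least daily; keep this above the collection interval.` The first transform.yml hunk also repoints the source to `logs-wiz.cloud_configuration_finding_full_posture-*` and creates a new `v3` destination with `move_on_creation: true`; since the package becomes 3.0.0, the README should state that `cloud_configuration_finding` no longer feeds the latest-misconfiguration index, and the now-orphaned `v2` index is presumably left for manual cleanup — worth a sentence in the docs or the changelog.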