[rapid7_insightvm] Add asset_vulnerability data stream for Cloud Detection and Response (CDR) workflow

[brijesh-elastic]

Proposed commit message

rapid7_insightvm: Add asset_vulnerability data stream for Cloud Detection and Response (CDR) workflow

This adds a breaking change, as it involves deprecating asset data stream using HTTPJSON input and
adding new data_stream asset_vulnerability using CEL input.

The new data stream, asset_vulnerability, will retrieve a list of assets and the vulnerabilities contained within each.
Additionally, it will enrich the vulnerability details by querying vulnerability endpoint.
The agent will publish one document per vulnerability per host.

ECS mapping and transforms have also been added to facilitate
the Cloud Native Vulnerability Management (CNVM)[1] workflow.

Enabled agentless deployment for rapid7 insightvm
Upgraded the format_version to 3.3.5
Updated Kibana version constraints to ^8.19.0 || ^9.1.0

[1] https://www.elastic.co/guide/en/security/current/vuln-management-overview.html

Note

To Reviewers:

• Please refer to this guide: https://docs.elastic.dev/security-solution/cloud-security/cdr/3p-dev-guide which was used for proposed changes.

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.
• I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

• Clone integrations repo.
• Install elastic package locally.
• Start elastic stack using elastic-package.
• Move to integrations/packages/rapid7_insightvm directory.
• Run the following command to run tests.

elastic-package test

Related issues

• Closes Change Rapid7 InsightVM integration to one doc per vulnerability #9354
• Closes Rapid7 Insight VM: Implement mappings for Cloud Security Workflows #13775
• Closes Rapid7 InsightVM: Implement transform for Cloud Security Workflows #13776
• Relates [meta][CDR] Update Rapid7 integration to Leverage Native CDR Workflows #13647

[elastic-vault-github-plugin-prod]

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

[elasticmachine]

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

[maxcold]

nit: comment mentions Tenable, should be Rapid7 I guess

[kcreddy]

Addressed in 9bd0b7b

[maxcold]

There is no initial interval as far as I can see. Do we do full scan periodically? In that case we need to set the @timestamp of the documents to the ingestion time, like we did for AWS SecurityHub full posture data stream https://github.com/elastic/integrations/pull/13372/files#diff-2aebbf76c4f4587a0d3701264a03075f4886df078bb04d4b41e40ec329902488R592 This way we won't have the problem of old documents outside of the retention period

[brijesh-elastic]

For Rapid7, it will collect all the vulnerabilities present in all the assets during the first interval. After subsequent intervals, it will collect only the new and remediated vulnerabilities that have introduced since the last interval.

cc: @kcreddy

[kcreddy]

@maxcold, we are going with incremental load to keep lower memory footprint as @brijesh-elastic observed agentless agent restarts in Serverless environments.

But I see your point. We need to match the transform retention with initial_interval, otherwise even if we ingest 2 years worth of data if our transform retention is much lower, all the documents are deleted inside destination indices. Is this correct understanding?
If this is the case, we can add initial_interval like with other incremental integrations.

[maxcold]

Yes, if we go with incremental I think we need to follow other integraitons approach and have initial_interval. It will at least give users the option to ingest some initial data for the CDR flows. But I'm not sure I understand how do we then have the data from 2023 in the envs if you do incremental updates only?

[kcreddy]

But I'm not sure I understand how do we then have the data from 2023 in the envs if you do incremental updates only?

In the absence of initial_interval, the first fetch ingests all historical data. All fetches after this will be incremental.

@brijesh-elastic is already working on adding initial_interval option, so that first fetch only has user-defined initial interval data instead of ingesting all historical data.

[maxcold]

tested cloud security UIs with the changes, everything works well as far as i can tell

[efd6]

I think the behaviour is better, but I still have concerns about #14079 (comment).

[chemamartinez]

Regarding comments I added, LGTM.

[kcreddy]

nit only. LGTM for my comments 👍🏼 . Please wait for @efd6 approval.

[kcreddy]

Can you also add a changelog entry for this change (bugfix) similar to #14172

[efd6]

Nice work. Nit only, then LGTM

[efd6]

Suggested change

	optional.of(("last_scan_end > " + string((timestamp(interval_time) - duration(state.initial_interval)).format(time_layout.RFC3339)))),
	optional.of(("last_scan_end > " + (timestamp(interval_time) - duration(state.initial_interval)).format(time_layout.RFC3339))),

timestamp.format returns a string.

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: d1ae436

History

• 💚 Build #27363 succeeded 04f7bbc
• 💚 Build #27325 succeeded 5fbe5cf
• 💚 Build #27282 succeeded 132cb48
• 💚 Build #27190 succeeded 471e7fe
• 💚 Build #27181 succeeded 1ff28b2
• 💚 Build #27134 succeeded 9bd0b7b

cc @brijesh-elastic

[elastic-sonarqube]

Quality Gate failed

Failed conditions
75.0% Coverage on New Code (required ≥ 80%)

See analysis details on SonarQube

[elastic-vault-github-plugin-prod]

Package rapid7_insightvm - 2.0.0 containing this change is available at https://epr.elastic.co/package/rapid7_insightvm/2.0.0/