diff --git a/packages/aws/_dev/build/docs/config.md b/packages/aws/_dev/build/docs/config.md index d5fd01b1be1..d2e01d8f98f 100644 --- a/packages/aws/_dev/build/docs/config.md +++ b/packages/aws/_dev/build/docs/config.md 
@@ -60,6 +60,27 @@ Use this integration if you only need to collect data from the AWS Config servic 1. For the current integration package, it is compulsory to add Secret Access Key and Access Key ID. 2. The AWS Config integration performs a full ingestion of all findings during each interval. +## Troubleshooting + +### Breaking Changes + +#### Support for Elastic Misconfiguration Findings page. + +Version `4.0.0` of the AWS Config integration adds support for [Elastic Cloud Security workflow](https://www.elastic.co/docs/solutions/security/cloud/ingest-third-party-cloud-security-data#_ingest_third_party_security_posture_and_vulnerability_data). The enhancement enables the users of the AWS Config integration to ingest misconfiguration findings from the AWS Config platform into Elastic and get insights directly from the [Misconfiguration Findings page](https://www.elastic.co/docs/solutions/security/cloud/findings-page). +Version `4.0.0` adds [Elastic Latest Transform](https://www.elastic.co/docs/explore-analyze/transforms/transform-overview#latest-transform-overview) which copies the latest findings from source indices matching the pattern `logs-aws.config-*` into new destination indices matching the pattern `security_solution-awsconfig.misconfiguration_latest-*`. The Elastic Findings pages will display findings based on the destination indices. + +For existing users of the AWS Config integration, before upgrading to version `4.0.0` please ensure the following requirements are met: + +1. Users need [Elastic Security solution](https://www.elastic.co/docs/solutions/security) which has requirements documented [here](https://www.elastic.co/docs/solutions/security/get-started/elastic-security-requirements). +2. 
To use transforms, users must have: + - at least one [transform node](https://www.elastic.co/docs/deploy-manage/distributed-architecture/clusters-nodes-shards/node-roles#transform-node-role), + - management features visible in the Kibana space, and + - security privileges that: + - grant use of transforms, and + - grant access to source and destination indices + For more details on Transform Setup, refer to the link [here](https://www.elastic.co/docs/explore-analyze/transforms/transform-setup) +3. Because the latest copy of findings is now indexed in two places, that is, in both source and destination indices, users must anticipate storage requirements accordingly. + ## Logs reference ### Config diff --git a/packages/aws/_dev/build/docs/inspector.md b/packages/aws/_dev/build/docs/inspector.md index 71bc2ce472e..a27fdec4d5a 100644 --- a/packages/aws/_dev/build/docs/inspector.md +++ b/packages/aws/_dev/build/docs/inspector.md 
@@ -28,6 +28,27 @@ Agentless deployments are only supported in Elastic Serverless and Elastic Cloud - This data stream doesn't support setting a Role ARN. - Ensure your IAM has the `inspector2:ListFindings` permission granted. Without this permission, API requests will be denied. +## Troubleshooting + +### Breaking Changes + +#### Support for Elastic Vulnerability Findings page. + +Version `4.0.0` of the AWS integration adds support for [Elastic Cloud Security workflow](https://www.elastic.co/docs/solutions/security/cloud/ingest-third-party-cloud-security-data#_ingest_third_party_security_posture_and_vulnerability_data). The enhancement enables the users of the AWS Inspector integration to ingest their enriched vulnerabilities from the Amazon Inspector platform into Elastic and get insights directly from the Elastic [Vulnerability Findings page](https://www.elastic.co/docs/solutions/security/cloud/findings-page-3). +This update adds [Elastic Latest Transform](https://www.elastic.co/docs/explore-analyze/transforms/transform-overview#latest-transform-overview) which copies the latest vulnerability findings from source indices matching the pattern `logs-aws.inspector-*` into new destination indices matching the pattern `security_solution-aws.vulnerability_latest-*`. The Elastic Vulnerability Findings page will display vulnerabilities based on the destination indices. + +For existing users of the AWS integration, before upgrading to `4.0.0` please ensure the following requirements are met: + +1. Users need [Elastic Security solution](https://www.elastic.co/docs/solutions/security) which has requirements documented [here](https://www.elastic.co/docs/solutions/security/get-started/elastic-security-requirements). +2. 
To use transforms, users must have: + - at least one [transform node](https://www.elastic.co/docs/deploy-manage/distributed-architecture/clusters-nodes-shards/node-roles#transform-node-role), + - management features visible in the Kibana space, and + - security privileges that: + - grant use of transforms, and + - grant access to source and destination indices + For more details on Transform Setup, refer to the link [here](https://www.elastic.co/docs/explore-analyze/transforms/transform-setup) +3. Because the latest copy of vulnerabilities is now indexed in two places, that is, in both source and destination indices, users must anticipate storage requirements accordingly. + ## Logs ### Inspector diff --git a/packages/aws/changelog.yml b/packages/aws/changelog.yml index 0bb96c27c2b..e6eb7f24d93 100644 --- a/packages/aws/changelog.yml +++ b/packages/aws/changelog.yml @@ -1,4 +1,17 @@ # newer versions go on top +- version: "4.0.0" + changes: + - description: | + Add latest transform to `AWS Config` and `AWS Inspector`. + This enables support for extended protections for `AWS Config` and `AWS Inspector`. + type: enhancement + link: https://github.com/elastic/integrations/pull/15230 + - description: | + The latest transforms requires `transform` node and necessary permissions to use the transform. + The transforms stores the latest copy of vulnerabilities and misconfigurations in the destination indices, which will require additional storage. + Due to change in fingeprinting on source indices, duplicates occur on source indices of `AWS Config` and `AWS Inspector`. + type: breaking-change + link: https://github.com/elastic/integrations/pull/15230 - version: "3.17.0" changes: - description: Enable Agentless deployment for AWS GuardDuty. 
@@ -14,6 +27,11 @@ - description: Add support for VPC Flow logs versions 6, 7, and 8. type: enhancement link: https://github.com/elastic/integrations/pull/15077 +- version: "3.14.2" + changes: + - description: Remove unused agent files. + type: bugfix + link: https://github.com/elastic/integrations/pull/14995 - version: "3.14.1" changes: - description: Fixed issue where empty DescribeConfigRules responses caused 'index out of bounds' errors in AWS Config integration. diff --git a/packages/aws/data_stream/config/_dev/test/pipeline/test-event.log-expected.json b/packages/aws/data_stream/config/_dev/test/pipeline/test-event.log-expected.json index 464fa74a936..0bb461e3597 100644 --- a/packages/aws/data_stream/config/_dev/test/pipeline/test-event.log-expected.json +++ b/packages/aws/data_stream/config/_dev/test/pipeline/test-event.log-expected.json @@ -105,7 +105,8 @@ "id": "config-rule-rwpvuz", "name": "access-keys-rotated", "reference": "arn:aws:config:us-east-1:329599655752:config-rule/config-rule-rwpvuz", - "tags": "string" + "tags": "string", + "uuid": "chfNCTELmFlMeMhp21DvcEjdkK0=" }, "tags": [ "preserve_duplicate_custom_fields" diff --git a/packages/aws/data_stream/config/elasticsearch/ilm/default_policy.json b/packages/aws/data_stream/config/elasticsearch/ilm/default_policy.json new file mode 100644 index 00000000000..6fbc1040483 --- /dev/null +++ b/packages/aws/data_stream/config/elasticsearch/ilm/default_policy.json @@ -0,0 +1,20 @@ +{ + "policy": { + "phases": { + "hot": { + "actions": { + "rollover": { + "max_age": "7d", + "max_primary_shard_size": "50gb" + } + } + }, + "delete": { + "min_age": "7d", + "actions": { + "delete": {} + } + } + } + } +} diff --git a/packages/aws/data_stream/config/elasticsearch/ingest_pipeline/default.yml b/packages/aws/data_stream/config/elasticsearch/ingest_pipeline/default.yml index f3055888180..df22ad199bf 100644 --- a/packages/aws/data_stream/config/elasticsearch/ingest_pipeline/default.yml 
+++ b/packages/aws/data_stream/config/elasticsearch/ingest_pipeline/default.yml @@ -41,14 +41,6 @@ processors: - append: field: error.message value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - - fingerprint: - fields: - - json.EvaluationResultIdentifier.EvaluationResultQualifier.ResourceId - - json.ConfigRuleInvokedTime - - json.ConfigRuleInfo.ConfigRuleId - tag: fingerprint_aws_config - target_field: _id - ignore_missing: true - set: field: cloud.provider tag: set_cloud_provider @@ -94,6 +86,12 @@ processors: tag: set_rule_reference_from_config_config_rule_info_config_rule_arn copy_from: aws.config.rule_info.config_rule_arn ignore_empty_value: true + - fingerprint: + fields: + - rule.reference + tag: fingerprint_rule_uuid + target_field: rule.uuid + ignore_missing: true - rename: field: json.ConfigRuleInfo.ConfigRuleId tag: rename_ConfigRuleInfo_ConfigRuleId diff --git a/packages/aws/data_stream/config/fields/base-fields.yml b/packages/aws/data_stream/config/fields/base-fields.yml index eecc4a25afb..cd993b6033d 100644 --- a/packages/aws/data_stream/config/fields/base-fields.yml +++ b/packages/aws/data_stream/config/fields/base-fields.yml @@ -1,20 +1,16 @@ - name: data_stream.type - type: constant_keyword - description: Data stream type. + external: ecs - name: data_stream.dataset - type: constant_keyword - description: Data stream dataset. + external: ecs - name: data_stream.namespace - type: constant_keyword - description: Data stream namespace. + external: ecs - name: event.module type: constant_keyword - description: Event module. + external: ecs value: aws - name: event.dataset type: constant_keyword value: aws.config - description: Event dataset. + external: ecs - name: '@timestamp' - type: date - description: Event timestamp. + external: ecs 
diff --git a/packages/aws/data_stream/config/lifecycle.yml b/packages/aws/data_stream/config/lifecycle.yml new file mode 100644 index 00000000000..3fe3776ec1f --- /dev/null +++ b/packages/aws/data_stream/config/lifecycle.yml @@ -0,0 +1 @@ +data_retention: "7d" diff --git a/packages/aws/data_stream/config/manifest.yml b/packages/aws/data_stream/config/manifest.yml index 838fd107250..0bb1b2ea3f0 100644 --- a/packages/aws/data_stream/config/manifest.yml +++ b/packages/aws/data_stream/config/manifest.yml @@ -1,5 +1,6 @@ title: Collect AWS Config Findings logs via API type: logs +ilm_policy: logs-aws.config-default_policy streams: - input: cel title: Collect AWS Config Findings from AWS diff --git a/packages/aws/data_stream/inspector/elasticsearch/ilm/default_policy.json b/packages/aws/data_stream/inspector/elasticsearch/ilm/default_policy.json new file mode 100644 index 00000000000..6fbc1040483 --- /dev/null +++ b/packages/aws/data_stream/inspector/elasticsearch/ilm/default_policy.json @@ -0,0 +1,20 @@ +{ + "policy": { + "phases": { + "hot": { + "actions": { + "rollover": { + "max_age": "7d", + "max_primary_shard_size": "50gb" + } + } + }, + "delete": { + "min_age": "7d", + "actions": { + "delete": {} + } + } + } + } +} diff --git a/packages/aws/data_stream/inspector/lifecycle.yml b/packages/aws/data_stream/inspector/lifecycle.yml new file mode 100644 index 00000000000..3fe3776ec1f --- /dev/null +++ b/packages/aws/data_stream/inspector/lifecycle.yml @@ -0,0 +1 @@ +data_retention: "7d" diff --git a/packages/aws/data_stream/inspector/manifest.yml b/packages/aws/data_stream/inspector/manifest.yml index 16ff1c44466..9a5b3bf4c89 100644 --- a/packages/aws/data_stream/inspector/manifest.yml +++ b/packages/aws/data_stream/inspector/manifest.yml @@ -1,5 +1,6 @@ title: Collect Amazon Inspector logs from AWS type: logs +ilm_policy: logs-aws.inspector-default_policy streams: - input: httpjson title: Collect Amazon Inspector Findings from AWS 
diff --git a/packages/aws/data_stream/securityhub_findings/_dev/test/system/test-default-config.yml b/packages/aws/data_stream/securityhub_findings/_dev/test/system/test-default-config.yml index 1e397d0db01..f8530c36e13 100644 --- a/packages/aws/data_stream/securityhub_findings/_dev/test/system/test-default-config.yml +++ b/packages/aws/data_stream/securityhub_findings/_dev/test/system/test-default-config.yml @@ -34,3 +34,6 @@ data_stream: NZJwli2WcEIuvEP2btR3aq3DSZiJwsgh3YaqA9GFv0e3A7rG5lUwaFFIhSFmNTUo QitGeqCxiwvdjD4d/jkyeG84779ewQQeYyxgOgvQaiS56a4DijLYkIU= -----END CERTIFICATE----- +skip: + reason: "The fleet health status changes to degraded when the HTTPJSON template's value evaluation comes up empty, which leads to system test failures but does not interrupt the data flow." + link: https://github.com/elastic/beats/issues/45664 diff --git a/packages/aws/data_stream/securityhub_findings_full_posture/_dev/test/system/test-default-config.yml b/packages/aws/data_stream/securityhub_findings_full_posture/_dev/test/system/test-default-config.yml index afa23898944..04db38ab3fe 100644 --- a/packages/aws/data_stream/securityhub_findings_full_posture/_dev/test/system/test-default-config.yml +++ b/packages/aws/data_stream/securityhub_findings_full_posture/_dev/test/system/test-default-config.yml @@ -34,3 +34,6 @@ data_stream: NZJwli2WcEIuvEP2btR3aq3DSZiJwsgh3YaqA9GFv0e3A7rG5lUwaFFIhSFmNTUo QitGeqCxiwvdjD4d/jkyeG84779ewQQeYyxgOgvQaiS56a4DijLYkIU= -----END CERTIFICATE----- +skip: + reason: "The fleet health status changes to degraded when the HTTPJSON template's value evaluation comes up empty, which leads to system test failures but does not interrupt the data flow." + link: https://github.com/elastic/beats/issues/45664 diff --git a/packages/aws/data_stream/securityhub_insights/_dev/test/system/test-default-config.yml b/packages/aws/data_stream/securityhub_insights/_dev/test/system/test-default-config.yml index 2d205903b4f..9e1e45bef77 100644 
--- a/packages/aws/data_stream/securityhub_insights/_dev/test/system/test-default-config.yml +++ b/packages/aws/data_stream/securityhub_insights/_dev/test/system/test-default-config.yml @@ -33,3 +33,6 @@ data_stream: 8gqQdAH8DCmCSwT/6JRLbDCCM7njqzGLb3d/hGdZYxVp+Bu0vbuE4BnifTvo79az IqZhWKmJamAm8bHDYVR+QPo7JWkPf117I3YORE3NSC1dfvXk1jOCl+zA7A== -----END CERTIFICATE----- +skip: + reason: "The fleet health status changes to degraded when the HTTPJSON template's value evaluation comes up empty, which leads to system test failures but does not interrupt the data flow." + link: https://github.com/elastic/beats/issues/45664 diff --git a/packages/aws/docs/config.md b/packages/aws/docs/config.md index 5959529e77f..52d0a8f50bf 100644 --- a/packages/aws/docs/config.md +++ b/packages/aws/docs/config.md 
@@ -60,6 +60,27 @@ Use this integration if you only need to collect data from the AWS Config servic 1. For the current integration package, it is compulsory to add Secret Access Key and Access Key ID. 2. The AWS Config integration performs a full ingestion of all findings during each interval. +## Troubleshooting + +### Breaking Changes + +#### Support for Elastic Misconfiguration Findings page. + +Version `4.0.0` of the AWS Config integration adds support for [Elastic Cloud Security workflow](https://www.elastic.co/docs/solutions/security/cloud/ingest-third-party-cloud-security-data#_ingest_third_party_security_posture_and_vulnerability_data). The enhancement enables the users of the AWS Config integration to ingest misconfiguration findings from the AWS Config platform into Elastic and get insights directly from the [Misconfiguration Findings page](https://www.elastic.co/docs/solutions/security/cloud/findings-page). +Version `4.0.0` adds [Elastic Latest Transform](https://www.elastic.co/docs/explore-analyze/transforms/transform-overview#latest-transform-overview) which copies the latest findings from source indices matching the pattern `logs-aws.config-*` into new destination indices matching the pattern `security_solution-awsconfig.misconfiguration_latest-*`. The Elastic Findings pages will display findings based on the destination indices. + +For existing users of the AWS Config integration, before upgrading to version `4.0.0` please ensure the following requirements are met: + +1. Users need [Elastic Security solution](https://www.elastic.co/docs/solutions/security) which has requirements documented [here](https://www.elastic.co/docs/solutions/security/get-started/elastic-security-requirements). +2. 
To use transforms, users must have: + - at least one [transform node](https://www.elastic.co/docs/deploy-manage/distributed-architecture/clusters-nodes-shards/node-roles#transform-node-role), + - management features visible in the Kibana space, and + - security privileges that: + - grant use of transforms, and + - grant access to source and destination indices + For more details on Transform Setup, refer to the link [here](https://www.elastic.co/docs/explore-analyze/transforms/transform-setup) +3. Because the latest copy of findings is now indexed in two places, that is, in both source and destination indices, users must anticipate storage requirements accordingly. + ## Logs reference ### Config @@ -192,7 +213,7 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur | Field | Description | Type | |---|---|---| -| @timestamp | Event timestamp. | date | +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | aws.config.annotation | Supplementary information about how the evaluation determined the compliance. | keyword | | aws.config.compliance_type | Indicates whether the AWS resource complies with the AWS Config rule that evaluated it. | keyword | | aws.config.config_rule_invoked_time | The time when the AWS Config rule evaluated the AWS resource. | date | 
@@ -226,11 +247,11 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur | aws.config.rule_info.source.source_details.message_type | The type of notification that triggers AWS Config to run an evaluation for a rule. | keyword | | aws.config.rule_info.source.source_identifier | For AWS Config Managed rules, a predefined identifier from a list. | keyword | | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | constant_keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| event.dataset | Event dataset. | constant_keyword | -| event.module | Event module. | constant_keyword | +| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.type | An overarching type for the data stream. 
Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | +| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword | +| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | constant_keyword | | input.type | Type of Filebeat input. | keyword | | log.offset | Log offset. | long | | observer.vendor | Vendor name of the observer. | constant_keyword | diff --git a/packages/aws/docs/inspector.md b/packages/aws/docs/inspector.md index 5077e5603ac..6d3945bd480 100644 --- a/packages/aws/docs/inspector.md +++ b/packages/aws/docs/inspector.md 
@@ -28,6 +28,27 @@ Agentless deployments are only supported in Elastic Serverless and Elastic Cloud - This data stream doesn't support setting a Role ARN. - Ensure your IAM has the `inspector2:ListFindings` permission granted. Without this permission, API requests will be denied. +## Troubleshooting + +### Breaking Changes + +#### Support for Elastic Vulnerability Findings page. + +Version `4.0.0` of the AWS integration adds support for [Elastic Cloud Security workflow](https://www.elastic.co/docs/solutions/security/cloud/ingest-third-party-cloud-security-data#_ingest_third_party_security_posture_and_vulnerability_data). The enhancement enables the users of the AWS Inspector integration to ingest their enriched vulnerabilities from the Amazon Inspector platform into Elastic and get insights directly from the Elastic [Vulnerability Findings page](https://www.elastic.co/docs/solutions/security/cloud/findings-page-3). +This update adds [Elastic Latest Transform](https://www.elastic.co/docs/explore-analyze/transforms/transform-overview#latest-transform-overview) which copies the latest vulnerability findings from source indices matching the pattern `logs-aws.inspector-*` into new destination indices matching the pattern `security_solution-aws.vulnerability_latest-*`. The Elastic Vulnerability Findings page will display vulnerabilities based on the destination indices. + +For existing users of the AWS integration, before upgrading to `4.0.0` please ensure the following requirements are met: + +1. Users need [Elastic Security solution](https://www.elastic.co/docs/solutions/security) which has requirements documented [here](https://www.elastic.co/docs/solutions/security/get-started/elastic-security-requirements). +2. 
To use transforms, users must have: + - at least one [transform node](https://www.elastic.co/docs/deploy-manage/distributed-architecture/clusters-nodes-shards/node-roles#transform-node-role), + - management features visible in the Kibana space, and + - security privileges that: + - grant use of transforms, and + - grant access to source and destination indices + For more details on Transform Setup, refer to the link [here](https://www.elastic.co/docs/explore-analyze/transforms/transform-setup) +3. Because the latest copy of vulnerabilities is now indexed in two places, that is, in both source and destination indices, users must anticipate storage requirements accordingly. + ## Logs ### Inspector diff --git a/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations_awsconfig/fields/base-fields.yml b/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations_awsconfig/fields/base-fields.yml new file mode 100644 index 00000000000..e721ff0e58b --- /dev/null +++ b/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations_awsconfig/fields/base-fields.yml @@ -0,0 +1,17 @@ +- name: data_stream.type + external: ecs +- name: data_stream.dataset + external: ecs +- name: data_stream.namespace + type: keyword + external: ecs +- name: event.module + type: constant_keyword + external: ecs + value: aws +- name: event.dataset + type: constant_keyword + value: aws.config + external: ecs +- name: '@timestamp' + external: ecs diff --git a/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations_awsconfig/fields/beats.yml b/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations_awsconfig/fields/beats.yml new file mode 100644 index 00000000000..d5fd38748ba --- /dev/null +++ b/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations_awsconfig/fields/beats.yml @@ -0,0 +1,6 @@ +- name: input.type + type: keyword + description: Type of Filebeat input. +- name: log.offset + type: long + description: Log offset. 
diff --git a/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations_awsconfig/fields/ecs.yml b/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations_awsconfig/fields/ecs.yml new file mode 100644 index 00000000000..2fe489ab9ed --- /dev/null +++ b/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations_awsconfig/fields/ecs.yml @@ -0,0 +1,6 @@ +- name: cloud.provider + type: constant_keyword + external: ecs +- name: observer.vendor + type: constant_keyword + external: ecs diff --git a/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations_awsconfig/fields/fields.yml b/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations_awsconfig/fields/fields.yml new file mode 100644 index 00000000000..52bc45e532a --- /dev/null +++ b/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations_awsconfig/fields/fields.yml 
@@ -0,0 +1,126 @@ +- name: aws + type: group + fields: + - name: config + type: group + fields: + - name: annotation + type: keyword + description: Supplementary information about how the evaluation determined the compliance. + - name: compliance_type + type: keyword + description: Indicates whether the AWS resource complies with the AWS Config rule that evaluated it. + - name: rule_info + type: group + fields: + - name: config_rule_arn + type: keyword + description: The Amazon Resource Name (ARN) of the AWS Config rule. + - name: config_rule_id + type: keyword + description: The ID of the AWS Config rule. + - name: config_rule_name + type: keyword + description: The name that you assign to the AWS Config rule. The name is required if you are adding a new rule. + - name: config_rule_state + type: keyword + description: Indicates whether the AWS Config rule is active or is currently being deleted by AWS Config. + - name: created_by + type: keyword + description: Service principal name of the service that created the rule. + - name: description + type: keyword + description: The description that you provide for the AWS Config rule. + - name: evaluation_modes + type: group + fields: + - name: mode + type: keyword + description: The mode of an evaluation. + - name: input_parameters + type: flattened + description: A string, in JSON format, that is passed to the AWS Config rule Lambda function. + - name: maximum_execution_frequency + type: keyword + description: The maximum frequency with which AWS Config runs evaluations for a rule. + - name: scope + type: group + fields: + - name: compliance_resource_id + type: keyword + description: The ID of the only AWS resource that you want to trigger an evaluation for the rule. + - name: compliance_resource_types + type: keyword + description: The resource types of only those AWS resources that you want to trigger an evaluation for the rule. 
+ - name: tag_key + type: keyword + description: The tag key that is applied to only those AWS resources that you want to trigger an evaluation for the rule. + - name: tag_value + type: keyword + description: The tag value applied to only those AWS resources that you want to trigger an evaluation for the rule. + - name: source + type: group + fields: + - name: custom_policy_details + type: group + fields: + - name: enable_debug_log_delivery + type: boolean + description: The boolean expression for enabling debug logging for your AWS Config Custom Policy rule. + - name: policy_runtime + type: keyword + description: The runtime system for your AWS Config Custom Policy rule. + - name: policy_text + type: keyword + description: The policy definition containing the logic for your AWS Config Custom Policy rule. + - name: owner + type: keyword + description: Indicates whether AWS or the customer owns and manages the AWS Config rule. + - name: source_details + type: group + fields: + - name: event_source + type: keyword + description: The source of the event, such as an AWS service, that triggers AWS Config to evaluate your AWS resources. + - name: maximum_execution_frequency + type: keyword + description: The frequency at which you want AWS Config to run evaluations for a custom rule with a periodic trigger. + - name: message_type + type: keyword + description: The type of notification that triggers AWS Config to run an evaluation for a rule. + - name: source_identifier + type: keyword + description: For AWS Config Managed rules, a predefined identifier from a list. + - name: config_rule_invoked_time + type: date + description: The time when the AWS Config rule evaluated the AWS resource. + - name: evaluation_result_identifier + type: group + fields: + - name: evaluation_result_qualifier + type: group + fields: + - name: config_rule_name + type: keyword + description: The name of the AWS Config rule that was used in the evaluation. 
+ - name: evaluation_mode + type: keyword + description: The mode of an evaluation. The valid values are Detective or Proactive. + - name: resource_id + type: keyword + description: The ID of the evaluated AWS resource. + - name: resource_type + type: keyword + description: The type of AWS resource that was evaluated. + - name: ordering_timestamp + type: date + description: The time of the event that triggered the evaluation of your AWS resources. + - name: resource_evaluation_id + type: keyword + description: A Unique ID for an evaluation result. + - name: result_recorded_time + type: date + description: The time when AWS Config recorded the evaluation result. + - name: result_token + type: keyword + description: An encrypted token that associates an evaluation with an AWS Config rule. diff --git a/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations_awsconfig/fields/resource.yml b/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations_awsconfig/fields/resource.yml new file mode 100644 index 00000000000..6975e84ce3b --- /dev/null +++ b/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations_awsconfig/fields/resource.yml @@ -0,0 +1,7 @@ +- name: resource + type: group + fields: + - name: id + type: keyword + - name: type + type: keyword diff --git a/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations_awsconfig/fields/result.yml b/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations_awsconfig/fields/result.yml new file mode 100644 index 00000000000..75f840ce005 --- /dev/null +++ b/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations_awsconfig/fields/result.yml @@ -0,0 +1,5 @@ +- name: result + type: group + fields: + - name: evaluation + type: keyword 
diff --git a/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations_awsconfig/fields/rule.yml b/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations_awsconfig/fields/rule.yml new file mode 100644 index 00000000000..b1ccff8a384 --- /dev/null +++ b/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations_awsconfig/fields/rule.yml @@ -0,0 +1,5 @@ +- name: rule + type: group + fields: + - name: tags + type: keyword diff --git a/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations_awsconfig/transform.yml b/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations_awsconfig/transform.yml new file mode 100644 index 00000000000..586fb4ec4c6 --- /dev/null +++ b/packages/aws/elasticsearch/transform/latest_cdr_misconfigurations_awsconfig/transform.yml @@ -0,0 +1,33 @@ +# Use of "*" to use all namespaces defined. +source: + index: + - "logs-aws.config-*" +dest: + index: "security_solution-awsconfig.misconfiguration_latest-v1" + aliases: + - alias: "security_solution-awsconfig.misconfiguration_latest" + move_on_creation: true +latest: + unique_key: + - rule.uuid + - resource.id + - data_stream.namespace + sort: "@timestamp" +description: >- + Latest Findings from AWS Config. As findings get updated, this transform stores only the latest state of each finding inside the destination index. Thus the transform's destination index contains only the latest state of the finding. +frequency: 5m +settings: + unattended: true +sync: + time: + field: "event.ingested" + delay: 60s +retention_policy: + time: + field: "@timestamp" + max_age: 24h +_meta: + managed: true + # Bump this version to delete, reinstall, and restart the transform during + # package installation. + fleet_transform_version: 0.1.0 
diff --git a/packages/aws/elasticsearch/transform/latest_cdr_vulnerabilities_awsinspector/fields/agent.yml b/packages/aws/elasticsearch/transform/latest_cdr_vulnerabilities_awsinspector/fields/agent.yml new file mode 100644 index 00000000000..cee3c7a2d0e --- /dev/null +++ b/packages/aws/elasticsearch/transform/latest_cdr_vulnerabilities_awsinspector/fields/agent.yml @@ -0,0 +1,50 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: image.id + type: keyword + description: Image ID for the cloud instance. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. + + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset +- name: log.file.device_id + type: keyword + description: Device Id of the log file this event came from. +- name: log.file.inode + type: keyword + description: Inode number of the log file. +- name: log.file.path + type: keyword + description: Path to the log file. 
diff --git a/packages/aws/elasticsearch/transform/latest_cdr_vulnerabilities_awsinspector/fields/base-fields.yml b/packages/aws/elasticsearch/transform/latest_cdr_vulnerabilities_awsinspector/fields/base-fields.yml new file mode 100644 index 00000000000..8ed0cf36195 --- /dev/null +++ b/packages/aws/elasticsearch/transform/latest_cdr_vulnerabilities_awsinspector/fields/base-fields.yml @@ -0,0 +1,17 @@ +- name: data_stream.type + external: ecs +- name: data_stream.dataset + external: ecs +- name: data_stream.namespace + external: ecs + type: keyword +- name: event.module + external: ecs + type: constant_keyword + value: aws +- name: event.dataset + external: ecs + type: constant_keyword + value: aws.inspector +- name: '@timestamp' + external: ecs diff --git a/packages/aws/elasticsearch/transform/latest_cdr_vulnerabilities_awsinspector/fields/ecs.yml b/packages/aws/elasticsearch/transform/latest_cdr_vulnerabilities_awsinspector/fields/ecs.yml new file mode 100644 index 00000000000..cc61312ef72 --- /dev/null +++ b/packages/aws/elasticsearch/transform/latest_cdr_vulnerabilities_awsinspector/fields/ecs.yml @@ -0,0 +1,7 @@ +# Define ECS constant fields as constant_keyword +- name: observer.vendor + type: constant_keyword + external: ecs +- name: vulnerability.scanner.vendor + type: constant_keyword + external: ecs diff --git a/packages/aws/elasticsearch/transform/latest_cdr_vulnerabilities_awsinspector/fields/fields.yml b/packages/aws/elasticsearch/transform/latest_cdr_vulnerabilities_awsinspector/fields/fields.yml new file mode 100644 index 00000000000..12803b8273f --- /dev/null +++ b/packages/aws/elasticsearch/transform/latest_cdr_vulnerabilities_awsinspector/fields/fields.yml 
@@ -0,0 +1,476 @@ +- name: aws.inspector + type: group + fields: + - name: aws_account_id + type: keyword + description: The AWS account ID associated with the finding. + - name: code_vulnerability_details + type: group + fields: + - name: cwes + type: keyword + description: The Common Weakness Enumeration (CWE) item associated with the detected vulnerability. + - name: detector_id + type: keyword + description: The ID for the Amazon CodeGuru detector associated with the finding. For more information on detectors see Amazon CodeGuru Detector Library. + - name: detector_name + type: keyword + description: The name of the detector used to identify the code vulnerability. For more information on detectors see CodeGuru Detector Library. + - name: detector_tags + type: keyword + description: The detector tag associated with the vulnerability. Detector tags group related vulnerabilities by common themes or tactics. For a list of available tags by programming language, see Java tags, or Python tags. + - name: file_path + type: group + fields: + - name: end_line + type: long + description: The line number of the last line of code that a vulnerability was found in. + - name: name + type: keyword + description: The name of the file the code vulnerability was found in. + - name: path + type: keyword + description: The file path to the code that a vulnerability was found in. + - name: start_line + type: long + description: The line number of the first line of code that a vulnerability was found in. + - name: reference_urls + type: keyword + description: A URL containing supporting documentation about the code vulnerability detected. + - name: rule_id + type: keyword + description: The identifier for a rule that was used to detect the code vulnerability. + - name: source_lambda_layer_arn + type: keyword + description: The Amazon Resource Name (ARN) of the Lambda layer that the code vulnerability was detected in. 
+ - name: description + type: text + description: The description of the finding. + - name: epss + type: group + fields: + - name: score + type: double + description: The EPSS score. + - name: exploitability_details + type: group + fields: + - name: last_known_exploit_at + type: date + description: The date and time of the last exploit associated with a finding discovered in your environment. + - name: exploit_available + type: keyword + description: If a finding discovered in your environment has an exploit available. + - name: finding_arn + type: keyword + description: The Amazon Resource Number (ARN) of the finding. + - name: first_observed_at + type: date + description: The date and time that the finding was first observed. + - name: fix_available + type: keyword + description: Details on whether a fix is available through a version update. This value can be YES, NO, or PARTIAL. A PARTIAL fix means that some, but not all, of the packages identified in the finding have fixes available through updated versions. + - name: inspector_score + type: double + description: The Amazon Inspector score given to the finding. + - name: inspector_score_details + type: group + fields: + - name: adjusted_cvss + type: group + fields: + - name: adjustments + type: group + fields: + - name: metric + type: keyword + description: The metric used to adjust the CVSS score. + - name: reason + type: keyword + description: The reason the CVSS score has been adjustment. + - name: cvss_source + type: keyword + description: The source of the CVSS data. + - name: score + type: group + fields: + - name: source + type: keyword + description: The source for the CVSS score. + - name: value + type: double + description: The CVSS score. + - name: scoring_vector + type: keyword + description: The vector for the CVSS score. + - name: version + type: keyword + description: The CVSS version used in scoring. 
+ - name: last_observed_at + type: date + description: The date and time that the finding was last observed. + - name: network_reachability_details + type: group + fields: + - name: network_path + type: group + fields: + - name: steps + type: group + fields: + - name: component + type: group + fields: + - name: arn + type: keyword + description: The component ARN. The ARN can be null and is not displayed in the AWS console. + - name: id + type: keyword + description: The component ID. + - name: type + type: keyword + description: The component type. + - name: open_port_range + type: group + fields: + - name: begin + type: long + description: The beginning port in a port range. + - name: end + type: long + description: The ending port in a port range. + - name: protocol + type: keyword + description: The protocol associated with a finding. + - name: package_nested + type: nested + fields: + - name: arch + type: keyword + description: The architecture of the vulnerable package. + - name: epoch + type: long + description: The epoch of the vulnerable package. + - name: file_path + type: keyword + description: The file path of the vulnerable package. + - name: fixed_in_version + type: keyword + description: The version of the package that contains the vulnerability fix. + - name: name + type: keyword + description: The name of the vulnerable package. + - name: package_manager + type: keyword + description: The package manager of the vulnerable package. + - name: release + type: keyword + description: The release of the vulnerable package. + - name: remediation + type: keyword + description: The code to run in your environment to update packages with a fix available. + - name: source_lambda_layer_arn + type: keyword + description: The Amazon Resource Number (ARN) of the AWS Lambda function affected by a finding. + - name: source_layer_hash + type: keyword + description: The source layer hash of the vulnerable package. 
+ - name: version + type: keyword + description: The version of the vulnerable package. + - name: package_vulnerability_details + type: group + fields: + - name: cvss + type: group + fields: + - name: base_score + type: double + description: The base CVSS score used for the finding. + - name: scoring_vector + type: keyword + description: The vector string of the CVSS score. + - name: source + type: keyword + description: The source of the CVSS score. + - name: version + type: keyword + description: The version of CVSS used for the score. + - name: reference_urls + type: keyword + description: One or more URLs that contain details about this vulnerability type. + - name: related_vulnerabilities + type: keyword + description: One or more vulnerabilities related to the one identified in this finding. + - name: source + type: group + fields: + - name: url + type: group + fields: + - name: domain + type: keyword + description: A domain to the source url of the vulnerability information. + - name: extension + type: keyword + description: A extension to the source url of the vulnerability information. + - name: original + type: keyword + description: A original to the source url of the vulnerability information. + - name: path + type: keyword + description: A path to the source url of the vulnerability information. + - name: query + type: keyword + description: A query to the source url of the vulnerability information. + - name: scheme + type: keyword + description: A scheme to the source url of the vulnerability information. + - name: value + type: keyword + description: The source of the vulnerability information. + - name: vendor + type: group + fields: + - name: created_at + type: date + description: The date and time that this vulnerability was first added to the vendor's database. + - name: severity + type: keyword + description: The severity the vendor has given to this vulnerability type. 
+ - name: updated_at + type: date + description: The date and time the vendor last updated this vulnerability in their database. + - name: vulnerability_id + type: keyword + description: The ID given to this vulnerability. + - name: vulnerable_packages + type: group + fields: + - name: arch + type: keyword + description: The architecture of the vulnerable package. + - name: epoch + type: long + description: The epoch of the vulnerable package. + - name: file_path + type: keyword + description: The file path of the vulnerable package. + - name: fixed_in_version + type: keyword + description: The version of the package that contains the vulnerability fix. + - name: name + type: keyword + description: The name of the vulnerable package. + - name: package_manager + type: keyword + description: The package manager of the vulnerable package. + - name: release + type: keyword + description: The release of the vulnerable package. + - name: remediation + type: keyword + description: The code to run in your environment to update packages with a fix available. + - name: source_lambda_layer_arn + type: keyword + description: The Amazon Resource Number (ARN) of the AWS Lambda function affected by a finding. + - name: source_layer_hash + type: keyword + description: The source layer hash of the vulnerable package. + - name: version + type: keyword + description: The version of the vulnerable package. + - name: remediation + type: group + fields: + - name: recommendation + type: group + fields: + - name: text + type: keyword + description: The recommended course of action to remediate the finding. + - name: url + type: group + fields: + - name: domain + type: keyword + description: The domain to the CVE remediation url recommendations. + - name: extension + type: keyword + description: The extension to the CVE remediation url recommendations. + - name: original + type: keyword + description: The original to the CVE remediation url recommendations. 
+ - name: path + type: keyword + description: The path to the CVE remediation url recommendations. + - name: query + type: keyword + description: The query to the CVE remediation url recommendations. + - name: scheme + type: keyword + description: The scheme to the CVE remediation url recommendations. + - name: resources + type: group + fields: + - name: details + type: group + fields: + - name: aws + type: group + fields: + - name: ec2_instance + type: group + fields: + - name: iam_instance_profile_arn + type: keyword + description: The IAM instance profile ARN of the Amazon EC2 instance. + - name: image_id + type: keyword + description: The image ID of the Amazon EC2 instance. + - name: ipv4_addresses + type: ip + description: The IPv4 addresses of the Amazon EC2 instance. + - name: ipv6_addresses + type: ip + description: The IPv6 addresses of the Amazon EC2 instance. + - name: key_name + type: keyword + description: The name of the key pair used to launch the Amazon EC2 instance. + - name: launched_at + type: date + description: The date and time the Amazon EC2 instance was launched at. + - name: platform + type: keyword + description: The platform of the Amazon EC2 instance. + - name: subnet_id + type: keyword + description: The subnet ID of the Amazon EC2 instance. + - name: type + type: keyword + description: The type of the Amazon EC2 instance. + - name: vpc_id + type: keyword + description: The VPC ID of the Amazon EC2 instance. + - name: ecr_container_image + type: group + fields: + - name: architecture + type: keyword + description: The architecture of the Amazon ECR container image. + - name: author + type: keyword + description: The image author of the Amazon ECR container image. + - name: image + type: group + fields: + - name: hash + type: keyword + description: The image hash of the Amazon ECR container image. + - name: tags + type: keyword + description: The image tags attached to the Amazon ECR container image. 
+ - name: in_use_count + type: long + description: The number of Amazon ECS tasks or Amazon EKS pods where the Amazon ECR container image is in use. + - name: last_in_use_at + type: date + description: The last time an Amazon ECR image was used in an Amazon ECS task or Amazon EKS pod. + - name: platform + type: keyword + description: The platform of the Amazon ECR container image. + - name: pushed_at + type: date + description: The date and time the Amazon ECR container image was pushed. + - name: registry + type: keyword + description: The registry the Amazon ECR container image belongs to. + - name: repository_name + type: keyword + description: The name of the repository the Amazon ECR container image resides in. + - name: lambda_function + type: group + fields: + - name: architectures + type: keyword + description: The instruction set architecture that the AWS Lambda function supports. Architecture is a string array with one of the valid values. The default architecture value is x86_64. + - name: code_sha256 + type: keyword + description: The SHA256 hash of the AWS Lambda function's deployment package. + - name: execution_role_arn + type: keyword + description: The AWS Lambda function's execution role. + - name: function_name + type: keyword + description: The name of the AWS Lambda function. + - name: last_modified_at + type: date + description: The date and time that a user last updated the configuration, in ISO 8601 format. + - name: layers + type: keyword + description: The AWS Lambda function's layers. A Lambda function can have up to five layers. + - name: package_type + type: keyword + description: The type of deployment package. Set to Image for container image and set Zip for .zip file archive. + - name: runtime + type: keyword + description: The runtime environment for the AWS Lambda function. + - name: version + type: keyword + description: The version of the AWS Lambda function. 
+ - name: vpc_config + type: group + fields: + - name: security_group_ids + type: keyword + description: The VPC security groups and subnets that are attached to an AWS Lambda function. For more information, see VPC Settings. + - name: subnet_ids + type: keyword + description: A list of VPC subnet IDs. + - name: vpc_id + type: keyword + description: The ID of the VPC. + - name: code_repository + type: group + fields: + - name: integration_arn + type: keyword + description: The Amazon Resource Name (ARN) of the code security integration associated with the repository. + - name: project_name + type: keyword + description: The name of the project in the code repository. + - name: provider_type + type: keyword + description: The type of repository provider (such as GitHub, GitLab, etc.). + - name: id + type: keyword + description: The ID of the resource. + - name: partition + type: keyword + description: The partition of the resource. + - name: region + type: keyword + description: The AWS Region the impacted resource is located in. + - name: tags + type: flattened + description: The tags attached to the resource. + - name: type + type: keyword + description: The type of resource. + - name: severity + type: keyword + description: The severity of the finding. + - name: status + type: keyword + description: The status of the finding. + - name: title + type: keyword + description: The title of the finding. + - name: transform_unique_id + type: keyword + - name: type + type: keyword + description: The type of the finding. + - name: updated_at + type: date + description: The date and time the finding was last updated at. diff --git a/packages/aws/elasticsearch/transform/latest_cdr_vulnerabilities_awsinspector/fields/package.yml b/packages/aws/elasticsearch/transform/latest_cdr_vulnerabilities_awsinspector/fields/package.yml new file mode 100644 index 00000000000..592d9cde4a0 --- /dev/null 
+++ b/packages/aws/elasticsearch/transform/latest_cdr_vulnerabilities_awsinspector/fields/package.yml @@ -0,0 +1,6 @@ +- name: package + type: group + fields: + - name: fixed_version + type: keyword + description: In which version of the package the vulnerability was fixed. diff --git a/packages/aws/elasticsearch/transform/latest_cdr_vulnerabilities_awsinspector/fields/resource.yml b/packages/aws/elasticsearch/transform/latest_cdr_vulnerabilities_awsinspector/fields/resource.yml new file mode 100644 index 00000000000..d070ae78d30 --- /dev/null +++ b/packages/aws/elasticsearch/transform/latest_cdr_vulnerabilities_awsinspector/fields/resource.yml @@ -0,0 +1,12 @@ +- name: resource + type: group + fields: + - name: id + type: keyword + description: The ID of the vulnerable resource. + - name: name + type: keyword + description: The name of the vulnerable resource. + - name: type + type: keyword + description: The type of the vulnerable resource. diff --git a/packages/aws/elasticsearch/transform/latest_cdr_vulnerabilities_awsinspector/fields/vulnerability.yml b/packages/aws/elasticsearch/transform/latest_cdr_vulnerabilities_awsinspector/fields/vulnerability.yml new file mode 100644 index 00000000000..8003fe22da6 --- /dev/null +++ b/packages/aws/elasticsearch/transform/latest_cdr_vulnerabilities_awsinspector/fields/vulnerability.yml @@ -0,0 +1,12 @@ +- name: vulnerability + type: group + fields: + - name: cve + type: keyword + description: The CVE id of the vulnerability. + - name: published_date + type: date + description: When the vulnerability was published. + - name: title + type: keyword + description: The human readeable title of the vulnerability. diff --git a/packages/aws/elasticsearch/transform/latest_cdr_vulnerabilities_awsinspector/transform.yml b/packages/aws/elasticsearch/transform/latest_cdr_vulnerabilities_awsinspector/transform.yml new file mode 100644 index 00000000000..9ca76bca68a --- /dev/null 
+++ b/packages/aws/elasticsearch/transform/latest_cdr_vulnerabilities_awsinspector/transform.yml @@ -0,0 +1,36 @@ +source: + index: + - "logs-aws.inspector-*" + query: + bool: + must: + - match: + aws.inspector.status: ACTIVE + - match: + aws.inspector.type: PACKAGE_VULNERABILITY +dest: + index: "security_solution-awsinspector.vulnerability_latest-v1" + aliases: + - alias: "security_solution-awsinspector.vulnerability_latest" + move_on_creation: true +latest: + unique_key: + - aws.inspector.transform_unique_id + sort: "@timestamp" +description: Latest Vulnerabilities Findings from Amazon Inspector. +settings: + unattended: true +frequency: 5m +sync: + time: + field: event.ingested + delay: 60s +retention_policy: + time: + field: "@timestamp" + max_age: 90d +_meta: + managed: true + # Bump this version to delete, reinstall, and restart the transform during package. + # Version bump is needed if there is any code change in transform. + fleet_transform_version: 0.1.0 diff --git a/packages/aws/manifest.yml b/packages/aws/manifest.yml index 78546e9e8ae..786deca3566 100644 --- a/packages/aws/manifest.yml +++ b/packages/aws/manifest.yml @@ -1,7 +1,7 @@ format_version: 3.3.2 name: aws title: AWS -version: 3.17.0 +version: 4.0.0 description: Collect logs and metrics from Amazon Web Services (AWS) with Elastic Agent. type: integration categories: @@ -15,7 +15,7 @@ conditions: elastic: subscription: basic kibana: - version: "~8.16.6 || ~8.17.4 || ^8.18.0 || ^9.0.0" + version: "^8.19.0 || ^9.1.0" screenshots: - src: /img/metricbeat-aws-overview.png title: metricbeat aws overview
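Review bot: In latest_cdr_misconfigurations_awsconfig/transform.yml, `retention_policy.time.max_age: 24h` on `@timestamp` is tight for a dataset that is re-collected in full on every interval: any finding whose most recent copy carries a `@timestamp` older than a day is deleted from the destination, so if the collection interval approaches 24h, or if `@timestamp` carries AWS Config's `result_recorded_time` rather than the collection time, unchanged resources will drop off the Findings page between polls. Either document the maximum supported collection interval next to this setting or raise `max_age` in line with the 90d used by the Inspector transform. Also confirm that `rule.uuid`, the first `unique_key` entry, gets a keyword mapping in this directory (rule.yml only defines `rule.tags`), since the destination index should carry the field it is deduplicated on.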
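Review bot: In latest_cdr_vulnerabilities_awsinspector/transform.yml, the source query `aws.inspector.status: ACTIVE` combined with `max_age: 90d` keeps closed findings visible for up to three months: once a finding transitions to CLOSED or SUPPRESSED, the newer document no longer matches the query, so the destination retains the last ACTIVE copy until the retention policy ages it out by `@timestamp`. Consider indexing all statuses and filtering on `aws.inspector.status` in the Findings query, or at least documenting the lag. Two smaller points in the same hunk: `match` on keyword fields should be `term` to avoid analyzer surprises, and the `type: PACKAGE_VULNERABILITY` filter silently excludes the CODE_VULNERABILITY and NETWORK_REACHABILITY findings that fields.yml maps (`code_vulnerability_details`, `network_reachability_details`), which the docs should state. The trailing comment "restart the transform during package." is cut off; use the full wording from the Config transform.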
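Review bot: In latest_cdr_vulnerabilities_awsinspector/fields/fields.yml, `aws.inspector.transform_unique_id` is the transform's only `unique_key` yet is the one field with no description; document how it is derived, because documents that lack it are not grouped and never reach the destination index. In the same hunk, `package_nested` (type `nested`) duplicates the `vulnerable_packages` group field by field; if the nested copy is only needed for query-time correlation, say so, otherwise drop one. Description typos: "The reason the CVSS score has been adjustment" should read "has been adjusted", and the `source.url` entries ("A extension to the source url", "A original to the source url") should read "The extension of the source URL" / "The original source URL".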
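Review bot: In latest_cdr_vulnerabilities_awsinspector/fields/vulnerability.yml, the `title` description has a typo: "The human readeable title" should be "The human readable title".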
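Review bot: In latest_cdr_vulnerabilities_awsinspector/fields/agent.yml, the `cloud` footnote ("If Metricbeat is running on an EC2 host…") is Beats boilerplate that does not describe an Inspector findings index; trim it to the one-line description, and consider a file name that reflects the `cloud`, `host` and `log` fields it actually defines.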
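Review bot: In packages/aws/manifest.yml, tightening `kibana.version` from `~8.16.6 || ~8.17.4 || ^8.18.0 || ^9.0.0` to `^8.19.0 || ^9.1.0` drops 8.16, 8.17, 8.18 and 9.0 users and is a breaking change in its own right; the 4.0.0 notes should state the new minimum stack version alongside the transform requirements and say which 8.19/9.1 capability the new transforms depend on, so that users on the dropped versions know the upgrade is blocked rather than merely discouraged.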