Conversation

@CohenIdo (Contributor) commented Sep 4, 2024

solves:

Summary

Add a host.name field for VM vulnerable assets and a container.name field for "Containers" assets in the Wiz vulnerability data stream, using the ingest pipeline.

@CohenIdo CohenIdo added enhancement New feature or request Team:Cloud Security Cloud Security team [elastic/cloud-security-posture] Integration:wiz Wiz labels Sep 4, 2024
@CohenIdo CohenIdo marked this pull request as ready for review September 5, 2024 09:57
@CohenIdo CohenIdo requested a review from a team as a code owner September 5, 2024 09:57
@andrewkroh andrewkroh added the Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] label Sep 5, 2024
@elasticmachine: Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

Comment on lines 610 to 613
field: container.name
tag: set_continaer_name
copy_from: wiz.vulnerability.vulnerable_asset.name
if: ctx?.wiz.vulnerability?.vulnerable_asset?.type == 'CONTAINER_IMAGE'
Contributor

I suspect we need to use container.image.name as the vulnerability seems to be found in a container image.

Suggested change, from:
field: container.name
tag: set_continaer_name
copy_from: wiz.vulnerability.vulnerable_asset.name
if: ctx?.wiz.vulnerability?.vulnerable_asset?.type == 'CONTAINER_IMAGE'
to:
field: container.image.name
tag: set_continaer_name
copy_from: wiz.vulnerability.vulnerable_asset.name
if: ctx?.wiz.vulnerability?.vulnerable_asset?.type == 'CONTAINER_IMAGE'

To be sure, do you have an example for a value coming from the integration @CohenIdo?

Contributor Author

I suspect we need to use container.image.name as the vulnerability seems to be found in a container image.

You're right. Fixed.

To be sure, do you have an example for a value coming from the integration?

Here:

[screenshot attached]
@efd6 (Contributor) left a comment

Please run elastic-package build.

value: 'Wiz'
- set:
field: container.image.name
tag: set_continaer_name
Contributor

Suggested change, from:
tag: set_continaer_name
to:
tag: set_container_name
@efd6 (Contributor) commented Sep 8, 2024

Please rerun elastic-package build. This needs to happen after any change to the fields definitions or any system test --generate run.


field: container.image.name
tag: set_continaer_name
copy_from: wiz.vulnerability.vulnerable_asset.name
if: ctx?.wiz.vulnerability?.vulnerable_asset?.type == 'CONTAINER_IMAGE'
Contributor

Suggested change, from:
if: ctx?.wiz.vulnerability?.vulnerable_asset?.type == 'CONTAINER_IMAGE'
to:
if: ctx.wiz.vulnerability?.vulnerable_asset?.type == 'CONTAINER_IMAGE'

ctx is always non-null.

Contributor

I missed that wiz is not guarded. It will likely never be null, but it should be guarded anyway.

field: wiz.vulnerability.vulnerable_asset.name
target_field: host.name
tag: set_host_name_lowercase_if_vm
if: ctx?.wiz.vulnerability?.vulnerable_asset?.type == 'VIRTUAL_MACHINE'
Contributor

Suggested change, from:
if: ctx?.wiz.vulnerability?.vulnerable_asset?.type == 'VIRTUAL_MACHINE'
to:
if: ctx.wiz.vulnerability?.vulnerable_asset?.type == 'VIRTUAL_MACHINE'
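Putting the review points above together (drop the redundant `ctx?.`, since ctx is never null in a Painless condition, but keep the null-safe chain starting at `wiz`, since that object is not otherwise guarded), the two processors would look like this. This is an added illustration, not the code merged in this PR: the processor type for the VM case (a lowercase processor, inferred from the tag name), the tag names, and the ignore_empty_value / ignore_missing options are assumptions about the intended final form.

```yaml
# Added example, not the PR's own pipeline fragment.
# ctx is always non-null, so the null-safe chain starts at ctx.wiz?.
# On a document that has no wiz object the whole chain evaluates to null,
# null == 'CONTAINER_IMAGE' is false, and the processor is simply skipped
# instead of throwing a NullPointerException from the condition.
processors:
  - set:
      field: container.image.name
      tag: set_container_image_name_if_container_image   # assumed tag name
      copy_from: wiz.vulnerability.vulnerable_asset.name
      if: ctx.wiz?.vulnerability?.vulnerable_asset?.type == 'CONTAINER_IMAGE'
      # assumed option: skip quietly if the source field is absent for a matching type
      ignore_empty_value: true
  - lowercase:
      # assumed processor type (the tag in the PR context reads set_host_name_lowercase_if_vm)
      field: wiz.vulnerability.vulnerable_asset.name
      target_field: host.name
      tag: set_host_name_lowercase_if_vm
      if: ctx.wiz?.vulnerability?.vulnerable_asset?.type == 'VIRTUAL_MACHINE'
      # assumed option: do nothing if the source field is missing
      ignore_missing: true
```

A quick check of the guard is to POST the pipeline to `_ingest/pipeline/_simulate` with three docs: one with type VIRTUAL_MACHINE, one with type CONTAINER_IMAGE, and one with no `wiz` object at all. The first two should come back with host.name and container.image.name respectively; the third should come back unchanged with no error in the response.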
@kcreddy (Contributor) left a comment

LGTM. Can be merged after @efd6 comments are addressed.

@elasticmachine: 💚 Build Succeeded

@elastic-sonarqube: Quality Gate failed

Failed conditions
76.2% Coverage on New Code (required ≥ 80%)

@CohenIdo CohenIdo merged commit 25d3188 into elastic:main Sep 9, 2024
changes:
- description: Add host.name for the vulnerability data stream.
type: enhancement
link: https://github.com/elastic/integrations/pull/10936
Member

This is the wrong PR number.

@kfirpeled kfirpeled changed the title Add host name to Wiz vulnerability data stream [Cloud Security] Add host name to Wiz vulnerability data stream Sep 11, 2024

7 participants