New Integration - Qualys Web application Scanning Integration (qualys_was) #14139
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)
Do the test expectations need to be updated or is there a breakage?
packages/qualys_was/data_stream/vulnerability/_dev/test/pipeline/test-common-config.yml (outdated, resolved)
packages/qualys_was/data_stream/vulnerability/_dev/test/pipeline/test-non-verbose-findings.log (outdated, resolved)
packages/qualys_was/data_stream/vulnerability/agent/stream/cel.yml.hbs (outdated, resolved)
packages/qualys_was/kibana/dashboard/qualys_was-e98bb088-8853-4e6a-8887-c3f301100fe6.json (resolved)
packages/qualys_was/data_stream/vulnerability/fields/kb_fields.yml (outdated, resolved)
...lys_was/data_stream/vulnerability/_dev/test/pipeline/test-verbose-findings.log-expected.json (resolved)
packages/qualys_was/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml (outdated, resolved)
| if: ctx.Finding != null && ctx.Finding.knowledge_base != null && ctx.Finding.knowledge_base.size() > 0 | ||
| tag: pipeline_knowledge_base | ||
| ignore_missing_pipeline: true | ||
| on_failure: |
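Review bot: `ignore_missing_pipeline: true` on the `pipeline_knowledge_base` processor means that if the knowledge-base pipeline is absent the finding is indexed silently without enrichment; in this repository that flag is typically used only for the user-supplied `@custom` pipeline, so for a pipeline shipped inside the package itself consider dropping it so a packaging error fails loudly instead of degrading the data. The `if` can also be shortened with the null-safe operator, `ctx.Finding?.knowledge_base != null && ctx.Finding.knowledge_base.size() > 0`.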
| on_failure: | |
| - set: | |
| field: event.kind | |
| value: pipeline_error | |
| tag: set_pipeline_error_into_event_kind | |
| if: ctx.error?.message != null | |
| - append: | |
| field: tags | |
| value: preserve_original_event | |
| allow_duplicates: false | |
| if: ctx.error?.message != null | |
| on_failure: |
There are processors above that can error without failing, so we need to condition the document for retaining the event.original in those cases.
I'm not sure why I resolved this. There are still cases where this has merit. Maybe remove the set event.kind, but the preserve_original_event into tags is needed.
I read the comment wrong. I originally put the change after on_failure.
The way I've written the ingest, I don't want it to fail if error.message has been written into by on_failure nodes in the processor. I added in the append for the tag.
Force-pushed 6454049 to fbe8418
Force-pushed 2a8085d to efecdff
| (has(state.vulnerability_filter) ? state | ||
| : | ||
| state.with( |
The conventional form for multiline ternaries is

    condition_expression ?
      true_branch_expression
    :
      false_branch_expression

In cases where there is a zero evaluation (e.g. {} here) this has been historically

    condition_expression ? {} : false_branch_expression

but this is not recognised by celfmt, so these will go away when that is more widely rolled out, and I am not convinced that state is a zero.
Note that the branches are indented relative to the ternary syntax and the : is aligned with the condition expression. Exact indentation is not yet formalised, but will most likely resolve to two spaces to match the YAML convention used here.
packages/qualys_was/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml (outdated, resolved)
packages/qualys_was/data_stream/vulnerability/_dev/test/pipeline/test-common-config.yml (outdated, resolved)
I'll take another look at the program after the indentation is fixed up.
Force-pushed efecdff to e17b290
efd6 left a comment
Minor changes only.
packages/qualys_was/data_stream/vulnerability/agent/stream/cel.yml.hbs (outdated, resolved)
| "Body": state.Body.encode_json(), | ||
| } | ||
| ).do_request().as(resp, (resp.StatusCode == 200) ? | ||
| try(bytes(resp.Body).decode_json(), "decode_error").as(body, |
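Review bot: when the body is not valid JSON, `try(..., "decode_error")` evaluates to a map holding only a `decode_error` key rather than the decoded response, so the `.as(body, ...)` continuation that follows (not shown in this hunk) should branch on `has(body.decode_error)` before reading scan fields from `body`; otherwise a decode failure surfaces later as a missing-field error that hides the real cause. The `bytes(...)` wrapper is also unnecessary here, since `resp.Body` is already bytes and `resp.Body.decode_json()` reads the same.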
| try(bytes(resp.Body).decode_json(), "decode_error").as(body, | |
| try(resp.Body.decode_json(), "decode_error").as(body, |
Force-pushed e17b290 to 4276255
| (size(resp.Body) != 0) ? | ||
| string(resp.Body) | ||
| : | ||
| " no body " |
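Review bot: the non-200 branch reports the raw response body (or "no body") but not the status code; including `string(resp.StatusCode)` in the same message makes it much easier to tell an authentication failure from a throttled or server-side error when the body alone is empty or uninformative.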
| " no body " | |
| "no body" |
initial draft for qualys_was. An agentless integration for ingesting web application scanning data
Added system tests. Added another pipeline test
Updated changelog.yml with correct PR number
added package to CODEOWNERS file
Rolled back accidental change to qualys_vmdr integration README
Added back line in default.yml that had been accidentally deleted
Added images of dashboards. Cleanup work to make files adhere to style standards
Cleaned up README
Inverted the branches in 2 places
Restructured cel.yml.hbs file to be easier to read and understand
Suggested changes from review for documentation.
Added comments to CEL script
Changed result_list to type text and do not index it
Removed out of date integrations page screenshot.
Adds original event tag if there is an error
Restored file that should not have been changed
Reformatted the cel script. Fixed an error in the readme. Fixed the regex for the system test config
Minor changes.
Added some more documentation about scan history purging
Included information about scan history being returned in the 3.20 API and before
Updated generated README
Force-pushed 6f5c26c to 52114e7
efd6 left a comment
Thanks
Package qualys_was - 0.1.0 containing this change is available at https://epr.elastic.co/package/qualys_was/0.1.0/
…_was) (elastic#14139)
New Integration for Qualys Web Application Scanning
This application makes API calls to a Qualys Web Application scanning service for vulnerability detections then augments the detections with data from API calls to the Qualys Knowledge base for information about the vulnerability detected.

Proposed commit message
New Integration for Qualys Web Application Scanning