[wiz] Add defend data stream #13688
[wiz] Add defend data stream #13688
Conversation
andrewkroh
added
dashboard
|
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations) |
|
/test |
🚀 Benchmarks reportTo see the full report comment with |
| - (Recommended) Obtain or generate authentication info for the third-party product, either a username/password or an authentication token. | ||
|
|
||
| 2. Add a webhook Integration in Wiz | ||
| - In Wiz, go to the Settings > Integrations page, then click Add Integration. |
There was a problem hiding this comment.
| - In Wiz, go to the Settings > Integrations page, then click Add Integration. | |
| - In Wiz, go to the Settings > Integrations page, then click Add Integration. |
| @@ -0,0 +1 @@ | |||
| {"trigger":{"source":"DETECTIONS","type":"Created","ruleId":"a08fe977-3f54-48bf-adcf-f76994739c1f","ruleName":"Detections Webhook Test Rule"},"id":"6a440e9b-c8d8-5482-a0e9-da714359aecf","threatId":"733edfe5-db25-5b14-ac58-dc69d6005c81","threatURL":"https:\/\/test.wiz.io\/issues#~(issue~'733edfe5-db25-5b14-ac58-dc69d6005c81)","title":"Timestomping technique was detected","description":"Process executed the touch binary with the relevant command line flag used to modify files date information such as creation time, and last modification time. This could indicate the presence of a threat actor achieving defense evasion using the Timestomping technique.","severity":"MEDIUM","createdAt":"2025-01-21T18:52:16.819883668Z","tdrId":"46fd0cdc-252e-5e69-be6e-66e4851d7ae4","tdrSource":"WIZ_SENSOR","mitreTactics":["TA0005"],"mitreTechniques":["T1070.006"],"cloudAccounts":[{"cloudPlatform":"AWS","externalId":"134653897021","id":"5d67ed02-738e-5217-b065-d93642dd2629"}],"cloudOrganizations":[],"timeframe":{"start":"2025-01-21T18:52:15.838Z","end":"2025-01-21T18:52:15.838Z"},"actors":[{"externalId":"test-actor","id":"4e1bd57f-49b2-47a8-a4a7-0e66fe0b770e","name":"test-actor","nativeType":"Microsoft Entra ID Application Service Principal","type":"SERVICE_ACCOUNT"},{"externalId":"test-actor","id":"4e1bd57f-49b2-47a8-a4a7-0e66fe89770e","name":"test-actor","nativeType":"Microsoft Entra ID Application Service Principal","type":"SERVICE_ACCOUNT"}],"resources":[{"cloudAccount":{"cloudPlatform":"AWS","externalId":"134653897021","id":"5d67ed02-738e-5217-b065-d93642dd2629"},"externalId":"test-container","id":"da259b23-de77-5adb-8336-8c4071696305","name":"test-container","nativeType":"ecs#containerinstance","region":"us-east-1","type":"CONTAINER"}],"primaryResource":{"cloudAccount":{"cloudPlatform":"AWS","externalId":"134653897021","id":"5d67ed02-738e-5217-b065-d93642dd2629"},"externalId":"test-container","id":"da259b23-de77-5adb-8336-8c4071696305","name":"test-container","nativeType":"ecs#containerinstance","region":"us-east-1","type":"CONTAINER"},"triggeringEventsCount":2,"triggeringEvents":[{"actor":{"id":"4e1bd57f-49b2-47a8-a4a7-0e66fe0b770e"},"actorIP":"81.2.69.192","actorIPMeta":{"autonomousSystemNumber":8075,"autonomousSystemOrganization":"MICROSOFT-CORP-MSN-AS-BLOCK","country":"United States","isForeign":true,"reputation":"Benign","reputationSource":"Recorded Future"},"category":"Detection","cloudPlatform":"AWS","cloudProviderUrl":"https:\/\/console.aws.amazon.com\/cloudtrail\/home?region=us-east-1#\/events\/Ptrace##test-container-SensorRuleEngine##sen-id-142-bd820642-34f2-4d3c-90b6-c384df0fd528","description":"The program \/usr\/bin\/bash executed the program \/usr\/bin\/touch on container test-container","eventTime":"2025-01-21T18:52:15.838Z","externalId":"Ptrace##test-container-SensorRuleEngine##sen-id-142-bd820642-34f2-4d3c-90b6-c384df0fd528","id":"2b46aa0d-9f46-5cb9-a6ae-e83ca514144a","name":"Timestomping technique was detected","origin":"WIZ_SENSOR","resources":[{"externalId":"test-container","id":"da259b23-de77-5adb-8336-8c4071696305","name":"test-container","nativeType":"ecs#containerinstance","region":"us-east-1","type":"CONTAINER"}],"runtimeDetails":{"processTree":[{"command":"touch -r \/usr\/bin \/tmp\/uga","container":{"externalId":"test-container","id":"da259b23-de77-5adb-8336-8c4071696305","imageExternalId":"sha256:dcad76015854d8bcab3041a631d9d25d777325bb78abfa8ab0882e1b85ad84bb","imageId":"d18500ef-c0f7-5028-8c4c-1cd56c3a6652","name":"test-container"},"executionTime":"2025-01-21T18:52:15.838Z","hash":"a0d0c6248d07a8fa8e3b6a94e218ff9c8c372ad6","id":"1560","path":"\/usr\/bin\/touch","size":109616,"userId":"0","username":"root"},{"command":"\/bin\/bash -x -c touch -r \/usr\/bin \/tmp\/uga","container":{"externalId":"test-container","id":"da259b23-de77-5adb-8336-8c4071696305","imageExternalId":"sha256:dcad76015854d8bcab3041a631d9d25d777325bb78abfa8ab0882e1b85ad84bb","imageId":"d18500ef-c0f7-5028-8c4c-1cd56c3a6652","name":"test-container"},"executionTime":"2025-01-21T18:52:15.838Z","hash":"91fbd9d8c65de48dc82a1064b8a4fc89f5651778","id":"1560","path":"\/usr\/bin\/bash","size":1265648,"userId":"0","username":"root"}]},"source":"WizSensorAlert##RuleEngine","status":"Success"},{"actor":{"id":"4e1bd57f-49b2-47a8-a4a7-0e66fe89770e"},"actorIP":"81.2.69.192","actorIPMeta":{"autonomousSystemNumber":8075,"autonomousSystemOrganization":"MICROSOFT-CORP-MSN-AS-BLOCK","country":"United States","isForeign":true,"reputation":"Benign","reputationSource":"Recorded Future"},"category":"Detection","cloudPlatform":"AWS","cloudProviderUrl":"https:\/\/console.aws.amazon.com\/cloudtrail\/home?region=us-east-1#\/events\/Ptrace##test-container-SensorRuleEngine##sen-id-142-bd820642-34f2-4d3c-90b6-c384df0fd528","description":"The program \/usr\/bin\/bash executed the program \/usr\/bin\/touch on container test-container","eventTime":"2025-01-21T18:52:15.838Z","externalId":"Ptrace##test-container-SensorRuleEngine##sen-id-142-bd820642-34f2-4d3c-90b6-c384df0fd528","id":"2b46aa0d-9f46-5cb9-a6ae-e83ca514144a","name":"Timestomping technique was detected","origin":"WIZ_SENSOR","resources":[{"externalId":"test-container","id":"da259b23-de77-5adb-8336-8c4071696305","name":"test-container","nativeType":"ecs#containerinstance","region":"us-east-1","type":"CONTAINER"}],"runtimeDetails":{"processTree":[{"command":"touch -r \/usr\/bin \/tmp\/uga","container":{"externalId":"test-container","id":"da259b23-de77-5adb-8336-8c4071696305","imageExternalId":"sha256:dcad76015854d8bcab3041a631d9d25d777325bb78abfa8ab0882e1b85ad84bb","imageId":"d18500ef-c0f7-5028-8c4c-1cd56c3a6652","name":"test-container"},"executionTime":"2025-01-21T18:52:15.838Z","hash":"a0d0c6248d07a8fa8e3b6a94e218ff9c8c372ad6","id":"1560","path":"\/usr\/bin\/touch","size":109616,"userId":"0","username":"root"},{"command":"\/bin\/bash -x -c touch -r \/usr\/bin \/tmp\/uga","container":{"externalId":"test-container","id":"da259b23-de77-5adb-8336-8c4071696305","imageExternalId":"sha256:dcad76015854d8bcab3041a631d9d25d777325bb78abfa8ab0882e1b85ad84bb","imageId":"d18500ef-c0f7-5028-8c4c-1cd56c3a6652","name":"test-container"},"executionTime":"2025-01-21T18:52:15.838Z","hash":"91fbd9d8c65de48dc82a1064b8a4fc89f5651778","id":"1560","path":"\/usr\/bin\/bash","size":1265648,"userId":"0","username":"root"}]},"source":"WizSensorAlert##RuleEngine","status":"Success"}]} | |||
There was a problem hiding this comment.
There are a bunch of \/ that suggest this text was copied via a windows machine. Can you check whether the original data includes the unnecessary escapes chars and remove them if not?
| @@ -1,6 +1,7 @@ | |||
| { | |||
| "expected": [ | |||
| { | |||
| "@timestamp": "2025-04-22T09:52:20.947712691Z", | |||
There was a problem hiding this comment.
I don't see a change in the ingest pipeline that explains why these are appearing now. Why are they here?
There was a problem hiding this comment.
Yes, you’re right — we haven’t made any code changes to these data streams. However, while testing everything, we ran the command elastic-package system -v -g, which caused the above change to appear.
Just for your information, @timestamp is mapped to _ingest.timestamp.
There was a problem hiding this comment.
Can you revert this then please?
| ?"primaryResource": obj.?primaryResource, | ||
| ?"triggeringEventsCount": obj.?triggeringEventsCount, | ||
| "triggeringEvent": { | ||
| "actor": obj.actors.filter(a, a.id == r.actor.id)[0], |
There was a problem hiding this comment.
Are we guaranteed to receive the actor that corresponds to r.actor.id? If not,
| "actor": obj.actors.filter(a, a.id == r.actor.id)[0], | |
| ?"actor": obj.actors.filter(a, a.id == r.actor.id)[?0], |
in order to avoid an eval error.
How many actors/triggeringEvents are we receiving on average? Asking because of the n×m time behaviour this gives.
There was a problem hiding this comment.
There is no documented limit on the number of actors we can receive; however, based on live logs, we are currently seeing a maximum of one actor.
There was a problem hiding this comment.
The issue is not the maximum, but rather the minimum; if the result of obj.actors.filter(a, a.id == r.actor.id) is [], then the previous code would fail.
There was a problem hiding this comment.
If there is a possibility of there being more than one, can we leave this as the array in its entirety?
| ?"id": r.?id, | ||
| ?"name": r.?name, | ||
| ?"origin": r.?origin, | ||
| "resources": obj.resources.filter(re, (r.resources.map(r, r.id)).exists(id, id == re.id)), |
There was a problem hiding this comment.
Do you mean obj.resources.filter(re, r.resources.exists(r, r.id == re.id))? The map here allocates an array that's immediately dropped after the exists call. Even as I have it, I'm concerned about the time complexity of this. What is the intended behaviour?
There was a problem hiding this comment.
We have a resources array of objects both outside and inside the triggeringEvent. Since the resources inside the triggeringEvent lack some fields present in the outside resources, we are mapping based on the id field from the inside array and enriching them using the corresponding objects from the outside array.
There was a problem hiding this comment.
OK, in that case, please use the code I pasted above (untested, so please check that it does what you want).
| @@ -37,7 +37,7 @@ | |||
| "id": "", | |||
| "params": { | |||
| "fontSize": 12, | |||
| "markdown": "Navigation\n\n[Wiz Cloud Configuration Finding (This page)](#/dashboard/wiz-726802c0-4007-48b9-bae5-09daa69d4368)\n\n[Wiz Vulnerability](#/dashboard/wiz-927c36f0-6358-11ee-a265-c3569aa0cebf)\n\n[Wiz Issue](#/dashboard/wiz-d8f91a20-6363-11ee-a265-c3569aa0cebf)\n\n[Wiz Audit](#/dashboard/wiz-be3fd3f0-6358-11ee-9db4-21f79f2e6273)\n\n[Integration Page](/app/integrations/detail/wiz/overview)\n\nOverview\n\nThis dashboard shows the Cloud Configuration Findings overview related to the Wiz Integration.\n\nThis dashboard provides general statistics and shows the detection of ingested cloud configuration findings.\n\nIt provides information about findings and assets. It also displays the distribution of findings according to evaluation results and contains details regarding the count of findings over time.", | |||
| "markdown": "Navigation\n\nWiz Cloud Configuration Finding\n\n[Wiz Vulnerability](#/dashboard/wiz-927c36f0-6358-11ee-a265-c3569aa0cebf)\n\n[Wiz Issue](#/dashboard/wiz-d8f91a20-6363-11ee-a265-c3569aa0cebf)\n\n[Wiz Defend](#/dashboard/wiz-3c3519be-f4f9-4c67-a9d8-1db4182b6e6a)\n\n[Wiz Audit](#/dashboard/wiz-be3fd3f0-6358-11ee-9db4-21f79f2e6273)\n\n[Integration Page](/app/integrations/detail/wiz/overview)\n\nOverview\n\nThis dashboard shows the Cloud Configuration Findings overview related to the Wiz Integration.\n\nThis dashboard provides general statistics and shows the detection of ingested cloud configuration findings.\n\nIt provides information about findings and assets. It also displays the distribution of findings according to evaluation results and contains details regarding the count of findings over time.", | |||
There was a problem hiding this comment.
Why does the order of the navigation list change for each of these pages?
There was a problem hiding this comment.
We have not changed any order here. As suggested in the earlier PRs, we have added all the missing dashboard links. Additionally, for the dashboard we are currently on, we have removed the "(This Page)" text and the link to it, as previously recommended.
There was a problem hiding this comment.
Yeah, sorry, I should have been clearer. The order is the same as it was, but the previously existing order differs depending on which dashboard the user is on. I was wondering why that is the case. You may not know.
|
/test |
💚 Build Succeeded
History
|
|
Proposed commit message
This release includes a defend data stream for supporting detection events forwarding via HTTP Endpoint and associated dashboards and visualizations.
Wiz fields are mapped to their corresponding ECS fields where possible.
Test samples were derived from documentation and subsequently sanitized.
Checklist
changelog.ymlfile.How to test this PR locally
Related issues
Screenshots