diff --git a/packages/wiz/_dev/build/build.yml b/packages/wiz/_dev/build/build.yml index 2bfcfc223b0..d8553567e9c 100644 --- a/packages/wiz/_dev/build/build.yml +++ b/packages/wiz/_dev/build/build.yml @@ -1,3 +1,3 @@ dependencies: ecs: - reference: "git@v8.11.0" + reference: "git@v8.17.0" diff --git a/packages/wiz/_dev/build/docs/README.md b/packages/wiz/_dev/build/docs/README.md index 7a61bb9bea4..8ff74b380cf 100644 --- a/packages/wiz/_dev/build/docs/README.md +++ b/packages/wiz/_dev/build/docs/README.md 
@@ -1,10 +1,22 @@ # Wiz -Wiz continuously prioritizes critical risks based on a deep cloud analysis across misconfigurations, network exposure, secrets, vulnerabilities, malware, and identities to build a single prioritized view of risk for your cloud. This [Wiz](https://www.wiz.io/) integration enables you to consume and analyze Wiz data within Elastic Security including issues, audit events, [misconfigurations](https://ela.st/cspm) and [vulnerabilities](https://ela.st/cnvm), providing you with visibility and context for your cloud environments within Elastic Security. +[Wiz](https://www.wiz.io/) continuously prioritizes critical risks based on a deep cloud analysis across misconfigurations, network exposure, secrets, vulnerabilities, malware, and identities to build a single prioritized view of risk for your cloud. + +This Wiz integration enables you to consume and analyze Wiz data within Elastic Security including issues, audit events, [misconfigurations](https://ela.st/cspm) [vulnerabilities](https://ela.st/cnvm) and defend which provides real-time threat detection based on runtime signals and cloud activity—giving you visibility and context for your cloud environments within Elastic Security. ## Data streams -The Wiz integration collects four types of data: Audit, Cloud Configuration Finding, Issue and Vulnerability. +The Wiz integration collects five types of data: + +- **Audit** - The Audit log records key events within the Wiz platform, including logins and any mutation API calls executed in the Wiz portal (such as write, edit, delete, and save actions). + +- **Cloud Configuration Finding** - A Cloud Configuration Finding is a result generated when a cloud resource does not pass a specific Cloud Configuration Rule. + +- **Defend** - Detects and alerts on real-time cloud threats using runtime signals, logs, and Wiz’s security graph via webhook integrations. + +- **Issue** - Issues represent active risks or threats identified in your cloud environment. 
+ +- **Vulnerability** - Vulnerabilities are weaknesses in computer systems that can be exploited by malicious attackers. ## Requirements @@ -43,26 +55,14 @@ Agentless deployments are only supported in Elastic Serverless and Elastic Cloud ## Setup -### To collect data from Wiz, the following parameters from your Wiz instance are required: +### To collect logs (Audit, Issue, Vulnerability, Cloud Configuration Findings) via GraphQL API: -1. Client ID -2. Client Secret -3. Token url -4. API Endpoint url -5. Required scopes for each data stream : +### Get the Wiz API URL: - | Data Stream | Scope | - | ------------- | ------------- | - | Audit | admin:audit | - | Issue | read:issues | - | Vulnerability | read:vulnerabilities | - | Cloud Configuration Finding | read:cloud_configuration | - | Cloud Configuration Finding Full Posture | read:cloud_configuration | - -### To obtain the Wiz URL -1. Navigate to your user profile and copy the API Endpoint URL. +1. Go to your user profile. +2. Copy the **API Endpoint URL**. -### Steps to obtain Client ID and Client Secret: +### Steps to get the Client ID and Client Secret: 1. In the Wiz dashboard Navigate to Settings > Service Accounts. 2. Click Add Service Account. 
@@ -72,17 +72,51 @@ Agentless deployments are only supported in Elastic Serverless and Elastic Cloud 6. Copy the Client Secret. Note that you won't be able to copy it after this stage. 7. Copy the Client ID, which is displayed under the Service Accounts page. +### Required scopes: + + | Data Stream | Scope | + | ------------- | ------------- | + | Audit | admin:audit | + | Issue | read:issues | + | Vulnerability | read:vulnerabilities | + | Cloud Configuration Finding | read:cloud_configuration | + | Cloud Configuration Finding Full Posture | read:cloud_configuration | + +### To collect logs (Defend) via HTTP Endpoint: + +1. Obtain the webhook URL +- Generate a webhook URL for the third-party product. +- (Recommended) Obtain or generate authentication info for the third-party product, either a username/password or an authentication token. + +2. Add a webhook Integration in Wiz +- In Wiz, go to the Settings > Integrations page, then click Add Integration. +- Under SIEM & Automation Tools, click Webhook. +- On the New Integration page: + - Enter a meaningful Name. + - Set the Project Scope. + - Paste the URL you generated earlier. + - (Optional) Click Add Header, then enter the name and value of a custom header to add to every webhook. + - Choose the type of Authentication to use: + - None—Not recommended at all, but hey, it's your data. + - Basic—Provide the Username and Password associated with your HTTP endpoint. + - Token—Enter an authentication token generated by the application that will be called from the webhook. + - For a more secure connection, enter a Client Certificate Authority and/or a Client Certificate to use in addition to whatever Authentication method was selected in the previous step. +- Click Add Integration. +- For more details, go to this [link](https://docs.wiz.io/docs/webhook-integration). + ### Enabling the integration in Elastic: 1. In Kibana go to Management > Integrations 2. In "Search for integrations" search bar, type Wiz 3. 
Click on the "Wiz" integration from the search results. 4. Click on the "Add Wiz" button to add the integration. -5. Add all the required integration configuration parameters, such as Client ID, Client Secret, URL, and Token URL. For all data streams, these parameters must be provided in order to retrieve logs. -6. Save the integration. +5. Enable the input type corresponding to the log source you wish to collect from. +6. Configure all the required integration parameters, including the listen address, listen port, and authentication method along with its corresponding required fields for the HTTP Endpoint input type. For the CEL input type, ensure you provide the Client ID, Client Secret, URL, and Token URL to successfully retrieve logs. +7. Save the integration. **Note:** - - Vulnerability data_stream pulls vulnerabilities from the previous day. + - Vulnerability data is fetched for the previous day. + - Custom headers are not supported in this integration. Only the standard Authorization header (e.g., Bearer token) is used for API requests. ## Logs Reference @@ -116,6 +150,16 @@ This is the `Cloud Configuration Finding Full Posture` dataset. {{fields "cloud_configuration_finding_full_posture"}} +### Defend + +This is the `Defend` dataset. + +#### Example + +{{event "defend"}} + +{{fields "defend"}} + ### Issue This is the `Issue` dataset. diff --git a/packages/wiz/_dev/deploy/docker/docker-compose.yml b/packages/wiz/_dev/deploy/docker/docker-compose.yml index b66816f821f..efed1dd61e6 100644 --- a/packages/wiz/_dev/deploy/docker/docker-compose.yml +++ b/packages/wiz/_dev/deploy/docker/docker-compose.yml 
@@ -65,3 +65,30 @@ services: - http-server - --addr=:8090 - --config=/files/config-vulnerability.yml + wiz-defend-no-auth: + image: docker.elastic.co/observability/stream:v0.17.1 + volumes: + - ./sample_logs:/sample_logs:ro + environment: + - STREAM_PROTOCOL=webhook + - STREAM_ADDR=http://elastic-agent:9588/ + command: log --start-signal=SIGHUP --delay=5s /sample_logs/defend.log + wiz-defend-basic: + image: docker.elastic.co/observability/stream:v0.17.1 + volumes: + - ./sample_logs:/sample_logs:ro + environment: + - STREAM_PROTOCOL=webhook + - STREAM_ADDR=http://elastic-agent:9589/ + - STREAM_USERNAME=testuser + - STREAM_PASSWORD=xxxx + command: log --start-signal=SIGHUP --webhook-username=testuser --webhook-password=xxxx --delay=5s /sample_logs/defend.log + wiz-defend-token: + image: docker.elastic.co/observability/stream:v0.17.1 + volumes: + - ./sample_logs:/sample_logs:ro + environment: + - STREAM_PROTOCOL=webhook + - STREAM_ADDR=http://elastic-agent:9590/ + - STREAM_WEBHOOK_HEADER=testheader=abc123 + command: log --start-signal=SIGHUP --delay=5s /sample_logs/defend.log diff --git a/packages/wiz/_dev/deploy/docker/sample_logs/defend.log b/packages/wiz/_dev/deploy/docker/sample_logs/defend.log new file mode 100644 index 00000000000..6bab08d1b10 --- /dev/null +++ b/packages/wiz/_dev/deploy/docker/sample_logs/defend.log 
@@ -0,0 +1 @@ +{"trigger":{"source":"DETECTIONS","type":"Created","ruleId":"a08fe977-3f54-48bf-adcf-f76994739c1f","ruleName":"Detections Webhook Test Rule"},"id":"6a440e9b-c8d8-5482-a0e9-da714359aecf","threatId":"733edfe5-db25-5b14-ac58-dc69d6005c81","threatURL":"https://test.wiz.io/issues#~(issue~'733edfe5-db25-5b14-ac58-dc69d6005c81)","title":"Timestomping technique was detected","description":"Process executed the touch binary with the relevant command line flag used to modify files date information such as creation time, and last modification time. This could indicate the presence of a threat actor achieving defense evasion using the Timestomping technique.","severity":"MEDIUM","createdAt":"2025-01-21T18:52:16.819883668Z","tdrId":"46fd0cdc-252e-5e69-be6e-66e4851d7ae4","tdrSource":"WIZ_SENSOR","mitreTactics":["TA0005"],"mitreTechniques":["T1070.006"],"cloudAccounts":[{"cloudPlatform":"AWS","externalId":"134653897021","id":"5d67ed02-738e-5217-b065-d93642dd2629"}],"cloudOrganizations":[],"timeframe":{"start":"2025-01-21T18:52:15.838Z","end":"2025-01-21T18:52:15.838Z"},"actors":[{"externalId":"test-actor","id":"4e1bd57f-49b2-47a8-a4a7-0e66fe0b770e","name":"test-actor","nativeType":"Microsoft Entra ID Application Service Principal","type":"SERVICE_ACCOUNT"},{"externalId":"test-actor","id":"4e1bd57f-49b2-47a8-a4a7-0e66fe89770e","name":"test-actor","nativeType":"Microsoft Entra ID Application Service 
Principal","type":"SERVICE_ACCOUNT"}],"resources":[{"cloudAccount":{"cloudPlatform":"AWS","externalId":"134653897021","id":"5d67ed02-738e-5217-b065-d93642dd2629"},"externalId":"test-container","id":"da259b23-de77-5adb-8336-8c4071696305","name":"test-container","nativeType":"ecs#containerinstance","region":"us-east-1","type":"CONTAINER"}],"primaryResource":{"cloudAccount":{"cloudPlatform":"AWS","externalId":"134653897021","id":"5d67ed02-738e-5217-b065-d93642dd2629"},"externalId":"test-container","id":"da259b23-de77-5adb-8336-8c4071696305","name":"test-container","nativeType":"ecs#containerinstance","region":"us-east-1","type":"CONTAINER"},"triggeringEventsCount":2,"triggeringEvents":[{"actor":{"id":"4e1bd57f-49b2-47a8-a4a7-0e66fe0b770e"},"actorIP":"81.2.69.192","actorIPMeta":{"autonomousSystemNumber":8075,"autonomousSystemOrganization":"MICROSOFT-CORP-MSN-AS-BLOCK","country":"United States","isForeign":true,"reputation":"Benign","reputationSource":"Recorded Future"},"category":"Detection","cloudPlatform":"AWS","cloudProviderUrl":"https://console.aws.amazon.com/cloudtrail/home?region=us-east-1#/events/Ptrace##test-container-SensorRuleEngine##sen-id-142-bd820642-34f2-4d3c-90b6-c384df0fd528","description":"The program /usr/bin/bash executed the program /usr/bin/touch on container test-container","eventTime":"2025-01-21T18:52:15.838Z","externalId":"Ptrace##test-container-SensorRuleEngine##sen-id-142-bd820642-34f2-4d3c-90b6-c384df0fd528","id":"2b46aa0d-9f46-5cb9-a6ae-e83ca514144a","name":"Timestomping technique was detected","origin":"WIZ_SENSOR","resources":[{"externalId":"test-container","id":"da259b23-de77-5adb-8336-8c4071696305","name":"test-container","nativeType":"ecs#containerinstance","region":"us-east-1","type":"CONTAINER"}],"runtimeDetails":{"processTree":[{"command":"touch -r /usr/bin 
/tmp/uga","container":{"externalId":"test-container","id":"da259b23-de77-5adb-8336-8c4071696305","imageExternalId":"sha256:dcad76015854d8bcab3041a631d9d25d777325bb78abfa8ab0882e1b85ad84bb","imageId":"d18500ef-c0f7-5028-8c4c-1cd56c3a6652","name":"test-container"},"executionTime":"2025-01-21T18:52:15.838Z","hash":"a0d0c6248d07a8fa8e3b6a94e218ff9c8c372ad6","id":"1560","path":"/usr/bin/touch","size":109616,"userId":"0","username":"root"},{"command":"/bin/bash -x -c touch -r /usr/bin /tmp/uga","container":{"externalId":"test-container","id":"da259b23-de77-5adb-8336-8c4071696305","imageExternalId":"sha256:dcad76015854d8bcab3041a631d9d25d777325bb78abfa8ab0882e1b85ad84bb","imageId":"d18500ef-c0f7-5028-8c4c-1cd56c3a6652","name":"test-container"},"executionTime":"2025-01-21T18:52:15.838Z","hash":"91fbd9d8c65de48dc82a1064b8a4fc89f5651778","id":"1560","path":"/usr/bin/bash","size":1265648,"userId":"0","username":"root"}]},"source":"WizSensorAlert##RuleEngine","status":"Success"},{"actor":{"id":"4e1bd57f-49b2-47a8-a4a7-0e66fe89770e"},"actorIP":"81.2.69.192","actorIPMeta":{"autonomousSystemNumber":8075,"autonomousSystemOrganization":"MICROSOFT-CORP-MSN-AS-BLOCK","country":"United States","isForeign":true,"reputation":"Benign","reputationSource":"Recorded Future"},"category":"Detection","cloudPlatform":"AWS","cloudProviderUrl":"https://console.aws.amazon.com/cloudtrail/home?region=us-east-1#/events/Ptrace##test-container-SensorRuleEngine##sen-id-142-bd820642-34f2-4d3c-90b6-c384df0fd528","description":"The program /usr/bin/bash executed the program /usr/bin/touch on container test-container","eventTime":"2025-01-21T18:52:15.838Z","externalId":"Ptrace##test-container-SensorRuleEngine##sen-id-142-bd820642-34f2-4d3c-90b6-c384df0fd528","id":"2b46aa0d-9f46-5cb9-a6ae-e83ca514144a","name":"Timestomping technique was 
detected","origin":"WIZ_SENSOR","resources":[{"externalId":"test-container","id":"da259b23-de77-5adb-8336-8c4071696305","name":"test-container","nativeType":"ecs#containerinstance","region":"us-east-1","type":"CONTAINER"}],"runtimeDetails":{"processTree":[{"command":"touch -r /usr/bin /tmp/uga","container":{"externalId":"test-container","id":"da259b23-de77-5adb-8336-8c4071696305","imageExternalId":"sha256:dcad76015854d8bcab3041a631d9d25d777325bb78abfa8ab0882e1b85ad84bb","imageId":"d18500ef-c0f7-5028-8c4c-1cd56c3a6652","name":"test-container"},"executionTime":"2025-01-21T18:52:15.838Z","hash":"a0d0c6248d07a8fa8e3b6a94e218ff9c8c372ad6","id":"1560","path":"/usr/bin/touch","size":109616,"userId":"0","username":"root"},{"command":"/bin/bash -x -c touch -r /usr/bin /tmp/uga","container":{"externalId":"test-container","id":"da259b23-de77-5adb-8336-8c4071696305","imageExternalId":"sha256:dcad76015854d8bcab3041a631d9d25d777325bb78abfa8ab0882e1b85ad84bb","imageId":"d18500ef-c0f7-5028-8c4c-1cd56c3a6652","name":"test-container"},"executionTime":"2025-01-21T18:52:15.838Z","hash":"91fbd9d8c65de48dc82a1064b8a4fc89f5651778","id":"1560","path":"/usr/bin/bash","size":1265648,"userId":"0","username":"root"}]},"source":"WizSensorAlert##RuleEngine","status":"Success"}]} diff --git a/packages/wiz/changelog.yml b/packages/wiz/changelog.yml index e99a4e22274..986df4e133e 100644 --- a/packages/wiz/changelog.yml +++ b/packages/wiz/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "3.2.0" + changes: + - description: Add support for Wiz Defend datastream. + type: enhancement + link: https://github.com/elastic/integrations/pull/13688 - version: "3.1.1" changes: - description: Fix default request trace enabled behavior. diff --git a/packages/wiz/data_stream/audit/manifest.yml b/packages/wiz/data_stream/audit/manifest.yml index be7f37bccfe..b37eb696915 100644 --- a/packages/wiz/data_stream/audit/manifest.yml +++ b/packages/wiz/data_stream/audit/manifest.yml 
@@ -3,6 +3,7 @@ type: logs streams: - input: cel title: Audit logs + enabled: false description: Collect Audit logs from Wiz. template_path: cel.yml.hbs vars: diff --git a/packages/wiz/data_stream/audit/sample_event.json b/packages/wiz/data_stream/audit/sample_event.json index 4c85f204da3..b27b3fa956f 100644 --- a/packages/wiz/data_stream/audit/sample_event.json +++ b/packages/wiz/data_stream/audit/sample_event.json @@ -1,24 +1,24 @@ { "@timestamp": "2023-07-21T07:07:21.105Z", "agent": { - "ephemeral_id": "5c3096ee-b490-4b19-a848-bfed150c1bca", - "id": "927b2eff-4394-4486-ab77-d6bfa7c529cf", - "name": "docker-fleet-agent", + "ephemeral_id": "ea58853f-b6e9-4a45-86ba-9551c6aec28f", + "id": "83d115a5-188d-46b5-95ce-7c8e49e04018", + "name": "elastic-agent-37311", "type": "filebeat", - "version": "8.10.1" + "version": "8.18.0" }, "data_stream": { "dataset": "wiz.audit", - "namespace": "ep", + "namespace": "68164", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "927b2eff-4394-4486-ab77-d6bfa7c529cf", - "snapshot": false, - "version": "8.10.1" + "id": "83d115a5-188d-46b5-95ce-7c8e49e04018", + "snapshot": true, + "version": "8.18.0" }, "event": { "action": "login", 
@@ -28,7 +28,7 @@ ], "dataset": "wiz.audit", "id": "hhd8ab9c-f1bf-4a80-a1e1-13bc8769caf4", - "ingested": "2023-10-03T10:35:48Z", + "ingested": "2025-04-22T09:53:49Z", "kind": "event", "original": "{\"action\":\"Login\",\"actionParameters\":{\"clientID\":\"afsdafasmdgj5c\",\"groups\":null,\"name\":\"example\",\"products\":[\"*\"],\"role\":\"\",\"scopes\":[\"read:issues\",\"read:reports\",\"read:vulnerabilities\",\"update:reports\",\"create:reports\",\"admin:audit\"],\"userEmail\":\"\",\"userID\":\"afsafasdghbhdfg5t35fdgs\",\"userpoolID\":\"us-east-2_GQ3gwvxsQ\"},\"id\":\"hhd8ab9c-f1bf-4a80-a1e1-13bc8769caf4\",\"requestId\":\"hhd8ab9c-f1bf-4a80-a1e1-13bc8769caf4\",\"serviceAccount\":{\"id\":\"mlipebtwsndhxdmnzdwrxzmiolvzt6topjvv4nugzctcsyarazrhg\",\"name\":\"elastic\"},\"sourceIP\":null,\"status\":\"SUCCESS\",\"timestamp\":\"2023-07-21T07:07:21.105685Z\",\"user\":null,\"userAgent\":null}", "outcome": "success", @@ -88,4 +88,4 @@ "timestamp": "2023-07-21T07:07:21.105Z" } } -} \ No newline at end of file +} diff --git a/packages/wiz/data_stream/cloud_configuration_finding/sample_event.json b/packages/wiz/data_stream/cloud_configuration_finding/sample_event.json index 3ae1ac272cb..e928c9e134d 100644 --- a/packages/wiz/data_stream/cloud_configuration_finding/sample_event.json +++ b/packages/wiz/data_stream/cloud_configuration_finding/sample_event.json 
@@ -1,76 +1,110 @@ { - "@timestamp": "2023-06-12T11:38:07.900Z", + "@timestamp": "2024-08-07T12:55:52.012Z", + "agent": { + "ephemeral_id": "3fdb83a8-3bce-4186-8cee-72dd95c25b4d", + "id": "4815c547-4daf-42b8-a256-e931be9bc655", + "name": "elastic-agent-89828", + "type": "filebeat", + "version": "8.18.0" + }, "cloud": { "account": { - "id": "cfd132be-3bc7-4f86-8efd-ed53ae498fec", - "name": "Wiz - DEV Outpost" + "id": "998231069301", + "name": "wiz-integrations" }, - "provider": "azure" + "provider": "aws", + "service": { + "name": "eks" + } + }, + "data_stream": { + "dataset": "wiz.cloud_configuration_finding", + "namespace": "30878", + "type": "logs" }, "ecs": { "version": "8.11.0" }, + "elastic_agent": { + "id": "4815c547-4daf-42b8-a256-e931be9bc655", + "snapshot": true, + "version": "8.18.0" + }, "event": { + "agent_id_status": "verified", "category": [ "configuration" ], - "created": "2023-06-12T11:38:07.900Z", - "id": "bdeba988-f41b-55e6-9b99-96b8d3dc67d4", + "created": "2024-08-07T12:55:52.012Z", + "dataset": "wiz.cloud_configuration_finding", + "id": "1243196d-a365-589a-a8aa-13817c9877b2", + "ingested": "2025-04-22T09:54:52Z", "kind": "state", - "original": "{\"id\":\"bdeba988-f41b-55e6-9b99-96b8d3dc67d4\",\"targetExternalId\":\"k8s/pod/da99fd668e64c2def251b1d48b7b69ad3129638787a0f9144a993fe30fd4554f/default/cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx\",\"targetObjectProviderUniqueId\":\"cd971d74-92db-495c-8244-82da9a988fd0\",\"firstSeenAt\":\"2023-06-12T11:38:07.900129Z\",\"analyzedAt\":\"2023-06-12T11:38:07.900129Z\",\"severity\":\"LOW\",\"result\":\"FAIL\",\"status\":\"OPEN\",\"remediation\":\"Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \\r\\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . \\r\\n* `securityContext.capabilities.drop` key is set to `ALL`. 
\\r\\n\",\"resource\":{\"id\":\"0e814bb7-29e8-5c15-be9c-8da42c67ee99\",\"providerId\":\"provider-id-0e814bb7-29e8-5c15-be9c-8da42c67ee99\",\"name\":\"cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx\",\"nativeType\":\"Pod\",\"type\":\"POD\",\"region\":null,\"subscription\":{\"id\":\"a3a3cc43-1dfd-50f1-882e-692840d4a891\",\"name\":\"Wiz - DEV Outpost\",\"externalId\":\"cfd132be-3bc7-4f86-8efd-ed53ae498fec\",\"cloudProvider\":\"Azure\"},\"projects\":null,\"tags\":[{\"key\":\"pod-template-hash\",\"value\":\"8bc677d64\"},{\"key\":\"app.kubernetes.io/name\",\"value\":\"azure-cluster-autoscaler\"},{\"key\":\"app.kubernetes.io/instance\",\"value\":\"cluster-autoscaler\"}]},\"rule\":{\"id\":\"73553de7-f2ad-4ffb-b425-c69815033530\",\"shortId\":\"Pod-32\",\"graphId\":\"99ffeef7-75df-5c88-9265-5ab50ffbc2b9\",\"name\":\"Pod should run containers with authorized additional capabilities (PSS Restricted)\",\"description\":\"This rule is part of the Kubernetes [Pod Security Standards (PSS) restricted policies](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). \\nThis rule checks whether the pod is running containers with authorized additional capabilities. \\nThis rule fails if the `securityContext.capabilities.add` contains any capability beyond `NET_BIND_SERVICE` and if `securityContext.capabilities.drop` is not set to `ALL`. \\nBy default, if the `securityContext.capabilities.add` key is not set, the pod will not run with additional capabilities, and the rule will pass. \\nLinux capabilities allow granting certain privileges to a container without granting any unnecessary ones intended for the root user.\",\"remediationInstructions\":\"Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \\r\\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . 
\\r\\n* `securityContext.capabilities.drop` key is set to `ALL`. \\r\\n\",\"functionAsControl\":false},\"securitySubCategories\":[{\"id\":\"wsct-id-5206\",\"title\":\"Container Security\",\"category\":{\"id\":\"wct-id-423\",\"name\":\"9 Container Security\",\"framework\":{\"id\":\"wf-id-1\",\"name\":\"Wiz\"}}},{\"id\":\"wsct-id-8176\",\"title\":\"5.1 Containers should not run with additional capabilities\",\"category\":{\"id\":\"wct-id-1295\",\"name\":\"5 Capabilities\",\"framework\":{\"id\":\"wf-id-57\",\"name\":\"Kubernetes Pod Security Standards (Restricted)\"}}},{\"id\":\"wsct-id-8344\",\"title\":\"Cluster misconfiguration\",\"category\":{\"id\":\"wct-id-1169\",\"name\":\"2 Container & Kubernetes Security\",\"framework\":{\"id\":\"wf-id-53\",\"name\":\"Wiz Detailed\"}}}]}", - "outcome": "failure", + "original": "{\"analyzedAt\":\"2024-08-07T12:55:52.012378Z\",\"id\":\"1243196d-a365-589a-a8aa-13817c9877b2\",\"remediation\":null,\"resource\":{\"cloudPlatform\":\"EKS\",\"id\":\"f0f4163d-cbd7-517c-ba9e-f96bb90ab5ea\",\"name\":\"Root user\",\"nativeType\":\"rootUser\",\"providerId\":\"arn:aws:iam::998231069301:root\",\"region\":null,\"subscription\":{\"cloudProvider\":\"AWS\",\"externalId\":\"998231069301\",\"id\":\"94e76baa-85fd-5928-b829-1669a2ca9660\",\"name\":\"wiz-integrations\"},\"tags\":[],\"type\":\"USER_ACCOUNT\"},\"result\":\"PASS\",\"rule\":{\"description\":\"This rule checks if the AWS Root Account has access keys. \\nThis rule fails if `AccountAccessKeysPresent` is not set to `0`. Note that it does not take into consideration the status of the keys if present. \\nThe root account should avoid using access keys. Since the root account has full permissions across the entire account, creating access keys for it increases the chance that they will be compromised. 
Instead, it is recommended to create IAM users with predefined roles.\\n\\u003e**Note** \\nSee Cloud Configuration Rule `IAM-207` to see if the Root account's access keys are active.\",\"id\":\"563ed717-4fb6-47fd-929e-9c794e201d0a\",\"name\":\"Root account access keys should not exist\",\"remediationInstructions\":\"Perform the following steps, while being signed in as the Root user, in order to delete the root user's access keys via AWS CLI: \\n1. Use the following command to list the Root user's access keys. \\nCopy the `AccessKeyId` from the output and paste it into the `access-key-id` value in the next step. \\n```\\naws iam list-access-keys\\n```\\n2. Use the following command to delete the access key(s). \\n```\\naws iam delete-access-key /\\n --access-key-id \\u003cvalue\\u003e\\n```\\n\\u003e**Note** \\nOnce an access key is removed, any application using it will not work until a new one is configured for it.\",\"shortId\":\"IAM-006\"},\"severity\":\"MEDIUM\"}", + "outcome": "success", "type": [ "info" - ] + ], + "url": "https://app.wiz.io/findings/configuration-findings/cloud#~(filters~(status~()~rule~(equals~(~'563ed717-4fb6-47fd-929e-9c794e201d0a)))~groupBy~(~)~entity~(~'1243196d-a365-589a-a8aa-13817c9877b2*2cCONFIGURATION_FINDING))" + }, + "input": { + "type": "cel" }, - "message": "This rule is part of the Kubernetes [Pod Security Standards (PSS) restricted policies](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). \nThis rule checks whether the pod is running containers with authorized additional capabilities. \nThis rule fails if the `securityContext.capabilities.add` contains any capability beyond `NET_BIND_SERVICE` and if `securityContext.capabilities.drop` is not set to `ALL`. \nBy default, if the `securityContext.capabilities.add` key is not set, the pod will not run with additional capabilities, and the rule will pass. 
\nLinux capabilities allow granting certain privileges to a container without granting any unnecessary ones intended for the root user.", + "message": "This rule checks if the AWS Root Account has access keys. \nThis rule fails if `AccountAccessKeysPresent` is not set to `0`. Note that it does not take into consideration the status of the keys if present. \nThe root account should avoid using access keys. Since the root account has full permissions across the entire account, creating access keys for it increases the chance that they will be compromised. Instead, it is recommended to create IAM users with predefined roles.\n>**Note** \nSee Cloud Configuration Rule `IAM-207` to see if the Root account's access keys are active.", "observer": { "vendor": "Wiz" }, "resource": { - "id": "provider-id-0e814bb7-29e8-5c15-be9c-8da42c67ee99", - "name": "cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx", - "sub_type": "Pod", - "type": "POD" + "id": "arn:aws:iam::998231069301:root", + "name": "Root user", + "sub_type": "rootUser", + "type": "USER_ACCOUNT" }, "result": { - "evaluation": "FAILED" + "evaluation": "passed" }, "rule": { - "description": "This rule is part of the Kubernetes [Pod Security Standards (PSS) restricted policies](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). \nThis rule checks whether the pod is running containers with authorized additional capabilities. \nThis rule fails if the `securityContext.capabilities.add` contains any capability beyond `NET_BIND_SERVICE` and if `securityContext.capabilities.drop` is not set to `ALL`. \nBy default, if the `securityContext.capabilities.add` key is not set, the pod will not run with additional capabilities, and the rule will pass. 
\nLinux capabilities allow granting certain privileges to a container without granting any unnecessary ones intended for the root user.", - "id": "Pod-32", - "name": "Pod should run containers with authorized additional capabilities (PSS Restricted)", - "remediation": "Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \r\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . \r\n* `securityContext.capabilities.drop` key is set to `ALL`. \r\n", - "uuid": "73553de7-f2ad-4ffb-b425-c69815033530" + "description": "This rule checks if the AWS Root Account has access keys. \nThis rule fails if `AccountAccessKeysPresent` is not set to `0`. Note that it does not take into consideration the status of the keys if present. \nThe root account should avoid using access keys. Since the root account has full permissions across the entire account, creating access keys for it increases the chance that they will be compromised. Instead, it is recommended to create IAM users with predefined roles.\n>**Note** \nSee Cloud Configuration Rule `IAM-207` to see if the Root account's access keys are active.", + "id": "IAM-006", + "name": "Root account access keys should not exist", + "remediation": "Perform the following steps, while being signed in as the Root user, in order to delete the root user's access keys via AWS CLI: \n1. Use the following command to list the Root user's access keys. \nCopy the `AccessKeyId` from the output and paste it into the `access-key-id` value in the next step. \n```\naws iam list-access-keys\n```\n2. Use the following command to delete the access key(s). 
\n```\naws iam delete-access-key /\n --access-key-id \n```\n>**Note** \nOnce an access key is removed, any application using it will not work until a new one is configured for it.", + "uuid": "563ed717-4fb6-47fd-929e-9c794e201d0a" }, "tags": [ "preserve_original_event", - "preserve_duplicate_custom_fields" + "preserve_duplicate_custom_fields", + "forwarded", + "wiz-cloud_configuration_finding" ], + "user": { + "id": "arn:aws:iam::998231069301:root", + "name": "Root user" + }, "wiz": { "cloud_configuration_finding": { - "analyzed_at": "2023-06-12T11:38:07.900Z", - "id": "bdeba988-f41b-55e6-9b99-96b8d3dc67d4", + "analyzed_at": "2024-08-07T12:55:52.012Z", + "id": "1243196d-a365-589a-a8aa-13817c9877b2", "resource": { - "id": "0e814bb7-29e8-5c15-be9c-8da42c67ee99", - "name": "cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx", - "native_type": "Pod", - "provider_id": "provider-id-0e814bb7-29e8-5c15-be9c-8da42c67ee99", + "cloud_platform": "EKS", + "id": "f0f4163d-cbd7-517c-ba9e-f96bb90ab5ea", + "name": "Root user", + "native_type": "rootUser", + "provider_id": "arn:aws:iam::998231069301:root", "subscription": { - "cloud_provider": "Azure", - "external_id": "cfd132be-3bc7-4f86-8efd-ed53ae498fec", - "name": "Wiz - DEV Outpost" + "cloud_provider": "AWS", + "external_id": "998231069301", + "name": "wiz-integrations" }, - "type": "POD" + "type": "USER_ACCOUNT" }, - "result": "FAIL", + "result": "PASS", "rule": { - "description": "This rule is part of the Kubernetes [Pod Security Standards (PSS) restricted policies](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). \nThis rule checks whether the pod is running containers with authorized additional capabilities. \nThis rule fails if the `securityContext.capabilities.add` contains any capability beyond `NET_BIND_SERVICE` and if `securityContext.capabilities.drop` is not set to `ALL`. 
\nBy default, if the `securityContext.capabilities.add` key is not set, the pod will not run with additional capabilities, and the rule will pass. \nLinux capabilities allow granting certain privileges to a container without granting any unnecessary ones intended for the root user.", - "id": "73553de7-f2ad-4ffb-b425-c69815033530", - "name": "Pod should run containers with authorized additional capabilities (PSS Restricted)", - "remediation_instructions": "Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \r\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . \r\n* `securityContext.capabilities.drop` key is set to `ALL`. \r\n", - "short_id": "Pod-32" + "description": "This rule checks if the AWS Root Account has access keys. \nThis rule fails if `AccountAccessKeysPresent` is not set to `0`. Note that it does not take into consideration the status of the keys if present. \nThe root account should avoid using access keys. Since the root account has full permissions across the entire account, creating access keys for it increases the chance that they will be compromised. Instead, it is recommended to create IAM users with predefined roles.\n>**Note** \nSee Cloud Configuration Rule `IAM-207` to see if the Root account's access keys are active.", + "id": "563ed717-4fb6-47fd-929e-9c794e201d0a", + "name": "Root account access keys should not exist", + "remediation_instructions": "Perform the following steps, while being signed in as the Root user, in order to delete the root user's access keys via AWS CLI: \n1. Use the following command to list the Root user's access keys. \nCopy the `AccessKeyId` from the output and paste it into the `access-key-id` value in the next step. \n```\naws iam list-access-keys\n```\n2. Use the following command to delete the access key(s). 
\n```\naws iam delete-access-key /\n --access-key-id \n```\n>**Note** \nOnce an access key is removed, any application using it will not work until a new one is configured for it.", + "short_id": "IAM-006" } } } -} \ No newline at end of file +} diff --git a/packages/wiz/data_stream/cloud_configuration_finding_full_posture/sample_event.json b/packages/wiz/data_stream/cloud_configuration_finding_full_posture/sample_event.json index 123c6503f28..d0f3f08c5b9 100644 --- a/packages/wiz/data_stream/cloud_configuration_finding_full_posture/sample_event.json +++ b/packages/wiz/data_stream/cloud_configuration_finding_full_posture/sample_event.json 
@@ -1,76 +1,108 @@ { - "@timestamp": "2023-06-12T11:38:07.900Z", + "@timestamp": "2025-04-22T09:55:55.722365112Z", + "agent": { + "ephemeral_id": "5f4b4a3b-5fe7-41c7-ae81-1859e2eb9fcf", + "id": "54fad7af-68b0-41e9-ba13-01893279295d", + "name": "elastic-agent-30873", + "type": "filebeat", + "version": "8.18.0" + }, "cloud": { "account": { - "id": "cfd132be-3bc7-4f86-8efd-ed53ae498fec", - "name": "Wiz - DEV Outpost" + "id": "998231069301", + "name": "wiz-integrations" }, - "provider": "azure" + "provider": "aws", + "service": { + "name": "eks" + } + }, + "data_stream": { + "dataset": "wiz.cloud_configuration_finding_full_posture", + "namespace": "26487", + "type": "logs" }, "ecs": { "version": "8.11.0" }, + "elastic_agent": { + "id": "54fad7af-68b0-41e9-ba13-01893279295d", + "snapshot": true, + "version": "8.18.0" + }, "event": { + "agent_id_status": "verified", "category": [ "configuration" ], - "created": "2023-06-12T11:38:07.900Z", - "id": "bdeba988-f41b-55e6-9b99-96b8d3dc67d4", + "created": "2024-08-07T12:55:52.012Z", + "dataset": "wiz.cloud_configuration_finding_full_posture", + "id": "1243196d-a365-589a-a8aa-13817c9877b2", + "ingested": "2025-04-22T09:55:55Z", "kind": "state", - "original": "{\"id\":\"bdeba988-f41b-55e6-9b99-96b8d3dc67d4\",\"targetExternalId\":\"k8s/pod/da99fd668e64c2def251b1d48b7b69ad3129638787a0f9144a993fe30fd4554f/default/cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx\",\"targetObjectProviderUniqueId\":\"cd971d74-92db-495c-8244-82da9a988fd0\",\"firstSeenAt\":\"2023-06-12T11:38:07.900129Z\",\"analyzedAt\":\"2023-06-12T11:38:07.900129Z\",\"severity\":\"LOW\",\"result\":\"FAIL\",\"status\":\"OPEN\",\"remediation\":\"Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \\r\\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . \\r\\n* `securityContext.capabilities.drop` key is set to `ALL`. 
\\r\\n\",\"resource\":{\"id\":\"0e814bb7-29e8-5c15-be9c-8da42c67ee99\",\"providerId\":\"provider-id-0e814bb7-29e8-5c15-be9c-8da42c67ee99\",\"name\":\"cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx\",\"nativeType\":\"Pod\",\"type\":\"POD\",\"region\":null,\"subscription\":{\"id\":\"a3a3cc43-1dfd-50f1-882e-692840d4a891\",\"name\":\"Wiz - DEV Outpost\",\"externalId\":\"cfd132be-3bc7-4f86-8efd-ed53ae498fec\",\"cloudProvider\":\"Azure\"},\"projects\":null,\"tags\":[{\"key\":\"pod-template-hash\",\"value\":\"8bc677d64\"},{\"key\":\"app.kubernetes.io/name\",\"value\":\"azure-cluster-autoscaler\"},{\"key\":\"app.kubernetes.io/instance\",\"value\":\"cluster-autoscaler\"}]},\"rule\":{\"id\":\"73553de7-f2ad-4ffb-b425-c69815033530\",\"shortId\":\"Pod-32\",\"graphId\":\"99ffeef7-75df-5c88-9265-5ab50ffbc2b9\",\"name\":\"Pod should run containers with authorized additional capabilities (PSS Restricted)\",\"description\":\"This rule is part of the Kubernetes [Pod Security Standards (PSS) restricted policies](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). \\nThis rule checks whether the pod is running containers with authorized additional capabilities. \\nThis rule fails if the `securityContext.capabilities.add` contains any capability beyond `NET_BIND_SERVICE` and if `securityContext.capabilities.drop` is not set to `ALL`. \\nBy default, if the `securityContext.capabilities.add` key is not set, the pod will not run with additional capabilities, and the rule will pass. \\nLinux capabilities allow granting certain privileges to a container without granting any unnecessary ones intended for the root user.\",\"remediationInstructions\":\"Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \\r\\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . 
\\r\\n* `securityContext.capabilities.drop` key is set to `ALL`. \\r\\n\",\"functionAsControl\":false},\"securitySubCategories\":[{\"id\":\"wsct-id-5206\",\"title\":\"Container Security\",\"category\":{\"id\":\"wct-id-423\",\"name\":\"9 Container Security\",\"framework\":{\"id\":\"wf-id-1\",\"name\":\"Wiz\"}}},{\"id\":\"wsct-id-8176\",\"title\":\"5.1 Containers should not run with additional capabilities\",\"category\":{\"id\":\"wct-id-1295\",\"name\":\"5 Capabilities\",\"framework\":{\"id\":\"wf-id-57\",\"name\":\"Kubernetes Pod Security Standards (Restricted)\"}}},{\"id\":\"wsct-id-8344\",\"title\":\"Cluster misconfiguration\",\"category\":{\"id\":\"wct-id-1169\",\"name\":\"2 Container & Kubernetes Security\",\"framework\":{\"id\":\"wf-id-53\",\"name\":\"Wiz Detailed\"}}}]}", - "outcome": "failure", + "original": "{\"analyzedAt\":\"2024-08-07T12:55:52.012378Z\",\"id\":\"1243196d-a365-589a-a8aa-13817c9877b2\",\"remediation\":null,\"resource\":{\"cloudPlatform\":\"EKS\",\"id\":\"f0f4163d-cbd7-517c-ba9e-f96bb90ab5ea\",\"name\":\"Root user\",\"nativeType\":\"rootUser\",\"providerId\":\"arn:aws:iam::998231069301:root\",\"region\":null,\"subscription\":{\"cloudProvider\":\"AWS\",\"externalId\":\"998231069301\",\"id\":\"94e76baa-85fd-5928-b829-1669a2ca9660\",\"name\":\"wiz-integrations\"},\"tags\":[],\"type\":\"USER_ACCOUNT\"},\"result\":\"PASS\",\"rule\":{\"description\":\"description\",\"id\":\"563ed717-4fb6-47fd-929e-9c794e201d0a\",\"name\":\"Root account access keys should not exist\",\"remediationInstructions\":\"instructions\",\"shortId\":\"IAM-006\"},\"severity\":\"MEDIUM\"}", + "outcome": "success", "type": [ "info" ] }, - "message": "This rule is part of the Kubernetes [Pod Security Standards (PSS) restricted policies](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). \nThis rule checks whether the pod is running containers with authorized additional capabilities. 
\nThis rule fails if the `securityContext.capabilities.add` contains any capability beyond `NET_BIND_SERVICE` and if `securityContext.capabilities.drop` is not set to `ALL`. \nBy default, if the `securityContext.capabilities.add` key is not set, the pod will not run with additional capabilities, and the rule will pass. \nLinux capabilities allow granting certain privileges to a container without granting any unnecessary ones intended for the root user.", + "input": { + "type": "cel" + }, "observer": { "vendor": "Wiz" }, "resource": { - "id": "provider-id-0e814bb7-29e8-5c15-be9c-8da42c67ee99", - "name": "cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx", - "sub_type": "Pod", - "type": "POD" + "id": "arn:aws:iam::998231069301:root", + "name": "Root user", + "sub_type": "rootUser", + "type": "USER_ACCOUNT" }, "result": { - "evaluation": "FAILED" + "evaluation": "passed" }, "rule": { - "description": "This rule is part of the Kubernetes [Pod Security Standards (PSS) restricted policies](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). \nThis rule checks whether the pod is running containers with authorized additional capabilities. \nThis rule fails if the `securityContext.capabilities.add` contains any capability beyond `NET_BIND_SERVICE` and if `securityContext.capabilities.drop` is not set to `ALL`. \nBy default, if the `securityContext.capabilities.add` key is not set, the pod will not run with additional capabilities, and the rule will pass. 
\nLinux capabilities allow granting certain privileges to a container without granting any unnecessary ones intended for the root user.", - "id": "Pod-32", - "name": "Pod should run containers with authorized additional capabilities (PSS Restricted)", - "remediation": "Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \r\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . \r\n* `securityContext.capabilities.drop` key is set to `ALL`. \r\n", - "uuid": "73553de7-f2ad-4ffb-b425-c69815033530" + "description": "description", + "id": "IAM-006", + "name": "Root account access keys should not exist", + "remediation": "instructions", + "uuid": "563ed717-4fb6-47fd-929e-9c794e201d0a" }, "tags": [ "preserve_original_event", - "preserve_duplicate_custom_fields" + "preserve_duplicate_custom_fields", + "forwarded", + "wiz-cloud_configuration_finding_full_posture" ], + "user": { + "id": "arn:aws:iam::998231069301:root", + "name": "Root user" + }, "wiz": { "cloud_configuration_finding_full_posture": { - "analyzed_at": "2023-06-12T11:38:07.900Z", - "id": "bdeba988-f41b-55e6-9b99-96b8d3dc67d4", + "analyzed_at": "2024-08-07T12:55:52.012Z", + "id": "1243196d-a365-589a-a8aa-13817c9877b2", "resource": { - "id": "0e814bb7-29e8-5c15-be9c-8da42c67ee99", - "name": "cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx", - "native_type": "Pod", - "provider_id": "provider-id-0e814bb7-29e8-5c15-be9c-8da42c67ee99", + "cloud_platform": "EKS", + "id": "f0f4163d-cbd7-517c-ba9e-f96bb90ab5ea", + "name": "Root user", + "native_type": "rootUser", + "provider_id": "arn:aws:iam::998231069301:root", "subscription": { - "cloud_provider": "Azure", - "external_id": "cfd132be-3bc7-4f86-8efd-ed53ae498fec", - "name": "Wiz - DEV Outpost" + "cloud_provider": "AWS", + "external_id": "998231069301", + "name": "wiz-integrations" }, - "type": "POD" + "type": 
"USER_ACCOUNT" }, - "result": "FAIL", + "result": "PASS", "rule": { - "description": "This rule is part of the Kubernetes [Pod Security Standards (PSS) restricted policies](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). \nThis rule checks whether the pod is running containers with authorized additional capabilities. \nThis rule fails if the `securityContext.capabilities.add` contains any capability beyond `NET_BIND_SERVICE` and if `securityContext.capabilities.drop` is not set to `ALL`. \nBy default, if the `securityContext.capabilities.add` key is not set, the pod will not run with additional capabilities, and the rule will pass. \nLinux capabilities allow granting certain privileges to a container without granting any unnecessary ones intended for the root user.", - "id": "73553de7-f2ad-4ffb-b425-c69815033530", - "name": "Pod should run containers with authorized additional capabilities (PSS Restricted)", - "remediation_instructions": "Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \r\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . \r\n* `securityContext.capabilities.drop` key is set to `ALL`. \r\n", - "short_id": "Pod-32" + "description": "description", + "id": "563ed717-4fb6-47fd-929e-9c794e201d0a", + "name": "Root account access keys should not exist", + "remediation_instructions": "instructions", + "short_id": "IAM-006" } } } -} \ No newline at end of file +} diff --git a/packages/wiz/data_stream/defend/_dev/test/pipeline/test-common-config.yml b/packages/wiz/data_stream/defend/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..37e8fa225fd --- /dev/null +++ b/packages/wiz/data_stream/defend/_dev/test/pipeline/test-common-config.yml @@ -0,0 +1,3 @@ +fields: + tags: + - preserve_duplicate_custom_fields 
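Review bot: in the `cloud_configuration_finding_full_posture/sample_event.json` hunk, `result.evaluation` changes from `"FAILED"` to `"passed"`, so the field's case convention flips with this PR; any saved search or detection rule matching the old uppercase value silently stops matching. If the pipeline now lowercases the value on purpose, call that out in the changelog and make sure both finding streams emit the same convention; otherwise normalize to one case. Two smaller points on the same hunk: the `ecs.version` context line still reads `8.11.0` while the defend expected output further down in this PR reports `8.17.0`, so this sample looks like it was captured before the ECS reference bump and should be regenerated; and the rule block now carries placeholder strings (`"description": "description"`, `"remediation": "instructions"`), which is fine for a fixture but makes the README-rendered sample less informative than the one it replaces.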
diff --git a/packages/wiz/data_stream/defend/_dev/test/pipeline/test-defend.json b/packages/wiz/data_stream/defend/_dev/test/pipeline/test-defend.json new file mode 100644 index 00000000000..127059b1af2 --- /dev/null +++ b/packages/wiz/data_stream/defend/_dev/test/pipeline/test-defend.json 
@@ -0,0 +1,173 @@ +{ + "events": [ + { + "@timestamp": "2025-04-15T11:33:57.974Z", + "json": { + "trigger": { + "source": "DETECTIONS", + "type": "Created", + "ruleId": "a08fe977-3f54-48bf-adcf-f76994739c1f", + "ruleName": "Detections Webhook Test Rule" + }, + "id": "6a440e9b-c8d8-5482-a0e9-da714359aecf", + "source": "DETECTIONS", + "threatId": "733edfe5-db25-5b14-ac58-dc69d6005c81", + "threatURL": "https://test.wiz.io/issues#~(issue~'733edfe5-db25-5b14-ac58-dc69d6005c81)", + "title": "Timestomping technique was detected", + "description": "Process executed the touch binary with the relevant command line flag used to modify files date information such as creation time, and last modification time. This could indicate the presence of a threat actor achieving defense evasion using the Timestomping technique.", + "severity": "MEDIUM", + "createdAt": "2025-01-21T18:52:16.819883668Z", + "tdrId": "46fd0cdc-252e-5e69-be6e-66e4851d7ae4", + "tdrSource": "WIZ_SENSOR", + "mitreTactics": [ + "TA0005" + ], + "mitreTechniques": [ + "T1070.006" + ], + "cloudOrganizations": [ + { + "cloudProvider": "AWS", + "externalId": "o-1234567890", + "name": "AcmeCloudOrg" + } + ], + "detectionUrl": "https://test.wiz.io/detection", + "timeframe": { + "start": "2025-01-21T18:52:15.838Z", + "end": "2025-01-21T18:52:15.838Z" + }, + "primaryActor": { + "id": "4e1bd57f-49b2-47a8-a4a7-0e66fe0b770e", + "name": "test-actor", + "nativeType": "Microsoft Entra ID Application Service Principal", + "type": "SERVICE_ACCOUNT", + "email": "test-actor@wiz.io", + "externalId": "test-actor" + }, + "primaryResource": { + "id": "da259b23-de77-5adb-8336-8c4071696305", + "externalId": "test-container", + "providerUniqueId": "provider-resource-uid-456", + "name": "test-container", + "type": "CONTAINER", + "nativeType": "ecs#containerinstance", + "region": "us-east-1", + "status": "Running", + "cloudAccount": { + "cloudPlatform": "AWS", + "externalId": "134653897021", + "id": "5d67ed02-738e-5217-b065-d93642dd2629" + 
}, + "kubernetesNodeId": "node-1234", + "kubernetesNodeName": "eks-node-1", + "kubernetesNamespaceId": "ns-abc", + "kubernetesNamespaceName": "production", + "kubernetesClusterId": "cluster-5678", + "kubernetesClusterName": "prod-cluster", + "cloudProviderUrl": "https://console.aws.amazon.com/ecs/home?region=us-east-1#/clusters/prod-cluster/tasks" + }, + "triggeringEventsCount": 1, + "triggeringEvent": { + "id": "2b46aa0d-9f46-5cb9-a6ae-e83ca514144a", + "externalId": "Ptrace##test-container-SensorRuleEngine##sen-id-142-bd820642-34f2-4d3c-90b6-c384df0fd528", + "name": "Timestomping technique was detected", + "description": "The program /usr/bin/bash executed the program /usr/bin/touch on container test-container", + "cloudProviderUrl": "https://console.aws.amazon.com/cloudtrail/home?region=us-east-1#/events/Ptrace##test-container-SensorRuleEngine##sen-id-142-bd820642-34f2-4d3c-90b6-c384df0fd528", + "cloudPlatform": "AWS", + "origin": "WIZ_SENSOR", + "eventTime": "2025-01-21T18:52:15.838Z", + "source": "WizSensorAlert##RuleEngine", + "category": "Detection", + "status": "Success", + "actor": { + "id": "4e1bd57f-49b2-47a8-a4a7-0e66fe0b770e", + "externalId": "actor-external-id", + "providerUniqueId": "provider-actor-id", + "name": "Test Actor", + "type": "Process", + "nativeType": "ecs#task", + "actingAs": { + "id": "assumed-role-id", + "name": "AssumedRole", + "type": "IAMRole", + "nativeType": "aws#iamrole" + } + }, + "actorIP": "81.2.69.192", + "actorIPMeta": { + "country": "United States", + "autonomousSystemNumber": 8075, + "autonomousSystemOrganization": "MICROSOFT-CORP-MSN-AS-BLOCK", + "reputation": "Benign", + "reputationDescription": "No malicious activity detected", + "reputationSource": "Recorded Future", + "relatedAttackGroupNames": "None", + "isForeign": true + }, + "resources": [ + { + "id": "da259b23-de77-5adb-8336-8c4071696305", + "externalId": "test-container", + "providerUniqueId": "provider-resource-uid-456", + "name": "test-container", + "type": 
"CONTAINER", + "nativeType": "ecs#containerinstance", + "region": "us-east-1", + "status": "Running", + "cloudAccount": { + "cloudPlatform": "AWS", + "externalId": "134653897021", + "id": "5d67ed02-738e-5217-b065-d93642dd2629" + }, + "kubernetesNodeId": "node-1234", + "kubernetesNodeName": "eks-node-1", + "kubernetesNamespaceId": "ns-abc", + "kubernetesNamespaceName": "production", + "kubernetesClusterId": "cluster-5678", + "kubernetesClusterName": "prod-cluster", + "cloudProviderUrl": "https://console.aws.amazon.com/ecs/home?region=us-east-1#/clusters/prod-cluster/tasks" + } + ], + "runtimeDetails": { + "processTree": [ + { + "command": "touch -r /usr/bin /tmp/uga", + "container": { + "externalId": "test-container", + "id": "da259b23-de77-5adb-8336-8c4071696305", + "imageExternalId": "sha256:dcad76015854d8bcab3041a631d9d25d777325bb78abfa8ab0882e1b85ad84bb", + "imageId": "d18500ef-c0f7-5028-8c4c-1cd56c3a6652", + "name": "test-container" + }, + "executionTime": "2025-01-21T18:52:15.838Z", + "hash": "a0d0c6248d07a8fa8e3b6a94e218ff9c8c372ad6", + "id": "1560", + "path": "/usr/bin/touch", + "size": 109616, + "userId": "0", + "username": "root" + } + ] + } + } + }, + "input": { + "type": "http_endpoint" + }, + "agent": { + "id": "e425ece7-9fc7-4079-848d-704d48af5c13", + "name": "localhost.localdomain", + "type": "filebeat", + "version": "9.1.0", + "ephemeral_id": "25c849e7-4ea6-4751-805c-4156d849a2e5" + }, + "ecs": { + "version": "8.0.0" + }, + "host": { + "name": "localhost.localdomain" + } + } + ] +} \ No newline at end of file diff --git a/packages/wiz/data_stream/defend/_dev/test/pipeline/test-defend.json-expected.json b/packages/wiz/data_stream/defend/_dev/test/pipeline/test-defend.json-expected.json new file mode 100644 index 00000000000..5723d840ef0 --- /dev/null +++ b/packages/wiz/data_stream/defend/_dev/test/pipeline/test-defend.json-expected.json 
@@ -0,0 +1,265 @@ +{ + "expected": [ + { + "@timestamp": "2025-01-21T18:52:15.838Z", + "agent": { + "ephemeral_id": "25c849e7-4ea6-4751-805c-4156d849a2e5", + "id": "e425ece7-9fc7-4079-848d-704d48af5c13", + "name": "localhost.localdomain", + "type": "filebeat", + "version": "9.1.0" + }, + "cloud": { + "provider": "AWS" + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "action": "created", + "category": [ + "threat" + ], + "id": "2b46aa0d-9f46-5cb9-a6ae-e83ca514144a", + "kind": "event", + "original": "{\"severity\":\"MEDIUM\",\"threatId\":\"733edfe5-db25-5b14-ac58-dc69d6005c81\",\"detectionUrl\":\"https://test.wiz.io/detection\",\"description\":\"Process executed the touch binary with the relevant command line flag used to modify files date information such as creation time, and last modification time. This could indicate the presence of a threat actor achieving defense evasion using the Timestomping technique.\",\"source\":\"DETECTIONS\",\"trigger\":{\"ruleName\":\"Detections Webhook Test Rule\",\"source\":\"DETECTIONS\",\"ruleId\":\"a08fe977-3f54-48bf-adcf-f76994739c1f\",\"type\":\"Created\"},\"tdrId\":\"46fd0cdc-252e-5e69-be6e-66e4851d7ae4\",\"title\":\"Timestomping technique was 
detected\",\"triggeringEventsCount\":1,\"mitreTechniques\":[\"T1070.006\"],\"primaryResource\":{\"externalId\":\"test-container\",\"kubernetesNamespaceId\":\"ns-abc\",\"type\":\"CONTAINER\",\"cloudProviderUrl\":\"https://console.aws.amazon.com/ecs/home?region=us-east-1#/clusters/prod-cluster/tasks\",\"kubernetesClusterName\":\"prod-cluster\",\"providerUniqueId\":\"provider-resource-uid-456\",\"cloudAccount\":{\"cloudPlatform\":\"AWS\",\"externalId\":\"134653897021\",\"id\":\"5d67ed02-738e-5217-b065-d93642dd2629\"},\"kubernetesNamespaceName\":\"production\",\"nativeType\":\"ecs#containerinstance\",\"kubernetesNodeName\":\"eks-node-1\",\"name\":\"test-container\",\"id\":\"da259b23-de77-5adb-8336-8c4071696305\",\"region\":\"us-east-1\",\"kubernetesClusterId\":\"cluster-5678\",\"kubernetesNodeId\":\"node-1234\",\"status\":\"Running\"},\"tdrSource\":\"WIZ_SENSOR\",\"createdAt\":\"2025-01-21T18:52:16.819883668Z\",\"timeframe\":{\"start\":\"2025-01-21T18:52:15.838Z\",\"end\":\"2025-01-21T18:52:15.838Z\"},\"mitreTactics\":[\"TA0005\"],\"id\":\"6a440e9b-c8d8-5482-a0e9-da714359aecf\",\"primaryActor\":{\"nativeType\":\"Microsoft Entra ID Application Service Principal\",\"name\":\"test-actor\",\"externalId\":\"test-actor\",\"id\":\"4e1bd57f-49b2-47a8-a4a7-0e66fe0b770e\",\"type\":\"SERVICE_ACCOUNT\",\"email\":\"test-actor@wiz.io\"},\"threatURL\":\"https://test.wiz.io/issues#~(issue~'733edfe5-db25-5b14-ac58-dc69d6005c81)\",\"triggeringEvent\":{\"cloudPlatform\":\"AWS\",\"origin\":\"WIZ_SENSOR\",\"description\":\"The program /usr/bin/bash executed the program /usr/bin/touch on container 
test-container\",\"externalId\":\"Ptrace##test-container-SensorRuleEngine##sen-id-142-bd820642-34f2-4d3c-90b6-c384df0fd528\",\"resources\":[{\"externalId\":\"test-container\",\"kubernetesNamespaceId\":\"ns-abc\",\"type\":\"CONTAINER\",\"cloudProviderUrl\":\"https://console.aws.amazon.com/ecs/home?region=us-east-1#/clusters/prod-cluster/tasks\",\"kubernetesClusterName\":\"prod-cluster\",\"providerUniqueId\":\"provider-resource-uid-456\",\"cloudAccount\":{\"cloudPlatform\":\"AWS\",\"externalId\":\"134653897021\",\"id\":\"5d67ed02-738e-5217-b065-d93642dd2629\"},\"kubernetesNamespaceName\":\"production\",\"nativeType\":\"ecs#containerinstance\",\"kubernetesNodeName\":\"eks-node-1\",\"name\":\"test-container\",\"id\":\"da259b23-de77-5adb-8336-8c4071696305\",\"region\":\"us-east-1\",\"kubernetesClusterId\":\"cluster-5678\",\"kubernetesNodeId\":\"node-1234\",\"status\":\"Running\"}],\"source\":\"WizSensorAlert##RuleEngine\",\"runtimeDetails\":{\"processTree\":[{\"container\":{\"imageId\":\"d18500ef-c0f7-5028-8c4c-1cd56c3a6652\",\"name\":\"test-container\",\"externalId\":\"test-container\",\"imageExternalId\":\"sha256:dcad76015854d8bcab3041a631d9d25d777325bb78abfa8ab0882e1b85ad84bb\",\"id\":\"da259b23-de77-5adb-8336-8c4071696305\"},\"executionTime\":\"2025-01-21T18:52:15.838Z\",\"path\":\"/usr/bin/touch\",\"size\":109616,\"id\":\"1560\",\"userId\":\"0\",\"command\":\"touch -r /usr/bin /tmp/uga\",\"hash\":\"a0d0c6248d07a8fa8e3b6a94e218ff9c8c372ad6\",\"username\":\"root\"}]},\"cloudProviderUrl\":\"https://console.aws.amazon.com/cloudtrail/home?region=us-east-1#/events/Ptrace##test-container-SensorRuleEngine##sen-id-142-bd820642-34f2-4d3c-90b6-c384df0fd528\",\"actor\":{\"providerUniqueId\":\"provider-actor-id\",\"nativeType\":\"ecs#task\",\"name\":\"Test 
Actor\",\"externalId\":\"actor-external-id\",\"actingAs\":{\"nativeType\":\"aws#iamrole\",\"name\":\"AssumedRole\",\"id\":\"assumed-role-id\",\"type\":\"IAMRole\"},\"id\":\"4e1bd57f-49b2-47a8-a4a7-0e66fe0b770e\",\"type\":\"Process\"},\"actorIPMeta\":{\"reputationDescription\":\"No malicious activity detected\",\"reputationSource\":\"Recorded Future\",\"country\":\"United States\",\"relatedAttackGroupNames\":\"None\",\"isForeign\":true,\"reputation\":\"Benign\",\"autonomousSystemNumber\":8075,\"autonomousSystemOrganization\":\"MICROSOFT-CORP-MSN-AS-BLOCK\"},\"eventTime\":\"2025-01-21T18:52:15.838Z\",\"name\":\"Timestomping technique was detected\",\"id\":\"2b46aa0d-9f46-5cb9-a6ae-e83ca514144a\",\"category\":\"Detection\",\"actorIP\":\"81.2.69.192\",\"status\":\"Success\"},\"cloudOrganizations\":[{\"cloudProvider\":\"AWS\",\"name\":\"AcmeCloudOrg\",\"externalId\":\"o-1234567890\"}]}", + "outcome": "success", + "provider": "WizSensorAlert##RuleEngine", + "reference": "https://test.wiz.io/detection", + "severity": 47, + "type": [ + "indicator" + ] + }, + "host": { + "name": "localhost.localdomain" + }, + "input": { + "type": "http_endpoint" + }, + "message": "The program /usr/bin/bash executed the program /usr/bin/touch on container test-container", + "observer": { + "product": "Defend", + "vendor": "Wiz" + }, + "related": { + "hash": [ + "a0d0c6248d07a8fa8e3b6a94e218ff9c8c372ad6" + ], + "ip": [ + "81.2.69.192" + ], + "user": [ + "test-actor@wiz.io", + "4e1bd57f-49b2-47a8-a4a7-0e66fe0b770e", + "test-actor", + "Test Actor", + "0", + "root" + ] + }, + "rule": { + "id": "a08fe977-3f54-48bf-adcf-f76994739c1f", + "name": "Detections Webhook Test Rule" + }, + "source": { + "as": { + "number": 8075, + "organization": { + "name": "MICROSOFT-CORP-MSN-AS-BLOCK" + } + }, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": 
"GB-ENG", + "region_name": "England" + } + }, + "tags": [ + "preserve_duplicate_custom_fields" + ], + "threat": { + "indicator": { + "id": [ + "733edfe5-db25-5b14-ac58-dc69d6005c81" + ], + "reference": "https://test.wiz.io/issues#~(issue~'733edfe5-db25-5b14-ac58-dc69d6005c81)" + }, + "tactic": { + "id": [ + "TA0005" + ] + }, + "technique": { + "id": [ + "T1070.006" + ] + } + }, + "user": { + "id": "4e1bd57f-49b2-47a8-a4a7-0e66fe0b770e", + "name": "Test Actor" + }, + "wiz": { + "defend": { + "cloudOrganizations": [ + { + "cloudProvider": "AWS", + "externalId": "o-1234567890", + "name": "AcmeCloudOrg" + } + ], + "created_at": "2025-01-21T18:52:16.819Z", + "description": "Process executed the touch binary with the relevant command line flag used to modify files date information such as creation time, and last modification time. This could indicate the presence of a threat actor achieving defense evasion using the Timestomping technique.", + "detection_url": "https://test.wiz.io/detection", + "friendly_name": "Detections Webhook Test Rule", + "id": "6a440e9b-c8d8-5482-a0e9-da714359aecf", + "mitreTactics": [ + "TA0005" + ], + "mitreTechniques": [ + "T1070.006" + ], + "primary_actor": { + "email": "test-actor@wiz.io", + "external_id": "test-actor", + "id": "4e1bd57f-49b2-47a8-a4a7-0e66fe0b770e", + "name": "test-actor", + "native_type": "Microsoft Entra ID Application Service Principal", + "type": "SERVICE_ACCOUNT" + }, + "primary_resource": { + "cloud_account": { + "cloud_platform": "AWS", + "external_id": "134653897021", + "id": "5d67ed02-738e-5217-b065-d93642dd2629" + }, + "cloud_provider_url": "https://console.aws.amazon.com/ecs/home?region=us-east-1#/clusters/prod-cluster/tasks", + "external_id": "test-container", + "id": "da259b23-de77-5adb-8336-8c4071696305", + "kubernetes_cluster_id": "cluster-5678", + "kubernetes_cluster_name": "prod-cluster", + "kubernetes_namespace_id": "ns-abc", + "kubernetes_namespace_name": "production", + "kubernetes_node_id": "node-1234", 
+ "kubernetes_node_name": "eks-node-1", + "name": "test-container", + "native_type": "ecs#containerinstance", + "provider_unique_id": "provider-resource-uid-456", + "region": "us-east-1", + "status": "Running", + "type": "CONTAINER" + }, + "severity": "MEDIUM", + "source": "DETECTIONS", + "tdr_id": "46fd0cdc-252e-5e69-be6e-66e4851d7ae4", + "tdr_source": "WIZ_SENSOR", + "threat_id": "733edfe5-db25-5b14-ac58-dc69d6005c81", + "threat_url": "https://test.wiz.io/issues#~(issue~'733edfe5-db25-5b14-ac58-dc69d6005c81)", + "timeframe": { + "end": "2025-01-21T18:52:15.838Z", + "start": "2025-01-21T18:52:15.838Z" + }, + "title": "Timestomping technique was detected", + "trigger": { + "rule_id": "a08fe977-3f54-48bf-adcf-f76994739c1f", + "rule_name": "Detections Webhook Test Rule", + "source": "DETECTIONS", + "type": "Created" + }, + "triggering_event": { + "actor": { + "acting_as": { + "id": "assumed-role-id", + "name": "AssumedRole", + "native_type": "aws#iamrole", + "type": "IAMRole" + }, + "external_id": "actor-external-id", + "id": "4e1bd57f-49b2-47a8-a4a7-0e66fe0b770e", + "name": "Test Actor", + "native_type": "ecs#task", + "provider_unique_id": "provider-actor-id", + "type": "Process" + }, + "actor_ip": "81.2.69.192", + "actor_ip_meta": { + "autonomous_system_number": 8075, + "autonomous_system_organization": "MICROSOFT-CORP-MSN-AS-BLOCK", + "country": "United States", + "is_foreign": true, + "related_attack_group_names": "None", + "reputation": "Benign", + "reputation_description": "No malicious activity detected", + "reputation_source": "Recorded Future" + }, + "category": "Detection", + "cloud_platform": "AWS", + "cloud_provider_url": "https://console.aws.amazon.com/cloudtrail/home?region=us-east-1#/events/Ptrace##test-container-SensorRuleEngine##sen-id-142-bd820642-34f2-4d3c-90b6-c384df0fd528", + "description": "The program /usr/bin/bash executed the program /usr/bin/touch on container test-container", + "event_time": "2025-01-21T18:52:15.838Z", + "external_id": 
"Ptrace##test-container-SensorRuleEngine##sen-id-142-bd820642-34f2-4d3c-90b6-c384df0fd528", + "id": "2b46aa0d-9f46-5cb9-a6ae-e83ca514144a", + "name": "Timestomping technique was detected", + "origin": "WIZ_SENSOR", + "resources": [ + { + "cloud_account": { + "cloud_platform": "AWS", + "external_id": "134653897021", + "id": "5d67ed02-738e-5217-b065-d93642dd2629" + }, + "cloud_provider_url": "https://console.aws.amazon.com/ecs/home?region=us-east-1#/clusters/prod-cluster/tasks", + "external_id": "test-container", + "id": "da259b23-de77-5adb-8336-8c4071696305", + "kubernetes_cluster_id": "cluster-5678", + "kubernetes_cluster_name": "prod-cluster", + "kubernetes_namespace_id": "ns-abc", + "kubernetes_namespace_name": "production", + "kubernetes_node_id": "node-1234", + "kubernetes_node_name": "eks-node-1", + "name": "test-container", + "native_type": "ecs#containerinstance", + "provider_unique_id": "provider-resource-uid-456", + "region": "us-east-1", + "status": "Running", + "type": "CONTAINER" + } + ], + "runtime_details": { + "process_tree": [ + { + "command": "touch -r /usr/bin /tmp/uga", + "container": { + "external_id": "test-container", + "id": "da259b23-de77-5adb-8336-8c4071696305", + "image_external_id": "sha256:dcad76015854d8bcab3041a631d9d25d777325bb78abfa8ab0882e1b85ad84bb", + "image_id": "d18500ef-c0f7-5028-8c4c-1cd56c3a6652", + "name": "test-container" + }, + "execution_time": "2025-01-21T18:52:15.838Z", + "hash": "a0d0c6248d07a8fa8e3b6a94e218ff9c8c372ad6", + "id": "1560", + "path": "/usr/bin/touch", + "size": 109616, + "user_id": "0", + "username": "root" + } + ] + }, + "source": "WizSensorAlert##RuleEngine", + "status": "Success" + }, + "triggering_events_count": 1 + } + } + } + ] +} diff --git a/packages/wiz/data_stream/defend/_dev/test/system/test-http-endpoint-basic-config.yml b/packages/wiz/data_stream/defend/_dev/test/system/test-http-endpoint-basic-config.yml new file mode 100644 index 00000000000..9c4278c82b2 --- /dev/null 
+++ b/packages/wiz/data_stream/defend/_dev/test/system/test-http-endpoint-basic-config.yml @@ -0,0 +1,13 @@ +service: wiz-defend-basic +service_notify_signal: SIGHUP +input: http_endpoint +data_stream: + vars: + listen_address: 0.0.0.0 + listen_port: 9589 + url: / + basic_auth: "true" + username: testuser + password: xxxx + preserve_original_event: true + preserve_duplicate_custom_fields: true diff --git a/packages/wiz/data_stream/defend/_dev/test/system/test-http-endpoint-no-auth-config.yml b/packages/wiz/data_stream/defend/_dev/test/system/test-http-endpoint-no-auth-config.yml new file mode 100644 index 00000000000..caa1a58532f --- /dev/null +++ b/packages/wiz/data_stream/defend/_dev/test/system/test-http-endpoint-no-auth-config.yml @@ -0,0 +1,11 @@ +service: wiz-defend-no-auth +service_notify_signal: SIGHUP +input: http_endpoint +data_stream: + vars: + listen_address: 0.0.0.0 + listen_port: 9588 + url: / + basic_auth: "false" + preserve_original_event: true + preserve_duplicate_custom_fields: true diff --git a/packages/wiz/data_stream/defend/_dev/test/system/test-http-endpoint-token-config.yml b/packages/wiz/data_stream/defend/_dev/test/system/test-http-endpoint-token-config.yml new file mode 100644 index 00000000000..a60863b9842 --- /dev/null +++ b/packages/wiz/data_stream/defend/_dev/test/system/test-http-endpoint-token-config.yml @@ -0,0 +1,13 @@ +service: wiz-defend-token +service_notify_signal: SIGHUP +input: http_endpoint +data_stream: + vars: + listen_address: 0.0.0.0 + listen_port: 9590 + url: / + basic_auth: "false" + secret_header: testheader + secret_value: abc123 + preserve_original_event: true + preserve_duplicate_custom_fields: true diff --git a/packages/wiz/data_stream/defend/agent/stream/http_endpoint.yml.hbs b/packages/wiz/data_stream/defend/agent/stream/http_endpoint.yml.hbs new file mode 100644 index 00000000000..4ad51402e77 --- /dev/null +++ b/packages/wiz/data_stream/defend/agent/stream/http_endpoint.yml.hbs 
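Review bot: in the `test-defend.json-expected.json` hunk, the `wiz.defend` object mixes naming conventions: `created_at`, `tdr_id`, `primary_actor` and `triggering_event` are snake_case, but `cloudOrganizations`, `mitreTactics` and `mitreTechniques` stay camelCase, which suggests those three are not being renamed by the pipeline and will either miss the field mappings or land as unexpected fields. Rename them to `cloud_organizations`, `mitre_tactics` and `mitre_techniques`, or drop the last two since the same values already land in `threat.tactic.id` and `threat.technique.id`. Also, `cloud.provider` is `"AWS"` here while the `cloud_configuration_finding` sample events in this PR emit lowercase `"aws"`; lowercase it so a single query across the package's streams matches.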
@@ -0,0 +1,82 @@ +listen_address: {{listen_address}} +listen_port: {{listen_port}} +{{#if url}} +url: {{url}} +{{/if}} +basic_auth: {{basic_auth}} +{{#if basic_auth}} +username: {{username}} +password: {{password}} +{{/if}} +{{#if token}} +secret.header: Authorization +secret.value: Bearer {{token}} +{{/if}} +prefix: "json" +program: | + obj.triggeringEvents.map(r, { + ?"trigger": obj.?trigger, + ?"id": obj.?id, + ?"threatId": obj.?threatId, + ?"threatURL": obj.?threatURL, + ?"title": obj.?title, + ?"source": obj.?source, + ?"detectionUrl": obj.?detectionUrl, + ?"description": obj.?description, + ?"severity": obj.?severity, + "createdAt": string(obj.createdAt), + ?"tdrId": obj.?tdrId, + ?"tdrSource": obj.?tdrSource, + ?"mitreTactics": obj.?mitreTactics, + ?"mitreTechniques": obj.?mitreTechniques, + ?"cloudAccounts": obj.?cloudAccounts, + ?"cloudOrganizations": obj.?cloudOrganizations, + ?"timeframe": obj.?timeframe, + ?"primaryActor": obj.?primaryActor, + ?"primaryResource": obj.?primaryResource, + ?"triggeringEventsCount": obj.?triggeringEventsCount, + "triggeringEvent": { + ?"actor": obj.actors.filter(a, a.id == r.actor.id)[?0], + ?"actorIP": r.?actorIP, + ?"actorIPMeta": r.?actorIPMeta, + ?"category": r.?category, + ?"cloudPlatform": r.?cloudPlatform, + ?"cloudProviderUrl": r.?cloudProviderUrl, + ?"description": r.?description, + ?"eventTime": r.?eventTime, + ?"externalId": r.?externalId, + ?"id": r.?id, + ?"name": r.?name, + ?"origin": r.?origin, + "resources": obj.resources.filter(re, r.resources.exists(r, r.id == re.id)), + ?"runtimeDetails": r.?runtimeDetails, + ?"source": r.?source, + ?"status": r.?status + } + }) +{{#if preserve_original_event}} +preserve_original_event: true +{{/if}} +{{#if preserve_duplicate_custom_fields}} +preserve_duplicate_custom_fields: true +{{/if}} +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#if preserve_duplicate_custom_fields}} + - preserve_duplicate_custom_fields +{{/if}} +{{#each tags as 
|tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if ssl}} +ssl: {{ssl}} +{{/if}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/wiz/data_stream/defend/elasticsearch/ingest_pipeline/default.yml b/packages/wiz/data_stream/defend/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..c9281ac3d61 --- /dev/null +++ b/packages/wiz/data_stream/defend/elasticsearch/ingest_pipeline/default.yml 
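Review bot: the CEL `program` dereferences `obj.triggeringEvents`, `obj.createdAt`, `obj.actors`, `obj.resources`, `r.resources` and `r.actor.id` without optional access while every other field uses `?`, so a payload missing any of them (a detection with no actor, or an event with no `resources`) fails the whole program and drops the webhook request; suggest `obj.?triggeringEvents.orValue([])`, `obj.?actors.orValue([])`, `obj.?resources.orValue([])`, `r.?resources.orValue([])` and guarding the actor lookup with `has(r.actor)`. In the same block, `r.resources.exists(r, r.id == re.id)` reuses `r` as the inner iteration variable, shadowing the outer triggering event; rename it (for example `x`) so the comparison reads unambiguously. Finally, `secret.header` is hard-coded to `Authorization` with a `Bearer` prefix; if Wiz lets the operator choose the header name, exposing it as a variable would avoid tying the integration to that one shape.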
@@ -0,0 +1,993 @@ +--- +description: Pipeline for processing Wiz Defend logs. +processors: + - set: + field: ecs.version + tag: set_ecs_version + value: 8.17.0 + - set: + field: observer.product + tag: set_observer_product + value: Defend + - set: + field: observer.vendor + tag: set_observer_vendor + value: Wiz + - set: + field: event.kind + tag: set_event_kind + value: event + - append: + field: event.type + tag: append_event_type + value: indicator + - append: + field: event.category + tag: append_event_category + value: threat + - script: + tag: script_add_event_original + lang: painless + description: Add "event.original" + if: ctx.json instanceof Map + source: | + def stringified_orig = Json.dump(ctx.json); + if (stringified_orig != null) { + ctx.event = ctx.event ?: [:]; + ctx.event.original = stringified_orig; + } + - rename: + field: json.cloudOrganizations + tag: rename_cloudOrganizations + target_field: wiz.defend.cloudOrganizations + ignore_missing: true + - date: + field: json.createdAt + tag: date_createdAt + target_field: wiz.defend.created_at + formats: + - ISO8601 + if: ctx.json?.createdAt != null && ctx.json.createdAt != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.description + tag: rename_description + target_field: wiz.defend.description + ignore_missing: true + - rename: + field: json.detectionUrl + tag: rename_detectionUrl + target_field: wiz.defend.detection_url + ignore_missing: true + - set: + field: event.reference + tag: set_event_reference_from_defend_detection_url + copy_from: wiz.defend.detection_url + ignore_empty_value: true + - rename: + field: json.id + tag: rename_id + target_field: wiz.defend.id + ignore_missing: true + - foreach: + field: json.mitreTactics + tag: 
foreach_mitreTactics_into_threat_tactic_id + if: ctx.json?.mitreTactics instanceof List + processor: + append: + field: threat.tactic.id + tag: append_mitreTactics_into_threat_tactic_id + value: '{{{_ingest._value}}}' + allow_duplicates: false + - rename: + field: json.mitreTactics + tag: rename_mitreTactics + target_field: wiz.defend.mitreTactics + ignore_missing: true + - foreach: + field: json.mitreTechniques + tag: foreach_mitreTechniques_into_threat_technique_id + if: ctx.json?.mitreTechniques instanceof List + processor: + append: + field: threat.technique.id + tag: append_mitreTechniques_into_threat_technique_id + value: '{{{_ingest._value}}}' + allow_duplicates: false + - rename: + field: json.mitreTechniques + tag: rename_mitreTechniques + target_field: wiz.defend.mitreTechniques + ignore_missing: true + - rename: + field: json.primaryActor.email + tag: rename_primaryActor_email + target_field: wiz.defend.primary_actor.email + ignore_missing: true + - append: + field: related.user + tag: append_user_on_behalf_of_primary_actor_email + value: '{{{wiz.defend.primary_actor.email}}}' + if: ctx.wiz?.defend?.primary_actor?.email != null + allow_duplicates: false + - rename: + field: json.primaryActor.externalId + tag: rename_primaryActor_externalId + target_field: wiz.defend.primary_actor.external_id + ignore_missing: true + - rename: + field: json.primaryActor.id + tag: rename_primaryActor_id + target_field: wiz.defend.primary_actor.id + ignore_missing: true + - append: + field: related.user + tag: append_user_on_behalf_of_primary_actor_id + value: '{{{wiz.defend.primary_actor.id}}}' + if: ctx.wiz?.defend?.primary_actor?.id != null + allow_duplicates: false + - rename: + field: json.primaryActor.name + tag: rename_primaryActor_name + target_field: wiz.defend.primary_actor.name + ignore_missing: true + - append: + field: related.user + tag: append_user_on_behalf_of_primary_actor_name + value: '{{{wiz.defend.primary_actor.name}}}' + if: 
ctx.wiz?.defend?.primary_actor?.name != null + allow_duplicates: false + - rename: + field: json.primaryActor.nativeType + tag: rename_primaryActor_nativeType + target_field: wiz.defend.primary_actor.native_type + ignore_missing: true + - rename: + field: json.primaryActor.type + tag: rename_primaryActor_type + target_field: wiz.defend.primary_actor.type + ignore_missing: true + - rename: + field: json.primaryResource.cloudAccount.cloudPlatform + tag: rename_primaryResource_cloudAccount_cloudPlatform + target_field: wiz.defend.primary_resource.cloud_account.cloud_platform + ignore_missing: true + - rename: + field: json.primaryResource.cloudAccount.externalId + tag: rename_primaryResource_cloudAccount_externalId + target_field: wiz.defend.primary_resource.cloud_account.external_id + ignore_missing: true + - rename: + field: json.primaryResource.cloudAccount.id + tag: rename_primaryResource_cloudAccount_id + target_field: wiz.defend.primary_resource.cloud_account.id + ignore_missing: true + - rename: + field: json.primaryResource.cloudProviderUrl + tag: rename_primaryResource_cloudProviderUrl + target_field: wiz.defend.primary_resource.cloud_provider_url + ignore_missing: true + - rename: + field: json.primaryResource.externalId + tag: rename_primaryResource_externalId + target_field: wiz.defend.primary_resource.external_id + ignore_missing: true + - rename: + field: json.primaryResource.id + tag: rename_primaryResource_id + target_field: wiz.defend.primary_resource.id + ignore_missing: true + - rename: + field: json.primaryResource.kubernetesClusterId + tag: rename_primaryResource_kubernetesClusterId + target_field: wiz.defend.primary_resource.kubernetes_cluster_id + ignore_missing: true + - rename: + field: json.primaryResource.kubernetesClusterName + tag: rename_primaryResource_kubernetesClusterName + target_field: wiz.defend.primary_resource.kubernetes_cluster_name + ignore_missing: true + - rename: + field: json.primaryResource.kubernetesNamespaceId + tag: 
rename_primaryResource_kubernetesNamespaceId + target_field: wiz.defend.primary_resource.kubernetes_namespace_id + ignore_missing: true + - rename: + field: json.primaryResource.kubernetesNamespaceName + tag: rename_primaryResource_kubernetesNamespaceName + target_field: wiz.defend.primary_resource.kubernetes_namespace_name + ignore_missing: true + - rename: + field: json.primaryResource.kubernetesNodeId + tag: rename_primaryResource_kubernetesNodeId + target_field: wiz.defend.primary_resource.kubernetes_node_id + ignore_missing: true + - rename: + field: json.primaryResource.kubernetesNodeName + tag: rename_primaryResource_kubernetesNodeName + target_field: wiz.defend.primary_resource.kubernetes_node_name + ignore_missing: true + - rename: + field: json.primaryResource.name + tag: rename_primaryResource_name + target_field: wiz.defend.primary_resource.name + ignore_missing: true + - rename: + field: json.primaryResource.nativeType + tag: rename_primaryResource_nativeType + target_field: wiz.defend.primary_resource.native_type + ignore_missing: true + - rename: + field: json.primaryResource.providerUniqueId + tag: rename_primaryResource_providerUniqueId + target_field: wiz.defend.primary_resource.provider_unique_id + ignore_missing: true + - rename: + field: json.primaryResource.region + tag: rename_primaryResource_region + target_field: wiz.defend.primary_resource.region + ignore_missing: true + - rename: + field: json.primaryResource.status + tag: rename_primaryResource_status + target_field: wiz.defend.primary_resource.status + ignore_missing: true + - rename: + field: json.primaryResource.type + tag: rename_primaryResource_type + target_field: wiz.defend.primary_resource.type + ignore_missing: true + - rename: + field: json.severity + tag: rename_severity + target_field: wiz.defend.severity + ignore_missing: true + - script: + lang: painless + description: Script to set event.severity. 
+ tag: set_event_severity + if: ctx.wiz?.defend?.severity instanceof String + source: |- + ctx.event = ctx.event ?: [:]; + String severity = ctx.wiz.defend.severity; + if (severity.equalsIgnoreCase("low")) { + ctx.event.severity = 21; + } else if (severity.equalsIgnoreCase("informational")) { + ctx.event.severity = 21; + } else if (severity.equalsIgnoreCase("medium")) { + ctx.event.severity = 47; + } else if (severity.equalsIgnoreCase("high")) { + ctx.event.severity = 73; + } else if (severity.equalsIgnoreCase("critical")) { + ctx.event.severity = 99; + } + - rename: + field: json.source + tag: rename_source + target_field: wiz.defend.source + ignore_missing: true + - rename: + field: json.tdrId + tag: rename_tdrId + target_field: wiz.defend.tdr_id + ignore_missing: true + - rename: + field: json.tdrSource + tag: rename_tdrSource + target_field: wiz.defend.tdr_source + ignore_missing: true + - rename: + field: json.threatId + tag: rename_threatId + target_field: wiz.defend.threat_id + ignore_missing: true + - append: + field: threat.indicator.id + tag: set_threat_indicator_id + value: '{{{wiz.defend.threat_id}}}' + allow_duplicates: false + if: ctx.wiz?.defend?.threat_id != null + - rename: + field: json.threatURL + tag: rename_threatURL + target_field: wiz.defend.threat_url + ignore_missing: true + - set: + field: threat.indicator.reference + tag: set_threat_indicator_reference_from_defend_threat_url + copy_from: wiz.defend.threat_url + ignore_empty_value: true + - date: + field: json.timeframe.end + tag: date_timeframe_end + target_field: wiz.defend.timeframe.end + formats: + - ISO8601 + if: ctx.json?.timeframe?.end != null && ctx.json.timeframe.end != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: json.timeframe.start + tag: 
date_timeframe_start + target_field: wiz.defend.timeframe.start + formats: + - ISO8601 + if: ctx.json?.timeframe?.start != null && ctx.json.timeframe.start != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.title + tag: rename_title + target_field: wiz.defend.title + ignore_missing: true + - rename: + field: json.trigger.ruleId + tag: rename_trigger_ruleId + target_field: wiz.defend.trigger.rule_id + ignore_missing: true + - set: + field: rule.id + tag: set_rule_id_from_defend_trigger_rule_id + copy_from: wiz.defend.trigger.rule_id + ignore_empty_value: true + - rename: + field: json.trigger.ruleName + tag: rename_trigger_ruleName + target_field: wiz.defend.trigger.rule_name + ignore_missing: true + - set: + field: rule.name + tag: set_rule_name_from_defend_trigger_rule_name + copy_from: wiz.defend.trigger.rule_name + ignore_empty_value: true + - set: + field: wiz.defend.friendly_name + tag: set_wiz_defend_friendly_name_from_defend_trigger_rule_name + copy_from: wiz.defend.trigger.rule_name + ignore_empty_value: true + - rename: + field: json.trigger.source + tag: rename_trigger_source + target_field: wiz.defend.trigger.source + ignore_missing: true + - rename: + field: json.trigger.type + tag: rename_trigger_type + target_field: wiz.defend.trigger.type + ignore_missing: true + - set: + field: event.action + tag: set_event_action_from_defend_trigger_type + copy_from: wiz.defend.trigger.type + ignore_empty_value: true + - lowercase: + field: event.action + tag: lowercase_event_action + ignore_missing: true + - split: + field: event.action + tag: split_event_action + separator: \s+ + ignore_missing: true + if: ctx.event?.action != '' + on_failure: + - append: + field: error.message + value: 'Processor 
{{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - join: + field: event.action + tag: join_event_action + separator: '-' + if: ctx.event?.action instanceof List + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.triggeringEvent.actor.actingAs.id + tag: rename_triggeringEvent_actor_actingAs_id + target_field: wiz.defend.triggering_event.actor.acting_as.id + ignore_missing: true + - rename: + field: json.triggeringEvent.actor.actingAs.name + tag: rename_triggeringEvent_actor_actingAs_name + target_field: wiz.defend.triggering_event.actor.acting_as.name + ignore_missing: true + - rename: + field: json.triggeringEvent.actor.actingAs.nativeType + tag: rename_triggeringEvent_actor_actingAs_nativeType + target_field: wiz.defend.triggering_event.actor.acting_as.native_type + ignore_missing: true + - rename: + field: json.triggeringEvent.actor.actingAs.type + tag: rename_triggeringEvent_actor_actingAs_type + target_field: wiz.defend.triggering_event.actor.acting_as.type + ignore_missing: true + - rename: + field: json.triggeringEvent.actor.externalId + tag: rename_triggeringEvent_actor_externalId + target_field: wiz.defend.triggering_event.actor.external_id + ignore_missing: true + - rename: + field: json.triggeringEvent.actor.id + tag: rename_triggeringEvent_actor_id + target_field: wiz.defend.triggering_event.actor.id + ignore_missing: true + - append: + field: related.user + tag: append_user_on_behalf_of_triggering_event_actor_id + value: '{{{wiz.defend.triggering_event.actor.id}}}' + if: ctx.wiz?.defend?.triggering_event?.actor?.id != null + allow_duplicates: false + - set: + field: user.id + tag: 
set_user_id_from_defend_triggering_event_actor_id + copy_from: wiz.defend.triggering_event.actor.id + ignore_empty_value: true + - rename: + field: json.triggeringEvent.actor.name + tag: rename_triggeringEvent_actor_name + target_field: wiz.defend.triggering_event.actor.name + ignore_missing: true + - append: + field: related.user + tag: append_user_on_behalf_of_triggering_event_actor_name + value: '{{{wiz.defend.triggering_event.actor.name}}}' + if: ctx.wiz?.defend?.triggering_event?.actor?.name != null + allow_duplicates: false + - set: + field: user.name + tag: set_user_name_from_defend_triggering_event_actor_name + copy_from: wiz.defend.triggering_event.actor.name + ignore_empty_value: true + - rename: + field: json.triggeringEvent.actor.nativeType + tag: rename_triggeringEvent_actor_nativeType + target_field: wiz.defend.triggering_event.actor.native_type + ignore_missing: true + - rename: + field: json.triggeringEvent.actor.providerUniqueId + tag: rename_triggeringEvent_actor_providerUniqueId + target_field: wiz.defend.triggering_event.actor.provider_unique_id + ignore_missing: true + - rename: + field: json.triggeringEvent.actor.type + tag: rename_triggeringEvent_actor_type + target_field: wiz.defend.triggering_event.actor.type + ignore_missing: true + - geoip: + field: json.triggeringEvent.actorIP + target_field: source.geo + ignore_missing: true + - append: + field: related.ip + value: "{{{json.triggeringEvent.actorIP}}}" + ignore_failure: true + if: ctx.json?.triggeringEvent?.actorIP != null + allow_duplicates: false + - convert: + field: json.triggeringEvent.actorIP + tag: convert_triggeringEvent_actorIP_to_ip + target_field: wiz.defend.triggering_event.actor_ip + type: ip + ignore_missing: true + if: ctx.json?.triggeringEvent?.actorIP != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with 
message: {{{_ingest.on_failure_message}}}' + - convert: + field: json.triggeringEvent.actorIPMeta.autonomousSystemNumber + tag: convert_triggeringEvent_actorIPMeta_autonomousSystemNumber_to_long + target_field: wiz.defend.triggering_event.actor_ip_meta.autonomous_system_number + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: source.as.number + tag: set_source_as_number_from_defend_triggering_event_actor_ip_meta_autonomous_system_number + copy_from: wiz.defend.triggering_event.actor_ip_meta.autonomous_system_number + ignore_empty_value: true + - rename: + field: json.triggeringEvent.actorIPMeta.autonomousSystemOrganization + tag: rename_triggeringEvent_actorIPMeta_autonomousSystemOrganization + target_field: wiz.defend.triggering_event.actor_ip_meta.autonomous_system_organization + ignore_missing: true + - set: + field: source.as.organization.name + tag: set_source_as_organization_name_from_defend_triggering_event_actor_ip_meta_autonomous_system_organization + copy_from: wiz.defend.triggering_event.actor_ip_meta.autonomous_system_organization + ignore_empty_value: true + - rename: + field: json.triggeringEvent.actorIPMeta.country + tag: rename_triggeringEvent_actorIPMeta_country + target_field: wiz.defend.triggering_event.actor_ip_meta.country + ignore_missing: true + - convert: + field: json.triggeringEvent.actorIPMeta.isForeign + tag: convert_triggeringEvent_actorIPMeta_isForeign_to_boolean + target_field: wiz.defend.triggering_event.actor_ip_meta.is_foreign + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed 
with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.triggeringEvent.actorIPMeta.relatedAttackGroupNames + tag: rename_triggeringEvent_actorIPMeta_relatedAttackGroupNames + target_field: wiz.defend.triggering_event.actor_ip_meta.related_attack_group_names + ignore_missing: true + - rename: + field: json.triggeringEvent.actorIPMeta.reputation + tag: rename_triggeringEvent_actorIPMeta_reputation + target_field: wiz.defend.triggering_event.actor_ip_meta.reputation + ignore_missing: true + - rename: + field: json.triggeringEvent.actorIPMeta.reputationDescription + tag: rename_triggeringEvent_actorIPMeta_reputationDescription + target_field: wiz.defend.triggering_event.actor_ip_meta.reputation_description + ignore_missing: true + - rename: + field: json.triggeringEvent.actorIPMeta.reputationSource + tag: rename_triggeringEvent_actorIPMeta_reputationSource + target_field: wiz.defend.triggering_event.actor_ip_meta.reputation_source + ignore_missing: true + - rename: + field: json.triggeringEvent.category + tag: rename_triggeringEvent_category + target_field: wiz.defend.triggering_event.category + ignore_missing: true + - rename: + field: json.triggeringEvent.cloudPlatform + tag: rename_triggeringEvent_cloudPlatform + target_field: wiz.defend.triggering_event.cloud_platform + ignore_missing: true + - set: + field: cloud.provider + tag: set_cloud_provider_from_defend_triggering_event_cloud_platform + copy_from: wiz.defend.triggering_event.cloud_platform + ignore_empty_value: true + - rename: + field: json.triggeringEvent.cloudProviderUrl + tag: rename_triggeringEvent_cloudProviderUrl + target_field: wiz.defend.triggering_event.cloud_provider_url + ignore_missing: true + - rename: + field: json.triggeringEvent.description + tag: rename_triggeringEvent_description + target_field: wiz.defend.triggering_event.description + ignore_missing: true + - set: + field: message + tag: set_message_from_defend_triggering_event_description + copy_from: 
wiz.defend.triggering_event.description + ignore_empty_value: true + - date: + field: json.triggeringEvent.eventTime + tag: date_triggeringEvent_eventTime + target_field: wiz.defend.triggering_event.event_time + formats: + - ISO8601 + if: ctx.json?.triggeringEvent?.eventTime != null && ctx.json.triggeringEvent.eventTime != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: '@timestamp' + tag: set_@timestamp_from_defend_triggering_event_event_time + copy_from: wiz.defend.triggering_event.event_time + ignore_empty_value: true + - rename: + field: json.triggeringEvent.externalId + tag: rename_triggeringEvent_externalId + target_field: wiz.defend.triggering_event.external_id + ignore_missing: true + - rename: + field: json.triggeringEvent.id + tag: rename_triggeringEvent_id + target_field: wiz.defend.triggering_event.id + ignore_missing: true + - set: + field: event.id + tag: set_event_id_from_defend_triggering_event_id + copy_from: wiz.defend.triggering_event.id + ignore_empty_value: true + - rename: + field: json.triggeringEvent.name + tag: rename_triggeringEvent_name + target_field: wiz.defend.triggering_event.name + ignore_missing: true + - rename: + field: json.triggeringEvent.origin + tag: rename_triggeringEvent_origin + target_field: wiz.defend.triggering_event.origin + ignore_missing: true + - foreach: + field: json.triggeringEvent.resources + tag: foreach_triggeringEvent_resources_cloudAccount_cloudPlatform + if: ctx.json?.triggeringEvent?.resources instanceof List + processor: + rename: + field: _ingest._value.cloudAccount.cloudPlatform + tag: rename_triggeringEvent_resources_cloudAccount_cloudPlatform + target_field: _ingest._value.cloud_account.cloud_platform + ignore_missing: true + - foreach: + field: json.triggeringEvent.resources 
+ tag: foreach_triggeringEvent_resources_cloudAccount_externalId + if: ctx.json?.triggeringEvent?.resources instanceof List + processor: + rename: + field: _ingest._value.cloudAccount.externalId + tag: rename_triggeringEvent_resources_cloudAccount_externalId + target_field: _ingest._value.cloud_account.external_id + ignore_missing: true + - foreach: + field: json.triggeringEvent.resources + tag: foreach_triggeringEvent_resources_cloudAccount_id + if: ctx.json?.triggeringEvent?.resources instanceof List + processor: + rename: + field: _ingest._value.cloudAccount.id + tag: rename_triggeringEvent_resources_cloudAccount_id + target_field: _ingest._value.cloud_account.id + ignore_missing: true + - foreach: + field: json.triggeringEvent.resources + tag: foreach_triggeringEvent_resources_cloud_provider_url + if: ctx.json?.triggeringEvent?.resources instanceof List + processor: + rename: + field: _ingest._value.cloudProviderUrl + tag: rename_triggeringEvent_resources_cloudProviderUrl + target_field: _ingest._value.cloud_provider_url + ignore_missing: true + - foreach: + field: json.triggeringEvent.resources + tag: foreach_triggeringEvent_resources_externalId + if: ctx.json?.triggeringEvent?.resources instanceof List + processor: + rename: + field: _ingest._value.externalId + tag: rename_triggeringEvent_resources_externalId + target_field: _ingest._value.external_id + ignore_missing: true + - foreach: + field: json.triggeringEvent.resources + tag: foreach_triggeringEvent_resources_kubernetesClusterId + if: ctx.json?.triggeringEvent?.resources instanceof List + processor: + rename: + field: _ingest._value.kubernetesClusterId + tag: rename_triggeringEvent_resources_kubernetesClusterId + target_field: _ingest._value.kubernetes_cluster_id + ignore_missing: true + - foreach: + field: json.triggeringEvent.resources + tag: foreach_triggeringEvent_resources_kubernetesClusterName + if: ctx.json?.triggeringEvent?.resources instanceof List + processor: + rename: + field: 
_ingest._value.kubernetesClusterName + tag: rename_triggeringEvent_resources_kubernetesClusterName + target_field: _ingest._value.kubernetes_cluster_name + ignore_missing: true + - foreach: + field: json.triggeringEvent.resources + tag: foreach_triggeringEvent_resources_kubernetesNamespaceId + if: ctx.json?.triggeringEvent?.resources instanceof List + processor: + rename: + field: _ingest._value.kubernetesNamespaceId + tag: rename_triggeringEvent_resources_kubernetesNamespaceId + target_field: _ingest._value.kubernetes_namespace_id + ignore_missing: true + - foreach: + field: json.triggeringEvent.resources + tag: foreach_triggeringEvent_resources_kubernetesNamespaceName + if: ctx.json?.triggeringEvent?.resources instanceof List + processor: + rename: + field: _ingest._value.kubernetesNamespaceName + tag: rename_triggeringEvent_resources_kubernetesNamespaceName + target_field: _ingest._value.kubernetes_namespace_name + ignore_missing: true + - foreach: + field: json.triggeringEvent.resources + tag: foreach_triggeringEvent_resources_kubernetesNodeId + if: ctx.json?.triggeringEvent?.resources instanceof List + processor: + rename: + field: _ingest._value.kubernetesNodeId + tag: rename_triggeringEvent_resources_kubernetesNodeId + target_field: _ingest._value.kubernetes_node_id + ignore_missing: true + - foreach: + field: json.triggeringEvent.resources + tag: foreach_triggeringEvent_resources_kubernetesNodeName + if: ctx.json?.triggeringEvent?.resources instanceof List + processor: + rename: + field: _ingest._value.kubernetesNodeName + tag: rename_triggeringEvent_resources_kubernetesNodeName + target_field: _ingest._value.kubernetes_node_name + ignore_missing: true + - foreach: + field: json.triggeringEvent.resources + tag: foreach_triggeringEvent_resources_nativeType + if: ctx.json?.triggeringEvent?.resources instanceof List + processor: + rename: + field: _ingest._value.nativeType + tag: rename_triggeringEvent_resources_nativeType + target_field: 
_ingest._value.native_type + ignore_missing: true + - foreach: + field: json.triggeringEvent.resources + tag: foreach_triggeringEvent_resources_providerUniqueId + if: ctx.json?.triggeringEvent?.resources instanceof List + processor: + rename: + field: _ingest._value.providerUniqueId + tag: rename_triggeringEvent_resources_providerUniqueId + target_field: _ingest._value.provider_unique_id + ignore_missing: true + - rename: + field: json.triggeringEvent.resources + tag: rename_triggeringEvent_resources + target_field: wiz.defend.triggering_event.resources + ignore_missing: true + - foreach: + field: json.triggeringEvent.runtimeDetails.processTree + tag: foreach_triggeringEvent_runtimeDetails_processTree_container_externalId + if: ctx.json?.triggeringEvent?.runtimeDetails?.processTree instanceof List + processor: + rename: + field: _ingest._value.container.externalId + tag: rename_triggeringEvent_runtimeDetails_processTree_container_externalId + target_field: _ingest._value.container.external_id + ignore_missing: true + - foreach: + field: json.triggeringEvent.runtimeDetails.processTree + tag: foreach_triggeringEvent_runtimeDetails_processTree_container_imageExternalId + if: ctx.json?.triggeringEvent?.runtimeDetails?.processTree instanceof List + processor: + rename: + field: _ingest._value.container.imageExternalId + tag: rename_triggeringEvent_runtimeDetails_processTree_container_imageExternalId + target_field: _ingest._value.container.image_external_id + ignore_missing: true + - foreach: + field: json.triggeringEvent.runtimeDetails.processTree + tag: foreach_triggeringEvent_runtimeDetails_processTree_container_imageId + if: ctx.json?.triggeringEvent?.runtimeDetails?.processTree instanceof List + processor: + rename: + field: _ingest._value.container.imageId + tag: rename_triggeringEvent_runtimeDetails_processTree_container_imageId + target_field: _ingest._value.container.image_id + ignore_missing: true + - foreach: + field: 
json.triggeringEvent.runtimeDetails.processTree + tag: foreach_triggeringEvent_runtimeDetails_processTree_executionTime + if: ctx.json?.triggeringEvent?.runtimeDetails?.processTree instanceof List + processor: + date: + field: _ingest._value.executionTime + tag: date_triggeringEvent_runtimeDetails_processTree_executionTime + target_field: _ingest._value.execution_time + formats: + - ISO8601 + on_failure: + - remove: + field: _ingest._value.executionTime + ignore_missing: true + - foreach: + field: json.triggeringEvent.runtimeDetails.processTree + tag: foreach_triggeringEvent_runtimeDetails_processTree_userId + if: ctx.json?.triggeringEvent?.runtimeDetails?.processTree instanceof List + processor: + rename: + field: _ingest._value.userId + tag: rename_triggeringEvent_runtimeDetails_processTree_userId + target_field: _ingest._value.user_id + ignore_missing: true + - foreach: + field: json.triggeringEvent.runtimeDetails.processTree + tag: foreach_triggeringEvent_runtimeDetails_processTree_execution_time + if: ctx.json?.triggeringEvent?.runtimeDetails?.processTree instanceof List + processor: + remove: + field: _ingest._value.executionTime + tag: remove_triggeringEvent_runtimeDetails_processTree + ignore_missing: true + - foreach: + field: json.triggeringEvent.runtimeDetails.processTree + tag: foreach_processTree_add_user_id_into_related_user + if: ctx.json?.triggeringEvent?.runtimeDetails?.processTree instanceof List + processor: + append: + field: related.user + tag: append_user_id_into_related_user + value: '{{{_ingest._value.user_id}}}' + allow_duplicates: false + - foreach: + field: json.triggeringEvent.runtimeDetails.processTree + tag: foreach_processTree_add_username_into_related_user + if: ctx.json?.triggeringEvent?.runtimeDetails?.processTree instanceof List + processor: + append: + field: related.user + tag: append_username_into_related_user + value: '{{{_ingest._value.username}}}' + allow_duplicates: false + - foreach: + field: 
json.triggeringEvent.runtimeDetails.processTree + tag: foreach_processTree_add_hash_into_related_hash + if: ctx.json?.triggeringEvent?.runtimeDetails?.processTree instanceof List + processor: + append: + field: related.hash + tag: append_hash_into_related_hash + value: '{{{_ingest._value.hash}}}' + allow_duplicates: false + - rename: + field: json.triggeringEvent.runtimeDetails.processTree + tag: rename_triggeringEvent_runtimeDetails_processTree + target_field: wiz.defend.triggering_event.runtime_details.process_tree + ignore_missing: true + - rename: + field: json.triggeringEvent.source + tag: rename_triggeringEvent_source + target_field: wiz.defend.triggering_event.source + ignore_missing: true + - set: + field: event.provider + tag: set_event_provider_from_defend_triggering_event_source + copy_from: wiz.defend.triggering_event.source + ignore_empty_value: true + - rename: + field: json.triggeringEvent.status + tag: rename_triggeringEvent_status + target_field: wiz.defend.triggering_event.status + ignore_missing: true + - script: + lang: painless + description: Script to set event.outcome. 
+ tag: set_event_outcome + if: ctx.wiz?.defend?.triggering_event?.status instanceof String + source: |- + String status = ctx.wiz.defend.triggering_event.status.toLowerCase(); + if (status.contains('success')) { + ctx.event.outcome = "success"; + } else if (status.contains('fail')) { + ctx.event.outcome = "failure"; + } else { + ctx.event.outcome = "unknown"; + } + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - rename: + field: json.triggeringEvent.subjectResourceId + tag: rename_triggeringEvent_subjectResourceId + target_field: wiz.defend.triggering_event.subject_resource_id + ignore_missing: true + - convert: + field: json.triggeringEvent.subjectResourceIp + tag: convert_triggeringEvent_subjectResourceIp_to_ip + target_field: wiz.defend.triggering_event.subject_resource_ip + type: ip + ignore_missing: true + if: ctx.json?.triggeringEvent?.subjectResourceIp != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - append: + field: related.ip + value: "{{{wiz.defend.triggering_event.subject_resource_ip}}}" + ignore_failure: true + allow_duplicates: false + if: ctx.wiz?.defend?.triggering_event?.subject_resource_ip != null + - set: + field: destination.ip + tag: set_destination_ip_from_defend_triggering_event_subject_resource_ip + copy_from: wiz.defend.triggering_event.subject_resource_ip + ignore_empty_value: true + - rename: + field: json.triggeringEventsCount + tag: rename_triggeringEventsCount + target_field: wiz.defend.triggering_events_count + ignore_missing: true + - remove: + field: + - wiz.defend.detection_url + - wiz.defend.threat_id + - 
wiz.defend.threat_url + - wiz.defend.trigger.rule_id + - wiz.defend.trigger.rule_name + - wiz.defend.trigger.type + - wiz.defend.triggering_event.actor.id + - wiz.defend.triggering_event.actor.name + - wiz.defend.triggering_event.actor_ip_meta.autonomous_system_number + - wiz.defend.triggering_event.actor_ip_meta.autonomous_system_organization + - wiz.defend.triggering_event.cloud_platform + - wiz.defend.triggering_event.description + - wiz.defend.triggering_event.event_time + - wiz.defend.triggering_event.id + - wiz.defend.triggering_event.source + - wiz.defend.triggering_event.subject_resource_ip + - wiz.defend.mitreTactics + - wiz.defend.mitreTactics + tag: remove_custom_duplicate_fields + ignore_missing: true + if: ctx.tags == null || !ctx.tags.contains('preserve_duplicate_custom_fields') + - remove: + field: json + tag: remove_json + ignore_missing: true + - script: + description: This script processor iterates over the whole document to remove fields with null values. + tag: script_to_drop_null_values + lang: painless + source: | + void handleMap(Map map) { + map.values().removeIf(v -> { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); + } + void handleList(List list) { + list.removeIf(v -> { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); + } + handleMap(ctx); + - set: + field: event.kind + tag: set_pipeline_error_into_event_kind + value: pipeline_error + if: ctx.error?.message != null + - append: + field: tags + value: preserve_original_event + allow_duplicates: false + if: ctx.error?.message != null +on_failure: + - append: + field: error.message + value: >- + Processor '{{{ _ingest.on_failure_processor_type }}}' + 
{{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}' + {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}' + - set: + field: event.kind + tag: set_pipeline_error_to_event_kind + value: pipeline_error + - append: + field: tags + value: preserve_original_event + allow_duplicates: false diff --git a/packages/wiz/data_stream/defend/fields/base-fields.yml b/packages/wiz/data_stream/defend/fields/base-fields.yml new file mode 100644 index 00000000000..409fb3a1acc --- /dev/null +++ b/packages/wiz/data_stream/defend/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module. + value: wiz +- name: event.dataset + type: constant_keyword + description: Event dataset. + value: wiz.defend +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/wiz/data_stream/defend/fields/beats.yml b/packages/wiz/data_stream/defend/fields/beats.yml new file mode 100644 index 00000000000..d5fd38748ba --- /dev/null +++ b/packages/wiz/data_stream/defend/fields/beats.yml @@ -0,0 +1,6 @@ +- name: input.type + type: keyword + description: Type of Filebeat input. +- name: log.offset + type: long + description: Log offset. diff --git a/packages/wiz/data_stream/defend/fields/fields.yml b/packages/wiz/data_stream/defend/fields/fields.yml new file mode 100644 index 00000000000..16d744d2ac2 --- /dev/null +++ b/packages/wiz/data_stream/defend/fields/fields.yml 
@@ -0,0 +1,375 @@ +- name: wiz.defend + type: group + fields: + - name: friendly_name + type: keyword + - name: cloudOrganizations + type: group + fields: + - name: cloudProvider + type: keyword + - name: externalId + type: keyword + - name: name + type: keyword + - name: created_at + type: date + description: ISO8601 timestamp for when detection was created. + - name: description + type: keyword + description: Description providing more details on the detection. + - name: detection_url + type: keyword + description: URL linking to more details on the detection. + - name: id + type: keyword + description: Unique identifier for the detection. + - name: mitreTactics + type: keyword + - name: mitreTechniques + type: keyword + - name: primary_actor + type: group + fields: + - name: email + type: keyword + description: Primary Actor Email. + - name: external_id + type: keyword + description: Primary Actor External ID. + - name: id + type: keyword + description: Primary Actor ID. + - name: name + type: keyword + description: Primary Actor Name. + - name: native_type + type: keyword + description: Primary Actor Native Type. + - name: type + type: keyword + description: Primary Actor Type. + - name: primary_resource + type: group + fields: + - name: cloud_account + type: group + fields: + - name: cloud_platform + type: keyword + description: Cloud Platform associated with Cloud Account for primary resource. + - name: external_id + type: keyword + description: External ID for cloud account for primary resource. + - name: id + type: keyword + description: ID for cloud account for primary resource. + - name: cloud_provider_url + type: keyword + description: URL to resource in cloud provider console for primary resource. + - name: external_id + type: keyword + description: External ID of primary resource. + - name: id + type: keyword + description: ID of primary resource. 
+ - name: kubernetes_cluster_id + type: keyword + description: ID of the Kubernetes cluster for primary resource. + - name: kubernetes_cluster_name + type: keyword + description: Name of the Kubernetes cluster for primary resource. + - name: kubernetes_namespace_id + type: keyword + description: ID of the Kubernetes namespace for primary resource. + - name: kubernetes_namespace_name + type: keyword + description: Name of the Kubernetes namespace for primary resource. + - name: kubernetes_node_id + type: keyword + description: ID of the Kubernetes node for primary resource. + - name: kubernetes_node_name + type: keyword + description: Name of the Kubernetes node for primary resource. + - name: name + type: keyword + description: Name of the resource for primary resource. + - name: native_type + type: keyword + description: Native type classification for primary resource. + - name: provider_unique_id + type: keyword + description: Unique identifier from the provider for primary resource. + - name: region + type: keyword + description: Geographic region for primary resource. + - name: status + type: keyword + description: Current status of the resource for primary resource. + - name: type + type: keyword + description: Type of resource for primary resource. + - name: severity + type: keyword + description: Severity level of the detection. + - name: source + type: keyword + description: Source of the detection, will be "DETECTIONS". + - name: tdr_id + type: keyword + description: TDR identifier. + - name: tdr_source + type: keyword + description: TDR source. + - name: threat_id + type: keyword + description: ID of the associated threat. + - name: threat_url + type: keyword + description: URL linking to more details on the threat. + - name: timeframe + type: group + fields: + - name: end + type: date + description: End timeframe for detection frametime. + - name: start + type: date + description: Start timeframe for detection frametime. 
+ - name: title + type: keyword + description: Title or summary of the detection. + - name: trigger + type: group + fields: + - name: rule_id + type: keyword + description: Triggered Rule ID. + - name: rule_name + type: keyword + description: Triggered Rule Name. + - name: source + type: keyword + description: Triggered Source Name. + - name: type + type: keyword + description: Triggered Source Type. + - name: triggering_event + type: group + fields: + - name: actor + type: group + fields: + - name: acting_as + type: group + fields: + - name: id + type: keyword + description: Actor ID. + - name: name + type: keyword + description: Name of the actor. + - name: native_type + type: keyword + description: Native type classification. + - name: type + type: keyword + description: Type of the actor. + - name: external_id + type: keyword + description: External ID. + - name: id + type: keyword + description: Actor ID. + - name: name + type: keyword + description: Name of the actor. + - name: native_type + type: keyword + description: Native type classification. + - name: provider_unique_id + type: keyword + description: Unique identifier from the provider. + - name: type + type: keyword + description: Type of the actor. + - name: actor_ip + type: ip + description: IP address of the actor. + - name: actor_ip_meta + type: group + fields: + - name: autonomous_system_number + type: long + description: ASN number. + - name: autonomous_system_organization + type: keyword + description: Organization associated with ASN (ASO). + - name: country + type: keyword + description: Country of origin for IP. + - name: is_foreign + type: boolean + description: Whether IP is from foreign source. + - name: related_attack_group_names + type: keyword + description: Attack groups associated with IP. + - name: reputation + type: keyword + description: IP reputation rating. + - name: reputation_description + type: keyword + description: Description of IP reputation. 
+ - name: reputation_source + type: keyword + description: Source of reputation data. + - name: category + type: keyword + description: Event category. + - name: cloud_platform + type: keyword + description: Cloud platform where event occurred. + - name: cloud_provider_url + type: keyword + description: URL to event in cloud provider console. + - name: description + type: keyword + description: Description of the event. + - name: event_time + type: date + description: ISO8601 timestamp of when event occurred. + - name: external_id + type: keyword + description: Event External ID. + - name: id + type: keyword + description: Event ID. + - name: name + type: keyword + description: Name of the event. + - name: origin + type: keyword + description: Origin of the event. + - name: resources + type: group + fields: + - name: cloud_account + type: group + fields: + - name: cloud_platform + type: keyword + description: Cloud Platform associated with Cloud Account. + - name: external_id + type: keyword + description: External ID for cloud account. + - name: id + type: keyword + description: ID for cloud account. + - name: cloud_provider_url + type: keyword + description: URL to resource in cloud provider console. + - name: external_id + type: keyword + description: External ID. + - name: id + type: keyword + description: Resource ID. + - name: kubernetes_cluster_id + type: keyword + description: ID of the Kubernetes cluster. + - name: kubernetes_cluster_name + type: keyword + description: Name of the Kubernetes cluster. + - name: kubernetes_namespace_id + type: keyword + description: ID of the Kubernetes namespace. + - name: kubernetes_namespace_name + type: keyword + description: Name of the Kubernetes namespace. + - name: kubernetes_node_id + type: keyword + description: ID of the Kubernetes node. + - name: kubernetes_node_name + type: keyword + description: Name of the Kubernetes node. + - name: name + type: keyword + description: Name of the resource. 
+ - name: native_type + type: keyword + description: Native type classification. + - name: provider_unique_id + type: keyword + description: Unique identifier from the provider. + - name: region + type: keyword + description: Geographic region. + - name: status + type: keyword + description: Current status of the resource. + - name: type + type: keyword + description: Type of resource. + - name: runtime_details + type: group + fields: + - name: process_tree + type: group + fields: + - name: command + type: keyword + description: Process command line. + - name: container + type: group + fields: + - name: external_id + type: keyword + description: Container External ID. + - name: id + type: keyword + description: Container ID. + - name: image_external_id + type: keyword + description: Container Image External ID. + - name: image_id + type: keyword + description: Container Image ID. + - name: name + type: keyword + description: Container Name. + - name: execution_time + type: date + description: ISO8601 timestamp when process executed. + - name: hash + type: keyword + description: Executable SHA1 hash. + - name: id + type: keyword + description: Process Tree ID. + - name: path + type: keyword + description: Executable path. + - name: size + type: long + description: Executable size in bytes. + - name: user_id + type: keyword + description: User ID that executed process. + - name: username + type: keyword + description: Username that executed process. + - name: source + type: keyword + description: Source of the event. + - name: status + type: keyword + description: Status of the event. + - name: subject_resource_id + type: keyword + description: ID of the primary affected resource. + - name: subject_resource_ip + type: ip + description: IP of the primary affected resource. + - name: triggering_events_count + type: long + description: Count of events that triggered detection. 
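Review bot: field naming in this mapping is inconsistent: `cloudOrganizations` (with `cloudProvider` and `externalId`), `mitreTactics` and `mitreTechniques` keep the source's camelCase, while every other field under `wiz.defend` is snake_case (`primary_resource`, `triggering_event`, `runtime_details`, ...), and those same fields plus `friendly_name` carry no `description`. Suggest renaming them to `cloud_organizations.cloud_provider` / `cloud_organizations.external_id`, `mitre_tactics` and `mitre_techniques` (with the pipeline's rename targets and the `remove_custom_duplicate_fields` list adjusted to match) and adding descriptions so the generated field reference is complete.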
diff --git a/packages/wiz/data_stream/defend/manifest.yml b/packages/wiz/data_stream/defend/manifest.yml new file mode 100644 index 00000000000..96106fac83c --- /dev/null +++ b/packages/wiz/data_stream/defend/manifest.yml 
@@ -0,0 +1,106 @@ +title: Collect Detection events from Wiz Defend. +type: logs +streams: + - input: http_endpoint + template_path: http_endpoint.yml.hbs + enabled: false + title: Defend logs + description: Collect Detection events from Wiz Defend. + vars: + - name: listen_address + type: text + title: Listen Address + description: Bind address for the listener. Use 0.0.0.0 to listen on all interfaces. + multi: false + required: true + show_user: true + default: localhost + - name: listen_port + type: integer + title: Listen Port + description: The port number the listener binds to. + multi: false + required: true + show_user: true + default: 9588 + - name: url + type: text + title: URL + description: This option specifies which URL path to accept requests on. Defaults to /. + multi: false + required: false + show_user: false + default: / + - name: basic_auth + title: Authentiation (Basic) + type: bool + default: false + description: | + Enables or disables HTTP basic auth for each incoming request. If enabled, both the username and password must be configured. + required: false + show_user: true + - name: username + type: text + title: Username + description: If basic_auth is enabled, this is the username used for authentication against the HTTP listener. Requires password to also be set. + required: false + show_user: true + - name: password + type: password + title: Password + description: If basic_auth is enabled, this is the password used for authentication against the HTTP listener. Requires username to also be set. + required: false + show_user: true + secret: true + - name: token + type: password + title: Authentiation (Token) + description: The token value required to authenticate via `Token`. + required: false + show_user: true + secret: true + - name: ssl + type: yaml + title: TLS + description: Options for enabling TLS for the listening webhook endpoint. 
See the [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html) for a list of all options. + multi: false + required: false + show_user: false + default: | + # enabled: true + # certificate: "/etc/pki/client/cert.pem" + # key: "/etc/pki/client/cert.key" + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - wiz-defend + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: preserve_duplicate_custom_fields + required: true + show_user: false + title: Preserve duplicate custom fields + description: Preserve wiz.defend fields that were copied to Elastic Common Schema (ECS) fields. + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + diff --git a/packages/wiz/data_stream/defend/sample_event.json b/packages/wiz/data_stream/defend/sample_event.json new file mode 100644 index 00000000000..1c93fda59c1 --- /dev/null +++ b/packages/wiz/data_stream/defend/sample_event.json 
@@ -0,0 +1,245 @@ +{ + "@timestamp": "2025-01-21T18:52:15.838Z", + "agent": { + "ephemeral_id": "10c542b8-ed29-40a5-9d04-f32da0fef9bc", + "id": "c4be22ec-fa52-4247-accb-8c8e1762c834", + "name": "elastic-agent-50085", + "type": "filebeat", + "version": "8.18.0" + }, + "cloud": { + "provider": "AWS" + }, + "data_stream": { + "dataset": "wiz.defend", + "namespace": "18676", + "type": "logs" + }, + "ecs": { + "version": "8.17.0" + }, + "elastic_agent": { + "id": "c4be22ec-fa52-4247-accb-8c8e1762c834", + "snapshot": true, + "version": "8.18.0" + }, + "event": { + "action": "created", + "agent_id_status": "verified", + "category": [ + "threat" + ], + "dataset": "wiz.defend", + "id": "2b46aa0d-9f46-5cb9-a6ae-e83ca514144a", + "ingested": "2025-04-28T09:00:38Z", + "kind": "event", + "original": "{\"severity\":\"MEDIUM\",\"threatId\":\"733edfe5-db25-5b14-ac58-dc69d6005c81\",\"description\":\"Process executed the touch binary with the relevant command line flag used to modify files date information such as creation time, and last modification time. 
This could indicate the presence of a threat actor achieving defense evasion using the Timestomping technique.\",\"trigger\":{\"ruleName\":\"Detections Webhook Test Rule\",\"source\":\"DETECTIONS\",\"type\":\"Created\",\"ruleId\":\"a08fe977-3f54-48bf-adcf-f76994739c1f\"},\"tdrId\":\"46fd0cdc-252e-5e69-be6e-66e4851d7ae4\",\"title\":\"Timestomping technique was detected\",\"triggeringEventsCount\":2,\"tdrSource\":\"WIZ_SENSOR\",\"primaryResource\":{\"cloudAccount\":{\"cloudPlatform\":\"AWS\",\"externalId\":\"134653897021\",\"id\":\"5d67ed02-738e-5217-b065-d93642dd2629\"},\"nativeType\":\"ecs#containerinstance\",\"name\":\"test-container\",\"externalId\":\"test-container\",\"id\":\"da259b23-de77-5adb-8336-8c4071696305\",\"region\":\"us-east-1\",\"type\":\"CONTAINER\"},\"mitreTechniques\":[\"T1070.006\"],\"cloudAccounts\":[{\"cloudPlatform\":\"AWS\",\"externalId\":\"134653897021\",\"id\":\"5d67ed02-738e-5217-b065-d93642dd2629\"}],\"timeframe\":{\"start\":\"2025-01-21T18:52:15.838Z\",\"end\":\"2025-01-21T18:52:15.838Z\"},\"createdAt\":\"2025-01-21T18:52:16.819883668Z\",\"mitreTactics\":[\"TA0005\"],\"id\":\"6a440e9b-c8d8-5482-a0e9-da714359aecf\",\"threatURL\":\"https://test.wiz.io/issues#~(issue~'733edfe5-db25-5b14-ac58-dc69d6005c81)\",\"triggeringEvent\":{\"cloudPlatform\":\"AWS\",\"origin\":\"WIZ_SENSOR\",\"externalId\":\"Ptrace##test-container-SensorRuleEngine##sen-id-142-bd820642-34f2-4d3c-90b6-c384df0fd528\",\"description\":\"The program /usr/bin/bash executed the program /usr/bin/touch on container 
test-container\",\"resources\":[{\"cloudAccount\":{\"cloudPlatform\":\"AWS\",\"externalId\":\"134653897021\",\"id\":\"5d67ed02-738e-5217-b065-d93642dd2629\"},\"nativeType\":\"ecs#containerinstance\",\"name\":\"test-container\",\"externalId\":\"test-container\",\"id\":\"da259b23-de77-5adb-8336-8c4071696305\",\"region\":\"us-east-1\",\"type\":\"CONTAINER\"}],\"source\":\"WizSensorAlert##RuleEngine\",\"runtimeDetails\":{\"processTree\":[{\"container\":{\"imageId\":\"d18500ef-c0f7-5028-8c4c-1cd56c3a6652\",\"name\":\"test-container\",\"externalId\":\"test-container\",\"imageExternalId\":\"sha256:dcad76015854d8bcab3041a631d9d25d777325bb78abfa8ab0882e1b85ad84bb\",\"id\":\"da259b23-de77-5adb-8336-8c4071696305\"},\"executionTime\":\"2025-01-21T18:52:15.838Z\",\"path\":\"/usr/bin/touch\",\"size\":109616,\"id\":\"1560\",\"userId\":\"0\",\"hash\":\"a0d0c6248d07a8fa8e3b6a94e218ff9c8c372ad6\",\"command\":\"touch -r /usr/bin /tmp/uga\",\"username\":\"root\"},{\"container\":{\"imageId\":\"d18500ef-c0f7-5028-8c4c-1cd56c3a6652\",\"name\":\"test-container\",\"externalId\":\"test-container\",\"imageExternalId\":\"sha256:dcad76015854d8bcab3041a631d9d25d777325bb78abfa8ab0882e1b85ad84bb\",\"id\":\"da259b23-de77-5adb-8336-8c4071696305\"},\"executionTime\":\"2025-01-21T18:52:15.838Z\",\"path\":\"/usr/bin/bash\",\"size\":1265648,\"id\":\"1560\",\"userId\":\"0\",\"hash\":\"91fbd9d8c65de48dc82a1064b8a4fc89f5651778\",\"command\":\"/bin/bash -x -c touch -r /usr/bin /tmp/uga\",\"username\":\"root\"}]},\"cloudProviderUrl\":\"https://console.aws.amazon.com/cloudtrail/home?region=us-east-1#/events/Ptrace##test-container-SensorRuleEngine##sen-id-142-bd820642-34f2-4d3c-90b6-c384df0fd528\",\"actor\":{\"nativeType\":\"Microsoft Entra ID Application Service Principal\",\"name\":\"test-actor\",\"externalId\":\"test-actor\",\"id\":\"4e1bd57f-49b2-47a8-a4a7-0e66fe0b770e\",\"type\":\"SERVICE_ACCOUNT\"},\"actorIPMeta\":{\"reputationSource\":\"Recorded Future\",\"country\":\"United 
States\",\"isForeign\":true,\"reputation\":\"Benign\",\"autonomousSystemNumber\":8075,\"autonomousSystemOrganization\":\"MICROSOFT-CORP-MSN-AS-BLOCK\"},\"name\":\"Timestomping technique was detected\",\"eventTime\":\"2025-01-21T18:52:15.838Z\",\"id\":\"2b46aa0d-9f46-5cb9-a6ae-e83ca514144a\",\"category\":\"Detection\",\"status\":\"Success\",\"actorIP\":\"81.2.69.192\"},\"cloudOrganizations\":[]}", + "outcome": "success", + "provider": "WizSensorAlert##RuleEngine", + "severity": 47, + "type": [ + "indicator" + ] + }, + "input": { + "type": "http_endpoint" + }, + "message": "The program /usr/bin/bash executed the program /usr/bin/touch on container test-container", + "observer": { + "product": "Defend", + "vendor": "Wiz" + }, + "related": { + "hash": [ + "a0d0c6248d07a8fa8e3b6a94e218ff9c8c372ad6", + "91fbd9d8c65de48dc82a1064b8a4fc89f5651778" + ], + "ip": [ + "81.2.69.192" + ], + "user": [ + "4e1bd57f-49b2-47a8-a4a7-0e66fe0b770e", + "test-actor", + "0", + "root" + ] + }, + "rule": { + "id": "a08fe977-3f54-48bf-adcf-f76994739c1f", + "name": "Detections Webhook Test Rule" + }, + "source": { + "as": { + "number": 8075, + "organization": { + "name": "MICROSOFT-CORP-MSN-AS-BLOCK" + } + }, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + } + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "wiz-defend" + ], + "threat": { + "indicator": { + "id": [ + "733edfe5-db25-5b14-ac58-dc69d6005c81" + ], + "reference": "https://test.wiz.io/issues#~(issue~'733edfe5-db25-5b14-ac58-dc69d6005c81)" + }, + "tactic": { + "id": [ + "TA0005" + ] + }, + "technique": { + "id": [ + "T1070.006" + ] + } + }, + "user": { + "id": "4e1bd57f-49b2-47a8-a4a7-0e66fe0b770e", + "name": "test-actor" + }, + "wiz": { + "defend": { + "created_at": 
"2025-01-21T18:52:16.819Z", + "description": "Process executed the touch binary with the relevant command line flag used to modify files date information such as creation time, and last modification time. This could indicate the presence of a threat actor achieving defense evasion using the Timestomping technique.", + "friendly_name": "Detections Webhook Test Rule", + "id": "6a440e9b-c8d8-5482-a0e9-da714359aecf", + "mitreTactics": [ + "TA0005" + ], + "mitreTechniques": [ + "T1070.006" + ], + "primary_resource": { + "cloud_account": { + "cloud_platform": "AWS", + "external_id": "134653897021", + "id": "5d67ed02-738e-5217-b065-d93642dd2629" + }, + "external_id": "test-container", + "id": "da259b23-de77-5adb-8336-8c4071696305", + "name": "test-container", + "native_type": "ecs#containerinstance", + "region": "us-east-1", + "type": "CONTAINER" + }, + "severity": "MEDIUM", + "tdr_id": "46fd0cdc-252e-5e69-be6e-66e4851d7ae4", + "tdr_source": "WIZ_SENSOR", + "threat_id": "733edfe5-db25-5b14-ac58-dc69d6005c81", + "threat_url": "https://test.wiz.io/issues#~(issue~'733edfe5-db25-5b14-ac58-dc69d6005c81)", + "timeframe": { + "end": "2025-01-21T18:52:15.838Z", + "start": "2025-01-21T18:52:15.838Z" + }, + "title": "Timestomping technique was detected", + "trigger": { + "rule_id": "a08fe977-3f54-48bf-adcf-f76994739c1f", + "rule_name": "Detections Webhook Test Rule", + "source": "DETECTIONS", + "type": "Created" + }, + "triggering_event": { + "actor": { + "external_id": "test-actor", + "id": "4e1bd57f-49b2-47a8-a4a7-0e66fe0b770e", + "name": "test-actor", + "native_type": "Microsoft Entra ID Application Service Principal", + "type": "SERVICE_ACCOUNT" + }, + "actor_ip": "81.2.69.192", + "actor_ip_meta": { + "autonomous_system_number": 8075, + "autonomous_system_organization": "MICROSOFT-CORP-MSN-AS-BLOCK", + "country": "United States", + "is_foreign": true, + "reputation": "Benign", + "reputation_source": "Recorded Future" + }, + "category": "Detection", + "cloud_platform": "AWS", + 
"cloud_provider_url": "https://console.aws.amazon.com/cloudtrail/home?region=us-east-1#/events/Ptrace##test-container-SensorRuleEngine##sen-id-142-bd820642-34f2-4d3c-90b6-c384df0fd528", + "description": "The program /usr/bin/bash executed the program /usr/bin/touch on container test-container", + "event_time": "2025-01-21T18:52:15.838Z", + "external_id": "Ptrace##test-container-SensorRuleEngine##sen-id-142-bd820642-34f2-4d3c-90b6-c384df0fd528", + "id": "2b46aa0d-9f46-5cb9-a6ae-e83ca514144a", + "name": "Timestomping technique was detected", + "origin": "WIZ_SENSOR", + "resources": [ + { + "cloud_account": { + "cloud_platform": "AWS", + "external_id": "134653897021", + "id": "5d67ed02-738e-5217-b065-d93642dd2629" + }, + "external_id": "test-container", + "id": "da259b23-de77-5adb-8336-8c4071696305", + "name": "test-container", + "native_type": "ecs#containerinstance", + "region": "us-east-1", + "type": "CONTAINER" + } + ], + "runtime_details": { + "process_tree": [ + { + "command": "touch -r /usr/bin /tmp/uga", + "container": { + "external_id": "test-container", + "id": "da259b23-de77-5adb-8336-8c4071696305", + "image_external_id": "sha256:dcad76015854d8bcab3041a631d9d25d777325bb78abfa8ab0882e1b85ad84bb", + "image_id": "d18500ef-c0f7-5028-8c4c-1cd56c3a6652", + "name": "test-container" + }, + "execution_time": "2025-01-21T18:52:15.838Z", + "hash": "a0d0c6248d07a8fa8e3b6a94e218ff9c8c372ad6", + "id": "1560", + "path": "/usr/bin/touch", + "size": 109616, + "user_id": "0", + "username": "root" + }, + { + "command": "/bin/bash -x -c touch -r /usr/bin /tmp/uga", + "container": { + "external_id": "test-container", + "id": "da259b23-de77-5adb-8336-8c4071696305", + "image_external_id": "sha256:dcad76015854d8bcab3041a631d9d25d777325bb78abfa8ab0882e1b85ad84bb", + "image_id": "d18500ef-c0f7-5028-8c4c-1cd56c3a6652", + "name": "test-container" + }, + "execution_time": "2025-01-21T18:52:15.838Z", + "hash": "91fbd9d8c65de48dc82a1064b8a4fc89f5651778", + "id": "1560", + "path": 
"/usr/bin/bash", + "size": 1265648, + "user_id": "0", + "username": "root" + } + ] + }, + "source": "WizSensorAlert##RuleEngine", + "status": "Success" + }, + "triggering_events_count": 2 + } + } +} diff --git a/packages/wiz/data_stream/issue/manifest.yml b/packages/wiz/data_stream/issue/manifest.yml index 046e5612666..570ef48b51e 100644 --- a/packages/wiz/data_stream/issue/manifest.yml +++ b/packages/wiz/data_stream/issue/manifest.yml @@ -3,6 +3,7 @@ type: logs streams: - input: cel title: Issue logs + enabled: false description: Collect Issue logs from Wiz. template_path: cel.yml.hbs vars: diff --git a/packages/wiz/data_stream/issue/sample_event.json b/packages/wiz/data_stream/issue/sample_event.json index 16e7e70f274..c7cddbac7bb 100644 --- a/packages/wiz/data_stream/issue/sample_event.json +++ b/packages/wiz/data_stream/issue/sample_event.json @@ -1,11 +1,11 @@ { - "@timestamp": "2023-07-31T06:26:08.708Z", + "@timestamp": "2023-07-21T06:26:08.708Z", "agent": { - "ephemeral_id": "e74ac4d2-8565-45ee-8c61-c66b6f3151bf", - "id": "927b2eff-4394-4486-ab77-d6bfa7c529cf", - "name": "docker-fleet-agent", + "ephemeral_id": "1c453cfc-4ac3-49f8-80da-720ce2fb2df2", + "id": "ef1f42d0-9e3f-41dd-8482-9dbff945c288", + "name": "elastic-agent-39824", "type": "filebeat", - "version": "8.10.1" + "version": "8.18.0" }, "cloud": { "provider": "Kubernetes", 
@@ -13,31 +13,32 @@ }, "data_stream": { "dataset": "wiz.issue", - "namespace": "ep", + "namespace": "41856", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "927b2eff-4394-4486-ab77-d6bfa7c529cf", - "snapshot": false, - "version": "8.10.1" + "id": "ef1f42d0-9e3f-41dd-8482-9dbff945c288", + "snapshot": true, + "version": "8.18.0" }, "event": { "agent_id_status": "verified", "category": [ "configuration" ], - "created": "2023-08-23T07:56:09.903Z", + "created": "2023-08-21T07:56:09.903Z", "dataset": "wiz.issue", - "id": "fff9cffd-64a7-412c-9535-cf837f4b0b40", - "ingested": "2023-10-03T10:22:42Z", + "id": "ggf9cggd-64a7-412c-9445-cf837f4b0b10", + "ingested": "2025-04-22T10:00:06Z", "kind": "event", - "original": "{\"createdAt\":\"2023-08-23T07:56:09.903743Z\",\"dueAt\":\"2023-08-30T21:00:00Z\",\"entitySnapshot\":{\"cloudPlatform\":\"Kubernetes\",\"cloudProviderURL\":\"https://portal.az.com/#@sectest.on.com/resource//subscriptions/\",\"externalId\":\"k8s/clusterrole/aaa8e7ca2bf9bc85a75d5bbdd8ffd08d69f8852782a6341c3c3519sad45/system:aggregate-to-edit/12\",\"id\":\"e507d472-b7da-5f05-9b25-72a271336b14\",\"name\":\"system:aggregate-to-edit\",\"nativeType\":\"ClusterRole\",\"providerId\":\"k8s/clusterrole/aaa8e7ca2bf9bc85a75d5bbdd8ffd08d69f8852782a6341c3c3519bac0f24ae9/system:aggregate-to-edit/12\",\"region\":\"us-01\",\"resourceGroupExternalId\":\"/subscriptions/cfd132be-3bc7-4f86-8efd-ed53ae498fec/resourcegroups/test-selfmanaged-eastus\",\"status\":\"Active\",\"subscriptionExternalId\":\"998231069301\",\"subscriptionName\":\"demo-integrations\",\"subscriptionTags\":{},\"tags\":{\"kubernetes.io/bootstrapping\":\"rbac-defaults\",\"rbac.authorization.k8s.io/aggregate-to-edit\":\"true\"},\"type\":\"ACCESS_ROLE\"},\"id\":\"fff9cffd-64a7-412c-9535-cf837f4b0b40\",\"notes\":[{\"createdAt\":\"2023-08-23T07:56:09.903743Z\",\"serviceAccount\":{\"name\":\"rev-ke\"},\"text\":\"updated\",\"updatedAt\":\"2023-08-09T23:10:22.588721Z\"},{\"createdAt\":\"2023-08-
09T23:08:49.918941Z\",\"serviceAccount\":{\"name\":\"rev-ke2\"},\"text\":\"updated\",\"updatedAt\":\"2023-08-09T23:10:22.591487Z\"}],\"projects\":[{\"businessUnit\":\"\",\"id\":\"83b76efe-a7b6-5762-8a53-8e8f59e68bd8\",\"name\":\"Project 2\",\"riskProfile\":{\"businessImpact\":\"MBI\"},\"slug\":\"project-2\"},{\"businessUnit\":\"Dev\",\"id\":\"af52828c-4eb1-5c4e-847c-ebc3a5ead531\",\"name\":\"project 4\",\"riskProfile\":{\"businessImpact\":\"MBI\"},\"slug\":\"project-4\"},{\"businessUnit\":\"Dev\",\"id\":\"d6ac50bb-aec0-52fc-80ab-bacd7b02f178\",\"name\":\"Project1\",\"riskProfile\":{\"businessImpact\":\"MBI\"},\"slug\":\"project1\"}],\"resolvedAt\":\"2023-08-09T23:10:22.588721Z\",\"serviceTickets\":[{\"externalId\":\"638361121bbfdd10f6c1cbf3604bcb7e\",\"name\":\"SIR0010002\",\"url\":\"https://ven05658.testing.com/nav_to.do?uri=%2Fsn_si_incident.do%3Fsys_id%3D6385248sdsae421\"}],\"severity\":\"INFORMATIONAL\",\"sourceRule\":{\"__typename\":\"Control\",\"controlDescription\":\"These EKS principals assume roles that provide bind, escalate and impersonate permissions. \\n\\nThe `bind` permission allows users to create bindings to roles with rights they do not already have. The `escalate` permission allows users effectively escalate their privileges. The `impersonate` permission allows users to impersonate and gain the rights of other users in the cluster. 
Running containers with these permissions has the potential to effectively allow privilege escalation to the cluster-admin level.\",\"id\":\"wc-id-1335\",\"name\":\"EKS principals assume roles that provide bind, escalate and impersonate permissions\",\"resolutionRecommendation\":\"To follow the principle of least privilege and minimize the risk of unauthorized access and data breaches, it is recommended not to grant `bind`, `escalate` or `impersonate` permissions.\",\"securitySubCategories\":[{\"category\":{\"framework\":{\"name\":\"CIS EKS 1.2.0\"},\"name\":\"4.1 RBAC and Service Accounts\"},\"title\":\"4.1.8 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster - Level 1 (Manual)\"},{\"category\":{\"framework\":{\"name\":\"Wiz for Risk Assessment\"},\"name\":\"Identity Management\"},\"title\":\"Privileged principal\"},{\"category\":{\"framework\":{\"name\":\"Wiz\"},\"name\":\"9 Container Security\"},\"title\":\"Container Security\"},{\"category\":{\"framework\":{\"name\":\"Wiz for Risk Assessment\"},\"name\":\"Container \\u0026 Kubernetes Security\"},\"title\":\"Cluster misconfiguration\"}]},\"status\":\"IN_PROGRESS\",\"statusChangedAt\":\"2023-07-31T06:26:08.708199Z\",\"updatedAt\":\"2023-08-14T06:06:18.331647Z\"}", + "original": 
"{\"createdAt\":\"2023-08-21T07:56:09.903743Z\",\"dueAt\":\"2023-08-28T21:00:00Z\",\"entitySnapshot\":{\"cloudPlatform\":\"Kubernetes\",\"cloudProviderURL\":\"https://portal.az.com/#@sectest.on.com/resource//subscriptions/\",\"externalId\":\"k8s/clusterrole/aaa8e7ca2bf9bc85a75d5bbdd8ffd08d69f8852782a6341c3c3519sad45/system:aggregate-to-edit/12\",\"id\":\"f307d472-b7da-5t05-9b25-71a271336b14\",\"name\":\"system:aggregate-to-edit\",\"nativeType\":\"ClusterRole\",\"providerId\":\"k8s/clusterrole/aaa8e7ca2bf9bc85a75d5bbdd8ffd08d69f8852782a6341c3c3519bac0f24ae9/system:aggregate-to-edit/12\",\"region\":\"us-01\",\"resourceGroupExternalId\":\"/subscriptions/cfd132be-3bc7-4f86-8efd-ed53ae498fec/resourcegroups/test-selfmanaged-eastus\",\"status\":\"Active\",\"subscriptionExternalId\":\"998231069301\",\"subscriptionName\":\"demo-integrations\",\"subscriptionTags\":{},\"tags\":{\"kubernetes.io/bootstrapping\":\"rbac-defaults\",\"rbac.authorization.k8s.io/aggregate-to-edit\":\"true\"},\"type\":\"ACCESS_ROLE\"},\"id\":\"ggf9cggd-64a7-412c-9445-cf837f4b0b10\",\"notes\":[{\"createdAt\":\"2023-08-21T07:56:09.903743Z\",\"serviceAccount\":{\"name\":\"rev-ke\"},\"text\":\"updated\",\"updatedAt\":\"2023-09-09T23:10:22.588721Z\"},{\"createdAt\":\"2023-08-07T23:08:49.918941Z\",\"serviceAccount\":{\"name\":\"rev-ke2\"},\"text\":\"updated\",\"updatedAt\":\"2023-08-09T23:10:22.591487Z\"}],\"projects\":[{\"businessUnit\":\"\",\"id\":\"jf77n35n-a7b6-5762-8a53-8e8f59e68bd8\",\"name\":\"Project 2\",\"riskProfile\":{\"businessImpact\":\"MBI\"},\"slug\":\"project-2\"},{\"businessUnit\":\"Dev\",\"id\":\"af52828c-4eb1-5c4e-847c-ebc3a5ead531\",\"name\":\"project 
4\",\"riskProfile\":{\"businessImpact\":\"MBI\"},\"slug\":\"project-4\"},{\"businessUnit\":\"Dev\",\"id\":\"d5h1545-aec0-52fc-80ab-bacd7b02f178\",\"name\":\"Project1\",\"riskProfile\":{\"businessImpact\":\"MBI\"},\"slug\":\"project1\"}],\"resolvedAt\":\"2023-08-09T23:10:22.588721Z\",\"serviceTickets\":[{\"externalId\":\"638361121bbfdd10f6c1cbf3604bcb7e\",\"name\":\"SIR0010002\",\"url\":\"https://ven05658.testing.com/nav_to.do?uri=%2Fsn_si_incident.do%3Fsys_id%3D6385248sdsae421\"}],\"severity\":\"INFORMATIONAL\",\"sourceRule\":{\"__typename\":\"Control\",\"controlDescription\":\"These EKS principals assume roles that provide bind, escalate and impersonate permissions. \\n\\nThe `bind` permission allows users to create bindings to roles with rights they do not already have. The `escalate` permission allows users effectively escalate their privileges. The `impersonate` permission allows users to impersonate and gain the rights of other users in the cluster. Running containers with these permissions has the potential to effectively allow privilege escalation to the cluster-admin level.\",\"id\":\"wc-id-1335\",\"name\":\"EKS principals assume roles that provide bind, escalate and impersonate permissions\",\"resolutionRecommendation\":\"To follow the principle of least privilege and minimize the risk of unauthorized access and data breaches, it is recommended not to grant `bind`, `escalate` or `impersonate` permissions.\",\"securitySubCategories\":[{\"category\":{\"framework\":{\"name\":\"CIS EKS 1.2.0\"},\"name\":\"4.1 RBAC and Service Accounts\"},\"title\":\"4.1.8 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster - Level 1 (Manual)\"},{\"category\":{\"framework\":{\"name\":\"Wiz for Risk Assessment\"},\"name\":\"Identity Management\"},\"title\":\"Privileged principal\"},{\"category\":{\"framework\":{\"name\":\"Wiz\"},\"name\":\"9 Container Security\"},\"title\":\"Container Security\"},{\"category\":{\"framework\":{\"name\":\"Wiz for 
Risk Assessment\"},\"name\":\"Container \\u0026 Kubernetes Security\"},\"title\":\"Cluster misconfiguration\"}]},\"status\":\"IN_PROGRESS\",\"statusChangedAt\":\"2023-07-21T06:26:08.708199Z\",\"updatedAt\":\"2023-08-14T06:06:18.331647Z\"}", "type": [ "info" - ] + ], + "url": "https://app.wiz.io/issues#~(filters~(status~())~issue~'ggf9cggd-64a7-412c-9445-cf837f4b0b10)" }, "input": { "type": "cel" @@ -58,15 +59,15 @@ }, "wiz": { "issue": { - "created_at": "2023-08-23T07:56:09.903Z", - "due_at": "2023-08-30T21:00:00.000Z", + "created_at": "2023-08-21T07:56:09.903Z", + "due_at": "2023-08-28T21:00:00.000Z", "entity_snapshot": { "cloud": { "platform": "Kubernetes", "provider_url": "https://portal.az.com/#@sectest.on.com/resource//subscriptions/" }, "external_id": "k8s/clusterrole/aaa8e7ca2bf9bc85a75d5bbdd8ffd08d69f8852782a6341c3c3519sad45/system:aggregate-to-edit/12", - "id": "e507d472-b7da-5f05-9b25-72a271336b14", + "id": "f307d472-b7da-5t05-9b25-71a271336b14", "name": "system:aggregate-to-edit", "native_type": "ClusterRole", "provider_id": "k8s/clusterrole/aaa8e7ca2bf9bc85a75d5bbdd8ffd08d69f8852782a6341c3c3519bac0f24ae9/system:aggregate-to-edit/12", @@ -83,18 +84,18 @@ }, "type": "ACCESS_ROLE" }, - "id": "fff9cffd-64a7-412c-9535-cf837f4b0b40", + "id": "ggf9cggd-64a7-412c-9445-cf837f4b0b10", "notes": [ { - "created_at": "2023-08-23T07:56:09.903Z", + "created_at": "2023-08-21T07:56:09.903Z", "service_account": { "name": "rev-ke" }, "text": "updated", - "updated_at": "2023-08-09T23:10:22.588Z" + "updated_at": "2023-09-09T23:10:22.588Z" }, { - "created_at": "2023-08-09T23:08:49.918Z", + "created_at": "2023-08-07T23:08:49.918Z", "service_account": { "name": "rev-ke2" }, @@ -104,7 +105,7 @@ ], "projects": [ { - "id": "83b76efe-a7b6-5762-8a53-8e8f59e68bd8", + "id": "jf77n35n-a7b6-5762-8a53-8e8f59e68bd8", "name": "Project 2", "risk_profile": { "business_impact": "MBI" 
@@ -122,7 +123,7 @@ }, { "business_unit": "Dev", - "id": "d6ac50bb-aec0-52fc-80ab-bacd7b02f178", + "id": "d5h1545-aec0-52fc-80ab-bacd7b02f178", "name": "Project1", "risk_profile": { "business_impact": "MBI" @@ -178,17 +179,17 @@ "framework": { "name": "Wiz for Risk Assessment" }, - "name": "Container \u0026 Kubernetes Security" + "name": "Container & Kubernetes Security" }, "title": "Cluster misconfiguration" } ] }, "status": { - "changed_at": "2023-07-31T06:26:08.708Z", + "changed_at": "2023-07-21T06:26:08.708Z", "value": "IN_PROGRESS" }, "updated_at": "2023-08-14T06:06:18.331Z" } } -} \ No newline at end of file +} diff --git a/packages/wiz/data_stream/vulnerability/manifest.yml b/packages/wiz/data_stream/vulnerability/manifest.yml index b34d02b9525..dce2fec47b0 100644 --- a/packages/wiz/data_stream/vulnerability/manifest.yml +++ b/packages/wiz/data_stream/vulnerability/manifest.yml @@ -3,6 +3,7 @@ type: logs streams: - input: cel title: Vulnerability logs + enabled: false description: Collect Vulnerability logs from Wiz. template_path: cel.yml.hbs vars: diff --git a/packages/wiz/data_stream/vulnerability/sample_event.json b/packages/wiz/data_stream/vulnerability/sample_event.json index f78096fd83e..c8e6bfb1ba4 100644 --- a/packages/wiz/data_stream/vulnerability/sample_event.json +++ b/packages/wiz/data_stream/vulnerability/sample_event.json @@ -1,11 +1,11 @@ { "@timestamp": "2023-08-16T18:40:57.000Z", "agent": { - "ephemeral_id": "19d5ed25-e2f4-49cb-852c-a5f8f9ee00a9", - "id": "45e59d63-f461-4f3a-9aae-587e6b33e84a", - "name": "elastic-agent-94391", + "ephemeral_id": "4c555afd-d62f-4893-8145-235a7a2aa42e", + "id": "c3610579-6628-4346-bac5-22eb264323cb", + "name": "elastic-agent-39585", "type": "filebeat", - "version": "8.17.0" + "version": "8.18.0" }, "cloud": { "account": { @@ -16,7 +16,7 @@ }, "data_stream": { "dataset": "wiz.vulnerability", - "namespace": "85547", + "namespace": "50935", "type": "logs" }, "device": { 
@@ -26,9 +26,9 @@ "version": "8.11.0" }, "elastic_agent": { - "id": "45e59d63-f461-4f3a-9aae-587e6b33e84a", - "snapshot": false, - "version": "8.17.0" + "id": "c3610579-6628-4346-bac5-22eb264323cb", + "snapshot": true, + "version": "8.18.0" }, "event": { "agent_id_status": "verified", 
@@ -37,7 +37,7 @@ ], "dataset": "wiz.vulnerability", "id": "5e95ff50-5490-514e-87f7-11e56f3230ff", - "ingested": "2025-03-20T17:51:16Z", + "ingested": "2025-04-22T10:01:05Z", "kind": "alert", "original": "{\"CVEDescription\":\"In LibTIFF, there is a memory malloc failure in tif_pixarlog.c. A crafted TIFF document can lead to an abort, resulting in a remote denial of service attack.\",\"CVSSSeverity\":\"MEDIUM\",\"dataSourceName\":\"data Source\",\"description\":\"Thepackage`libtiff`version`4.0.3-35.amzn2`wasdetectedin`YUMpackagemanager`onamachinerunning`Amazon2(Karoo)`isvulnerableto`CVE-2020-35522`,whichexistsinversions`\\u003c4.0.3-35.amzn2.0.1`.\\n\\nThevulnerabilitywasfoundinthe[OfficialAmazonLinuxSecurityAdvisories](https://alas.aws.amazon.com/AL2/ALAS-2022-1780.html)withvendorseverity:`Medium`([NVD](https://nvd.nist.gov/vuln/detail/CVE-2020-35522)severity:`Medium`).\\n\\nThevulnerabilitycanberemediatedbyupdatingthepackagetoversion`4.0.3-35.amzn2.0.1`orhigher,using`yumupdatelibtiff`.\",\"detailedName\":\"libtiff\",\"detectionMethod\":\"PACKAGE\",\"epssPercentile\":46.2,\"epssProbability\":0.1,\"epssSeverity\":\"LOW\",\"exploitabilityScore\":1.8,\"firstDetectedAt\":\"2022-05-01T11:36:10.063767Z\",\"fixedVersion\":\"4.0.3-35.amzn2.0.1\",\"hasCisaKevExploit\":false,\"hasExploit\":false,\"id\":\"5e95ff50-5490-514e-87f7-11e56f3230ff\",\"ignoreRules\":{\"enabled\":true,\"expiredAt\":\"2023-08-16T18:40:57Z\",\"id\":\"aj3jqtvnaf\",\"name\":\"abc\"},\"impactScore\":3.6,\"lastDetectedAt\":\"2023-08-16T18:40:57Z\",\"layerMetadata\":{\"details\":\"xxxx\",\"id\":\"5e95ff50-5490-514e-87f7-11e56f3230ff\",\"isBaseLayer\":true},\"link\":\"https://alas.aws.amazon.com/AL2/ALAS-2022-1780.html\",\"locationPath\":\"package/library/file\",\"name\":\"CVE-2020-3333\",\"portalUrl\":\"https://app.wiz.io/explorer/vulnerability-findings#~(entity~(~'xxx-xxx*2cSECURITY_TOOL_FINDING))\",\"projects\":[{\"businessUnit\":\"\",\"id\":\"83b76efe-a7b6-5762-8a53-8e8f59e68bd8\",\"name\":\"Project2\",\
"riskProfile\":{\"businessImpact\":\"MBI\"},\"slug\":\"project-2\"},{\"businessUnit\":\"Dev\",\"id\":\"af52828c-4eb1-5c4e-847c-ebc3a5ead531\",\"name\":\"project4\",\"riskProfile\":{\"businessImpact\":\"MBI\"},\"slug\":\"project-4\"},{\"businessUnit\":\"Dev\",\"id\":\"d6ac50bb-aec0-52fc-80ab-bacd7b02f178\",\"name\":\"Project1\",\"riskProfile\":{\"businessImpact\":\"MBI\"},\"slug\":\"project1\"}],\"remediation\":\"yumupdatelibtiff\",\"resolutionReason\":\"resolutionReason\",\"resolvedAt\":\"2023-08-16T18:40:57Z\",\"score\":5.5,\"status\":\"OPEN\",\"validatedInRuntime\":true,\"vendorSeverity\":\"MEDIUM\",\"version\":\"4.0.3-35.amzn2\",\"vulnerableAsset\":{\"cloudPlatform\":\"AWS\",\"cloudProviderURL\":\"https://us-east-1.console.aws.amazon.com/ec2/v2/home?region=us-east-1#InstanceDetails:instanceId=i-0a0f7e1451da5f4a3\",\"hasLimitedInternetExposure\":true,\"hasWideInternetExposure\":true,\"id\":\"c828de0d-4c42-5b1c-946b-2edee094d0b3\",\"ipAddresses\":[\"89.160.20.112\",\"89.160.20.128\"],\"isAccessibleFromOtherSubscriptions\":false,\"isAccessibleFromOtherVnets\":false,\"isAccessibleFromVPN\":false,\"name\":\"test-4\",\"operatingSystem\":\"Linux\",\"providerUniqueId\":\"arn:aws:ec2:us-east-1:998231069301:instance/i-0a0f7e1451da5f4a3\",\"region\":\"us-east-1\",\"status\":\"Active\",\"subscriptionExternalId\":\"998231069301\",\"subscriptionId\":\"94e76baa-85fd-5928-b829-1669a2ca9660\",\"subscriptionName\":\"wiz-integrations\",\"tags\":{\"Name\":\"test-4\"},\"type\":\"VIRTUAL_MACHINE\"}}", "type": [ diff --git a/packages/wiz/docs/README.md b/packages/wiz/docs/README.md index 4b19d48e717..529621d7481 100644 --- a/packages/wiz/docs/README.md +++ b/packages/wiz/docs/README.md 
@@ -1,10 +1,22 @@ # Wiz -Wiz continuously prioritizes critical risks based on a deep cloud analysis across misconfigurations, network exposure, secrets, vulnerabilities, malware, and identities to build a single prioritized view of risk for your cloud. This [Wiz](https://www.wiz.io/) integration enables you to consume and analyze Wiz data within Elastic Security including issues, audit events, [misconfigurations](https://ela.st/cspm) and [vulnerabilities](https://ela.st/cnvm), providing you with visibility and context for your cloud environments within Elastic Security. +[Wiz](https://www.wiz.io/) continuously prioritizes critical risks based on a deep cloud analysis across misconfigurations, network exposure, secrets, vulnerabilities, malware, and identities to build a single prioritized view of risk for your cloud. + +This Wiz integration enables you to consume and analyze Wiz data within Elastic Security including issues, audit events, [misconfigurations](https://ela.st/cspm) [vulnerabilities](https://ela.st/cnvm) and defend which provides real-time threat detection based on runtime signals and cloud activity—giving you visibility and context for your cloud environments within Elastic Security. ## Data streams -The Wiz integration collects four types of data: Audit, Cloud Configuration Finding, Issue and Vulnerability. +The Wiz integration collects five types of data: + +- **Audit** - The Audit log records key events within the Wiz platform, including logins and any mutation API calls executed in the Wiz portal (such as write, edit, delete, and save actions). + +- **Cloud Configuration Finding** - A Cloud Configuration Finding is a result generated when a cloud resource does not pass a specific Cloud Configuration Rule. + +- **Defend** - Detects and alerts on real-time cloud threats using runtime signals, logs, and Wiz’s security graph via webhook integrations. + +- **Issue** - Issues represent active risks or threats identified in your cloud environment. 
+ +- **Vulnerability** - Vulnerabilities are weaknesses in computer systems that can be exploited by malicious attackers. ## Requirements @@ -43,26 +55,14 @@ Agentless deployments are only supported in Elastic Serverless and Elastic Cloud ## Setup -### To collect data from Wiz, the following parameters from your Wiz instance are required: +### To collect logs (Audit, Issue, Vulnerability, Cloud Configuration Findings) via GraphQL API: -1. Client ID -2. Client Secret -3. Token url -4. API Endpoint url -5. Required scopes for each data stream : +### Get the Wiz API URL: - | Data Stream | Scope | - | ------------- | ------------- | - | Audit | admin:audit | - | Issue | read:issues | - | Vulnerability | read:vulnerabilities | - | Cloud Configuration Finding | read:cloud_configuration | - | Cloud Configuration Finding Full Posture | read:cloud_configuration | - -### To obtain the Wiz URL -1. Navigate to your user profile and copy the API Endpoint URL. +1. Go to your user profile. +2. Copy the **API Endpoint URL**. -### Steps to obtain Client ID and Client Secret: +### Steps to get the Client ID and Client Secret: 1. In the Wiz dashboard Navigate to Settings > Service Accounts. 2. Click Add Service Account. 
@@ -72,17 +72,51 @@ Agentless deployments are only supported in Elastic Serverless and Elastic Cloud 6. Copy the Client Secret. Note that you won't be able to copy it after this stage. 7. Copy the Client ID, which is displayed under the Service Accounts page. +### Required scopes: + + | Data Stream | Scope | + | ------------- | ------------- | + | Audit | admin:audit | + | Issue | read:issues | + | Vulnerability | read:vulnerabilities | + | Cloud Configuration Finding | read:cloud_configuration | + | Cloud Configuration Finding Full Posture | read:cloud_configuration | + +### To collect logs (Defend) via HTTP Endpoint: + +1. Obtain the webhook URL +- Generate a webhook URL for the third-party product. +- (Recommended) Obtain or generate authentication info for the third-party product, either a username/password or an authentication token. + +2. Add a webhook Integration in Wiz +- In Wiz, go to the Settings > Integrations page, then click Add Integration. +- Under SIEM & Automation Tools, click Webhook. +- On the New Integration page: + - Enter a meaningful Name. + - Set the Project Scope. + - Paste the URL you generated earlier. + - (Optional) Click Add Header, then enter the name and value of a custom header to add to every webhook. + - Choose the type of Authentication to use: + - None—Not recommended at all, but hey, it's your data. + - Basic—Provide the Username and Password associated with your HTTP endpoint. + - Token—Enter an authentication token generated by the application that will be called from the webhook. + - For a more secure connection, enter a Client Certificate Authority and/or a Client Certificate to use in addition to whatever Authentication method was selected in the previous step. +- Click Add Integration. +- For more details, go to this [link](https://docs.wiz.io/docs/webhook-integration). + ### Enabling the integration in Elastic: 1. In Kibana go to Management > Integrations 2. In "Search for integrations" search bar, type Wiz 3. 
Click on the "Wiz" integration from the search results. 4. Click on the "Add Wiz" button to add the integration. -5. Add all the required integration configuration parameters, such as Client ID, Client Secret, URL, and Token URL. For all data streams, these parameters must be provided in order to retrieve logs. -6. Save the integration. +5. Enable the input type corresponding to the log source you wish to collect from. +6. Configure all the required integration parameters, including the listen address, listen port, and authentication method along with its corresponding required fields for the HTTP Endpoint input type. For the CEL input type, ensure you provide the Client ID, Client Secret, URL, and Token URL to successfully retrieve logs. +7. Save the integration. **Note:** - - Vulnerability data_stream pulls vulnerabilities from the previous day. + - Vulnerability data is fetched for the previous day. + - Custom headers are not supported in this integration. Only the standard Authorization header (e.g., Bearer token) is used for API requests. ## Logs Reference @@ -98,24 +132,24 @@ An example event for `audit` looks as following: { "@timestamp": "2023-07-21T07:07:21.105Z", "agent": { - "ephemeral_id": "5c3096ee-b490-4b19-a848-bfed150c1bca", - "id": "927b2eff-4394-4486-ab77-d6bfa7c529cf", - "name": "docker-fleet-agent", + "ephemeral_id": "ea58853f-b6e9-4a45-86ba-9551c6aec28f", + "id": "83d115a5-188d-46b5-95ce-7c8e49e04018", + "name": "elastic-agent-37311", "type": "filebeat", - "version": "8.10.1" + "version": "8.18.0" }, "data_stream": { "dataset": "wiz.audit", - "namespace": "ep", + "namespace": "68164", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "927b2eff-4394-4486-ab77-d6bfa7c529cf", - "snapshot": false, - "version": "8.10.1" + "id": "83d115a5-188d-46b5-95ce-7c8e49e04018", + "snapshot": true, + "version": "8.18.0" }, "event": { "action": "login", 
@@ -125,7 +159,7 @@ An example event for `audit` looks as following: ], "dataset": "wiz.audit", "id": "hhd8ab9c-f1bf-4a80-a1e1-13bc8769caf4", - "ingested": "2023-10-03T10:35:48Z", + "ingested": "2025-04-22T09:53:49Z", "kind": "event", "original": "{\"action\":\"Login\",\"actionParameters\":{\"clientID\":\"afsdafasmdgj5c\",\"groups\":null,\"name\":\"example\",\"products\":[\"*\"],\"role\":\"\",\"scopes\":[\"read:issues\",\"read:reports\",\"read:vulnerabilities\",\"update:reports\",\"create:reports\",\"admin:audit\"],\"userEmail\":\"\",\"userID\":\"afsafasdghbhdfg5t35fdgs\",\"userpoolID\":\"us-east-2_GQ3gwvxsQ\"},\"id\":\"hhd8ab9c-f1bf-4a80-a1e1-13bc8769caf4\",\"requestId\":\"hhd8ab9c-f1bf-4a80-a1e1-13bc8769caf4\",\"serviceAccount\":{\"id\":\"mlipebtwsndhxdmnzdwrxzmiolvzt6topjvv4nugzctcsyarazrhg\",\"name\":\"elastic\"},\"sourceIP\":null,\"status\":\"SUCCESS\",\"timestamp\":\"2023-07-21T07:07:21.105685Z\",\"user\":null,\"userAgent\":null}", "outcome": "success", 
@@ -232,77 +266,111 @@ An example event for `cloud_configuration_finding` looks as following: ```json { - "@timestamp": "2023-06-12T11:38:07.900Z", + "@timestamp": "2024-08-07T12:55:52.012Z", + "agent": { + "ephemeral_id": "3fdb83a8-3bce-4186-8cee-72dd95c25b4d", + "id": "4815c547-4daf-42b8-a256-e931be9bc655", + "name": "elastic-agent-89828", + "type": "filebeat", + "version": "8.18.0" + }, "cloud": { "account": { - "id": "cfd132be-3bc7-4f86-8efd-ed53ae498fec", - "name": "Wiz - DEV Outpost" + "id": "998231069301", + "name": "wiz-integrations" }, - "provider": "azure" + "provider": "aws", + "service": { + "name": "eks" + } + }, + "data_stream": { + "dataset": "wiz.cloud_configuration_finding", + "namespace": "30878", + "type": "logs" }, "ecs": { "version": "8.11.0" }, + "elastic_agent": { + "id": "4815c547-4daf-42b8-a256-e931be9bc655", + "snapshot": true, + "version": "8.18.0" + }, "event": { + "agent_id_status": "verified", "category": [ "configuration" ], - "created": "2023-06-12T11:38:07.900Z", - "id": "bdeba988-f41b-55e6-9b99-96b8d3dc67d4", + "created": "2024-08-07T12:55:52.012Z", + "dataset": "wiz.cloud_configuration_finding", + "id": "1243196d-a365-589a-a8aa-13817c9877b2", + "ingested": "2025-04-22T09:54:52Z", "kind": "state", - "original": "{\"id\":\"bdeba988-f41b-55e6-9b99-96b8d3dc67d4\",\"targetExternalId\":\"k8s/pod/da99fd668e64c2def251b1d48b7b69ad3129638787a0f9144a993fe30fd4554f/default/cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx\",\"targetObjectProviderUniqueId\":\"cd971d74-92db-495c-8244-82da9a988fd0\",\"firstSeenAt\":\"2023-06-12T11:38:07.900129Z\",\"analyzedAt\":\"2023-06-12T11:38:07.900129Z\",\"severity\":\"LOW\",\"result\":\"FAIL\",\"status\":\"OPEN\",\"remediation\":\"Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \\r\\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . 
\\r\\n* `securityContext.capabilities.drop` key is set to `ALL`. \\r\\n\",\"resource\":{\"id\":\"0e814bb7-29e8-5c15-be9c-8da42c67ee99\",\"providerId\":\"provider-id-0e814bb7-29e8-5c15-be9c-8da42c67ee99\",\"name\":\"cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx\",\"nativeType\":\"Pod\",\"type\":\"POD\",\"region\":null,\"subscription\":{\"id\":\"a3a3cc43-1dfd-50f1-882e-692840d4a891\",\"name\":\"Wiz - DEV Outpost\",\"externalId\":\"cfd132be-3bc7-4f86-8efd-ed53ae498fec\",\"cloudProvider\":\"Azure\"},\"projects\":null,\"tags\":[{\"key\":\"pod-template-hash\",\"value\":\"8bc677d64\"},{\"key\":\"app.kubernetes.io/name\",\"value\":\"azure-cluster-autoscaler\"},{\"key\":\"app.kubernetes.io/instance\",\"value\":\"cluster-autoscaler\"}]},\"rule\":{\"id\":\"73553de7-f2ad-4ffb-b425-c69815033530\",\"shortId\":\"Pod-32\",\"graphId\":\"99ffeef7-75df-5c88-9265-5ab50ffbc2b9\",\"name\":\"Pod should run containers with authorized additional capabilities (PSS Restricted)\",\"description\":\"This rule is part of the Kubernetes [Pod Security Standards (PSS) restricted policies](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). \\nThis rule checks whether the pod is running containers with authorized additional capabilities. \\nThis rule fails if the `securityContext.capabilities.add` contains any capability beyond `NET_BIND_SERVICE` and if `securityContext.capabilities.drop` is not set to `ALL`. \\nBy default, if the `securityContext.capabilities.add` key is not set, the pod will not run with additional capabilities, and the rule will pass. 
\\nLinux capabilities allow granting certain privileges to a container without granting any unnecessary ones intended for the root user.\",\"remediationInstructions\":\"Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \\r\\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . \\r\\n* `securityContext.capabilities.drop` key is set to `ALL`. \\r\\n\",\"functionAsControl\":false},\"securitySubCategories\":[{\"id\":\"wsct-id-5206\",\"title\":\"Container Security\",\"category\":{\"id\":\"wct-id-423\",\"name\":\"9 Container Security\",\"framework\":{\"id\":\"wf-id-1\",\"name\":\"Wiz\"}}},{\"id\":\"wsct-id-8176\",\"title\":\"5.1 Containers should not run with additional capabilities\",\"category\":{\"id\":\"wct-id-1295\",\"name\":\"5 Capabilities\",\"framework\":{\"id\":\"wf-id-57\",\"name\":\"Kubernetes Pod Security Standards (Restricted)\"}}},{\"id\":\"wsct-id-8344\",\"title\":\"Cluster misconfiguration\",\"category\":{\"id\":\"wct-id-1169\",\"name\":\"2 Container & Kubernetes Security\",\"framework\":{\"id\":\"wf-id-53\",\"name\":\"Wiz Detailed\"}}}]}", - "outcome": "failure", + "original": "{\"analyzedAt\":\"2024-08-07T12:55:52.012378Z\",\"id\":\"1243196d-a365-589a-a8aa-13817c9877b2\",\"remediation\":null,\"resource\":{\"cloudPlatform\":\"EKS\",\"id\":\"f0f4163d-cbd7-517c-ba9e-f96bb90ab5ea\",\"name\":\"Root user\",\"nativeType\":\"rootUser\",\"providerId\":\"arn:aws:iam::998231069301:root\",\"region\":null,\"subscription\":{\"cloudProvider\":\"AWS\",\"externalId\":\"998231069301\",\"id\":\"94e76baa-85fd-5928-b829-1669a2ca9660\",\"name\":\"wiz-integrations\"},\"tags\":[],\"type\":\"USER_ACCOUNT\"},\"result\":\"PASS\",\"rule\":{\"description\":\"This rule checks if the AWS Root Account has access keys. \\nThis rule fails if `AccountAccessKeysPresent` is not set to `0`. 
Note that it does not take into consideration the status of the keys if present. \\nThe root account should avoid using access keys. Since the root account has full permissions across the entire account, creating access keys for it increases the chance that they will be compromised. Instead, it is recommended to create IAM users with predefined roles.\\n\\u003e**Note** \\nSee Cloud Configuration Rule `IAM-207` to see if the Root account's access keys are active.\",\"id\":\"563ed717-4fb6-47fd-929e-9c794e201d0a\",\"name\":\"Root account access keys should not exist\",\"remediationInstructions\":\"Perform the following steps, while being signed in as the Root user, in order to delete the root user's access keys via AWS CLI: \\n1. Use the following command to list the Root user's access keys. \\nCopy the `AccessKeyId` from the output and paste it into the `access-key-id` value in the next step. \\n```\\naws iam list-access-keys\\n```\\n2. Use the following command to delete the access key(s). \\n```\\naws iam delete-access-key /\\n --access-key-id \\u003cvalue\\u003e\\n```\\n\\u003e**Note** \\nOnce an access key is removed, any application using it will not work until a new one is configured for it.\",\"shortId\":\"IAM-006\"},\"severity\":\"MEDIUM\"}", + "outcome": "success", "type": [ "info" - ] + ], + "url": "https://app.wiz.io/findings/configuration-findings/cloud#~(filters~(status~()~rule~(equals~(~'563ed717-4fb6-47fd-929e-9c794e201d0a)))~groupBy~(~)~entity~(~'1243196d-a365-589a-a8aa-13817c9877b2*2cCONFIGURATION_FINDING))" + }, + "input": { + "type": "cel" }, - "message": "This rule is part of the Kubernetes [Pod Security Standards (PSS) restricted policies](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). \nThis rule checks whether the pod is running containers with authorized additional capabilities. 
\nThis rule fails if the `securityContext.capabilities.add` contains any capability beyond `NET_BIND_SERVICE` and if `securityContext.capabilities.drop` is not set to `ALL`. \nBy default, if the `securityContext.capabilities.add` key is not set, the pod will not run with additional capabilities, and the rule will pass. \nLinux capabilities allow granting certain privileges to a container without granting any unnecessary ones intended for the root user.", + "message": "This rule checks if the AWS Root Account has access keys. \nThis rule fails if `AccountAccessKeysPresent` is not set to `0`. Note that it does not take into consideration the status of the keys if present. \nThe root account should avoid using access keys. Since the root account has full permissions across the entire account, creating access keys for it increases the chance that they will be compromised. Instead, it is recommended to create IAM users with predefined roles.\n>**Note** \nSee Cloud Configuration Rule `IAM-207` to see if the Root account's access keys are active.", "observer": { "vendor": "Wiz" }, "resource": { - "id": "provider-id-0e814bb7-29e8-5c15-be9c-8da42c67ee99", - "name": "cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx", - "sub_type": "Pod", - "type": "POD" + "id": "arn:aws:iam::998231069301:root", + "name": "Root user", + "sub_type": "rootUser", + "type": "USER_ACCOUNT" }, "result": { - "evaluation": "FAILED" + "evaluation": "passed" }, "rule": { - "description": "This rule is part of the Kubernetes [Pod Security Standards (PSS) restricted policies](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). \nThis rule checks whether the pod is running containers with authorized additional capabilities. \nThis rule fails if the `securityContext.capabilities.add` contains any capability beyond `NET_BIND_SERVICE` and if `securityContext.capabilities.drop` is not set to `ALL`. 
\nBy default, if the `securityContext.capabilities.add` key is not set, the pod will not run with additional capabilities, and the rule will pass. \nLinux capabilities allow granting certain privileges to a container without granting any unnecessary ones intended for the root user.", - "id": "Pod-32", - "name": "Pod should run containers with authorized additional capabilities (PSS Restricted)", - "remediation": "Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \r\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . \r\n* `securityContext.capabilities.drop` key is set to `ALL`. \r\n", - "uuid": "73553de7-f2ad-4ffb-b425-c69815033530" + "description": "This rule checks if the AWS Root Account has access keys. \nThis rule fails if `AccountAccessKeysPresent` is not set to `0`. Note that it does not take into consideration the status of the keys if present. \nThe root account should avoid using access keys. Since the root account has full permissions across the entire account, creating access keys for it increases the chance that they will be compromised. Instead, it is recommended to create IAM users with predefined roles.\n>**Note** \nSee Cloud Configuration Rule `IAM-207` to see if the Root account's access keys are active.", + "id": "IAM-006", + "name": "Root account access keys should not exist", + "remediation": "Perform the following steps, while being signed in as the Root user, in order to delete the root user's access keys via AWS CLI: \n1. Use the following command to list the Root user's access keys. \nCopy the `AccessKeyId` from the output and paste it into the `access-key-id` value in the next step. \n```\naws iam list-access-keys\n```\n2. Use the following command to delete the access key(s). 
\n```\naws iam delete-access-key /\n --access-key-id \n```\n>**Note** \nOnce an access key is removed, any application using it will not work until a new one is configured for it.", + "uuid": "563ed717-4fb6-47fd-929e-9c794e201d0a" }, "tags": [ "preserve_original_event", - "preserve_duplicate_custom_fields" + "preserve_duplicate_custom_fields", + "forwarded", + "wiz-cloud_configuration_finding" ], + "user": { + "id": "arn:aws:iam::998231069301:root", + "name": "Root user" + }, "wiz": { "cloud_configuration_finding": { - "analyzed_at": "2023-06-12T11:38:07.900Z", - "id": "bdeba988-f41b-55e6-9b99-96b8d3dc67d4", + "analyzed_at": "2024-08-07T12:55:52.012Z", + "id": "1243196d-a365-589a-a8aa-13817c9877b2", "resource": { - "id": "0e814bb7-29e8-5c15-be9c-8da42c67ee99", - "name": "cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx", - "native_type": "Pod", - "provider_id": "provider-id-0e814bb7-29e8-5c15-be9c-8da42c67ee99", + "cloud_platform": "EKS", + "id": "f0f4163d-cbd7-517c-ba9e-f96bb90ab5ea", + "name": "Root user", + "native_type": "rootUser", + "provider_id": "arn:aws:iam::998231069301:root", "subscription": { - "cloud_provider": "Azure", - "external_id": "cfd132be-3bc7-4f86-8efd-ed53ae498fec", - "name": "Wiz - DEV Outpost" + "cloud_provider": "AWS", + "external_id": "998231069301", + "name": "wiz-integrations" }, - "type": "POD" + "type": "USER_ACCOUNT" }, - "result": "FAIL", + "result": "PASS", "rule": { - "description": "This rule is part of the Kubernetes [Pod Security Standards (PSS) restricted policies](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). \nThis rule checks whether the pod is running containers with authorized additional capabilities. \nThis rule fails if the `securityContext.capabilities.add` contains any capability beyond `NET_BIND_SERVICE` and if `securityContext.capabilities.drop` is not set to `ALL`. 
\nBy default, if the `securityContext.capabilities.add` key is not set, the pod will not run with additional capabilities, and the rule will pass. \nLinux capabilities allow granting certain privileges to a container without granting any unnecessary ones intended for the root user.", - "id": "73553de7-f2ad-4ffb-b425-c69815033530", - "name": "Pod should run containers with authorized additional capabilities (PSS Restricted)", - "remediation_instructions": "Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \r\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . \r\n* `securityContext.capabilities.drop` key is set to `ALL`. \r\n", - "short_id": "Pod-32" + "description": "This rule checks if the AWS Root Account has access keys. \nThis rule fails if `AccountAccessKeysPresent` is not set to `0`. Note that it does not take into consideration the status of the keys if present. \nThe root account should avoid using access keys. Since the root account has full permissions across the entire account, creating access keys for it increases the chance that they will be compromised. Instead, it is recommended to create IAM users with predefined roles.\n>**Note** \nSee Cloud Configuration Rule `IAM-207` to see if the Root account's access keys are active.", + "id": "563ed717-4fb6-47fd-929e-9c794e201d0a", + "name": "Root account access keys should not exist", + "remediation_instructions": "Perform the following steps, while being signed in as the Root user, in order to delete the root user's access keys via AWS CLI: \n1. Use the following command to list the Root user's access keys. \nCopy the `AccessKeyId` from the output and paste it into the `access-key-id` value in the next step. \n```\naws iam list-access-keys\n```\n2. Use the following command to delete the access key(s). 
\n```\naws iam delete-access-key /\n --access-key-id \n```\n>**Note** \nOnce an access key is removed, any application using it will not work until a new one is configured for it.", + "short_id": "IAM-006" } } } 
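Review bot: `result.evaluation` changes case in this hunk, from `"FAILED"` in the removed sample to `"passed"` in the new one, which suggests the pipeline now normalizes the value to lowercase; confirm this is intentional and note it in the changelog, since any saved search or detection rule filtering on `result.evaluation: FAILED` will silently stop matching. The same fixture also sets `wiz.cloud_configuration_finding.resource.cloud_platform` to `"EKS"` for an IAM root user (`arn:aws:iam::998231069301:root`), which is an odd pairing for an example documenting the AWS root-key rule; a realistic value (or `null`) would make the README example less confusing.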
@@ -366,77 +434,109 @@ An example event for `cloud_configuration_finding_full_posture` looks as followi ```json { - "@timestamp": "2023-06-12T11:38:07.900Z", + "@timestamp": "2025-04-22T09:55:55.722365112Z", + "agent": { + "ephemeral_id": "5f4b4a3b-5fe7-41c7-ae81-1859e2eb9fcf", + "id": "54fad7af-68b0-41e9-ba13-01893279295d", + "name": "elastic-agent-30873", + "type": "filebeat", + "version": "8.18.0" + }, "cloud": { "account": { - "id": "cfd132be-3bc7-4f86-8efd-ed53ae498fec", - "name": "Wiz - DEV Outpost" + "id": "998231069301", + "name": "wiz-integrations" }, - "provider": "azure" + "provider": "aws", + "service": { + "name": "eks" + } + }, + "data_stream": { + "dataset": "wiz.cloud_configuration_finding_full_posture", + "namespace": "26487", + "type": "logs" }, "ecs": { "version": "8.11.0" }, + "elastic_agent": { + "id": "54fad7af-68b0-41e9-ba13-01893279295d", + "snapshot": true, + "version": "8.18.0" + }, "event": { + "agent_id_status": "verified", "category": [ "configuration" ], - "created": "2023-06-12T11:38:07.900Z", - "id": "bdeba988-f41b-55e6-9b99-96b8d3dc67d4", + "created": "2024-08-07T12:55:52.012Z", + "dataset": "wiz.cloud_configuration_finding_full_posture", + "id": "1243196d-a365-589a-a8aa-13817c9877b2", + "ingested": "2025-04-22T09:55:55Z", "kind": "state", - "original": "{\"id\":\"bdeba988-f41b-55e6-9b99-96b8d3dc67d4\",\"targetExternalId\":\"k8s/pod/da99fd668e64c2def251b1d48b7b69ad3129638787a0f9144a993fe30fd4554f/default/cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx\",\"targetObjectProviderUniqueId\":\"cd971d74-92db-495c-8244-82da9a988fd0\",\"firstSeenAt\":\"2023-06-12T11:38:07.900129Z\",\"analyzedAt\":\"2023-06-12T11:38:07.900129Z\",\"severity\":\"LOW\",\"result\":\"FAIL\",\"status\":\"OPEN\",\"remediation\":\"Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \\r\\n* The following capabilities are not allowed : 
{{removeUnnecessaryCapabilities}} . \\r\\n* `securityContext.capabilities.drop` key is set to `ALL`. \\r\\n\",\"resource\":{\"id\":\"0e814bb7-29e8-5c15-be9c-8da42c67ee99\",\"providerId\":\"provider-id-0e814bb7-29e8-5c15-be9c-8da42c67ee99\",\"name\":\"cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx\",\"nativeType\":\"Pod\",\"type\":\"POD\",\"region\":null,\"subscription\":{\"id\":\"a3a3cc43-1dfd-50f1-882e-692840d4a891\",\"name\":\"Wiz - DEV Outpost\",\"externalId\":\"cfd132be-3bc7-4f86-8efd-ed53ae498fec\",\"cloudProvider\":\"Azure\"},\"projects\":null,\"tags\":[{\"key\":\"pod-template-hash\",\"value\":\"8bc677d64\"},{\"key\":\"app.kubernetes.io/name\",\"value\":\"azure-cluster-autoscaler\"},{\"key\":\"app.kubernetes.io/instance\",\"value\":\"cluster-autoscaler\"}]},\"rule\":{\"id\":\"73553de7-f2ad-4ffb-b425-c69815033530\",\"shortId\":\"Pod-32\",\"graphId\":\"99ffeef7-75df-5c88-9265-5ab50ffbc2b9\",\"name\":\"Pod should run containers with authorized additional capabilities (PSS Restricted)\",\"description\":\"This rule is part of the Kubernetes [Pod Security Standards (PSS) restricted policies](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). \\nThis rule checks whether the pod is running containers with authorized additional capabilities. \\nThis rule fails if the `securityContext.capabilities.add` contains any capability beyond `NET_BIND_SERVICE` and if `securityContext.capabilities.drop` is not set to `ALL`. \\nBy default, if the `securityContext.capabilities.add` key is not set, the pod will not run with additional capabilities, and the rule will pass. 
\\nLinux capabilities allow granting certain privileges to a container without granting any unnecessary ones intended for the root user.\",\"remediationInstructions\":\"Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \\r\\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . \\r\\n* `securityContext.capabilities.drop` key is set to `ALL`. \\r\\n\",\"functionAsControl\":false},\"securitySubCategories\":[{\"id\":\"wsct-id-5206\",\"title\":\"Container Security\",\"category\":{\"id\":\"wct-id-423\",\"name\":\"9 Container Security\",\"framework\":{\"id\":\"wf-id-1\",\"name\":\"Wiz\"}}},{\"id\":\"wsct-id-8176\",\"title\":\"5.1 Containers should not run with additional capabilities\",\"category\":{\"id\":\"wct-id-1295\",\"name\":\"5 Capabilities\",\"framework\":{\"id\":\"wf-id-57\",\"name\":\"Kubernetes Pod Security Standards (Restricted)\"}}},{\"id\":\"wsct-id-8344\",\"title\":\"Cluster misconfiguration\",\"category\":{\"id\":\"wct-id-1169\",\"name\":\"2 Container & Kubernetes Security\",\"framework\":{\"id\":\"wf-id-53\",\"name\":\"Wiz Detailed\"}}}]}", - "outcome": "failure", + "original": "{\"analyzedAt\":\"2024-08-07T12:55:52.012378Z\",\"id\":\"1243196d-a365-589a-a8aa-13817c9877b2\",\"remediation\":null,\"resource\":{\"cloudPlatform\":\"EKS\",\"id\":\"f0f4163d-cbd7-517c-ba9e-f96bb90ab5ea\",\"name\":\"Root user\",\"nativeType\":\"rootUser\",\"providerId\":\"arn:aws:iam::998231069301:root\",\"region\":null,\"subscription\":{\"cloudProvider\":\"AWS\",\"externalId\":\"998231069301\",\"id\":\"94e76baa-85fd-5928-b829-1669a2ca9660\",\"name\":\"wiz-integrations\"},\"tags\":[],\"type\":\"USER_ACCOUNT\"},\"result\":\"PASS\",\"rule\":{\"description\":\"description\",\"id\":\"563ed717-4fb6-47fd-929e-9c794e201d0a\",\"name\":\"Root account access keys should not 
exist\",\"remediationInstructions\":\"instructions\",\"shortId\":\"IAM-006\"},\"severity\":\"MEDIUM\"}", + "outcome": "success", "type": [ "info" ] }, - "message": "This rule is part of the Kubernetes [Pod Security Standards (PSS) restricted policies](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). \nThis rule checks whether the pod is running containers with authorized additional capabilities. \nThis rule fails if the `securityContext.capabilities.add` contains any capability beyond `NET_BIND_SERVICE` and if `securityContext.capabilities.drop` is not set to `ALL`. \nBy default, if the `securityContext.capabilities.add` key is not set, the pod will not run with additional capabilities, and the rule will pass. \nLinux capabilities allow granting certain privileges to a container without granting any unnecessary ones intended for the root user.", + "input": { + "type": "cel" + }, "observer": { "vendor": "Wiz" }, "resource": { - "id": "provider-id-0e814bb7-29e8-5c15-be9c-8da42c67ee99", - "name": "cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx", - "sub_type": "Pod", - "type": "POD" + "id": "arn:aws:iam::998231069301:root", + "name": "Root user", + "sub_type": "rootUser", + "type": "USER_ACCOUNT" }, "result": { - "evaluation": "FAILED" + "evaluation": "passed" }, "rule": { - "description": "This rule is part of the Kubernetes [Pod Security Standards (PSS) restricted policies](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). \nThis rule checks whether the pod is running containers with authorized additional capabilities. \nThis rule fails if the `securityContext.capabilities.add` contains any capability beyond `NET_BIND_SERVICE` and if `securityContext.capabilities.drop` is not set to `ALL`. \nBy default, if the `securityContext.capabilities.add` key is not set, the pod will not run with additional capabilities, and the rule will pass. 
\nLinux capabilities allow granting certain privileges to a container without granting any unnecessary ones intended for the root user.", - "id": "Pod-32", - "name": "Pod should run containers with authorized additional capabilities (PSS Restricted)", - "remediation": "Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \r\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . \r\n* `securityContext.capabilities.drop` key is set to `ALL`. \r\n", - "uuid": "73553de7-f2ad-4ffb-b425-c69815033530" + "description": "description", + "id": "IAM-006", + "name": "Root account access keys should not exist", + "remediation": "instructions", + "uuid": "563ed717-4fb6-47fd-929e-9c794e201d0a" }, "tags": [ "preserve_original_event", - "preserve_duplicate_custom_fields" + "preserve_duplicate_custom_fields", + "forwarded", + "wiz-cloud_configuration_finding_full_posture" ], + "user": { + "id": "arn:aws:iam::998231069301:root", + "name": "Root user" + }, "wiz": { "cloud_configuration_finding_full_posture": { - "analyzed_at": "2023-06-12T11:38:07.900Z", - "id": "bdeba988-f41b-55e6-9b99-96b8d3dc67d4", + "analyzed_at": "2024-08-07T12:55:52.012Z", + "id": "1243196d-a365-589a-a8aa-13817c9877b2", "resource": { - "id": "0e814bb7-29e8-5c15-be9c-8da42c67ee99", - "name": "cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx", - "native_type": "Pod", - "provider_id": "provider-id-0e814bb7-29e8-5c15-be9c-8da42c67ee99", + "cloud_platform": "EKS", + "id": "f0f4163d-cbd7-517c-ba9e-f96bb90ab5ea", + "name": "Root user", + "native_type": "rootUser", + "provider_id": "arn:aws:iam::998231069301:root", "subscription": { - "cloud_provider": "Azure", - "external_id": "cfd132be-3bc7-4f86-8efd-ed53ae498fec", - "name": "Wiz - DEV Outpost" + "cloud_provider": "AWS", + "external_id": "998231069301", + "name": "wiz-integrations" }, - "type": "POD" + "type": 
"USER_ACCOUNT" }, - "result": "FAIL", + "result": "PASS", "rule": { - "description": "This rule is part of the Kubernetes [Pod Security Standards (PSS) restricted policies](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). \nThis rule checks whether the pod is running containers with authorized additional capabilities. \nThis rule fails if the `securityContext.capabilities.add` contains any capability beyond `NET_BIND_SERVICE` and if `securityContext.capabilities.drop` is not set to `ALL`. \nBy default, if the `securityContext.capabilities.add` key is not set, the pod will not run with additional capabilities, and the rule will pass. \nLinux capabilities allow granting certain privileges to a container without granting any unnecessary ones intended for the root user.", - "id": "73553de7-f2ad-4ffb-b425-c69815033530", - "name": "Pod should run containers with authorized additional capabilities (PSS Restricted)", - "remediation_instructions": "Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \r\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . \r\n* `securityContext.capabilities.drop` key is set to `ALL`. \r\n", - "short_id": "Pod-32" + "description": "description", + "id": "563ed717-4fb6-47fd-929e-9c794e201d0a", + "name": "Root account access keys should not exist", + "remediation_instructions": "instructions", + "short_id": "IAM-006" } } } 
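Review bot: `ecs.version` in the regenerated `cloud_configuration_finding_full_posture` sample is still `"8.11.0"`, while build.yml in this change moves the ECS reference to `git@v8.17.0` and the new `defend` sample reports `"8.17.0"`; the `ecs.version` set in this data stream's ingest pipeline looks like it was not bumped (or the sample predates the bump), so please align it and regenerate. Two smaller points on the same hunk: the fixture uses the placeholders `"description": "description"` and `"remediation": "instructions"` under `rule`, which makes this README example far less useful than the `cloud_configuration_finding` one directly above it, and the new event drops the top-level `message` field entirely even though `rule.description` is populated, so check whether the pipeline still sets `message` from the rule description as the removed sample did.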
@@ -492,6 +592,387 @@ An example event for `cloud_configuration_finding_full_posture` looks as followi | wiz.cloud_configuration_finding_full_posture.status | | keyword | +### Defend + +This is the `Defend` dataset. + +#### Example + +An example event for `defend` looks as following: + +```json +{ + "@timestamp": "2025-01-21T18:52:15.838Z", + "agent": { + "ephemeral_id": "10c542b8-ed29-40a5-9d04-f32da0fef9bc", + "id": "c4be22ec-fa52-4247-accb-8c8e1762c834", + "name": "elastic-agent-50085", + "type": "filebeat", + "version": "8.18.0" + }, + "cloud": { + "provider": "AWS" + }, + "data_stream": { + "dataset": "wiz.defend", + "namespace": "18676", + "type": "logs" + }, + "ecs": { + "version": "8.17.0" + }, + "elastic_agent": { + "id": "c4be22ec-fa52-4247-accb-8c8e1762c834", + "snapshot": true, + "version": "8.18.0" + }, + "event": { + "action": "created", + "agent_id_status": "verified", + "category": [ + "threat" + ], + "dataset": "wiz.defend", + "id": "2b46aa0d-9f46-5cb9-a6ae-e83ca514144a", + "ingested": "2025-04-28T09:00:38Z", + "kind": "event", + "original": "{\"severity\":\"MEDIUM\",\"threatId\":\"733edfe5-db25-5b14-ac58-dc69d6005c81\",\"description\":\"Process executed the touch binary with the relevant command line flag used to modify files date information such as creation time, and last modification time. 
This could indicate the presence of a threat actor achieving defense evasion using the Timestomping technique.\",\"trigger\":{\"ruleName\":\"Detections Webhook Test Rule\",\"source\":\"DETECTIONS\",\"type\":\"Created\",\"ruleId\":\"a08fe977-3f54-48bf-adcf-f76994739c1f\"},\"tdrId\":\"46fd0cdc-252e-5e69-be6e-66e4851d7ae4\",\"title\":\"Timestomping technique was detected\",\"triggeringEventsCount\":2,\"tdrSource\":\"WIZ_SENSOR\",\"primaryResource\":{\"cloudAccount\":{\"cloudPlatform\":\"AWS\",\"externalId\":\"134653897021\",\"id\":\"5d67ed02-738e-5217-b065-d93642dd2629\"},\"nativeType\":\"ecs#containerinstance\",\"name\":\"test-container\",\"externalId\":\"test-container\",\"id\":\"da259b23-de77-5adb-8336-8c4071696305\",\"region\":\"us-east-1\",\"type\":\"CONTAINER\"},\"mitreTechniques\":[\"T1070.006\"],\"cloudAccounts\":[{\"cloudPlatform\":\"AWS\",\"externalId\":\"134653897021\",\"id\":\"5d67ed02-738e-5217-b065-d93642dd2629\"}],\"timeframe\":{\"start\":\"2025-01-21T18:52:15.838Z\",\"end\":\"2025-01-21T18:52:15.838Z\"},\"createdAt\":\"2025-01-21T18:52:16.819883668Z\",\"mitreTactics\":[\"TA0005\"],\"id\":\"6a440e9b-c8d8-5482-a0e9-da714359aecf\",\"threatURL\":\"https://test.wiz.io/issues#~(issue~'733edfe5-db25-5b14-ac58-dc69d6005c81)\",\"triggeringEvent\":{\"cloudPlatform\":\"AWS\",\"origin\":\"WIZ_SENSOR\",\"externalId\":\"Ptrace##test-container-SensorRuleEngine##sen-id-142-bd820642-34f2-4d3c-90b6-c384df0fd528\",\"description\":\"The program /usr/bin/bash executed the program /usr/bin/touch on container 
test-container\",\"resources\":[{\"cloudAccount\":{\"cloudPlatform\":\"AWS\",\"externalId\":\"134653897021\",\"id\":\"5d67ed02-738e-5217-b065-d93642dd2629\"},\"nativeType\":\"ecs#containerinstance\",\"name\":\"test-container\",\"externalId\":\"test-container\",\"id\":\"da259b23-de77-5adb-8336-8c4071696305\",\"region\":\"us-east-1\",\"type\":\"CONTAINER\"}],\"source\":\"WizSensorAlert##RuleEngine\",\"runtimeDetails\":{\"processTree\":[{\"container\":{\"imageId\":\"d18500ef-c0f7-5028-8c4c-1cd56c3a6652\",\"name\":\"test-container\",\"externalId\":\"test-container\",\"imageExternalId\":\"sha256:dcad76015854d8bcab3041a631d9d25d777325bb78abfa8ab0882e1b85ad84bb\",\"id\":\"da259b23-de77-5adb-8336-8c4071696305\"},\"executionTime\":\"2025-01-21T18:52:15.838Z\",\"path\":\"/usr/bin/touch\",\"size\":109616,\"id\":\"1560\",\"userId\":\"0\",\"hash\":\"a0d0c6248d07a8fa8e3b6a94e218ff9c8c372ad6\",\"command\":\"touch -r /usr/bin /tmp/uga\",\"username\":\"root\"},{\"container\":{\"imageId\":\"d18500ef-c0f7-5028-8c4c-1cd56c3a6652\",\"name\":\"test-container\",\"externalId\":\"test-container\",\"imageExternalId\":\"sha256:dcad76015854d8bcab3041a631d9d25d777325bb78abfa8ab0882e1b85ad84bb\",\"id\":\"da259b23-de77-5adb-8336-8c4071696305\"},\"executionTime\":\"2025-01-21T18:52:15.838Z\",\"path\":\"/usr/bin/bash\",\"size\":1265648,\"id\":\"1560\",\"userId\":\"0\",\"hash\":\"91fbd9d8c65de48dc82a1064b8a4fc89f5651778\",\"command\":\"/bin/bash -x -c touch -r /usr/bin /tmp/uga\",\"username\":\"root\"}]},\"cloudProviderUrl\":\"https://console.aws.amazon.com/cloudtrail/home?region=us-east-1#/events/Ptrace##test-container-SensorRuleEngine##sen-id-142-bd820642-34f2-4d3c-90b6-c384df0fd528\",\"actor\":{\"nativeType\":\"Microsoft Entra ID Application Service Principal\",\"name\":\"test-actor\",\"externalId\":\"test-actor\",\"id\":\"4e1bd57f-49b2-47a8-a4a7-0e66fe0b770e\",\"type\":\"SERVICE_ACCOUNT\"},\"actorIPMeta\":{\"reputationSource\":\"Recorded Future\",\"country\":\"United 
States\",\"isForeign\":true,\"reputation\":\"Benign\",\"autonomousSystemNumber\":8075,\"autonomousSystemOrganization\":\"MICROSOFT-CORP-MSN-AS-BLOCK\"},\"name\":\"Timestomping technique was detected\",\"eventTime\":\"2025-01-21T18:52:15.838Z\",\"id\":\"2b46aa0d-9f46-5cb9-a6ae-e83ca514144a\",\"category\":\"Detection\",\"status\":\"Success\",\"actorIP\":\"81.2.69.192\"},\"cloudOrganizations\":[]}", + "outcome": "success", + "provider": "WizSensorAlert##RuleEngine", + "severity": 47, + "type": [ + "indicator" + ] + }, + "input": { + "type": "http_endpoint" + }, + "message": "The program /usr/bin/bash executed the program /usr/bin/touch on container test-container", + "observer": { + "product": "Defend", + "vendor": "Wiz" + }, + "related": { + "hash": [ + "a0d0c6248d07a8fa8e3b6a94e218ff9c8c372ad6", + "91fbd9d8c65de48dc82a1064b8a4fc89f5651778" + ], + "ip": [ + "81.2.69.192" + ], + "user": [ + "4e1bd57f-49b2-47a8-a4a7-0e66fe0b770e", + "test-actor", + "0", + "root" + ] + }, + "rule": { + "id": "a08fe977-3f54-48bf-adcf-f76994739c1f", + "name": "Detections Webhook Test Rule" + }, + "source": { + "as": { + "number": 8075, + "organization": { + "name": "MICROSOFT-CORP-MSN-AS-BLOCK" + } + }, + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + } + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "wiz-defend" + ], + "threat": { + "indicator": { + "id": [ + "733edfe5-db25-5b14-ac58-dc69d6005c81" + ], + "reference": "https://test.wiz.io/issues#~(issue~'733edfe5-db25-5b14-ac58-dc69d6005c81)" + }, + "tactic": { + "id": [ + "TA0005" + ] + }, + "technique": { + "id": [ + "T1070.006" + ] + } + }, + "user": { + "id": "4e1bd57f-49b2-47a8-a4a7-0e66fe0b770e", + "name": "test-actor" + }, + "wiz": { + "defend": { + "created_at": 
"2025-01-21T18:52:16.819Z", + "description": "Process executed the touch binary with the relevant command line flag used to modify files date information such as creation time, and last modification time. This could indicate the presence of a threat actor achieving defense evasion using the Timestomping technique.", + "friendly_name": "Detections Webhook Test Rule", + "id": "6a440e9b-c8d8-5482-a0e9-da714359aecf", + "mitreTactics": [ + "TA0005" + ], + "mitreTechniques": [ + "T1070.006" + ], + "primary_resource": { + "cloud_account": { + "cloud_platform": "AWS", + "external_id": "134653897021", + "id": "5d67ed02-738e-5217-b065-d93642dd2629" + }, + "external_id": "test-container", + "id": "da259b23-de77-5adb-8336-8c4071696305", + "name": "test-container", + "native_type": "ecs#containerinstance", + "region": "us-east-1", + "type": "CONTAINER" + }, + "severity": "MEDIUM", + "tdr_id": "46fd0cdc-252e-5e69-be6e-66e4851d7ae4", + "tdr_source": "WIZ_SENSOR", + "threat_id": "733edfe5-db25-5b14-ac58-dc69d6005c81", + "threat_url": "https://test.wiz.io/issues#~(issue~'733edfe5-db25-5b14-ac58-dc69d6005c81)", + "timeframe": { + "end": "2025-01-21T18:52:15.838Z", + "start": "2025-01-21T18:52:15.838Z" + }, + "title": "Timestomping technique was detected", + "trigger": { + "rule_id": "a08fe977-3f54-48bf-adcf-f76994739c1f", + "rule_name": "Detections Webhook Test Rule", + "source": "DETECTIONS", + "type": "Created" + }, + "triggering_event": { + "actor": { + "external_id": "test-actor", + "id": "4e1bd57f-49b2-47a8-a4a7-0e66fe0b770e", + "name": "test-actor", + "native_type": "Microsoft Entra ID Application Service Principal", + "type": "SERVICE_ACCOUNT" + }, + "actor_ip": "81.2.69.192", + "actor_ip_meta": { + "autonomous_system_number": 8075, + "autonomous_system_organization": "MICROSOFT-CORP-MSN-AS-BLOCK", + "country": "United States", + "is_foreign": true, + "reputation": "Benign", + "reputation_source": "Recorded Future" + }, + "category": "Detection", + "cloud_platform": "AWS", + 
"cloud_provider_url": "https://console.aws.amazon.com/cloudtrail/home?region=us-east-1#/events/Ptrace##test-container-SensorRuleEngine##sen-id-142-bd820642-34f2-4d3c-90b6-c384df0fd528", + "description": "The program /usr/bin/bash executed the program /usr/bin/touch on container test-container", + "event_time": "2025-01-21T18:52:15.838Z", + "external_id": "Ptrace##test-container-SensorRuleEngine##sen-id-142-bd820642-34f2-4d3c-90b6-c384df0fd528", + "id": "2b46aa0d-9f46-5cb9-a6ae-e83ca514144a", + "name": "Timestomping technique was detected", + "origin": "WIZ_SENSOR", + "resources": [ + { + "cloud_account": { + "cloud_platform": "AWS", + "external_id": "134653897021", + "id": "5d67ed02-738e-5217-b065-d93642dd2629" + }, + "external_id": "test-container", + "id": "da259b23-de77-5adb-8336-8c4071696305", + "name": "test-container", + "native_type": "ecs#containerinstance", + "region": "us-east-1", + "type": "CONTAINER" + } + ], + "runtime_details": { + "process_tree": [ + { + "command": "touch -r /usr/bin /tmp/uga", + "container": { + "external_id": "test-container", + "id": "da259b23-de77-5adb-8336-8c4071696305", + "image_external_id": "sha256:dcad76015854d8bcab3041a631d9d25d777325bb78abfa8ab0882e1b85ad84bb", + "image_id": "d18500ef-c0f7-5028-8c4c-1cd56c3a6652", + "name": "test-container" + }, + "execution_time": "2025-01-21T18:52:15.838Z", + "hash": "a0d0c6248d07a8fa8e3b6a94e218ff9c8c372ad6", + "id": "1560", + "path": "/usr/bin/touch", + "size": 109616, + "user_id": "0", + "username": "root" + }, + { + "command": "/bin/bash -x -c touch -r /usr/bin /tmp/uga", + "container": { + "external_id": "test-container", + "id": "da259b23-de77-5adb-8336-8c4071696305", + "image_external_id": "sha256:dcad76015854d8bcab3041a631d9d25d777325bb78abfa8ab0882e1b85ad84bb", + "image_id": "d18500ef-c0f7-5028-8c4c-1cd56c3a6652", + "name": "test-container" + }, + "execution_time": "2025-01-21T18:52:15.838Z", + "hash": "91fbd9d8c65de48dc82a1064b8a4fc89f5651778", + "id": "1560", + "path": 
"/usr/bin/bash", + "size": 1265648, + "user_id": "0", + "username": "root" + } + ] + }, + "source": "WizSensorAlert##RuleEngine", + "status": "Success" + }, + "triggering_events_count": 2 + } + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| event.dataset | Event dataset. | constant_keyword | +| event.module | Event module. | constant_keyword | +| input.type | Type of Filebeat input. | keyword | +| log.offset | Log offset. | long | +| wiz.defend.cloudOrganizations.cloudProvider | | keyword | +| wiz.defend.cloudOrganizations.externalId | | keyword | +| wiz.defend.cloudOrganizations.name | | keyword | +| wiz.defend.created_at | ISO8601 timestamp for when detection was created. | date | +| wiz.defend.description | Description providing more details on the detection. | keyword | +| wiz.defend.detection_url | URL linking to more details on the detection. | keyword | +| wiz.defend.friendly_name | | keyword | +| wiz.defend.id | Unique identifier for the detection. | keyword | +| wiz.defend.mitreTactics | | keyword | +| wiz.defend.mitreTechniques | | keyword | +| wiz.defend.primary_actor.email | Primary Actor Email. | keyword | +| wiz.defend.primary_actor.external_id | Primary Actor External ID. | keyword | +| wiz.defend.primary_actor.id | Primary Actor ID. | keyword | +| wiz.defend.primary_actor.name | Primary Actor Name. | keyword | +| wiz.defend.primary_actor.native_type | Primary Actor Native Type. | keyword | +| wiz.defend.primary_actor.type | Primary Actor Type. | keyword | +| wiz.defend.primary_resource.cloud_account.cloud_platform | Cloud Platform associated with Cloud Account for primary resource. 
| keyword | +| wiz.defend.primary_resource.cloud_account.external_id | External ID for cloud account for primary resource. | keyword | +| wiz.defend.primary_resource.cloud_account.id | ID for cloud account for primary resource. | keyword | +| wiz.defend.primary_resource.cloud_provider_url | URL to resource in cloud provider console for primary resource. | keyword | +| wiz.defend.primary_resource.external_id | External ID of primary resource. | keyword | +| wiz.defend.primary_resource.id | ID of primary resource. | keyword | +| wiz.defend.primary_resource.kubernetes_cluster_id | ID of the Kubernetes cluster for primary resource. | keyword | +| wiz.defend.primary_resource.kubernetes_cluster_name | Name of the Kubernetes cluster for primary resource. | keyword | +| wiz.defend.primary_resource.kubernetes_namespace_id | ID of the Kubernetes namespace for primary resource. | keyword | +| wiz.defend.primary_resource.kubernetes_namespace_name | Name of the Kubernetes namespace for primary resource. | keyword | +| wiz.defend.primary_resource.kubernetes_node_id | ID of the Kubernetes node for primary resource. | keyword | +| wiz.defend.primary_resource.kubernetes_node_name | Name of the Kubernetes node for primary resource. | keyword | +| wiz.defend.primary_resource.name | Name of the resource for primary resource. | keyword | +| wiz.defend.primary_resource.native_type | Native type classification for primary resource. | keyword | +| wiz.defend.primary_resource.provider_unique_id | Unique identifier from the provider for primary resource. | keyword | +| wiz.defend.primary_resource.region | Geographic region for primary resource. | keyword | +| wiz.defend.primary_resource.status | Current status of the resource for primary resource. | keyword | +| wiz.defend.primary_resource.type | Type of resource for primary resource. | keyword | +| wiz.defend.severity | Severity level of the detection. | keyword | +| wiz.defend.source | Source of the detection, will be "DETECTIONS". 
| keyword | +| wiz.defend.tdr_id | TDR identifier. | keyword | +| wiz.defend.tdr_source | TDR source. | keyword | +| wiz.defend.threat_id | ID of the associated threat. | keyword | +| wiz.defend.threat_url | URL linking to more details on the threat. | keyword | +| wiz.defend.timeframe.end | End timeframe for detection frametime. | date | +| wiz.defend.timeframe.start | Start timeframe for detection frametime. | date | +| wiz.defend.title | Title or summary of the detection. | keyword | +| wiz.defend.trigger.rule_id | Triggered Rule ID. | keyword | +| wiz.defend.trigger.rule_name | Triggered Rule Name. | keyword | +| wiz.defend.trigger.source | Triggered Source Name. | keyword | +| wiz.defend.trigger.type | Triggered Source Type. | keyword | +| wiz.defend.triggering_event.actor.acting_as.id | Actor ID. | keyword | +| wiz.defend.triggering_event.actor.acting_as.name | Name of the actor. | keyword | +| wiz.defend.triggering_event.actor.acting_as.native_type | Native type classification. | keyword | +| wiz.defend.triggering_event.actor.acting_as.type | Type of the actor. | keyword | +| wiz.defend.triggering_event.actor.external_id | External ID. | keyword | +| wiz.defend.triggering_event.actor.id | Actor ID. | keyword | +| wiz.defend.triggering_event.actor.name | Name of the actor. | keyword | +| wiz.defend.triggering_event.actor.native_type | Native type classification. | keyword | +| wiz.defend.triggering_event.actor.provider_unique_id | Unique identifier from the provider. | keyword | +| wiz.defend.triggering_event.actor.type | Type of the actor. | keyword | +| wiz.defend.triggering_event.actor_ip | IP address of the actor. | ip | +| wiz.defend.triggering_event.actor_ip_meta.autonomous_system_number | ASN number. | long | +| wiz.defend.triggering_event.actor_ip_meta.autonomous_system_organization | Organization associated with ASN (ASO). | keyword | +| wiz.defend.triggering_event.actor_ip_meta.country | Country of origin for IP. 
| keyword | +| wiz.defend.triggering_event.actor_ip_meta.is_foreign | Whether IP is from foreign source. | boolean | +| wiz.defend.triggering_event.actor_ip_meta.related_attack_group_names | Attack groups associated with IP. | keyword | +| wiz.defend.triggering_event.actor_ip_meta.reputation | IP reputation rating. | keyword | +| wiz.defend.triggering_event.actor_ip_meta.reputation_description | Description of IP reputation. | keyword | +| wiz.defend.triggering_event.actor_ip_meta.reputation_source | Source of reputation data. | keyword | +| wiz.defend.triggering_event.category | Event category. | keyword | +| wiz.defend.triggering_event.cloud_platform | Cloud platform where event occurred. | keyword | +| wiz.defend.triggering_event.cloud_provider_url | URL to event in cloud provider console. | keyword | +| wiz.defend.triggering_event.description | Description of the event. | keyword | +| wiz.defend.triggering_event.event_time | ISO8601 timestamp of when event occurred. | date | +| wiz.defend.triggering_event.external_id | Event External ID. | keyword | +| wiz.defend.triggering_event.id | Event ID. | keyword | +| wiz.defend.triggering_event.name | Name of the event. | keyword | +| wiz.defend.triggering_event.origin | Origin of the event. | keyword | +| wiz.defend.triggering_event.resources.cloud_account.cloud_platform | Cloud Platform associated with Cloud Account. | keyword | +| wiz.defend.triggering_event.resources.cloud_account.external_id | External ID for cloud account. | keyword | +| wiz.defend.triggering_event.resources.cloud_account.id | ID for cloud account. | keyword | +| wiz.defend.triggering_event.resources.cloud_provider_url | URL to resource in cloud provider console. | keyword | +| wiz.defend.triggering_event.resources.external_id | External ID. | keyword | +| wiz.defend.triggering_event.resources.id | Resource ID. | keyword | +| wiz.defend.triggering_event.resources.kubernetes_cluster_id | ID of the Kubernetes cluster. 
| keyword | +| wiz.defend.triggering_event.resources.kubernetes_cluster_name | Name of the Kubernetes cluster. | keyword | +| wiz.defend.triggering_event.resources.kubernetes_namespace_id | ID of the Kubernetes namespace. | keyword | +| wiz.defend.triggering_event.resources.kubernetes_namespace_name | Name of the Kubernetes namespace. | keyword | +| wiz.defend.triggering_event.resources.kubernetes_node_id | ID of the Kubernetes node. | keyword | +| wiz.defend.triggering_event.resources.kubernetes_node_name | Name of the Kubernetes node. | keyword | +| wiz.defend.triggering_event.resources.name | Name of the resource. | keyword | +| wiz.defend.triggering_event.resources.native_type | Native type classification. | keyword | +| wiz.defend.triggering_event.resources.provider_unique_id | Unique identifier from the provider. | keyword | +| wiz.defend.triggering_event.resources.region | Geographic region. | keyword | +| wiz.defend.triggering_event.resources.status | Current status of the resource. | keyword | +| wiz.defend.triggering_event.resources.type | Type of resource. | keyword | +| wiz.defend.triggering_event.runtime_details.process_tree.command | Process command line. | keyword | +| wiz.defend.triggering_event.runtime_details.process_tree.container.external_id | Container External ID. | keyword | +| wiz.defend.triggering_event.runtime_details.process_tree.container.id | Container ID. | keyword | +| wiz.defend.triggering_event.runtime_details.process_tree.container.image_external_id | Container Image External ID. | keyword | +| wiz.defend.triggering_event.runtime_details.process_tree.container.image_id | Container Image ID. | keyword | +| wiz.defend.triggering_event.runtime_details.process_tree.container.name | Container Name. | keyword | +| wiz.defend.triggering_event.runtime_details.process_tree.execution_time | ISO8601 timestamp when process executed. | date | +| wiz.defend.triggering_event.runtime_details.process_tree.hash | Executable SHA1 hash. 
| keyword | +| wiz.defend.triggering_event.runtime_details.process_tree.id | Process Tree ID. | keyword | +| wiz.defend.triggering_event.runtime_details.process_tree.path | Executable path. | keyword | +| wiz.defend.triggering_event.runtime_details.process_tree.size | Executable size in bytes. | long | +| wiz.defend.triggering_event.runtime_details.process_tree.user_id | User ID that executed process. | keyword | +| wiz.defend.triggering_event.runtime_details.process_tree.username | Username that executed process. | keyword | +| wiz.defend.triggering_event.source | Source of the event. | keyword | +| wiz.defend.triggering_event.status | Status of the event. | keyword | +| wiz.defend.triggering_event.subject_resource_id | ID of the primary affected resource. | keyword | +| wiz.defend.triggering_event.subject_resource_ip | IP of the primary affected resource. | ip | +| wiz.defend.triggering_events_count | Count of events that triggered detection. | long | + + ### Issue This is the `Issue` dataset. @@ -502,13 +983,13 @@ An example event for `issue` looks as following: ```json { - "@timestamp": "2023-07-31T06:26:08.708Z", + "@timestamp": "2023-07-21T06:26:08.708Z", "agent": { - "ephemeral_id": "e74ac4d2-8565-45ee-8c61-c66b6f3151bf", - "id": "927b2eff-4394-4486-ab77-d6bfa7c529cf", - "name": "docker-fleet-agent", + "ephemeral_id": "1c453cfc-4ac3-49f8-80da-720ce2fb2df2", + "id": "ef1f42d0-9e3f-41dd-8482-9dbff945c288", + "name": "elastic-agent-39824", "type": "filebeat", - "version": "8.10.1" + "version": "8.18.0" }, "cloud": { "provider": "Kubernetes", 
@@ -516,31 +997,32 @@ An example event for `issue` looks as following: }, "data_stream": { "dataset": "wiz.issue", - "namespace": "ep", + "namespace": "41856", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { - "id": "927b2eff-4394-4486-ab77-d6bfa7c529cf", - "snapshot": false, - "version": "8.10.1" + "id": "ef1f42d0-9e3f-41dd-8482-9dbff945c288", + "snapshot": true, + "version": "8.18.0" }, "event": { "agent_id_status": "verified", "category": [ "configuration" ], - "created": "2023-08-23T07:56:09.903Z", + "created": "2023-08-21T07:56:09.903Z", "dataset": "wiz.issue", - "id": "fff9cffd-64a7-412c-9535-cf837f4b0b40", - "ingested": "2023-10-03T10:22:42Z", + "id": "ggf9cggd-64a7-412c-9445-cf837f4b0b10", + "ingested": "2025-04-22T10:00:06Z", "kind": "event", - "original": "{\"createdAt\":\"2023-08-23T07:56:09.903743Z\",\"dueAt\":\"2023-08-30T21:00:00Z\",\"entitySnapshot\":{\"cloudPlatform\":\"Kubernetes\",\"cloudProviderURL\":\"https://portal.az.com/#@sectest.on.com/resource//subscriptions/\",\"externalId\":\"k8s/clusterrole/aaa8e7ca2bf9bc85a75d5bbdd8ffd08d69f8852782a6341c3c3519sad45/system:aggregate-to-edit/12\",\"id\":\"e507d472-b7da-5f05-9b25-72a271336b14\",\"name\":\"system:aggregate-to-edit\",\"nativeType\":\"ClusterRole\",\"providerId\":\"k8s/clusterrole/aaa8e7ca2bf9bc85a75d5bbdd8ffd08d69f8852782a6341c3c3519bac0f24ae9/system:aggregate-to-edit/12\",\"region\":\"us-01\",\"resourceGroupExternalId\":\"/subscriptions/cfd132be-3bc7-4f86-8efd-ed53ae498fec/resourcegroups/test-selfmanaged-eastus\",\"status\":\"Active\",\"subscriptionExternalId\":\"998231069301\",\"subscriptionName\":\"demo-integrations\",\"subscriptionTags\":{},\"tags\":{\"kubernetes.io/bootstrapping\":\"rbac-defaults\",\"rbac.authorization.k8s.io/aggregate-to-edit\":\"true\"},\"type\":\"ACCESS_ROLE\"},\"id\":\"fff9cffd-64a7-412c-9535-cf837f4b0b40\",\"notes\":[{\"createdAt\":\"2023-08-23T07:56:09.903743Z\",\"serviceAccount\":{\"name\":\"rev-ke\"},\"text\":\"updated\",\"updatedAt\":\"2023-
08-09T23:10:22.588721Z\"},{\"createdAt\":\"2023-08-09T23:08:49.918941Z\",\"serviceAccount\":{\"name\":\"rev-ke2\"},\"text\":\"updated\",\"updatedAt\":\"2023-08-09T23:10:22.591487Z\"}],\"projects\":[{\"businessUnit\":\"\",\"id\":\"83b76efe-a7b6-5762-8a53-8e8f59e68bd8\",\"name\":\"Project 2\",\"riskProfile\":{\"businessImpact\":\"MBI\"},\"slug\":\"project-2\"},{\"businessUnit\":\"Dev\",\"id\":\"af52828c-4eb1-5c4e-847c-ebc3a5ead531\",\"name\":\"project 4\",\"riskProfile\":{\"businessImpact\":\"MBI\"},\"slug\":\"project-4\"},{\"businessUnit\":\"Dev\",\"id\":\"d6ac50bb-aec0-52fc-80ab-bacd7b02f178\",\"name\":\"Project1\",\"riskProfile\":{\"businessImpact\":\"MBI\"},\"slug\":\"project1\"}],\"resolvedAt\":\"2023-08-09T23:10:22.588721Z\",\"serviceTickets\":[{\"externalId\":\"638361121bbfdd10f6c1cbf3604bcb7e\",\"name\":\"SIR0010002\",\"url\":\"https://ven05658.testing.com/nav_to.do?uri=%2Fsn_si_incident.do%3Fsys_id%3D6385248sdsae421\"}],\"severity\":\"INFORMATIONAL\",\"sourceRule\":{\"__typename\":\"Control\",\"controlDescription\":\"These EKS principals assume roles that provide bind, escalate and impersonate permissions. \\n\\nThe `bind` permission allows users to create bindings to roles with rights they do not already have. The `escalate` permission allows users effectively escalate their privileges. The `impersonate` permission allows users to impersonate and gain the rights of other users in the cluster. 
Running containers with these permissions has the potential to effectively allow privilege escalation to the cluster-admin level.\",\"id\":\"wc-id-1335\",\"name\":\"EKS principals assume roles that provide bind, escalate and impersonate permissions\",\"resolutionRecommendation\":\"To follow the principle of least privilege and minimize the risk of unauthorized access and data breaches, it is recommended not to grant `bind`, `escalate` or `impersonate` permissions.\",\"securitySubCategories\":[{\"category\":{\"framework\":{\"name\":\"CIS EKS 1.2.0\"},\"name\":\"4.1 RBAC and Service Accounts\"},\"title\":\"4.1.8 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster - Level 1 (Manual)\"},{\"category\":{\"framework\":{\"name\":\"Wiz for Risk Assessment\"},\"name\":\"Identity Management\"},\"title\":\"Privileged principal\"},{\"category\":{\"framework\":{\"name\":\"Wiz\"},\"name\":\"9 Container Security\"},\"title\":\"Container Security\"},{\"category\":{\"framework\":{\"name\":\"Wiz for Risk Assessment\"},\"name\":\"Container \\u0026 Kubernetes Security\"},\"title\":\"Cluster misconfiguration\"}]},\"status\":\"IN_PROGRESS\",\"statusChangedAt\":\"2023-07-31T06:26:08.708199Z\",\"updatedAt\":\"2023-08-14T06:06:18.331647Z\"}", + "original": 
"{\"createdAt\":\"2023-08-21T07:56:09.903743Z\",\"dueAt\":\"2023-08-28T21:00:00Z\",\"entitySnapshot\":{\"cloudPlatform\":\"Kubernetes\",\"cloudProviderURL\":\"https://portal.az.com/#@sectest.on.com/resource//subscriptions/\",\"externalId\":\"k8s/clusterrole/aaa8e7ca2bf9bc85a75d5bbdd8ffd08d69f8852782a6341c3c3519sad45/system:aggregate-to-edit/12\",\"id\":\"f307d472-b7da-5t05-9b25-71a271336b14\",\"name\":\"system:aggregate-to-edit\",\"nativeType\":\"ClusterRole\",\"providerId\":\"k8s/clusterrole/aaa8e7ca2bf9bc85a75d5bbdd8ffd08d69f8852782a6341c3c3519bac0f24ae9/system:aggregate-to-edit/12\",\"region\":\"us-01\",\"resourceGroupExternalId\":\"/subscriptions/cfd132be-3bc7-4f86-8efd-ed53ae498fec/resourcegroups/test-selfmanaged-eastus\",\"status\":\"Active\",\"subscriptionExternalId\":\"998231069301\",\"subscriptionName\":\"demo-integrations\",\"subscriptionTags\":{},\"tags\":{\"kubernetes.io/bootstrapping\":\"rbac-defaults\",\"rbac.authorization.k8s.io/aggregate-to-edit\":\"true\"},\"type\":\"ACCESS_ROLE\"},\"id\":\"ggf9cggd-64a7-412c-9445-cf837f4b0b10\",\"notes\":[{\"createdAt\":\"2023-08-21T07:56:09.903743Z\",\"serviceAccount\":{\"name\":\"rev-ke\"},\"text\":\"updated\",\"updatedAt\":\"2023-09-09T23:10:22.588721Z\"},{\"createdAt\":\"2023-08-07T23:08:49.918941Z\",\"serviceAccount\":{\"name\":\"rev-ke2\"},\"text\":\"updated\",\"updatedAt\":\"2023-08-09T23:10:22.591487Z\"}],\"projects\":[{\"businessUnit\":\"\",\"id\":\"jf77n35n-a7b6-5762-8a53-8e8f59e68bd8\",\"name\":\"Project 2\",\"riskProfile\":{\"businessImpact\":\"MBI\"},\"slug\":\"project-2\"},{\"businessUnit\":\"Dev\",\"id\":\"af52828c-4eb1-5c4e-847c-ebc3a5ead531\",\"name\":\"project 
4\",\"riskProfile\":{\"businessImpact\":\"MBI\"},\"slug\":\"project-4\"},{\"businessUnit\":\"Dev\",\"id\":\"d5h1545-aec0-52fc-80ab-bacd7b02f178\",\"name\":\"Project1\",\"riskProfile\":{\"businessImpact\":\"MBI\"},\"slug\":\"project1\"}],\"resolvedAt\":\"2023-08-09T23:10:22.588721Z\",\"serviceTickets\":[{\"externalId\":\"638361121bbfdd10f6c1cbf3604bcb7e\",\"name\":\"SIR0010002\",\"url\":\"https://ven05658.testing.com/nav_to.do?uri=%2Fsn_si_incident.do%3Fsys_id%3D6385248sdsae421\"}],\"severity\":\"INFORMATIONAL\",\"sourceRule\":{\"__typename\":\"Control\",\"controlDescription\":\"These EKS principals assume roles that provide bind, escalate and impersonate permissions. \\n\\nThe `bind` permission allows users to create bindings to roles with rights they do not already have. The `escalate` permission allows users effectively escalate their privileges. The `impersonate` permission allows users to impersonate and gain the rights of other users in the cluster. Running containers with these permissions has the potential to effectively allow privilege escalation to the cluster-admin level.\",\"id\":\"wc-id-1335\",\"name\":\"EKS principals assume roles that provide bind, escalate and impersonate permissions\",\"resolutionRecommendation\":\"To follow the principle of least privilege and minimize the risk of unauthorized access and data breaches, it is recommended not to grant `bind`, `escalate` or `impersonate` permissions.\",\"securitySubCategories\":[{\"category\":{\"framework\":{\"name\":\"CIS EKS 1.2.0\"},\"name\":\"4.1 RBAC and Service Accounts\"},\"title\":\"4.1.8 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster - Level 1 (Manual)\"},{\"category\":{\"framework\":{\"name\":\"Wiz for Risk Assessment\"},\"name\":\"Identity Management\"},\"title\":\"Privileged principal\"},{\"category\":{\"framework\":{\"name\":\"Wiz\"},\"name\":\"9 Container Security\"},\"title\":\"Container Security\"},{\"category\":{\"framework\":{\"name\":\"Wiz for 
Risk Assessment\"},\"name\":\"Container \\u0026 Kubernetes Security\"},\"title\":\"Cluster misconfiguration\"}]},\"status\":\"IN_PROGRESS\",\"statusChangedAt\":\"2023-07-21T06:26:08.708199Z\",\"updatedAt\":\"2023-08-14T06:06:18.331647Z\"}", "type": [ "info" - ] + ], + "url": "https://app.wiz.io/issues#~(filters~(status~())~issue~'ggf9cggd-64a7-412c-9445-cf837f4b0b10)" }, "input": { "type": "cel" @@ -561,15 +1043,15 @@ An example event for `issue` looks as following: }, "wiz": { "issue": { - "created_at": "2023-08-23T07:56:09.903Z", - "due_at": "2023-08-30T21:00:00.000Z", + "created_at": "2023-08-21T07:56:09.903Z", + "due_at": "2023-08-28T21:00:00.000Z", "entity_snapshot": { "cloud": { "platform": "Kubernetes", "provider_url": "https://portal.az.com/#@sectest.on.com/resource//subscriptions/" }, "external_id": "k8s/clusterrole/aaa8e7ca2bf9bc85a75d5bbdd8ffd08d69f8852782a6341c3c3519sad45/system:aggregate-to-edit/12", - "id": "e507d472-b7da-5f05-9b25-72a271336b14", + "id": "f307d472-b7da-5t05-9b25-71a271336b14", "name": "system:aggregate-to-edit", "native_type": "ClusterRole", "provider_id": "k8s/clusterrole/aaa8e7ca2bf9bc85a75d5bbdd8ffd08d69f8852782a6341c3c3519bac0f24ae9/system:aggregate-to-edit/12", @@ -586,18 +1068,18 @@ An example event for `issue` looks as following: }, "type": "ACCESS_ROLE" }, - "id": "fff9cffd-64a7-412c-9535-cf837f4b0b40", + "id": "ggf9cggd-64a7-412c-9445-cf837f4b0b10", "notes": [ { - "created_at": "2023-08-23T07:56:09.903Z", + "created_at": "2023-08-21T07:56:09.903Z", "service_account": { "name": "rev-ke" }, "text": "updated", - "updated_at": "2023-08-09T23:10:22.588Z" + "updated_at": "2023-09-09T23:10:22.588Z" }, { - "created_at": "2023-08-09T23:08:49.918Z", + "created_at": "2023-08-07T23:08:49.918Z", "service_account": { "name": "rev-ke2" }, 
@@ -607,7 +1089,7 @@ An example event for `issue` looks as following: ], "projects": [ { - "id": "83b76efe-a7b6-5762-8a53-8e8f59e68bd8", + "id": "jf77n35n-a7b6-5762-8a53-8e8f59e68bd8", "name": "Project 2", "risk_profile": { "business_impact": "MBI" @@ -625,7 +1107,7 @@ An example event for `issue` looks as following: }, { "business_unit": "Dev", - "id": "d6ac50bb-aec0-52fc-80ab-bacd7b02f178", + "id": "d5h1545-aec0-52fc-80ab-bacd7b02f178", "name": "Project1", "risk_profile": { "business_impact": "MBI" @@ -681,14 +1163,14 @@ An example event for `issue` looks as following: "framework": { "name": "Wiz for Risk Assessment" }, - "name": "Container \u0026 Kubernetes Security" + "name": "Container & Kubernetes Security" }, "title": "Cluster misconfiguration" } ] }, "status": { - "changed_at": "2023-07-31T06:26:08.708Z", + "changed_at": "2023-07-21T06:26:08.708Z", "value": "IN_PROGRESS" }, "updated_at": "2023-08-14T06:06:18.331Z" @@ -770,11 +1252,11 @@ An example event for `vulnerability` looks as following: { "@timestamp": "2023-08-16T18:40:57.000Z", "agent": { - "ephemeral_id": "19d5ed25-e2f4-49cb-852c-a5f8f9ee00a9", - "id": "45e59d63-f461-4f3a-9aae-587e6b33e84a", - "name": "elastic-agent-94391", + "ephemeral_id": "4c555afd-d62f-4893-8145-235a7a2aa42e", + "id": "c3610579-6628-4346-bac5-22eb264323cb", + "name": "elastic-agent-39585", "type": "filebeat", - "version": "8.17.0" + "version": "8.18.0" }, "cloud": { "account": { @@ -785,7 +1267,7 @@ An example event for `vulnerability` looks as following: }, "data_stream": { "dataset": "wiz.vulnerability", - "namespace": "85547", + "namespace": "50935", "type": "logs" }, "device": { @@ -795,9 +1277,9 @@ An example event for `vulnerability` looks as following: "version": "8.11.0" }, "elastic_agent": { - "id": "45e59d63-f461-4f3a-9aae-587e6b33e84a", - "snapshot": false, - "version": "8.17.0" + "id": "c3610579-6628-4346-bac5-22eb264323cb", + "snapshot": true, + "version": "8.18.0" }, "event": { "agent_id_status": "verified", 
@@ -806,7 +1288,7 @@ An example event for `vulnerability` looks as following: ], "dataset": "wiz.vulnerability", "id": "5e95ff50-5490-514e-87f7-11e56f3230ff", - "ingested": "2025-03-20T17:51:16Z", + "ingested": "2025-04-22T10:01:05Z", "kind": "alert", "original": "{\"CVEDescription\":\"In LibTIFF, there is a memory malloc failure in tif_pixarlog.c. A crafted TIFF document can lead to an abort, resulting in a remote denial of service attack.\",\"CVSSSeverity\":\"MEDIUM\",\"dataSourceName\":\"data Source\",\"description\":\"Thepackage`libtiff`version`4.0.3-35.amzn2`wasdetectedin`YUMpackagemanager`onamachinerunning`Amazon2(Karoo)`isvulnerableto`CVE-2020-35522`,whichexistsinversions`\\u003c4.0.3-35.amzn2.0.1`.\\n\\nThevulnerabilitywasfoundinthe[OfficialAmazonLinuxSecurityAdvisories](https://alas.aws.amazon.com/AL2/ALAS-2022-1780.html)withvendorseverity:`Medium`([NVD](https://nvd.nist.gov/vuln/detail/CVE-2020-35522)severity:`Medium`).\\n\\nThevulnerabilitycanberemediatedbyupdatingthepackagetoversion`4.0.3-35.amzn2.0.1`orhigher,using`yumupdatelibtiff`.\",\"detailedName\":\"libtiff\",\"detectionMethod\":\"PACKAGE\",\"epssPercentile\":46.2,\"epssProbability\":0.1,\"epssSeverity\":\"LOW\",\"exploitabilityScore\":1.8,\"firstDetectedAt\":\"2022-05-01T11:36:10.063767Z\",\"fixedVersion\":\"4.0.3-35.amzn2.0.1\",\"hasCisaKevExploit\":false,\"hasExploit\":false,\"id\":\"5e95ff50-5490-514e-87f7-11e56f3230ff\",\"ignoreRules\":{\"enabled\":true,\"expiredAt\":\"2023-08-16T18:40:57Z\",\"id\":\"aj3jqtvnaf\",\"name\":\"abc\"},\"impactScore\":3.6,\"lastDetectedAt\":\"2023-08-16T18:40:57Z\",\"layerMetadata\":{\"details\":\"xxxx\",\"id\":\"5e95ff50-5490-514e-87f7-11e56f3230ff\",\"isBaseLayer\":true},\"link\":\"https://alas.aws.amazon.com/AL2/ALAS-2022-1780.html\",\"locationPath\":\"package/library/file\",\"name\":\"CVE-2020-3333\",\"portalUrl\":\"https://app.wiz.io/explorer/vulnerability-findings#~(entity~(~'xxx-xxx*2cSECURITY_TOOL_FINDING))\",\"projects\":[{\"businessUnit\":\"\",\"id\":\"83
b76efe-a7b6-5762-8a53-8e8f59e68bd8\",\"name\":\"Project2\",\"riskProfile\":{\"businessImpact\":\"MBI\"},\"slug\":\"project-2\"},{\"businessUnit\":\"Dev\",\"id\":\"af52828c-4eb1-5c4e-847c-ebc3a5ead531\",\"name\":\"project4\",\"riskProfile\":{\"businessImpact\":\"MBI\"},\"slug\":\"project-4\"},{\"businessUnit\":\"Dev\",\"id\":\"d6ac50bb-aec0-52fc-80ab-bacd7b02f178\",\"name\":\"Project1\",\"riskProfile\":{\"businessImpact\":\"MBI\"},\"slug\":\"project1\"}],\"remediation\":\"yumupdatelibtiff\",\"resolutionReason\":\"resolutionReason\",\"resolvedAt\":\"2023-08-16T18:40:57Z\",\"score\":5.5,\"status\":\"OPEN\",\"validatedInRuntime\":true,\"vendorSeverity\":\"MEDIUM\",\"version\":\"4.0.3-35.amzn2\",\"vulnerableAsset\":{\"cloudPlatform\":\"AWS\",\"cloudProviderURL\":\"https://us-east-1.console.aws.amazon.com/ec2/v2/home?region=us-east-1#InstanceDetails:instanceId=i-0a0f7e1451da5f4a3\",\"hasLimitedInternetExposure\":true,\"hasWideInternetExposure\":true,\"id\":\"c828de0d-4c42-5b1c-946b-2edee094d0b3\",\"ipAddresses\":[\"89.160.20.112\",\"89.160.20.128\"],\"isAccessibleFromOtherSubscriptions\":false,\"isAccessibleFromOtherVnets\":false,\"isAccessibleFromVPN\":false,\"name\":\"test-4\",\"operatingSystem\":\"Linux\",\"providerUniqueId\":\"arn:aws:ec2:us-east-1:998231069301:instance/i-0a0f7e1451da5f4a3\",\"region\":\"us-east-1\",\"status\":\"Active\",\"subscriptionExternalId\":\"998231069301\",\"subscriptionId\":\"94e76baa-85fd-5928-b829-1669a2ca9660\",\"subscriptionName\":\"wiz-integrations\",\"tags\":{\"Name\":\"test-4\"},\"type\":\"VIRTUAL_MACHINE\"}}", "type": [ diff --git a/packages/wiz/img/wiz-defend-dashboard.png b/packages/wiz/img/wiz-defend-dashboard.png new file mode 100644 index 00000000000..7c1e8bad7e7 Binary files /dev/null and b/packages/wiz/img/wiz-defend-dashboard.png differ 
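Review bot: several field descriptions in the new `wiz.defend` table are circular or misleading and should be reworded before this ships in the README. `wiz.defend.timeframe.start` / `wiz.defend.timeframe.end` read "Start timeframe for detection frametime." / "End timeframe for detection frametime."; "frametime" is not a term, suggest "Start of the time window covered by the detection." and "End of the time window covered by the detection.". `wiz.defend.triggering_event.actor_ip_meta.autonomous_system_number` is described as "ASN number." (the N already stands for number); "Autonomous system number of the actor IP." is clearer. `wiz.defend.triggering_event.actor_ip_meta.is_foreign` says "Whether IP is from foreign source." without saying foreign relative to what; an analyst filtering on `is_foreign: true` needs to know what baseline Wiz compares against, so state it. Finally, `wiz.defend.triggering_event.runtime_details.process_tree.hash` is documented as "Executable SHA1 hash."; if the pipeline also copies it to an ECS `process.hash.*` field, mention that here so readers know which field to pivot on.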
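Review bot: the regenerated `issue` sample replaces the original UUIDs with strings that are not valid UUIDs: `"id": "ggf9cggd-64a7-412c-9445-cf837f4b0b10"` (also used in `event.id` and the new `event.url`), `"id": "f307d472-b7da-5t05-9b25-71a271336b14"`, `"jf77n35n-a7b6-5762-8a53-8e8f59e68bd8"` and `"d5h1545-aec0-52fc-80ab-bacd7b02f178"` (non-hex characters, and the last one has a seven-character first group). These are keyword fields so ingestion will not fail, but the sample is what readers copy into filters and what future tests will diff against, so use anonymised but well-formed UUIDs. The edit also makes the sample's timeline contradictory: `createdAt` is 2023-08-21 while `resolvedAt` (2023-08-09), `statusChangedAt` (2023-07-21) and `notes[1].createdAt` (2023-08-07) all precede creation, and the first note's `updatedAt` moved to 2023-09-09, after the issue's own `updatedAt` of 2023-08-14. Part of this predates the change, but since the fixture is being rewritten anyway, make the dates monotonic. The `event.url` built from the issue id is a useful addition and looks correct.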
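Review bot: the `vulnerability` hunks only refresh agent metadata and `event.ingested`, but the unchanged `event.original` in this sample still carries two defects that are worth fixing in the same regeneration pass: the description text has all of its spaces stripped (`Thepackage`libtiff`version`4.0.3-35.amzn2`wasdetectedin`YUMpackagemanager`...`), and `"name":"CVE-2020-3333"` does not match the CVE the description, the NVD link and the ALAS advisory refer to (`CVE-2020-35522`). Neither is introduced by this change, but a sample whose `vulnerability.id` disagrees with its own description will confuse anyone using it to test enrichment or dedup.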
diff --git a/packages/wiz/kibana/dashboard/wiz-3c3519be-f4f9-4c67-a9d8-1db4182b6e6a.json b/packages/wiz/kibana/dashboard/wiz-3c3519be-f4f9-4c67-a9d8-1db4182b6e6a.json new file mode 100644 index 00000000000..fc0d8397a8a --- /dev/null +++ b/packages/wiz/kibana/dashboard/wiz-3c3519be-f4f9-4c67-a9d8-1db4182b6e6a.json 
@@ -0,0 +1,2919 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": { + "ignoreFilters": false, + "ignoreQuery": false, + "ignoreTimerange": false, + "ignoreValidations": false + }, + "panelsJSON": { + "8e5f0dbe-44b1-4df2-867c-74e248c27f38": { + "explicitInput": { + "dataViewId": "logs-*", + "exclude": true, + "fieldName": "event.action", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Trigger Type" + }, + "grow": true, + "order": 1, + "type": "optionsListControl", + "width": "medium" + }, + "ae2b0313-95e1-4ecc-8ddf-04549f7871ba": { + "explicitInput": { + "dataViewId": "logs-*", + "exclude": false, + "existsSelected": false, + "fieldName": "wiz.defend.severity", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Severity" + }, + "grow": true, + "order": 0, + "type": "optionsListControl", + "width": "medium" + }, + "c4086230-8937-4b90-8e90-6c94e34b48b8": { + "explicitInput": { + "dataViewId": "logs-*", + "exclude": false, + "existsSelected": false, + "fieldName": "event.provider", + "searchTechnique": "prefix", + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Source" + }, + "grow": true, + "order": 2, + "type": "optionsListControl", + "width": "medium" + } + }, + "showApplySelections": false + }, + "description": "This dashboard shows Detection Logs collected by the Wiz Defend integration.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "wiz.defend" + }, + "type": "phrase" + }, + "query": { + 
"match_phrase": { + "data_stream.dataset": "wiz.defend" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-d5419375-833b-4eeb-8119-6950d64230d9", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "d5419375-833b-4eeb-8119-6950d64230d9": { + "columnOrder": [ + "ae333c2a-5a00-4008-89a6-969caf914e83", + "c6d798c8-accb-4ae1-975b-652a8eed2d07" + ], + "columns": { + "ae333c2a-5a00-4008-89a6-969caf914e83": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Trigger Rule Names", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "c6d798c8-accb-4ae1-975b-652a8eed2d07", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "rule.name" + }, + "c6d798c8-accb-4ae1-975b-652a8eed2d07": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "wiz.defend.id" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": 
"logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "alignment": "center", + "columnId": "c6d798c8-accb-4ae1-975b-652a8eed2d07", + "isMetric": true, + "isTransposed": false + }, + { + "alignment": "center", + "columnId": "ae333c2a-5a00-4008-89a6-969caf914e83", + "isMetric": false, + "isTransposed": false + } + ], + "layerId": "d5419375-833b-4eeb-8119-6950d64230d9", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "dc2bc10a-8f52-4242-81b2-515c18ad2ccc", + "w": 24, + "x": 24, + "y": 123 + }, + "panelIndex": "dc2bc10a-8f52-4242-81b2-515c18ad2ccc", + "title": "Top 10 Trigger Rules with Highest Detections [Logs Wiz]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-f3c8e76c-8dbe-44bf-a4c0-1953cf2dffde", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "f3c8e76c-8dbe-44bf-a4c0-1953cf2dffde": { + "columnOrder": [ + "8f6d58e5-7ebc-44f8-a34e-af340ae9beaa", + "601214c5-35bf-44dd-8d1f-2e8a0334ee44" + ], + "columns": { + "601214c5-35bf-44dd-8d1f-2e8a0334ee44": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": true, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "event.id" + }, + "8f6d58e5-7ebc-44f8-a34e-af340ae9beaa": { + "customLabel": true, + "dataType": "string", 
+ "isBucketed": true, + "label": "Commands", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "601214c5-35bf-44dd-8d1f-2e8a0334ee44", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "wiz.defend.triggering_event.runtime_details.process_tree.command" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "alignment": "center", + "columnId": "8f6d58e5-7ebc-44f8-a34e-af340ae9beaa", + "isMetric": false, + "isTransposed": false + }, + { + "alignment": "center", + "columnId": "601214c5-35bf-44dd-8d1f-2e8a0334ee44", + "isMetric": true, + "isTransposed": false + } + ], + "layerId": "f3c8e76c-8dbe-44bf-a4c0-1953cf2dffde", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "2d6af0b4-36e2-46ad-b5a8-ceacef6219cb", + "w": 24, + "x": 0, + "y": 123 + }, + "panelIndex": "2d6af0b4-36e2-46ad-b5a8-ceacef6219cb", + "title": "Top 10 Common Malicious Commands", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": 
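Review bot: in `controlGroupInput.panelsJSON` the "Trigger Type" options-list control (`8e5f0dbe-44b1-4df2-867c-74e248c27f38`, `fieldName: "event.action"`) is defined with `"exclude": true`, while the "Severity" and "Source" controls use `"exclude": false`. With exclude set, any value an analyst picks is applied as a NOT filter, so choosing a trigger type hides exactly those detections; unless that is intended, set it to `false`, and for parity give all three controls the same keys (this one lacks `existsSelected`, the "Source" control lacks `selectedOptions`). Second, the "Top 10 Common Malicious Commands" panel computes `unique_count` over `event.id` with `"emptyAsNull": true`, whereas the other panels count `wiz.defend.id` with `"emptyAsNull": false`; unless `event.id` is guaranteed to be set on every `wiz.defend` document, totals across panels will not agree, so use `wiz.defend.id` here too. That panel's title also drops the `[Logs Wiz]` suffix the other panels carry, and "Malicious" overstates what the field holds: `process_tree.command` is the command line of the process in the triggering event, which Wiz flagged but nothing in this dashboard has verified; "Top 10 Commands in Detections [Logs Wiz]" is more accurate.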
"indexpattern-datasource-layer-d2b4912e-3ced-49ac-aa99-2969720e2f1f", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "d2b4912e-3ced-49ac-aa99-2969720e2f1f": { + "columnOrder": [ + "68141a00-8b12-4f48-810a-1ff8b3eeabf7", + "cd2fa083-75b3-49a8-a3bc-2f59146d8fa6", + "484781b7-7d30-4ad1-8b17-8e8e6abf9e40" + ], + "columns": { + "484781b7-7d30-4ad1-8b17-8e8e6abf9e40": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "wiz.defend.id" + }, + "68141a00-8b12-4f48-810a-1ff8b3eeabf7": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Container Name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "484781b7-7d30-4ad1-8b17-8e8e6abf9e40", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "wiz.defend.triggering_event.runtime_details.process_tree.container.name" + }, + "cd2fa083-75b3-49a8-a3bc-2f59146d8fa6": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Container ID", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "484781b7-7d30-4ad1-8b17-8e8e6abf9e40", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": 
"wiz.defend.triggering_event.runtime_details.process_tree.container.id" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "alignment": "center", + "columnId": "68141a00-8b12-4f48-810a-1ff8b3eeabf7", + "isMetric": false, + "isTransposed": false + }, + { + "alignment": "center", + "columnId": "484781b7-7d30-4ad1-8b17-8e8e6abf9e40", + "isMetric": true, + "isTransposed": false + }, + { + "alignment": "center", + "columnId": "cd2fa083-75b3-49a8-a3bc-2f59146d8fa6", + "isMetric": false, + "isTransposed": false + } + ], + "layerId": "d2b4912e-3ced-49ac-aa99-2969720e2f1f", + "layerType": "data", + "rowHeight": "auto", + "rowHeightLines": -1 + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "427510cc-fc9e-4691-9fac-4d5a3e377700", + "w": 24, + "x": 0, + "y": 108 + }, + "panelIndex": "427510cc-fc9e-4691-9fac-4d5a3e377700", + "title": "Top 10 Containers with Highest Detections [Logs Wiz]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-76037f8d-37f5-405c-9974-6afefd777737", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + 
"76037f8d-37f5-405c-9974-6afefd777737": { + "columnOrder": [ + "c645c311-34c1-415f-b5cf-2db750c4d709", + "226bbb04-3506-47e0-89e0-c4467ec25bef" + ], + "columns": { + "226bbb04-3506-47e0-89e0-c4467ec25bef": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "wiz.defend.id" + }, + "c645c311-34c1-415f-b5cf-2db750c4d709": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Resource Types", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "226bbb04-3506-47e0-89e0-c4467ec25bef", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "wiz.defend.triggering_event.resources.type" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "alignment": "center", + "columnId": "c645c311-34c1-415f-b5cf-2db750c4d709", + "isMetric": false, + "isTransposed": false + }, + { + "alignment": "center", + "columnId": "226bbb04-3506-47e0-89e0-c4467ec25bef", + "isMetric": true, + "isTransposed": false + } + ], + "layerId": "76037f8d-37f5-405c-9974-6afefd777737", + "layerType": "data", + "rowHeight": "auto", + "rowHeightLines": -1 + } + }, + "title": "", + "type": 
"lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "dc38a316-4a46-4c12-81d2-e78c90d1ceed", + "w": 24, + "x": 24, + "y": 108 + }, + "panelIndex": "dc38a316-4a46-4c12-81d2-e78c90d1ceed", + "title": "Top 10 Resource Types with Highest Detections [Logs Wiz]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-c1458332-407f-40dc-85ca-3c69a75f6153", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "c1458332-407f-40dc-85ca-3c69a75f6153": { + "columnOrder": [ + "b7f34afc-6ea7-4604-902a-5dbf3e5a7f4e", + "3f0dc38a-9424-4a96-8ac2-fd9de5aad734", + "466b3487-b5e1-461d-8b18-2d274ae72d05" + ], + "columns": { + "3f0dc38a-9424-4a96-8ac2-fd9de5aad734": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Threat URL", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "466b3487-b5e1-461d-8b18-2d274ae72d05", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "threat.indicator.reference" + }, + "466b3487-b5e1-461d-8b18-2d274ae72d05": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "wiz.defend.id" + }, + 
"b7f34afc-6ea7-4604-902a-5dbf3e5a7f4e": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Threat ID", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "466b3487-b5e1-461d-8b18-2d274ae72d05", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "threat.indicator.id" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "alignment": "center", + "columnId": "b7f34afc-6ea7-4604-902a-5dbf3e5a7f4e", + "isMetric": false, + "isTransposed": false + }, + { + "alignment": "center", + "columnId": "3f0dc38a-9424-4a96-8ac2-fd9de5aad734", + "isMetric": false, + "isTransposed": false + }, + { + "alignment": "center", + "columnId": "466b3487-b5e1-461d-8b18-2d274ae72d05", + "isMetric": true, + "isTransposed": false + } + ], + "headerRowHeight": "custom", + "headerRowHeightLines": 3, + "layerId": "c1458332-407f-40dc-85ca-3c69a75f6153", + "layerType": "data", + "rowHeight": "auto", + "rowHeightLines": -1 + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "ee5926f1-4f4c-4ff2-beb0-afa71c199d44", + 
"w": 24, + "x": 0, + "y": 138 + }, + "panelIndex": "ee5926f1-4f4c-4ff2-beb0-afa71c199d44", + "title": "Top 10 Detected Threats [Logs Wiz]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-5d7b131e-a2dc-453a-897a-c384a62a3fc6", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "5d7b131e-a2dc-453a-897a-c384a62a3fc6": { + "columnOrder": [ + "06e6d10f-51b4-458b-b70b-ace175849baf", + "9663e831-b7ed-474f-b699-34b54039c383", + "052b1acc-59b8-43f9-b9f6-d627732628a9" + ], + "columns": { + "052b1acc-59b8-43f9-b9f6-d627732628a9": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "event.id" + }, + "06e6d10f-51b4-458b-b70b-ace175849baf": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "Triggering Event Time", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "9663e831-b7ed-474f-b699-34b54039c383": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Triggering Event Source", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "052b1acc-59b8-43f9-b9f6-d627732628a9", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 20 + }, + "scale": "ordinal", + "sourceField": "event.provider" + } + }, + "ignoreGlobalFilters": 
false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "alignment": "center", + "columnId": "052b1acc-59b8-43f9-b9f6-d627732628a9", + "isMetric": true, + "isTransposed": false + }, + { + "alignment": "center", + "columnId": "06e6d10f-51b4-458b-b70b-ace175849baf", + "isMetric": false, + "isTransposed": false + }, + { + "alignment": "center", + "columnId": "9663e831-b7ed-474f-b699-34b54039c383", + "isMetric": false, + "isTransposed": false + } + ], + "layerId": "5d7b131e-a2dc-453a-897a-c384a62a3fc6", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "77df9a6b-af9e-412f-a916-fc83bd7c3194", + "w": 24, + "x": 24, + "y": 138 + }, + "panelIndex": "77df9a6b-af9e-412f-a916-fc83bd7c3194", + "title": "Detection Triggering Event Details [Logs Wiz]", + "type": "lens" + }, + { + "embeddableConfig": { + "description": "", + "enhancements": { + "dynamicActions": { + "events": [] + } + } + }, + "gridData": { + "h": 14, + "i": "bb78eccf-6271-4494-a767-bb65bf1cbdc0", + "w": 48, + "x": 0, + "y": 153 + }, + "panelIndex": "bb78eccf-6271-4494-a767-bb65bf1cbdc0", + "panelRefName": "panel_bb78eccf-6271-4494-a767-bb65bf1cbdc0", + "title": "Detection Essential Details [Logs Wiz]", + "type": "search" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": 
"indexpattern-datasource-layer-53610d78-e92c-427d-bfcf-374a2135f8e3", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "53610d78-e92c-427d-bfcf-374a2135f8e3": { + "columnOrder": [ + "2a335dea-e98d-4537-9d8b-5b305747306d", + "bcf37841-f643-449b-8367-7d53656c7da1" + ], + "columns": { + "2a335dea-e98d-4537-9d8b-5b305747306d": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "Detection Timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "wiz.defend.created_at" + }, + "bcf37841-f643-449b-8367-7d53656c7da1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "wiz.defend.id" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "Linear", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "bcf37841-f643-449b-8367-7d53656c7da1" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": 
"eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "53610d78-e92c-427d-bfcf-374a2135f8e3", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "2a335dea-e98d-4537-9d8b-5b305747306d" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 15, + "i": "cc20569b-60f2-4fc0-93cc-1152902c76a0", + "w": 40, + "x": 8, + "y": 0 + }, + "panelIndex": "cc20569b-60f2-4fc0-93cc-1152902c76a0", + "title": "Detections over Time [Logs Wiz]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-65bbc691-ab9f-40f0-8258-66f28c54eeff", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "65bbc691-ab9f-40f0-8258-66f28c54eeff": { + "columnOrder": [ + "08ae64da-5722-4701-b325-0d76a2e0d46b", + "09e064d7-68b4-4ee8-92b8-f71499245cd1" + ], + "columns": { + "08ae64da-5722-4701-b325-0d76a2e0d46b": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "MITRE Tactic", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "09e064d7-68b4-4ee8-92b8-f71499245cd1", + "type": "column" + }, + "orderDirection": 
"desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "threat.tactic.id" + }, + "09e064d7-68b4-4ee8-92b8-f71499245cd1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "wiz.defend.id" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "Linear", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "09e064d7-68b4-4ee8-92b8-f71499245cd1" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "65bbc691-ab9f-40f0-8258-66f28c54eeff", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal_stacked", + "showGridlines": false, + "xAccessor": "08ae64da-5722-4701-b325-0d76a2e0d46b" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": 
[], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 10, + "i": "1a0212e1-6df2-4187-8bb0-029f04f196d1", + "w": 20, + "x": 28, + "y": 15 + }, + "panelIndex": "1a0212e1-6df2-4187-8bb0-029f04f196d1", + "title": "Detections by MITRE Tactic [Logs Wiz]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-f9a84bcb-a0e2-40a5-82d0-f8bd1fb49e4c", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "f9a84bcb-a0e2-40a5-82d0-f8bd1fb49e4c": { + "columnOrder": [ + "d4e3a535-a7cf-48ca-b284-ad56d5794f16", + "a6cebce0-c3fb-457b-832b-a0356ad54c2a" + ], + "columns": { + "a6cebce0-c3fb-457b-832b-a0356ad54c2a": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "wiz.defend.id" + }, + "d4e3a535-a7cf-48ca-b284-ad56d5794f16": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "MITRE Techniques", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "a6cebce0-c3fb-457b-832b-a0356ad54c2a", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "threat.technique.id" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": 
"logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "Linear", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "a6cebce0-c3fb-457b-832b-a0356ad54c2a" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "f9a84bcb-a0e2-40a5-82d0-f8bd1fb49e4c", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal_stacked", + "showGridlines": false, + "xAccessor": "d4e3a535-a7cf-48ca-b284-ad56d5794f16" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false, + "showSingleSeries": false + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 10, + "i": "69a3edc2-dc12-454a-af9f-8eb3fbfb191e", + "w": 20, + "x": 8, + "y": 15 + }, + "panelIndex": "69a3edc2-dc12-454a-af9f-8eb3fbfb191e", + "title": "Detections by MITRE Techniques [Logs Wiz]", + "type": "lens" + }, + { + "embeddableConfig": { + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "savedVis": { + "data": { + "aggs": [], 
+ "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "**Navigation**\n\n**Wiz**\n\nWiz Defend\n\n[Wiz Cloud Configuration Finding](#/dashboard/wiz-726802c0-4007-48b9-bae5-09daa69d4368)\n\n[Wiz Vulnerability](#/dashboard/wiz-927c36f0-6358-11ee-a265-c3569aa0cebf)\n\n[Wiz Issue](#/dashboard/wiz-d8f91a20-6363-11ee-a265-c3569aa0cebf)\n\n[Wiz Audit](#/dashboard/wiz-be3fd3f0-6358-11ee-9db4-21f79f2e6273)\n\n**Overview**\n\nThis dashboard provides visibility into detection events, enabling effective threat monitoring across cloud and container environments. It features a Control Panel for filtering by severity and trigger type, and includes visualizations such as detections over time, top cloud accounts, containers, and resource types with highest detections. It highlights trends by MITRE tactics and techniques, actor types, and trigger types through pie and bar charts, while a geographic map displays actor IP distribution. 
A table details triggering events, and additional tables showcase top threats, rules, and common malicious commands, supporting deeper investigation and response.\n\n[**Integrations Page**](/app/integrations/detail/wiz/overview)", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 35, + "i": "ced2a470-d1c8-4d56-9f70-e8d3aa6d81c4", + "w": 8, + "x": 0, + "y": 0 + }, + "panelIndex": "ced2a470-d1c8-4d56-9f70-e8d3aa6d81c4", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-a7a27126-b5e1-48de-9cc0-c71a01b1a1e6", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "a7a27126-b5e1-48de-9cc0-c71a01b1a1e6": { + "columnOrder": [ + "6cfe7580-3c96-467d-95d9-a205dfe98731", + "c0c347fa-83ea-4150-8e00-e7abb037a687" + ], + "columns": { + "6cfe7580-3c96-467d-95d9-a205dfe98731": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Actor Type", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "c0c347fa-83ea-4150-8e00-e7abb037a687", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "wiz.defend.triggering_event.actor.type" + }, + "c0c347fa-83ea-4150-8e00-e7abb037a687": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "event.id" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + 
"sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "emptySizeRatio": 0, + "layerId": "a7a27126-b5e1-48de-9cc0-c71a01b1a1e6", + "layerType": "data", + "legendDisplay": "show", + "legendSize": "large", + "metrics": [ + "c0c347fa-83ea-4150-8e00-e7abb037a687" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "6cfe7580-3c96-467d-95d9-a205dfe98731" + ], + "truncateLegend": false + } + ], + "shape": "donut" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 18, + "i": "4ce47b03-10cc-4fe3-9de3-c239e5184334", + "w": 22, + "x": 26, + "y": 65 + }, + "panelIndex": "4ce47b03-10cc-4fe3-9de3-c239e5184334", + "title": "Detections by Actor Type [Logs Wiz]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-a954312a-b2e7-4160-8c32-42fdbaa7c639", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "a954312a-b2e7-4160-8c32-42fdbaa7c639": { + "columnOrder": [ + 
"cd325623-f160-42ec-92c2-029282ad3708", + "aac53614-9481-4184-a12b-ce05ec5924ce" + ], + "columns": { + "aac53614-9481-4184-a12b-ce05ec5924ce": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "event.id" + }, + "cd325623-f160-42ec-92c2-029282ad3708": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Detection Event Source", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "aac53614-9481-4184-a12b-ce05ec5924ce", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 5 + }, + "scale": "ordinal", + "sourceField": "event.provider" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "emptySizeRatio": 0, + "layerId": "a954312a-b2e7-4160-8c32-42fdbaa7c639", + "layerType": "data", + "legendDisplay": "show", + "legendSize": "xlarge", + "metrics": [ + "aac53614-9481-4184-a12b-ce05ec5924ce" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + 
"cd325623-f160-42ec-92c2-029282ad3708" + ], + "truncateLegend": false + } + ], + "shape": "donut" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 18, + "i": "d1455288-89ba-4146-b530-dda7f9663bbc", + "w": 26, + "x": 0, + "y": 47 + }, + "panelIndex": "d1455288-89ba-4146-b530-dda7f9663bbc", + "title": "Detection Source Distribution [Logs Wiz]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-9722040c-5b00-410c-a720-87bfb162c84a", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "9722040c-5b00-410c-a720-87bfb162c84a": { + "columnOrder": [ + "e22cefb5-f7de-422d-a95b-4a2f3f552eec", + "b9ce961a-78c3-4ee7-8296-ad5c67db3eb7" + ], + "columns": { + "b9ce961a-78c3-4ee7-8296-ad5c67db3eb7": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "wiz.defend.id" + }, + "e22cefb5-f7de-422d-a95b-4a2f3f552eec": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Triggering Types", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "b9ce961a-78c3-4ee7-8296-ad5c67db3eb7", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "event.action" + } + }, + "incompleteColumns": {}, + 
"indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "emptySizeRatio": 0, + "layerId": "9722040c-5b00-410c-a720-87bfb162c84a", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "b9ce961a-78c3-4ee7-8296-ad5c67db3eb7" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "e22cefb5-f7de-422d-a95b-4a2f3f552eec" + ], + "truncateLegend": false + } + ], + "shape": "donut" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 18, + "i": "ace8bb17-267f-4942-9748-17f9f10749e0", + "w": 22, + "x": 26, + "y": 47 + }, + "panelIndex": "ace8bb17-267f-4942-9748-17f9f10749e0", + "title": "Detections by Trigger Type [Logs Wiz]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-84a5677b-c5e3-4940-8c67-7576961e2f79", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "84a5677b-c5e3-4940-8c67-7576961e2f79": { + "columnOrder": 
[ + "53ccfb54-7eaa-49da-99b1-912239fea452", + "72f83e5b-995e-44a3-8165-cdbffbe48c55" + ], + "columns": { + "53ccfb54-7eaa-49da-99b1-912239fea452": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Severity", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "72f83e5b-995e-44a3-8165-cdbffbe48c55", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "wiz.defend.severity" + }, + "72f83e5b-995e-44a3-8165-cdbffbe48c55": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "wiz.defend.id" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "emptySizeRatio": 0, + "layerId": "84a5677b-c5e3-4940-8c67-7576961e2f79", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "72f83e5b-995e-44a3-8165-cdbffbe48c55" + ], + "nestedLegend": false, + "numberDisplay": "percent", + 
"primaryGroups": [ + "53ccfb54-7eaa-49da-99b1-912239fea452" + ], + "truncateLegend": false + } + ], + "shape": "donut" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 18, + "i": "9afe8b96-eb6a-44e6-97e7-15c766d26a1c", + "w": 26, + "x": 0, + "y": 65 + }, + "panelIndex": "9afe8b96-eb6a-44e6-97e7-15c766d26a1c", + "title": "Detections by Severity [Logs Wiz]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-2e38c3a3-9cb3-42f0-8264-5c0de2b7d151", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "2e38c3a3-9cb3-42f0-8264-5c0de2b7d151": { + "columnOrder": [ + "442a0743-a4e1-4ab0-893b-ee248d2a2bf2", + "acb81f97-78f9-4aaf-903c-06ac7d34cf99" + ], + "columns": { + "442a0743-a4e1-4ab0-893b-ee248d2a2bf2": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Affected Resource Types", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "acb81f97-78f9-4aaf-903c-06ac7d34cf99", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "wiz.defend.triggering_event.resources.type" + }, + "acb81f97-78f9-4aaf-903c-06ac7d34cf99": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + 
"decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "event.id" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "Linear", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "acb81f97-78f9-4aaf-903c-06ac7d34cf99" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "2e38c3a3-9cb3-42f0-8264-5c0de2b7d151", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal_stacked", + "showGridlines": false, + "xAccessor": "442a0743-a4e1-4ab0-893b-ee248d2a2bf2" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": true + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 10, + "i": "5249b0f0-30ea-472f-99e7-ebd31a239802", + "w": 40, + "x": 8, + "y": 25 + }, 
+ "panelIndex": "5249b0f0-30ea-472f-99e7-ebd31a239802", + "title": "Affected Resources by Type [Logs Wiz]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-6be8a450-9cac-43cb-a7e1-3b5b3f504af4", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "6be8a450-9cac-43cb-a7e1-3b5b3f504af4": { + "columnOrder": [ + "c462537a-e3f3-4542-9f21-c0cdb590f6ef", + "0f5de969-06b2-4d1a-9877-c174e448940a", + "d9b10eed-3ab7-4bda-b924-9406edf2306d" + ], + "columns": { + "0f5de969-06b2-4d1a-9877-c174e448940a": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Cloud Account ID", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "d9b10eed-3ab7-4bda-b924-9406edf2306d", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "wiz.defend.triggering_event.resources.cloud_account.id" + }, + "c462537a-e3f3-4542-9f21-c0cdb590f6ef": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Cloud Platform", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "d9b10eed-3ab7-4bda-b924-9406edf2306d", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "wiz.defend.triggering_event.resources.cloud_account.cloud_platform" + }, + "d9b10eed-3ab7-4bda-b924-9406edf2306d": { + "customLabel": true, + "dataType": "number", + "isBucketed": 
false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "wiz.defend.id" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "alignment": "center", + "columnId": "c462537a-e3f3-4542-9f21-c0cdb590f6ef", + "isMetric": false, + "isTransposed": false + }, + { + "alignment": "center", + "columnId": "d9b10eed-3ab7-4bda-b924-9406edf2306d", + "isMetric": true, + "isTransposed": false + }, + { + "alignment": "center", + "columnId": "0f5de969-06b2-4d1a-9877-c174e448940a", + "isMetric": false, + "isTransposed": false + } + ], + "headerRowHeight": "custom", + "headerRowHeightLines": 3, + "layerId": "6be8a450-9cac-43cb-a7e1-3b5b3f504af4", + "layerType": "data", + "rowHeight": "auto", + "rowHeightLines": -1 + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 12, + "i": "0246d4ce-3dda-4e9f-bc69-7122fc6aa518", + "w": 48, + "x": 0, + "y": 35 + }, + "panelIndex": "0246d4ce-3dda-4e9f-bc69-7122fc6aa518", + "title": "Top 10 Cloud Accounts with Highest Detections [Logs Wiz]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": 
"indexpattern-datasource-layer-f9c7cfa2-0061-466f-8909-040b89ecd361", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "f9c7cfa2-0061-466f-8909-040b89ecd361": { + "columnOrder": [ + "dff56fec-70cc-4d6d-8a79-5c2794322a5a", + "9e564606-3929-45ec-91ac-71dbacc739e3" + ], + "columns": { + "9e564606-3929-45ec-91ac-71dbacc739e3": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "event.id" + }, + "dff56fec-70cc-4d6d-8a79-5c2794322a5a": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Country ISO Code", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "9e564606-3929-45ec-91ac-71dbacc739e3", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 5 + }, + "scale": "ordinal", + "sourceField": "source.geo.country_iso_code" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layerId": "f9c7cfa2-0061-466f-8909-040b89ecd361", + "layerType": "data", + "regionAccessor": "dff56fec-70cc-4d6d-8a79-5c2794322a5a", + "valueAccessor": "9e564606-3929-45ec-91ac-71dbacc739e3" + } + }, + "title": "", + "type": "lens", + "visualizationType": 
"lnsChoropleth" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false + }, + "gridData": { + "h": 25, + "i": "8aa3eb20-a518-455e-aa8e-1fb39ba0e2e7", + "w": 48, + "x": 0, + "y": 83 + }, + "panelIndex": "8aa3eb20-a518-455e-aa8e-1fb39ba0e2e7", + "title": "Detections by Actor IP [Logs Wiz]", + "type": "lens" + } + ], + "timeRestore": false, + "title": "[Logs Wiz] Defend", + "version": 3 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2025-04-21T10:47:33.605Z", + "id": "wiz-3c3519be-f4f9-4c67-a9d8-1db4182b6e6a", + "managed": false, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "wiz-f71321c0-a641-4411-a33e-f39569c2c7be", + "name": "bb78eccf-6271-4494-a767-bb65bf1cbdc0:panel_bb78eccf-6271-4494-a767-bb65bf1cbdc0", + "type": "search" + }, + { + "id": "logs-*", + "name": "dc2bc10a-8f52-4242-81b2-515c18ad2ccc:indexpattern-datasource-layer-d5419375-833b-4eeb-8119-6950d64230d9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "2d6af0b4-36e2-46ad-b5a8-ceacef6219cb:indexpattern-datasource-layer-f3c8e76c-8dbe-44bf-a4c0-1953cf2dffde", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "427510cc-fc9e-4691-9fac-4d5a3e377700:indexpattern-datasource-layer-d2b4912e-3ced-49ac-aa99-2969720e2f1f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "dc38a316-4a46-4c12-81d2-e78c90d1ceed:indexpattern-datasource-layer-76037f8d-37f5-405c-9974-6afefd777737", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ee5926f1-4f4c-4ff2-beb0-afa71c199d44:indexpattern-datasource-layer-c1458332-407f-40dc-85ca-3c69a75f6153", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"77df9a6b-af9e-412f-a916-fc83bd7c3194:indexpattern-datasource-layer-5d7b131e-a2dc-453a-897a-c384a62a3fc6", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "cc20569b-60f2-4fc0-93cc-1152902c76a0:indexpattern-datasource-layer-53610d78-e92c-427d-bfcf-374a2135f8e3", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "1a0212e1-6df2-4187-8bb0-029f04f196d1:indexpattern-datasource-layer-65bbc691-ab9f-40f0-8258-66f28c54eeff", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "69a3edc2-dc12-454a-af9f-8eb3fbfb191e:indexpattern-datasource-layer-f9a84bcb-a0e2-40a5-82d0-f8bd1fb49e4c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4ce47b03-10cc-4fe3-9de3-c239e5184334:indexpattern-datasource-layer-a7a27126-b5e1-48de-9cc0-c71a01b1a1e6", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d1455288-89ba-4146-b530-dda7f9663bbc:indexpattern-datasource-layer-a954312a-b2e7-4160-8c32-42fdbaa7c639", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ace8bb17-267f-4942-9748-17f9f10749e0:indexpattern-datasource-layer-9722040c-5b00-410c-a720-87bfb162c84a", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9afe8b96-eb6a-44e6-97e7-15c766d26a1c:indexpattern-datasource-layer-84a5677b-c5e3-4940-8c67-7576961e2f79", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5249b0f0-30ea-472f-99e7-ebd31a239802:indexpattern-datasource-layer-2e38c3a3-9cb3-42f0-8264-5c0de2b7d151", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0246d4ce-3dda-4e9f-bc69-7122fc6aa518:indexpattern-datasource-layer-6be8a450-9cac-43cb-a7e1-3b5b3f504af4", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8aa3eb20-a518-455e-aa8e-1fb39ba0e2e7:indexpattern-datasource-layer-f9c7cfa2-0061-466f-8909-040b89ecd361", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_ae2b0313-95e1-4ecc-8ddf-04549f7871ba:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + 
"name": "controlGroup_8e5f0dbe-44b1-4df2-867c-74e248c27f38:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_c4086230-8937-4b90-8e90-6c94e34b48b8:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "dashboard", + "typeMigrationVersion": "10.2.0", + "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0" +} \ No newline at end of file diff --git a/packages/wiz/kibana/dashboard/wiz-726802c0-4007-48b9-bae5-09daa69d4368.json b/packages/wiz/kibana/dashboard/wiz-726802c0-4007-48b9-bae5-09daa69d4368.json index 3d93a40f417..d159ef944c6 100644 --- a/packages/wiz/kibana/dashboard/wiz-726802c0-4007-48b9-bae5-09daa69d4368.json +++ b/packages/wiz/kibana/dashboard/wiz-726802c0-4007-48b9-bae5-09daa69d4368.json 
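Review bot: the panels in this new Defend dashboard count detections inconsistently: "Detections by Severity" and "Top 10 Cloud Accounts with Highest Detections" use `unique_count` on `wiz.defend.id`, while "Affected Resources by Type" and "Detections by Actor IP" use `unique_count` on `event.id`; settle on one field so the totals agree across panels. "Detections by Actor IP" also aggregates an ECS field (`source.geo.country_iso_code`) with no panel-level scope (`"filters": []`, `"query": ""`) against `logs-*`, so it relies entirely on the dashboard-level filter referenced as `kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index` to keep other datasets' `source.geo` data out of the map; confirm that filter pins the Defend data stream, and retitle the panel to "by Country" since no IP is shown. Minor: the `filter[0].meta.index` reference is listed twice in `references`, and the "Top 10" table has two `terms` columns each sized 10 with `otherBucket: false`, so it can render up to 100 rows rather than 10.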
@@ -37,7 +37,7 @@ "id": "", "params": { "fontSize": 12, - "markdown": "Navigation\n\n[Wiz Cloud Configuration Finding (This page)](#/dashboard/wiz-726802c0-4007-48b9-bae5-09daa69d4368)\n\n[Wiz Vulnerability](#/dashboard/wiz-927c36f0-6358-11ee-a265-c3569aa0cebf)\n\n[Wiz Issue](#/dashboard/wiz-d8f91a20-6363-11ee-a265-c3569aa0cebf)\n\n[Wiz Audit](#/dashboard/wiz-be3fd3f0-6358-11ee-9db4-21f79f2e6273)\n\n[Integration Page](/app/integrations/detail/wiz/overview)\n\nOverview\n\nThis dashboard shows the Cloud Configuration Findings overview related to the Wiz Integration.\n\nThis dashboard provides general statistics and shows the detection of ingested cloud configuration findings.\n\nIt provides information about findings and assets. It also displays the distribution of findings according to evaluation results and contains details regarding the count of findings over time.", + "markdown": "Navigation\n\nWiz Cloud Configuration Finding\n\n[Wiz Vulnerability](#/dashboard/wiz-927c36f0-6358-11ee-a265-c3569aa0cebf)\n\n[Wiz Issue](#/dashboard/wiz-d8f91a20-6363-11ee-a265-c3569aa0cebf)\n\n[Wiz Defend](#/dashboard/wiz-3c3519be-f4f9-4c67-a9d8-1db4182b6e6a)\n\n[Wiz Audit](#/dashboard/wiz-be3fd3f0-6358-11ee-9db4-21f79f2e6273)\n\n[Integration Page](/app/integrations/detail/wiz/overview)\n\nOverview\n\nThis dashboard shows the Cloud Configuration Findings overview related to the Wiz Integration.\n\nThis dashboard provides general statistics and shows the detection of ingested cloud configuration findings.\n\nIt provides information about findings and assets. It also displays the distribution of findings according to evaluation results and contains details regarding the count of findings over time.", "openLinksInNewTab": false }, "title": "", diff --git a/packages/wiz/kibana/dashboard/wiz-927c36f0-6358-11ee-a265-c3569aa0cebf.json b/packages/wiz/kibana/dashboard/wiz-927c36f0-6358-11ee-a265-c3569aa0cebf.json index 641311b92fc..540b85f8756 100644 
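Review bot: the current page's entry is now plain text "Wiz Cloud Configuration Finding" with nothing marking it as the page the user is on, whereas the removed line said "(This page)"; keep that marker (as plain text, not a link) so the navigation block still tells the reader where they are. The link order also differs from dashboard to dashboard in this PR (Defend sits third here, second in Vulnerability, fifth in Audit, fourth in Issue); a fixed order across all five navigation blocks would make them easier to scan.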
--- a/packages/wiz/kibana/dashboard/wiz-927c36f0-6358-11ee-a265-c3569aa0cebf.json +++ b/packages/wiz/kibana/dashboard/wiz-927c36f0-6358-11ee-a265-c3569aa0cebf.json @@ -37,7 +37,7 @@ "id": "", "params": { "fontSize": 12, - "markdown": "Navigation\n\n[Wiz Vulnerability (This page)](#/dashboard/wiz-927c36f0-6358-11ee-a265-c3569aa0cebf)\n\n[Wiz Issue](#/dashboard/wiz-d8f91a20-6363-11ee-a265-c3569aa0cebf)\n\n[Wiz Audit](#/dashboard/wiz-be3fd3f0-6358-11ee-9db4-21f79f2e6273)\n\n[Integration Page](/app/integrations/detail/wiz-0.2.0/overview)\n\nOverview\n\nThis dashboard shows Vulnerability overview related to the Wiz Integration.\n\nThis dashboard is made to provide general statistics and show the detection of ingested vulnerabilities.\n\nIt provides information about vulnerability and vulnerability assets. It also displays the distribution of vulnerabilities according to detection method and status. It also contains details regarding count of vulnerabilities over time.", + "markdown": "Navigation\n\nWiz Vulnerability\n\n[Wiz Cloud Configuration Finding](#/dashboard/wiz-726802c0-4007-48b9-bae5-09daa69d4368)\n\n[Wiz Defend](#/dashboard/wiz-3c3519be-f4f9-4c67-a9d8-1db4182b6e6a)\n\n[Wiz Audit](#/dashboard/wiz-be3fd3f0-6358-11ee-9db4-21f79f2e6273)\n\n[Wiz Issue](#/dashboard/wiz-d8f91a20-6363-11ee-a265-c3569aa0cebf)\n\n[Integration Page](/app/integrations/detail/wiz-0.2.0/overview)\n\nOverview\n\nThis dashboard shows Vulnerability overview related to the Wiz Integration.\n\nThis dashboard is made to provide general statistics and show the detection of ingested vulnerabilities.\n\nIt provides information about vulnerability and vulnerability assets. It also displays the distribution of vulnerabilities according to detection method and status. It also contains details regarding count of vulnerabilities over time.", "openLinksInNewTab": false }, "title": "", 
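Review bot: the Integration Page link in this markdown still points at `/app/integrations/detail/wiz-0.2.0/overview`, pinning a package version that this PR bumps to 3.2.0, while the Cloud Configuration Finding dashboard uses the unversioned `/app/integrations/detail/wiz/overview`, which resolves to whatever version is installed. Since the whole markdown line is rewritten here anyway, switch to the unversioned form.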
diff --git a/packages/wiz/kibana/dashboard/wiz-be3fd3f0-6358-11ee-9db4-21f79f2e6273.json b/packages/wiz/kibana/dashboard/wiz-be3fd3f0-6358-11ee-9db4-21f79f2e6273.json index c66d970483e..0773d282db4 100644 --- a/packages/wiz/kibana/dashboard/wiz-be3fd3f0-6358-11ee-9db4-21f79f2e6273.json +++ b/packages/wiz/kibana/dashboard/wiz-be3fd3f0-6358-11ee-9db4-21f79f2e6273.json @@ -37,7 +37,7 @@ "id": "", "params": { "fontSize": 12, - "markdown": "Navigation\n\n[Wiz Audit (This page)](#/dashboard/wiz-be3fd3f0-6358-11ee-9db4-21f79f2e6273)\n\n[Wiz Issues](#/dashboard/wiz-d8f91a20-6363-11ee-a265-c3569aa0cebf)\n\n[Wiz Vulnerability](#/dashboard/wiz-927c36f0-6358-11ee-a265-c3569aa0cebf)\n\n[Integration Page](/app/integrations/detail/wiz-0.2.0/overview)\n\nOverview\n\nThis dashboard shows an Audit overview related to the Wiz Integration.\n\nThis dashboard is made to provide general statistics and show the detection of ingested audit data.\n\nIt provides information about audit data by user. It also displays the actions performed on time and the status of those actions in the pie chart. It displays the top 10 source IPs with their count.", + "markdown": "Navigation\n\nWiz Audit\n\n[Wiz Cloud Configuration Finding](#/dashboard/wiz-726802c0-4007-48b9-bae5-09daa69d4368)\n\n[Wiz Vulnerability](#/dashboard/wiz-927c36f0-6358-11ee-a265-c3569aa0cebf)\n\n[Wiz Issue](#/dashboard/wiz-d8f91a20-6363-11ee-a265-c3569aa0cebf)\n\n[Wiz Defend](#/dashboard/wiz-3c3519be-f4f9-4c67-a9d8-1db4182b6e6a)\n\nOverview\n\nThis dashboard shows an Audit overview related to the Wiz Integration.\n\nThis dashboard is made to provide general statistics and show the detection of ingested audit data.\n\nIt provides information about audit data by user. It also displays the actions performed on time and the status of those actions in the pie chart. It displays the top 10 source IPs with their count.", "openLinksInNewTab": false }, "title": "", 
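Review bot: the rewritten markdown drops the `[Integration Page](/app/integrations/detail/wiz-0.2.0/overview)` link that the removed line carried, while the other three navigation blocks in this PR keep theirs; unless that is deliberate, restore it, preferably as the unversioned `/app/integrations/detail/wiz/overview`.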
diff --git a/packages/wiz/kibana/dashboard/wiz-d8f91a20-6363-11ee-a265-c3569aa0cebf.json b/packages/wiz/kibana/dashboard/wiz-d8f91a20-6363-11ee-a265-c3569aa0cebf.json index d8906d79236..6ee96ee0c91 100644 --- a/packages/wiz/kibana/dashboard/wiz-d8f91a20-6363-11ee-a265-c3569aa0cebf.json +++ b/packages/wiz/kibana/dashboard/wiz-d8f91a20-6363-11ee-a265-c3569aa0cebf.json @@ -37,7 +37,7 @@ "id": "", "params": { "fontSize": 12, - "markdown": "Navigation\n\n[Wiz Issue (This page)](#/dashboard/wiz-d8f91a20-6363-11ee-a265-c3569aa0cebf)\n\n[Wiz Audit](#/dashboard/wiz-be3fd3f0-6358-11ee-9db4-21f79f2e6273)\n\n[Wiz Vulnerability](#/dashboard/wiz-927c36f0-6358-11ee-a265-c3569aa0cebf)\n\n[Integration Page](/app/integrations/detail/wiz-0.2.0/overview)\n\nOverview\n\nThis dashboard shows Issue overview related to the Wiz Integration.\n\nThis dashboard is made to provide general statistics and show the detection of ingested issues.\n\nIt provides information about issue data. It also displays the distribution of issues according to status, severity and entity type. It also contains details regarding count of issues over time.", + "markdown": "Navigation\n\nWiz Issue\n\n[Wiz Vulnerability](#/dashboard/wiz-927c36f0-6358-11ee-a265-c3569aa0cebf)\n\n[Wiz Cloud Configuration Finding](#/dashboard/wiz-726802c0-4007-48b9-bae5-09daa69d4368)\n\n[Wiz Defend](#/dashboard/wiz-3c3519be-f4f9-4c67-a9d8-1db4182b6e6a)\n\n[Wiz Audit](#/dashboard/wiz-be3fd3f0-6358-11ee-9db4-21f79f2e6273)\n\n[Integration Page](/app/integrations/detail/wiz-0.2.0/overview)\n\nOverview\n\nThis dashboard shows Issue overview related to the Wiz Integration.\n\nThis dashboard is made to provide general statistics and show the detection of ingested issues.\n\nIt provides information about issue data. It also displays the distribution of issues according to status, severity and entity type. It also contains details regarding count of issues over time.", "openLinksInNewTab": false }, "title": "", 
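Review bot: same stale version-pinned link `/app/integrations/detail/wiz-0.2.0/overview` as in the Vulnerability dashboard; replace it with `/app/integrations/detail/wiz/overview` so the link does not break as the package version moves on.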
diff --git a/packages/wiz/kibana/search/wiz-f71321c0-a641-4411-a33e-f39569c2c7be.json b/packages/wiz/kibana/search/wiz-f71321c0-a641-4411-a33e-f39569c2c7be.json new file mode 100644 index 00000000000..cbe434cb82e --- /dev/null +++ b/packages/wiz/kibana/search/wiz-f71321c0-a641-4411-a33e-f39569c2c7be.json @@ -0,0 +1,53 @@ +{ + "attributes": { + "columns": [ + "rule.name", + "rule.id", + "event.action", + "threat.indicator.id", + "threat.indicator.reference", + "wiz.defend.created_at", + "wiz.defend.severity", + "event.reference", + "threat.tactic.id", + "threat.technique.id" + ], + "description": "", + "grid": {}, + "hideChart": false, + "isTextBasedQuery": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "timeRestore": false, + "title": "Detection Essential Details [Logs Wiz]" + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2025-04-21T06:50:17.258Z", + "created_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0", + "id": "wiz-f71321c0-a641-4411-a33e-f39569c2c7be", + "managed": false, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search", + "typeMigrationVersion": "10.5.0", + "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0" +} \ No newline at end of file diff --git a/packages/wiz/manifest.yml b/packages/wiz/manifest.yml index a48923b61a1..fa110e8d839 100644 --- a/packages/wiz/manifest.yml +++ b/packages/wiz/manifest.yml @@ -1,7 +1,7 @@ format_version: 3.2.3 name: wiz title: Wiz -version: "3.1.1" +version: "3.2.0" description: Collect logs from Wiz with Elastic Agent. type: integration categories: 
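Review bot: the new saved search "Detection Essential Details [Logs Wiz]" has an empty query and `"filter": []` against `logs-*`, so when it is opened in Discover outside the dashboard it lists every document in `logs-*`, not just Wiz Defend detections; scope it with a query on the defend dataset (e.g. `data_stream.dataset : "wiz.defend"`, assuming that is the dataset name) or an equivalent filter. The column set (`rule.name`, `rule.id`, `event.action`, `threat.*`, `wiz.defend.severity`) is good for triage but contains no actor or resource column; adding `source.ip` (the Defend dashboard already maps `source.geo.country_iso_code`, so it presumably exists) and the cloud account field used by the dashboard table would make a row actionable without expanding it.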
@@ -37,6 +37,10 @@ screenshots: title: Misconfiguration Findings view with Wiz data in Elastic Security Screenshot size: 600x600 type: image/png + - src: /img/wiz-defend-dashboard.png + title: Wiz Defend Dashboard Screenshot + size: 600x600 + type: image/png icons: - src: /img/wiz-logo.svg title: Wiz logo @@ -125,6 +129,9 @@ policy_templates: # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk # sxSmbIUfc2SGJGCJD4I= # -----END CERTIFICATE----- + - type: http_endpoint + title: Collect Wiz Defend logs via HTTP Endpoint + description: Collecting Detection events from Wiz Defend via HTTP Endpoint. owner: github: elastic/security-service-integrations type: elastic diff --git a/packages/wiz/validation.yml b/packages/wiz/validation.yml index d291922c236..c7bf004b676 100644 --- a/packages/wiz/validation.yml +++ b/packages/wiz/validation.yml @@ -1,3 +1,4 @@ errors: exclude_checks: - SVR00002 # Mandatory filters in dashboards + - SVR00004 # References in dashboards.
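Review bot: the new `http_endpoint` policy template describes only that it collects detection events "via HTTP Endpoint"; because this is a listener that Wiz pushes into, the template (or its data stream) needs to state how the listener authenticates Wiz, such as a shared secret header or HMAC signature check plus TLS, since an unauthenticated endpoint lets anything that can reach the agent inject fabricated detections into the Defend data stream and drive the new dashboard and any rules built on it. If the data stream already exposes those settings, reference them in this description; if not, they should be in place before this ships.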
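Review bot: adding `SVR00004` to `exclude_checks` in validation.yml switches off the "references in dashboards" check for the entire package, presumably to accommodate the Defend dashboard panel that references the saved search `wiz-f71321c0-a641-4411-a33e-f39569c2c7be` by reference (type `search`). A by-reference object has to be installed and removed together with the dashboard, which is what the check guards; prefer embedding the search by value in the dashboard so the exclusion is unnecessary, or at least record in the comment why it is required, as the existing SVR00002 entry does.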