[aws] Update inspector data stream for Cloud Detection and Response (CDR) workflow #14306
Conversation
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)
@maxcold, I've updated the integration title and all other references of
Outdated review threads (resolved) on:
packages/aws/data_stream/inspector/_dev/deploy/docker/files/config.yml
packages/aws/data_stream/inspector/elasticsearch/ingest_pipeline/default.yml
packages/aws/kibana/dashboard/aws-131a1550-5a0b-11ed-a807-bd2da8f2e79b.json
packages/aws/kibana/dashboard/aws-383d4630-63df-11ed-be08-4b4db5223139.json
packages/aws/kibana/dashboard/aws-60881ab0-63e0-11ed-be08-4b4db5223139.json
packages/aws/kibana/dashboard/aws-63984b70-63e1-11ed-be08-4b4db5223139.json
move_on_creation: true | ||
latest: | ||
unique_key: | ||
- aws.inspector.transform_unique_id |
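Review bot: the transform's uniqueness rests entirely on aws.inspector.transform_unique_id, a string the ingest pipeline builds by concatenating vulnerability.id, resource.id, package.name and package.version with '|'. The array fields are rendered verbatim into that string and resource.id may be absent, so the key is sensitive to array element order and degrades to an empty middle segment when the resource is not mapped (the ECR sample later in this thread carries a key of the form 'CVE-2025-47273||{0=...}|{0=...}'). A comment next to unique_key stating those properties, and a guard in the pipeline that the id is set for every PACKAGE_VULNERABILITY document before the transform consumes it, would make the contract explicit.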
@maxcold, I'm using the aws.inspector.transform_unique_id field as the unique key in the transform because if I use individual fields (vulnerability.id, resource.id, package.id, package.version), the transforms behave strangely. The destination index has a higher event count than the source index, which seems to be caused by the fields resource.id, package.id, and package.version being arrays.
@maxcold, here's the logic for calculating aws.inspector.transform_unique_id
integrations/packages/aws/data_stream/inspector/elasticsearch/ingest_pipeline/default.yml
Lines 1150 to 1154 in bbd4c37
  - set:
      field: aws.inspector.transform_unique_id
      tag: set_transform_unique_id
      value: '{{vulnerability.id}}|{{resource.id}}|{{package.name}}|{{package.version}}'
      if: ctx.aws?.inspector?.type == 'PACKAGE_VULNERABILITY'
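As an added example (not code from this PR or from the aws integration), the Python below emulates the set processor quoted above and a transform in `latest` mode, to show why a composite unique_key over the array-valued fields yields more destination documents than source documents while the single concatenated field does not. The Mustache list rendering (`{0=a, 1=b}`) follows the sample document posted later in this thread; the Cartesian-product bucketing is my emulation, an assumption consistent with the reported symptom rather than the transform's actual implementation; the sample documents are constructed.

```python
from itertools import product

# Constructed sample documents (not real data), shaped like flattened
# aws.inspector PACKAGE_VULNERABILITY events after the ingest pipeline ran.
# resource.id is deliberately absent, as in the ECR finding in this thread.
SAMPLE_DOC = {
    "vulnerability.id": "CVE-2025-47273",
    "package.name": ["python3-setuptools", "python3-setuptools-wheel"],
    "package.version": ["59.6.0"],
    "@timestamp": "2025-06-26T12:42:32.515Z",
}
# A later observation of the same finding (constructed); only the
# timestamp and status differ, so "latest" should keep just this one.
LATER_DOC = dict(SAMPLE_DOC, **{"@timestamp": "2025-07-01T00:00:00.000Z",
                                "aws.inspector.status": "ACTIVE"})

# Field order of the set processor's template:
# '{{vulnerability.id}}|{{resource.id}}|{{package.name}}|{{package.version}}'
KEY_FIELDS = ("vulnerability.id", "resource.id", "package.name", "package.version")


def render_value(value):
    """Emulate Mustache rendering as it appears in the sample document on
    this page: a list renders as '{0=a, 1=b}', a missing field as '',
    a scalar as itself."""
    if value is None:
        return ""
    if isinstance(value, list):
        return "{" + ", ".join(f"{i}={v}" for i, v in enumerate(value)) + "}"
    return str(value)


def transform_unique_id(doc):
    """Build aws.inspector.transform_unique_id the way the set processor does."""
    return "|".join(render_value(doc.get(field)) for field in KEY_FIELDS)


def with_transform_id(doc):
    out = dict(doc)
    out["aws.inspector.transform_unique_id"] = transform_unique_id(doc)
    return out


def latest_buckets(docs, unique_key):
    """Emulate a 'latest' transform: one destination document per distinct
    combination of unique_key values, keeping the newest source document.
    Assumption: a multi-valued field contributes each of its values, so a
    source document whose key fields are arrays lands in the Cartesian
    product of those values (this is what produces more destination than
    source documents)."""
    buckets = {}
    for doc in docs:
        columns = []
        for field in unique_key:
            value = doc.get(field)
            columns.append(value if isinstance(value, list) else [value])
        for combo in product(*columns):
            current = buckets.get(combo)
            if current is None or doc["@timestamp"] > current["@timestamp"]:
                buckets[combo] = doc
    return buckets


def count_destination_docs(docs, unique_key):
    """Number of documents the destination index would hold."""
    return len(latest_buckets(docs, unique_key))


if __name__ == "__main__":
    docs = [with_transform_id(SAMPLE_DOC), with_transform_id(LATER_DOC)]
    print(transform_unique_id(SAMPLE_DOC))
    # composite key over the raw (array) fields: 2 buckets for 1 finding
    print(count_destination_docs(docs, list(KEY_FIELDS)))
    # single concatenated key: 1 bucket, holding the later observation
    print(count_destination_docs(docs, ["aws.inspector.transform_unique_id"]))
```

The bucket count under the composite key is the product of the array lengths of the key fields, which is why the destination grows past the source; the concatenated key collapses each finding to exactly one bucket, at the cost of being order-sensitive and of carrying an empty segment whenever resource.id is not populated.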
thanks! I think it makes sense. I wonder when resource.id can be an array. I guess we had a similar situation with AWS Security Hub when resource was defined as an array in the docs but we couldn't find any example in the real data. Did you see this case with Amazon Inspector in the wild?
anyway, the unique key logic seems reasonable to me!
In Amazon Inspector we are also getting a single element in resources.
guess we had similar situation with AWS Security Hub when resource was defined as array in the docs but we couldn't find any example in the real data. Did you see this case with Amazon Inspector in the wild?
It is similar to AWS SecurityHub.
Added a comment here: https://github.com/elastic/security-team/issues/10753#issuecomment-2921417448
@@ -1,15 +1,19 @@ | |||
# Inspector | |||
|
|||
The [AWS Inspector](https://docs.aws.amazon.com/inspector/) integration collects and parses data from AWS Inspector [Findings](https://docs.aws.amazon.com/inspector/v2/APIReference/API_ListFindings.html) REST APIs. | |||
The [Amazon Inspector](https://docs.aws.amazon.com/inspector/) integration collects and parses data from Amazon Inspector [Findings](https://docs.aws.amazon.com/inspector/v2/APIReference/API_ListFindings.html) REST APIs. |
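Review bot: the product-name change in this line is display-only, and the thread confirms that the aws.inspector.* field names are untouched; the README should say so in the same paragraph so readers searching for the old "AWS Inspector" wording understand the field namespace did not move. The hunk header (-1,15 +1,19) indicates four further added lines not shown here; check that they use the same "Amazon Inspector" wording so the document does not mix both names.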
@jamiehynds @cpascale43, we are changing AWS Inspector into Amazon Inspector as it should be with this change. We are only changing UI elements and not updating any field names, so the custom fields are still aws.inspector.*.
Let me know if you have any concerns.
@maxcold, current kibana version constraint is the following:
  kibana:
    version: "~8.16.6 || ~8.17.4 || ^8.18.0 || ^9.0.0"
In Inspector, we don't have missing CVE values for package vulnerabilities. Also, it is not an array and always contains a single value. For example: vulnerability.id: CVE-2025-38000
Do we still need to bump the minimum versions here? Related to multiple/empty CVEs: #14079 (comment)
@kcreddy thanks for highlighting it! I need to test the integration with 8.18 and 9.0 to check that. Right now I'm testing with the latest 9.1 snapshot, will play with 8.18/9.0 version later
When testing 8.18 I realised that we don't support multiple packages in this version and also have some other rough edges. I think we will need to bump to ^8.19.0 || ^9.1.0 but let's wait for product feedback as well
aws integration has shared ownership. If we are completely removing support for 8.17 and 8.18, we need everyone's approval on this.
Is it possible to backport this support for multiple packages to 8.17.9 and 8.18.4?
cc: @nick-alayil
@brijesh-elastic, please update the versions to: ^8.19.0 || ^9.1.0 similar to Tenable and Rapid7.
cc: @maxcold
Review thread (resolved) on: packages/aws/data_stream/inspector/elasticsearch/ingest_pipeline/default.yml
@kcreddy @brijesh-elastic While testing I see that we don't have the
@maxcold, that sounds reasonable. We will also populate
Populated
Waiting on product confirmation for: #14306 (comment)
Review threads (resolved) on:
packages/aws/data_stream/inspector/_dev/test/pipeline/test-inspector.log-expected.json
packages/aws/data_stream/inspector/elasticsearch/ingest_pipeline/default.yml (outdated)
packages/aws/data_stream/inspector/elasticsearch/ingest_pipeline/default.yml (outdated)
packages/aws/data_stream/inspector/_dev/deploy/docker/files/config.yml (outdated)
packages/aws/data_stream/inspector/_dev/test/pipeline/test-inspector.log-expected.json (outdated)
packages/aws/data_stream/inspector/_dev/test/pipeline/test-inspector.log-expected.json (outdated)
packages/aws/data_stream/inspector/elasticsearch/ingest_pipeline/default.yml (outdated)
packages/aws/data_stream/inspector/elasticsearch/ingest_pipeline/default.yml (outdated)
packages/aws/data_stream/inspector/elasticsearch/ingest_pipeline/default.yml (outdated)
LGTM, but please wait for @kcreddy.
"package": { | ||
"architecture": [ | ||
"X86_64" | ||
], | ||
"fixed_version": [ | ||
"0.38.0", | ||
"0:2.0.5-1.amzn2.0.1" | ||
], | ||
"name": [ | ||
"golang.org/x/net", | ||
"nerdctl" | ||
], | ||
"path": [ | ||
"vol-0e47545061282cd35:/p1:opt/cni/bin/aws-cni", | ||
"vol-0e47545061282cd35:/p1:etc/eks/image-credential-provider/ecr-credential-provider", | ||
"vol-0e47545061282cd35:/p1:opt/cni/bin/dhcp", | ||
"vol-0e47545061282cd35:/p1:usr/bin/aws-iam-authenticator", | ||
"vol-0e47545061282cd35:/p1:usr/bin/kubelet" | ||
], | ||
"version": [ | ||
"v0.1.0", | ||
"v0.30.0", | ||
"2.0.4" | ||
] |
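Review bot: the flattened package.* arrays in this expected document have different lengths (architecture 1, fixed_version 2, name 2, path 5, version 3) because they are de-duplicated, so their elements cannot be correlated by index; name "nerdctl" has no path entry at all, and version "v0.1.0" vs "v0.30.0" cannot be tied back to a file. The per-package tuple survives only in package_nested, so the field documentation for package.* should state that these are de-duplicated value sets, and any consumer that needs name/version/path pairs must read package_nested instead.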
@maxcold, the array sizes of package.* fields are not equal. For example, package.name.size() != package.version.size(). Can you confirm if it doesn't cause issues within Findings page?
This happens because the package.* arrays are made not to contain duplicates (for example, golang.org/x/net below).
The nested version of this package field is here.
"package_nested": [
{
"epoch": 0,
"file_path": "vol-0e47545061282cd35:/p1:opt/cni/bin/aws-cni",
"fixed_in_version": "0.38.0",
"name": "golang.org/x/net",
"package_manager": "GOBINARY",
"version": "v0.1.0"
},
{
"epoch": 0,
"file_path": "vol-0e47545061282cd35:/p1:etc/eks/image-credential-provider/ecr-credential-provider",
"fixed_in_version": "0.38.0",
"name": "golang.org/x/net",
"package_manager": "GOBINARY",
"version": "v0.30.0"
},
{
"epoch": 0,
"file_path": "vol-0e47545061282cd35:/p1:opt/cni/bin/dhcp",
"fixed_in_version": "0.38.0",
"name": "golang.org/x/net",
"package_manager": "GOBINARY",
"version": "v0.30.0"
},
{
"epoch": 0,
"file_path": "vol-0e47545061282cd35:/p1:usr/bin/aws-iam-authenticator",
"fixed_in_version": "0.38.0",
"name": "golang.org/x/net",
"package_manager": "GOBINARY",
"version": "v0.30.0"
},
{
"epoch": 0,
"file_path": "vol-0e47545061282cd35:/p1:usr/bin/kubelet",
"fixed_in_version": "0.38.0",
"name": "golang.org/x/net",
"package_manager": "GOBINARY",
"version": "v0.30.0"
},
{
"arch": "X86_64",
"epoch": 0,
"fixed_in_version": "0:2.0.5-1.amzn2.0.1",
"name": "nerdctl",
"package_manager": "OS",
"release": "1.amzn2.0.1",
"remediation": "yum update nerdctl",
"version": "2.0.4"
}
],
@kcreddy as we don't correlate these arrays it shouldn't be a problem. @alexreal1314 am I correct?
packages/aws/manifest.yml
@@ -11,7 +11,7 @@ conditions: | |||
elastic: | |||
subscription: basic | |||
kibana: | |||
version: "~8.16.6 || ~8.17.4 || ^8.18.0 || ^9.0.0" | |||
version: "~8.16.6 || ~8.17.4 || ^8.19.0 || ^9.1.0" |
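Review bot: the new constraint still admits 8.16.x and 8.17.x while dropping 8.18.x, which contradicts the reason given for the change (the CDR transform needs features that only 8.19 and 9.1 carry); a stack that satisfies ~8.17.4 would still install the package and hit the same rough edges reported for 8.18. As agreed in the thread, the value should be just "^8.19.0 || ^9.1.0", and the accompanying changelog entry should describe this as a restriction of the supported range, not as added support.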
@brijesh-elastic @kcreddy as discussed this should be just ^8.19.0 || ^9.1.0, support for 8.16.x and 8.17.x will need to be removed with the adaptation of CDR transform
LGTM. Thanks!
if (resources.size() == 1){ | ||
def res = resources[0]; | ||
|
||
if (res.type == 'AWS_EC2_INSTANCE') { |
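Review bot: resource.id and resource.type are only set inside the AWS_EC2_INSTANCE branch, so a finding whose single resource is of another type (the AWS_ECR_CONTAINER_IMAGE document later in this thread) ends up with no resource.id at all, which the unique-key template then renders as an empty segment. Move the resource.id / resource.type assignments (from res.id / res.type) ahead of the type check so every resource type gets them, and keep only the EC2-specific fields (cloud.instance.id, host.*) behind the AWS_EC2_INSTANCE condition. The date processor on details.awsEc2Instance.launchedAt that runs per resource element likewise needs an if condition on the field's presence, otherwise non-EC2 resources raise the "field [awsEc2Instance] not present" pipeline error quoted below.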
@brijesh-elastic @kcreddy I have a case where resource is not present on the finding, can we have a case where resources.size() == 1 and res.type !== 'AWS_EC2_INSTANCE'?
might be related to this error I'm seeing in the document
"error": {
"message": "Processor date with tag date_resources_details_awsEc2Instance_launchedAt in pipeline logs-aws.inspector-4.0.0 failed with message: field [awsEc2Instance] not present as part of path [_ingest._value.details.awsEc2Instance.launchedAt]"
},
cc @maxcold
important finding @alexreal1314 ! As discussed in our sync, the resource.id is defined as MUST_HAVE mostly because it's used for transform uniqueness in our native integration, but for Amazon Inspector, we chose another field for the uniqueness. If the field can be empty, we need to see if we can fix things that break, eg. opening the flyout from the contextual table. All the rest I think should already be agnostic to not having a resource id
@brijesh-elastic @maxcold @kcreddy PR to handle missing resource id gracefully in main (9.2.0) and 9.1.0 has been merged. Still I'm curious what may be the reason for the missing resource field, this is the document:
{
"agent": {
"name": "alex-worker2",
"id": "9c0d1500-5aef-4999-9af5-855ff7c37652",
"ephemeral_id": "3c4db4e7-9692-46d6-aa4c-4ab00e8105d0",
"type": "filebeat",
"version": "9.0.3"
},
"package": {
"fixed_version": [
"0:59.6.0-2.amzn2023.0.6"
],
"name": [
"python3-setuptools",
"python3-setuptools-wheel"
],
"version": [
"59.6.0"
],
"architecture": [
"NOARCH"
]
},
"elastic_agent": {
"id": "9c0d1500-5aef-4999-9af5-855ff7c37652",
"version": "9.0.3",
"snapshot": false
},
"vulnerability": {
"reference": [
"https://alas.aws.amazon.com/AL2023/ALAS-2025-1005.html",
"https://alas.aws.amazon.com/AL2/ALAS-2025-2877.html",
"https://alas.aws.amazon.com/AL2023/ALAS-2025-1003.html",
"https://alas.aws.amazon.com/cve/json/v1/CVE-2025-47273.json",
"https://alas.aws.amazon.com/AL2023/ALAS-2025-1004.html",
"https://alas.aws.amazon.com/AL2/ALAS-2025-2876.html"
],
"severity": "High",
"score": {
"version": "3.1",
"base": 7.5
},
"scanner": {
"vendor": "Amazon Inspector"
},
"description": "setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. Version 78.1.1 fixes the issue.",
"id": "CVE-2025-47273",
"title": "CVE-2025-47273 - python3-setuptools, python3-setuptools-wheel",
"published_date": "2025-05-17T00:00:00.000Z"
},
"error": {
"message": "Processor date with tag date_resources_details_awsEc2Instance_launchedAt in pipeline logs-aws.inspector-4.0.0 failed with message: field [awsEc2Instance] not present as part of path [_ingest._value.details.awsEc2Instance.launchedAt]"
},
"message": "setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. Version 78.1.1 fixes the issue.",
"tags": [
"forwarded",
"aws-inspector",
"preserve_original_event"
],
"cloud": {
"provider": "aws",
"account": {
"id": "704479110758"
}
},
"input": {
"type": "httpjson"
},
"observer": {
"vendor": "Amazon Inspector"
},
"@timestamp": "2025-06-26T12:42:32.515Z",
"ecs": {
"version": "8.11.0"
},
"related": {
"hash": [
"sha256:023cba81b02358aa89023184475accbaf4d8b7edba68d1c8981e46747029cc80",
"sha256:f2e0a07f71934e38981adf8055d7ac9a0562b6b33ef05c5a9be25f6efc9a5bca"
]
},
"data_stream": {
"namespace": "default",
"type": "logs",
"dataset": "aws.inspector"
},
"host": {
"name": "classic-rim.net"
},
"aws": {
"inspector": {
"severity": "HIGH",
"inspector_score": 7.5,
"package_vulnerability_details": {
"related_vulnerabilities": [
"ALAS2-2025-2877",
"ALAS2-2025-2876",
"ALAS2023-2025-1004",
"ALAS2023-2025-1005",
"ALAS2023-2025-1003"
],
"vendor": {
"severity": "Important",
"updated_at": "2025-06-02T00:00:00.000Z"
},
"vulnerable_packages": [
{
"remediation": "sudo dnf check-update",
"package_manager": "OS",
"release": "2.amzn2023.0.5",
"name": "python3-setuptools",
"epoch": 0,
"fixed_in_version": "0:59.6.0-2.amzn2023.0.6",
"source_layer_hash": "sha256:023cba81b02358aa89023184475accbaf4d8b7edba68d1c8981e46747029cc80",
"arch": "NOARCH",
"version": "59.6.0"
},
{
"remediation": "sudo dnf check-update",
"package_manager": "OS",
"release": "2.amzn2023.0.5",
"name": "python3-setuptools-wheel",
"epoch": 0,
"fixed_in_version": "0:59.6.0-2.amzn2023.0.6",
"source_layer_hash": "sha256:023cba81b02358aa89023184475accbaf4d8b7edba68d1c8981e46747029cc80",
"arch": "NOARCH",
"version": "59.6.0"
}
],
"source": {
"value": "AMAZON_CVE",
"url": {
"path": "/cve/json/v1/CVE-2025-47273.json",
"extension": "json",
"original": "https://alas.aws.amazon.com/cve/json/v1/CVE-2025-47273.json",
"scheme": "https",
"domain": "alas.aws.amazon.com"
}
},
"cvss": [
{
"base_score": 7.5,
"scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"source": "AMAZON_CVE",
"version": "3.1"
},
{
"base_score": 8.8,
"scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"source": "NVD",
"version": "3.1"
}
]
},
"epss": {
"score": 0.0012
},
"package_nested": [
{
"remediation": "sudo dnf check-update",
"package_manager": "OS",
"release": "2.amzn2023.0.5",
"name": "python3-setuptools",
"epoch": 0,
"fixed_in_version": "0:59.6.0-2.amzn2023.0.6",
"source_layer_hash": "sha256:023cba81b02358aa89023184475accbaf4d8b7edba68d1c8981e46747029cc80",
"arch": "NOARCH",
"version": "59.6.0"
},
{
"remediation": "sudo dnf check-update",
"package_manager": "OS",
"release": "2.amzn2023.0.5",
"name": "python3-setuptools-wheel",
"epoch": 0,
"fixed_in_version": "0:59.6.0-2.amzn2023.0.6",
"source_layer_hash": "sha256:023cba81b02358aa89023184475accbaf4d8b7edba68d1c8981e46747029cc80",
"arch": "NOARCH",
"version": "59.6.0"
}
],
"inspector_score_details": {
"adjusted_cvss": {
"score": {
"source": "AMAZON_CVE"
},
"scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"cvss_source": "AMAZON_CVE"
}
},
"resources": [
{
"partition": "aws",
"details": {
"aws": {
"ecr_container_image": {
"image": {
"hash": "sha256:f2e0a07f71934e38981adf8055d7ac9a0562b6b33ef05c5a9be25f6efc9a5bca",
"tags": [
"latest"
]
},
"registry": "704479110758",
"pushed_at": "2025-04-17T12:24:47.924Z",
"platform": "AMAZON_LINUX_2023",
"repository_name": "orestis-onweek-2",
"architecture": "amd64"
}
}
},
"id": "arn:aws:ecr:us-east-1:704479110758:repository/orestis-onweek-2/sha256:f2e0a07f71934e38981adf8055d7ac9a0562b6b33ef05c5a9be25f6efc9a5bca",
"region": "us-east-1",
"type": "AWS_ECR_CONTAINER_IMAGE"
}
],
"type": "PACKAGE_VULNERABILITY",
"transform_unique_id": "CVE-2025-47273||{0=python3-setuptools, 1=python3-setuptools-wheel}|{0=59.6.0}",
"finding_arn": "arn:aws:inspector2:us-east-1:704479110758:finding/194f71676960026044e67e7c1cf1f0a5",
"exploit_available": "NO",
"remediation": {
"recommendation": {
"text": "None Provided"
}
},
"last_observed_at": "2025-06-26T12:42:32.515Z",
"fix_available": "YES",
"first_observed_at": "2025-06-13T08:46:12.050Z",
"status": "ACTIVE"
}
},
"event": {
"agent_id_status": "auth_metadata_missing",
"ingested": "2025-07-09T12:05:54Z",
      "original": "{\"awsAccountId\":\"704479110758\",\"description\":\"setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. Version 78.1.1 fixes the issue.\",\"epss\":{\"score\":0.0012},\"exploitAvailable\":\"NO\",\"findingArn\":\"arn:aws:inspector2:us-east-1:704479110758:finding/194f71676960026044e67e7c1cf1f0a5\",\"firstObservedAt\":1749804372.05,\"fixAvailable\":\"YES\",\"inspectorScore\":7.5,\"inspectorScoreDetails\":{\"adjustedCvss\":{\"adjustments\":[],\"cvssSource\":\"AMAZON_CVE\",\"score\":7.5,\"scoreSource\":\"AMAZON_CVE\",\"scoringVector\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\"version\":\"3.1\"}},\"lastObservedAt\":1750941752.515,\"packageVulnerabilityDetails\":{\"cvss\":[{\"baseScore\":7.5,\"scoringVector\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\"source\":\"AMAZON_CVE\",\"version\":\"3.1\"},{\"baseScore\":8.8,\"scoringVector\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"source\":\"NVD\",\"version\":\"3.1\"}],\"referenceUrls\":[\"https://alas.aws.amazon.com/AL2023/ALAS-2025-1005.html\",\"https://alas.aws.amazon.com/AL2/ALAS-2025-2877.html\",\"https://alas.aws.amazon.com/AL2023/ALAS-2025-1003.html\",\"https://alas.aws.amazon.com/cve/json/v1/CVE-2025-47273.json\",\"https://alas.aws.amazon.com/AL2023/ALAS-2025-1004.html\",\"https://alas.aws.amazon.com/AL2/ALAS-2025-2876.html\"],\"relatedVulnerabilities\":[\"ALAS2-2025-2877\",\"ALAS2-2025-2876\",\"ALAS2023-2025-1004\",\"ALAS2023-2025-1005\",\"ALAS2023-2025-1003\"],\"source\":\"AMAZON_CVE\",\"sourceUrl\":\"https://alas.aws.amazon.com/cve/json/v1/CVE-2025-47273.json\",\"vendorCreatedAt\":1747440000,\"vendorSeverity\":\"Important\",\"vendorUpdatedAt\":1748822400,\"vulnerabilityId\":\"CVE-2025-47273\",\"vulnerablePackages\":[{\"arch\":\"NOARCH\",\"epoch\":0,\"fixedInVersion\":\"0:59.6.0-2.amzn2023.0.6\",\"name\":\"python3-setuptools\",\"packageManager\":\"OS\",\"release\":\"2.amzn2023.0.5\",\"remediation\":\"sudo dnf check-update\",\"sourceLayerHash\":\"sha256:023cba81b02358aa89023184475accbaf4d8b7edba68d1c8981e46747029cc80\",\"version\":\"59.6.0\"},{\"arch\":\"NOARCH\",\"epoch\":0,\"fixedInVersion\":\"0:59.6.0-2.amzn2023.0.6\",\"name\":\"python3-setuptools-wheel\",\"packageManager\":\"OS\",\"release\":\"2.amzn2023.0.5\",\"remediation\":\"sudo dnf check-update\",\"sourceLayerHash\":\"sha256:023cba81b02358aa89023184475accbaf4d8b7edba68d1c8981e46747029cc80\",\"version\":\"59.6.0\"}]},\"remediation\":{\"recommendation\":{\"text\":\"None Provided\"}},\"resources\":[{\"details\":{\"awsEcrContainerImage\":{\"architecture\":\"amd64\",\"imageHash\":\"sha256:f2e0a07f71934e38981adf8055d7ac9a0562b6b33ef05c5a9be25f6efc9a5bca\",\"imageTags\":[\"latest\"],\"platform\":\"AMAZON_LINUX_2023\",\"pushedAt\":1744892687.924,\"registry\":\"704479110758\",\"repositoryName\":\"orestis-onweek-2\"}},\"id\":\"arn:aws:ecr:us-east-1:704479110758:repository/orestis-onweek-2/sha256:f2e0a07f71934e38981adf8055d7ac9a0562b6b33ef05c5a9be25f6efc9a5bca\",\"partition\":\"aws\",\"region\":\"us-east-1\",\"tags\":{},\"type\":\"AWS_ECR_CONTAINER_IMAGE\"}],\"severity\":\"HIGH\",\"status\":\"ACTIVE\",\"title\":\"CVE-2025-47273 - python3-setuptools, python3-setuptools-wheel\",\"type\":\"PACKAGE_VULNERABILITY\",\"updatedAt\":1750941752.515}",
"created": "2025-07-09T09:57:27.977Z",
"kind": "pipeline_error",
"id": "CVE-2025-47273||{0=python3-setuptools, 1=python3-setuptools-wheel}|{0=59.6.0}|2025-06-26T12:42:32.515Z",
"category": [
"vulnerability"
],
"type": [
"info"
],
"dataset": "aws.inspector"
}
}
"error": {
"message": "Processor date with tag date_resources_details_awsEc2Instance_launchedAt in pipeline logs-aws.inspector-4.0.0 failed with message: field [awsEc2Instance] not present as part of path [_ingest._value.details.awsEc2Instance.launchedAt]"
},
This error is not related to the case mentioned, but will resolve it next commit.
I have a case where resource is not present on the finding, can we have a a case where resources.size() == 1 and res.type !== 'AWS_EC2_INSTANCE'?
@alexreal1314, what is the expected fields/logic when resources.size() == 1 and res.type !== 'AWS_EC2_INSTANCE'? populating resource.id with aws.inspector.resources[].id?
PR to handle missing resource id gracefully in main (9.2.0) and 9.1.0 have been merged. Still i'm curious what may be the reason for the missing resource field, this is the document:
resource.id is missing because aws.inspector.resources[].type = "AWS_ECR_CONTAINER_IMAGE".
@brijesh-elastic regarding:
@alexreal1314, what is the expected fields/logic when resources.size() == 1 and res.type !== 'AWS_EC2_INSTANCE'? populating resource.id with aws.inspector.resources[].id?
I don't have the documentation of aws inspector so I'm not 100% sure, but looking at the sample events provided looks like yes, why do we check for res.type before that?
Can the issue stem from the fact that we want host.id and host.name only for EC2 instances?
Yes, I think that may've been the case here. @brijesh-elastic , we should populate resource.id and resource.type for all resources from resources[].id and resources[].type. Similar to Security Hub: https://github.com/elastic/integrations/blob/main/packages/aws/data_stream/securityhub_findings/elasticsearch/ingest_pipeline/default.yml#L1604-L1605
cloud.instance.id (from res.id)
cloud.instance.id should only be populated when res.Type = AWS_EC2_INSTANCE. I think you got the rest.
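As an added example (not the PR's Painless code), the Python below models the two resource-mapping behaviours discussed in this thread: the original EC2-only branch, and the agreed fix that takes resource.id / resource.type from resources[].id / resources[].type for every resource type while keeping cloud.instance.id EC2-only. It also shows the guarded launchedAt conversion that avoids the "field [awsEc2Instance] not present" error quoted above. The sample findings and resource ids are constructed; the epoch-to-ISO rendering is checked against the firstObservedAt pair visible in the sample document.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample findings (not real data). The "resources" shapes follow
# the Amazon Inspector finding shown on this page; ids are made up.
EC2_FINDING = {
    "resources": [{
        "id": "i-0123456789abcdef0",
        "type": "AWS_EC2_INSTANCE",
        "region": "us-east-1",
        "details": {"awsEc2Instance": {"launchedAt": 1749804372.05}},
    }]
}
ECR_FINDING = {
    "resources": [{
        "id": "arn:aws:ecr:us-east-1:123456789012:repository/example/sha256:0000",
        "type": "AWS_ECR_CONTAINER_IMAGE",
        "region": "us-east-1",
        "details": {"awsEcrContainerImage": {"imageTags": ["latest"]}},
    }]
}
NO_RESOURCE_FINDING = {"resources": []}


def map_resource_ec2_only(finding):
    """Original behaviour: resource.* and cloud.instance.id are populated only
    inside the AWS_EC2_INSTANCE branch, so an ECR image finding gets no
    resource.id at all."""
    out = {}
    resources = finding.get("resources") or []
    if len(resources) == 1:
        res = resources[0]
        if res.get("type") == "AWS_EC2_INSTANCE":
            out["resource.id"] = res["id"]
            out["resource.type"] = res["type"]
            out["cloud.instance.id"] = res["id"]
    return out


def map_resource_all_types(finding):
    """Agreed fix: resource.id / resource.type from resources[].id /
    resources[].type for every type; cloud.instance.id only for EC2."""
    out = {}
    resources = finding.get("resources") or []
    if len(resources) == 1:
        res = resources[0]
        if res.get("id") is not None:
            out["resource.id"] = res["id"]
        if res.get("type") is not None:
            out["resource.type"] = res["type"]
        if res.get("type") == "AWS_EC2_INSTANCE":
            out["cloud.instance.id"] = res["id"]
    return out


def epoch_to_iso_ms(seconds):
    """Render epoch seconds as the pipeline renders timestamps on this page
    (1749804372.05 -> 2025-06-13T08:46:12.050Z). Integer milliseconds avoid
    float drift in the fractional part."""
    ms = round(seconds * 1000)
    dt = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(milliseconds=ms)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def launched_at_per_resource(finding):
    """The failing date processor ran on details.awsEc2Instance.launchedAt
    for every element of resources. Converting only when the path exists is
    what an 'if:' condition on that processor achieves; non-EC2 resources
    yield None instead of a pipeline error."""
    results = []
    for res in finding.get("resources") or []:
        details = res.get("details") or {}
        launched = (details.get("awsEc2Instance") or {}).get("launchedAt")
        results.append(epoch_to_iso_ms(launched) if launched is not None else None)
    return results


if __name__ == "__main__":
    for name, finding in (("ec2", EC2_FINDING), ("ecr", ECR_FINDING),
                          ("none", NO_RESOURCE_FINDING)):
        print(name, map_resource_ec2_only(finding), map_resource_all_types(finding),
              launched_at_per_resource(finding))
```

With the EC2-only mapping the ECR finding produces an empty dict, which is exactly the state that leaves the transform key with an empty resource.id segment; the all-types mapping gives it a resource.id and resource.type while still reserving cloud.instance.id for instances.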
Thanks @kcreddy, @maxcold, @alexreal1314
Resolved in the commit.
@alexreal1314, I got confirmation from @nick-alayil that it is okay to remove the transform part from this PR and add it close to 9.2.0 release.
Can you confirm if this issue can be marked resolved? Are there any more tests you would like to do before we remove transform?
@kcreddy @brijesh-elastic @maxcold issue is resolved, there were no vulnerabilities with missing resource field. Thanks everyone.
Awesome, thanks @alexreal1314 for confirming
@brijesh-elastic, you can go ahead and remove the transform from the PR and any changes related to it (version constraint, documentation, etc.)
packages/aws/changelog.yml
- description: Update the kibana constraint to support ^8.19.0 || ^9.1.0 | ||
type: enhancement | ||
link: https://github.com/elastic/integrations/pull/14306 |
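Review bot: the description reads as if 8.19.0 and 9.1.0 support is being added, but the constraint change narrows the supported range (8.16.x, 8.17.x and 8.18.x are dropped), and "enhancement" is the wrong type for a compatibility restriction. Either drop the entry, since the constraint is already shown on the integration's add page, or reword it to say the Kibana constraint is restricted to ^8.19.0 || ^9.1.0 and state which versions lose support.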
I don't think this is needed, and as it exists is misleading. The text here says (suggests?) that we are adding support for 8.19.0 and 9.1.0, but this is not what we are doing, we are restricting to these. I would instead suggest that this be removed since the behaviour is already implicitly documented by the integrations addition page for users who care about this.