elastic · brijesh-elastic · Jul 15, 2025 · Jun 24, 2025 · Jun 24, 2025 · Jun 26, 2025
@@ -1,15 +1,19 @@
 # Inspector
 
-The [AWS Inspector](https://docs.aws.amazon.com/inspector/) integration collects and parses data from AWS Inspector [Findings](https://docs.aws.amazon.com/inspector/v2/APIReference/API_ListFindings.html) REST APIs.
+The [Amazon Inspector](https://docs.aws.amazon.com/inspector/) integration collects and parses data from Amazon Inspector [Findings](https://docs.aws.amazon.com/inspector/v2/APIReference/API_ListFindings.html) REST APIs.
 
 **IMPORTANT: Extra AWS charges on API requests will be generated by this integration. Check [API Requests](https://www.elastic.co/docs/current/integrations/aws#api-requests) for more details.**
 
 ## Compatibility
+This module is tested against `Amazon Inspector API version 2.0`.
 
-  1. The minimum compatible version of this module is **Elastic Agent 8.4.0**.
-  2. This module is tested against `AWS Inspector API version 2.0`.
+## Agentless-enabled integration
 
-## To collect data from AWS Inspector API, users must have an Access Key and a Secret Key. To create API token follow below steps:
+Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and the [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html).
+
+Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features.
+
+## To collect data from Amazon Inspector API, users must have an Access Key and a Secret Key. To create API token follow below steps:
 
   1. Login to https://console.aws.amazon.com/.
   2. Go to https://console.aws.amazon.com/iam/ to access the IAM console.
@@ -24,6 +28,27 @@ The [AWS Inspector](https://docs.aws.amazon.com/inspector/) integration collects
   - This data stream doesn't support setting a Role ARN.
   - Ensure your IAM has the `inspector2:ListFindings` permission granted. Without this permission, API requests will be denied.
 
+## Troubleshooting
+
+### Breaking Changes
+
+#### Support for Elastic Vulnerability Findings page.
+
+Version `4.0.0` of the AWS integration adds support for [Elastic Cloud Security workflow](https://www.elastic.co/docs/solutions/security/cloud/ingest-third-party-cloud-security-data#_ingest_third_party_security_posture_and_vulnerability_data). The enhancement enables the users of AWS integration to ingest their enriched vulnerabilities from Amazon Inspector platform into Elastic and get insights directly from Elastic [Vulnerability Findings page](https://www.elastic.co/docs/solutions/security/cloud/findings-page-3).
+This update adds [Elastic Latest Transform](https://www.elastic.co/docs/explore-analyze/transforms/transform-overview#latest-transform-overview) which copies the latest vulnerability findings from source indices matching the pattern `logs-aws.inspector-*` into new destination indices matching the pattern `security_solution-aws.vulnerability_latest-*`. The Elastic Vulnerability Findings page will display vulnerabilities based on the destination indices.
+
+For existing users of AWS integration, before upgrading to `4.0.0` please ensure following requirements are met:
+
+1. Users need [Elastic Security solution](https://www.elastic.co/docs/solutions/security) which has requirements documented [here](https://www.elastic.co/docs/solutions/security/get-started/elastic-security-requirements).
+2. To use transforms, users must have:
+   - at least one [transform node](https://www.elastic.co/docs/deploy-manage/distributed-architecture/clusters-nodes-shards/node-roles#transform-node-role),
+   - management features visible in the Kibana space, and
+   - security privileges that:
+     - grant use of transforms, and
+     - grant access to source and destination indices
+   For more details on Transform Setup, refer to the link [here](https://www.elastic.co/docs/explore-analyze/transforms/transform-setup)
+3. Because the latest copy of vulnerabilities is now indexed in two places, that is, in both source and destination indices, users must anticipate storage requirements accordingly.
+
 ## Logs
 
 ### Inspector

@@ -1,4 +1,21 @@
 # newer versions go on top
+- version: "4.0.0"
+  changes:
+    - description: |
+        Update `inspector` datastream to support the Cloud Detection and Response (CDR) vulnerability workflow.
+        This will require a transform node, the necessary permissions to use the transform, and specified source and destination indices.
+        It also stores the latest copy of vulnerabilities in the destination indices, which will require additional storage.
+      type: breaking-change
+      link: https://github.com/elastic/integrations/pull/14306
+    - description: Parse and map newly introduced fields in the `inspector` data stream.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/14306
+    - description: Enable request trace log removal.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/14306
+    - description: Remove metadata fields added by the Agentless policy.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/14306
-    - description: Remove metadata fields added by the Agentless policy.
-      type: bugfix
-      link: https://github.com/elastic/integrations/pull/14306
+    - description: Enable Agentless deployment.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/14306
-    - description: Remove metadata fields added by the Agentless policy.
-      type: bugfix
-      link: https://github.com/elastic/integrations/pull/14306
+    - description: Enable Agentless deployment.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/14306
 - version: "3.11.0"
   changes:
     - description: Fix `tlsVersion` parsing when not properly defined in cloudtrail event.

diff --git a/packages/aws/data_stream/guardduty/_dev/test/system/test-default-config.yml b/packages/aws/data_stream/guardduty/_dev/test/system/test-default-config.yml
@@ -1,4 +1,7 @@
 input: httpjson
+skip:
+  reason: "The cursor is incorrectly set before the chain request call instead of after publishing all the events, which causes the system tests to fail but does not stop the data flow."
+  link: https://github.com/elastic/integrations/issues/14491
 service: guardduty
 vars:
   secret_access_key: xxxx

@@ -1,20 +1,18 @@
 -----BEGIN CERTIFICATE-----
-MIIDUDCCAjgCCQCsyG2Sw6iMvzANBgkqhkiG9w0BAQsFADBqMQswCQYDVQQGEwJY
-WDEVMBMGA1UEBwwMRGVmYXVsdCBDaXR5MRwwGgYDVQQKDBNEZWZhdWx0IENvbXBh
-bnkgTHRkMSYwJAYDVQQDDB1pbnNwZWN0b3IyLnh4eHguYW1hem9uYXdzLmNvbTAe
-Fw0yMjA5MTkxMTE3NDlaFw0yMzA5MTkxMTE3NDlaMGoxCzAJBgNVBAYTAlhYMRUw
-EwYDVQQHDAxEZWZhdWx0IENpdHkxHDAaBgNVBAoME0RlZmF1bHQgQ29tcGFueSBM
-dGQxJjAkBgNVBAMMHWluc3BlY3RvcjIueHh4eC5hbWF6b25hd3MuY29tMIIBIjAN
-BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs65SHVvohc00blWOWaZqqunMMw9G
-nZuhvWMvUdkk2FZE4nmkU0QB1VhewV7Yesfbelhq5OYj6NE2hEl0znSUju8CbQHy
-LfXH+Wp6zBe7o1lVNXVcb7PHwCx/nThXsohEHCHYRu8d9APbY7doUW0amFQOSHCD
-jbqmr1lcOsZ7C57X4A5iQyESaP3ASzYoTitSbsWQWWETq5Kq7Bl2Vm5Pk8p5fg2u
-7cSyY7XtRXxlKW0adAbaOIBe7+JZr5nukUjGWOL139K1Zl/YO/1lxDJvZLwKOffM
-zLTX111B0GX9Lmtk/8A0A6yzuL8u5byKEIGCwD/wW30+763y8TgFaWh0nwIDAQAB
-MA0GCSqGSIb3DQEBCwUAA4IBAQBY4KpmVFmCneRe0vtlx6FA0Pa2N4oAVgQmNs0r
-tySb22AB8c5FBh0KxDYTNRLzVRPOeFxEboDbVVMCIhGHem/EqbxVRiQPP5OJVjqG
-VSAhQ9maRxEnPOJ2BxMGm38etP1+TJkbPgIYmZTSswEODYksnqiC6YeoLVMnWDeX
-o6y1gqSKdndUHf4FO/RxZfrrXv85GwwpgnNGCjv5o09VxlO1yzXDNlml6KCarWuc
-DTMzUkky77XmBVrLVd+YF3jmL9frGB0s6Kud5E691gl9M3hmXJwPnzrEUgUNqrz9
-/eb6vyOPH3qLNpMfE2X12xNJ5cZ5CN7rT37b5Mce4QPNsX2M
+MIIC1zCCAb8CFBhBTt6yEnLtREKHvN40F2qLleIdMA0GCSqGSIb3DQEBCwUAMCgx
+JjAkBgNVBAMMHWluc3BlY3RvcjIueHh4eC5hbWF6b25hd3MuY29tMB4XDTI1MDYy
+NDA5MTQxMloXDTM1MDYyMjA5MTQxMlowKDEmMCQGA1UEAwwdaW5zcGVjdG9yMi54
+eHh4LmFtYXpvbmF3cy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
+AQCbq5ChvdjWiM2/tpew4HATwk9KBXB2J4s70DaqxWJwLKzUYEGWXbujk9ONptE9
+7gkaQEGILWB8vjF47499a0WRt6LeC5KYjH5+Z3MoD+0Eixo2j6rh+jyxTBb64QR8
+GUT3oo0cEDOTXFbVF5ooS1Sber2S5Ww5Edm8jKSYuJ8cJxJDghg9Np4sZZ6JBFIq
+kftDoLCeCZf4W5u8n9/386g47TzgI7ojGEER3m2TXOPVIA7XooeGisqUiOpTPHWA
+0tctkSdjow+JJQ7oUi5NJJKdJ2cPbpA11kv9/9TYIpKZf+jUu8ZxTwAwbTjPLbyo
+qFzle0BYcc4j2zOdKuv4OkPXAgMBAAEwDQYJKoZIhvcNAQELBQADggEBACC7nvmw
++4cR7DslQ6pGRIHbB23yK7ro3cFWqgcxsYg3ntbAJitgKuROWi/rv2vhOB0SfuHT
+9Oc/jcOIilgGni+mfOSTySIYT7B4OeYDjIonYzBsykSWjbt+QtHjJlRwNhZm38ws
+fG/nIjC69GCIS3BUqo9dxgnyCdHn+hO3rO8mE58MKVA/iq7uDuFIdLrU+xY1LFUT
+yb9ZRr3XMjgNFiC3LWnQDycxecFZo4OJcRETyGuwL+HcOybcO00ZOoGHMcemVjTA
+JPlgUImmsN+vezO92i2adepyb75vEbEbILQyz9G1WCg6MA9UWrdT9LtwOxq2+pCt
+KsEFaVXtUm4/YSo=
 -----END CERTIFICATE-----
@@ -3,5 +3,181 @@ rules:
     methods: ["POST"]
     responses:
       - status_code: 200
-        body: |
-          {"findings":[{"awsAccountId":"123456789","description":"Findins message","findingArn":"arn:aws:s3:::sample","firstObservedAt":"1.663703546405E9","inspectorScore":1.2,"inspectorScoreDetails":{"adjustedCvss":{"adjustments":[{"metric":"Base","reason":"use Base metric"}],"cvssSource":"scope1","score":8.9,"scoreSource":"scope2","scoringVector":"Attack Vector","version":"v3.1"}},"lastObservedAt":"1.663703546405E9","networkReachabilityDetails":{"networkPath":{"steps":[{"componentId":"02ce3860-3126-42af-8ac7-c2a661134129","componentType":"type"}]},"openPortRange":{"begin":1234,"end":4567},"protocol":"TCP"},"packageVulnerabilityDetails":{"cvss":[{"baseScore":1.1,"scoringVector":"Attack Vector","source":"scope3","version":"v3.1"}],"referenceUrls":["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111"],"relatedVulnerabilities":["security"],"source":"example","sourceUrl":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111","vendorCreatedAt":"1.663703546405E9","vendorSeverity":"basic","vendorUpdatedAt":"1.663703546405E9","vulnerabilityId":"123456789","vulnerablePackages":[{"arch":"arch","epoch":123,"filePath":"/example","fixedInVersion":"3","name":"example","packageManager":"BUNDLER","release":"release","sourceLayerHash":"50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c","version":"2.0"}]},"remediation":{"recommendation":{"text":"example","Url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111"}},"resources":[{"details":{"awsEc2Instance":{"iamInstanceProfileArn":"arn:aws:s3:::iam","imageId":"123456789","ipV4Addresses":["89.160.20.128","81.2.69.192"],"ipV6Addresses":["2a02:cf40::"],"keyName":"sample","launchedAt":"1.663703546405E9","platform":"EC2","subnetId":"123456","type":"Instance","vpcId":"3265875"},"awsEcrContainerImage":{"architecture":"arch","author":"example","imageHash":"50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545d","imageTags":["sample"],"platform":"ECR","pushedAt":"1.663703546405E9","registry":"ecr registry","repositoryName":"sample"}},"id":"12345678","partition":"partition","region":"us-east-1","tags":{"string1":"string1","string2":"string2"},"type":"AWS_EC2_INSTANCE"}],"severity":"INFORMATIONAL","status":"ACTIVE","title":"sample findings","type":"NETWORK_REACHABILITY","updatedAt":"1.663703546405E9"}]}
+        body: |-
+          {{ minify_json `
+          {
+            "findings": [
+              {
+                "awsAccountId": "123456789012",
+                "description": "The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags as being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. <math>, <svg>, etc contexts).",
+                "epss": {
+                  "score": 0.00024
+                },
+                "exploitAvailable": "NO",
+                "findingArn": "arn:aws:inspector2:us-east-2:123456789012:finding/fb6294abcdef0123456789abcdef8123",
+                "firstObservedAt": 1748539687.919,
+                "fixAvailable": "YES",
+                "inspectorScore": 6.5,
+                "inspectorScoreDetails": {
+                  "adjustedCvss": {
+                    "adjustments": [],
+                    "cvssSource": "NVD",
+                    "score": 6.5,
+                    "scoreSource": "NVD",
+                    "scoringVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L",
+                    "version": "3.1"
+                  }
+                },
+                "lastObservedAt": 1749165796.162,
+                "packageVulnerabilityDetails": {
+                  "cvss": [
+                    {
+                      "baseScore": 6.5,
+                      "scoringVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L",
+                      "source": "NVD",
+                      "version": "3.1"
+                    },
+                    {
+                      "baseScore": 6.5,
+                      "scoringVector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L",
+                      "source": "NVD",
+                      "version": "3.1"
+                    }
+                  ],
+                  "referenceUrls": [
+                    "https://groups.google.com/g/golang-announce/c/ezSKR9vqbqA",
+                    "https://nvd.nist.gov/vuln/detail/CVE-2025-22872",
+                    "https://alas.aws.amazon.com/AL2023/ALAS-2025-981.html",
+                    "https://alas.aws.amazon.com/AL2/ALASDOCKER-2025-064.html",
+                    "https://alas.aws.amazon.com/AL2023/ALAS-2025-980.html",
+                    "https://alas.aws.amazon.com/AL2/ALASDOCKER-2025-063.html",
+                    "https://alas.aws.amazon.com/AL2023/ALAS-2025-979.html",
+                    "https://alas.aws.amazon.com/cve/json/v1/CVE-2025-22872.json",
+                    "https://alas.aws.amazon.com/AL2/ALAS-2025-2863.html",
+                    "https://alas.aws.amazon.com/cve/json/v1/CVE-2025-22872.json"
+                  ],
+                  "relatedVulnerabilities": [],
+                  "source": "NVD",
+                  "sourceUrl": "https://nvd.nist.gov/vuln/detail/CVE-2025-22872",
+                  "vendorCreatedAt": 1744827364,
+                  "vendorSeverity": "MEDIUM",
+                  "vendorUpdatedAt": 1747437319,
+                  "vulnerabilityId": "CVE-2025-22872",
+                  "vulnerablePackages": [
+                    {
+                      "epoch": 0,
+                      "filePath": "vol-0e47545061282cd35:/p1:opt/cni/bin/aws-cni",
+                      "fixedInVersion": "0.38.0",
+                      "name": "golang.org/x/net",
+                      "packageManager": "GOBINARY",
+                      "version": "v0.1.0"
+                    },
+                    {
+                      "epoch": 0,
+                      "filePath": "vol-0e47545061282cd35:/p1:etc/eks/image-credential-provider/ecr-credential-provider",
+                      "fixedInVersion": "0.38.0",
+                      "name": "golang.org/x/net",
+                      "packageManager": "GOBINARY",
+                      "version": "v0.30.0"
+                    },
+                    {
+                      "epoch": 0,
+                      "filePath": "vol-0e47545061282cd35:/p1:opt/cni/bin/dhcp",
+                      "fixedInVersion": "0.38.0",
+                      "name": "golang.org/x/net",
+                      "packageManager": "GOBINARY",
+                      "version": "v0.30.0"
+                    },
+                    {
+                      "epoch": 0,
+                      "filePath": "vol-0e47545061282cd35:/p1:usr/bin/aws-iam-authenticator",
+                      "fixedInVersion": "0.38.0",
+                      "name": "golang.org/x/net",
+                      "packageManager": "GOBINARY",
+                      "version": "v0.30.0"
+                    },
+                    {
+                      "epoch": 0,
+                      "filePath": "vol-0e47545061282cd35:/p1:usr/bin/kubelet",
+                      "fixedInVersion": "0.38.0",
+                      "name": "golang.org/x/net",
+                      "packageManager": "GOBINARY",
+                      "version": "v0.30.0"
+                    },
+                    {
+                      "arch": "X86_64",
+                      "epoch": 0,
+                      "fixedInVersion": "0:2.0.5-1.amzn2.0.1",
+                      "name": "nerdctl",
+                      "packageManager": "OS",
+                      "release": "1.amzn2.0.1",
+                      "remediation": "yum update nerdctl",
+                      "version": "2.0.4"
+                    }
+                  ]
+                },
+                "remediation": {
+                  "recommendation": {
+                    "text": "None Provided"
+                  }
+                },
+                "resources": [
+                  {
+                    "details": {
+                      "awsEc2Instance": {
+                        "iamInstanceProfileArn": "arn:aws:iam::123456789012:instance-profile/eks-0012345a-1234-5678-1234-6c1abcdef012",
+                        "imageId": "ami-0e0f0123456789abd",
+                        "ipV4Addresses": [
+                          "10.90.1.245",
+                          "10.90.1.45",
+                          "10.90.1.168",
+                          "10.90.1.157",
+                          "1.128.0.1",
+                          "10.90.1.103",
+                          "10.90.1.197",
+                          "10.90.1.220",
+                          "10.90.1.86",
+                          "10.90.1.29",
+                          "10.90.1.18",
+                          "10.90.1.181",
+                          "10.90.1.161",
+                          "10.90.1.229",
+                          "10.90.1.108",
+                          "10.90.1.219",
+                          "10.90.1.9",
+                          "10.90.1.106",
+                          "10.90.1.206"
+                        ],
+                        "ipV6Addresses": [],
+                        "launchedAt": 1748534768,
+                        "platform": "AMAZON_LINUX_2",
+                        "subnetId": "subnet-0ababcdefabcdef8b",
+                        "type": "t3.medium",
+                        "vpcId": "vpc-04ab0123456789123"
+                      }
+                    },
+                    "id": "i-0fabcdefabcdef50b",
+                    "partition": "aws",
+                    "region": "us-east-2",
+                    "tags": {
+                      "aws:autoscaling:groupName": "eks-sei_demo_prod_linux-00c12345-abcd-1234-5678-601234567896",
+                      "aws:ec2launchtemplate:version": "6",
+                      "aws:eks:cluster-name": "sei_demo_prod",
+                      "eks:cluster-name": "sei_demo_prod",
+                      "eks:nodegroup-name": "sei_demo_prod_linux",
+                      "k8s.io/cluster-autoscaler/enabled": "true",
+                      "k8s.io/cluster-autoscaler/sei_demo_prod": "owned",
+                      "kubernetes.io/cluster/sei_demo_prod": "owned"
+                    },
+                    "type": "AWS_EC2_INSTANCE"
+                  }
+                ],
+                "severity": "MEDIUM",
+                "status": "ACTIVE",
+                "title": "CVE-2025-22872 - golang.org/x/net, golang.org/x/net and 4 more",
+                "type": "PACKAGE_VULNERABILITY",
+                "updatedAt": 1749165796.162
+              }
+            ]
+          }
+          `}}