Skip to content

[wiz] Add Defend V2 Data Stream#20071

Open
mohitjha-elastic wants to merge 2 commits into
elastic:mainfrom
mohitjha-elastic:wiz-4.6.0
Open

[wiz] Add Defend V2 Data Stream#20071
mohitjha-elastic wants to merge 2 commits into
elastic:mainfrom
mohitjha-elastic:wiz-4.6.0

Conversation

@mohitjha-elastic

@mohitjha-elastic mohitjha-elastic commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Proposed commit message

wiz: add defend_v2 data stream and clean up agentless pipeline processors.

Add the `defend_v2` data stream to the wiz integration. Remove the temporary
processors from all ingest pipelines that stripped the `organization`, `division`, and `team` fields.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

  • Clone integrations repo.
  • Install the elastic package locally.
  • Start the elastic stack using the elastic package.
  • Move to integrations/packages/wiz directory.
  • Run the following command to run tests.

elastic-package test -v

Related Issues

@mohitjha-elastic mohitjha-elastic self-assigned this Jul 9, 2026
@mohitjha-elastic mohitjha-elastic requested review from a team as code owners July 9, 2026 18:08
@mohitjha-elastic mohitjha-elastic added documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. enhancement New feature or request Integration:wiz Wiz Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] Team:SDE-Crest Crest developers on the Security Integrations team [elastic/sit-crest-contractors] labels Jul 9, 2026
@infra-vault-gh-plugin-prod

Copy link
Copy Markdown

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

✅ Elastic Docs Style Checker (Vale)

No issues found on modified lines!


The Vale linter checks documentation changes against the Elastic Docs style guide. To use Vale locally or report issues, refer to Elastic style guide for Vale.

@elastic-vault-github-plugin-prod

Copy link
Copy Markdown
Contributor

✅ All changelog entries have the correct PR link.

field: cloud.instance.id
tag: append_cloud_instance_id_from_triggering_events
value: '{{{_ingest._value.raw_audit_log_record.common.vm_external_id}}}'
if: ctx._ingest?._value?.raw_audit_log_record?.common?.vm_external_id != null

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Severity: 🟠 High confidence: high path: packages/wiz/data_stream/defend_v2/elasticsearch/ingest_pipeline/default.yml:397

host.name, cloud.instance.id, file.path and event.action are never populated from triggering-event audit records because of a broken inner if guard; remove the redundant inner if so these mappings match the working sibling processors.

Details

The four foreach processors that map fields out of wiz.defend_v2.triggering_events.nodes[].raw_audit_log_recordcloud.instance.id (tag foreach_triggering_events_into_cloud_instance_id), host.name (foreach_triggering_events_into_host_name), file.path (foreach_triggering_events_into_file_path) and event.action (foreach_triggering_events_into_event_action) — each carry an inner if: ctx._ingest?._value?.raw_audit_log_record?.... In the committed expected output (test-defend-v2.log-expected.json) none of these fields appear on events 2 and 3, even though those events' audit records contain common.vm_external_id, common.host_info.hostname and alert.event.kind. That the source data is present and accessible at that point is proven by the very next processor: the script_set_host_os_type_from_triggering_events painless script reads the same node.raw_audit_log_record.common.host_info.os_type and correctly sets host.os.type: linux on both events. The sibling foreach processors that lack an inner if (process.command_line, process.executable, process.name, source.ip) populate correctly, and event 1 (empty rawAuditLogRecord / null runtimeProgram.name) shows those fields simply omitted — confirming the drop-null script already handles missing values without needing the guard. The result is that these ECS host/action/file attribution fields ship silently unmapped for a security detection data stream, and related.hosts (which is appended from host.name) is consequently never populated either.

Recommendation:

Remove the inner if from the four triggering-event foreach processors so they behave like the working process.* / source.ip foreaches; empty values are already stripped by the trailing script_to_drop_null_values processor. For example, for cloud.instance.id:

- foreach:
    field: wiz.defend_v2.triggering_events.nodes
    tag: foreach_triggering_events_into_cloud_instance_id
    if: ctx.wiz?.defend_v2?.triggering_events?.nodes instanceof List
    processor:
      append:
        field: cloud.instance.id
        tag: append_cloud_instance_id_from_triggering_events
        value: '{{{_ingest._value.raw_audit_log_record.common.vm_external_id}}}'
        allow_duplicates: false
        on_failure:
          - append:
              field: error.message
              tag: append_cloud_instance_id_failure_into_error_message
              value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'

Apply the same change to the host.name, file.path and event.action foreach processors, then regenerate the pipeline test expected file and confirm host.name, cloud.instance.id and event.action now appear on the sensor events.


🤖 AI-Generated Review | Vera Review Bot | 📚 Knowledge base: integration-skills

⚠️ Automated review — verify suggestions before applying.

services:
wiz-audit:
image: docker.elastic.co/observability/stream:v0.22.0
image: docker.elastic.co/observability/stream:v0.20.0

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Severity: 🔵 Low confidence: medium path: packages/wiz/_dev/deploy/docker/docker-compose.yml:4

docker-compose downgrades the elastic/stream mock image from v0.22.0 to v0.20.0 for every service; this looks like an unintended regression — keep v0.22.0.

Details

This PR changes docker.elastic.co/observability/stream from v0.22.0 to v0.20.0 on all eight services (wiz-audit, wiz-cloud_configuration_finding, wiz-cloud_configuration_finding_full_posture, wiz-issue, wiz-vulnerability, wiz-defend-no-auth, wiz-defend-basic, wiz-defend-token) as well as the newly added wiz-defend_v2 service. The change is unrelated to adding the defend_v2 data stream and downgrades the mock HTTP server used by system tests for the whole package, which appears accidental (e.g. copied from an older base). This is dev/test-only infrastructure and does not affect the shipped package, but the downgrade should be reverted to avoid an unintended regression in the test harness.

Recommendation:

Keep the existing stream image version on all services, including the new wiz-defend_v2 service:

  wiz-defend_v2:
    image: docker.elastic.co/observability/stream:v0.22.0
    hostname: wiz-defend_v2
    ports:
      - 8090
    volumes:
      - ./files:/files:ro
    environment:
      PORT: '8090'
    command:
      - http-server
      - --addr=:8090
      - --config=/files/config-defend_v2.yml

🤖 AI-Generated Review | Vera Review Bot | 📚 Knowledge base: integration-skills

⚠️ Automated review — verify suggestions before applying.

@vera-review-bot

Copy link
Copy Markdown

Review summary

Issues found across the latest commits 3e0f9a0 — 1 high, 1 low
  • 🟠 host.name, cloud.instance.id, file.path and event.action are never populated from triggering-event audit records because of a broken inner if guard (link) (Unresolved)
  • 🔵 docker-compose downgrades the elastic/stream mock image from v0.22.0 to v0.20.0 for every service (link) (Unresolved)

A new commit triggers another review — at most once every 15 minutes. I skip the PR while it's approved or has merge conflicts.

🤖 AI-Generated Review | Vera Review Bot | 📚 Knowledge base: integration-skills

⚠️ Automated review — verify suggestions before applying.

@infra-vault-gh-plugin-prod

infra-vault-gh-plugin-prod Bot commented Jul 9, 2026

Copy link
Copy Markdown

💔 Build Failed

Failed CI Steps

History

cc @mohitjha-elastic

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

TL;DR

The Check integrations wiz failure is a configuration/test-harness regression: this PR downgrades every Wiz mock service from docker.elastic.co/observability/stream:v0.22.0 to v0.20.0, but the Wiz mock configs use the now template function that is only available in v0.22.0. Restore v0.22.0 for all services, including the new wiz-defend_v2 service.

Remediation

  • Change packages/wiz/_dev/deploy/docker/docker-compose.yml back to docker.elastic.co/observability/stream:v0.22.0 on the existing services and use v0.22.0 for the new wiz-defend_v2 service.
  • Re-run the Wiz package check, or at minimum the Wiz system tests, after the image version is restored.
Investigation details

Root Cause

The PR changes packages/wiz/_dev/deploy/docker/docker-compose.yml from stream:v0.22.0 to stream:v0.20.0 at the mock service image declarations, starting at line 4 and again for the new wiz-defend_v2 service around line 69.

That downgrade is incompatible with the existing Wiz mock configs. For example, packages/wiz/_dev/deploy/docker/files/config-vulnerability.yml:23 uses:

"lastDetectedAt": "{{ (now "-720h").Format "2006-01-02T15:04:05Z07:00" }}"

In elastic/stream, tag v0.20.0 registers template funcs such as env, hostname, sum, file, glob, and minify_json, but does not register now. Tag v0.22.0 adds the now template function specifically for dynamic timestamps. A v0.20.0 mock server cannot render these configs, so the Wiz system-test mock setup fails.

Evidence

--- [wiz] failed
🚨 Error: The command exited with status 1
user command error: exit status 1
  • PR diff evidence: packages/wiz/_dev/deploy/docker/docker-compose.yml replaces stream:v0.22.0 with stream:v0.20.0 across the Wiz mock services and adds wiz-defend_v2 with stream:v0.20.0.
  • Tool evidence: elastic/stream v0.22.0 includes the now template function in internal/httpserver/config.go; v0.20.0 does not.

Verification

  • Not run locally; this runner does not have elastic-package available.

What is this? | From workflow: PR Buildkite Detective

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.

@andrewkroh andrewkroh added the dashboard Relates to a Kibana dashboard bug, enhancement, or modification. label Jul 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dashboard Relates to a Kibana dashboard bug, enhancement, or modification. documentation Improvements or additions to documentation. Applied to PRs that modify *.md files. enhancement New feature or request Integration:wiz Wiz Team:SDE-Crest Crest developers on the Security Integrations team [elastic/sit-crest-contractors] Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations]

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Wiz] Support API-based ingestion of Wiz Defend Detections

2 participants