diff --git a/packages/wiz/_dev/build/build.yml b/packages/wiz/_dev/build/build.yml index d8553567e9c..091473aeb21 100644 --- a/packages/wiz/_dev/build/build.yml +++ b/packages/wiz/_dev/build/build.yml @@ -1,3 +1,3 @@ dependencies: ecs: - reference: "git@v8.17.0" + reference: "git@v9.3.0" diff --git a/packages/wiz/_dev/build/docs/README.md b/packages/wiz/_dev/build/docs/README.md index 71b1964c18b..3332f5ff798 100644 --- a/packages/wiz/_dev/build/docs/README.md +++ b/packages/wiz/_dev/build/docs/README.md @@ -6,7 +6,7 @@ The Wiz integration enables you to consume and analyze Wiz data within Elastic S ## Data streams -The Wiz integration collects five types of data: +The Wiz integration collects six types of data: - **Audit** - The Audit log records key events within the Wiz platform, including logins and any mutation API calls executed in the Wiz portal (such as write, edit, delete, and save actions). @@ -14,6 +14,8 @@ The Wiz integration collects five types of data: - **Defend** - Detects and alerts on real-time cloud threats using runtime signals, logs, and Wiz’s security graph via webhook integrations. +- **Defend v2** - Detections generated by Threat Detection Rules, which give enhanced granularity and visibility into network activities and potential security incidents. + - **Issue** - Issues represent active risks or threats identified in your cloud environment. - **Vulnerability** - Vulnerabilities are weaknesses in computer systems that can be exploited by malicious attackers. @@ -26,7 +28,7 @@ This integration supports using Elastic Agent or agentless ingestion of data. Elastic Agent must be installed. For more details, check the Elastic Agent [installation instructions](docs-content://reference/fleet/install-elastic-agents.md). -The minimum **kibana.version** required is **8.10.1**. +The minimum **kibana.version** required is **8.19.2** or **9.1.2**. This module has been tested against the **Wiz API Version v1**. ## Agentless-enabled integration @@ -62,6 +64,7 @@ Agentless deployments are only supported in Elastic Serverless and Elastic Cloud | Vulnerability | read:vulnerabilities | | Cloud Configuration Finding | read:cloud_configuration | | Cloud Configuration Finding Full Posture | read:cloud_configuration | + | Defend v2 | read:detections, read:cloud_events_cloud, read:cloud_events_sensor, read:security_scans | ### Collect logs (Defend) via HTTP Endpoint @@ -153,6 +156,16 @@ This is the `Defend` dataset. {{fields "defend"}} +### Defend v2 + +This is the `Defend v2` dataset. + +#### Example + +{{event "defend_v2"}} + +{{fields "defend_v2"}} + ### Issue This is the `Issue` dataset. diff --git a/packages/wiz/_dev/deploy/docker/docker-compose.yml b/packages/wiz/_dev/deploy/docker/docker-compose.yml index d9fc7892dd7..5b9f726a131 100644 --- a/packages/wiz/_dev/deploy/docker/docker-compose.yml +++ b/packages/wiz/_dev/deploy/docker/docker-compose.yml @@ -1,7 +1,7 @@ version: '2.3' services: wiz-audit: - image: docker.elastic.co/observability/stream:v0.22.0 + image: docker.elastic.co/observability/stream:v0.20.0 hostname: wiz-audit ports: - 8090 @@ -14,7 +14,7 @@ services: - --addr=:8090 - --config=/files/config-audit.yml wiz-cloud_configuration_finding: - image: docker.elastic.co/observability/stream:v0.22.0 + image: docker.elastic.co/observability/stream:v0.20.0 hostname: wiz-cloud_configuration_finding ports: - 8090 @@ -27,7 +27,7 @@ services: - --addr=:8090 - --config=/files/config-cloud_configuration_finding.yml wiz-cloud_configuration_finding_full_posture: - image: docker.elastic.co/observability/stream:v0.22.0 + image: docker.elastic.co/observability/stream:v0.20.0 hostname: wiz-cloud_configuration_finding_full_posture ports: - 8090 @@ -40,7 +40,7 @@ services: - --addr=:8090 - --config=/files/config-cloud_configuration_finding_full_posture.yml wiz-issue: - image: docker.elastic.co/observability/stream:v0.22.0 + image: docker.elastic.co/observability/stream:v0.20.0 hostname: wiz-issue ports: - 8090 @@ -53,7 +53,7 @@ services: - --addr=:8090 - --config=/files/config-issue.yml wiz-vulnerability: - image: docker.elastic.co/observability/stream:v0.22.0 + image: docker.elastic.co/observability/stream:v0.20.0 hostname: wiz-vulnerability ports: - 8090 @@ -65,8 +65,21 @@ services: - http-server - --addr=:8090 - --config=/files/config-vulnerability.yml + wiz-defend_v2: + image: docker.elastic.co/observability/stream:v0.20.0 + hostname: wiz-defend_v2 + ports: + - 8090 + volumes: + - ./files:/files:ro + environment: + PORT: '8090' + command: + - http-server + - --addr=:8090 + - --config=/files/config-defend_v2.yml wiz-defend-no-auth: - image: docker.elastic.co/observability/stream:v0.22.0 + image: docker.elastic.co/observability/stream:v0.20.0 volumes: - ./sample_logs:/sample_logs:ro environment: @@ -75,7 +88,7 @@ services: - STREAM_ADDR=http://elastic-agent:9588/ command: log --start-signal=SIGHUP --delay=5s /sample_logs/defend.log wiz-defend-basic: - image: docker.elastic.co/observability/stream:v0.22.0 + image: docker.elastic.co/observability/stream:v0.20.0 volumes: - ./sample_logs:/sample_logs:ro environment: @@ -86,7 +99,7 @@ services: - STREAM_PASSWORD=xxxx command: log --start-signal=SIGHUP --webhook-username=testuser --webhook-password=xxxx --delay=5s /sample_logs/defend.log wiz-defend-token: - image: docker.elastic.co/observability/stream:v0.22.0 + image: docker.elastic.co/observability/stream:v0.20.0 volumes: - ./sample_logs:/sample_logs:ro environment: diff --git a/packages/wiz/_dev/deploy/docker/files/config-defend_v2.yml b/packages/wiz/_dev/deploy/docker/files/config-defend_v2.yml new file mode 100644 index 00000000000..de62df33d01 --- /dev/null +++ b/packages/wiz/_dev/deploy/docker/files/config-defend_v2.yml @@ -0,0 +1,585 @@ +rules: + - path: /oauth/token + methods: ['POST'] + responses: + - status_code: 200 + headers: + Content-Type: + - 'application/json' + body: | + {"access_token":"xxxx","expires_in":3600,"token_type":"Bearer","refresh_token":"yyyy"} + - path: /graphql + methods: ['POST'] + request_headers: + Authorization: + - 'Bearer xxxx' + request_body: /.*"after":null.*/ + responses: + - status_code: 200 + headers: + Content-Type: + - application/json + body: |- + {{ minify_json ` + { + "data": { + "detections": { + "nodes": [ + { + "type": "MATCH_ONLY", + "origins": [ + "AWS_GUARD_DUTY" + ], + "actors": [ + { + "id": "7b6ce9df-40e3-4b6f-a0a0-1238986a32a5", + "name": "192.0.2.10", + "externalId": "192.0.2.10", + "providerUniqueId": null, + "type": "NETWORK_ADDRESS" + } + ], + "resources": [ + { + "id": "afd6a19a-3f4e-4a69-9faf-4c313217b0e2", + "name": "example-vm-1", + "externalId": "i-0000000000000001", + "providerUniqueId": null, + "type": "VIRTUAL_MACHINE" + } + ], + "cloudAccounts": [ + { + "id": "32a7e699-c09f-4afc-abf2-1e00e2998350", + "name": "example-cloud-account", + "externalId": "100000000001", + "cloudProvider": "AWS" + } + ], + "cloudOrganizations": null, + "createdAt": "2026-07-01T15:12:18.1559021Z", + "updatedAt": "2026-07-01T15:13:36.3181301Z", + "id": "edb74e2d-e1bd-49a6-bcd7-ec6b2f5e4980", + "severity": "LOW", + "description": "An EC2 instance has been involved in SSH brute force attacks. This rule's final severity is assigned dynamically according to the severity assigned by GuardDuty.", + "primaryResource": { + "type": "VIRTUAL_MACHINE", + "name": "example-vm-1", + "externalId": "i-0000000000000001", + "region": "us-east-2", + "id": "afd6a19a-3f4e-4a69-9faf-4c313217b0e2" + }, + "issue": null, + "primaryActor": { + "id": "7b6ce9df-40e3-4b6f-a0a0-1238986a32a5", + "name": "192.0.2.10", + "type": "NETWORK_ADDRESS", + "nativeType": null, + "email": null, + "userAgent": null, + "MFA": null, + "federated": false, + "friendlyName": null, + "accessKeyId": null, + "externalId": "192.0.2.10", + "providerUniqueId": null, + "hasHighPrivileges": false, + "hasAdminPrivileges": false, + "hasHighKubernetesPrivileges": false, + "hasAdminKubernetesPrivileges": false, + "inactiveInLast90Days": false, + "actingAs": null, + "cloudAccount": null + }, + "triggeringEvents": { + "totalCountV2": 1, + "nodes": [ + { + "id": "031e0c27-55c2-4496-92d9-4b7a97324515", + "description": "192.0.2.10 is performing SSH brute force attacks against i-0000000000000001. Brute force attacks are used to gain unauthorized access to your instance by guessing the SSH password.", + "actorIP": "192.0.2.10", + "timestamp": "2026-07-01T15:05:03.533Z", + "rawAuditLogRecord": {}, + "commandLine": null, + "runtimeProgram": { + "name": null + }, + "parentRuntimeProgram": { + "name": null + } + } + ] + }, + "ruleMatch": { + "rule": { + "id": "f0568339-eb51-486b-bac1-7a835689f051", + "name": "UnauthorizedAccess:EC2/SSHBruteForce", + "builtin": true, + "securitySubCategories": [ + { + "id": "wsct-id-3522", + "title": "Brute Force", + "category": { + "id": "wct-id-822", + "name": "Credential Access", + "framework": { + "id": "wf-id-34" + } + } + }, + { + "id": "wsct-id-3518", + "title": "Brute Force: Password Guessing", + "category": { + "id": "wct-id-822", + "name": "Credential Access", + "framework": { + "id": "wf-id-34" + } + } + }, + { + "id": "wsct-id-3517", + "title": "Brute Force: Password Cracking", + "category": { + "id": "wct-id-822", + "name": "Credential Access", + "framework": { + "id": "wf-id-34" + } + } + }, + { + "id": "wsct-id-3519", + "title": "Brute Force: Password Spraying", + "category": { + "id": "wct-id-822", + "name": "Credential Access", + "framework": { + "id": "wf-id-34" + } + } + }, + { + "id": "wsct-id-3524", + "title": "Brute Force: Credential Stuffing", + "category": { + "id": "wct-id-822", + "name": "Credential Access", + "framework": { + "id": "wf-id-34" + } + } + }, + { + "id": "wsct-id-6532", + "title": "Generic malicious activity", + "category": { + "id": "wct-id-2116", + "name": "Generic malicious activity", + "framework": { + "id": "wf-id-103" + } + } + }, + { + "id": "wsct-id-10678", + "title": "Credentials guessing", + "category": { + "id": "wct-id-1854", + "name": "Initial Access", + "framework": { + "id": "wf-id-83" + } + } + }, + { + "id": "wsct-id-10714", + "title": "Abnormal-sourced communication", + "category": { + "id": "wct-id-1861", + "name": "C2 & Exfiltration", + "framework": { + "id": "wf-id-83" + } + } + }, + { + "id": "wsct-id-20507", + "title": "Brute Force", + "category": { + "id": "wct-id-2772", + "name": "Credential Access", + "framework": { + "id": "wf-id-181" + } + } + }, + { + "id": "wsct-id-20508", + "title": "Brute Force: Password Guessing", + "category": { + "id": "wct-id-2772", + "name": "Credential Access", + "framework": { + "id": "wf-id-181" + } + } + }, + { + "id": "wsct-id-20509", + "title": "Brute Force: Password Cracking", + "category": { + "id": "wct-id-2772", + "name": "Credential Access", + "framework": { + "id": "wf-id-181" + } + } + }, + { + "id": "wsct-id-20510", + "title": "Brute Force: Password Spraying", + "category": { + "id": "wct-id-2772", + "name": "Credential Access", + "framework": { + "id": "wf-id-181" + } + } + }, + { + "id": "wsct-id-20511", + "title": "Brute Force: Credential Stuffing", + "category": { + "id": "wct-id-2772", + "name": "Credential Access", + "framework": { + "id": "wf-id-181" + } + } + } + ] + } + } + }, + { + "type": "GENERATED_THREAT", + "origins": [ + "WIZ_SENSOR" + ], + "actors": null, + "resources": [ + { + "id": "44fa8d41-8cf2-4032-afbf-098cade5d5ab", + "name": "example-vm-2", + "externalId": "i-0000000000000002", + "providerUniqueId": "arn:aws:ec2:us-east-2:100000000001:instance/i-0000000000000002", + "type": "VIRTUAL_MACHINE" + } + ], + "cloudAccounts": [ + { + "id": "32a7e699-c09f-4afc-abf2-1e00e2998350", + "name": "example-cloud-account", + "externalId": "100000000001", + "cloudProvider": "AWS" + } + ], + "cloudOrganizations": null, + "createdAt": "2026-06-30T10:53:40.8782105Z", + "updatedAt": "2026-07-01T08:19:49.6407109Z", + "id": "1456bbb9-19ef-4847-a80c-a2b400ba3db7", + "severity": "MEDIUM", + "description": "", + "primaryResource": { + "type": "VIRTUAL_MACHINE", + "name": "example-vm-2", + "externalId": "i-0000000000000002", + "region": "us-east-2", + "id": "44fa8d41-8cf2-4032-afbf-098cade5d5ab" + }, + "issue": { + "id": "e0321809-7913-4693-aa03-7dad19d38d65" + }, + "primaryActor": { + "id": "", + "name": null, + "type": "UNKNOWN", + "nativeType": null, + "email": null, + "userAgent": null, + "MFA": null, + "federated": false, + "friendlyName": null, + "accessKeyId": null, + "externalId": null, + "providerUniqueId": null, + "hasHighPrivileges": false, + "hasAdminPrivileges": false, + "hasHighKubernetesPrivileges": false, + "hasAdminKubernetesPrivileges": false, + "inactiveInLast90Days": false, + "actingAs": null, + "cloudAccount": null + }, + "triggeringEvents": { + "totalCountV2": 1, + "nodes": [ + { + "id": "38d4c457-8310-4286-9b15-4dca6d102f46", + "description": "The program :runtime-program[/usr/sbin/sshd]{runtimeProgramId=\"ab58b28a-8e4c-4bc3-b668-7724b1e5a65a##16195461525115046481\" cloudEventId=\"38d4c457-8310-4286-9b15-4dca6d102f46\" cloudEventTimestamp=\"2026-07-01T08:18:21.326Z\"} accepted an incoming connection from **192.0.2.13** on the local port **22** on :cloud-resource[example\\-vm\\-2]{resourceId=\"44fa8d41-8cf2-4032-afbf-098cade5d5ab\" resourceType=\"VIRTUAL_MACHINE\" nativeType=\"virtualMachine\"}", + "actorIP": "192.0.2.13", + "timestamp": "2026-07-01T08:18:21.326Z", + "rawAuditLogRecord": { + "common": { + "vmExternalId": "i-0000000000000002", + "hostInfo": { + "hostname": "sensor-host-1", + "osType": "Linux" + } + }, + "alert": { + "event": { + "kind": "network_accept" + } + } + }, + "commandLine": "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups", + "runtimeProgram": { + "name": "/usr/sbin/sshd" + }, + "parentRuntimeProgram": { + "name": "/usr/lib/systemd/systemd" + } + } + ] + }, + "ruleMatch": { + "rule": { + "id": "49ed0540-4dff-4193-87cc-c4b5d6d9c305", + "name": "Service account token was accessed", + "builtin": false, + "securitySubCategories": [ + { + "id": "wsct-id-9465", + "title": "Credential access", + "category": { + "id": "wct-id-2123", + "name": "Credential access", + "framework": { + "id": "wf-id-103" + } + } + }, + { + "id": "wsct-id-10708", + "title": "Secret theft", + "category": { + "id": "wct-id-1860", + "name": "Credential Access", + "framework": { + "id": "wf-id-83" + } + } + } + ] + } + } + } + ], + "pageInfo": { + "hasNextPage": true, + "endCursor": "eyJmaWVsZHMiOlt7IkZpZWxkIjoiVXBkYXRlZEF0IiwiVmFsdWUiOiIyMDI2LTA3LTAxVDE1OjEzOjM2LjMxODEzMDFaIn1dfQ==" + }, + "totalCount": 3 + } + } + } + `}} + - path: /graphql + methods: ['POST'] + request_headers: + Authorization: + - 'Bearer xxxx' + request_body: /.*"after":"eyJmaWVsZHMiOlt7IkZpZWxkIjoiVXBkYXRlZEF0IiwiVmFsdWUiOiIyMDI2LTA3LTAxVDE1OjEzOjM2LjMxODEzMDFaIn1dfQ==".*/ + responses: + - status_code: 200 + headers: + Content-Type: + - application/json + body: |- + {{ minify_json ` + { + "data": { + "detections": { + "nodes": [ + { + "type": "MATCH_ONLY", + "origins": [ + "WIZ_SENSOR" + ], + "actors": null, + "resources": [ + { + "id": "44fa8d41-8cf2-4032-afbf-098cade5d5ab", + "name": "example-vm-2", + "externalId": "i-0000000000000002", + "providerUniqueId": "arn:aws:ec2:us-east-2:100000000001:instance/i-0000000000000002", + "type": "VIRTUAL_MACHINE" + } + ], + "cloudAccounts": [ + { + "id": "32a7e699-c09f-4afc-abf2-1e00e2998350", + "name": "example-cloud-account", + "externalId": "100000000001", + "cloudProvider": "AWS" + } + ], + "cloudOrganizations": null, + "createdAt": "2026-06-30T10:53:40.8782105Z", + "updatedAt": "2026-07-01T08:19:49.6407109Z", + "id": "83200e8c-0d19-476a-af65-843f9d3c1711", + "severity": "MEDIUM", + "description": "The program **/usr/sbin/sshd** accepted an incoming connection from **192.0.2.17**", + "primaryResource": { + "type": "VIRTUAL_MACHINE", + "name": "example-vm-2", + "externalId": "i-0000000000000002", + "region": "us-east-2", + "id": "44fa8d41-8cf2-4032-afbf-098cade5d5ab" + }, + "issue": null, + "primaryActor": { + "id": "", + "name": null, + "type": "UNKNOWN", + "nativeType": null, + "email": null, + "userAgent": null, + "MFA": null, + "federated": false, + "friendlyName": null, + "accessKeyId": null, + "externalId": null, + "providerUniqueId": null, + "hasHighPrivileges": false, + "hasAdminPrivileges": false, + "hasHighKubernetesPrivileges": false, + "hasAdminKubernetesPrivileges": false, + "inactiveInLast90Days": false, + "actingAs": null, + "cloudAccount": null + }, + "triggeringEvents": { + "totalCountV2": 1, + "nodes": [ + { + "id": "38d4c457-8310-4286-9b15-4dca6d102f46", + "description": "The program :runtime-program[/usr/sbin/sshd]{runtimeProgramId=\"ab58b28a-8e4c-4bc3-b668-7724b1e5a65a##16195461525115046481\" cloudEventId=\"38d4c457-8310-4286-9b15-4dca6d102f46\" cloudEventTimestamp=\"2026-07-01T08:18:21.326Z\"} accepted an incoming connection from **192.0.2.13** on the local port **22** on :cloud-resource[example\\-vm\\-2]{resourceId=\"44fa8d41-8cf2-4032-afbf-098cade5d5ab\" resourceType=\"VIRTUAL_MACHINE\" nativeType=\"virtualMachine\"}", + "actorIP": "192.0.2.13", + "timestamp": "2026-07-01T08:18:21.326Z", + "rawAuditLogRecord": { + "common": { + "vmExternalId": "i-0000000000000002", + "hostInfo": { + "hostname": "sensor-host-1", + "osType": "Linux" + } + }, + "alert": { + "event": { + "kind": "network_accept" + } + } + }, + "commandLine": "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups", + "runtimeProgram": { + "name": "/usr/sbin/sshd" + }, + "parentRuntimeProgram": { + "name": "/usr/lib/systemd/systemd" + } + } + ] + }, + "ruleMatch": { + "rule": { + "id": "a3a8322e-4d2c-40b1-943f-db6dd6f81d02", + "name": "Suspected SSH brute-force attempts originating from a publicly accessible IP address", + "builtin": true, + "securitySubCategories": [ + { + "id": "wsct-id-10678", + "title": "Credentials guessing", + "category": { + "id": "wct-id-1854", + "name": "Initial Access", + "framework": { + "id": "wf-id-83" + } + } + }, + { + "id": "wsct-id-20507", + "title": "Brute Force", + "category": { + "id": "wct-id-2772", + "name": "Credential Access", + "framework": { + "id": "wf-id-181" + } + } + }, + { + "id": "wsct-id-3522", + "title": "Brute Force", + "category": { + "id": "wct-id-822", + "name": "Credential Access", + "framework": { + "id": "wf-id-34" + } + } + } + ] + } + } + } + ], + "pageInfo": { + "hasNextPage": true, + "endCursor": "eyJmaWVsZHMiOlt7IkZpZWxkIjoiVXBkYXRlZEF0IiwiVmFsdWUiOiIyMDI2LTA3LTAxVDE1OjE0OjA2LjE3MDM1MDFaIn1dfQ==" + }, + "totalCount": 2 + } + } + } + `}} + - path: /graphql + methods: ['POST'] + request_headers: + Authorization: + - 'Bearer xxxx' + request_body: /.*"after":"eyJmaWVsZHMiOlt7IkZpZWxkIjoiVXBkYXRlZEF0IiwiVmFsdWUiOiIyMDI2LTA3LTAxVDE1OjE0OjA2LjE3MDM1MDFaIn1dfQ==".*/ + responses: + - status_code: 200 + headers: + Content-Type: + - application/json + body: |- + {{ minify_json ` + { + "data": { + "detections": { + "nodes": [], + "pageInfo": { + "hasNextPage": false, + "endCursor": "eyJmaWVsZHMiOlt7IkZpZWxkIjoiVXBkYXRlZEF0IiwiVmFsdWUiOiIyMDI2LTA3LTAxVDE1OjE0OjA2LjE3MDM1MDFaIn1dfQ==" + }, + "totalCount": 3 + } + } + } + `}} diff --git a/packages/wiz/_dev/deploy/docker/files/config-vulnerability.yml b/packages/wiz/_dev/deploy/docker/files/config-vulnerability.yml index 7ab180bdf99..8adda3a43fa 100644 --- a/packages/wiz/_dev/deploy/docker/files/config-vulnerability.yml +++ b/packages/wiz/_dev/deploy/docker/files/config-vulnerability.yml @@ -20,7 +20,7 @@ rules: Content-Type: - application/json body: | - {"data": {"vulnerabilityFindings": {"nodes": [{"id":"5e95ff50-5490-514e-87f7-11e56f3230ff","portalUrl":"https://app.wiz.io/explorer/vulnerability-findings#~(entity~(~'xxx-xxx*2cSECURITY_TOOL_FINDING))","name":"CVE-2020-3333","CVEDescription":"In LibTIFF, there is a memory malloc failure in tif_pixarlog.c. A crafted TIFF document can lead to an abort, resulting in a remote denial of service attack.","CVSSSeverity":"MEDIUM","score":5.5,"exploitabilityScore":1.8,"impactScore":3.6,"dataSourceName":"data Source","hasExploit":false,"hasCisaKevExploit":false,"status":"OPEN","vendorSeverity":"MEDIUM","firstDetectedAt":"2025-12-01T11:36:10.063767Z","lastDetectedAt":"{{ (now "-720h").Format "2006-01-02T15:04:05Z07:00" }}","resolvedAt":"2026-03-15T18:40:57Z","description":"Thepackage`libtiff`version`4.0.3-35.amzn2`wasdetectedin`YUMpackagemanager`onamachinerunning`Amazon2(Karoo)`isvulnerableto`CVE-2020-35522`,whichexistsinversions`<4.0.3-35.amzn2.0.1`.\n\nThevulnerabilitywasfoundinthe[OfficialAmazonLinuxSecurityAdvisories](https://alas.aws.amazon.com/AL2/ALAS-2022-1780.html)withvendorseverity:`Medium`([NVD](https://nvd.nist.gov/vuln/detail/CVE-2020-35522)severity:`Medium`).\n\nThevulnerabilitycanberemediatedbyupdatingthepackagetoversion`4.0.3-35.amzn2.0.1`orhigher,using`yumupdatelibtiff`.","remediation":"yumupdatelibtiff","detailedName":"libtiff","version":"4.0.3-35.amzn2","fixedVersion":"4.0.3-35.amzn2.0.1","detectionMethod":"PACKAGE","link":"https://alas.aws.amazon.com/AL2/ALAS-2022-1780.html","locationPath":"package/library/file","resolutionReason":"resolutionReason","epssSeverity":"LOW","epssPercentile":46.2,"epssProbability":0.1,"validatedInRuntime":true,"layerMetadata":{"id":"5e95ff50-5490-514e-87f7-11e56f3230ff","details":"xxxx","isBaseLayer":true},"projects":[{"id":"83b76efe-a7b6-5762-8a53-8e8f59e68bd8","name":"Project2","slug":"project-2","businessUnit":"","riskProfile":{"businessImpact":"MBI"}},{"id":"af52828c-4eb1-5c4e-847c-ebc3a5ead531","name":"project4","slug":"project-4","businessUnit":"Dev","riskProfile":{"businessImpact":"MBI"}},{"id":"d6ac50bb-aec0-52fc-80ab-bacd7b02f178","name":"Project1","slug":"project1","businessUnit":"Dev","riskProfile":{"businessImpact":"MBI"}}],"ignoreRules":{"enabled":true,"expiredAt":"2026-03-15T18:40:57Z","id":"aj3jqtvnaf","name":"abc"},"vulnerableAsset":{"id":"c828de0d-4c42-5b1c-946b-2edee094d0b3","type":"VIRTUAL_MACHINE","name":"test-4","region":"us-east-1","providerUniqueId":"arn:aws:ec2:us-east-1:998231069301:instance/i-0a0f7e1451da5f4a3","cloudProviderURL":"https://us-east-1.console.aws.amazon.com/ec2/v2/home?region=us-east-1#InstanceDetails:instanceId=i-0a0f7e1451da5f4a3","cloudPlatform":"AWS","status":"Active","subscriptionName":"wiz-integrations","subscriptionExternalId":"998231069301","subscriptionId":"94e76baa-85fd-5928-b829-1669a2ca9660","tags":{"Name":"test-4"},"hasLimitedInternetExposure":true,"hasWideInternetExposure":true,"isAccessibleFromVPN":false,"isAccessibleFromOtherVnets":false,"isAccessibleFromOtherSubscriptions":false,"operatingSystem":"Linux","ipAddresses":["89.160.20.112","89.160.20.128"]}},{"id": "84e6f460-fd37-5de0-a36f-e14203d9cc6a","portalUrl": "https://app.wiz.io/explorer/vulnerability-findings#~(entity~(~'5vfv8dawefsd*2cSECURITY_TOOL_FINDING))","name": "CVE-2022-0909","CVEDescription": "Divide By Zero error in tiffcrop in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit f8d0f9aa.","CVSSSeverity": "MEDIUM","score": 5.5,"exploitabilityScore": 1.8,"impactScore": 3.6,"dataSourceName": null,"hasExploit": false,"hasCisaKevExploit": false,"status": "OPEN","vendorSeverity": "MEDIUM","firstDetectedAt": "2025-12-03T11:36:10.067346Z","lastDetectedAt": "{{ (now "-720h").Format "2006-01-02T15:04:05Z07:00" }}","resolvedAt": null,"description": "The package `libtiff` version `4.0.3-35.amzn2` was detected in `YUM package manager` on a machine running `Amazon 2 (Karoo)` is vulnerable to `CVE-2022-0909`, which exists in versions `< 4.0.3-35.amzn2.0.1`.\n\nThe vulnerability was found in the [Official Amazon Linux Security Advisories](https://alas.aws.amazon.com/AL2/ALAS-2022-1780.html) with vendor severity: `Medium` ([NVD](https://nvd.nist.gov/vuln/detail/CVE-2022-0909) severity: `Medium`).\n\nThe vulnerability can be remediated by updating the package to version `4.0.3-35.amzn2.0.1` or higher, using `yum update libtiff`.","remediation": "yum update libtiff","detailedName": "libtiff","version": "4.0.3-35.amzn2","fixedVersion": "4.0.3-35.amzn2.0.1","detectionMethod": "PACKAGE","link": "https://alias.aws.amazon.com/AL2.html","locationPath": null,"resolutionReason": null,"epssSeverity": "LOW","epssPercentile": 29.8,"epssProbability": 0.1,"validatedInRuntime": null,"layerMetadata": null,"projects": [{"id": "83b76efe-a7b6-5762-8a53-8e8f59e68bd8","name": "Project 2","slug": "project-2","businessUnit": "","riskProfile": {"businessImpact": "MBI"}},{"id": "af52828c-4eb1-5c4e-847c-ebc3a5ead531","name": "project 4","slug": "project-4","businessUnit": "Dev","riskProfile": {"businessImpact": "MBI"}},{"id": "d6ac50bb-aec0-52fc-80ab-bacd7b02f178","name": "Project1","slug": "project1","businessUnit": "Dev","riskProfile": {"businessImpact": "MBI"}}],"ignoreRules": null,"vulnerableAsset": {"id": "c828de0d-4c42-5b1c-946b-2edee094d0b3","type": "VIRTUAL_MACHINE","name": "test-4","region": "us-east-1","providerUniqueId": "arn:aws:ec2:us-east-1:875231069301:instance/i-0a0f7e6sic8a5f4a3","cloudProviderURL": "https://us-east-1.console.aws.amazon.com/ec2/v2/home?region=us-east-1#InstanceDetails:instanceId=i-0a0f7e6sic8a5f4a3","cloudPlatform": "AWS","status": "Active","subscriptionName": "wiz-integrations","subscriptionExternalId": "998231069301","subscriptionId": "94e76baa-85fd-5928-b829-1669a2ca9660","tags": {"Name": "test-4"},"hasLimitedInternetExposure": true,"hasWideInternetExposure": true,"isAccessibleFromVPN": false,"isAccessibleFromOtherVnets": false,"isAccessibleFromOtherSubscriptions": false,"operatingSystem": "Linux","ipAddresses": ["175.16.199.0","216.160.83.56"]}},{"id": "be844291-f480-5541-a300-1edaaebb788d","portalUrl": "https://app.wiz.io/explorer/vulnerability-findings#~(entity~(~'be844291-h92sc-5541-a300-1edaaebb788d*2cSECURITY_TOOL_FINDING))","name": "CVE-2016-9532","CVEDescription": "Integer overflow in the writeBufferToSeparateStrips function in tiffcrop.c in LibTIFF before 4.0.7 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted tif file.","CVSSSeverity": "MEDIUM","score": 5.5,"exploitabilityScore": 1.8,"impactScore": 3.6,"dataSourceName": null,"hasExploit": false,"hasCisaKevExploit": false,"status": "OPEN","vendorSeverity": "MEDIUM","firstDetectedAt": "2025-12-05T11:36:10.078415Z","lastDetectedAt": "{{ (now "-720h").Format "2006-01-02T15:04:05Z07:00" }}","resolvedAt": null,"description": "The package `libtiff` version `4.0.3-35.amzn2` was detected in `YUM package manager` on a machine running `Amazon 2 (Karoo)` is vulnerable to `CVE-2016-9532`, which exists in versions `< 4.0.3-35.amzn2.0.1`.\n\nThe vulnerability was found in the [Official Amazon Linux Security Advisories](https://alas.aws.amazon.com/AL2/ALAS-2022-1780.html) with vendor severity: `Medium` ([NVD](https://nvd.nist.gov/vuln/detail/CVE-2016-9532) severity: `Medium`).\n\nThe vulnerability can be remediated by updating the package to version `4.0.3-35.amzn2.0.1` or higher, using `yum update libtiff`.","remediation": "yum update libtiff","detailedName": "libtiff","version": "4.0.3-35.amzn2","fixedVersion": "4.0.3-35.amzn2.0.1","detectionMethod": "PACKAGE","link": "https://alas.aws.amazon.com/AL2/ALAS-2022-1780.html","locationPath": null,"resolutionReason": null,"epssSeverity": "HIGH","epssPercentile": 77.7,"epssProbability": 0.7,"validatedInRuntime": null,"layerMetadata": null,"projects": [{"id": "83b76efe-a7b6-5762-8a53-8e8f59e68bd8","name": "Project 2","slug": "project-2","businessUnit": "","riskProfile": {"businessImpact": "MBI"}},{"id": "af52828c-4eb1-5c4e-847c-ebc3a5ead531","name": "project 4","slug": "project-4","businessUnit": "Dev","riskProfile": {"businessImpact": "MBI"}},{"id": "d6ac50bb-aec0-52fc-80ab-bacd7b02f178","name": "Project1","slug": "project1","businessUnit": "Dev","riskProfile": {"businessImpact": "MBI"}}],"ignoreRules": null,"vulnerableAsset": {"id": "c828de0d-4c42-5b1c-946b-2edee094d0b3","type": "VIRTUAL_MACHINE","name": "test-4","region": "us-east-1","providerUniqueId": "arn:aws:ec2:us-east-1:998231069301:instance/i-0a0f7e1451da5f4a3","cloudProviderURL": "https://us-east-1.console.aws.amazon.com/ec2/v2/home?region=us-east-1#InstanceDetails:instanceId=i-0a0f7e1451da5f4a3","cloudPlatform": "AWS","status": "Active","subscriptionName": "wiz-integrations","subscriptionExternalId": "998231069301","subscriptionId": "94e76baa-85fd-5928-b829-1669a2ca9660","tags": {"Name": "test-4"},"hasLimitedInternetExposure": true,"hasWideInternetExposure": true,"isAccessibleFromVPN": false,"isAccessibleFromOtherVnets": false,"isAccessibleFromOtherSubscriptions": false,"operatingSystem": "Linux","ipAddresses": ["175.16.199.0","216.160.83.56"]}}],"pageInfo": {"hasNextPage": true,"endCursor": "eyJmaWVsZHMiOlt7IkZpZWxkIjoiVGltZXN0YW1wIiwiVmFsdWUiOiIyMDIzLTA5LTA0VDExOjE5OjM3LjgwMTU0MVoifV19"}}}} + {"data": {"vulnerabilityFindings": {"nodes": [{"id":"5e95ff50-5490-514e-87f7-11e56f3230ff","portalUrl":"https://app.wiz.io/explorer/vulnerability-findings#~(entity~(~'xxx-xxx*2cSECURITY_TOOL_FINDING))","name":"CVE-2020-3333","CVEDescription":"In LibTIFF, there is a memory malloc failure in tif_pixarlog.c. A crafted TIFF document can lead to an abort, resulting in a remote denial of service attack.","CVSSSeverity":"MEDIUM","score":5.5,"exploitabilityScore":1.8,"impactScore":3.6,"dataSourceName":"data Source","hasExploit":false,"hasCisaKevExploit":false,"status":"OPEN","vendorSeverity":"MEDIUM","firstDetectedAt":"2025-12-01T11:36:10.063767Z","lastDetectedAt":"2026-03-15T18:40:57Z","resolvedAt":"2026-03-15T18:40:57Z","description":"Thepackage`libtiff`version`4.0.3-35.amzn2`wasdetectedin`YUMpackagemanager`onamachinerunning`Amazon2(Karoo)`isvulnerableto`CVE-2020-35522`,whichexistsinversions`<4.0.3-35.amzn2.0.1`.\n\nThevulnerabilitywasfoundinthe[OfficialAmazonLinuxSecurityAdvisories](https://alas.aws.amazon.com/AL2/ALAS-2022-1780.html)withvendorseverity:`Medium`([NVD](https://nvd.nist.gov/vuln/detail/CVE-2020-35522)severity:`Medium`).\n\nThevulnerabilitycanberemediatedbyupdatingthepackagetoversion`4.0.3-35.amzn2.0.1`orhigher,using`yumupdatelibtiff`.","remediation":"yumupdatelibtiff","detailedName":"libtiff","version":"4.0.3-35.amzn2","fixedVersion":"4.0.3-35.amzn2.0.1","detectionMethod":"PACKAGE","link":"https://alas.aws.amazon.com/AL2/ALAS-2022-1780.html","locationPath":"package/library/file","resolutionReason":"resolutionReason","epssSeverity":"LOW","epssPercentile":46.2,"epssProbability":0.1,"validatedInRuntime":true,"layerMetadata":{"id":"5e95ff50-5490-514e-87f7-11e56f3230ff","details":"xxxx","isBaseLayer":true},"projects":[{"id":"83b76efe-a7b6-5762-8a53-8e8f59e68bd8","name":"Project2","slug":"project-2","businessUnit":"","riskProfile":{"businessImpact":"MBI"}},{"id":"af52828c-4eb1-5c4e-847c-ebc3a5ead531","name":"project4","slug":"project-4","businessUnit":"Dev","riskProfile":{"businessImpact":"MBI"}},{"id":"d6ac50bb-aec0-52fc-80ab-bacd7b02f178","name":"Project1","slug":"project1","businessUnit":"Dev","riskProfile":{"businessImpact":"MBI"}}],"ignoreRules":{"enabled":true,"expiredAt":"2026-03-15T18:40:57Z","id":"aj3jqtvnaf","name":"abc"},"vulnerableAsset":{"id":"c828de0d-4c42-5b1c-946b-2edee094d0b3","type":"VIRTUAL_MACHINE","name":"test-4","region":"us-east-1","providerUniqueId":"arn:aws:ec2:us-east-1:998231069301:instance/i-0a0f7e1451da5f4a3","cloudProviderURL":"https://us-east-1.console.aws.amazon.com/ec2/v2/home?region=us-east-1#InstanceDetails:instanceId=i-0a0f7e1451da5f4a3","cloudPlatform":"AWS","status":"Active","subscriptionName":"wiz-integrations","subscriptionExternalId":"998231069301","subscriptionId":"94e76baa-85fd-5928-b829-1669a2ca9660","tags":{"Name":"test-4"},"hasLimitedInternetExposure":true,"hasWideInternetExposure":true,"isAccessibleFromVPN":false,"isAccessibleFromOtherVnets":false,"isAccessibleFromOtherSubscriptions":false,"operatingSystem":"Linux","ipAddresses":["89.160.20.112","89.160.20.128"]}},{"id": "84e6f460-fd37-5de0-a36f-e14203d9cc6a","portalUrl": "https://app.wiz.io/explorer/vulnerability-findings#~(entity~(~'5vfv8dawefsd*2cSECURITY_TOOL_FINDING))","name": "CVE-2022-0909","CVEDescription": "Divide By Zero error in tiffcrop in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit f8d0f9aa.","CVSSSeverity": "MEDIUM","score": 5.5,"exploitabilityScore": 1.8,"impactScore": 3.6,"dataSourceName": null,"hasExploit": false,"hasCisaKevExploit": false,"status": "OPEN","vendorSeverity": "MEDIUM","firstDetectedAt": "2025-12-03T11:36:10.067346Z","lastDetectedAt": "2026-03-21T09:44:57Z","resolvedAt": null,"description": "The package `libtiff` version `4.0.3-35.amzn2` was detected in `YUM package manager` on a machine running `Amazon 2 (Karoo)` is vulnerable to `CVE-2022-0909`, which exists in versions `< 4.0.3-35.amzn2.0.1`.\n\nThe vulnerability was found in the [Official Amazon Linux Security Advisories](https://alas.aws.amazon.com/AL2/ALAS-2022-1780.html) with vendor severity: `Medium` ([NVD](https://nvd.nist.gov/vuln/detail/CVE-2022-0909) severity: `Medium`).\n\nThe vulnerability can be remediated by updating the package to version `4.0.3-35.amzn2.0.1` or higher, using `yum update libtiff`.","remediation": "yum update libtiff","detailedName": "libtiff","version": "4.0.3-35.amzn2","fixedVersion": "4.0.3-35.amzn2.0.1","detectionMethod": "PACKAGE","link": "https://alias.aws.amazon.com/AL2.html","locationPath": null,"resolutionReason": null,"epssSeverity": "LOW","epssPercentile": 29.8,"epssProbability": 0.1,"validatedInRuntime": null,"layerMetadata": null,"projects": [{"id": "83b76efe-a7b6-5762-8a53-8e8f59e68bd8","name": "Project 2","slug": "project-2","businessUnit": "","riskProfile": {"businessImpact": "MBI"}},{"id": "af52828c-4eb1-5c4e-847c-ebc3a5ead531","name": "project 4","slug": "project-4","businessUnit": "Dev","riskProfile": {"businessImpact": "MBI"}},{"id": "d6ac50bb-aec0-52fc-80ab-bacd7b02f178","name": "Project1","slug": "project1","businessUnit": "Dev","riskProfile": {"businessImpact": "MBI"}}],"ignoreRules": null,"vulnerableAsset": {"id": "c828de0d-4c42-5b1c-946b-2edee094d0b3","type": "VIRTUAL_MACHINE","name": "test-4","region": "us-east-1","providerUniqueId": "arn:aws:ec2:us-east-1:875231069301:instance/i-0a0f7e6sic8a5f4a3","cloudProviderURL": "https://us-east-1.console.aws.amazon.com/ec2/v2/home?region=us-east-1#InstanceDetails:instanceId=i-0a0f7e6sic8a5f4a3","cloudPlatform": "AWS","status": "Active","subscriptionName": "wiz-integrations","subscriptionExternalId": "998231069301","subscriptionId": "94e76baa-85fd-5928-b829-1669a2ca9660","tags": {"Name": "test-4"},"hasLimitedInternetExposure": true,"hasWideInternetExposure": true,"isAccessibleFromVPN": false,"isAccessibleFromOtherVnets": false,"isAccessibleFromOtherSubscriptions": false,"operatingSystem": "Linux","ipAddresses": ["175.16.199.0","216.160.83.56"]}},{"id": "be844291-f480-5541-a300-1edaaebb788d","portalUrl": "https://app.wiz.io/explorer/vulnerability-findings#~(entity~(~'be844291-h92sc-5541-a300-1edaaebb788d*2cSECURITY_TOOL_FINDING))","name": "CVE-2016-9532","CVEDescription": "Integer overflow in the writeBufferToSeparateStrips function in tiffcrop.c in LibTIFF before 4.0.7 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted tif file.","CVSSSeverity": "MEDIUM","score": 5.5,"exploitabilityScore": 1.8,"impactScore": 3.6,"dataSourceName": null,"hasExploit": false,"hasCisaKevExploit": false,"status": "OPEN","vendorSeverity": "MEDIUM","firstDetectedAt": "2025-12-05T11:36:10.078415Z","lastDetectedAt": "2026-03-21T09:44:57Z","resolvedAt": null,"description": "The package `libtiff` version `4.0.3-35.amzn2` was detected in `YUM package manager` on a machine running `Amazon 2 (Karoo)` is vulnerable to `CVE-2016-9532`, which exists in versions `< 4.0.3-35.amzn2.0.1`.\n\nThe vulnerability was found in the [Official Amazon Linux Security Advisories](https://alas.aws.amazon.com/AL2/ALAS-2022-1780.html) with vendor severity: `Medium` ([NVD](https://nvd.nist.gov/vuln/detail/CVE-2016-9532) severity: `Medium`).\n\nThe vulnerability can be remediated by updating the package to version `4.0.3-35.amzn2.0.1` or higher, using `yum update libtiff`.","remediation": "yum update libtiff","detailedName": "libtiff","version": "4.0.3-35.amzn2","fixedVersion": "4.0.3-35.amzn2.0.1","detectionMethod": "PACKAGE","link": "https://alas.aws.amazon.com/AL2/ALAS-2022-1780.html","locationPath": null,"resolutionReason": null,"epssSeverity": "HIGH","epssPercentile": 77.7,"epssProbability": 0.7,"validatedInRuntime": null,"layerMetadata": null,"projects": [{"id": "83b76efe-a7b6-5762-8a53-8e8f59e68bd8","name": "Project 2","slug": "project-2","businessUnit": "","riskProfile": {"businessImpact": "MBI"}},{"id": "af52828c-4eb1-5c4e-847c-ebc3a5ead531","name": "project 4","slug": "project-4","businessUnit": "Dev","riskProfile": {"businessImpact": "MBI"}},{"id": "d6ac50bb-aec0-52fc-80ab-bacd7b02f178","name": "Project1","slug": "project1","businessUnit": "Dev","riskProfile": {"businessImpact": "MBI"}}],"ignoreRules": null,"vulnerableAsset": {"id": "c828de0d-4c42-5b1c-946b-2edee094d0b3","type": "VIRTUAL_MACHINE","name": "test-4","region": "us-east-1","providerUniqueId": "arn:aws:ec2:us-east-1:998231069301:instance/i-0a0f7e1451da5f4a3","cloudProviderURL": "https://us-east-1.console.aws.amazon.com/ec2/v2/home?region=us-east-1#InstanceDetails:instanceId=i-0a0f7e1451da5f4a3","cloudPlatform": "AWS","status": "Active","subscriptionName": "wiz-integrations","subscriptionExternalId": "998231069301","subscriptionId": "94e76baa-85fd-5928-b829-1669a2ca9660","tags": {"Name": "test-4"},"hasLimitedInternetExposure": true,"hasWideInternetExposure": true,"isAccessibleFromVPN": false,"isAccessibleFromOtherVnets": false,"isAccessibleFromOtherSubscriptions": false,"operatingSystem": "Linux","ipAddresses": ["175.16.199.0","216.160.83.56"]}}],"pageInfo": {"hasNextPage": true,"endCursor": "eyJmaWVsZHMiOlt7IkZpZWxkIjoiVGltZXN0YW1wIiwiVmFsdWUiOiIyMDIzLTA5LTA0VDExOjE5OjM3LjgwMTU0MVoifV19"}}}} - path: /graphql methods: ['POST'] request_headers: @@ -33,4 +33,4 @@ rules: Content-Type: - application/json body: | - {"data": {"vulnerabilityFindings": {"nodes": [{"id":"6agsdg-5190-514f-89f7-12e56f6230ff","portalUrl":"https://app.wiz.io/explorer/vulnerability-findings#~(entity~(~'xxx-xxx*2cSECURITY_TOOL_FINDING))","name":"CVE-2020-3344","CVEDescription":"In LibTIFF, there is a memory malloc failure in tif_pixarlog.c. A crafted TIFF document can lead to an abort, resulting in a remote denial of service attack.","CVSSSeverity":"MEDIUM","score":6.5,"exploitabilityScore":1.8,"impactScore":4.6,"dataSourceName":"data Source","hasExploit":false,"hasCisaKevExploit":false,"status":"OPEN","vendorSeverity":"MEDIUM","firstDetectedAt":"2025-12-10T11:36:10.063767Z","lastDetectedAt":"{{ (now "-720h").Format "2006-01-02T15:04:05Z07:00" }}","resolvedAt":"2026-03-17T19:40:57Z","description":"Thepackage`libtiff`version`4.0.3-35.amzn2`wasdetectedin`YUMpackagemanager`onamachinerunning`Amazon2(Karoo)`isvulnerableto`CVE-2020-35522`,whichexistsinversions`<4.0.3-35.amzn2.0.1`.\n\nThevulnerabilitywasfoundinthe[OfficialAmazonLinuxSecurityAdvisories](https://alas.aws.amazon.com/AL2/ALAS-2022-1780.html)withvendorseverity:`Medium`([NVD](https://nvd.nist.gov/vuln/detail/CVE-2020-35522)severity:`Medium`).\n\nThevulnerabilitycanberemediatedbyupdatingthepackagetoversion`4.0.3-35.amzn2.0.1`orhigher,using`yumupdatelibtiff`.","remediation":"yumupdatelibtiff","detailedName":"libtiff","version":"4.0.3-35.amzn2","fixedVersion":"4.0.3-35.amzn2.0.1","detectionMethod":"PACKAGE","link":"https://alas.aws.amazon.com/AL2/ALAS-2022-1780.html","locationPath":"package/library/file","resolutionReason":"resolutionReason","epssSeverity":"LOW","epssPercentile":46.2,"epssProbability":0.1,"validatedInRuntime":true,"layerMetadata":{"id":"5t95gf50-5490-514e-87f7-11e56f3230ff","details":"xxxx","isBaseLayer":true},"projects":[{"id":"hgah564jn-a7b6-5762-8a53-8e8f59e68bd8","name":"Project2","slug":"project-2","businessUnit":"","riskProfile":{"businessImpact":"MBI"}},{"id":"fb5644tt-4eb1-5c4e-847c-ebc3a5ead531","name":"project4","slug":"project-4","businessUnit":"Dev","riskProfile":{"businessImpact":"MBI"}},{"id":"d56lln08-aec0-52fc-80ab-bacd7b02f178","name":"Project1","slug":"project1","businessUnit":"Dev","riskProfile":{"businessImpact":"MBI"}}],"ignoreRules":{"enabled":true,"expiredAt":"2026-03-15T18:40:57Z","id":"aj3jqtvnaf","name":"abc"},"vulnerableAsset":{"id":"c4546hng-4c42-5b1c-946b-2edee094d0b3","type":"VIRTUAL_MACHINE","name":"test-4","region":"us-east-1","providerUniqueId":"arn:aws:ec2:us-east-1:998231069301:instance/i-0a0f7e1451da5f4a3","cloudProviderURL":"https://us-east-1.console.aws.amazon.com/ec2/v2/home?region=us-east-1#InstanceDetails:instanceId=i-0a0f7e1451da5f4a3","cloudPlatform":"AWS","status":"Active","subscriptionName":"wiz-integrations","subscriptionExternalId":"998231069301","subscriptionId":"94e76baa-85fd-5928-b829-1669a2ca9660","tags":{"Name":"test-4"},"hasLimitedInternetExposure":true,"hasWideInternetExposure":true,"isAccessibleFromVPN":false,"isAccessibleFromOtherVnets":false,"isAccessibleFromOtherSubscriptions":false,"operatingSystem":"Linux","ipAddresses":["89.160.20.112","89.160.20.128"]}},{"id": "84e6f460-fd37-5de0-a36f-e14203d9cc6a","portalUrl": "https://app.wiz.io/explorer/vulnerability-findings#~(entity~(~'5vfv8dawefsd*2cSECURITY_TOOL_FINDING))","name": "CVE-2022-0999","CVEDescription": "Divide By Zero error in tiffcrop in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit f8d0f9aa.","CVSSSeverity": "MEDIUM","score": 5.5,"exploitabilityScore": 1.8,"impactScore": 3.6,"dataSourceName": null,"hasExploit": false,"hasCisaKevExploit": false,"status": "OPEN","vendorSeverity": "MEDIUM","firstDetectedAt": "2025-12-15T11:36:10.067346Z","lastDetectedAt": "{{ (now "-720h").Format "2006-01-02T15:04:05Z07:00" }}","resolvedAt": null,"description": "The package `libtiff` version `4.0.3-35.amzn2` was detected in `YUM package manager` on a machine running `Amazon 2 (Karoo)` is vulnerable to `CVE-2022-0909`, which exists in versions `< 4.0.3-35.amzn2.0.1`.\n\nThe vulnerability was found in the [Official Amazon Linux Security Advisories](https://alas.aws.amazon.com/AL2/ALAS-2022-1780.html) with vendor severity: `Medium` ([NVD](https://nvd.nist.gov/vuln/detail/CVE-2022-0909) severity: `Medium`).\n\nThe vulnerability can be remediated by updating the package to version `4.0.3-35.amzn2.0.1` or higher, using `yum update libtiff`.","remediation": "yum update libtiff","detailedName": "libtiff","version": "4.0.3-35.amzn2","fixedVersion": "4.0.3-35.amzn2.0.1","detectionMethod": "PACKAGE","link": "https://alias.aws.amazon.com/AL2.html","locationPath": null,"resolutionReason": null,"epssSeverity": "LOW","epssPercentile": 29.8,"epssProbability": 0.1,"validatedInRuntime": null,"layerMetadata": null,"projects": [{"id": "83b76efe-a7b6-5702-8a13-8e8f88e68bd8","name": "Project 2","slug": "project-2","businessUnit": "","riskProfile": {"businessImpact": "MBI"}},{"id": "hht3453hhh-4eb1-5c4e-847c-ebc3a5ead531","name": "project 4","slug": "project-4","businessUnit": "Dev","riskProfile": {"businessImpact": "MBI"}},{"id": "d6ac50mb-aec0-52fc-89ab-bacd7b02f178","name": "Project1","slug": "project1","businessUnit": "Dev","riskProfile": {"businessImpact": "MBI"}}],"ignoreRules": null,"vulnerableAsset": {"id": "c828de0d-4c42-5b1c-946b-2edee094d0b3","type": "VIRTUAL_MACHINE","name": "test-4","region": "us-east-1","providerUniqueId": "arn:aws:ec2:us-east-1:875231069301:instance/i-0a0f7e6sic8a5f4a3","cloudProviderURL": "https://us-east-1.console.aws.amazon.com/ec2/v2/home?region=us-east-1#InstanceDetails:instanceId=i-0a0f7e6sic8a5f4a3","cloudPlatform": "AWS","status": "Active","subscriptionName": "wiz-integrations","subscriptionExternalId": "998231069301","subscriptionId": "94e76baa-85fd-5928-b829-1669a2ca9660","tags": {"Name": "test-4"},"hasLimitedInternetExposure": true,"hasWideInternetExposure": true,"isAccessibleFromVPN": false,"isAccessibleFromOtherVnets": false,"isAccessibleFromOtherSubscriptions": false,"operatingSystem": "Linux","ipAddresses": ["175.16.199.0","216.160.83.56"]}},{"id": "be844291-f480-5541-a300-1edaaebb788d","portalUrl": "https://app.wiz.io/explorer/vulnerability-findings#~(entity~(~'be844291-h92sc-5541-a300-1edaaebb788d*2cSECURITY_TOOL_FINDING))","name": "CVE-2016-9532","CVEDescription": "Integer overflow in the writeBufferToSeparateStrips function in tiffcrop.c in LibTIFF before 4.0.7 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted tif file.","CVSSSeverity": "MEDIUM","score": 5.5,"exploitabilityScore": 1.8,"impactScore": 3.6,"dataSourceName": null,"hasExploit": false,"hasCisaKevExploit": false,"status": "OPEN","vendorSeverity": "MEDIUM","firstDetectedAt": "2025-12-05T11:36:10.078415Z","lastDetectedAt": "{{ (now "-720h").Format "2006-01-02T15:04:05Z07:00" }}","resolvedAt": null,"description": "The package `libtiff` version `4.0.3-35.amzn2` was detected in `YUM package manager` on a machine running `Amazon 2 (Karoo)` is vulnerable to `CVE-2016-9532`, which exists in versions `< 4.0.3-35.amzn2.0.1`.\n\nThe vulnerability was found in the [Official Amazon Linux Security Advisories](https://alas.aws.amazon.com/AL2/ALAS-2022-1780.html) with vendor severity: `Medium` ([NVD](https://nvd.nist.gov/vuln/detail/CVE-2016-9532) severity: `Medium`).\n\nThe vulnerability can be remediated by updating the package to version `4.0.3-35.amzn2.0.1` or higher, using `yum update libtiff`.","remediation": "yum update libtiff","detailedName": "libtiff","version": "4.0.3-35.amzn2","fixedVersion": "4.0.3-35.amzn2.0.1","detectionMethod": "PACKAGE","link": "https://alas.aws.amazon.com/AL2/ALAS-2022-1780.html","locationPath": null,"resolutionReason": null,"epssSeverity": "HIGH","epssPercentile": 77.7,"epssProbability": 0.7,"validatedInRuntime": null,"layerMetadata": null,"projects": [{"id": "83b76efe-a7b6-5762-8a53-8e8f59e68bd8","name": "Project 2","slug": "project-2","businessUnit": "","riskProfile": {"businessImpact": "MBI"}},{"id": "af52828c-4eb1-5c4e-847c-ebc3a5ead531","name": "project 4","slug": "project-4","businessUnit": "Dev","riskProfile": {"businessImpact": "MBI"}},{"id": "d6ac50bb-aec0-52fc-80ab-bacd7b02f178","name": "Project1","slug": "project1","businessUnit": "Dev","riskProfile": {"businessImpact": "MBI"}}],"ignoreRules": null,"vulnerableAsset": {"id": "c828de0d-4c42-5b1c-946b-2edee094d0b3","type": "VIRTUAL_MACHINE","name": "test-4","region": "us-east-1","providerUniqueId": "arn:aws:ec2:us-east-1:998231069301:instance/i-0a0f7e1451da5f4a3","cloudProviderURL": "https://us-east-1.console.aws.amazon.com/ec2/v2/home?region=us-east-1#InstanceDetails:instanceId=i-0a0f7e1451da5f4a3","cloudPlatform": "AWS","status": "Active","subscriptionName": "wiz-integrations","subscriptionExternalId": "998231069301","subscriptionId": "94e76baa-85fd-5928-b829-1669a2ca9660","tags": {"Name": "test-4"},"hasLimitedInternetExposure": true,"hasWideInternetExposure": true,"isAccessibleFromVPN": false,"isAccessibleFromOtherVnets": false,"isAccessibleFromOtherSubscriptions": false,"operatingSystem": "Linux","ipAddresses": ["175.16.199.0","216.160.83.56"]}}],"pageInfo": {"hasNextPage": false,"endCursor": "eyWWWVsZHMiOlt009IfaZdpZWxkIjoiVGltZXN0YW1wIiwiVmFsdWUiOiIyMDIzLTA5LTA0VDExOjE5OjM3LjgwMTU0MVoifV19"}}}} + {"data": {"vulnerabilityFindings": {"nodes": [{"id":"6agsdg-5190-514f-89f7-12e56f6230ff","portalUrl":"https://app.wiz.io/explorer/vulnerability-findings#~(entity~(~'xxx-xxx*2cSECURITY_TOOL_FINDING))","name":"CVE-2020-3344","CVEDescription":"In LibTIFF, there is a memory malloc failure in tif_pixarlog.c. A crafted TIFF document can lead to an abort, resulting in a remote denial of service attack.","CVSSSeverity":"MEDIUM","score":6.5,"exploitabilityScore":1.8,"impactScore":4.6,"dataSourceName":"data Source","hasExploit":false,"hasCisaKevExploit":false,"status":"OPEN","vendorSeverity":"MEDIUM","firstDetectedAt":"2025-12-10T11:36:10.063767Z","lastDetectedAt":"2026-03-17T18:40:57Z","resolvedAt":"2026-03-17T19:40:57Z","description":"Thepackage`libtiff`version`4.0.3-35.amzn2`wasdetectedin`YUMpackagemanager`onamachinerunning`Amazon2(Karoo)`isvulnerableto`CVE-2020-35522`,whichexistsinversions`<4.0.3-35.amzn2.0.1`.\n\nThevulnerabilitywasfoundinthe[OfficialAmazonLinuxSecurityAdvisories](https://alas.aws.amazon.com/AL2/ALAS-2022-1780.html)withvendorseverity:`Medium`([NVD](https://nvd.nist.gov/vuln/detail/CVE-2020-35522)severity:`Medium`).\n\nThevulnerabilitycanberemediatedbyupdatingthepackagetoversion`4.0.3-35.amzn2.0.1`orhigher,using`yumupdatelibtiff`.","remediation":"yumupdatelibtiff","detailedName":"libtiff","version":"4.0.3-35.amzn2","fixedVersion":"4.0.3-35.amzn2.0.1","detectionMethod":"PACKAGE","link":"https://alas.aws.amazon.com/AL2/ALAS-2022-1780.html","locationPath":"package/library/file","resolutionReason":"resolutionReason","epssSeverity":"LOW","epssPercentile":46.2,"epssProbability":0.1,"validatedInRuntime":true,"layerMetadata":{"id":"5t95gf50-5490-514e-87f7-11e56f3230ff","details":"xxxx","isBaseLayer":true},"projects":[{"id":"hgah564jn-a7b6-5762-8a53-8e8f59e68bd8","name":"Project2","slug":"project-2","businessUnit":"","riskProfile":{"businessImpact":"MBI"}},{"id":"fb5644tt-4eb1-5c4e-847c-ebc3a5ead531","name":"project4","slug":"project-4","businessUnit":"Dev","riskProfile":{"businessImpact":"MBI"}},{"id":"d56lln08-aec0-52fc-80ab-bacd7b02f178","name":"Project1","slug":"project1","businessUnit":"Dev","riskProfile":{"businessImpact":"MBI"}}],"ignoreRules":{"enabled":true,"expiredAt":"2026-03-15T18:40:57Z","id":"aj3jqtvnaf","name":"abc"},"vulnerableAsset":{"id":"c4546hng-4c42-5b1c-946b-2edee094d0b3","type":"VIRTUAL_MACHINE","name":"test-4","region":"us-east-1","providerUniqueId":"arn:aws:ec2:us-east-1:998231069301:instance/i-0a0f7e1451da5f4a3","cloudProviderURL":"https://us-east-1.console.aws.amazon.com/ec2/v2/home?region=us-east-1#InstanceDetails:instanceId=i-0a0f7e1451da5f4a3","cloudPlatform":"AWS","status":"Active","subscriptionName":"wiz-integrations","subscriptionExternalId":"998231069301","subscriptionId":"94e76baa-85fd-5928-b829-1669a2ca9660","tags":{"Name":"test-4"},"hasLimitedInternetExposure":true,"hasWideInternetExposure":true,"isAccessibleFromVPN":false,"isAccessibleFromOtherVnets":false,"isAccessibleFromOtherSubscriptions":false,"operatingSystem":"Linux","ipAddresses":["89.160.20.112","89.160.20.128"]}},{"id": "84e6f460-fd37-5de0-a36f-e14203d9cc6a","portalUrl": "https://app.wiz.io/explorer/vulnerability-findings#~(entity~(~'5vfv8dawefsd*2cSECURITY_TOOL_FINDING))","name": "CVE-2022-0999","CVEDescription": "Divide By Zero error in tiffcrop in libtiff 4.3.0 allows attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources, the fix is available with commit f8d0f9aa.","CVSSSeverity": "MEDIUM","score": 5.5,"exploitabilityScore": 1.8,"impactScore": 3.6,"dataSourceName": null,"hasExploit": false,"hasCisaKevExploit": false,"status": "OPEN","vendorSeverity": "MEDIUM","firstDetectedAt": "2025-12-15T11:36:10.067346Z","lastDetectedAt": "2026-03-21T09:44:57Z","resolvedAt": null,"description": "The package `libtiff` version `4.0.3-35.amzn2` was detected in `YUM package manager` on a machine running `Amazon 2 (Karoo)` is vulnerable to `CVE-2022-0909`, which exists in versions `< 4.0.3-35.amzn2.0.1`.\n\nThe vulnerability was found in the [Official Amazon Linux Security Advisories](https://alas.aws.amazon.com/AL2/ALAS-2022-1780.html) with vendor severity: `Medium` ([NVD](https://nvd.nist.gov/vuln/detail/CVE-2022-0909) severity: `Medium`).\n\nThe vulnerability can be remediated by updating the package to version `4.0.3-35.amzn2.0.1` or higher, using `yum update libtiff`.","remediation": "yum update libtiff","detailedName": "libtiff","version": "4.0.3-35.amzn2","fixedVersion": "4.0.3-35.amzn2.0.1","detectionMethod": "PACKAGE","link": "https://alias.aws.amazon.com/AL2.html","locationPath": null,"resolutionReason": null,"epssSeverity": "LOW","epssPercentile": 29.8,"epssProbability": 0.1,"validatedInRuntime": null,"layerMetadata": null,"projects": [{"id": "83b76efe-a7b6-5702-8a13-8e8f88e68bd8","name": "Project 2","slug": "project-2","businessUnit": "","riskProfile": {"businessImpact": "MBI"}},{"id": "hht3453hhh-4eb1-5c4e-847c-ebc3a5ead531","name": "project 4","slug": "project-4","businessUnit": "Dev","riskProfile": {"businessImpact": "MBI"}},{"id": "d6ac50mb-aec0-52fc-89ab-bacd7b02f178","name": "Project1","slug": "project1","businessUnit": "Dev","riskProfile": {"businessImpact": "MBI"}}],"ignoreRules": null,"vulnerableAsset": {"id": "c828de0d-4c42-5b1c-946b-2edee094d0b3","type": "VIRTUAL_MACHINE","name": "test-4","region": "us-east-1","providerUniqueId": "arn:aws:ec2:us-east-1:875231069301:instance/i-0a0f7e6sic8a5f4a3","cloudProviderURL": "https://us-east-1.console.aws.amazon.com/ec2/v2/home?region=us-east-1#InstanceDetails:instanceId=i-0a0f7e6sic8a5f4a3","cloudPlatform": "AWS","status": "Active","subscriptionName": "wiz-integrations","subscriptionExternalId": "998231069301","subscriptionId": "94e76baa-85fd-5928-b829-1669a2ca9660","tags": {"Name": "test-4"},"hasLimitedInternetExposure": true,"hasWideInternetExposure": true,"isAccessibleFromVPN": false,"isAccessibleFromOtherVnets": false,"isAccessibleFromOtherSubscriptions": false,"operatingSystem": "Linux","ipAddresses": ["175.16.199.0","216.160.83.56"]}},{"id": "be844291-f480-5541-a300-1edaaebb788d","portalUrl": "https://app.wiz.io/explorer/vulnerability-findings#~(entity~(~'be844291-h92sc-5541-a300-1edaaebb788d*2cSECURITY_TOOL_FINDING))","name": "CVE-2016-9532","CVEDescription": "Integer overflow in the writeBufferToSeparateStrips function in tiffcrop.c in LibTIFF before 4.0.7 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted tif file.","CVSSSeverity": "MEDIUM","score": 5.5,"exploitabilityScore": 1.8,"impactScore": 3.6,"dataSourceName": null,"hasExploit": false,"hasCisaKevExploit": false,"status": "OPEN","vendorSeverity": "MEDIUM","firstDetectedAt": "2025-12-05T11:36:10.078415Z","lastDetectedAt": "2026-03-21T09:44:57Z","resolvedAt": null,"description": "The package `libtiff` version `4.0.3-35.amzn2` was detected in `YUM package manager` on a machine running `Amazon 2 (Karoo)` is vulnerable to `CVE-2016-9532`, which exists in versions `< 4.0.3-35.amzn2.0.1`.\n\nThe vulnerability was found in the [Official Amazon Linux Security Advisories](https://alas.aws.amazon.com/AL2/ALAS-2022-1780.html) with vendor severity: `Medium` ([NVD](https://nvd.nist.gov/vuln/detail/CVE-2016-9532) severity: `Medium`).\n\nThe vulnerability can be remediated by updating the package to version `4.0.3-35.amzn2.0.1` or higher, using `yum update libtiff`.","remediation": "yum update libtiff","detailedName": "libtiff","version": "4.0.3-35.amzn2","fixedVersion": "4.0.3-35.amzn2.0.1","detectionMethod": "PACKAGE","link": "https://alas.aws.amazon.com/AL2/ALAS-2022-1780.html","locationPath": null,"resolutionReason": null,"epssSeverity": "HIGH","epssPercentile": 77.7,"epssProbability": 0.7,"validatedInRuntime": null,"layerMetadata": null,"projects": [{"id": "83b76efe-a7b6-5762-8a53-8e8f59e68bd8","name": "Project 2","slug": "project-2","businessUnit": "","riskProfile": {"businessImpact": "MBI"}},{"id": "af52828c-4eb1-5c4e-847c-ebc3a5ead531","name": "project 4","slug": "project-4","businessUnit": "Dev","riskProfile": {"businessImpact": "MBI"}},{"id": "d6ac50bb-aec0-52fc-80ab-bacd7b02f178","name": "Project1","slug": "project1","businessUnit": "Dev","riskProfile": {"businessImpact": "MBI"}}],"ignoreRules": null,"vulnerableAsset": {"id": "c828de0d-4c42-5b1c-946b-2edee094d0b3","type": "VIRTUAL_MACHINE","name": "test-4","region": "us-east-1","providerUniqueId": "arn:aws:ec2:us-east-1:998231069301:instance/i-0a0f7e1451da5f4a3","cloudProviderURL": "https://us-east-1.console.aws.amazon.com/ec2/v2/home?region=us-east-1#InstanceDetails:instanceId=i-0a0f7e1451da5f4a3","cloudPlatform": "AWS","status": "Active","subscriptionName": "wiz-integrations","subscriptionExternalId": "998231069301","subscriptionId": "94e76baa-85fd-5928-b829-1669a2ca9660","tags": {"Name": "test-4"},"hasLimitedInternetExposure": true,"hasWideInternetExposure": true,"isAccessibleFromVPN": false,"isAccessibleFromOtherVnets": false,"isAccessibleFromOtherSubscriptions": false,"operatingSystem": "Linux","ipAddresses": ["175.16.199.0","216.160.83.56"]}}],"pageInfo": {"hasNextPage": false,"endCursor": "eyWWWVsZHMiOlt009IfaZdpZWxkIjoiVGltZXN0YW1wIiwiVmFsdWUiOiIyMDIzLTA5LTA0VDExOjE5OjM3LjgwMTU0MVoifV19"}}}} diff --git a/packages/wiz/changelog.yml b/packages/wiz/changelog.yml index 8e8f4289797..45d217db05c 100644 --- a/packages/wiz/changelog.yml +++ b/packages/wiz/changelog.yml @@ -1,4 +1,12 @@ # newer versions go on top +- version: "4.6.0" + changes: + - description: Add defend_v2 data stream for Wiz Detections API v2. + type: enhancement + link: https://github.com/elastic/integrations/pull/20071 + - description: Remove the temporary processor that stripped the `organization`, `division`, and `team` fields added by the Agentless policy, as the Agentless platform no longer injects these fields. + type: enhancement + link: https://github.com/elastic/integrations/pull/20071 - version: "4.5.0" changes: - description: Note maximum historical data in setting descriptions. diff --git a/packages/wiz/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/wiz/data_stream/audit/elasticsearch/ingest_pipeline/default.yml index 59718e1a588..8be1f1876c0 100644 --- a/packages/wiz/data_stream/audit/elasticsearch/ingest_pipeline/default.yml +++ b/packages/wiz/data_stream/audit/elasticsearch/ingest_pipeline/default.yml @@ -9,17 +9,6 @@ processors: tag: data_collection_error if: ctx.error?.message != null && ctx.message == null && ctx.event?.original == null description: error message set and no data to process. - - remove: - field: - - organization - - division - - team - ignore_missing: true - if: ctx.organization instanceof String && ctx.division instanceof String && ctx.team instanceof String - tag: remove_agentless_tags - description: >- - Removes the fields added by Agentless as metadata, - as they can collide with ECS fields. - rename: field: message tag: rename_message_to_event_original diff --git a/packages/wiz/data_stream/cloud_configuration_finding/elasticsearch/ingest_pipeline/default.yml b/packages/wiz/data_stream/cloud_configuration_finding/elasticsearch/ingest_pipeline/default.yml index 28f9f4557fc..24997d08497 100644 --- a/packages/wiz/data_stream/cloud_configuration_finding/elasticsearch/ingest_pipeline/default.yml +++ b/packages/wiz/data_stream/cloud_configuration_finding/elasticsearch/ingest_pipeline/default.yml @@ -1,17 +1,6 @@ --- description: Pipeline for processing Cloud Configuration Finding logs processors: - - remove: - field: - - organization - - division - - team - ignore_missing: true - if: ctx.organization instanceof String && ctx.division instanceof String && ctx.team instanceof String - tag: remove_agentless_tags - description: >- - Removes the fields added by Agentless as metadata, - as they can collide with ECS fields. - set: field: ecs.version tag: set_ecs_version diff --git a/packages/wiz/data_stream/cloud_configuration_finding_full_posture/_dev/test/pipeline/test-cloud-configuration-finding-full-posture.log-expected.json b/packages/wiz/data_stream/cloud_configuration_finding_full_posture/_dev/test/pipeline/test-cloud-configuration-finding-full-posture.log-expected.json index 957a3ef821f..5668847f471 100644 --- a/packages/wiz/data_stream/cloud_configuration_finding_full_posture/_dev/test/pipeline/test-cloud-configuration-finding-full-posture.log-expected.json +++ b/packages/wiz/data_stream/cloud_configuration_finding_full_posture/_dev/test/pipeline/test-cloud-configuration-finding-full-posture.log-expected.json @@ -1,7 +1,7 @@ { "expected": [ { - "@timestamp": "2026-05-22T13:03:10.863717174Z", + "@timestamp": "2026-07-03T06:42:39.574450944Z", "cloud": { "account": { "id": "cfd132be-3bc7-4f86-8efd-ed53ae498fec", @@ -78,7 +78,7 @@ } }, { - "@timestamp": "2026-05-22T13:03:10.863733312Z", + "@timestamp": "2026-07-03T06:42:39.574463Z", "cloud": { "account": { "id": "998231069301", @@ -162,7 +162,7 @@ } }, { - "@timestamp": "2026-05-22T13:03:10.863737107Z", + "@timestamp": "2026-07-03T06:42:39.574465064Z", "cloud": { "account": { "id": "434f3cbb-30f2-4bc0-8bba-cb080280652b", @@ -254,7 +254,7 @@ } }, { - "@timestamp": "2026-05-22T13:03:10.863740181Z", + "@timestamp": "2026-07-03T06:42:39.574466710Z", "cloud": { "account": { "id": "434f3cbb-30f2-4bc0-8bba-cb080280652b", @@ -335,7 +335,7 @@ } }, { - "@timestamp": "2026-05-22T13:03:10.863743149Z", + "@timestamp": "2026-07-03T06:42:39.574468252Z", "cloud": { "account": { "id": "434f3cbb-30f2-4bc0-8bba-cb080280652b", @@ -416,7 +416,7 @@ } }, { - "@timestamp": "2026-05-22T13:03:10.863746126Z", + "@timestamp": "2026-07-03T06:42:39.574470180Z", "cloud": { "account": { "id": "434f3cbb-30f2-4bc0-8bba-cb080280652b", @@ -496,7 +496,7 @@ } }, { - "@timestamp": "2026-05-22T13:03:10.863749018Z", + "@timestamp": "2026-07-03T06:42:39.574471690Z", "cloud": { "account": { "id": "434f3cbb-30f2-4bc0-8bba-cb080280652b", diff --git a/packages/wiz/data_stream/cloud_configuration_finding_full_posture/elasticsearch/ingest_pipeline/default.yml b/packages/wiz/data_stream/cloud_configuration_finding_full_posture/elasticsearch/ingest_pipeline/default.yml index 1abe4db5046..e41cfe0c6de 100644 --- a/packages/wiz/data_stream/cloud_configuration_finding_full_posture/elasticsearch/ingest_pipeline/default.yml +++ b/packages/wiz/data_stream/cloud_configuration_finding_full_posture/elasticsearch/ingest_pipeline/default.yml @@ -1,17 +1,6 @@ --- description: Pipeline for processing Cloud Configuration Finding Full Posture logs processors: - - remove: - field: - - organization - - division - - team - ignore_missing: true - if: ctx.organization instanceof String && ctx.division instanceof String && ctx.team instanceof String - tag: remove_agentless_tags - description: >- - Removes the fields added by Agentless as metadata, - as they can collide with ECS fields. - set: field: ecs.version tag: set_ecs_version diff --git a/packages/wiz/data_stream/defend/elasticsearch/ingest_pipeline/default.yml b/packages/wiz/data_stream/defend/elasticsearch/ingest_pipeline/default.yml index 5d3241af0a2..5499bca510e 100644 --- a/packages/wiz/data_stream/defend/elasticsearch/ingest_pipeline/default.yml +++ b/packages/wiz/data_stream/defend/elasticsearch/ingest_pipeline/default.yml @@ -1,17 +1,6 @@ --- description: Pipeline for processing Wiz Defend logs. processors: - - remove: - field: - - organization - - division - - team - ignore_missing: true - if: ctx.organization instanceof String && ctx.division instanceof String && ctx.team instanceof String - tag: remove_agentless_tags - description: >- - Removes the fields added by Agentless as metadata, - as they can collide with ECS fields. - set: field: ecs.version tag: set_ecs_version diff --git a/packages/wiz/data_stream/defend_v2/_dev/test/pipeline/test-common-config.yml b/packages/wiz/data_stream/defend_v2/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..4da22641654 --- /dev/null +++ b/packages/wiz/data_stream/defend_v2/_dev/test/pipeline/test-common-config.yml @@ -0,0 +1,3 @@ +fields: + tags: + - preserve_original_event diff --git a/packages/wiz/data_stream/defend_v2/_dev/test/pipeline/test-defend-v2.log b/packages/wiz/data_stream/defend_v2/_dev/test/pipeline/test-defend-v2.log new file mode 100644 index 00000000000..e28d24d89b4 --- /dev/null +++ b/packages/wiz/data_stream/defend_v2/_dev/test/pipeline/test-defend-v2.log @@ -0,0 +1,3 @@ +{"type":"MATCH_ONLY","origins":["AWS_GUARD_DUTY"],"actors":[{"id":"7b6ce9df-40e3-4b6f-a0a0-1238986a32a5","name":"192.0.2.10","externalId":"192.0.2.10","providerUniqueId":null,"type":"NETWORK_ADDRESS"}],"resources":[{"id":"afd6a19a-3f4e-4a69-9faf-4c313217b0e2","name":"example-vm-1","externalId":"i-0000000000000001","providerUniqueId":null,"type":"VIRTUAL_MACHINE"}],"cloudAccounts":[{"id":"32a7e699-c09f-4afc-abf2-1e00e2998350","name":"example-cloud-account","externalId":"100000000001","cloudProvider":"AWS"}],"cloudOrganizations":null,"createdAt":"2026-07-01T15:12:18.1559021Z","updatedAt":"2026-07-01T15:13:36.3181301Z","id":"edb74e2d-e1bd-49a6-bcd7-ec6b2f5e4980","severity":"LOW","description":"An EC2 instance has been involved in SSH brute force attacks. This rule's final severity is assigned dynamically according to the severity assigned by GuardDuty.","primaryResource":{"type":"VIRTUAL_MACHINE","name":"example-vm-1","externalId":"i-0000000000000001","region":"us-east-2","id":"afd6a19a-3f4e-4a69-9faf-4c313217b0e2"},"issue":null,"primaryActor":{"id":"7b6ce9df-40e3-4b6f-a0a0-1238986a32a5","name":"192.0.2.10","type":"NETWORK_ADDRESS","nativeType":null,"email":null,"userAgent":null,"MFA":null,"federated":false,"friendlyName":null,"accessKeyId":null,"externalId":"192.0.2.10","providerUniqueId":null,"hasHighPrivileges":false,"hasAdminPrivileges":false,"hasHighKubernetesPrivileges":false,"hasAdminKubernetesPrivileges":false,"inactiveInLast90Days":false,"actingAs":null,"cloudAccount":null},"triggeringEvents":{"totalCountV2":1,"nodes":[{"id":"031e0c27-55c2-4496-92d9-4b7a97324515","description":"192.0.2.10 is performing SSH brute force attacks against i-0000000000000001. Brute force attacks are used to gain unauthorized access to your instance by guessing the SSH password.","actorIP":"192.0.2.10","timestamp":"2026-07-01T15:05:03.533Z","rawAuditLogRecord":{},"commandLine":null,"runtimeProgram":{"name":null},"parentRuntimeProgram":{"name":null}}]},"ruleMatch":{"rule":{"id":"f0568339-eb51-486b-bac1-7a835689f051","name":"UnauthorizedAccess:EC2/SSHBruteForce","builtin":true,"securitySubCategories":[{"id":"wsct-id-3522","title":"Brute Force","category":{"id":"wct-id-822","name":"Credential Access","framework":{"id":"wf-id-34"}}},{"id":"wsct-id-3518","title":"Brute Force: Password Guessing","category":{"id":"wct-id-822","name":"Credential Access","framework":{"id":"wf-id-34"}}},{"id":"wsct-id-3517","title":"Brute Force: Password Cracking","category":{"id":"wct-id-822","name":"Credential Access","framework":{"id":"wf-id-34"}}},{"id":"wsct-id-3519","title":"Brute Force: Password Spraying","category":{"id":"wct-id-822","name":"Credential Access","framework":{"id":"wf-id-34"}}},{"id":"wsct-id-3524","title":"Brute Force: Credential Stuffing","category":{"id":"wct-id-822","name":"Credential Access","framework":{"id":"wf-id-34"}}},{"id":"wsct-id-6532","title":"Generic malicious activity","category":{"id":"wct-id-2116","name":"Generic malicious activity","framework":{"id":"wf-id-103"}}},{"id":"wsct-id-10678","title":"Credentials guessing","category":{"id":"wct-id-1854","name":"Initial Access","framework":{"id":"wf-id-83"}}},{"id":"wsct-id-10714","title":"Abnormal-sourced communication","category":{"id":"wct-id-1861","name":"C2 & Exfiltration","framework":{"id":"wf-id-83"}}},{"id":"wsct-id-20507","title":"Brute Force","category":{"id":"wct-id-2772","name":"Credential Access","framework":{"id":"wf-id-181"}}},{"id":"wsct-id-20508","title":"Brute Force: Password Guessing","category":{"id":"wct-id-2772","name":"Credential Access","framework":{"id":"wf-id-181"}}},{"id":"wsct-id-20509","title":"Brute Force: Password Cracking","category":{"id":"wct-id-2772","name":"Credential Access","framework":{"id":"wf-id-181"}}},{"id":"wsct-id-20510","title":"Brute Force: Password Spraying","category":{"id":"wct-id-2772","name":"Credential Access","framework":{"id":"wf-id-181"}}},{"id":"wsct-id-20511","title":"Brute Force: Credential Stuffing","category":{"id":"wct-id-2772","name":"Credential Access","framework":{"id":"wf-id-181"}}}]}}} +{"type":"GENERATED_THREAT","origins":["WIZ_SENSOR"],"actors":null,"resources":[{"id":"44fa8d41-8cf2-4032-afbf-098cade5d5ab","name":"example-vm-2","externalId":"i-0000000000000002","providerUniqueId":"arn:aws:ec2:us-east-2:100000000001:instance/i-0000000000000002","type":"VIRTUAL_MACHINE"}],"cloudAccounts":[{"id":"32a7e699-c09f-4afc-abf2-1e00e2998350","name":"example-cloud-account","externalId":"100000000001","cloudProvider":"AWS"}],"cloudOrganizations":null,"createdAt":"2026-06-30T10:53:40.8782105Z","updatedAt":"2026-07-01T08:19:49.6407109Z","id":"1456bbb9-19ef-4847-a80c-a2b400ba3db7","severity":"MEDIUM","description":"","primaryResource":{"type":"VIRTUAL_MACHINE","name":"example-vm-2","externalId":"i-0000000000000002","region":"us-east-2","id":"44fa8d41-8cf2-4032-afbf-098cade5d5ab"},"issue":{"id":"e0321809-7913-4693-aa03-7dad19d38d65"},"primaryActor":{"id":"","name":null,"type":"UNKNOWN","nativeType":null,"email":null,"userAgent":null,"MFA":null,"federated":false,"friendlyName":null,"accessKeyId":null,"externalId":null,"providerUniqueId":null,"hasHighPrivileges":false,"hasAdminPrivileges":false,"hasHighKubernetesPrivileges":false,"hasAdminKubernetesPrivileges":false,"inactiveInLast90Days":false,"actingAs":null,"cloudAccount":null},"triggeringEvents":{"totalCountV2":1,"nodes":[{"id":"38d4c457-8310-4286-9b15-4dca6d102f46","description":"The program :runtime-program[/usr/sbin/sshd]{runtimeProgramId=\"ab58b28a-8e4c-4bc3-b668-7724b1e5a65a##16195461525115046481\" cloudEventId=\"38d4c457-8310-4286-9b15-4dca6d102f46\" cloudEventTimestamp=\"2026-07-01T08:18:21.326Z\"} accepted an incoming connection from **192.0.2.13** on the local port **22** on :cloud-resource[example\\-vm\\-2]{resourceId=\"44fa8d41-8cf2-4032-afbf-098cade5d5ab\" resourceType=\"VIRTUAL_MACHINE\" nativeType=\"virtualMachine\"}","actorIP":"192.0.2.13","timestamp":"2026-07-01T08:18:21.326Z","rawAuditLogRecord":{"common":{"vmExternalId":"i-0000000000000002","hostInfo":{"hostname":"sensor-host-1","osType":"Linux"}},"alert":{"event":{"kind":"network_accept"}}},"commandLine":"sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups","runtimeProgram":{"name":"/usr/sbin/sshd"},"parentRuntimeProgram":{"name":"/usr/lib/systemd/systemd"}}]},"ruleMatch":{"rule":{"id":"49ed0540-4dff-4193-87cc-c4b5d6d9c305","name":"Service account token was accessed","builtin":false,"securitySubCategories":[{"id":"wsct-id-9465","title":"Credential access","category":{"id":"wct-id-2123","name":"Credential access","framework":{"id":"wf-id-103"}}},{"id":"wsct-id-10708","title":"Secret theft","category":{"id":"wct-id-1860","name":"Credential Access","framework":{"id":"wf-id-83"}}}]}}} +{"type":"MATCH_ONLY","origins":["WIZ_SENSOR"],"actors":null,"resources":[{"id":"44fa8d41-8cf2-4032-afbf-098cade5d5ab","name":"example-vm-2","externalId":"i-0000000000000002","providerUniqueId":"arn:aws:ec2:us-east-2:100000000001:instance/i-0000000000000002","type":"VIRTUAL_MACHINE"}],"cloudAccounts":[{"id":"32a7e699-c09f-4afc-abf2-1e00e2998350","name":"example-cloud-account","externalId":"100000000001","cloudProvider":"AWS"}],"cloudOrganizations":null,"createdAt":"2026-06-30T10:53:40.8782105Z","updatedAt":"2026-07-01T08:19:49.6407109Z","id":"83200e8c-0d19-476a-af65-843f9d3c1711","severity":"MEDIUM","description":"The program **/usr/sbin/sshd** accepted an incoming connection from **192.0.2.17**","primaryResource":{"type":"VIRTUAL_MACHINE","name":"example-vm-2","externalId":"i-0000000000000002","region":"us-east-2","id":"44fa8d41-8cf2-4032-afbf-098cade5d5ab"},"issue":null,"primaryActor":{"id":"","name":null,"type":"UNKNOWN","nativeType":null,"email":null,"userAgent":null,"MFA":null,"federated":false,"friendlyName":null,"accessKeyId":null,"externalId":null,"providerUniqueId":null,"hasHighPrivileges":false,"hasAdminPrivileges":false,"hasHighKubernetesPrivileges":false,"hasAdminKubernetesPrivileges":false,"inactiveInLast90Days":false,"actingAs":null,"cloudAccount":null},"triggeringEvents":{"totalCountV2":1,"nodes":[{"id":"38d4c457-8310-4286-9b15-4dca6d102f46","description":"The program :runtime-program[/usr/sbin/sshd]{runtimeProgramId=\"ab58b28a-8e4c-4bc3-b668-7724b1e5a65a##16195461525115046481\" cloudEventId=\"38d4c457-8310-4286-9b15-4dca6d102f46\" cloudEventTimestamp=\"2026-07-01T08:18:21.326Z\"} accepted an incoming connection from **192.0.2.13** on the local port **22** on :cloud-resource[example\\-vm\\-2]{resourceId=\"44fa8d41-8cf2-4032-afbf-098cade5d5ab\" resourceType=\"VIRTUAL_MACHINE\" nativeType=\"virtualMachine\"}","actorIP":"192.0.2.13","timestamp":"2026-07-01T08:18:21.326Z","rawAuditLogRecord":{"common":{"vmExternalId":"i-0000000000000002","hostInfo":{"hostname":"sensor-host-1","osType":"Linux"}},"alert":{"event":{"kind":"network_accept"}}},"commandLine":"sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups","runtimeProgram":{"name":"/usr/sbin/sshd"},"parentRuntimeProgram":{"name":"/usr/lib/systemd/systemd"}}]},"ruleMatch":{"rule":{"id":"a3a8322e-4d2c-40b1-943f-db6dd6f81d02","name":"Suspected SSH brute-force attempts originating from a publicly accessible IP address","builtin":true,"securitySubCategories":[{"id":"wsct-id-10678","title":"Credentials guessing","category":{"id":"wct-id-1854","name":"Initial Access","framework":{"id":"wf-id-83"}}},{"id":"wsct-id-20507","title":"Brute Force","category":{"id":"wct-id-2772","name":"Credential Access","framework":{"id":"wf-id-181"}}},{"id":"wsct-id-3522","title":"Brute Force","category":{"id":"wct-id-822","name":"Credential Access","framework":{"id":"wf-id-34"}}}]}}} diff --git a/packages/wiz/data_stream/defend_v2/_dev/test/pipeline/test-defend-v2.log-expected.json b/packages/wiz/data_stream/defend_v2/_dev/test/pipeline/test-defend-v2.log-expected.json new file mode 100644 index 00000000000..0906e871f7d --- /dev/null +++ b/packages/wiz/data_stream/defend_v2/_dev/test/pipeline/test-defend-v2.log-expected.json @@ -0,0 +1,690 @@ +{ + "expected": [ + { + "@timestamp": "2026-07-01T15:13:36.318Z", + "cloud": { + "account": { + "id": [ + "100000000001" + ], + "name": [ + "example-cloud-account" + ] + }, + "provider": [ + "AWS" + ], + "region": "us-east-2" + }, + "ecs": { + "version": "9.3.0" + }, + "event": { + "category": [ + "threat" + ], + "id": "edb74e2d-e1bd-49a6-bcd7-ec6b2f5e4980", + "kind": "alert", + "original": "{\"type\":\"MATCH_ONLY\",\"origins\":[\"AWS_GUARD_DUTY\"],\"actors\":[{\"id\":\"7b6ce9df-40e3-4b6f-a0a0-1238986a32a5\",\"name\":\"192.0.2.10\",\"externalId\":\"192.0.2.10\",\"providerUniqueId\":null,\"type\":\"NETWORK_ADDRESS\"}],\"resources\":[{\"id\":\"afd6a19a-3f4e-4a69-9faf-4c313217b0e2\",\"name\":\"example-vm-1\",\"externalId\":\"i-0000000000000001\",\"providerUniqueId\":null,\"type\":\"VIRTUAL_MACHINE\"}],\"cloudAccounts\":[{\"id\":\"32a7e699-c09f-4afc-abf2-1e00e2998350\",\"name\":\"example-cloud-account\",\"externalId\":\"100000000001\",\"cloudProvider\":\"AWS\"}],\"cloudOrganizations\":null,\"createdAt\":\"2026-07-01T15:12:18.1559021Z\",\"updatedAt\":\"2026-07-01T15:13:36.3181301Z\",\"id\":\"edb74e2d-e1bd-49a6-bcd7-ec6b2f5e4980\",\"severity\":\"LOW\",\"description\":\"An EC2 instance has been involved in SSH brute force attacks. This rule's final severity is assigned dynamically according to the severity assigned by GuardDuty.\",\"primaryResource\":{\"type\":\"VIRTUAL_MACHINE\",\"name\":\"example-vm-1\",\"externalId\":\"i-0000000000000001\",\"region\":\"us-east-2\",\"id\":\"afd6a19a-3f4e-4a69-9faf-4c313217b0e2\"},\"issue\":null,\"primaryActor\":{\"id\":\"7b6ce9df-40e3-4b6f-a0a0-1238986a32a5\",\"name\":\"192.0.2.10\",\"type\":\"NETWORK_ADDRESS\",\"nativeType\":null,\"email\":null,\"userAgent\":null,\"MFA\":null,\"federated\":false,\"friendlyName\":null,\"accessKeyId\":null,\"externalId\":\"192.0.2.10\",\"providerUniqueId\":null,\"hasHighPrivileges\":false,\"hasAdminPrivileges\":false,\"hasHighKubernetesPrivileges\":false,\"hasAdminKubernetesPrivileges\":false,\"inactiveInLast90Days\":false,\"actingAs\":null,\"cloudAccount\":null},\"triggeringEvents\":{\"totalCountV2\":1,\"nodes\":[{\"id\":\"031e0c27-55c2-4496-92d9-4b7a97324515\",\"description\":\"192.0.2.10 is performing SSH brute force attacks against i-0000000000000001. Brute force attacks are used to gain unauthorized access to your instance by guessing the SSH password.\",\"actorIP\":\"192.0.2.10\",\"timestamp\":\"2026-07-01T15:05:03.533Z\",\"rawAuditLogRecord\":{},\"commandLine\":null,\"runtimeProgram\":{\"name\":null},\"parentRuntimeProgram\":{\"name\":null}}]},\"ruleMatch\":{\"rule\":{\"id\":\"f0568339-eb51-486b-bac1-7a835689f051\",\"name\":\"UnauthorizedAccess:EC2/SSHBruteForce\",\"builtin\":true,\"securitySubCategories\":[{\"id\":\"wsct-id-3522\",\"title\":\"Brute Force\",\"category\":{\"id\":\"wct-id-822\",\"name\":\"Credential Access\",\"framework\":{\"id\":\"wf-id-34\"}}},{\"id\":\"wsct-id-3518\",\"title\":\"Brute Force: Password Guessing\",\"category\":{\"id\":\"wct-id-822\",\"name\":\"Credential Access\",\"framework\":{\"id\":\"wf-id-34\"}}},{\"id\":\"wsct-id-3517\",\"title\":\"Brute Force: Password Cracking\",\"category\":{\"id\":\"wct-id-822\",\"name\":\"Credential Access\",\"framework\":{\"id\":\"wf-id-34\"}}},{\"id\":\"wsct-id-3519\",\"title\":\"Brute Force: Password Spraying\",\"category\":{\"id\":\"wct-id-822\",\"name\":\"Credential Access\",\"framework\":{\"id\":\"wf-id-34\"}}},{\"id\":\"wsct-id-3524\",\"title\":\"Brute Force: Credential Stuffing\",\"category\":{\"id\":\"wct-id-822\",\"name\":\"Credential Access\",\"framework\":{\"id\":\"wf-id-34\"}}},{\"id\":\"wsct-id-6532\",\"title\":\"Generic malicious activity\",\"category\":{\"id\":\"wct-id-2116\",\"name\":\"Generic malicious activity\",\"framework\":{\"id\":\"wf-id-103\"}}},{\"id\":\"wsct-id-10678\",\"title\":\"Credentials guessing\",\"category\":{\"id\":\"wct-id-1854\",\"name\":\"Initial Access\",\"framework\":{\"id\":\"wf-id-83\"}}},{\"id\":\"wsct-id-10714\",\"title\":\"Abnormal-sourced communication\",\"category\":{\"id\":\"wct-id-1861\",\"name\":\"C2 & Exfiltration\",\"framework\":{\"id\":\"wf-id-83\"}}},{\"id\":\"wsct-id-20507\",\"title\":\"Brute Force\",\"category\":{\"id\":\"wct-id-2772\",\"name\":\"Credential Access\",\"framework\":{\"id\":\"wf-id-181\"}}},{\"id\":\"wsct-id-20508\",\"title\":\"Brute Force: Password Guessing\",\"category\":{\"id\":\"wct-id-2772\",\"name\":\"Credential Access\",\"framework\":{\"id\":\"wf-id-181\"}}},{\"id\":\"wsct-id-20509\",\"title\":\"Brute Force: Password Cracking\",\"category\":{\"id\":\"wct-id-2772\",\"name\":\"Credential Access\",\"framework\":{\"id\":\"wf-id-181\"}}},{\"id\":\"wsct-id-20510\",\"title\":\"Brute Force: Password Spraying\",\"category\":{\"id\":\"wct-id-2772\",\"name\":\"Credential Access\",\"framework\":{\"id\":\"wf-id-181\"}}},{\"id\":\"wsct-id-20511\",\"title\":\"Brute Force: Credential Stuffing\",\"category\":{\"id\":\"wct-id-2772\",\"name\":\"Credential Access\",\"framework\":{\"id\":\"wf-id-181\"}}}]}}}", + "severity": 21, + "type": [ + "indicator" + ] + }, + "message": "An EC2 instance has been involved in SSH brute force attacks. This rule's final severity is assigned dynamically according to the severity assigned by GuardDuty.", + "observer": { + "product": "Defend", + "vendor": "Wiz" + }, + "related": { + "ip": [ + "192.0.2.10" + ] + }, + "rule": { + "category": [ + "Credential Access", + "Generic malicious activity", + "Initial Access", + "C2 & Exfiltration" + ], + "id": "f0568339-eb51-486b-bac1-7a835689f051", + "name": "UnauthorizedAccess:EC2/SSHBruteForce" + }, + "source": { + "geo": { + "city_name": "Las Vegas", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 36.17497, + "lon": -115.13722 + }, + "region_iso_code": "US-NV", + "region_name": "Nevada" + }, + "ip": [ + "192.0.2.10" + ] + }, + "tags": [ + "preserve_original_event" + ], + "wiz": { + "defend_v2": { + "actors": [ + { + "external_id": "192.0.2.10", + "id": "7b6ce9df-40e3-4b6f-a0a0-1238986a32a5", + "name": "192.0.2.10", + "type": "NETWORK_ADDRESS" + } + ], + "cloud_accounts": [ + { + "cloud_provider": "AWS", + "external_id": "100000000001", + "id": "32a7e699-c09f-4afc-abf2-1e00e2998350", + "name": "example-cloud-account" + } + ], + "created_at": "2026-07-01T15:12:18.155Z", + "origins": [ + "AWS_GUARD_DUTY" + ], + "primary_actor": { + "external_id": "192.0.2.10", + "federated": false, + "has_admin_kubernetes_privileges": false, + "has_admin_privileges": false, + "has_high_kubernetes_privileges": false, + "has_high_privileges": false, + "id": "7b6ce9df-40e3-4b6f-a0a0-1238986a32a5", + "inactive_in_last_90_days": false, + "name": "192.0.2.10", + "type": "NETWORK_ADDRESS" + }, + "primary_resource": { + "external_id": "i-0000000000000001", + "id": "afd6a19a-3f4e-4a69-9faf-4c313217b0e2", + "name": "example-vm-1", + "type": "VIRTUAL_MACHINE" + }, + "resources": [ + { + "external_id": "i-0000000000000001", + "id": "afd6a19a-3f4e-4a69-9faf-4c313217b0e2", + "name": "example-vm-1", + "type": "VIRTUAL_MACHINE" + } + ], + "rule_match": { + "rule": { + "builtin": true, + "security_sub_categories": [ + { + "category": { + "framework": { + "id": "wf-id-34" + }, + "id": "wct-id-822", + "name": "Credential Access" + }, + "id": "wsct-id-3522", + "title": "Brute Force" + }, + { + "category": { + "framework": { + "id": "wf-id-34" + }, + "id": "wct-id-822", + "name": "Credential Access" + }, + "id": "wsct-id-3518", + "title": "Brute Force: Password Guessing" + }, + { + "category": { + "framework": { + "id": "wf-id-34" + }, + "id": "wct-id-822", + "name": "Credential Access" + }, + "id": "wsct-id-3517", + "title": "Brute Force: Password Cracking" + }, + { + "category": { + "framework": { + "id": "wf-id-34" + }, + "id": "wct-id-822", + "name": "Credential Access" + }, + "id": "wsct-id-3519", + "title": "Brute Force: Password Spraying" + }, + { + "category": { + "framework": { + "id": "wf-id-34" + }, + "id": "wct-id-822", + "name": "Credential Access" + }, + "id": "wsct-id-3524", + "title": "Brute Force: Credential Stuffing" + }, + { + "category": { + "framework": { + "id": "wf-id-103" + }, + "id": "wct-id-2116", + "name": "Generic malicious activity" + }, + "id": "wsct-id-6532", + "title": "Generic malicious activity" + }, + { + "category": { + "framework": { + "id": "wf-id-83" + }, + "id": "wct-id-1854", + "name": "Initial Access" + }, + "id": "wsct-id-10678", + "title": "Credentials guessing" + }, + { + "category": { + "framework": { + "id": "wf-id-83" + }, + "id": "wct-id-1861", + "name": "C2 & Exfiltration" + }, + "id": "wsct-id-10714", + "title": "Abnormal-sourced communication" + }, + { + "category": { + "framework": { + "id": "wf-id-181" + }, + "id": "wct-id-2772", + "name": "Credential Access" + }, + "id": "wsct-id-20507", + "title": "Brute Force" + }, + { + "category": { + "framework": { + "id": "wf-id-181" + }, + "id": "wct-id-2772", + "name": "Credential Access" + }, + "id": "wsct-id-20508", + "title": "Brute Force: Password Guessing" + }, + { + "category": { + "framework": { + "id": "wf-id-181" + }, + "id": "wct-id-2772", + "name": "Credential Access" + }, + "id": "wsct-id-20509", + "title": "Brute Force: Password Cracking" + }, + { + "category": { + "framework": { + "id": "wf-id-181" + }, + "id": "wct-id-2772", + "name": "Credential Access" + }, + "id": "wsct-id-20510", + "title": "Brute Force: Password Spraying" + }, + { + "category": { + "framework": { + "id": "wf-id-181" + }, + "id": "wct-id-2772", + "name": "Credential Access" + }, + "id": "wsct-id-20511", + "title": "Brute Force: Credential Stuffing" + } + ] + } + }, + "severity": "LOW", + "triggering_events": { + "nodes": [ + { + "actor_ip": "192.0.2.10", + "description": "192.0.2.10 is performing SSH brute force attacks against i-0000000000000001. Brute force attacks are used to gain unauthorized access to your instance by guessing the SSH password.", + "id": "031e0c27-55c2-4496-92d9-4b7a97324515", + "timestamp": "2026-07-01T15:05:03.533Z" + } + ], + "total_count": 1 + }, + "type": "MATCH_ONLY" + } + } + }, + { + "@timestamp": "2026-07-01T08:19:49.640Z", + "cloud": { + "account": { + "id": [ + "100000000001" + ], + "name": [ + "example-cloud-account" + ] + }, + "provider": [ + "AWS" + ], + "region": "us-east-2" + }, + "ecs": { + "version": "9.3.0" + }, + "event": { + "category": [ + "threat" + ], + "id": "1456bbb9-19ef-4847-a80c-a2b400ba3db7", + "kind": "alert", + "original": "{\"type\":\"GENERATED_THREAT\",\"origins\":[\"WIZ_SENSOR\"],\"actors\":null,\"resources\":[{\"id\":\"44fa8d41-8cf2-4032-afbf-098cade5d5ab\",\"name\":\"example-vm-2\",\"externalId\":\"i-0000000000000002\",\"providerUniqueId\":\"arn:aws:ec2:us-east-2:100000000001:instance/i-0000000000000002\",\"type\":\"VIRTUAL_MACHINE\"}],\"cloudAccounts\":[{\"id\":\"32a7e699-c09f-4afc-abf2-1e00e2998350\",\"name\":\"example-cloud-account\",\"externalId\":\"100000000001\",\"cloudProvider\":\"AWS\"}],\"cloudOrganizations\":null,\"createdAt\":\"2026-06-30T10:53:40.8782105Z\",\"updatedAt\":\"2026-07-01T08:19:49.6407109Z\",\"id\":\"1456bbb9-19ef-4847-a80c-a2b400ba3db7\",\"severity\":\"MEDIUM\",\"description\":\"\",\"primaryResource\":{\"type\":\"VIRTUAL_MACHINE\",\"name\":\"example-vm-2\",\"externalId\":\"i-0000000000000002\",\"region\":\"us-east-2\",\"id\":\"44fa8d41-8cf2-4032-afbf-098cade5d5ab\"},\"issue\":{\"id\":\"e0321809-7913-4693-aa03-7dad19d38d65\"},\"primaryActor\":{\"id\":\"\",\"name\":null,\"type\":\"UNKNOWN\",\"nativeType\":null,\"email\":null,\"userAgent\":null,\"MFA\":null,\"federated\":false,\"friendlyName\":null,\"accessKeyId\":null,\"externalId\":null,\"providerUniqueId\":null,\"hasHighPrivileges\":false,\"hasAdminPrivileges\":false,\"hasHighKubernetesPrivileges\":false,\"hasAdminKubernetesPrivileges\":false,\"inactiveInLast90Days\":false,\"actingAs\":null,\"cloudAccount\":null},\"triggeringEvents\":{\"totalCountV2\":1,\"nodes\":[{\"id\":\"38d4c457-8310-4286-9b15-4dca6d102f46\",\"description\":\"The program :runtime-program[/usr/sbin/sshd]{runtimeProgramId=\\\"ab58b28a-8e4c-4bc3-b668-7724b1e5a65a##16195461525115046481\\\" cloudEventId=\\\"38d4c457-8310-4286-9b15-4dca6d102f46\\\" cloudEventTimestamp=\\\"2026-07-01T08:18:21.326Z\\\"} accepted an incoming connection from **192.0.2.13** on the local port **22** on :cloud-resource[example\\\\-vm\\\\-2]{resourceId=\\\"44fa8d41-8cf2-4032-afbf-098cade5d5ab\\\" resourceType=\\\"VIRTUAL_MACHINE\\\" nativeType=\\\"virtualMachine\\\"}\",\"actorIP\":\"192.0.2.13\",\"timestamp\":\"2026-07-01T08:18:21.326Z\",\"rawAuditLogRecord\":{\"common\":{\"vmExternalId\":\"i-0000000000000002\",\"hostInfo\":{\"hostname\":\"sensor-host-1\",\"osType\":\"Linux\"}},\"alert\":{\"event\":{\"kind\":\"network_accept\"}}},\"commandLine\":\"sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups\",\"runtimeProgram\":{\"name\":\"/usr/sbin/sshd\"},\"parentRuntimeProgram\":{\"name\":\"/usr/lib/systemd/systemd\"}}]},\"ruleMatch\":{\"rule\":{\"id\":\"49ed0540-4dff-4193-87cc-c4b5d6d9c305\",\"name\":\"Service account token was accessed\",\"builtin\":false,\"securitySubCategories\":[{\"id\":\"wsct-id-9465\",\"title\":\"Credential access\",\"category\":{\"id\":\"wct-id-2123\",\"name\":\"Credential access\",\"framework\":{\"id\":\"wf-id-103\"}}},{\"id\":\"wsct-id-10708\",\"title\":\"Secret theft\",\"category\":{\"id\":\"wct-id-1860\",\"name\":\"Credential Access\",\"framework\":{\"id\":\"wf-id-83\"}}}]}}}", + "severity": 47, + "type": [ + "indicator" + ] + }, + "host": { + "os": { + "type": "linux" + } + }, + "observer": { + "product": "Defend", + "vendor": "Wiz" + }, + "process": { + "command_line": [ + "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups" + ], + "executable": [ + "/usr/sbin/sshd" + ], + "name": [ + "/usr/sbin/sshd" + ], + "parent": { + "name": [ + "/usr/lib/systemd/systemd" + ] + } + }, + "related": { + "ip": [ + "192.0.2.13" + ] + }, + "rule": { + "category": [ + "Credential access", + "Credential Access" + ], + "id": "49ed0540-4dff-4193-87cc-c4b5d6d9c305", + "name": "Service account token was accessed" + }, + "source": { + "geo": { + "city_name": "Las Vegas", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 36.17497, + "lon": -115.13722 + }, + "region_iso_code": "US-NV", + "region_name": "Nevada" + }, + "ip": [ + "192.0.2.13" + ] + }, + "tags": [ + "preserve_original_event" + ], + "wiz": { + "defend_v2": { + "cloud_accounts": [ + { + "cloud_provider": "AWS", + "external_id": "100000000001", + "id": "32a7e699-c09f-4afc-abf2-1e00e2998350", + "name": "example-cloud-account" + } + ], + "created_at": "2026-06-30T10:53:40.878Z", + "issue": { + "id": "e0321809-7913-4693-aa03-7dad19d38d65" + }, + "origins": [ + "WIZ_SENSOR" + ], + "primary_actor": { + "federated": false, + "has_admin_kubernetes_privileges": false, + "has_admin_privileges": false, + "has_high_kubernetes_privileges": false, + "has_high_privileges": false, + "inactive_in_last_90_days": false, + "type": "UNKNOWN" + }, + "primary_resource": { + "external_id": "i-0000000000000002", + "id": "44fa8d41-8cf2-4032-afbf-098cade5d5ab", + "name": "example-vm-2", + "type": "VIRTUAL_MACHINE" + }, + "resources": [ + { + "external_id": "i-0000000000000002", + "id": "44fa8d41-8cf2-4032-afbf-098cade5d5ab", + "name": "example-vm-2", + "provider_unique_id": "arn:aws:ec2:us-east-2:100000000001:instance/i-0000000000000002", + "type": "VIRTUAL_MACHINE" + } + ], + "rule_match": { + "rule": { + "builtin": false, + "security_sub_categories": [ + { + "category": { + "framework": { + "id": "wf-id-103" + }, + "id": "wct-id-2123", + "name": "Credential access" + }, + "id": "wsct-id-9465", + "title": "Credential access" + }, + { + "category": { + "framework": { + "id": "wf-id-83" + }, + "id": "wct-id-1860", + "name": "Credential Access" + }, + "id": "wsct-id-10708", + "title": "Secret theft" + } + ] + } + }, + "severity": "MEDIUM", + "triggering_events": { + "nodes": [ + { + "actor_ip": "192.0.2.13", + "command_line": "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups", + "description": "The program :runtime-program[/usr/sbin/sshd]{runtimeProgramId=\"ab58b28a-8e4c-4bc3-b668-7724b1e5a65a##16195461525115046481\" cloudEventId=\"38d4c457-8310-4286-9b15-4dca6d102f46\" cloudEventTimestamp=\"2026-07-01T08:18:21.326Z\"} accepted an incoming connection from **192.0.2.13** on the local port **22** on :cloud-resource[example\\-vm\\-2]{resourceId=\"44fa8d41-8cf2-4032-afbf-098cade5d5ab\" resourceType=\"VIRTUAL_MACHINE\" nativeType=\"virtualMachine\"}", + "id": "38d4c457-8310-4286-9b15-4dca6d102f46", + "parent_runtime_program": { + "name": "/usr/lib/systemd/systemd" + }, + "raw_audit_log_record": { + "alert": { + "event": { + "kind": "network_accept" + } + }, + "common": { + "host_info": { + "hostname": "sensor-host-1", + "os_type": "Linux" + }, + "vm_external_id": "i-0000000000000002" + } + }, + "runtime_program": { + "name": "/usr/sbin/sshd" + }, + "timestamp": "2026-07-01T08:18:21.326Z" + } + ], + "total_count": 1 + }, + "type": "GENERATED_THREAT" + } + } + }, + { + "@timestamp": "2026-07-01T08:19:49.640Z", + "cloud": { + "account": { + "id": [ + "100000000001" + ], + "name": [ + "example-cloud-account" + ] + }, + "provider": [ + "AWS" + ], + "region": "us-east-2" + }, + "ecs": { + "version": "9.3.0" + }, + "event": { + "category": [ + "threat" + ], + "id": "83200e8c-0d19-476a-af65-843f9d3c1711", + "kind": "alert", + "original": "{\"type\":\"MATCH_ONLY\",\"origins\":[\"WIZ_SENSOR\"],\"actors\":null,\"resources\":[{\"id\":\"44fa8d41-8cf2-4032-afbf-098cade5d5ab\",\"name\":\"example-vm-2\",\"externalId\":\"i-0000000000000002\",\"providerUniqueId\":\"arn:aws:ec2:us-east-2:100000000001:instance/i-0000000000000002\",\"type\":\"VIRTUAL_MACHINE\"}],\"cloudAccounts\":[{\"id\":\"32a7e699-c09f-4afc-abf2-1e00e2998350\",\"name\":\"example-cloud-account\",\"externalId\":\"100000000001\",\"cloudProvider\":\"AWS\"}],\"cloudOrganizations\":null,\"createdAt\":\"2026-06-30T10:53:40.8782105Z\",\"updatedAt\":\"2026-07-01T08:19:49.6407109Z\",\"id\":\"83200e8c-0d19-476a-af65-843f9d3c1711\",\"severity\":\"MEDIUM\",\"description\":\"The program **/usr/sbin/sshd** accepted an incoming connection from **192.0.2.17**\",\"primaryResource\":{\"type\":\"VIRTUAL_MACHINE\",\"name\":\"example-vm-2\",\"externalId\":\"i-0000000000000002\",\"region\":\"us-east-2\",\"id\":\"44fa8d41-8cf2-4032-afbf-098cade5d5ab\"},\"issue\":null,\"primaryActor\":{\"id\":\"\",\"name\":null,\"type\":\"UNKNOWN\",\"nativeType\":null,\"email\":null,\"userAgent\":null,\"MFA\":null,\"federated\":false,\"friendlyName\":null,\"accessKeyId\":null,\"externalId\":null,\"providerUniqueId\":null,\"hasHighPrivileges\":false,\"hasAdminPrivileges\":false,\"hasHighKubernetesPrivileges\":false,\"hasAdminKubernetesPrivileges\":false,\"inactiveInLast90Days\":false,\"actingAs\":null,\"cloudAccount\":null},\"triggeringEvents\":{\"totalCountV2\":1,\"nodes\":[{\"id\":\"38d4c457-8310-4286-9b15-4dca6d102f46\",\"description\":\"The program :runtime-program[/usr/sbin/sshd]{runtimeProgramId=\\\"ab58b28a-8e4c-4bc3-b668-7724b1e5a65a##16195461525115046481\\\" cloudEventId=\\\"38d4c457-8310-4286-9b15-4dca6d102f46\\\" cloudEventTimestamp=\\\"2026-07-01T08:18:21.326Z\\\"} accepted an incoming connection from **192.0.2.13** on the local port **22** on :cloud-resource[example\\\\-vm\\\\-2]{resourceId=\\\"44fa8d41-8cf2-4032-afbf-098cade5d5ab\\\" resourceType=\\\"VIRTUAL_MACHINE\\\" nativeType=\\\"virtualMachine\\\"}\",\"actorIP\":\"192.0.2.13\",\"timestamp\":\"2026-07-01T08:18:21.326Z\",\"rawAuditLogRecord\":{\"common\":{\"vmExternalId\":\"i-0000000000000002\",\"hostInfo\":{\"hostname\":\"sensor-host-1\",\"osType\":\"Linux\"}},\"alert\":{\"event\":{\"kind\":\"network_accept\"}}},\"commandLine\":\"sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups\",\"runtimeProgram\":{\"name\":\"/usr/sbin/sshd\"},\"parentRuntimeProgram\":{\"name\":\"/usr/lib/systemd/systemd\"}}]},\"ruleMatch\":{\"rule\":{\"id\":\"a3a8322e-4d2c-40b1-943f-db6dd6f81d02\",\"name\":\"Suspected SSH brute-force attempts originating from a publicly accessible IP address\",\"builtin\":true,\"securitySubCategories\":[{\"id\":\"wsct-id-10678\",\"title\":\"Credentials guessing\",\"category\":{\"id\":\"wct-id-1854\",\"name\":\"Initial Access\",\"framework\":{\"id\":\"wf-id-83\"}}},{\"id\":\"wsct-id-20507\",\"title\":\"Brute Force\",\"category\":{\"id\":\"wct-id-2772\",\"name\":\"Credential Access\",\"framework\":{\"id\":\"wf-id-181\"}}},{\"id\":\"wsct-id-3522\",\"title\":\"Brute Force\",\"category\":{\"id\":\"wct-id-822\",\"name\":\"Credential Access\",\"framework\":{\"id\":\"wf-id-34\"}}}]}}}", + "severity": 47, + "type": [ + "indicator" + ] + }, + "host": { + "os": { + "type": "linux" + } + }, + "message": "The program **/usr/sbin/sshd** accepted an incoming connection from **192.0.2.17**", + "observer": { + "product": "Defend", + "vendor": "Wiz" + }, + "process": { + "command_line": [ + "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups" + ], + "executable": [ + "/usr/sbin/sshd" + ], + "name": [ + "/usr/sbin/sshd" + ], + "parent": { + "name": [ + "/usr/lib/systemd/systemd" + ] + } + }, + "related": { + "ip": [ + "192.0.2.13" + ] + }, + "rule": { + "category": [ + "Initial Access", + "Credential Access" + ], + "id": "a3a8322e-4d2c-40b1-943f-db6dd6f81d02", + "name": "Suspected SSH brute-force attempts originating from a publicly accessible IP address" + }, + "source": { + "geo": { + "city_name": "Las Vegas", + "continent_name": "North America", + "country_iso_code": "US", + "country_name": "United States", + "location": { + "lat": 36.17497, + "lon": -115.13722 + }, + "region_iso_code": "US-NV", + "region_name": "Nevada" + }, + "ip": [ + "192.0.2.13" + ] + }, + "tags": [ + "preserve_original_event" + ], + "wiz": { + "defend_v2": { + "cloud_accounts": [ + { + "cloud_provider": "AWS", + "external_id": "100000000001", + "id": "32a7e699-c09f-4afc-abf2-1e00e2998350", + "name": "example-cloud-account" + } + ], + "created_at": "2026-06-30T10:53:40.878Z", + "origins": [ + "WIZ_SENSOR" + ], + "primary_actor": { + "federated": false, + "has_admin_kubernetes_privileges": false, + "has_admin_privileges": false, + "has_high_kubernetes_privileges": false, + "has_high_privileges": false, + "inactive_in_last_90_days": false, + "type": "UNKNOWN" + }, + "primary_resource": { + "external_id": "i-0000000000000002", + "id": "44fa8d41-8cf2-4032-afbf-098cade5d5ab", + "name": "example-vm-2", + "type": "VIRTUAL_MACHINE" + }, + "resources": [ + { + "external_id": "i-0000000000000002", + "id": "44fa8d41-8cf2-4032-afbf-098cade5d5ab", + "name": "example-vm-2", + "provider_unique_id": "arn:aws:ec2:us-east-2:100000000001:instance/i-0000000000000002", + "type": "VIRTUAL_MACHINE" + } + ], + "rule_match": { + "rule": { + "builtin": true, + "security_sub_categories": [ + { + "category": { + "framework": { + "id": "wf-id-83" + }, + "id": "wct-id-1854", + "name": "Initial Access" + }, + "id": "wsct-id-10678", + "title": "Credentials guessing" + }, + { + "category": { + "framework": { + "id": "wf-id-181" + }, + "id": "wct-id-2772", + "name": "Credential Access" + }, + "id": "wsct-id-20507", + "title": "Brute Force" + }, + { + "category": { + "framework": { + "id": "wf-id-34" + }, + "id": "wct-id-822", + "name": "Credential Access" + }, + "id": "wsct-id-3522", + "title": "Brute Force" + } + ] + } + }, + "severity": "MEDIUM", + "triggering_events": { + "nodes": [ + { + "actor_ip": "192.0.2.13", + "command_line": "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups", + "description": "The program :runtime-program[/usr/sbin/sshd]{runtimeProgramId=\"ab58b28a-8e4c-4bc3-b668-7724b1e5a65a##16195461525115046481\" cloudEventId=\"38d4c457-8310-4286-9b15-4dca6d102f46\" cloudEventTimestamp=\"2026-07-01T08:18:21.326Z\"} accepted an incoming connection from **192.0.2.13** on the local port **22** on :cloud-resource[example\\-vm\\-2]{resourceId=\"44fa8d41-8cf2-4032-afbf-098cade5d5ab\" resourceType=\"VIRTUAL_MACHINE\" nativeType=\"virtualMachine\"}", + "id": "38d4c457-8310-4286-9b15-4dca6d102f46", + "parent_runtime_program": { + "name": "/usr/lib/systemd/systemd" + }, + "raw_audit_log_record": { + "alert": { + "event": { + "kind": "network_accept" + } + }, + "common": { + "host_info": { + "hostname": "sensor-host-1", + "os_type": "Linux" + }, + "vm_external_id": "i-0000000000000002" + } + }, + "runtime_program": { + "name": "/usr/sbin/sshd" + }, + "timestamp": "2026-07-01T08:18:21.326Z" + } + ], + "total_count": 1 + }, + "type": "MATCH_ONLY" + } + } + } + ] +} diff --git a/packages/wiz/data_stream/defend_v2/_dev/test/system/test-default-config.yml b/packages/wiz/data_stream/defend_v2/_dev/test/system/test-default-config.yml new file mode 100644 index 00000000000..dc64df99f37 --- /dev/null +++ b/packages/wiz/data_stream/defend_v2/_dev/test/system/test-default-config.yml @@ -0,0 +1,15 @@ +input: cel +service: wiz-defend_v2 +wait_for_data_timeout: 2m +vars: + url: http://{{Hostname}}:{{Port}} + client_id: xxxx + client_secret: xxxx + token_url: http://{{Hostname}}:{{Port}}/oauth/token +data_stream: + vars: + interval: 10s + batch_size: 2 + preserve_original_event: true +assert: + hit_count: 3 diff --git a/packages/wiz/data_stream/defend_v2/agent/stream/cel.yml.hbs b/packages/wiz/data_stream/defend_v2/agent/stream/cel.yml.hbs new file mode 100644 index 00000000000..0a0ff4dd9b1 --- /dev/null +++ b/packages/wiz/data_stream/defend_v2/agent/stream/cel.yml.hbs @@ -0,0 +1,246 @@ +interval: {{interval}} +resource.tracer: + enabled: {{enable_request_tracer}} + filename: "../../logs/cel/http-request-trace-*.ndjson" + maxbackups: 5 +{{#if proxy_url}} +resource.proxy_url: {{proxy_url}} +{{/if}} +{{#if ssl}} +resource.ssl: {{ssl}} +{{/if}} +{{#if http_client_timeout}} +resource.timeout: {{http_client_timeout}} +{{/if}} +resource.rate_limit.limit: {{resource_rate_limit_limit}} +resource.retry.max_attempts: {{resource_retry_max_attempts}} +resource.url: {{url}} +auth.oauth2: + client.id: {{client_id}} + client.secret: {{client_secret}} + token_url: {{token_url}} + endpoint_params: + grant_type: client_credentials + audience: wiz-api +state: + initial_interval: {{initial_interval}} + want_more: false + batch_size: {{batch_size}} + query: >- + query DetectionsTableV2($filterBy: DetectionFilters $first: Int $after: String $orderBy: DetectionOrder){ + detections(filterBy: $filterBy first: $first after: $after orderBy: $orderBy) { + nodes { + type + origins + actors { + id + name + externalId + providerUniqueId + type + } + resources { + id + name + externalId + providerUniqueId + type + } + cloudAccounts { + id + name + externalId + cloudProvider + } + cloudOrganizations { + id + name + externalId + cloudProvider + } + createdAt + updatedAt + id + severity + description(format: MARKDOWN) + primaryResource { + type + name + externalId + region + id + } + issue { + id + } + primaryActor { + id + name + type + nativeType + email + userAgent + MFA + federated + friendlyName + accessKeyId + externalId + providerUniqueId + hasHighPrivileges + hasAdminPrivileges + hasHighKubernetesPrivileges + hasAdminKubernetesPrivileges + inactiveInLast90Days + actingAs { + id + name + type + friendlyName + accessKeyId + externalId + providerUniqueId + } + cloudAccount { + id + externalId + name + cloudProvider + } + } + triggeringEvents(first: 50) { + totalCountV2 + nodes { + ... on CloudEvent { + id + description + actorIP + timestamp + rawAuditLogRecord + commandLine + runtimeProgram { + name + } + parentRuntimeProgram { + name + } + } + } + } + ruleMatch { + rule { + id + name + builtin + securitySubCategories { + id + title + category { + id + name + framework { + id + } + } + } + } + } + } + pageInfo { + hasNextPage + endCursor + } + totalCount + } + } +redact: + fields: ~ +{{#if max_executions}} +max_executions: {{max_executions}} +{{/if}} +program: | + ( + state.?want_more.orValue(false) ? + state.start_time + : + state.?cursor.last_timestamp.orValue(string(now() - duration(state.initial_interval))) + ).as(start_time, state.with( + request( + "POST", + state.url.trim_right("/") + "/graphql", + { + "query": state.query, + "variables": { + "first": state.batch_size, + "after": state.?end_cursor.value.orValue(null), + "filterBy": { + "updatedAt": { + "after": start_time + }, + // Wiz applies a default type filter of GENERATED_THREAT when any filterBy is + // sent, which drops MATCH_ONLY detections (rule matches without a threat issue). + // Request both types explicitly so pagination matches an unfiltered query. + "type": { + "equals": ["GENERATED_THREAT", "MATCH_ONLY"] + } + } + } + }.encode_json() + ).with({ + "Header": { + "Content-Type": ["application/json"], + "User-Agent": [useragent], + }, + }).do_request().as(resp, resp.StatusCode == 200 ? + resp.Body.decode_json().as(body, { + "events": body.?data.?detections.?nodes.orValue([]).map(e, { + "message": e.encode_json(), + }), + "cursor": { + ?"last_timestamp": body.?data.?detections.nodes.orValue([]).size() > 0 ? + optional.of(string(body.?data.?detections.nodes.orValue([]).map(e, timestamp(e.updatedAt)).max())) + : + state.?cursor.last_timestamp, + }, + "start_time": start_time, + "end_cursor": { + ?"value": body.?data.?detections.?pageInfo.hasNextPage.orValue(false) && + body.?data.?detections.?pageInfo.endCursor.orValue(null) != null ? + body.?data.?detections.?pageInfo.endCursor + : + optional.none() + }, + "want_more": body.?data.?detections.?pageInfo.hasNextPage.orValue(false) && + body.?data.?detections.?pageInfo.endCursor.orValue(null) != null, + }) + : + { + "events": { + "error": { + "code": string(resp.StatusCode), + "id": string(resp.Status), + "message": "POST " + state.url.trim_right("/") + "/graphql: " + ( + size(resp.Body) != 0 ? + string(resp.Body) + : + string(resp.Status) + ' (' + string(resp.StatusCode) + ')' + ), + }, + }, + "want_more": false, + } + ) + )) +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/wiz/data_stream/defend_v2/elasticsearch/ingest_pipeline/default.yml b/packages/wiz/data_stream/defend_v2/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..9efb672a8ed --- /dev/null +++ b/packages/wiz/data_stream/defend_v2/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,626 @@ +--- +description: Pipeline for processing Wiz Defend v2 detection logs. +processors: + - set: + field: ecs.version + tag: set_ecs_version + value: '9.3.0' + - set: + field: observer.product + tag: set_observer_product + value: Defend + - set: + field: observer.vendor + tag: set_observer_vendor + value: Wiz + - terminate: + tag: data_collection_error + if: ctx.error?.message != null && ctx.message == null && ctx.event?.original == null + description: error message set and no data to process. + + # parse the event JSON + - rename: + field: message + tag: rename_message_to_event_original + target_field: event.original + ignore_missing: true + description: Renames the original `message` field to `event.original` to store a copy of the original message. The `event.original` field is not touched if the document already has one; it may happen when Logstash sends the document. + if: ctx.event?.original == null + - remove: + field: message + tag: remove_message + ignore_missing: true + description: The `message` field is no longer required if the document has an `event.original` field. + if: ctx.event?.original != null + - json: + field: event.original + tag: json_event_original + target_field: json + on_failure: + - append: + field: error.message + tag: append_json_event_original_failure_into_error_message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - fingerprint: + tag: fingerprint_defend_v2_id_and_updated_at + fields: + - json.id + - json.updatedAt + target_field: _id + ignore_missing: true + + # rename to snake case + - script: + tag: script_convert_camelcase_to_snake_case + lang: painless + description: Convert camelCase to snake_case + if: ctx.json != null + source: | + String camelToSnake(String str) { + def result = ""; + def lastCharWasUpperCase = false; + for (int i = 0; i < str.length(); i++) { + char c = str.charAt(i); + if (Character.isUpperCase(c)) { + if (i > 0 && !lastCharWasUpperCase) { + result += "_"; + } + result += Character.toLowerCase(c); + lastCharWasUpperCase = true; + } else { + result += c; + lastCharWasUpperCase = false; + } + } + return result; + } + def convertToSnakeCase(def obj) { + if (obj instanceof Map) { + def newObj = [:]; + for (entry in obj.entrySet()) { + if (!entry.getKey().contains("@")) { + String newKey = camelToSnake(entry.getKey()); + newObj[newKey] = convertToSnakeCase(entry.getValue()); + } + } + return newObj; + } else if (obj instanceof List) { + def newList = []; + for (item in obj) { + newList.add(convertToSnakeCase(item)); + } + return newList; + } else { + return obj; + } + } + ctx.wiz = ctx.wiz ?: [:]; + ctx.wiz.defend_v2 = convertToSnakeCase(ctx.json); + - rename: + field: wiz.defend_v2.triggering_events.total_count_v2 + tag: rename_triggering_events_total_count_v2 + target_field: wiz.defend_v2.triggering_events.total_count + ignore_missing: true + - rename: + field: wiz.defend_v2.primary_actor.inactive_in_last90_days + tag: rename_primary_actor_inactive_in_last90_days + target_field: wiz.defend_v2.primary_actor.inactive_in_last_90_days + ignore_missing: true + + # convert values + - date: + field: wiz.defend_v2.created_at + tag: date_created_at + target_field: wiz.defend_v2.created_at + formats: + - ISO8601 + if: ctx.wiz?.defend_v2?.created_at != null && ctx.wiz.defend_v2.created_at != '' + on_failure: + - remove: + field: wiz.defend_v2.created_at + tag: remove_created_at_on_date_failure + ignore_missing: true + - append: + field: error.message + tag: append_date_created_at_failure_into_error_message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: wiz.defend_v2.updated_at + tag: date_updated_at + target_field: wiz.defend_v2.updated_at + formats: + - ISO8601 + if: ctx.wiz?.defend_v2?.updated_at != null && ctx.wiz.defend_v2.updated_at != '' + on_failure: + - remove: + field: wiz.defend_v2.updated_at + tag: remove_updated_at_on_date_failure + ignore_missing: true + - append: + field: error.message + tag: append_date_updated_at_failure_into_error_message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + + # populate ECS fields + - set: + field: message + tag: set_message_from_description + copy_from: wiz.defend_v2.description + ignore_empty_value: true + - set: + field: '@timestamp' + tag: set_timestamp_from_updated_at + copy_from: wiz.defend_v2.updated_at + ignore_empty_value: true + + # event.* + - set: + field: event.kind + tag: set_event_kind + value: alert + - append: + field: event.type + tag: append_indicator_into_event_type + value: indicator + - append: + field: event.category + tag: append_threat_into_event_category + value: threat + - set: + field: event.id + tag: set_event_id_from_defend_v2_id + copy_from: wiz.defend_v2.id + ignore_empty_value: true + - script: + description: Set event severity based on detection severity. + tag: set_event_severity_from_defend_v2_severity + if: ctx.wiz?.defend_v2?.severity instanceof String + lang: painless + source: |- + String severity = ctx.wiz.defend_v2.severity; + if (severity.equalsIgnoreCase("low")) { + ctx.event.severity = 21; + } else if (severity.equalsIgnoreCase("informational")) { + ctx.event.severity = 0; + } else if (severity.equalsIgnoreCase("medium")) { + ctx.event.severity = 47; + } else if (severity.equalsIgnoreCase("high")) { + ctx.event.severity = 73; + } else if (severity.equalsIgnoreCase("critical")) { + ctx.event.severity = 99; + } + + # cloud.* + - set: + field: cloud.region + tag: set_cloud_region_from_primary_resource_region + copy_from: wiz.defend_v2.primary_resource.region + ignore_empty_value: true + - foreach: + field: wiz.defend_v2.cloud_accounts + tag: foreach_cloud_accounts_into_cloud_account_id + if: ctx.wiz?.defend_v2?.cloud_accounts instanceof List + processor: + append: + field: cloud.account.id + tag: append_cloud_account_id + value: '{{{_ingest._value.external_id}}}' + allow_duplicates: false + on_failure: + - append: + field: error.message + tag: append_cloud_account_id_failure_into_error_message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: wiz.defend_v2.cloud_accounts + tag: foreach_cloud_accounts_into_cloud_account_name + if: ctx.wiz?.defend_v2?.cloud_accounts instanceof List + processor: + append: + field: cloud.account.name + tag: append_cloud_account_name + value: '{{{_ingest._value.name}}}' + allow_duplicates: false + on_failure: + - append: + field: error.message + tag: append_cloud_account_name_failure_into_error_message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: wiz.defend_v2.cloud_accounts + tag: foreach_cloud_accounts_into_cloud_provider + if: ctx.wiz?.defend_v2?.cloud_accounts instanceof List + processor: + append: + field: cloud.provider + tag: append_cloud_provider + value: '{{{_ingest._value.cloud_provider}}}' + allow_duplicates: false + on_failure: + - append: + field: error.message + tag: append_cloud_provider_failure_into_error_message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + + # organization.* + - foreach: + field: wiz.defend_v2.cloud_organizations + tag: foreach_cloud_organizations_into_organization_id + if: ctx.wiz?.defend_v2?.cloud_organizations instanceof List + processor: + append: + field: organization.id + tag: append_organization_id + value: '{{{_ingest._value.id}}}' + allow_duplicates: false + on_failure: + - append: + field: error.message + tag: append_organization_id_failure_into_error_message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: wiz.defend_v2.cloud_organizations + tag: foreach_cloud_organizations_into_organization_name + if: ctx.wiz?.defend_v2?.cloud_organizations instanceof List + processor: + append: + field: organization.name + tag: append_organization_name + value: '{{{_ingest._value.name}}}' + allow_duplicates: false + on_failure: + - append: + field: error.message + tag: append_organization_name_failure_into_error_message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + + # user.* + - set: + field: user.email + tag: set_user_email_from_primary_actor_email + copy_from: wiz.defend_v2.primary_actor.email + ignore_empty_value: true + + # process.* + - foreach: + field: wiz.defend_v2.triggering_events.nodes + tag: foreach_triggering_events_into_process_command_line + if: ctx.wiz?.defend_v2?.triggering_events?.nodes instanceof List + processor: + append: + field: process.command_line + tag: append_process_command_line_from_triggering_events + value: '{{{_ingest._value.command_line}}}' + allow_duplicates: false + on_failure: + - append: + field: error.message + tag: append_process_command_line_failure_into_error_message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: wiz.defend_v2.triggering_events.nodes + tag: foreach_triggering_events_into_process_executable + if: ctx.wiz?.defend_v2?.triggering_events?.nodes instanceof List + processor: + append: + field: process.executable + tag: append_process_executable_from_triggering_events + value: '{{{_ingest._value.runtime_program.name}}}' + allow_duplicates: false + on_failure: + - append: + field: error.message + tag: append_process_executable_failure_into_error_message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: wiz.defend_v2.triggering_events.nodes + tag: foreach_triggering_events_into_process_name + if: ctx.wiz?.defend_v2?.triggering_events?.nodes instanceof List + processor: + append: + field: process.name + tag: append_process_name_from_triggering_events + value: '{{{_ingest._value.runtime_program.name}}}' + allow_duplicates: false + on_failure: + - append: + field: error.message + tag: append_process_name_failure_into_error_message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: wiz.defend_v2.triggering_events.nodes + tag: foreach_triggering_events_into_process_parent_name + if: ctx.wiz?.defend_v2?.triggering_events?.nodes instanceof List + processor: + append: + field: process.parent.name + tag: append_process_parent_name_from_triggering_events + value: '{{{_ingest._value.parent_runtime_program.name}}}' + allow_duplicates: false + on_failure: + - append: + field: error.message + tag: append_process_parent_name_failure_into_error_message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + + # source.* + - foreach: + field: wiz.defend_v2.triggering_events.nodes + tag: foreach_triggering_events_into_source_ip + if: ctx.wiz?.defend_v2?.triggering_events?.nodes instanceof List + processor: + append: + field: source.ip + tag: append_source_ip_from_triggering_events + value: '{{{_ingest._value.actor_ip}}}' + allow_duplicates: false + on_failure: + - append: + field: error.message + tag: append_source_ip_failure_into_error_message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - geoip: + field: source.ip + tag: geoip_source_ip + target_field: source.geo + ignore_missing: true + on_failure: + - append: + field: error.message + tag: append_geoip_source_ip_failure_into_error_message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + + # container.* + - set: + field: container.id + tag: set_container_id_from_primary_resource_external_id + copy_from: wiz.defend_v2.primary_resource.external_id + if: ctx.wiz?.defend_v2?.primary_resource?.type != null && ctx.wiz.defend_v2.primary_resource.type.equalsIgnoreCase('CONTAINER') + ignore_empty_value: true + - set: + field: container.name + tag: set_container_name_from_primary_resource_name + copy_from: wiz.defend_v2.primary_resource.name + if: ctx.wiz?.defend_v2?.primary_resource?.type != null && ctx.wiz.defend_v2.primary_resource.type.equalsIgnoreCase('CONTAINER') + ignore_empty_value: true + + # cloud.instance.id, host.name, file.path, event.action (triggering event audit logs) + - foreach: + field: wiz.defend_v2.triggering_events.nodes + tag: foreach_triggering_events_into_cloud_instance_id + if: ctx.wiz?.defend_v2?.triggering_events?.nodes instanceof List + processor: + append: + field: cloud.instance.id + tag: append_cloud_instance_id_from_triggering_events + value: '{{{_ingest._value.raw_audit_log_record.common.vm_external_id}}}' + if: ctx._ingest?._value?.raw_audit_log_record?.common?.vm_external_id != null + allow_duplicates: false + on_failure: + - append: + field: error.message + tag: append_cloud_instance_id_failure_into_error_message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: wiz.defend_v2.triggering_events.nodes + tag: foreach_triggering_events_into_host_name + if: ctx.wiz?.defend_v2?.triggering_events?.nodes instanceof List + processor: + append: + field: host.name + tag: append_host_name_from_triggering_events + value: '{{{_ingest._value.raw_audit_log_record.common.host_info.hostname}}}' + if: ctx._ingest?._value?.raw_audit_log_record?.common?.host_info?.hostname != null + allow_duplicates: false + on_failure: + - append: + field: error.message + tag: append_host_name_failure_into_error_message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: wiz.defend_v2.triggering_events.nodes + tag: foreach_triggering_events_into_file_path + if: ctx.wiz?.defend_v2?.triggering_events?.nodes instanceof List + processor: + append: + field: file.path + tag: append_file_path_from_triggering_events + value: '{{{_ingest._value.raw_audit_log_record.alert.file_event_details.name}}}' + if: ctx._ingest?._value?.raw_audit_log_record?.alert?.file_event_details?.name != null + allow_duplicates: false + on_failure: + - append: + field: error.message + tag: append_file_path_failure_into_error_message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: wiz.defend_v2.triggering_events.nodes + tag: foreach_triggering_events_into_event_action + if: ctx.wiz?.defend_v2?.triggering_events?.nodes instanceof List + processor: + append: + field: event.action + tag: append_event_action_from_triggering_events + value: '{{{_ingest._value.raw_audit_log_record.alert.event.kind}}}' + if: ctx._ingest?._value?.raw_audit_log_record?.alert?.event?.kind != null + allow_duplicates: false + on_failure: + - append: + field: error.message + tag: append_event_action_failure_into_error_message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + + # host.os.type (triggering event audit logs) + - script: + tag: script_set_host_os_type_from_triggering_events + lang: painless + description: Map host OS type from all triggering event audit logs. + if: ctx.wiz?.defend_v2?.triggering_events?.nodes instanceof List && !ctx.wiz.defend_v2.triggering_events.nodes.isEmpty() + source: |- + String mapOsType(def osType) { + if (osType == null) { + return null; + } + String os = osType.toString().toLowerCase(); + if (os.contains('windows')) { + return 'windows'; + } else if (os.contains('mac') || os.contains('darwin')) { + return 'macos'; + } else if (os.contains('linux') || os.contains('amazon') || os.contains('ubuntu') || os.contains('debian') || os.contains('centos') || os.contains('rhel') || os.contains('unix')) { + return 'linux'; + } else if (os.contains('android')) { + return 'android'; + } else if (os.contains('ios')) { + return 'ios'; + } + return null; + } + def osTypes = []; + for (def node : ctx.wiz.defend_v2.triggering_events.nodes) { + def audit = node.raw_audit_log_record; + if (!(audit instanceof Map)) { + continue; + } + def common = audit.common; + if (!(common instanceof Map)) { + continue; + } + def hostInfo = common.host_info; + if (!(hostInfo instanceof Map)) { + continue; + } + String mappedOsType = mapOsType(hostInfo.os_type); + if (mappedOsType != null && !osTypes.contains(mappedOsType)) { + osTypes.add(mappedOsType); + } + } + if (!osTypes.isEmpty()) { + ctx.host = ctx.host ?: [:]; + ctx.host.os = ctx.host.os ?: [:]; + ctx.host.os.type = osTypes.size() == 1 ? osTypes[0] : osTypes; + } + + # rule.* + - set: + field: rule.id + tag: set_rule_id_from_rule_match_rule_id + copy_from: wiz.defend_v2.rule_match.rule.id + ignore_empty_value: true + - set: + field: rule.name + tag: set_rule_name_from_rule_match_rule_name + copy_from: wiz.defend_v2.rule_match.rule.name + ignore_empty_value: true + - foreach: + field: wiz.defend_v2.rule_match.rule.security_sub_categories + tag: foreach_security_sub_categories_into_rule_category + if: ctx.wiz?.defend_v2?.rule_match?.rule?.security_sub_categories instanceof List + processor: + append: + field: rule.category + tag: append_rule_category_from_security_sub_categories + value: '{{{_ingest._value.category.name}}}' + allow_duplicates: false + on_failure: + - append: + field: error.message + tag: append_rule_category_failure_into_error_message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + + # related.* + - foreach: + field: wiz.defend_v2.triggering_events.nodes + tag: foreach_triggering_events_into_related_ip + if: ctx.wiz?.defend_v2?.triggering_events?.nodes instanceof List + processor: + append: + field: related.ip + tag: append_related_ip_from_triggering_events + value: '{{{_ingest._value.actor_ip}}}' + allow_duplicates: false + on_failure: + - append: + field: error.message + tag: append_related_ip_failure_into_error_message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - append: + field: related.user + tag: append_related_user_from_primary_actor_email + value: '{{{wiz.defend_v2.primary_actor.email}}}' + if: ctx.wiz?.defend_v2?.primary_actor?.email != null + allow_duplicates: false + - append: + field: related.hosts + tag: append_related_hosts_from_host_name + value: '{{{host.name}}}' + if: ctx.host?.name != null + allow_duplicates: false + + - remove: + field: + - wiz.defend_v2.updated_at + - wiz.defend_v2.id + - wiz.defend_v2.description + - wiz.defend_v2.rule_match.rule.id + - wiz.defend_v2.rule_match.rule.name + - wiz.defend_v2.primary_resource.region + tag: remove_fields_mapped_to_ecs + ignore_missing: true + - remove: + field: json + tag: remove_json + ignore_missing: true + - script: + tag: script_to_drop_null_values + lang: painless + description: This script processor iterates over the whole document to remove fields with null values. + source: |- + void handleMap(Map map) { + map.values().removeIf(v -> { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); + } + void handleList(List list) { + list.removeIf(v -> { + if (v instanceof Map) { + handleMap(v); + } else if (v instanceof List) { + handleList(v); + } + return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0) + }); + } + handleMap(ctx); + - set: + field: event.kind + tag: set_pipeline_error_into_event_kind + value: pipeline_error + if: ctx.error?.message != null + - append: + field: tags + tag: append_preserve_original_event_on_error + value: preserve_original_event + allow_duplicates: false + if: ctx.error?.message != null +on_failure: + - set: + field: event.kind + tag: set_pipeline_error_to_event_kind + value: pipeline_error + - append: + field: error.message + tag: append_pipeline_failure_into_error_message + value: |- + Processor '{{{ _ingest.on_failure_processor_type }}}' + {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}' + {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}' + - append: + field: tags + tag: append_preserve_original_event_on_pipeline_failure + value: preserve_original_event + allow_duplicates: false diff --git a/packages/wiz/data_stream/defend_v2/fields/base-fields.yml b/packages/wiz/data_stream/defend_v2/fields/base-fields.yml new file mode 100644 index 00000000000..4f95bbd9127 --- /dev/null +++ b/packages/wiz/data_stream/defend_v2/fields/base-fields.yml @@ -0,0 +1,16 @@ +- name: data_stream.type + external: ecs +- name: data_stream.dataset + external: ecs +- name: data_stream.namespace + external: ecs +- name: event.module + external: ecs + type: constant_keyword + value: wiz +- name: event.dataset + external: ecs + type: constant_keyword + value: wiz.defend_v2 +- name: '@timestamp' + external: ecs diff --git a/packages/wiz/data_stream/defend_v2/fields/beats.yml b/packages/wiz/data_stream/defend_v2/fields/beats.yml new file mode 100644 index 00000000000..4fe11e7b4a2 --- /dev/null +++ b/packages/wiz/data_stream/defend_v2/fields/beats.yml @@ -0,0 +1,3 @@ +- name: input.type + type: keyword + description: Type of filebeat input. \ No newline at end of file diff --git a/packages/wiz/data_stream/defend_v2/fields/ecs.yml b/packages/wiz/data_stream/defend_v2/fields/ecs.yml new file mode 100644 index 00000000000..d86b0806eb7 --- /dev/null +++ b/packages/wiz/data_stream/defend_v2/fields/ecs.yml @@ -0,0 +1,8 @@ +- name: observer.vendor + external: ecs + type: constant_keyword + value: Wiz +- name: observer.product + external: ecs + type: constant_keyword + value: Defend diff --git a/packages/wiz/data_stream/defend_v2/fields/fields.yml b/packages/wiz/data_stream/defend_v2/fields/fields.yml new file mode 100644 index 00000000000..cbf15ea0dc1 --- /dev/null +++ b/packages/wiz/data_stream/defend_v2/fields/fields.yml @@ -0,0 +1,303 @@ +- name: wiz.defend_v2 + type: group + fields: + - name: id + type: keyword + description: The unique identifier of the detection. + - name: type + type: keyword + description: The detection type. + - name: origins + type: keyword + description: The data sources that contributed to the detection. + - name: severity + type: keyword + description: "The severity of the detection. Possible values: CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL." + - name: description + type: text + description: A Markdown-formatted description of the detection. + - name: created_at + type: date + description: The timestamp when the detection was created. + - name: updated_at + type: date + description: The timestamp when the detection was last updated. + - name: actors + type: group + description: The identities (users or service accounts) associated with the detection. + fields: + - name: id + type: keyword + description: The unique identifier of the actor. + - name: name + type: keyword + description: The name of the actor. + - name: external_id + type: keyword + description: The cloud provider's identifier for the actor. + - name: provider_unique_id + type: keyword + description: The globally unique identifier for the actor as assigned by the cloud provider. + - name: type + type: keyword + description: The type of actor. + - name: resources + type: group + description: The cloud resources associated with the detection. + fields: + - name: id + type: keyword + description: The unique identifier of the resource. + - name: name + type: keyword + description: The name of the resource. + - name: external_id + type: keyword + description: The cloud provider's identifier for the resource. + - name: provider_unique_id + type: keyword + description: The globally unique identifier for the resource as assigned by the cloud provider. + - name: type + type: keyword + description: The type of resource. + - name: cloud_accounts + type: group + description: The cloud accounts associated with the detection. + fields: + - name: id + type: keyword + description: The unique identifier of the cloud account. + - name: name + type: keyword + description: The name of the cloud account. + - name: external_id + type: keyword + description: The cloud provider's identifier for the account. + - name: cloud_provider + type: keyword + description: The cloud provider of the account. + - name: cloud_organizations + type: group + description: The cloud organizations associated with the detection. + fields: + - name: id + type: keyword + description: The unique identifier of the cloud organization. + - name: name + type: keyword + description: The name of the cloud organization. + - name: external_id + type: keyword + description: The cloud provider's identifier for the organization. + - name: cloud_provider + type: keyword + description: The cloud provider of the organization. + - name: primary_resource + type: group + description: The main resource affected by the detection. + fields: + - name: id + type: keyword + description: The unique identifier of the primary resource. + - name: name + type: keyword + description: The name of the primary resource. + - name: type + type: keyword + description: The type of the primary resource. + - name: external_id + type: keyword + description: The cloud provider's identifier for the primary resource. + - name: region + type: keyword + description: The cloud region where the primary resource is located. + - name: issue + type: group + description: The Wiz issue linked to this detection. + fields: + - name: id + type: keyword + description: The unique identifier of the linked issue. + - name: primary_actor + type: group + description: The main identity associated with the detection. + fields: + - name: id + type: keyword + description: The unique identifier of the primary actor. + - name: name + type: keyword + description: The name of the primary actor. + - name: type + type: keyword + description: The type of the primary actor. + - name: native_type + type: keyword + description: The actor type as defined by the cloud provider. + - name: email + type: keyword + description: The email address of the primary actor. + - name: user_agent + type: keyword + description: The user agent string associated with the actor's actions. + - name: mfa + type: boolean + description: Whether the actor authenticated with multi-factor authentication. + - name: federated + type: boolean + description: Whether the actor authenticated via a federated identity provider. + - name: friendly_name + type: keyword + description: A human-readable display name for the actor. + - name: access_key_id + type: keyword + description: The access key ID used by the actor, if applicable. + - name: external_id + type: keyword + description: The cloud provider's identifier for the actor. + - name: provider_unique_id + type: keyword + description: The globally unique identifier for the actor as assigned by the cloud provider. + - name: has_high_privileges + type: boolean + description: Whether the actor has high-privilege access. + - name: has_admin_privileges + type: boolean + description: Whether the actor has administrator-level access. + - name: has_high_kubernetes_privileges + type: boolean + description: Whether the actor has high-privilege access in Kubernetes. + - name: has_admin_kubernetes_privileges + type: boolean + description: Whether the actor has administrator-level access in Kubernetes. + - name: inactive_in_last_90_days + type: boolean + description: Whether the actor has been inactive for the last 90 days. + - name: acting_as + type: group + description: The identity the primary actor assumed when performing the detected actions. + fields: + - name: id + type: keyword + description: The unique identifier of the assumed identity. + - name: name + type: keyword + description: The name of the assumed identity. + - name: type + type: keyword + description: The type of the assumed identity. + - name: friendly_name + type: keyword + description: A human-readable display name for the assumed identity. + - name: access_key_id + type: keyword + description: The access key ID associated with the assumed identity. + - name: external_id + type: keyword + description: The cloud provider's identifier for the assumed identity. + - name: provider_unique_id + type: keyword + description: The globally unique identifier for the assumed identity as assigned by the cloud provider. + - name: cloud_account + type: group + description: The cloud account the primary actor belongs to. + fields: + - name: id + type: keyword + description: The unique identifier of the cloud account. + - name: external_id + type: keyword + description: The cloud provider's identifier for the account. + - name: name + type: keyword + description: The name of the cloud account. + - name: cloud_provider + type: keyword + description: The cloud provider of the account. + - name: triggering_events + type: group + description: The events that triggered the detection. + fields: + - name: total_count + type: long + description: The total number of triggering events. + - name: nodes + type: group + description: A list of triggering events. + fields: + - name: id + type: keyword + description: The unique identifier of the event. + - name: description + type: text + description: A description of the event. + - name: actor_ip + type: ip + description: The IP address of the actor that triggered the event. + - name: timestamp + type: date + description: The timestamp when the event occurred. + - name: raw_audit_log_record + type: flattened + description: The raw audit log data associated with the event. The structure varies by event source. + - name: command_line + type: keyword + description: The command line executed during the event, if applicable. + - name: runtime_program + type: group + description: The runtime program that executed the command. + fields: + - name: name + type: keyword + description: The name of the runtime program. + - name: parent_runtime_program + type: group + description: The parent process of the runtime program. + fields: + - name: name + type: keyword + description: The name of the parent runtime program. + - name: rule_match + type: group + description: The threat detection rule that matched and triggered this detection. + fields: + - name: rule + type: group + description: The matched rule. + fields: + - name: id + type: keyword + description: The unique identifier of the rule. + - name: name + type: keyword + description: The name of the rule. + - name: builtin + type: boolean + description: Whether the rule is a built-in Wiz rule or a custom rule. + - name: security_sub_categories + type: group + description: The security sub-categories the rule is mapped to. + fields: + - name: id + type: keyword + description: The unique identifier of the sub-category. + - name: title + type: keyword + description: The title of the sub-category. + - name: category + type: group + description: The parent category of the sub-category. + fields: + - name: id + type: keyword + description: The unique identifier of the category. + - name: name + type: keyword + description: The name of the category. + - name: framework + type: group + description: The security framework the category belongs to. + fields: + - name: id + type: keyword + description: The unique identifier of the framework. diff --git a/packages/wiz/data_stream/defend_v2/manifest.yml b/packages/wiz/data_stream/defend_v2/manifest.yml new file mode 100644 index 00000000000..c7cfcd1f947 --- /dev/null +++ b/packages/wiz/data_stream/defend_v2/manifest.yml @@ -0,0 +1,99 @@ +title: Collect Detection events from Wiz via API. +type: logs +streams: + - input: cel + title: Defend v2 logs + enabled: false + description: Collect Detection events from Wiz via the Detections API. + template_path: cel.yml.hbs + vars: + - name: initial_interval + type: text + title: Initial Interval + description: How far back to pull Detection events from Wiz. Supported units for this parameter are h/m/s. + multi: false + required: true + show_user: true + default: 24h + - name: interval + type: text + title: Interval + description: Duration between requests to the Wiz API. Must be 5m or longer. Supported units for this parameter are h/m/s. + default: 5m + multi: false + required: true + show_user: true + - name: batch_size + type: integer + title: Batch Size + description: Batch size for the response of the Wiz API. The maximum supported batch size value is 500. + default: 500 + multi: false + required: true + show_user: false + - name: http_client_timeout + type: text + title: HTTP Client Timeout + description: Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h. + multi: false + required: true + show_user: false + default: 30s + - name: resource_rate_limit_limit + type: text + title: Resource Rate Limit + description: The maximum request rate for the HTTP client, in requests per second. + multi: false + required: false + show_user: false + default: "0.5" + - name: resource_retry_max_attempts + type: text + title: Resource Retry Max Attempts + description: Maximum number of retries for the HTTP client. + multi: false + required: false + show_user: false + default: "10" + - name: max_executions + type: integer + title: Maximum Pages Per Interval + description: Maximum Pages Per Interval is the maximum number of pages that can be collected at each interval. + multi: false + required: false + show_user: false + default: 1000 + - name: enable_request_tracer + type: bool + title: Enable request tracing + default: false + multi: false + required: false + show_user: false + description: >- + The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. Disabling the request tracer will delete any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) for details. + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - wiz-defend-v2 + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/wiz/data_stream/defend_v2/sample_event.json b/packages/wiz/data_stream/defend_v2/sample_event.json new file mode 100644 index 00000000000..917c2d8b1d1 --- /dev/null +++ b/packages/wiz/data_stream/defend_v2/sample_event.json @@ -0,0 +1,298 @@ +{ + "@timestamp": "2026-07-01T15:13:36.318Z", + "cloud": { + "account": { + "id": [ + "100000000001" + ], + "name": [ + "example-cloud-account" + ] + }, + "provider": [ + "AWS" + ], + "region": "us-east-2" + }, + "ecs": { + "version": "9.3.0" + }, + "event": { + "category": [ + "threat" + ], + "id": "edb74e2d-e1bd-49a6-bcd7-ec6b2f5e4980", + "kind": "alert", + "original": "{\"type\":\"MATCH_ONLY\",\"origins\":[\"AWS_GUARD_DUTY\"],\"actors\":[{\"id\":\"7b6ce9df-40e3-4b6f-a0a0-1238986a32a5\",\"name\":\"192.0.2.10\",\"externalId\":\"192.0.2.10\",\"providerUniqueId\":null,\"type\":\"NETWORK_ADDRESS\"}],\"resources\":[{\"id\":\"afd6a19a-3f4e-4a69-9faf-4c313217b0e2\",\"name\":\"example-vm-1\",\"externalId\":\"i-0000000000000001\",\"providerUniqueId\":null,\"type\":\"VIRTUAL_MACHINE\"}],\"cloudAccounts\":[{\"id\":\"32a7e699-c09f-4afc-abf2-1e00e2998350\",\"name\":\"example-cloud-account\",\"externalId\":\"100000000001\",\"cloudProvider\":\"AWS\"}],\"cloudOrganizations\":null,\"createdAt\":\"2026-07-01T15:12:18.1559021Z\",\"updatedAt\":\"2026-07-01T15:13:36.3181301Z\",\"id\":\"edb74e2d-e1bd-49a6-bcd7-ec6b2f5e4980\",\"severity\":\"LOW\",\"description\":\"An EC2 instance has been involved in SSH brute force attacks. This rule's final severity is assigned dynamically according to the severity assigned by GuardDuty.\",\"primaryResource\":{\"type\":\"VIRTUAL_MACHINE\",\"name\":\"example-vm-1\",\"externalId\":\"i-0000000000000001\",\"region\":\"us-east-2\",\"id\":\"afd6a19a-3f4e-4a69-9faf-4c313217b0e2\"},\"issue\":null,\"primaryActor\":{\"id\":\"7b6ce9df-40e3-4b6f-a0a0-1238986a32a5\",\"name\":\"192.0.2.10\",\"type\":\"NETWORK_ADDRESS\",\"nativeType\":null,\"email\":null,\"userAgent\":null,\"MFA\":null,\"federated\":false,\"friendlyName\":null,\"accessKeyId\":null,\"externalId\":\"192.0.2.10\",\"providerUniqueId\":null,\"hasHighPrivileges\":false,\"hasAdminPrivileges\":false,\"hasHighKubernetesPrivileges\":false,\"hasAdminKubernetesPrivileges\":false,\"inactiveInLast90Days\":false,\"actingAs\":null,\"cloudAccount\":null},\"triggeringEvents\":{\"totalCountV2\":1,\"nodes\":[{\"id\":\"031e0c27-55c2-4496-92d9-4b7a97324515\",\"description\":\"192.0.2.10 is performing SSH brute force attacks against i-0000000000000001. Brute force attacks are used to gain unauthorized access to your instance by guessing the SSH password.\",\"actorIP\":\"192.0.2.10\",\"timestamp\":\"2026-07-01T15:05:03.533Z\",\"rawAuditLogRecord\":{},\"commandLine\":null,\"runtimeProgram\":{\"name\":null},\"parentRuntimeProgram\":{\"name\":null}}]},\"ruleMatch\":{\"rule\":{\"id\":\"f0568339-eb51-486b-bac1-7a835689f051\",\"name\":\"UnauthorizedAccess:EC2/SSHBruteForce\",\"builtin\":true,\"securitySubCategories\":[{\"id\":\"wsct-id-3522\",\"title\":\"Brute Force\",\"category\":{\"id\":\"wct-id-822\",\"name\":\"Credential Access\",\"framework\":{\"id\":\"wf-id-34\"}}},{\"id\":\"wsct-id-3518\",\"title\":\"Brute Force: Password Guessing\",\"category\":{\"id\":\"wct-id-822\",\"name\":\"Credential Access\",\"framework\":{\"id\":\"wf-id-34\"}}},{\"id\":\"wsct-id-3517\",\"title\":\"Brute Force: Password Cracking\",\"category\":{\"id\":\"wct-id-822\",\"name\":\"Credential Access\",\"framework\":{\"id\":\"wf-id-34\"}}},{\"id\":\"wsct-id-3519\",\"title\":\"Brute Force: Password Spraying\",\"category\":{\"id\":\"wct-id-822\",\"name\":\"Credential Access\",\"framework\":{\"id\":\"wf-id-34\"}}},{\"id\":\"wsct-id-3524\",\"title\":\"Brute Force: Credential Stuffing\",\"category\":{\"id\":\"wct-id-822\",\"name\":\"Credential Access\",\"framework\":{\"id\":\"wf-id-34\"}}},{\"id\":\"wsct-id-6532\",\"title\":\"Generic malicious activity\",\"category\":{\"id\":\"wct-id-2116\",\"name\":\"Generic malicious activity\",\"framework\":{\"id\":\"wf-id-103\"}}},{\"id\":\"wsct-id-10678\",\"title\":\"Credentials guessing\",\"category\":{\"id\":\"wct-id-1854\",\"name\":\"Initial Access\",\"framework\":{\"id\":\"wf-id-83\"}}},{\"id\":\"wsct-id-10714\",\"title\":\"Abnormal-sourced communication\",\"category\":{\"id\":\"wct-id-1861\",\"name\":\"C2 & Exfiltration\",\"framework\":{\"id\":\"wf-id-83\"}}},{\"id\":\"wsct-id-20507\",\"title\":\"Brute Force\",\"category\":{\"id\":\"wct-id-2772\",\"name\":\"Credential Access\",\"framework\":{\"id\":\"wf-id-181\"}}},{\"id\":\"wsct-id-20508\",\"title\":\"Brute Force: Password Guessing\",\"category\":{\"id\":\"wct-id-2772\",\"name\":\"Credential Access\",\"framework\":{\"id\":\"wf-id-181\"}}},{\"id\":\"wsct-id-20509\",\"title\":\"Brute Force: Password Cracking\",\"category\":{\"id\":\"wct-id-2772\",\"name\":\"Credential Access\",\"framework\":{\"id\":\"wf-id-181\"}}},{\"id\":\"wsct-id-20510\",\"title\":\"Brute Force: Password Spraying\",\"category\":{\"id\":\"wct-id-2772\",\"name\":\"Credential Access\",\"framework\":{\"id\":\"wf-id-181\"}}},{\"id\":\"wsct-id-20511\",\"title\":\"Brute Force: Credential Stuffing\",\"category\":{\"id\":\"wct-id-2772\",\"name\":\"Credential Access\",\"framework\":{\"id\":\"wf-id-181\"}}}]}}}", + "severity": 21, + "type": [ + "indicator" + ], + "agent_id_status": "verified", + "dataset": "wiz.defend_v2", + "ingested": "2026-07-02T12:00:00.000Z" + }, + "message": "An EC2 instance has been involved in SSH brute force attacks. This rule's final severity is assigned dynamically according to the severity assigned by GuardDuty.", + "observer": { + "product": "Defend", + "vendor": "Wiz" + }, + "related": { + "ip": [ + "192.0.2.10" + ] + }, + "rule": { + "category": [ + "Credential Access", + "Generic malicious activity", + "Initial Access", + "C2 & Exfiltration" + ], + "id": "f0568339-eb51-486b-bac1-7a835689f051", + "name": "UnauthorizedAccess:EC2/SSHBruteForce" + }, + "source": { + "ip": [ + "192.0.2.10" + ] + }, + "tags": [ + "preserve_original_event", + "forwarded", + "wiz-defend-v2" + ], + "wiz": { + "defend_v2": { + "actors": [ + { + "external_id": "192.0.2.10", + "id": "7b6ce9df-40e3-4b6f-a0a0-1238986a32a5", + "name": "192.0.2.10", + "type": "NETWORK_ADDRESS" + } + ], + "cloud_accounts": [ + { + "cloud_provider": "AWS", + "external_id": "100000000001", + "id": "32a7e699-c09f-4afc-abf2-1e00e2998350", + "name": "example-cloud-account" + } + ], + "created_at": "2026-07-01T15:12:18.155Z", + "origins": [ + "AWS_GUARD_DUTY" + ], + "primary_actor": { + "external_id": "192.0.2.10", + "federated": false, + "has_admin_kubernetes_privileges": false, + "has_admin_privileges": false, + "has_high_kubernetes_privileges": false, + "has_high_privileges": false, + "id": "7b6ce9df-40e3-4b6f-a0a0-1238986a32a5", + "inactive_in_last_90_days": false, + "name": "192.0.2.10", + "type": "NETWORK_ADDRESS" + }, + "primary_resource": { + "external_id": "i-0000000000000001", + "id": "afd6a19a-3f4e-4a69-9faf-4c313217b0e2", + "name": "example-vm-1", + "type": "VIRTUAL_MACHINE" + }, + "resources": [ + { + "external_id": "i-0000000000000001", + "id": "afd6a19a-3f4e-4a69-9faf-4c313217b0e2", + "name": "example-vm-1", + "type": "VIRTUAL_MACHINE" + } + ], + "rule_match": { + "rule": { + "builtin": true, + "security_sub_categories": [ + { + "category": { + "framework": { + "id": "wf-id-34" + }, + "id": "wct-id-822", + "name": "Credential Access" + }, + "id": "wsct-id-3522", + "title": "Brute Force" + }, + { + "category": { + "framework": { + "id": "wf-id-34" + }, + "id": "wct-id-822", + "name": "Credential Access" + }, + "id": "wsct-id-3518", + "title": "Brute Force: Password Guessing" + }, + { + "category": { + "framework": { + "id": "wf-id-34" + }, + "id": "wct-id-822", + "name": "Credential Access" + }, + "id": "wsct-id-3517", + "title": "Brute Force: Password Cracking" + }, + { + "category": { + "framework": { + "id": "wf-id-34" + }, + "id": "wct-id-822", + "name": "Credential Access" + }, + "id": "wsct-id-3519", + "title": "Brute Force: Password Spraying" + }, + { + "category": { + "framework": { + "id": "wf-id-34" + }, + "id": "wct-id-822", + "name": "Credential Access" + }, + "id": "wsct-id-3524", + "title": "Brute Force: Credential Stuffing" + }, + { + "category": { + "framework": { + "id": "wf-id-103" + }, + "id": "wct-id-2116", + "name": "Generic malicious activity" + }, + "id": "wsct-id-6532", + "title": "Generic malicious activity" + }, + { + "category": { + "framework": { + "id": "wf-id-83" + }, + "id": "wct-id-1854", + "name": "Initial Access" + }, + "id": "wsct-id-10678", + "title": "Credentials guessing" + }, + { + "category": { + "framework": { + "id": "wf-id-83" + }, + "id": "wct-id-1861", + "name": "C2 & Exfiltration" + }, + "id": "wsct-id-10714", + "title": "Abnormal-sourced communication" + }, + { + "category": { + "framework": { + "id": "wf-id-181" + }, + "id": "wct-id-2772", + "name": "Credential Access" + }, + "id": "wsct-id-20507", + "title": "Brute Force" + }, + { + "category": { + "framework": { + "id": "wf-id-181" + }, + "id": "wct-id-2772", + "name": "Credential Access" + }, + "id": "wsct-id-20508", + "title": "Brute Force: Password Guessing" + }, + { + "category": { + "framework": { + "id": "wf-id-181" + }, + "id": "wct-id-2772", + "name": "Credential Access" + }, + "id": "wsct-id-20509", + "title": "Brute Force: Password Cracking" + }, + { + "category": { + "framework": { + "id": "wf-id-181" + }, + "id": "wct-id-2772", + "name": "Credential Access" + }, + "id": "wsct-id-20510", + "title": "Brute Force: Password Spraying" + }, + { + "category": { + "framework": { + "id": "wf-id-181" + }, + "id": "wct-id-2772", + "name": "Credential Access" + }, + "id": "wsct-id-20511", + "title": "Brute Force: Credential Stuffing" + } + ] + } + }, + "severity": "LOW", + "triggering_events": { + "nodes": [ + { + "actor_ip": "192.0.2.10", + "description": "192.0.2.10 is performing SSH brute force attacks against i-0000000000000001. Brute force attacks are used to gain unauthorized access to your instance by guessing the SSH password.", + "id": "031e0c27-55c2-4496-92d9-4b7a97324515", + "timestamp": "2026-07-01T15:05:03.533Z" + } + ], + "total_count": 1 + }, + "type": "MATCH_ONLY" + } + }, + "agent": { + "ephemeral_id": "d95a7140-a5b6-418a-b00d-6bafacc2481e", + "id": "0059d5e7-da05-4e3e-becb-4c4d8eaa696c", + "name": "elastic-agent-41482", + "type": "filebeat", + "version": "8.19.2" + }, + "data_stream": { + "dataset": "wiz.defend_v2", + "namespace": "91669", + "type": "logs" + }, + "elastic_agent": { + "id": "0059d5e7-da05-4e3e-becb-4c4d8eaa696c", + "snapshot": false, + "version": "8.19.2" + }, + "input": { + "type": "cel" + } +} diff --git a/packages/wiz/data_stream/issue/elasticsearch/ingest_pipeline/default.yml b/packages/wiz/data_stream/issue/elasticsearch/ingest_pipeline/default.yml index 3eaf203c639..5065f7d230d 100644 --- a/packages/wiz/data_stream/issue/elasticsearch/ingest_pipeline/default.yml +++ b/packages/wiz/data_stream/issue/elasticsearch/ingest_pipeline/default.yml @@ -9,17 +9,6 @@ processors: tag: data_collection_error if: ctx.error?.message != null && ctx.message == null && ctx.event?.original == null description: error message set and no data to process. - - remove: - field: - - organization - - division - - team - ignore_missing: true - if: ctx.organization instanceof String && ctx.division instanceof String && ctx.team instanceof String - tag: remove_agentless_tags - description: >- - Removes the fields added by Agentless as metadata, - as they can collide with ECS fields. - rename: field: message tag: rename_message diff --git a/packages/wiz/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml b/packages/wiz/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml index 4ac117b5839..507fadc5bab 100644 --- a/packages/wiz/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml +++ b/packages/wiz/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml @@ -9,17 +9,6 @@ processors: tag: data_collection_error if: ctx.error?.message != null && ctx.message == null && ctx.event?.original == null description: error message set and no data to process. - - remove: - field: - - organization - - division - - team - ignore_missing: true - if: ctx.organization instanceof String && ctx.division instanceof String && ctx.team instanceof String - tag: remove_agentless_tags - description: >- - Removes the fields added by Agentless as metadata, - as they can collide with ECS fields. - set: field: event.kind tag: set_event_kind diff --git a/packages/wiz/docs/README.md b/packages/wiz/docs/README.md index 344ebdab3eb..63549af463c 100644 --- a/packages/wiz/docs/README.md +++ b/packages/wiz/docs/README.md @@ -6,7 +6,7 @@ The Wiz integration enables you to consume and analyze Wiz data within Elastic S ## Data streams -The Wiz integration collects five types of data: +The Wiz integration collects six types of data: - **Audit** - The Audit log records key events within the Wiz platform, including logins and any mutation API calls executed in the Wiz portal (such as write, edit, delete, and save actions). @@ -14,6 +14,8 @@ The Wiz integration collects five types of data: - **Defend** - Detects and alerts on real-time cloud threats using runtime signals, logs, and Wiz’s security graph via webhook integrations. +- **Defend v2** - Detections generated by Threat Detection Rules, which give enhanced granularity and visibility into network activities and potential security incidents. + - **Issue** - Issues represent active risks or threats identified in your cloud environment. - **Vulnerability** - Vulnerabilities are weaknesses in computer systems that can be exploited by malicious attackers. @@ -26,7 +28,7 @@ This integration supports using Elastic Agent or agentless ingestion of data. Elastic Agent must be installed. For more details, check the Elastic Agent [installation instructions](docs-content://reference/fleet/install-elastic-agents.md). -The minimum **kibana.version** required is **8.10.1**. +The minimum **kibana.version** required is **8.19.2** or **9.1.2**. This module has been tested against the **Wiz API Version v1**. ## Agentless-enabled integration @@ -62,6 +64,7 @@ Agentless deployments are only supported in Elastic Serverless and Elastic Cloud | Vulnerability | read:vulnerabilities | | Cloud Configuration Finding | read:cloud_configuration | | Cloud Configuration Finding Full Posture | read:cloud_configuration | + | Defend v2 | read:detections, read:cloud_events_cloud, read:cloud_events_sensor, read:security_scans | ### Collect logs (Defend) via HTTP Endpoint @@ -970,6 +973,406 @@ An example event for `defend` looks as following: | wiz.defend.triggering_events_count | Count of events that triggered detection. | long | +### Defend v2 + +This is the `Defend v2` dataset. + +#### Example + +An example event for `defend_v2` looks as following: + +```json +{ + "@timestamp": "2026-07-01T15:13:36.318Z", + "cloud": { + "account": { + "id": [ + "100000000001" + ], + "name": [ + "example-cloud-account" + ] + }, + "provider": [ + "AWS" + ], + "region": "us-east-2" + }, + "ecs": { + "version": "9.3.0" + }, + "event": { + "category": [ + "threat" + ], + "id": "edb74e2d-e1bd-49a6-bcd7-ec6b2f5e4980", + "kind": "alert", + "original": "{\"type\":\"MATCH_ONLY\",\"origins\":[\"AWS_GUARD_DUTY\"],\"actors\":[{\"id\":\"7b6ce9df-40e3-4b6f-a0a0-1238986a32a5\",\"name\":\"192.0.2.10\",\"externalId\":\"192.0.2.10\",\"providerUniqueId\":null,\"type\":\"NETWORK_ADDRESS\"}],\"resources\":[{\"id\":\"afd6a19a-3f4e-4a69-9faf-4c313217b0e2\",\"name\":\"example-vm-1\",\"externalId\":\"i-0000000000000001\",\"providerUniqueId\":null,\"type\":\"VIRTUAL_MACHINE\"}],\"cloudAccounts\":[{\"id\":\"32a7e699-c09f-4afc-abf2-1e00e2998350\",\"name\":\"example-cloud-account\",\"externalId\":\"100000000001\",\"cloudProvider\":\"AWS\"}],\"cloudOrganizations\":null,\"createdAt\":\"2026-07-01T15:12:18.1559021Z\",\"updatedAt\":\"2026-07-01T15:13:36.3181301Z\",\"id\":\"edb74e2d-e1bd-49a6-bcd7-ec6b2f5e4980\",\"severity\":\"LOW\",\"description\":\"An EC2 instance has been involved in SSH brute force attacks. This rule's final severity is assigned dynamically according to the severity assigned by GuardDuty.\",\"primaryResource\":{\"type\":\"VIRTUAL_MACHINE\",\"name\":\"example-vm-1\",\"externalId\":\"i-0000000000000001\",\"region\":\"us-east-2\",\"id\":\"afd6a19a-3f4e-4a69-9faf-4c313217b0e2\"},\"issue\":null,\"primaryActor\":{\"id\":\"7b6ce9df-40e3-4b6f-a0a0-1238986a32a5\",\"name\":\"192.0.2.10\",\"type\":\"NETWORK_ADDRESS\",\"nativeType\":null,\"email\":null,\"userAgent\":null,\"MFA\":null,\"federated\":false,\"friendlyName\":null,\"accessKeyId\":null,\"externalId\":\"192.0.2.10\",\"providerUniqueId\":null,\"hasHighPrivileges\":false,\"hasAdminPrivileges\":false,\"hasHighKubernetesPrivileges\":false,\"hasAdminKubernetesPrivileges\":false,\"inactiveInLast90Days\":false,\"actingAs\":null,\"cloudAccount\":null},\"triggeringEvents\":{\"totalCountV2\":1,\"nodes\":[{\"id\":\"031e0c27-55c2-4496-92d9-4b7a97324515\",\"description\":\"192.0.2.10 is performing SSH brute force attacks against i-0000000000000001. Brute force attacks are used to gain unauthorized access to your instance by guessing the SSH password.\",\"actorIP\":\"192.0.2.10\",\"timestamp\":\"2026-07-01T15:05:03.533Z\",\"rawAuditLogRecord\":{},\"commandLine\":null,\"runtimeProgram\":{\"name\":null},\"parentRuntimeProgram\":{\"name\":null}}]},\"ruleMatch\":{\"rule\":{\"id\":\"f0568339-eb51-486b-bac1-7a835689f051\",\"name\":\"UnauthorizedAccess:EC2/SSHBruteForce\",\"builtin\":true,\"securitySubCategories\":[{\"id\":\"wsct-id-3522\",\"title\":\"Brute Force\",\"category\":{\"id\":\"wct-id-822\",\"name\":\"Credential Access\",\"framework\":{\"id\":\"wf-id-34\"}}},{\"id\":\"wsct-id-3518\",\"title\":\"Brute Force: Password Guessing\",\"category\":{\"id\":\"wct-id-822\",\"name\":\"Credential Access\",\"framework\":{\"id\":\"wf-id-34\"}}},{\"id\":\"wsct-id-3517\",\"title\":\"Brute Force: Password Cracking\",\"category\":{\"id\":\"wct-id-822\",\"name\":\"Credential Access\",\"framework\":{\"id\":\"wf-id-34\"}}},{\"id\":\"wsct-id-3519\",\"title\":\"Brute Force: Password Spraying\",\"category\":{\"id\":\"wct-id-822\",\"name\":\"Credential Access\",\"framework\":{\"id\":\"wf-id-34\"}}},{\"id\":\"wsct-id-3524\",\"title\":\"Brute Force: Credential Stuffing\",\"category\":{\"id\":\"wct-id-822\",\"name\":\"Credential Access\",\"framework\":{\"id\":\"wf-id-34\"}}},{\"id\":\"wsct-id-6532\",\"title\":\"Generic malicious activity\",\"category\":{\"id\":\"wct-id-2116\",\"name\":\"Generic malicious activity\",\"framework\":{\"id\":\"wf-id-103\"}}},{\"id\":\"wsct-id-10678\",\"title\":\"Credentials guessing\",\"category\":{\"id\":\"wct-id-1854\",\"name\":\"Initial Access\",\"framework\":{\"id\":\"wf-id-83\"}}},{\"id\":\"wsct-id-10714\",\"title\":\"Abnormal-sourced communication\",\"category\":{\"id\":\"wct-id-1861\",\"name\":\"C2 & Exfiltration\",\"framework\":{\"id\":\"wf-id-83\"}}},{\"id\":\"wsct-id-20507\",\"title\":\"Brute Force\",\"category\":{\"id\":\"wct-id-2772\",\"name\":\"Credential Access\",\"framework\":{\"id\":\"wf-id-181\"}}},{\"id\":\"wsct-id-20508\",\"title\":\"Brute Force: Password Guessing\",\"category\":{\"id\":\"wct-id-2772\",\"name\":\"Credential Access\",\"framework\":{\"id\":\"wf-id-181\"}}},{\"id\":\"wsct-id-20509\",\"title\":\"Brute Force: Password Cracking\",\"category\":{\"id\":\"wct-id-2772\",\"name\":\"Credential Access\",\"framework\":{\"id\":\"wf-id-181\"}}},{\"id\":\"wsct-id-20510\",\"title\":\"Brute Force: Password Spraying\",\"category\":{\"id\":\"wct-id-2772\",\"name\":\"Credential Access\",\"framework\":{\"id\":\"wf-id-181\"}}},{\"id\":\"wsct-id-20511\",\"title\":\"Brute Force: Credential Stuffing\",\"category\":{\"id\":\"wct-id-2772\",\"name\":\"Credential Access\",\"framework\":{\"id\":\"wf-id-181\"}}}]}}}", + "severity": 21, + "type": [ + "indicator" + ], + "agent_id_status": "verified", + "dataset": "wiz.defend_v2", + "ingested": "2026-07-02T12:00:00.000Z" + }, + "message": "An EC2 instance has been involved in SSH brute force attacks. This rule's final severity is assigned dynamically according to the severity assigned by GuardDuty.", + "observer": { + "product": "Defend", + "vendor": "Wiz" + }, + "related": { + "ip": [ + "192.0.2.10" + ] + }, + "rule": { + "category": [ + "Credential Access", + "Generic malicious activity", + "Initial Access", + "C2 & Exfiltration" + ], + "id": "f0568339-eb51-486b-bac1-7a835689f051", + "name": "UnauthorizedAccess:EC2/SSHBruteForce" + }, + "source": { + "ip": [ + "192.0.2.10" + ] + }, + "tags": [ + "preserve_original_event", + "forwarded", + "wiz-defend-v2" + ], + "wiz": { + "defend_v2": { + "actors": [ + { + "external_id": "192.0.2.10", + "id": "7b6ce9df-40e3-4b6f-a0a0-1238986a32a5", + "name": "192.0.2.10", + "type": "NETWORK_ADDRESS" + } + ], + "cloud_accounts": [ + { + "cloud_provider": "AWS", + "external_id": "100000000001", + "id": "32a7e699-c09f-4afc-abf2-1e00e2998350", + "name": "example-cloud-account" + } + ], + "created_at": "2026-07-01T15:12:18.155Z", + "origins": [ + "AWS_GUARD_DUTY" + ], + "primary_actor": { + "external_id": "192.0.2.10", + "federated": false, + "has_admin_kubernetes_privileges": false, + "has_admin_privileges": false, + "has_high_kubernetes_privileges": false, + "has_high_privileges": false, + "id": "7b6ce9df-40e3-4b6f-a0a0-1238986a32a5", + "inactive_in_last_90_days": false, + "name": "192.0.2.10", + "type": "NETWORK_ADDRESS" + }, + "primary_resource": { + "external_id": "i-0000000000000001", + "id": "afd6a19a-3f4e-4a69-9faf-4c313217b0e2", + "name": "example-vm-1", + "type": "VIRTUAL_MACHINE" + }, + "resources": [ + { + "external_id": "i-0000000000000001", + "id": "afd6a19a-3f4e-4a69-9faf-4c313217b0e2", + "name": "example-vm-1", + "type": "VIRTUAL_MACHINE" + } + ], + "rule_match": { + "rule": { + "builtin": true, + "security_sub_categories": [ + { + "category": { + "framework": { + "id": "wf-id-34" + }, + "id": "wct-id-822", + "name": "Credential Access" + }, + "id": "wsct-id-3522", + "title": "Brute Force" + }, + { + "category": { + "framework": { + "id": "wf-id-34" + }, + "id": "wct-id-822", + "name": "Credential Access" + }, + "id": "wsct-id-3518", + "title": "Brute Force: Password Guessing" + }, + { + "category": { + "framework": { + "id": "wf-id-34" + }, + "id": "wct-id-822", + "name": "Credential Access" + }, + "id": "wsct-id-3517", + "title": "Brute Force: Password Cracking" + }, + { + "category": { + "framework": { + "id": "wf-id-34" + }, + "id": "wct-id-822", + "name": "Credential Access" + }, + "id": "wsct-id-3519", + "title": "Brute Force: Password Spraying" + }, + { + "category": { + "framework": { + "id": "wf-id-34" + }, + "id": "wct-id-822", + "name": "Credential Access" + }, + "id": "wsct-id-3524", + "title": "Brute Force: Credential Stuffing" + }, + { + "category": { + "framework": { + "id": "wf-id-103" + }, + "id": "wct-id-2116", + "name": "Generic malicious activity" + }, + "id": "wsct-id-6532", + "title": "Generic malicious activity" + }, + { + "category": { + "framework": { + "id": "wf-id-83" + }, + "id": "wct-id-1854", + "name": "Initial Access" + }, + "id": "wsct-id-10678", + "title": "Credentials guessing" + }, + { + "category": { + "framework": { + "id": "wf-id-83" + }, + "id": "wct-id-1861", + "name": "C2 & Exfiltration" + }, + "id": "wsct-id-10714", + "title": "Abnormal-sourced communication" + }, + { + "category": { + "framework": { + "id": "wf-id-181" + }, + "id": "wct-id-2772", + "name": "Credential Access" + }, + "id": "wsct-id-20507", + "title": "Brute Force" + }, + { + "category": { + "framework": { + "id": "wf-id-181" + }, + "id": "wct-id-2772", + "name": "Credential Access" + }, + "id": "wsct-id-20508", + "title": "Brute Force: Password Guessing" + }, + { + "category": { + "framework": { + "id": "wf-id-181" + }, + "id": "wct-id-2772", + "name": "Credential Access" + }, + "id": "wsct-id-20509", + "title": "Brute Force: Password Cracking" + }, + { + "category": { + "framework": { + "id": "wf-id-181" + }, + "id": "wct-id-2772", + "name": "Credential Access" + }, + "id": "wsct-id-20510", + "title": "Brute Force: Password Spraying" + }, + { + "category": { + "framework": { + "id": "wf-id-181" + }, + "id": "wct-id-2772", + "name": "Credential Access" + }, + "id": "wsct-id-20511", + "title": "Brute Force: Credential Stuffing" + } + ] + } + }, + "severity": "LOW", + "triggering_events": { + "nodes": [ + { + "actor_ip": "192.0.2.10", + "description": "192.0.2.10 is performing SSH brute force attacks against i-0000000000000001. Brute force attacks are used to gain unauthorized access to your instance by guessing the SSH password.", + "id": "031e0c27-55c2-4496-92d9-4b7a97324515", + "timestamp": "2026-07-01T15:05:03.533Z" + } + ], + "total_count": 1 + }, + "type": "MATCH_ONLY" + } + }, + "agent": { + "ephemeral_id": "d95a7140-a5b6-418a-b00d-6bafacc2481e", + "id": "0059d5e7-da05-4e3e-becb-4c4d8eaa696c", + "name": "elastic-agent-41482", + "type": "filebeat", + "version": "8.19.2" + }, + "data_stream": { + "dataset": "wiz.defend_v2", + "namespace": "91669", + "type": "logs" + }, + "elastic_agent": { + "id": "0059d5e7-da05-4e3e-becb-4c4d8eaa696c", + "snapshot": false, + "version": "8.19.2" + }, + "input": { + "type": "cel" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | +| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword | +| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | constant_keyword | +| input.type | Type of filebeat input. | keyword | +| observer.product | The product name of the observer. | constant_keyword | +| observer.vendor | Vendor name of the observer. | constant_keyword | +| wiz.defend_v2.actors.external_id | The cloud provider's identifier for the actor. | keyword | +| wiz.defend_v2.actors.id | The unique identifier of the actor. | keyword | +| wiz.defend_v2.actors.name | The name of the actor. | keyword | +| wiz.defend_v2.actors.provider_unique_id | The globally unique identifier for the actor as assigned by the cloud provider. | keyword | +| wiz.defend_v2.actors.type | The type of actor. | keyword | +| wiz.defend_v2.cloud_accounts.cloud_provider | The cloud provider of the account. | keyword | +| wiz.defend_v2.cloud_accounts.external_id | The cloud provider's identifier for the account. | keyword | +| wiz.defend_v2.cloud_accounts.id | The unique identifier of the cloud account. | keyword | +| wiz.defend_v2.cloud_accounts.name | The name of the cloud account. | keyword | +| wiz.defend_v2.cloud_organizations.cloud_provider | The cloud provider of the organization. | keyword | +| wiz.defend_v2.cloud_organizations.external_id | The cloud provider's identifier for the organization. | keyword | +| wiz.defend_v2.cloud_organizations.id | The unique identifier of the cloud organization. | keyword | +| wiz.defend_v2.cloud_organizations.name | The name of the cloud organization. | keyword | +| wiz.defend_v2.created_at | The timestamp when the detection was created. | date | +| wiz.defend_v2.description | A Markdown-formatted description of the detection. | text | +| wiz.defend_v2.id | The unique identifier of the detection. | keyword | +| wiz.defend_v2.issue.id | The unique identifier of the linked issue. | keyword | +| wiz.defend_v2.origins | The data sources that contributed to the detection. | keyword | +| wiz.defend_v2.primary_actor.access_key_id | The access key ID used by the actor, if applicable. | keyword | +| wiz.defend_v2.primary_actor.acting_as.access_key_id | The access key ID associated with the assumed identity. | keyword | +| wiz.defend_v2.primary_actor.acting_as.external_id | The cloud provider's identifier for the assumed identity. | keyword | +| wiz.defend_v2.primary_actor.acting_as.friendly_name | A human-readable display name for the assumed identity. | keyword | +| wiz.defend_v2.primary_actor.acting_as.id | The unique identifier of the assumed identity. | keyword | +| wiz.defend_v2.primary_actor.acting_as.name | The name of the assumed identity. | keyword | +| wiz.defend_v2.primary_actor.acting_as.provider_unique_id | The globally unique identifier for the assumed identity as assigned by the cloud provider. | keyword | +| wiz.defend_v2.primary_actor.acting_as.type | The type of the assumed identity. | keyword | +| wiz.defend_v2.primary_actor.cloud_account.cloud_provider | The cloud provider of the account. | keyword | +| wiz.defend_v2.primary_actor.cloud_account.external_id | The cloud provider's identifier for the account. | keyword | +| wiz.defend_v2.primary_actor.cloud_account.id | The unique identifier of the cloud account. | keyword | +| wiz.defend_v2.primary_actor.cloud_account.name | The name of the cloud account. | keyword | +| wiz.defend_v2.primary_actor.email | The email address of the primary actor. | keyword | +| wiz.defend_v2.primary_actor.external_id | The cloud provider's identifier for the actor. | keyword | +| wiz.defend_v2.primary_actor.federated | Whether the actor authenticated via a federated identity provider. | boolean | +| wiz.defend_v2.primary_actor.friendly_name | A human-readable display name for the actor. | keyword | +| wiz.defend_v2.primary_actor.has_admin_kubernetes_privileges | Whether the actor has administrator-level access in Kubernetes. | boolean | +| wiz.defend_v2.primary_actor.has_admin_privileges | Whether the actor has administrator-level access. | boolean | +| wiz.defend_v2.primary_actor.has_high_kubernetes_privileges | Whether the actor has high-privilege access in Kubernetes. | boolean | +| wiz.defend_v2.primary_actor.has_high_privileges | Whether the actor has high-privilege access. | boolean | +| wiz.defend_v2.primary_actor.id | The unique identifier of the primary actor. | keyword | +| wiz.defend_v2.primary_actor.inactive_in_last_90_days | Whether the actor has been inactive for the last 90 days. | boolean | +| wiz.defend_v2.primary_actor.mfa | Whether the actor authenticated with multi-factor authentication. | boolean | +| wiz.defend_v2.primary_actor.name | The name of the primary actor. | keyword | +| wiz.defend_v2.primary_actor.native_type | The actor type as defined by the cloud provider. | keyword | +| wiz.defend_v2.primary_actor.provider_unique_id | The globally unique identifier for the actor as assigned by the cloud provider. | keyword | +| wiz.defend_v2.primary_actor.type | The type of the primary actor. | keyword | +| wiz.defend_v2.primary_actor.user_agent | The user agent string associated with the actor's actions. | keyword | +| wiz.defend_v2.primary_resource.external_id | The cloud provider's identifier for the primary resource. | keyword | +| wiz.defend_v2.primary_resource.id | The unique identifier of the primary resource. | keyword | +| wiz.defend_v2.primary_resource.name | The name of the primary resource. | keyword | +| wiz.defend_v2.primary_resource.region | The cloud region where the primary resource is located. | keyword | +| wiz.defend_v2.primary_resource.type | The type of the primary resource. | keyword | +| wiz.defend_v2.resources.external_id | The cloud provider's identifier for the resource. | keyword | +| wiz.defend_v2.resources.id | The unique identifier of the resource. | keyword | +| wiz.defend_v2.resources.name | The name of the resource. | keyword | +| wiz.defend_v2.resources.provider_unique_id | The globally unique identifier for the resource as assigned by the cloud provider. | keyword | +| wiz.defend_v2.resources.type | The type of resource. | keyword | +| wiz.defend_v2.rule_match.rule.builtin | Whether the rule is a built-in Wiz rule or a custom rule. | boolean | +| wiz.defend_v2.rule_match.rule.id | The unique identifier of the rule. | keyword | +| wiz.defend_v2.rule_match.rule.name | The name of the rule. | keyword | +| wiz.defend_v2.rule_match.rule.security_sub_categories.category.framework.id | The unique identifier of the framework. | keyword | +| wiz.defend_v2.rule_match.rule.security_sub_categories.category.id | The unique identifier of the category. | keyword | +| wiz.defend_v2.rule_match.rule.security_sub_categories.category.name | The name of the category. | keyword | +| wiz.defend_v2.rule_match.rule.security_sub_categories.id | The unique identifier of the sub-category. | keyword | +| wiz.defend_v2.rule_match.rule.security_sub_categories.title | The title of the sub-category. | keyword | +| wiz.defend_v2.severity | The severity of the detection. Possible values: CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL. | keyword | +| wiz.defend_v2.triggering_events.nodes.actor_ip | The IP address of the actor that triggered the event. | ip | +| wiz.defend_v2.triggering_events.nodes.command_line | The command line executed during the event, if applicable. | keyword | +| wiz.defend_v2.triggering_events.nodes.description | A description of the event. | text | +| wiz.defend_v2.triggering_events.nodes.id | The unique identifier of the event. | keyword | +| wiz.defend_v2.triggering_events.nodes.parent_runtime_program.name | The name of the parent runtime program. | keyword | +| wiz.defend_v2.triggering_events.nodes.raw_audit_log_record | The raw audit log data associated with the event. The structure varies by event source. | flattened | +| wiz.defend_v2.triggering_events.nodes.runtime_program.name | The name of the runtime program. | keyword | +| wiz.defend_v2.triggering_events.nodes.timestamp | The timestamp when the event occurred. | date | +| wiz.defend_v2.triggering_events.total_count | The total number of triggering events. | long | +| wiz.defend_v2.type | The detection type. | keyword | +| wiz.defend_v2.updated_at | The timestamp when the detection was last updated. | date | + + ### Issue This is the `Issue` dataset. diff --git a/packages/wiz/img/wiz-defend-v-2-dashboard.png b/packages/wiz/img/wiz-defend-v-2-dashboard.png new file mode 100644 index 00000000000..b0b742165b0 Binary files /dev/null and b/packages/wiz/img/wiz-defend-v-2-dashboard.png differ diff --git a/packages/wiz/kibana/dashboard/wiz-ef5b5469-8957-49ec-85f3-1c48cecb34e4.json b/packages/wiz/kibana/dashboard/wiz-ef5b5469-8957-49ec-85f3-1c48cecb34e4.json new file mode 100644 index 00000000000..59177322635 --- /dev/null +++ b/packages/wiz/kibana/dashboard/wiz-ef5b5469-8957-49ec-85f3-1c48cecb34e4.json @@ -0,0 +1,1324 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": { + "ignoreFilters": false, + "ignoreQuery": false, + "ignoreTimerange": false, + "ignoreValidations": false + }, + "panelsJSON": { + "0234bd3d-9692-4d79-8e7d-9cd4e61ae5ec": { + "explicitInput": { + "dataViewId": "logs-*", + "exclude": false, + "existsSelected": false, + "fieldName": "rule.name", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Rule Name" + }, + "grow": true, + "order": 2, + "type": "optionsListControl", + "width": "medium" + }, + "2f4e785b-c08b-4a1a-8c61-711e097ad277": { + "explicitInput": { + "dataViewId": "logs-*", + "exclude": false, + "existsSelected": false, + "fieldName": "event.severity", + "searchTechnique": "exact", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Severity" + }, + "grow": true, + "order": 0, + "type": "optionsListControl", + "width": "medium" + }, + "aa0a2c66-183e-4429-ad49-8dd8ea6135c4": { + "explicitInput": { + "dataViewId": "logs-*", + "exclude": false, + "existsSelected": false, + "fieldName": "wiz.defend_v2.primary_resource.type", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Resource Type" + }, + "grow": true, + "order": 1, + "type": "optionsListControl", + "width": "medium" + } + }, + "showApplySelections": false + }, + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "wiz.defend_v2" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "wiz.defend_v2" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "attributes": { + "layout": "vertical", + "links": [ + { + "destinationRefName": "link_e0ec5ea1-7c0b-41d3-ba9c-1a352463eab9_dashboard", + "id": "e0ec5ea1-7c0b-41d3-ba9c-1a352463eab9", + "label": "Defend", + "options": { + "openInNewTab": false, + "useCurrentDateRange": true, + "useCurrentFilters": false + }, + "order": 0, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_460e787f-7378-4fcb-a0e5-1a47904ee5b6_dashboard", + "id": "460e787f-7378-4fcb-a0e5-1a47904ee5b6", + "label": "Defend V2", + "options": { + "openInNewTab": false, + "useCurrentDateRange": true, + "useCurrentFilters": false + }, + "order": 1, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_18e8f90a-5370-4200-a482-bed6c5cf7134_dashboard", + "id": "18e8f90a-5370-4200-a482-bed6c5cf7134", + "label": "Vulnerability", + "options": { + "openInNewTab": false, + "useCurrentDateRange": true, + "useCurrentFilters": false + }, + "order": 2, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_8ab0bc5d-eb89-45a7-8287-44f6c8429748_dashboard", + "id": "8ab0bc5d-eb89-45a7-8287-44f6c8429748", + "label": "Issue", + "options": { + "openInNewTab": false, + "useCurrentDateRange": true, + "useCurrentFilters": false + }, + "order": 3, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_469f9f09-03af-461c-9d50-1d5f3ace072f_dashboard", + "id": "469f9f09-03af-461c-9d50-1d5f3ace072f", + "label": "Audit", + "options": { + "openInNewTab": false, + "useCurrentDateRange": true, + "useCurrentFilters": false + }, + "order": 4, + "type": "dashboardLink" + }, + { + "destinationRefName": "link_a13e8853-7254-4c48-ac78-841eac660c85_dashboard", + "id": "a13e8853-7254-4c48-ac78-841eac660c85", + "label": "Cloud Configuration Finding", + "options": { + "openInNewTab": false, + "useCurrentDateRange": true, + "useCurrentFilters": false + }, + "order": 5, + "type": "dashboardLink" + } + ] + }, + "title": "Table of Content" + }, + "gridData": { + "h": 10, + "i": "cb642fa3-cd8c-4a28-9280-b63ef669b489", + "w": 8, + "x": 0, + "y": 0 + }, + "panelIndex": "cb642fa3-cd8c-4a28-9280-b63ef669b489", + "type": "links" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-b544291b-989a-419b-bcad-fddeb514e08e", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "b544291b-989a-419b-bcad-fddeb514e08e": { + "columnOrder": [ + "85136554-512f-4569-9ff6-9a9ec6b451b0" + ], + "columns": { + "85136554-512f-4569-9ff6-9a9ec6b451b0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Detections ", + "operationType": "unique_count", + "params": { + "emptyAsNull": false + }, + "sourceField": "event.id" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "b544291b-989a-419b-bcad-fddeb514e08e", + "layerType": "data", + "metricAccessor": "85136554-512f-4569-9ff6-9a9ec6b451b0", + "secondaryTrend": { + "type": "none" + } + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "title": "Total Detections" + }, + "gridData": { + "h": 14, + "i": "00db63b3-418a-422a-8d0e-f6419787b0f0", + "w": 8, + "x": 8, + "y": 0 + }, + "panelIndex": "00db63b3-418a-422a-8d0e-f6419787b0f0", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-ab526641-395a-46dd-b316-f9a57b51242e", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "ab526641-395a-46dd-b316-f9a57b51242e": { + "columnOrder": [ + "41870108-68b8-4221-afc9-816ffd1fe883", + "765bb1ca-1e16-4faa-87f6-de13ae71ed5b", + "4e8a98e9-8629-4a91-9553-db3c14fcf008" + ], + "columns": { + "41870108-68b8-4221-afc9-816ffd1fe883": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Severity", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "4e8a98e9-8629-4a91-9553-db3c14fcf008", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "sourceField": "wiz.defend_v2.severity" + }, + "4e8a98e9-8629-4a91-9553-db3c14fcf008": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": false + }, + "sourceField": "event.id" + }, + "765bb1ca-1e16-4faa-87f6-de13ae71ed5b": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "Timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "sourceField": "@timestamp" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "Linear", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "4e8a98e9-8629-4a91-9553-db3c14fcf008" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "default", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rules": [ + { + "type": "other" + } + ], + "touched": false + } + ] + }, + "layerId": "ab526641-395a-46dd-b316-f9a57b51242e", + "layerType": "data", + "seriesType": "line", + "splitAccessor": "41870108-68b8-4221-afc9-816ffd1fe883", + "xAccessor": "765bb1ca-1e16-4faa-87f6-de13ae71ed5b" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "title": "Events over Time by Severity " + }, + "gridData": { + "h": 14, + "i": "66a8624a-fa0c-4181-adeb-edf605a24558", + "w": 32, + "x": 16, + "y": 0 + }, + "panelIndex": "66a8624a-fa0c-4181-adeb-edf605a24558", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-d6a7129b-e1ac-48d4-bf12-4acef21d82b1", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "d6a7129b-e1ac-48d4-bf12-4acef21d82b1": { + "columnOrder": [ + "a1a487de-a912-4441-b564-e2b1f1a73d77", + "3a5f3494-14c3-477d-b5db-c74723058a59" + ], + "columns": { + "3a5f3494-14c3-477d-b5db-c74723058a59": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "sourceField": "___records___" + }, + "a1a487de-a912-4441-b564-e2b1f1a73d77": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Primary Resource Type", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "3a5f3494-14c3-477d-b5db-c74723058a59", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "sourceField": "wiz.defend_v2.primary_resource.type" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "3a5f3494-14c3-477d-b5db-c74723058a59" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "default", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rules": [ + { + "type": "other" + } + ], + "touched": false + } + ] + }, + "layerId": "d6a7129b-e1ac-48d4-bf12-4acef21d82b1", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal", + "showGridlines": false, + "xAccessor": "a1a487de-a912-4441-b564-e2b1f1a73d77" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "title": "Events by Primary Resource Type" + }, + "gridData": { + "h": 15, + "i": "74fc6f07-41d0-47df-8513-799639723f5c", + "w": 24, + "x": 0, + "y": 28 + }, + "panelIndex": "74fc6f07-41d0-47df-8513-799639723f5c", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-d6a7129b-e1ac-48d4-bf12-4acef21d82b1", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "d6a7129b-e1ac-48d4-bf12-4acef21d82b1": { + "columnOrder": [ + "a1a487de-a912-4441-b564-e2b1f1a73d77", + "3a5f3494-14c3-477d-b5db-c74723058a59" + ], + "columns": { + "3a5f3494-14c3-477d-b5db-c74723058a59": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": false + }, + "sourceField": "event.id" + }, + "a1a487de-a912-4441-b564-e2b1f1a73d77": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Rule Name", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "3a5f3494-14c3-477d-b5db-c74723058a59", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "sourceField": "rule.name" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "3a5f3494-14c3-477d-b5db-c74723058a59" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "default", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rules": [ + { + "type": "other" + } + ], + "touched": false + } + ] + }, + "layerId": "d6a7129b-e1ac-48d4-bf12-4acef21d82b1", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal", + "showGridlines": false, + "xAccessor": "a1a487de-a912-4441-b564-e2b1f1a73d77" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "title": "Events by Rule Name " + }, + "gridData": { + "h": 15, + "i": "302945f7-b0d0-4a5d-9f5e-cbe6429f86a0", + "w": 24, + "x": 24, + "y": 28 + }, + "panelIndex": "302945f7-b0d0-4a5d-9f5e-cbe6429f86a0", + "type": "lens" + }, + { + "embeddableConfig": { + "savedObjectId": "f13e693c-d234-49ef-9b6d-679c0d22c4be" + }, + "gridData": { + "h": 14, + "i": "2f9c17d4-3653-4b0c-ae66-5c79832eb42a", + "w": 48, + "x": 0, + "y": 43 + }, + "panelIndex": "2f9c17d4-3653-4b0c-ae66-5c79832eb42a", + "panelRefName": "panel_2f9c17d4-3653-4b0c-ae66-5c79832eb42a", + "type": "search" + }, + { + "embeddableConfig": { + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "fontSize": 12, + "markdown": "This dashboard provides an overview of Wiz Defend v2 threat detections from Threat Detection Rules. It summarizes detection volume and severity, shows how events trend over time, and breaks down activity by matched rule, affected resource type and actor type. A detection details table supports triage and investigation.\n\n[Integration Page](/app/integrations/detail/wiz/overview)", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + }, + "title": "Overview" + }, + "gridData": { + "h": 18, + "i": "9481595d-19e0-4da8-b51f-60dda07bcbf4", + "w": 8, + "x": 0, + "y": 10 + }, + "panelIndex": "9481595d-19e0-4da8-b51f-60dda07bcbf4", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-ab526641-395a-46dd-b316-f9a57b51242e", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "ab526641-395a-46dd-b316-f9a57b51242e": { + "columnOrder": [ + "259d807f-06dc-4843-9aa2-80c311a1dc93", + "4e8a98e9-8629-4a91-9553-db3c14fcf008" + ], + "columns": { + "259d807f-06dc-4843-9aa2-80c311a1dc93": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Severity", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "4e8a98e9-8629-4a91-9553-db3c14fcf008", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "sourceField": "wiz.defend_v2.severity" + }, + "4e8a98e9-8629-4a91-9553-db3c14fcf008": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": false + }, + "sourceField": "event.id" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "default", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rules": [ + { + "type": "other" + } + ], + "touched": true + } + ] + }, + "emptySizeRatio": 0.3, + "layerId": "ab526641-395a-46dd-b316-f9a57b51242e", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "4e8a98e9-8629-4a91-9553-db3c14fcf008" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "259d807f-06dc-4843-9aa2-80c311a1dc93" + ], + "truncateLegend": false + } + ], + "shape": "donut" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "title": "Events by Severity " + }, + "gridData": { + "h": 14, + "i": "76d43754-faed-4dbd-9e4b-7fc899344d75", + "w": 20, + "x": 8, + "y": 14 + }, + "panelIndex": "76d43754-faed-4dbd-9e4b-7fc899344d75", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-c309b0e6-4831-4977-bf44-a3c464419cca", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "c309b0e6-4831-4977-bf44-a3c464419cca": { + "columnOrder": [ + "01308177-9da1-49bc-96a6-16a681cd91a3", + "c6d34123-7757-4e24-be45-1174c151c7fa" + ], + "columns": { + "01308177-9da1-49bc-96a6-16a681cd91a3": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Primary Actor Type", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "c6d34123-7757-4e24-be45-1174c151c7fa", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "sourceField": "wiz.defend_v2.primary_actor.type" + }, + "c6d34123-7757-4e24-be45-1174c151c7fa": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": false + }, + "sourceField": "event.id" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "currentIndexPatternId": "logs-*", + "layers": {} + }, + "textBased": { + "indexPatternRefs": [ + { + "id": "logs-*", + "timeField": "@timestamp", + "title": "logs-*" + } + ], + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "default", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rules": [ + { + "type": "other" + } + ], + "touched": false + } + ] + }, + "emptySizeRatio": 0.3, + "layerId": "c309b0e6-4831-4977-bf44-a3c464419cca", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "c6d34123-7757-4e24-be45-1174c151c7fa" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "01308177-9da1-49bc-96a6-16a681cd91a3" + ], + "truncateLegend": false + } + ], + "shape": "donut" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "title": " Events by Actor Type " + }, + "gridData": { + "h": 14, + "i": "cf295ec5-5cd6-45cc-9c30-86d1fad42826", + "w": 20, + "x": 28, + "y": 14 + }, + "panelIndex": "cf295ec5-5cd6-45cc-9c30-86d1fad42826", + "type": "lens" + } + ], + "timeRestore": false, + "title": "[Logs WIZ] Defend V2", + "version": 3 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2026-06-22T11:11:04.742Z", + "created_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0", + "id": "wiz-ef5b5469-8957-49ec-85f3-1c48cecb34e4", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "wiz-3c3519be-f4f9-4c67-a9d8-1db4182b6e6a", + "name": "cb642fa3-cd8c-4a28-9280-b63ef669b489:link_e0ec5ea1-7c0b-41d3-ba9c-1a352463eab9_dashboard", + "type": "dashboard" + }, + { + "id": "wiz-ef5b5469-8957-49ec-85f3-1c48cecb34e4", + "name": "cb642fa3-cd8c-4a28-9280-b63ef669b489:link_460e787f-7378-4fcb-a0e5-1a47904ee5b6_dashboard", + "type": "dashboard" + }, + { + "id": "wiz-927c36f0-6358-11ee-a265-c3569aa0cebf", + "name": "cb642fa3-cd8c-4a28-9280-b63ef669b489:link_18e8f90a-5370-4200-a482-bed6c5cf7134_dashboard", + "type": "dashboard" + }, + { + "id": "wiz-d8f91a20-6363-11ee-a265-c3569aa0cebf", + "name": "cb642fa3-cd8c-4a28-9280-b63ef669b489:link_8ab0bc5d-eb89-45a7-8287-44f6c8429748_dashboard", + "type": "dashboard" + }, + { + "id": "wiz-be3fd3f0-6358-11ee-9db4-21f79f2e6273", + "name": "cb642fa3-cd8c-4a28-9280-b63ef669b489:link_469f9f09-03af-461c-9d50-1d5f3ace072f_dashboard", + "type": "dashboard" + }, + { + "id": "wiz-726802c0-4007-48b9-bae5-09daa69d4368", + "name": "cb642fa3-cd8c-4a28-9280-b63ef669b489:link_a13e8853-7254-4c48-ac78-841eac660c85_dashboard", + "type": "dashboard" + }, + { + "id": "logs-*", + "name": "00db63b3-418a-422a-8d0e-f6419787b0f0:indexpattern-datasource-layer-b544291b-989a-419b-bcad-fddeb514e08e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "66a8624a-fa0c-4181-adeb-edf605a24558:indexpattern-datasource-layer-ab526641-395a-46dd-b316-f9a57b51242e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "74fc6f07-41d0-47df-8513-799639723f5c:indexpattern-datasource-layer-d6a7129b-e1ac-48d4-bf12-4acef21d82b1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "302945f7-b0d0-4a5d-9f5e-cbe6429f86a0:indexpattern-datasource-layer-d6a7129b-e1ac-48d4-bf12-4acef21d82b1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "2f9c17d4-3653-4b0c-ae66-5c79832eb42a:kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "2f9c17d4-3653-4b0c-ae66-5c79832eb42a:kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "wiz-f13e693c-d234-49ef-9b6d-679c0d22c4be", + "name": "2f9c17d4-3653-4b0c-ae66-5c79832eb42a:panel_2f9c17d4-3653-4b0c-ae66-5c79832eb42a", + "type": "search" + }, + { + "id": "wiz-f13e693c-d234-49ef-9b6d-679c0d22c4be", + "name": "2f9c17d4-3653-4b0c-ae66-5c79832eb42a:panel_2f9c17d4-3653-4b0c-ae66-5c79832eb42a", + "type": "search" + }, + { + "id": "wiz-f13e693c-d234-49ef-9b6d-679c0d22c4be", + "name": "2f9c17d4-3653-4b0c-ae66-5c79832eb42a:panel_2f9c17d4-3653-4b0c-ae66-5c79832eb42a", + "type": "search" + }, + { + "id": "wiz-f13e693c-d234-49ef-9b6d-679c0d22c4be", + "name": "2f9c17d4-3653-4b0c-ae66-5c79832eb42a:panel_2f9c17d4-3653-4b0c-ae66-5c79832eb42a", + "type": "search" + }, + { + "id": "wiz-f13e693c-d234-49ef-9b6d-679c0d22c4be", + "name": "2f9c17d4-3653-4b0c-ae66-5c79832eb42a:panel_2f9c17d4-3653-4b0c-ae66-5c79832eb42a", + "type": "search" + }, + { + "id": "wiz-f13e693c-d234-49ef-9b6d-679c0d22c4be", + "name": "2f9c17d4-3653-4b0c-ae66-5c79832eb42a:panel_2f9c17d4-3653-4b0c-ae66-5c79832eb42a", + "type": "search" + }, + { + "id": "wiz-f13e693c-d234-49ef-9b6d-679c0d22c4be", + "name": "2f9c17d4-3653-4b0c-ae66-5c79832eb42a:panel_2f9c17d4-3653-4b0c-ae66-5c79832eb42a", + "type": "search" + }, + { + "id": "wiz-f13e693c-d234-49ef-9b6d-679c0d22c4be", + "name": "2f9c17d4-3653-4b0c-ae66-5c79832eb42a:panel_2f9c17d4-3653-4b0c-ae66-5c79832eb42a", + "type": "search" + }, + { + "id": "logs-*", + "name": "76d43754-faed-4dbd-9e4b-7fc899344d75:indexpattern-datasource-layer-ab526641-395a-46dd-b316-f9a57b51242e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "cf295ec5-5cd6-45cc-9c30-86d1fad42826:indexpattern-datasource-layer-c309b0e6-4831-4977-bf44-a3c464419cca", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_2f4e785b-c08b-4a1a-8c61-711e097ad277:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_aa0a2c66-183e-4429-ad49-8dd8ea6135c4:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_0234bd3d-9692-4d79-8e7d-9cd4e61ae5ec:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "dashboard", + "typeMigrationVersion": "10.3.0", + "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0" +} \ No newline at end of file diff --git a/packages/wiz/kibana/search/wiz-f13e693c-d234-49ef-9b6d-679c0d22c4be.json b/packages/wiz/kibana/search/wiz-f13e693c-d234-49ef-9b6d-679c0d22c4be.json new file mode 100644 index 00000000000..ef541972d1d --- /dev/null +++ b/packages/wiz/kibana/search/wiz-f13e693c-d234-49ef-9b6d-679c0d22c4be.json @@ -0,0 +1,73 @@ +{ + "attributes": { + "columns": [ + "wiz.defend_v2.severity", + "wiz.defend_v2.primary_resource.name", + "message" + ], + "description": "", + "grid": {}, + "hideChart": false, + "isTextBasedQuery": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "wiz.defend_v2" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "wiz.defend_v2" + } + } + } + ], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "" + } + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "timeRestore": false, + "title": "Defend V2 Detection details [Logs WIZ]" + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2026-06-22T11:46:57.727Z", + "created_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0", + "id": "wiz-f13e693c-d234-49ef-9b6d-679c0d22c4be", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "search", + "typeMigrationVersion": "10.5.0", + "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0" +} \ No newline at end of file diff --git a/packages/wiz/manifest.yml b/packages/wiz/manifest.yml index 8332954b539..7c1a37fe2e7 100644 --- a/packages/wiz/manifest.yml +++ b/packages/wiz/manifest.yml @@ -1,7 +1,7 @@ format_version: 3.3.2 name: wiz title: Wiz -version: "4.5.0" +version: "4.6.0" description: Collect logs from Wiz with Elastic Agent. type: integration categories: @@ -15,7 +15,7 @@ categories: - siem conditions: kibana: - version: "^8.19.0 || ^9.1.0" + version: "^8.19.2 || ^9.1.2" elastic: subscription: "basic" screenshots: @@ -47,6 +47,10 @@ screenshots: title: Wiz Defend Dashboard Screenshot size: 600x600 type: image/png + - src: /img/wiz-defend-v-2-dashboard.png + title: Wiz Defend V2 Dashboard Screenshot + size: 600x600 + type: image/png - src: /img/wiz-policy-editor-ui.png title: Wiz Integration Policy Editor UI size: 1691x2012