prisma_cloud: Add misconfiguration and vulnerability data streams for CDR workflow #16012
Conversation
🚀 Benchmarks report

Package

| Data stream | Previous EPS | New EPS | Diff (%) | Result |
|---|---|---|---|---|
| alert | 2824.86 | 2304.15 | -520.71 (-18.43%) | 💔 |
| host_profile | 3039.51 | 2336.45 | -703.06 (-23.13%) | 💔 |

To see the full report comment with /test benchmark fullreport
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)
packages/prisma_cloud/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml
| copy_from: prisma_cloud.misconfiguration.scanned_policy.name | ||
| ignore_empty_value: true | ||
| - set: | ||
| field: rule.uuid |
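Review bot: the `set` for rule.uuid is cut off in this snippet; make sure it carries `ignore_empty_value: true` like the preceding processor, because `set` with `copy_from` fails the whole document when the source field is missing, and not every Prisma Cloud misconfiguration record is guaranteed to carry the policy identifier. While here, the same value should also be mirrored into rule.id, since the findings flyout looks documents up by resource.id and rule.id rather than by rule.uuid.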
@kcreddy @maxcold I checked and we are still querying by resource.id and rule.id instead of the unique rule.uuid field to get the document to display in the misconfiguration flyout. Since docs produced by this integration do not contain such a field, flyouts are unable to open correctly.
I would suggest for now copying rule.uuid to the rule.id field. Doing it for consistency only (using uuid) is possible, but it is associated with risks and might affect our native integration.
Done. Added rule.id from rule.uuid.
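The flyout lookup discussed in the comments above, modelled in Python as an added illustration (this is not the integration's pipeline or Kibana's code): a minimal emulation of the Elasticsearch `set` processor with `copy_from` and `ignore_empty_value`, run over constructed sample events, showing that a lookup by resource.id and rule.id finds nothing until rule.uuid is mirrored into rule.id, and that a missing source field fails the document unless `ignore_empty_value` is set. The source field used for rule.uuid (prisma_cloud.misconfiguration.policy.id) and the sample documents are assumptions.

```python
import copy

# Source field for rule.uuid is an assumption for this illustration; the page
# only shows that rule.uuid is set, not which Prisma Cloud field feeds it.
POLICY_ID_FIELD = "prisma_cloud.misconfiguration.policy.id"
POLICY_NAME_FIELD = "prisma_cloud.misconfiguration.scanned_policy.name"


class PipelineError(Exception):
    """Stands in for an ingest pipeline failing the document."""


def get_path(doc, path):
    """Read a dotted field path; None when any segment is missing."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def put_path(doc, path, value):
    """Write a dotted field path, creating intermediate objects."""
    parts = path.split(".")
    cur = doc
    for part in parts[:-1]:
        cur = cur.setdefault(part, {})
    cur[parts[-1]] = value


def set_processor(doc, field, copy_from, ignore_empty_value=False):
    """`set` with copy_from: a missing or empty source fails the document
    unless ignore_empty_value is true, in which case the processor is skipped."""
    value = get_path(doc, copy_from)
    if value is None or value == "":
        if ignore_empty_value:
            return doc
        raise PipelineError(f"field [{copy_from}] is null or missing")
    put_path(doc, field, value)
    return doc


def sample_events():
    """Constructed sample documents, not real Prisma Cloud API output."""
    return [
        {
            "resource": {"id": "arn:aws:s3:::example-bucket"},
            "prisma_cloud": {"misconfiguration": {
                "policy": {"id": "c2b3f1a0-0000-4000-8000-000000000001"},
                "scanned_policy": {"name": "S3 bucket allows public read"},
            }},
        },
        {
            # No policy id at all: exercises the ignore_empty_value path.
            "resource": {"id": "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc"},
            "prisma_cloud": {"misconfiguration": {
                "scanned_policy": {"name": "Instance has a public IP"},
            }},
        },
    ]


def run_pipeline(events, mirror_rule_id, ignore_missing=True):
    """Apply the three `set` processors; mirror_rule_id adds the rule.id copy."""
    out = []
    for event in events:
        doc = copy.deepcopy(event)
        set_processor(doc, "rule.name", POLICY_NAME_FIELD, ignore_missing)
        set_processor(doc, "rule.uuid", POLICY_ID_FIELD, ignore_missing)
        if mirror_rule_id:
            set_processor(doc, "rule.id", "rule.uuid", ignore_missing)
        out.append(doc)
    return out


def flyout_lookup(docs, resource_id, rule_id):
    """The findings flyout locates a document by resource.id and rule.id."""
    return [d for d in docs
            if get_path(d, "resource.id") == resource_id
            and get_path(d, "rule.id") == rule_id]


def demo():
    """Hits for the same finding before and after rule.id is populated."""
    rid = "arn:aws:s3:::example-bucket"
    uuid = "c2b3f1a0-0000-4000-8000-000000000001"
    before = run_pipeline(sample_events(), mirror_rule_id=False)
    after = run_pipeline(sample_events(), mirror_rule_id=True)
    return len(flyout_lookup(before, rid, uuid)), len(flyout_lookup(after, rid, uuid))


if __name__ == "__main__":
    print(demo())  # (0, 1)
```

Running the second sample event with `ignore_missing=False` raises `PipelineError`, which is the behaviour a real `set` with `copy_from` shows when the source is absent; that is why each `set` in the pipeline carries `ignore_empty_value: true`.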
@kcreddy thanks, could you update the env with the changes? I would like to test also the contextual flow/alerts flyout.
Done ✅
@alexreal1314, resource.name is populated for Misconfigurations and only missing in Vulnerabilities workflow, which was discussed in the sheet.
Also, we don't have a rule.description field in the API data. Since it's not a Must Have, we have omitted it.
@kcreddy yep I meant resource.id, I see that it's currently missing.
Regarding rendering sub_type as Resource Type, I think it is intentional and in line with our native integration. The sub_type is usually more specific (when type and sub_type are not the same, of course), but for users we want to present only one field as Type. So from a data point of view it looks a bit off, but in the end users might not need this type/sub_type complexity. In our native integration, type is more of a grouping: monitoring is the type and azure-network-watchers-flow-log is the sub_type, so seeing monitoring in the data grid isn't that helpful.
> @kcreddy yep I meant resource.id, I see that it's currently missing.
@alexreal1314, I just looked into security_solution-* indices and resource.id is present in all of them. Could it be that there's a bug in the Findings page, that you are not able to see it there?
@kcreddy LGTM besides the resource.sub_type which is missing, but I guess it's not a blocker.
| headers: | ||
| Content-Type: | ||
| - "application/octet-stream" | ||
| body: '{{file "/sample_logs/prisma-cloud-vulnerability.csv.gz"}}' |
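Review bot: the mock returns the gzipped CSV as `application/octet-stream` with no `Content-Encoding: gzip` header, so the HTTP layer will not transparently decompress the body; confirm that the CEL program decompresses explicitly and that these headers mirror what the real Prisma Cloud download endpoint sends, otherwise the system test passes against a response shape production never produces.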
Add final new line.
| ), | ||
| "next": { | ||
| ?"access_token": has(body.nextPageToken) ? optional.of(state.next.access_token) : optional.none(), | ||
| ?"pageToken": has(body.nextPageToken) ? optional.of(body.nextPageToken) : optional.none(), |
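Review bot: on the `?"access_token"` line the token is carried into `state.next` only while the response has a nextPageToken, so once the last page is reached the token is discarded and the next collection cycle must authenticate again. If that is intended, say so in a comment beside the line; if the token is still valid across cycles, keep it unconditionally and let only `pageToken` depend on `body.nextPageToken`. The `pageToken` line itself can be shortened to `?"pageToken": body.?nextPageToken`.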
| ?"pageToken": has(body.nextPageToken) ? optional.of(body.nextPageToken) : optional.none(), | |
| ?"pageToken": body.?nextPageToken, |
Done in 6f33f5d
| [] | ||
| ), | ||
| "next": { | ||
| ?"access_token": has(body.nextPageToken) ? optional.of(state.next.access_token) : optional.none(), |
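Review bot: `state.next.access_token` is read inside the `has(body.nextPageToken)` branch without a guard of its own; if `state.next` can be absent when a first page already carries a nextPageToken, evaluation fails with a no-such-key error instead of a clean re-authentication. Either initialise `next` in the input's initial state or guard the read, e.g. `?"access_token": has(body.nextPageToken) ? state.?next.?access_token : optional.none()`, and add a short comment explaining why the token is kept only while paging.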
Just checking that this is right. We're keeping the next access token that we had if there is a next page token? I think this is something that needs a little explanatory note.
That is correct. I added a comment.
| want_more: false | ||
| redact: | ||
| fields: | ||
| - user |
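Review bot: `redact.fields` names only `user`, while the state this program carries also holds `next.access_token`, the bearer token reused across pages; the token, and any password or secret used to obtain it, are what must not reach the debug log, so list those fields here and keep `user` only if the username is itself considered sensitive. Redaction affects the logged state only, not the requests sent.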
Do we need to redact the user?
| want_more: false | ||
| redact: | ||
| fields: | ||
| - user |
Do we need to redact this?
| - append: | ||
| field: tags | ||
| value: preserve_original_event | ||
| allow_duplicates: false No newline at end of file |
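Review bot: the `append` of the `preserve_original_event` tag is normally placed under the pipeline's `on_failure` handler so that a failed document keeps `event.original` for troubleshooting; confirm this one sits there and that the normal path still removes `event.original` when the tag is absent. The file also needs its trailing newline.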
Add final new line.
| - append: | ||
| field: tags | ||
| value: preserve_original_event | ||
| allow_duplicates: false No newline at end of file |
Add final new line.
Done in 6f33f5d
Can you add an explanation for the source of the new test inputs?
@efd6, do you mean sample logs? I got them from the live data of Prisma Cloud.
cc @kcreddy
Thanks, can you note that in the proposed commit message?
Package prisma_cloud - 4.0.0 containing this change is available at https://epr.elastic.co/package/prisma_cloud/4.0.0/
Proposed commit message

Checklist
- changelog.yml file.

How to test this PR locally
- Both pipeline and system tests pass.
- Transforms install correctly (see screenshot below).
- Transforms have no authorisation error (see screenshot below).

Related issues

Screenshots

Dashboards