AWS Inspector

[jamiehynds]

Description

Amazon Inspector is an automated vulnerability management service that continually scans AWS workloads for software vulnerabilities and unintended network exposure.

Architecture

AWS Inspector Findings can be transmitted to a SIEM, via the ListFindings API endpoint, outlined here: https://docs.aws.amazon.com/inspector/v1/APIReference/API_ListFindings.html

Integration release checklist

This checklist is intended for integrations maintainers to ensure consistency
when creating or updating a Package, Module or Dataset for an Integration.

All changes

• Change follows the contributing guidelines
• Supported versions of the monitoring target are documented
• Supported operating systems are documented (if applicable)
• Integration or System tests exist
• Documentation exists
• Fields follow ECS and naming conventions
• At least a manual test with ES / Kibana / Agent has been performed.
• Required Kibana version set to:

New Package

• Screenshot of the "Add Integration" page on Fleet added

Dashboards changes

• Dashboards exists
• Screenshots added or updated
• Datastream filters added to visualizations

Log dataset changes

• Pipeline tests exist (if applicable)
• Generated output for at least 1 log file exists
• Sample event (sample_event.json) exists

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[jamiehynds]

@nick-alayil we're actively working on this AWS Inspector integration and to ensure that the data provided by the integration can be leveraged within Cloud Security also. Is there someone on your team we can work with to ensure we map the data appropriately, to ensure it populates any relevant dashboards within Cloud Security?

[nick-alayil]

It's great to see the progress on the AWS Inspector integration. The work on identifying the data and mapping it to ECS fields, necessary to populate Kibana dashboards and workflows, has yet to begin (likely in a week). The plan is to align with the sample ECS doc shared by elastic InfoSec team. It would be ideal if we

• Cloud Native Vulnerability Management
• OS-query based Vulnerability Management (@patrykkopycinski )
• Third party integrations related to Vulnerability Management(e.g AWS Inspector)
• Elastic InfoSec Vulnerability Management (@clement-fouque )

all agree on same ECS fields, the kibana dashboards and workflows currently being developed by elastic security design team - @r4zr32d3k1l Cc @dimadavid could be used by data generated by all the above mentioned teams and also in future by any other third party vuln mgmt integrations say for e.g Nexpose (Rapid7 Vuln Scanner).

Is there someone on your team we can work with to ensure we map the data appropriately

@m-sample and @mitodrummer would be the right folk to collab on ECS from our end. As I said, we've not started yet. Once we've the initial data(required for populating Kibana dashboard and workflows) and ECS mapping ready, I'll set-up a meeting with all the folks tagged here.

[clement-fouque]

There are additional inputs on what is required on the ECS vulnerability field in elastic/ecs#1685.

[jamiehynds]

Closing as the AWS Inspector integration is now available. https://docs.elastic.co/integrations/aws/inspector