tenable_io: Add mappings and transform for Cloud Detection and Response (CDR) workflow #13636

kcreddy merged 21 commits into elastic:main
🚀 Benchmarks report

| Data stream | Previous EPS | New EPS | Diff (%) | Result |
|---|---|---|---|---|
| plugin | 5555.56 | 4608.29 | -947.27 (-17.05%) | 💔 |
| vulnerability | 2155.17 | 1459.85 | -695.32 (-32.26%) | 💔 |

To see the full report comment with /test benchmark fullreport
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)
| - status_code: 200 | ||
| body: | | ||
| [{"asset":{"fqdn":"example.com","hostname":"89.160.20.112","uuid":"cf165808-6a31-48e1-9cf3-c6c3174df51d","ipv4":"81.2.69.142","operating_system":["Test Demo OS X 10.5.8"],"network_id":"00000000-0000-0000-0000-000000000000","tracked":true},"output":"The observed version of Test is : \n /21.0.1180.90","plugin":{"cve":["CVE-2016-1620","CVE-2016-1614","CVE-2016-1613","CVE-2016-1612","CVE-2016-1618","CVE-2016-1617","CVE-2016-1616","CVE-2016-1615","CVE-2016-1619"],"cvss_base_score": 9.3,"cvss_temporal_score":6.9,"cvss_temporal_vector":{"exploitability":"Unproven","remediation_level":"Official-fix","report_confidence":"Confirmed","raw":"E:U/RL:OF/RC:C"},"cvss_vector":{"access_complexity":"Medium","access_vector":"Network","authentication":"None required","confidentiality_impact":"Complete","integrity_impact":"Complete","availability_impact":"Complete","raw":"AV:N/AC:M/Au:N/C:C/I:C/A:C"},"description":"The version of Test on the remote host is prior to 48.0.2564.82 and is affected by the following vulnerabilities: \n\n - An unspecified vulnerability exists in Test V8 when handling compatible receiver checks hidden behind receptors. An attacker can exploit this to have an unspecified impact. No other details are available. (CVE-2016-1612)\n - A use-after-free error exists in `PDFium` due to improper invalidation of `IPWL_FocusHandler` and `IPWL_Provider` upon destruction. An attacker can exploit this to dereference already freed memory, resulting in the execution of arbitrary code. (CVE-2016-1613)\n - An unspecified vulnerability exists in `Blink` that is related to the handling of bitmaps. An attacker can exploit this to access sensitive information. No other details are available. (CVE-2016-1614)\n - An unspecified vulnerability exists in `omnibox` that is related to origin confusion. An attacker can exploit this to have an unspecified impact. No other details are available. 
(CVE-2016-1615)\n - An unspecified vulnerability exists that allows an attacker to spoof a displayed URL. No other details are available. (CVE-2016-1616)\n - An unspecified vulnerability exists that is related to history sniffing with HSTS and CSP. No other details are available. (CVE-2016-1617)\n - A flaw exists in `Blink` due to the weak generation of random numbers by the ARC4-based random number generator. An attacker can exploit this to gain access to sensitive information. No other details are available. (CVE-2016-1618)\n - An out-of-bounds read error exists in `PDFium` in file `fx_codec_jpx_opj.cpp` in the `sycc4{22,44}_to_rgb()` functions. An attacker can exploit this to cause a denial of service by crashing the application linked using the library. (CVE-2016-1619)\n - Multiple vulnerabilities exist, the most serious of which allow an attacker to execute arbitrary code via a crafted web page. (CVE-2016-1620)\n - A flaw in `objects.cc` is triggered when handling cleared `WeakCells`, which may allow a context-dependent attacker to have an unspecified impact. No further details have been provided. 
(CVE-2016-2051)","family":"Web Clients","family_id": 1000020,"has_patch":false,"id":9062,"name":"Test < 48.0.2564.82 Multiple Vulnerabilities","risk_factor":"HIGH","see_also":["http://testreleases.blogspot.com/2016/01/beta-channel-update_20.html"],"solution":"Update the browser to 48.0.2564.82 or later.","synopsis":"The remote host is utilizing a web browser that is affected by multiple vulnerabilities.","vpr":{"score":5.9,"drivers":{"age_of_vuln":{"lower_bound":366,"upper_bound":730},"exploit_code_maturity":"UNPROVEN","cvss_impact_score_predicted":false,"cvss3_impact_score":5.9,"threat_intensity_last28":"VERY_LOW","threat_sources_last28":["No recorded events"],"product_coverage":"LOW"},"updated":"2019-12-31T10:08:58Z"}},"port":{"port":"0","protocol":"TCP"},"scan":{"completed_at":"2018-12-31T20:59:47Z","schedule_uuid":"6f7db010-9cb6-4870-b745-70a2aea2f81ce1b6640fe8a2217b","started_at":"2018-12-31T20:59:47Z","uuid":"0e55ec5d-c7c7-4673-a618-438a84e9d1b78af3a9957a077904"},"severity":"low","severity_id":3,"severity_default_id":3,"severity_modification_type":"NONE","first_found":"2018-12-31T20:59:47Z","last_found":"2018-12-31T20:59:47Z","indexed":"2022-11-30T14:09:12.061Z","state":"OPEN"}] | ||
| [{"asset":{"fqdn":"example.com","hostname":"89.160.20.112","uuid":"cf165808-6a31-48e1-9cf3-c6c3174df51d","ipv4":"81.2.69.142","operating_system":["Test Demo OS X 10.5.8"],"network_id":"00000000-0000-0000-0000-000000000000","tracked":true},"output":"\n Path : /opt/jdk-11.0.2/\n Installed version : 11.0.2\n Fixed version : Upgrade to a version greater than 11.0.18\n\n\n\n Path : /usr/java/jdk1.8.0_232-cloudera/\n Installed version : 8.0.232\n Fixed version : Upgrade to a version greater than 8u362\n","plugin":{"vuln_publication_date":"2023-04-18T00:00:00Z","cve":["CVE-2016-1620","CVE-2016-1614","CVE-2016-1613","CVE-2016-1612","CVE-2016-1618","CVE-2016-1617","CVE-2016-1616","CVE-2016-1615","CVE-2016-1619"],"cvss_base_score": 9.3,"cvss_temporal_score":6.9,"cvss_temporal_vector":{"exploitability":"Unproven","remediation_level":"Official-fix","report_confidence":"Confirmed","raw":"E:U/RL:OF/RC:C"},"cvss_vector":{"access_complexity":"Medium","access_vector":"Network","authentication":"None required","confidentiality_impact":"Complete","integrity_impact":"Complete","availability_impact":"Complete","raw":"AV:N/AC:M/Au:N/C:C/I:C/A:C"},"description":"The version of Test on the remote host is prior to 48.0.2564.82 and is affected by the following vulnerabilities: \n\n - An unspecified vulnerability exists in Test V8 when handling compatible receiver checks hidden behind receptors. An attacker can exploit this to have an unspecified impact. No other details are available. (CVE-2016-1612)\n - A use-after-free error exists in `PDFium` due to improper invalidation of `IPWL_FocusHandler` and `IPWL_Provider` upon destruction. An attacker can exploit this to dereference already freed memory, resulting in the execution of arbitrary code. (CVE-2016-1613)\n - An unspecified vulnerability exists in `Blink` that is related to the handling of bitmaps. An attacker can exploit this to access sensitive information. No other details are available. 
(CVE-2016-1614)\n - An unspecified vulnerability exists in `omnibox` that is related to origin confusion. An attacker can exploit this to have an unspecified impact. No other details are available. (CVE-2016-1615)\n - An unspecified vulnerability exists that allows an attacker to spoof a displayed URL. No other details are available. (CVE-2016-1616)\n - An unspecified vulnerability exists that is related to history sniffing with HSTS and CSP. No other details are available. (CVE-2016-1617)\n - A flaw exists in `Blink` due to the weak generation of random numbers by the ARC4-based random number generator. An attacker can exploit this to gain access to sensitive information. No other details are available. (CVE-2016-1618)\n - An out-of-bounds read error exists in `PDFium` in file `fx_codec_jpx_opj.cpp` in the `sycc4{22,44}_to_rgb()` functions. An attacker can exploit this to cause a denial of service by crashing the application linked using the library. (CVE-2016-1619)\n - Multiple vulnerabilities exist, the most serious of which allow an attacker to execute arbitrary code via a crafted web page. (CVE-2016-1620)\n - A flaw in `objects.cc` is triggered when handling cleared `WeakCells`, which may allow a context-dependent attacker to have an unspecified impact. No further details have been provided. 
(CVE-2016-2051)","family":"Web Clients","family_id": 1000020,"has_patch":false,"id":9062,"name":"Test < 48.0.2564.82 Multiple Vulnerabilities","risk_factor":"HIGH","see_also":["http://testreleases.blogspot.com/2016/01/beta-channel-update_20.html"],"solution":"Update the browser to 48.0.2564.82 or later.","synopsis":"The remote host is utilizing a web browser that is affected by multiple vulnerabilities.","vpr":{"score":5.9,"drivers":{"age_of_vuln":{"lower_bound":366,"upper_bound":730},"exploit_code_maturity":"UNPROVEN","cvss_impact_score_predicted":false,"cvss3_impact_score":5.9,"threat_intensity_last28":"VERY_LOW","threat_sources_last28":["No recorded events"],"product_coverage":"LOW"},"updated":"2019-12-31T10:08:58Z"}},"port":{"port":"0","protocol":"TCP"},"scan":{"completed_at":"2018-12-31T20:59:47Z","schedule_uuid":"6f7db010-9cb6-4870-b745-70a2aea2f81ce1b6640fe8a2217b","started_at":"2018-12-31T20:59:47Z","uuid":"0e55ec5d-c7c7-4673-a618-438a84e9d1b78af3a9957a077904"},"severity":"low","severity_id":3,"severity_default_id":3,"severity_modification_type":"NONE","first_found":"2018-12-31T20:59:47Z","last_found":"2018-12-31T20:59:47Z","indexed":"2022-11-30T14:09:12.061Z","state":"OPEN"}] |
Updated "output" to test package field.
| latest: | ||
| unique_key: | ||
| - event.id | ||
| - resource.id | ||
| - data_stream.namespace |
Transform's uniqueness is defined similar to Qualys, instead of following the guide.
chrisberkhout left a comment
The proposed commit message could be updated to mention it also adds the transform.
| # The next two gsub processors facilitate `splitOnToken` in the subsequent script processor, which otherwise cannot split \n or \t. | ||
| - gsub: | ||
| field: tenable_io.vulnerability.output | ||
| description: To facilitate splitOnToken in the subsequent script processor, which otherwise cannot split on \n. Each package are seperated by multiple \n. | ||
| pattern: '\n\n+\s*' | ||
| replacement: ';;' | ||
| if: ctx._temp?.output_has_package == true | ||
| tag: gsub_tenable_io_vulnerability_output_split_packages | ||
| ignore_missing: true | ||
| - gsub: | ||
| field: tenable_io.vulnerability.output | ||
| pattern: '\n\s*' | ||
| description: To facilitate splitOnToken in the subsequent script processor, which otherwise cannot split on \n. Within each package, details are seperated by single \n. | ||
| replacement: '||' | ||
| tag: gsub_tenable_io_vulnerability_output_split_package_info | ||
| if: ctx._temp?.output_has_package == true | ||
| ignore_missing: true |
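Review bot: both gsub descriptions misspell "separated", and "Each package are seperated" should read "Each package is separated". More importantly, the replacement tokens `;;` and `||` are ordinary text that may legitimately occur inside a plugin's output (in a path or in a fixed-version sentence), and whenever they do, the later splitOnToken will split in the wrong place. A separator the Tenable output cannot contain, or splitting on the regex pattern directly inside the script processor, avoids that failure mode.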
I think you can avoid these by building the token strings from chars.
In Painless Lab, put this:

```painless
String lf = (String)(char)10;
String s = "line1" + lf + "line2";
"s:"+lf
+"---"+lf
+s+lf
+"---"+lf
+lf
+"s.splitOnToken(lf)[1]:"+lf
+s.splitOnToken(lf)[1]
```

And you'll see the output:

```
s:
---
line1
line2
---
s.splitOnToken(lf)[1]:
line2
```
For the following Painless script, I think it would be nice to define a function that does most of the work without being dependent on a specific context, then have minimal code to apply the function where necessary. That makes it easier to test or modify in the future, because you can copy the function out and work on it in other contexts.
Thanks for the suggestion @chrisberkhout.
For this script, we are trying to replace a pattern and not a single character. I will use the regexp inside the script processor itself and add functions inside the script itself as you suggested so that it will be easy to maintain.
Sorry, for some reason I thought it was newlines and tabs, and that the problem was making a string literal with those characters in it.
A pattern is different. Moving it into the script is nice.
Splitting on the pattern rather than doing the substitutions is an option: https://discuss.elastic.co/t/can-we-use-split-processor-with-painless-scripting/98536/2
My original idea was to wrap everything in a function. Something like this:

```painless
List packagesFromOutput(String output) {
  // ...
}

List results = packagesFromOutput(ctx.tenable_io.vulnerability.output);
ctx.package = ctx.package ?: [];
ctx.vulnerability = ctx.vulnerability ?: [:];
ctx.vulnerability.package = ctx.vulnerability.package ?: [];
ctx.package.addAll(results);
ctx.vulnerability.package.addAll(results);
```
Anyway, these are all optional suggestions.
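As an added example (not the PR's pipeline code, and not chrisberkhout's), here is the context-free helper suggested above written in Python rather than Painless so it can be run stand-alone: it splits the Tenable `output` text of the sample document into package blocks using the same two patterns as the gsub processors, then builds both the object-typed `package.*` arrays the UI reads and the nested copy that keeps each version tied to its path. The label-to-field mapping and the `output_has_package` heuristic are assumptions; the sample strings are constructed.

```python
import re
from typing import Dict, List

# Constructed sample, shaped like the "output" field of the second test document in this PR.
SAMPLE_OUTPUT = (
    "\n Path : /opt/jdk-11.0.2/\n Installed version : 11.0.2\n"
    " Fixed version : Upgrade to a version greater than 11.0.18\n\n\n\n"
    " Path : /usr/java/jdk1.8.0_232-cloudera/\n Installed version : 8.0.232\n"
    " Fixed version : Upgrade to a version greater than 8u362\n"
)
# Constructed sample with no package information (shaped like the first test document).
SAMPLE_NO_PACKAGE = "The observed version of Test is : \n /21.0.1180.90"
# Constructed sample where one package lacks its "Fixed version" line.
SAMPLE_MISSING_FIELD = (
    " Path : /opt/a/\n Installed version : 1.0\n\n\n"
    " Path : /opt/b/\n Installed version : 2.0\n Fixed version : 2.1\n"
)

# Same patterns as the two gsub processors: runs of blank lines separate packages,
# single newlines (plus indentation) separate the lines within one package.
PACKAGE_SEP = re.compile(r"\n\n+\s*")
LINE_SEP = re.compile(r"\n\s*")
# A "Label : value" line; the label contains no colon, the value may.
LINE_RE = re.compile(r"^\s*(?P<label>[^:]+?)\s*:\s*(?P<value>.*?)\s*$")

# Assumed mapping from Tenable output labels to the package fields used in the PR.
LABEL_TO_FIELD = {
    "path": "name",
    "installed version": "version",
    "fixed version": "fixed_version",
}


def output_has_package(output: str) -> bool:
    """Assumed stand-in for the pipeline's _temp.output_has_package flag."""
    return "Installed version" in output


def packages_from_output(output: str) -> List[Dict[str, str]]:
    """Context-free parser: one dict per package block, keeping only known labels."""
    if not output_has_package(output):
        return []
    packages: List[Dict[str, str]] = []
    for block in PACKAGE_SEP.split(output.strip()):
        package: Dict[str, str] = {}
        for line in LINE_SEP.split(block):
            match = LINE_RE.match(line)
            if match is None:
                continue  # free text rather than a "Label : value" pair
            field = LABEL_TO_FIELD.get(match.group("label").lower())
            if field is not None:
                package[field] = match.group("value")
        if package:
            packages.append(package)
    return packages


def to_document_fields(packages: List[Dict[str, str]]) -> Dict[str, object]:
    """Object-typed package.* arrays for the UI plus a nested copy.

    The flat arrays lose the row relationship as soon as one package lacks a
    field (the arrays end up with different lengths), which is why the PR keeps
    tenable_io.vulnerability.package_nested next to package.*.
    """
    columns: Dict[str, List[str]] = {}
    for package in packages:
        for field, value in package.items():
            columns.setdefault(field, []).append(value)
    return {"package": columns, "package_nested": packages}
```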
Remove explicitly defined vulnerability.description field causing ECS conflict.
| field: json.output | ||
| target_field: tenable_io.vulnerability.output | ||
| ignore_missing: true | ||
| - script: |
@kcreddy currently we support in the UI where each package.name, package.version and package.fixed_version are separate fields. Introducing this field as a nested type in Tenable is breaking the client, as I have tested it.
IMO nested is the correct type here, but we should decide on the correct data model and type before continuing.
cc @maxcold
Thanks @alexreal1314 for the testing. Does it mean we need to have a separate package_nested field for storing nested package data?
We did this in Qualys where package is an object type and package_nested is nested type.
@kcreddy creating a separate package_nested field won't fix the issue because we rely in the UI on the package field which is of type object. Also package_nested is not part of ECS.
Need to think how to overcome this issue, meanwhile I would think that we should store ctx.tenable_io?.vulnerability?.output fields in the format we have today package.name: array of packages, package.version: array of versions and package.fixed_version array of fixed versions.
WDYT @maxcold ?
Related discussion previously: https://github.com/elastic/security-team/issues/9987#issuecomment-2548605862. We wanted to have package.* fields for the UI, but also package_nested.* nested fields to preserve the relationships.
@alexreal1314 @maxcold, this seems to be the only pending comment to merge this PR.
Let me know if there's anything needed here from my side.
Just getting back to this problem, discussed on Slack. My suggestion is to be consistent with what we have in Qualys and deal with the relationship between fields in case of multiple packages later. Also I think it makes sense to have package_nested as a way to keep the information about the relation.
Updated in 21b2ac8.
Now the package and vulnerability.package fields are mapped as objects and the custom field tenable_io.vulnerability.package_nested is mapped as nested.
| - set: | ||
| field: host.name | ||
| copy_from: tenable_io.vulnerability.asset.netbios.name | ||
| copy_from: tenable_io.vulnerability.asset.fqdn |
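Review bot: with `copy_from: tenable_io.vulnerability.asset.fqdn` replacing the netbios.name source, host.name is left unset for any asset that has no FQDN, and nothing in this hunk falls back to the other asset name fields. Consider `ignore_empty_value: true` on this processor plus further `set` processors conditioned on `ctx.host?.name == null` that copy from asset.hostname and then asset.netbios.name, so the field the alert logic depends on is populated whenever any name is available.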
@kcreddy Is it possible to share some docs from Tenable? I would like to understand which fields they have, because I see, for example, that out of 1844 documents, 52 are missing host.name, which is quite important because alert calculations are based on it. In comparison, in Qualys out of 45k documents only 39 are missing this field.
@alexreal1314, here's the relevant discussion which led to host.name being copied from asset.fqdn: https://docs.google.com/spreadsheets/d/1ovxuXOtSXyNGZ_db7TaD5D0pt5m_60yUPe1oxJ1AQ8I/edit?gid=0#gid=0&range=G21
Here's the Tenable API doc: https://developer.tenable.com/reference/exports-vulns-download-chunk.
In case the asset.fqdn field is missing, we could populate it with some other field, asset.hostname or asset.netbios_name. Would that be an accepted solution?
> In case asset.fqdn field is missing, we could populate with some other field asset.hostname or asset.netbios_name. Would that be accepted solution?
Yes, that’s a great suggestion. If the asset.fqdn field isn’t available, falling back to asset.hostname makes sense and if that’s also missing, using asset.netbios_name as a final fallback will be a solid approach, especially since this is a crucial ECS field that powers alert and entity(host) flyouts with vulnerability contextualization.
@alexreal1314, as per Nick's suggestion, I updated in 0fab27e
| conditions: | ||
| kibana: | ||
| version: "^8.18.0 || ^9.0.0" | ||
| version: "^8.19.0 || ^9.1.0" |
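Review bot: raising the constraint from `^8.18.0 || ^9.0.0` to `^8.19.0 || ^9.1.0` drops 8.18.x and 9.0.x stacks from the supported range, so existing installs on those versions will not be offered this package version; the changelog entry for this release should state the new minimum stack versions explicitly.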
@kcreddy We've been given guidance by the leadership team that Security Solution treats 8.19 as a bugfix release and that we shouldn't add new features to this release, only 9.1.0. Does Security Integrations follow the same approach? If yes, we need to limit this version to only ^9.1.0 stack version.
For Qualys we already have the integration published with ^8.19.0 || ^9.1.0 stack condition, we will need to figure out what we need to do on Kibana side to support that, most likely backport all the changes we made to support multiple CVEs, packages etc.
> We've been given guidance by the leadership team that Security Solution treats 8.19 as a bugfix release
@maxcold I wasn't aware of this. Also, Qualys VMDR is the only integration that seems to define this version.
Do you know if this is specifically about 8.19.0 and we can still target ^8.19.1?
Let me know which versions you are targeting for backport; I can update this accordingly.
BTW 8.17.7 and 8.18.2 FF is today.
@jamiehynds, it seems that we shouldn't be releasing new features targeting ^8.19.0. Does it also mean new integrations shouldn't be targeting this version?
It's not GA yet, but I would like to know in case any future PRs come up targeting this version.
I'm waiting for the confirmation from @nick-alayil on the approach to stack versions and availability of CDR related changes in integrations. If we follow the guidance for Security Solution and treat 8.19.0 as a bugfix release (it applies to all 8.x versions going forward as far as I understand), then for Tenable we should have version: "^9.1.0"
For Qualys, as the integration has already been published, I think we need to backport Kibana changes to 8.19.0, but that's solely on us. Let me know if I can give more context on this topic.
The main problem with going only with ^9.1.0 and skipping the entire 8.x line is that any future changes such as bugfixes and enhancements for this integration need to be backported to 8.x versions following our backporting guide, which needs 3 PRs per every change.
I am also unsure if customers on 8.x would upgrade to 9.1 any sooner, because it's a major version upgrade.
After discussing with @maxcold, we are going ahead with version constraint: version: "^8.19.0 || ^9.1.0". Will go ahead and merge the PR.
cc: @nick-alayil
maxcold left a comment
Tested everything except the latest change of removing vulnerability.package. Looks good! Thanks for the very fast feedback loop!
For visibility: though approved, we are waiting from product and leadership decision on whether we can make these changes available starting from both 8.19 and 9.1 or only 9.1. I will update when we have a final decision. Pls don't merge before that
Search for CVE id in all search params instead of only name (#221099)

## Summary

While reviewing Tenable mapping for CDR elastic/integrations#13636 noticed that CVE link is not rendered for the following case

```
vulnerability.reference: [
  'http://www.nessus.org/u?5b3cb0db',
  'https://www.cve.org/CVERecord?id=CVE-2022-2068',
  'https://www.openssl.org/news/secadv/20220621.txt',
];
vulnerability.id: ['CVE-2022-2068']
```

due to the find utility looking only into `name` search param. Fixing that by iterating over all params

### Checklist

Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well.

- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Search for CVE id in all search params instead of only name (#221099) (#221602)

# Backport

This will backport the following commits from `main` to `8.19`:
- [Search for CVE id in all search params instead of only name (#221099)](#221099)

### Questions ?

Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport)

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
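The Kibana bug described in the commit message above, reproduced as an added Python example (not Kibana's code): the original lookup only inspected a reference URL's `name` query parameter, so the cve.org link carrying `id=CVE-2022-2068` was never matched, while the fixed lookup inspects every query parameter. The reference list and CVE id are the ones quoted in the commit message; the function names are my own.

```python
from typing import Dict, List, Optional
from urllib.parse import parse_qsl, urlsplit

# Reference URLs and CVE id taken from the commit message above.
REFERENCES = [
    "http://www.nessus.org/u?5b3cb0db",
    "https://www.cve.org/CVERecord?id=CVE-2022-2068",
    "https://www.openssl.org/news/secadv/20220621.txt",
]
CVE_IDS = ["CVE-2022-2068"]


def query_values(url: str, only_param: Optional[str] = None) -> List[str]:
    """Values of the URL's query parameters, optionally restricted to one parameter name."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [value for name, value in pairs if only_param is None or name == only_param]


def cve_links(
    references: List[str], cve_ids: List[str], only_param: Optional[str] = None
) -> Dict[str, Optional[str]]:
    """Map each CVE id to the first reference whose query parameters carry it.

    only_param="name" reproduces the original (buggy) behaviour that matched only
    a `name` parameter; the default of None is the fix, which checks every parameter.
    """
    links: Dict[str, Optional[str]] = {}
    for cve in cve_ids:
        wanted = cve.upper()
        links[cve] = next(
            (ref for ref in references
             if wanted in (value.upper() for value in query_values(ref, only_param))),
            None,
        )
    return links
```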
/test

💚 Build Succeeded

cc @kcreddy
| # newer versions go on top | ||
| - version: "4.0.0" | ||
| changes: | ||
| - description: Add mappings required for Cloud Detection and Response (CDR) vulnerability workflow. |
I think it would be helpful to specify what the breaking changes are and include any advice we might have for users who are upgrading (if applicable).
Just missed this comment and merged it 😞.
I will create a quick PR with the list of changes and update documentation regarding the transform and its requirements.
Essentially there are a few important mappings that were updated, and the addition of a transform adds at least 2X data and also requires Transform nodes, all of which the users could be made aware of.
Package tenable_io - 4.0.0 containing this change is available at https://epr.elastic.co/package/tenable_io/4.0.0/




How to test this PR locally

Both pipeline and system tests should pass:

```
cd packages/tenable_io && elastic-package build && elastic-package stack up -d -v --version=8.19.0-SNAPSHOT && eval "$(elastic-package stack shellinit)" && elastic-package test pipeline --generate -v
cd packages/tenable_io && elastic-package build && elastic-package stack up -d -v --version=8.19.0-SNAPSHOT && eval "$(elastic-package stack shellinit)" && elastic-package test system --generate -v --data-streams=vulnerability
```

Screenshots

Ingested source data: (screenshot)
Transform running: (screenshot)
Populating destination index: (screenshot)