Add new AWS Security Hub Findings Full Posture data stream and update misconfig transform to use it

.github/CODEOWNERS

@@ -58,6 +58,7 @@
 /packages/aws/data_stream/s3_storage_lens @elastic/obs-infraobs-integrations
 /packages/aws/data_stream/s3access @elastic/obs-ds-hosted-services
 /packages/aws/data_stream/securityhub_findings @elastic/security-service-integrations
+/packages/aws/data_stream/securityhub_findings_full_posture @elastic/security-service-integrations
 /packages/aws/data_stream/securityhub_insights @elastic/security-service-integrations
 /packages/aws/data_stream/sns @elastic/obs-infraobs-integrations
 /packages/aws/data_stream/sqs @elastic/obs-infraobs-integrations

packages/aws/_dev/build/docs/securityhub.md

@@ -22,6 +22,7 @@ The [AWS Security Hub](https://docs.aws.amazon.com/securityhub/) integration col
 
   1. For the current integration package, it is recommended to have interval in hours.
   2. For the current integration package, it is compulsory to add Secret Access Key and Access Key ID.
+  3. Findings Full Posture data stream request all the historical findings every 24 hours.
 
 ## Logs
 
@@ -37,6 +38,18 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur
 
 {{fields "securityhub_findings"}}
 
+### Findings Full Posture
+
+This is the [`securityhub_findings_full_posture`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_GetFindings.html#API_GetFindings_ResponseElements) data stream.
+
+{{event "securityhub_findings_full_posture"}}
+
+**ECS Field Reference**
+
+Please refer to the following [document](https://www.elastic.co/guide/en/ecs/current/ecs-field-reference.html) for detailed information on ECS fields.
+
+{{fields "securityhub_findings_full_posture"}}
+
 ### Insights
 
 This is the [`securityhub_insights`](https://docs.aws.amazon.com/securityhub/1.0/APIReference/API_GetInsights.html#API_GetInsights_ResponseElements) data stream.

packages/aws/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "3.0.0"
+  changes:
+    - description: Add new Security Hub Findings Full Posture data stream. If you rely on Findings > Misconfigurations view, enable this new data stream.
+      type: breaking-change
+      link: https://github.com/elastic/integrations/pull/13372
 - version: "2.45.2"
   changes:
     - description: Update grok pattern for AWS S3 access ingest pipeline
@@ -11,14 +16,14 @@
       link: https://github.com/elastic/integrations/pull/13350
 - version: "2.45.0"
   changes:
-  - description: Update default data_stream.dataset to aws.cloudwatch_logs for cloudwatch_logs data stream.
-    type: breaking-change
-    link: https://github.com/elastic/integrations/pull/13370
+    - description: Update default data_stream.dataset to aws.cloudwatch_logs for cloudwatch_logs data stream.
+      type: breaking-change
+      link: https://github.com/elastic/integrations/pull/13370
 - version: "2.44.0"
   changes:
-  - description: Add `actor.entity.id` and `target.entity.id`
-    type: enhancement
-    link: https://github.com/elastic/integrations/pull/12685
+    - description: Add `actor.entity.id` and `target.entity.id`
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/12685
 - version: "2.43.0"
   changes:
     - description: Set `event.type` and `event.action` fields in vpcflow logs.
@@ -41,7 +46,7 @@
       link: https://github.com/elastic/integrations/pull/12755
 - version: "2.40.0"
   changes:
-    - description: Add support for Kibana `9.0.0` 
+    - description: Add support for Kibana `9.0.0`
       type: enhancement
       link: https://github.com/elastic/integrations/pull/12637
 - version: "2.39.0"

packages/aws/data_stream/securityhub_findings_full_posture/_dev/deploy/docker/docker-compose.yml

@@ -0,0 +1,17 @@
+version: '2.3'
+services:
+  securityhub_full_posture:
+    image: docker.elastic.co/observability/stream:v0.15.0
+    hostname: securityhub.xxxx.amazonaws.cn
+    ports:
+      - 443
+    volumes:
+      - ./files:/files:ro
+    environment:
+      PORT: "443"
+    command:
+      - http-server
+      - --addr=:443
+      - --config=/files/config.yml
+      - --tls-cert=/files/certificate.crt
+      - --tls-key=/files/private.key

packages/aws/data_stream/securityhub_findings_full_posture/_dev/deploy/docker/files/certificate.crt

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDUjCCAjoCCQDQ1VVKJuqgWjANBgkqhkiG9w0BAQsFADBrMQswCQYDVQQGEwJY
+WDEVMBMGA1UEBwwMRGVmYXVsdCBDaXR5MRwwGgYDVQQKDBNEZWZhdWx0IENvbXBh
+bnkgTHRkMScwJQYDVQQDDB5zZWN1cml0eWh1Yi54eHh4LmFtYXpvbmF3cy5jb20w
+HhcNMjIwNzA2MDg1MTUwWhcNMjMwNzA2MDg1MTUwWjBrMQswCQYDVQQGEwJYWDEV
+MBMGA1UEBwwMRGVmYXVsdCBDaXR5MRwwGgYDVQQKDBNEZWZhdWx0IENvbXBhbnkg
+THRkMScwJQYDVQQDDB5zZWN1cml0eWh1Yi54eHh4LmFtYXpvbmF3cy5jb20wggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDhyLkZGxIdXMUb8UuD16U67hGi
+/W7SvhtHLkQGbHTWAD7+AAg5ybbBFa2LTf3G5lprgJ/nUAl5N2i7CnSOlRxm6yKU
+VeyXPzQ8327sb7Y1pm07hU2Y+unKXcCjQi4lgF9GUXgRFYGxzIiwbG52XgZNJ4Cq
+TWXAlRi8J4nJbSPty3R6wt2+bxIGf9/v6VoBpj0Ltal7aM9/YTGYkc+PprcoK6+x
+o5IzXha4iedNLjVRl7MLkP57BmDTTJpdO8OraddWjm1/I3kG5Lyu19A9URMg47vW
+L7IOtOZzfDNyCYbFwqNMHk62AVpTOYqL/icNlX+EpUxX4kyVhd4W0Y9xBs5HAgMB
+AAEwDQYJKoZIhvcNAQELBQADggEBAFA+VI+UgD2ldDLkfoCG+BNtasm9dyJvuer+
+9+R8IyMDL0O8ppLSpKny7MbTLFKymIkTFJzCKf3+q5cL/y4W5YRPsm3tYD8wzBfN
+o+sG2e1UlmMtv0vU4dsmoeHqYFyuxuDlgtH0FynCYgh+Xo6s6zPpNi48QsLebIf9
+Bp0lgklIyHpVhMTwUua5P0t00ecKvkCNf51x/apqyRYBdoAvrwQ9IRVPmvu/iQCR
+3AMQH0dhaDjS3aVzKyRrhu+jjEAFRV5yVr64LTkQAWzMb6yz1KaQa0OjXNV1wX4F
+/k5zhqX0C0HAvDkSKXqwtUXl8jKyvP3Ogwddzg17932lVJe/3jc=
+-----END CERTIFICATE-----

packages/aws/data_stream/securityhub_findings_full_posture/_dev/deploy/docker/files/config.yml

@@ -0,0 +1,7 @@
+rules:
+  - path: /findings
+    methods: ["POST"]
+    responses:
+      - status_code: 200
+        body: |
+          {"Findings":[{"Action":{"ActionType":"PORT_PROBE","PortProbeAction":{"PortProbeDetails":[{"LocalPortDetails":{"Port":80,"PortName":"HTTP"},"LocalIpDetails":{"IpAddressV4":"1.128.0.0"},"RemoteIpDetails":{"Country":{"CountryName":"Example Country"},"City":{"CityName":"Example City"},"GeoLocation":{"Lon":0,"Lat":0},"Organization":{"AsnOrg":"ExampleASO","Org":"ExampleOrg","Isp":"ExampleISP","Asn":64496}}}],"Blocked":false}},"AwsAccountId":"111111111111","CompanyName":"AWS","Compliance":{"RelatedRequirements":["Req1","Req2"],"Status":"PASSED","StatusReasons":[{"ReasonCode":"CLOUDWATCH_ALARMS_NOT_PRESENT","Description":"CloudWatch alarms do not exist in the account"}]},"Confidence":42,"CreatedAt":"2017-03-22T13:22:13.933Z","Criticality":99,"Description":"The version of openssl found on instance i-abcd1234 is known to contain a vulnerability.","FindingProviderFields":{"Confidence":42,"Criticality":99,"RelatedFindings":[{"ProductArn":"arn:aws:securityhub:us-west-2::product/aws/guardduty","Id":"123e4567-e89b-12d3-a456-426655440000"}],"Severity":{"Label":"MEDIUM","Original":"MEDIUM"},"Types":["Software and Configuration Checks/Vulnerabilities/CVE"]},"FirstObservedAt":"2017-03-22T13:22:13.933Z","GeneratorId":"acme-vuln-9ab348","Id":"us-west-2/111111111111/98aebb2207407c87f51e89943f12b1ef","LastObservedAt":"2017-03-23T13:22:13.933Z","Malware":[{"Name":"Stringler","Type":"COIN_MINER","Path":"/usr/sbin/stringler","State":"OBSERVED"}],"Network":{"Direction":"IN","OpenPortRange":{"Begin":443,"End":443},"Protocol":"TCP","SourceIpV4":"1.128.0.0","SourceIpV6":"2a02:cf40::","SourcePort":"42","SourceDomain":"example1.com","SourceMac":"00:0d:83:b1:c0:8e","DestinationIpV4":"1.128.0.0","DestinationIpV6":"2a02:cf40::","DestinationPort":"80","DestinationDomain":"example2.com"},"NetworkPath":[{"ComponentId":"abc-01a234bc56d8901ee","ComponentType":"AWS::EC2::InternetGateway","Egress":{"Destination":{"Address":["1.128.0.0/24"],"PortRanges":[{"Begin":443,"End":443}]},"Protocol":"TCP","Source":{"Address":["175.16.199.1/24"]}},"Ingress":{"Destination":{"Address":["175.16.199.1/24"],"PortRanges":[{"Begin":443,"End":443}]},"Protocol":"TCP","Source":{"Address":["175.16.199.1/24"]}}}],"Note":{"Text":"Don't forget to check under the mat.","UpdatedBy":"jsmith","UpdatedAt":"2018-08-31T00:15:09Z"},"PatchSummary":{"Id":"pb-123456789098","InstalledCount":"100","MissingCount":"100","FailedCount":"0","InstalledOtherCount":"1023","InstalledRejectedCount":"0","InstalledPendingReboot":"0","OperationStartTime":"2018-09-27T23:37:31Z","OperationEndTime":"2018-09-27T23:39:31Z","RebootOption":"RebootIfNeeded","Operation":"Install"},"Process":{"Name":"syslogd","Path":"/usr/sbin/syslogd","Pid":12345,"ParentPid":56789,"LaunchedAt":"2018-09-27T22:37:31Z","TerminatedAt":"2018-09-27T23:37:31Z"},"ProductArn":"arn:aws:securityhub:us-east-1:111111111111:product/111111111111/default","ProductFields":{"generico/secure-pro/Count":"6","Service_Name":"cloudtrail.amazonaws.com","aws/inspector/AssessmentTemplateName":"My daily CVE assessment","aws/inspector/AssessmentTargetName":"My prod env","aws/inspector/RulesPackageName":"Common Vulnerabilities and Exposures"},"ProductName":"Security Hub","RecordState":"ACTIVE","Region":"us-east-1","RelatedFindings":[{"ProductArn":"arn:aws:securityhub:us-west-2::product/aws/guardduty","Id":"123e4567-e89b-12d3-a456-426655440000"},{"ProductArn":"arn:aws:securityhub:us-west-2::product/aws/guardduty","Id":"AcmeNerfHerder-111111111111-x189dx7824"}],"Remediation":{"Recommendation":{"Text":"Run sudo yum update and cross your fingers and toes.","Url":"http://myfp.com/recommendations/dangerous_things_and_how_to_fix_them.html"}},"Resources":[{"Type":"AwsEc2Instance","Id":"i-cafebabe","Partition":"aws","Region":"us-west-2","Tags":{"billingCode":"Lotus-1-2-3","needsPatching":"true"},"Details":{"IamInstanceProfileArn":"arn:aws:iam::123456789012:role/IamInstanceProfileArn","ImageId":"ami-79fd7eee","IpV4Addresses":["175.16.199.1"],"IpV6Addresses":["2a02:cf40::"],"KeyName":"testkey","LaunchedAt":"2018-09-29T01:25:54Z","MetadataOptions":{"HttpEndpoint":"enabled","HttpProtocolIpv6":"enabled","HttpPutResponseHopLimit":1,"HttpTokens":"optional","InstanceMetadataTags":"disabled"},"NetworkInterfaces":[{"NetworkInterfaceId":"eni-e5aa89a3"}],"SubnetId":"PublicSubnet","Type":"i3.xlarge","VirtualizationType":"hvm","VpcId":"TestVPCIpv6"}}],"Sample":true,"SchemaVersion":"2018-10-08","Severity":{"Label":"CRITICAL","Original":"8.3"},"SourceUrl":"http://threatintelweekly.org/backdoors/8888","ThreatIntelIndicators":[{"Type":"IPV4_ADDRESS","Value":"175.16.199.1","Category":"BACKDOOR","LastObservedAt":"2018-09-27T23:37:31Z","Source":"Threat Intel Weekly","SourceUrl":"http://threatintelweekly.org/backdoors/8888"}],"Threats":[{"FilePaths":[{"FileName":"b.txt","FilePath":"/tmp/b.txt","Hash":"sha256","ResourceId":"arn:aws:ec2:us-west-2:123456789012:volume/vol-032f3bdd89aee112f"}],"ItemCount":3,"Name":"Iot.linux.mirai.vwisi","Severity":"HIGH"}],"Title":"EC2.20 Both VPN tunnels for an AWS Site-to-Site VPN connection should be up","Types":["Software and Configuration Checks/Vulnerabilities/CVE"],"UpdatedAt":"2018-08-31T00:15:09Z","UserDefinedFields":{"reviewedByCio":"true","comeBackToLater":"Check this again on Monday"},"VerificationState":"UNKNOWN","Vulnerabilities":[{"Cvss":[{"BaseScore":4.7,"BaseVector":"AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","Version":"V3"},{"BaseScore":4.7,"BaseVector":"AV:L/AC:M/Au:N/C:C/I:N/A:N","Version":"V2"}],"Id":"CVE-2020-12345","ReferenceUrls":["http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12418","http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17563"],"RelatedVulnerabilities":["CVE-2020-12345"],"Vendor":{"Name":"Alas","Url":"https://alas.aws.amazon.com/ALAS-2020-1337.html","VendorCreatedAt":"2020-01-16T00:01:43Z","VendorSeverity":"Medium","VendorUpdatedAt":"2020-01-16T00:01:43Z"},"VulnerablePackages":[{"Architecture":"x86_64","Epoch":"1","Name":"openssl","Release":"16.amzn2.0.3","Version":"1.0.2k"}]}],"Workflow":{"Status":"NEW"},"WorkflowState":"NEW"}]}

packages/aws/data_stream/securityhub_findings_full_posture/_dev/deploy/docker/files/private.key

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDhyLkZGxIdXMUb
+8UuD16U67hGi/W7SvhtHLkQGbHTWAD7+AAg5ybbBFa2LTf3G5lprgJ/nUAl5N2i7
+CnSOlRxm6yKUVeyXPzQ8327sb7Y1pm07hU2Y+unKXcCjQi4lgF9GUXgRFYGxzIiw
+bG52XgZNJ4CqTWXAlRi8J4nJbSPty3R6wt2+bxIGf9/v6VoBpj0Ltal7aM9/YTGY
+kc+PprcoK6+xo5IzXha4iedNLjVRl7MLkP57BmDTTJpdO8OraddWjm1/I3kG5Lyu
+19A9URMg47vWL7IOtOZzfDNyCYbFwqNMHk62AVpTOYqL/icNlX+EpUxX4kyVhd4W
+0Y9xBs5HAgMBAAECggEAF21MR16XspQ9n3iZ7UQi0MqC6faB2TwAeJJEXKZEOTAt
+WQ2HzPcxDzfAmgOtoUWlfCIMdWPIl9s38rBTB7hRChy7qciAk/Dq6qYETGQK8+Yg
+z1w1gPoH6AdyRX5Ia3u2ZwVs/9jLbDdct3GIxJ9c6ASBRSpitGjD+EHh+hRo9fNE
+bnTNCS9roukGIyXbRDJMplAoCLNI+HVjTkjWPq4mff6EeYuTCjPKoJVzsrp8Ecai
+Rf9a444KeUFlE4rcNmFtHJiVohJiPpIF85DUb8RBfVr8xSdoG6QHxaTcjbk3nPd2
+/x+NSY5O5PkEXbQpsBZmEo1Aba1qjeRg2pCNsP9tgQKBgQDxNBtroNv7uWMeQMKf
+fj4FtyvFfgfBt4fdUZblW60sWbRu2PnrwDyFxGGX+KKVFrKauS2R8SfSvX230kGl
+vbKXSxo10XjmmY0Kaulet7z9awjK+yTcj3HKqVpjCdZK0KO1FXwZ45hwM7ewB6KI
+xukbZPORJwbwIjBYAGt0mfSaTQKBgQDvondtX11L0qjDoqcW5a6o2cdkj1MjBfP+
+AKZqOKDNNeHG3hT/YWfcFUis/UXMV7TBG4NQuIRGu5xZn3WbxgynHx3/QiVKG90/
+m56hsAStcVHTVcPcAh48jgYF60u60jgUhBcyrAZpsskul+oY/v16Eutx5QqjGjnc
+3bmFZe/s4wKBgB2SeOYqM65aHVfhMrthO/NxcLFm8UaD3Ol6jliSc9njKacJfSK1
+T/ZKjHiYaD6FKOKlX3vsKCjDSL2XzqqmZlX8RDti8kK7grpLP094kXg0fkB8qBlO
+kPH673UDCL3ldJzIBI4cBF2FSbkQRpIkaQINz3r1YPliB7FSY9pI4d9lAoGAWGyz
+8vjonUz7l00SqQFR5N6PlAzLGbZdpVGqFrIUrASA7ngOeXoA8BYufh7rPY7zlPpJ
+B2U+8jbSZ8POiw+Wpah20jUfO2xyxMDw1Sr1Xubc0cXpAusJK0Eg+dgsVqCxruhb
+Awi1SRV+5SGLcXPOJtiKZrmkpjDMPzLV/WJzGQ8CgYAbcMtnLshdYVNXfutWgSm2
+TqYfGm/L+njAFXfSnIxotIw0jQVt/uB0okcNAHKTn1elCxC0v0BZDsSUhxToUGk+
+x1wfip3SVhR5sYg8HBYbDCkTKZerleeW5PzcFFf+BY4DxR+8yWNEA1PrAejKyXk5
+Id0GFdKT0A2niGndkyL7/A==
+-----END PRIVATE KEY-----

packages/aws/data_stream/securityhub_findings_full_posture/_dev/test/pipeline/test-common-config.yml

@@ -0,0 +1,6 @@
+fields:
+  tags:
+    - preserve_original_event
+    - preserve_duplicate_custom_fields
+dynamic_fields:
+  "@timestamp": ".*"