diff --git a/packages/wiz/_dev/build/docs/README.md b/packages/wiz/_dev/build/docs/README.md index f5e292f3180..71b1964c18b 100644 --- a/packages/wiz/_dev/build/docs/README.md +++ b/packages/wiz/_dev/build/docs/README.md 
@@ -98,16 +98,18 @@ Agentless deployments are only supported in Elastic Serverless and Elastic Cloud - Vulnerability data is fetched for the previous day. - Custom headers are not supported in this integration. Only the standard Authorization header (for example, Bearer token) is used for API requests. -### Troubleshooting +### Transforms -The transforms used in the Wiz integration depend on the presence of the `event.ingested` field to function correctly. +The Wiz integration creates transforms to support [CDR](https://www.elastic.co/what-is/cloud-detection-response), for the following data streams: -When using Fleet-managed Elastic Agents, the `.fleet_final_pipeline-1` is automatically executed and ensures that the `event.ingested` field is added to all events. +| Data stream name | Transform destination alias | +|-------------------------------------------------------|-------------------------------------------------| +| `logs-wiz.vulnerability-*` | `security_solution-wiz.vulnerability_latest` | +| `logs-wiz.cloud_configuration_finding_full_posture-*` | `security_solution-wiz.misconfiguration_latest` | -However, when using standalone Elastic Agents, this pipeline is not applied, and the `event.ingested` field is not automatically added. +The source data streams contain historical events and are suitable for most uses, while the aliased transform destination indexes provide a view of the current state of Wiz findings to support Elastic Security CDR workflows. The dashboards included in the Wiz integration use the source data streams. -📌 Action Required (for standalone agents): -You must manually add the `event.ingested` field, preferably via a custom ingest pipeline (e.g., using the @custom pipeline). +The transforms use `event.ingested` as their sync field. Fleet-managed Elastic Agents add this field automatically but for other setups this field might need to be added separately. ## Logs reference 
diff --git a/packages/wiz/_dev/deploy/docker/files/config-cloud_configuration_finding.yml b/packages/wiz/_dev/deploy/docker/files/config-cloud_configuration_finding.yml index 008793fc332..7bc869f03bf 100644 --- a/packages/wiz/_dev/deploy/docker/files/config-cloud_configuration_finding.yml +++ b/packages/wiz/_dev/deploy/docker/files/config-cloud_configuration_finding.yml 
@@ -20,7 +20,7 @@ rules: Content-Type: - application/json body: | - {"data": {"configurationFindings": {"nodes": [{"analyzedAt":"2024-08-07T12:55:52.012378Z","id":"1243196d-a365-589a-a8aa-13817c9877b2","remediation":null,"resource":{"id":"f0f4163d-cbd7-517c-ba9e-f96bb90ab5ea","name":"Root user","nativeType":"rootUser","providerId":"arn:aws:iam::998231069301:root","region":null,"cloudPlatform":"EKS","subscription":{"cloudProvider":"AWS","externalId":"998231069301","id":"94e76baa-85fd-5928-b829-1669a2ca9660","name":"wiz-integrations"},"tags":[],"type":"USER_ACCOUNT"},"result":"PASS","rule":{"description":"This rule checks if the AWS Root Account has access keys. \nThis rule fails if `AccountAccessKeysPresent` is not set to `0`. Note that it does not take into consideration the status of the keys if present. \nThe root account should avoid using access keys. Since the root account has full permissions across the entire account, creating access keys for it increases the chance that they will be compromised. Instead, it is recommended to create IAM users with predefined roles.\n>**Note** \nSee Cloud Configuration Rule `IAM-207` to see if the Root account's access keys are active.","id":"563ed717-4fb6-47fd-929e-9c794e201d0a","name":"Root account access keys should not exist","remediationInstructions":"Perform the following steps, while being signed in as the Root user, in order to delete the root user's access keys via AWS CLI: \n1. Use the following command to list the Root user's access keys. \nCopy the `AccessKeyId` from the output and paste it into the `access-key-id` value in the next step. \n```\naws iam list-access-keys\n```\n2. Use the following command to delete the access key(s). 
\n```\naws iam delete-access-key /\n --access-key-id \n```\n>**Note** \nOnce an access key is removed, any application using it will not work until a new one is configured for it.","shortId":"IAM-006"},"severity":"MEDIUM"}],"pageInfo": {"hasNextPage": true,"endCursor": "eyJmaWVsZHMiOlt7IkZpZWxkIjoiVGltZXN0YW1wIiwiVmFsdWUiOiIyMDIzLTA5LTA0VDExOjE5OjM3LjgwMTU0MVoifV19"}}}} + {"data": {"configurationFindings": {"nodes": [{"analyzedAt":"2024-08-07T12:55:52.012378Z","updatedAt":"2024-08-07T12:55:52.012378Z","id":"1243196d-a365-589a-a8aa-13817c9877b2","remediation":null,"resource":{"id":"f0f4163d-cbd7-517c-ba9e-f96bb90ab5ea","name":"Root user","nativeType":"rootUser","providerId":"arn:aws:iam::998231069301:root","region":null,"cloudPlatform":"EKS","subscription":{"cloudProvider":"AWS","externalId":"998231069301","id":"94e76baa-85fd-5928-b829-1669a2ca9660","name":"wiz-integrations"},"tags":[],"type":"USER_ACCOUNT"},"result":"PASS","rule":{"description":"This rule checks if the AWS Root Account has access keys. \nThis rule fails if `AccountAccessKeysPresent` is not set to `0`. Note that it does not take into consideration the status of the keys if present. \nThe root account should avoid using access keys. Since the root account has full permissions across the entire account, creating access keys for it increases the chance that they will be compromised. Instead, it is recommended to create IAM users with predefined roles.\n>**Note** \nSee Cloud Configuration Rule `IAM-207` to see if the Root account's access keys are active.","id":"563ed717-4fb6-47fd-929e-9c794e201d0a","name":"Root account access keys should not exist","remediationInstructions":"Perform the following steps, while being signed in as the Root user, in order to delete the root user's access keys via AWS CLI: \n1. Use the following command to list the Root user's access keys. \nCopy the `AccessKeyId` from the output and paste it into the `access-key-id` value in the next step. 
\n```\naws iam list-access-keys\n```\n2. Use the following command to delete the access key(s). \n```\naws iam delete-access-key /\n --access-key-id \n```\n>**Note** \nOnce an access key is removed, any application using it will not work until a new one is configured for it.","shortId":"IAM-006"},"severity":"MEDIUM"}],"pageInfo": {"hasNextPage": true,"endCursor": "eyJmaWVsZHMiOlt7IkZpZWxkIjoiVGltZXN0YW1wIiwiVmFsdWUiOiIyMDIzLTA5LTA0VDExOjE5OjM3LjgwMTU0MVoifV19"}}}} - path: /graphql methods: ['POST'] request_headers: 
@@ -33,4 +33,4 @@ rules: Content-Type: - application/json body: |- - {"data": {"configurationFindings": {"nodes": [{"analyzedAt":"2024-08-15T11:41:17.517926Z","id":"6fe49e83-2f3a-5b62-99de-beae16c7bfae","remediation":null,"resource":{"id":"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f","name":"annam-vm","nativeType":"Microsoft.Compute/virtualMachines","providerId":"80045425-a0a9-4457-82c2-2c5f47419d83","region":"eastus","subscription":{"cloudProvider":"Azure","externalId":"434f3cbb-30f2-4bc0-8bba-cb080280652b","id":"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db","name":"partner integrations"},"tags":[],"type":"VIRTUAL_MACHINE"},"result":"PASS","rule":{"description":"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. 
\nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.","id":"56c8890d-ad68-4659-9414-fb0ed7258c31","name":"Virtual Machine should not be stopped (allocated) for more than a week","remediationInstructions":"Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate\n```","shortId":"VirtualMachines-021"},"severity":"LOW","evidence":{"cloudConfigurationLink":"https://learn.microsoft.com/en-us/azure/virtual-machines/states-billing","configurationPath":null,"currentValue":"The VM is stopped(allocated) since 2024-08-15","expectedValue":"The VM should be used or deallocated"}}],"pageInfo": {"hasNextPage": false,"endCursor": "eMJmaWVsZIkZpZWxkIjoiVGltZXN0YW1wIiwiVmFsdWUiOiIyMDIzLTA5LTA0VDExOjE5OjM3LjgwMTU0MVoifV19"}}}} + {"data": {"configurationFindings": {"nodes": [{"analyzedAt":"2024-08-15T11:41:17.517926Z","updatedAt":"2024-08-15T11:41:17.517926Z","id":"6fe49e83-2f3a-5b62-99de-beae16c7bfae","remediation":null,"resource":{"id":"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f","name":"annam-vm","nativeType":"Microsoft.Compute/virtualMachines","providerId":"80045425-a0a9-4457-82c2-2c5f47419d83","region":"eastus","subscription":{"cloudProvider":"Azure","externalId":"434f3cbb-30f2-4bc0-8bba-cb080280652b","id":"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db","name":"partner integrations"},"tags":[],"type":"VIRTUAL_MACHINE"},"result":"PASS","rule":{"description":"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). 
If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. \nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.","id":"56c8890d-ad68-4659-9414-fb0ed7258c31","name":"Virtual Machine should not be stopped (allocated) for more than a week","remediationInstructions":"Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate\n```","shortId":"VirtualMachines-021"},"severity":"LOW","evidence":{"cloudConfigurationLink":"https://learn.microsoft.com/en-us/azure/virtual-machines/states-billing","configurationPath":null,"currentValue":"The VM is stopped(allocated) since 2024-08-15","expectedValue":"The VM should be used or deallocated"}}],"pageInfo": {"hasNextPage": false,"endCursor": "eMJmaWVsZIkZpZWxkIjoiVGltZXN0YW1wIiwiVmFsdWUiOiIyMDIzLTA5LTA0VDExOjE5OjM3LjgwMTU0MVoifV19"}}}} diff --git a/packages/wiz/_dev/deploy/docker/files/config-cloud_configuration_finding_full_posture.yml b/packages/wiz/_dev/deploy/docker/files/config-cloud_configuration_finding_full_posture.yml index 12d25aaf9e0..f30f175a35d 100644 --- a/packages/wiz/_dev/deploy/docker/files/config-cloud_configuration_finding_full_posture.yml +++ b/packages/wiz/_dev/deploy/docker/files/config-cloud_configuration_finding_full_posture.yml @@ -27,6 +27,7 @@ rules: "nodes": [ { "analyzedAt": "2024-08-07T12:55:52.012378Z", + "updatedAt": "2024-08-07T12:55:52.012378Z", "id": "1243196d-a365-589a-a8aa-13817c9877b2", "remediation": null, "resource": { @@ -83,6 +84,7 @@ rules: "nodes": [ { "analyzedAt": "2024-08-15T11:41:17.517926Z", + "updatedAt": "2024-08-15T11:41:17.517926Z", "id": "6fe49e83-2f3a-5b62-99de-beae16c7bfae", "remediation": null, "resource": { 
diff --git a/packages/wiz/changelog.yml b/packages/wiz/changelog.yml index 93d880b71ed..3619cfce31a 100644 --- a/packages/wiz/changelog.yml +++ b/packages/wiz/changelog.yml @@ -1,4 +1,30 @@ # newer versions go on top +- version: "4.3.0" + changes: + - description: | + Server interaction fix: Set the right User-Agent header value. + type: bugfix + link: https://github.com/elastic/integrations/pull/19203 + - description: | + Server interaction fix: use `updatedAt` rather than `analyzedAt` in queries for cloud configuration finding data. + type: bugfix + link: https://github.com/elastic/integrations/pull/19203 + - description: | + Server interaction improvements: Set a static request rate of 0.5 rps per data stream, increase retries. + type: enhancement + link: https://github.com/elastic/integrations/pull/19203 + - description: | + Settings improvements: Clear the URL default value, tolerate URLs with a `/graphql` path, make `cloud_configuration_finding_full_posture`'s 24h interval an advanced option for potential use in debugging or workarounds, make Token URL a non-advanced settings since it can vary, inform the user the interval settings must be 5m or longer. + type: enhancement + link: https://github.com/elastic/integrations/pull/19203 + - description: | + Dashboard improvements: Use panel-level filters, fix the navigation/overview panel formatting. + type: enhancement + link: https://github.com/elastic/integrations/pull/19203 + - description: | + Documentation improvements: Explain transforms better in the README, chang to a vector logo file, add a screenshot of the config UI. + type: enhancement + link: https://github.com/elastic/integrations/pull/19203 - version: "4.2.0" changes: - description: Add timestamp range filter and storage tier exclusion to latest transform source queries to reduce scan scope and improve performance. 
diff --git a/packages/wiz/data_stream/audit/agent/stream/cel.yml.hbs b/packages/wiz/data_stream/audit/agent/stream/cel.yml.hbs index d7ae779c360..82ae0655cb6 100644 --- a/packages/wiz/data_stream/audit/agent/stream/cel.yml.hbs +++ b/packages/wiz/data_stream/audit/agent/stream/cel.yml.hbs @@ -13,6 +13,8 @@ resource.ssl: {{ssl}} {{#if http_client_timeout}} resource.timeout: {{http_client_timeout}} {{/if}} +resource.rate_limit.limit: {{resource_rate_limit_limit}} +resource.retry.max_attempts: {{resource_retry_max_attempts}} resource.url: {{url}} auth.oauth2: client.id: {{client_id}} @@ -59,9 +61,9 @@ max_executions: {{max_executions}} {{/if}} program: | state.with( - post_request( - state.url.trim_right("/") + "/graphql", - "application/json", + request( + "POST", + state.url.trim_right("/").trim_suffix("/graphql") + "/graphql", { "query": state.query, "variables": { @@ -77,7 +79,12 @@ program: | } } }.encode_json() - ).do_request().as(resp, resp.StatusCode == 200 ? + ).with({ + "Header": { + "Content-Type": ["application/json"], + "User-Agent": [useragent], + }, + }).do_request().as(resp, resp.StatusCode == 200 ? bytes(resp.Body).decode_json().as(body, body.?data.auditLogEntries.nodes.orValue(null) != null ? { "events": body.data.auditLogEntries.nodes.map(e, { diff --git a/packages/wiz/data_stream/audit/manifest.yml b/packages/wiz/data_stream/audit/manifest.yml index 39b216fecea..f327ca83a7c 100644 --- a/packages/wiz/data_stream/audit/manifest.yml +++ b/packages/wiz/data_stream/audit/manifest.yml @@ -18,7 +18,7 @@ streams: - name: interval type: text title: Interval - description: Duration between requests to the Wiz API. Supported units for this parameter are h/m/s. + description: Duration between requests to the Wiz API. Must be 5m or longer. Supported units for this parameter are h/m/s. default: 5m multi: false required: true 
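Review bot: The two added lines `resource.rate_limit.limit: {{resource_rate_limit_limit}}` and `resource.retry.max_attempts: {{resource_retry_max_attempts}}` are rendered unconditionally, whereas the neighbouring `resource.timeout` is wrapped in `{{#if http_client_timeout}}`; the matching manifest entries (hunk `@@ -39,6 +39,22 @@` of data_stream/audit/manifest.yml) declare both variables `required: false`, so a policy that clears either field renders an empty scalar such as `resource.rate_limit.limit: `, which a YAML loader reads as null rather than the intended default. Guarding each setting the same way as the timeout, `{{#if resource_rate_limit_limit}}` / `resource.rate_limit.limit: {{resource_rate_limit_limit}}` / `{{/if}}`, keeps the rendered input config valid; marking both variables `required: true` in the manifest would be the alternative. If the other data streams' templates received the same change, they are outside this diff and would need the same guard.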
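Review bot: The added header entry `"User-Agent": [useragent],` refers to `useragent`, which is not defined in any visible hunk of this program; unless the CEL input supplies it as an environment variable, the program would fail at compile time, so confirm where it comes from (input environment or a `state` field) and, if it is a `state` field, name the setting that populates it. With `post_request` replaced by `request("POST", …)`, the `Content-Type` header is now set explicitly in the same `Header` map, which is visible and correct. The enclosing `program:` block scalar starts before this hunk and the `do_request().as(resp, …)` expression continues past it.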
@@ -39,6 +39,22 @@ streams: required: true show_user: false default: 30s + - name: resource_rate_limit_limit + type: text + title: Resource Rate Limit + description: The maximum request rate for the HTTP client, in requests per second. + multi: false + required: false + show_user: false + default: "0.5" + - name: resource_retry_max_attempts + type: text + title: Resource Retry Max Attempts + description: Maximum number of retries for the HTTP client. + multi: false + required: false + show_user: false + default: "10" - name: max_executions type: integer title: Maximum Pages Per Interval diff --git a/packages/wiz/data_stream/cloud_configuration_finding/_dev/test/pipeline/test-cloud-configuration-finding.log b/packages/wiz/data_stream/cloud_configuration_finding/_dev/test/pipeline/test-cloud-configuration-finding.log index 28c8516df89..4271fd05649 100644 --- a/packages/wiz/data_stream/cloud_configuration_finding/_dev/test/pipeline/test-cloud-configuration-finding.log +++ b/packages/wiz/data_stream/cloud_configuration_finding/_dev/test/pipeline/test-cloud-configuration-finding.log 
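Review bot: `resource_retry_max_attempts` is declared `type: text` with `default: "10"`, while the adjacent `max_executions` in this hunk's context uses `type: integer`; a retry count is an integer, and declaring it as `type: integer` with `default: 10` lets Fleet reject non-numeric input instead of passing it through to the template. `type: text` is appropriate for `resource_rate_limit_limit`, whose default `"0.5"` is fractional. Since both variables are `required: false`, the descriptions could also state what happens when the field is left empty, e.g. `description: The maximum request rate for the HTTP client, in requests per second. Leave empty to use the default.`, so the behaviour is documented in the settings UI.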
@@ -1,7 +1,7 @@ -{"id":"bdeba988-f41b-55e6-9b99-96b8d3dc67d4","targetExternalId":"k8s/pod/da99fd668e64c2def251b1d48b7b69ad3129638787a0f9144a993fe30fd4554f/default/cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx","targetObjectProviderUniqueId":"cd971d74-92db-495c-8244-82da9a988fd0","firstSeenAt":"2023-06-12T11:38:07.900129Z","analyzedAt":"2023-06-12T11:38:07.900129Z","severity":"LOW","result":"FAIL","status":"OPEN","remediation":"Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \r\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . \r\n* `securityContext.capabilities.drop` key is set to `ALL`. \r\n","resource":{"id":"0e814bb7-29e8-5c15-be9c-8da42c67ee99","providerId":"provider-id-0e814bb7-29e8-5c15-be9c-8da42c67ee99","name":"cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx","nativeType":"Pod","type":"POD","region":null,"subscription":{"id":"a3a3cc43-1dfd-50f1-882e-692840d4a891","name":"Wiz - DEV Outpost","externalId":"cfd132be-3bc7-4f86-8efd-ed53ae498fec","cloudProvider":"Azure"},"projects":null,"tags":[{"key":"pod-template-hash","value":"8bc677d64"},{"key":"app.kubernetes.io/name","value":"azure-cluster-autoscaler"},{"key":"app.kubernetes.io/instance","value":"cluster-autoscaler"}]},"rule":{"id":"73553de7-f2ad-4ffb-b425-c69815033530","shortId":"Pod-32","graphId":"99ffeef7-75df-5c88-9265-5ab50ffbc2b9","name":"Pod should run containers with authorized additional capabilities (PSS Restricted)","description":"This rule is part of the Kubernetes [Pod Security Standards (PSS) restricted policies](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). \nThis rule checks whether the pod is running containers with authorized additional capabilities. 
\nThis rule fails if the `securityContext.capabilities.add` contains any capability beyond `NET_BIND_SERVICE` and if `securityContext.capabilities.drop` is not set to `ALL`. \nBy default, if the `securityContext.capabilities.add` key is not set, the pod will not run with additional capabilities, and the rule will pass. \nLinux capabilities allow granting certain privileges to a container without granting any unnecessary ones intended for the root user.","remediationInstructions":"Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \r\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . \r\n* `securityContext.capabilities.drop` key is set to `ALL`. \r\n","functionAsControl":false},"securitySubCategories":[{"id":"wsct-id-5206","title":"Container Security","category":{"id":"wct-id-423","name":"9 Container Security","framework":{"id":"wf-id-1","name":"Wiz"}}},{"id":"wsct-id-8176","title":"5.1 Containers should not run with additional capabilities","category":{"id":"wct-id-1295","name":"5 Capabilities","framework":{"id":"wf-id-57","name":"Kubernetes Pod Security Standards (Restricted)"}}},{"id":"wsct-id-8344","title":"Cluster misconfiguration","category":{"id":"wct-id-1169","name":"2 Container & Kubernetes Security","framework":{"id":"wf-id-53","name":"Wiz Detailed"}}}]} -{"analyzedAt":"2024-08-07T12:55:52.012378Z","id":"1243196d-a365-589a-a8aa-13817c9877b2","remediation":null,"resource":{"id":"f0f4163d-cbd7-517c-ba9e-f96bb90ab5ea","name":"Root user","nativeType":"rootUser","providerId":"arn:aws:iam::998231069301:root","region":null,"cloudPlatform":"EKS","subscription":{"cloudProvider":"AWS","externalId":"998231069301","id":"94e76baa-85fd-5928-b829-1669a2ca9660","name":"wiz-integrations"},"tags":[],"type":"USER_ACCOUNT"},"result":"PASS","rule":{"description":"This rule checks if the AWS Root Account has access keys. 
\nThis rule fails if `AccountAccessKeysPresent` is not set to `0`. Note that it does not take into consideration the status of the keys if present. \nThe root account should avoid using access keys. Since the root account has full permissions across the entire account, creating access keys for it increases the chance that they will be compromised. Instead, it is recommended to create IAM users with predefined roles.\n>**Note** \nSee Cloud Configuration Rule `IAM-207` to see if the Root account's access keys are active.","id":"563ed717-4fb6-47fd-929e-9c794e201d0a","name":"Root account access keys should not exist","remediationInstructions":"Perform the following steps, while being signed in as the Root user, in order to delete the root user's access keys via AWS CLI: \n1. Use the following command to list the Root user's access keys. \nCopy the `AccessKeyId` from the output and paste it into the `access-key-id` value in the next step. \n```\naws iam list-access-keys\n```\n2. Use the following command to delete the access key(s). \n```\naws iam delete-access-key /\n --access-key-id \n```\n>**Note** \nOnce an access key is removed, any application using it will not work until a new one is configured for it.","shortId":"IAM-006"},"severity":"MEDIUM"} -{"analyzedAt":"2024-08-15T11:41:17.517926Z","id":"6fe49e83-2f3a-5b62-99de-beae16c7bfae","remediation":null,"resource":{"id":"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f","name":"annam-vm","nativeType":"Microsoft.Compute/virtualMachines","providerId":"80045425-a0a9-4457-82c2-2c5f47419d83","region":"eastus","subscription":{"cloudProvider":"Azure","externalId":"434f3cbb-30f2-4bc0-8bba-cb080280652b","id":"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db","name":"partner integrations"},"tags":[],"type":"VIRTUAL_MACHINE"},"result":"PASS","rule":{"description":"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. 
\nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. \nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.","id":"56c8890d-ad68-4659-9414-fb0ed7258c31","name":"Virtual Machine should not be stopped (allocated) for more than a week","remediationInstructions":"Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```","shortId":"VirtualMachines-021"},"severity":"LOW","evidence":{"cloudConfigurationLink":"https://learn.microsoft.com/en-us/azure/virtual-machines/states-billing","configurationPath":null,"currentValue":"The VM is stopped(allocated) since 2024-08-15","expectedValue":"The VM should be used or deallocated"}} -{"analyzedAt":"2024-08-15T11:41:17.517926Z","id":"6fe49e83-2f3a-5b62-99de-beae16c7bfae","remediation":null,"resource":{"id":"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f","name":"annam-VM","nativeType":"Microsoft.Compute/virtualMachines","providerId":"80045425-a0a9-4457-82c2-2c5f47419d83","region":"eastus","subscription":{"cloudProvider":"Azure","externalId":"434f3cbb-30f2-4bc0-8bba-cb080280652b","id":"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db","name":"partner integrations"},"tags":[],"type":"VIRTUAL_MACHINE"},"result":"IN_PROGRESS","rule":{"description":"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. 
\nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. \nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.","id":"56c8890d-ad68-4659-9414-fb0ed7258c31","name":"Virtual Machine should not be stopped (allocated) for more than a week","remediationInstructions":"Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```","shortId":"VirtualMachines-021"},"severity":"LOW"} -{"analyzedAt":"2024-08-15T11:41:17.517926Z","id":"6fe49e83-2f3a-5b62-99de-beae16c7bfae","remediation":null,"resource":{"id":"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f","name":"annam-VM","nativeType":"Microsoft.Compute/virtualMachines","providerId":"80045425-a0a9-4457-82c2-2c5f47419d83","region":"eastus","subscription":{"cloudProvider":"Azure","externalId":"434f3cbb-30f2-4bc0-8bba-cb080280652b","id":"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db","name":"partner integrations"},"tags":[],"type":"VIRTUAL_MACHINE"},"result":"IN_PROGRESS","rule":{"description":"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). 
This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. \nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.","id":"56c8890d-ad68-4659-9414-fb0ed7258c31","name":"Virtual Machine should not be stopped (allocated) for more than a week","remediationInstructions":"Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```","shortId":"VirtualMachines-021"},"severity":"LOW"} -{"analyzedAt":"2024-08-15T11:41:17.517926Z","id":"6fe49e83-2f3a-5b62-99de-beae16c7bfae-empty-provider-id","remediation":null,"resource":{"id":"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f","name":"annam-VM","nativeType":"Microsoft.Compute/virtualMachines","providerId":"","region":"eastus","subscription":{"cloudProvider":"Azure","externalId":"434f3cbb-30f2-4bc0-8bba-cb080280652b","id":"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db","name":"partner integrations"},"tags":[],"type":"VIRTUAL_MACHINE"},"result":"IN_PROGRESS","rule":{"description":"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. 
The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. \nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.","id":"56c8890d-ad68-4659-9414-fb0ed7258c31","name":"Virtual Machine should not be stopped (allocated) for more than a week","remediationInstructions":"Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```","shortId":"VirtualMachines-021"},"severity":"LOW"} -{"analyzedAt":"2024-08-15T11:41:17.517926Z","id":"6fe49e83-2f3a-5b62-99de-beae16c7bfae-missing-provider-id","remediation":null,"resource":{"id":"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f","name":"annam-VM","nativeType":"Microsoft.Compute/virtualMachines","region":"eastus","subscription":{"cloudProvider":"Azure","externalId":"434f3cbb-30f2-4bc0-8bba-cb080280652b","id":"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db","name":"partner integrations"},"tags":[],"type":"VIRTUAL_MACHINE"},"result":"IN_PROGRESS","rule":{"description":"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. 
\nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.","id":"56c8890d-ad68-4659-9414-fb0ed7258c31","name":"Virtual Machine should not be stopped (allocated) for more than a week","remediationInstructions":"Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```","shortId":"VirtualMachines-021"},"severity":"LOW"} \ No newline at end of file +{"id":"bdeba988-f41b-55e6-9b99-96b8d3dc67d4","targetExternalId":"k8s/pod/da99fd668e64c2def251b1d48b7b69ad3129638787a0f9144a993fe30fd4554f/default/cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx","targetObjectProviderUniqueId":"cd971d74-92db-495c-8244-82da9a988fd0","firstSeenAt":"2023-06-12T11:38:07.900129Z","analyzedAt":"2023-06-12T11:38:07.900129Z","updatedAt":"2023-06-12T11:38:07.900129Z","severity":"LOW","result":"FAIL","status":"OPEN","remediation":"Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \r\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . \r\n* `securityContext.capabilities.drop` key is set to `ALL`. 
\r\n","resource":{"id":"0e814bb7-29e8-5c15-be9c-8da42c67ee99","providerId":"provider-id-0e814bb7-29e8-5c15-be9c-8da42c67ee99","name":"cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx","nativeType":"Pod","type":"POD","region":null,"subscription":{"id":"a3a3cc43-1dfd-50f1-882e-692840d4a891","name":"Wiz - DEV Outpost","externalId":"cfd132be-3bc7-4f86-8efd-ed53ae498fec","cloudProvider":"Azure"},"projects":null,"tags":[{"key":"pod-template-hash","value":"8bc677d64"},{"key":"app.kubernetes.io/name","value":"azure-cluster-autoscaler"},{"key":"app.kubernetes.io/instance","value":"cluster-autoscaler"}]},"rule":{"id":"73553de7-f2ad-4ffb-b425-c69815033530","shortId":"Pod-32","graphId":"99ffeef7-75df-5c88-9265-5ab50ffbc2b9","name":"Pod should run containers with authorized additional capabilities (PSS Restricted)","description":"This rule is part of the Kubernetes [Pod Security Standards (PSS) restricted policies](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). \nThis rule checks whether the pod is running containers with authorized additional capabilities. \nThis rule fails if the `securityContext.capabilities.add` contains any capability beyond `NET_BIND_SERVICE` and if `securityContext.capabilities.drop` is not set to `ALL`. \nBy default, if the `securityContext.capabilities.add` key is not set, the pod will not run with additional capabilities, and the rule will pass. \nLinux capabilities allow granting certain privileges to a container without granting any unnecessary ones intended for the root user.","remediationInstructions":"Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \r\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . \r\n* `securityContext.capabilities.drop` key is set to `ALL`. 
\r\n","functionAsControl":false},"securitySubCategories":[{"id":"wsct-id-5206","title":"Container Security","category":{"id":"wct-id-423","name":"9 Container Security","framework":{"id":"wf-id-1","name":"Wiz"}}},{"id":"wsct-id-8176","title":"5.1 Containers should not run with additional capabilities","category":{"id":"wct-id-1295","name":"5 Capabilities","framework":{"id":"wf-id-57","name":"Kubernetes Pod Security Standards (Restricted)"}}},{"id":"wsct-id-8344","title":"Cluster misconfiguration","category":{"id":"wct-id-1169","name":"2 Container & Kubernetes Security","framework":{"id":"wf-id-53","name":"Wiz Detailed"}}}]} +{"analyzedAt":"2024-08-07T12:55:52.012378Z","updatedAt":"2024-08-07T12:55:52.012378Z","id":"1243196d-a365-589a-a8aa-13817c9877b2","remediation":null,"resource":{"id":"f0f4163d-cbd7-517c-ba9e-f96bb90ab5ea","name":"Root user","nativeType":"rootUser","providerId":"arn:aws:iam::998231069301:root","region":null,"cloudPlatform":"EKS","subscription":{"cloudProvider":"AWS","externalId":"998231069301","id":"94e76baa-85fd-5928-b829-1669a2ca9660","name":"wiz-integrations"},"tags":[],"type":"USER_ACCOUNT"},"result":"PASS","rule":{"description":"This rule checks if the AWS Root Account has access keys. \nThis rule fails if `AccountAccessKeysPresent` is not set to `0`. Note that it does not take into consideration the status of the keys if present. \nThe root account should avoid using access keys. Since the root account has full permissions across the entire account, creating access keys for it increases the chance that they will be compromised. 
Instead, it is recommended to create IAM users with predefined roles.\n>**Note** \nSee Cloud Configuration Rule `IAM-207` to see if the Root account's access keys are active.","id":"563ed717-4fb6-47fd-929e-9c794e201d0a","name":"Root account access keys should not exist","remediationInstructions":"Perform the following steps, while being signed in as the Root user, in order to delete the root user's access keys via AWS CLI: \n1. Use the following command to list the Root user's access keys. \nCopy the `AccessKeyId` from the output and paste it into the `access-key-id` value in the next step. \n```\naws iam list-access-keys\n```\n2. Use the following command to delete the access key(s). \n```\naws iam delete-access-key /\n --access-key-id \n```\n>**Note** \nOnce an access key is removed, any application using it will not work until a new one is configured for it.","shortId":"IAM-006"},"severity":"MEDIUM"} +{"analyzedAt":"2024-08-15T11:41:17.517926Z","updatedAt":"2024-08-15T11:41:17.517926Z","id":"6fe49e83-2f3a-5b62-99de-beae16c7bfae","remediation":null,"resource":{"id":"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f","name":"annam-vm","nativeType":"Microsoft.Compute/virtualMachines","providerId":"80045425-a0a9-4457-82c2-2c5f47419d83","region":"eastus","subscription":{"cloudProvider":"Azure","externalId":"434f3cbb-30f2-4bc0-8bba-cb080280652b","id":"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db","name":"partner integrations"},"tags":[],"type":"VIRTUAL_MACHINE"},"result":"PASS","rule":{"description":"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). 
If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. \nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.","id":"56c8890d-ad68-4659-9414-fb0ed7258c31","name":"Virtual Machine should not be stopped (allocated) for more than a week","remediationInstructions":"Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```","shortId":"VirtualMachines-021"},"severity":"LOW","evidence":{"cloudConfigurationLink":"https://learn.microsoft.com/en-us/azure/virtual-machines/states-billing","configurationPath":null,"currentValue":"The VM is stopped(allocated) since 2024-08-15","expectedValue":"The VM should be used or deallocated"}} +{"analyzedAt":"2024-08-15T11:41:17.517926Z","updatedAt":"2024-08-15T11:41:17.517926Z","id":"6fe49e83-2f3a-5b62-99de-beae16c7bfae","remediation":null,"resource":{"id":"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f","name":"annam-VM","nativeType":"Microsoft.Compute/virtualMachines","providerId":"80045425-a0a9-4457-82c2-2c5f47419d83","region":"eastus","subscription":{"cloudProvider":"Azure","externalId":"434f3cbb-30f2-4bc0-8bba-cb080280652b","id":"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db","name":"partner integrations"},"tags":[],"type":"VIRTUAL_MACHINE"},"result":"IN_PROGRESS","rule":{"description":"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). 
If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. \nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.","id":"56c8890d-ad68-4659-9414-fb0ed7258c31","name":"Virtual Machine should not be stopped (allocated) for more than a week","remediationInstructions":"Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```","shortId":"VirtualMachines-021"},"severity":"LOW"} +{"analyzedAt":"2024-08-15T11:41:17.517926Z","updatedAt":"2024-08-15T11:41:17.517926Z","id":"6fe49e83-2f3a-5b62-99de-beae16c7bfae","remediation":null,"resource":{"id":"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f","name":"annam-VM","nativeType":"Microsoft.Compute/virtualMachines","providerId":"80045425-a0a9-4457-82c2-2c5f47419d83","region":"eastus","subscription":{"cloudProvider":"Azure","externalId":"434f3cbb-30f2-4bc0-8bba-cb080280652b","id":"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db","name":"partner integrations"},"tags":[],"type":"VIRTUAL_MACHINE"},"result":"IN_PROGRESS","rule":{"description":"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. 
\nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.","id":"56c8890d-ad68-4659-9414-fb0ed7258c31","name":"Virtual Machine should not be stopped (allocated) for more than a week","remediationInstructions":"Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```","shortId":"VirtualMachines-021"},"severity":"LOW"} +{"analyzedAt":"2024-08-15T11:41:17.517926Z","updatedAt":"2024-08-15T11:41:17.517926Z","id":"6fe49e83-2f3a-5b62-99de-beae16c7bfae-empty-provider-id","remediation":null,"resource":{"id":"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f","name":"annam-VM","nativeType":"Microsoft.Compute/virtualMachines","providerId":"","region":"eastus","subscription":{"cloudProvider":"Azure","externalId":"434f3cbb-30f2-4bc0-8bba-cb080280652b","id":"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db","name":"partner integrations"},"tags":[],"type":"VIRTUAL_MACHINE"},"result":"IN_PROGRESS","rule":{"description":"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. 
\nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.","id":"56c8890d-ad68-4659-9414-fb0ed7258c31","name":"Virtual Machine should not be stopped (allocated) for more than a week","remediationInstructions":"Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```","shortId":"VirtualMachines-021"},"severity":"LOW"} +{"analyzedAt":"2024-08-15T11:41:17.517926Z","updatedAt":"2024-08-15T11:41:17.517926Z","id":"6fe49e83-2f3a-5b62-99de-beae16c7bfae-missing-provider-id","remediation":null,"resource":{"id":"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f","name":"annam-VM","nativeType":"Microsoft.Compute/virtualMachines","region":"eastus","subscription":{"cloudProvider":"Azure","externalId":"434f3cbb-30f2-4bc0-8bba-cb080280652b","id":"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db","name":"partner integrations"},"tags":[],"type":"VIRTUAL_MACHINE"},"result":"IN_PROGRESS","rule":{"description":"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. 
\nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.","id":"56c8890d-ad68-4659-9414-fb0ed7258c31","name":"Virtual Machine should not be stopped (allocated) for more than a week","remediationInstructions":"Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```","shortId":"VirtualMachines-021"},"severity":"LOW"}
diff --git a/packages/wiz/data_stream/cloud_configuration_finding/_dev/test/pipeline/test-cloud-configuration-finding.log-expected.json b/packages/wiz/data_stream/cloud_configuration_finding/_dev/test/pipeline/test-cloud-configuration-finding.log-expected.json
index 301044ecb3b..1f7501ddf50 100644
--- a/packages/wiz/data_stream/cloud_configuration_finding/_dev/test/pipeline/test-cloud-configuration-finding.log-expected.json
+++ b/packages/wiz/data_stream/cloud_configuration_finding/_dev/test/pipeline/test-cloud-configuration-finding.log-expected.json
@@ -19,7 +19,7 @@ "created": "2023-06-12T11:38:07.900Z", "id": "bdeba988-f41b-55e6-9b99-96b8d3dc67d4", "kind": "state", - "original": "{\"id\":\"bdeba988-f41b-55e6-9b99-96b8d3dc67d4\",\"targetExternalId\":\"k8s/pod/da99fd668e64c2def251b1d48b7b69ad3129638787a0f9144a993fe30fd4554f/default/cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx\",\"targetObjectProviderUniqueId\":\"cd971d74-92db-495c-8244-82da9a988fd0\",\"firstSeenAt\":\"2023-06-12T11:38:07.900129Z\",\"analyzedAt\":\"2023-06-12T11:38:07.900129Z\",\"severity\":\"LOW\",\"result\":\"FAIL\",\"status\":\"OPEN\",\"remediation\":\"Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \\r\\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . \\r\\n* `securityContext.capabilities.drop` key is set to `ALL`. \\r\\n\",\"resource\":{\"id\":\"0e814bb7-29e8-5c15-be9c-8da42c67ee99\",\"providerId\":\"provider-id-0e814bb7-29e8-5c15-be9c-8da42c67ee99\",\"name\":\"cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx\",\"nativeType\":\"Pod\",\"type\":\"POD\",\"region\":null,\"subscription\":{\"id\":\"a3a3cc43-1dfd-50f1-882e-692840d4a891\",\"name\":\"Wiz - DEV Outpost\",\"externalId\":\"cfd132be-3bc7-4f86-8efd-ed53ae498fec\",\"cloudProvider\":\"Azure\"},\"projects\":null,\"tags\":[{\"key\":\"pod-template-hash\",\"value\":\"8bc677d64\"},{\"key\":\"app.kubernetes.io/name\",\"value\":\"azure-cluster-autoscaler\"},{\"key\":\"app.kubernetes.io/instance\",\"value\":\"cluster-autoscaler\"}]},\"rule\":{\"id\":\"73553de7-f2ad-4ffb-b425-c69815033530\",\"shortId\":\"Pod-32\",\"graphId\":\"99ffeef7-75df-5c88-9265-5ab50ffbc2b9\",\"name\":\"Pod should run containers with authorized additional capabilities (PSS Restricted)\",\"description\":\"This rule is part of the Kubernetes [Pod Security Standards (PSS) restricted 
policies](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). \\nThis rule checks whether the pod is running containers with authorized additional capabilities. \\nThis rule fails if the `securityContext.capabilities.add` contains any capability beyond `NET_BIND_SERVICE` and if `securityContext.capabilities.drop` is not set to `ALL`. \\nBy default, if the `securityContext.capabilities.add` key is not set, the pod will not run with additional capabilities, and the rule will pass. \\nLinux capabilities allow granting certain privileges to a container without granting any unnecessary ones intended for the root user.\",\"remediationInstructions\":\"Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \\r\\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . \\r\\n* `securityContext.capabilities.drop` key is set to `ALL`. \\r\\n\",\"functionAsControl\":false},\"securitySubCategories\":[{\"id\":\"wsct-id-5206\",\"title\":\"Container Security\",\"category\":{\"id\":\"wct-id-423\",\"name\":\"9 Container Security\",\"framework\":{\"id\":\"wf-id-1\",\"name\":\"Wiz\"}}},{\"id\":\"wsct-id-8176\",\"title\":\"5.1 Containers should not run with additional capabilities\",\"category\":{\"id\":\"wct-id-1295\",\"name\":\"5 Capabilities\",\"framework\":{\"id\":\"wf-id-57\",\"name\":\"Kubernetes Pod Security Standards (Restricted)\"}}},{\"id\":\"wsct-id-8344\",\"title\":\"Cluster misconfiguration\",\"category\":{\"id\":\"wct-id-1169\",\"name\":\"2 Container & Kubernetes Security\",\"framework\":{\"id\":\"wf-id-53\",\"name\":\"Wiz Detailed\"}}}]}", + "original": 
"{\"id\":\"bdeba988-f41b-55e6-9b99-96b8d3dc67d4\",\"targetExternalId\":\"k8s/pod/da99fd668e64c2def251b1d48b7b69ad3129638787a0f9144a993fe30fd4554f/default/cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx\",\"targetObjectProviderUniqueId\":\"cd971d74-92db-495c-8244-82da9a988fd0\",\"firstSeenAt\":\"2023-06-12T11:38:07.900129Z\",\"analyzedAt\":\"2023-06-12T11:38:07.900129Z\",\"updatedAt\":\"2023-06-12T11:38:07.900129Z\",\"severity\":\"LOW\",\"result\":\"FAIL\",\"status\":\"OPEN\",\"remediation\":\"Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \\r\\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . \\r\\n* `securityContext.capabilities.drop` key is set to `ALL`. \\r\\n\",\"resource\":{\"id\":\"0e814bb7-29e8-5c15-be9c-8da42c67ee99\",\"providerId\":\"provider-id-0e814bb7-29e8-5c15-be9c-8da42c67ee99\",\"name\":\"cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx\",\"nativeType\":\"Pod\",\"type\":\"POD\",\"region\":null,\"subscription\":{\"id\":\"a3a3cc43-1dfd-50f1-882e-692840d4a891\",\"name\":\"Wiz - DEV Outpost\",\"externalId\":\"cfd132be-3bc7-4f86-8efd-ed53ae498fec\",\"cloudProvider\":\"Azure\"},\"projects\":null,\"tags\":[{\"key\":\"pod-template-hash\",\"value\":\"8bc677d64\"},{\"key\":\"app.kubernetes.io/name\",\"value\":\"azure-cluster-autoscaler\"},{\"key\":\"app.kubernetes.io/instance\",\"value\":\"cluster-autoscaler\"}]},\"rule\":{\"id\":\"73553de7-f2ad-4ffb-b425-c69815033530\",\"shortId\":\"Pod-32\",\"graphId\":\"99ffeef7-75df-5c88-9265-5ab50ffbc2b9\",\"name\":\"Pod should run containers with authorized additional capabilities (PSS Restricted)\",\"description\":\"This rule is part of the Kubernetes [Pod Security Standards (PSS) restricted policies](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). 
\\nThis rule checks whether the pod is running containers with authorized additional capabilities. \\nThis rule fails if the `securityContext.capabilities.add` contains any capability beyond `NET_BIND_SERVICE` and if `securityContext.capabilities.drop` is not set to `ALL`. \\nBy default, if the `securityContext.capabilities.add` key is not set, the pod will not run with additional capabilities, and the rule will pass. \\nLinux capabilities allow granting certain privileges to a container without granting any unnecessary ones intended for the root user.\",\"remediationInstructions\":\"Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \\r\\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . \\r\\n* `securityContext.capabilities.drop` key is set to `ALL`. \\r\\n\",\"functionAsControl\":false},\"securitySubCategories\":[{\"id\":\"wsct-id-5206\",\"title\":\"Container Security\",\"category\":{\"id\":\"wct-id-423\",\"name\":\"9 Container Security\",\"framework\":{\"id\":\"wf-id-1\",\"name\":\"Wiz\"}}},{\"id\":\"wsct-id-8176\",\"title\":\"5.1 Containers should not run with additional capabilities\",\"category\":{\"id\":\"wct-id-1295\",\"name\":\"5 Capabilities\",\"framework\":{\"id\":\"wf-id-57\",\"name\":\"Kubernetes Pod Security Standards (Restricted)\"}}},{\"id\":\"wsct-id-8344\",\"title\":\"Cluster misconfiguration\",\"category\":{\"id\":\"wct-id-1169\",\"name\":\"2 Container & Kubernetes Security\",\"framework\":{\"id\":\"wf-id-53\",\"name\":\"Wiz Detailed\"}}}]}", "outcome": "failure", "type": [ "info" 
@@ -73,7 +73,8 @@
 "name": "Pod should run containers with authorized additional capabilities (PSS Restricted)",
 "remediation_instructions": "Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \r\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . \r\n* `securityContext.capabilities.drop` key is set to `ALL`. \r\n",
 "short_id": "Pod-32"
- }
+ },
+ "updated_at": "2023-06-12T11:38:07.900Z"
 }
 }
 },
@@ -99,7 +100,7 @@ "created": "2024-08-07T12:55:52.012Z", "id": "1243196d-a365-589a-a8aa-13817c9877b2", "kind": "state", - "original": "{\"analyzedAt\":\"2024-08-07T12:55:52.012378Z\",\"id\":\"1243196d-a365-589a-a8aa-13817c9877b2\",\"remediation\":null,\"resource\":{\"id\":\"f0f4163d-cbd7-517c-ba9e-f96bb90ab5ea\",\"name\":\"Root user\",\"nativeType\":\"rootUser\",\"providerId\":\"arn:aws:iam::998231069301:root\",\"region\":null,\"cloudPlatform\":\"EKS\",\"subscription\":{\"cloudProvider\":\"AWS\",\"externalId\":\"998231069301\",\"id\":\"94e76baa-85fd-5928-b829-1669a2ca9660\",\"name\":\"wiz-integrations\"},\"tags\":[],\"type\":\"USER_ACCOUNT\"},\"result\":\"PASS\",\"rule\":{\"description\":\"This rule checks if the AWS Root Account has access keys. \\nThis rule fails if `AccountAccessKeysPresent` is not set to `0`. Note that it does not take into consideration the status of the keys if present. \\nThe root account should avoid using access keys. Since the root account has full permissions across the entire account, creating access keys for it increases the chance that they will be compromised. Instead, it is recommended to create IAM users with predefined roles.\\n>**Note** \\nSee Cloud Configuration Rule `IAM-207` to see if the Root account's access keys are active.\",\"id\":\"563ed717-4fb6-47fd-929e-9c794e201d0a\",\"name\":\"Root account access keys should not exist\",\"remediationInstructions\":\"Perform the following steps, while being signed in as the Root user, in order to delete the root user's access keys via AWS CLI: \\n1. Use the following command to list the Root user's access keys. \\nCopy the `AccessKeyId` from the output and paste it into the `access-key-id` value in the next step. \\n```\\naws iam list-access-keys\\n```\\n2. Use the following command to delete the access key(s). 
\\n```\\naws iam delete-access-key /\\n --access-key-id \\n```\\n>**Note** \\nOnce an access key is removed, any application using it will not work until a new one is configured for it.\",\"shortId\":\"IAM-006\"},\"severity\":\"MEDIUM\"}", + "original": "{\"analyzedAt\":\"2024-08-07T12:55:52.012378Z\",\"updatedAt\":\"2024-08-07T12:55:52.012378Z\",\"id\":\"1243196d-a365-589a-a8aa-13817c9877b2\",\"remediation\":null,\"resource\":{\"id\":\"f0f4163d-cbd7-517c-ba9e-f96bb90ab5ea\",\"name\":\"Root user\",\"nativeType\":\"rootUser\",\"providerId\":\"arn:aws:iam::998231069301:root\",\"region\":null,\"cloudPlatform\":\"EKS\",\"subscription\":{\"cloudProvider\":\"AWS\",\"externalId\":\"998231069301\",\"id\":\"94e76baa-85fd-5928-b829-1669a2ca9660\",\"name\":\"wiz-integrations\"},\"tags\":[],\"type\":\"USER_ACCOUNT\"},\"result\":\"PASS\",\"rule\":{\"description\":\"This rule checks if the AWS Root Account has access keys. \\nThis rule fails if `AccountAccessKeysPresent` is not set to `0`. Note that it does not take into consideration the status of the keys if present. \\nThe root account should avoid using access keys. Since the root account has full permissions across the entire account, creating access keys for it increases the chance that they will be compromised. Instead, it is recommended to create IAM users with predefined roles.\\n>**Note** \\nSee Cloud Configuration Rule `IAM-207` to see if the Root account's access keys are active.\",\"id\":\"563ed717-4fb6-47fd-929e-9c794e201d0a\",\"name\":\"Root account access keys should not exist\",\"remediationInstructions\":\"Perform the following steps, while being signed in as the Root user, in order to delete the root user's access keys via AWS CLI: \\n1. Use the following command to list the Root user's access keys. \\nCopy the `AccessKeyId` from the output and paste it into the `access-key-id` value in the next step. \\n```\\naws iam list-access-keys\\n```\\n2. Use the following command to delete the access key(s). 
\\n```\\naws iam delete-access-key /\\n --access-key-id \\n```\\n>**Note** \\nOnce an access key is removed, any application using it will not work until a new one is configured for it.\",\"shortId\":\"IAM-006\"},\"severity\":\"MEDIUM\"}",
 "outcome": "success",
 "type": [
 "info"
@@ -158,7 +159,8 @@
 "name": "Root account access keys should not exist",
 "remediation_instructions": "Perform the following steps, while being signed in as the Root user, in order to delete the root user's access keys via AWS CLI: \n1. Use the following command to list the Root user's access keys. \nCopy the `AccessKeyId` from the output and paste it into the `access-key-id` value in the next step. \n```\naws iam list-access-keys\n```\n2. Use the following command to delete the access key(s). \n```\naws iam delete-access-key /\n --access-key-id \n```\n>**Note** \nOnce an access key is removed, any application using it will not work until a new one is configured for it.",
 "short_id": "IAM-006"
- }
+ },
+ "updated_at": "2024-08-07T12:55:52.012Z"
 }
 }
 },
@@ -182,7 +184,7 @@ "created": "2024-08-15T11:41:17.517Z", "id": "6fe49e83-2f3a-5b62-99de-beae16c7bfae", "kind": "state", - "original": "{\"analyzedAt\":\"2024-08-15T11:41:17.517926Z\",\"id\":\"6fe49e83-2f3a-5b62-99de-beae16c7bfae\",\"remediation\":null,\"resource\":{\"id\":\"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f\",\"name\":\"annam-vm\",\"nativeType\":\"Microsoft.Compute/virtualMachines\",\"providerId\":\"80045425-a0a9-4457-82c2-2c5f47419d83\",\"region\":\"eastus\",\"subscription\":{\"cloudProvider\":\"Azure\",\"externalId\":\"434f3cbb-30f2-4bc0-8bba-cb080280652b\",\"id\":\"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db\",\"name\":\"partner integrations\"},\"tags\":[],\"type\":\"VIRTUAL_MACHINE\"},\"result\":\"PASS\",\"rule\":{\"description\":\"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \\nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \\nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. 
\\nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.\",\"id\":\"56c8890d-ad68-4659-9414-fb0ed7258c31\",\"name\":\"Virtual Machine should not be stopped (allocated) for more than a week\",\"remediationInstructions\":\"Perform the following command to deallocate the VM via Azure CLI:\\n```\\naz vm deallocate \\\\\\n\\t--ids {{vmId}}\\n```\",\"shortId\":\"VirtualMachines-021\"},\"severity\":\"LOW\",\"evidence\":{\"cloudConfigurationLink\":\"https://learn.microsoft.com/en-us/azure/virtual-machines/states-billing\",\"configurationPath\":null,\"currentValue\":\"The VM is stopped(allocated) since 2024-08-15\",\"expectedValue\":\"The VM should be used or deallocated\"}}", + "original": "{\"analyzedAt\":\"2024-08-15T11:41:17.517926Z\",\"updatedAt\":\"2024-08-15T11:41:17.517926Z\",\"id\":\"6fe49e83-2f3a-5b62-99de-beae16c7bfae\",\"remediation\":null,\"resource\":{\"id\":\"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f\",\"name\":\"annam-vm\",\"nativeType\":\"Microsoft.Compute/virtualMachines\",\"providerId\":\"80045425-a0a9-4457-82c2-2c5f47419d83\",\"region\":\"eastus\",\"subscription\":{\"cloudProvider\":\"Azure\",\"externalId\":\"434f3cbb-30f2-4bc0-8bba-cb080280652b\",\"id\":\"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db\",\"name\":\"partner integrations\"},\"tags\":[],\"type\":\"VIRTUAL_MACHINE\"},\"result\":\"PASS\",\"rule\":{\"description\":\"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \\nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \\nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). 
If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. \\nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.\",\"id\":\"56c8890d-ad68-4659-9414-fb0ed7258c31\",\"name\":\"Virtual Machine should not be stopped (allocated) for more than a week\",\"remediationInstructions\":\"Perform the following command to deallocate the VM via Azure CLI:\\n```\\naz vm deallocate \\\\\\n\\t--ids {{vmId}}\\n```\",\"shortId\":\"VirtualMachines-021\"},\"severity\":\"LOW\",\"evidence\":{\"cloudConfigurationLink\":\"https://learn.microsoft.com/en-us/azure/virtual-machines/states-billing\",\"configurationPath\":null,\"currentValue\":\"The VM is stopped(allocated) since 2024-08-15\",\"expectedValue\":\"The VM should be used or deallocated\"}}",
 "outcome": "success",
 "type": [
 "info"
@@ -251,7 +253,8 @@
 "name": "Virtual Machine should not be stopped (allocated) for more than a week",
 "remediation_instructions": "Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```",
 "short_id": "VirtualMachines-021"
- }
+ },
+ "updated_at": "2024-08-15T11:41:17.517Z"
 }
 }
 },
@@ -275,7 +278,7 @@ "created": "2024-08-15T11:41:17.517Z", "id": "6fe49e83-2f3a-5b62-99de-beae16c7bfae", "kind": "state", - "original": "{\"analyzedAt\":\"2024-08-15T11:41:17.517926Z\",\"id\":\"6fe49e83-2f3a-5b62-99de-beae16c7bfae\",\"remediation\":null,\"resource\":{\"id\":\"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f\",\"name\":\"annam-VM\",\"nativeType\":\"Microsoft.Compute/virtualMachines\",\"providerId\":\"80045425-a0a9-4457-82c2-2c5f47419d83\",\"region\":\"eastus\",\"subscription\":{\"cloudProvider\":\"Azure\",\"externalId\":\"434f3cbb-30f2-4bc0-8bba-cb080280652b\",\"id\":\"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db\",\"name\":\"partner integrations\"},\"tags\":[],\"type\":\"VIRTUAL_MACHINE\"},\"result\":\"IN_PROGRESS\",\"rule\":{\"description\":\"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \\nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \\nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. 
\\nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.\",\"id\":\"56c8890d-ad68-4659-9414-fb0ed7258c31\",\"name\":\"Virtual Machine should not be stopped (allocated) for more than a week\",\"remediationInstructions\":\"Perform the following command to deallocate the VM via Azure CLI:\\n```\\naz vm deallocate \\\\\\n\\t--ids {{vmId}}\\n```\",\"shortId\":\"VirtualMachines-021\"},\"severity\":\"LOW\"}", + "original": "{\"analyzedAt\":\"2024-08-15T11:41:17.517926Z\",\"updatedAt\":\"2024-08-15T11:41:17.517926Z\",\"id\":\"6fe49e83-2f3a-5b62-99de-beae16c7bfae\",\"remediation\":null,\"resource\":{\"id\":\"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f\",\"name\":\"annam-VM\",\"nativeType\":\"Microsoft.Compute/virtualMachines\",\"providerId\":\"80045425-a0a9-4457-82c2-2c5f47419d83\",\"region\":\"eastus\",\"subscription\":{\"cloudProvider\":\"Azure\",\"externalId\":\"434f3cbb-30f2-4bc0-8bba-cb080280652b\",\"id\":\"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db\",\"name\":\"partner integrations\"},\"tags\":[],\"type\":\"VIRTUAL_MACHINE\"},\"result\":\"IN_PROGRESS\",\"rule\":{\"description\":\"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \\nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \\nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. 
\\nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.\",\"id\":\"56c8890d-ad68-4659-9414-fb0ed7258c31\",\"name\":\"Virtual Machine should not be stopped (allocated) for more than a week\",\"remediationInstructions\":\"Perform the following command to deallocate the VM via Azure CLI:\\n```\\naz vm deallocate \\\\\\n\\t--ids {{vmId}}\\n```\",\"shortId\":\"VirtualMachines-021\"},\"severity\":\"LOW\"}",
 "outcome": "unknown",
 "type": [
 "info"
@@ -333,7 +336,8 @@
 "name": "Virtual Machine should not be stopped (allocated) for more than a week",
 "remediation_instructions": "Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```",
 "short_id": "VirtualMachines-021"
- }
+ },
+ "updated_at": "2024-08-15T11:41:17.517Z"
 }
 }
 },
@@ -357,7 +361,7 @@ "created": "2024-08-15T11:41:17.517Z", "id": "6fe49e83-2f3a-5b62-99de-beae16c7bfae", "kind": "state", - "original": "{\"analyzedAt\":\"2024-08-15T11:41:17.517926Z\",\"id\":\"6fe49e83-2f3a-5b62-99de-beae16c7bfae\",\"remediation\":null,\"resource\":{\"id\":\"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f\",\"name\":\"annam-VM\",\"nativeType\":\"Microsoft.Compute/virtualMachines\",\"providerId\":\"80045425-a0a9-4457-82c2-2c5f47419d83\",\"region\":\"eastus\",\"subscription\":{\"cloudProvider\":\"Azure\",\"externalId\":\"434f3cbb-30f2-4bc0-8bba-cb080280652b\",\"id\":\"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db\",\"name\":\"partner integrations\"},\"tags\":[],\"type\":\"VIRTUAL_MACHINE\"},\"result\":\"IN_PROGRESS\",\"rule\":{\"description\":\"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \\nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \\nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. 
\\nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.\",\"id\":\"56c8890d-ad68-4659-9414-fb0ed7258c31\",\"name\":\"Virtual Machine should not be stopped (allocated) for more than a week\",\"remediationInstructions\":\"Perform the following command to deallocate the VM via Azure CLI:\\n```\\naz vm deallocate \\\\\\n\\t--ids {{vmId}}\\n```\",\"shortId\":\"VirtualMachines-021\"},\"severity\":\"LOW\"}", + "original": "{\"analyzedAt\":\"2024-08-15T11:41:17.517926Z\",\"updatedAt\":\"2024-08-15T11:41:17.517926Z\",\"id\":\"6fe49e83-2f3a-5b62-99de-beae16c7bfae\",\"remediation\":null,\"resource\":{\"id\":\"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f\",\"name\":\"annam-VM\",\"nativeType\":\"Microsoft.Compute/virtualMachines\",\"providerId\":\"80045425-a0a9-4457-82c2-2c5f47419d83\",\"region\":\"eastus\",\"subscription\":{\"cloudProvider\":\"Azure\",\"externalId\":\"434f3cbb-30f2-4bc0-8bba-cb080280652b\",\"id\":\"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db\",\"name\":\"partner integrations\"},\"tags\":[],\"type\":\"VIRTUAL_MACHINE\"},\"result\":\"IN_PROGRESS\",\"rule\":{\"description\":\"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \\nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \\nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. 
\\nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.\",\"id\":\"56c8890d-ad68-4659-9414-fb0ed7258c31\",\"name\":\"Virtual Machine should not be stopped (allocated) for more than a week\",\"remediationInstructions\":\"Perform the following command to deallocate the VM via Azure CLI:\\n```\\naz vm deallocate \\\\\\n\\t--ids {{vmId}}\\n```\",\"shortId\":\"VirtualMachines-021\"},\"severity\":\"LOW\"}", "outcome": "unknown", "type": [ "info" @@ -415,7 +419,8 @@ "name": "Virtual Machine should not be stopped (allocated) for more than a week", "remediation_instructions": "Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```", "short_id": "VirtualMachines-021" - } + }, + "updated_at": "2024-08-15T11:41:17.517Z" } } }, 
@@ -439,7 +444,7 @@ "created": "2024-08-15T11:41:17.517Z", "id": "6fe49e83-2f3a-5b62-99de-beae16c7bfae-empty-provider-id", "kind": "state", - "original": "{\"analyzedAt\":\"2024-08-15T11:41:17.517926Z\",\"id\":\"6fe49e83-2f3a-5b62-99de-beae16c7bfae-empty-provider-id\",\"remediation\":null,\"resource\":{\"id\":\"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f\",\"name\":\"annam-VM\",\"nativeType\":\"Microsoft.Compute/virtualMachines\",\"providerId\":\"\",\"region\":\"eastus\",\"subscription\":{\"cloudProvider\":\"Azure\",\"externalId\":\"434f3cbb-30f2-4bc0-8bba-cb080280652b\",\"id\":\"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db\",\"name\":\"partner integrations\"},\"tags\":[],\"type\":\"VIRTUAL_MACHINE\"},\"result\":\"IN_PROGRESS\",\"rule\":{\"description\":\"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \\nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \\nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. 
\\nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.\",\"id\":\"56c8890d-ad68-4659-9414-fb0ed7258c31\",\"name\":\"Virtual Machine should not be stopped (allocated) for more than a week\",\"remediationInstructions\":\"Perform the following command to deallocate the VM via Azure CLI:\\n```\\naz vm deallocate \\\\\\n\\t--ids {{vmId}}\\n```\",\"shortId\":\"VirtualMachines-021\"},\"severity\":\"LOW\"}", + "original": "{\"analyzedAt\":\"2024-08-15T11:41:17.517926Z\",\"updatedAt\":\"2024-08-15T11:41:17.517926Z\",\"id\":\"6fe49e83-2f3a-5b62-99de-beae16c7bfae-empty-provider-id\",\"remediation\":null,\"resource\":{\"id\":\"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f\",\"name\":\"annam-VM\",\"nativeType\":\"Microsoft.Compute/virtualMachines\",\"providerId\":\"\",\"region\":\"eastus\",\"subscription\":{\"cloudProvider\":\"Azure\",\"externalId\":\"434f3cbb-30f2-4bc0-8bba-cb080280652b\",\"id\":\"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db\",\"name\":\"partner integrations\"},\"tags\":[],\"type\":\"VIRTUAL_MACHINE\"},\"result\":\"IN_PROGRESS\",\"rule\":{\"description\":\"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \\nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \\nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. 
\\nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.\",\"id\":\"56c8890d-ad68-4659-9414-fb0ed7258c31\",\"name\":\"Virtual Machine should not be stopped (allocated) for more than a week\",\"remediationInstructions\":\"Perform the following command to deallocate the VM via Azure CLI:\\n```\\naz vm deallocate \\\\\\n\\t--ids {{vmId}}\\n```\",\"shortId\":\"VirtualMachines-021\"},\"severity\":\"LOW\"}", "outcome": "unknown", "type": [ "info" @@ -496,7 +501,8 @@ "name": "Virtual Machine should not be stopped (allocated) for more than a week", "remediation_instructions": "Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```", "short_id": "VirtualMachines-021" - } + }, + "updated_at": "2024-08-15T11:41:17.517Z" } } }, 
@@ -520,7 +526,7 @@ "created": "2024-08-15T11:41:17.517Z", "id": "6fe49e83-2f3a-5b62-99de-beae16c7bfae-missing-provider-id", "kind": "state", - "original": "{\"analyzedAt\":\"2024-08-15T11:41:17.517926Z\",\"id\":\"6fe49e83-2f3a-5b62-99de-beae16c7bfae-missing-provider-id\",\"remediation\":null,\"resource\":{\"id\":\"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f\",\"name\":\"annam-VM\",\"nativeType\":\"Microsoft.Compute/virtualMachines\",\"region\":\"eastus\",\"subscription\":{\"cloudProvider\":\"Azure\",\"externalId\":\"434f3cbb-30f2-4bc0-8bba-cb080280652b\",\"id\":\"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db\",\"name\":\"partner integrations\"},\"tags\":[],\"type\":\"VIRTUAL_MACHINE\"},\"result\":\"IN_PROGRESS\",\"rule\":{\"description\":\"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \\nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \\nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. 
\\nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.\",\"id\":\"56c8890d-ad68-4659-9414-fb0ed7258c31\",\"name\":\"Virtual Machine should not be stopped (allocated) for more than a week\",\"remediationInstructions\":\"Perform the following command to deallocate the VM via Azure CLI:\\n```\\naz vm deallocate \\\\\\n\\t--ids {{vmId}}\\n```\",\"shortId\":\"VirtualMachines-021\"},\"severity\":\"LOW\"}", + "original": "{\"analyzedAt\":\"2024-08-15T11:41:17.517926Z\",\"updatedAt\":\"2024-08-15T11:41:17.517926Z\",\"id\":\"6fe49e83-2f3a-5b62-99de-beae16c7bfae-missing-provider-id\",\"remediation\":null,\"resource\":{\"id\":\"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f\",\"name\":\"annam-VM\",\"nativeType\":\"Microsoft.Compute/virtualMachines\",\"region\":\"eastus\",\"subscription\":{\"cloudProvider\":\"Azure\",\"externalId\":\"434f3cbb-30f2-4bc0-8bba-cb080280652b\",\"id\":\"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db\",\"name\":\"partner integrations\"},\"tags\":[],\"type\":\"VIRTUAL_MACHINE\"},\"result\":\"IN_PROGRESS\",\"rule\":{\"description\":\"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \\nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \\nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. 
\\nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.\",\"id\":\"56c8890d-ad68-4659-9414-fb0ed7258c31\",\"name\":\"Virtual Machine should not be stopped (allocated) for more than a week\",\"remediationInstructions\":\"Perform the following command to deallocate the VM via Azure CLI:\\n```\\naz vm deallocate \\\\\\n\\t--ids {{vmId}}\\n```\",\"shortId\":\"VirtualMachines-021\"},\"severity\":\"LOW\"}", "outcome": "unknown", "type": [ "info" @@ -577,7 +583,8 @@ "name": "Virtual Machine should not be stopped (allocated) for more than a week", "remediation_instructions": "Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```", "short_id": "VirtualMachines-021" - } + }, + "updated_at": "2024-08-15T11:41:17.517Z" } } } diff --git a/packages/wiz/data_stream/cloud_configuration_finding/agent/stream/cel.yml.hbs b/packages/wiz/data_stream/cloud_configuration_finding/agent/stream/cel.yml.hbs index e60b63f25df..f1806d882e8 100644 --- a/packages/wiz/data_stream/cloud_configuration_finding/agent/stream/cel.yml.hbs +++ b/packages/wiz/data_stream/cloud_configuration_finding/agent/stream/cel.yml.hbs @@ -13,6 +13,8 @@ resource.ssl: {{ssl}} {{#if http_client_timeout}} resource.timeout: {{http_client_timeout}} {{/if}} +resource.rate_limit.limit: {{resource_rate_limit_limit}} +resource.retry.max_attempts: {{resource_retry_max_attempts}} resource.url: {{url}} auth.oauth2: client.id: {{client_id}} @@ -33,6 +35,7 @@ state: nodes { id analyzedAt + updatedAt severity result remediation 
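Review bot: The two added `resource.*` lines are rendered unconditionally, while the neighbouring `resource.timeout` is wrapped in `{{#if http_client_timeout}}`; since the manifest declares both new variables with `required: false` (the `@@ -39,6 +39,22 @@` hunk of manifest.yml), a user who clears either value renders `resource.rate_limit.limit:` with nothing after the colon, which YAML reads as null rather than as "not configured". Guarding them the same way as the timeout, `{{#if resource_rate_limit_limit}}` / `resource.rate_limit.limit: {{resource_rate_limit_limit}}` / `{{/if}}` (and likewise for the retry line), keeps the input's own defaults in effect in that case. This note covers the manifest hunk as well, since the two only make sense together.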
@@ -80,16 +83,16 @@ max_executions: {{max_executions}} {{/if}} program: | state.with( - post_request( - state.url.trim_right("/") + "/graphql", - "application/json", + request( + "POST", + state.url.trim_right("/").trim_suffix("/graphql") + "/graphql", { "query": state.query, "variables": { "first": state.batch_size, "after": state.?end_cursor.value.orValue(null), "filterBy": { - "analyzedAt": { + "updatedAt": { "after": state.want_more ? state.?cursor.first_timestamp.orValue(null) : @@ -98,7 +101,12 @@ program: | } } }.encode_json() - ).do_request().as(resp, resp.StatusCode == 200 ? + ).with({ + "Header": { + "Content-Type": ["application/json"], + "User-Agent": [useragent], + }, + }).do_request().as(resp, resp.StatusCode == 200 ? bytes(resp.Body).decode_json().as(body, body.?data.configurationFindings.nodes.orValue(null) != null ? { "events": body.data.configurationFindings.nodes.map(e, { @@ -106,7 +114,7 @@ program: | }), "cursor": { ?"last_timestamp": body.data.configurationFindings.nodes.size() > 0 ? - optional.of(body.data.configurationFindings.nodes.map(e, timestamp(e.analyzedAt)).max().as(last, + optional.of(body.data.configurationFindings.nodes.map(e, timestamp(e.updatedAt)).max().as(last, has(state.?cursor.last_timestamp) && last < timestamp(state.cursor.last_timestamp) ? state.cursor.last_timestamp : diff --git a/packages/wiz/data_stream/cloud_configuration_finding/elasticsearch/ingest_pipeline/default.yml b/packages/wiz/data_stream/cloud_configuration_finding/elasticsearch/ingest_pipeline/default.yml index 9c22f035c90..28f9f4557fc 100644 --- a/packages/wiz/data_stream/cloud_configuration_finding/elasticsearch/ingest_pipeline/default.yml +++ b/packages/wiz/data_stream/cloud_configuration_finding/elasticsearch/ingest_pipeline/default.yml 
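Review bot: The persisted cursor changes meaning across this upgrade: the last hunk now derives `cursor.last_timestamp` from `timestamp(e.updatedAt)` and the first hunk feeds `state.cursor.first_timestamp` into the `updatedAt.after` filter, but a cursor saved by the previous release holds the maximum `analyzedAt`. Whether that replays or skips findings on the first run after upgrading depends on how Wiz orders the two fields, which is not visible here; a comment on the `"cursor"` block such as `# last_timestamp is the max updatedAt (was analyzedAt before the filter switched); cursors from older releases are reused as-is` would at least record the decision. Separately, `useragent` in the added Header map is not defined anywhere in these hunks; if the input runtime does not supply it the program fails to compile at start-up, so a one-line comment above the header naming where the value comes from would help. The `program` block continues past the last hunk.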
@@ -115,6 +115,17 @@ processors: tag: set_event_created copy_from: wiz.cloud_configuration_finding.analyzed_at ignore_empty_value: true + - date: + field: json.updatedAt + target_field: wiz.cloud_configuration_finding.updated_at + tag: date_set_updatedat + formats: + - ISO8601 + if: ctx.json?.updatedAt != null && ctx.json.updatedAt != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - rename: field: json.id tag: rename_id diff --git a/packages/wiz/data_stream/cloud_configuration_finding/fields/fields.yml b/packages/wiz/data_stream/cloud_configuration_finding/fields/fields.yml index eea63ef4778..c150922fe82 100644 --- a/packages/wiz/data_stream/cloud_configuration_finding/fields/fields.yml +++ b/packages/wiz/data_stream/cloud_configuration_finding/fields/fields.yml @@ -3,6 +3,8 @@ fields: - name: analyzed_at type: date + - name: updated_at + type: date - name: resource type: group fields: diff --git a/packages/wiz/data_stream/cloud_configuration_finding/manifest.yml b/packages/wiz/data_stream/cloud_configuration_finding/manifest.yml index 3f2f2a9da43..a9da25ac092 100644 --- a/packages/wiz/data_stream/cloud_configuration_finding/manifest.yml +++ b/packages/wiz/data_stream/cloud_configuration_finding/manifest.yml @@ -1,4 +1,4 @@ -title: Collet Cloud Configuration Finding logs from Wiz. +title: Collect Cloud Configuration Finding logs from Wiz. type: logs streams: - input: cel @@ -18,7 +18,7 @@ streams: - name: interval type: text title: Interval - description: Duration between requests to the Wiz API. Supported units for this parameter are h/m/s. + description: Duration between requests to the Wiz API. Must be 5m or longer. Supported units for this parameter are h/m/s. default: 5m multi: false required: true 
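Review bot: The added `date` processor copies `json.updatedAt` into `wiz.cloud_configuration_finding.updated_at` but leaves the source field in place, unlike the `rename` processor for `json.id` that follows it; if the pipeline's later cleanup of the `json` object lies outside this hunk that is fine, otherwise `json.updatedAt` survives into the indexed document. In either case a `description:` on the processor saying that `updated_at` is the timestamp the CEL input now filters and paginates on would help the next reader, since nothing in the pipeline explains why it is mapped in addition to `analyzed_at`. The `processors` list starts and ends outside the hunk.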
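Review bot: The `interval` description now states `Must be 5m or longer`, but nothing in the hunk enforces it or says what goes wrong below that value, so a user who enters `1m` gets no feedback. If the floor exists to stay within the Wiz API's request budget (the same commit introduces a `resource_rate_limit_limit` default of `0.5` requests per second), saying so, e.g. `Must be 5m or longer so that polling stays within the Wiz API rate limit.`, makes the constraint understandable; if the package format allows validating the value, that would be the stronger fix.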
@@ -39,6 +39,22 @@ streams: required: true show_user: false default: 30s + - name: resource_rate_limit_limit + type: text + title: Resource Rate Limit + description: The maximum request rate for the HTTP client, in requests per second. + multi: false + required: false + show_user: false + default: "0.5" + - name: resource_retry_max_attempts + type: text + title: Resource Retry Max Attempts + description: Maximum number of retries for the HTTP client. + multi: false + required: false + show_user: false + default: "10" - name: max_executions type: integer title: Maximum Pages Per Interval diff --git a/packages/wiz/data_stream/cloud_configuration_finding/sample_event.json b/packages/wiz/data_stream/cloud_configuration_finding/sample_event.json index e928c9e134d..ad8f6a104a5 100644 --- a/packages/wiz/data_stream/cloud_configuration_finding/sample_event.json +++ b/packages/wiz/data_stream/cloud_configuration_finding/sample_event.json 
@@ -40,7 +40,7 @@ "id": "1243196d-a365-589a-a8aa-13817c9877b2", "ingested": "2025-04-22T09:54:52Z", "kind": "state", - "original": "{\"analyzedAt\":\"2024-08-07T12:55:52.012378Z\",\"id\":\"1243196d-a365-589a-a8aa-13817c9877b2\",\"remediation\":null,\"resource\":{\"cloudPlatform\":\"EKS\",\"id\":\"f0f4163d-cbd7-517c-ba9e-f96bb90ab5ea\",\"name\":\"Root user\",\"nativeType\":\"rootUser\",\"providerId\":\"arn:aws:iam::998231069301:root\",\"region\":null,\"subscription\":{\"cloudProvider\":\"AWS\",\"externalId\":\"998231069301\",\"id\":\"94e76baa-85fd-5928-b829-1669a2ca9660\",\"name\":\"wiz-integrations\"},\"tags\":[],\"type\":\"USER_ACCOUNT\"},\"result\":\"PASS\",\"rule\":{\"description\":\"This rule checks if the AWS Root Account has access keys. \\nThis rule fails if `AccountAccessKeysPresent` is not set to `0`. Note that it does not take into consideration the status of the keys if present. \\nThe root account should avoid using access keys. Since the root account has full permissions across the entire account, creating access keys for it increases the chance that they will be compromised. Instead, it is recommended to create IAM users with predefined roles.\\n\\u003e**Note** \\nSee Cloud Configuration Rule `IAM-207` to see if the Root account's access keys are active.\",\"id\":\"563ed717-4fb6-47fd-929e-9c794e201d0a\",\"name\":\"Root account access keys should not exist\",\"remediationInstructions\":\"Perform the following steps, while being signed in as the Root user, in order to delete the root user's access keys via AWS CLI: \\n1. Use the following command to list the Root user's access keys. \\nCopy the `AccessKeyId` from the output and paste it into the `access-key-id` value in the next step. \\n```\\naws iam list-access-keys\\n```\\n2. Use the following command to delete the access key(s). 
\\n```\\naws iam delete-access-key /\\n --access-key-id \\u003cvalue\\u003e\\n```\\n\\u003e**Note** \\nOnce an access key is removed, any application using it will not work until a new one is configured for it.\",\"shortId\":\"IAM-006\"},\"severity\":\"MEDIUM\"}", + "original": "{\"analyzedAt\":\"2024-08-07T12:55:52.012378Z\",\"updatedAt\":\"2024-08-07T12:55:52.012378Z\",\"id\":\"1243196d-a365-589a-a8aa-13817c9877b2\",\"remediation\":null,\"resource\":{\"cloudPlatform\":\"EKS\",\"id\":\"f0f4163d-cbd7-517c-ba9e-f96bb90ab5ea\",\"name\":\"Root user\",\"nativeType\":\"rootUser\",\"providerId\":\"arn:aws:iam::998231069301:root\",\"region\":null,\"subscription\":{\"cloudProvider\":\"AWS\",\"externalId\":\"998231069301\",\"id\":\"94e76baa-85fd-5928-b829-1669a2ca9660\",\"name\":\"wiz-integrations\"},\"tags\":[],\"type\":\"USER_ACCOUNT\"},\"result\":\"PASS\",\"rule\":{\"description\":\"This rule checks if the AWS Root Account has access keys. \\nThis rule fails if `AccountAccessKeysPresent` is not set to `0`. Note that it does not take into consideration the status of the keys if present. \\nThe root account should avoid using access keys. Since the root account has full permissions across the entire account, creating access keys for it increases the chance that they will be compromised. Instead, it is recommended to create IAM users with predefined roles.\\n\\u003e**Note** \\nSee Cloud Configuration Rule `IAM-207` to see if the Root account's access keys are active.\",\"id\":\"563ed717-4fb6-47fd-929e-9c794e201d0a\",\"name\":\"Root account access keys should not exist\",\"remediationInstructions\":\"Perform the following steps, while being signed in as the Root user, in order to delete the root user's access keys via AWS CLI: \\n1. Use the following command to list the Root user's access keys. \\nCopy the `AccessKeyId` from the output and paste it into the `access-key-id` value in the next step. \\n```\\naws iam list-access-keys\\n```\\n2. 
Use the following command to delete the access key(s). \\n```\\naws iam delete-access-key /\\n --access-key-id \\u003cvalue\\u003e\\n```\\n\\u003e**Note** \\nOnce an access key is removed, any application using it will not work until a new one is configured for it.\",\"shortId\":\"IAM-006\"},\"severity\":\"MEDIUM\"}", "outcome": "success", "type": [ "info" @@ -83,6 +83,7 @@ "wiz": { "cloud_configuration_finding": { "analyzed_at": "2024-08-07T12:55:52.012Z", + "updated_at": "2024-08-07T12:55:52.012Z", "id": "1243196d-a365-589a-a8aa-13817c9877b2", "resource": { "cloud_platform": "EKS", diff --git a/packages/wiz/data_stream/cloud_configuration_finding_full_posture/_dev/test/pipeline/test-cloud-configuration-finding-full-posture.log b/packages/wiz/data_stream/cloud_configuration_finding_full_posture/_dev/test/pipeline/test-cloud-configuration-finding-full-posture.log index 28c8516df89..4271fd05649 100644 --- a/packages/wiz/data_stream/cloud_configuration_finding_full_posture/_dev/test/pipeline/test-cloud-configuration-finding-full-posture.log +++ b/packages/wiz/data_stream/cloud_configuration_finding_full_posture/_dev/test/pipeline/test-cloud-configuration-finding-full-posture.log 
@@ -1,7 +1,7 @@ -{"id":"bdeba988-f41b-55e6-9b99-96b8d3dc67d4","targetExternalId":"k8s/pod/da99fd668e64c2def251b1d48b7b69ad3129638787a0f9144a993fe30fd4554f/default/cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx","targetObjectProviderUniqueId":"cd971d74-92db-495c-8244-82da9a988fd0","firstSeenAt":"2023-06-12T11:38:07.900129Z","analyzedAt":"2023-06-12T11:38:07.900129Z","severity":"LOW","result":"FAIL","status":"OPEN","remediation":"Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \r\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . \r\n* `securityContext.capabilities.drop` key is set to `ALL`. \r\n","resource":{"id":"0e814bb7-29e8-5c15-be9c-8da42c67ee99","providerId":"provider-id-0e814bb7-29e8-5c15-be9c-8da42c67ee99","name":"cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx","nativeType":"Pod","type":"POD","region":null,"subscription":{"id":"a3a3cc43-1dfd-50f1-882e-692840d4a891","name":"Wiz - DEV Outpost","externalId":"cfd132be-3bc7-4f86-8efd-ed53ae498fec","cloudProvider":"Azure"},"projects":null,"tags":[{"key":"pod-template-hash","value":"8bc677d64"},{"key":"app.kubernetes.io/name","value":"azure-cluster-autoscaler"},{"key":"app.kubernetes.io/instance","value":"cluster-autoscaler"}]},"rule":{"id":"73553de7-f2ad-4ffb-b425-c69815033530","shortId":"Pod-32","graphId":"99ffeef7-75df-5c88-9265-5ab50ffbc2b9","name":"Pod should run containers with authorized additional capabilities (PSS Restricted)","description":"This rule is part of the Kubernetes [Pod Security Standards (PSS) restricted policies](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). \nThis rule checks whether the pod is running containers with authorized additional capabilities. 
\nThis rule fails if the `securityContext.capabilities.add` contains any capability beyond `NET_BIND_SERVICE` and if `securityContext.capabilities.drop` is not set to `ALL`. \nBy default, if the `securityContext.capabilities.add` key is not set, the pod will not run with additional capabilities, and the rule will pass. \nLinux capabilities allow granting certain privileges to a container without granting any unnecessary ones intended for the root user.","remediationInstructions":"Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \r\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . \r\n* `securityContext.capabilities.drop` key is set to `ALL`. \r\n","functionAsControl":false},"securitySubCategories":[{"id":"wsct-id-5206","title":"Container Security","category":{"id":"wct-id-423","name":"9 Container Security","framework":{"id":"wf-id-1","name":"Wiz"}}},{"id":"wsct-id-8176","title":"5.1 Containers should not run with additional capabilities","category":{"id":"wct-id-1295","name":"5 Capabilities","framework":{"id":"wf-id-57","name":"Kubernetes Pod Security Standards (Restricted)"}}},{"id":"wsct-id-8344","title":"Cluster misconfiguration","category":{"id":"wct-id-1169","name":"2 Container & Kubernetes Security","framework":{"id":"wf-id-53","name":"Wiz Detailed"}}}]} -{"analyzedAt":"2024-08-07T12:55:52.012378Z","id":"1243196d-a365-589a-a8aa-13817c9877b2","remediation":null,"resource":{"id":"f0f4163d-cbd7-517c-ba9e-f96bb90ab5ea","name":"Root user","nativeType":"rootUser","providerId":"arn:aws:iam::998231069301:root","region":null,"cloudPlatform":"EKS","subscription":{"cloudProvider":"AWS","externalId":"998231069301","id":"94e76baa-85fd-5928-b829-1669a2ca9660","name":"wiz-integrations"},"tags":[],"type":"USER_ACCOUNT"},"result":"PASS","rule":{"description":"This rule checks if the AWS Root Account has access keys. 
\nThis rule fails if `AccountAccessKeysPresent` is not set to `0`. Note that it does not take into consideration the status of the keys if present. \nThe root account should avoid using access keys. Since the root account has full permissions across the entire account, creating access keys for it increases the chance that they will be compromised. Instead, it is recommended to create IAM users with predefined roles.\n>**Note** \nSee Cloud Configuration Rule `IAM-207` to see if the Root account's access keys are active.","id":"563ed717-4fb6-47fd-929e-9c794e201d0a","name":"Root account access keys should not exist","remediationInstructions":"Perform the following steps, while being signed in as the Root user, in order to delete the root user's access keys via AWS CLI: \n1. Use the following command to list the Root user's access keys. \nCopy the `AccessKeyId` from the output and paste it into the `access-key-id` value in the next step. \n```\naws iam list-access-keys\n```\n2. Use the following command to delete the access key(s). \n```\naws iam delete-access-key /\n --access-key-id \n```\n>**Note** \nOnce an access key is removed, any application using it will not work until a new one is configured for it.","shortId":"IAM-006"},"severity":"MEDIUM"} -{"analyzedAt":"2024-08-15T11:41:17.517926Z","id":"6fe49e83-2f3a-5b62-99de-beae16c7bfae","remediation":null,"resource":{"id":"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f","name":"annam-vm","nativeType":"Microsoft.Compute/virtualMachines","providerId":"80045425-a0a9-4457-82c2-2c5f47419d83","region":"eastus","subscription":{"cloudProvider":"Azure","externalId":"434f3cbb-30f2-4bc0-8bba-cb080280652b","id":"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db","name":"partner integrations"},"tags":[],"type":"VIRTUAL_MACHINE"},"result":"PASS","rule":{"description":"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. 
\nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. \nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.","id":"56c8890d-ad68-4659-9414-fb0ed7258c31","name":"Virtual Machine should not be stopped (allocated) for more than a week","remediationInstructions":"Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```","shortId":"VirtualMachines-021"},"severity":"LOW","evidence":{"cloudConfigurationLink":"https://learn.microsoft.com/en-us/azure/virtual-machines/states-billing","configurationPath":null,"currentValue":"The VM is stopped(allocated) since 2024-08-15","expectedValue":"The VM should be used or deallocated"}} -{"analyzedAt":"2024-08-15T11:41:17.517926Z","id":"6fe49e83-2f3a-5b62-99de-beae16c7bfae","remediation":null,"resource":{"id":"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f","name":"annam-VM","nativeType":"Microsoft.Compute/virtualMachines","providerId":"80045425-a0a9-4457-82c2-2c5f47419d83","region":"eastus","subscription":{"cloudProvider":"Azure","externalId":"434f3cbb-30f2-4bc0-8bba-cb080280652b","id":"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db","name":"partner integrations"},"tags":[],"type":"VIRTUAL_MACHINE"},"result":"IN_PROGRESS","rule":{"description":"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. 
\nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. \nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.","id":"56c8890d-ad68-4659-9414-fb0ed7258c31","name":"Virtual Machine should not be stopped (allocated) for more than a week","remediationInstructions":"Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```","shortId":"VirtualMachines-021"},"severity":"LOW"} -{"analyzedAt":"2024-08-15T11:41:17.517926Z","id":"6fe49e83-2f3a-5b62-99de-beae16c7bfae","remediation":null,"resource":{"id":"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f","name":"annam-VM","nativeType":"Microsoft.Compute/virtualMachines","providerId":"80045425-a0a9-4457-82c2-2c5f47419d83","region":"eastus","subscription":{"cloudProvider":"Azure","externalId":"434f3cbb-30f2-4bc0-8bba-cb080280652b","id":"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db","name":"partner integrations"},"tags":[],"type":"VIRTUAL_MACHINE"},"result":"IN_PROGRESS","rule":{"description":"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). 
This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. \nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.","id":"56c8890d-ad68-4659-9414-fb0ed7258c31","name":"Virtual Machine should not be stopped (allocated) for more than a week","remediationInstructions":"Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```","shortId":"VirtualMachines-021"},"severity":"LOW"} -{"analyzedAt":"2024-08-15T11:41:17.517926Z","id":"6fe49e83-2f3a-5b62-99de-beae16c7bfae-empty-provider-id","remediation":null,"resource":{"id":"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f","name":"annam-VM","nativeType":"Microsoft.Compute/virtualMachines","providerId":"","region":"eastus","subscription":{"cloudProvider":"Azure","externalId":"434f3cbb-30f2-4bc0-8bba-cb080280652b","id":"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db","name":"partner integrations"},"tags":[],"type":"VIRTUAL_MACHINE"},"result":"IN_PROGRESS","rule":{"description":"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. 
The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. \nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.","id":"56c8890d-ad68-4659-9414-fb0ed7258c31","name":"Virtual Machine should not be stopped (allocated) for more than a week","remediationInstructions":"Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```","shortId":"VirtualMachines-021"},"severity":"LOW"} -{"analyzedAt":"2024-08-15T11:41:17.517926Z","id":"6fe49e83-2f3a-5b62-99de-beae16c7bfae-missing-provider-id","remediation":null,"resource":{"id":"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f","name":"annam-VM","nativeType":"Microsoft.Compute/virtualMachines","region":"eastus","subscription":{"cloudProvider":"Azure","externalId":"434f3cbb-30f2-4bc0-8bba-cb080280652b","id":"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db","name":"partner integrations"},"tags":[],"type":"VIRTUAL_MACHINE"},"result":"IN_PROGRESS","rule":{"description":"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. 
\nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.","id":"56c8890d-ad68-4659-9414-fb0ed7258c31","name":"Virtual Machine should not be stopped (allocated) for more than a week","remediationInstructions":"Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```","shortId":"VirtualMachines-021"},"severity":"LOW"} \ No newline at end of file +{"id":"bdeba988-f41b-55e6-9b99-96b8d3dc67d4","targetExternalId":"k8s/pod/da99fd668e64c2def251b1d48b7b69ad3129638787a0f9144a993fe30fd4554f/default/cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx","targetObjectProviderUniqueId":"cd971d74-92db-495c-8244-82da9a988fd0","firstSeenAt":"2023-06-12T11:38:07.900129Z","analyzedAt":"2023-06-12T11:38:07.900129Z","updatedAt":"2023-06-12T11:38:07.900129Z","severity":"LOW","result":"FAIL","status":"OPEN","remediation":"Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \r\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . \r\n* `securityContext.capabilities.drop` key is set to `ALL`. 
\r\n","resource":{"id":"0e814bb7-29e8-5c15-be9c-8da42c67ee99","providerId":"provider-id-0e814bb7-29e8-5c15-be9c-8da42c67ee99","name":"cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx","nativeType":"Pod","type":"POD","region":null,"subscription":{"id":"a3a3cc43-1dfd-50f1-882e-692840d4a891","name":"Wiz - DEV Outpost","externalId":"cfd132be-3bc7-4f86-8efd-ed53ae498fec","cloudProvider":"Azure"},"projects":null,"tags":[{"key":"pod-template-hash","value":"8bc677d64"},{"key":"app.kubernetes.io/name","value":"azure-cluster-autoscaler"},{"key":"app.kubernetes.io/instance","value":"cluster-autoscaler"}]},"rule":{"id":"73553de7-f2ad-4ffb-b425-c69815033530","shortId":"Pod-32","graphId":"99ffeef7-75df-5c88-9265-5ab50ffbc2b9","name":"Pod should run containers with authorized additional capabilities (PSS Restricted)","description":"This rule is part of the Kubernetes [Pod Security Standards (PSS) restricted policies](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). \nThis rule checks whether the pod is running containers with authorized additional capabilities. \nThis rule fails if the `securityContext.capabilities.add` contains any capability beyond `NET_BIND_SERVICE` and if `securityContext.capabilities.drop` is not set to `ALL`. \nBy default, if the `securityContext.capabilities.add` key is not set, the pod will not run with additional capabilities, and the rule will pass. \nLinux capabilities allow granting certain privileges to a container without granting any unnecessary ones intended for the root user.","remediationInstructions":"Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \r\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . \r\n* `securityContext.capabilities.drop` key is set to `ALL`. 
\r\n","functionAsControl":false},"securitySubCategories":[{"id":"wsct-id-5206","title":"Container Security","category":{"id":"wct-id-423","name":"9 Container Security","framework":{"id":"wf-id-1","name":"Wiz"}}},{"id":"wsct-id-8176","title":"5.1 Containers should not run with additional capabilities","category":{"id":"wct-id-1295","name":"5 Capabilities","framework":{"id":"wf-id-57","name":"Kubernetes Pod Security Standards (Restricted)"}}},{"id":"wsct-id-8344","title":"Cluster misconfiguration","category":{"id":"wct-id-1169","name":"2 Container & Kubernetes Security","framework":{"id":"wf-id-53","name":"Wiz Detailed"}}}]} +{"analyzedAt":"2024-08-07T12:55:52.012378Z","updatedAt":"2024-08-07T12:55:52.012378Z","id":"1243196d-a365-589a-a8aa-13817c9877b2","remediation":null,"resource":{"id":"f0f4163d-cbd7-517c-ba9e-f96bb90ab5ea","name":"Root user","nativeType":"rootUser","providerId":"arn:aws:iam::998231069301:root","region":null,"cloudPlatform":"EKS","subscription":{"cloudProvider":"AWS","externalId":"998231069301","id":"94e76baa-85fd-5928-b829-1669a2ca9660","name":"wiz-integrations"},"tags":[],"type":"USER_ACCOUNT"},"result":"PASS","rule":{"description":"This rule checks if the AWS Root Account has access keys. \nThis rule fails if `AccountAccessKeysPresent` is not set to `0`. Note that it does not take into consideration the status of the keys if present. \nThe root account should avoid using access keys. Since the root account has full permissions across the entire account, creating access keys for it increases the chance that they will be compromised. 
Instead, it is recommended to create IAM users with predefined roles.\n>**Note** \nSee Cloud Configuration Rule `IAM-207` to see if the Root account's access keys are active.","id":"563ed717-4fb6-47fd-929e-9c794e201d0a","name":"Root account access keys should not exist","remediationInstructions":"Perform the following steps, while being signed in as the Root user, in order to delete the root user's access keys via AWS CLI: \n1. Use the following command to list the Root user's access keys. \nCopy the `AccessKeyId` from the output and paste it into the `access-key-id` value in the next step. \n```\naws iam list-access-keys\n```\n2. Use the following command to delete the access key(s). \n```\naws iam delete-access-key /\n --access-key-id \n```\n>**Note** \nOnce an access key is removed, any application using it will not work until a new one is configured for it.","shortId":"IAM-006"},"severity":"MEDIUM"} +{"analyzedAt":"2024-08-15T11:41:17.517926Z","updatedAt":"2024-08-15T11:41:17.517926Z","id":"6fe49e83-2f3a-5b62-99de-beae16c7bfae","remediation":null,"resource":{"id":"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f","name":"annam-vm","nativeType":"Microsoft.Compute/virtualMachines","providerId":"80045425-a0a9-4457-82c2-2c5f47419d83","region":"eastus","subscription":{"cloudProvider":"Azure","externalId":"434f3cbb-30f2-4bc0-8bba-cb080280652b","id":"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db","name":"partner integrations"},"tags":[],"type":"VIRTUAL_MACHINE"},"result":"PASS","rule":{"description":"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). 
If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. \nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.","id":"56c8890d-ad68-4659-9414-fb0ed7258c31","name":"Virtual Machine should not be stopped (allocated) for more than a week","remediationInstructions":"Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```","shortId":"VirtualMachines-021"},"severity":"LOW","evidence":{"cloudConfigurationLink":"https://learn.microsoft.com/en-us/azure/virtual-machines/states-billing","configurationPath":null,"currentValue":"The VM is stopped(allocated) since 2024-08-15","expectedValue":"The VM should be used or deallocated"}} +{"analyzedAt":"2024-08-15T11:41:17.517926Z","updatedAt":"2024-08-15T11:41:17.517926Z","id":"6fe49e83-2f3a-5b62-99de-beae16c7bfae","remediation":null,"resource":{"id":"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f","name":"annam-VM","nativeType":"Microsoft.Compute/virtualMachines","providerId":"80045425-a0a9-4457-82c2-2c5f47419d83","region":"eastus","subscription":{"cloudProvider":"Azure","externalId":"434f3cbb-30f2-4bc0-8bba-cb080280652b","id":"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db","name":"partner integrations"},"tags":[],"type":"VIRTUAL_MACHINE"},"result":"IN_PROGRESS","rule":{"description":"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). 
If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. \nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.","id":"56c8890d-ad68-4659-9414-fb0ed7258c31","name":"Virtual Machine should not be stopped (allocated) for more than a week","remediationInstructions":"Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```","shortId":"VirtualMachines-021"},"severity":"LOW"} +{"analyzedAt":"2024-08-15T11:41:17.517926Z","updatedAt":"2024-08-15T11:41:17.517926Z","id":"6fe49e83-2f3a-5b62-99de-beae16c7bfae","remediation":null,"resource":{"id":"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f","name":"annam-VM","nativeType":"Microsoft.Compute/virtualMachines","providerId":"80045425-a0a9-4457-82c2-2c5f47419d83","region":"eastus","subscription":{"cloudProvider":"Azure","externalId":"434f3cbb-30f2-4bc0-8bba-cb080280652b","id":"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db","name":"partner integrations"},"tags":[],"type":"VIRTUAL_MACHINE"},"result":"IN_PROGRESS","rule":{"description":"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. 
\nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.","id":"56c8890d-ad68-4659-9414-fb0ed7258c31","name":"Virtual Machine should not be stopped (allocated) for more than a week","remediationInstructions":"Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```","shortId":"VirtualMachines-021"},"severity":"LOW"} +{"analyzedAt":"2024-08-15T11:41:17.517926Z","updatedAt":"2024-08-15T11:41:17.517926Z","id":"6fe49e83-2f3a-5b62-99de-beae16c7bfae-empty-provider-id","remediation":null,"resource":{"id":"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f","name":"annam-VM","nativeType":"Microsoft.Compute/virtualMachines","providerId":"","region":"eastus","subscription":{"cloudProvider":"Azure","externalId":"434f3cbb-30f2-4bc0-8bba-cb080280652b","id":"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db","name":"partner integrations"},"tags":[],"type":"VIRTUAL_MACHINE"},"result":"IN_PROGRESS","rule":{"description":"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. 
\nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.","id":"56c8890d-ad68-4659-9414-fb0ed7258c31","name":"Virtual Machine should not be stopped (allocated) for more than a week","remediationInstructions":"Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```","shortId":"VirtualMachines-021"},"severity":"LOW"} +{"analyzedAt":"2024-08-15T11:41:17.517926Z","updatedAt":"2024-08-15T11:41:17.517926Z","id":"6fe49e83-2f3a-5b62-99de-beae16c7bfae-missing-provider-id","remediation":null,"resource":{"id":"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f","name":"annam-VM","nativeType":"Microsoft.Compute/virtualMachines","region":"eastus","subscription":{"cloudProvider":"Azure","externalId":"434f3cbb-30f2-4bc0-8bba-cb080280652b","id":"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db","name":"partner integrations"},"tags":[],"type":"VIRTUAL_MACHINE"},"result":"IN_PROGRESS","rule":{"description":"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. 
\nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.","id":"56c8890d-ad68-4659-9414-fb0ed7258c31","name":"Virtual Machine should not be stopped (allocated) for more than a week","remediationInstructions":"Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```","shortId":"VirtualMachines-021"},"severity":"LOW"} diff --git a/packages/wiz/data_stream/cloud_configuration_finding_full_posture/_dev/test/pipeline/test-cloud-configuration-finding-full-posture.log-expected.json b/packages/wiz/data_stream/cloud_configuration_finding_full_posture/_dev/test/pipeline/test-cloud-configuration-finding-full-posture.log-expected.json index 2933675bb84..957a3ef821f 100644 --- a/packages/wiz/data_stream/cloud_configuration_finding_full_posture/_dev/test/pipeline/test-cloud-configuration-finding-full-posture.log-expected.json +++ b/packages/wiz/data_stream/cloud_configuration_finding_full_posture/_dev/test/pipeline/test-cloud-configuration-finding-full-posture.log-expected.json @@ -1,6 +1,7 @@ { "expected": [ { + "@timestamp": "2026-05-22T13:03:10.863717174Z", "cloud": { "account": { "id": "cfd132be-3bc7-4f86-8efd-ed53ae498fec", 
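Review bot: The added `"@timestamp": "2026-05-22T13:03:10.863717174Z"` in this hunk (and the two more added in the hunks at `@@ -71,11 +72,13 @@` and `@@ -153,11 +156,13 @@`) looks like the wall-clock time at which the expected file was regenerated rather than a value derived from the sample event, whose own timestamps are `2023-06-12T11:38:07.900Z` and `2024-08-07T12:55:52.012Z`. If the pipeline now sets `@timestamp` from the ingest time, this expectation can only stay stable when `@timestamp` is declared under `dynamic_fields` in the data stream's pipeline test config, so please confirm that it is or the next regeneration will produce a spurious diff. It would also help a reader of the expected output to know that this field is intentionally non-deterministic; a short comment in the test config such as `# @timestamp is set at ingest time and is matched by pattern, not value` would make that explicit. The change to `event.original` and the new `updated_at` fields in the same sections otherwise mirror the sample data as expected.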
@@ -18,7 +19,7 @@ "created": "2023-06-12T11:38:07.900Z", "id": "bdeba988-f41b-55e6-9b99-96b8d3dc67d4", "kind": "state", - "original": "{\"id\":\"bdeba988-f41b-55e6-9b99-96b8d3dc67d4\",\"targetExternalId\":\"k8s/pod/da99fd668e64c2def251b1d48b7b69ad3129638787a0f9144a993fe30fd4554f/default/cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx\",\"targetObjectProviderUniqueId\":\"cd971d74-92db-495c-8244-82da9a988fd0\",\"firstSeenAt\":\"2023-06-12T11:38:07.900129Z\",\"analyzedAt\":\"2023-06-12T11:38:07.900129Z\",\"severity\":\"LOW\",\"result\":\"FAIL\",\"status\":\"OPEN\",\"remediation\":\"Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \\r\\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . \\r\\n* `securityContext.capabilities.drop` key is set to `ALL`. \\r\\n\",\"resource\":{\"id\":\"0e814bb7-29e8-5c15-be9c-8da42c67ee99\",\"providerId\":\"provider-id-0e814bb7-29e8-5c15-be9c-8da42c67ee99\",\"name\":\"cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx\",\"nativeType\":\"Pod\",\"type\":\"POD\",\"region\":null,\"subscription\":{\"id\":\"a3a3cc43-1dfd-50f1-882e-692840d4a891\",\"name\":\"Wiz - DEV Outpost\",\"externalId\":\"cfd132be-3bc7-4f86-8efd-ed53ae498fec\",\"cloudProvider\":\"Azure\"},\"projects\":null,\"tags\":[{\"key\":\"pod-template-hash\",\"value\":\"8bc677d64\"},{\"key\":\"app.kubernetes.io/name\",\"value\":\"azure-cluster-autoscaler\"},{\"key\":\"app.kubernetes.io/instance\",\"value\":\"cluster-autoscaler\"}]},\"rule\":{\"id\":\"73553de7-f2ad-4ffb-b425-c69815033530\",\"shortId\":\"Pod-32\",\"graphId\":\"99ffeef7-75df-5c88-9265-5ab50ffbc2b9\",\"name\":\"Pod should run containers with authorized additional capabilities (PSS Restricted)\",\"description\":\"This rule is part of the Kubernetes [Pod Security Standards (PSS) restricted 
policies](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). \\nThis rule checks whether the pod is running containers with authorized additional capabilities. \\nThis rule fails if the `securityContext.capabilities.add` contains any capability beyond `NET_BIND_SERVICE` and if `securityContext.capabilities.drop` is not set to `ALL`. \\nBy default, if the `securityContext.capabilities.add` key is not set, the pod will not run with additional capabilities, and the rule will pass. \\nLinux capabilities allow granting certain privileges to a container without granting any unnecessary ones intended for the root user.\",\"remediationInstructions\":\"Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \\r\\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . \\r\\n* `securityContext.capabilities.drop` key is set to `ALL`. \\r\\n\",\"functionAsControl\":false},\"securitySubCategories\":[{\"id\":\"wsct-id-5206\",\"title\":\"Container Security\",\"category\":{\"id\":\"wct-id-423\",\"name\":\"9 Container Security\",\"framework\":{\"id\":\"wf-id-1\",\"name\":\"Wiz\"}}},{\"id\":\"wsct-id-8176\",\"title\":\"5.1 Containers should not run with additional capabilities\",\"category\":{\"id\":\"wct-id-1295\",\"name\":\"5 Capabilities\",\"framework\":{\"id\":\"wf-id-57\",\"name\":\"Kubernetes Pod Security Standards (Restricted)\"}}},{\"id\":\"wsct-id-8344\",\"title\":\"Cluster misconfiguration\",\"category\":{\"id\":\"wct-id-1169\",\"name\":\"2 Container & Kubernetes Security\",\"framework\":{\"id\":\"wf-id-53\",\"name\":\"Wiz Detailed\"}}}]}", + "original": 
"{\"id\":\"bdeba988-f41b-55e6-9b99-96b8d3dc67d4\",\"targetExternalId\":\"k8s/pod/da99fd668e64c2def251b1d48b7b69ad3129638787a0f9144a993fe30fd4554f/default/cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx\",\"targetObjectProviderUniqueId\":\"cd971d74-92db-495c-8244-82da9a988fd0\",\"firstSeenAt\":\"2023-06-12T11:38:07.900129Z\",\"analyzedAt\":\"2023-06-12T11:38:07.900129Z\",\"updatedAt\":\"2023-06-12T11:38:07.900129Z\",\"severity\":\"LOW\",\"result\":\"FAIL\",\"status\":\"OPEN\",\"remediation\":\"Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \\r\\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . \\r\\n* `securityContext.capabilities.drop` key is set to `ALL`. \\r\\n\",\"resource\":{\"id\":\"0e814bb7-29e8-5c15-be9c-8da42c67ee99\",\"providerId\":\"provider-id-0e814bb7-29e8-5c15-be9c-8da42c67ee99\",\"name\":\"cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx\",\"nativeType\":\"Pod\",\"type\":\"POD\",\"region\":null,\"subscription\":{\"id\":\"a3a3cc43-1dfd-50f1-882e-692840d4a891\",\"name\":\"Wiz - DEV Outpost\",\"externalId\":\"cfd132be-3bc7-4f86-8efd-ed53ae498fec\",\"cloudProvider\":\"Azure\"},\"projects\":null,\"tags\":[{\"key\":\"pod-template-hash\",\"value\":\"8bc677d64\"},{\"key\":\"app.kubernetes.io/name\",\"value\":\"azure-cluster-autoscaler\"},{\"key\":\"app.kubernetes.io/instance\",\"value\":\"cluster-autoscaler\"}]},\"rule\":{\"id\":\"73553de7-f2ad-4ffb-b425-c69815033530\",\"shortId\":\"Pod-32\",\"graphId\":\"99ffeef7-75df-5c88-9265-5ab50ffbc2b9\",\"name\":\"Pod should run containers with authorized additional capabilities (PSS Restricted)\",\"description\":\"This rule is part of the Kubernetes [Pod Security Standards (PSS) restricted policies](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). 
\\nThis rule checks whether the pod is running containers with authorized additional capabilities. \\nThis rule fails if the `securityContext.capabilities.add` contains any capability beyond `NET_BIND_SERVICE` and if `securityContext.capabilities.drop` is not set to `ALL`. \\nBy default, if the `securityContext.capabilities.add` key is not set, the pod will not run with additional capabilities, and the rule will pass. \\nLinux capabilities allow granting certain privileges to a container without granting any unnecessary ones intended for the root user.\",\"remediationInstructions\":\"Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \\r\\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . \\r\\n* `securityContext.capabilities.drop` key is set to `ALL`. \\r\\n\",\"functionAsControl\":false},\"securitySubCategories\":[{\"id\":\"wsct-id-5206\",\"title\":\"Container Security\",\"category\":{\"id\":\"wct-id-423\",\"name\":\"9 Container Security\",\"framework\":{\"id\":\"wf-id-1\",\"name\":\"Wiz\"}}},{\"id\":\"wsct-id-8176\",\"title\":\"5.1 Containers should not run with additional capabilities\",\"category\":{\"id\":\"wct-id-1295\",\"name\":\"5 Capabilities\",\"framework\":{\"id\":\"wf-id-57\",\"name\":\"Kubernetes Pod Security Standards (Restricted)\"}}},{\"id\":\"wsct-id-8344\",\"title\":\"Cluster misconfiguration\",\"category\":{\"id\":\"wct-id-1169\",\"name\":\"2 Container & Kubernetes Security\",\"framework\":{\"id\":\"wf-id-53\",\"name\":\"Wiz Detailed\"}}}]}", "outcome": "failure", "type": [ "info" 
@@ -71,11 +72,13 @@ "remediation_instructions": "Follow the step below to ensure that each [Pod](https://kubernetes.io/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \r\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . \r\n* `securityContext.capabilities.drop` key is set to `ALL`. \r\n", "short_id": "Pod-32" }, - "status": "OPEN" + "status": "OPEN", + "updated_at": "2023-06-12T11:38:07.900Z" } } }, { + "@timestamp": "2026-05-22T13:03:10.863733312Z", "cloud": { "account": { "id": "998231069301", 
@@ -96,7 +99,7 @@ "created": "2024-08-07T12:55:52.012Z", "id": "1243196d-a365-589a-a8aa-13817c9877b2", "kind": "state", - "original": "{\"analyzedAt\":\"2024-08-07T12:55:52.012378Z\",\"id\":\"1243196d-a365-589a-a8aa-13817c9877b2\",\"remediation\":null,\"resource\":{\"id\":\"f0f4163d-cbd7-517c-ba9e-f96bb90ab5ea\",\"name\":\"Root user\",\"nativeType\":\"rootUser\",\"providerId\":\"arn:aws:iam::998231069301:root\",\"region\":null,\"cloudPlatform\":\"EKS\",\"subscription\":{\"cloudProvider\":\"AWS\",\"externalId\":\"998231069301\",\"id\":\"94e76baa-85fd-5928-b829-1669a2ca9660\",\"name\":\"wiz-integrations\"},\"tags\":[],\"type\":\"USER_ACCOUNT\"},\"result\":\"PASS\",\"rule\":{\"description\":\"This rule checks if the AWS Root Account has access keys. \\nThis rule fails if `AccountAccessKeysPresent` is not set to `0`. Note that it does not take into consideration the status of the keys if present. \\nThe root account should avoid using access keys. Since the root account has full permissions across the entire account, creating access keys for it increases the chance that they will be compromised. Instead, it is recommended to create IAM users with predefined roles.\\n>**Note** \\nSee Cloud Configuration Rule `IAM-207` to see if the Root account's access keys are active.\",\"id\":\"563ed717-4fb6-47fd-929e-9c794e201d0a\",\"name\":\"Root account access keys should not exist\",\"remediationInstructions\":\"Perform the following steps, while being signed in as the Root user, in order to delete the root user's access keys via AWS CLI: \\n1. Use the following command to list the Root user's access keys. \\nCopy the `AccessKeyId` from the output and paste it into the `access-key-id` value in the next step. \\n```\\naws iam list-access-keys\\n```\\n2. Use the following command to delete the access key(s). 
\\n```\\naws iam delete-access-key /\\n --access-key-id \\n```\\n>**Note** \\nOnce an access key is removed, any application using it will not work until a new one is configured for it.\",\"shortId\":\"IAM-006\"},\"severity\":\"MEDIUM\"}", + "original": "{\"analyzedAt\":\"2024-08-07T12:55:52.012378Z\",\"updatedAt\":\"2024-08-07T12:55:52.012378Z\",\"id\":\"1243196d-a365-589a-a8aa-13817c9877b2\",\"remediation\":null,\"resource\":{\"id\":\"f0f4163d-cbd7-517c-ba9e-f96bb90ab5ea\",\"name\":\"Root user\",\"nativeType\":\"rootUser\",\"providerId\":\"arn:aws:iam::998231069301:root\",\"region\":null,\"cloudPlatform\":\"EKS\",\"subscription\":{\"cloudProvider\":\"AWS\",\"externalId\":\"998231069301\",\"id\":\"94e76baa-85fd-5928-b829-1669a2ca9660\",\"name\":\"wiz-integrations\"},\"tags\":[],\"type\":\"USER_ACCOUNT\"},\"result\":\"PASS\",\"rule\":{\"description\":\"This rule checks if the AWS Root Account has access keys. \\nThis rule fails if `AccountAccessKeysPresent` is not set to `0`. Note that it does not take into consideration the status of the keys if present. \\nThe root account should avoid using access keys. Since the root account has full permissions across the entire account, creating access keys for it increases the chance that they will be compromised. Instead, it is recommended to create IAM users with predefined roles.\\n>**Note** \\nSee Cloud Configuration Rule `IAM-207` to see if the Root account's access keys are active.\",\"id\":\"563ed717-4fb6-47fd-929e-9c794e201d0a\",\"name\":\"Root account access keys should not exist\",\"remediationInstructions\":\"Perform the following steps, while being signed in as the Root user, in order to delete the root user's access keys via AWS CLI: \\n1. Use the following command to list the Root user's access keys. \\nCopy the `AccessKeyId` from the output and paste it into the `access-key-id` value in the next step. \\n```\\naws iam list-access-keys\\n```\\n2. Use the following command to delete the access key(s). 
\\n```\\naws iam delete-access-key /\\n --access-key-id \\n```\\n>**Note** \\nOnce an access key is removed, any application using it will not work until a new one is configured for it.\",\"shortId\":\"IAM-006\"},\"severity\":\"MEDIUM\"}", "outcome": "success", "type": [ "info" @@ -153,11 +156,13 @@ "name": "Root account access keys should not exist", "remediation_instructions": "Perform the following steps, while being signed in as the Root user, in order to delete the root user's access keys via AWS CLI: \n1. Use the following command to list the Root user's access keys. \nCopy the `AccessKeyId` from the output and paste it into the `access-key-id` value in the next step. \n```\naws iam list-access-keys\n```\n2. Use the following command to delete the access key(s). \n```\naws iam delete-access-key /\n --access-key-id \n```\n>**Note** \nOnce an access key is removed, any application using it will not work until a new one is configured for it.", "short_id": "IAM-006" - } + }, + "updated_at": "2024-08-07T12:55:52.012Z" } } }, { + "@timestamp": "2026-05-22T13:03:10.863737107Z", "cloud": { "account": { "id": "434f3cbb-30f2-4bc0-8bba-cb080280652b", 
@@ -176,7 +181,7 @@ "created": "2024-08-15T11:41:17.517Z", "id": "6fe49e83-2f3a-5b62-99de-beae16c7bfae", "kind": "state", - "original": "{\"analyzedAt\":\"2024-08-15T11:41:17.517926Z\",\"id\":\"6fe49e83-2f3a-5b62-99de-beae16c7bfae\",\"remediation\":null,\"resource\":{\"id\":\"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f\",\"name\":\"annam-vm\",\"nativeType\":\"Microsoft.Compute/virtualMachines\",\"providerId\":\"80045425-a0a9-4457-82c2-2c5f47419d83\",\"region\":\"eastus\",\"subscription\":{\"cloudProvider\":\"Azure\",\"externalId\":\"434f3cbb-30f2-4bc0-8bba-cb080280652b\",\"id\":\"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db\",\"name\":\"partner integrations\"},\"tags\":[],\"type\":\"VIRTUAL_MACHINE\"},\"result\":\"PASS\",\"rule\":{\"description\":\"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \\nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \\nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. 
\\nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.\",\"id\":\"56c8890d-ad68-4659-9414-fb0ed7258c31\",\"name\":\"Virtual Machine should not be stopped (allocated) for more than a week\",\"remediationInstructions\":\"Perform the following command to deallocate the VM via Azure CLI:\\n```\\naz vm deallocate \\\\\\n\\t--ids {{vmId}}\\n```\",\"shortId\":\"VirtualMachines-021\"},\"severity\":\"LOW\",\"evidence\":{\"cloudConfigurationLink\":\"https://learn.microsoft.com/en-us/azure/virtual-machines/states-billing\",\"configurationPath\":null,\"currentValue\":\"The VM is stopped(allocated) since 2024-08-15\",\"expectedValue\":\"The VM should be used or deallocated\"}}", + "original": "{\"analyzedAt\":\"2024-08-15T11:41:17.517926Z\",\"updatedAt\":\"2024-08-15T11:41:17.517926Z\",\"id\":\"6fe49e83-2f3a-5b62-99de-beae16c7bfae\",\"remediation\":null,\"resource\":{\"id\":\"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f\",\"name\":\"annam-vm\",\"nativeType\":\"Microsoft.Compute/virtualMachines\",\"providerId\":\"80045425-a0a9-4457-82c2-2c5f47419d83\",\"region\":\"eastus\",\"subscription\":{\"cloudProvider\":\"Azure\",\"externalId\":\"434f3cbb-30f2-4bc0-8bba-cb080280652b\",\"id\":\"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db\",\"name\":\"partner integrations\"},\"tags\":[],\"type\":\"VIRTUAL_MACHINE\"},\"result\":\"PASS\",\"rule\":{\"description\":\"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \\nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \\nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). 
If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. \\nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.\",\"id\":\"56c8890d-ad68-4659-9414-fb0ed7258c31\",\"name\":\"Virtual Machine should not be stopped (allocated) for more than a week\",\"remediationInstructions\":\"Perform the following command to deallocate the VM via Azure CLI:\\n```\\naz vm deallocate \\\\\\n\\t--ids {{vmId}}\\n```\",\"shortId\":\"VirtualMachines-021\"},\"severity\":\"LOW\",\"evidence\":{\"cloudConfigurationLink\":\"https://learn.microsoft.com/en-us/azure/virtual-machines/states-billing\",\"configurationPath\":null,\"currentValue\":\"The VM is stopped(allocated) since 2024-08-15\",\"expectedValue\":\"The VM should be used or deallocated\"}}", "outcome": "success", "type": [ "info" @@ -243,11 +248,13 @@ "name": "Virtual Machine should not be stopped (allocated) for more than a week", "remediation_instructions": "Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```", "short_id": "VirtualMachines-021" - } + }, + "updated_at": "2024-08-15T11:41:17.517Z" } } }, { + "@timestamp": "2026-05-22T13:03:10.863740181Z", "cloud": { "account": { "id": "434f3cbb-30f2-4bc0-8bba-cb080280652b", 
@@ -266,7 +273,7 @@ "created": "2024-08-15T11:41:17.517Z", "id": "6fe49e83-2f3a-5b62-99de-beae16c7bfae", "kind": "state", - "original": "{\"analyzedAt\":\"2024-08-15T11:41:17.517926Z\",\"id\":\"6fe49e83-2f3a-5b62-99de-beae16c7bfae\",\"remediation\":null,\"resource\":{\"id\":\"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f\",\"name\":\"annam-VM\",\"nativeType\":\"Microsoft.Compute/virtualMachines\",\"providerId\":\"80045425-a0a9-4457-82c2-2c5f47419d83\",\"region\":\"eastus\",\"subscription\":{\"cloudProvider\":\"Azure\",\"externalId\":\"434f3cbb-30f2-4bc0-8bba-cb080280652b\",\"id\":\"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db\",\"name\":\"partner integrations\"},\"tags\":[],\"type\":\"VIRTUAL_MACHINE\"},\"result\":\"IN_PROGRESS\",\"rule\":{\"description\":\"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \\nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \\nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. 
\\nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.\",\"id\":\"56c8890d-ad68-4659-9414-fb0ed7258c31\",\"name\":\"Virtual Machine should not be stopped (allocated) for more than a week\",\"remediationInstructions\":\"Perform the following command to deallocate the VM via Azure CLI:\\n```\\naz vm deallocate \\\\\\n\\t--ids {{vmId}}\\n```\",\"shortId\":\"VirtualMachines-021\"},\"severity\":\"LOW\"}", + "original": "{\"analyzedAt\":\"2024-08-15T11:41:17.517926Z\",\"updatedAt\":\"2024-08-15T11:41:17.517926Z\",\"id\":\"6fe49e83-2f3a-5b62-99de-beae16c7bfae\",\"remediation\":null,\"resource\":{\"id\":\"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f\",\"name\":\"annam-VM\",\"nativeType\":\"Microsoft.Compute/virtualMachines\",\"providerId\":\"80045425-a0a9-4457-82c2-2c5f47419d83\",\"region\":\"eastus\",\"subscription\":{\"cloudProvider\":\"Azure\",\"externalId\":\"434f3cbb-30f2-4bc0-8bba-cb080280652b\",\"id\":\"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db\",\"name\":\"partner integrations\"},\"tags\":[],\"type\":\"VIRTUAL_MACHINE\"},\"result\":\"IN_PROGRESS\",\"rule\":{\"description\":\"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \\nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \\nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. 
\\nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.\",\"id\":\"56c8890d-ad68-4659-9414-fb0ed7258c31\",\"name\":\"Virtual Machine should not be stopped (allocated) for more than a week\",\"remediationInstructions\":\"Perform the following command to deallocate the VM via Azure CLI:\\n```\\naz vm deallocate \\\\\\n\\t--ids {{vmId}}\\n```\",\"shortId\":\"VirtualMachines-021\"},\"severity\":\"LOW\"}", "outcome": "unknown", "type": [ "info" @@ -322,11 +329,13 @@ "name": "Virtual Machine should not be stopped (allocated) for more than a week", "remediation_instructions": "Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```", "short_id": "VirtualMachines-021" - } + }, + "updated_at": "2024-08-15T11:41:17.517Z" } } }, { + "@timestamp": "2026-05-22T13:03:10.863743149Z", "cloud": { "account": { "id": "434f3cbb-30f2-4bc0-8bba-cb080280652b", 
@@ -345,7 +354,7 @@ "created": "2024-08-15T11:41:17.517Z", "id": "6fe49e83-2f3a-5b62-99de-beae16c7bfae", "kind": "state", - "original": "{\"analyzedAt\":\"2024-08-15T11:41:17.517926Z\",\"id\":\"6fe49e83-2f3a-5b62-99de-beae16c7bfae\",\"remediation\":null,\"resource\":{\"id\":\"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f\",\"name\":\"annam-VM\",\"nativeType\":\"Microsoft.Compute/virtualMachines\",\"providerId\":\"80045425-a0a9-4457-82c2-2c5f47419d83\",\"region\":\"eastus\",\"subscription\":{\"cloudProvider\":\"Azure\",\"externalId\":\"434f3cbb-30f2-4bc0-8bba-cb080280652b\",\"id\":\"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db\",\"name\":\"partner integrations\"},\"tags\":[],\"type\":\"VIRTUAL_MACHINE\"},\"result\":\"IN_PROGRESS\",\"rule\":{\"description\":\"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \\nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \\nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. 
\\nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.\",\"id\":\"56c8890d-ad68-4659-9414-fb0ed7258c31\",\"name\":\"Virtual Machine should not be stopped (allocated) for more than a week\",\"remediationInstructions\":\"Perform the following command to deallocate the VM via Azure CLI:\\n```\\naz vm deallocate \\\\\\n\\t--ids {{vmId}}\\n```\",\"shortId\":\"VirtualMachines-021\"},\"severity\":\"LOW\"}", + "original": "{\"analyzedAt\":\"2024-08-15T11:41:17.517926Z\",\"updatedAt\":\"2024-08-15T11:41:17.517926Z\",\"id\":\"6fe49e83-2f3a-5b62-99de-beae16c7bfae\",\"remediation\":null,\"resource\":{\"id\":\"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f\",\"name\":\"annam-VM\",\"nativeType\":\"Microsoft.Compute/virtualMachines\",\"providerId\":\"80045425-a0a9-4457-82c2-2c5f47419d83\",\"region\":\"eastus\",\"subscription\":{\"cloudProvider\":\"Azure\",\"externalId\":\"434f3cbb-30f2-4bc0-8bba-cb080280652b\",\"id\":\"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db\",\"name\":\"partner integrations\"},\"tags\":[],\"type\":\"VIRTUAL_MACHINE\"},\"result\":\"IN_PROGRESS\",\"rule\":{\"description\":\"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \\nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \\nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. 
\\nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.\",\"id\":\"56c8890d-ad68-4659-9414-fb0ed7258c31\",\"name\":\"Virtual Machine should not be stopped (allocated) for more than a week\",\"remediationInstructions\":\"Perform the following command to deallocate the VM via Azure CLI:\\n```\\naz vm deallocate \\\\\\n\\t--ids {{vmId}}\\n```\",\"shortId\":\"VirtualMachines-021\"},\"severity\":\"LOW\"}", "outcome": "unknown", "type": [ "info" @@ -401,11 +410,13 @@ "name": "Virtual Machine should not be stopped (allocated) for more than a week", "remediation_instructions": "Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```", "short_id": "VirtualMachines-021" - } + }, + "updated_at": "2024-08-15T11:41:17.517Z" } } }, { + "@timestamp": "2026-05-22T13:03:10.863746126Z", "cloud": { "account": { "id": "434f3cbb-30f2-4bc0-8bba-cb080280652b", 
@@ -424,7 +435,7 @@ "created": "2024-08-15T11:41:17.517Z", "id": "6fe49e83-2f3a-5b62-99de-beae16c7bfae-empty-provider-id", "kind": "state", - "original": "{\"analyzedAt\":\"2024-08-15T11:41:17.517926Z\",\"id\":\"6fe49e83-2f3a-5b62-99de-beae16c7bfae-empty-provider-id\",\"remediation\":null,\"resource\":{\"id\":\"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f\",\"name\":\"annam-VM\",\"nativeType\":\"Microsoft.Compute/virtualMachines\",\"providerId\":\"\",\"region\":\"eastus\",\"subscription\":{\"cloudProvider\":\"Azure\",\"externalId\":\"434f3cbb-30f2-4bc0-8bba-cb080280652b\",\"id\":\"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db\",\"name\":\"partner integrations\"},\"tags\":[],\"type\":\"VIRTUAL_MACHINE\"},\"result\":\"IN_PROGRESS\",\"rule\":{\"description\":\"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \\nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \\nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. 
\\nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.\",\"id\":\"56c8890d-ad68-4659-9414-fb0ed7258c31\",\"name\":\"Virtual Machine should not be stopped (allocated) for more than a week\",\"remediationInstructions\":\"Perform the following command to deallocate the VM via Azure CLI:\\n```\\naz vm deallocate \\\\\\n\\t--ids {{vmId}}\\n```\",\"shortId\":\"VirtualMachines-021\"},\"severity\":\"LOW\"}", + "original": "{\"analyzedAt\":\"2024-08-15T11:41:17.517926Z\",\"updatedAt\":\"2024-08-15T11:41:17.517926Z\",\"id\":\"6fe49e83-2f3a-5b62-99de-beae16c7bfae-empty-provider-id\",\"remediation\":null,\"resource\":{\"id\":\"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f\",\"name\":\"annam-VM\",\"nativeType\":\"Microsoft.Compute/virtualMachines\",\"providerId\":\"\",\"region\":\"eastus\",\"subscription\":{\"cloudProvider\":\"Azure\",\"externalId\":\"434f3cbb-30f2-4bc0-8bba-cb080280652b\",\"id\":\"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db\",\"name\":\"partner integrations\"},\"tags\":[],\"type\":\"VIRTUAL_MACHINE\"},\"result\":\"IN_PROGRESS\",\"rule\":{\"description\":\"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \\nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \\nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. 
\\nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.\",\"id\":\"56c8890d-ad68-4659-9414-fb0ed7258c31\",\"name\":\"Virtual Machine should not be stopped (allocated) for more than a week\",\"remediationInstructions\":\"Perform the following command to deallocate the VM via Azure CLI:\\n```\\naz vm deallocate \\\\\\n\\t--ids {{vmId}}\\n```\",\"shortId\":\"VirtualMachines-021\"},\"severity\":\"LOW\"}", "outcome": "unknown", "type": [ "info" @@ -479,11 +490,13 @@ "name": "Virtual Machine should not be stopped (allocated) for more than a week", "remediation_instructions": "Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```", "short_id": "VirtualMachines-021" - } + }, + "updated_at": "2024-08-15T11:41:17.517Z" } } }, { + "@timestamp": "2026-05-22T13:03:10.863749018Z", "cloud": { "account": { "id": "434f3cbb-30f2-4bc0-8bba-cb080280652b", 
@@ -502,7 +515,7 @@ "created": "2024-08-15T11:41:17.517Z", "id": "6fe49e83-2f3a-5b62-99de-beae16c7bfae-missing-provider-id", "kind": "state", - "original": "{\"analyzedAt\":\"2024-08-15T11:41:17.517926Z\",\"id\":\"6fe49e83-2f3a-5b62-99de-beae16c7bfae-missing-provider-id\",\"remediation\":null,\"resource\":{\"id\":\"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f\",\"name\":\"annam-VM\",\"nativeType\":\"Microsoft.Compute/virtualMachines\",\"region\":\"eastus\",\"subscription\":{\"cloudProvider\":\"Azure\",\"externalId\":\"434f3cbb-30f2-4bc0-8bba-cb080280652b\",\"id\":\"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db\",\"name\":\"partner integrations\"},\"tags\":[],\"type\":\"VIRTUAL_MACHINE\"},\"result\":\"IN_PROGRESS\",\"rule\":{\"description\":\"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \\nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \\nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. 
\\nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.\",\"id\":\"56c8890d-ad68-4659-9414-fb0ed7258c31\",\"name\":\"Virtual Machine should not be stopped (allocated) for more than a week\",\"remediationInstructions\":\"Perform the following command to deallocate the VM via Azure CLI:\\n```\\naz vm deallocate \\\\\\n\\t--ids {{vmId}}\\n```\",\"shortId\":\"VirtualMachines-021\"},\"severity\":\"LOW\"}", + "original": "{\"analyzedAt\":\"2024-08-15T11:41:17.517926Z\",\"updatedAt\":\"2024-08-15T11:41:17.517926Z\",\"id\":\"6fe49e83-2f3a-5b62-99de-beae16c7bfae-missing-provider-id\",\"remediation\":null,\"resource\":{\"id\":\"8a53b2d9-f6c6-59e4-bce0-736a45e9aa3f\",\"name\":\"annam-VM\",\"nativeType\":\"Microsoft.Compute/virtualMachines\",\"region\":\"eastus\",\"subscription\":{\"cloudProvider\":\"Azure\",\"externalId\":\"434f3cbb-30f2-4bc0-8bba-cb080280652b\",\"id\":\"064ecbb5-19ee-540d-b9f5-99c3a4e2d0db\",\"name\":\"partner integrations\"},\"tags\":[],\"type\":\"VIRTUAL_MACHINE\"},\"result\":\"IN_PROGRESS\",\"rule\":{\"description\":\"This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \\nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \\nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. 
\\nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.\",\"id\":\"56c8890d-ad68-4659-9414-fb0ed7258c31\",\"name\":\"Virtual Machine should not be stopped (allocated) for more than a week\",\"remediationInstructions\":\"Perform the following command to deallocate the VM via Azure CLI:\\n```\\naz vm deallocate \\\\\\n\\t--ids {{vmId}}\\n```\",\"shortId\":\"VirtualMachines-021\"},\"severity\":\"LOW\"}", "outcome": "unknown", "type": [ "info" @@ -557,7 +570,8 @@ "name": "Virtual Machine should not be stopped (allocated) for more than a week", "remediation_instructions": "Perform the following command to deallocate the VM via Azure CLI:\n```\naz vm deallocate \\\n\t--ids {{vmId}}\n```", "short_id": "VirtualMachines-021" - } + }, + "updated_at": "2024-08-15T11:41:17.517Z" } } } diff --git a/packages/wiz/data_stream/cloud_configuration_finding_full_posture/_dev/test/policy/test-default.expected b/packages/wiz/data_stream/cloud_configuration_finding_full_posture/_dev/test/policy/test-default.expected new file mode 100644 index 00000000000..83acf7d0939 --- /dev/null +++ b/packages/wiz/data_stream/cloud_configuration_finding_full_posture/_dev/test/policy/test-default.expected 
@@ -0,0 +1,166 @@ +inputs: + - data_stream: + namespace: ep + meta: + package: + name: wiz + name: test-default-wiz + streams: + - auth.oauth2: + client.id: test-client-id + client.secret: ${SECRET_0} + endpoint_params: + audience: wiz-api + grant_type: client_credentials + token_url: https://auth.app.wiz.io/oauth/token + config_version: 2 + data_stream: + dataset: wiz.cloud_configuration_finding_full_posture + interval: 24h + max_executions: 1000 + program: | + state.with( + request( + "POST", + state.url.trim_right("/").trim_suffix("/graphql") + "/graphql", + { + "query": state.query, + "variables": { + "first": state.batch_size, + "after": state.?end_cursor.value.orValue(null), + "filterBy": { + "includeDeleted": false, + "status": ["OPEN", "RESOLVED"] + } + } + }.encode_json() + ).with({ + "Header": { + "Content-Type": ["application/json"], + "User-Agent": [useragent], + }, + }).do_request().as(resp, resp.StatusCode == 200 ? + resp.Body.decode_json().as(body, body.?data.configurationFindings.nodes.orValue(null) != null ? + { + "events": body.data.configurationFindings.nodes.map(e, { + "message": e.encode_json(), + }), + "end_cursor": { + ?"value": body.?data.configurationFindings.pageInfo.hasNextPage.orValue(false) ? + body.?data.configurationFindings.pageInfo.endCursor + : + optional.none() + }, + "want_more": body.?data.configurationFindings.pageInfo.hasNextPage.orValue(false), + } + : + { + "events": [], + "want_more": false, + } + ) + : + { + "events": { + "error": { + "code": string(resp.StatusCode), + "id": string(resp.Status), + "message": "POST " + state.url.trim_right("/").trim_suffix("/graphql") + "/graphql:" + ( + size(resp.Body) != 0 ? 
+ string(resp.Body) + : + string(resp.Status) + ' (' + string(resp.StatusCode) + ')' + ), + }, + }, + "want_more": false, + } + ) + ) + publisher_pipeline.disable_host: true + redact: + fields: null + resource.rate_limit.limit: 0.5 + resource.retry.max_attempts: 10 + resource.ssl: null + resource.timeout: 30s + resource.tracer: + enabled: false + filename: ../../logs/cel/http-request-trace-*.ndjson + maxbackups: 5 + resource.url: https://api.example.app.wiz.io + state: + batch_size: 500 + query: |- + query CloudConfigurationFindingsPage($filterBy: ConfigurationFindingFilters $first: Int $after: String $orderBy: ConfigurationFindingOrder){ + configurationFindings(filterBy: $filterBy first: $first after: $after orderBy: $orderBy) { + nodes { + id + name + analyzedAt + updatedAt + severity + result + remediation + status + resource { + id + providerId + name + nativeType + type + region + cloudPlatform + subscription { + id + name + externalId + cloudProvider + } + tags { + key + value + } + } + rule { + id + shortId + name + description + remediationInstructions + } + evidence { + currentValue + expectedValue + configurationPath + cloudConfigurationLink + } + } + pageInfo { + hasNextPage + endCursor + } + } + } + want_more: false + tags: + - forwarded + - wiz-cloud_configuration_finding_full_posture + type: cel + use_output: default +output_permissions: + default: + _elastic_agent_checks: + cluster: + - monitor + _elastic_agent_monitoring: + indices: [] + uuid-for-permissions-on-related-indices: + indices: + - names: + - logs-wiz.cloud_configuration_finding_full_posture-ep + privileges: + - auto_configure + - create_doc +secret_references: + - {} diff --git a/packages/wiz/data_stream/cloud_configuration_finding_full_posture/_dev/test/policy/test-default.yml b/packages/wiz/data_stream/cloud_configuration_finding_full_posture/_dev/test/policy/test-default.yml new file mode 100644 index 00000000000..32177fa3c26 --- /dev/null 
+++ b/packages/wiz/data_stream/cloud_configuration_finding_full_posture/_dev/test/policy/test-default.yml @@ -0,0 +1,6 @@ +vars: + client_id: test-client-id + client_secret: test-client-secret + url: https://api.example.app.wiz.io +data_stream: + vars: diff --git a/packages/wiz/data_stream/cloud_configuration_finding_full_posture/agent/stream/cel.yml.hbs b/packages/wiz/data_stream/cloud_configuration_finding_full_posture/agent/stream/cel.yml.hbs index dafec9f5756..f76fc2c5479 100644 --- a/packages/wiz/data_stream/cloud_configuration_finding_full_posture/agent/stream/cel.yml.hbs +++ b/packages/wiz/data_stream/cloud_configuration_finding_full_posture/agent/stream/cel.yml.hbs @@ -1,5 +1,5 @@ config_version: 2 -interval: 24h +interval: {{interval}} resource.tracer: enabled: {{enable_request_tracer}} filename: "../../logs/cel/http-request-trace-*.ndjson" @@ -13,6 +13,8 @@ resource.ssl: {{ssl}} {{#if http_client_timeout}} resource.timeout: {{http_client_timeout}} {{/if}} +resource.rate_limit.limit: {{resource_rate_limit_limit}} +resource.retry.max_attempts: {{resource_retry_max_attempts}} resource.url: {{url}} auth.oauth2: client.id: {{client_id}} @@ -33,6 +35,7 @@ state: id name analyzedAt + updatedAt severity result remediation @@ -81,9 +84,9 @@ max_executions: {{max_executions}} {{/if}} program: | state.with( - post_request( - state.url.trim_right("/") + "/graphql", - "application/json", + request( + "POST", + state.url.trim_right("/").trim_suffix("/graphql") + "/graphql", { "query": state.query, "variables": { @@ -95,7 +98,12 @@ program: | } } }.encode_json() - ).do_request().as(resp, resp.StatusCode == 200 ? + ).with({ + "Header": { + "Content-Type": ["application/json"], + "User-Agent": [useragent], + }, + }).do_request().as(resp, resp.StatusCode == 200 ? resp.Body.decode_json().as(body, body.?data.configurationFindings.nodes.orValue(null) != null ? { "events": body.data.configurationFindings.nodes.map(e, { 
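Review bot: In the `@@ -13,6 +13,8 @@` hunk of cel.yml.hbs, `resource.rate_limit.limit: {{resource_rate_limit_limit}}` and `resource.retry.max_attempts: {{resource_retry_max_attempts}}` are rendered unconditionally, while the manifest in this same change declares both variables `required: false`; an operator who clears either field renders `resource.rate_limit.limit:` with no value, which YAML reads as null, and how the CEL input treats a null there (rejected, or rate limiting silently disabled) is not visible in this diff. The template already guards the optional timeout with `{{#if http_client_timeout}}…{{/if}}`; wrap these two the same way, e.g. `{{#if resource_rate_limit_limit}}resource.rate_limit.limit: {{resource_rate_limit_limit}}{{/if}}` and the matching block for `resource_retry_max_attempts`, so an empty value falls back to the input's own default instead of a null. The `interval: {{interval}}` line in the first hunk is safe only because the new `interval` variable is `required: true`; if it is ever made optional it needs the same guard.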
@@ -121,7 +129,7 @@ program: | "error": { "code": string(resp.StatusCode), "id": string(resp.Status), - "message": "POST " + state.url.trim_right("/") + "/graphql:" + ( + "message": "POST " + state.url.trim_right("/").trim_suffix("/graphql") + "/graphql:" + ( size(resp.Body) != 0 ? string(resp.Body) : diff --git a/packages/wiz/data_stream/cloud_configuration_finding_full_posture/elasticsearch/ingest_pipeline/default.yml b/packages/wiz/data_stream/cloud_configuration_finding_full_posture/elasticsearch/ingest_pipeline/default.yml index bd2723e422d..1abe4db5046 100644 --- a/packages/wiz/data_stream/cloud_configuration_finding_full_posture/elasticsearch/ingest_pipeline/default.yml +++ b/packages/wiz/data_stream/cloud_configuration_finding_full_posture/elasticsearch/ingest_pipeline/default.yml @@ -115,6 +115,17 @@ processors: tag: set_event_created copy_from: wiz.cloud_configuration_finding_full_posture.analyzed_at ignore_empty_value: true + - date: + field: json.updatedAt + target_field: wiz.cloud_configuration_finding_full_posture.updated_at + tag: date_set_updatedat + formats: + - ISO8601 + if: ctx.json?.updatedAt != null && ctx.json.updatedAt != '' + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' - rename: field: json.id tag: rename_id diff --git a/packages/wiz/data_stream/cloud_configuration_finding_full_posture/fields/fields.yml b/packages/wiz/data_stream/cloud_configuration_finding_full_posture/fields/fields.yml index 5df98192fcf..61224cdca53 100644 --- a/packages/wiz/data_stream/cloud_configuration_finding_full_posture/fields/fields.yml +++ b/packages/wiz/data_stream/cloud_configuration_finding_full_posture/fields/fields.yml @@ -3,6 +3,8 @@ fields: - name: analyzed_at type: date + - name: updated_at + type: date - name: status type: keyword - name: name 
diff --git a/packages/wiz/data_stream/cloud_configuration_finding_full_posture/manifest.yml b/packages/wiz/data_stream/cloud_configuration_finding_full_posture/manifest.yml index ac266f2a48a..0204e1aa648 100644 --- a/packages/wiz/data_stream/cloud_configuration_finding_full_posture/manifest.yml +++ b/packages/wiz/data_stream/cloud_configuration_finding_full_posture/manifest.yml @@ -23,6 +23,22 @@ streams: required: true show_user: false default: 30s + - name: resource_rate_limit_limit + type: text + title: Resource Rate Limit + description: The maximum request rate for the HTTP client, in requests per second. + multi: false + required: false + show_user: false + default: "0.5" + - name: resource_retry_max_attempts + type: text + title: Resource Retry Max Attempts + description: Maximum number of retries for the HTTP client. + multi: false + required: false + show_user: false + default: "10" - name: max_executions type: integer title: Maximum Pages Per Interval @@ -78,3 +94,11 @@ streams: description: >- Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - name: interval + type: text + title: Interval + description: Do not modify. The duration between runs of full posture synchronization. + multi: false + required: true + show_user: false + default: 24h diff --git a/packages/wiz/data_stream/cloud_configuration_finding_full_posture/sample_event.json b/packages/wiz/data_stream/cloud_configuration_finding_full_posture/sample_event.json index d0f3f08c5b9..c019599ab67 100644 --- a/packages/wiz/data_stream/cloud_configuration_finding_full_posture/sample_event.json +++ b/packages/wiz/data_stream/cloud_configuration_finding_full_posture/sample_event.json 
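Review bot: In the `@@ -23,6 +23,22 @@` hunk, `resource_rate_limit_limit` and `resource_retry_max_attempts` are declared `required: false`, but the sibling `http_client_timeout` variable directly above them is `required: true`, and the cel.yml.hbs template interpolates both new variables without an `{{#if}}` guard, so an emptied field produces a valueless YAML key. The cheapest fix that keeps the defaults (`"0.5"`, `"10"`) meaningful is to make both `required: true`, i.e. change the two `required: false` lines to `required: true`, so Fleet never renders an empty value. Both are also `type: text` holding numbers; if the package supports an integer type for `resource_retry_max_attempts`, using it would reject non-numeric input at policy time rather than at input start, though that cannot be confirmed from this hunk.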
@@ -40,7 +40,7 @@ "id": "1243196d-a365-589a-a8aa-13817c9877b2", "ingested": "2025-04-22T09:55:55Z", "kind": "state", - "original": "{\"analyzedAt\":\"2024-08-07T12:55:52.012378Z\",\"id\":\"1243196d-a365-589a-a8aa-13817c9877b2\",\"remediation\":null,\"resource\":{\"cloudPlatform\":\"EKS\",\"id\":\"f0f4163d-cbd7-517c-ba9e-f96bb90ab5ea\",\"name\":\"Root user\",\"nativeType\":\"rootUser\",\"providerId\":\"arn:aws:iam::998231069301:root\",\"region\":null,\"subscription\":{\"cloudProvider\":\"AWS\",\"externalId\":\"998231069301\",\"id\":\"94e76baa-85fd-5928-b829-1669a2ca9660\",\"name\":\"wiz-integrations\"},\"tags\":[],\"type\":\"USER_ACCOUNT\"},\"result\":\"PASS\",\"rule\":{\"description\":\"description\",\"id\":\"563ed717-4fb6-47fd-929e-9c794e201d0a\",\"name\":\"Root account access keys should not exist\",\"remediationInstructions\":\"instructions\",\"shortId\":\"IAM-006\"},\"severity\":\"MEDIUM\"}", + "original": "{\"analyzedAt\":\"2024-08-07T12:55:52.012378Z\",\"updatedAt\":\"2024-08-07T12:55:52.012378Z\",\"id\":\"1243196d-a365-589a-a8aa-13817c9877b2\",\"remediation\":null,\"resource\":{\"cloudPlatform\":\"EKS\",\"id\":\"f0f4163d-cbd7-517c-ba9e-f96bb90ab5ea\",\"name\":\"Root user\",\"nativeType\":\"rootUser\",\"providerId\":\"arn:aws:iam::998231069301:root\",\"region\":null,\"subscription\":{\"cloudProvider\":\"AWS\",\"externalId\":\"998231069301\",\"id\":\"94e76baa-85fd-5928-b829-1669a2ca9660\",\"name\":\"wiz-integrations\"},\"tags\":[],\"type\":\"USER_ACCOUNT\"},\"result\":\"PASS\",\"rule\":{\"description\":\"description\",\"id\":\"563ed717-4fb6-47fd-929e-9c794e201d0a\",\"name\":\"Root account access keys should not exist\",\"remediationInstructions\":\"instructions\",\"shortId\":\"IAM-006\"},\"severity\":\"MEDIUM\"}", "outcome": "success", "type": [ "info" 
@@ -81,6 +81,7 @@
 "wiz": {
 "cloud_configuration_finding_full_posture": {
 "analyzed_at": "2024-08-07T12:55:52.012Z",
+ "updated_at": "2024-08-07T12:55:52.012Z",
 "id": "1243196d-a365-589a-a8aa-13817c9877b2",
 "resource": {
 "cloud_platform": "EKS",
diff --git a/packages/wiz/data_stream/issue/agent/stream/cel.yml.hbs b/packages/wiz/data_stream/issue/agent/stream/cel.yml.hbs
index 42afdc8944b..11344833763 100644
--- a/packages/wiz/data_stream/issue/agent/stream/cel.yml.hbs
+++ b/packages/wiz/data_stream/issue/agent/stream/cel.yml.hbs
@@ -13,6 +13,8 @@ resource.ssl: {{ssl}}
 {{#if http_client_timeout}}
 resource.timeout: {{http_client_timeout}}
 {{/if}}
+resource.rate_limit.limit: {{resource_rate_limit_limit}}
+resource.retry.max_attempts: {{resource_retry_max_attempts}}
 resource.url: {{url}}
 auth.oauth2:
 client.id: {{client_id}}
@@ -148,9 +150,9 @@ max_executions: {{max_executions}}
 {{/if}}
 program: |
 state.with(
- post_request(
- state.url.trim_right("/") + "/graphql",
- "application/json",
+ request(
+ "POST",
+ state.url.trim_right("/").trim_suffix("/graphql") + "/graphql",
 {
 "query": state.query,
 "variables": {
@@ -166,7 +168,12 @@ program: |
 }
 }
 }.encode_json()
- ).do_request().as(resp, resp.StatusCode == 200 ?
+ ).with({
+ "Header": {
+ "Content-Type": ["application/json"],
+ "User-Agent": [useragent],
+ },
+ }).do_request().as(resp, resp.StatusCode == 200 ?
 bytes(resp.Body).decode_json().as(body, body.?data.issues.nodes.orValue(null) != null ?
 {
 "events": body.data.issues.nodes.map(e, {
diff --git a/packages/wiz/data_stream/issue/manifest.yml b/packages/wiz/data_stream/issue/manifest.yml
index 4e173369baa..3c8ecca8406 100644
--- a/packages/wiz/data_stream/issue/manifest.yml
+++ b/packages/wiz/data_stream/issue/manifest.yml
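Review bot: In the `@@ -13,6 +13,8 @@` hunk of issue/agent/stream/cel.yml.hbs the two new `resource.rate_limit.limit` and `resource.retry.max_attempts` lines are rendered unconditionally, while the neighbouring `resource.timeout` line is guarded by `{{#if http_client_timeout}}`. The manifests declare both variables `required: false`, so a policy that clears the value renders `resource.rate_limit.limit:` with no scalar, which the input may reject or interpret differently from the intended `0.5` / `10` defaults. Either guard each line the way the timeout line is guarded, `{{#if resource_rate_limit_limit}}` … `{{/if}}`, or make the variables `required: true` in the three manifests since they already carry defaults. The same applies to the vulnerability cel.yml.hbs hunk below and to the matching `@@ -39,6 +39,22 @@` / `@@ -49,6 +49,22 @@` manifest hunks for the issue and vulnerability data streams.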
@@ -18,7 +18,7 @@ streams:
 - name: interval
 type: text
 title: Interval
- description: Duration between requests to the Wiz API. Supported units for this parameter are h/m/s.
+ description: Duration between requests to the Wiz API. Must be 5m or longer. Supported units for this parameter are h/m/s.
 default: 5m
 multi: false
 required: true
@@ -39,6 +39,22 @@ streams:
 required: true
 show_user: false
 default: 30s
+ - name: resource_rate_limit_limit
+ type: text
+ title: Resource Rate Limit
+ description: The maximum request rate for the HTTP client, in requests per second.
+ multi: false
+ required: false
+ show_user: false
+ default: "0.5"
+ - name: resource_retry_max_attempts
+ type: text
+ title: Resource Retry Max Attempts
+ description: Maximum number of retries for the HTTP client.
+ multi: false
+ required: false
+ show_user: false
+ default: "10"
 - name: max_executions
 type: integer
 title: Maximum Pages Per Interval
diff --git a/packages/wiz/data_stream/vulnerability/agent/stream/cel.yml.hbs b/packages/wiz/data_stream/vulnerability/agent/stream/cel.yml.hbs
index 02420c62ff5..568c376d3ea 100644
--- a/packages/wiz/data_stream/vulnerability/agent/stream/cel.yml.hbs
+++ b/packages/wiz/data_stream/vulnerability/agent/stream/cel.yml.hbs
@@ -13,6 +13,8 @@ resource.ssl: {{ssl}}
 {{#if http_client_timeout}}
 resource.timeout: {{http_client_timeout}}
 {{/if}}
+resource.rate_limit.limit: {{resource_rate_limit_limit}}
+resource.retry.max_attempts: {{resource_retry_max_attempts}}
 resource.url: {{url}}
 auth.oauth2:
 client.id: {{client_id}}
@@ -138,9 +140,9 @@ max_executions: {{max_executions}}
 {{/if}}
 program: |
 state.with(
- post_request(
- state.url.trim_right("/") + "/graphql",
- "application/json",
+ request(
+ "POST",
+ state.url.trim_right("/").trim_suffix("/graphql") + "/graphql",
 {
 "query": state.query,
 "variables": {
@@ -157,7 +159,12 @@ program: |
 }
 }
 }.encode_json()
- ).do_request().as(resp, resp.StatusCode == 200 ?
+ ).with({
+ "Header": {
+ "Content-Type": ["application/json"],
+ "User-Agent": [useragent],
+ },
+ }).do_request().as(resp, resp.StatusCode == 200 ?
 bytes(resp.Body).decode_json().as(body, body.?data.vulnerabilityFindings.nodes.orValue(null) != null ?
 {
 "events": body.data.vulnerabilityFindings.nodes.map(e, {
diff --git a/packages/wiz/data_stream/vulnerability/manifest.yml b/packages/wiz/data_stream/vulnerability/manifest.yml
index 56627c84fdf..3ae400be89c 100644
--- a/packages/wiz/data_stream/vulnerability/manifest.yml
+++ b/packages/wiz/data_stream/vulnerability/manifest.yml
@@ -28,7 +28,7 @@ streams:
 - name: interval
 type: text
 title: Interval
- description: Duration between requests to the Wiz API. Supported units for this parameter are h/m/s.
+ description: Duration between requests to the Wiz API. Must be 5m or longer. Supported units for this parameter are h/m/s.
 default: 5m
 multi: false
 required: true
@@ -49,6 +49,22 @@ streams:
 required: true
 show_user: false
 default: 30s
+ - name: resource_rate_limit_limit
+ type: text
+ title: Resource Rate Limit
+ description: The maximum request rate for the HTTP client, in requests per second.
+ multi: false
+ required: false
+ show_user: false
+ default: "0.5"
+ - name: resource_retry_max_attempts
+ type: text
+ title: Resource Retry Max Attempts
+ description: Maximum number of retries for the HTTP client.
+ multi: false
+ required: false
+ show_user: false
+ default: "10"
 - name: max_executions
 type: integer
 title: Maximum Pages Per Interval
diff --git a/packages/wiz/docs/README.md b/packages/wiz/docs/README.md
index 07502ef2506..344ebdab3eb 100644
--- a/packages/wiz/docs/README.md
+++ b/packages/wiz/docs/README.md
@@ -98,16 +98,18 @@ Agentless deployments are only supported in Elastic Serverless and Elastic Cloud - Vulnerability data is fetched for the previous day. - Custom headers are not supported in this integration. Only the standard Authorization header (for example, Bearer token) is used for API requests. -### Troubleshooting +### Transforms -The transforms used in the Wiz integration depend on the presence of the `event.ingested` field to function correctly. +The Wiz integration creates transforms to support [CDR](https://www.elastic.co/what-is/cloud-detection-response), for the following data streams: -When using Fleet-managed Elastic Agents, the `.fleet_final_pipeline-1` is automatically executed and ensures that the `event.ingested` field is added to all events. +| Data stream name | Transform destination alias | +|-------------------------------------------------------|-------------------------------------------------| +| `logs-wiz.vulnerability-*` | `security_solution-wiz.vulnerability_latest` | +| `logs-wiz.cloud_configuration_finding_full_posture-*` | `security_solution-wiz.misconfiguration_latest` | -However, when using standalone Elastic Agents, this pipeline is not applied, and the `event.ingested` field is not automatically added. +The source data streams contain historical events and are suitable for most uses, while the aliased transform destination indexes provide a view of the current state of Wiz findings to support Elastic Security CDR workflows. The dashboards included in the Wiz integration use the source data streams. -📌 Action Required (for standalone agents): -You must manually add the `event.ingested` field, preferably via a custom ingest pipeline (e.g., using the @custom pipeline). +The transforms use `event.ingested` as their sync field. Fleet-managed Elastic Agents add this field automatically but for other setups this field might need to be added separately. ## Logs reference 
@@ -298,7 +300,7 @@ An example event for `cloud_configuration_finding` looks as following: "id": "1243196d-a365-589a-a8aa-13817c9877b2", "ingested": "2025-04-22T09:54:52Z", "kind": "state", - "original": "{\"analyzedAt\":\"2024-08-07T12:55:52.012378Z\",\"id\":\"1243196d-a365-589a-a8aa-13817c9877b2\",\"remediation\":null,\"resource\":{\"cloudPlatform\":\"EKS\",\"id\":\"f0f4163d-cbd7-517c-ba9e-f96bb90ab5ea\",\"name\":\"Root user\",\"nativeType\":\"rootUser\",\"providerId\":\"arn:aws:iam::998231069301:root\",\"region\":null,\"subscription\":{\"cloudProvider\":\"AWS\",\"externalId\":\"998231069301\",\"id\":\"94e76baa-85fd-5928-b829-1669a2ca9660\",\"name\":\"wiz-integrations\"},\"tags\":[],\"type\":\"USER_ACCOUNT\"},\"result\":\"PASS\",\"rule\":{\"description\":\"This rule checks if the AWS Root Account has access keys. \\nThis rule fails if `AccountAccessKeysPresent` is not set to `0`. Note that it does not take into consideration the status of the keys if present. \\nThe root account should avoid using access keys. Since the root account has full permissions across the entire account, creating access keys for it increases the chance that they will be compromised. Instead, it is recommended to create IAM users with predefined roles.\\n\\u003e**Note** \\nSee Cloud Configuration Rule `IAM-207` to see if the Root account's access keys are active.\",\"id\":\"563ed717-4fb6-47fd-929e-9c794e201d0a\",\"name\":\"Root account access keys should not exist\",\"remediationInstructions\":\"Perform the following steps, while being signed in as the Root user, in order to delete the root user's access keys via AWS CLI: \\n1. Use the following command to list the Root user's access keys. \\nCopy the `AccessKeyId` from the output and paste it into the `access-key-id` value in the next step. \\n```\\naws iam list-access-keys\\n```\\n2. Use the following command to delete the access key(s). 
\\n```\\naws iam delete-access-key /\\n --access-key-id \\u003cvalue\\u003e\\n```\\n\\u003e**Note** \\nOnce an access key is removed, any application using it will not work until a new one is configured for it.\",\"shortId\":\"IAM-006\"},\"severity\":\"MEDIUM\"}", + "original": "{\"analyzedAt\":\"2024-08-07T12:55:52.012378Z\",\"updatedAt\":\"2024-08-07T12:55:52.012378Z\",\"id\":\"1243196d-a365-589a-a8aa-13817c9877b2\",\"remediation\":null,\"resource\":{\"cloudPlatform\":\"EKS\",\"id\":\"f0f4163d-cbd7-517c-ba9e-f96bb90ab5ea\",\"name\":\"Root user\",\"nativeType\":\"rootUser\",\"providerId\":\"arn:aws:iam::998231069301:root\",\"region\":null,\"subscription\":{\"cloudProvider\":\"AWS\",\"externalId\":\"998231069301\",\"id\":\"94e76baa-85fd-5928-b829-1669a2ca9660\",\"name\":\"wiz-integrations\"},\"tags\":[],\"type\":\"USER_ACCOUNT\"},\"result\":\"PASS\",\"rule\":{\"description\":\"This rule checks if the AWS Root Account has access keys. \\nThis rule fails if `AccountAccessKeysPresent` is not set to `0`. Note that it does not take into consideration the status of the keys if present. \\nThe root account should avoid using access keys. Since the root account has full permissions across the entire account, creating access keys for it increases the chance that they will be compromised. Instead, it is recommended to create IAM users with predefined roles.\\n\\u003e**Note** \\nSee Cloud Configuration Rule `IAM-207` to see if the Root account's access keys are active.\",\"id\":\"563ed717-4fb6-47fd-929e-9c794e201d0a\",\"name\":\"Root account access keys should not exist\",\"remediationInstructions\":\"Perform the following steps, while being signed in as the Root user, in order to delete the root user's access keys via AWS CLI: \\n1. Use the following command to list the Root user's access keys. \\nCopy the `AccessKeyId` from the output and paste it into the `access-key-id` value in the next step. \\n```\\naws iam list-access-keys\\n```\\n2. 
Use the following command to delete the access key(s). \\n```\\naws iam delete-access-key /\\n --access-key-id \\u003cvalue\\u003e\\n```\\n\\u003e**Note** \\nOnce an access key is removed, any application using it will not work until a new one is configured for it.\",\"shortId\":\"IAM-006\"},\"severity\":\"MEDIUM\"}", "outcome": "success", "type": [ "info" @@ -341,6 +343,7 @@ An example event for `cloud_configuration_finding` looks as following: "wiz": { "cloud_configuration_finding": { "analyzed_at": "2024-08-07T12:55:52.012Z", + "updated_at": "2024-08-07T12:55:52.012Z", "id": "1243196d-a365-589a-a8aa-13817c9877b2", "resource": { "cloud_platform": "EKS", @@ -413,6 +416,7 @@ An example event for `cloud_configuration_finding` looks as following: | wiz.cloud_configuration_finding.rule.name | | keyword | | wiz.cloud_configuration_finding.rule.remediation_instructions | | text | | wiz.cloud_configuration_finding.rule.short_id | | keyword | +| wiz.cloud_configuration_finding.updated_at | | date | ### Cloud configuration finding full posture 
@@ -466,7 +470,7 @@ An example event for `cloud_configuration_finding_full_posture` looks as followi "id": "1243196d-a365-589a-a8aa-13817c9877b2", "ingested": "2025-04-22T09:55:55Z", "kind": "state", - "original": "{\"analyzedAt\":\"2024-08-07T12:55:52.012378Z\",\"id\":\"1243196d-a365-589a-a8aa-13817c9877b2\",\"remediation\":null,\"resource\":{\"cloudPlatform\":\"EKS\",\"id\":\"f0f4163d-cbd7-517c-ba9e-f96bb90ab5ea\",\"name\":\"Root user\",\"nativeType\":\"rootUser\",\"providerId\":\"arn:aws:iam::998231069301:root\",\"region\":null,\"subscription\":{\"cloudProvider\":\"AWS\",\"externalId\":\"998231069301\",\"id\":\"94e76baa-85fd-5928-b829-1669a2ca9660\",\"name\":\"wiz-integrations\"},\"tags\":[],\"type\":\"USER_ACCOUNT\"},\"result\":\"PASS\",\"rule\":{\"description\":\"description\",\"id\":\"563ed717-4fb6-47fd-929e-9c794e201d0a\",\"name\":\"Root account access keys should not exist\",\"remediationInstructions\":\"instructions\",\"shortId\":\"IAM-006\"},\"severity\":\"MEDIUM\"}", + "original": "{\"analyzedAt\":\"2024-08-07T12:55:52.012378Z\",\"updatedAt\":\"2024-08-07T12:55:52.012378Z\",\"id\":\"1243196d-a365-589a-a8aa-13817c9877b2\",\"remediation\":null,\"resource\":{\"cloudPlatform\":\"EKS\",\"id\":\"f0f4163d-cbd7-517c-ba9e-f96bb90ab5ea\",\"name\":\"Root user\",\"nativeType\":\"rootUser\",\"providerId\":\"arn:aws:iam::998231069301:root\",\"region\":null,\"subscription\":{\"cloudProvider\":\"AWS\",\"externalId\":\"998231069301\",\"id\":\"94e76baa-85fd-5928-b829-1669a2ca9660\",\"name\":\"wiz-integrations\"},\"tags\":[],\"type\":\"USER_ACCOUNT\"},\"result\":\"PASS\",\"rule\":{\"description\":\"description\",\"id\":\"563ed717-4fb6-47fd-929e-9c794e201d0a\",\"name\":\"Root account access keys should not exist\",\"remediationInstructions\":\"instructions\",\"shortId\":\"IAM-006\"},\"severity\":\"MEDIUM\"}", "outcome": "success", "type": [ "info" 
@@ -507,6 +511,7 @@ An example event for `cloud_configuration_finding_full_posture` looks as followi "wiz": { "cloud_configuration_finding_full_posture": { "analyzed_at": "2024-08-07T12:55:52.012Z", + "updated_at": "2024-08-07T12:55:52.012Z", "id": "1243196d-a365-589a-a8aa-13817c9877b2", "resource": { "cloud_platform": "EKS", @@ -581,6 +586,7 @@ An example event for `cloud_configuration_finding_full_posture` looks as followi | wiz.cloud_configuration_finding_full_posture.rule.remediation_instructions | | text | | wiz.cloud_configuration_finding_full_posture.rule.short_id | | keyword | | wiz.cloud_configuration_finding_full_posture.status | | keyword | +| wiz.cloud_configuration_finding_full_posture.updated_at | | date | ### Defend diff --git a/packages/wiz/elasticsearch/transform/latest_cdr_misconfigurations/fields/fields.yml b/packages/wiz/elasticsearch/transform/latest_cdr_misconfigurations/fields/fields.yml index 5df98192fcf..61224cdca53 100644 --- a/packages/wiz/elasticsearch/transform/latest_cdr_misconfigurations/fields/fields.yml +++ b/packages/wiz/elasticsearch/transform/latest_cdr_misconfigurations/fields/fields.yml @@ -3,6 +3,8 @@ fields: - name: analyzed_at type: date + - name: updated_at + type: date - name: status type: keyword - name: name diff --git a/packages/wiz/img/wiz-logo.svg b/packages/wiz/img/wiz-logo.svg index fdb4edb168b..8b11aff8a6f 100644 --- a/packages/wiz/img/wiz-logo.svg +++ b/packages/wiz/img/wiz-logo.svg @@ -1,94 +1,7 @@ - - - + + Wiz logo + + + + diff --git a/packages/wiz/img/wiz-policy-editor-ui.png b/packages/wiz/img/wiz-policy-editor-ui.png new file mode 100644 index 00000000000..ca80bd34618 Binary files /dev/null and b/packages/wiz/img/wiz-policy-editor-ui.png differ diff --git a/packages/wiz/kibana/dashboard/wiz-3c3519be-f4f9-4c67-a9d8-1db4182b6e6a.json b/packages/wiz/kibana/dashboard/wiz-3c3519be-f4f9-4c67-a9d8-1db4182b6e6a.json index fc0d8397a8a..68c1f6e642f 100644 
--- a/packages/wiz/kibana/dashboard/wiz-3c3519be-f4f9-4c67-a9d8-1db4182b6e6a.json +++ b/packages/wiz/kibana/dashboard/wiz-3c3519be-f4f9-4c67-a9d8-1db4182b6e6a.json @@ -14,6 +14,7 @@ "explicitInput": { "dataViewId": "logs-*", "exclude": true, + "existsSelected": false, "fieldName": "event.action", "searchTechnique": "prefix", "selectedOptions": [], @@ -54,6 +55,7 @@ "existsSelected": false, "fieldName": "event.provider", "searchTechnique": "prefix", + "selectedOptions": [], "sort": { "by": "_count", "direction": "desc" @@ -68,33 +70,10 @@ }, "showApplySelections": false }, - "description": "This dashboard shows Detection Logs collected by the Wiz Defend integration.", + "description": "", "kibanaSavedObjectMeta": { "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "data_stream.dataset", - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "wiz.defend" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "wiz.defend" - } - } - } - ], + "filter": [], "query": { "language": "kuery", "query": "" @@ -115,7 +94,12 @@ "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-layer-d5419375-833b-4eeb-8119-6950d64230d9", + "name": "indexpattern-datasource-layer-6be8a450-9cac-43cb-a7e1-3b5b3f504af4", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "12099fd9-f20a-4e2a-91d1-1b8aac061cad", "type": "index-pattern" } ], 
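Review bot: The `@@ -68,33 +70,10 @@` hunk clears the dashboard-level `description` to `""`, dropping the one sentence that told users what this dashboard covers. Moving the `data_stream.dataset: wiz.defend` filter from the dashboard into each panel (the later hunks in this file) is fine, but it also removes the only other place the Wiz Defend scope was visible, so the description is worth keeping. Restore it as `"description": "This dashboard shows Detection Logs collected by the Wiz Defend integration.",` or an equivalent sentence re-exported from Kibana.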
@@ -123,19 +107,19 @@ "adHocDataViews": {}, "datasourceStates": { "formBased": { - "currentIndexPatternId": "logs-*", "layers": { - "d5419375-833b-4eeb-8119-6950d64230d9": { + "6be8a450-9cac-43cb-a7e1-3b5b3f504af4": { "columnOrder": [ - "ae333c2a-5a00-4008-89a6-969caf914e83", - "c6d798c8-accb-4ae1-975b-652a8eed2d07" + "c462537a-e3f3-4542-9f21-c0cdb590f6ef", + "0f5de969-06b2-4d1a-9877-c174e448940a", + "d9b10eed-3ab7-4bda-b924-9406edf2306d" ], "columns": { - "ae333c2a-5a00-4008-89a6-969caf914e83": { + "0f5de969-06b2-4d1a-9877-c174e448940a": { "customLabel": true, "dataType": "string", "isBucketed": true, - "label": "Trigger Rule Names", + "label": "Cloud Account ID", "operationType": "terms", "params": { "exclude": [], @@ -144,20 +128,46 @@ "includeIsRegex": false, "missingBucket": false, "orderBy": { - "columnId": "c6d798c8-accb-4ae1-975b-652a8eed2d07", + "columnId": "d9b10eed-3ab7-4bda-b924-9406edf2306d", "type": "column" }, "orderDirection": "desc", - "otherBucket": true, + "otherBucket": false, "parentFormat": { "id": "terms" }, "size": 10 }, "scale": "ordinal", - "sourceField": "rule.name" + "sourceField": "wiz.defend.triggering_event.resources.cloud_account.id" }, - "c6d798c8-accb-4ae1-975b-652a8eed2d07": { + "c462537a-e3f3-4542-9f21-c0cdb590f6ef": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Cloud Platform", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "d9b10eed-3ab7-4bda-b924-9406edf2306d", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "wiz.defend.triggering_event.resources.cloud_account.cloud_platform" + }, + "d9b10eed-3ab7-4bda-b924-9406edf2306d": { "customLabel": true, "dataType": "number", "isBucketed": false, 
@@ -178,27 +188,41 @@ }, "ignoreGlobalFilters": false, "incompleteColumns": {}, - "indexPatternId": "logs-*", "sampling": 1 } } }, "indexpattern": { - "currentIndexPatternId": "logs-*", "layers": {} }, "textBased": { - "indexPatternRefs": [ - { - "id": "logs-*", - "timeField": "@timestamp", - "title": "logs-*" - } - ], "layers": {} } }, - "filters": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "12099fd9-f20a-4e2a-91d1-1b8aac061cad", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "wiz.defend" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "wiz.defend" + } + } + } + ], "internalReferences": [], "query": { "language": "kuery", @@ -208,19 +232,29 @@ "columns": [ { "alignment": "center", - "columnId": "c6d798c8-accb-4ae1-975b-652a8eed2d07", + "columnId": "c462537a-e3f3-4542-9f21-c0cdb590f6ef", + "isMetric": false, + "isTransposed": false + }, + { + "alignment": "center", + "columnId": "d9b10eed-3ab7-4bda-b924-9406edf2306d", "isMetric": true, "isTransposed": false }, { "alignment": "center", - "columnId": "ae333c2a-5a00-4008-89a6-969caf914e83", + "columnId": "0f5de969-06b2-4d1a-9877-c174e448940a", "isMetric": false, "isTransposed": false } ], - "layerId": "d5419375-833b-4eeb-8119-6950d64230d9", - "layerType": "data" + "headerRowHeight": "custom", + "headerRowHeightLines": 3, + "layerId": "6be8a450-9cac-43cb-a7e1-3b5b3f504af4", + "layerType": "data", + "rowHeight": "auto", + "rowHeightLines": -1 } }, "title": "", 
@@ -232,24 +266,47 @@ "events": [] } }, - "filters": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "12099fd9-f20a-4e2a-91d1-1b8aac061cad", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "wiz.defend" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "wiz.defend" + } + } + } + ], "query": { "language": "kuery", "query": "" }, "syncColors": false, "syncCursor": true, - "syncTooltips": false + "syncTooltips": false, + "title": "Top 10 Cloud Accounts with Highest Detections [Logs Wiz]" }, "gridData": { - "h": 15, - "i": "dc2bc10a-8f52-4242-81b2-515c18ad2ccc", - "w": 24, - "x": 24, - "y": 123 + "h": 12, + "i": "0246d4ce-3dda-4e9f-bc69-7122fc6aa518", + "w": 48, + "x": 0, + "y": 35 }, - "panelIndex": "dc2bc10a-8f52-4242-81b2-515c18ad2ccc", - "title": "Top 10 Trigger Rules with Highest Detections [Logs Wiz]", + "panelIndex": "0246d4ce-3dda-4e9f-bc69-7122fc6aa518", "type": "lens" }, { @@ -258,7 +315,12 @@ "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-layer-f3c8e76c-8dbe-44bf-a4c0-1953cf2dffde", + "name": "indexpattern-datasource-layer-a954312a-b2e7-4160-8c32-42fdbaa7c639", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "38a738be-567c-4797-b05f-ad81ae8860f3", "type": "index-pattern" } ], 
@@ -266,37 +328,30 @@ "adHocDataViews": {}, "datasourceStates": { "formBased": { - "currentIndexPatternId": "logs-*", "layers": { - "f3c8e76c-8dbe-44bf-a4c0-1953cf2dffde": { + "a954312a-b2e7-4160-8c32-42fdbaa7c639": { "columnOrder": [ - "8f6d58e5-7ebc-44f8-a34e-af340ae9beaa", - "601214c5-35bf-44dd-8d1f-2e8a0334ee44" + "cd325623-f160-42ec-92c2-029282ad3708", + "aac53614-9481-4184-a12b-ce05ec5924ce" ], "columns": { - "601214c5-35bf-44dd-8d1f-2e8a0334ee44": { + "aac53614-9481-4184-a12b-ce05ec5924ce": { "customLabel": true, "dataType": "number", "isBucketed": false, "label": "Count", "operationType": "unique_count", "params": { - "emptyAsNull": true, - "format": { - "id": "number", - "params": { - "decimals": 0 - } - } + "emptyAsNull": false }, "scale": "ratio", "sourceField": "event.id" }, - "8f6d58e5-7ebc-44f8-a34e-af340ae9beaa": { + "cd325623-f160-42ec-92c2-029282ad3708": { "customLabel": true, "dataType": "string", "isBucketed": true, - "label": "Commands", + "label": "Detection Event Source", "operationType": "terms", "params": { "exclude": [], 
@@ -305,94 +360,155 @@ "includeIsRegex": false, "missingBucket": false, "orderBy": { - "columnId": "601214c5-35bf-44dd-8d1f-2e8a0334ee44", + "columnId": "aac53614-9481-4184-a12b-ce05ec5924ce", "type": "column" }, "orderDirection": "desc", - "otherBucket": false, + "otherBucket": true, "parentFormat": { "id": "terms" }, - "size": 10 + "secondaryFields": [], + "size": 5 }, "scale": "ordinal", - "sourceField": "wiz.defend.triggering_event.runtime_details.process_tree.command" + "sourceField": "event.provider" } }, - "ignoreGlobalFilters": false, "incompleteColumns": {}, - "indexPatternId": "logs-*", "sampling": 1 } } }, "indexpattern": { - "currentIndexPatternId": "logs-*", "layers": {} }, "textBased": { - "indexPatternRefs": [ - { - "id": "logs-*", - "timeField": "@timestamp", - "title": "logs-*" - } - ], "layers": {} } }, - "filters": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "38a738be-567c-4797-b05f-ad81ae8860f3", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "wiz.defend" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "wiz.defend" + } + } + } + ], "internalReferences": [], "query": { "language": "kuery", "query": "" }, "visualization": { - "columns": [ - { - "alignment": "center", - "columnId": "8f6d58e5-7ebc-44f8-a34e-af340ae9beaa", - "isMetric": false, - "isTransposed": false - }, + "layers": [ { - "alignment": "center", - "columnId": "601214c5-35bf-44dd-8d1f-2e8a0334ee44", - "isMetric": true, - "isTransposed": false + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rules": [ + { + "type": "other" + } + ], + "touched": false + } + ] + }, + "emptySizeRatio": 0, + "layerId": 
"a954312a-b2e7-4160-8c32-42fdbaa7c639", + "layerType": "data", + "legendDisplay": "show", + "legendSize": "xlarge", + "metrics": [ + "aac53614-9481-4184-a12b-ce05ec5924ce" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "cd325623-f160-42ec-92c2-029282ad3708" + ], + "truncateLegend": false } ], - "layerId": "f3c8e76c-8dbe-44bf-a4c0-1953cf2dffde", - "layerType": "data" + "shape": "donut" } }, "title": "", "type": "lens", - "visualizationType": "lnsDatatable" + "visualizationType": "lnsPie" }, "enhancements": { "dynamicActions": { "events": [] } }, - "filters": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "38a738be-567c-4797-b05f-ad81ae8860f3", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "wiz.defend" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "wiz.defend" + } + } + } + ], "query": { "language": "kuery", "query": "" }, "syncColors": false, "syncCursor": true, - "syncTooltips": false + "syncTooltips": false, + "title": "Detection Source Distribution [Logs Wiz]" }, "gridData": { - "h": 15, - "i": "2d6af0b4-36e2-46ad-b5a8-ceacef6219cb", - "w": 24, + "h": 18, + "i": "d1455288-89ba-4146-b530-dda7f9663bbc", + "w": 26, "x": 0, - "y": 123 + "y": 47 }, - "panelIndex": "2d6af0b4-36e2-46ad-b5a8-ceacef6219cb", - "title": "Top 10 Common Malicious Commands", + "panelIndex": "d1455288-89ba-4146-b530-dda7f9663bbc", "type": "lens" }, { @@ -401,7 +517,12 @@ "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-layer-d2b4912e-3ced-49ac-aa99-2969720e2f1f", + "name": "indexpattern-datasource-layer-9722040c-5b00-410c-a720-87bfb162c84a", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ae446cbc-21c9-4c28-9188-8745078e3f68", "type": "index-pattern" } ], 
@@ -409,38 +530,30 @@ "adHocDataViews": {}, "datasourceStates": { "formBased": { - "currentIndexPatternId": "logs-*", "layers": { - "d2b4912e-3ced-49ac-aa99-2969720e2f1f": { + "9722040c-5b00-410c-a720-87bfb162c84a": { "columnOrder": [ - "68141a00-8b12-4f48-810a-1ff8b3eeabf7", - "cd2fa083-75b3-49a8-a3bc-2f59146d8fa6", - "484781b7-7d30-4ad1-8b17-8e8e6abf9e40" + "e22cefb5-f7de-422d-a95b-4a2f3f552eec", + "b9ce961a-78c3-4ee7-8296-ad5c67db3eb7" ], "columns": { - "484781b7-7d30-4ad1-8b17-8e8e6abf9e40": { + "b9ce961a-78c3-4ee7-8296-ad5c67db3eb7": { "customLabel": true, "dataType": "number", "isBucketed": false, "label": "Count", "operationType": "unique_count", "params": { - "emptyAsNull": false, - "format": { - "id": "number", - "params": { - "decimals": 0 - } - } + "emptyAsNull": false }, "scale": "ratio", "sourceField": "wiz.defend.id" }, - "68141a00-8b12-4f48-810a-1ff8b3eeabf7": { + "e22cefb5-f7de-422d-a95b-4a2f3f552eec": { "customLabel": true, "dataType": "string", "isBucketed": true, - "label": "Container Name", + "label": "Triggering Types", "operationType": "terms", "params": { "exclude": [], 
@@ -449,128 +562,153 @@ "includeIsRegex": false, "missingBucket": false, "orderBy": { - "columnId": "484781b7-7d30-4ad1-8b17-8e8e6abf9e40", + "columnId": "b9ce961a-78c3-4ee7-8296-ad5c67db3eb7", "type": "column" }, "orderDirection": "desc", - "otherBucket": false, + "otherBucket": true, "parentFormat": { "id": "terms" }, - "size": 10 + "size": 5 }, "scale": "ordinal", - "sourceField": "wiz.defend.triggering_event.runtime_details.process_tree.container.name" - }, - "cd2fa083-75b3-49a8-a3bc-2f59146d8fa6": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Container ID", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "484781b7-7d30-4ad1-8b17-8e8e6abf9e40", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "wiz.defend.triggering_event.runtime_details.process_tree.container.id" + "sourceField": "event.action" } }, - "ignoreGlobalFilters": false, "incompleteColumns": {}, - "indexPatternId": "logs-*", "sampling": 1 } } }, "indexpattern": { - "currentIndexPatternId": "logs-*", "layers": {} }, "textBased": { - "indexPatternRefs": [ - { - "id": "logs-*", - "timeField": "@timestamp", - "title": "logs-*" - } - ], "layers": {} } }, - "filters": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "ae446cbc-21c9-4c28-9188-8745078e3f68", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "wiz.defend" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "wiz.defend" + } + } + } + ], "internalReferences": [], "query": { "language": "kuery", "query": "" }, "visualization": { - "columns": [ - { - "alignment": "center", - "columnId": 
"68141a00-8b12-4f48-810a-1ff8b3eeabf7", - "isMetric": false, - "isTransposed": false - }, - { - "alignment": "center", - "columnId": "484781b7-7d30-4ad1-8b17-8e8e6abf9e40", - "isMetric": true, - "isTransposed": false - }, + "layers": [ { - "alignment": "center", - "columnId": "cd2fa083-75b3-49a8-a3bc-2f59146d8fa6", - "isMetric": false, - "isTransposed": false + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rules": [ + { + "type": "other" + } + ], + "touched": false + } + ] + }, + "emptySizeRatio": 0, + "layerId": "9722040c-5b00-410c-a720-87bfb162c84a", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "b9ce961a-78c3-4ee7-8296-ad5c67db3eb7" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "e22cefb5-f7de-422d-a95b-4a2f3f552eec" + ], + "truncateLegend": false } ], - "layerId": "d2b4912e-3ced-49ac-aa99-2969720e2f1f", - "layerType": "data", - "rowHeight": "auto", - "rowHeightLines": -1 + "shape": "donut" } }, "title": "", "type": "lens", - "visualizationType": "lnsDatatable" + "visualizationType": "lnsPie" }, "enhancements": { "dynamicActions": { "events": [] } }, - "filters": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "ae446cbc-21c9-4c28-9188-8745078e3f68", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "wiz.defend" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "wiz.defend" + } + } + } + ], "query": { "language": "kuery", "query": "" }, "syncColors": false, "syncCursor": true, - "syncTooltips": false + "syncTooltips": false, + "title": "Detections by Trigger Type [Logs Wiz]" }, "gridData": { - "h": 15, - "i": "427510cc-fc9e-4691-9fac-4d5a3e377700", - "w": 
24, - "x": 0, - "y": 108 + "h": 18, + "i": "ace8bb17-267f-4942-9748-17f9f10749e0", + "w": 22, + "x": 26, + "y": 47 }, - "panelIndex": "427510cc-fc9e-4691-9fac-4d5a3e377700", - "title": "Top 10 Containers with Highest Detections [Logs Wiz]", + "panelIndex": "ace8bb17-267f-4942-9748-17f9f10749e0", "type": "lens" }, { @@ -579,7 +717,12 @@ "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-layer-76037f8d-37f5-405c-9974-6afefd777737", + "name": "indexpattern-datasource-layer-84a5677b-c5e3-4940-8c67-7576961e2f79", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "777e84d3-528b-4286-9354-551204c418e8", "type": "index-pattern" } ], @@ -587,37 +730,18 @@ "adHocDataViews": {}, "datasourceStates": { "formBased": { - "currentIndexPatternId": "logs-*", "layers": { - "76037f8d-37f5-405c-9974-6afefd777737": { + "84a5677b-c5e3-4940-8c67-7576961e2f79": { "columnOrder": [ - "c645c311-34c1-415f-b5cf-2db750c4d709", - "226bbb04-3506-47e0-89e0-c4467ec25bef" + "53ccfb54-7eaa-49da-99b1-912239fea452", + "72f83e5b-995e-44a3-8165-cdbffbe48c55" ], "columns": { - "226bbb04-3506-47e0-89e0-c4467ec25bef": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "unique_count", - "params": { - "emptyAsNull": false, - "format": { - "id": "number", - "params": { - "decimals": 0 - } - } - }, - "scale": "ratio", - "sourceField": "wiz.defend.id" - }, - "c645c311-34c1-415f-b5cf-2db750c4d709": { + "53ccfb54-7eaa-49da-99b1-912239fea452": { "customLabel": true, "dataType": "string", "isBucketed": true, - "label": "Resource Types", + "label": "Severity", "operationType": "terms", "params": { "exclude": [], 
@@ -626,96 +750,171 @@
 "includeIsRegex": false,
 "missingBucket": false,
 "orderBy": {
- "columnId": "226bbb04-3506-47e0-89e0-c4467ec25bef",
+ "columnId": "72f83e5b-995e-44a3-8165-cdbffbe48c55",
 "type": "column"
 },
 "orderDirection": "desc",
- "otherBucket": false,
+ "otherBucket": true,
 "parentFormat": {
 "id": "terms"
 },
- "size": 10
+ "size": 5
 },
 "scale": "ordinal",
- "sourceField": "wiz.defend.triggering_event.resources.type"
+ "sourceField": "wiz.defend.severity"
+ },
+ "72f83e5b-995e-44a3-8165-cdbffbe48c55": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "unique_count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "wiz.defend.id"
 }
 },
- "ignoreGlobalFilters": false,
 "incompleteColumns": {},
- "indexPatternId": "logs-*",
 "sampling": 1
 }
 }
 },
 "indexpattern": {
- "currentIndexPatternId": "logs-*",
 "layers": {}
 },
 "textBased": {
- "indexPatternRefs": [
- {
- "id": "logs-*",
- "timeField": "@timestamp",
- "title": "logs-*"
- }
- ],
 "layers": {}
 }
 },
- "filters": [],
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "777e84d3-528b-4286-9354-551204c418e8",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "wiz.defend"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "wiz.defend"
+ }
+ }
+ }
+ ],
 "internalReferences": [],
 "query": {
 "language": "kuery",
 "query": ""
 },
 "visualization": {
- "columns": [
- {
- "alignment": "center",
- "columnId": "c645c311-34c1-415f-b5cf-2db750c4d709",
- "isMetric": false,
- "isTransposed": false
- },
+ "layers": [
 {
- "alignment": "center",
- "columnId": "226bbb04-3506-47e0-89e0-c4467ec25bef",
- "isMetric": true,
- "isTransposed": false
+ "categoryDisplay": "default",
+ "colorMapping": {
+ "assignments":
[],
+ "colorMode": {
+ "type": "categorical"
+ },
+ "paletteId": "eui_amsterdam_color_blind",
+ "specialAssignments": [
+ {
+ "color": {
+ "type": "loop"
+ },
+ "rules": [
+ {
+ "type": "other"
+ }
+ ],
+ "touched": false
+ }
+ ]
+ },
+ "emptySizeRatio": 0,
+ "layerId": "84a5677b-c5e3-4940-8c67-7576961e2f79",
+ "layerType": "data",
+ "legendDisplay": "show",
+ "metrics": [
+ "72f83e5b-995e-44a3-8165-cdbffbe48c55"
+ ],
+ "nestedLegend": false,
+ "numberDisplay": "percent",
+ "primaryGroups": [
+ "53ccfb54-7eaa-49da-99b1-912239fea452"
+ ],
+ "truncateLegend": false
 }
 ],
- "layerId": "76037f8d-37f5-405c-9974-6afefd777737",
- "layerType": "data",
- "rowHeight": "auto",
- "rowHeightLines": -1
+ "shape": "donut"
 }
 },
 "title": "",
 "type": "lens",
- "visualizationType": "lnsDatatable"
+ "visualizationType": "lnsPie"
 },
 "enhancements": {
 "dynamicActions": {
 "events": []
 }
 },
- "filters": [],
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "777e84d3-528b-4286-9354-551204c418e8",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "wiz.defend"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "wiz.defend"
+ }
+ }
+ }
+ ],
 "query": {
 "language": "kuery",
 "query": ""
 },
 "syncColors": false,
 "syncCursor": true,
- "syncTooltips": false
+ "syncTooltips": false,
+ "title": "Detections by Severity [Logs Wiz]"
 },
 "gridData": {
- "h": 15,
- "i": "dc38a316-4a46-4c12-81d2-e78c90d1ceed",
- "w": 24,
- "x": 24,
- "y": 108
+ "h": 18,
+ "i": "9afe8b96-eb6a-44e6-97e7-15c766d26a1c",
+ "w": 26,
+ "x": 0,
+ "y": 65
 },
- "panelIndex": "dc38a316-4a46-4c12-81d2-e78c90d1ceed",
- "title": "Top 10 Resource Types with Highest Detections [Logs Wiz]",
+ "panelIndex": "9afe8b96-eb6a-44e6-97e7-15c766d26a1c",
 "type": "lens"
 },
 {
@@ -724,7 +923,12 @@
 "references": [
 {
 "id": "logs-*",
- "name": "indexpattern-datasource-layer-c1458332-407f-40dc-85ca-3c69a75f6153",
+ "name": "indexpattern-datasource-layer-a7a27126-b5e1-48de-9cc0-c71a01b1a1e6",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "b490fb92-e24a-4835-8efb-9c185a528006",
 "type": "index-pattern"
 }
 ],
@@ -732,20 +936,18 @@
 "adHocDataViews": {},
 "datasourceStates": {
 "formBased": {
- "currentIndexPatternId": "logs-*",
 "layers": {
- "c1458332-407f-40dc-85ca-3c69a75f6153": {
+ "a7a27126-b5e1-48de-9cc0-c71a01b1a1e6": {
 "columnOrder": [
- "b7f34afc-6ea7-4604-902a-5dbf3e5a7f4e",
- "3f0dc38a-9424-4a96-8ac2-fd9de5aad734",
- "466b3487-b5e1-461d-8b18-2d274ae72d05"
+ "6cfe7580-3c96-467d-95d9-a205dfe98731",
+ "c0c347fa-83ea-4150-8e00-e7abb037a687"
 ],
 "columns": {
- "3f0dc38a-9424-4a96-8ac2-fd9de5aad734": {
+ "6cfe7580-3c96-467d-95d9-a205dfe98731": {
 "customLabel": true,
 "dataType": "string",
 "isBucketed": true,
- "label": "Threat URL",
+ "label": "Actor Type",
 "operationType": "terms",
 "params": {
 "exclude": [],
@@ -754,20 +956,20 @@
 "includeIsRegex": false,
 "missingBucket": false,
 "orderBy": {
- "columnId": "466b3487-b5e1-461d-8b18-2d274ae72d05",
+ "columnId": "c0c347fa-83ea-4150-8e00-e7abb037a687",
 "type": "column"
 },
 "orderDirection": "desc",
- "otherBucket": false,
+ "otherBucket": true,
 "parentFormat": {
 "id": "terms"
 },
- "size": 10
+ "size": 5
 },
 "scale": "ordinal",
- "sourceField": "threat.indicator.reference"
+ "sourceField": "wiz.defend.triggering_event.actor.type"
 },
- "466b3487-b5e1-461d-8b18-2d274ae72d05": {
+ "c0c347fa-83ea-4150-8e00-e7abb037a687": {
 "customLabel": true,
 "dataType": "number",
 "isBucketed": false,
@@ -783,119 +985,143 @@
 }
 },
 "scale": "ratio",
- "sourceField": "wiz.defend.id"
- },
- "b7f34afc-6ea7-4604-902a-5dbf3e5a7f4e": {
- "customLabel": true,
- "dataType": "string",
- "isBucketed": true,
- "label": "Threat ID",
- "operationType": "terms",
- "params": {
- "exclude": [],
- "excludeIsRegex": false,
- "include": [],
- "includeIsRegex": false,
- "missingBucket": false,
- "orderBy": {
- "columnId": "466b3487-b5e1-461d-8b18-2d274ae72d05",
- "type": "column"
- },
- "orderDirection": "desc",
- "otherBucket": false,
- "parentFormat": {
- "id": "terms"
- },
- "size": 10
- },
- "scale": "ordinal",
- "sourceField": "threat.indicator.id"
+ "sourceField": "event.id"
 }
 },
- "ignoreGlobalFilters": false,
 "incompleteColumns": {},
- "indexPatternId": "logs-*",
 "sampling": 1
 }
 }
 },
 "indexpattern": {
- "currentIndexPatternId": "logs-*",
 "layers": {}
 },
 "textBased": {
- "indexPatternRefs": [
- {
- "id": "logs-*",
- "timeField": "@timestamp",
- "title": "logs-*"
- }
- ],
 "layers": {}
 }
 },
- "filters": [],
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "b490fb92-e24a-4835-8efb-9c185a528006",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "wiz.defend"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "wiz.defend"
+ }
+ }
+ }
+ ],
 "internalReferences": [],
 "query": {
 "language": "kuery",
 "query": ""
 },
 "visualization": {
- "columns": [
- {
- "alignment": "center",
- "columnId": "b7f34afc-6ea7-4604-902a-5dbf3e5a7f4e",
- "isMetric": false,
- "isTransposed": false
- },
- {
- "alignment": "center",
- "columnId": "3f0dc38a-9424-4a96-8ac2-fd9de5aad734",
- "isMetric": false,
- "isTransposed": false
- },
+ "layers": [
 {
- "alignment": "center",
- "columnId": "466b3487-b5e1-461d-8b18-2d274ae72d05",
- "isMetric": true,
- "isTransposed": false
+ "categoryDisplay": "default",
+ "colorMapping": {
+ "assignments": [],
+
"colorMode": {
+ "type": "categorical"
+ },
+ "paletteId": "eui_amsterdam_color_blind",
+ "specialAssignments": [
+ {
+ "color": {
+ "type": "loop"
+ },
+ "rules": [
+ {
+ "type": "other"
+ }
+ ],
+ "touched": false
+ }
+ ]
+ },
+ "emptySizeRatio": 0,
+ "layerId": "a7a27126-b5e1-48de-9cc0-c71a01b1a1e6",
+ "layerType": "data",
+ "legendDisplay": "show",
+ "legendSize": "large",
+ "metrics": [
+ "c0c347fa-83ea-4150-8e00-e7abb037a687"
+ ],
+ "nestedLegend": false,
+ "numberDisplay": "percent",
+ "primaryGroups": [
+ "6cfe7580-3c96-467d-95d9-a205dfe98731"
+ ],
+ "truncateLegend": false
 }
 ],
- "headerRowHeight": "custom",
- "headerRowHeightLines": 3,
- "layerId": "c1458332-407f-40dc-85ca-3c69a75f6153",
- "layerType": "data",
- "rowHeight": "auto",
- "rowHeightLines": -1
+ "shape": "donut"
 }
 },
 "title": "",
 "type": "lens",
- "visualizationType": "lnsDatatable"
+ "visualizationType": "lnsPie"
 },
 "enhancements": {
 "dynamicActions": {
 "events": []
 }
 },
- "filters": [],
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "b490fb92-e24a-4835-8efb-9c185a528006",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "wiz.defend"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "wiz.defend"
+ }
+ }
+ }
+ ],
 "query": {
 "language": "kuery",
 "query": ""
 },
 "syncColors": false,
 "syncCursor": true,
- "syncTooltips": false
+ "syncTooltips": false,
+ "title": "Detections by Actor Type [Logs Wiz]"
 },
 "gridData": {
- "h": 15,
- "i": "ee5926f1-4f4c-4ff2-beb0-afa71c199d44",
- "w": 24,
- "x": 0,
- "y": 138
+ "h": 18,
+ "i": "4ce47b03-10cc-4fe3-9de3-c239e5184334",
+ "w": 22,
+ "x": 26,
+ "y": 65
 },
- "panelIndex": "ee5926f1-4f4c-4ff2-beb0-afa71c199d44",
- "title": "Top 10 Detected Threats [Logs Wiz]",
+ "panelIndex": "4ce47b03-10cc-4fe3-9de3-c239e5184334",
 "type": "lens"
 },
 {
@@ -904,7 +1130,12 @@
 "references": [
 {
 "id": "logs-*",
- "name": "indexpattern-datasource-layer-5d7b131e-a2dc-453a-897a-c384a62a3fc6",
+ "name": "indexpattern-datasource-layer-f9c7cfa2-0061-466f-8909-040b89ecd361",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "26a8762b-bd10-43a6-b632-1fc52b649c46",
 "type": "index-pattern"
 }
 ],
@@ -912,52 +1143,30 @@
 "adHocDataViews": {},
 "datasourceStates": {
 "formBased": {
- "currentIndexPatternId": "logs-*",
 "layers": {
- "5d7b131e-a2dc-453a-897a-c384a62a3fc6": {
+ "f9c7cfa2-0061-466f-8909-040b89ecd361": {
 "columnOrder": [
- "06e6d10f-51b4-458b-b70b-ace175849baf",
- "9663e831-b7ed-474f-b699-34b54039c383",
- "052b1acc-59b8-43f9-b9f6-d627732628a9"
+ "dff56fec-70cc-4d6d-8a79-5c2794322a5a",
+ "9e564606-3929-45ec-91ac-71dbacc739e3"
 ],
 "columns": {
- "052b1acc-59b8-43f9-b9f6-d627732628a9": {
+ "9e564606-3929-45ec-91ac-71dbacc739e3": {
 "customLabel": true,
 "dataType": "number",
 "isBucketed": false,
 "label": "Count",
 "operationType": "unique_count",
 "params": {
- "emptyAsNull": false,
- "format": {
- "id": "number",
- "params": {
- "decimals": 0
- }
- }
+ "emptyAsNull": false
 },
 "scale": "ratio",
 "sourceField": "event.id"
 },
- "06e6d10f-51b4-458b-b70b-ace175849baf": {
- "customLabel": true,
- "dataType": "date",
- "isBucketed": true,
- "label": "Triggering Event Time",
- "operationType": "date_histogram",
- "params": {
- "dropPartials": false,
- "includeEmptyRows": true,
- "interval": "auto"
- },
- "scale": "interval",
- "sourceField": "@timestamp"
- },
- "9663e831-b7ed-474f-b699-34b54039c383": {
+ "dff56fec-70cc-4d6d-8a79-5c2794322a5a": {
 "customLabel": true,
 "dataType": "string",
 "isBucketed": true,
- "label": "Triggering Event Source",
+ "label": "Country ISO Code",
 "operationType": "terms",
 "params": {
 "exclude": [],
@@ -966,123 +1175,121 @@
 "includeIsRegex": false,
 "missingBucket": false,
 "orderBy": {
- "columnId": "052b1acc-59b8-43f9-b9f6-d627732628a9",
+ "columnId": "9e564606-3929-45ec-91ac-71dbacc739e3",
 "type": "column"
 },
 "orderDirection": "desc",
- "otherBucket": false,
+ "otherBucket": true,
 "parentFormat": {
 "id": "terms"
 },
 "secondaryFields": [],
- "size": 20
+ "size": 5
 },
 "scale": "ordinal",
- "sourceField": "event.provider"
+ "sourceField": "source.geo.country_iso_code"
 }
 },
 "ignoreGlobalFilters": false,
 "incompleteColumns": {},
- "indexPatternId": "logs-*",
 "sampling": 1
 }
 }
 },
 "indexpattern": {
- "currentIndexPatternId": "logs-*",
 "layers": {}
 },
 "textBased": {
- "indexPatternRefs": [
- {
- "id": "logs-*",
- "timeField": "@timestamp",
- "title": "logs-*"
- }
- ],
 "layers": {}
 }
 },
- "filters": [],
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "26a8762b-bd10-43a6-b632-1fc52b649c46",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "wiz.defend"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "wiz.defend"
+ }
+ }
+ }
+ ],
 "internalReferences": [],
 "query": {
 "language": "kuery",
 "query": ""
 },
 "visualization": {
- "columns": [
- {
- "alignment": "center",
- "columnId": "052b1acc-59b8-43f9-b9f6-d627732628a9",
- "isMetric": true,
- "isTransposed": false
- },
- {
- "alignment": "center",
- "columnId": "06e6d10f-51b4-458b-b70b-ace175849baf",
- "isMetric": false,
- "isTransposed": false
- },
- {
- "alignment": "center",
- "columnId": "9663e831-b7ed-474f-b699-34b54039c383",
- "isMetric": false,
- "isTransposed": false
- }
- ],
- "layerId": "5d7b131e-a2dc-453a-897a-c384a62a3fc6",
- "layerType": "data"
+ "layerId": "f9c7cfa2-0061-466f-8909-040b89ecd361",
+ "layerType": "data",
+ "regionAccessor": "dff56fec-70cc-4d6d-8a79-5c2794322a5a",
+ "valueAccessor": "9e564606-3929-45ec-91ac-71dbacc739e3"
 }
 },
"title": "",
 "type": "lens",
- "visualizationType": "lnsDatatable"
+ "visualizationType": "lnsChoropleth"
 },
 "enhancements": {
 "dynamicActions": {
 "events": []
 }
 },
- "filters": [],
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "26a8762b-bd10-43a6-b632-1fc52b649c46",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "wiz.defend"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "wiz.defend"
+ }
+ }
+ }
+ ],
 "query": {
 "language": "kuery",
 "query": ""
 },
 "syncColors": false,
 "syncCursor": true,
- "syncTooltips": false
- },
- "gridData": {
- "h": 15,
- "i": "77df9a6b-af9e-412f-a916-fc83bd7c3194",
- "w": 24,
- "x": 24,
- "y": 138
- },
- "panelIndex": "77df9a6b-af9e-412f-a916-fc83bd7c3194",
- "title": "Detection Triggering Event Details [Logs Wiz]",
- "type": "lens"
- },
- {
- "embeddableConfig": {
- "description": "",
- "enhancements": {
- "dynamicActions": {
- "events": []
- }
- }
+ "syncTooltips": false,
+ "title": "Detections by Actor IP [Logs Wiz]"
 },
 "gridData": {
- "h": 14,
- "i": "bb78eccf-6271-4494-a767-bb65bf1cbdc0",
+ "h": 25,
+ "i": "8aa3eb20-a518-455e-aa8e-1fb39ba0e2e7",
 "w": 48,
 "x": 0,
- "y": 153
+ "y": 83
 },
- "panelIndex": "bb78eccf-6271-4494-a767-bb65bf1cbdc0",
- "panelRefName": "panel_bb78eccf-6271-4494-a767-bb65bf1cbdc0",
- "title": "Detection Essential Details [Logs Wiz]",
- "type": "search"
+ "panelIndex": "8aa3eb20-a518-455e-aa8e-1fb39ba0e2e7",
+ "type": "lens"
 },
 {
 "embeddableConfig": {
@@ -1090,7 +1297,12 @@
 "references": [
 {
 "id": "logs-*",
- "name": "indexpattern-datasource-layer-53610d78-e92c-427d-bfcf-374a2135f8e3",
+ "name": "indexpattern-datasource-layer-d2b4912e-3ced-49ac-aa99-2969720e2f1f",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "e25a34ad-eee8-44a1-89f8-7d7808d9a1d9",
 "type": "index-pattern"
 }
 ],
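Review bot: The region map introduced by `"visualizationType": "lnsChoropleth"` is fed by the terms column on `source.geo.country_iso_code` whose params in this hunk read `"size": 5` together with `"otherBucket": true`, so at most five countries receive a value and every remaining code is folded into an Other bucket that has no region to draw; the map silently under-reports where actor IPs originate. For a choropleth the bucket should cover all observed codes, e.g. `"otherBucket": false,` and a `"size"` large enough for the expected number of countries (the old table column used 20). The `"ignoreGlobalFilters": false` context line also differs from the sibling layers, which only gain that key on the new side, so worth confirming it was left in on purpose. The panel's `datasourceStates` block begins in the previous hunk.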
@@ -1098,29 +1310,15 @@
 "adHocDataViews": {},
 "datasourceStates": {
 "formBased": {
- "currentIndexPatternId": "logs-*",
 "layers": {
- "53610d78-e92c-427d-bfcf-374a2135f8e3": {
+ "d2b4912e-3ced-49ac-aa99-2969720e2f1f": {
 "columnOrder": [
- "2a335dea-e98d-4537-9d8b-5b305747306d",
- "bcf37841-f643-449b-8367-7d53656c7da1"
+ "68141a00-8b12-4f48-810a-1ff8b3eeabf7",
+ "cd2fa083-75b3-49a8-a3bc-2f59146d8fa6",
+ "484781b7-7d30-4ad1-8b17-8e8e6abf9e40"
 ],
 "columns": {
- "2a335dea-e98d-4537-9d8b-5b305747306d": {
- "customLabel": true,
- "dataType": "date",
- "isBucketed": true,
- "label": "Detection Timestamp",
- "operationType": "date_histogram",
- "params": {
- "dropPartials": false,
- "includeEmptyRows": true,
- "interval": "auto"
- },
- "scale": "interval",
- "sourceField": "wiz.defend.created_at"
- },
- "bcf37841-f643-449b-8367-7d53656c7da1": {
+ "484781b7-7d30-4ad1-8b17-8e8e6abf9e40": {
 "customLabel": true,
 "dataType": "number",
 "isBucketed": false,
@@ -1137,124 +1335,179 @@
 },
 "scale": "ratio",
 "sourceField": "wiz.defend.id"
+ },
+ "68141a00-8b12-4f48-810a-1ff8b3eeabf7": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Container Name",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "484781b7-7d30-4ad1-8b17-8e8e6abf9e40",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "wiz.defend.triggering_event.runtime_details.process_tree.container.name"
+ },
+ "cd2fa083-75b3-49a8-a3bc-2f59146d8fa6": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Container ID",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "484781b7-7d30-4ad1-8b17-8e8e6abf9e40",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "wiz.defend.triggering_event.runtime_details.process_tree.container.id"
 }
 },
+ "ignoreGlobalFilters": false,
 "incompleteColumns": {},
- "indexPatternId": "logs-*",
 "sampling": 1
 }
 }
 },
 "indexpattern": {
- "currentIndexPatternId": "logs-*",
 "layers": {}
 },
 "textBased": {
- "indexPatternRefs": [
- {
- "id": "logs-*",
- "timeField": "@timestamp",
- "title": "logs-*"
- }
- ],
 "layers": {}
 }
 },
- "filters": [],
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "e25a34ad-eee8-44a1-89f8-7d7808d9a1d9",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "wiz.defend"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+
"data_stream.dataset": "wiz.defend"
+ }
+ }
+ }
+ ],
 "internalReferences": [],
 "query": {
 "language": "kuery",
 "query": ""
 },
 "visualization": {
- "axisTitlesVisibilitySettings": {
- "x": true,
- "yLeft": true,
- "yRight": true
- },
- "fittingFunction": "Linear",
- "gridlinesVisibilitySettings": {
- "x": true,
- "yLeft": true,
- "yRight": true
- },
- "labelsOrientation": {
- "x": 0,
- "yLeft": 0,
- "yRight": 0
- },
- "layers": [
+ "columns": [
 {
- "accessors": [
- "bcf37841-f643-449b-8367-7d53656c7da1"
- ],
- "colorMapping": {
- "assignments": [],
- "colorMode": {
- "type": "categorical"
- },
- "paletteId": "eui_amsterdam_color_blind",
- "specialAssignments": [
- {
- "color": {
- "type": "loop"
- },
- "rule": {
- "type": "other"
- },
- "touched": false
- }
- ]
- },
- "layerId": "53610d78-e92c-427d-bfcf-374a2135f8e3",
- "layerType": "data",
- "position": "top",
- "seriesType": "line",
- "showGridlines": false,
- "xAccessor": "2a335dea-e98d-4537-9d8b-5b305747306d"
+ "alignment": "center",
+ "columnId": "68141a00-8b12-4f48-810a-1ff8b3eeabf7",
+ "isMetric": false,
+ "isTransposed": false
+ },
+ {
+ "alignment": "center",
+ "columnId": "484781b7-7d30-4ad1-8b17-8e8e6abf9e40",
+ "isMetric": true,
+ "isTransposed": false
+ },
+ {
+ "alignment": "center",
+ "columnId": "cd2fa083-75b3-49a8-a3bc-2f59146d8fa6",
+ "isMetric": false,
+ "isTransposed": false
 }
 ],
- "legend": {
- "isVisible": true,
- "position": "right",
- "shouldTruncate": false
- },
- "preferredSeriesType": "line",
- "tickLabelsVisibilitySettings": {
- "x": true,
- "yLeft": true,
- "yRight": true
- },
- "valueLabels": "hide"
+ "layerId": "d2b4912e-3ced-49ac-aa99-2969720e2f1f",
+ "layerType": "data",
+ "rowHeight": "auto",
+ "rowHeightLines": -1
 }
 },
 "title": "",
 "type": "lens",
- "visualizationType": "lnsXY"
+ "visualizationType": "lnsDatatable"
 },
 "enhancements": {
 "dynamicActions": {
 "events": []
 }
 },
- "filters": [],
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+
"disabled": false,
+ "field": "data_stream.dataset",
+ "index": "e25a34ad-eee8-44a1-89f8-7d7808d9a1d9",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "wiz.defend"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "wiz.defend"
+ }
+ }
+ }
+ ],
 "query": {
 "language": "kuery",
 "query": ""
 },
 "syncColors": false,
 "syncCursor": true,
- "syncTooltips": false
+ "syncTooltips": false,
+ "title": "Top 10 Containers with Highest Detections [Logs Wiz]"
 },
 "gridData": {
 "h": 15,
- "i": "cc20569b-60f2-4fc0-93cc-1152902c76a0",
- "w": 40,
- "x": 8,
- "y": 0
+ "i": "427510cc-fc9e-4691-9fac-4d5a3e377700",
+ "w": 24,
+ "x": 0,
+ "y": 108
 },
- "panelIndex": "cc20569b-60f2-4fc0-93cc-1152902c76a0",
- "title": "Detections over Time [Logs Wiz]",
+ "panelIndex": "427510cc-fc9e-4691-9fac-4d5a3e377700",
 "type": "lens"
 },
 {
@@ -1263,7 +1516,12 @@
 "references": [
 {
 "id": "logs-*",
- "name": "indexpattern-datasource-layer-65bbc691-ab9f-40f0-8258-66f28c54eeff",
+ "name": "indexpattern-datasource-layer-76037f8d-37f5-405c-9974-6afefd777737",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "a12cdeed-01c1-4d8d-a6e6-82d0e29666c9",
 "type": "index-pattern"
 }
 ],
@@ -1272,17 +1530,35 @@
 "datasourceStates": {
 "formBased": {
 "layers": {
- "65bbc691-ab9f-40f0-8258-66f28c54eeff": {
+ "76037f8d-37f5-405c-9974-6afefd777737": {
 "columnOrder": [
- "08ae64da-5722-4701-b325-0d76a2e0d46b",
- "09e064d7-68b4-4ee8-92b8-f71499245cd1"
+ "c645c311-34c1-415f-b5cf-2db750c4d709",
+ "226bbb04-3506-47e0-89e0-c4467ec25bef"
 ],
 "columns": {
- "08ae64da-5722-4701-b325-0d76a2e0d46b": {
+ "226bbb04-3506-47e0-89e0-c4467ec25bef": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "unique_count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "wiz.defend.id"
+ },
+ "c645c311-34c1-415f-b5cf-2db750c4d709": {
 "customLabel": true,
 "dataType": "string",
 "isBucketed": true,
- "label": "MITRE Tactic",
+ "label": "Resource Types",
 "operationType": "terms",
 "params": {
 "exclude": [],
@@ -1291,38 +1567,21 @@
 "includeIsRegex": false,
 "missingBucket": false,
 "orderBy": {
- "columnId": "09e064d7-68b4-4ee8-92b8-f71499245cd1",
+ "columnId": "226bbb04-3506-47e0-89e0-c4467ec25bef",
 "type": "column"
 },
 "orderDirection": "desc",
- "otherBucket": true,
+ "otherBucket": false,
 "parentFormat": {
 "id": "terms"
 },
 "size": 10
 },
 "scale": "ordinal",
- "sourceField": "threat.tactic.id"
- },
- "09e064d7-68b4-4ee8-92b8-f71499245cd1": {
- "customLabel": true,
- "dataType": "number",
- "isBucketed": false,
- "label": "Count",
- "operationType": "unique_count",
- "params": {
- "emptyAsNull": false,
- "format": {
- "id": "number",
- "params": {
- "decimals": 0
- }
- }
- },
- "scale": "ratio",
- "sourceField": "wiz.defend.id"
+ "sourceField": "wiz.defend.triggering_event.resources.type"
 }
 },
+ "ignoreGlobalFilters": false,
 "incompleteColumns": {},
 "sampling": 1
 }
@@ -1335,101 +1594,106 @@
 "layers": {}
 }
 },
- "filters": [],
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "a12cdeed-01c1-4d8d-a6e6-82d0e29666c9",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "wiz.defend"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "wiz.defend"
+ }
+ }
+ }
+ ],
 "internalReferences": [],
 "query": {
 "language": "kuery",
 "query": ""
 },
 "visualization": {
- "axisTitlesVisibilitySettings": {
- "x": true,
- "yLeft": true,
- "yRight": true
- },
- "fittingFunction": "Linear",
- "gridlinesVisibilitySettings": {
- "x": true,
- "yLeft": true,
- "yRight": true
- },
- "labelsOrientation": {
- "x": 0,
- "yLeft": 0,
- "yRight": 0
- },
- "layers": [
+ "columns": [
 {
- "accessors": [
- "09e064d7-68b4-4ee8-92b8-f71499245cd1"
- ],
- "colorMapping": {
- "assignments": [],
- "colorMode": {
- "type": "categorical"
- },
- "paletteId": "eui_amsterdam_color_blind",
- "specialAssignments": [
- {
- "color": {
- "type": "loop"
- },
- "rule": {
- "type": "other"
- },
- "touched": false
- }
- ]
- },
- "layerId": "65bbc691-ab9f-40f0-8258-66f28c54eeff",
- "layerType": "data",
- "position": "top",
- "seriesType": "bar_horizontal_stacked",
- "showGridlines": false,
- "xAccessor": "08ae64da-5722-4701-b325-0d76a2e0d46b"
+ "alignment": "center",
+ "columnId": "c645c311-34c1-415f-b5cf-2db750c4d709",
+ "isMetric": false,
+ "isTransposed": false
+ },
+ {
+ "alignment": "center",
+ "columnId": "226bbb04-3506-47e0-89e0-c4467ec25bef",
+ "isMetric": true,
+ "isTransposed": false
 }
 ],
- "legend": {
- "isVisible": true,
- "position": "right",
- "shouldTruncate": false
- },
- "preferredSeriesType": "bar_stacked",
- "tickLabelsVisibilitySettings": {
- "x": true,
- "yLeft": true,
- "yRight": true
- },
- "valueLabels": "hide"
+ "layerId": "76037f8d-37f5-405c-9974-6afefd777737",
+ "layerType": "data",
+ "rowHeight":
"auto",
+ "rowHeightLines": -1
 }
 },
 "title": "",
 "type": "lens",
- "visualizationType": "lnsXY"
+ "visualizationType": "lnsDatatable"
 },
 "enhancements": {
 "dynamicActions": {
 "events": []
 }
 },
- "filters": [],
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "a12cdeed-01c1-4d8d-a6e6-82d0e29666c9",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "wiz.defend"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "wiz.defend"
+ }
+ }
+ }
+ ],
 "query": {
 "language": "kuery",
 "query": ""
 },
 "syncColors": false,
 "syncCursor": true,
- "syncTooltips": false
+ "syncTooltips": false,
+ "title": "Top 10 Resource Types with Highest Detections [Logs Wiz]"
 },
 "gridData": {
- "h": 10,
- "i": "1a0212e1-6df2-4187-8bb0-029f04f196d1",
- "w": 20,
- "x": 28,
- "y": 15
+ "h": 15,
+ "i": "dc38a316-4a46-4c12-81d2-e78c90d1ceed",
+ "w": 24,
+ "x": 24,
+ "y": 108
 },
- "panelIndex": "1a0212e1-6df2-4187-8bb0-029f04f196d1",
- "title": "Detections by MITRE Tactic [Logs Wiz]",
+ "panelIndex": "dc38a316-4a46-4c12-81d2-e78c90d1ceed",
 "type": "lens"
 },
 {
@@ -1438,7 +1702,12 @@
 "references": [
 {
 "id": "logs-*",
- "name": "indexpattern-datasource-layer-f9a84bcb-a0e2-40a5-82d0-f8bd1fb49e4c",
+ "name": "indexpattern-datasource-layer-f3c8e76c-8dbe-44bf-a4c0-1953cf2dffde",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "7e48aaab-bddd-4e61-b73d-44dfa9464bd8",
 "type": "index-pattern"
 }
 ],
@@ -1446,22 +1715,21 @@
 "adHocDataViews": {},
 "datasourceStates": {
 "formBased": {
- "currentIndexPatternId": "logs-*",
 "layers": {
- "f9a84bcb-a0e2-40a5-82d0-f8bd1fb49e4c": {
+ "f3c8e76c-8dbe-44bf-a4c0-1953cf2dffde": {
 "columnOrder": [
- "d4e3a535-a7cf-48ca-b284-ad56d5794f16",
- "a6cebce0-c3fb-457b-832b-a0356ad54c2a"
+ "8f6d58e5-7ebc-44f8-a34e-af340ae9beaa",
+ "601214c5-35bf-44dd-8d1f-2e8a0334ee44"
 ],
 "columns": {
- "a6cebce0-c3fb-457b-832b-a0356ad54c2a": {
+ "601214c5-35bf-44dd-8d1f-2e8a0334ee44": {
 "customLabel": true,
 "dataType": "number",
 "isBucketed": false,
 "label": "Count",
 "operationType": "unique_count",
 "params": {
- "emptyAsNull": false,
+ "emptyAsNull": true,
 "format": {
 "id": "number",
 "params": {
@@ -1470,13 +1738,13 @@
 }
 },
 "scale": "ratio",
- "sourceField": "wiz.defend.id"
+ "sourceField": "event.id"
 },
- "d4e3a535-a7cf-48ca-b284-ad56d5794f16": {
+ "8f6d58e5-7ebc-44f8-a34e-af340ae9beaa": {
 "customLabel": true,
 "dataType": "string",
 "isBucketed": true,
- "label": "MITRE Techniques",
+ "label": "Commands",
 "operationType": "terms",
 "params": {
 "exclude": [],
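Review bot: The Count column `601214c5-35bf-44dd-8d1f-2e8a0334ee44` in hunk `@@ -1446,22 +1715,21 @@` is the only `unique_count` column in this change that sets `"emptyAsNull": true`; the sibling Count columns added elsewhere (for example `72f83e5b-…` and `226bbb04-…`) keep `"emptyAsNull": false`. If the difference is not deliberate, `"emptyAsNull": false,` keeps the new table consistent with the rest of the dashboard. The layer definition continues in the next hunk.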
@@ -1485,178 +1753,132 @@
 "includeIsRegex": false,
 "missingBucket": false,
 "orderBy": {
- "columnId": "a6cebce0-c3fb-457b-832b-a0356ad54c2a",
+ "columnId": "601214c5-35bf-44dd-8d1f-2e8a0334ee44",
 "type": "column"
 },
 "orderDirection": "desc",
- "otherBucket": true,
+ "otherBucket": false,
 "parentFormat": {
 "id": "terms"
 },
 "size": 10
 },
 "scale": "ordinal",
- "sourceField": "threat.technique.id"
+ "sourceField": "wiz.defend.triggering_event.runtime_details.process_tree.command"
 }
 },
+ "ignoreGlobalFilters": false,
 "incompleteColumns": {},
- "indexPatternId": "logs-*",
 "sampling": 1
 }
 }
 },
 "indexpattern": {
- "currentIndexPatternId": "logs-*",
 "layers": {}
 },
 "textBased": {
- "indexPatternRefs": [
- {
- "id": "logs-*",
- "timeField": "@timestamp",
- "title": "logs-*"
- }
- ],
 "layers": {}
 }
 },
- "filters": [],
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "7e48aaab-bddd-4e61-b73d-44dfa9464bd8",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "wiz.defend"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "wiz.defend"
+ }
+ }
+ }
+ ],
 "internalReferences": [],
 "query": {
 "language": "kuery",
 "query": ""
 },
 "visualization": {
- "axisTitlesVisibilitySettings": {
- "x": true,
- "yLeft": true,
- "yRight": true
- },
- "fittingFunction": "Linear",
- "gridlinesVisibilitySettings": {
- "x": true,
- "yLeft": true,
- "yRight": true
- },
- "labelsOrientation": {
- "x": 0,
- "yLeft": 0,
- "yRight": 0
- },
- "layers": [
+ "columns": [
 {
- "accessors": [
- "a6cebce0-c3fb-457b-832b-a0356ad54c2a"
- ],
- "colorMapping": {
- "assignments": [],
- "colorMode": {
- "type": "categorical"
- },
- "paletteId": "eui_amsterdam_color_blind",
- "specialAssignments": [
- {
- "color": {
- "type": "loop"
- },
- "rule": {
- "type": "other"
- },
- "touched": false
- }
- ]
- },
- "layerId": "f9a84bcb-a0e2-40a5-82d0-f8bd1fb49e4c",
-
"layerType": "data",
- "position": "top",
- "seriesType": "bar_horizontal_stacked",
- "showGridlines": false,
- "xAccessor": "d4e3a535-a7cf-48ca-b284-ad56d5794f16"
+ "alignment": "center",
+ "columnId": "8f6d58e5-7ebc-44f8-a34e-af340ae9beaa",
+ "isMetric": false,
+ "isTransposed": false
+ },
+ {
+ "alignment": "center",
+ "columnId": "601214c5-35bf-44dd-8d1f-2e8a0334ee44",
+ "isMetric": true,
+ "isTransposed": false
 }
 ],
- "legend": {
- "isVisible": true,
- "position": "right",
- "shouldTruncate": false,
- "showSingleSeries": false
- },
- "preferredSeriesType": "bar_stacked",
- "tickLabelsVisibilitySettings": {
- "x": true,
- "yLeft": true,
- "yRight": true
- },
- "valueLabels": "hide"
+ "layerId": "f3c8e76c-8dbe-44bf-a4c0-1953cf2dffde",
+ "layerType": "data"
 }
 },
 "title": "",
 "type": "lens",
- "visualizationType": "lnsXY"
+ "visualizationType": "lnsDatatable"
 },
 "enhancements": {
 "dynamicActions": {
 "events": []
 }
 },
- "filters": [],
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "index": "7e48aaab-bddd-4e61-b73d-44dfa9464bd8",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "wiz.defend"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "wiz.defend"
+ }
+ }
+ }
+ ],
 "query": {
 "language": "kuery",
 "query": ""
 },
 "syncColors": false,
 "syncCursor": true,
- "syncTooltips": false
+ "syncTooltips": false,
+ "title": "Top 10 Common Malicious Commands"
 },
 "gridData": {
- "h": 10,
- "i": "69a3edc2-dc12-454a-af9f-8eb3fbfb191e",
- "w": 20,
- "x": 8,
- "y": 15
- },
- "panelIndex": "69a3edc2-dc12-454a-af9f-8eb3fbfb191e",
- "title": "Detections by MITRE Techniques [Logs Wiz]",
- "type": "lens"
- },
- {
- "embeddableConfig": {
- "enhancements": {
- "dynamicActions": {
- "events": []
- }
- },
- "savedVis": {
- "data": {
- "aggs": [],
- "searchSource": {
- "filter": [],
- "query": {
- "language": "kuery",
- "query": ""
- }
- }
- },
- "description": "",
- "id": "",
- "params": {
- "fontSize": 12,
- "markdown": "**Navigation**\n\n**Wiz**\n\nWiz Defend\n\n[Wiz Cloud Configuration Finding](#/dashboard/wiz-726802c0-4007-48b9-bae5-09daa69d4368)\n\n[Wiz Vulnerability](#/dashboard/wiz-927c36f0-6358-11ee-a265-c3569aa0cebf)\n\n[Wiz Issue](#/dashboard/wiz-d8f91a20-6363-11ee-a265-c3569aa0cebf)\n\n[Wiz Audit](#/dashboard/wiz-be3fd3f0-6358-11ee-9db4-21f79f2e6273)\n\n**Overview**\n\nThis dashboard provides visibility into detection events, enabling effective threat monitoring across cloud and container environments. It features a Control Panel for filtering by severity and trigger type, and includes visualizations such as detections over time, top cloud accounts, containers, and resource types with highest detections. It highlights trends by MITRE tactics and techniques, actor types, and trigger types through pie and bar charts, while a geographic map displays actor IP distribution. A table details triggering events, and additional tables showcase top threats, rules, and common malicious commands, supporting deeper investigation and response.\n\n[**Integrations Page**](/app/integrations/detail/wiz/overview)",
- "openLinksInNewTab": false
- },
- "title": "",
- "type": "markdown",
- "uiState": {}
- }
- },
- "gridData": {
- "h": 35,
- "i": "ced2a470-d1c8-4d56-9f70-e8d3aa6d81c4",
- "w": 8,
+ "h": 15,
+ "i": "2d6af0b4-36e2-46ad-b5a8-ceacef6219cb",
+ "w": 24,
 "x": 0,
- "y": 0
+ "y": 123
 },
- "panelIndex": "ced2a470-d1c8-4d56-9f70-e8d3aa6d81c4",
- "type": "visualization"
+ "panelIndex": "2d6af0b4-36e2-46ad-b5a8-ceacef6219cb",
+ "type": "lens"
 },
 {
 "embeddableConfig": {
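Review bot: The new panel title `"title": "Top 10 Common Malicious Commands"` is the only one in this change without the `[Logs Wiz]` suffix that every sibling panel carries (`Detections by Actor Type [Logs Wiz]`, `Top 10 Resource Types with Highest Detections [Logs Wiz]`); `"title": "Top 10 Common Malicious Commands [Logs Wiz]"` keeps the naming convention the dashboard uses. The table behind it is a terms aggregation over `wiz.defend.triggering_event.runtime_details.process_tree.command`, so it renders full command lines taken from detections; command-line arguments can carry credentials or tokens, which is worth keeping in mind when deciding which roles get access to this dashboard. The panel object begins in the previous hunk.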
@@ -1664,7 +1886,12 @@ "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-layer-a7a27126-b5e1-48de-9cc0-c71a01b1a1e6", + "name": "indexpattern-datasource-layer-d5419375-833b-4eeb-8119-6950d64230d9", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "dd22aafe-d388-43b7-9646-0403aaee81a7", "type": "index-pattern" } ], @@ -1672,19 +1899,18 @@ "adHocDataViews": {}, "datasourceStates": { "formBased": { - "currentIndexPatternId": "logs-*", "layers": { - "a7a27126-b5e1-48de-9cc0-c71a01b1a1e6": { + "d5419375-833b-4eeb-8119-6950d64230d9": { "columnOrder": [ - "6cfe7580-3c96-467d-95d9-a205dfe98731", - "c0c347fa-83ea-4150-8e00-e7abb037a687" + "ae333c2a-5a00-4008-89a6-969caf914e83", + "c6d798c8-accb-4ae1-975b-652a8eed2d07" ], "columns": { - "6cfe7580-3c96-467d-95d9-a205dfe98731": { + "ae333c2a-5a00-4008-89a6-969caf914e83": { "customLabel": true, "dataType": "string", "isBucketed": true, - "label": "Actor Type", + "label": "Trigger Rule Names", "operationType": "terms", "params": { "exclude": [], @@ -1693,7 +1919,7 @@ "includeIsRegex": false, "missingBucket": false, "orderBy": { - "columnId": "c0c347fa-83ea-4150-8e00-e7abb037a687", + "columnId": "c6d798c8-accb-4ae1-975b-652a8eed2d07", "type": "column" }, "orderDirection": "desc", @@ -1701,12 +1927,12 @@ "parentFormat": { "id": "terms" }, - "size": 5 + "size": 10 }, "scale": "ordinal", - "sourceField": "wiz.defend.triggering_event.actor.type" + "sourceField": "rule.name" }, - "c0c347fa-83ea-4150-8e00-e7abb037a687": { + "c6d798c8-accb-4ae1-975b-652a8eed2d07": { "customLabel": true, "dataType": "number", "isBucketed": false, 
@@ -1722,104 +1948,120 @@ } }, "scale": "ratio", - "sourceField": "event.id" + "sourceField": "wiz.defend.id" } }, + "ignoreGlobalFilters": false, "incompleteColumns": {}, - "indexPatternId": "logs-*", "sampling": 1 } } }, "indexpattern": { - "currentIndexPatternId": "logs-*", "layers": {} }, "textBased": { - "indexPatternRefs": [ - { - "id": "logs-*", - "timeField": "@timestamp", - "title": "logs-*" - } - ], "layers": {} } }, - "filters": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "dd22aafe-d388-43b7-9646-0403aaee81a7", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "wiz.defend" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "wiz.defend" + } + } + } + ], "internalReferences": [], "query": { "language": "kuery", "query": "" }, "visualization": { - "layers": [ + "columns": [ { - "categoryDisplay": "default", - "colorMapping": { - "assignments": [], - "colorMode": { - "type": "categorical" - }, - "paletteId": "eui_amsterdam_color_blind", - "specialAssignments": [ - { - "color": { - "type": "loop" - }, - "rule": { - "type": "other" - }, - "touched": false - } - ] - }, - "emptySizeRatio": 0, - "layerId": "a7a27126-b5e1-48de-9cc0-c71a01b1a1e6", - "layerType": "data", - "legendDisplay": "show", - "legendSize": "large", - "metrics": [ - "c0c347fa-83ea-4150-8e00-e7abb037a687" - ], - "nestedLegend": false, - "numberDisplay": "percent", - "primaryGroups": [ - "6cfe7580-3c96-467d-95d9-a205dfe98731" - ], - "truncateLegend": false + "alignment": "center", + "columnId": "c6d798c8-accb-4ae1-975b-652a8eed2d07", + "isMetric": true, + "isTransposed": false + }, + { + "alignment": "center", + "columnId": "ae333c2a-5a00-4008-89a6-969caf914e83", + "isMetric": false, + "isTransposed": false } ], - "shape": "donut" + "layerId": "d5419375-833b-4eeb-8119-6950d64230d9", + "layerType": "data" } }, "title": "", 
"type": "lens", - "visualizationType": "lnsPie" + "visualizationType": "lnsDatatable" }, "enhancements": { "dynamicActions": { "events": [] } }, - "filters": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "dd22aafe-d388-43b7-9646-0403aaee81a7", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "wiz.defend" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "wiz.defend" + } + } + } + ], "query": { "language": "kuery", "query": "" }, "syncColors": false, "syncCursor": true, - "syncTooltips": false + "syncTooltips": false, + "title": "Top 10 Trigger Rules with Highest Detections [Logs Wiz]" }, "gridData": { - "h": 18, - "i": "4ce47b03-10cc-4fe3-9de3-c239e5184334", - "w": 22, - "x": 26, - "y": 65 + "h": 15, + "i": "dc2bc10a-8f52-4242-81b2-515c18ad2ccc", + "w": 24, + "x": 24, + "y": 123 }, - "panelIndex": "4ce47b03-10cc-4fe3-9de3-c239e5184334", - "title": "Detections by Actor Type [Logs Wiz]", + "panelIndex": "dc2bc10a-8f52-4242-81b2-515c18ad2ccc", "type": "lens" }, { @@ -1828,7 +2070,12 @@ "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-layer-a954312a-b2e7-4160-8c32-42fdbaa7c639", + "name": "indexpattern-datasource-layer-c1458332-407f-40dc-85ca-3c69a75f6153", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e0a3af3d-69e3-444b-addc-44cf5a0bf2ff", "type": "index-pattern" } ], 
@@ -1836,31 +2083,63 @@ "adHocDataViews": {}, "datasourceStates": { "formBased": { - "currentIndexPatternId": "logs-*", "layers": { - "a954312a-b2e7-4160-8c32-42fdbaa7c639": { + "c1458332-407f-40dc-85ca-3c69a75f6153": { "columnOrder": [ - "cd325623-f160-42ec-92c2-029282ad3708", - "aac53614-9481-4184-a12b-ce05ec5924ce" + "b7f34afc-6ea7-4604-902a-5dbf3e5a7f4e", + "3f0dc38a-9424-4a96-8ac2-fd9de5aad734", + "466b3487-b5e1-461d-8b18-2d274ae72d05" ], "columns": { - "aac53614-9481-4184-a12b-ce05ec5924ce": { + "3f0dc38a-9424-4a96-8ac2-fd9de5aad734": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Threat URL", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "466b3487-b5e1-461d-8b18-2d274ae72d05", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "threat.indicator.reference" + }, + "466b3487-b5e1-461d-8b18-2d274ae72d05": { "customLabel": true, "dataType": "number", "isBucketed": false, "label": "Count", "operationType": "unique_count", "params": { - "emptyAsNull": false + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } }, "scale": "ratio", - "sourceField": "event.id" + "sourceField": "wiz.defend.id" }, - "cd325623-f160-42ec-92c2-029282ad3708": { + "b7f34afc-6ea7-4604-902a-5dbf3e5a7f4e": { "customLabel": true, "dataType": "string", "isBucketed": true, - "label": "Detection Event Source", + "label": "Threat ID", "operationType": "terms", "params": { "exclude": [], 
@@ -1869,116 +2148,141 @@ "includeIsRegex": false, "missingBucket": false, "orderBy": { - "columnId": "aac53614-9481-4184-a12b-ce05ec5924ce", + "columnId": "466b3487-b5e1-461d-8b18-2d274ae72d05", "type": "column" }, "orderDirection": "desc", - "otherBucket": true, + "otherBucket": false, "parentFormat": { "id": "terms" }, - "secondaryFields": [], - "size": 5 + "size": 10 }, "scale": "ordinal", - "sourceField": "event.provider" + "sourceField": "threat.indicator.id" } }, + "ignoreGlobalFilters": false, "incompleteColumns": {}, - "indexPatternId": "logs-*", "sampling": 1 } } }, "indexpattern": { - "currentIndexPatternId": "logs-*", "layers": {} }, "textBased": { - "indexPatternRefs": [ - { - "id": "logs-*", - "timeField": "@timestamp", - "title": "logs-*" - } - ], "layers": {} } }, - "filters": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "e0a3af3d-69e3-444b-addc-44cf5a0bf2ff", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "wiz.defend" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "wiz.defend" + } + } + } + ], "internalReferences": [], "query": { "language": "kuery", "query": "" }, "visualization": { - "layers": [ + "columns": [ { - "categoryDisplay": "default", - "colorMapping": { - "assignments": [], - "colorMode": { - "type": "categorical" - }, - "paletteId": "eui_amsterdam_color_blind", - "specialAssignments": [ - { - "color": { - "type": "loop" - }, - "rule": { - "type": "other" - }, - "touched": false - } - ] - }, - "emptySizeRatio": 0, - "layerId": "a954312a-b2e7-4160-8c32-42fdbaa7c639", - "layerType": "data", - "legendDisplay": "show", - "legendSize": "xlarge", - "metrics": [ - "aac53614-9481-4184-a12b-ce05ec5924ce" - ], - "nestedLegend": false, - "numberDisplay": "percent", - "primaryGroups": [ - "cd325623-f160-42ec-92c2-029282ad3708" - ], - "truncateLegend": false + 
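Review bot: The new terms column `3f0dc38a-9424-4a96-8ac2-fd9de5aad734` labelled "Threat URL" buckets on `threat.indicator.reference`, so the datatable will surface indicator reference URLs taken straight from the detection payload. Lens renders these as plain text unless the data view assigns a URL field formatter to that field; it is worth confirming which behaviour applies, since a clickable link to an indicator reference is something an analyst should open deliberately rather than by accident. If the intent is display only, a short note in the panel description (the `"description"` key used by the search panel in the hunk ending at L151) would make that explicit. The panel definition continues beyond this hunk.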
"alignment": "center", + "columnId": "b7f34afc-6ea7-4604-902a-5dbf3e5a7f4e", + "isMetric": false, + "isTransposed": false + }, + { + "alignment": "center", + "columnId": "3f0dc38a-9424-4a96-8ac2-fd9de5aad734", + "isMetric": false, + "isTransposed": false + }, + { + "alignment": "center", + "columnId": "466b3487-b5e1-461d-8b18-2d274ae72d05", + "isMetric": true, + "isTransposed": false } ], - "shape": "donut" + "headerRowHeight": "custom", + "headerRowHeightLines": 3, + "layerId": "c1458332-407f-40dc-85ca-3c69a75f6153", + "layerType": "data", + "rowHeight": "auto", + "rowHeightLines": -1 } }, "title": "", "type": "lens", - "visualizationType": "lnsPie" + "visualizationType": "lnsDatatable" }, "enhancements": { "dynamicActions": { "events": [] } }, - "filters": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "e0a3af3d-69e3-444b-addc-44cf5a0bf2ff", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "wiz.defend" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "wiz.defend" + } + } + } + ], "query": { "language": "kuery", "query": "" }, "syncColors": false, "syncCursor": true, - "syncTooltips": false + "syncTooltips": false, + "title": "Top 10 Detected Threats [Logs Wiz]" }, "gridData": { - "h": 18, - "i": "d1455288-89ba-4146-b530-dda7f9663bbc", - "w": 26, + "h": 15, + "i": "ee5926f1-4f4c-4ff2-beb0-afa71c199d44", + "w": 24, "x": 0, - "y": 47 + "y": 138 }, - "panelIndex": "d1455288-89ba-4146-b530-dda7f9663bbc", - "title": "Detection Source Distribution [Logs Wiz]", + "panelIndex": "ee5926f1-4f4c-4ff2-beb0-afa71c199d44", "type": "lens" }, { 
@@ -1987,7 +2291,12 @@ "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-layer-9722040c-5b00-410c-a720-87bfb162c84a", + "name": "indexpattern-datasource-layer-5d7b131e-a2dc-453a-897a-c384a62a3fc6", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "cd797741-fccc-48de-879a-37abf3c5f1eb", "type": "index-pattern" } ], @@ -1995,31 +2304,51 @@ "adHocDataViews": {}, "datasourceStates": { "formBased": { - "currentIndexPatternId": "logs-*", "layers": { - "9722040c-5b00-410c-a720-87bfb162c84a": { + "5d7b131e-a2dc-453a-897a-c384a62a3fc6": { "columnOrder": [ - "e22cefb5-f7de-422d-a95b-4a2f3f552eec", - "b9ce961a-78c3-4ee7-8296-ad5c67db3eb7" + "06e6d10f-51b4-458b-b70b-ace175849baf", + "9663e831-b7ed-474f-b699-34b54039c383", + "052b1acc-59b8-43f9-b9f6-d627732628a9" ], "columns": { - "b9ce961a-78c3-4ee7-8296-ad5c67db3eb7": { + "052b1acc-59b8-43f9-b9f6-d627732628a9": { "customLabel": true, "dataType": "number", "isBucketed": false, "label": "Count", "operationType": "unique_count", "params": { - "emptyAsNull": false + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "event.id" + }, + "06e6d10f-51b4-458b-b70b-ace175849baf": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "Triggering Event Time", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" }, - "scale": "ratio", - "sourceField": "wiz.defend.id" + "scale": "interval", + "sourceField": "@timestamp" }, - "e22cefb5-f7de-422d-a95b-4a2f3f552eec": { + "9663e831-b7ed-474f-b699-34b54039c383": { "customLabel": true, "dataType": "string", "isBucketed": true, - "label": "Triggering Types", + "label": "Triggering Event Source", "operationType": "terms", "params": { "exclude": [], 
@@ -2028,123 +2357,174 @@ "includeIsRegex": false, "missingBucket": false, "orderBy": { - "columnId": "b9ce961a-78c3-4ee7-8296-ad5c67db3eb7", + "columnId": "052b1acc-59b8-43f9-b9f6-d627732628a9", "type": "column" }, "orderDirection": "desc", - "otherBucket": true, + "otherBucket": false, "parentFormat": { "id": "terms" }, - "size": 5 + "secondaryFields": [], + "size": 20 }, "scale": "ordinal", - "sourceField": "event.action" + "sourceField": "event.provider" } }, + "ignoreGlobalFilters": false, "incompleteColumns": {}, - "indexPatternId": "logs-*", "sampling": 1 } } }, "indexpattern": { - "currentIndexPatternId": "logs-*", "layers": {} }, "textBased": { - "indexPatternRefs": [ - { - "id": "logs-*", - "timeField": "@timestamp", - "title": "logs-*" - } - ], "layers": {} } }, - "filters": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "cd797741-fccc-48de-879a-37abf3c5f1eb", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "wiz.defend" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "wiz.defend" + } + } + } + ], "internalReferences": [], "query": { "language": "kuery", "query": "" }, "visualization": { - "layers": [ + "columns": [ { - "categoryDisplay": "default", - "colorMapping": { - "assignments": [], - "colorMode": { - "type": "categorical" - }, - "paletteId": "eui_amsterdam_color_blind", - "specialAssignments": [ - { - "color": { - "type": "loop" - }, - "rule": { - "type": "other" - }, - "touched": false - } - ] - }, - "emptySizeRatio": 0, - "layerId": "9722040c-5b00-410c-a720-87bfb162c84a", - "layerType": "data", - "legendDisplay": "show", - "metrics": [ - "b9ce961a-78c3-4ee7-8296-ad5c67db3eb7" - ], - "nestedLegend": false, - "numberDisplay": "percent", - "primaryGroups": [ - "e22cefb5-f7de-422d-a95b-4a2f3f552eec" - ], - "truncateLegend": false + "alignment": "center", + "columnId": 
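Review bot: The new Count column `052b1acc-59b8-43f9-b9f6-d627732628a9` in this hunk keeps `"sourceField": "event.id"` for its unique_count, while the other panels reworked in this commit move the same metric to `wiz.defend.id` (the hunks ending at L143 and L145, and the new column at L154); the Affected Resource Types count in the hunk starting at L162 also stays on `event.id`. If the two fields are not one-to-one per document the per-panel totals will not reconcile, which is confusing on a detections dashboard. If counting distinct triggering events by `event.id` is deliberate for this panel, consider either aligning the field with the siblings (`"sourceField": "wiz.defend.id"`) or recording the choice in the package's dashboard notes, since the JSON itself cannot carry a comment. The enclosing panel definition continues past the end of this hunk.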
"052b1acc-59b8-43f9-b9f6-d627732628a9", + "isMetric": true, + "isTransposed": false + }, + { + "alignment": "center", + "columnId": "06e6d10f-51b4-458b-b70b-ace175849baf", + "isMetric": false, + "isTransposed": false + }, + { + "alignment": "center", + "columnId": "9663e831-b7ed-474f-b699-34b54039c383", + "isMetric": false, + "isTransposed": false } ], - "shape": "donut" + "layerId": "5d7b131e-a2dc-453a-897a-c384a62a3fc6", + "layerType": "data" } }, "title": "", "type": "lens", - "visualizationType": "lnsPie" + "visualizationType": "lnsDatatable" }, "enhancements": { "dynamicActions": { "events": [] } }, - "filters": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "cd797741-fccc-48de-879a-37abf3c5f1eb", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "wiz.defend" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "wiz.defend" + } + } + } + ], "query": { "language": "kuery", "query": "" }, "syncColors": false, "syncCursor": true, - "syncTooltips": false + "syncTooltips": false, + "title": "Detection Triggering Event Details [Logs Wiz]" }, "gridData": { - "h": 18, - "i": "ace8bb17-267f-4942-9748-17f9f10749e0", - "w": 22, - "x": 26, - "y": 47 + "h": 15, + "i": "77df9a6b-af9e-412f-a916-fc83bd7c3194", + "w": 24, + "x": 24, + "y": 138 }, - "panelIndex": "ace8bb17-267f-4942-9748-17f9f10749e0", - "title": "Detections by Trigger Type [Logs Wiz]", + "panelIndex": "77df9a6b-af9e-412f-a916-fc83bd7c3194", "type": "lens" }, + { + "embeddableConfig": { + "description": "", + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "savedObjectId": "wiz-f661536e-81c2-455b-9a4f-9840d910c318", + "title": "Detection Essential Details [Logs Wiz]" + }, + "gridData": { + "h": 15, + "i": "022a726e-0fc7-4cee-8fe8-42bd959353e2", + "w": 48, + "x": 0, + "y": 153 + }, + "panelIndex": 
"022a726e-0fc7-4cee-8fe8-42bd959353e2", + "panelRefName": "panel_022a726e-0fc7-4cee-8fe8-42bd959353e2", + "type": "search" + }, { "embeddableConfig": { "attributes": { "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-layer-84a5677b-c5e3-4940-8c67-7576961e2f79", + "name": "indexpattern-datasource-layer-53610d78-e92c-427d-bfcf-374a2135f8e3", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e51064e9-6f6d-4b9e-b51b-bd7761849547", "type": "index-pattern" } ], @@ -2152,41 +2532,28 @@ "adHocDataViews": {}, "datasourceStates": { "formBased": { - "currentIndexPatternId": "logs-*", "layers": { - "84a5677b-c5e3-4940-8c67-7576961e2f79": { + "53610d78-e92c-427d-bfcf-374a2135f8e3": { "columnOrder": [ - "53ccfb54-7eaa-49da-99b1-912239fea452", - "72f83e5b-995e-44a3-8165-cdbffbe48c55" + "2a335dea-e98d-4537-9d8b-5b305747306d", + "bcf37841-f643-449b-8367-7d53656c7da1" ], "columns": { - "53ccfb54-7eaa-49da-99b1-912239fea452": { + "2a335dea-e98d-4537-9d8b-5b305747306d": { "customLabel": true, - "dataType": "string", + "dataType": "date", "isBucketed": true, - "label": "Severity", - "operationType": "terms", + "label": "Detection Timestamp", + "operationType": "date_histogram", "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "72f83e5b-995e-44a3-8165-cdbffbe48c55", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": true, - "parentFormat": { - "id": "terms" - }, - "size": 5 + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" }, - "scale": "ordinal", - "sourceField": "wiz.defend.severity" + "scale": "interval", + "sourceField": "wiz.defend.created_at" }, - "72f83e5b-995e-44a3-8165-cdbffbe48c55": { + "bcf37841-f643-449b-8367-7d53656c7da1": { "customLabel": true, "dataType": "number", "isBucketed": false, 
@@ -2206,36 +2573,68 @@ } }, "incompleteColumns": {}, - "indexPatternId": "logs-*", "sampling": 1 } } }, "indexpattern": { - "currentIndexPatternId": "logs-*", "layers": {} }, "textBased": { - "indexPatternRefs": [ - { - "id": "logs-*", - "timeField": "@timestamp", - "title": "logs-*" - } - ], "layers": {} } }, - "filters": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "e51064e9-6f6d-4b9e-b51b-bd7761849547", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "wiz.defend" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "wiz.defend" + } + } + } + ], "internalReferences": [], "query": { "language": "kuery", "query": "" }, "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "Linear", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, "layers": [ { - "categoryDisplay": "default", + "accessors": [ + "bcf37841-f643-449b-8367-7d53656c7da1" + ], "colorMapping": { "assignments": [], "colorMode": { 
@@ -2247,58 +2646,87 @@ "color": { "type": "loop" }, - "rule": { - "type": "other" - }, + "rules": [ + { + "type": "other" + } + ], "touched": false } ] }, - "emptySizeRatio": 0, - "layerId": "84a5677b-c5e3-4940-8c67-7576961e2f79", + "layerId": "53610d78-e92c-427d-bfcf-374a2135f8e3", "layerType": "data", - "legendDisplay": "show", - "metrics": [ - "72f83e5b-995e-44a3-8165-cdbffbe48c55" - ], - "nestedLegend": false, - "numberDisplay": "percent", - "primaryGroups": [ - "53ccfb54-7eaa-49da-99b1-912239fea452" - ], - "truncateLegend": false + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "2a335dea-e98d-4537-9d8b-5b305747306d" } ], - "shape": "donut" + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" } }, "title": "", "type": "lens", - "visualizationType": "lnsPie" + "visualizationType": "lnsXY" }, "enhancements": { "dynamicActions": { "events": [] } }, - "filters": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "e51064e9-6f6d-4b9e-b51b-bd7761849547", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "wiz.defend" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "wiz.defend" + } + } + } + ], "query": { "language": "kuery", "query": "" }, "syncColors": false, "syncCursor": true, - "syncTooltips": false + "syncTooltips": false, + "title": "Detections over Time [Logs Wiz]" }, "gridData": { - "h": 18, - "i": "9afe8b96-eb6a-44e6-97e7-15c766d26a1c", - "w": 26, - "x": 0, - "y": 65 + "h": 15, + "i": "cc20569b-60f2-4fc0-93cc-1152902c76a0", + "w": 34, + "x": 14, + "y": 0 }, - "panelIndex": "9afe8b96-eb6a-44e6-97e7-15c766d26a1c", - "title": "Detections by Severity [Logs Wiz]", + "panelIndex": 
"cc20569b-60f2-4fc0-93cc-1152902c76a0", "type": "lens" }, { @@ -2307,7 +2735,12 @@ "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-layer-2e38c3a3-9cb3-42f0-8264-5c0de2b7d151", + "name": "indexpattern-datasource-layer-f9a84bcb-a0e2-40a5-82d0-f8bd1fb49e4c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "1fe68821-6dda-4f6b-b47d-9cd824fef43d", "type": "index-pattern" } ], @@ -2315,19 +2748,36 @@ "adHocDataViews": {}, "datasourceStates": { "formBased": { - "currentIndexPatternId": "logs-*", "layers": { - "2e38c3a3-9cb3-42f0-8264-5c0de2b7d151": { + "f9a84bcb-a0e2-40a5-82d0-f8bd1fb49e4c": { "columnOrder": [ - "442a0743-a4e1-4ab0-893b-ee248d2a2bf2", - "acb81f97-78f9-4aaf-903c-06ac7d34cf99" + "d4e3a535-a7cf-48ca-b284-ad56d5794f16", + "a6cebce0-c3fb-457b-832b-a0356ad54c2a" ], "columns": { - "442a0743-a4e1-4ab0-893b-ee248d2a2bf2": { + "a6cebce0-c3fb-457b-832b-a0356ad54c2a": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "wiz.defend.id" + }, + "d4e3a535-a7cf-48ca-b284-ad56d5794f16": { "customLabel": true, "dataType": "string", "isBucketed": true, - "label": "Affected Resource Types", + "label": "MITRE Techniques", "operationType": "terms", "params": { "exclude": [], @@ -2336,7 +2786,7 @@ "includeIsRegex": false, "missingBucket": false, "orderBy": { - "columnId": "acb81f97-78f9-4aaf-903c-06ac7d34cf99", + "columnId": "a6cebce0-c3fb-457b-832b-a0356ad54c2a", "type": "column" }, "orderDirection": "desc", 
@@ -2347,49 +2797,45 @@ "size": 10 }, "scale": "ordinal", - "sourceField": "wiz.defend.triggering_event.resources.type" - }, - "acb81f97-78f9-4aaf-903c-06ac7d34cf99": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "unique_count", - "params": { - "emptyAsNull": false, - "format": { - "id": "number", - "params": { - "decimals": 0 - } - } - }, - "scale": "ratio", - "sourceField": "event.id" + "sourceField": "threat.technique.id" } }, "incompleteColumns": {}, - "indexPatternId": "logs-*", "sampling": 1 } } }, "indexpattern": { - "currentIndexPatternId": "logs-*", "layers": {} }, "textBased": { - "indexPatternRefs": [ - { - "id": "logs-*", - "timeField": "@timestamp", - "title": "logs-*" - } - ], "layers": {} } }, - "filters": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "1fe68821-6dda-4f6b-b47d-9cd824fef43d", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "wiz.defend" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "wiz.defend" + } + } + } + ], "internalReferences": [], "query": { "language": "kuery", @@ -2415,7 +2861,7 @@ "layers": [ { "accessors": [ - "acb81f97-78f9-4aaf-903c-06ac7d34cf99" + "a6cebce0-c3fb-457b-832b-a0356ad54c2a" ], "colorMapping": { "assignments": [], 
@@ -2428,25 +2874,28 @@ "color": { "type": "loop" }, - "rule": { - "type": "other" - }, + "rules": [ + { + "type": "other" + } + ], "touched": false } ] }, - "layerId": "2e38c3a3-9cb3-42f0-8264-5c0de2b7d151", + "layerId": "f9a84bcb-a0e2-40a5-82d0-f8bd1fb49e4c", "layerType": "data", "position": "top", "seriesType": "bar_horizontal_stacked", "showGridlines": false, - "xAccessor": "442a0743-a4e1-4ab0-893b-ee248d2a2bf2" + "xAccessor": "d4e3a535-a7cf-48ca-b284-ad56d5794f16" } ], "legend": { "isVisible": true, "position": "right", - "shouldTruncate": true + "shouldTruncate": false, + "showSingleSeries": false }, "preferredSeriesType": "bar_stacked", "tickLabelsVisibilitySettings": { @@ -2466,24 +2915,47 @@ "events": [] } }, - "filters": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "1fe68821-6dda-4f6b-b47d-9cd824fef43d", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "wiz.defend" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "wiz.defend" + } + } + } + ], "query": { "language": "kuery", "query": "" }, "syncColors": false, "syncCursor": true, - "syncTooltips": false + "syncTooltips": false, + "title": "Detections by MITRE Techniques [Logs Wiz]" }, "gridData": { "h": 10, - "i": "5249b0f0-30ea-472f-99e7-ebd31a239802", - "w": 40, - "x": 8, - "y": 25 + "i": "69a3edc2-dc12-454a-af9f-8eb3fbfb191e", + "w": 17, + "x": 14, + "y": 15 }, - "panelIndex": "5249b0f0-30ea-472f-99e7-ebd31a239802", - "title": "Affected Resources by Type [Logs Wiz]", + "panelIndex": "69a3edc2-dc12-454a-af9f-8eb3fbfb191e", "type": "lens" }, { 
@@ -2492,7 +2964,12 @@ "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-layer-6be8a450-9cac-43cb-a7e1-3b5b3f504af4", + "name": "indexpattern-datasource-layer-65bbc691-ab9f-40f0-8258-66f28c54eeff", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e967ce57-1163-4382-ba57-bd40b7bacad3", "type": "index-pattern" } ], @@ -2500,46 +2977,18 @@ "adHocDataViews": {}, "datasourceStates": { "formBased": { - "currentIndexPatternId": "logs-*", "layers": { - "6be8a450-9cac-43cb-a7e1-3b5b3f504af4": { + "65bbc691-ab9f-40f0-8258-66f28c54eeff": { "columnOrder": [ - "c462537a-e3f3-4542-9f21-c0cdb590f6ef", - "0f5de969-06b2-4d1a-9877-c174e448940a", - "d9b10eed-3ab7-4bda-b924-9406edf2306d" + "08ae64da-5722-4701-b325-0d76a2e0d46b", + "09e064d7-68b4-4ee8-92b8-f71499245cd1" ], "columns": { - "0f5de969-06b2-4d1a-9877-c174e448940a": { - "customLabel": true, - "dataType": "string", - "isBucketed": true, - "label": "Cloud Account ID", - "operationType": "terms", - "params": { - "exclude": [], - "excludeIsRegex": false, - "include": [], - "includeIsRegex": false, - "missingBucket": false, - "orderBy": { - "columnId": "d9b10eed-3ab7-4bda-b924-9406edf2306d", - "type": "column" - }, - "orderDirection": "desc", - "otherBucket": false, - "parentFormat": { - "id": "terms" - }, - "size": 10 - }, - "scale": "ordinal", - "sourceField": "wiz.defend.triggering_event.resources.cloud_account.id" - }, - "c462537a-e3f3-4542-9f21-c0cdb590f6ef": { + "08ae64da-5722-4701-b325-0d76a2e0d46b": { "customLabel": true, "dataType": "string", "isBucketed": true, - "label": "Cloud Platform", + "label": "MITRE Tactic", "operationType": "terms", "params": { "exclude": [], 
@@ -2548,20 +2997,20 @@ "includeIsRegex": false, "missingBucket": false, "orderBy": { - "columnId": "d9b10eed-3ab7-4bda-b924-9406edf2306d", + "columnId": "09e064d7-68b4-4ee8-92b8-f71499245cd1", "type": "column" }, "orderDirection": "desc", - "otherBucket": false, + "otherBucket": true, "parentFormat": { "id": "terms" }, "size": 10 }, "scale": "ordinal", - "sourceField": "wiz.defend.triggering_event.resources.cloud_account.cloud_platform" + "sourceField": "threat.tactic.id" }, - "d9b10eed-3ab7-4bda-b924-9406edf2306d": { + "09e064d7-68b4-4ee8-92b8-f71499245cd1": { "customLabel": true, "dataType": "number", "isBucketed": false, 
@@ -2580,90 +3029,161 @@ "sourceField": "wiz.defend.id" } }, - "ignoreGlobalFilters": false, "incompleteColumns": {}, - "indexPatternId": "logs-*", "sampling": 1 } } }, "indexpattern": { - "currentIndexPatternId": "logs-*", "layers": {} }, "textBased": { - "indexPatternRefs": [ - { - "id": "logs-*", - "timeField": "@timestamp", - "title": "logs-*" - } - ], "layers": {} } }, - "filters": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "e967ce57-1163-4382-ba57-bd40b7bacad3", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "wiz.defend" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "wiz.defend" + } + } + } + ], "internalReferences": [], "query": { "language": "kuery", "query": "" }, "visualization": { - "columns": [ - { - "alignment": "center", - "columnId": "c462537a-e3f3-4542-9f21-c0cdb590f6ef", - "isMetric": false, - "isTransposed": false - }, - { - "alignment": "center", - "columnId": "d9b10eed-3ab7-4bda-b924-9406edf2306d", - "isMetric": true, - "isTransposed": false - }, + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "Linear", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ { - "alignment": "center", - "columnId": "0f5de969-06b2-4d1a-9877-c174e448940a", - "isMetric": false, - "isTransposed": false + "accessors": [ + "09e064d7-68b4-4ee8-92b8-f71499245cd1" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rules": [ + { + "type": "other" + } + ], + "touched": false + } + ] + }, + "layerId": "65bbc691-ab9f-40f0-8258-66f28c54eeff", + "layerType": "data", + 
"position": "top", + "seriesType": "bar_horizontal_stacked", + "showGridlines": false, + "xAccessor": "08ae64da-5722-4701-b325-0d76a2e0d46b" } ], - "headerRowHeight": "custom", - "headerRowHeightLines": 3, - "layerId": "6be8a450-9cac-43cb-a7e1-3b5b3f504af4", - "layerType": "data", - "rowHeight": "auto", - "rowHeightLines": -1 + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" } }, "title": "", "type": "lens", - "visualizationType": "lnsDatatable" + "visualizationType": "lnsXY" }, "enhancements": { "dynamicActions": { "events": [] } }, - "filters": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "e967ce57-1163-4382-ba57-bd40b7bacad3", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "wiz.defend" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "wiz.defend" + } + } + } + ], "query": { "language": "kuery", "query": "" }, "syncColors": false, "syncCursor": true, - "syncTooltips": false + "syncTooltips": false, + "title": "Detections by MITRE Tactic [Logs Wiz]" }, "gridData": { - "h": 12, - "i": "0246d4ce-3dda-4e9f-bc69-7122fc6aa518", - "w": 48, - "x": 0, - "y": 35 + "h": 10, + "i": "1a0212e1-6df2-4187-8bb0-029f04f196d1", + "w": 17, + "x": 31, + "y": 15 }, - "panelIndex": "0246d4ce-3dda-4e9f-bc69-7122fc6aa518", - "title": "Top 10 Cloud Accounts with Highest Detections [Logs Wiz]", + "panelIndex": "1a0212e1-6df2-4187-8bb0-029f04f196d1", "type": "lens" }, { 
@@ -2672,39 +3192,31 @@ "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-layer-f9c7cfa2-0061-466f-8909-040b89ecd361", + "name": "indexpattern-datasource-layer-2e38c3a3-9cb3-42f0-8264-5c0de2b7d151", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "26fb3668-5b3d-4a0d-bf8b-a5a1697b0ac6", "type": "index-pattern" } ], "state": { "adHocDataViews": {}, "datasourceStates": { - "formBased": { - "currentIndexPatternId": "logs-*", - "layers": { - "f9c7cfa2-0061-466f-8909-040b89ecd361": { - "columnOrder": [ - "dff56fec-70cc-4d6d-8a79-5c2794322a5a", - "9e564606-3929-45ec-91ac-71dbacc739e3" - ], - "columns": { - "9e564606-3929-45ec-91ac-71dbacc739e3": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "unique_count", - "params": { - "emptyAsNull": false - }, - "scale": "ratio", - "sourceField": "event.id" - }, - "dff56fec-70cc-4d6d-8a79-5c2794322a5a": { + "formBased": { + "layers": { + "2e38c3a3-9cb3-42f0-8264-5c0de2b7d151": { + "columnOrder": [ + "442a0743-a4e1-4ab0-893b-ee248d2a2bf2", + "acb81f97-78f9-4aaf-903c-06ac7d34cf99" + ], + "columns": { + "442a0743-a4e1-4ab0-893b-ee248d2a2bf2": { "customLabel": true, "dataType": "string", "isBucketed": true, - "label": "Country ISO Code", + "label": "Affected Resource Types", "operationType": "terms", "params": { "exclude": [], @@ -2713,7 +3225,7 @@ "includeIsRegex": false, "missingBucket": false, "orderBy": { - "columnId": "9e564606-3929-45ec-91ac-71dbacc739e3", + "columnId": "acb81f97-78f9-4aaf-903c-06ac7d34cf99", "type": "column" }, "orderDirection": "desc", 
@@ -2721,76 +3233,225 @@ "parentFormat": { "id": "terms" }, - "secondaryFields": [], - "size": 5 + "size": 10 }, "scale": "ordinal", - "sourceField": "source.geo.country_iso_code" + "sourceField": "wiz.defend.triggering_event.resources.type" + }, + "acb81f97-78f9-4aaf-903c-06ac7d34cf99": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": false, + "format": { + "id": "number", + "params": { + "decimals": 0 + } + } + }, + "scale": "ratio", + "sourceField": "event.id" } }, - "ignoreGlobalFilters": false, "incompleteColumns": {}, - "indexPatternId": "logs-*", "sampling": 1 } } }, "indexpattern": { - "currentIndexPatternId": "logs-*", "layers": {} }, "textBased": { - "indexPatternRefs": [ - { - "id": "logs-*", - "timeField": "@timestamp", - "title": "logs-*" - } - ], "layers": {} } }, - "filters": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "26fb3668-5b3d-4a0d-bf8b-a5a1697b0ac6", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "wiz.defend" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "wiz.defend" + } + } + } + ], "internalReferences": [], "query": { "language": "kuery", "query": "" }, "visualization": { - "layerId": "f9c7cfa2-0061-466f-8909-040b89ecd361", - "layerType": "data", - "regionAccessor": "dff56fec-70cc-4d6d-8a79-5c2794322a5a", - "valueAccessor": "9e564606-3929-45ec-91ac-71dbacc739e3" + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "Linear", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "acb81f97-78f9-4aaf-903c-06ac7d34cf99" + ], + "colorMapping": { + "assignments": [], + 
"colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rules": [ + { + "type": "other" + } + ], + "touched": false + } + ] + }, + "layerId": "2e38c3a3-9cb3-42f0-8264-5c0de2b7d151", + "layerType": "data", + "position": "top", + "seriesType": "bar_horizontal_stacked", + "showGridlines": false, + "xAccessor": "442a0743-a4e1-4ab0-893b-ee248d2a2bf2" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": true + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" } }, "title": "", "type": "lens", - "visualizationType": "lnsChoropleth" + "visualizationType": "lnsXY" }, "enhancements": { "dynamicActions": { "events": [] } }, - "filters": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "26fb3668-5b3d-4a0d-bf8b-a5a1697b0ac6", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "wiz.defend" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "wiz.defend" + } + } + } + ], "query": { "language": "kuery", "query": "" }, "syncColors": false, "syncCursor": true, - "syncTooltips": false + "syncTooltips": false, + "title": "Affected Resources by Type [Logs Wiz]" }, "gridData": { - "h": 25, - "i": "8aa3eb20-a518-455e-aa8e-1fb39ba0e2e7", - "w": 48, - "x": 0, - "y": 83 + "h": 10, + "i": "5249b0f0-30ea-472f-99e7-ebd31a239802", + "w": 34, + "x": 14, + "y": 25 }, - "panelIndex": "8aa3eb20-a518-455e-aa8e-1fb39ba0e2e7", - "title": "Detections by Actor IP [Logs Wiz]", + "panelIndex": "5249b0f0-30ea-472f-99e7-ebd31a239802", "type": "lens" + }, + { + "embeddableConfig": { + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "savedVis": { + "data": { + "aggs": [], + "searchSource": 
{ + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "fontSize": 12, + "markdown": "#### Navigation\n\n[Wiz Audit Dashboard](#/dashboard/wiz-be3fd3f0-6358-11ee-9db4-21f79f2e6273) \n[Wiz Cloud Configuration Finding Dashboard](#/dashboard/wiz-726802c0-4007-48b9-bae5-09daa69d4368) \n**Wiz Defend Dashboard** \n[Wiz Issue Dashboard](#/dashboard/wiz-d8f91a20-6363-11ee-a265-c3569aa0cebf) \n[Wiz Vulnerability Dashboard](#/dashboard/wiz-927c36f0-6358-11ee-a265-c3569aa0cebf) \n\n[Integration Page](/app/integrations/detail/wiz/overview)\n\n#### Dashboard Overview\n\nThis dashboard provides visibility into detection events, enabling effective threat monitoring across cloud and container environments. It features a Control Panel for filtering by severity and trigger type, and includes visualizations such as detections over time, top cloud accounts, containers, and resource types with highest detections. It highlights trends by MITRE tactics and techniques, actor types, and trigger types through pie and bar charts, while a geographic map displays actor IP distribution. A table details triggering events, and additional tables showcase top threats, rules, and common malicious commands, supporting deeper investigation and response.", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 35, + "i": "ced2a470-d1c8-4d56-9f70-e8d3aa6d81c4", + "w": 14, + "x": 0, + "y": 0 + }, + "panelIndex": "ced2a470-d1c8-4d56-9f70-e8d3aa6d81c4", + "type": "visualization" } ], "timeRestore": false, 
@@ -2798,28 +3459,67 @@ "version": 3 }, "coreMigrationVersion": "8.8.0", - "created_at": "2025-04-21T10:47:33.605Z", + "created_at": "2026-05-26T09:08:18.772Z", "id": "wiz-3c3519be-f4f9-4c67-a9d8-1db4182b6e6a", - "managed": false, "references": [ { "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "name": "0246d4ce-3dda-4e9f-bc69-7122fc6aa518:indexpattern-datasource-layer-6be8a450-9cac-43cb-a7e1-3b5b3f504af4", "type": "index-pattern" }, { - "id": "wiz-f71321c0-a641-4411-a33e-f39569c2c7be", - "name": "bb78eccf-6271-4494-a767-bb65bf1cbdc0:panel_bb78eccf-6271-4494-a767-bb65bf1cbdc0", - "type": "search" + "id": "logs-*", + "name": "0246d4ce-3dda-4e9f-bc69-7122fc6aa518:12099fd9-f20a-4e2a-91d1-1b8aac061cad", + "type": "index-pattern" }, { "id": "logs-*", - "name": "dc2bc10a-8f52-4242-81b2-515c18ad2ccc:indexpattern-datasource-layer-d5419375-833b-4eeb-8119-6950d64230d9", + "name": "d1455288-89ba-4146-b530-dda7f9663bbc:indexpattern-datasource-layer-a954312a-b2e7-4160-8c32-42fdbaa7c639", "type": "index-pattern" }, { "id": "logs-*", - "name": "2d6af0b4-36e2-46ad-b5a8-ceacef6219cb:indexpattern-datasource-layer-f3c8e76c-8dbe-44bf-a4c0-1953cf2dffde", + "name": "d1455288-89ba-4146-b530-dda7f9663bbc:38a738be-567c-4797-b05f-ad81ae8860f3", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ace8bb17-267f-4942-9748-17f9f10749e0:indexpattern-datasource-layer-9722040c-5b00-410c-a720-87bfb162c84a", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ace8bb17-267f-4942-9748-17f9f10749e0:ae446cbc-21c9-4c28-9188-8745078e3f68", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9afe8b96-eb6a-44e6-97e7-15c766d26a1c:indexpattern-datasource-layer-84a5677b-c5e3-4940-8c67-7576961e2f79", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "9afe8b96-eb6a-44e6-97e7-15c766d26a1c:777e84d3-528b-4286-9354-551204c418e8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"4ce47b03-10cc-4fe3-9de3-c239e5184334:indexpattern-datasource-layer-a7a27126-b5e1-48de-9cc0-c71a01b1a1e6", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "4ce47b03-10cc-4fe3-9de3-c239e5184334:b490fb92-e24a-4835-8efb-9c185a528006", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8aa3eb20-a518-455e-aa8e-1fb39ba0e2e7:indexpattern-datasource-layer-f9c7cfa2-0061-466f-8909-040b89ecd361", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8aa3eb20-a518-455e-aa8e-1fb39ba0e2e7:26a8762b-bd10-43a6-b632-1fc52b649c46", "type": "index-pattern" }, { @@ -2827,6 +3527,11 @@ "name": "427510cc-fc9e-4691-9fac-4d5a3e377700:indexpattern-datasource-layer-d2b4912e-3ced-49ac-aa99-2969720e2f1f", "type": "index-pattern" }, + { + "id": "logs-*", + "name": "427510cc-fc9e-4691-9fac-4d5a3e377700:e25a34ad-eee8-44a1-89f8-7d7808d9a1d9", + "type": "index-pattern" + }, { "id": "logs-*", "name": "dc38a316-4a46-4c12-81d2-e78c90d1ceed:indexpattern-datasource-layer-76037f8d-37f5-405c-9974-6afefd777737", 
@@ -2834,86 +3539,116 @@ }, { "id": "logs-*", - "name": "ee5926f1-4f4c-4ff2-beb0-afa71c199d44:indexpattern-datasource-layer-c1458332-407f-40dc-85ca-3c69a75f6153", + "name": "dc38a316-4a46-4c12-81d2-e78c90d1ceed:a12cdeed-01c1-4d8d-a6e6-82d0e29666c9", "type": "index-pattern" }, { "id": "logs-*", - "name": "77df9a6b-af9e-412f-a916-fc83bd7c3194:indexpattern-datasource-layer-5d7b131e-a2dc-453a-897a-c384a62a3fc6", + "name": "2d6af0b4-36e2-46ad-b5a8-ceacef6219cb:indexpattern-datasource-layer-f3c8e76c-8dbe-44bf-a4c0-1953cf2dffde", "type": "index-pattern" }, { "id": "logs-*", - "name": "cc20569b-60f2-4fc0-93cc-1152902c76a0:indexpattern-datasource-layer-53610d78-e92c-427d-bfcf-374a2135f8e3", + "name": "2d6af0b4-36e2-46ad-b5a8-ceacef6219cb:7e48aaab-bddd-4e61-b73d-44dfa9464bd8", "type": "index-pattern" }, { "id": "logs-*", - "name": "1a0212e1-6df2-4187-8bb0-029f04f196d1:indexpattern-datasource-layer-65bbc691-ab9f-40f0-8258-66f28c54eeff", + "name": "dc2bc10a-8f52-4242-81b2-515c18ad2ccc:indexpattern-datasource-layer-d5419375-833b-4eeb-8119-6950d64230d9", "type": "index-pattern" }, { "id": "logs-*", - "name": "69a3edc2-dc12-454a-af9f-8eb3fbfb191e:indexpattern-datasource-layer-f9a84bcb-a0e2-40a5-82d0-f8bd1fb49e4c", + "name": "dc2bc10a-8f52-4242-81b2-515c18ad2ccc:dd22aafe-d388-43b7-9646-0403aaee81a7", "type": "index-pattern" }, { "id": "logs-*", - "name": "4ce47b03-10cc-4fe3-9de3-c239e5184334:indexpattern-datasource-layer-a7a27126-b5e1-48de-9cc0-c71a01b1a1e6", + "name": "ee5926f1-4f4c-4ff2-beb0-afa71c199d44:indexpattern-datasource-layer-c1458332-407f-40dc-85ca-3c69a75f6153", "type": "index-pattern" }, { "id": "logs-*", - "name": "d1455288-89ba-4146-b530-dda7f9663bbc:indexpattern-datasource-layer-a954312a-b2e7-4160-8c32-42fdbaa7c639", + "name": "ee5926f1-4f4c-4ff2-beb0-afa71c199d44:e0a3af3d-69e3-444b-addc-44cf5a0bf2ff", "type": "index-pattern" }, { "id": "logs-*", - "name": "ace8bb17-267f-4942-9748-17f9f10749e0:indexpattern-datasource-layer-9722040c-5b00-410c-a720-87bfb162c84a", + 
"name": "77df9a6b-af9e-412f-a916-fc83bd7c3194:indexpattern-datasource-layer-5d7b131e-a2dc-453a-897a-c384a62a3fc6", "type": "index-pattern" }, { "id": "logs-*", - "name": "9afe8b96-eb6a-44e6-97e7-15c766d26a1c:indexpattern-datasource-layer-84a5677b-c5e3-4940-8c67-7576961e2f79", + "name": "77df9a6b-af9e-412f-a916-fc83bd7c3194:cd797741-fccc-48de-879a-37abf3c5f1eb", + "type": "index-pattern" + }, + { + "id": "wiz-f661536e-81c2-455b-9a4f-9840d910c318", + "name": "022a726e-0fc7-4cee-8fe8-42bd959353e2:panel_022a726e-0fc7-4cee-8fe8-42bd959353e2", + "type": "search" + }, + { + "id": "wiz-f661536e-81c2-455b-9a4f-9840d910c318", + "name": "022a726e-0fc7-4cee-8fe8-42bd959353e2:panel_022a726e-0fc7-4cee-8fe8-42bd959353e2", + "type": "search" + }, + { + "id": "logs-*", + "name": "cc20569b-60f2-4fc0-93cc-1152902c76a0:indexpattern-datasource-layer-53610d78-e92c-427d-bfcf-374a2135f8e3", "type": "index-pattern" }, { "id": "logs-*", - "name": "5249b0f0-30ea-472f-99e7-ebd31a239802:indexpattern-datasource-layer-2e38c3a3-9cb3-42f0-8264-5c0de2b7d151", + "name": "cc20569b-60f2-4fc0-93cc-1152902c76a0:e51064e9-6f6d-4b9e-b51b-bd7761849547", "type": "index-pattern" }, { "id": "logs-*", - "name": "0246d4ce-3dda-4e9f-bc69-7122fc6aa518:indexpattern-datasource-layer-6be8a450-9cac-43cb-a7e1-3b5b3f504af4", + "name": "69a3edc2-dc12-454a-af9f-8eb3fbfb191e:indexpattern-datasource-layer-f9a84bcb-a0e2-40a5-82d0-f8bd1fb49e4c", "type": "index-pattern" }, { "id": "logs-*", - "name": "8aa3eb20-a518-455e-aa8e-1fb39ba0e2e7:indexpattern-datasource-layer-f9c7cfa2-0061-466f-8909-040b89ecd361", + "name": "69a3edc2-dc12-454a-af9f-8eb3fbfb191e:1fe68821-6dda-4f6b-b47d-9cd824fef43d", "type": "index-pattern" }, { "id": "logs-*", - "name": "controlGroup_ae2b0313-95e1-4ecc-8ddf-04549f7871ba:optionsListDataView", + "name": "1a0212e1-6df2-4187-8bb0-029f04f196d1:indexpattern-datasource-layer-65bbc691-ab9f-40f0-8258-66f28c54eeff", "type": "index-pattern" }, { "id": "logs-*", - "name": 
"controlGroup_8e5f0dbe-44b1-4df2-867c-74e248c27f38:optionsListDataView", + "name": "1a0212e1-6df2-4187-8bb0-029f04f196d1:e967ce57-1163-4382-ba57-bd40b7bacad3", "type": "index-pattern" }, { "id": "logs-*", - "name": "controlGroup_c4086230-8937-4b90-8e90-6c94e34b48b8:optionsListDataView", + "name": "5249b0f0-30ea-472f-99e7-ebd31a239802:indexpattern-datasource-layer-2e38c3a3-9cb3-42f0-8264-5c0de2b7d151", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5249b0f0-30ea-472f-99e7-ebd31a239802:26fb3668-5b3d-4a0d-bf8b-a5a1697b0ac6", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_ae2b0313-95e1-4ecc-8ddf-04549f7871ba:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_8e5f0dbe-44b1-4df2-867c-74e248c27f38:optionsListDataView", "type": "index-pattern" }, { "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "name": "controlGroup_c4086230-8937-4b90-8e90-6c94e34b48b8:optionsListDataView", "type": "index-pattern" } ], "type": "dashboard", - "typeMigrationVersion": "10.2.0", + "typeMigrationVersion": "10.3.0", "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0" -} \ No newline at end of file +} diff --git a/packages/wiz/kibana/dashboard/wiz-726802c0-4007-48b9-bae5-09daa69d4368.json b/packages/wiz/kibana/dashboard/wiz-726802c0-4007-48b9-bae5-09daa69d4368.json index d159ef944c6..9d9dc245fa7 100644 --- a/packages/wiz/kibana/dashboard/wiz-726802c0-4007-48b9-bae5-09daa69d4368.json +++ b/packages/wiz/kibana/dashboard/wiz-726802c0-4007-48b9-bae5-09daa69d4368.json @@ -1,5 +1,17 @@ { "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": { + "ignoreFilters": false, + "ignoreQuery": false, + "ignoreTimerange": false, + "ignoreValidations": false + }, + "panelsJSON": {}, + "showApplySelections": false + }, "description": "", "kibanaSavedObjectMeta": { "searchSourceJSON": { 
@@ -20,8 +32,12 @@
 "panelsJSON": [
 {
 "embeddableConfig": {
- "enhancements": {},
- "hidePanelTitles": false,
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "hidePanelTitles": true,
 "savedVis": {
 "data": {
 "aggs": [],
@@ -34,16 +50,16 @@ } }, "description": "", - "id": "", "params": { "fontSize": 12, - "markdown": "Navigation\n\nWiz Cloud Configuration Finding\n\n[Wiz Vulnerability](#/dashboard/wiz-927c36f0-6358-11ee-a265-c3569aa0cebf)\n\n[Wiz Issue](#/dashboard/wiz-d8f91a20-6363-11ee-a265-c3569aa0cebf)\n\n[Wiz Defend](#/dashboard/wiz-3c3519be-f4f9-4c67-a9d8-1db4182b6e6a)\n\n[Wiz Audit](#/dashboard/wiz-be3fd3f0-6358-11ee-9db4-21f79f2e6273)\n\n[Integration Page](/app/integrations/detail/wiz/overview)\n\nOverview\n\nThis dashboard shows the Cloud Configuration Findings overview related to the Wiz Integration.\n\nThis dashboard provides general statistics and shows the detection of ingested cloud configuration findings.\n\nIt provides information about findings and assets. It also displays the distribution of findings according to evaluation results and contains details regarding the count of findings over time.", + "markdown": "#### Navigation\n\n[Wiz Audit Dashboard](#/dashboard/wiz-be3fd3f0-6358-11ee-9db4-21f79f2e6273) \n**Wiz Cloud Configuration Finding Dashboard** \n[Wiz Defend Dashboard](#/dashboard/wiz-3c3519be-f4f9-4c67-a9d8-1db4182b6e6a) \n[Wiz Issue Dashboard](#/dashboard/wiz-d8f91a20-6363-11ee-a265-c3569aa0cebf) \n[Wiz Vulnerability Dashboard](#/dashboard/wiz-927c36f0-6358-11ee-a265-c3569aa0cebf) \n\n[Integration Page](/app/integrations/detail/wiz/overview)\n\n#### Dashboard Overview\n\nThis dashboard shows the Cloud Configuration Findings overview related to the Wiz Integration.\n\nThis dashboard provides general statistics and shows the detection of ingested cloud configuration findings.\n\nIt provides information about findings and assets. It also displays the distribution of findings according to evaluation results and contains details regarding the count of findings over time.", "openLinksInNewTab": false }, "title": "", "type": "markdown", "uiState": {} - } + }, + "title": "Table of Contents" }, "gridData": { "h": 23, 
@@ -53,7 +69,6 @@
 "y": 0
 },
 "panelIndex": "94a743d5-faba-431e-b382-1fc7315b7e3e",
- "title": "Table of Contents",
 "type": "visualization"
 },
 {
@@ -245,7 +260,8 @@
 "visualizationType": "lnsDatatable"
 },
 "enhancements": {},
- "hidePanelTitles": false
+ "hidePanelTitles": false,
+ "title": "Top 10 Cloud Configuration Findings [Logs Wiz]"
 },
 "gridData": {
 "h": 12,
@@ -255,7 +271,6 @@
 "y": 0
 },
 "panelIndex": "044ff952-a6d8-4fc2-a49f-8013448a5b2d",
- "title": "Top 10 Cloud Configuration Findings [Logs Wiz]",
 "type": "lens"
 },
 {
@@ -470,7 +485,8 @@
 "visualizationType": "lnsDatatable"
 },
 "enhancements": {},
- "hidePanelTitles": false
+ "hidePanelTitles": false,
+ "title": "Top 10 resources with Cloud Configuration Findings [Logs Wiz]"
 },
 "gridData": {
 "h": 11,
@@ -480,7 +496,6 @@
 "y": 12
 },
 "panelIndex": "42f119fc-4f83-48fa-964d-2ba1255bdd3b",
- "title": "Top 10 resources with Cloud Configuration Findings [Logs Wiz]",
 "type": "lens"
 },
 {
@@ -684,7 +699,8 @@
 "visualizationType": "lnsXY"
 },
 "enhancements": {},
- "hidePanelTitles": false
+ "hidePanelTitles": false,
+ "title": "Findings over Time [Logs Wiz]"
 },
 "gridData": {
 "h": 15,
@@ -694,7 +710,6 @@
 "y": 23
 },
 "panelIndex": "083792d4-85c6-436b-ab41-60c74996826c",
- "title": "Findings over Time [Logs Wiz]",
 "type": "lens"
 },
 {
@@ -833,7 +848,8 @@
 "visualizationType": "lnsPie"
 },
 "enhancements": {},
- "hidePanelTitles": false
+ "hidePanelTitles": false,
+ "title": "Vulnerability by Status [Logs Wiz]"
 },
 "gridData": {
 "h": 15,
@@ -843,18 +859,16 @@
 "y": 23
 },
 "panelIndex": "e684aa2c-8963-4cae-a04e-74b00b662a33",
- "title": "Vulnerability by Status [Logs Wiz]",
 "type": "lens"
 }
 ],
 "timeRestore": false,
 "title": "[Logs Wiz] Cloud Configuration Finding",
- "version": 1
+ "version": 3
 },
 "coreMigrationVersion": "8.8.0",
- "created_at": "2024-08-23T14:46:23.733Z",
+ "created_at": "2026-05-26T09:08:17.746Z",
 "id": "wiz-726802c0-4007-48b9-bae5-09daa69d4368",
- "managed": false,
 "references": [
 {
 "id": "logs-*",
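Review bot: The hunk at `@@ -833,7 +848,8 @@` carries the title `Vulnerability by Status [Logs Wiz]` into `embeddableConfig` for panel `e684aa2c-8963-4cae-a04e-74b00b662a33` of the Cloud Configuration Finding dashboard, where it reads as a leftover from the Vulnerability dashboard, which receives an identically titled pie in this same change. This dashboard's own overview text says the pie shows the distribution of findings "according to evaluation results", so a title along the lines of `"title": "Findings by Evaluation Result [Logs Wiz]"` would describe the panel; confirm against the pie's source field, whose Lens definition lies before this hunk. Since the change is already touching every panel title, this is the cheap moment to fix the mislabel.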
@@ -903,5 +917,6 @@ } ], "type": "dashboard", - "typeMigrationVersion": "8.9.0" -} \ No newline at end of file + "typeMigrationVersion": "10.3.0", + "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0" +} diff --git a/packages/wiz/kibana/dashboard/wiz-927c36f0-6358-11ee-a265-c3569aa0cebf.json b/packages/wiz/kibana/dashboard/wiz-927c36f0-6358-11ee-a265-c3569aa0cebf.json index 540b85f8756..ebd665b166b 100644 --- a/packages/wiz/kibana/dashboard/wiz-927c36f0-6358-11ee-a265-c3569aa0cebf.json +++ b/packages/wiz/kibana/dashboard/wiz-927c36f0-6358-11ee-a265-c3569aa0cebf.json @@ -1,5 +1,17 @@ { "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "twoLine", + "ignoreParentSettingsJSON": { + "ignoreFilters": false, + "ignoreQuery": false, + "ignoreTimerange": false, + "ignoreValidations": false + }, + "panelsJSON": {}, + "showApplySelections": false + }, "description": "", "kibanaSavedObjectMeta": { "searchSourceJSON": { @@ -20,8 +32,12 @@ "panelsJSON": [ { "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "hidePanelTitles": true, "savedVis": { "data": { "aggs": [], 
@@ -34,16 +50,16 @@ } }, "description": "", - "id": "", "params": { "fontSize": 12, - "markdown": "Navigation\n\nWiz Vulnerability\n\n[Wiz Cloud Configuration Finding](#/dashboard/wiz-726802c0-4007-48b9-bae5-09daa69d4368)\n\n[Wiz Defend](#/dashboard/wiz-3c3519be-f4f9-4c67-a9d8-1db4182b6e6a)\n\n[Wiz Audit](#/dashboard/wiz-be3fd3f0-6358-11ee-9db4-21f79f2e6273)\n\n[Wiz Issue](#/dashboard/wiz-d8f91a20-6363-11ee-a265-c3569aa0cebf)\n\n[Integration Page](/app/integrations/detail/wiz-0.2.0/overview)\n\nOverview\n\nThis dashboard shows Vulnerability overview related to the Wiz Integration.\n\nThis dashboard is made to provide general statistics and show the detection of ingested vulnerabilities.\n\nIt provides information about vulnerability and vulnerability assets. It also displays the distribution of vulnerabilities according to detection method and status. It also contains details regarding count of vulnerabilities over time.", + "markdown": "#### Navigation\n\n[Wiz Audit Dashboard](#/dashboard/wiz-be3fd3f0-6358-11ee-9db4-21f79f2e6273) \n[Wiz Cloud Configuration Finding Dashboard](#/dashboard/wiz-726802c0-4007-48b9-bae5-09daa69d4368) \n[Wiz Defend Dashboard](#/dashboard/wiz-3c3519be-f4f9-4c67-a9d8-1db4182b6e6a) \n[Wiz Issue Dashboard](#/dashboard/wiz-d8f91a20-6363-11ee-a265-c3569aa0cebf) \n**Wiz Vulnerability Dashboard** \n\n[Integration Page](/app/integrations/detail/wiz/overview)\n\n#### Dashboard Overview\n\nThis dashboard shows Vulnerability overview related to the Wiz Integration.\n\nThis dashboard is made to provide general statistics and show the detection of ingested vulnerabilities.\n\nIt provides information about vulnerability and vulnerability assets. It also displays the distribution of vulnerabilities according to detection method and status. It also contains details regarding count of vulnerabilities over time.\n", "openLinksInNewTab": false }, "title": "", "type": "markdown", "uiState": {} - } + }, + "title": "Table of Contents" }, "gridData": { "h": 23, 
@@ -53,9 +69,7 @@ "y": 0 }, "panelIndex": "727bcd3b-a463-4e53-b37c-e4d5b2f21109", - "title": "Table of Contents", - "type": "visualization", - "version": "8.10.1" + "type": "visualization" }, { "embeddableConfig": { @@ -278,7 +292,8 @@ "visualizationType": "lnsDatatable" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "title": "Top 10 Vulnerable Asset Details [Logs Wiz]" }, "gridData": { "h": 11, @@ -288,9 +303,7 @@ "y": 12 }, "panelIndex": "2051bd2b-1eec-4089-b4fb-577795cacfa2", - "title": "Top 10 Vulnerable Asset Details [Logs Wiz]", - "type": "lens", - "version": "8.10.1" + "type": "lens" }, { "embeddableConfig": { @@ -483,7 +496,8 @@ "visualizationType": "lnsDatatable" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "title": "Top 10 Vulnerability Details [Logs Wiz]" }, "gridData": { "h": 12, @@ -493,9 +507,7 @@ "y": 0 }, "panelIndex": "f3eb2e36-296f-4004-96da-cbb7b028b304", - "title": "Top 10 Vulnerability Details [Logs Wiz]", - "type": "lens", - "version": "8.10.1" + "type": "lens" }, { "embeddableConfig": { @@ -638,7 +650,8 @@ "visualizationType": "lnsXY" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "title": "Vulnerability by Impact Score [Logs Wiz]" }, "gridData": { "h": 15, @@ -648,9 +661,7 @@ "y": 23 }, "panelIndex": "06724fb1-c688-4fb8-994f-46fdda85f4df", - "title": "Vulnerability by Impact Score [Logs Wiz]", - "type": "lens", - "version": "8.10.1" + "type": "lens" }, { "embeddableConfig": { @@ -825,7 +836,8 @@ "visualizationType": "lnsXY" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "title": "Vulnerability over Time [Logs Wiz]" }, "gridData": { "h": 15, @@ -835,9 +847,7 @@ "y": 23 }, "panelIndex": "847c81d1-f4af-4251-a36b-d78b84ca73b0", - "title": "Vulnerability over Time [Logs Wiz]", - "type": "lens", - "version": "8.10.1" + "type": "lens" }, { "embeddableConfig": { 
@@ -975,7 +985,8 @@ "visualizationType": "lnsPie" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "title": "Vulnerability by Status [Logs Wiz]" }, "gridData": { "h": 15, @@ -985,9 +996,7 @@ "y": 38 }, "panelIndex": "5431537a-7121-454f-9311-539c6c4f49b1", - "title": "Vulnerability by Status [Logs Wiz]", - "type": "lens", - "version": "8.10.1" + "type": "lens" }, { "embeddableConfig": { @@ -1125,7 +1134,8 @@ "visualizationType": "lnsPie" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "title": "Vulnerability by Detection Method [Logs Wiz]" }, "gridData": { "h": 15, @@ -1135,19 +1145,16 @@ "y": 38 }, "panelIndex": "949d4086-94e4-4d90-a590-7a373ce0ee36", - "title": "Vulnerability by Detection Method [Logs Wiz]", - "type": "lens", - "version": "8.10.1" + "type": "lens" } ], "timeRestore": false, "title": "[Logs Wiz] Vulnerability", - "version": 1 + "version": 3 }, "coreMigrationVersion": "8.8.0", - "created_at": "2023-10-13T10:53:15.400Z", + "created_at": "2026-05-26T09:08:15.734Z", "id": "wiz-927c36f0-6358-11ee-a265-c3569aa0cebf", - "managed": false, "references": [ { "id": "logs-*", @@ -1211,5 +1218,6 @@ } ], "type": "dashboard", - "typeMigrationVersion": "8.9.0" -} \ No newline at end of file + "typeMigrationVersion": "10.3.0", + "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0" +} diff --git a/packages/wiz/kibana/dashboard/wiz-be3fd3f0-6358-11ee-9db4-21f79f2e6273.json b/packages/wiz/kibana/dashboard/wiz-be3fd3f0-6358-11ee-9db4-21f79f2e6273.json index 0773d282db4..d558e5d3f9f 100644 --- a/packages/wiz/kibana/dashboard/wiz-be3fd3f0-6358-11ee-9db4-21f79f2e6273.json +++ b/packages/wiz/kibana/dashboard/wiz-be3fd3f0-6358-11ee-9db4-21f79f2e6273.json 
@@ -1,5 +1,17 @@ { "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": { + "ignoreFilters": false, + "ignoreQuery": false, + "ignoreTimerange": false, + "ignoreValidations": false + }, + "panelsJSON": {}, + "showApplySelections": false + }, "description": "", "kibanaSavedObjectMeta": { "searchSourceJSON": { @@ -18,45 +30,6 @@ "useMargins": true }, "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false, - "savedVis": { - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "description": "", - "id": "", - "params": { - "fontSize": 12, - "markdown": "Navigation\n\nWiz Audit\n\n[Wiz Cloud Configuration Finding](#/dashboard/wiz-726802c0-4007-48b9-bae5-09daa69d4368)\n\n[Wiz Vulnerability](#/dashboard/wiz-927c36f0-6358-11ee-a265-c3569aa0cebf)\n\n[Wiz Issue](#/dashboard/wiz-d8f91a20-6363-11ee-a265-c3569aa0cebf)\n\n[Wiz Defend](#/dashboard/wiz-3c3519be-f4f9-4c67-a9d8-1db4182b6e6a)\n\nOverview\n\nThis dashboard shows an Audit overview related to the Wiz Integration.\n\nThis dashboard is made to provide general statistics and show the detection of ingested audit data.\n\nIt provides information about audit data by user. It also displays the actions performed on time and the status of those actions in the pie chart. It displays the top 10 source IPs with their count.", - "openLinksInNewTab": false - }, - "title": "", - "type": "markdown", - "uiState": {} - } - }, - "gridData": { - "h": 23, - "i": "0f27302b-3efb-4712-a3cf-fa26a7fc6bd1", - "w": 15, - "x": 0, - "y": 0 - }, - "panelIndex": "0f27302b-3efb-4712-a3cf-fa26a7fc6bd1", - "title": "Table of Contents", - "type": "visualization", - "version": "8.10.1" - }, { "embeddableConfig": { "attributes": { 
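Review bot: The hunk at `@@ -18,45 +30,6 @@` deletes the Audit dashboard's navigation/overview markdown panel (`0f27302b-3efb-4712-a3cf-fa26a7fc6bd1`) from the head of `panelsJSON` with no replacement in the hunk, while the Cloud Configuration Finding, Vulnerability and Defend dashboards in this change each gain a refreshed navigation panel that links to `wiz-be3fd3f0-6358-11ee-9db4-21f79f2e6273`. Unless an equivalent panel is re-added further down this file (outside this view), the Audit dashboard becomes a one-way destination with no `#### Navigation` links back to the other four dashboards or to the integration page. If the removal is deliberate it should be called out in the changelog; otherwise re-add a markdown panel mirroring the siblings, with `**Wiz Audit Dashboard**` bolded as the current entry and `"hidePanelTitles": true`.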
@@ -64,12 +37,12 @@ "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-layer-6f8238aa-59ea-4672-a656-4b302e00407e", + "name": "indexpattern-datasource-layer-95235e2f-1057-46ba-90d6-474002b2555d", "type": "index-pattern" }, { "id": "logs-*", - "name": "cbfca3e7-f41f-4b16-b399-846ca16aae6d", + "name": "e5711963-4101-4e46-a9e9-63d9a3c62352", "type": "index-pattern" } ], @@ -78,17 +51,29 @@ "datasourceStates": { "formBased": { "layers": { - "6f8238aa-59ea-4672-a656-4b302e00407e": { + "95235e2f-1057-46ba-90d6-474002b2555d": { "columnOrder": [ - "314b70c3-3bd6-4b5d-8e50-4c8f343fbd81", - "668d4789-ec89-4e37-80f2-78aa42845886" + "d41001f7-0425-40fc-ab1c-95341b43e4d2", + "41c3bf84-939e-4f4c-9c4a-ef1d61cde9d7" ], "columns": { - "314b70c3-3bd6-4b5d-8e50-4c8f343fbd81": { + "41c3bf84-939e-4f4c-9c4a-ef1d61cde9d7": { "customLabel": true, - "dataType": "ip", + "dataType": "number", + "isBucketed": false, + "label": "Event ID", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "event.id" + }, + "d41001f7-0425-40fc-ab1c-95341b43e4d2": { + "customLabel": true, + "dataType": "string", "isBucketed": true, - "label": "Source IP", + "label": "Top 5 User ID", "operationType": "terms", "params": { "exclude": [], 
@@ -97,30 +82,18 @@ "includeIsRegex": false, "missingBucket": false, "orderBy": { - "columnId": "668d4789-ec89-4e37-80f2-78aa42845886", + "columnId": "41c3bf84-939e-4f4c-9c4a-ef1d61cde9d7", "type": "column" }, "orderDirection": "desc", - "otherBucket": false, + "otherBucket": true, "parentFormat": { "id": "terms" }, - "size": 10 + "size": 5 }, "scale": "ordinal", - "sourceField": "source.ip" - }, - "668d4789-ec89-4e37-80f2-78aa42845886": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Count", - "operationType": "count", - "params": { - "emptyAsNull": false - }, - "scale": "ratio", - "sourceField": "___records___" + "sourceField": "user.id" } }, "ignoreGlobalFilters": false, @@ -145,7 +118,7 @@ "alias": null, "disabled": false, "field": "data_stream.dataset", - "index": "cbfca3e7-f41f-4b16-b399-846ca16aae6d", + "index": "e5711963-4101-4e46-a9e9-63d9a3c62352", "key": "data_stream.dataset", "negate": false, "params": { 
@@ -166,38 +139,44 @@ "query": "" }, "visualization": { - "columns": [ - { - "columnId": "314b70c3-3bd6-4b5d-8e50-4c8f343fbd81", - "isTransposed": false - }, + "layers": [ { - "columnId": "668d4789-ec89-4e37-80f2-78aa42845886", - "isTransposed": false + "categoryDisplay": "default", + "layerId": "95235e2f-1057-46ba-90d6-474002b2555d", + "layerType": "data", + "legendDisplay": "show", + "legendSize": "large", + "metrics": [ + "41c3bf84-939e-4f4c-9c4a-ef1d61cde9d7" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "d41001f7-0425-40fc-ab1c-95341b43e4d2" + ], + "truncateLegend": false } ], - "layerId": "6f8238aa-59ea-4672-a656-4b302e00407e", - "layerType": "data" + "shape": "pie" } }, "title": "", "type": "lens", - "visualizationType": "lnsDatatable" + "visualizationType": "lnsPie" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "title": "Audit by User [Logs Wiz]" }, "gridData": { "h": 11, - "i": "955f380d-4b48-416f-8fa3-41dd6c0df91c", - "w": 15, - "x": 15, + "i": "28d1a83b-3558-473c-948c-8157eee46509", + "w": 18, + "x": 30, "y": 0 }, - "panelIndex": "955f380d-4b48-416f-8fa3-41dd6c0df91c", - "title": "Top 10 Source IP [Logs Wiz]", - "type": "lens", - "version": "8.10.1" + "panelIndex": "28d1a83b-3558-473c-948c-8157eee46509", + "type": "lens" }, { "embeddableConfig": { @@ -206,12 +185,12 @@ "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-layer-95235e2f-1057-46ba-90d6-474002b2555d", + "name": "indexpattern-datasource-layer-eda794c9-092a-4564-805e-f3d834f2084d", "type": "index-pattern" }, { "id": "logs-*", - "name": "e5711963-4101-4e46-a9e9-63d9a3c62352", + "name": "0bfdde77-b622-4820-b63e-accae3b4f4c5", "type": "index-pattern" } ], 
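Review bot: The slot that previously rendered `Top 10 Source IP [Logs Wiz]` — a datatable over `source.ip`, removed across this hunk (`- "title": "Top 10 Source IP [Logs Wiz]"`) and the two before it (`- "label": "Source IP"`, `- "sourceField": "source.ip"`) — now holds the `Audit by User` pie that the following hunks show being moved up from the next slot, and nothing visible re-creates a `source.ip` visualization. On an audit-log dashboard the source-IP breakdown is the one view that surfaces administrative access from unexpected networks, so if it was dropped rather than relocated (the remainder of the file is outside this view), consider keeping it as a terms panel on `source.ip` with `"otherBucket": true`, as the new user panel does. The enclosing panel object starts before this hunk.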
@@ -220,13 +199,13 @@ "datasourceStates": { "formBased": { "layers": { - "95235e2f-1057-46ba-90d6-474002b2555d": { + "eda794c9-092a-4564-805e-f3d834f2084d": { "columnOrder": [ - "d41001f7-0425-40fc-ab1c-95341b43e4d2", - "41c3bf84-939e-4f4c-9c4a-ef1d61cde9d7" + "dc749dcf-16fb-4055-9b3a-34260393f125", + "6a8fa0a7-9369-41c2-b228-6f31418aeff7" ], "columns": { - "41c3bf84-939e-4f4c-9c4a-ef1d61cde9d7": { + "6a8fa0a7-9369-41c2-b228-6f31418aeff7": { "customLabel": true, "dataType": "number", "isBucketed": false, @@ -238,11 +217,11 @@ "scale": "ratio", "sourceField": "event.id" }, - "d41001f7-0425-40fc-ab1c-95341b43e4d2": { + "dc749dcf-16fb-4055-9b3a-34260393f125": { "customLabel": true, "dataType": "string", "isBucketed": true, - "label": "Top 5 User ID", + "label": "Top 5 Event Action", "operationType": "terms", "params": { "exclude": [], @@ -251,7 +230,7 @@ "includeIsRegex": false, "missingBucket": false, "orderBy": { - "columnId": "41c3bf84-939e-4f4c-9c4a-ef1d61cde9d7", + "columnId": "6a8fa0a7-9369-41c2-b228-6f31418aeff7", "type": "column" }, "orderDirection": "desc", @@ -262,7 +241,7 @@ "size": 5 }, "scale": "ordinal", - "sourceField": "user.id" + "sourceField": "event.action" } }, "ignoreGlobalFilters": false, @@ -287,7 +266,7 @@ "alias": null, "disabled": false, "field": "data_stream.dataset", - "index": "e5711963-4101-4e46-a9e9-63d9a3c62352", + "index": "0bfdde77-b622-4820-b63e-accae3b4f4c5", "key": "data_stream.dataset", "negate": false, "params": { @@ -311,17 +290,17 @@ "layers": [ { "categoryDisplay": "default", - "layerId": "95235e2f-1057-46ba-90d6-474002b2555d", + "layerId": "eda794c9-092a-4564-805e-f3d834f2084d", "layerType": "data", "legendDisplay": "show", "legendSize": "large", "metrics": [ - "41c3bf84-939e-4f4c-9c4a-ef1d61cde9d7" + "6a8fa0a7-9369-41c2-b228-6f31418aeff7" ], "nestedLegend": false, "numberDisplay": "percent", "primaryGroups": [ - "d41001f7-0425-40fc-ab1c-95341b43e4d2" + "dc749dcf-16fb-4055-9b3a-34260393f125" ], "truncateLegend": false } 
@@ -334,19 +313,18 @@ "visualizationType": "lnsPie" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "title": "Audit by Action [Logs Wiz]" }, "gridData": { - "h": 11, - "i": "28d1a83b-3558-473c-948c-8157eee46509", + "h": 12, + "i": "892360c9-2be8-4e1e-a93e-e70a9d2aa8fc", "w": 18, "x": 30, - "y": 0 + "y": 11 }, - "panelIndex": "28d1a83b-3558-473c-948c-8157eee46509", - "title": "Audit by User [Logs Wiz]", - "type": "lens", - "version": "8.10.1" + "panelIndex": "892360c9-2be8-4e1e-a93e-e70a9d2aa8fc", + "type": "lens" }, { "embeddableConfig": { @@ -355,7 +333,12 @@ "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-layer-2ef70662-f7d5-4917-bff4-c212ecf7ad19", + "name": "indexpattern-datasource-layer-c4705a46-4a7c-484e-acae-35aa9de658f0", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "68046879-96c5-4615-950e-e40001e3bb9b", "type": "index-pattern" } ], @@ -364,17 +347,32 @@ "datasourceStates": { "formBased": { "layers": { - "2ef70662-f7d5-4917-bff4-c212ecf7ad19": { + "c4705a46-4a7c-484e-acae-35aa9de658f0": { "columnOrder": [ - "042dcb66-1d9e-49d9-bda3-f42b9ab2770a", - "d1fcb2cb-ae75-4473-ae21-1830e116feba" + "30ee1d33-c798-4a40-b94c-093b93598375", + "263cfa15-045b-44c1-9601-fa6d36ecf6b1", + "d1e9fc29-3890-413a-956c-ee38f8171fd0" ], "columns": { - "042dcb66-1d9e-49d9-bda3-f42b9ab2770a": { + "263cfa15-045b-44c1-9601-fa6d36ecf6b1": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "Timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "30ee1d33-c798-4a40-b94c-093b93598375": { "customLabel": true, "dataType": "string", "isBucketed": true, - "label": "Top 5 Wiz Audit Status", + "label": "Top 10 Event Action", "operationType": "terms", "params": { "exclude": [], 
@@ -383,7 +381,7 @@ "includeIsRegex": false, "missingBucket": false, "orderBy": { - "columnId": "d1fcb2cb-ae75-4473-ae21-1830e116feba", + "columnId": "d1e9fc29-3890-413a-956c-ee38f8171fd0", "type": "column" }, "orderDirection": "desc", @@ -391,17 +389,16 @@ "parentFormat": { "id": "terms" }, - "secondaryFields": [], - "size": 5 + "size": 10 }, "scale": "ordinal", - "sourceField": "wiz.audit.status" + "sourceField": "event.action" }, - "d1fcb2cb-ae75-4473-ae21-1830e116feba": { + "d1e9fc29-3890-413a-956c-ee38f8171fd0": { "customLabel": true, "dataType": "number", "isBucketed": false, - "label": "Event ID", + "label": "Count", "operationType": "count", "params": { "emptyAsNull": false @@ -423,7 +420,30 @@ "layers": {} } }, - "filters": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "68046879-96c5-4615-950e-e40001e3bb9b", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "wiz.audit" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "wiz.audit" + } + } + } + ], "internalReferences": [], "query": { "language": "kuery", 
@@ -432,43 +452,88 @@ "visualization": { "layers": [ { - "categoryDisplay": "default", - "layerId": "2ef70662-f7d5-4917-bff4-c212ecf7ad19", - "layerType": "data", - "legendDisplay": "show", - "legendSize": "large", - "metrics": [ - "d1fcb2cb-ae75-4473-ae21-1830e116feba" - ], - "nestedLegend": false, - "numberDisplay": "percent", - "primaryGroups": [ - "042dcb66-1d9e-49d9-bda3-f42b9ab2770a" + "accessors": [ + "d1e9fc29-3890-413a-956c-ee38f8171fd0" ], - "truncateLegend": false + "layerId": "c4705a46-4a7c-484e-acae-35aa9de658f0", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "splitAccessor": "30ee1d33-c798-4a40-b94c-093b93598375", + "xAccessor": "263cfa15-045b-44c1-9601-fa6d36ecf6b1" } ], - "shape": "pie" + "legend": { + "isVisible": true, + "legendSize": "large", + "position": "right", + "shouldTruncate": false, + "showSingleSeries": true + }, + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide" } }, "title": "", "type": "lens", - "visualizationType": "lnsPie" + "visualizationType": "lnsXY" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "title": "Action over Time [Logs Wiz]" }, "gridData": { - "h": 12, - "i": "38992b4f-7a75-4641-afc9-4cede93fbe04", - "w": 15, - "x": 15, - "y": 11 + "h": 11, + "i": "5f4a4c50-2b75-49e8-997e-996ed535715e", + "w": 48, + "x": 0, + "y": 23 }, - "panelIndex": "38992b4f-7a75-4641-afc9-4cede93fbe04", - "title": "Audit by Status [Logs Wiz]", - "type": "lens", - "version": "8.10.1" + "panelIndex": "5f4a4c50-2b75-49e8-997e-996ed535715e", + "type": "lens" + }, + { + "embeddableConfig": { + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "hidePanelTitles": true, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "params": { + "fontSize": 12, + "markdown": "#### Navigation\n\n**Wiz Audit Dashboard** 
\n[Wiz Cloud Configuration Finding Dashboard](#/dashboard/wiz-726802c0-4007-48b9-bae5-09daa69d4368) \n[Wiz Defend Dashboard](#/dashboard/wiz-3c3519be-f4f9-4c67-a9d8-1db4182b6e6a) \n[Wiz Issue Dashboard](#/dashboard/wiz-d8f91a20-6363-11ee-a265-c3569aa0cebf) \n[Wiz Vulnerability Dashboard](#/dashboard/wiz-927c36f0-6358-11ee-a265-c3569aa0cebf) \n\n[Integration Page](/app/integrations/detail/wiz/overview)\n\n#### Dashboard Overview\n\nThis dashboard shows an Audit overview related to the Wiz Integration.\n\nThis dashboard is made to provide general statistics and show the detection of ingested audit data.\n\nIt provides information about audit data by user. It also displays the actions performed on time and the status of those actions in the pie chart. It displays the top 10 source IPs with their count.", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + }, + "title": "Table of Contents" + }, + "gridData": { + "h": 23, + "i": "0f27302b-3efb-4712-a3cf-fa26a7fc6bd1", + "w": 14, + "x": 0, + "y": 0 + }, + "panelIndex": "0f27302b-3efb-4712-a3cf-fa26a7fc6bd1", + "type": "visualization" }, { "embeddableConfig": { @@ -477,12 +542,12 @@ "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-layer-eda794c9-092a-4564-805e-f3d834f2084d", + "name": "indexpattern-datasource-layer-6f8238aa-59ea-4672-a656-4b302e00407e", "type": "index-pattern" }, { "id": "logs-*", - "name": "0bfdde77-b622-4820-b63e-accae3b4f4c5", + "name": "cbfca3e7-f41f-4b16-b399-846ca16aae6d", "type": "index-pattern" } ], 
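Review bot: `"title": "Empty XY chart"` inside the new `visualization` state of the Action over Time panel looks like the Lens editor's placeholder rather than a chosen value; the panel is already named through `embeddableConfig.title`, so this should be `"title": ""` (or dropped) so a stale label is not shipped in the package. In the same block `"preferredSeriesType": "bar_stacked"` disagrees with the layer's `"seriesType": "line"`; presumably harmless for rendering, but aligning the two avoids the chart silently changing shape on the next editor round-trip. This hunk begins on the previous physical line.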
@@ -491,29 +556,17 @@ "datasourceStates": { "formBased": { "layers": { - "eda794c9-092a-4564-805e-f3d834f2084d": { + "6f8238aa-59ea-4672-a656-4b302e00407e": { "columnOrder": [ - "dc749dcf-16fb-4055-9b3a-34260393f125", - "6a8fa0a7-9369-41c2-b228-6f31418aeff7" + "314b70c3-3bd6-4b5d-8e50-4c8f343fbd81", + "668d4789-ec89-4e37-80f2-78aa42845886" ], "columns": { - "6a8fa0a7-9369-41c2-b228-6f31418aeff7": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Event ID", - "operationType": "count", - "params": { - "emptyAsNull": false - }, - "scale": "ratio", - "sourceField": "event.id" - }, - "dc749dcf-16fb-4055-9b3a-34260393f125": { + "314b70c3-3bd6-4b5d-8e50-4c8f343fbd81": { "customLabel": true, - "dataType": "string", + "dataType": "ip", "isBucketed": true, - "label": "Top 5 Event Action", + "label": "Source IP", "operationType": "terms", "params": { "exclude": [], @@ -522,18 +575,30 @@ "includeIsRegex": false, "missingBucket": false, "orderBy": { - "columnId": "6a8fa0a7-9369-41c2-b228-6f31418aeff7", + "columnId": "668d4789-ec89-4e37-80f2-78aa42845886", "type": "column" }, "orderDirection": "desc", - "otherBucket": true, + "otherBucket": false, "parentFormat": { "id": "terms" }, - "size": 5 + "size": 10 }, "scale": "ordinal", - "sourceField": "event.action" + "sourceField": "source.ip" + }, + "668d4789-ec89-4e37-80f2-78aa42845886": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" } }, "ignoreGlobalFilters": false, @@ -558,7 +623,7 @@ "alias": null, "disabled": false, "field": "data_stream.dataset", - "index": "0bfdde77-b622-4820-b63e-accae3b4f4c5", + "index": "cbfca3e7-f41f-4b16-b399-846ca16aae6d", "key": "data_stream.dataset", "negate": false, "params": { 
@@ -579,45 +644,37 @@ "query": "" }, "visualization": { - "layers": [ + "columns": [ { - "categoryDisplay": "default", - "layerId": "eda794c9-092a-4564-805e-f3d834f2084d", - "layerType": "data", - "legendDisplay": "show", - "legendSize": "large", - "metrics": [ - "6a8fa0a7-9369-41c2-b228-6f31418aeff7" - ], - "nestedLegend": false, - "numberDisplay": "percent", - "primaryGroups": [ - "dc749dcf-16fb-4055-9b3a-34260393f125" - ], - "truncateLegend": false + "columnId": "314b70c3-3bd6-4b5d-8e50-4c8f343fbd81", + "isTransposed": false + }, + { + "columnId": "668d4789-ec89-4e37-80f2-78aa42845886", + "isTransposed": false } ], - "shape": "pie" + "layerId": "6f8238aa-59ea-4672-a656-4b302e00407e", + "layerType": "data" } }, "title": "", "type": "lens", - "visualizationType": "lnsPie" + "visualizationType": "lnsDatatable" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "title": "Top 10 Source IP [Logs Wiz]" }, "gridData": { - "h": 12, - "i": "892360c9-2be8-4e1e-a93e-e70a9d2aa8fc", - "w": 18, - "x": 30, - "y": 11 + "h": 11, + "i": "955f380d-4b48-416f-8fa3-41dd6c0df91c", + "w": 16, + "x": 14, + "y": 0 }, - "panelIndex": "892360c9-2be8-4e1e-a93e-e70a9d2aa8fc", - "title": "Audit by Action [Logs Wiz]", - "type": "lens", - "version": "8.10.1" + "panelIndex": "955f380d-4b48-416f-8fa3-41dd6c0df91c", + "type": "lens" }, { "embeddableConfig": { @@ -626,12 +683,12 @@ "references": [ { "id": "logs-*", - "name": "indexpattern-datasource-layer-c4705a46-4a7c-484e-acae-35aa9de658f0", + "name": "indexpattern-datasource-layer-2ef70662-f7d5-4917-bff4-c212ecf7ad19", "type": "index-pattern" }, { "id": "logs-*", - "name": "68046879-96c5-4615-950e-e40001e3bb9b", + "name": "249b6030-1923-46a8-afcd-02911d27bea8", "type": "index-pattern" } ], 
@@ -640,32 +697,17 @@ "datasourceStates": { "formBased": { "layers": { - "c4705a46-4a7c-484e-acae-35aa9de658f0": { + "2ef70662-f7d5-4917-bff4-c212ecf7ad19": { "columnOrder": [ - "30ee1d33-c798-4a40-b94c-093b93598375", - "263cfa15-045b-44c1-9601-fa6d36ecf6b1", - "d1e9fc29-3890-413a-956c-ee38f8171fd0" + "042dcb66-1d9e-49d9-bda3-f42b9ab2770a", + "d1fcb2cb-ae75-4473-ae21-1830e116feba" ], "columns": { - "263cfa15-045b-44c1-9601-fa6d36ecf6b1": { - "customLabel": true, - "dataType": "date", - "isBucketed": true, - "label": "Timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "@timestamp" - }, - "30ee1d33-c798-4a40-b94c-093b93598375": { + "042dcb66-1d9e-49d9-bda3-f42b9ab2770a": { "customLabel": true, "dataType": "string", "isBucketed": true, - "label": "Top 10 Event Action", + "label": "Top 5 Wiz Audit Status", "operationType": "terms", "params": { "exclude": [], @@ -674,7 +716,7 @@ "includeIsRegex": false, "missingBucket": false, "orderBy": { - "columnId": "d1e9fc29-3890-413a-956c-ee38f8171fd0", + "columnId": "d1fcb2cb-ae75-4473-ae21-1830e116feba", "type": "column" }, "orderDirection": "desc", @@ -682,16 +724,17 @@ "parentFormat": { "id": "terms" }, - "size": 10 + "secondaryFields": [], + "size": 5 }, "scale": "ordinal", - "sourceField": "event.action" + "sourceField": "wiz.audit.status" }, - "d1e9fc29-3890-413a-956c-ee38f8171fd0": { + "d1fcb2cb-ae75-4473-ae21-1830e116feba": { "customLabel": true, "dataType": "number", "isBucketed": false, - "label": "Count", + "label": "Event ID", "operationType": "count", "params": { "emptyAsNull": false @@ -722,7 +765,7 @@ "alias": null, "disabled": false, "field": "data_stream.dataset", - "index": "68046879-96c5-4615-950e-e40001e3bb9b", + "index": "249b6030-1923-46a8-afcd-02911d27bea8", "key": "data_stream.dataset", "negate": false, "params": { 
@@ -745,105 +788,139 @@ "visualization": { "layers": [ { - "accessors": [ - "d1e9fc29-3890-413a-956c-ee38f8171fd0" - ], - "layerId": "c4705a46-4a7c-484e-acae-35aa9de658f0", + "categoryDisplay": "default", + "layerId": "2ef70662-f7d5-4917-bff4-c212ecf7ad19", "layerType": "data", - "position": "top", - "seriesType": "line", - "showGridlines": false, - "splitAccessor": "30ee1d33-c798-4a40-b94c-093b93598375", - "xAccessor": "263cfa15-045b-44c1-9601-fa6d36ecf6b1" + "legendDisplay": "show", + "legendSize": "large", + "metrics": [ + "d1fcb2cb-ae75-4473-ae21-1830e116feba" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "042dcb66-1d9e-49d9-bda3-f42b9ab2770a" + ], + "truncateLegend": false } ], - "legend": { - "isVisible": true, - "legendSize": "large", - "position": "right", - "shouldTruncate": false, - "showSingleSeries": true - }, - "preferredSeriesType": "bar_stacked", - "title": "Empty XY chart", - "valueLabels": "hide" + "shape": "pie" } }, "title": "", "type": "lens", - "visualizationType": "lnsXY" + "visualizationType": "lnsPie" }, - "enhancements": {}, - "hidePanelTitles": false + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "249b6030-1923-46a8-afcd-02911d27bea8", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "wiz.audit" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "wiz.audit" + } + } + } + ], + "hidePanelTitles": false, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "title": "Audit by Status [Logs Wiz]" }, "gridData": { - "h": 11, - "i": "5f4a4c50-2b75-49e8-997e-996ed535715e", - "w": 48, - "x": 0, - "y": 23 + "h": 12, + "i": "38992b4f-7a75-4641-afc9-4cede93fbe04", + "w": 16, + "x": 14, + "y": 11 }, - 
"panelIndex": "5f4a4c50-2b75-49e8-997e-996ed535715e", - "title": "Action over Time [Logs Wiz]", - "type": "lens", - "version": "8.10.1" + "panelIndex": "38992b4f-7a75-4641-afc9-4cede93fbe04", + "type": "lens" } ], "timeRestore": false, "title": "[Logs Wiz] Audit", - "version": 1 + "version": 3 }, "coreMigrationVersion": "8.8.0", - "created_at": "2023-10-13T11:16:54.626Z", + "created_at": "2026-05-26T09:08:16.743Z", "id": "wiz-be3fd3f0-6358-11ee-9db4-21f79f2e6273", - "managed": false, "references": [ { "id": "logs-*", - "name": "955f380d-4b48-416f-8fa3-41dd6c0df91c:indexpattern-datasource-layer-6f8238aa-59ea-4672-a656-4b302e00407e", + "name": "28d1a83b-3558-473c-948c-8157eee46509:indexpattern-datasource-layer-95235e2f-1057-46ba-90d6-474002b2555d", "type": "index-pattern" }, { "id": "logs-*", - "name": "955f380d-4b48-416f-8fa3-41dd6c0df91c:cbfca3e7-f41f-4b16-b399-846ca16aae6d", + "name": "28d1a83b-3558-473c-948c-8157eee46509:e5711963-4101-4e46-a9e9-63d9a3c62352", "type": "index-pattern" }, { "id": "logs-*", - "name": "28d1a83b-3558-473c-948c-8157eee46509:indexpattern-datasource-layer-95235e2f-1057-46ba-90d6-474002b2555d", + "name": "892360c9-2be8-4e1e-a93e-e70a9d2aa8fc:indexpattern-datasource-layer-eda794c9-092a-4564-805e-f3d834f2084d", "type": "index-pattern" }, { "id": "logs-*", - "name": "28d1a83b-3558-473c-948c-8157eee46509:e5711963-4101-4e46-a9e9-63d9a3c62352", + "name": "892360c9-2be8-4e1e-a93e-e70a9d2aa8fc:0bfdde77-b622-4820-b63e-accae3b4f4c5", "type": "index-pattern" }, { "id": "logs-*", - "name": "38992b4f-7a75-4641-afc9-4cede93fbe04:indexpattern-datasource-layer-2ef70662-f7d5-4917-bff4-c212ecf7ad19", + "name": "5f4a4c50-2b75-49e8-997e-996ed535715e:indexpattern-datasource-layer-c4705a46-4a7c-484e-acae-35aa9de658f0", "type": "index-pattern" }, { "id": "logs-*", - "name": "892360c9-2be8-4e1e-a93e-e70a9d2aa8fc:indexpattern-datasource-layer-eda794c9-092a-4564-805e-f3d834f2084d", + "name": 
"5f4a4c50-2b75-49e8-997e-996ed535715e:68046879-96c5-4615-950e-e40001e3bb9b", "type": "index-pattern" }, { "id": "logs-*", - "name": "892360c9-2be8-4e1e-a93e-e70a9d2aa8fc:0bfdde77-b622-4820-b63e-accae3b4f4c5", + "name": "955f380d-4b48-416f-8fa3-41dd6c0df91c:indexpattern-datasource-layer-6f8238aa-59ea-4672-a656-4b302e00407e", "type": "index-pattern" }, { "id": "logs-*", - "name": "5f4a4c50-2b75-49e8-997e-996ed535715e:indexpattern-datasource-layer-c4705a46-4a7c-484e-acae-35aa9de658f0", + "name": "955f380d-4b48-416f-8fa3-41dd6c0df91c:cbfca3e7-f41f-4b16-b399-846ca16aae6d", "type": "index-pattern" }, { "id": "logs-*", - "name": "5f4a4c50-2b75-49e8-997e-996ed535715e:68046879-96c5-4615-950e-e40001e3bb9b", + "name": "38992b4f-7a75-4641-afc9-4cede93fbe04:indexpattern-datasource-layer-2ef70662-f7d5-4917-bff4-c212ecf7ad19", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "38992b4f-7a75-4641-afc9-4cede93fbe04:249b6030-1923-46a8-afcd-02911d27bea8", "type": "index-pattern" } ], "type": "dashboard", - "typeMigrationVersion": "8.9.0" -} \ No newline at end of file + "typeMigrationVersion": "10.3.0", + "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0" +} diff --git a/packages/wiz/kibana/dashboard/wiz-d8f91a20-6363-11ee-a265-c3569aa0cebf.json b/packages/wiz/kibana/dashboard/wiz-d8f91a20-6363-11ee-a265-c3569aa0cebf.json index 6ee96ee0c91..f2e25801883 100644 --- a/packages/wiz/kibana/dashboard/wiz-d8f91a20-6363-11ee-a265-c3569aa0cebf.json +++ b/packages/wiz/kibana/dashboard/wiz-d8f91a20-6363-11ee-a265-c3569aa0cebf.json @@ -1,5 +1,17 @@ { "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": { + "ignoreFilters": false, + "ignoreQuery": false, + "ignoreTimerange": false, + "ignoreValidations": false + }, + "panelsJSON": {}, + "showApplySelections": false + }, "description": "", "kibanaSavedObjectMeta": { "searchSourceJSON": { 
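Review bot: The Audit by Status panel now carries the `data_stream.dataset: wiz.audit` phrase filter twice — once in the Lens `state.filters` (index id updated in the `-722,7 +765,7` hunk) and again in the new `embeddableConfig.filters` block added here together with an empty `query` and the `syncColors`/`syncCursor`/`syncTooltips` keys; the Issue by Status panel in the `-505,8 +545,44` hunk of the Issue dashboard has the same duplication. Presumably this is what the export produced after a filter was pinned at the panel level; if it is unintended, keeping only the Lens-state filter makes the panel consistent with its siblings, which have no embeddable-level filters. This hunk starts two physical lines earlier.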
@@ -20,8 +32,12 @@
 "panelsJSON": [
 {
 "embeddableConfig": {
- "enhancements": {},
- "hidePanelTitles": false,
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "hidePanelTitles": true,
 "savedVis": {
 "data": {
 "aggs": [],
@@ -34,16 +50,16 @@
 }
 },
 "description": "",
- "id": "",
 "params": {
 "fontSize": 12,
- "markdown": "Navigation\n\nWiz Issue\n\n[Wiz Vulnerability](#/dashboard/wiz-927c36f0-6358-11ee-a265-c3569aa0cebf)\n\n[Wiz Cloud Configuration Finding](#/dashboard/wiz-726802c0-4007-48b9-bae5-09daa69d4368)\n\n[Wiz Defend](#/dashboard/wiz-3c3519be-f4f9-4c67-a9d8-1db4182b6e6a)\n\n[Wiz Audit](#/dashboard/wiz-be3fd3f0-6358-11ee-9db4-21f79f2e6273)\n\n[Integration Page](/app/integrations/detail/wiz-0.2.0/overview)\n\nOverview\n\nThis dashboard shows Issue overview related to the Wiz Integration.\n\nThis dashboard is made to provide general statistics and show the detection of ingested issues.\n\nIt provides information about issue data. It also displays the distribution of issues according to status, severity and entity type. It also contains details regarding count of issues over time.",
+ "markdown": "#### Navigation\n\n[Wiz Audit Dashboard](#/dashboard/wiz-be3fd3f0-6358-11ee-9db4-21f79f2e6273) \n[Wiz Cloud Configuration Finding Dashboard](#/dashboard/wiz-726802c0-4007-48b9-bae5-09daa69d4368) \n[Wiz Defend Dashboard](#/dashboard/wiz-3c3519be-f4f9-4c67-a9d8-1db4182b6e6a) \n**Wiz Issue Dashboard** \n[Wiz Vulnerability Dashboard](#/dashboard/wiz-927c36f0-6358-11ee-a265-c3569aa0cebf) \n\n[Integration Page](/app/integrations/detail/wiz/overview)\n\n#### Dashboard Overview\n\nThis dashboard shows Issue overview related to the Wiz Integration.\n\nThis dashboard is made to provide general statistics and show the detection of ingested issues.\n\nIt provides information about issue data. It also displays the distribution of issues according to status, severity and entity type. It also contains details regarding count of issues over time.",
 "openLinksInNewTab": false
 },
 "title": "",
 "type": "markdown",
 "uiState": {}
- }
+ },
+ "title": "Table of Contents"
 },
 "gridData": {
 "h": 25,
@@ -53,9 +69,7 @@ "y": 0 }, "panelIndex": "508e0ce7-ae93-4889-ac6f-061b181855da", - "title": "Table of Contents", - "type": "visualization", - "version": "8.10.1" + "type": "visualization" }, { "embeddableConfig": { @@ -235,7 +249,8 @@ "visualizationType": "lnsDatatable" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "title": "Top 10 Issue Details [Logs Wiz]" }, "gridData": { "h": 12, @@ -245,9 +260,7 @@ "y": 0 }, "panelIndex": "4486be35-cdb7-4f57-bc5a-790877de1a13", - "title": "Top 10 Issue Details [Logs Wiz]", - "type": "lens", - "version": "8.10.1" + "type": "lens" }, { "embeddableConfig": { @@ -385,7 +398,8 @@ "visualizationType": "lnsPie" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "title": "Issue by Severity [Logs Wiz]" }, "gridData": { "h": 12, @@ -395,9 +409,7 @@ "y": 0 }, "panelIndex": "209d9dd1-b157-467f-8595-6a1411ea9b82", - "title": "Issue by Severity [Logs Wiz]", - "type": "lens", - "version": "8.10.1" + "type": "lens" }, { "embeddableConfig": { @@ -408,6 +420,11 @@ "id": "logs-*", "name": "indexpattern-datasource-layer-f0588491-4a9d-43fe-a5c5-37f78ee2ef67", "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8a59c578-ef56-4009-b626-6ca362a82071", + "type": "index-pattern" } ], "state": { @@ -473,7 +490,30 @@ "layers": {} } }, - "filters": [], + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "8a59c578-ef56-4009-b626-6ca362a82071", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "wiz.issue" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "wiz.issue" + } + } + } + ], "internalReferences": [], "query": { "language": "kuery", 
@@ -505,8 +545,44 @@ "type": "lens", "visualizationType": "lnsPie" }, - "enhancements": {}, - "hidePanelTitles": false + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "8a59c578-ef56-4009-b626-6ca362a82071", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "wiz.issue" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "wiz.issue" + } + } + } + ], + "hidePanelTitles": false, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "title": "Issue by Status [Logs Wiz]" }, "gridData": { "h": 13, @@ -516,9 +592,7 @@ "y": 12 }, "panelIndex": "2b7e3f1c-c156-48b8-9c32-f4afc4d1508f", - "title": "Issue by Status [Logs Wiz]", - "type": "lens", - "version": "8.10.1" + "type": "lens" }, { "embeddableConfig": { @@ -658,7 +732,8 @@ "visualizationType": "lnsXY" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "title": "Issue by Entity Type [Logs Wiz]" }, "gridData": { "h": 13, @@ -668,9 +743,7 @@ "y": 12 }, "panelIndex": "136424c9-2f71-4dcc-81ce-87b8ed61612a", - "title": "Issue by Entity Type [Logs Wiz]", - "type": "lens", - "version": "8.10.1" + "type": "lens" }, { "embeddableConfig": { @@ -827,7 +900,8 @@ "visualizationType": "lnsXY" }, "enhancements": {}, - "hidePanelTitles": false + "hidePanelTitles": false, + "title": "Issue over Time [Logs Wiz]" }, "gridData": { "h": 14, 
@@ -837,19 +911,16 @@
 "y": 25
 },
 "panelIndex": "bf85ce23-6dd3-4fc3-ad47-c9ae021c13f9",
- "title": "Issue over Time [Logs Wiz]",
- "type": "lens",
- "version": "8.10.1"
+ "type": "lens"
 }
 ],
 "timeRestore": false,
 "title": "[Logs Wiz] Issue",
- "version": 1
+ "version": 3
 },
 "coreMigrationVersion": "8.8.0",
- "created_at": "2023-10-13T11:15:13.241Z",
+ "created_at": "2026-05-26T09:08:15.617Z",
 "id": "wiz-d8f91a20-6363-11ee-a265-c3569aa0cebf",
- "managed": false,
 "references": [
 {
 "id": "logs-*",
@@ -876,6 +947,11 @@
 "name": "2b7e3f1c-c156-48b8-9c32-f4afc4d1508f:indexpattern-datasource-layer-f0588491-4a9d-43fe-a5c5-37f78ee2ef67",
 "type": "index-pattern"
 },
+ {
+ "id": "logs-*",
+ "name": "2b7e3f1c-c156-48b8-9c32-f4afc4d1508f:8a59c578-ef56-4009-b626-6ca362a82071",
+ "type": "index-pattern"
+ },
 {
 "id": "logs-*",
 "name": "136424c9-2f71-4dcc-81ce-87b8ed61612a:indexpattern-datasource-layer-c967e601-e1f7-41ce-bbad-83fe21431b07",
@@ -898,5 +974,6 @@
 }
 ],
 "type": "dashboard",
- "typeMigrationVersion": "8.9.0"
-}
\ No newline at end of file
+ "typeMigrationVersion": "10.3.0",
+ "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
+}
@@ -18,7 +18,30 @@
 "isTextBasedQuery": false,
 "kibanaSavedObjectMeta": {
 "searchSourceJSON": {
- "filter": [],
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "wiz.defend"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "wiz.defend"
+ }
+ }
+ }
+ ],
 "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
 "query": {
 "language": "kuery",
@@ -33,21 +56,25 @@
 ]
 ],
 "timeRestore": false,
- "title": "Detection Essential Details [Logs Wiz]"
+ "title": "[Logs Wiz] Detection Essential Details"
 },
 "coreMigrationVersion": "8.8.0",
- "created_at": "2025-04-21T06:50:17.258Z",
+ "created_at": "2026-05-26T08:33:23.090Z",
 "created_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0",
- "id": "wiz-f71321c0-a641-4411-a33e-f39569c2c7be",
- "managed": false,
+ "id": "wiz-f661536e-81c2-455b-9a4f-9840d910c318",
 "references": [
 {
 "id": "logs-*",
 "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
 "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
 }
 ],
 "type": "search",
 "typeMigrationVersion": "10.5.0",
 "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
-}
\ No newline at end of file
+}
diff --git a/packages/wiz/manifest.yml b/packages/wiz/manifest.yml
index 7bfd133924a..c7526a59223 100644
--- a/packages/wiz/manifest.yml
+++ b/packages/wiz/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.3.2
 name: wiz
 title: Wiz
-version: "4.2.0"
+version: "4.3.0"
 description: Collect logs from Wiz with Elastic Agent.
 type: integration
 categories:
@@ -47,6 +47,10 @@ screenshots:
 title: Wiz Defend Dashboard Screenshot
 size: 600x600
 type: image/png
+ - src: /img/wiz-policy-editor-ui.png
+ title: Wiz Integration Policy Editor UI
+ size: 1691x2012
+ type: image/png
 icons:
 - src: /img/wiz-logo.svg
 title: Wiz logo
@@ -87,8 +91,7 @@ policy_templates:
 - name: url
 type: text
 title: URL
- description: Base URL of the Wiz API. Default URL given is for the demo environment.
- default: https://api.us17.app.wiz.io
+ description: Base URL of your tenant-specific Wiz API endpoint, for example `https://api.somedc.app.wiz.io`.
 required: true
 show_user: true
 - name: token_url
@@ -97,7 +100,7 @@ policy_templates:
 description: Token URL of Wiz.
 default: https://auth.app.wiz.io/oauth/token
 required: true
- show_user: false
+ show_user: true
 secret: false
 - name: proxy_url
 type: text
diff --git a/packages/wiz/validation.yml b/packages/wiz/validation.yml
index c7bf004b676..1189aa63c89 100644
--- a/packages/wiz/validation.yml
+++ b/packages/wiz/validation.yml
@@ -1,4 +1,3 @@
 errors:
 exclude_checks:
- - SVR00002 # Mandatory filters in dashboards
 - SVR00004 # References in dashboards.
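Review bot: The new `url` description in the `-87,8 +91,7` hunk removes the demo default but does not tell the operator that API requests — which the README says carry the Bearer token — go to whatever host is entered here, so a mistyped or non-Wiz host receives the credential; since the field is now free-form and `required: true`, suggest `description: Base URL of your tenant-specific Wiz API endpoint as shown in your Wiz tenant settings (use the HTTPS endpoint), for example `https://api.somedc.app.wiz.io`.` The `-97,7 +100,7` hunk makes `token_url` visible by default while its description is still `Token URL of Wiz.`; presumably the client credentials are exchanged at this endpoint, so the description should say it normally stays at the `https://auth.app.wiz.io/oauth/token` default and must only point at a Wiz authentication host.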