elastic · efd6 · Mar 14, 2024 · Feb 20, 2024 · Feb 22, 2024 · Feb 22, 2024
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
@@ -0,0 +1,3 @@
+dependencies:
+  ecs:
+    reference: "git@v8.11.0"
@@ -0,0 +1,13 @@
+# CISA KEV integration
+
+This integration is for [CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) logs. This data can be useful for current awareness of Known Exploited Vulnerabilities according to CISA and also for enriching other vulnerability scan data in the Elastic stack. It includes the following datasets for retrieving logs from the CISA KEV website:
+
+- `vulnerability` dataset: Supports vulnerabilities classified as known exploited from CISA.
+
+## Logs
+
+### Vulnerabilities
+
+The CISA KEV data_stream retrieves vulnerability information from the endpoint `https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json`.
+
+{{fields "vulnerability"}}
@@ -0,0 +1,14 @@
+version: "2.3"
+services:
+  cisakev:
+    image: docker.elastic.co/observability/stream:v0.7.0
+    ports:
+      - 8080
+    volumes:
+      - ./files:/files:ro
+    environment:
+      PORT: 8080
+    command:
+      - http-server
+      - --addr=:8080
+      - --config=/files/config.yml
@@ -0,0 +1,6 @@
+# newer versions go on top
+- version: "0.1.0"
+  changes:
+    - description: Initial draft of the package
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/9240 # FIXME Replace with the real PR link
@@ -0,0 +1,3 @@
+fields:
+  tags:
+    - preserve_original_event
@@ -0,0 +1,7 @@
+input: httpjson
+service: cisakev
+data_stream:
+  vars:
+    url: http://{{Hostname}}:{{Port}}/sites/default/files/feeds/known_exploited_vulnerabilities.json
+    preserve_original_event: true
+    enable_request_tracer: true
@@ -0,0 +1,42 @@
+config_version: "2"
+interval: {{interval}}
+request.method: "GET"
+{{#if enable_request_tracer}}
+request.tracer.filename: "../../logs/httpjson/http-request-trace-*.ndjson"
+request.tracer.maxbackups: 5
+{{/if}}
+
+{{#if url}}
+request.url: {{url}}
+{{/if}}
+{{#if proxy_url }}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+{{#if http_client_timeout}}
+request.timeout: {{http_client_timeout}}
+{{/if}}
+request.transforms:
+- set:
+    target: header.Content-Type
+    value: application/json
+
+response.split:
+  target: body.vulnerabilities
+
+tags:
+{{#if preserve_original_event}}
+  - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+  - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
@@ -0,0 +1,118 @@
+---
+description: Pipeline for parsing the CISA KEV Catalog
+processors:
+  ####################
+  # Event ECS fields #
+  ####################
+  - set:
+      field: ecs.version
+      value: '8.11.0'
+  - set:
+      field: event.kind
+      value: enrichment
+  - set:
+      field: event.category
+      value: [vulnerability]
+  - set:
+      field: event.type
+      value: [info]
+  ######################
+  # General ECS fields #
+  ######################
+  - rename:
+      field: message
+      target_field: event.original
+      ignore_missing: true
+      if: ctx.event?.original == null
+  - json:
+      field: event.original
+      target_field: cisa_kev
+  - fingerprint:
+      fields:
+        - cisa_kev.cveID
+      target_field: "_id"
+  - date:
+      field: cisa_kev.dateAdded
+      formats:
+        - "yyyy-MM-dd"
+  #####################
+  # Vulnerability ECS Fields #
+  #####################
+  - rename:
+      field: cisa_kev.cveID
+      target_field: vulnerability.id
+      ignore_missing: true
+  - rename:
+      field: cisa_kev.shortDescription
+      target_field: vulnerability.description
+      ignore_missing: true
+
+  #####################
+  # CISA KEV Custom Fields #
+  #####################
+  - rename:
+      field: cisa_kev.product
+      target_field: cisa_kev.vulnerability.product
+      ignore_missing: true
+  - rename:
+      field: cisa_kev.vulnerabilityName
+      target_field: cisa_kev.vulnerability.name
+      ignore_missing: true
+  - rename:
+      field: cisa_kev.notes
+      target_field: cisa_kev.vulnerability.notes
+      ignore_missing: true
+  - rename:
+      field: cisa_kev.dueDate
+      target_field: cisa_kev.vulnerability.due_date
+      ignore_missing: true
+  - rename:
+      field: cisa_kev.vendorProject
+      target_field: cisa_kev.vulnerability.vendor_project
+      ignore_missing: true
+  - rename:
+      field: cisa_kev.knownRansomwareCampaignUse
+      target_field: cisa_kev.vulnerability.known_ransomware_campaign_use
+      ignore_missing: true
+  - rename:
+      field: cisa_kev.requiredAction
+      target_field: cisa_kev.vulnerability.required_action
+      ignore_missing: true
+  - rename:
+      field: cisa_kev.dateAdded
+      target_field: cisa_kev.vulnerability.date_added
+      ignore_missing: true
+
+  ######################
+  # Cleanup processors #
+  ######################
+
+  - remove:
+      field: event.original
+      if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+      ignore_failure: true
+      ignore_missing: true
+  - script:
+      description: Remove null/empty values recursively.
+      lang: painless
+      source: |-
+        boolean drop(Object o) {
+          if (o == null || o == '') {
+            return true;
+          } else if (o instanceof Map) {
+            ((Map) o).values().removeIf(v -> drop(v));
+            return (((Map) o).size() == 0);
+          } else if (o instanceof List) {
+            ((List) o).removeIf(v -> drop(v));
+            return (((List) o).length == 0);
+          }
+          return false;
+        }
+        drop(ctx);
+on_failure:
+  - set:
+      field: event.kind
+      value: pipeline_error
+  - append:
+      field: error.message
+      value: '{{{ _ingest.on_failure_message }}}'
@@ -0,0 +1,12 @@
+- name: data_stream.type
+  type: constant_keyword
+  description: Data stream type.
+- name: data_stream.dataset
+  type: constant_keyword
+  description: Data stream dataset.
+- name: data_stream.namespace
+  type: constant_keyword
+  description: Data stream namespace.
+- name: '@timestamp'
+  type: date
+  description: Event timestamp.
@@ -0,0 +1,3 @@
+- name: input.type
+  type: keyword
+  description: Type of Filebeat input.
@@ -0,0 +1,24 @@
+- external: ecs
+  name: ecs.version
+- external: ecs
+  name: message
+- external: ecs
+  name: error.message
+- external: ecs
+  name: tags
+- external: ecs
+  name: event.ingested
+- external: ecs
+  name: event.kind
+- external: ecs
+  name: event.category
+- external: ecs
+  name: event.type
+- external: ecs
+  name: event.created
+- external: ecs
+  name: event.original
+- external: ecs
+  name: vulnerability.id
+- external: ecs
+  name: vulnerability.description
@@ -0,0 +1,44 @@
+- name: cisa_kev.vulnerability
+  type: group
+  description: All fields related to the CISA Known Exploited Vulnerabilities.
+  fields:
+    - name: vendor_project
+      type: keyword
+      description: >
+        The vendor or project name for the vulnerability
+
+    - name: product
+      type: keyword
+      description: >
+        The vulnerability product
+
+    - name: name
+      type: keyword
+      description: >
+        The name of the vulnerability
+
+    - name: date_added
+      type: date
+      description: >
+        The date the vulnerability was added to the catalog in the format YYYY-MM-DD
+
+    - name: required_action
+      type: keyword
+      description: >
+        The required action to address the vulnerability
+
+    - name: due_date
+      type: date
+      description: >
+        The date the required action is due in the format YYYY-MM-DD
+
+    - name: known_ransomware_campaign_use
+      type: keyword
+      description: >
+        'Known' if this vulnerability is known to have been leveraged as part of a ransomware campaign; 'Unknown' if CISA lacks confirmation that the vulnerability has been utilized for ransomware
+
+    - name: notes
+      type: keyword
+      description: >
+        Any additional notes about the vulnerability
+
@@ -0,0 +1,69 @@
+title: "CISA Known Exploited Vulnerabilities List"
+type: logs
+streams:
+  - input: httpjson
+    vars:
+      - name: url
+        type: text
+        title: CISA KEV URL Catalog API endpoint
+        multi: false
+        required: true
+        show_user: false
+        default: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
+      - name: http_client_timeout
+        type: text
+        title: HTTP Client Timeout
+        description: Duration before declaring that the HTTP client connection has timed out. Valid time units are ns, us, ms, s, m, h.
+        multi: false
+        required: false
+        show_user: false
+        default: 30s
+      - name: proxy_url
+        type: text
+        title: Proxy URL
+        multi: false
+        required: false
+        show_user: false
+        description: URL to proxy connections in the form of http\[s\]://<user>:<password>@<server name/ip>:<port>
+      - name: interval
+        type: text
+        title: Interval
+        multi: false
+        required: true
+        show_user: true
+        default: 60m
+      - name: ssl
+        type: yaml
+        title: SSL
+        multi: false
+        required: false
+        show_user: false
+      - name: tags
+        type: text
+        title: Tags
+        multi: true
+        required: true
+        show_user: false
+        default:
+          - forwarded
+          - cisa-kev
+      - name: preserve_original_event
+        required: true
+        show_user: true
+        title: Preserve original event
+        description: Preserves a raw copy of the original event, added to the field `event.original`
+        type: bool
+        multi: false
+        default: false
+      - name: processors
+        type: yaml
+        title: Processors
+        multi: false
+        required: false
+        show_user: false
+        description: >
+          Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+
+    template_path: httpjson.yml.hbs
+    title: CISA KEV Catalog logs
+    description: Collect CISA Known Exploited Vulnerability logs