-
Notifications
You must be signed in to change notification settings - Fork 392
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
qualys_vmdr: expand documents to map each vulnerability per host #9293
Conversation
"events": body.doc.HOST_LIST_VM_DETECTION_OUTPUT.RESPONSE.HOST_LIST.HOST.map(h, | ||
h.DETECTION_LIST.DETECTION.map(v, { | ||
"message": h.with({"DETECTION_LIST": v}).encode_json(), | ||
}) | ||
).flatten(), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A less invasive change that does not require any of the ingest pipeline changes, and is not a breaking change, but does not match the issue is
"events": body.doc.HOST_LIST_VM_DETECTION_OUTPUT.RESPONSE.HOST_LIST.HOST.map(h, | |
h.DETECTION_LIST.DETECTION.map(v, { | |
"message": h.with({"DETECTION_LIST": v}).encode_json(), | |
}) | |
).flatten(), | |
"events": body.doc.HOST_LIST_VM_DETECTION_OUTPUT.RESPONSE.HOST_LIST.HOST.map(h, | |
h.DETECTION_LIST.DETECTION.map(v, { | |
"message": h.with({"DETECTION_LIST": {"DETECTION": [v]}}).encode_json(), | |
}) | |
).flatten(), |
This would still map each vuln of each host to a separate document, but would leave the detection in an array of one with the old name. This would mean that it does not break any existing users, but as noted in the issue, "With the current integration, we can't easily create dashboards and enrich vulnerability data (not sure it's possible in an array)." Also the name would now be misleading since it's only an array in shape.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think there are many people using it in Production at the moment. And I'm not sure we can enrich from the Qualys Knowledge Base from an array (even with 1 value).
I'm in favour to have something cleaner and not store the vulnerability in an array of one value (not sure if it'll be the case or not).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks. I agree, but wanted to make sure.
🚀 Benchmarks reportTo see the full report comment with |
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations) |
fyi @clement-fouque |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It looks good to me. I'm wondering if we should name the parent field qualys_vmdr.vulnerability
or something else. But I don't think about something better.
target_field: qualys_vmdr.asset_host_detection.vulnerability | ||
ignore_missing: true | ||
- rename: | ||
if: ctx.qualys_vmdr?.asset_host_detection?.vulnerability != null |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does this null check on root field indicate the inner field qualys_vmdr.asset_host_detection.vulnerability.UNIQUE_VULN_ID
to be non-null? Just making sure because its same for other processors.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good catch. Checking the XSD, they are all minOccurs='0' maxOccurs='1'. Will fix.
on_failure: | ||
- append: | ||
field: error.message | ||
value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we should also capture failures for all above date processors to improve telemetry.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will add.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM 👍🏼
💚 Build Succeeded
History
cc @efd6 |
|
Package qualys_vmdr - 2.0.0 containing this change is available at https://epr.elastic.co/search?package=qualys_vmdr |
Proposed commit message
See title.
Checklist
changelog.yml
file.Author's Checklist
How to test this PR locally
Related issues
Screenshots