qualys_vmdr: Improve support for Cloud Detection and Response (CDR) workflow #11999
+5,301
−218
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
10 tasks
kcreddy
added
the
Team:Security-Service Integrations
|
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations) |
💚 Build Succeeded
History
cc @kcreddy |
|
kcreddy
commented
Dec 10, 2024
Comment on lines
+18
to
+20
| - resource.id | ||
| - event.id | ||
| - data_stream.namespace |
efd6
reviewed
Dec 11, 2024
| @@ -1,4 +1,9 @@ | |||
| # newer versions go on top | |||
| - version: "6.0.0" | |||
| changes: | |||
| - description: Leverage Cloud Detection and Response (CDR) workflows in asset_host_detection data-stream. | |||
There was a problem hiding this comment.
Suggested change
| - description: Leverage Cloud Detection and Response (CDR) workflows in asset_host_detection data-stream. | |
| - description: Use Cloud Detection and Response (CDR) workflows in asset_host_detection data-stream. |
?
| @@ -1066,6 +1142,70 @@ processors: | |||
| tag: rename_qualys_vmdr_asset_host_detection_vulnerability_RESULTS_1 | |||
| target_field: qualys_vmdr.asset_host_detection.vulnerability.results | |||
| ignore_missing: true | |||
| # The below 2 gsub processors facilitate `splitOnToken` in subsequent script processor which otherwise cannot split \n or \t. | |||
There was a problem hiding this comment.
Suggested change
| # The below 2 gsub processors facilitate `splitOnToken` in subsequent script processor which otherwise cannot split \n or \t. | |
| # The next two gsub processors facilitate `splitOnToken` in the subsequent script processor, which otherwise cannot split \n or \t. |
Do we know that ; and | do not otherwise appear in the text?
| return; | ||
| } | ||
| def level = Long.parseLong(ctx.qualys_vmdr.asset_host_detection.knowledge_base.SEVERITY_LEVEL); | ||
| if (['Potential Vulnerability', 'Vulnerability', 'Vulnerability or Potential Vulnerability'].contains(vuln_type)) { |
There was a problem hiding this comment.
Could this array be put in a params array to avoid allocs?
Comment on lines
+791
to
+801
| if (level == 1){ | ||
| ctx.qualys_vmdr.asset_host_detection.knowledge_base.SEVERITY_LEVEL = "Minimal"; | ||
| } else if (level == 2) { | ||
| ctx.qualys_vmdr.asset_host_detection.knowledge_base.SEVERITY_LEVEL = "Medium"; | ||
| } else if (level == 3) { | ||
| ctx.qualys_vmdr.asset_host_detection.knowledge_base.SEVERITY_LEVEL = "Serious"; | ||
| } else if (level == 4) { | ||
| ctx.qualys_vmdr.asset_host_detection.knowledge_base.SEVERITY_LEVEL = "Critical"; | ||
| } else if (level == 5) { | ||
| ctx.qualys_vmdr.asset_host_detection.knowledge_base.SEVERITY_LEVEL = "Urgent"; | ||
| } |
There was a problem hiding this comment.
These are dense with a numeric index, so the assignment could be done from a params array after bounds checking. Same below.
There was a problem hiding this comment.
Add a
- append:
field: tags
value: preserve_original_event
allow_duplicates: false
to the final on_failure.
| "Authorization": ["Basic "+(state.user+":"+state.password).base64()], | ||
| } | ||
| }).do_request().as(resp, resp.StatusCode == 200 ? | ||
| resp.Body.as(xml, try(bytes(xml).decode_xml('qualys_api_2_0_ahd'), "decode_xml_error_ahd").as(ahd_body, |
There was a problem hiding this comment.
Since we are now on v8.16.0 this can be
Suggested change
| resp.Body.as(xml, try(bytes(xml).decode_xml('qualys_api_2_0_ahd'), "decode_xml_error_ahd").as(ahd_body, | |
| resp.Body.as(xml, try(xml.decode_xml('qualys_api_2_0_ahd'), "decode_xml_error_ahd").as(ahd_body, |
| (body.?doc.HOST_LIST_VM_DETECTION_OUTPUT.RESPONSE.HOST_LIST.HOST.hasValue() | ||
| } | ||
| }).do_request().as(resp, resp.StatusCode == 200 ? | ||
| resp.Body.as(xml, try(bytes(xml).decode_xml('qualys_api_2_0_kb'), "decode_xml_error_kb").as(kb_body, |
There was a problem hiding this comment.
Suggested change
| resp.Body.as(xml, try(bytes(xml).decode_xml('qualys_api_2_0_kb'), "decode_xml_error_kb").as(kb_body, | |
| resp.Body.as(xml, try(xml.decode_xml('qualys_api_2_0_kb'), "decode_xml_error_kb").as(kb_body, |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Proposed commit message
Add Qualys VMDR's Asset data to Elastic's Cloud Native Vulnerability Management (CNVM) workflow.
Ref: #11673
Note
To Reviewers:
Please refer to this guide: https://docs.elastic.dev/security-solution/cloud-security/cdr/3p-dev-guide which was used for proposed changes.
Checklist
changelog.ymlfile.How to test this PR locally
Run:
cd packages/qualys_vmdr && elastic-package build && elastic-package stack up --version=8.16.0 -d -v && eval "$(elastic-package stack shellinit)" && elastic-package test pipeline --generate -v --data-streams=asset_host_detectionReturns success:
Run:
cd packages/qualys_vmdr && elastic-package build && elastic-package stack up --version=8.16.0 -d -v && eval "$(elastic-package stack shellinit)" && elastic-package test system --generate -v --data-streams=asset_host_detectionReturns success:
Related issues
Screenshots
Source
Destination
Transform