Wiz
Wiz continuously prioritizes critical risks based on a deep cloud analysis across misconfigurations, network exposure, secrets, vulnerabilities, malware, and identities, building a single prioritized view of risk for your cloud. The Wiz integration lets you consume and analyze Wiz data in Elastic Security, including issues, audit events, misconfigurations, and vulnerabilities, giving you visibility and context for your cloud environments within Elastic Security.
Data streams
The Wiz integration collects four types of data: audit, cloud configuration finding, issue, and vulnerability.
Requirements
Elastic Agent must be installed. For more details, refer to the linked documentation.
Installing and managing an Elastic Agent
You have a few options for installing and managing an Elastic Agent:
Install a Fleet-managed Elastic Agent (recommended)
With this approach, you install Elastic Agent and use Fleet in Kibana to define, configure, and manage your agents in a central location. We recommend using Fleet management because it makes the management and upgrade of your agents considerably easier.
Install Elastic Agent in standalone mode (advanced users)
With this approach, you install Elastic Agent and manually configure the agent locally on the system where it is installed. You are responsible for managing and upgrading the agents. This approach is reserved for advanced users only.
Install Elastic Agent in a containerized environment
You can run Elastic Agent inside a container, either with Fleet Server or standalone. Docker images for all versions of Elastic Agent are available from the Elastic Docker registry, and we provide deployment manifests for running on Kubernetes.
There are some minimum requirements for running Elastic Agent; for more information, refer to the linked documentation.
The minimum kibana.version required is 8.10.1. This module has been tested against the Wiz API version v1.
Setup
To collect data from Wiz, the following parameters from your Wiz instance are required:
- Client ID
- Client Secret
- Token URL
- API Endpoint URL
Required scopes per data stream:
Data stream | Scopes
---|---
Audit | admin:audit
Issue | read:issues
Vulnerability | read:vulnerabilities
Cloud Configuration Finding | read:cloud_configuration
Obtaining the Wiz URL
- Navigate to your user profile and copy the API Endpoint URL.
Steps to obtain the Client ID and Client Secret
- In the Wiz dashboard, navigate to Settings > Service Accounts.
- Click Add Service Account.
- Name the new service account, for example: Elastic Integration.
- If required, narrow the scope of this service account to specific projects.
- Select the permission read:resources, then click Add Service Account.
- Copy the Client Secret. Note that you will not be able to copy it after this stage.
- Copy the Client ID, which is displayed under the Service Accounts page.
Enabling the integration in Elastic
- In Kibana, go to Management > Integrations.
- In the "Search for integrations" search bar, type Wiz.
- Click the "Wiz" integration from the search results.
- Click the "Add Wiz" button to add the integration.
- Add all the required integration configuration parameters, such as Client ID, Client Secret, URL, and Token URL. These must be provided for all data streams in order to retrieve logs.
- Save the integration.
Note
- The vulnerability data_stream pulls vulnerabilities from the previous day.
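Because the service account's scopes are the only Wiz privileges the integration holds, a practitioner will want to verify them against the per-data-stream table above. The following least-privilege check is an added example, not code from the Elastic integration or from Wiz; it reads the scopes Wiz records on the service account's own login event in the `audit` data stream (field names taken from the audit example in the logs reference) and reports missing and excess grants. The sample event is constructed from the page's audit example and trimmed to the fields the check uses.

```python
"""Least-privilege check for the Wiz service account behind the Elastic integration.

Added example, not part of the Elastic or Wiz documentation. It compares the scopes
Wiz granted to the integration's service account (as recorded on its login event in
the wiz.audit data stream) with the scopes the setup section requires per data stream.
"""
import json

# Scopes the integration documents per data stream (setup section table).
REQUIRED_SCOPES = {
    "audit": {"admin:audit"},
    "issue": {"read:issues"},
    "vulnerability": {"read:vulnerabilities"},
    "cloud_configuration_finding": {"read:cloud_configuration"},
}

# Constructed sample, trimmed from the page's audit example event: the login of the
# integration's service account, with the scopes Wiz granted it. The raw Wiz payload
# is preserved by the integration as a JSON string in event.original.
SAMPLE_AUDIT_EVENT = {
    "event": {
        "action": "login",
        "dataset": "wiz.audit",
        "original": json.dumps({
            "action": "Login",
            "actionParameters": {
                "clientID": "afsdafasmdgj5c",
                "name": "example",
                "scopes": ["read:issues", "read:reports", "read:vulnerabilities",
                           "update:reports", "create:reports", "admin:audit"],
            },
            "serviceAccount": {"id": "mlipebtwsndhxdmnzdwrxzmiolvzt6topjvv4nugzctcsyarazrhg",
                               "name": "elastic"},
            "status": "SUCCESS",
        }),
    },
    # The mapped wiz.audit.action_parameters.scopes field is deliberately absent here
    # so the fallback to event.original is exercised.
    "wiz": {"audit": {"action": "Login", "service_account": {"name": "elastic"}}},
}


def granted_scopes(event):
    """Return the scopes granted to the service account that produced a wiz.audit login event.

    Prefers the ECS-mapped wiz.audit.action_parameters.scopes field when the ingest
    pipeline populated it; otherwise parses the raw Wiz payload in event.original.
    """
    if event.get("event", {}).get("dataset") != "wiz.audit":
        raise ValueError("not a wiz.audit event")
    mapped = (event.get("wiz", {}).get("audit", {})
              .get("action_parameters", {}).get("scopes"))
    if mapped is not None:
        return set(mapped)
    raw = json.loads(event["event"]["original"])
    return set(raw.get("actionParameters", {}).get("scopes") or [])


def check_scopes(granted, enabled_streams):
    """Compare granted scopes with those the enabled data streams need.

    Returns sorted lists of missing scopes (collection for that stream will fail)
    and excess scopes (grants the integration does not need and can be revoked).
    """
    unknown = set(enabled_streams) - REQUIRED_SCOPES.keys()
    if unknown:
        raise ValueError(f"unknown data stream(s): {sorted(unknown)}")
    required = set().union(*(REQUIRED_SCOPES[s] for s in enabled_streams))
    granted = set(granted)
    return {
        "missing": sorted(required - granted),
        "excess": sorted(granted - required),
    }


def audit_service_account(event, enabled_streams):
    """Run the check end to end on one wiz.audit login event."""
    return check_scopes(granted_scopes(event), enabled_streams)


if __name__ == "__main__":
    result = audit_service_account(SAMPLE_AUDIT_EVENT, REQUIRED_SCOPES.keys())
    print("missing:", result["missing"])   # ['read:cloud_configuration']
    print("excess: ", result["excess"])    # ['create:reports', 'read:reports', 'update:reports']
```

With all four data streams enabled, the sample account lacks `read:cloud_configuration` (the cloud configuration finding stream would return nothing) and carries three report scopes the integration never uses.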
Logs reference
Audit
This is the Audit dataset.
Example
An example event for `audit` looks as following:
```json
{ "@timestamp": "2023-07-21T07:07:21.105Z", "agent": { "ephemeral_id": "5c3096ee-b490-4b19-a848-bfed150c1bca", "id": "927b2eff-4394-4486-ab77-d6bfa7c529cf", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.10.1" }, "data_stream": { "dataset": "wiz.audit", "namespace": "ep", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { "id": "927b2eff-4394-4486-ab77-d6bfa7c529cf", "snapshot": false, "version": "8.10.1" }, "event": { "action": "login", "agent_id_status": "verified", "category": [ "authentication" ], "dataset": "wiz.audit", "id": "hhd8ab9c-f1bf-4a80-a1e1-13bc8769caf4", "ingested": "2023-10-03T10:35:48Z", "kind": "event", "original": "{\"action\":\"Login\",\"actionParameters\":{\"clientID\":\"afsdafasmdgj5c\",\"groups\":null,\"name\":\"example\",\"products\":[\"*\"],\"role\":\"\",\"scopes\":[\"read:issues\",\"read:reports\",\"read:vulnerabilities\",\"update:reports\",\"create:reports\",\"admin:audit\"],\"userEmail\":\"\",\"userID\":\"afsafasdghbhdfg5t35fdgs\",\"userpoolID\":\"us-east-2_GQ3gwvxsQ\"},\"id\":\"hhd8ab9c-f1bf-4a80-a1e1-13bc8769caf4\",\"requestId\":\"hhd8ab9c-f1bf-4a80-a1e1-13bc8769caf4\",\"serviceAccount\":{\"id\":\"mlipebtwsndhxdmnzdwrxzmiolvzt6topjvv4nugzctcsyarazrhg\",\"name\":\"elastic\"},\"sourceIP\":null,\"status\":\"SUCCESS\",\"timestamp\":\"2023-07-21T07:07:21.105685Z\",\"user\":null,\"userAgent\":null}", "outcome": "success", "type": [ "info" ] }, "http": { "request": { "id": "hhd8ab9c-f1bf-4a80-a1e1-13bc8769caf4" } }, "input": { "type": "cel" }, "related": { "user": [ "afsafasdghbhdfg5t35fdgs", "us-east-2_GQ3gwvxsQ" ] }, "tags": [ "preserve_original_event", "preserve_duplicate_custom_fields", "forwarded", "wiz-audit" ], "wiz": { "audit": { "action": "Login", "action_parameters": { "client_id": "afsdafasmdgj5c", "name": "example", "products": [ "*" ], "scopes": [ "read:issues", "read:reports", "read:vulnerabilities", "update:reports", "create:reports", "admin:audit" ], "user": { "id": "afsafasdghbhdfg5t35fdgs" }, "userpool_id": "us-east-2_GQ3gwvxsQ" }, "id": "hhd8ab9c-f1bf-4a80-a1e1-13bc8769caf4", "request_id": "hhd8ab9c-f1bf-4a80-a1e1-13bc8769caf4", "service_account": { "id": "mlipebtwsndhxdmnzdwrxzmiolvzt6topjvv4nugzctcsyarazrhg", "name": "elastic" }, "status": "SUCCESS", "timestamp": "2023-07-21T07:07:21.105Z" } } }
```
Exported fields

Field | Description | Type
---|---|---
@timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date
data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include | constant_keyword
data_stream.namespace | A user-defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will use | constant_keyword
data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword
event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It is recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword
event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), then | constant_keyword
input.type | Type of Filebeat input. | keyword
log.offset | Log offset. | long
wiz.audit.action | | keyword
wiz.audit.action_parameters.client_id | | keyword
wiz.audit.action_parameters.groups | | flattened
wiz.audit.action_parameters.name | | keyword
wiz.audit.action_parameters.products | | keyword
wiz.audit.action_parameters.role | | keyword
wiz.audit.action_parameters.scopes | | keyword
wiz.audit.action_parameters.user.email | | keyword
wiz.audit.action_parameters.user.id | | keyword
wiz.audit.action_parameters.userpool_id | | keyword
wiz.audit.id | | keyword
wiz.audit.request_id | | keyword
wiz.audit.service_account.id | | keyword
wiz.audit.service_account.name | | keyword
wiz.audit.source_ip | | ip
wiz.audit.status | | keyword
wiz.audit.timestamp | | date
wiz.audit.user.id | | keyword
wiz.audit.user.name | | keyword
wiz.audit.user_agent | | keyword
Cloud Configuration Finding
This is the Cloud Configuration Finding dataset.
Example
An example event for `cloud_configuration_finding` looks as following:
```json
{ "@timestamp": "2023-06-12T11:38:07.900Z", "cloud": { "account": { "id": "cfd132be-3bc7-4f86-8efd-ed53ae498fec", "name": "Wiz - DEV Outpost" }, "provider": "azure" }, "ecs": { "version": "8.11.0" }, "event": { "category": [ "configuration" ], "created": "2023-06-12T11:38:07.900Z", "id": "bdeba988-f41b-55e6-9b99-96b8d3dc67d4", "kind": "state", "original": "{\"id\":\"bdeba988-f41b-55e6-9b99-96b8d3dc67d4\",\"targetExternalId\":\"k8s/pod/da99fd668e64c2def251b1d48b7b69ad3129638787a0f9144a993fe30fd4554f/default/cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx\",\"targetObjectProviderUniqueId\":\"cd971d74-92db-495c-8244-82da9a988fd0\",\"firstSeenAt\":\"2023-06-12T11:38:07.900129Z\",\"analyzedAt\":\"2023-06-12T11:38:07.900129Z\",\"severity\":\"LOW\",\"result\":\"FAIL\",\"status\":\"OPEN\",\"remediation\":\"Follow the step below to ensure that each [Pod](https://kubernetes.ac.cn/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \\r\\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . \\r\\n* `securityContext.capabilities.drop` key is set to `ALL`. \\r\\n\",\"resource\":{\"id\":\"0e814bb7-29e8-5c15-be9c-8da42c67ee99\",\"providerId\":\"provider-id-0e814bb7-29e8-5c15-be9c-8da42c67ee99\",\"name\":\"cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx\",\"nativeType\":\"Pod\",\"type\":\"POD\",\"region\":null,\"subscription\":{\"id\":\"a3a3cc43-1dfd-50f1-882e-692840d4a891\",\"name\":\"Wiz - DEV Outpost\",\"externalId\":\"cfd132be-3bc7-4f86-8efd-ed53ae498fec\",\"cloudProvider\":\"Azure\"},\"projects\":null,\"tags\":[{\"key\":\"pod-template-hash\",\"value\":\"8bc677d64\"},{\"key\":\"app.kubernetes.io/name\",\"value\":\"azure-cluster-autoscaler\"},{\"key\":\"app.kubernetes.io/instance\",\"value\":\"cluster-autoscaler\"}]},\"rule\":{\"id\":\"73553de7-f2ad-4ffb-b425-c69815033530\",\"shortId\":\"Pod-32\",\"graphId\":\"99ffeef7-75df-5c88-9265-5ab50ffbc2b9\",\"name\":\"Pod should run containers with authorized additional capabilities (PSS Restricted)\",\"description\":\"This rule is part of the Kubernetes [Pod Security Standards (PSS) restricted policies](https://kubernetes.ac.cn/docs/concepts/security/pod-security-standards/#restricted). \\nThis rule checks whether the pod is running containers with authorized additional capabilities. \\nThis rule fails if the `securityContext.capabilities.add` contains any capability beyond `NET_BIND_SERVICE` and if `securityContext.capabilities.drop` is not set to `ALL`. \\nBy default, if the `securityContext.capabilities.add` key is not set, the pod will not run with additional capabilities, and the rule will pass. \\nLinux capabilities allow granting certain privileges to a container without granting any unnecessary ones intended for the root user.\",\"remediationInstructions\":\"Follow the step below to ensure that each [Pod](https://kubernetes.ac.cn/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \\r\\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . \\r\\n* `securityContext.capabilities.drop` key is set to `ALL`. \\r\\n\",\"functionAsControl\":false},\"securitySubCategories\":[{\"id\":\"wsct-id-5206\",\"title\":\"Container Security\",\"category\":{\"id\":\"wct-id-423\",\"name\":\"9 Container Security\",\"framework\":{\"id\":\"wf-id-1\",\"name\":\"Wiz\"}}},{\"id\":\"wsct-id-8176\",\"title\":\"5.1 Containers should not run with additional capabilities\",\"category\":{\"id\":\"wct-id-1295\",\"name\":\"5 Capabilities\",\"framework\":{\"id\":\"wf-id-57\",\"name\":\"Kubernetes Pod Security Standards (Restricted)\"}}},{\"id\":\"wsct-id-8344\",\"title\":\"Cluster misconfiguration\",\"category\":{\"id\":\"wct-id-1169\",\"name\":\"2 Container & Kubernetes Security\",\"framework\":{\"id\":\"wf-id-53\",\"name\":\"Wiz Detailed\"}}}]}", "outcome": "failure", "type": [ "info" ] }, "message": "This rule is part of the Kubernetes [Pod Security Standards (PSS) restricted policies](https://kubernetes.ac.cn/docs/concepts/security/pod-security-standards/#restricted). \nThis rule checks whether the pod is running containers with authorized additional capabilities. \nThis rule fails if the `securityContext.capabilities.add` contains any capability beyond `NET_BIND_SERVICE` and if `securityContext.capabilities.drop` is not set to `ALL`. \nBy default, if the `securityContext.capabilities.add` key is not set, the pod will not run with additional capabilities, and the rule will pass. \nLinux capabilities allow granting certain privileges to a container without granting any unnecessary ones intended for the root user.", "observer": { "vendor": "Wiz" }, "resource": { "id": "provider-id-0e814bb7-29e8-5c15-be9c-8da42c67ee99", "name": "cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx", "sub_type": "Pod", "type": "POD" }, "result": { "evaluation": "FAILED" }, "rule": { "description": "This rule is part of the Kubernetes [Pod Security Standards (PSS) restricted policies](https://kubernetes.ac.cn/docs/concepts/security/pod-security-standards/#restricted). \nThis rule checks whether the pod is running containers with authorized additional capabilities. \nThis rule fails if the `securityContext.capabilities.add` contains any capability beyond `NET_BIND_SERVICE` and if `securityContext.capabilities.drop` is not set to `ALL`. \nBy default, if the `securityContext.capabilities.add` key is not set, the pod will not run with additional capabilities, and the rule will pass. \nLinux capabilities allow granting certain privileges to a container without granting any unnecessary ones intended for the root user.", "id": "Pod-32", "name": "Pod should run containers with authorized additional capabilities (PSS Restricted)", "remediation": "Follow the step below to ensure that each [Pod](https://kubernetes.ac.cn/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \r\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . \r\n* `securityContext.capabilities.drop` key is set to `ALL`. \r\n", "uuid": "73553de7-f2ad-4ffb-b425-c69815033530" }, "tags": [ "preserve_original_event", "preserve_duplicate_custom_fields" ], "wiz": { "cloud_configuration_finding": { "analyzed_at": "2023-06-12T11:38:07.900Z", "id": "bdeba988-f41b-55e6-9b99-96b8d3dc67d4", "resource": { "id": "0e814bb7-29e8-5c15-be9c-8da42c67ee99", "name": "cluster-autoscaler-azure-cluster-autoscaler-8bc677d64-z2qfx", "native_type": "Pod", "provider_id": "provider-id-0e814bb7-29e8-5c15-be9c-8da42c67ee99", "subscription": { "cloud_provider": "Azure", "external_id": "cfd132be-3bc7-4f86-8efd-ed53ae498fec", "name": "Wiz - DEV Outpost" }, "type": "POD" }, "result": "FAIL", "rule": { "description": "This rule is part of the Kubernetes [Pod Security Standards (PSS) restricted policies](https://kubernetes.ac.cn/docs/concepts/security/pod-security-standards/#restricted). \nThis rule checks whether the pod is running containers with authorized additional capabilities. \nThis rule fails if the `securityContext.capabilities.add` contains any capability beyond `NET_BIND_SERVICE` and if `securityContext.capabilities.drop` is not set to `ALL`. \nBy default, if the `securityContext.capabilities.add` key is not set, the pod will not run with additional capabilities, and the rule will pass. \nLinux capabilities allow granting certain privileges to a container without granting any unnecessary ones intended for the root user.", "id": "73553de7-f2ad-4ffb-b425-c69815033530", "name": "Pod should run containers with authorized additional capabilities (PSS Restricted)", "remediation_instructions": "Follow the step below to ensure that each [Pod](https://kubernetes.ac.cn/docs/concepts/workloads/pods) should runs containers with allowed additional capabilities: \r\n* The following capabilities are not allowed : {{removeUnnecessaryCapabilities}} . \r\n* `securityContext.capabilities.drop` key is set to `ALL`. \r\n", "short_id": "Pod-32" } } } }
```
Exported fields

Field | Description | Type
---|---|---
@timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date
data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include | constant_keyword
data_stream.namespace | A user-defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will use | constant_keyword
data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword
event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It is recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword
event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), then | constant_keyword
input.type | Type of Filebeat input. | keyword
log.offset | Log offset. | long
resource.id | | keyword
resource.name | | keyword
resource.sub_type | | keyword
resource.type | | keyword
result.evaluation | | keyword
result.evidence.cloud_configuration_link | | text
result.evidence.configuration_path | | text
result.evidence.current_value | | text
result.evidence.expected_value | | text
rule.remediation | | keyword
tags | List of keywords used to tag each event. | keyword
wiz.cloud_configuration_finding.analyzed_at | | date
wiz.cloud_configuration_finding.evidence.cloud_configuration_link | | text
wiz.cloud_configuration_finding.evidence.configuration_path | | text
wiz.cloud_configuration_finding.evidence.current_value | | text
wiz.cloud_configuration_finding.evidence.expected_value | | text
wiz.cloud_configuration_finding.id | | keyword
wiz.cloud_configuration_finding.resource.cloud_platform | | keyword
wiz.cloud_configuration_finding.resource.id | | keyword
wiz.cloud_configuration_finding.resource.name | | keyword
wiz.cloud_configuration_finding.resource.native_type | | keyword
wiz.cloud_configuration_finding.resource.provider_id | | keyword
wiz.cloud_configuration_finding.resource.region | | keyword
wiz.cloud_configuration_finding.resource.subscription.cloud_provider | | keyword
wiz.cloud_configuration_finding.resource.subscription.external_id | | keyword
wiz.cloud_configuration_finding.resource.subscription.name | | keyword
wiz.cloud_configuration_finding.resource.type | | keyword
wiz.cloud_configuration_finding.result | | keyword
wiz.cloud_configuration_finding.rule.description | | text
wiz.cloud_configuration_finding.rule.id | | keyword
wiz.cloud_configuration_finding.rule.name | | keyword
wiz.cloud_configuration_finding.rule.remediation_instructions | | text
wiz.cloud_configuration_finding.rule.short_id | | keyword
Issue
This is the Issue dataset.
Example
An example event for `issue` looks as following:
```json
{ "@timestamp": "2023-07-31T06:26:08.708Z", "agent": { "ephemeral_id": "e74ac4d2-8565-45ee-8c61-c66b6f3151bf", "id": "927b2eff-4394-4486-ab77-d6bfa7c529cf", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.10.1" }, "cloud": { "provider": "Kubernetes", "region": "us-01" }, "data_stream": { "dataset": "wiz.issue", "namespace": "ep", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { "id": "927b2eff-4394-4486-ab77-d6bfa7c529cf", "snapshot": false, "version": "8.10.1" }, "event": { "agent_id_status": "verified", "category": [ "configuration" ], "created": "2023-08-23T07:56:09.903Z", "dataset": "wiz.issue", "id": "fff9cffd-64a7-412c-9535-cf837f4b0b40", "ingested": "2023-10-03T10:22:42Z", "kind": "event", "original": "{\"createdAt\":\"2023-08-23T07:56:09.903743Z\",\"dueAt\":\"2023-08-30T21:00:00Z\",\"entitySnapshot\":{\"cloudPlatform\":\"Kubernetes\",\"cloudProviderURL\":\"https://portal.az.com/#@sectest.on.com/resource//subscriptions/\",\"externalId\":\"k8s/clusterrole/aaa8e7ca2bf9bc85a75d5bbdd8ffd08d69f8852782a6341c3c3519sad45/system:aggregate-to-edit/12\",\"id\":\"e507d472-b7da-5f05-9b25-72a271336b14\",\"name\":\"system:aggregate-to-edit\",\"nativeType\":\"ClusterRole\",\"providerId\":\"k8s/clusterrole/aaa8e7ca2bf9bc85a75d5bbdd8ffd08d69f8852782a6341c3c3519bac0f24ae9/system:aggregate-to-edit/12\",\"region\":\"us-01\",\"resourceGroupExternalId\":\"/subscriptions/cfd132be-3bc7-4f86-8efd-ed53ae498fec/resourcegroups/test-selfmanaged-eastus\",\"status\":\"Active\",\"subscriptionExternalId\":\"998231069301\",\"subscriptionName\":\"demo-integrations\",\"subscriptionTags\":{},\"tags\":{\"kubernetes.io/bootstrapping\":\"rbac-defaults\",\"rbac.authorization.k8s.io/aggregate-to-edit\":\"true\"},\"type\":\"ACCESS_ROLE\"},\"id\":\"fff9cffd-64a7-412c-9535-cf837f4b0b40\",\"notes\":[{\"createdAt\":\"2023-08-23T07:56:09.903743Z\",\"serviceAccount\":{\"name\":\"rev-ke\"},\"text\":\"updated\",\"updatedAt\":\"2023-08-09T23:10:22.588721Z\"},{\"createdAt\":\"2023-08-09T23:08:49.918941Z\",\"serviceAccount\":{\"name\":\"rev-ke2\"},\"text\":\"updated\",\"updatedAt\":\"2023-08-09T23:10:22.591487Z\"}],\"projects\":[{\"businessUnit\":\"\",\"id\":\"83b76efe-a7b6-5762-8a53-8e8f59e68bd8\",\"name\":\"Project 2\",\"riskProfile\":{\"businessImpact\":\"MBI\"},\"slug\":\"project-2\"},{\"businessUnit\":\"Dev\",\"id\":\"af52828c-4eb1-5c4e-847c-ebc3a5ead531\",\"name\":\"project 4\",\"riskProfile\":{\"businessImpact\":\"MBI\"},\"slug\":\"project-4\"},{\"businessUnit\":\"Dev\",\"id\":\"d6ac50bb-aec0-52fc-80ab-bacd7b02f178\",\"name\":\"Project1\",\"riskProfile\":{\"businessImpact\":\"MBI\"},\"slug\":\"project1\"}],\"resolvedAt\":\"2023-08-09T23:10:22.588721Z\",\"serviceTickets\":[{\"externalId\":\"638361121bbfdd10f6c1cbf3604bcb7e\",\"name\":\"SIR0010002\",\"url\":\"https://ven05658.testing.com/nav_to.do?uri=%2Fsn_si_incident.do%3Fsys_id%3D6385248sdsae421\"}],\"severity\":\"INFORMATIONAL\",\"sourceRule\":{\"__typename\":\"Control\",\"controlDescription\":\"These EKS principals assume roles that provide bind, escalate and impersonate permissions. \\n\\nThe `bind` permission allows users to create bindings to roles with rights they do not already have. The `escalate` permission allows users effectively escalate their privileges. The `impersonate` permission allows users to impersonate and gain the rights of other users in the cluster. Running containers with these permissions has the potential to effectively allow privilege escalation to the cluster-admin level.\",\"id\":\"wc-id-1335\",\"name\":\"EKS principals assume roles that provide bind, escalate and impersonate permissions\",\"resolutionRecommendation\":\"To follow the principle of least privilege and minimize the risk of unauthorized access and data breaches, it is recommended not to grant `bind`, `escalate` or `impersonate` permissions.\",\"securitySubCategories\":[{\"category\":{\"framework\":{\"name\":\"CIS EKS 1.2.0\"},\"name\":\"4.1 RBAC and Service Accounts\"},\"title\":\"4.1.8 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster - Level 1 (Manual)\"},{\"category\":{\"framework\":{\"name\":\"Wiz for Risk Assessment\"},\"name\":\"Identity Management\"},\"title\":\"Privileged principal\"},{\"category\":{\"framework\":{\"name\":\"Wiz\"},\"name\":\"9 Container Security\"},\"title\":\"Container Security\"},{\"category\":{\"framework\":{\"name\":\"Wiz for Risk Assessment\"},\"name\":\"Container \\u0026 Kubernetes Security\"},\"title\":\"Cluster misconfiguration\"}]},\"status\":\"IN_PROGRESS\",\"statusChangedAt\":\"2023-07-31T06:26:08.708199Z\",\"updatedAt\":\"2023-08-14T06:06:18.331647Z\"}", "type": [ "info" ] }, "input": { "type": "cel" }, "message": "These EKS principals assume roles that provide bind, escalate and impersonate permissions. \n\nThe `bind` permission allows users to create bindings to roles with rights they do not already have. The `escalate` permission allows users effectively escalate their privileges. The `impersonate` permission allows users to impersonate and gain the rights of other users in the cluster. Running containers with these permissions has the potential to effectively allow privilege escalation to the cluster-admin level.", "tags": [ "preserve_original_event", "preserve_duplicate_custom_fields", "forwarded", "wiz-issue" ], "url": { "domain": "portal.az.com", "fragment": "@sectest.on.com/resource//subscriptions/", "original": "https://portal.az.com/#@sectest.on.com/resource//subscriptions/", "path": "/", "scheme": "https" }, "wiz": { "issue": { "created_at": "2023-08-23T07:56:09.903Z", "due_at": "2023-08-30T21:00:00.000Z", "entity_snapshot": { "cloud": { "platform": "Kubernetes", "provider_url": "https://portal.az.com/#@sectest.on.com/resource//subscriptions/" }, "external_id": "k8s/clusterrole/aaa8e7ca2bf9bc85a75d5bbdd8ffd08d69f8852782a6341c3c3519sad45/system:aggregate-to-edit/12", "id": "e507d472-b7da-5f05-9b25-72a271336b14", "name": "system:aggregate-to-edit", "native_type": "ClusterRole", "provider_id": "k8s/clusterrole/aaa8e7ca2bf9bc85a75d5bbdd8ffd08d69f8852782a6341c3c3519bac0f24ae9/system:aggregate-to-edit/12", "region": "us-01", "resource_group_external_id": "/subscriptions/cfd132be-3bc7-4f86-8efd-ed53ae498fec/resourcegroups/test-selfmanaged-eastus", "status": "Active", "subscription": { "external_id": "998231069301", "name": "demo-integrations" }, "tags": { "kubernetes.io/bootstrapping": "rbac-defaults", "rbac.authorization.k8s.io/aggregate-to-edit": "true" }, "type": "ACCESS_ROLE" }, "id": "fff9cffd-64a7-412c-9535-cf837f4b0b40", "notes": [ { "created_at": "2023-08-23T07:56:09.903Z", "service_account": { "name": "rev-ke" }, "text": "updated", "updated_at": "2023-08-09T23:10:22.588Z" }, { "created_at": "2023-08-09T23:08:49.918Z", "service_account": { "name": "rev-ke2" }, "text": "updated", "updated_at": "2023-08-09T23:10:22.591Z" } ], "projects": [ { "id": "83b76efe-a7b6-5762-8a53-8e8f59e68bd8", "name": "Project 2", "risk_profile": { "business_impact": "MBI" }, "slug": "project-2" }, { "business_unit": "Dev", "id": "af52828c-4eb1-5c4e-847c-ebc3a5ead531", "name": "project 4", "risk_profile": { "business_impact": "MBI" }, "slug": "project-4" }, { "business_unit": "Dev", "id": "d6ac50bb-aec0-52fc-80ab-bacd7b02f178", "name": "Project1", "risk_profile": { "business_impact": "MBI" }, "slug": "project1" } ], "resolved_at": "2023-08-09T23:10:22.588Z", "service_tickets": [ { "external_id": "638361121bbfdd10f6c1cbf3604bcb7e", "name": "SIR0010002", "url": "https://ven05658.testing.com/nav_to.do?uri=%2Fsn_si_incident.do%3Fsys_id%3D6385248sdsae421" } ], "severity": "INFORMATIONAL", "source_rule": { "__typename": "Control", "control_description": "These EKS principals assume roles that provide bind, escalate and impersonate permissions. \n\nThe `bind` permission allows users to create bindings to roles with rights they do not already have. The `escalate` permission allows users effectively escalate their privileges. The `impersonate` permission allows users to impersonate and gain the rights of other users in the cluster. Running containers with these permissions has the potential to effectively allow privilege escalation to the cluster-admin level.", "id": "wc-id-1335", "name": "EKS principals assume roles that provide bind, escalate and impersonate permissions", "resolution_recommendation": "To follow the principle of least privilege and minimize the risk of unauthorized access and data breaches, it is recommended not to grant `bind`, `escalate` or `impersonate` permissions.", "security_sub_categories": [ { "category": { "framework": { "name": "CIS EKS 1.2.0" }, "name": "4.1 RBAC and Service Accounts" }, "title": "4.1.8 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster - Level 1 (Manual)" }, { "category": { "framework": { "name": "Wiz for Risk Assessment" }, "name": "Identity Management" }, "title": "Privileged principal" }, { "category": { "framework": { "name": "Wiz" }, "name": "9 Container Security" }, "title": "Container Security" }, { "category": { "framework": { "name": "Wiz for Risk Assessment" }, "name": "Container \u0026 Kubernetes Security" }, "title": "Cluster misconfiguration" } ] }, "status": { "changed_at": "2023-07-31T06:26:08.708Z", "value": "IN_PROGRESS" }, "updated_at": "2023-08-14T06:06:18.331Z" } } }
```
Exported fields

Field | Description | Type
---|---|---
@timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date
data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include | constant_keyword
data_stream.namespace | A user-defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will use | constant_keyword
data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword
event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It is recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword
event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), then | constant_keyword
input.type | Type of Filebeat input. | keyword
log.offset | Log offset. | long
wiz.issue.created_at | | date
wiz.issue.due_at | | date
wiz.issue.entity_snapshot.cloud.platform | | keyword
wiz.issue.entity_snapshot.cloud.provider_url | | keyword
wiz.issue.entity_snapshot.external_id | | keyword
wiz.issue.entity_snapshot.id | | keyword
wiz.issue.entity_snapshot.name | | keyword
wiz.issue.entity_snapshot.native_type | | keyword
wiz.issue.entity_snapshot.provider_id | | keyword
wiz.issue.entity_snapshot.region | | keyword
wiz.issue.entity_snapshot.resource_group_external_id | | keyword
wiz.issue.entity_snapshot.status | | keyword
wiz.issue.entity_snapshot.subscription.external_id | | keyword
wiz.issue.entity_snapshot.subscription.name | | keyword
wiz.issue.entity_snapshot.subscription.tags | | flattened
wiz.issue.entity_snapshot.tags | | flattened
wiz.issue.entity_snapshot.type | | keyword
wiz.issue.id | | keyword
wiz.issue.notes.created_at | | date
wiz.issue.notes.service_account.name | | keyword
wiz.issue.notes.text | | keyword
wiz.issue.notes.updated_at | | date
wiz.issue.notes.user.email | | keyword
wiz.issue.notes.user.name | | keyword
wiz.issue.projects.business_unit | | keyword
wiz.issue.projects.id | | keyword
wiz.issue.projects.name | | keyword
wiz.issue.projects.risk_profile.business_impact | | keyword
wiz.issue.projects.slug | | keyword
wiz.issue.resolved_at | | date
wiz.issue.service_tickets.external_id | | keyword
wiz.issue.service_tickets.name | | keyword
wiz.issue.service_tickets.url | | keyword
wiz.issue.severity | | keyword
wiz.issue.source_rule.__typename | | keyword
wiz.issue.source_rule.cloud_configuration_rule_description | | keyword
wiz.issue.source_rule.control_description | | keyword
wiz.issue.source_rule.id | | keyword
wiz.issue.source_rule.name | | keyword
wiz.issue.source_rule.resolution_recommendation | | keyword
wiz.issue.source_rule.security_sub_categories.category.framework.name | | keyword
wiz.issue.source_rule.security_sub_categories.category.name | | keyword
wiz.issue.source_rule.security_sub_categories.title | | keyword
wiz.issue.status.changed_at | | date
wiz.issue.status.value | | keyword
wiz.issue.type | | keyword
wiz.issue.updated_at | | date
Vulnerability
This is the Vulnerability dataset.
Example
An example event for `vulnerability` looks as following:
```json
{ "@timestamp": "2023-08-16T18:40:57.000Z", "agent": { "ephemeral_id": "124489e8-14a9-4120-9631-0c55ec182d07", "id": "9f35182a-afaa-4788-859d-d523d976b90e", "name": "elastic-agent-32792", "type": "filebeat", "version": "8.14.3" }, "cloud": { "account": { "name": "wiz-integrations" }, "provider": "AWS", "region": "us-east-1" }, "data_stream": { "dataset": "wiz.vulnerability", "namespace": "32071", "type": "logs" }, "device": { "id": "c828de0d-4c42-5b1c-946b-2edee094d0b3" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { "id": "9f35182a-afaa-4788-859d-d523d976b90e", "snapshot": false, "version": "8.14.3" }, "event": { "agent_id_status": "verified", "category": [ "vulnerability" ], "dataset": "wiz.vulnerability", "ingested": "2024-10-08T12:48:23Z", "kind": "alert", "original": "{\"CVEDescription\":\"In LibTIFF, there is a memory malloc failure in tif_pixarlog.c. A crafted TIFF document can lead to an abort, resulting in a remote denial of service attack.\",\"CVSSSeverity\":\"MEDIUM\",\"dataSourceName\":\"data Source\",\"description\":\"Thepackage`libtiff`version`4.0.3-35.amzn2`wasdetectedin`YUMpackagemanager`onamachinerunning`Amazon2(Karoo)`isvulnerableto`CVE-2020-35522`,whichexistsinversions`\\u003c4.0.3-35.amzn2.0.1`.\\n\\nThevulnerabilitywasfoundinthe[OfficialAmazonLinuxSecurityAdvisories](https://alas.aws.amazon.com/AL2/ALAS-2022-1780.html)withvendorseverity:`Medium`([NVD](https://nvd.nist.gov/vuln/detail/CVE-2020-35522)severity:`Medium`).\\n\\nThevulnerabilitycanberemediatedbyupdatingthepackagetoversion`4.0.3-35.amzn2.0.1`orhigher,using`yumupdatelibtiff`.\",\"detailedName\":\"libtiff\",\"detectionMethod\":\"PACKAGE\",\"epssPercentile\":46.2,\"epssProbability\":0.1,\"epssSeverity\":\"LOW\",\"exploitabilityScore\":1.8,\"firstDetectedAt\":\"2022-05-01T11:36:10.063767Z\",\"fixedVersion\":\"4.0.3-35.amzn2.0.1\",\"hasCisaKevExploit\":false,\"hasExploit\":false,\"id\":\"5e95ff50-5490-514e-87f7-11e56f3230ff\",\"ignoreRules\":{\"enabled\":true,\"expiredAt\":\"2023-08-16T18:40:57Z\",\"id\":\"aj3jqtvnaf\",\"name\":\"abc\"},\"impactScore\":3.6,\"lastDetectedAt\":\"2023-08-16T18:40:57Z\",\"layerMetadata\":{\"details\":\"xxxx\",\"id\":\"5e95ff50-5490-514e-87f7-11e56f3230ff\",\"isBaseLayer\":true},\"link\":\"https://alas.aws.amazon.com/AL2/ALAS-2022-1780.html\",\"locationPath\":\"package/library/file\",\"name\":\"CVE-2020-3333\",\"portalUrl\":\"https://app.wiz.io/explorer/vulnerability-findings#~(entity~(~'xxx-xxx*2cSECURITY_TOOL_FINDING))\",\"projects\":[{\"businessUnit\":\"\",\"id\":\"83b76efe-a7b6-5762-8a53-8e8f59e68bd8\",\"name\":\"Project2\",\"riskProfile\":{\"businessImpact\":\"MBI\"},\"slug\":\"project-2\"},{\"businessUnit\":\"Dev\",\"id\":\"af52828c-4eb1-5c4e-847c-ebc3a5ead531\",\"name\":\"project4\",\"riskProfile\":{\"businessImpact\":\"MBI\"},\"slug\":\"project-4\"},{\"businessUnit\":\"Dev\",\"id\":\"d6ac50bb-aec0-52fc-80ab-bacd7b02f178\",\"name\":\"Project1\",\"riskProfile\":{\"businessImpact\":\"MBI\"},\"slug\":\"project1\"}],\"remediation\":\"yumupdatelibtiff\",\"resolutionReason\":\"resolutionReason\",\"resolvedAt\":\"2023-08-16T18:40:57Z\",\"score\":5.5,\"status\":\"OPEN\",\"validatedInRuntime\":true,\"vendorSeverity\":\"MEDIUM\",\"version\":\"4.0.3-35.amzn2\",\"vulnerableAsset\":{\"cloudPlatform\":\"AWS\",\"cloudProviderURL\":\"https://us-east-1.console.aws.amazon.com/ec2/v2/home?region=us-east-1#InstanceDetails:instanceId=i-0a0f7e1451da5f4a3\",\"hasLimitedInternetExposure\":true,\"hasWideInternetExposure\":true,\"id\":\"c828de0d-4c42-5b1c-946b-2edee094d0b3\",\"ipAddresses\":[\"89.160.20.112\",\"89.160.20.128\"],\"isAccessibleFromOtherSubscriptions\":false,\"isAccessibleFromOtherVnets\":false,\"isAccessibleFromVPN\":false,\"name\":\"test-4\",\"operatingSystem\":\"Linux\",\"providerUniqueId\":\"arn:aws:ec2:us-east-1:998231069301:instance/i-0a0f7e1451da5f4a3\",\"region\":\"us-east-1\",\"status\":\"Active\",\"subscriptionExternalId\":\"998231069301\",\"subscriptionId\":\"94e76baa-85fd-5928-b829-1669a2ca9660\",\"subscriptionName\":\"wiz-integrations\",\"tags\":{\"Name\":\"test-4\"},\"type\":\"VIRTUAL_MACHINE\"}}", "type": [ "info" ] }, "host": { "name": "test-4", "os": { "family": "Linux" } }, "input": { "type": "cel" }, "message": "Thepackage`libtiff`version`4.0.3-35.amzn2`wasdetectedin`YUMpackagemanager`onamachinerunning`Amazon2(Karoo)`isvulnerableto`CVE-2020-35522`,whichexistsinversions`<4.0.3-35.amzn2.0.1`.\n\nThevulnerabilitywasfoundinthe[OfficialAmazonLinuxSecurityAdvisories](https://alas.aws.amazon.com/AL2/ALAS-2022-1780.html)withvendorseverity:`Medium`([NVD](https://nvd.nist.gov/vuln/detail/CVE-2020-35522)severity:`Medium`).\n\nThevulnerabilitycanberemediatedbyupdatingthepackagetoversion`4.0.3-35.amzn2.0.1`orhigher,using`yumupdatelibtiff`.", "observer": { "vendor": "Wiz" }, "package": { "fixed_version": "4.0.3-35.amzn2.0.1", "name": "libtiff", "version": "4.0.3-35.amzn2" }, "related": { "ip": [ "89.160.20.112", "89.160.20.128" ] }, "resource": { "id": "arn:aws:ec2:us-east-1:998231069301:instance/i-0a0f7e1451da5f4a3", "name": "test-4" }, "tags": [ "preserve_original_event", "preserve_duplicate_custom_fields", "forwarded", "wiz-vulnerability" ], "vulnerability": { "cwe": "CVE-2020-3333", "description": "In LibTIFF, there is a memory malloc failure in tif_pixarlog.c. A crafted TIFF document can lead to an abort, resulting in a remote denial of service attack.", "id": "CVE-2020-3333", "package": { "fixed_version": "4.0.3-35.amzn2.0.1", "name": "libtiff", "version": "4.0.3-35.amzn2" }, "reference": "https://alas.aws.amazon.com/AL2/ALAS-2022-1780.html", "score": { "base": 5.5 }, "severity": "MEDIUM" }, "wiz": { "vulnerability": { "cve_description": "In LibTIFF, there is a memory malloc failure in tif_pixarlog.c. A crafted TIFF document can lead to an abort, resulting in a remote denial of service attack.", "cvss_severity": "MEDIUM", "data_source_name": "data Source", "description": "Thepackage`libtiff`version`4.0.3-35.amzn2`wasdetectedin`YUMpackagemanager`onamachinerunning`Amazon2(Karoo)`isvulnerableto`CVE-2020-35522`,whichexistsinversions`<4.0.3-35.amzn2.0.1`.\n\nThevulnerabilitywasfoundinthe[OfficialAmazonLinuxSecurityAdvisories](https://alas.aws.amazon.com/AL2/ALAS-2022-1780.html)withvendorseverity:`Medium`([NVD](https://nvd.nist.gov/vuln/detail/CVE-2020-35522)severity:`Medium`).\n\nThevulnerabilitycanberemediatedbyupdatingthepackagetoversion`4.0.3-35.amzn2.0.1`orhigher,using`yumupdatelibtiff`.", "detailed_name": "libtiff", "detection_method": "PACKAGE", "epss": { "percentile": 46.2, "probability": 0.1, "severity": "LOW" }, "exploitability_score": 1.8, "first_detected_at": "2022-05-01T11:36:10.063Z", "fixed_version": "4.0.3-35.amzn2.0.1", "has_cisa_kev_exploit": false, "has_exploit": false, "id": "5e95ff50-5490-514e-87f7-11e56f3230ff", "ignore_rules": { "enabled": true, "expired_at": "2023-08-16T18:40:57.000Z", "id": "aj3jqtvnaf", "name": "abc" }, "impact_score": 3.6, "last_detected_at": "2023-08-16T18:40:57.000Z", "layer_metadata": { "details": "xxxx", "id": "5e95ff50-5490-514e-87f7-11e56f3230ff", "is_base_layer": true }, "link": "https://alas.aws.amazon.com/AL2/ALAS-2022-1780.html", "location_path": "package/library/file", "name": "CVE-2020-3333", "portal_url": "https://app.wiz.io/explorer/vulnerability-findings#~(entity~(~'xxx-xxx*2cSECURITY_TOOL_FINDING))", "projects": [ { "id": "83b76efe-a7b6-5762-8a53-8e8f59e68bd8", "name": "Project2", "risk_profile": { "business_impact": "MBI" }, "slug": "project-2" }, { "business_unit": "Dev", "id": "af52828c-4eb1-5c4e-847c-ebc3a5ead531", "name": "project4", "risk_profile": { "business_impact": "MBI" }, "slug": "project-4" }, { "business_unit": "Dev", "id": "d6ac50bb-aec0-52fc-80ab-bacd7b02f178", "name": "Project1", "risk_profile": { "business_impact": "MBI" }, "slug": "project1" } ], "remedation": "yumupdatelibtiff", "resolution_reason": "resolutionReason", "resolved_at": "2023-08-16T18:40:57.000Z", "score": 5.5, "status": "OPEN", "validated_in_runtime": true, "vendor_severity": "MEDIUM", "version": "4.0.3-35.amzn2", "vulnerable_asset": { "cloud": { "platform": "AWS", "provider_url": "https://us-east-1.console.aws.amazon.com/ec2/v2/home?region=us-east-1#InstanceDetails:instanceId=i-0a0f7e1451da5f4a3" }, "has_limited_internet_exposure": true, "has_wide_internet_exposure": true, "id": "c828de0d-4c42-5b1c-946b-2edee094d0b3", "ip_addresses": [ "89.160.20.112", "89.160.20.128" ], "is_accessible_from": { "other_subscriptions": false, "other_vnets": false, "vpn": false }, "name": "test-4", "operating_system": "Linux", "provider_unique_id": "arn:aws:ec2:us-east-1:998231069301:instance/i-0a0f7e1451da5f4a3", "region": "us-east-1", "status": "Active", "subscription": { "external_id": "998231069301", "id": "94e76baa-85fd-5928-b829-1669a2ca9660", "name": "wiz-integrations" }, "tags": { "name": "test-4" }, "type": "VIRTUAL_MACHINE" } } } }
```
Exported fields

Field | Description | Type |
---|---|---|
@timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include | constant_keyword |
data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will use | constant_keyword |
data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword |
event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It is recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword |
event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), then | constant_keyword |
input.type | Type of filebeat input. | keyword |
log.offset | Log offset. | long |
package.fixed_version | | keyword |
resource.id | | keyword |
resource.name | | keyword |
vulnerability.cwe | | keyword |
vulnerability.package.fixed_version | | keyword |
vulnerability.package.name | | keyword |
vulnerability.package.version | | keyword |
wiz.vulnerability.cve_description | | keyword |
wiz.vulnerability.cvss_severity | | keyword |
wiz.vulnerability.data_source_name | | keyword |
wiz.vulnerability.description | | keyword |
wiz.vulnerability.detailed_name | | keyword |
wiz.vulnerability.detection_method | | keyword |
wiz.vulnerability.epss.percentile | | double |
wiz.vulnerability.epss.probability | | double |
wiz.vulnerability.epss.severity | | keyword |
wiz.vulnerability.exploitability_score | | double |
wiz.vulnerability.first_detected_at | | date |
wiz.vulnerability.fixed_version | | keyword |
wiz.vulnerability.has_cisa_kev_exploit | | boolean |
wiz.vulnerability.has_exploit | | boolean |
wiz.vulnerability.id | | keyword |
wiz.vulnerability.ignore_rules.enabled | | boolean |
wiz.vulnerability.ignore_rules.expired_at | | date |
wiz.vulnerability.ignore_rules.id | | keyword |
wiz.vulnerability.ignore_rules.name | | keyword |
wiz.vulnerability.impact_score | | double |
wiz.vulnerability.last_detected_at | | date |
wiz.vulnerability.layer_metadata.details | | keyword |
wiz.vulnerability.layer_metadata.id | | keyword |
wiz.vulnerability.layer_metadata.is_base_layer | | boolean |
wiz.vulnerability.link | | keyword |
wiz.vulnerability.location_path | | keyword |
wiz.vulnerability.name | | keyword |
wiz.vulnerability.portal_url | | keyword |
wiz.vulnerability.projects.business_unit | | keyword |
wiz.vulnerability.projects.id | | keyword |
wiz.vulnerability.projects.name | | keyword |
wiz.vulnerability.projects.risk_profile.business_impact | | keyword |
wiz.vulnerability.projects.slug | | keyword |
wiz.vulnerability.remedation | | keyword |
wiz.vulnerability.resolution_reason | | keyword |
wiz.vulnerability.resolved_at | | date |
wiz.vulnerability.score | | double |
wiz.vulnerability.status | | keyword |
wiz.vulnerability.validated_in_runtime | | boolean |
wiz.vulnerability.vendor_severity | | keyword |
wiz.vulnerability.version | | keyword |
wiz.vulnerability.vulnerable_asset.cloud.platform | | keyword |
wiz.vulnerability.vulnerable_asset.cloud.provider_url | | keyword |
wiz.vulnerability.vulnerable_asset.has_limited_internet_exposure | | boolean |
wiz.vulnerability.vulnerable_asset.has_wide_internet_exposure | | boolean |
wiz.vulnerability.vulnerable_asset.id | | keyword |
wiz.vulnerability.vulnerable_asset.ip_addresses | | ip |
wiz.vulnerability.vulnerable_asset.is_accessible_from.other_subscriptions | | boolean |
wiz.vulnerability.vulnerable_asset.is_accessible_from.other_vnets | | boolean |
wiz.vulnerability.vulnerable_asset.is_accessible_from.vpn | | boolean |
wiz.vulnerability.vulnerable_asset.name | | keyword |
wiz.vulnerability.vulnerable_asset.operating_system | | keyword |
wiz.vulnerability.vulnerable_asset.provider_unique_id | | keyword |
wiz.vulnerability.vulnerable_asset.region | | keyword |
wiz.vulnerability.vulnerable_asset.status | | keyword |
wiz.vulnerability.vulnerable_asset.subscription.external_id | | keyword |
wiz.vulnerability.vulnerable_asset.subscription.id | | keyword |
wiz.vulnerability.vulnerable_asset.subscription.name | | keyword |
wiz.vulnerability.vulnerable_asset.tags.name | | keyword |
wiz.vulnerability.vulnerable_asset.type | | keyword |
Changelog

Version | Details | Kibana version |
---|---|---|
2.6.0 | Enhancement (View pull request) | 8.16.0 or later |
2.5.1 | Bug fix (View pull request) | 8.16.0 or later |
2.5.0 | Enhancement (View pull request) | 8.16.0 or later |
2.4.0 | Enhancement (View pull request) | 8.16.0 or later |
2.3.0 | Enhancement (View pull request) | 8.16.0 or later |
2.2.0 | Enhancement (View pull request) Enhancement (View pull request) | 8.16.0 or later |
2.1.0 | Enhancement (View pull request) | 8.16.0 or later |
2.0.1 | Bug fix (View pull request) Bug fix (View pull request) | 8.16.0 or later |
2.0.0 | Bug fix (View pull request) Enhancement (View pull request) Bug fix (View pull request) Enhancement (View pull request) Breaking change (View pull request) Breaking change (View pull request) Enhancement (View pull request) Enhancement (View pull request) Enhancement (View pull request) Bug fix (View pull request) Enhancement (View pull request) Bug fix (View pull request) | 8.16.0 or later |
1.8.4 | Bug fix (View pull request) | 8.13.0 or later |
1.8.3 | Bug fix (View pull request) | 8.13.0 or later |
1.8.2 | Bug fix (View pull request) Enhancement (View pull request) | 8.13.0 or later |
1.8.1 | Bug fix (View pull request) | 8.13.0 or later |
1.8.0 | Enhancement (View pull request) | 8.13.0 or later |
1.7.2 | Enhancement (View pull request) | 8.13.0 or later |
1.7.1 | Bug fix (View pull request) | 8.13.0 or later |
1.7.0 | Enhancement (View pull request) | 8.13.0 or later |
1.6.0 | Enhancement (View pull request) | 8.13.0 or later |
1.5.0 | Enhancement (View pull request) | 8.13.0 or later |
1.4.0 | Enhancement (View pull request) | 8.13.0 or later |
1.3.2 | Bug fix (View pull request) | 8.13.0 or later |
1.3.1 | Bug fix (View pull request) Bug fix (View pull request) | 8.13.0 or later |
1.3.0 | Enhancement (View pull request) Bug fix (View pull request) | 8.13.0 or later |
1.2.0 | Enhancement (View pull request) | 8.13.0 or later |
1.1.1 | Enhancement (View pull request) | 8.12.0 or later |
1.1.0 | Enhancement (View pull request) | 8.12.0 or later |
1.0.1 | Enhancement (View pull request) | 8.10.1 or later |
1.0.0 | Enhancement (View pull request) | 8.10.1 or later |
0.4.0 | Enhancement (View pull request) | — |
0.3.0 | Enhancement (View pull request) | — |
0.2.0 | Enhancement (View pull request) | — |
0.1.0 | Enhancement (View pull request) | — |