[BUG] CIS AWS Rule 4.1 - Correctly defined metric and filter for unauthorized API calls is evaluated as failure.

[gurevichdmitry]

Describe the bug Rule 4.1: Ensure a log metric filter and alarm exist for unauthorized API calls. Correctly defined metric and filter for unauthorized API calls is evaluated as failure.

After investigation with @olegsu it was found that csp policy uses incorrect filter evaluation pattern.

Preconditions ELK Stack 8.8 is deployed

To Reproduce Steps to reproduce the behavior:

1. Create CSPM integration and deploy elastic agent (csp aws account user)
2. Navigate to Findings and search by rule.tags: "CIS 4.1"

Expected behavior Cloudbeat evaluates rule 4.1 as passed.

Environment

• OS: Amazon Linux
• Browser: NA
• Kibana Version: 8.8-SNAPSHOT
• Elastic-Agent: 8.8-SNAPSHOT

[gurevichdmitry]

@orestisfl, It appears that this bug is still present in the latest Kibana version, 8.8.0-BC3.

evidence raw data

```json [ { "MetricTopicBinding": {}, "MetricFilters": [], "TrailInfo": { "Status": { "LatestNotificationError": null, "LatestNotificationAttemptTime": "", "StartLoggingTime": "2020-09-08T07:18:44.158Z", "LatestDeliveryAttemptTime": "2023-05-08T13:25:00Z", "StopLoggingTime": "2023-05-08T13:19:38.008Z", "LatestNotificationAttemptSucceeded": "", "LatestDeliveryAttemptSucceeded": "2023-05-08T13:25:00Z", "LatestDigestDeliveryError": null, "LatestDeliveryTime": "2023-05-08T13:25:00.203Z", "TimeLoggingStarted": "2020-09-08T07:18:44Z", "LatestCloudWatchLogsDeliveryError": null, "LatestDigestDeliveryTime": null, "LatestNotificationTime": null, "ResultMetadata": {}, "LatestDeliveryError": null, "LatestCloudWatchLogsDeliveryTime": null, "TimeLoggingStopped": "2023-05-08T13:19:38Z", "IsLogging": false }, "Trail": { "IncludeGlobalServiceEvents": true, "HasInsightSelectors": false, "KmsKeyId": null, "HomeRegion": "us-east-1", "CloudWatchLogsRoleArn": null, "S3KeyPrefix": null, "IsOrganizationTrail": false, "Name": "management-events", "CloudWatchLogsLogGroupArn": null, "HasCustomEventSelectors": false, "SnsTopicName": null, "LogFileValidationEnabled": false, "IsMultiRegionTrail": true, "SnsTopicARN": null, "S3BucketName": "aws-cloudtrail-logs-xxx-d741de63", "TrailARN": "arn:aws:cloudtrail:us-east-1:xxx:trail/management-events" }, "EventSelectors": [ { "IncludeManagementEvents": true, "ExcludeManagementEventSources": [], "ReadWriteType": "All", "DataResources": [] } ] } }, { "MetricTopicBinding": { "": [] }, "MetricFilters": [ { "MetricTransformations": [ { "MetricName": "unauthorized_api_calls_metric", "DefaultValue": 1, "MetricValue": "1", "MetricNamespace": "CISBenchmark", "Dimensions": null, "Unit": "" } ], "FilterPattern": "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") || ($.sourceIPAddress!=\"delivery.logs.amazonaws.com\") || ($.eventName!=\"HeadBucket\") }", "CreationTime": 1684061080450, "LogGroupName": "aws-cloudtrail-logs-xxx-28679765", "FilterName": "" } ], "TrailInfo": { "Status": { "LatestNotificationError": null, "LatestNotificationAttemptTime": "", "LatestDeliveryAttemptTime": "2023-05-14T12:25:34Z", "StartLoggingTime": "2023-03-21T08:36:52.664Z", "StopLoggingTime": null, "LatestNotificationAttemptSucceeded": "", "LatestDigestDeliveryError": null, "LatestDeliveryAttemptSucceeded": "2023-05-14T12:25:34Z", "LatestDeliveryTime": "2023-05-14T12:25:34.39Z", "TimeLoggingStarted": "2023-03-21T08:36:52Z", "LatestCloudWatchLogsDeliveryError": null, "LatestDigestDeliveryTime": null, "LatestNotificationTime": null, "ResultMetadata": {}, "LatestDeliveryError": null, "LatestCloudWatchLogsDeliveryTime": "2023-05-14T12:26:44.471Z", "TimeLoggingStopped": "", "IsLogging": true }, "EventSelectors": null, "Trail": { "IncludeGlobalServiceEvents": true, "HasInsightSelectors": false, "KmsKeyId": "arn:aws:kms:us-west-2:xxx:key/xxx", "HomeRegion": "us-west-2", "CloudWatchLogsRoleArn": "arn:aws:iam::xxx:role/service-role/TestAwsManagementEvents", "S3KeyPrefix": null, "IsOrganizationTrail": false, "Name": "test-aws-file-validation-off-failed", "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-west-2:xxx:log-group:aws-cloudtrail-logs-704479110758-28679765:*", "HasCustomEventSelectors": true, "SnsTopicName": null, "LogFileValidationEnabled": false, "IsMultiRegionTrail": true, "S3BucketName": "aws-cloudtrail-logs-xxx-61552557", "SnsTopicARN": null, "TrailARN": "arn:aws:cloudtrail:us-west-2:xxx:trail/test-aws-file-validation-off-failed" } } } ] ```

[orestisfl]

@gurevichdmitry it fails because

1. there are no event selectors set

      "EventSelectors": null,

2. there are no subscriptions:

    "MetricTopicBinding": {
      "<unauthorized_api_calls_metric>": []
    },