elastic / ecs

Elastic Common Schema
https://www.elastic.co/what-is/ecs
Apache License 2.0

[RFC] Stage 0: Introducing new field in rule namespace #2330

Open smriti0321 opened 3 months ago

smriti0321 commented 3 months ago

Updating the template for ECS RFC Stage 0 for adding 1 new rule field:

  1. rule.remediation

tinnytintin10 commented 1 month ago

@smriti0321 what's the plan for capturing benchmark/framework metadata? The existing rule.ruleset field has a keyword type that will only allow us to capture the benchmark/framework's name.

For context, here is an example of a Wiz finding that contains multiple mapped benchmarks/frameworks:

Just the benchmarks / frameworks

```json
"securitySubCategories": [
  { "category": { "framework": { "id": "wf-id-115", "name": "UK Cyber Essentials" }, "id": "wct-id-2360", "name": "1 Firewalls" }, "id": "wsct-id-15168", "title": "1.1 Change default administrative passwords" },
  { "category": { "framework": { "id": "wf-id-13", "name": "NIST CSF v1.1" }, "id": "wct-id-363", "name": "2 Business Environment (ID.BE)" }, "id": "wsct-id-37", "title": "5 Resilience requirements to support delivery of critical services are established" },
  { "category": { "framework": { "id": "wf-id-13", "name": "NIST CSF v1.1" }, "id": "wct-id-370", "name": "10 Information Protection Processes and Procedures (PR.IP)" }, "id": "wsct-id-76", "title": "9 Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed" },
  { "category": { "framework": { "id": "wf-id-13", "name": "NIST CSF v1.1" }, "id": "wct-id-372", "name": "12 Protective Technology (PR.PT)" }, "id": "wsct-id-689", "title": "5 Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations" },
  { "category": { "framework": { "id": "wf-id-14", "name": "CSA CCM v4.0.5" }, "id": "wct-id-1062", "name": "5 - CEK Cryptography, Encryption \u0026 Key Management" }, "id": "wsct-id-6165", "title": "CEK-01 Encryption and Key Management Policy and Procedures - Establish, document, approve, communicate, apply, evaluate and maintain\npolicies and procedures for Cryptography, Encryption and Key Management. Review\nand update the policies and procedures at least annually." },
  { "category": { "framework": { "id": "wf-id-14", "name": "CSA CCM v4.0.5" }, "id": "wct-id-1074", "name": "17 - UEM Universal Endpoint Management" }, "id": "wsct-id-6322", "title": "UEM-08 Storage Encryption - Protect information from unauthorized disclosure on managed endpoint\ndevices with storage encryption." },
  { "category": { "framework": { "id": "wf-id-48", "name": "NIST SP 800-53 Revision 4" }, "id": "wct-id-1181", "name": "CM CONFIGURATION MANAGEMENT" }, "id": "wsct-id-6836", "title": "CM-7 LEAST FUNCTIONALITY" },
  { "category": { "framework": { "id": "wf-id-1", "name": "Wiz for Risk Assessment" }, "id": "wct-id-940", "name": "Operationalization" }, "id": "wsct-id-10421", "title": "Informational configuration" },
  { "category": { "framework": { "id": "wf-id-13", "name": "NIST CSF v1.1" }, "id": "wct-id-370", "name": "10 Information Protection Processes and Procedures (PR.IP)" }, "id": "wsct-id-71", "title": "4 Backups of information are conducted, maintained, and tested periodically" },
  { "category": { "framework": { "id": "wf-id-3", "name": "ISO/IEC 27001" }, "id": "wct-id-589", "name": "A.12 Operations security" }, "id": "wsct-id-635", "title": "A.12.3.1 Information backup" },
  { "category": { "framework": { "id": "wf-id-14", "name": "CSA CCM v4.0.5" }, "id": "wct-id-1061", "name": "4 - CCC Change Control and Configuration Management" }, "id": "wsct-id-6164", "title": "CCC-09 Change Restoration - Define and implement a process to proactively roll back changes to\na previous known good state in case of errors or security concerns." },
  { "category": { "framework": { "id": "wf-id-105", "name": "Wiz (Legacy)" }, "id": "wct-id-2136", "name": "Operationalization" }, "id": "wsct-id-5540", "title": "Operationalization" }
]
```

Full finding

```json
{
  "analyzedAt": "2024-05-29T01:03:24.600785Z",
  "firstSeenAt": "2024-05-29T01:03:26.815114Z",
  "id": "bb379d62-72bf-57c8-8e68-a043696a072b",
  "ignoreRules": null,
  "remediation": "To monitor an instance stop scheduled event for the EC2 instance, follow [this link](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/monitoring-instances-status-check_sched.html).\n",
  "resource": {
    "id": "72b98370-615e-5136-a614-71269ddef677",
    "name": "Demo vulns findings",
    "nativeType": "virtualMachine",
    "projects": [
      { "id": "83b76efe-a7b6-5762-8a53-8e8f59e68bd8", "name": "Project 2", "riskProfile": { "businessImpact": "MBI" } },
      { "id": "af52828c-4eb1-5c4e-847c-ebc3a5ead531", "name": "project 4", "riskProfile": { "businessImpact": "MBI" } },
      { "id": "d6ac50bb-aec0-52fc-80ab-bacd7b02f178", "name": "Project1", "riskProfile": { "businessImpact": "MBI" } }
    ],
    "providerId": "arn:aws:ec2:us-east-2:998231069301:instance/i-07602bddd9c7a3052",
    "region": "us-east-2",
    "subscription": { "cloudProvider": "AWS", "externalId": "998231069301", "id": "94e76baa-85fd-5928-b829-1669a2ca9660", "name": "wiz-integrations" },
    "tags": [ { "key": "Name", "value": "Demo vulns findings" } ],
    "type": "VIRTUAL_MACHINE"
  },
  "result": "FAIL",
  "rule": {
    "description": "This rule checks whether there is an instance stop scheduled event for the EC2 instance. \nThis rule fails if there is at least one `Events` element whose `Code` field is set to `instance-stop`. \nThe event applies to instances backed by Amazon EBS. This event indicates that at the scheduled time, the instance is stopped, and when it is started again, it is migrated to a new host. Be aware of instance-stop scheduled events to avoid unexpected data loss and downtime.\n\u003e**Note** \n\u003eThis rule does not indicate any misconfiguration and is informational only.",
    "functionAsControl": false,
    "graphId": "0dd0ca67-e17e-5e0d-b296-08ce779953f6",
    "id": "5076dc62-3fbd-4ee9-9495-3ca295aeac99",
    "name": "EC2 instance with an upcoming instance stop scheduled event",
    "remediationInstructions": "To monitor an instance stop scheduled event for the EC2 instance, follow [this link](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/monitoring-instances-status-check_sched.html).\n"
  },
  "securitySubCategories": [
    { "category": { "framework": { "id": "wf-id-115", "name": "UK Cyber Essentials" }, "id": "wct-id-2360", "name": "1 Firewalls" }, "id": "wsct-id-15168", "title": "1.1 Change default administrative passwords" },
    { "category": { "framework": { "id": "wf-id-13", "name": "NIST CSF v1.1" }, "id": "wct-id-363", "name": "2 Business Environment (ID.BE)" }, "id": "wsct-id-37", "title": "5 Resilience requirements to support delivery of critical services are established" },
    { "category": { "framework": { "id": "wf-id-13", "name": "NIST CSF v1.1" }, "id": "wct-id-370", "name": "10 Information Protection Processes and Procedures (PR.IP)" }, "id": "wsct-id-76", "title": "9 Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed" },
    { "category": { "framework": { "id": "wf-id-13", "name": "NIST CSF v1.1" }, "id": "wct-id-372", "name": "12 Protective Technology (PR.PT)" }, "id": "wsct-id-689", "title": "5 Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations" },
    { "category": { "framework": { "id": "wf-id-14", "name": "CSA CCM v4.0.5" }, "id": "wct-id-1062", "name": "5 - CEK Cryptography, Encryption \u0026 Key Management" }, "id": "wsct-id-6165", "title": "CEK-01 Encryption and Key Management Policy and Procedures - Establish, document, approve, communicate, apply, evaluate and maintain\npolicies and procedures for Cryptography, Encryption and Key Management. Review\nand update the policies and procedures at least annually." },
    { "category": { "framework": { "id": "wf-id-14", "name": "CSA CCM v4.0.5" }, "id": "wct-id-1074", "name": "17 - UEM Universal Endpoint Management" }, "id": "wsct-id-6322", "title": "UEM-08 Storage Encryption - Protect information from unauthorized disclosure on managed endpoint\ndevices with storage encryption." },
    { "category": { "framework": { "id": "wf-id-48", "name": "NIST SP 800-53 Revision 4" }, "id": "wct-id-1181", "name": "CM CONFIGURATION MANAGEMENT" }, "id": "wsct-id-6836", "title": "CM-7 LEAST FUNCTIONALITY" },
    { "category": { "framework": { "id": "wf-id-1", "name": "Wiz for Risk Assessment" }, "id": "wct-id-940", "name": "Operationalization" }, "id": "wsct-id-10421", "title": "Informational configuration" },
    { "category": { "framework": { "id": "wf-id-13", "name": "NIST CSF v1.1" }, "id": "wct-id-370", "name": "10 Information Protection Processes and Procedures (PR.IP)" }, "id": "wsct-id-71", "title": "4 Backups of information are conducted, maintained, and tested periodically" },
    { "category": { "framework": { "id": "wf-id-3", "name": "ISO/IEC 27001" }, "id": "wct-id-589", "name": "A.12 Operations security" }, "id": "wsct-id-635", "title": "A.12.3.1 Information backup" },
    { "category": { "framework": { "id": "wf-id-14", "name": "CSA CCM v4.0.5" }, "id": "wct-id-1061", "name": "4 - CCC Change Control and Configuration Management" }, "id": "wsct-id-6164", "title": "CCC-09 Change Restoration - Define and implement a process to proactively roll back changes to\na previous known good state in case of errors or security concerns." },
    { "category": { "framework": { "id": "wf-id-105", "name": "Wiz (Legacy)" }, "id": "wct-id-2136", "name": "Operationalization" }, "id": "wsct-id-5540", "title": "Operationalization" }
  ],
  "severity": "NONE",
  "status": "OPEN",
  "targetExternalId": "i-07602bddd9c7a3052",
  "targetObjectProviderUniqueId": "arn:aws:ec2:us-east-2:998231069301:instance/i-07602bddd9c7a3052"
}
```

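As an added example (not code from the ECS project or from Wiz), the script below maps a finding with the shape posted above onto ECS `rule.*` and `cloud.*` fields. It assumes the `rule.remediation` field proposed in this RFC and uses a constructed, trimmed finding with placeholder ids. The point it illustrates is the one raised in the comment: `rule.ruleset`, even as an array of keywords, can only carry the framework names; the per-control ids and titles under `securitySubCategories` have nowhere to go in the current `rule` namespace.

```python
"""Map a Wiz-style configuration finding onto ECS fields.

Added example, not part of the ecs repository. Assumes the proposed
rule.remediation field; every other ECS field used here already exists.
"""

# Constructed sample, trimmed from the finding shape posted in the issue.
# Ids and the account number are placeholders, not real values.
SAMPLE_FINDING = {
    "id": "finding-0001",
    "remediation": "To monitor an instance stop scheduled event for the EC2 instance, "
                   "follow the AWS scheduled-events documentation.\n",
    "resource": {
        "providerId": "arn:aws:ec2:us-east-2:123456789012:instance/i-0123456789abcdef0",
        "region": "us-east-2",
        "subscription": {"cloudProvider": "AWS", "externalId": "123456789012"},
        "type": "VIRTUAL_MACHINE",
    },
    "result": "FAIL",
    "rule": {
        "id": "rule-0001",
        "name": "EC2 instance with an upcoming instance stop scheduled event",
        "description": "This rule checks whether there is an instance stop scheduled event for the EC2 instance.",
        "remediationInstructions": "To monitor an instance stop scheduled event for the EC2 instance, "
                                   "follow the AWS scheduled-events documentation.\n",
    },
    "securitySubCategories": [
        {"category": {"framework": {"id": "wf-id-115", "name": "UK Cyber Essentials"},
                      "id": "wct-id-2360", "name": "1 Firewalls"},
         "id": "wsct-id-15168", "title": "1.1 Change default administrative passwords"},
        {"category": {"framework": {"id": "wf-id-13", "name": "NIST CSF v1.1"},
                      "id": "wct-id-363", "name": "2 Business Environment (ID.BE)"},
         "id": "wsct-id-37", "title": "5 Resilience requirements to support delivery of critical services are established"},
        {"category": {"framework": {"id": "wf-id-13", "name": "NIST CSF v1.1"},
                      "id": "wct-id-370", "name": "10 Information Protection Processes and Procedures (PR.IP)"},
         "id": "wsct-id-71", "title": "4 Backups of information are conducted, maintained, and tested periodically"},
        {"category": {"framework": {"id": "wf-id-14", "name": "CSA CCM v4.0.5"},
                      "id": "wct-id-1062", "name": "5 - CEK Cryptography, Encryption & Key Management"},
         "id": "wsct-id-6165", "title": "CEK-01 Encryption and Key Management Policy and Procedures"},
    ],
}


def framework_names(finding):
    """Distinct framework names in first-seen order: the only part of the
    mapping that a keyword-typed rule.ruleset can carry."""
    names = []
    for sub in finding.get("securitySubCategories", []):
        name = sub["category"]["framework"]["name"]
        if name not in names:
            names.append(name)
    return names


def control_mappings(finding):
    """(framework, control id, control title) triples. None of this survives the
    collapse into rule.ruleset; it is what a follow-up ruleset RFC would need to model."""
    return [
        (sub["category"]["framework"]["name"], sub["id"], sub["title"])
        for sub in finding.get("securitySubCategories", [])
    ]


def to_ecs(finding):
    """Build the ECS-shaped document for one finding."""
    rule = finding["rule"]
    resource = finding["resource"]
    return {
        "event": {"kind": "state", "category": ["configuration"], "type": ["info"]},
        "rule": {
            "id": rule["id"],
            "name": rule["name"],
            "description": rule["description"],
            # Proposed field: Wiz carries the text both on the rule and on the finding.
            "remediation": (rule.get("remediationInstructions") or finding.get("remediation", "")).strip(),
            # ECS fields may hold arrays, so every framework name fits; control ids do not.
            "ruleset": framework_names(finding),
        },
        "cloud": {
            "provider": resource["subscription"]["cloudProvider"].lower(),
            "account": {"id": resource["subscription"]["externalId"]},
            "region": resource["region"],
            "instance": {"id": resource["providerId"].rsplit("/", 1)[-1]},
        },
    }


if __name__ == "__main__":
    import json
    print(json.dumps(to_ecs(SAMPLE_FINDING), indent=2))
    for framework, control_id, title in control_mappings(SAMPLE_FINDING):
        print(f"not representable in rule.ruleset: {framework} / {control_id}: {title}")
```

Running it prints the ECS document with three `rule.ruleset` values, followed by the four control-level mappings that the document cannot express, which is the gap a separate ruleset RFC would have to close.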
smriti0321 commented 1 week ago

@tinnytintin10 we plan to capture ruleset through a separate RFC, as per my discussion with @trisch-me.

smriti0321 commented 1 week ago

@ebeahan and @tinnytintin10 could you please review the changes.