Open kcreddy opened 1 month ago
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)
PR for mapping changes: https://github.com/elastic/integrations/pull/11158. Will be ready for review after the mapping clarifications are answered and implemented by the Cloud Security team.
All clarifications are provided by the Cloud Team except for the ones still pending for Wiz (1:many mappings for benchmark fields). There is one clarification/suggestion that stands out and may impact the workflow, hence mentioning it here:
An AWS SecurityHub Finding can contain multiple resources, which provides all the resources affected by that finding. But this multiple-resources case wasn't observed in any of the ingested data in the Demo cluster so far.
Also, the native CSPM workflow expects a 1:1 mapping for finding:resource.
So, we are taking this approach:
If there is one resource we do what we have in Wiz and native: just populate resource.* as keywords, so that if there is one it is a string and if many then an array. Arrays won't work in general for the current UI, but as we don't see them we can take this trade-off for now, hoping that it's a rare case and not many findings will be affected.
cc: @maxcold
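The mapping approach described in the comment above, as an added example that is not the integration's own code: it flattens an ASFF finding's `Resources[]` onto `resource.*` fields (string for one resource, array for many) and counts how often the multi-resource case actually shows up in a batch, so the "rare case" assumption can be checked against ingested data. The exact `resource.*` field names and the sample findings are assumptions/constructed.

```python
# Added example (not the elastic/integrations code). Demonstrates the
# "string if one resource, array if many" mapping for AWS Security Hub
# findings in ASFF form, plus a check of how rare the multi-resource case is.
# Field names under resource.* are assumptions, not the integration's real ones.
from collections import Counter
from typing import Any, Dict, List, Tuple, Union

Scalar = Union[str, List[str]]


def _collapse(values: List[str]) -> Scalar:
    """Keyword semantics: a bare string for one value, a list for several.
    Elasticsearch accepts either shape in the same keyword field."""
    return values[0] if len(values) == 1 else values


def map_resources(finding: Dict[str, Any]) -> Dict[str, Scalar]:
    """Map ASFF Resources[] onto flat resource.* fields (assumed names)."""
    resources = finding.get("Resources") or []
    if not resources:
        raise ValueError("ASFF finding has no Resources")
    return {
        "resource.id": _collapse([r["Id"] for r in resources]),
        "resource.type": _collapse([r["Type"] for r in resources]),
        "resource.region": _collapse([r.get("Region", "") for r in resources]),
    }


def count_multi_resource(findings: List[Dict[str, Any]]) -> Tuple[int, Dict[int, int]]:
    """Return (number of findings with >1 resource, histogram of resource counts)
    so the 1:1 finding:resource assumption can be verified on real data."""
    hist = Counter(len(f.get("Resources") or []) for f in findings)
    multi = sum(n for k, n in hist.items() if k > 1)
    return multi, dict(hist)


# Constructed sample findings (not real Security Hub data)
SAMPLE_FINDINGS = [
    {"Id": "f-1", "Resources": [
        {"Type": "AwsS3Bucket", "Id": "arn:aws:s3:::example-bucket", "Region": "us-east-1"}]},
    {"Id": "f-2", "Resources": [
        {"Type": "AwsEc2Instance", "Id": "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc", "Region": "us-east-1"},
        {"Type": "AwsEc2SecurityGroup", "Id": "arn:aws:ec2:us-east-1:123456789012:security-group/sg-0def", "Region": "us-east-1"}]},
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f["Id"], map_resources(f))
    print(count_multi_resource(SAMPLE_FINDINGS))
```

Running the histogram over a representative export of ingested findings is the cheapest way to confirm whether the array case is really rare before the UI trade-off is accepted.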
After a recommendation from the Cloud Team, both the mapping changes (https://github.com/elastic/integrations/issues/11040) and the transform changes (https://github.com/elastic/integrations/issues/11039) are now part of the same PR: https://github.com/elastic/integrations/pull/11158. This is to make the e2e testing for AWS SecurityHub with CSPM easier and to prevent bug fixes in multiple stages. cc: @maxcold, @narph
As part of supporting AWS SecurityHub for native Cloud Security (CSPM, KSPM, & CNVM) workflows, the following changes are required:
More details in the meta issue https://github.com/elastic/security-team/issues/9961