[aws] Update inspector data stream for Cloud Detection and Response (CDR) workflow

[brijesh-elastic]

Proposed commit message

aws: Update inspector data stream for Cloud Detection and Response (CDR) workflow

Add ECS mappings and latest transform to aws.inspector datastream 
to help with the Cloud Native Vulnerability Management (CNVM)[1] workflow.

Enabled agentless deployment for the `inspector` datastream.
Parse and map the newly introduced fields in the `inspector` datastream.

[1] https://www.elastic.co/guide/en/security/current/vuln-management-overview.html

Note

To Reviewers:

• Please refer to this guide: https://docs.elastic.dev/security-solution/cloud-security/cdr/3p-dev-guide which was used for proposed changes.

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.
• I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

• Clone integrations repo.
• Install elastic package locally.
• Start elastic stack using elastic-package.
• Move to integrations/packages/aws directory.
• Run the following command to run tests.

elastic-package test

Related issues

• Closes AWS Inspector: Implement mappings for Cloud Security Workflows #13902
• Closes AWS Inspector: Implement transform for Cloud Security Workflows #13903
• Relates [meta][CDR] Update Amazon Inspector integration to Leverage Native CDR Workflows #13901

[elasticmachine]

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

[brijesh-elastic]

@maxcold, I've updated the integration title and all other references of AWS Inspector to Amazon Inspector. See Product Page and Documentation Page.

[elastic-vault-github-plugin-prod]

🚀 Benchmarks report

Package aws 👍(17) 💚(2) 💔(3)

Expand to view

Data stream	Previous EPS	New EPS	Diff (%)	Result
inspector	1652.89	1044.93	-607.96 (-36.78%)	💔
lambda_logs	10526.32	8264.46	-2261.86 (-21.49%)	💔
s3access	5464.48	3952.57	-1511.91 (-27.67%)	💔

To see the full report comment with /test benchmark fullreport

[efd6]

Suggested change

	3. Because the latest copy of vulnerabilities is now indexed in two places, i.e., in both source and destination indices, users must anticipate storage requirements accordingly.
	3. Because the latest copy of vulnerabilities is now indexed in two places, that is, in both source and destination indices, users must anticipate storage requirements accordingly.

The number in the first clause is confusing; is it one copy for each of the vulnerabilities (arguably plural) or is it one copy of the set of vulnerabilities (singular but would be helped by inclusion of "set of")?

[efd6]

Please revert this change.

[efd6]

Pretty print the JSON and use minify_json.

[efd6]

Suggested change

	if: ctx.aws?.inspector?.type == 'PACKAGE_VULNERABILITY' && ctx.aws?.inspector?.package_vulnerability_details?.vulnerability_id.startsWith('CVE')
	if: ctx.aws?.inspector?.type == 'PACKAGE_VULNERABILITY' && ctx.aws?.inspector?.package_vulnerability_details?.vulnerability_id?.startsWith('CVE') == true

(if ctx.aws?.inspector?.package_vulnerability_detail?.vulnerability_id is null, the call will fail and even with the ? protecting the call, it will resolve to null, which is not a boolean, so we cannot use the expression as a boolean)

[efd6]

Suggested change

	"markdown": "[Inspector Findings Overview Dashboard](#/dashboard/aws-131a1550-5a0b-11ed-a807-bd2da8f2e79b) | [Inspector Severity Dashboard](#/dashboard/aws-60881ab0-63e0-11ed-be08-4b4db5223139) | [Inspector Vulnerabilities Dashboard](#/dashboard/aws-383d4630-63df-11ed-be08-4b4db5223139) | [Inspector EC2 and ECR Overview Dashboard](#/dashboard/aws-63984b70-63e1-11ed-be08-4b4db5223139) ",
	"markdown": "**Inspector Findings Overview Dashboard** | [Inspector Severity Dashboard](#/dashboard/aws-60881ab0-63e0-11ed-be08-4b4db5223139) | [Inspector Vulnerabilities Dashboard](#/dashboard/aws-383d4630-63df-11ed-be08-4b4db5223139) | [Inspector EC2 and ECR Overview Dashboard](#/dashboard/aws-63984b70-63e1-11ed-be08-4b4db5223139) ",

We don't need a link to the page we are on.

[efd6]

Suggested change

	"markdown": "[Inspector Findings Overview Dashboard](#/dashboard/aws-131a1550-5a0b-11ed-a807-bd2da8f2e79b) | [Inspector Severity Dashboard](#/dashboard/aws-60881ab0-63e0-11ed-be08-4b4db5223139) | [Inspector Vulnerabilities Dashboard](#/dashboard/aws-383d4630-63df-11ed-be08-4b4db5223139) | [Inspector EC2 and ECR Overview Dashboard](#/dashboard/aws-63984b70-63e1-11ed-be08-4b4db5223139) ",
	"markdown": "[Inspector Findings Overview Dashboard](#/dashboard/aws-131a1550-5a0b-11ed-a807-bd2da8f2e79b) | [Inspector Severity Dashboard](#/dashboard/aws-60881ab0-63e0-11ed-be08-4b4db5223139) | **Inspector Vulnerabilities Dashboard** | [Inspector EC2 and ECR Overview Dashboard](#/dashboard/aws-63984b70-63e1-11ed-be08-4b4db5223139) ",

[efd6]

Suggested change

	"markdown": "[Inspector Findings Overview Dashboard](#/dashboard/aws-131a1550-5a0b-11ed-a807-bd2da8f2e79b) | [Inspector Severity Dashboard](#/dashboard/aws-60881ab0-63e0-11ed-be08-4b4db5223139) | [Inspector Vulnerabilities Dashboard](#/dashboard/aws-383d4630-63df-11ed-be08-4b4db5223139) | [Inspector EC2 and ECR Overview Dashboard](#/dashboard/aws-63984b70-63e1-11ed-be08-4b4db5223139) ",
	"markdown": "[Inspector Findings Overview Dashboard](#/dashboard/aws-131a1550-5a0b-11ed-a807-bd2da8f2e79b) | **Inspector Severity Dashboard** | [Inspector Vulnerabilities Dashboard](#/dashboard/aws-383d4630-63df-11ed-be08-4b4db5223139) | [Inspector EC2 and ECR Overview Dashboard](#/dashboard/aws-63984b70-63e1-11ed-be08-4b4db5223139) ",

[efd6]

Suggested change

	"markdown": "[Inspector Findings Overview Dashboard](#/dashboard/aws-131a1550-5a0b-11ed-a807-bd2da8f2e79b) | [Inspector Severity Dashboard](#/dashboard/aws-60881ab0-63e0-11ed-be08-4b4db5223139) | [Inspector Vulnerabilities Dashboard](#/dashboard/aws-383d4630-63df-11ed-be08-4b4db5223139) | [Inspector EC2 and ECR Overview Dashboard](#/dashboard/aws-63984b70-63e1-11ed-be08-4b4db5223139) ",
	"markdown": "[Inspector Findings Overview Dashboard](#/dashboard/aws-131a1550-5a0b-11ed-a807-bd2da8f2e79b) | [Inspector Severity Dashboard](#/dashboard/aws-60881ab0-63e0-11ed-be08-4b4db5223139) | [Inspector Vulnerabilities Dashboard](#/dashboard/aws-383d4630-63df-11ed-be08-4b4db5223139) | **Inspector EC2 and ECR Overview Dashboard**",

[brijesh-elastic]

@maxcold, I'm using the aws.inspector.transform_unique_id field as the unique key in the transform because if I use individual fields (vulnerability.id, resource.id, package.id, package.version), the transforms behave strangely. The destination index has a higher event count than the source index, which seems to be caused by the fields resource.id, package.id, and package.version being arrays.

[kcreddy]

@maxcold, here's the logic for calculating aws.inspector.transform_unique_id

integrations/packages/aws/data_stream/inspector/elasticsearch/ingest_pipeline/default.yml

Lines 1150 to 1154 in bbd4c37

	- set:
	field: aws.inspector.transform_unique_id
	tag: set_transform_unique_id
	value: '{{vulnerability.id}}|{{resource.id}}|{{package.name}}|{{package.version}}'
	if: ctx.aws?.inspector?.type == 'PACKAGE_VULNERABILITY'

[maxcold]

thanks! I think it makes sense. I wonder when resource.id can be an array. I guess we had similar situation with AWS Security Hub when resource was defined as array in the docs but we couldn't find any example in the real data. Did you see this case with Amazon Inspector in the wild?
anyway, the unique key logic seems reasonable to me!

[brijesh-elastic]

In Amazon Inspector also we're getting the single element in resources.

[kcreddy]

guess we had similar situation with AWS Security Hub when resource was defined as array in the docs but we couldn't find any example in the real data. Did you see this case with Amazon Inspector in the wild?

It is similar to AWS SecurityHub.
Added a comment here: https://github.com/elastic/security-team/issues/10753#issuecomment-2921417448

[kcreddy]

@jamiehynds @cpascale43 , we are changing AWS Inspector into Amazon Inspector as it should be with this change. We are only changing UI elements and not updating any field names, so the custom fields are still aws.inspector.*.
Let me know if you have any concerns.

[kcreddy]

@maxcold, current kibana version constraint is following:

kibana:
    version: "~8.16.6 || ~8.17.4 || ^8.18.0 || ^9.0.0"

In Inspector, we don't have missing CVE values for package vulnerabilities. Also, it is not an array and always contain single values. For example: vulnerability.id: CVE-2025-38000

Do we still need to bump the minimum versions here? Related to multiple/empty CVEs: #14079 (comment)

[maxcold]

@kcreddy thanks for highlighting it! I need to test the integration with 8.18 and 9.0 to check that. Right now I'm testing with the latest 9.1 snapshot, will play with 8.18/9.0 version later

[maxcold]

When testing 8.18 I realised that we don't support multiple packages in this version and also have some other rough edges. I think we will need to bump to ^8.19.0 || ^9.1.0" but let's wait for product feedback as well

[kcreddy]

aws integration has shared ownership. If we are completely removing support for 8.17 and 8.18, we need everyone's approval on this.
Is it possible to backport this support multiple packages to 8.17.9 and 8.18.4?

[kcreddy]

This is existing ECS field. Does the build or tests fail if its not defined manually?
Similar for other ECS fields.

[kcreddy]

Add descriptions per CDR guide.

[kcreddy]

Add description per CDR guide

[kcreddy]

@maxcold, this is set to Amazon Inspector as opposed to AWS Inspector as discussed before. FYI.
https://docs.aws.amazon.com/inspector/. Let me know if you have any concern.

[maxcold]

I think it works for CDR usecases!

[kcreddy]

@maxcold, here's the logic for calculating aws.inspector.transform_unique_id

integrations/packages/aws/data_stream/inspector/elasticsearch/ingest_pipeline/default.yml

Lines 1150 to 1154 in bbd4c37

	- set:
	field: aws.inspector.transform_unique_id
	tag: set_transform_unique_id
	value: '{{vulnerability.id}}|{{resource.id}}|{{package.name}}|{{package.version}}'
	if: ctx.aws?.inspector?.type == 'PACKAGE_VULNERABILITY'

[maxcold]

@kcreddy @brijesh-elastic While testing I see that we don't have the resource.name , I guess it was discussed during the mapping, but I realised that for EC2 instances we can rely on the Name tag (it might not be present, but when it is it represents the instance name). Wdyt about using it as resource.name?

[kcreddy]

@kcreddy @brijesh-elastic While testing I see that we don't have the resource.name , I guess it was discussed during the mapping, but I realised that for EC2 instances we can rely on the Name tag (it might not be present, but when it is it represents the instance name). Wdyt about using it as resource.name?

@maxcold, that sounds reasonable. We will also populate host.name based on this tag (only if present) as we don't have that as well.

[brijesh-elastic]

@kcreddy @brijesh-elastic While testing I see that we don't have the resource.name , I guess it was discussed during the mapping, but I realised that for EC2 instances we can rely on the Name tag (it might not be present, but when it is it represents the instance name). Wdyt about using it as resource.name?

@maxcold, that sounds reasonable. We will also populate host.name based on this tag (only if present) as we don't have that as well.

Populated resource.name and host.name in the 34a8fd6

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: b9b2494

History

• 💚 Build #27693 succeeded 671472d
• 💚 Build #27603 succeeded bbd4c37

cc @brijesh-elastic

[elastic-sonarqube]

Quality Gate failed

Failed conditions
65.8% Coverage on New Code (required ≥ 80%)

See analysis details on SonarQube