So I just enabled Azure CSPM (8.12.2) and I have some questions:
Is there a way to snooze / acknowledge / ignore findings? Some of the findings are not applicable to our organization and we would like to ignore them or acknowledge them.
Where is the compliance score stored? Or is it a calculated value? I would like to show this score on a custom dashboard we use for reporting to our management. How can I create a Lens metric visualisation which shows this score?
Is there a way to visualize the evolution of the compliance score? If we'd fix some things, I'd like to show to my management the evolution of our compliance score somehow.
@willemdh Thank you for your questions and exploring latest Azure CSPM coverage in our Product. Please find responses below:
Is there a way to snooze / acknowledge / ignore findings? Some of the findings are not applicable to our organization and we would like to ignore them or acknowledge them.
It was one of the top asks from customers and we have prioritised and worked on delivering this capability in version 8.13, which will be released later this month. We plan to release the "enable/disable" functionality for benchmark rules. It will be possible to disable/mute specific rules so they are not producing any findings and don't participate in the score calculation. Look out for 8.13 release updates.
Where is the compliance score stored? Or is it a calculated value? I would like to show this score on a custom dashboard we use for reporting to our management. How can I create a Lens metric visualisation which shows this score?
The percentage score is a calculated value, but all the base numbers for the score are stored in the index logs-cloud_security_posture.scores-default and it should be possible to use it in Lens. You need to create a Data View with this index first so it shows up in Lens, but then you should be able to build any custom visualisation based on this data.
Is there a way to visualize the evolution of the compliance score? If we'd fix some things, I'd like to show to my management the evolution of our compliance score somehow.
Should be possible with a custom visualisation. The score data is stored in the logs-cloud_security_posture.scores-default index every 5 mins, so it is possible to show a trendline of the score.
Is it documented somewhere which Azure URLs need to be accessible so I can open only those in our perimeter firewall? For example, which URLs in this list do I need to open?
We recommend enabling all listed endpoints in Microsoft's documentation.
Let me know if you have any follow up questions on these or related topics.
@smriti0321 Are you sure I should be able to recreate the percentage score? I gave it a try, but the low / medium / high / critical scores always seem 0...
hi @willemdh, on the screenshot I see that you are looking at documents with policy_template: vuln_mgmt. The index logs-cloud_security_posture.scores-default contains scores from all our integrations CSPM, KSPM, and CNVM. Here is how you can distinguish them:
CSPM: policy_template: cspm
KSPM: policy_template: kspm
CNVM: policy_template: vuln_mgmt
As you mentioned that you installed CSPM Azure, look for documents with policy_template: cspm. Mind that they have a different structure than the vuln_mgmt ones, so you won't have critical, high, etc. attributes on them, but there should be other attributes you can use for your use case, e.g. failed_findings and passed_findings.
Do you see any data in Security > Dashboards > Cloud Security Posture (the URL should be /app/security/cloud_security_posture/dashboard/cspm)? Do you see any findings in Security > Findings > Misconfigurations?
The stats for the indices you see in Stack Management > Index Management > Indices when you search for logs-cloud_security_posture in the search bar would also be helpful.
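To make the answer above concrete, here is an added example (not code from the thread or from Elastic) that filters score documents by policy_template and derives a percentage score and trendline from passed_findings and failed_findings. The document shape and the formula passed / (passed + failed) * 100 are assumptions for illustration; the sample documents are constructed, and the vuln_mgmt document shows why the critical/high/medium/low fields read as 0 when one looks at the wrong policy_template.

```python
"""Added example: compute a CSPM compliance score and trendline from
documents shaped like those in logs-cloud_security_posture.scores-default.
Assumptions (not taken from the thread): each document carries @timestamp,
policy_template, passed_findings and failed_findings, and the percentage
score is passed / (passed + failed) * 100."""
from datetime import datetime

SCORES_INDEX = "logs-cloud_security_posture.scores-default"

# Query body one could paste into Kibana Dev Tools as
# GET logs-cloud_security_posture.scores-default/_search
# (constructed; it only assumes the policy_template field named in the thread).
CSPM_SCORES_QUERY = {
    "size": 500,
    "sort": [{"@timestamp": "asc"}],
    "query": {"term": {"policy_template": "cspm"}},
}

# Constructed sample documents mimicking the scores index; note the
# vuln_mgmt document has a different structure (severity counts only).
SAMPLE_DOCS = [
    {"@timestamp": "2024-03-15T15:25:00.000Z", "policy_template": "cspm",
     "passed_findings": 300, "failed_findings": 231},
    {"@timestamp": "2024-03-15T15:30:00.000Z", "policy_template": "kspm",
     "passed_findings": 50, "failed_findings": 10},
    {"@timestamp": "2024-03-15T15:30:00.000Z", "policy_template": "cspm",
     "passed_findings": 320, "failed_findings": 211},
    {"@timestamp": "2024-03-15T15:35:00.000Z", "policy_template": "vuln_mgmt",
     "critical": 0, "high": 0, "medium": 0, "low": 0},
    {"@timestamp": "2024-03-15T15:35:00.000Z", "policy_template": "cspm",
     "passed_findings": 400, "failed_findings": 131},
]


def compliance_score(passed: int, failed: int) -> float:
    """Percentage of passed findings, rounded to one decimal (assumed formula)."""
    total = passed + failed
    if total == 0:
        return 0.0  # no findings evaluated yet: avoid a division by zero
    return round(passed / total * 100, 1)


def score_trend(docs, policy_template="cspm"):
    """Return [(timestamp, score), ...] sorted by time for one policy_template.

    Documents of another template, or without the pass/fail counters
    (e.g. vuln_mgmt), are skipped rather than reported as 0."""
    points = []
    for doc in docs:
        if doc.get("policy_template") != policy_template:
            continue
        if "passed_findings" not in doc or "failed_findings" not in doc:
            continue
        ts = datetime.fromisoformat(doc["@timestamp"].replace("Z", "+00:00"))
        points.append((ts, compliance_score(doc["passed_findings"],
                                            doc["failed_findings"])))
    points.sort(key=lambda p: p[0])
    return points


def latest_score(docs, policy_template="cspm"):
    """Most recent score for the template, or None if no usable document exists."""
    trend = score_trend(docs, policy_template)
    return trend[-1][1] if trend else None


if __name__ == "__main__":
    for ts, score in score_trend(SAMPLE_DOCS):
        print(ts.isoformat(), f"{score}%")
    print("latest CSPM score:", latest_score(SAMPLE_DOCS))
```

The same filter (policy_template: cspm) is what a Lens Data View on the scores index needs so that the metric and the trendline are not diluted by KSPM or CNVM documents.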
health status index uuid pri rep docs.count docs.deleted creation.date.string store.size pri.store.size
green open .ds-logs-cloud_security_posture.findings-default-2024.03.15-000001 ex-rujcBRr-6biMof8YEsQ 1 1 19077 0 2024-03-15T15:23:21.955Z 65.2mb 32.6mb
green open .ds-logs-cloud_security_posture.findings-default-2024.04.14-000002 0dwgNQDkRVedn5UkvcOcMA 1 1 5841 0 2024-04-14T15:24:23.705Z 21.1mb 10.5mb
green open logs-cloud_security_posture.findings_latest-default TBa-oWEXTZarG8pTkLCb4w 1 1 531 0 2024-03-14T15:23:09.353Z 1.9mb 1007kb
green open logs-cloud_security_posture.scores-default VEGDQvXWTFm9zfHvuqMPNg 1 1 10164 0 2024-03-14T15:23:09.682Z 1.2mb 648.9kb
green open logs-cloud_security_posture.vulnerabilities_latest-default BtbkSROYT5WkziDp2u7pMA 1 1 0 0 2024-03-14T15:23:10.012Z 498b 249b
Thanks for providing more information! I'm assuming you also have data in the Compliance Score, trendline, and the split between failed and passed findings. This data is based on the policy_template: cspm documents in logs-cloud_security_posture.scores-default, unless I'm missing something obvious.
You can try doing the following request in the Dev Tools of Kibana (search for Dev Tools in the global Kibana search)
This is interesting, I'm out of obvious ideas. It seems it requires a more thorough investigation, I'll get back to you after I do some digging myself into why it can happen that you don't see documents in logs-cloud_security_posture.scores-default index while the CSPM dashboard works fine.
In the meantime, you can also check if you have any special setup around access control (in Users and Roles), look in more detail into the documents of logs-cloud_security_posture.scores-default (what policy_template values you have there on the documents), and check whether you can spot something off with this index in the Index Management.
@willemdh one more thing I want to check: do you see the trendlines in the CSP dashboard? Or do you see a "No data to display" message instead of trendlines? Here is how the trendline chart should look.
@willemdh thanks for your patience and for providing all this information! You seem to have hit a bug which we fixed in 8.13. We are working on a fix for 8.12; it should be a part of an integration version update, not the stack update, when implemented. We will keep you posted on the progress. The bug leads to no CSPM data being stored in the scores index, therefore you only see the current posture, but not the history and trendline.
As mentioned by @maxcold, we worked on backporting the fix for Kibana 8.12, a fix was patched today, and the only step to apply the fix is to upgrade the Security Posture Management integration to v1.7.5.
You can refer to this documentation about how to upgrade an integration in case it was not set for automatic upgrades.
Once the Security Posture Management integration is upgraded to version 1.7.5, the Dashboard should be fixed the next time the Elastic Agent sends the Azure findings data.
Once again, thank you for providing all the information and exploring Azure CSPM coverage in Elastic.
So weird, I didn't update CSPM Integration, but now it is on 1.7.5 and we have a trendline now. So is this the only integration which is automatically updated?
Just an FYI, we have another CSPM related issue where superusers can see the findings in all Spaces, but our cloud engineers can only see it in the default Space (to which they do not have full access). This is not very logical. See support case 01585364 and enhancement request 21439.