How to add AWS integration via Kibana CR?

Hello.

I tried to configure the Kibana custom resource with xpack.fleet.agentPolicies to add the AWS integration, without success. I have read a lot of documentation and done many experiments, and it looks like there is no support for that. Is that true?

Below are the details of some of my attempts.

The attempt to use policy_template:

This field is used when adding integration via the UI:

...
          package_policies:
            - name: aws
              package:
                name: aws
              namespace: quickstart
              inputs:
                - type: httpjson
                  enabled: true
                  policy_template: securityhub
...

There is an error:

2024-04-30 18:13:35.386  FATAL  Error: [config validation of [xpack.fleet].agentPolicies.1.package_policies.0.inputs.0.policy_template]: definition for this key is missing

The attempt to disable some integrations:

...
          package_policies:
            - name: aws
              package:
                name: aws
              namespace: quickstart
              inputs:
                - type: httpjson
                  enabled: false
                - type: aws-s3
                  enabled: false
...

There are errors:

2024-04-30 18:39:16.823  inputs.guardduty-httpjson.streams.aws.guardduty.vars.aws_region: AWS Region is required
2024-04-30 18:39:16.823  inputs.guardduty-httpjson.streams.aws.guardduty.vars.detector_id: Detector ID is required
2024-04-30 18:39:16.823  inputs.inspector-httpjson.streams.aws.inspector.vars.aws_region: AWS Region is required
2024-04-30 18:39:16.823  inputs.securityhub-httpjson.streams.aws.securityhub_insights.vars.aws_region: AWS Region is required
2024-04-30 18:39:16.823  inputs.securityhub-httpjson.streams.aws.securityhub_findings.vars.aws_region: AWS Region is required
2024-04-30 18:39:16.823  inputs.cloudfront-aws-s3.streams.aws.cloudfront_logs.vars.queue_url: Queue URL is required
2024-04-30 18:39:16.823  inputs.route53-aws-s3.streams.aws.route53_resolver_logs.vars.queue_url: Queue URL is required
2024-04-30 18:39:16.823  inputs.waf-aws-s3.streams.aws.waf.vars.queue_url: Queue URL is required
2024-04-30 18:39:16.823  inputs.s3-aws-s3.streams.aws.s3access.vars.queue_url: Queue URL is required
2024-04-30 18:39:16.823  inputs.firewall-aws-s3.streams.aws.firewall_logs.vars.queue_url: Queue URL is required
2024-04-30 18:39:16.823  [2024-04-30T15:39:16.822+00:00][ERROR][plugins.fleet] Package policy is invalid: inputs.elb-aws-s3.streams.aws.elb_logs.vars.queue_url: Queue URL is required

Hi, you could check the created config if you add the AWS Security Hub integration from the Kibana UI:

inputs:
  - id: httpjson-securityhub-0caa8e69-5656-4824-bdf5-c8716d0c880c
    name: aws-1
    revision: 1
    type: httpjson
    use_output: default
    meta:
      package:
        name: aws
        version: 2.15.2
    data_stream:
      namespace: default
    package_policy_id: 0caa8e69-5656-4824-bdf5-c8716d0c880c
    streams:
      - id: httpjson-aws.securityhub_findings-0caa8e69-5656-4824-bdf5-c8716d0c880c
        data_stream:
          dataset: aws.securityhub_findings
          type: logs
        config_version: 2
        interval: 1h
        request.timeout: 2m
        request.method: POST
        request.ssl: null
        request.url: 'https://securityhub.test.amazonaws.com/findings'
        request.transforms:
          - set:
              target: header.X-Amz-Date
              value: '[[formatDate (now) "20060102T150405Z"]]'
          - set:
              target: body.MaxResults
              value: 100
              value_type: int
          - set:
              target: body.SortCriteria
              value: '[{"Field":"UpdatedAt","SortOrder":"asc"}]'
              value_type: json
          - set:
              target: body.Filters.UpdatedAt
              value: >-
                [{ "Start": "[[formatDate (parseDate
                .cursor.last_execution_datetime "RFC3339") "2006-01-02T15"]]",
                "End": "[[formatDate (now) "2006-01-02T15"]]" }]
              default: >-
                [{ "Start": "[[formatDate (now (parseDuration "-24h"))
                "2006-01-02T15"]]", "End": "[[formatDate (now)
                "2006-01-02T15"]]" }]
              value_type: json
          - set:
              target: header.Authorization
              value: >-
                [[$now := (now)]][[(sprintf "AWS4-HMAC-SHA256
                Credential=/%s/test/securityhub/aws4_request,
                SignedHeaders=host;x-amz-date, Signature=%s" (formatDate ($now)
                "20060102") (hmac "sha256" (hexDecode (hmac "sha256" (hexDecode
                (hmac "sha256" (hexDecode (hmac "sha256" (hexDecode (hmac
                "sha256" "AWS4" (formatDate ($now) "20060102"))) "test"))
                "securityhub")) "aws4_request")) "AWS4-HMAC-SHA256\n"
                (formatDate ($now) "20060102T150405Z") "\n" (sprintf "%s/%s\n"
                (formatDate ($now) "20060102") "test/securityhub/aws4_request")
                (hash "sha256" "POST\n" "/findings\n" "\n"
                "host:securityhub.test.amazonaws.com\n" (sprintf
                "x-amz-date:%s\n\n" (formatDate ($now) "20060102T150405Z"))
                "host;x-amz-date\n" (hash "sha256" (sprintf `%s` .body)))))]]
        response.pagination:
          - set:
              target: body.NextToken
              value: >-
                [[if (eq (len .last_response.body.Findings)
                100)]][[.last_response.body.NextToken]][[end]]
              fail_on_template_error: true
          - delete:
              target: header.Authorization
          - set:
              target: header.Authorization
              value: >-
                [[$now := (now)]][[(sprintf "AWS4-HMAC-SHA256
                Credential=/%s/test/securityhub/aws4_request,
                SignedHeaders=host;x-amz-date, Signature=%s" (formatDate ($now)
                "20060102") (hmac "sha256" (hexDecode (hmac "sha256" (hexDecode
                (hmac "sha256" (hexDecode (hmac "sha256" (hexDecode (hmac
                "sha256" "AWS4" (formatDate ($now) "20060102"))) "test"))
                "securityhub")) "aws4_request")) "AWS4-HMAC-SHA256\n"
                (formatDate ($now) "20060102T150405Z") "\n" (sprintf "%s/%s\n"
                (formatDate ($now) "20060102") "test/securityhub/aws4_request")
                (hash "sha256" "POST\n" "/findings\n" "\n"
                "host:securityhub.test.amazonaws.com\n" (sprintf
                "x-amz-date:%s\n\n" (formatDate ($now) "20060102T150405Z"))
                "host;x-amz-date\n" (hash "sha256" (sprintf `%s` .body)))))]]
        cursor:
          last_execution_datetime:
            value: >-
              [[if (ne (len .last_response.body.Findings)
              100)]][[.last_event.UpdatedAt]][[end]]
        response.split:
          target: body.Findings
          ignore_empty_value: true
        tags:
          - forwarded
          - aws_securityhub_findings
        publisher_pipeline.disable_host: true
      - id: httpjson-aws.securityhub_insights-0caa8e69-5656-4824-bdf5-c8716d0c880c
        data_stream:
          dataset: aws.securityhub_insights
          type: logs
        config_version: 2
        interval: 1m
        request.timeout: 2m
        request.method: POST
        request.ssl: null
        request.url: 'https://securityhub.test.amazonaws.com/insights/get'
        request.transforms:
          - set:
              target: header.X-Amz-Date
              value: '[[(formatDate (now) "20060102T150405Z")]]'
          - set:
              target: body.MaxResults
              value: 100
              value_type: int
          - set:
              target: header.Authorization
              value: >-
                [[$now := (now)]][[(sprintf "AWS4-HMAC-SHA256
                Credential=/%s/test/securityhub/aws4_request,
                SignedHeaders=host;x-amz-date, Signature=%s" (formatDate ($now)
                "20060102") (hmac "sha256" (hexDecode (hmac "sha256" (hexDecode
                (hmac "sha256" (hexDecode (hmac "sha256" (hexDecode (hmac
                "sha256" "AWS4" (formatDate ($now) "20060102"))) "test"))
                "securityhub")) "aws4_request")) "AWS4-HMAC-SHA256\n"
                (formatDate ($now) "20060102T150405Z") "\n" (sprintf "%s/%s\n"
                (formatDate ($now) "20060102") "test/securityhub/aws4_request")
                (hash "sha256" "POST\n" "/insights/get\n" "\n"
                "host:securityhub.test.amazonaws.com\n" (sprintf
                "x-amz-date:%s\n\n" (formatDate ($now) "20060102T150405Z"))
                "host;x-amz-date\n" (hash "sha256" (sprintf `%s` .body)))))]]
        response.pagination:
          - set:
              target: body.NextToken
              value: >-
                [[if (eq (len .last_response.body.Insights)
                100)]][[.last_response.body.NextToken]][[end]]
              fail_on_template_error: true
          - delete:
              target: header.Authorization
          - set:
              target: header.Authorization
              value: >-
                [[$now := (now)]][[(sprintf "AWS4-HMAC-SHA256
                Credential=/%s/test/securityhub/aws4_request,
                SignedHeaders=host;x-amz-date, Signature=%s" (formatDate ($now)
                "20060102") (hmac "sha256" (hexDecode (hmac "sha256" (hexDecode
                (hmac "sha256" (hexDecode (hmac "sha256" (hexDecode (hmac
                "sha256" "AWS4" (formatDate ($now) "20060102"))) "test"))
                "securityhub")) "aws4_request")) "AWS4-HMAC-SHA256\n"
                (formatDate ($now) "20060102T150405Z") "\n" (sprintf "%s/%s\n"
                (formatDate ($now) "20060102") "test/securityhub/aws4_request")
                (hash "sha256" "POST\n" "/insights/get\n" "\n"
                "host:securityhub.test.amazonaws.com\n" (sprintf
                "x-amz-date:%s\n\n" (formatDate ($now) "20060102T150405Z"))
                "host;x-amz-date\n" (hash "sha256" (sprintf `%s` .body)))))]]
        response.split:
          target: body.Insights
          ignore_empty_value: true
        tags:
          - forwarded
          - aws_securityhub_insights
        publisher_pipeline.disable_host: true
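The nested `hmac`/`hexDecode` chain in the generated template above is an AWS Signature Version 4 computation spelled out by hand. As an added example (not from this thread or from Elastic), here is the same derivation in plain Python, keeping the template's region `test`, host and `/findings` path; the access key, secret key, request body and timestamp are constructed placeholders, since the thread's config has the credentials redacted.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed placeholders: the thread's config shows the access key and
# secret redacted (empty), which is why its innermost hmac key is just "AWS4".
ACCESS_KEY = "AKIDEXAMPLE"
SECRET_KEY = "EXAMPLESECRETKEY"
REGION, SERVICE = "test", "securityhub"
HOST, PATH = "securityhub.test.amazonaws.com", "/findings"
SAMPLE_BODY = '{"MaxResults":100}'                           # constructed request body
SAMPLE_NOW = datetime(2024, 4, 30, 18, 39, 16, tzinfo=timezone.utc)

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """Standard SigV4 derivation: kDate -> kRegion -> kService -> kSigning."""
    k = _hmac(("AWS4" + secret).encode(), date)
    k = _hmac(k, region)
    k = _hmac(k, service)
    return _hmac(k, "aws4_request")

def signing_key_template_style(secret: str, date: str, region: str, service: str) -> str:
    """Same derivation written the way the template does it: its `hmac` returns
    hex text, so every intermediate key is `hexDecode`d before being reused."""
    hexmac = lambda key, msg: hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()
    k = hexmac(("AWS4" + secret).encode(), date)
    k = hexmac(bytes.fromhex(k), region)
    k = hexmac(bytes.fromhex(k), service)
    return hexmac(bytes.fromhex(k), "aws4_request")

def authorization_header(body: str, now: datetime) -> str:
    """Canonical request -> string to sign -> signature, as in the template's sprintf."""
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")   # Go layout 20060102T150405Z
    date = now.strftime("%Y%m%d")               # Go layout 20060102
    scope = f"{date}/{REGION}/{SERVICE}/aws4_request"
    canonical_request = "\n".join([             # mirrors the (hash "sha256" "POST\n" ...) call
        "POST", PATH, "",                       # method, path, empty query string
        f"host:{HOST}", f"x-amz-date:{amz_date}", "",
        "host;x-amz-date",                      # signed headers
        hashlib.sha256(body.encode()).hexdigest(),
    ])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    sig = hmac.new(signing_key(SECRET_KEY, date, REGION, SERVICE),
                   string_to_sign.encode(), hashlib.sha256).hexdigest()
    return (f"AWS4-HMAC-SHA256 Credential={ACCESS_KEY}/{scope}, "
            f"SignedHeaders=host;x-amz-date, Signature={sig}")
```

Both key-derivation functions return the same key, which is the point: the template's four nested `hexDecode (hmac ...)` calls are the standard SigV4 chain, only expressed with hex strings because that is what httpjson's `hmac` returns.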

Hi, Julia!

Thank you for your reply.

These look like low-level details that could be hidden from the user's eyes. Can we hope for a more user-friendly configuration if we consider this issue in the context of ECK?