wiz: fix result.evaluation to be lowercased in cloud_configuration_finding (#10914)

* fix result.evaluation to be lowercased

* add PR link to the changelog

* Update packages/wiz/changelog.yml

Co-authored-by: Dan Kortschak <[email protected]>

---------

Co-authored-by: Dan Kortschak <[email protected]>
maxcold and efd6 authored Aug 30, 2024
1 parent 902829e commit 21d32e9
Showing 4 changed files with 13 additions and 8 deletions.
5 changes: 5 additions & 0 deletions packages/wiz/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "1.7.1"
changes:
- description: Lowercase `result.evaluation` values.
type: bugfix
link: https://github.com/elastic/integrations/pull/10914
- version: "1.7.0"
changes:
- description: Improve support for CDR in vulnerability data stream.
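Review bot: the entry `Lowercase \`result.evaluation\` values.` does not say what the previous values were or that an indexed field value changes, so anyone with saved queries, dashboards or detection rules matching the old literals `PASSED`, `FAILED` or `UNKNOWN` (see the pipeline hunk further down) will silently stop matching after upgrading to 1.7.1. Suggest spelling it out, e.g. `Lowercase \`result.evaluation\` values (\`PASSED\`/\`FAILED\`/\`UNKNOWN\` become \`passed\`/\`failed\`/\`unknown\`); update queries that match on the old values.`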
Expand Up @@ -36,7 +36,7 @@
"type": "POD"
},
"result": {
"evaluation": "FAILED"
"evaluation": "failed"
},
"rule": {
"description": "This rule is part of the Kubernetes [Pod Security Standards (PSS) restricted policies](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). \nThis rule checks whether the pod is running containers with authorized additional capabilities. \nThis rule fails if the `securityContext.capabilities.add` contains any capability beyond `NET_BIND_SERVICE` and if `securityContext.capabilities.drop` is not set to `ALL`. \nBy default, if the `securityContext.capabilities.add` key is not set, the pod will not run with additional capabilities, and the rule will pass. \nLinux capabilities allow granting certain privileges to a container without granting any unnecessary ones intended for the root user.",
Expand Down Expand Up @@ -115,7 +115,7 @@
"type": "USER_ACCOUNT"
},
"result": {
"evaluation": "PASSED"
"evaluation": "passed"
},
"rule": {
"description": "This rule checks if the AWS Root Account has access keys. \nThis rule fails if `AccountAccessKeysPresent` is not set to `0`. Note that it does not take into consideration the status of the keys if present. \nThe root account should avoid using access keys. Since the root account has full permissions across the entire account, creating access keys for it increases the chance that they will be compromised. Instead, it is recommended to create IAM users with predefined roles.\n>**Note** \nSee Cloud Configuration Rule `IAM-207` to see if the Root account's access keys are active.",
Expand Down Expand Up @@ -200,7 +200,7 @@
"type": "VIRTUAL_MACHINE"
},
"result": {
"evaluation": "PASSED",
"evaluation": "passed",
"evidence": {
"cloud_configuration_link": "https://learn.microsoft.com/en-us/azure/virtual-machines/states-billing",
"current_value": "The VM is stopped(allocated) since 2024-08-15",
Expand Down Expand Up @@ -293,7 +293,7 @@
"type": "VIRTUAL_MACHINE"
},
"result": {
"evaluation": "UNKNOWN"
"evaluation": "unknown"
},
"rule": {
"description": "This rule checks if the Virtual Machine (VM) is stopped (and not deallocated) for at least a week. \nThis rule fails if `code: PowerState/stopped` and the timestamp was more than 7 days ago. \nWhen you are logged in to the operating system of an Azure VM, you can issue a command to shut down the server (or via Azure CLI). This will kick you out of the OS and stop all processes but will maintain the allocated hardware (including the IP addresses currently assigned). If you find the VM in the Azure console, you will see the state listed as `Stopped`. The biggest thing you need to know about this state is that **you are still being charged by the hour for this instance**. \nFor cost optimization and management purposes, it is recommended to deallocate (charges no longer apply) VMs that have been stopped for more than a week.",
Expand Up @@ -254,19 +254,19 @@ processors:
- set:
field: result.evaluation
tag: set_result_evaluation_passed
value: 'PASSED'
value: 'passed'
if: ctx?.wiz?.cloud_configuration_finding?.result == 'PASS'
ignore_empty_value: true
- set:
field: result.evaluation
tag: set_result_evaluation_failed
value: 'FAILED'
value: 'failed'
if: ctx?.wiz?.cloud_configuration_finding?.result == 'FAIL'
ignore_empty_value: true
- set:
field: result.evaluation
tag: set_result_evaluation_unknown
value: 'UNKNOWN'
value: 'unknown'
if: ctx?.wiz?.cloud_configuration_finding?.result != 'PASS' && ctx?.wiz?.cloud_configuration_finding?.result != 'FAIL'
ignore_empty_value: true
- set:
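Review bot: the `set_result_evaluation_unknown` condition `result != 'PASS' && result != 'FAIL'` is also true when `wiz.cloud_configuration_finding.result` is absent, because `ctx?.wiz?.cloud_configuration_finding?.result` then evaluates to null and `null != 'PASS'` holds in Painless, so events with no source result get `result.evaluation: unknown` instead of no value; `ignore_empty_value: true` does not change this because the literal `'unknown'` is never empty. If that is the intended default it deserves a comment; otherwise prepend `ctx.wiz?.cloud_configuration_finding?.result != null &&` to the condition. The comparisons are also case-sensitive, so a lowercase `pass`/`fail` from the source would land in the unknown branch while the new output values are now lowercase.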
2 changes: 1 addition & 1 deletion packages/wiz/manifest.yml
@@ -1,7 +1,7 @@
format_version: 3.0.2
name: wiz
title: Wiz
version: "1.7.0"
version: "1.7.1"
description: Collect logs from Wiz with Elastic Agent.
type: integration
categories: