From f7bf8e6272f9b997a933391c336a22a85120cf82 Mon Sep 17 00:00:00 2001
From: kcreddy
Date: Wed, 7 Jan 2026 14:27:10 +0530
Subject: [PATCH 1/3] Remove deprecated `sourceRule` field from the issue data stream.
---
 packages/wiz/changelog.yml | 5 ++
 .../pipeline/test-issue.log-expected.json | 79 -------------------
 .../elasticsearch/ingest_pipeline/default.yml | 36 +--------
 .../wiz/data_stream/issue/fields/fields.yml | 46 -----------
 .../wiz/data_stream/issue/sample_event.json | 61 ++------------
 packages/wiz/docs/README.md | 72 ++----------------
 packages/wiz/manifest.yml | 2 +-
 7 files changed, 20 insertions(+), 281 deletions(-)
diff --git a/packages/wiz/changelog.yml b/packages/wiz/changelog.yml
index 5259236e965..0baec45e5d6 100644
--- a/packages/wiz/changelog.yml
+++ b/packages/wiz/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "4.0.0"
+ changes:
+ - description: Remove `sourceRule` field from the issue data stream.
+ type: breaking-change
+ link: https://github.com/elastic/integrations/pull/1
 - version: "3.12.0"
 changes:
 - description: |
diff --git a/packages/wiz/data_stream/issue/_dev/test/pipeline/test-issue.log-expected.json b/packages/wiz/data_stream/issue/_dev/test/pipeline/test-issue.log-expected.json
index 8f1add1f544..7b2e04e9048 100644
--- a/packages/wiz/data_stream/issue/_dev/test/pipeline/test-issue.log-expected.json
+++ b/packages/wiz/data_stream/issue/_dev/test/pipeline/test-issue.log-expected.json
@@ -133,36 +133,6 @@
 }
 ],
 "severity": "INFORMATIONAL",
- "source_rule": {
- "__typename": "CloudEventRule",
- "cloud_event_rule_description": "SSH server was executed. This could indicate the presence of a threat actor setting up a backdoor connection.",
- "id": "cer-sen-id-001",
- "name": "SSH server was executed",
- "risks": [
- "UNPROTECTED_DATA",
- "RELIABILITY_IMPACT"
- ],
- "security_sub_categories": [
- {
- "category": {
- "framework": {
- "name": "Wiz for Threat Detection"
- },
- "name": "C2 & Exfiltration"
- },
- "title": "Remote shell"
- },
- {
- "category": {
- "framework": {
- "name": "MITRE ATT&CK Matrix"
- },
- "name": "Lateral Movement"
- },
- "title": "Remote Services: SSH"
- }
- ]
- },
 "source_rules": [
 {
 "__typename": "CloudEventRule",
@@ -385,55 +355,6 @@
 }
 ],
 "severity": "INFORMATIONAL",
- "source_rule": {
- "__typename": "Control",
- "control_description": "These EKS principals assume roles that provide bind, escalate and impersonate permissions. \n\nThe `bind` permission allows users to create bindings to roles with rights they do not already have. The `escalate` permission allows users effectively escalate their privileges. The `impersonate` permission allows users to impersonate and gain the rights of other users in the cluster. Running containers with these permissions has the potential to effectively allow privilege escalation to the cluster-admin level.",
- "id": "wc-id-1335",
- "name": "EKS principals assume roles that provide bind, escalate and impersonate permissions",
- "resolution_recommendation": "To follow the principle of least privilege and minimize the risk of unauthorized access and data breaches, it is recommended not to grant `bind`, `escalate` or `impersonate` permissions.",
- "risks": [
- "INSECURE_KUBERNETES_CLUSTER",
- "VULNERABILITY"
- ],
- "security_sub_categories": [
- {
- "category": {
- "framework": {
- "name": "CIS EKS 1.2.0"
- },
- "name": "4.1 RBAC and Service Accounts"
- },
- "title": "4.1.8 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster - Level 1 (Manual)"
- },
- {
- "category": {
- "framework": {
- "name": "Wiz for Risk Assessment"
- },
- "name": "Identity Management"
- },
- "title": "Privileged principal"
- },
- {
- "category": {
- "framework": {
- "name": "Wiz"
- },
- "name": "9 Container Security"
- },
- "title": "Container Security"
- },
- {
- "category": {
- "framework": {
- "name": "Wiz for Risk Assessment"
- },
- "name": "Container & Kubernetes Security"
- },
- "title": "Cluster misconfiguration"
- }
- ]
- },
 "source_rules": [
 {
 "__typename": "Control",
diff --git a/packages/wiz/data_stream/issue/elasticsearch/ingest_pipeline/default.yml b/packages/wiz/data_stream/issue/elasticsearch/ingest_pipeline/default.yml
index 64c1526cf6c..3eaf203c639 100644
--- a/packages/wiz/data_stream/issue/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/wiz/data_stream/issue/elasticsearch/ingest_pipeline/default.yml
@@ -332,50 +332,25 @@ processors:
 lang: painless
 source: |
 def sourceRulesList = new ArrayList();
- ctx.wiz.issue.source_rule = ctx.wiz.issue.source_rule ?: [:];
 for (def rule : ctx.json.sourceRules) {
- boolean doSourceRule = sourceRulesList.size() == 0;
 def mappedRule = new HashMap();
 if (rule.__typename != null) {
 mappedRule.put('__typename', rule.__typename);
- if (doSourceRule) {
- ctx.wiz.issue.source_rule.__typename = rule.__typename;
- }
 }
 if (rule.id != null) {
 mappedRule.put('id', rule.id);
- if (doSourceRule) {
- ctx.wiz.issue.source_rule.id = rule.id;
- }
 }
 if (rule.name != null) {
 mappedRule.put('name', rule.name);
- if (doSourceRule) {
- ctx.wiz.issue.source_rule.name = rule.name;
- }
 }
 if (rule.description != null) {
 mappedRule.put('description', rule.description);
- if (doSourceRule && (rule.__typename != null)) {
- if (rule.__typename == "Control") {
- ctx.wiz.issue.source_rule.control_description = rule.description;
- }
- if (rule.__typename == "CloudConfigurationEvent") {
- ctx.wiz.issue.source_rule.control_cloud_configuration_rule_description = rule.description;
- }
- if (rule.__typename == "CloudEventRule") {
- ctx.wiz.issue.source_rule.cloud_event_rule_description = rule.description;
- }
- if (ctx.message == null) {
- ctx.message = rule.description;
- }
+ if (ctx.message == null) {
+ ctx.message = rule.description;
 }
 }
 if (rule.resolutionRecommendation != null) {
 mappedRule.put('resolution_recommendation', rule.resolutionRecommendation);
- if (doSourceRule) {
- ctx.wiz.issue.source_rule.resolution_recommendation = rule.resolutionRecommendation;
- }
 }
 if (rule.remediationInstructions != null) {
 mappedRule.put('remediation_instructions', rule.remediationInstructions);
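Review bot: The `ctx.message` fallback in the description branch now fires for the first rule in `sourceRules` that carries a `description`, whereas the removed code populated `message` only from the first rule of the list and only when that rule also had a `__typename`; neither the hunk nor the 4.0.0 changelog entry calls out this widening. It is probably a deliberate simplification (a leading rule without `__typename` no longer leaves `message` unset), but if the old gate is meant to survive the cleanup it should be kept as `if (ctx.message == null && rule.__typename != null) {`, and otherwise a one-line changelog note would help users who alert on `message`. The loop still iterates `ctx.json.sourceRules` with no null check visible here; presumably the script processor's `if:` condition guards that, but it lies outside the hunk, as does the rest of the processor body.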
@@ -384,15 +359,9 @@ processors:
 def risksList = new ArrayList();
 risksList.addAll(rule.risks);
 mappedRule.put('risks', risksList);
- if (doSourceRule) {
- ctx.wiz.issue.source_rule.risks = risksList;
- }
 }
 if (rule.securitySubCategories != null) {
 mappedRule.put('security_sub_categories', rule.securitySubCategories);
- if (doSourceRule) {
- ctx.wiz.issue.source_rule.security_sub_categories = rule.securitySubCategories;
- }
 }
 if (rule.type != null) {
 mappedRule.put('type', rule.type);
@@ -447,7 +416,6 @@ processors:
 - wiz.issue.entity_snapshot.region
 - wiz.issue.created_at
 - wiz.issue.id
- - wiz.issue.source_rule.control_description
 tag: remove_custom_duplicate_fields
 ignore_missing: true
 if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields'))
diff --git a/packages/wiz/data_stream/issue/fields/fields.yml b/packages/wiz/data_stream/issue/fields/fields.yml
index dcc10dbaf96..ffba5add299 100644
--- a/packages/wiz/data_stream/issue/fields/fields.yml
+++ b/packages/wiz/data_stream/issue/fields/fields.yml
@@ -96,52 +96,6 @@
 type: keyword
 - name: severity
 type: keyword
- - name: source_rule
- type: group
- description: DEPRECATED. Use `wiz.issue.source_rules` instead.
- fields:
- - name: __typename
- type: keyword
- description: DEPRECATED. Use `wiz.issue.source_rules.__typename` instead.
- - name: control_description
- type: keyword
- description: DEPRECATED. Use `wiz.issue.source_rules.description` instead.
- - name: cloud_configuration_rule_description
- type: keyword
- description: DEPRECATED. Use `wiz.issue.source_rules.description` instead.
- - name: cloud_event_rule_description
- type: keyword
- description: DEPRECATED. Use `wiz.issue.source_rules.description` instead.
- - name: id
- type: keyword
- description: DEPRECATED. Use `wiz.issue.source_rules.id` instead.
- - name: name
- type: keyword
- description: DEPRECATED. Use `wiz.issue.source_rules.name` instead.
- - name: resolution_recommendation
- type: keyword
- description: DEPRECATED. Use `wiz.issue.source_rules.resolution_recommendation` instead.
- - name: risks
- type: keyword
- description: DEPRECATED. Use `wiz.issue.source_rules.risks` instead.
- - name: security_sub_categories
- type: group
- fields:
- - name: category
- type: group
- fields:
- - name: framework
- type: group
- fields:
- - name: name
- type: keyword
- description: DEPRECATED. Use `wiz.issue.source_rules.security_sub_categories.category.framework.name` instead.
- - name: name
- type: keyword
- description: DEPRECATED. Use `wiz.issue.source_rules.security_sub_categories.category.name` instead.
- - name: title
- type: keyword
- description: DEPRECATED. Use `wiz.issue.source_rules.security_sub_categories.title` instead.
 - name: source_rules
 type: nested
 fields:
diff --git a/packages/wiz/data_stream/issue/sample_event.json b/packages/wiz/data_stream/issue/sample_event.json
index 5829593d450..ffa2e58e5b0 100644
--- a/packages/wiz/data_stream/issue/sample_event.json
+++ b/packages/wiz/data_stream/issue/sample_event.json
@@ -1,9 +1,9 @@
 {
 "@timestamp": "2023-07-21T06:26:08.708Z",
 "agent": {
- "ephemeral_id": "9008eaae-3456-45c8-9996-e12593b2c6b2",
- "id": "67cc7f85-76c3-477e-b1ee-49709af2264a",
- "name": "elastic-agent-68256",
+ "ephemeral_id": "8ed8aec5-5335-4510-a6b6-e98441f37b7a",
+ "id": "07d85902-c982-4c69-8827-318fa4d8050f",
+ "name": "elastic-agent-67496",
 "type": "filebeat",
 "version": "8.16.6"
 },
@@ -13,14 +13,14 @@
 },
 "data_stream": {
 "dataset": "wiz.issue",
- "namespace": "72538",
+ "namespace": "49382",
 "type": "logs"
 },
 "ecs": {
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "67cc7f85-76c3-477e-b1ee-49709af2264a",
+ "id": "07d85902-c982-4c69-8827-318fa4d8050f",
 "snapshot": false,
 "version": "8.16.6"
 },
@@ -32,7 +32,7 @@ "created": "2023-08-21T07:56:09.903Z", "dataset": "wiz.issue", "id": "ggf9cggd-64a7-412c-9445-cf837f4b0b10", - "ingested": "2025-12-24T12:53:12Z", + "ingested": "2026-01-07T08:55:20Z", "kind": "event", "original": "{\"createdAt\":\"2023-08-21T07:56:09.903743Z\",\"dueAt\":\"2023-08-28T21:00:00Z\",\"entitySnapshot\":{\"cloudPlatform\":\"Kubernetes\",\"cloudProviderURL\":\"https://portal.az.com/#@sectest.on.com/resource//subscriptions/\",\"externalId\":\"k8s/clusterrole/aaa8e7ca2bf9bc85a75d5bbdd8ffd08d69f8852782a6341c3c3519sad45/system:aggregate-to-edit/12\",\"id\":\"f307d472-b7da-5t05-9b25-71a271336b14\",\"name\":\"system:aggregate-to-edit\",\"nativeType\":\"ClusterRole\",\"providerId\":\"k8s/clusterrole/aaa8e7ca2bf9bc85a75d5bbdd8ffd08d69f8852782a6341c3c3519bac0f24ae9/system:aggregate-to-edit/12\",\"region\":\"us-01\",\"resourceGroupExternalId\":\"/subscriptions/cfd132be-3bc7-4f86-8efd-ed53ae498fec/resourcegroups/test-selfmanaged-eastus\",\"status\":\"Active\",\"subscriptionExternalId\":\"998231069301\",\"subscriptionName\":\"demo-integrations\",\"subscriptionTags\":{},\"tags\":{\"kubernetes.io/bootstrapping\":\"rbac-defaults\",\"rbac.authorization.k8s.io/aggregate-to-edit\":\"true\"},\"type\":\"ACCESS_ROLE\"},\"id\":\"ggf9cggd-64a7-412c-9445-cf837f4b0b10\",\"notes\":[{\"createdAt\":\"2023-08-21T07:56:09.903743Z\",\"serviceAccount\":{\"name\":\"rev-ke\"},\"text\":\"updated\",\"updatedAt\":\"2023-09-09T23:10:22.588721Z\"},{\"createdAt\":\"2023-08-07T23:08:49.918941Z\",\"serviceAccount\":{\"name\":\"rev-ke2\"},\"text\":\"updated\",\"updatedAt\":\"2023-08-09T23:10:22.591487Z\"}],\"projects\":[{\"businessUnit\":\"\",\"id\":\"jf77n35n-a7b6-5762-8a53-8e8f59e68bd8\",\"name\":\"Project 2\",\"riskProfile\":{\"businessImpact\":\"MBI\"},\"slug\":\"project-2\"},{\"businessUnit\":\"Dev\",\"id\":\"af52828c-4eb1-5c4e-847c-ebc3a5ead531\",\"name\":\"project 
4\",\"riskProfile\":{\"businessImpact\":\"MBI\"},\"slug\":\"project-4\"},{\"businessUnit\":\"Dev\",\"id\":\"d5h1545-aec0-52fc-80ab-bacd7b02f178\",\"name\":\"Project1\",\"riskProfile\":{\"businessImpact\":\"MBI\"},\"slug\":\"project1\"}],\"resolvedAt\":\"2023-08-09T23:10:22.588721Z\",\"serviceTickets\":[{\"externalId\":\"638361121bbfdd10f6c1cbf3604bcb7e\",\"name\":\"SIR0010002\",\"url\":\"https://ven05658.testing.com/nav_to.do?uri=%2Fsn_si_incident.do%3Fsys_id%3D6385248sdsae421\"}],\"severity\":\"INFORMATIONAL\",\"sourceRules\":[{\"__typename\":\"Control\",\"description\":\"These EKS principals assume roles that provide bind, escalate and impersonate permissions. \\n\\nThe `bind` permission allows users to create bindings to roles with rights they do not already have. The `escalate` permission allows users effectively escalate their privileges. The `impersonate` permission allows users to impersonate and gain the rights of other users in the cluster. Running containers with these permissions has the potential to effectively allow privilege escalation to the cluster-admin level.\",\"id\":\"wc-id-1335\",\"name\":\"EKS principals assume roles that provide bind, escalate and impersonate permissions\",\"resolutionRecommendation\":\"To follow the principle of least privilege and minimize the risk of unauthorized access and data breaches, it is recommended not to grant `bind`, `escalate` or `impersonate` permissions.\",\"risks\":[\"INSECURE_KUBERNETES_CLUSTER\",\"VULNERABILITY\"],\"securitySubCategories\":[{\"category\":{\"framework\":{\"name\":\"CIS EKS 1.2.0\"},\"name\":\"4.1 RBAC and Service Accounts\"},\"title\":\"4.1.8 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster - Level 1 (Manual)\"},{\"category\":{\"framework\":{\"name\":\"Wiz for Risk Assessment\"},\"name\":\"Identity Management\"},\"title\":\"Privileged principal\"},{\"category\":{\"framework\":{\"name\":\"Wiz\"},\"name\":\"9 Container Security\"},\"title\":\"Container 
Security\"},{\"category\":{\"framework\":{\"name\":\"Wiz for Risk Assessment\"},\"name\":\"Container \\u0026 Kubernetes Security\"},\"title\":\"Cluster misconfiguration\"}]},{\"__typename\":\"CloudEventRule\",\"description\":\"Process wrote to a security configuration file. This could indicate the presence of a threat actor tampering with security controls.\",\"id\":\"cer-sen-id-002\",\"name\":\"Security configuration file was modified\",\"risks\":[\"INSECURE_KUBERNETES_CLUSTER\",\"VULNERABILITY\"],\"securitySubCategories\":[{\"category\":{\"framework\":{\"name\":\"Wiz for Threat Detection\"},\"name\":\"Defense Evasion\"},\"title\":\"Security tool tampering\"}],\"sourceType\":\"WIZ_SENSOR\",\"type\":\"FILE_INTEGRITY_MONITORING_WORKLOAD_RUNTIME_RULE\"},{\"__typename\":\"CloudEventRule\",\"description\":\"Python process spawned interactive shell. This can indicate the presence of a malicious actor enhancing a basic reverse shell.\",\"id\":\"cer-sen-id-003\",\"name\":\"Python process spawned interactive shell\",\"risks\":[\"INSECURE_KUBERNETES_CLUSTER\",\"VULNERABILITY\"],\"securitySubCategories\":[{\"category\":{\"framework\":{\"name\":\"Wiz for Threat Detection\"},\"name\":\"C2 \\u0026 Exfiltration\"},\"title\":\"Remote shell\"}],\"sourceType\":\"WIZ_SENSOR\",\"type\":\"WORKLOAD_RUNTIME_RULE\"}],\"status\":\"IN_PROGRESS\",\"statusChangedAt\":\"2023-07-21T06:26:08.708199Z\",\"updatedAt\":\"2023-08-14T06:06:18.331647Z\"}", "type": [ 
@@ -140,55 +140,6 @@
 }
 ],
 "severity": "INFORMATIONAL",
- "source_rule": {
- "__typename": "Control",
- "control_description": "These EKS principals assume roles that provide bind, escalate and impersonate permissions. \n\nThe `bind` permission allows users to create bindings to roles with rights they do not already have. The `escalate` permission allows users effectively escalate their privileges. The `impersonate` permission allows users to impersonate and gain the rights of other users in the cluster. Running containers with these permissions has the potential to effectively allow privilege escalation to the cluster-admin level.",
- "id": "wc-id-1335",
- "name": "EKS principals assume roles that provide bind, escalate and impersonate permissions",
- "resolution_recommendation": "To follow the principle of least privilege and minimize the risk of unauthorized access and data breaches, it is recommended not to grant `bind`, `escalate` or `impersonate` permissions.",
- "risks": [
- "INSECURE_KUBERNETES_CLUSTER",
- "VULNERABILITY"
- ],
- "security_sub_categories": [
- {
- "category": {
- "framework": {
- "name": "CIS EKS 1.2.0"
- },
- "name": "4.1 RBAC and Service Accounts"
- },
- "title": "4.1.8 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster - Level 1 (Manual)"
- },
- {
- "category": {
- "framework": {
- "name": "Wiz for Risk Assessment"
- },
- "name": "Identity Management"
- },
- "title": "Privileged principal"
- },
- {
- "category": {
- "framework": {
- "name": "Wiz"
- },
- "name": "9 Container Security"
- },
- "title": "Container Security"
- },
- {
- "category": {
- "framework": {
- "name": "Wiz for Risk Assessment"
- },
- "name": "Container & Kubernetes Security"
- },
- "title": "Cluster misconfiguration"
- }
- ]
- },
 "source_rules": [
 {
 "__typename": "Control",
diff --git a/packages/wiz/docs/README.md b/packages/wiz/docs/README.md
index 786ea0bf488..07502ef2506 100644
--- a/packages/wiz/docs/README.md
+++ b/packages/wiz/docs/README.md
@@ -976,9 +976,9 @@ An example event for `issue` looks as following:
 {
 "@timestamp": "2023-07-21T06:26:08.708Z",
 "agent": {
- "ephemeral_id": "9008eaae-3456-45c8-9996-e12593b2c6b2",
- "id": "67cc7f85-76c3-477e-b1ee-49709af2264a",
- "name": "elastic-agent-68256",
+ "ephemeral_id": "8ed8aec5-5335-4510-a6b6-e98441f37b7a",
+ "id": "07d85902-c982-4c69-8827-318fa4d8050f",
+ "name": "elastic-agent-67496",
 "type": "filebeat",
 "version": "8.16.6"
 },
@@ -988,14 +988,14 @@ An example event for `issue` looks as following:
 },
 "data_stream": {
 "dataset": "wiz.issue",
- "namespace": "72538",
+ "namespace": "49382",
 "type": "logs"
 },
 "ecs": {
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "67cc7f85-76c3-477e-b1ee-49709af2264a",
+ "id": "07d85902-c982-4c69-8827-318fa4d8050f",
 "snapshot": false,
 "version": "8.16.6"
 },
@@ -1007,7 +1007,7 @@ An example event for `issue` looks as following: "created": "2023-08-21T07:56:09.903Z", "dataset": "wiz.issue", "id": "ggf9cggd-64a7-412c-9445-cf837f4b0b10", - "ingested": "2025-12-24T12:53:12Z", + "ingested": "2026-01-07T08:55:20Z", "kind": "event", "original": "{\"createdAt\":\"2023-08-21T07:56:09.903743Z\",\"dueAt\":\"2023-08-28T21:00:00Z\",\"entitySnapshot\":{\"cloudPlatform\":\"Kubernetes\",\"cloudProviderURL\":\"https://portal.az.com/#@sectest.on.com/resource//subscriptions/\",\"externalId\":\"k8s/clusterrole/aaa8e7ca2bf9bc85a75d5bbdd8ffd08d69f8852782a6341c3c3519sad45/system:aggregate-to-edit/12\",\"id\":\"f307d472-b7da-5t05-9b25-71a271336b14\",\"name\":\"system:aggregate-to-edit\",\"nativeType\":\"ClusterRole\",\"providerId\":\"k8s/clusterrole/aaa8e7ca2bf9bc85a75d5bbdd8ffd08d69f8852782a6341c3c3519bac0f24ae9/system:aggregate-to-edit/12\",\"region\":\"us-01\",\"resourceGroupExternalId\":\"/subscriptions/cfd132be-3bc7-4f86-8efd-ed53ae498fec/resourcegroups/test-selfmanaged-eastus\",\"status\":\"Active\",\"subscriptionExternalId\":\"998231069301\",\"subscriptionName\":\"demo-integrations\",\"subscriptionTags\":{},\"tags\":{\"kubernetes.io/bootstrapping\":\"rbac-defaults\",\"rbac.authorization.k8s.io/aggregate-to-edit\":\"true\"},\"type\":\"ACCESS_ROLE\"},\"id\":\"ggf9cggd-64a7-412c-9445-cf837f4b0b10\",\"notes\":[{\"createdAt\":\"2023-08-21T07:56:09.903743Z\",\"serviceAccount\":{\"name\":\"rev-ke\"},\"text\":\"updated\",\"updatedAt\":\"2023-09-09T23:10:22.588721Z\"},{\"createdAt\":\"2023-08-07T23:08:49.918941Z\",\"serviceAccount\":{\"name\":\"rev-ke2\"},\"text\":\"updated\",\"updatedAt\":\"2023-08-09T23:10:22.591487Z\"}],\"projects\":[{\"businessUnit\":\"\",\"id\":\"jf77n35n-a7b6-5762-8a53-8e8f59e68bd8\",\"name\":\"Project 2\",\"riskProfile\":{\"businessImpact\":\"MBI\"},\"slug\":\"project-2\"},{\"businessUnit\":\"Dev\",\"id\":\"af52828c-4eb1-5c4e-847c-ebc3a5ead531\",\"name\":\"project 
4\",\"riskProfile\":{\"businessImpact\":\"MBI\"},\"slug\":\"project-4\"},{\"businessUnit\":\"Dev\",\"id\":\"d5h1545-aec0-52fc-80ab-bacd7b02f178\",\"name\":\"Project1\",\"riskProfile\":{\"businessImpact\":\"MBI\"},\"slug\":\"project1\"}],\"resolvedAt\":\"2023-08-09T23:10:22.588721Z\",\"serviceTickets\":[{\"externalId\":\"638361121bbfdd10f6c1cbf3604bcb7e\",\"name\":\"SIR0010002\",\"url\":\"https://ven05658.testing.com/nav_to.do?uri=%2Fsn_si_incident.do%3Fsys_id%3D6385248sdsae421\"}],\"severity\":\"INFORMATIONAL\",\"sourceRules\":[{\"__typename\":\"Control\",\"description\":\"These EKS principals assume roles that provide bind, escalate and impersonate permissions. \\n\\nThe `bind` permission allows users to create bindings to roles with rights they do not already have. The `escalate` permission allows users effectively escalate their privileges. The `impersonate` permission allows users to impersonate and gain the rights of other users in the cluster. Running containers with these permissions has the potential to effectively allow privilege escalation to the cluster-admin level.\",\"id\":\"wc-id-1335\",\"name\":\"EKS principals assume roles that provide bind, escalate and impersonate permissions\",\"resolutionRecommendation\":\"To follow the principle of least privilege and minimize the risk of unauthorized access and data breaches, it is recommended not to grant `bind`, `escalate` or `impersonate` permissions.\",\"risks\":[\"INSECURE_KUBERNETES_CLUSTER\",\"VULNERABILITY\"],\"securitySubCategories\":[{\"category\":{\"framework\":{\"name\":\"CIS EKS 1.2.0\"},\"name\":\"4.1 RBAC and Service Accounts\"},\"title\":\"4.1.8 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster - Level 1 (Manual)\"},{\"category\":{\"framework\":{\"name\":\"Wiz for Risk Assessment\"},\"name\":\"Identity Management\"},\"title\":\"Privileged principal\"},{\"category\":{\"framework\":{\"name\":\"Wiz\"},\"name\":\"9 Container Security\"},\"title\":\"Container 
Security\"},{\"category\":{\"framework\":{\"name\":\"Wiz for Risk Assessment\"},\"name\":\"Container \\u0026 Kubernetes Security\"},\"title\":\"Cluster misconfiguration\"}]},{\"__typename\":\"CloudEventRule\",\"description\":\"Process wrote to a security configuration file. This could indicate the presence of a threat actor tampering with security controls.\",\"id\":\"cer-sen-id-002\",\"name\":\"Security configuration file was modified\",\"risks\":[\"INSECURE_KUBERNETES_CLUSTER\",\"VULNERABILITY\"],\"securitySubCategories\":[{\"category\":{\"framework\":{\"name\":\"Wiz for Threat Detection\"},\"name\":\"Defense Evasion\"},\"title\":\"Security tool tampering\"}],\"sourceType\":\"WIZ_SENSOR\",\"type\":\"FILE_INTEGRITY_MONITORING_WORKLOAD_RUNTIME_RULE\"},{\"__typename\":\"CloudEventRule\",\"description\":\"Python process spawned interactive shell. This can indicate the presence of a malicious actor enhancing a basic reverse shell.\",\"id\":\"cer-sen-id-003\",\"name\":\"Python process spawned interactive shell\",\"risks\":[\"INSECURE_KUBERNETES_CLUSTER\",\"VULNERABILITY\"],\"securitySubCategories\":[{\"category\":{\"framework\":{\"name\":\"Wiz for Threat Detection\"},\"name\":\"C2 \\u0026 Exfiltration\"},\"title\":\"Remote shell\"}],\"sourceType\":\"WIZ_SENSOR\",\"type\":\"WORKLOAD_RUNTIME_RULE\"}],\"status\":\"IN_PROGRESS\",\"statusChangedAt\":\"2023-07-21T06:26:08.708199Z\",\"updatedAt\":\"2023-08-14T06:06:18.331647Z\"}", "type": [ 
@@ -1115,55 +1115,6 @@ An example event for `issue` looks as following:
 }
 ],
 "severity": "INFORMATIONAL",
- "source_rule": {
- "__typename": "Control",
- "control_description": "These EKS principals assume roles that provide bind, escalate and impersonate permissions. \n\nThe `bind` permission allows users to create bindings to roles with rights they do not already have. The `escalate` permission allows users effectively escalate their privileges. The `impersonate` permission allows users to impersonate and gain the rights of other users in the cluster. Running containers with these permissions has the potential to effectively allow privilege escalation to the cluster-admin level.",
- "id": "wc-id-1335",
- "name": "EKS principals assume roles that provide bind, escalate and impersonate permissions",
- "resolution_recommendation": "To follow the principle of least privilege and minimize the risk of unauthorized access and data breaches, it is recommended not to grant `bind`, `escalate` or `impersonate` permissions.",
- "risks": [
- "INSECURE_KUBERNETES_CLUSTER",
- "VULNERABILITY"
- ],
- "security_sub_categories": [
- {
- "category": {
- "framework": {
- "name": "CIS EKS 1.2.0"
- },
- "name": "4.1 RBAC and Service Accounts"
- },
- "title": "4.1.8 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster - Level 1 (Manual)"
- },
- {
- "category": {
- "framework": {
- "name": "Wiz for Risk Assessment"
- },
- "name": "Identity Management"
- },
- "title": "Privileged principal"
- },
- {
- "category": {
- "framework": {
- "name": "Wiz"
- },
- "name": "9 Container Security"
- },
- "title": "Container Security"
- },
- {
- "category": {
- "framework": {
- "name": "Wiz for Risk Assessment"
- },
- "name": "Container & Kubernetes Security"
- },
- "title": "Cluster misconfiguration"
- }
- ]
- },
 "source_rules": [
 {
 "__typename": "Control",
@@ -1317,17 +1268,6 @@ An example event for `issue` looks as following:
 | wiz.issue.service_tickets.name | | keyword |
 | wiz.issue.service_tickets.url | | keyword |
 | wiz.issue.severity | | keyword |
-| wiz.issue.source_rule.__typename | DEPRECATED. Use `wiz.issue.source_rules.__typename` instead. | keyword |
-| wiz.issue.source_rule.cloud_configuration_rule_description | DEPRECATED. Use `wiz.issue.source_rules.description` instead. | keyword |
-| wiz.issue.source_rule.cloud_event_rule_description | DEPRECATED. Use `wiz.issue.source_rules.description` instead. | keyword |
-| wiz.issue.source_rule.control_description | DEPRECATED. Use `wiz.issue.source_rules.description` instead. | keyword |
-| wiz.issue.source_rule.id | DEPRECATED. Use `wiz.issue.source_rules.id` instead. | keyword |
-| wiz.issue.source_rule.name | DEPRECATED. Use `wiz.issue.source_rules.name` instead. | keyword |
-| wiz.issue.source_rule.resolution_recommendation | DEPRECATED. Use `wiz.issue.source_rules.resolution_recommendation` instead. | keyword |
-| wiz.issue.source_rule.risks | DEPRECATED. Use `wiz.issue.source_rules.risks` instead. | keyword |
-| wiz.issue.source_rule.security_sub_categories.category.framework.name | DEPRECATED. Use `wiz.issue.source_rules.security_sub_categories.category.framework.name` instead. | keyword |
-| wiz.issue.source_rule.security_sub_categories.category.name | DEPRECATED. Use `wiz.issue.source_rules.security_sub_categories.category.name` instead. | keyword |
-| wiz.issue.source_rule.security_sub_categories.title | DEPRECATED. Use `wiz.issue.source_rules.security_sub_categories.title` instead. | keyword |
 | wiz.issue.source_rules.__typename | | keyword |
 | wiz.issue.source_rules.description | | keyword |
 | wiz.issue.source_rules.id | | keyword |
diff --git a/packages/wiz/manifest.yml b/packages/wiz/manifest.yml
index b98a6e0ab33..972e49d87cf 100644
--- a/packages/wiz/manifest.yml
+++ b/packages/wiz/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.3.2
 name: wiz
 title: Wiz
-version: "3.12.0"
+version: "4.0.0"
 description: Collect logs from Wiz with Elastic Agent.
 type: integration
 categories:
From ec11398afffdcffd44bae94fb984a99d19c4d7a9 Mon Sep 17 00:00:00 2001
From: kcreddy
Date: Wed, 7 Jan 2026 14:27:48 +0530
Subject: [PATCH 2/3] update changelog
---
 packages/wiz/changelog.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/packages/wiz/changelog.yml b/packages/wiz/changelog.yml
index 0baec45e5d6..39bead7646e 100644
--- a/packages/wiz/changelog.yml
+++ b/packages/wiz/changelog.yml
@@ -1,9 +1,9 @@
 # newer versions go on top
 - version: "4.0.0"
 changes:
- - description: Remove `sourceRule` field from the issue data stream.
+ - description: Remove deprecated `sourceRule` field from the issue data stream.
 type: breaking-change
- link: https://github.com/elastic/integrations/pull/1
+ link: https://github.com/elastic/integrations/pull/16892
 - version: "3.12.0"
 changes:
 - description: |
From bce355adcd670beb312192acdd107e2b13607523 Mon Sep 17 00:00:00 2001
From: kcreddy
Date: Thu, 8 Jan 2026 23:21:43 +0530
Subject: [PATCH 3/3] Update changelog description.
---
 packages/wiz/changelog.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/packages/wiz/changelog.yml b/packages/wiz/changelog.yml
index 39bead7646e..b976c04ff80 100644
--- a/packages/wiz/changelog.yml
+++ b/packages/wiz/changelog.yml
@@ -1,7 +1,10 @@
 # newer versions go on top
 - version: "4.0.0"
 changes:
- - description: Remove deprecated `sourceRule` field from the issue data stream.
+ - description: |
+ As `sourceRule` is deprecated by the Wiz Get Issue API, this version removes the deprecated `source_rule` field from the issue data stream.
+ Previous versions added the new `source_rules` field to the issue data stream.
+ Users should update their custom-user artifacts if they are using the deprecated `source_rule` field to use the new `source_rules` field.
 type: breaking-change
 link: https://github.com/elastic/integrations/pull/16892
 - version: "3.12.0"