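--- a/packages/wiz/changelog.yml
+++ b/packages/wiz/changelog.yml
@@ -1,4 +1,12 @@
 # newer versions go on top
+- version: "4.0.0"
+changes:
+- description: |
+As `sourceRule` is deprecated by the Wiz Get Issue API, this version removes the deprecated `source_rule` field from the issue data stream.
+Previous versions added the new `source_rules` field to the issue data stream.
+Users should update their custom-user artifacts if they are using the deprecated `source_rule` field to use the new `source_rules` field.
+type: breaking-change
+link: https://github.com/elastic/integrations/pull/16892
 - version: "3.12.0"
 changes:
 - description: |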
Expand Up @@ -133,36 +133,6 @@
}
],
"severity": "INFORMATIONAL",
"source_rule": {
"__typename": "CloudEventRule",
"cloud_event_rule_description": "SSH server was executed. This could indicate the presence of a threat actor setting up a backdoor connection.",
"id": "cer-sen-id-001",
"name": "SSH server was executed",
"risks": [
"UNPROTECTED_DATA",
"RELIABILITY_IMPACT"
],
"security_sub_categories": [
{
"category": {
"framework": {
"name": "Wiz for Threat Detection"
},
"name": "C2 & Exfiltration"
},
"title": "Remote shell"
},
{
"category": {
"framework": {
"name": "MITRE ATT&CK Matrix"
},
"name": "Lateral Movement"
},
"title": "Remote Services: SSH"
}
]
},
"source_rules": [
{
"__typename": "CloudEventRule",
Expand Down Expand Up @@ -385,55 +355,6 @@
}
],
"severity": "INFORMATIONAL",
"source_rule": {
"__typename": "Control",
"control_description": "These EKS principals assume roles that provide bind, escalate and impersonate permissions. \n\nThe `bind` permission allows users to create bindings to roles with rights they do not already have. The `escalate` permission allows users effectively escalate their privileges. The `impersonate` permission allows users to impersonate and gain the rights of other users in the cluster. Running containers with these permissions has the potential to effectively allow privilege escalation to the cluster-admin level.",
"id": "wc-id-1335",
"name": "EKS principals assume roles that provide bind, escalate and impersonate permissions",
"resolution_recommendation": "To follow the principle of least privilege and minimize the risk of unauthorized access and data breaches, it is recommended not to grant `bind`, `escalate` or `impersonate` permissions.",
"risks": [
"INSECURE_KUBERNETES_CLUSTER",
"VULNERABILITY"
],
"security_sub_categories": [
{
"category": {
"framework": {
"name": "CIS EKS 1.2.0"
},
"name": "4.1 RBAC and Service Accounts"
},
"title": "4.1.8 Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster - Level 1 (Manual)"
},
{
"category": {
"framework": {
"name": "Wiz for Risk Assessment"
},
"name": "Identity Management"
},
"title": "Privileged principal"
},
{
"category": {
"framework": {
"name": "Wiz"
},
"name": "9 Container Security"
},
"title": "Container Security"
},
{
"category": {
"framework": {
"name": "Wiz for Risk Assessment"
},
"name": "Container & Kubernetes Security"
},
"title": "Cluster misconfiguration"
}
]
},
"source_rules": [
{
"__typename": "Control",
Expand Up @@ -332,50 +332,25 @@ processors:
lang: painless
source: |
def sourceRulesList = new ArrayList();
ctx.wiz.issue.source_rule = ctx.wiz.issue.source_rule ?: [:];
for (def rule : ctx.json.sourceRules) {
boolean doSourceRule = sourceRulesList.size() == 0;
def mappedRule = new HashMap();
if (rule.__typename != null) {
mappedRule.put('__typename', rule.__typename);
if (doSourceRule) {
ctx.wiz.issue.source_rule.__typename = rule.__typename;
}
}
if (rule.id != null) {
mappedRule.put('id', rule.id);
if (doSourceRule) {
ctx.wiz.issue.source_rule.id = rule.id;
}
}
if (rule.name != null) {
mappedRule.put('name', rule.name);
if (doSourceRule) {
ctx.wiz.issue.source_rule.name = rule.name;
}
}
if (rule.description != null) {
mappedRule.put('description', rule.description);
if (doSourceRule && (rule.__typename != null)) {
if (rule.__typename == "Control") {
ctx.wiz.issue.source_rule.control_description = rule.description;
}
if (rule.__typename == "CloudConfigurationEvent") {
ctx.wiz.issue.source_rule.control_cloud_configuration_rule_description = rule.description;
}
if (rule.__typename == "CloudEventRule") {
ctx.wiz.issue.source_rule.cloud_event_rule_description = rule.description;
}
if (ctx.message == null) {
ctx.message = rule.description;
}
if (ctx.message == null) {
ctx.message = rule.description;
}
}
if (rule.resolutionRecommendation != null) {
mappedRule.put('resolution_recommendation', rule.resolutionRecommendation);
if (doSourceRule) {
ctx.wiz.issue.source_rule.resolution_recommendation = rule.resolutionRecommendation;
}
}
if (rule.remediationInstructions != null) {
mappedRule.put('remediation_instructions', rule.remediationInstructions);
Expand All @@ -384,15 +359,9 @@ processors:
def risksList = new ArrayList();
risksList.addAll(rule.risks);
mappedRule.put('risks', risksList);
if (doSourceRule) {
ctx.wiz.issue.source_rule.risks = risksList;
}
}
if (rule.securitySubCategories != null) {
mappedRule.put('security_sub_categories', rule.securitySubCategories);
if (doSourceRule) {
ctx.wiz.issue.source_rule.security_sub_categories = rule.securitySubCategories;
}
}
if (rule.type != null) {
mappedRule.put('type', rule.type);
Expand Down Expand Up @@ -447,7 +416,6 @@ processors:
- wiz.issue.entity_snapshot.region
- wiz.issue.created_at
- wiz.issue.id
- wiz.issue.source_rule.control_description
tag: remove_custom_duplicate_fields
ignore_missing: true
if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields'))
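Review bot: The loop header `for (def rule : ctx.json.sourceRules) {` in the first hunk still dereferences `ctx.json.sourceRules` with no null guard visible, so an issue whose `sourceRules` is absent would fail the script processor unless the processor's `if:` or `on_failure` (above the hunk) already covers it; if it does not, `for (def rule : ctx.json.sourceRules ?: []) {` mirrors the elvis idiom the removed `?: [:]` line used. The surviving `if (ctx.message == null)` block would also benefit from a one-line comment noting that `message` now falls back to the description of the first rule that carries one, regardless of `__typename`, since the old `doSourceRule` gating is gone. The script's `source:` block starts and ends outside the hunk.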
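--- a/packages/wiz/data_stream/issue/fields/fields.yml
+++ b/packages/wiz/data_stream/issue/fields/fields.yml
@@ -96,52 +96,6 @@
 type: keyword
 - name: severity
 type: keyword
-- name: source_rule
-type: group
-description: DEPRECATED. Use `wiz.issue.source_rules` instead.
-fields:
-- name: __typename
-type: keyword
-description: DEPRECATED. Use `wiz.issue.source_rules.__typename` instead.
-- name: control_description
-type: keyword
-description: DEPRECATED. Use `wiz.issue.source_rules.description` instead.
-- name: cloud_configuration_rule_description
-type: keyword
-description: DEPRECATED. Use `wiz.issue.source_rules.description` instead.
-- name: cloud_event_rule_description
-type: keyword
-description: DEPRECATED. Use `wiz.issue.source_rules.description` instead.
-- name: id
-type: keyword
-description: DEPRECATED. Use `wiz.issue.source_rules.id` instead.
-- name: name
-type: keyword
-description: DEPRECATED. Use `wiz.issue.source_rules.name` instead.
-- name: resolution_recommendation
-type: keyword
-description: DEPRECATED. Use `wiz.issue.source_rules.resolution_recommendation` instead.
-- name: risks
-type: keyword
-description: DEPRECATED. Use `wiz.issue.source_rules.risks` instead.
-- name: security_sub_categories
-type: group
-fields:
-- name: category
-type: group
-fields:
-- name: framework
-type: group
-fields:
-- name: name
-type: keyword
-description: DEPRECATED. Use `wiz.issue.source_rules.security_sub_categories.category.framework.name` instead.
-- name: name
-type: keyword
-description: DEPRECATED. Use `wiz.issue.source_rules.security_sub_categories.category.name` instead.
-- name: title
-type: keyword
-description: DEPRECATED. Use `wiz.issue.source_rules.security_sub_categories.title` instead.
 - name: source_rules
 type: nested
 fields: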