cisa_kevs: migrate input to CEL (#14804)

efd6 · web-flow · commit cd9bc7b6d0ec · 2025-08-11T18:51:38.000+09:30
diff --git a/packages/cisa_kevs/_dev/build/docs/README.md b/packages/cisa_kevs/_dev/build/docs/README.md
@@ -37,6 +37,10 @@ from logs-nessus.vulnerability*
 | limit 10
 ```
 
+## Upgrading to v1.7.0+
+
+If upgrading from a version of the package before v1.7.0, you will need to re-enter your configuration details and re-enable the package.
+
 ## Logs
 
 ### Vulnerabilities
diff --git a/packages/cisa_kevs/_dev/deploy/docker/files/config.yml b/packages/cisa_kevs/_dev/deploy/docker/files/config.yml
@@ -5,4 +5,50 @@ rules:
       Content-Type: "application/json"
     responses:
       - status_code: 200
-        body: "{\n  \"title\": \"CISA Catalog of Known Exploited Vulnerabilities\",\n  \"catalogVersion\": \"2024.02.16\",\n  \"dateReleased\": \"2024-02-16T19:54:05.3915Z\",\n  \"count\": 1081,\n  \"vulnerabilities\": [\n      {\n          \"cveID\":\"CVE-2020-3259\",\"vendorProject\":\"Cisco\",\"product\":\"Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD)\",\"vulnerabilityName\":\"Cisco ASA and FTD Information Disclosure Vulnerability\",\"dateAdded\":\"2024-02-15\",\"shortDescription\":\"Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain an information disclosure vulnerability. An attacker could retrieve memory contents on an affected device, which could lead to the disclosure of confidential information due to a buffer tracking issue when the software parses invalid URLs that are requested from the web services interface. This vulnerability affects only specific AnyConnect and WebVPN configurations.\",\"requiredAction\":\"Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.\",\"dueDate\":\"2024-03-07\",\"knownRansomwareCampaignUse\":\"Known\",\"notes\":\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-info-disclose-9eJtycMB\"\n      },\n      {\n          \"cveID\":\"CVE-2024-21410\",\"vendorProject\":\"Microsoft\",\"product\":\"Exchange Server\",\"vulnerabilityName\":\"Microsoft Exchange Server Privilege Escalation Vulnerability\",\"dateAdded\":\"2024-02-15\",\"shortDescription\":\"Microsoft Exchange Server contains an unspecified vulnerability that allows for privilege escalation.\",\"requiredAction\":\"Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.\",\"dueDate\":\"2024-03-07\",\"knownRansomwareCampaignUse\":\"Unknown\",\"notes\":\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21410\"\n      },\n      {   \n          \"cveID\":\"CVE-2024-1709\",\"vendorProject\":\"ConnectWise\",\"product\":\"ScreenConnect\",\"vulnerabilityName\":\"ConnectWise ScreenConnect Authentication Bypass Vulnerability\",\"dateAdded\":\"2024-02-22\",\"shortDescription\":\"ConnectWise ScreenConnect contains an authentication bypass vulnerability that allows an attacker with network access to the management interface to create a new, administrator-level account on affected devices.\",\"requiredAction\":\"Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.\",\"dueDate\":\"2024-02-29\",\"knownRansomwareCampaignUse\":\"Known\",\"notes\":\"https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8\"\n      }\n  ]\n}"
+        body: |-
+          {{ minify_json `
+          {
+              "title": "CISA Catalog of Known Exploited Vulnerabilities",
+              "catalogVersion": "2024.02.16",
+              "dateReleased": "2024-02-16T19:54:05.3915Z",
+              "count": 1081,
+              "vulnerabilities": [
+                  {
+                      "cveID": "CVE-2020-3259",
+                      "vendorProject": "Cisco",
+                      "product": "Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD)",
+                      "vulnerabilityName": "Cisco ASA and FTD Information Disclosure Vulnerability",
+                      "dateAdded": "2024-02-15",
+                      "shortDescription": "Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain an information disclosure vulnerability. An attacker could retrieve memory contents on an affected device, which could lead to the disclosure of confidential information due to a buffer tracking issue when the software parses invalid URLs that are requested from the web services interface. This vulnerability affects only specific AnyConnect and WebVPN configurations.",
+                      "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
+                      "dueDate": "2024-03-07",
+                      "knownRansomwareCampaignUse": "Known",
+                      "notes": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-info-disclose-9eJtycMB"
+                  },
+                  {
+                      "cveID": "CVE-2024-21410",
+                      "vendorProject": "Microsoft",
+                      "product": "Exchange Server",
+                      "vulnerabilityName": "Microsoft Exchange Server Privilege Escalation Vulnerability",
+                      "dateAdded": "2024-02-15",
+                      "shortDescription": "Microsoft Exchange Server contains an unspecified vulnerability that allows for privilege escalation.",
+                      "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
+                      "dueDate": "2024-03-07",
+                      "knownRansomwareCampaignUse": "Unknown",
+                      "notes": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21410"
+                  },
+                  {
+                      "cveID": "CVE-2024-1709",
+                      "vendorProject": "ConnectWise",
+                      "product": "ScreenConnect",
+                      "vulnerabilityName": "ConnectWise ScreenConnect Authentication Bypass Vulnerability",
+                      "dateAdded": "2024-02-22",
+                      "shortDescription": "ConnectWise ScreenConnect contains an authentication bypass vulnerability that allows an attacker with network access to the management interface to create a new, administrator-level account on affected devices.",
+                      "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
+                      "dueDate": "2024-02-29",
+                      "knownRansomwareCampaignUse": "Known",
+                      "notes": "https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8"
+                  }
+              ]
+          }
+          `}}
diff --git a/packages/cisa_kevs/changelog.yml b/packages/cisa_kevs/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.7.0"
+  changes:
+    - description: Migrate data streams to the CEL input.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/14804
 - version: "1.6.0"
   changes:
     - description: Add 'Security Solution' tag in the dashboard.
diff --git a/packages/cisa_kevs/data_stream/vulnerability/_dev/test/system/test-default-config.yml b/packages/cisa_kevs/data_stream/vulnerability/_dev/test/system/test-default-config.yml
@@ -1,7 +1,9 @@
-input: httpjson
+input: cel
 service: cisakev
 data_stream:
   vars:
     url: http://{{Hostname}}:{{Port}}/sites/default/files/feeds/known_exploited_vulnerabilities.json
     preserve_original_event: true
     enable_request_tracer: true
+assert:
+  hit_count: 3
diff --git a/packages/cisa_kevs/data_stream/vulnerability/agent/stream/cel.yml.hbs b/packages/cisa_kevs/data_stream/vulnerability/agent/stream/cel.yml.hbs
@@ -0,0 +1,64 @@
+config_version: "2"
+interval: {{interval}}
+{{#if enable_request_tracer}}
+resource.tracer.filename: "../../logs/cel/http-request-trace-*.ndjson"
+resource.tracer.maxbackups: 5
+{{/if}}
+
+{{#if url}}
+resource.url: {{url}}
+{{/if}}
+{{#if proxy_url }}
+resource.proxy_url: {{proxy_url}}
+{{/if}}
+{{#if ssl}}
+resource.ssl: {{ssl}}
+{{/if}}
+{{#if http_client_timeout}}
+resource.timeout: {{http_client_timeout}}
+{{/if}}
+redact:
+  fields: ~
+program: |-
+  get_request(state.url).with(
+    {
+      "Header": {
+        "Content-Type": ["application/json"],
+      },
+    }
+  ).do_request().as(resp, resp.StatusCode == 200 ?
+    dyn({
+      "events": bytes(resp.Body).decode_json().vulnerabilities.map(v,
+        {"message": v.encode_json()}
+  	  )
+    })
+  :
+    dyn({
+      "events": {
+        "error": {
+          "code": string(resp.StatusCode),
+          "id": string(resp.Status),
+          "message": "GET: "+(
+            size(resp.Body) != 0 ?
+              string(resp.Body)
+            :
+              string(resp.Status) + ' (' + string(resp.StatusCode) + ')'
+          ),
+        },
+      },
+    })
+  )
+tags:
+{{#if preserve_original_event}}
+  - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+  - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/cisa_kevs/data_stream/vulnerability/agent/stream/httpjson.yml.hbs b/packages/cisa_kevs/data_stream/vulnerability/agent/stream/httpjson.yml.hbs
diff --git a/packages/cisa_kevs/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml b/packages/cisa_kevs/data_stream/vulnerability/elasticsearch/ingest_pipeline/default.yml
@@ -7,6 +7,10 @@ processors:
   - set:
       field: ecs.version
       value: '8.11.0'
+  - fail:
+      tag: data_collection_error
+      if: ctx.error?.message != null && ctx.message == null && ctx.event?.original == null
+      message: error message set and no data to process.
   - set:
       field: event.kind
       value: enrichment
diff --git a/packages/cisa_kevs/data_stream/vulnerability/manifest.yml b/packages/cisa_kevs/data_stream/vulnerability/manifest.yml
@@ -1,7 +1,7 @@
 title: "CISA Known Exploited Vulnerabilities List"
 type: logs
 streams:
-  - input: httpjson
+  - input: cel
     vars:
       - name: url
         type: text
@@ -65,6 +65,7 @@ streams:
         description: >
           Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
 
-    template_path: httpjson.yml.hbs
+    template_path: cel.yml.hbs
     title: CISA KEV Catalog logs
     description: Collect CISA Known Exploited Vulnerability logs
+    enabled: false
diff --git a/packages/cisa_kevs/data_stream/vulnerability/sample_event.json b/packages/cisa_kevs/data_stream/vulnerability/sample_event.json
@@ -1,11 +1,11 @@
 {
     "@timestamp": "2024-02-15T00:00:00.000Z",
     "agent": {
-        "ephemeral_id": "39957f93-aff4-4e3f-84f0-66d18441ccd6",
-        "id": "7edf8be5-ad5d-4c57-a6bd-b86bddc66601",
-        "name": "docker-fleet-agent",
+        "ephemeral_id": "fc07fa12-f549-40b8-b71a-d49f02d4941d",
+        "id": "5f9e8c36-28d7-4df6-bdeb-68a9e24bfdc0",
+        "name": "elastic-agent-37763",
         "type": "filebeat",
-        "version": "8.12.2"
+        "version": "8.13.0"
     },
     "cisa_kev": {
         "vulnerability": {
@@ -21,33 +21,32 @@
     },
     "data_stream": {
         "dataset": "cisa_kevs.vulnerability",
-        "namespace": "ep",
+        "namespace": "77864",
         "type": "logs"
     },
     "ecs": {
         "version": "8.11.0"
     },
     "elastic_agent": {
-        "id": "7edf8be5-ad5d-4c57-a6bd-b86bddc66601",
+        "id": "5f9e8c36-28d7-4df6-bdeb-68a9e24bfdc0",
         "snapshot": false,
-        "version": "8.12.2"
+        "version": "8.13.0"
     },
     "event": {
         "agent_id_status": "verified",
         "category": [
             "vulnerability"
         ],
-        "created": "2024-03-13T01:01:09.893Z",
         "dataset": "cisa_kevs.vulnerability",
-        "ingested": "2024-03-13T01:01:21Z",
+        "ingested": "2025-08-05T05:37:31Z",
         "kind": "enrichment",
         "original": "{\"cveID\":\"CVE-2020-3259\",\"dateAdded\":\"2024-02-15\",\"dueDate\":\"2024-03-07\",\"knownRansomwareCampaignUse\":\"Known\",\"notes\":\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-info-disclose-9eJtycMB\",\"product\":\"Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD)\",\"requiredAction\":\"Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.\",\"shortDescription\":\"Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain an information disclosure vulnerability. An attacker could retrieve memory contents on an affected device, which could lead to the disclosure of confidential information due to a buffer tracking issue when the software parses invalid URLs that are requested from the web services interface. This vulnerability affects only specific AnyConnect and WebVPN configurations.\",\"vendorProject\":\"Cisco\",\"vulnerabilityName\":\"Cisco ASA and FTD Information Disclosure Vulnerability\"}",
         "type": [
             "info"
         ]
     },
     "input": {
-        "type": "httpjson"
+        "type": "cel"
     },
     "tags": [
         "preserve_original_event",
@@ -58,4 +57,4 @@
         "description": "Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain an information disclosure vulnerability. An attacker could retrieve memory contents on an affected device, which could lead to the disclosure of confidential information due to a buffer tracking issue when the software parses invalid URLs that are requested from the web services interface. This vulnerability affects only specific AnyConnect and WebVPN configurations.",
         "id": "CVE-2020-3259"
     }
-}
+}
diff --git a/packages/cisa_kevs/docs/README.md b/packages/cisa_kevs/docs/README.md
@@ -37,6 +37,10 @@ from logs-nessus.vulnerability*
 | limit 10
 ```
 
+## Upgrading to v1.7.0+
+
+If upgrading from a version of the package before v1.7.0, you will need to re-enter your configuration details and re-enable the package.
+
 ## Logs
 
 ### Vulnerabilities
@@ -49,11 +53,11 @@ An example event for `vulnerability` looks as following:
 {
     "@timestamp": "2024-02-15T00:00:00.000Z",
     "agent": {
-        "ephemeral_id": "39957f93-aff4-4e3f-84f0-66d18441ccd6",
-        "id": "7edf8be5-ad5d-4c57-a6bd-b86bddc66601",
-        "name": "docker-fleet-agent",
+        "ephemeral_id": "fc07fa12-f549-40b8-b71a-d49f02d4941d",
+        "id": "5f9e8c36-28d7-4df6-bdeb-68a9e24bfdc0",
+        "name": "elastic-agent-37763",
         "type": "filebeat",
-        "version": "8.12.2"
+        "version": "8.13.0"
     },
     "cisa_kev": {
         "vulnerability": {
@@ -69,33 +73,32 @@ An example event for `vulnerability` looks as following:
     },
     "data_stream": {
         "dataset": "cisa_kevs.vulnerability",
-        "namespace": "ep",
+        "namespace": "77864",
         "type": "logs"
     },
     "ecs": {
         "version": "8.11.0"
     },
     "elastic_agent": {
-        "id": "7edf8be5-ad5d-4c57-a6bd-b86bddc66601",
+        "id": "5f9e8c36-28d7-4df6-bdeb-68a9e24bfdc0",
         "snapshot": false,
-        "version": "8.12.2"
+        "version": "8.13.0"
     },
     "event": {
         "agent_id_status": "verified",
         "category": [
             "vulnerability"
         ],
-        "created": "2024-03-13T01:01:09.893Z",
         "dataset": "cisa_kevs.vulnerability",
-        "ingested": "2024-03-13T01:01:21Z",
+        "ingested": "2025-08-05T05:37:31Z",
         "kind": "enrichment",
         "original": "{\"cveID\":\"CVE-2020-3259\",\"dateAdded\":\"2024-02-15\",\"dueDate\":\"2024-03-07\",\"knownRansomwareCampaignUse\":\"Known\",\"notes\":\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-info-disclose-9eJtycMB\",\"product\":\"Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD)\",\"requiredAction\":\"Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.\",\"shortDescription\":\"Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) contain an information disclosure vulnerability. An attacker could retrieve memory contents on an affected device, which could lead to the disclosure of confidential information due to a buffer tracking issue when the software parses invalid URLs that are requested from the web services interface. This vulnerability affects only specific AnyConnect and WebVPN configurations.\",\"vendorProject\":\"Cisco\",\"vulnerabilityName\":\"Cisco ASA and FTD Information Disclosure Vulnerability\"}",
         "type": [
             "info"
         ]
     },
     "input": {
-        "type": "httpjson"
+        "type": "cel"
     },
     "tags": [
         "preserve_original_event",
diff --git a/packages/cisa_kevs/manifest.yml b/packages/cisa_kevs/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.0.3
 name: cisa_kevs
 title: "CISA Known Exploited Vulnerabilities"
-version: "1.6.0"
+version: "1.7.0"
 description: "This package allows the ingest of known exploited vulnerabilities according to the Cybersecurity and Infrastructure Security Agency of the United States of America. This information could be used to enrich or track exisiting vulnerabilities that are known to be exploited in the wild."
 type: integration
 categories:
@@ -24,7 +24,7 @@ policy_templates:
     title: CISA Known Exploited Vulnerabilities
     description: Ingest the CISA KEVs with Elastic Agent.
     inputs:
-      - type: httpjson
+      - type: cel
         title: "Collect CISA KEVs via API"
         description: "Ingest the CISA KEVs with Elastic Agent."
         vars:
