[WithSecure] Added the WithSecure Elements integration for collecting security incident and events

packages/withsecure_elements/changelog.yml

@@ -0,0 +1,122 @@
+- version: "1.0.3"
+  changes:
+    - description: "Fixed security_events pipeline to decode JSON from message field or event.original to extract individual fields"
+      type: bugfix
+      link: ""
+    - description: "Fixed incidents pipeline to decode JSON from message field or event.original to extract individual fields"
+      type: bugfix
+      link: ""
+    - description: "Fixed issue where message field contained entire JSON instead of readable event content for both security_events and incidents"
+      type: bugfix
+      link: ""
+    - description: "Added proper field extraction for all security_events fields (id, action, severity, engine, details, device, organization, etc.) from JSON payload"
+      type: bugfix
+      link: ""
+    - description: "Added proper field extraction for all incidents fields (incidentId, status, severity, categories, sources, etc.) from JSON payload"
+      type: bugfix
+      link: ""
+    - description: "Changed initial lookback window for security_events from 30 days to 7 days"
+      type: enhancement
+      link: ""
+    - description: "Changed initial lookback window for incidents from 24 hours to 7 days for consistent historical data collection"
+      type: enhancement
+      link: ""
+    - description: "Added eventTransactionId field mapping to withsecure.security.event.event_transaction_id"
+      type: enhancement
+      link: ""
+    - description: "Added message field mapping to withsecure.security.event.message for events that contain it"
+      type: enhancement
+      link: ""
+    - description: "Added timestamp fields (server_timestamp, persistence_timestamp, client_timestamp) to withsecure.security.event namespace"
+      type: enhancement
+      link: ""
+- version: "1.0.2"
+  changes:
+    - description: "Fixed API request limits to comply with WithSecure API constraints (changed from 200 to 50 for incidents and incident_detections)"
+      type: bugfix
+      link: ""
+    - description: "Fixed security_events data collection by changing from POST to GET method (API accepts both but GET is simpler with httpjson)"
+      type: bugfix
+      link: ""
+    - description: "Added cursor-based data collection for incidents using updatedTimestampStart to prevent duplicate events"
+      type: enhancement
+      link: ""
+    - description: "Added cursor-based data collection for security_events using persistenceTimestampStart to prevent duplicate events"
+      type: enhancement
+      link: ""
+    - description: "Added pagination support with nextAnchor for all data streams to handle large result sets"
+      type: enhancement
+      link: ""
+    - description: "Fixed pagination errors by adding conditional check for nextAnchor existence before using it"
+      type: bugfix
+      link: ""
+    - description: "Added all engine groups (epp, edr, ecp, xm) to security_events data stream for comprehensive event collection"
+      type: enhancement
+      link: ""
+    - description: "Increased initial lookback window for security_events from 24 hours to 30 days to ensure historical data collection"
+      type: enhancement
+      link: ""
+    - description: "Simplified security_events ingest pipeline with proper error handling and conditional field processing"
+      type: enhancement
+      link: ""
+    - description: "Added enable_request_tracer option to all data streams for HTTP request/response debugging"
+      type: enhancement
+      link: ""
+    - description: "Disabled incident_detections data stream by default (requires specific incident_id configuration)"
+      type: enhancement
+      link: ""
+    - description: "Added archived=false filter to incidents data stream to exclude archived incidents"
+      type: enhancement
+      link: ""
+- version: "1.0.1"
+  changes:
+    - description: "Simplified configuration: API credentials (URL, Client ID, Client Secret, Organization ID) are now defined at the input level and shared across all data streams"
+      type: enhancement
+      link: ""
+    - description: "Fixed httpjson template syntax to use correct Handlebars variable notation"
+      type: bugfix
+      link: ""
+    - description: "Added missing document separators (---) to ingest pipeline files"
+      type: bugfix
+      link: ""
+    - description: "Added required object_type property to object fields in field definitions"
+      type: bugfix
+      link: ""
+    - description: "Fixed duplicate field definitions between base-fields.yml and fields.yml"
+      type: bugfix
+      link: ""
+    - description: "Added required ECS fields (@timestamp, data_stream.*) with constant_keyword type"
+      type: bugfix
+      link: ""
+    - description: "Added official WithSecure Elements logo (SVG format)"
+      type: enhancement
+      link: ""
+    - description: "Updated documentation to reflect simplified single-input configuration"
+      type: enhancement
+      link: ""
+    - description: "Improved OAuth2 authentication configuration with proper endpoint_params structure"
+      type: enhancement
+      link: ""
+    - description: "Removed incorrect validation.yml file"
+      type: bugfix
+      link: ""
+- version: "1.0.0"
+  changes:
+    - description: "Initial release of WithSecure Elements integration"
+      type: enhancement
+      link: ""
+    - description: "Add support for collecting incidents (BCDs) from WithSecure Elements API"
+      type: enhancement
+      link: ""
+    - description: "Add support for collecting security events from WithSecure Elements API"
+      type: enhancement
+      link: ""
+    - description: "Add support for collecting incident detections from WithSecure Elements API"
+      type: enhancement
+      link: ""
+    - description: "Add OAuth2 authentication support"
+      type: enhancement
+      link: ""
+    - description: "Add ECS field mapping for incidents, security events, and incident detections"
+      type: enhancement
+      link: ""

packages/withsecure_elements/data_stream/incident_detections/_dev/test/pipeline/test-common-config.yml

@@ -0,0 +1,28 @@
+---
+- name: "Test common configuration"
+  input:
+    withsecure.incident.detection:
+      id: "detection-12345"
+      incident_id: "2c902c73-e2a6-40fd-9532-257ee102e1c1"
+      detection_type: "malware"
+      severity: "high"
+      status: "active"
+      created_timestamp: "2023-08-09T12:10:43.537Z"
+      updated_timestamp: "2023-08-09T12:15:43.537Z"
+      source: "endpoint"
+      category: "MALWARE"
+      description: "Malware detected on endpoint"
+      device:
+        id: "device-123"
+        name: "WORKSTATION-01"
+        ip_address: "192.168.1.100"
+        os: "Windows 10"
+      user:
+        id: "user-123"
+        name: "John Doe"
+        email: "[email protected]"
+      file:
+        name: "malware.exe"
+        path: "C:\\Users\\John\\Downloads\\malware.exe"
+        hash: "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6"
+        size: 1024000

packages/withsecure_elements/data_stream/incident_detections/_dev/test/pipeline/test-detection.json

@@ -0,0 +1,40 @@
+{
+  "id": "detection-12345",
+  "incidentId": "2c902c73-e2a6-40fd-9532-257ee102e1c1",
+  "detectionType": "malware",
+  "severity": "high",
+  "status": "active",
+  "createdTimestamp": "2023-08-09T12:10:43.537Z",
+  "updatedTimestamp": "2023-08-09T12:15:43.537Z",
+  "source": "endpoint",
+  "category": "MALWARE",
+  "description": "Malware detected on endpoint",
+  "device": {
+    "id": "device-123",
+    "name": "WORKSTATION-01",
+    "ipAddress": "192.168.1.100",
+    "os": "Windows 10"
+  },
+  "user": {
+    "id": "user-123",
+    "name": "John Doe",
+    "email": "[email protected]"
+  },
+  "file": {
+    "name": "malware.exe",
+    "path": "C:\\Users\\John\\Downloads\\malware.exe",
+    "hash": "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6",
+    "size": 1024000
+  },
+  "network": {
+    "sourceIp": "192.168.1.100",
+    "destinationIp": "10.0.0.1",
+    "port": 443,
+    "protocol": "HTTPS"
+  },
+  "details": {
+    "threatName": "Trojan.Generic.123456",
+    "confidence": 95,
+    "behavior": "suspicious_network_activity"
+  }
+}

packages/withsecure_elements/data_stream/incident_detections/_dev/test/pipeline/test-detection.json-expected.json

@@ -0,0 +1,62 @@
+{
+  "event": {
+    "dataset": "withsecure_elements.incident_detections",
+    "module": "withsecure_elements",
+    "category": "threat",
+    "type": "detection",
+    "kind": "alert",
+    "provider": "withsecure_elements",
+    "action": "detected",
+    "outcome": "success",
+    "id": "detection-12345",
+    "created": "2023-08-09T12:10:43.537Z",
+    "start": "2023-08-09T12:10:43.537Z",
+    "end": "2023-08-09T12:15:43.537Z",
+    "severity": "high",
+    "original": "{{_source}}"
+  },
+  "withsecure": {
+    "incident": {
+      "detection": {
+        "id": "detection-12345",
+        "incident_id": "2c902c73-e2a6-40fd-9532-257ee102e1c1",
+        "detection_type": "malware",
+        "severity": "high",
+        "status": "active",
+        "created_timestamp": "2023-08-09T12:10:43.537Z",
+        "updated_timestamp": "2023-08-09T12:15:43.537Z",
+        "source": "endpoint",
+        "category": "MALWARE",
+        "description": "Malware detected on endpoint",
+        "details": {
+          "threatName": "Trojan.Generic.123456",
+          "confidence": 95,
+          "behavior": "suspicious_network_activity"
+        },
+        "device": {
+          "id": "device-123",
+          "name": "WORKSTATION-01",
+          "ip_address": "192.168.1.100",
+          "os": "Windows 10"
+        },
+        "user": {
+          "id": "user-123",
+          "name": "John Doe",
+          "email": "[email protected]"
+        },
+        "file": {
+          "name": "malware.exe",
+          "path": "C:\\Users\\John\\Downloads\\malware.exe",
+          "hash": "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6",
+          "size": 1024000
+        },
+        "network": {
+          "source_ip": "192.168.1.100",
+          "destination_ip": "10.0.0.1",
+          "port": 443,
+          "protocol": "HTTPS"
+        }
+      }
+    }
+  }
+}

packages/withsecure_elements/data_stream/incident_detections/agent/stream/httpjson.yml.hbs

@@ -0,0 +1,61 @@
+config_version: 2
+interval: {{interval}}
+{{#if enable_request_tracer}}
+request.tracer.filename: "../../logs/httpjson/http-request-trace-*.ndjson"
+request.tracer.maxbackups: 5
+{{/if}}
+request.url: {{url}}/incidents/v1/incidents/{{incident_id}}/detections
+request.method: GET
+{{#if http_client_timeout}}
+request.timeout: {{http_client_timeout}}
+{{/if}}
+{{#if proxy_url}}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+auth.oauth2.client.id: {{client_id}}
+auth.oauth2.client.secret: {{client_secret}}
+auth.oauth2.token_url: {{url}}/as/token.oauth2
+auth.oauth2.endpoint_params:
+  grant_type: client_credentials
+  scope: connect.api.read
+request.transforms:
+  - set:
+      target: url.params.limit
+      value: '50'
+  - set:
+      target: url.params.order
+      value: 'desc'
+  - set:
+      target: header.User-Agent
+      value: "Elastic-WithSecure-Elements-Connector/1.0.1"
+  - set:
+      target: header.Accept
+      value: "application/json"
+response.split:
+  target: body.items
+  ignore_empty_value: true
+response.pagination:
+  - set:
+      target: url.params.anchor
+      value: '[[.last_response.body.nextAnchor]]'
+      fail_on_template_error: true
+tags:
+{{#if preserve_original_event}}
+  - preserve_original_event
+{{/if}}
+{{#if preserve_duplicate_custom_fields}}
+  - preserve_duplicate_custom_fields
+{{/if}}
+{{#each tags as |tag|}}
+  - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+  {{processors}}
+{{/if}}