elastic/cloudbeat

Host information is incorrect

Closed this issue · 3 comments

Motivation
Alerts generated from rules that were created from findings display wrong host information on the alert host flyout: the information displayed belongs to the host where the agent is running, which is unrelated to the actual alert or misconfiguration (related only in KSPM). The second problem is that for alerts and misconfigurations that actually have a host or user relevant to them (which are not many) we didn't map the host or user information to the relevant ECS fields.

Definition of done

What needs to be completed at the end of this task

  • Populate host.name and user.name with the correct values
    • AWS
    • GCP
    • Azure
  • Populate the relevant ECS fields

Related

cc @JordanSh @eyalkraft
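To make the two problems in the issue concrete, here is an added illustration (not cloudbeat's code; the `Finding` type, the resource-type labels and both functions are hypothetical stand-ins constructed for this example). `legacyFields` reproduces the behaviour described above, where every finding carries the agent's own hostname, while `ecsFields` emits `host.name` or `user.name` only when the finding's resource really is a host or a user, and leaves the section empty otherwise:

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Finding is a simplified, hypothetical stand-in for a misconfiguration
// finding. The resource-type labels below are constructed for this example.
type Finding struct {
	ResourceType string // "vm", "iam-user", "storage-bucket" (constructed labels)
	ResourceName string
	Region       string
}

// legacyFields models the behaviour the issue reports: the host section is
// always filled from the machine running the agent, regardless of what the
// finding is actually about. agentHost is passed in to keep this deterministic.
func legacyFields(f Finding, agentHost string) map[string]any {
	return map[string]any{
		"host": map[string]any{"name": agentHost},
	}
}

// ecsFields maps the finding's own subject onto ECS. The agent hostname is
// deliberately not consulted: a misconfigured bucket has no host, and a VM
// finding's host is the VM itself, not the agent's machine.
func ecsFields(f Finding) map[string]any {
	doc := map[string]any{}
	switch f.ResourceType {
	case "vm":
		// The resource is a host: populate host.name with the VM's name.
		doc["host"] = map[string]any{"name": f.ResourceName}
	case "iam-user":
		// The resource is an identity: populate user.name instead.
		doc["user"] = map[string]any{"name": f.ResourceName}
	default:
		// Buckets, networks, etc. have no relevant host or user, so the
		// host and user sections stay empty rather than naming the agent.
	}
	return doc
}

func main() {
	findings := []Finding{
		{ResourceType: "vm", ResourceName: "web-01", Region: "eastus"},
		{ResourceType: "iam-user", ResourceName: "ci-deployer", Region: "global"},
		{ResourceType: "storage-bucket", ResourceName: "audit-logs", Region: "westeurope"},
	}
	for _, f := range findings {
		before, _ := json.Marshal(legacyFields(f, "agent-host-01"))
		after, _ := json.Marshal(ecsFields(f))
		fmt.Printf("%-15s legacy=%s corrected=%s\n", f.ResourceType, before, after)
	}
}
```

Run with `go run .`; the legacy column names `agent-host-01` for all three findings, while the corrected column names the VM for the VM finding, the user for the IAM finding and nothing for the bucket.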

Pushed a draft PR with changes. Tested on Azure, IT tests passing. PTAL.

I have prepared separate PRs for host and user details. I have also added an integration test check to ensure I did not break CNVM, which already provides the correct host section.

Please look at PR descriptions and code to find out which rules got the new Elastic Common Schema fields, since it affects only some of them.

The host section will become empty for most findings and I have confirmed with @maxcold and @Omolola-Akinleye that it should not affect our telemetry.