in internal/transformer/events_creator.go [84:148]
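// CreateBeatEvents builds one beat.Event per finding in eventData.
//
// It returns (nil, nil) when eventData carries no findings. Otherwise the
// resource metadata is read once, its ID is replaced by the value returned
// from t.idProvider, and every finding is turned into an event that shares
// the same resource, related-entity list and timestamp. Each event is then
// passed through the benchmark, rule-ECS, global and resource enrichers in
// that order.
//
// Any metadata or enrichment failure aborts the whole batch: the function
// returns a nil slice and an error that wraps the underlying cause, so
// callers can inspect it with errors.Is / errors.As.
func (t *Transformer) CreateBeatEvents(_ context.Context, eventData evaluator.EventData) ([]beat.Event, error) {
	if len(eventData.Findings) == 0 {
		return nil, nil
	}

	resMetadata, err := eventData.GetMetadata()
	if err != nil {
		// Return nil rather than an empty slice, consistent with the other
		// error paths below.
		return nil, fmt.Errorf("failed to get resource metadata: %w", err)
	}

	// Swap the resource's own ID for the one issued by the ID provider; the
	// log line records the mapping between the two.
	// NOTE(review): Type and ID are formatted with %s; if they can carry
	// provider-controlled text, confirm the logger escapes control characters.
	id := t.idProvider.GetId(resMetadata.Type, resMetadata.ID)
	t.log.Infof("resource of type %s with id %s got a new id %s", resMetadata.Type, resMetadata.ID, id)
	resMetadata.ID = id

	// One timestamp for the whole batch, so all findings of a resource line up.
	timestamp := time.Now().UTC()

	// NOTE(review): Raw carries the evaluated resource as-is into every event;
	// presumably fetchers strip secrets before this point - confirm upstream.
	resource := fetching.ResourceFields{
		ResourceMetadata: resMetadata,
		Raw:              eventData.RuleResult.Resource,
	}

	// Drop empty identifiers so related.entity never contains blank entries.
	related := Related{
		Entity: lo.Filter(eventData.GetIds(), func(item string, _ int) bool { return item != "" }),
	}

	globalEnricher := dataprovider.NewEnricher(t.commonDataProvider)

	// At most one event per finding, so size the slice once up front.
	events := make([]beat.Event, 0, len(eventData.Findings))
	for _, finding := range eventData.Findings {
		event := beat.Event{
			Meta:      mapstr.M{libevents.FieldMetaIndex: t.index},
			Timestamp: timestamp,
			Fields: mapstr.M{
				"event":    BuildECSEvent(eventData.CycleMetadata.Sequence, eventData.Metadata.CreatedAt, []string{ecsCategoryConfiguration}, getEcsOutcome(finding.Result.Evaluation)),
				"resource": resource,
				"result":   finding.Result,
				"rule":     finding.Rule,
				"related":  related,
				"message":  fmt.Sprintf("Rule %q: %s", finding.Rule.Name, finding.Result.Evaluation),
			},
		}

		if err := t.benchmarkDataProvider.EnrichEvent(&event, resMetadata); err != nil {
			return nil, fmt.Errorf("failed to enrich event with benchmark context: %w", err)
		}
		if err := t.ruleECSProvider.EnrichEvent(&event, resMetadata); err != nil {
			return nil, fmt.Errorf("failed to enrich event with rule ECS context: %w", err)
		}
		if err := globalEnricher.EnrichEvent(&event); err != nil {
			return nil, fmt.Errorf("failed to enrich event with global context: %w", err)
		}
		// The resource enricher is rebuilt for each finding, as in the
		// original; NewEnricher is not visible here, so it is not hoisted.
		if err := dataprovider.NewEnricher(eventData).EnrichEvent(&event); err != nil {
			return nil, fmt.Errorf("failed to enrich event with resource context: %w", err)
		}

		events = append(events, event)
	}

	return events, nil
}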