packages/wiz/data_stream/vulnerability/agent/stream/cel.yml.hbs (220 lines of code) (raw):
config_version: 2
interval: {{interval}}
resource.tracer:
enabled: {{enable_request_tracer}}
filename: "../../logs/cel/http-request-trace-*.ndjson"
maxbackups: 5
{{#if proxy_url}}
resource.proxy_url: {{proxy_url}}
{{/if}}
{{#if ssl}}
resource.ssl: {{ssl}}
{{/if}}
{{#if http_client_timeout}}
resource.timeout: {{http_client_timeout}}
{{/if}}
resource.url: {{url}}
auth.oauth2:
client.id: {{client_id}}
client.secret: {{client_secret}}
token_url: {{token_url}}
endpoint_params:
grant_type: client_credentials
audience: wiz-api
state:
initial_interval: {{initial_interval}}
want_more: false
batch_size: {{batch_size}}
query: >-
query VulnerabilityFindingsPage($filterBy: VulnerabilityFindingFilters $first: Int $after: String $orderBy: VulnerabilityFindingOrder) {
vulnerabilityFindings(filterBy: $filterBy first: $first after: $after orderBy: $orderBy) {
nodes {
id
portalUrl
name
CVEDescription
CVSSSeverity
score
exploitabilityScore
impactScore
dataSourceName
hasExploit
hasCisaKevExploit
status
vendorSeverity
firstDetectedAt
lastDetectedAt
resolvedAt
description
remediation
detailedName
version
fixedVersion
detectionMethod
link
locationPath
resolutionReason
epssSeverity
epssPercentile
epssProbability
validatedInRuntime
layerMetadata{
id
details
isBaseLayer
}
projects {
id
name
slug
businessUnit
riskProfile {
businessImpact
}
}
ignoreRules{
id
name
enabled
expiredAt
}
vulnerableAsset {
... on VulnerableAssetBase {
id
type
name
region
providerUniqueId
cloudProviderURL
cloudPlatform
status
subscriptionName
subscriptionExternalId
subscriptionId
tags
hasLimitedInternetExposure
hasWideInternetExposure
isAccessibleFromVPN
isAccessibleFromOtherVnets
isAccessibleFromOtherSubscriptions
}
... on VulnerableAssetVirtualMachine {
operatingSystem
ipAddresses
}
... on VulnerableAssetServerless {
runtime
}
... on VulnerableAssetContainerImage {
imageId
}
... on VulnerableAssetContainer {
ImageExternalId
VmExternalId
ServerlessContainer
PodNamespace
PodName
NodeName
}
}
}
pageInfo {
hasNextPage
endCursor
}
}
}
redact:
fields: ~
program: |
state.with(
post_request(
state.url.trim_right("/") + "/graphql",
"application/json",
{
"query": state.query,
"variables": {
"first": state.batch_size,
"after": state.?end_cursor.value.orValue(null),
"filterBy": {
"updatedAt": {
"after": state.want_more ?
state.?cursor.first_timestamp.orValue(null)
:
state.?cursor.last_timestamp.orValue(string(now() - duration(state.initial_interval)))
}
}
}
}.encode_json()
).do_request().as(resp, resp.StatusCode == 200 ?
bytes(resp.Body).decode_json().as(body, body.?data.vulnerabilityFindings.nodes.orValue(null) != null ?
{
"events": body.data.vulnerabilityFindings.nodes.map(e, {
"message": e.encode_json(),
}),
"cursor": {
?"last_timestamp": body.data.vulnerabilityFindings.nodes.size() > 0 ?
optional.of(body.data.vulnerabilityFindings.nodes.map(e, timestamp(e.lastDetectedAt)).max().as(last,
has(state.?cursor.last_timestamp) && last < timestamp(state.cursor.last_timestamp) ?
state.cursor.last_timestamp
:
string(last)
))
:
state.?cursor.last_timestamp,
?"first_timestamp": !has(body.data) || state.?cursor.first_timestamp.orValue(null) == null ?
optional.of(string(now() - duration(state.initial_interval)))
: body.data.vulnerabilityFindings.pageInfo.hasNextPage ?
state.?cursor.first_timestamp
:
state.?cursor.last_timestamp,
},
"end_cursor": {
?"value": body.?data.vulnerabilityFindings.pageInfo.hasNextPage.orValue(false) ?
body.?data.vulnerabilityFindings.pageInfo.endCursor
:
optional.none()
},
"want_more": body.?data.vulnerabilityFindings.pageInfo.hasNextPage.orValue(false),
}
:
{
"events": [],
"want_more": false,
}
)
:
{
"events": {
"error": {
"code": string(resp.StatusCode),
"id": string(resp.Status),
"message": "POST:"+(
size(resp.Body) != 0 ?
string(resp.Body)
:
string(resp.Status) + ' (' + string(resp.StatusCode) + ')'
),
},
},
"want_more": false,
}
)
)
tags:
{{#if preserve_original_event}}
- preserve_original_event
{{/if}}
{{#if preserve_duplicate_custom_fields}}
- preserve_duplicate_custom_fields
{{/if}}
{{#each tags as |tag|}}
- {{tag}}
{{/each}}
{{#contains "forwarded" tags}}
publisher_pipeline.disable_host: true
{{/contains}}
{{#if processors}}
processors:
{{processors}}
{{/if}}