[GCP] Handle empty cloud.account.name and cloud.account.id fields on CSPM GCP findings #2053
Comments
@opauloh should we send |
@orouz It's better not to send the fields at all, also in favour of establishing a consistent behaviour with other fields (for example, Cloudbeat does not send |
This breaks the dashboards though, no?
In what way? What are we trying to fix here @opauloh? |
There is a work in progress to handle missing fields in Kibana for 8.14+
The presence of empty strings in these fields introduces ambiguity in what the data represents. To clarify, when a field is represented as an empty string, it implies that the field exists but holds no value (for example, having a Therefore, as part of the solution, we propose that when there is no |
in aws / azure we do this: cloudbeat/internal/dataprovider/providers/cloud/data_provider.go Lines 63 to 64 in 392f969
if GCP did the same, would it solve the issue? (if so, then this would be fixed in #2085) i'm a bit unsure because you say we shouldn't send empty fields at all, but that code is from a PR that fixes crashing dashboards due to lack of fields by sending empty string fields if we have no value to send (as in in anyway, whatever we decide here: send fields without data as an empty string or not send those fields at all, should be done for all cloud vendors |
Thanks for sharing the PR with the fix, that was true and necessary for Kibana on versions 8.13 and lower as we were not considering the use case of Findings with organization data that does not relate to a specific cloud account, we now fixed that for 8.14+ on this PR, so this behaviour can now be reverted to use
I agree, all cloud vendors can use |
Closing as it was addressed here with ingest pipelines
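The empty-versus-missing distinction discussed in this thread, as an added Go example that is not part of the issue or of cloudbeat's code. The `Account` and `Cloud` types, `Encode` and `FieldExists` are hypothetical names; `FieldExists` only mimics the Elasticsearch `exists` semantics, where an empty string counts as a present value.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Account and Cloud are hypothetical stand-ins for a finding's cloud.* fields,
// not cloudbeat's own types. omitempty drops unset values from the document.
type Account struct {
	ID   string `json:"id,omitempty"`
	Name string `json:"name,omitempty"`
}
type Cloud struct {
	Provider string   `json:"provider"`
	Account  *Account `json:"account,omitempty"`
}

// Encode leaves "account" out entirely when a finding has no id and no name.
func Encode(provider, id, name string) string {
	c := Cloud{Provider: provider}
	if id != "" || name != "" {
		c.Account = &Account{ID: id, Name: name}
	}
	b, _ := json.Marshal(c) // cannot fail for these plain string fields
	return string(b)
}

// FieldExists mimics an Elasticsearch "exists" check on a path inside doc:
// an empty string counts as present, only an absent key or null does not.
func FieldExists(doc string, path ...string) bool {
	var cur any
	if json.Unmarshal([]byte(doc), &cur) != nil {
		return false
	}
	for _, k := range path {
		m, _ := cur.(map[string]any) // nil map when cur is not an object
		if cur = m[k]; cur == nil {
			return false
		}
	}
	return true
}

func main() {
	empty := `{"provider":"gcp","account":{"id":"","name":""}}` // constructed sample
	missing := Encode("gcp", "", "")
	fmt.Println(FieldExists(empty, "account", "id"), FieldExists(missing, "account", "id"), missing)
}
```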
Motivation
While investigating this kibana issue, we found out the GCP Benchmark Rule 2.3 introduced findings data with empty cloud.account.name and cloud.account.id fields. While it's expected behaviour to not have cloud.account.* data since the data is related to a misconfiguration at an organization level not attached to an account, it would make more sense if the fields were missing rather than empty strings, as that makes a difference in how the data is being handled.
Definition of done
cloud.account.id or cloud.account.name data, cloudbeat should send missing fields instead of empty.
Related tasks/epics
Screenshots
Document example: