
Discrepancy in expected findings of KSPM self managed (aka vanilla) benchmark

Open kfirpeled opened this issue 1 year ago • 0 comments

Describe the bug

During our regular checks of the expected findings, we found, after upgrading the agent from version 8.14.3 to 8.16.1, an increased number of findings. We confirmed that the number of resources hadn't changed during the upgrade.

These are the rules that generated findings after the upgrade, which hadn't been reported previously:

  • 5.1.3 (82 findings)
  • 5.1.5 (57 findings)
  • 5.1.6 (57 findings)
  • 5.2.2 (13 findings)
  • 5.2.3 (13 findings)
  • 5.2.4 (13 findings)
  • 5.2.5 (13 findings)
  • 5.2.6 (13 findings)
  • 5.2.7 (13 findings)
  • 5.2.8 (13 findings)
  • 5.2.9 (13 findings)
  • 5.2.10 (13 findings)

Total number of new findings: 313

Total findings: 459
Expected findings: 146

Additional context

Upgrade time: Dec 3, 2024

ES|QL query for investigation:

FROM logs-cloud_security_posture.findings-*
| WHERE rule.benchmark.id == "cis_k8s"
| STATS COUNT_DISTINCT(resource.id) BY agent.version, rule.benchmark.rule_number, event.sequence

kfirpeled, Dec 05 '24 14:12
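The following is an added example, not code from the issue or from the cloudbeat project. It reproduces the issue's ES|QL aggregation offline in Python: it counts distinct `resource.id` values per `agent.version` and `rule.benchmark.rule_number`, keeps only the latest `event.sequence` (scan cycle) for each agent version so that overlapping cycles are not double-counted, and reports which rules started producing findings under the new agent version together with the total delta. The finding documents, versions and resource ids are constructed for illustration; the field names follow the query in the issue.

```python
"""Offline check for new KSPM findings between two agent versions.

Added example, not part of the cloudbeat issue or project. It mirrors the
ES|QL aggregation quoted in the issue over a constructed list of findings.
"""
from collections import defaultdict


def finding(version, sequence, rule, resource, benchmark="cis_k8s"):
    """Build a minimal finding document shaped like the fields the query uses."""
    return {
        "agent": {"version": version},
        "event": {"sequence": sequence},
        "rule": {"benchmark": {"id": benchmark, "rule_number": rule}},
        "resource": {"id": resource},
    }


# Constructed sample: one cycle on 8.14.3, two cycles on 8.16.1 (the older
# one partial), one document from another benchmark, one missing resource.id.
SAMPLE_FINDINGS = [
    finding("8.14.3", 100, "1.1.1", "r1"),
    finding("8.14.3", 100, "1.1.1", "r2"),
    finding("8.14.3", 100, "4.2.1", "r3"),
    finding("8.16.1", 150, "1.1.1", "r1"),            # older, partial cycle
    finding("8.16.1", 200, "1.1.1", "r1"),
    finding("8.16.1", 200, "1.1.1", "r2"),
    finding("8.16.1", 200, "4.2.1", "r3"),
    finding("8.16.1", 200, "5.1.3", "r4"),            # rule new in 8.16.1
    finding("8.16.1", 200, "5.1.3", "r5"),
    finding("8.16.1", 200, "5.2.2", "r6"),            # rule new in 8.16.1
    finding("8.16.1", 200, "5.1.3", "r4"),            # duplicate doc, same resource
    finding("8.16.1", 200, "3.1.1", "eks1", benchmark="cis_eks"),  # filtered out
    {"agent": {"version": "8.16.1"}, "event": {"sequence": 200},
     "rule": {"benchmark": {"id": "cis_k8s", "rule_number": "5.1.5"}}},  # no resource.id
]


def get_path(doc, path):
    """Dotted-path lookup (e.g. 'rule.benchmark.id'); None when any level is missing."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def latest_cycle_counts(findings, benchmark_id="cis_k8s"):
    """Return {agent_version: {rule_number: set(resource_ids)}}.

    Equivalent to the issue's STATS COUNT_DISTINCT(resource.id) BY agent.version,
    rule_number, event.sequence, reduced to the highest event.sequence per version.
    """
    by_cycle = defaultdict(lambda: defaultdict(set))
    for doc in findings:
        if get_path(doc, "rule.benchmark.id") != benchmark_id:
            continue
        version = get_path(doc, "agent.version")
        sequence = get_path(doc, "event.sequence")
        rule = get_path(doc, "rule.benchmark.rule_number")
        resource = get_path(doc, "resource.id")
        if None in (version, sequence, rule, resource):
            continue  # skip documents that cannot be attributed
        by_cycle[(version, sequence)][rule].add(resource)

    latest = {}  # version -> (sequence, {rule: set})
    for (version, sequence), rules in by_cycle.items():
        if version not in latest or sequence > latest[version][0]:
            latest[version] = (sequence, rules)
    return {version: rules for version, (_, rules) in latest.items()}


def new_rules_after_upgrade(findings, old_version, new_version, benchmark_id="cis_k8s"):
    """Rules with findings under new_version but none under old_version,
    with distinct resource counts, plus old/new totals and their delta."""
    counts = latest_cycle_counts(findings, benchmark_id)
    old = counts.get(old_version, {})
    new = counts.get(new_version, {})
    new_rules = {rule: len(ids) for rule, ids in sorted(new.items()) if rule not in old}
    total_old = sum(len(ids) for ids in old.values())
    total_new = sum(len(ids) for ids in new.values())
    return {
        "new_rules": new_rules,
        "total_old": total_old,
        "total_new": total_new,
        "delta": total_new - total_old,
    }


if __name__ == "__main__":
    report = new_rules_after_upgrade(SAMPLE_FINDINGS, "8.14.3", "8.16.1")
    for rule, count in report["new_rules"].items():
        print(f"{rule} ({count} findings)")
    print(f"Total new findings: {report['delta']}")
```

The same comparison can be run against real exported findings by loading the documents from the index instead of `SAMPLE_FINDINGS`; selecting the latest `event.sequence` per version is what keeps a partially completed scan cycle from masking or inflating the per-rule counts.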