[XM Cyber][Entity Inventory] Add Entity Inventory data stream

packages/xm_cyber/_dev/build/docs/README.md

@@ -8,7 +8,7 @@ This integration collects data from the XM Cyber REST API using scheduled pollin
 
 ### Compatibility
 
-The XM Cyber integration is compatible with the API version **1.0.0**.
+The XM Cyber integration is compatible with the API version **v2**.
 
 ### How it works
 
@@ -26,12 +26,14 @@ The XM Cyber integration collects the following types of data:
 |---|---|---|
 | `audit_trail` | Audit Records | `/api/audit-trail/auditRecords` |
 | `vulnerability` | CVE records from XM Cyber's Vulnerability Risk Management (VRM) feed, including CVSS v2/v3/v4 scores, EPSS metrics, CISA KEV / in-the-wild exploitation flags, and per-CVE counts of devices, products, and critical assets at risk | `/api/v2/vrm/public/vulnerabilities` |
+| `entity_inventory` | Inventory of entities (devices, identities, and cloud resources) tracked by XM Cyber, enriched with OS, network, agent, and cloud-account metadata. | `/api/entityInventory/entities` |
 
 ### Supported use cases
 
 - **Audit and compliance monitoring**: Track administrative and user activity within your XM Cyber tenant — including console logins, sensor scan results, and configuration changes — and correlate it with the rest of your security telemetry to support compliance reviews and incident investigations.
 - **Risk-based vulnerability prioritization**: Rank CVEs by CVSS impact, EPSS exploit probability, and CISA KEV / in-the-wild exploitation flags to focus remediation effort where it actually reduces business risk.
 - **Attack-path-aware exposure analysis**: Correlate detected CVEs with XM Cyber's attack-technique simulations to identify which vulnerabilities act as choke points or stepping stones to crown-jewel assets.
+- **Asset and exposure visibility**: Maintain a unified inventory of the devices, identities, and cloud resources XM Cyber discovers across hybrid environments — with OS, network, agent, and cloud-account context — to support asset management, attack-surface monitoring, and prioritization of critical assets.
 
 ## What do I need to use this integration?
 
@@ -128,6 +130,18 @@ For help with Elastic ingest tools, check [Common problems](https://www.elastic.
 
 {{event "vulnerability"}}
 
+### Entity Inventory
+
+#### Entity Inventory fields
+
+{{fields "entity_inventory"}}
+
+### Example event
+
+#### Entity Inventory
+
+{{event "entity_inventory"}}
+
 ### Inputs used
 
 {{ inputDocs }}
@@ -142,7 +156,8 @@ These XM Cyber REST API endpoints are used by this integration:
 | `/api/refresh-token` | POST | all | Refresh an expired access token |
 | `/api/audit-trail/auditRecords` | GET | `audit_trail` | Audit Records |
 | `/api/v2/vrm/public/vulnerabilities` | GET | `vulnerabilities` | Paginated exposure rows (attack techniques / CVE context) |
+| `/api/entityInventory/entities` | GET | `entity_inventory` | List entities (devices, identities, cloud resources) tracked by XM Cyber |
 
 ### ILM Policy
 
-To facilitate vulnerability data stream-backed indices `.ds-logs-xm_cyber.vulnerability-*` is allowed to contain duplicates from each polling interval. ILM policies `logs-xm_cyber.vulnerability-default_policy` is added to these source indices, so it doesn't lead to unbounded growth. This means that in these source indices data will be deleted after `30 days` from ingested date.
+To facilitate vulnerability data stream-backed indices `.ds-logs-xm_cyber.vulnerability-*` is allowed to contain duplicates from each polling interval. ILM policies `logs-xm_cyber.vulnerability-default_policy` is added to these source indices, so it doesn't lead to unbounded growth. This means that in these source indices data will be deleted after `30 days` from ingested date.

packages/xm_cyber/_dev/deploy/docker/files/config.yml

@@ -142,7 +142,6 @@ rules:
             "metadata": {}
           }
           `}}
-
   - path: /api/v2/vrm/public/vulnerabilities
     methods: ['GET']
     query_params:
@@ -226,3 +225,219 @@ rules:
             }
           }
           `}}
+  # Page 2 — fetched via nextLink cursor=page2
+  - path: /api/entityInventory/entities
+    methods: ['GET']
+    query_params:
+      cursor: 'page2'
+    request_headers:
+      Authorization: "Bearer mock-access-token-abc123"
+    responses:
+      - status_code: 200
+        headers:
+          Content-Type:
+            - 'application/json'
+        body: |-
+          {{ minify_json `
+          {
+            "data": [
+              {
+                "id": "awsSsmParameter-arn:aws:ssm:us-east-2:702947630755:parameter/EC2Rescue/Passwords/i-0d056ac1b7c822c92",
+                "accountId": "702947630755",
+                "arn": "arn:aws:ssm:us-east-2:702947630755:parameter/EC2Rescue/Passwords/i-0d056ac1b7c822c92",
+                "customProperties": {
+                  "domainWorkgroup": {
+                    "type": "domain",
+                    "data": "AWS/702947630755"
+                  },
+                  "ouComputer": "AWS/702947630755/us-east-2/SSM/ParameterMetadata",
+                  "ouUser": "AWS/702947630755/SSM/ParameterMetadata",
+                  "subnetInfo": "AWS_702947630755_us-east-2"
+                },
+                "disabled": false,
+                "displayName": "/EC2Rescue/Passwords/i-0d056ac1b7c822c92",
+                "entityType": "AwsSsmParameterEntity",
+                "name": "/EC2Rescue/Passwords/i-0d056ac1b7c822c92",
+                "notIncludedInAttacks": false,
+                "region": "us-east-2",
+                "ruleDisplayName": "702947630755 / /EC2Rescue/Passwords/i-0d056ac1b7c822c92",
+                "ssmParameterDataType": "text",
+                "ssmParameterDescription": "New local Administrator password for instance i-0d056ac1b7c822c92",
+                "ssmParameterKeyId": "alias/aws/ssm",
+                "ssmParameterLastModifiedDate": "2021-07-28T08:11:54.200Z",
+                "ssmParameterLastModifiedUser": "arn:aws:sts::702947630755:assumed-role/AmazonSSMRoleForInstancesQuickSetup/i-0d056ac1b7c822c92",
+                "ssmParameterName": "/EC2Rescue/Passwords/i-0d056ac1b7c822c92",
+                "ssmParameterTier": "Standard",
+                "ssmParameterType": "SecureString",
+                "ssmParameterVersion": 1,
+                "status": "active",
+                "type": "awsSsmParameter",
+                "typeDisplayName": "AWS SSM Parameter",
+                "useType": "Storage",
+                "xmProviderAccount": "xm-test3",
+                "xmUpdateTime": "2026-05-05T21:05:15.079Z",
+                "accountName": "xm-test3",
+                "organizationId": "o-wvjziar78j",
+                "category": "Cloud",
+                "entityDetails": {
+                  "name": "/EC2Rescue/Passwords/i-0d056ac1b7c822c92",
+                  "id": "awsSsmParameter-arn:aws:ssm:us-east-2:702947630755:parameter/EC2Rescue/Passwords/i-0d056ac1b7c822c92",
+                  "isAsset": null,
+                  "subType": "awsSsmParameter",
+                  "subTypeDisplayName": "AWS SSM Parameter"
+                }
+              }
+            ],
+            "paging": {
+              "page": 1,
+              "pageSize": 2,
+              "total": 3,
+              "totalPages": 2,
+              "nextLink": null
+            },
+            "metadata": {}
+          }
+          `}}
+  # Page 1 — initial full fetch (cursor absent so it does not match Page 2 requests)
+  - path: /api/entityInventory/entities
+    methods: ['GET']
+    query_params:
+      pageSize: '2'
+      cursor: null
+    request_headers:
+      Authorization: "Bearer mock-access-token-abc123"
+    responses:
+      - status_code: 200
+        headers:
+          Content-Type:
+            - 'application/json'
+        body: |-
+          {{ minify_json `
+          {
+            "data": [
+              {
+                "id": "awsSsmParameter-arn:aws:ssm:us-east-1:702947630755:parameter/CodeBuild/accessKeys",
+                "accountId": "702947630755",
+                "arn": "arn:aws:ssm:us-east-1:702947630755:parameter/CodeBuild/accessKeys",
+                "customProperties": {
+                  "domainWorkgroup": {
+                    "type": "domain",
+                    "data": "AWS/702947630755"
+                  },
+                  "ouComputer": "AWS/702947630755/us-east-1/SSM/ParameterMetadata",
+                  "ouUser": "AWS/702947630755/SSM/ParameterMetadata",
+                  "subnetInfo": "AWS_702947630755_us-east-1"
+                },
+                "disabled": false,
+                "displayName": "/CodeBuild/accessKeys",
+                "entityType": "AwsSsmParameterEntity",
+                "name": "/CodeBuild/accessKeys",
+                "notIncludedInAttacks": false,
+                "region": "us-east-1",
+                "ruleDisplayName": "702947630755 / /CodeBuild/accessKeys",
+                "ssmParameterDataType": "text",
+                "ssmParameterKeyId": "alias/aws/ssm",
+                "ssmParameterLastModifiedDate": "2020-07-19T09:53:58.629Z",
+                "ssmParameterLastModifiedUser": "arn:aws:sts::702947630755:assumed-role/AWSReservedSSO_AdministratorAccess_4b70f7a69b186776/zur@xmcyber.com",
+                "ssmParameterName": "/CodeBuild/accessKeys",
+                "ssmParameterTier": "Standard",
+                "ssmParameterType": "SecureString",
+                "ssmParameterVersion": 1,
+                "status": "active",
+                "type": "awsSsmParameter",
+                "typeDisplayName": "AWS SSM Parameter",
+                "useType": "Storage",
+                "xmProviderAccount": "xm-test3",
+                "xmUpdateTime": "2026-05-05T21:05:15.079Z",
+                "accountName": "xm-test3",
+                "organizationId": "o-wvjziar78j",
+                "category": "Cloud",
+                "entityDetails": {
+                  "name": "/CodeBuild/accessKeys",
+                  "id": "awsSsmParameter-arn:aws:ssm:us-east-1:702947630755:parameter/CodeBuild/accessKeys",
+                  "isAsset": null,
+                  "subType": "awsSsmParameter",
+                  "subTypeDisplayName": "AWS SSM Parameter"
+                }
+              },
+              {
+                "id": "awsSecret-/CrowdStrike/CSPM/SensorManagement/FalconAPICredentials",
+                "useType": "Storage",
+                "entityType": "AwsSecretEntity",
+                "accountId": "908522078858",
+                "accountName": "aws-908522078858",
+                "organizationId": "o-wvjziar78j",
+                "arn": "arn:aws:secretsmanager:us-east-1:908522078858:secret:/CrowdStrike/CSPM/SensorManagement/FalconAPICredentials-4BkOB0",
+                "xmUpdateTime": "2026-05-05T21:05:15.079Z",
+                "customProperties": {
+                  "domainWorkgroup": {
+                    "type": "domain",
+                    "data": "AWS/908522078858"
+                  },
+                  "ouComputer": "AWS/908522078858/us-east-1/SecretsManager/SecretListEntry",
+                  "ouUser": "AWS/908522078858/SecretsManager/SecretListEntry",
+                  "subnetInfo": "AWS_908522078858_us-east-1"
+                },
+                "region": "us-east-1",
+                "awsTags": [
+                  {
+                    "Key": "aws:cloudformation:stack-id",
+                    "Value": "arn:aws:cloudformation:us-east-1:908522078858:stack/StackSet-crowdstrike-SensorManagement-9fb10f6b-9dc3-4c3c-a078-dcec6bde4487/3493fc10-2bf9-11f0-a92a-0affd5d0d7df"
+                  },
+                  {
+                    "Key": "aws:cloudformation:stack-name",
+                    "Value": "StackSet-crowdstrike-SensorManagement-9fb10f6b-9dc3-4c3c-a078-dcec6bde4487"
+                  },
+                  {
+                    "Key": "aws:cloudformation:logical-id",
+                    "Value": "CrowdStrikeSensorManagementFalconCredentialsSecret"
+                  }
+                ],
+                "ruleDisplayName": "908522078858 / /CrowdStrike/CSPM/SensorManagement/FalconAPICredentials",
+                "secretDescription": "Falcon API credentials used by the 1-Click sensor management orchestrator.",
+                "status": "active",
+                "type": "awsSecret",
+                "displayName": "/CrowdStrike/CSPM/SensorManagement/FalconAPICredentials",
+                "name": "/CrowdStrike/CSPM/SensorManagement/FalconAPICredentials",
+                "disabled": false,
+                "notIncludedInAttacks": false,
+                "typeDisplayName": "AWS Secret",
+                "labels": [
+                  {
+                    "id": "aws:cloudformation:stack-id: arn:aws:cloudformation:us-east-1:908522078858:stack/StackSet-crowdstrike-SensorManagement-9fb10f6b-9dc3-4c3c-a078-dcec6bde4487/3493fc10-2bf9-11f0-a92a-0affd5d0d7df",
+                    "type": "cloud"
+                  },
+                  {
+                    "id": "aws:cloudformation:stack-name: StackSet-crowdstrike-SensorManagement-9fb10f6b-9dc3-4c3c-a078-dcec6bde4487",
+                    "type": "cloud"
+                  },
+                  {
+                    "id": "aws:cloudformation:logical-id: CrowdStrikeSensorManagementFalconCredentialsSecret",
+                    "type": "cloud"
+                  }
+                ],
+                "tagsStr": [
+                  "aws:cloudformation:stack-id: arn:aws:cloudformation:us-east-1:908522078858:stack/StackSet-crowdstrike-SensorManagement-9fb10f6b-9dc3-4c3c-a078-dcec6bde4487/3493fc10-2bf9-11f0-a92a-0affd5d0d7df",
+                  "aws:cloudformation:stack-name: StackSet-crowdstrike-SensorManagement-9fb10f6b-9dc3-4c3c-a078-dcec6bde4487",
+                  "aws:cloudformation:logical-id: CrowdStrikeSensorManagementFalconCredentialsSecret"
+                ],
+                "category": "Cloud",
+                "entityDetails": {
+                  "name": "/CrowdStrike/CSPM/SensorManagement/FalconAPICredentials",
+                  "id": "awsSecret-/CrowdStrike/CSPM/SensorManagement/FalconAPICredentials",
+                  "isAsset": null,
+                  "subType": "awsSecret",
+                  "subTypeDisplayName": "AWS Secret"
+                }
+              }
+            ],
+            "paging": {
+              "page": 0,
+              "pageSize": 2,
+              "total": 3,
+              "totalPages": 2,
+              "nextLink": "/api/entityInventory/entities?cursor=page2"
+            },
+            "metadata": {}
+          }
+          `}}

packages/xm_cyber/changelog.yml

@@ -1,6 +1,9 @@
 # newer versions go on top
 - version: 0.1.0
   changes:
+    - description: Add support for entity inventory data stream.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/19550
     - description: Add support for audit trail data stream.
       type: enhancement
       link: https://github.com/elastic/integrations/pull/18823

packages/xm_cyber/data_stream/entity_inventory/_dev/test/pipeline/test-common-config.yml

@@ -0,0 +1,3 @@
+fields:
+  tags:
+    - preserve_original_event