elastic · kfirpeled · Jun 18, 2026
@@ -0,0 +1,67 @@
+import type { IntegrationEvaluations } from "./types";
+
+export const aws_bedrockEvaluations = {
+  integration: "aws_bedrock",
+  evaluations: [
+    {
+      id: "detection_flags",
+      section: "Detection flags (mandatory \u2014 run first)",
+      esql: `| EVAL
+  actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL
+    OR host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL
+    OR service.id IS NOT NULL OR service.name IS NOT NULL
+    OR entity.id IS NOT NULL OR entity.name IS NOT NULL,
+  target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL
+    OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL
+    OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL
+    OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL,
+  action_exists = event.action IS NOT NULL`,
+    },
+    {
+      id: "optional_classification",
+      section: "Optional classification helpers (when needed)",
+      esql: `| EVAL
+  entity.sub_type = CASE(
+    entity.sub_type IS NOT NULL, entity.sub_type,
+    data_stream.dataset == "aws_bedrock.invocation" AND user.id IS NOT NULL AND user.id LIKE "arn:aws:sts:*:assumed-role/*", "assumed_role",
+    data_stream.dataset == "aws_bedrock.invocation" AND user.id IS NOT NULL AND user.id LIKE "arn:aws:iam:*:user/*", "iam_user",
+    null
+  ),
+  service.target.sub_type = CASE(
+    service.target.sub_type IS NOT NULL, service.target.sub_type,
+    data_stream.dataset == "aws_bedrock.invocation" AND gen_ai.request.model.id IS NOT NULL, "foundation_model",
+    null
+  )`,
+    },
+    {
+      id: "event_action",
+      section: "Combined ES|QL \u2014 event action",
+      esql: `| EVAL
+  event.action = CASE(
+    event.action IS NOT NULL, event.action,
+    data_stream.dataset == "aws_bedrock.guardrails" AND aws_bedrock.guardrails.operation IS NOT NULL, aws_bedrock.guardrails.operation,
+    null
+  )`,
+    },
+    {
+      id: "target",
+      section: "Combined ES|QL \u2014 target fields",
+      esql: `| EVAL
+  service.target.name = CASE(
+    service.target.name IS NOT NULL, service.target.name,
+    data_stream.dataset == "aws_bedrock.invocation" AND cloud.service.name IS NOT NULL, cloud.service.name,
+    null
+  ),
+  service.target.id = CASE(
+    service.target.id IS NOT NULL, service.target.id,
+    data_stream.dataset == "aws_bedrock.invocation" AND gen_ai.request.model.id IS NOT NULL, gen_ai.request.model.id,
+    null
+  ),
+  service.target.type = CASE(
+    service.target.type IS NOT NULL, service.target.type,
+    data_stream.dataset == "aws_bedrock.invocation" AND gen_ai.request.model.type IS NOT NULL, gen_ai.request.model.type,
+    null
+  )`,
+    },
+  ],
+} as const satisfies IntegrationEvaluations;
@@ -0,0 +1,99 @@
+import type { IntegrationEvaluations } from "./types";
+
+export const aws_bedrock_agentcoreEvaluations = {
+  integration: "aws_bedrock_agentcore",
+  evaluations: [
+    {
+      id: "detection_flags",
+      section: "Detection flags (mandatory \u2014 run first)",
+      esql: `| EVAL
+  actor_exists = user.id IS NOT NULL OR user.name IS NOT NULL OR user.email IS NOT NULL
+    OR host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL
+    OR service.id IS NOT NULL
+    OR entity.id IS NOT NULL OR entity.name IS NOT NULL,
+  target_exists = user.target.id IS NOT NULL OR user.target.name IS NOT NULL OR user.target.email IS NOT NULL
+    OR host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL
+    OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL
+    OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL,
+  action_exists = event.action IS NOT NULL`,
+    },
+    {
+      id: "optional_classification",
+      section: "Optional classification helpers (when needed)",
+      esql: `| EVAL
+  entity.type = CASE(
+    entity.type IS NOT NULL, entity.type,
+    data_stream.dataset IN ("aws_bedrock_agentcore.runtime_application_logs", "aws_bedrock_agentcore.memory_application_logs"), "user",
+    data_stream.dataset == "aws_bedrock_agentcore.gateway_application_logs", "service",
+    null
+  ),
+  entity.sub_type = CASE(
+    entity.sub_type IS NOT NULL, entity.sub_type,
+    data_stream.dataset == "aws_bedrock_agentcore.gateway_application_logs", "agentcore_gateway",
+    null
+  ),
+  entity.target.type = CASE(
+    entity.target.type IS NOT NULL, entity.target.type,
+    data_stream.dataset == "aws_bedrock_agentcore.gateway_application_logs" AND aws.bedrock_agentcore.gateway.target IS NOT NULL, "general",
+    data_stream.dataset IN ("aws_bedrock_agentcore.runtime_application_logs", "aws_bedrock_agentcore.memory_application_logs"), "service",
+    null
+  ),
+  entity.target.sub_type = CASE(
+    entity.target.sub_type IS NOT NULL, entity.target.sub_type,
+    data_stream.dataset == "aws_bedrock_agentcore.gateway_application_logs" AND aws.bedrock_agentcore.gateway.target IS NOT NULL, "tool_target",
+    data_stream.dataset == "aws_bedrock_agentcore.runtime_application_logs", "runtime_endpoint",
+    data_stream.dataset == "aws_bedrock_agentcore.memory_application_logs" AND aws.bedrock_agentcore.memory.memory_strategy IS NOT NULL, aws.bedrock_agentcore.memory.memory_strategy,
+    null
+  )`,
+    },
+    {
+      id: "actor",
+      section: "Combined ES|QL \u2014 actor fields",
+      esql: `| EVAL
+  user.id = CASE(
+    user.id IS NOT NULL, user.id,
+    data_stream.dataset == "aws_bedrock_agentcore.runtime_application_logs" AND aws.bedrock_agentcore.request_payload.actor_id IS NOT NULL, aws.bedrock_agentcore.request_payload.actor_id,
+    data_stream.dataset == "aws_bedrock_agentcore.memory_application_logs" AND aws.bedrock_agentcore.memory.actor_id IS NOT NULL, aws.bedrock_agentcore.memory.actor_id,
+    null
+  ),
+  service.id = CASE(
+    service.id IS NOT NULL, service.id,
+    data_stream.dataset == "aws_bedrock_agentcore.gateway_application_logs" AND aws.bedrock_agentcore.gateway.resource_arn IS NOT NULL, aws.bedrock_agentcore.gateway.resource_arn,
+    null
+  )`,
+    },
+    {
+      id: "event_action",
+      section: "Combined ES|QL \u2014 event action",
+      esql: `| EVAL
+  event.action = CASE(
+    event.action IS NOT NULL, event.action,
+    data_stream.dataset == "aws_bedrock_agentcore.runtime_application_logs" AND aws.bedrock_agentcore.operation IS NOT NULL, aws.bedrock_agentcore.operation,
+    data_stream.dataset == "aws_bedrock_agentcore.memory_application_logs" AND aws.bedrock_agentcore.memory.operation_name IS NOT NULL, aws.bedrock_agentcore.memory.operation_name,
+    null
+  )`,
+    },
+    {
+      id: "target",
+      section: "Combined ES|QL \u2014 target fields",
+      esql: `| EVAL
+  service.target.id = CASE(
+    service.target.id IS NOT NULL, service.target.id,
+    data_stream.dataset == "aws_bedrock_agentcore.runtime_application_logs" AND aws.bedrock_agentcore.resource_arn IS NOT NULL, aws.bedrock_agentcore.resource_arn,
+    data_stream.dataset == "aws_bedrock_agentcore.memory_application_logs" AND aws.bedrock_agentcore.memory.resource_arn IS NOT NULL, aws.bedrock_agentcore.memory.resource_arn,
+    null
+  ),
+  service.target.name = CASE(
+    service.target.name IS NOT NULL, service.target.name,
+    data_stream.dataset == "aws_bedrock_agentcore.runtime_application_logs" AND service.name IS NOT NULL, service.name,
+    data_stream.dataset == "aws_bedrock_agentcore.memory_application_logs" AND service.name IS NOT NULL, service.name,
+    null
+  ),
+  entity.target.id = CASE(
+    entity.target.id IS NOT NULL, entity.target.id,
+    data_stream.dataset == "aws_bedrock_agentcore.gateway_application_logs" AND aws.bedrock_agentcore.gateway.target IS NOT NULL, aws.bedrock_agentcore.gateway.target,
+    null
+  )`,
+    },
+  ],
+} as const satisfies IntegrationEvaluations;
@@ -0,0 +1,63 @@
+import type { IntegrationEvaluations } from "./types";
+
+export const aws_cloudtrail_otelEvaluations = {
+  integration: "aws_cloudtrail_otel",
+  evaluations: [
+    {
+      id: "actor",
+      section: "Combined ES|QL \u2014 actor fields",
+      esql: `| EVAL
+  user.id = CASE(
+    user.id IS NOT NULL, user.id,
+    data_stream.dataset == "aws.cloudtrail.otel" AND aws.principal.type IN ("IAMUser", "AssumedRole", "FederatedUser", "Root", "IdentityCenterUser") AND aws.principal.arn IS NOT NULL, aws.principal.arn,
+    null
+  ),
+  user.name = CASE(
+    user.name IS NOT NULL, user.name,
+    data_stream.dataset == "aws.cloudtrail.otel" AND aws.principal.type == "AssumedRole" AND aws.user_identity.session_context.issuer.user_name IS NOT NULL, aws.user_identity.session_context.issuer.user_name,
+    null
+  ),
+  host.ip = CASE(
+    host.ip IS NOT NULL, host.ip,
+    data_stream.dataset == "aws.cloudtrail.otel" AND source.address IS NOT NULL, source.address,
+    null
+  ),
+  service.name = CASE(
+    service.name IS NOT NULL, service.name,
+    data_stream.dataset == "aws.cloudtrail.otel" AND aws.principal.type == "AWSService" AND aws.user_identity.invoked_by IS NOT NULL, aws.user_identity.invoked_by,
+    null
+  )`,
+    },
+    {
+      id: "event_action",
+      section: "Combined ES|QL \u2014 event action",
+      esql: `| EVAL
+  event.action = CASE(
+    event.action IS NOT NULL, event.action,
+    data_stream.dataset == "aws.cloudtrail.otel" AND rpc.method IS NOT NULL, rpc.method,
+    null
+  )`,
+    },
+    {
+      id: "target",
+      section: "Combined ES|QL \u2014 target fields",
+      esql: `| EVAL
+  service.target.name = CASE(
+    service.target.name IS NOT NULL, service.target.name,
+    data_stream.dataset == "aws.cloudtrail.otel" AND rpc.method == "GetCallerIdentity" AND rpc.service IS NOT NULL, rpc.service,
+    data_stream.dataset == "aws.cloudtrail.otel" AND rpc.method IN ("PutObject", "GetObject") AND rpc.service IS NOT NULL, rpc.service,
+    null
+  ),
+  user.target.id = CASE(
+    user.target.id IS NOT NULL, user.target.id,
+    data_stream.dataset == "aws.cloudtrail.otel" AND rpc.method == "AttachUserPolicy" AND aws.request.parameters.userName IS NOT NULL, aws.request.parameters.userName,
+    null
+  ),
+  user.target.name = CASE(
+    user.target.name IS NOT NULL, user.target.name,
+    data_stream.dataset == "aws.cloudtrail.otel" AND rpc.method == "AttachUserPolicy" AND aws.request.parameters.userName IS NOT NULL, aws.request.parameters.userName,
+    null
+  )`,
+    },
+  ],
+} as const satisfies IntegrationEvaluations;
@@ -0,0 +1,75 @@
+import type { IntegrationEvaluations } from "./types";
+
+export const aws_securityhubEvaluations = {
+  integration: "aws_securityhub",
+  evaluations: [
+    {
+      id: "actor",
+      section: "Combined ES|QL \u2014 actor fields",
+      esql: `| EVAL
+  service.id = CASE(
+    service.id IS NOT NULL, service.id,
+    data_stream.dataset == "aws_securityhub.finding", aws_securityhub.finding.metadata.product.uid,
+    null
+  ),
+  service.name = CASE(
+    service.name IS NOT NULL, service.name,
+    data_stream.dataset == "aws_securityhub.finding", aws_securityhub.finding.metadata.product.name,
+    null
+  ),
+  service.type = CASE(
+    service.type IS NOT NULL, service.type,
+    data_stream.dataset == "aws_securityhub.finding", "service",
+    null
+  )`,
+    },
+    {
+      id: "target",
+      section: "Combined ES|QL \u2014 target fields",
+      esql: `| EVAL
+  host.target.id = CASE(
+    host.target.id IS NOT NULL, host.target.id,
+    data_stream.dataset == "aws_securityhub.finding" AND resource.type == "AWS::EC2::Instance", host.id,
+    null
+  ),
+  host.target.name = CASE(
+    host.target.name IS NOT NULL, host.target.name,
+    data_stream.dataset == "aws_securityhub.finding" AND resource.type == "AWS::EC2::Instance", host.name,
+    null
+  ),
+  host.target.ip = CASE(
+    host.target.ip IS NOT NULL, host.target.ip,
+    data_stream.dataset == "aws_securityhub.finding" AND resource.type == "AWS::EC2::Instance", host.ip,
+    null
+  ),
+  service.target.id = CASE(
+    service.target.id IS NOT NULL, service.target.id,
+    data_stream.dataset == "aws_securityhub.finding" AND resource.type == "AWS::Lambda::Function", resource.id,
+    null
+  ),
+  user.target.id = CASE(
+    user.target.id IS NOT NULL, user.target.id,
+    data_stream.dataset == "aws_securityhub.finding" AND resource.type == "AWS::IAM::User", user.id,
+    null
+  ),
+  entity.target.id = CASE(
+    entity.target.id IS NOT NULL, entity.target.id,
+    data_stream.dataset == "aws_securityhub.finding"
+      AND resource.type != "AWS::EC2::Instance"
+      AND resource.type != "AWS::Lambda::Function"
+      AND resource.type != "AWS::IAM::User", resource.id,
+    null
+  ),
+  entity.target.type = CASE(
+    entity.target.type IS NOT NULL, entity.target.type,
+    data_stream.dataset == "aws_securityhub.finding", resource.type,
+    null
+  ),
+  entity.target.sub_type = CASE(
+    entity.target.sub_type IS NOT NULL, entity.target.sub_type,
+    data_stream.dataset == "aws_securityhub.finding", "cloud_resource",
+    null
+  )`,
+    },
+  ],
+} as const satisfies IntegrationEvaluations;
@@ -0,0 +1,76 @@
+import type { IntegrationEvaluations } from "./types";
+
+export const aws_vpcflow_otelEvaluations = {
+  integration: "aws_vpcflow_otel",
+  evaluations: [
+    {
+      id: "detection_flags",
+      section: "Detection flags (mandatory \u2014 run first)",
+      esql: `| EVAL
+  actor_exists = host.id IS NOT NULL OR host.ip IS NOT NULL OR host.name IS NOT NULL
+    OR service.id IS NOT NULL OR service.name IS NOT NULL
+    OR entity.id IS NOT NULL OR entity.name IS NOT NULL,
+  target_exists = host.target.id IS NOT NULL OR host.target.ip IS NOT NULL OR host.target.name IS NOT NULL
+    OR service.target.id IS NOT NULL OR service.target.name IS NOT NULL
+    OR entity.target.id IS NOT NULL OR entity.target.name IS NOT NULL,
+  action_exists = event.action IS NOT NULL`,
+    },
+    {
+      id: "optional_classification",
+      section: "Optional classification helpers (when needed)",
+      esql: `| EVAL
+  entity.target.type = CASE(
+    entity.target.type IS NOT NULL, entity.target.type,
+    data_stream.dataset == "aws.vpcflow.otel" AND aws.vpc.flow.destination.service IS NOT NULL, "service",
+    data_stream.dataset == "aws.vpcflow.otel", "host",
+    null
+  )`,
+    },
+    {
+      id: "actor",
+      section: "Combined ES|QL \u2014 actor fields",
+      esql: `| EVAL
+  host.ip = CASE(
+    host.ip IS NOT NULL, host.ip,
+    data_stream.dataset == "aws.vpcflow.otel" AND source.address IS NOT NULL, source.address,
+    null
+  ),
+  host.name = CASE(
+    host.name IS NOT NULL, host.name,
+    data_stream.dataset == "aws.vpcflow.otel" AND source.address IS NOT NULL, source.address,
+    null
+  )`,
+    },
+    {
+      id: "event_action",
+      section: "Combined ES|QL \u2014 event action",
+      esql: `| EVAL
+  event.action = CASE(
+    event.action IS NOT NULL, event.action,
+    data_stream.dataset == "aws.vpcflow.otel" AND aws.vpc.flow.action IS NOT NULL, aws.vpc.flow.action,
+    null
+  )`,
+    },
+    {
+      id: "target",
+      section: "Combined ES|QL \u2014 target fields",
+      esql: `| EVAL
+  host.target.ip = CASE(
+    host.target.ip IS NOT NULL, host.target.ip,
+    data_stream.dataset == "aws.vpcflow.otel" AND destination.address IS NOT NULL, destination.address,
+    null
+  ),
+  host.target.name = CASE(
+    host.target.name IS NOT NULL, host.target.name,
+    data_stream.dataset == "aws.vpcflow.otel" AND destination.address IS NOT NULL, destination.address,
+    null
+  ),
+  service.target.name = CASE(
+    service.target.name IS NOT NULL, service.target.name,
+    data_stream.dataset == "aws.vpcflow.otel" AND aws.vpc.flow.destination.service IS NOT NULL, aws.vpc.flow.destination.service,
+    data_stream.dataset == "aws.vpcflow.otel" AND network.protocol.name IS NOT NULL, network.protocol.name,
+    null
+  )`,
+    },
+  ],
+} as const satisfies IntegrationEvaluations;