Uploading findings from a file

Opus supports adding uploading findings in several formats, and custom format as a CSV

To upload findings from a custom CSV file into Opus you'll need to have it formatted with specific fields to match the fields in Opus to allow Opus to map the findings and enrich them.

Uploading file:

1. Navigate to Risks:

  • On the top right hand side click Import

  • In the first drop-down list select "Custom Finding Source"

  • Under the "finding sources" section, click on "Custom finding source". and select Generic CSV

  • Browse or drag & drop a single file of your choice (up to 30MB) and click Import

📘

See the Next Section related to the possibilities data fields and their mapping

Data Scheme for Ingestion:

The following Shema described mandatory fields and their usage within Opus

Schema Attribute Breakdown

FieldTypeValueDescription
typeStringType of the eventActs as the rule generator of the finding. Group by risk is grouped around this value.
externalIdString Unique id of the findingImportant for resolving existing findings in Opus and for avoiding creating duplications.
titleStringTitle for finding pageThe title of the finding
descriptionStringDescription for finding pageThe description of the finding
createdAtdatetimeCreation date of the issue on the finding source.

2024-01-30T13:12:06.729Z
The finding detection time
resourceIdStringUnique id of the resource (e.g., Aws ARN, Azure URI, Gcp Id, Hostname)Important for cloud to code purposes, ensure to provide the exact vendor id. For code, provide the code path.
resourceNameStringName of the resourceName of the resource
resourceTypeStringType of the resource (e.g., AwsEc2Instance, AzureVm...)Flexible value, logos are loaded according to Opus reserved types (See below for a complete list of Resource Types)
severityEnumSeverity of the issue - Informational, Low, Medium, High, CriticalProvides the sensor score as an input for the risk score computation.
cloudProviderStringProvider of the issue (e.g., AWS, AZURE, GCP, Github, GitLab, On-Premises)Cloud or code provider vendor
findingSourceStringSource of the finding (e.g., Orca, Wiz, Snyk)Your desired source name, with the ability to filter by it.
workspaceIdStringCloud account unique id (e.g., Aws account id, Azure subscription id, Gcp project id, Github/Gitlab repo id)Used for matching the finding to the proper workspace and for the correct Business Unit/service.
categoryStringCategory of the finding (e.g., Vulnerabilities, Code Vulnerability, Data Protection...)Flexible text, with the ability to filter by it.
externalStatusEnumExternal status on finding source (Open, Suppress, Resolved)Incase finding with the same externalId exist in Opus with externalStatus Resolved the finding is resolved in Opus.
layerEnumDetection layer of the finding (e.g., Runtime, Artifact, Code, On-Premises)Detection layer of the finding.
findingTypeEnumType of the finding (e.g Secrets, SCA, SAST, IAC Security, Container Vulnerability, Cloud Vulnerability, On-Premises Vulnerability,
Cloud Misconfiguration, Web Application Vulnerability)
Type of the finding.

Example #1 - Cloud Layer

"type","title","description","createdAt","resourceId","resourceName","resourceType","severity","cloudProvider","findingSource","workspaceId","category","externalId","externalStatus","layer","findingType","resourceTags__Owner","resourceTags__Env"
"standards/aws-foundational-security-best-practices/v/1.0.0/S3.2","S3 buckets allow public read access","This AWS control checks whether your S3 buckets allow public read access by evaluating the Block Public Access settings, the bucket policy, and the bucket access control list (ACL).","2023-09-10T11:25:53.000Z","arn:aws:s3:::802256041567-bucket-8","bucket-8","AwsS3Bucket","HIGH","AWS","MySourceName","802256041567","Data Protection","arn:aws:securityhub:us-east-1:802256041567:security-control/S3.2/finding/80225604156701","Open","Runtime","Cloud Misconfiguration","[[email protected]](mailto:[email protected])","Dev"

Example #2 - Code Layer

"type","title","description","createdAt","resourceId","resourceName","resourceType","severity","cloudProvider","workspaceId","findingSource","externalId","externalStatus","category","layer","findingType"
"aws_access_key_id","Possibly active secret","Possibly active secret\nPath: terraform/aws/ec22.tf\nStart line: 15\nEnd line: 15 \n Blob SHA: 4e7b92c3e89b5e7229a208379fc465b03749ec6c\nCommit SHA: 1e25f4212a1c4e176bb122531a7ebd5969815367\nRepository Info: \nname: OpusSecurityLab/terragoat","2024-01-09T15:13:31Z","OpusSecurityLab/terragoat/terraform/aws/ec22.tf","terraform/aws/ec22.tf","CodeFile","MEDIUM","Github","OpusSecurityLab/terragoat","Github Advanced Security","2","Open","Secerts","Code","Code Vulnerability"

Update Finding Status

Opus provides the functionality to synchronize the finding status with changes occurring in the external source. By uploading an update event to Opus, and adjusting the externalStatus field to the value 'Resolved', the status within Opus will be updated to reflect this change.

Example 3- Resolved Status Update

"type","title","description","createdAt","resourceId","resourceName","resourceType","severity","cloudProvider","findingSource","workspaceId","category","externalId","externalStatus","layer","findingType","resourceTags__Owner","resourceTags__Env"
"standards/aws-foundational-security-best-practices/v/1.0.0/S3.2","S3 buckets allow public read access","This AWS control checks whether your S3 buckets allow public read access by evaluating the Block Public Access settings, the bucket policy, and the bucket access control list (ACL).","2023-09-10T11:25:53.000Z","arn:aws:s3:::802256041567-bucket-8","bucket-8","AwsS3Bucket","HIGH","AWS","MySourceName","802256041567","Data Protection","arn:aws:securityhub:us-east-1:802256041567:security-control/S3.2/finding/80225604156701","Resolved","Runtime","Cloud Misconfiguration","[[email protected]](mailto:[email protected])","Dev"

.

Supported Rescource Types
AccessRoleBinding
AwsAccount
AwsAsg
AwsAthenaWorkGroup
AwsAutoScalingAutoScalingGroup
AwsAutoScalingGroup
AwsCertificate
AwsCloudFormationStack
AwsCloudFront
AwsCloudTrail
AwsCloudTrailTrail
AwsEc2EbsSnapshot
AwsEc2EbsVolume
AwsEc2ElasticIpAddress
AwsEc2Elb
AwsEc2Elbv2
AwsEc2Instance
AwsEc2LaunchTemplate
AwsEc2NetworkAcl
AwsEc2NetworkInterface
AwsEc2SecurityGroup
AwsEc2Snapshot
AwsEc2Subnet
AwsEc2Volume
AwsEc2Vpc
AwsEc2VpcEndpoint
AwsEcrContainerImage
AwsEcrRepository
AwsEcsCluster
AwsEcsContainerInstance
AwsEcsService
AwsEcsTaskDefinition
AwsEfsAccessPoint
AwsEfsFileSystem
AwsEksCluster
AwsEksNodegroup
AwsElbv2LoadBalancer
AwsGlueDataCatalog
AwsIamAccessKey
AwsIamGroup
AwsIamManagedPolicy
AwsIamPasswordPolicy
AwsIamPolicy
AwsIamRole
AWSIAMRole
AwsIamUser
AwsKmsKey
AwsLambdaFunction
AwsRdsDbCluster
AwsRdsDbClusterSnapshot
AwsRdsDbInstance
AwsRdsDbInstanceGabay
AwsRdsDbInstanceSnapshot
AwsRdsDbSnapshot
AwsRegion
AwsRoute53HostedZone
AwsS3Bucket
AwsSecretsManagerSecret
AwsSnsSubscription
AwsSnsTopic
AwsSqsQueue
AwsSsmAssociationCompliance
AwsSubnet
AwsSystemsManagerParameter
AwsUser
AwsVpc
AzureAcrContainerImage
AzureAcrImage
AzureComputeVm
AzureContainerRegistry
AzureDisk
AzureFunction
AzureNetworkInterface
AzureNetworkSecurityGroup
AzureNetworkSecurityGroupRule
AzureNetworkWatcher
AzurePostgresDbServer
AzureRoleAssignment
AzureSotrageAccount
AzureSqlDbServer
AzureStorageAccount
AzureStorageContainer
AzureSubscription
AzureUser
AzureVNet
AzureWebAppService
CloudFormationFile
CodeFile
Container
Dockerfile
GcpGcrContainerImage
GcpGcrImage
GcpIamServiceAccount
GcpNewDomain
GcpSqlInstance
GcpStorageBucket
GcpSubnet
GcpVmInstance
GcpVpc
GcpVpcSubnet
PackageManager
TerraformFile
URL
WorkStation