[Filebeat] Update event categorization for configuration events for a…

…uditd, gsuite, o365, and zoom (#23010)

* [Filebeat] Update event categorization for configuration events for auditd, gsuite, o365, and zoom

* Update bad AppendTo

* Update changelog

* Convert processor to painless

CHANGELOG.next.asciidoc

@@ -747,6 +747,10 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add configuration option to set external and internal networks for panw panos fileset {pull}22998[22998]
 - Add subdomain enrichment for suricata/eve fileset. {pull}23011[23011]
 - Add subdomain enrichment for zeek/dns fileset. {pull}23011[23011]
+- Add `event.category` "configuration" to auditd module events. {pull}23010[23010]
+- Add `event.category` "configuration" to gsuite module events. {pull}23010[23010]
+- Add `event.category` "configuration" to o365 module events. {pull}23010[23010]
+- Add `event.category` "configuration" to zoom module events. {pull}23010[23010]
 
 *Heartbeat*
 

filebeat/module/auditd/log/ingest/pipeline.yml

@@ -176,30 +176,86 @@ processors:
 - set:
     field: event.kind
     value: event
-- set:
-    if: "ctx.auditd.log?.record_type == 'USER_AUTH'"
-    field: event.category
-    value: authentication
-- set:
-    if: "ctx.auditd.log?.record_type == 'USER_AUTH'"
-    field: event.type
-    value: info
-- set:
-    if: "ctx.auditd.log?.record_type == 'KERN_MODULE'"
-    field: event.category
-    value: driver
-- set:
-    if: "ctx.auditd.log?.record_type == 'KERN_MODULE'"
-    field: event.type
-    value: info
-- set:
-    if: "ctx.auditd.log?.record_type == 'SOFTWARE_UPDATE'"
-    field: event.category
-    value: package
-- set:
-    if: "ctx.auditd.log?.record_type == 'SOFTWARE_UPDATE'"
-    field: event.type
-    value: info
+- script:
+    lang: painless
+    ignore_failure: true
+    params:
+      CONFIG_CHANGE:
+        category:
+          - configuration
+        type:
+          - change
+      DAEMON_CONFIG:
+        category:
+          - configuration
+        type:
+          - change
+      DAEMON_RECONFIG:
+        category:
+          - configuration
+        type:
+          - info
+      USYS_CONFIG:
+        category:
+          - configuration
+        type:
+          - change
+      NETFILTER_CFG:
+        category:
+          - configuration
+        type:
+          - change
+      FEATURE_CHANGE:
+        category:
+          - configuration
+        type:
+          - change
+      MAC_CONFIG_CHANGE:
+        category:
+          - configuration
+        type:
+          - change
+      MAC_POLICY_LOAD:
+        category:
+          - configuration
+        type:
+          - access
+      MAC_STATUS:
+        category:
+          - configuration
+        type:
+          - change
+      USER_MAC_CONFIG_CHANGE:
+        category:
+          - configuration
+        type:
+          - change
+      USER_MAC_POLICY_LOAD:
+        category:
+          - configuration
+        type:
+          - access
+      USER_AUTH:
+        category:
+          - authentication
+        type:
+          - info
+      KERN_MODULE:
+        category:
+          - driver
+        type:
+          - info
+      SOFTWARE_UPDATE:
+        category:
+          - package
+        type:
+          - info
+    source: >-
+      if (ctx?.auditd?.log.record_type == null) {
+        return;
+      }
+      def hm = new HashMap(params.get(ctx.auditd.log.record_type));
+      hm.forEach((k, v) -> ctx.event[k] = v);
 - set:
     if: "ctx.auditd.log?.record_type == 'SYSTEM_BOOT' || ctx.auditd.log?.record_type == 'SYSTEM_SHUTDOWN'"
     field: event.category

filebeat/module/auditd/log/test/audit-cent7-node.log-expected.json

@@ -31,10 +31,16 @@
         "auditd.log.ses": "4294967295",
         "auditd.log.subj": "system_u:system_r:unconfined_service_t:s0",
         "event.action": "config_change",
+        "event.category": [
+            "configuration"
+        ],
         "event.dataset": "auditd.log",
         "event.kind": "event",
         "event.module": "auditd",
         "event.outcome": "1",
+        "event.type": [
+            "change"
+        ],
         "fileset.name": "log",
         "input.type": "log",
         "log.offset": 234,
@@ -50,10 +56,16 @@
         "auditd.log.ses": "4294967295",
         "auditd.log.subj": "system_u:system_r:unconfined_service_t:s0",
         "event.action": "config_change",
+        "event.category": [
+            "configuration"
+        ],
         "event.dataset": "auditd.log",
         "event.kind": "event",
         "event.module": "auditd",
         "event.outcome": "1",
+        "event.type": [
+            "change"
+        ],
         "fileset.name": "log",
         "input.type": "log",
         "log.offset": 425,

filebeat/module/auditd/log/test/audit-rhel6.log-expected.json

@@ -222,12 +222,16 @@
         "auditd.log.sequence": 19623789,
         "auditd.log.ses": "6793",
         "event.action": "user_auth",
-        "event.category": "authentication",
+        "event.category": [
+            "authentication"
+        ],
         "event.dataset": "auditd.log",
         "event.kind": "event",
         "event.module": "auditd",
         "event.outcome": "success",
-        "event.type": "info",
+        "event.type": [
+            "info"
+        ],
         "fileset.name": "log",
         "input.type": "log",
         "log.offset": 1926,
@@ -257,12 +261,16 @@
         "auditd.log.sequence": 19623807,
         "auditd.log.ses": "12286",
         "event.action": "user_auth",
-        "event.category": "authentication",
+        "event.category": [
+            "authentication"
+        ],
         "event.dataset": "auditd.log",
         "event.kind": "event",
         "event.module": "auditd",
         "event.outcome": "success",
-        "event.type": "info",
+        "event.type": [
+            "info"
+        ],
         "fileset.name": "log",
         "input.type": "log",
         "log.offset": 2122,