Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Filebeat] Improve AWS cloudtrail field mappings #17155

Merged
merged 3 commits into from
Mar 23, 2020
Merged

[Filebeat] Improve AWS cloudtrail field mappings #17155

merged 3 commits into from
Mar 23, 2020

Conversation

leehinman
Copy link
Contributor

@leehinman leehinman commented Mar 20, 2020
edited by zube bot
Loading

  • sessionIssuer.type -> aws.cloudtrail.user_identity.session_issuer.type
  • sessionIssuer.principalId -> aws.cloudtrail.user_identity.session_issuer.principal_id
  • sessionIssuer.userName -> user.name
  • sessionIssuer.arn -> aws.cloudtrail.user_identity.session_issuer.arn
  • sessionIssuer.accountId -> aws.cloudtrail.user_identity.session_issuer.account_id
  • add aws.cloudtrail.console_login.additional_eventdata.mobile_version
  • add aws.cloudtrail.console_login.additional_eventdata.login_to
  • add aws.cloudtrail.console_login.additional_eventdata.mfa_used
  • copy source.address to source.ip if value is an IP address

Closes #16086
Closes #16110

What does this PR do?

  • Adds session Issuer information when assumed roles are used
  • Adds specific fields when ConsoleLogin events
  • sets source.ip

Why is it important?

  • Session Issuer is needed for assumed roles
  • ConsoleLogin information is needed to easily determine if MFA was used
  • source.ip should be set when source .address is an IP address

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
    - [] I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works

@leehinman leehinman added enhancement Filebeat Filebeat needs_backport PR is waiting to be backported to other branches. Team:SIEM labels Mar 20, 2020
@elasticmachine
Copy link
Collaborator

Pinging @elastic/siem (Team:SIEM)

@leehinman
Improve AWS cloudtrail field mappings
700b457 
- sessionIssuer.type -> aws.cloudtrail.user_identity.session_issuer.type
- sessionIssuer.principalId -> aws.cloudtrail.user_identity.session_issuer.principal_id
- sessionIssuer.userName -> user.name
- sessionIssuer.arn -> aws.cloudtrail.user_identity.session_issuer.arn
- sessionIssuer.accountId -> aws.cloudtrail.user_identity.session_issuer.account_id
- add aws.cloudtrail.console_login.additional_eventdata.mobile_version
- add aws.cloudtrail.console_login.additional_eventdata.login_to
- add aws.cloudtrail.console_login.additional_eventdata.mfa_used
- copy source.address to source.ip if value is an IP address

Closes elastic#16086
Closes elastic#16110
adriansr
adriansr approved these changes Mar 23, 2020
View reviewed changes
Copy link
Contributor

@adriansr adriansr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a minor comment, feel free to merge if not an issue.

x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml
ignore_failure: true
- rename:
field: "json.userIdentity.sessionIssuer.userName"
target_field: "user.name"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a chance this overwrites user.name already set from userIdentity.userName earlier in the pipeline? Is this what we want?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was worried about that too, I'll add a comment. sessionIssuer.userName should only be set when there is an assumed role.

@leehinman leehinman merged commit 57e194b into elastic:master Mar 23, 2020
@leehinman leehinman mentioned this pull request Mar 23, 2020
Merged
4 tasks
leehinman added a commit to leehinman/beats that referenced this pull request Mar 23, 2020
@leehinman
[Filebeat] Improve AWS cloudtrail field mappings (elastic#17155)
0edd90d 
* Improve AWS cloudtrail field mappings

- sessionIssuer.type -> aws.cloudtrail.user_identity.session_issuer.type
- sessionIssuer.principalId -> aws.cloudtrail.user_identity.session_issuer.principal_id
- sessionIssuer.userName -> user.name
- sessionIssuer.arn -> aws.cloudtrail.user_identity.session_issuer.arn
- sessionIssuer.accountId -> aws.cloudtrail.user_identity.session_issuer.account_id
- add aws.cloudtrail.console_login.additional_eventdata.mobile_version
- add aws.cloudtrail.console_login.additional_eventdata.login_to
- add aws.cloudtrail.console_login.additional_eventdata.mfa_used
- copy source.address to source.ip if value is an IP address

Closes elastic#16086
Closes elastic#16110

(cherry picked from commit 57e194b)
@leehinman leehinman added v7.7.0 and removed needs_backport PR is waiting to be backported to other branches. labels Mar 23, 2020
leehinman added a commit that referenced this pull request Mar 23, 2020
@leehinman
[Filebeat] Improve AWS cloudtrail field mappings (#17155) (#17187)
6a40f4b 
* Improve AWS cloudtrail field mappings

- sessionIssuer.type -> aws.cloudtrail.user_identity.session_issuer.type
- sessionIssuer.principalId -> aws.cloudtrail.user_identity.session_issuer.principal_id
- sessionIssuer.userName -> user.name
- sessionIssuer.arn -> aws.cloudtrail.user_identity.session_issuer.arn
- sessionIssuer.accountId -> aws.cloudtrail.user_identity.session_issuer.account_id
- add aws.cloudtrail.console_login.additional_eventdata.mobile_version
- add aws.cloudtrail.console_login.additional_eventdata.login_to
- add aws.cloudtrail.console_login.additional_eventdata.mfa_used
- copy source.address to source.ip if value is an IP address

Closes #16086
Closes #16110

(cherry picked from commit 57e194b)
@leehinman leehinman deleted the 16086_16110_cloudtrail branch March 23, 2020 21:10
@ynirk ynirk mentioned this pull request Jun 2, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@adriansr adriansr adriansr approved these changes

Assignees
No one assigned
Labels
enhancement Filebeat Filebeat v7.7.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Filebeat]Cloudtrail: parse consoleLogin additional data [Filebeat] Add session issuer to cloudtrail fields
3 participants
@leehinman @elasticmachine @adriansr