[Filebeat][zeek] Add mappings for x509 fields in kerberos (#20958)

* Add mappings for x509 fields in kerberos

* Add changelog entry

* Do gsub in place

CHANGELOG.next.asciidoc

@@ -555,6 +555,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Convert httpjson to v2 input {pull}20226[20226]
 - Improve Zeek x509 module with `x509` ECS mappings {pull}20867[20867]
 - Improve Zeek SSL module with `x509` ECS mappings {pull}20927[20927]
+- Improve Zeek Kerberos module with `x509` ECS mappings {pull}20958[20958]
 
 *Heartbeat*
 

x-pack/filebeat/module/zeek/kerberos/ingest/pipeline.yml

@@ -87,6 +87,82 @@ processors:
     field: related.user
     value: "{{user.name}}"
     if: "ctx?.user?.name != null"
+- gsub:
+    field: zeek.kerberos.cert.client.subject
+    pattern: \\,
+    replacement: ""
+    ignore_missing: true
+- kv:
+    field: zeek.kerberos.cert.client.subject
+    field_split: ','
+    value_split: '='
+    target_field: zeek.kerberos.cert.client.kv_sub
+    ignore_missing: true
+- rename:
+    field: zeek.kerberos.cert.client.kv_sub.C
+    target_field: tls.client.x509.subject.country
+    ignore_missing: true
+- rename:
+    field: zeek.kerberos.cert.client.kv_sub.CN
+    target_field: tls.client.x509.subject.common_name
+    ignore_missing: true
+- rename:
+    field: zeek.kerberos.cert.client.kv_sub.L
+    target_field: tls.client.x509.subject.locality
+    ignore_missing: true
+- rename:
+    field: zeek.kerberos.cert.client.kv_sub.O
+    target_field: tls.client.x509.subject.organization
+    ignore_missing: true
+- rename:
+    field: zeek.kerberos.cert.client.kv_sub.OU
+    target_field: tls.client.x509.subject.organizational_unit
+    ignore_missing: true
+- rename:
+    field: zeek.kerberos.cert.client.kv_sub.ST
+    target_field: tls.client.x509.subject.state_or_province
+    ignore_missing: true
+- remove:
+    field: zeek.kerberos.cert.client.kv_sub
+    ignore_missing: true
+- gsub:
+    field: zeek.kerberos.cert.server.subject
+    pattern: \\,
+    replacement: ""
+    ignore_missing: true
+- kv:
+    field: zeek.kerberos.cert.server.subject
+    field_split: ','
+    value_split: '='
+    target_field: zeek.kerberos.cert.server.kv_sub
+    ignore_missing: true
+- rename:
+    field: zeek.kerberos.cert.server.kv_sub.C
+    target_field: tls.server.x509.subject.country
+    ignore_missing: true
+- rename:
+    field: zeek.kerberos.cert.server.kv_sub.CN
+    target_field: tls.server.x509.subject.common_name
+    ignore_missing: true
+- rename:
+    field: zeek.kerberos.cert.server.kv_sub.L
+    target_field: tls.server.x509.subject.locality
+    ignore_missing: true
+- rename:
+    field: zeek.kerberos.cert.server.kv_sub.O
+    target_field: tls.server.x509.subject.organization
+    ignore_missing: true
+- rename:
+    field: zeek.kerberos.cert.server.kv_sub.OU
+    target_field: tls.server.x509.subject.organizational_unit
+    ignore_missing: true
+- rename:
+    field: zeek.kerberos.cert.server.kv_sub.ST
+    target_field: tls.server.x509.subject.state_or_province
+    ignore_missing: true
+- remove:
+    field: zeek.kerberos.cert.server.kv_sub
+    ignore_missing: true
 on_failure:
 - set:
     field: error.message

x-pack/filebeat/module/zeek/kerberos/test/kerberos-json.log

@@ -1 +1 @@
-{"ts":1507565599.590346,"uid":"C56Flhb4WQBNkfMOl","id.orig_h":"192.168.10.31","id.orig_p":49242,"id.resp_h":"192.168.10.10","id.resp_p":88,"request_type":"TGS","client":"RonHD/CONTOSO.LOCAL","service":"HOST/admin-pc","success":true,"till":2136422885.0,"cipher":"aes256-cts-hmac-sha1-96","forwardable":true,"renewable":true}
+{"ts":1507565599.590346,"uid":"C56Flhb4WQBNkfMOl","id.orig_h":"192.168.10.31","id.orig_p":49242,"id.resp_h":"192.168.10.10","id.resp_p":88,"request_type":"TGS","client":"RonHD/CONTOSO.LOCAL","service":"HOST/admin-pc","success":true,"till":2136422885.0,"cipher":"aes256-cts-hmac-sha1-96","forwardable":true,"renewable":true,"cert.client_subject":"CN=*.gcp.cloud.es.io,O=Elasticsearch\u005c, Inc.,L=Mountain View,ST=California,C=US","cert.server_subject":"CN=*.gcp.cloud.es.io,O=Elasticsearch\u005c, Inc.,L=Mountain View,ST=California,C=US"}

x-pack/filebeat/module/zeek/kerberos/test/kerberos-json.log-expected.json

@@ -40,8 +40,20 @@
         "tags": [
             "zeek.kerberos"
         ],
+        "tls.client.x509.subject.common_name": "*.gcp.cloud.es.io",
+        "tls.client.x509.subject.country": "US",
+        "tls.client.x509.subject.locality": "Mountain View",
+        "tls.client.x509.subject.organization": "Elasticsearch Inc.",
+        "tls.client.x509.subject.state_or_province": "California",
+        "tls.server.x509.subject.common_name": "*.gcp.cloud.es.io",
+        "tls.server.x509.subject.country": "US",
+        "tls.server.x509.subject.locality": "Mountain View",
+        "tls.server.x509.subject.organization": "Elasticsearch Inc.",
+        "tls.server.x509.subject.state_or_province": "California",
         "user.domain": "CONTOSO.LOCAL",
         "user.name": "RonHD",
+        "zeek.kerberos.cert.client.subject": "CN=*.gcp.cloud.es.io,O=Elasticsearch Inc.,L=Mountain View,ST=California,C=US",
+        "zeek.kerberos.cert.server.subject": "CN=*.gcp.cloud.es.io,O=Elasticsearch Inc.,L=Mountain View,ST=California,C=US",
         "zeek.kerberos.cipher": "aes256-cts-hmac-sha1-96",
         "zeek.kerberos.client": "RonHD/CONTOSO.LOCAL",
         "zeek.kerberos.forwardable": true,