
[Filebeat] Improve AWS cloudtrail field mappings #17155

Merged: 3 commits, Mar 23, 2020

Conversation

leehinman
Contributor

@leehinman leehinman commented Mar 20, 2020

  • sessionIssuer.type -> aws.cloudtrail.user_identity.session_issuer.type
  • sessionIssuer.principalId -> aws.cloudtrail.user_identity.session_issuer.principal_id
  • sessionIssuer.userName -> user.name
  • sessionIssuer.arn -> aws.cloudtrail.user_identity.session_issuer.arn
  • sessionIssuer.accountId -> aws.cloudtrail.user_identity.session_issuer.account_id
  • add aws.cloudtrail.console_login.additional_eventdata.mobile_version
  • add aws.cloudtrail.console_login.additional_eventdata.login_to
  • add aws.cloudtrail.console_login.additional_eventdata.mfa_used
  • copy source.address to source.ip if value is an IP address

Closes #16086
Closes #16110

What does this PR do?

  • Adds session Issuer information when assumed roles are used
  • Adds specific fields for ConsoleLogin events
  • Sets source.ip

Why is it important?

  • Session Issuer is needed for assumed roles
  • ConsoleLogin information is needed to easily determine if MFA was used
  • source.ip should be set when source.address is an IP address

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
    - [ ] I have made corresponding changes to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works

@leehinman leehinman added enhancement Filebeat Filebeat needs_backport PR is waiting to be backported to other branches. Team:SIEM labels Mar 20, 2020
@elasticmachine
Collaborator

Pinging @elastic/siem (Team:SIEM)

- sessionIssuer.type -> aws.cloudtrail.user_identity.session_issuer.type
- sessionIssuer.principalId -> aws.cloudtrail.user_identity.session_issuer.principal_id
- sessionIssuer.userName -> user.name
- sessionIssuer.arn -> aws.cloudtrail.user_identity.session_issuer.arn
- sessionIssuer.accountId -> aws.cloudtrail.user_identity.session_issuer.account_id
- add aws.cloudtrail.console_login.additional_eventdata.mobile_version
- add aws.cloudtrail.console_login.additional_eventdata.login_to
- add aws.cloudtrail.console_login.additional_eventdata.mfa_used
- copy source.address to source.ip if value is an IP address

Closes elastic#16086
Closes elastic#16110
@leehinman leehinman force-pushed the 16086_16110_cloudtrail branch from 275cd7d to 700b457 Compare March 20, 2020 16:06
Contributor

@adriansr adriansr left a comment


Just a minor comment, feel free to merge if not an issue.

ignore_failure: true
- rename:
field: "json.userIdentity.sessionIssuer.userName"
target_field: "user.name"
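Review bot: worth checking what the `rename` to `target_field: "user.name"` does when `user.name` was already populated from `userIdentity.userName` earlier in the pipeline. The Elasticsearch rename processor raises an error when the target field already exists, so the outcome depends on whether this processor itself carries `ignore_failure: true` (the one shown on the preceding line belongs to the previous processor): with it, the earlier value wins silently and the session-issuer name is dropped; without it, the whole document fails. Either way the precedence should be explicit, e.g. an `if` condition on the processor (`if: ctx.json?.userIdentity?.type == 'AssumedRole'`, assuming the raw event is kept under `json`) plus a comment recording that sessionIssuer.userName is only present for assumed-role sessions.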
Contributor


Is there a chance this overwrites user.name already set from userIdentity.userName earlier in the pipeline? Is this what we want?

Contributor Author


I was worried about that too, I'll add a comment. sessionIssuer.userName should only be set when there is an assumed role.
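The mappings listed in the PR description and the user.name precedence question raised in the review above, modelled as a stand-alone Python function. This is an added example, not Filebeat's ingest pipeline or the author's code. It assumes CloudTrail's native record layout (the session issuer under `userIdentity.sessionContext.sessionIssuer`, ConsoleLogin extras under `additionalEventData` with the keys `MFAUsed`, `LoginTo` and `MobileVersion`, the caller address in `sourceIPAddress`), and it resolves the overwrite question by letting a direct `userIdentity.userName` win over the session-issuer name, which is one possible policy rather than what the merged pipeline does.

```python
"""Model of the CloudTrail -> ECS field mappings from the PR description.

Added example, not Filebeat code. Assumptions (not stated in the PR):
  * raw events use CloudTrail's native layout, with the session issuer
    under userIdentity.sessionContext.sessionIssuer;
  * ConsoleLogin extras are under additionalEventData as MFAUsed,
    LoginTo and MobileVersion;
  * a direct userIdentity.userName takes precedence over
    sessionIssuer.userName when both are present.
"""
import ipaddress
import json
from typing import Any, Dict, Optional

# Mappings as listed in the PR description: CloudTrail key -> target field.
SESSION_ISSUER_MAP = {
    "type": "aws.cloudtrail.user_identity.session_issuer.type",
    "principalId": "aws.cloudtrail.user_identity.session_issuer.principal_id",
    "arn": "aws.cloudtrail.user_identity.session_issuer.arn",
    "accountId": "aws.cloudtrail.user_identity.session_issuer.account_id",
}
CONSOLE_LOGIN_MAP = {
    "MobileVersion": "aws.cloudtrail.console_login.additional_eventdata.mobile_version",
    "LoginTo": "aws.cloudtrail.console_login.additional_eventdata.login_to",
    "MFAUsed": "aws.cloudtrail.console_login.additional_eventdata.mfa_used",
}


def _get(obj: Any, path: str) -> Optional[Any]:
    """Walk a dotted path through nested dicts; None if any hop is missing."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def map_event(raw: Dict[str, Any]) -> Dict[str, Any]:
    """Return a flat dict of target fields derived from one CloudTrail record."""
    out: Dict[str, Any] = {}
    identity = raw.get("userIdentity") or {}

    # IAM user or root: user.name comes straight from userIdentity.userName.
    if identity.get("userName"):
        out["user.name"] = identity["userName"]

    # Assumed role: sessionIssuer describes the role that issued the session.
    # Its userName only fills user.name when no direct name was set, so an
    # earlier value is never silently overwritten (assumed precedence).
    issuer = _get(identity, "sessionContext.sessionIssuer")
    if isinstance(issuer, dict):
        for src, dst in SESSION_ISSUER_MAP.items():
            if src in issuer:
                out[dst] = issuer[src]
        if issuer.get("userName") and "user.name" not in out:
            out["user.name"] = issuer["userName"]

    # ConsoleLogin extras are only meaningful for that event name.
    if raw.get("eventName") == "ConsoleLogin":
        extra = raw.get("additionalEventData") or {}
        for src, dst in CONSOLE_LOGIN_MAP.items():
            if src in extra:
                out[dst] = extra[src]

    # source.address always keeps the raw value; source.ip is set only when
    # it parses, because sourceIPAddress can also hold a service name such
    # as "AWS Internal" or "cloudtrail.amazonaws.com".
    addr = raw.get("sourceIPAddress")
    if addr:
        out["source.address"] = addr
        try:
            out["source.ip"] = str(ipaddress.ip_address(addr))
        except ValueError:
            pass
    return out


# Constructed sample records (not real CloudTrail data).
ASSUMED_ROLE_EVENT = json.loads("""{
  "eventName": "DescribeInstances",
  "sourceIPAddress": "203.0.113.7",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AROAEXAMPLEID:session-1",
    "arn": "arn:aws:sts::123456789012:assumed-role/ReadOnly/session-1",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "AROAEXAMPLEID",
        "arn": "arn:aws:iam::123456789012:role/ReadOnly",
        "accountId": "123456789012",
        "userName": "ReadOnly"
      }
    }
  }
}""")

CONSOLE_LOGIN_EVENT = json.loads("""{
  "eventName": "ConsoleLogin",
  "sourceIPAddress": "AWS Internal",
  "userIdentity": {"type": "IAMUser", "userName": "alice"},
  "additionalEventData": {"LoginTo": "https://console.aws.amazon.com/",
                          "MobileVersion": "No", "MFAUsed": "No"}
}""")

if __name__ == "__main__":
    for ev in (ASSUMED_ROLE_EVENT, CONSOLE_LOGIN_EVENT):
        print(json.dumps(map_event(ev), indent=2, sort_keys=True))
```

Running the block prints the mapped fields for both constructed records; the ConsoleLogin one keeps `source.address` but gets no `source.ip`, and `mfa_used` is only emitted for the ConsoleLogin event, which is the property a detection rule keyed on MFA use depends on.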

@leehinman leehinman merged commit 57e194b into elastic:master Mar 23, 2020
leehinman added a commit to leehinman/beats that referenced this pull request Mar 23, 2020
* Improve AWS cloudtrail field mappings

(cherry picked from commit 57e194b)
@leehinman leehinman added v7.7.0 and removed needs_backport PR is waiting to be backported to other branches. labels Mar 23, 2020
leehinman added a commit that referenced this pull request Mar 23, 2020
* Improve AWS cloudtrail field mappings

(cherry picked from commit 57e194b)
@leehinman leehinman deleted the 16086_16110_cloudtrail branch March 23, 2020 21:10

Successfully merging this pull request may close these issues.

  • [Filebeat] Cloudtrail: parse consoleLogin additional data
  • [Filebeat] Add session issuer to cloudtrail fields
3 participants