[Filebeat] Improve AWS cloudtrail field mappings #17155

Merged
merged 3 commits into from
Mar 23, 2020
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
@@ -198,6 +198,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Add custom string mapping to CEF module to support Check Point devices. {issue}16041[16041] {pull}16907[16907]
- Add pattern for Cisco ASA / FTD Message 734001 {issue}16212[16212] {pull}16612[16612]
- Added new module `o365` for ingesting Office 365 management activity API events. {issue}16196[16196] {pull}16386[16386]
- Improve AWS cloudtrail field mappings {issue}16086[16086] {issue}16110[16110] {pull}17155[17155]

*Heartbeat*

82 changes: 82 additions & 0 deletions filebeat/docs/fields.asciidoc
@@ -1156,6 +1156,48 @@ type: keyword

--

[float]
=== session_issuer

If the request was made with temporary security credentials, an element that provides information about how the credentials were obtained.


*`aws.cloudtrail.user_identity.session_issuer.type`*::
+
--
The source of the temporary security credentials, such as Root, IAMUser, or Role.

type: keyword

--

*`aws.cloudtrail.user_identity.session_issuer.principal_id`*::
+
--
The internal ID of the entity that was used to get credentials.

type: keyword

--

*`aws.cloudtrail.user_identity.session_issuer.arn`*::
+
--
The ARN of the source (account, IAM user, or role) that was used to get temporary security credentials.

type: keyword

--

*`aws.cloudtrail.user_identity.session_issuer.account_id`*::
+
--
The account that owns the entity that was used to get credentials.

type: keyword

--

*`aws.cloudtrail.error_code`*::
+
--
@@ -1315,6 +1357,46 @@ type: keyword

--

[float]
=== console_login

Fields specific to ConsoleLogin events


[float]
=== additional_eventdata

Additional Event Data for ConsoleLogin events



*`aws.cloudtrail.console_login.additional_eventdata.mobile_version`*::
+
--
Identifies whether ConsoleLogin was from mobile version

type: boolean

--

*`aws.cloudtrail.console_login.additional_eventdata.login_to`*::
+
--
URL for ConsoleLogin

type: keyword

--

*`aws.cloudtrail.console_login.additional_eventdata.mfa_used`*::
+
--
Identifies whether multi factor authentication was used during ConsoleLogin

type: boolean

--

[float]
=== cloudwatch

50 changes: 50 additions & 0 deletions x-pack/filebeat/module/aws/cloudtrail/_meta/fields.yml
@@ -51,6 +51,33 @@
description: >-
The name of the AWS service that made the request, such as
Amazon EC2 Auto Scaling or AWS Elastic Beanstalk.
- name: session_issuer
type: group
description: >-
If the request was made with temporary security
credentials, an element that provides information about
how the credentials were obtained.
fields:
- name: type
type: keyword
description: >-
The source of the temporary security credentials, such
as Root, IAMUser, or Role.
- name: principal_id
type: keyword
description: >-
The internal ID of the entity that was used to get
credentials.
- name: arn
type: keyword
description: >-
The ARN of the source (account, IAM user, or role)
that was used to get temporary security credentials.
- name: account_id
type: keyword
description: >-
The account that owns the entity that was used to get
credentials.
- name: error_code
type: keyword
description: >-
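Review bot: the session_issuer group documents type, principal_id, arn and account_id, but not the userName member that pipeline.yml renames to the ECS field user.name for assumed-role sessions; a sentence in the group description saying where userName goes would save readers from searching the pipeline for it, and makes it explicit that no aws.cloudtrail.user_identity.session_issuer.user_name field exists by design.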
@@ -133,3 +160,26 @@
description: >-
Identifies the VPC endpoint in which requests were made from a
VPC to another AWS service, such as Amazon S3.
- name: console_login
type: group
description: >-
Fields specific to ConsoleLogin events
fields:
- name: additional_eventdata
type: group
description: >
Additional Event Data for ConsoleLogin events
fields:
- name: mobile_version
type: boolean
description: >-
Identifies whether ConsoleLogin was from mobile version
- name: login_to
type: keyword
description: >-
URL for ConsoleLogin
- name: mfa_used
type: boolean
description: >-
Identifies whether multi factor authentication was
used during ConsoleLogin
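Review bot: the additional_eventdata group uses `description: >` while every other description in this file uses `>-`; the plain `>` keeps a trailing newline in the generated docs, so switch it to `>-` for consistency. The field descriptions are also missing articles and a hyphen and will be copied verbatim into fields.asciidoc: suggest "Identifies whether the ConsoleLogin was made from the mobile version of the console" and "Identifies whether multi-factor authentication was used during the ConsoleLogin".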
67 changes: 63 additions & 4 deletions x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml
@@ -55,6 +55,27 @@ processors:
field: "json.userIdentity.invokedBy"
target_field: "aws.cloudtrail.user_identity.invoked_by"
ignore_failure: true
- rename:
field: "json.userIdentity.sessionIssuer.type"
target_field: "aws.cloudtrail.user_identity.session_issuer.type"
ignore_failure: true
# userIdentity.sessionIssuer.userName is only set with assumed roles.
- rename:
field: "json.userIdentity.sessionIssuer.userName"
target_field: "user.name"
Contributor
Is there a chance this overwrites user.name already set from userIdentity.userName earlier in the pipeline? Is this what we want?

Contributor Author
I was worried about that too; I'll add a comment. sessionIssuer.userName should only be set when there is an assumed role.

ignore_failure: true
- rename:
field: "json.userIdentity.sessionIssuer.principalId"
target_field: "aws.cloudtrail.user_identity.session_issuer.principal_id"
ignore_failure: true
- rename:
field: "json.userIdentity.sessionIssuer.arn"
target_field: "aws.cloudtrail.user_identity.session_issuer.arn"
ignore_failure: true
- rename:
field: "json.userIdentity.sessionIssuer.accountId"
target_field: "aws.cloudtrail.user_identity.session_issuer.account_id"
ignore_failure: true
- rename:
field: "json.eventSource"
target_field: "event.provider"
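Review bot: on the `json.userIdentity.sessionIssuer.userName` to `user.name` rename, the Elasticsearch rename processor raises an error when the target field already exists, so with `ignore_failure: true` an earlier `user.name` taken from `userIdentity.userName` is kept and the session issuer's name is silently dropped rather than overwritten. That is the opposite of the overwrite the review question worries about, and it is worth stating in the comment above the processor; if both names can ever be present in one record, a `set` processor with an `if` condition would make the precedence explicit instead of relying on a swallowed failure. The other four renames in this hunk are consistent with the existing user_identity mappings.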
@@ -67,14 +88,20 @@ processors:
field: "json.awsRegion"
target_field: "cloud.region"
ignore_failure: true
- geoip:
field: "json.sourceIPAddress"
target_field: "source.geo"
ignore_failure: true
- rename:
field: "json.sourceIPAddress"
target_field: "source.address"
ignore_failure: true
- grok:
field: source.address
ignore_failure: true
patterns:
- ^%{IP:source.ip}$
- geoip:
field: "source.ip"
target_field: "source.geo"
ignore_failure: true
ignore_missing: true
- user_agent:
field: "json.userAgent"
target_field: "user_agent"
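Review bot: the grok processor on `source.address` should also carry `ignore_missing: true`, as the geoip processor below it does; when `json.sourceIPAddress` is absent the preceding rename is skipped, grok then fails on the missing field and the failure is only hidden by `ignore_failure`. Running geoip on `source.ip` extracted by `^%{IP:source.ip}$` instead of on the raw `sourceIPAddress` is the right move, since the value is only enriched when it is a complete IP literal and non-IP values stay in `source.address`. Minor style point: `field: source.address` is unquoted while every other `field:` value in the pipeline is quoted.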
@@ -204,6 +231,38 @@ processors:
if (ctx.json?.requestParameters.newUserName != null) {
addRelatedUser(ctx, ctx.json.requestParameters.newUserName);
}

- script:
lang: painless
ignore_failure: true
source: >-
if (ctx.json?.eventName != 'ConsoleLogin') {
return;
}
Map aed_map = new HashMap();
if (ctx.json?.additionalEventData?.MobileVersion != null) {
if (ctx.json.additionalEventData.MobileVersion == 'No') {
aed_map.put("mobile_version", false);
} else {
aed_map.put("mobile_version", true);
}
}
if (ctx.json?.additionalEventData?.LoginTo != null) {
aed_map.put("login_to", ctx.json.additionalEventData.LoginTo);
}
if (ctx.json?.additionalEventData?.MFAUsed != null) {
if (ctx.json.additionalEventData.MFAUsed == 'No') {
aed_map.put("mfa_used", false);
} else {
aed_map.put("mfa_used", true);
}
}
if (aed_map.size() > 0) {
Map cl_map = new HashMap();
cl_map.put("additional_eventdata", aed_map);
ctx.aws.cloudtrail.put("console_login", cl_map);
}

- remove:
field:
- "json"
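Review bot: in the ConsoleLogin script, `MobileVersion` and `MFAUsed` become `true` for any value other than the string `'No'`, so an unexpected or malformed value is reported as a positive MFA or mobile login; compare against `'Yes'` for `true` and `'No'` for `false`, and leave the boolean unset for anything else, so that `mfa_used: true` can be trusted by detections that key on it. The final `ctx.aws.cloudtrail.put("console_login", cl_map)` also assumes `ctx.aws.cloudtrail` already exists; that holds when earlier renames populated it, but a guard such as `ctx.aws?.cloudtrail != null` would turn a silently swallowed NullPointerException into an explicit skip. Note the raw `aws.cloudtrail.additional_eventdata` string remains set alongside the new structured fields (see the expected output), which is fine for compatibility but worth a comment.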
@@ -26,6 +26,7 @@
],
"service.type": "aws",
"source.address": "127.0.0.1",
"source.ip": "127.0.0.1",
"user.id": "EX_PRINCIPAL_ID",
"user.name": "Alice",
"user_agent.device.name": "Other",
@@ -33,6 +33,7 @@
"source.geo.location.lon": 106.5531,
"source.geo.region_iso_code": "CN-CQ",
"source.geo.region_name": "Chongqing",
"source.ip": "123.145.67.89",
"user.id": "AROAIN5ATK5U7KEXAMPLE:JohnRole1",
"user_agent.device.name": "Spider",
"user_agent.name": "aws-cli",
@@ -25,6 +25,7 @@
"log.offset": 0,
"service.type": "aws",
"source.address": "127.0.0.1",
"source.ip": "127.0.0.1",
"user.id": "0123456789012",
"user.name": "Alice",
"user_agent.device.name": "Spider",
@@ -56,6 +57,7 @@
"log.offset": 720,
"service.type": "aws",
"source.address": "127.0.0.1",
"source.ip": "127.0.0.1",
"user.id": "0123456789012",
"user.name": "Alice",
"user_agent.device.name": "Spider",
@@ -1,2 +1,3 @@
{"eventVersion":"1.05","userIdentity":{"type":"IAMUser","principalId":"AIDACKCEVSQ6C2EXAMPLE","arn":"arn:aws:iam::111122223333:user/JohnDoe","accountId":"111122223333","userName":"JohnDoe"},"eventTime":"2014-07-16T15:49:27Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","awsRegion":"us-east-2","sourceIPAddress":"192.0.2.110","userAgent":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0","requestParameters":null,"responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MobileVersion":"No","LoginTo":"https://console.aws.amazon.com/s3/","MFAUsed":"No"},"eventID":"3fcfb182-98f8-4744-bd45-10aEXAMPLE"}
{"eventVersion":"1.05","userIdentity":{"type":"IAMUser","principalId":"AIDACKCEVSQ6C2EXAMPLE","arn":"arn:aws:iam::111122223333:user/JaneDoe","accountId":"111122223333","userName":"JaneDoe"},"eventTime":"2014-07-08T17:35:27Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","awsRegion":"us-east-2","sourceIPAddress":"192.0.2.100","userAgent":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0","errorMessage":"Failed authentication","requestParameters":null,"responseElements":{"ConsoleLogin":"Failure"},"additionalEventData":{"MobileVersion":"No","LoginTo":"https://console.aws.amazon.com/sns","MFAUsed":"No"},"eventID":"11ea990b-4678-4bcd-8fbe-625EXAMPLE"}
{"eventVersion":"1.05","userIdentity":{"type":"AssumedRole","principalId":"AROAIDPPEZS35WEXAMPLE:AssumedRoleSessionName","arn":"arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed/MySessionName","accountId":"123456789012","accessKeyId":"AKIAIOSFODNN7EXAMPLE","sessionContext":{"attributes":{"mfaAuthenticated":"false","creationDate":"20131102T010628Z"}},"sessionIssuer":{"type":"Role","principalId":"AROAIDPPEZS35WEXAMPLE","arn":"arn:aws:iam::123456789012:role/RoleToBeAssumed","accountId":"123456789012","userName":"RoleToBeAssumed"}},"eventTime":"2014-07-08T17:35:27Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","awsRegion":"us-east-2","sourceIPAddress":"192.0.2.100","userAgent":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0","errorMessage":"Failed authentication","requestParameters":null,"responseElements":{"ConsoleLogin":"Failure"},"additionalEventData":{"MobileVersion":"No","LoginTo":"https://console.aws.amazon.com/sns","MFAUsed":"No"},"eventID":"11ea990b-4678-4bcd-8fbe-625EXAMPLE"}
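Review bot: the new AssumedRole record was built by copying the second line and reuses its `eventID` (`11ea990b-4678-4bcd-8fbe-625EXAMPLE`), `eventTime` and `errorMessage`; give the fixture a distinct event ID so the test data does not contain two events that would be treated as duplicates on `event.id`. More importantly, in the CloudTrail userIdentity format `sessionIssuer` is a child of `sessionContext` (alongside `attributes`), whereas this record, and the `json.userIdentity.sessionIssuer.*` paths the pipeline renames from, place it as a sibling of `sessionContext`; please verify the placement against a captured CloudTrail record before merging, since the mapping is currently only exercised by this hand-built fixture.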
@@ -2,6 +2,9 @@
{
"@timestamp": "2014-07-16T15:49:27.000Z",
"aws.cloudtrail.additional_eventdata": "{LoginTo=https://console.aws.amazon.com/s3/, MobileVersion=No, MFAUsed=No}",
"aws.cloudtrail.console_login.additional_eventdata.login_to": "https://console.aws.amazon.com/s3/",
"aws.cloudtrail.console_login.additional_eventdata.mfa_used": false,
"aws.cloudtrail.console_login.additional_eventdata.mobile_version": false,
"aws.cloudtrail.event_version": "1.05",
"aws.cloudtrail.response_elements": "{ConsoleLogin=Success}",
"aws.cloudtrail.user_identity.arn": "arn:aws:iam::111122223333:user/JohnDoe",
@@ -23,6 +26,7 @@
"log.offset": 0,
"service.type": "aws",
"source.address": "192.0.2.110",
"source.ip": "192.0.2.110",
"user.id": "AIDACKCEVSQ6C2EXAMPLE",
"user.name": "JohnDoe",
"user_agent.device.name": "Other",
@@ -36,6 +40,9 @@
{
"@timestamp": "2014-07-08T17:35:27.000Z",
"aws.cloudtrail.additional_eventdata": "{LoginTo=https://console.aws.amazon.com/sns, MobileVersion=No, MFAUsed=No}",
"aws.cloudtrail.console_login.additional_eventdata.login_to": "https://console.aws.amazon.com/sns",
"aws.cloudtrail.console_login.additional_eventdata.mfa_used": false,
"aws.cloudtrail.console_login.additional_eventdata.mobile_version": false,
"aws.cloudtrail.error_message": "Failed authentication",
"aws.cloudtrail.event_version": "1.05",
"aws.cloudtrail.response_elements": "{ConsoleLogin=Failure}",
@@ -58,6 +65,7 @@
"log.offset": 658,
"service.type": "aws",
"source.address": "192.0.2.100",
"source.ip": "192.0.2.100",
"user.id": "AIDACKCEVSQ6C2EXAMPLE",
"user.name": "JaneDoe",
"user_agent.device.name": "Other",
@@ -67,5 +75,50 @@
"user_agent.os.name": "Windows",
"user_agent.os.version": "7",
"user_agent.version": "24.0."
},
{
"@timestamp": "2014-07-08T17:35:27.000Z",
"aws.cloudtrail.additional_eventdata": "{LoginTo=https://console.aws.amazon.com/sns, MobileVersion=No, MFAUsed=No}",
"aws.cloudtrail.console_login.additional_eventdata.login_to": "https://console.aws.amazon.com/sns",
"aws.cloudtrail.console_login.additional_eventdata.mfa_used": false,
"aws.cloudtrail.console_login.additional_eventdata.mobile_version": false,
"aws.cloudtrail.error_message": "Failed authentication",
"aws.cloudtrail.event_version": "1.05",
"aws.cloudtrail.response_elements": "{ConsoleLogin=Failure}",
"aws.cloudtrail.user_identity.access_key_id": "AKIAIOSFODNN7EXAMPLE",
"aws.cloudtrail.user_identity.arn": "arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed/MySessionName",
"aws.cloudtrail.user_identity.session_context.mfa_authenticated": "false",
"aws.cloudtrail.user_identity.session_issuer.account_id": "123456789012",
"aws.cloudtrail.user_identity.session_issuer.arn": "arn:aws:iam::123456789012:role/RoleToBeAssumed",
"aws.cloudtrail.user_identity.session_issuer.principal_id": "AROAIDPPEZS35WEXAMPLE",
"aws.cloudtrail.user_identity.session_issuer.type": "Role",
"aws.cloudtrail.user_identity.type": "AssumedRole",
"cloud.account.id": "123456789012",
"cloud.region": "us-east-2",
"event.action": "ConsoleLogin",
"event.category": "authentication",
"event.dataset": "aws.cloudtrail",
"event.id": "11ea990b-4678-4bcd-8fbe-625EXAMPLE",
"event.kind": "event",
"event.module": "aws",
"event.original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"AssumedRole\",\"principalId\":\"AROAIDPPEZS35WEXAMPLE:AssumedRoleSessionName\",\"arn\":\"arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed/MySessionName\",\"accountId\":\"123456789012\",\"accessKeyId\":\"AKIAIOSFODNN7EXAMPLE\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"false\",\"creationDate\":\"20131102T010628Z\"}},\"sessionIssuer\":{\"type\":\"Role\",\"principalId\":\"AROAIDPPEZS35WEXAMPLE\",\"arn\":\"arn:aws:iam::123456789012:role/RoleToBeAssumed\",\"accountId\":\"123456789012\",\"userName\":\"RoleToBeAssumed\"}},\"eventTime\":\"2014-07-08T17:35:27Z\",\"eventSource\":\"signin.amazonaws.com\",\"eventName\":\"ConsoleLogin\",\"awsRegion\":\"us-east-2\",\"sourceIPAddress\":\"192.0.2.100\",\"userAgent\":\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0\",\"errorMessage\":\"Failed authentication\",\"requestParameters\":null,\"responseElements\":{\"ConsoleLogin\":\"Failure\"},\"additionalEventData\":{\"MobileVersion\":\"No\",\"LoginTo\":\"https://console.aws.amazon.com/sns\",\"MFAUsed\":\"No\"},\"eventID\":\"11ea990b-4678-4bcd-8fbe-625EXAMPLE\"}",
"event.outcome": "failure",
"event.provider": "signin.amazonaws.com",
"event.type": "info",
"fileset.name": "cloudtrail",
"input.type": "log",
"log.offset": 1355,
"service.type": "aws",
"source.address": "192.0.2.100",
"source.ip": "192.0.2.100",
"user.id": "AROAIDPPEZS35WEXAMPLE:AssumedRoleSessionName",
"user.name": "RoleToBeAssumed",
"user_agent.device.name": "Other",
"user_agent.name": "Firefox",
"user_agent.original": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0",
"user_agent.os.full": "Windows 7",
"user_agent.os.name": "Windows",
"user_agent.os.version": "7",
"user_agent.version": "24.0."
}
]
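Review bot: the expected document mixes two encodings of the same kind of fact: `aws.cloudtrail.user_identity.session_context.mfa_authenticated` is the string `"false"` while the new `aws.cloudtrail.console_login.additional_eventdata.mfa_used` is the boolean `false`. A detection filtering on MFA state has to handle both; consider converting `mfa_authenticated` to boolean in the same way (possibly a follow-up), and otherwise the session_issuer and console_login values here match the fixture record line for line.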
@@ -31,6 +31,7 @@
],
"service.type": "aws",
"source.address": "127.0.0.1",
"source.ip": "127.0.0.1",
"user.id": "EXAMPLE_ID",
"user.name": "Alice",
"user_agent.device.name": "Other",