From 564ea59a3a4f3aeb29a357c86754eb1e2ee6c2cb Mon Sep 17 00:00:00 2001
From: Mathieu Martin
Date: Fri, 4 Jan 2019 15:06:50 -0500
Subject: [PATCH] Set event.action=ssh_login (too broad ATM) and event.outcome for some ssh activity

Note: when I say event.action is too broad, this is because it lumps in session disconnects as 'ssh_login', when it should likely be ssh_session.
---
 .../module/system/auth/ingest/pipeline.json | 23 ++++++++++++++++++-
 .../system/auth/test/test.log-expected.json | 19 +++++++++++++++
 2 files changed, 41 insertions(+), 1 deletion(-)

diff --git a/filebeat/module/system/auth/ingest/pipeline.json b/filebeat/module/system/auth/ingest/pipeline.json
index ce7d0f250a9..49142bc2d18 100644
--- a/filebeat/module/system/auth/ingest/pipeline.json
+++ b/filebeat/module/system/auth/ingest/pipeline.json
@@ -52,12 +52,33 @@
 "if": "ctx.containsKey('process') && ctx.process.containsKey('name') && ctx.process.name == 'sshd'"
 }
 },
+ {
+ "set": {
+ "field": "event.action",
+ "value": "ssh_login",
+ "if": "ctx.event.containsKey('category') && ctx.event.category == 'authentication'"
+ }
+ },
+ {
+ "set": {
+ "field": "event.outcome",
+ "value": "success",
+ "if": "ctx.event.containsKey('action') && ctx.event.action == 'ssh_login' && ctx.system.auth.containsKey('ssh') && ctx.system.auth.ssh.containsKey('action') && ctx.system.auth.ssh.action == 'Accepted'"
+ }
+ },
+ {
+ "set": {
+ "field": "event.outcome",
+ "value": "failure",
+ "if": "ctx.event.containsKey('action') && ctx.event.action == 'ssh_login' && ctx.system.auth.containsKey('ssh') && ctx.system.auth.ssh.containsKey('action') && ctx.system.auth.ssh.action == 'Failed'"
+ }
+ },
 {
 "set": {
 "field": "source.ip",
 "value": "{{system.auth.ssh.dropped_ip}}",
- "if": "ctx.containsKey('system') && ctx.system.containsKey('auth') && ctx.system.auth.containsKey('ssh') && ctx.system.auth.ssh.containsKey('dropped_ip')"
+ "if": "ctx.system.auth.containsKey('ssh') && ctx.system.auth.ssh.containsKey('dropped_ip')"
 }
 },
 {
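Review bot: The two new `event.outcome` conditions and the rewritten `source.ip` condition call `ctx.system.auth.containsKey(...)` without the `ctx.containsKey('system') && ctx.system.containsKey('auth')` guard that the removed `source.ip` line carried; if an event can reach these processors without a `system.auth` object (the old guard suggests the author once thought it could), Painless raises a null-pointer error and the event fails the pipeline instead of passing through unlabelled. Unless every event is guaranteed to carry `system.auth` at this point, restore the guard on all three conditions, e.g. `"if": "ctx.containsKey('system') && ctx.system.containsKey('auth') && ctx.system.auth.containsKey('ssh') && ctx.system.auth.ssh.containsKey('dropped_ip')"`. Separately, `event.action` is set for every `authentication` event but `event.outcome` only when `system.auth.ssh.action` is exactly `Accepted` or `Failed`, so the expected-output file now holds events with `event.action: ssh_login` and no `event.outcome` (the hunks at old lines 106, 214 and onward), which a detection rule keyed on `event.outcome` cannot tell apart from lines whose result simply was not parsed; which `ssh.action` values intentionally yield no outcome should be documented, as the commit message already does for disconnects. The processors array these entries belong to starts and ends outside the hunk.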
diff --git a/filebeat/module/system/auth/test/test.log-expected.json b/filebeat/module/system/auth/test/test.log-expected.json
index cf146207a59..0c1a99cdce5 100644
--- a/filebeat/module/system/auth/test/test.log-expected.json
+++ b/filebeat/module/system/auth/test/test.log-expected.json
@@ -1,10 +1,12 @@
 [
 {
 "ecs.version": "1.0.0-beta2",
+ "event.action": "ssh_login",
 "event.category": "authentication",
 "event.dataset": "system.auth",
 "event.kind": "event",
 "event.module": "system",
+ "event.outcome": "success",
 "fileset.name": "auth",
 "host.hostname": "localhost",
 "input.type": "log",
@@ -21,10 +23,12 @@
 },
 {
 "ecs.version": "1.0.0-beta2",
+ "event.action": "ssh_login",
 "event.category": "authentication",
 "event.dataset": "system.auth",
 "event.kind": "event",
 "event.module": "system",
+ "event.outcome": "success",
 "fileset.name": "auth",
 "host.hostname": "localhost",
 "input.type": "log",
@@ -40,10 +44,12 @@
 },
 {
 "ecs.version": "1.0.0-beta2",
+ "event.action": "ssh_login",
 "event.category": "authentication",
 "event.dataset": "system.auth",
 "event.kind": "event",
 "event.module": "system",
+ "event.outcome": "failure",
 "fileset.name": "auth",
 "host.hostname": "slave22",
 "input.type": "log",
@@ -106,6 +112,7 @@
 },
 {
 "ecs.version": "1.0.0-beta2",
+ "event.action": "ssh_login",
 "event.category": "authentication",
 "event.dataset": "system.auth",
 "event.kind": "event",
@@ -194,10 +201,12 @@
 },
 {
 "ecs.version": "1.0.0-beta2",
+ "event.action": "ssh_login",
 "event.category": "authentication",
 "event.dataset": "system.auth",
 "event.kind": "event",
 "event.module": "system",
+ "event.outcome": "success",
 "fileset.name": "auth",
 "host.hostname": "ubuntu-xenial",
 "input.type": "log",
@@ -214,6 +223,7 @@
 },
 {
 "ecs.version": "1.0.0-beta2",
+ "event.action": "ssh_login",
 "event.category": "authentication",
 "event.dataset": "system.auth",
 "event.kind": "event",
@@ -253,6 +263,7 @@
 },
 {
 "ecs.version": "1.0.0-beta2",
+ "event.action": "ssh_login",
 "event.category": "authentication",
 "event.dataset": "system.auth",
 "event.kind": "event",
@@ -267,6 +278,7 @@
 },
 {
 "ecs.version": "1.0.0-beta2",
+ "event.action": "ssh_login",
 "event.category": "authentication",
 "event.dataset": "system.auth",
 "event.kind": "event",
@@ -281,6 +293,7 @@
 },
 {
 "ecs.version": "1.0.0-beta2",
+ "event.action": "ssh_login",
 "event.category": "authentication",
 "event.dataset": "system.auth",
 "event.kind": "event",
@@ -372,6 +385,7 @@
 },
 {
 "ecs.version": "1.0.0-beta2",
+ "event.action": "ssh_login",
 "event.category": "authentication",
 "event.dataset": "system.auth",
 "event.kind": "event",
@@ -386,6 +400,7 @@
 },
 {
 "ecs.version": "1.0.0-beta2",
+ "event.action": "ssh_login",
 "event.category": "authentication",
 "event.dataset": "system.auth",
 "event.kind": "event",
@@ -400,6 +415,7 @@
 },
 {
 "ecs.version": "1.0.0-beta2",
+ "event.action": "ssh_login",
 "event.category": "authentication",
 "event.dataset": "system.auth",
 "event.kind": "event",
@@ -426,6 +442,7 @@
 },
 {
 "ecs.version": "1.0.0-beta2",
+ "event.action": "ssh_login",
 "event.category": "authentication",
 "event.dataset": "system.auth",
 "event.kind": "event",
@@ -443,6 +460,7 @@
 },
 {
 "ecs.version": "1.0.0-beta2",
+ "event.action": "ssh_login",
 "event.category": "authentication",
 "event.dataset": "system.auth",
 "event.kind": "event",
@@ -457,6 +475,7 @@
 },
 {
 "ecs.version": "1.0.0-beta2",
+ "event.action": "ssh_login",
 "event.category": "authentication",
 "event.dataset": "system.auth",
 "event.kind": "event",