Skip to content

Commit

Permalink
Add text & flattened fields in aws cloudtrail fileset (elastic#19121)
Browse files Browse the repository at this point in the history
AWS cloudtrail events have the following fields where the subfields
are highley variable: requestParameters, responseElements,
additionalEventData and serviceEventDetails.

multi_fields added to following fields
- aws.cloudtrail.request_parameters
- aws.cloudtrail.response_elements
- aws.cloudtrail.additiona_eventdata
- aws.cloudtrail.service_event_details

flattened version of the fields are stored here:
- aws.cloudtrail.flattened.request_parameters
- aws.cloudtrail.flattened.response_elements
- aws.cloudtrail.flattened.additiona_eventdata
- aws.cloudtrail.flattened.service_event_details

Closes elastic#18866
  • Loading branch information
leehinman authored and melchiormoulin committed Oct 14, 2020
1 parent 05f82e7 commit ba8f633
Show file tree
Hide file tree
Showing 36 changed files with 291 additions and 26 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -438,6 +438,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Add support for timezone offsets and `Z` to decode_cef timestamp parser. {pull}19346[19346]
- Improve ECS categorization field mappings in traefik module. {issue}16183[16183] {pull}19379[19379]
- Improve ECS categorization field mappings in azure module. {issue}16155[16155] {pull}19376[19376]
- Add text & flattened versions of fields with unknown subfields in aws cloudtrail fileset. {issue}18866[18866] {pull}19121[19121]

*Heartbeat*

Expand Down
71 changes: 71 additions & 0 deletions filebeat/docs/fields.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -1229,6 +1229,13 @@ type: keyword
--
*`aws.cloudtrail.request_parameters.text`*::
+
--
type: text
--
*`aws.cloudtrail.response_elements`*::
+
--
Expand All @@ -1238,6 +1245,13 @@ type: keyword
--
*`aws.cloudtrail.response_elements.text`*::
+
--
type: text
--
*`aws.cloudtrail.additional_eventdata`*::
+
--
Expand All @@ -1247,6 +1261,13 @@ type: keyword
--
*`aws.cloudtrail.additional_eventdata.text`*::
+
--
type: text
--
*`aws.cloudtrail.request_id`*::
+
--
Expand Down Expand Up @@ -1343,6 +1364,13 @@ type: keyword
--
*`aws.cloudtrail.service_event_details.text`*::
+
--
type: text
--
*`aws.cloudtrail.shared_event_id`*::
+
--
Expand Down Expand Up @@ -1401,6 +1429,49 @@ type: boolean
--
[float]
=== flattened
ES flattened datatype for objects where the subfields aren't known in advance.
*`aws.cloudtrail.flattened.additional_eventdata`*::
+
--
Additional data about the event that was not part of the request or response.
type: flattened
--
*`aws.cloudtrail.flattened.request_parameters`*::
+
--
The parameters, if any, that were sent with the request.
type: flattened
--
*`aws.cloudtrail.flattened.response_elements`*::
+
--
The response element for actions that make changes (create, update, or delete actions).
type: flattened
--
*`aws.cloudtrail.flattened.service_event_details`*::
+
--
Identifies the service event, including what triggered the event and the result.
type: flattened
--
[float]
=== cloudwatch
Expand Down
2 changes: 1 addition & 1 deletion libbeat/mapping/field.go
Original file line number Diff line number Diff line change
Expand Up @@ -138,7 +138,7 @@ func (f *Field) validateType() error {
if f.Format != "" {
return fmt.Errorf("no format expected for field %s, found: %s", f.Name, f.Format)
}
case "object", "group", "nested":
case "object", "group", "nested", "flattened":
// No check for them yet
case "":
// Module keys, not used as fields
Expand Down
2 changes: 1 addition & 1 deletion libbeat/tests/system/beat/beat.py
Original file line number Diff line number Diff line change
Expand Up @@ -571,7 +571,7 @@ def extract_fields(doc_list, name):
aliases.extend(subaliases)
else:
fields.append(newName)
if field.get("type") in ["object", "geo_point"]:
if field.get("type") in ["object", "geo_point", "flattened"]:
dictfields.append(newName)

if field.get("type") == "object" and field.get("object_type") == "histogram":
Expand Down
40 changes: 40 additions & 0 deletions x-pack/filebeat/module/aws/cloudtrail/_meta/fields.yml
Original file line number Diff line number Diff line change
Expand Up @@ -90,16 +90,28 @@
type: keyword
description: >-
The parameters, if any, that were sent with the request.
multi_fields:
- name: text
type: text
default_field: false
- name: response_elements
type: keyword
description: >-
The response element for actions that make changes (create,
update, or delete actions).
multi_fields:
- name: text
type: text
default_field: false
- name: additional_eventdata
type: keyword
description: >-
Additional data about the event that was not part of the
request or response.
multi_fields:
- name: text
type: text
default_field: false
- name: request_id
type: keyword
description: >-
Expand Down Expand Up @@ -149,6 +161,10 @@
description: >-
Identifies the service event, including what triggered the
event and the result.
multi_fields:
- name: text
type: text
default_field: false
- name: shared_event_id
type: keyword
description: >-
Expand Down Expand Up @@ -183,3 +199,27 @@
description: >-
Identifies whether multi factor authentication was
used during ConsoleLogin
- name: flattened
type: group
description: >-
ES flattened datatype for objects where the subfields aren't known in advance.
fields:
- name: additional_eventdata
type: flattened
description: >
Additional data about the event that was not part of the
request or response.
- name: request_parameters
type: flattened
description: >-
The parameters, if any, that were sent with the request.
- name: response_elements
type: flattened
description: >-
The response element for actions that make changes (create,
update, or delete actions).
- name: service_event_details
type: flattened
description: >-
Identifies the service event, including what triggered the
event and the result.
59 changes: 36 additions & 23 deletions x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml
Original file line number Diff line number Diff line change
Expand Up @@ -135,25 +135,37 @@ processors:
field: "json.errorMessage"
target_field: "aws.cloudtrail.error_message"
ignore_failure: true
- rename:
field: json.requestParameters
target_field: "aws.cloudtrail.flattened.request_parameters"
if: ctx.json.requestParameters != null
- script:
lang: painless
source: |
if (ctx.json.requestParameters != null) {
ctx.aws.cloudtrail.request_parameters = ctx.json.requestParameters.toString();
if (ctx.aws.cloudtrail.flattened.request_parameters != null) {
ctx.aws.cloudtrail.request_parameters = ctx.aws.cloudtrail.flattened.request_parameters.toString();
}
ignore_failure: true
- rename:
field: json.responseElements
target_field: "aws.cloudtrail.flattened.response_elements"
if: ctx.json.responseElements != null
- script:
lang: painless
source: |
if (ctx.json.responseElements != null) {
ctx.aws.cloudtrail.response_elements = ctx.json.responseElements.toString();
if (ctx.aws.cloudtrail.flattened.response_elements != null) {
ctx.aws.cloudtrail.response_elements = ctx.aws.cloudtrail.flattened.response_elements.toString();
}
ignore_failure: true
- rename:
field: json.additionalEventData
target_field: "aws.cloudtrail.flattened.additional_eventdata"
if: ctx?.json?.additionalEventData != null
- script:
lang: painless
source: |
if (ctx.json.additionalEventData != null) {
ctx.aws.cloudtrail.additional_eventdata = ctx.json.additionalEventData.toString();
if (ctx.aws.cloudtrail.flattened.additional_eventdata != null) {
ctx.aws.cloudtrail.additional_eventdata = ctx.aws.cloudtrail.flattened.additional_eventdata.toString();
}
ignore_failure: true
- rename:
Expand Down Expand Up @@ -196,11 +208,15 @@ processors:
field: "json.recipientAccountId"
target_field: "aws.cloudtrail.recipient_account_id"
ignore_failure: true
- rename:
field: json.serviceEventDetails
target_field: "aws.cloudtrail.flattened.service_event_details"
if: ctx.json.serviceEventDetails != null
- script:
lang: painless
source: |
if (ctx.json.serviceEventDetails != null) {
ctx.aws.cloudtrail.service_event_details = ctx.json.serviceEventDetails.toString();
if (ctx.aws.cloudtrail.flattened.service_event_details != null) {
ctx.aws.cloudtrail.service_event_details = ctx.aws.cloudtrail.flattened.service_event_details.toString();
}
ignore_failure: true
- rename:
Expand All @@ -226,14 +242,11 @@ processors:
}
ctx.related.user.add(userName);
}
if (ctx.json?.requestParameters.userName != null) {
addRelatedUser(ctx, ctx.json.requestParameters.userName);
if (ctx?.aws?.cloudtrail?.flattened?.request_parameters?.userName != null) {
addRelatedUser(ctx, ctx.aws.cloudtrail.flattened.request_parameters.userName);
}
if (ctx.json?.requestParameters.newUserName != null) {
addRelatedUser(ctx, ctx.json.requestParameters.newUserName);
if (ctx?.aws?.cloudtrail?.flattened?.request_parameters?.newUserName != null) {
addRelatedUser(ctx, ctx.aws.cloudtrail.flattened.request_parameters.newUserName);
}
- script:
Expand All @@ -244,18 +257,18 @@ processors:
return;
}
Map aed_map = new HashMap();
if (ctx.json?.additionalEventData?.MobileVersion != null) {
if (ctx.json.additionalEventData.MobileVersion == 'No') {
if (ctx?.aws?.cloudtrail?.flattened?.additional_eventdata?.MobileVersion != null) {
if (ctx.aws.cloudtrail.flattened.additional_eventdata.MobileVersion == 'No') {
aed_map.put("mobile_version", false);
} else {
aed_map.put("mobile_version", true);
}
}
if (ctx.json?.additionalEventData?.LoginTo != null) {
aed_map.put("login_to", ctx.json.additionalEventData.LoginTo);
if (ctx?.aws?.cloudtrail?.flattened?.additional_eventdata?.LoginTo != null) {
aed_map.put("login_to", ctx.aws.cloudtrail.flattened.additional_eventdata.LoginTo);
}
if (ctx.json?.additionalEventData?.MFAUsed != null) {
if (ctx.json.additionalEventData.MFAUsed == 'No') {
if (ctx?.aws?.cloudtrail?.flattened?.additional_eventdata?.MFAUsed != null) {
if (ctx.aws.cloudtrail.flattened.additional_eventdata.MFAUsed == 'No') {
aed_map.put("mfa_used", false);
} else {
aed_map.put("mfa_used", true);
Expand Down Expand Up @@ -598,8 +611,8 @@ processors:
return;
}
if (ctx.event.action == 'ConsoleLogin' && ctx.json?.responseElements.ConsoleLogin != null) {
ctx.event.outcome = Processors.lowercase(ctx.json.responseElements.ConsoleLogin);
if (ctx.event.action == 'ConsoleLogin' && ctx?.aws?.cloudtrail?.flattened?.response_elements.ConsoleLogin != null) {
ctx.event.outcome = Processors.lowercase(ctx.aws.cloudtrail.flattened.response_elements.ConsoleLogin);
}
def hm = new HashMap(params.get(ctx.event.action));
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,8 @@
{
"@timestamp": "2014-03-25T21:08:14.000Z",
"aws.cloudtrail.event_version": "1.0",
"aws.cloudtrail.flattened.request_parameters.groupName": "admin",
"aws.cloudtrail.flattened.request_parameters.userName": "Bob",
"aws.cloudtrail.request_parameters": "{groupName=admin, userName=Bob}",
"aws.cloudtrail.user_identity.access_key_id": "EXAMPLE_KEY_ID",
"aws.cloudtrail.user_identity.arn": "arn:aws:iam::123456789012:user/Alice",
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,29 @@
"@timestamp": "2019-10-02T22:12:29.000Z",
"aws.cloudtrail.event_type": "AwsApiCall",
"aws.cloudtrail.event_version": "1.05",
"aws.cloudtrail.flattened.request_parameters.durationSeconds": 3600,
"aws.cloudtrail.flattened.request_parameters.incomingTransitiveTags.Department": "Engineering",
"aws.cloudtrail.flattened.request_parameters.roleArn": "arn:aws:iam::111111111111:role/JohnRole2",
"aws.cloudtrail.flattened.request_parameters.roleSessionName": "Role2WithTags",
"aws.cloudtrail.flattened.request_parameters.tags": [
{
"key": "Email",
"value": "[email protected]"
},
{
"key": "CostCenter",
"value": "12345"
}
],
"aws.cloudtrail.flattened.request_parameters.transitiveTagKeys": [
"Email",
"CostCenter"
],
"aws.cloudtrail.flattened.response_elements.assumedRoleUser.arn": "arn:aws:sts::111111111111:assumed-role/test-role/Role2WithTags",
"aws.cloudtrail.flattened.response_elements.assumedRoleUser.assumedRoleId": "AROAIFR7WHDTSOYQYHFUE:Role2WithTags",
"aws.cloudtrail.flattened.response_elements.credentials.accessKeyId": "ASIAWHOJDLGPOEXAMPLE",
"aws.cloudtrail.flattened.response_elements.credentials.expiration": "Oct 2, 2019 11:12:29 PM",
"aws.cloudtrail.flattened.response_elements.credentials.sessionToken": "AgoJb3JpZ2luX2VjEB4aCXVzLXdlc3QtMSJHMEXAMPLETOKEN+//rJb8Lo30mFc5MlhFCEbubZvEj0wHB/mDMwIgSEe9gk/Zjr09tZV7F1HDTMhmEXAMPLETOKEN/iEJ/rkqngII9///////////ARABGgw0MjgzMDc4NjM5NjYiDLZjZFKwP4qxQG5sFCryASO4UPz5qE97wPPH1eLMvs7CgSDBSWfonmRTCfokm2FN1+hWUdQQH6adjbbrVLFL8c3jSsBhQ383AvxpwK5YRuDE1AI/+C+WKFZb701eiv9J5La2EXAMPLETOKEN/c7S5Iro1WUJ0q3Cxuo/8HUoSxVhQHM7zF7mWWLhXLEQ52ivL+F6q5dpXu4aTFedpMfnJa8JtkWwG9x1Axj0Ypy2ok8v5unpQGWych1vwdvj6ez1Dm8Xg1+qIzXILiEXAMPLETOKEN/vQGqu8H+nxp3kabcrtOvTFTvxX6vsc8OGwUfHhzAfYGEXAMPLETOKEN/L6v1yMM3B1OwFOrQBno1HEjf1oNI8RnQiMNFdUOtwYj7HUZIOCZmjfN8PPHq77N7GJl9lzvIZKQA0Owcjg+mc78zHCj8y0siY8C96paEXAMPLETOKEN/E3cpksxWdgs91HRzJWScjN2+r2LTGjYhyPqcmFzzo2mCE7mBNEXAMPLETOKEN/oJy+2o83YNW5tOiDmczgDzJZ4UKR84yGYOMfSnF4XcEJrDgAJ3OJFwmTcTQICAlSwLEXAMPLETOKEN",
"aws.cloudtrail.recipient_account_id": "111111111111",
"aws.cloudtrail.request_parameters": "{incomingTransitiveTags={Department=Engineering}, transitiveTagKeys=[Email, CostCenter], durationSeconds=3600, roleArn=arn:aws:iam::111111111111:role/JohnRole2, roleSessionName=Role2WithTags, tags=[{[email protected], key=Email}, {value=12345, key=CostCenter}]}",
"aws.cloudtrail.response_elements": "{assumedRoleUser={assumedRoleId=AROAIFR7WHDTSOYQYHFUE:Role2WithTags, arn=arn:aws:sts::111111111111:assumed-role/test-role/Role2WithTags}, credentials={accessKeyId=ASIAWHOJDLGPOEXAMPLE, sessionToken=AgoJb3JpZ2luX2VjEB4aCXVzLXdlc3QtMSJHMEXAMPLETOKEN+//rJb8Lo30mFc5MlhFCEbubZvEj0wHB/mDMwIgSEe9gk/Zjr09tZV7F1HDTMhmEXAMPLETOKEN/iEJ/rkqngII9///////////ARABGgw0MjgzMDc4NjM5NjYiDLZjZFKwP4qxQG5sFCryASO4UPz5qE97wPPH1eLMvs7CgSDBSWfonmRTCfokm2FN1+hWUdQQH6adjbbrVLFL8c3jSsBhQ383AvxpwK5YRuDE1AI/+C+WKFZb701eiv9J5La2EXAMPLETOKEN/c7S5Iro1WUJ0q3Cxuo/8HUoSxVhQHM7zF7mWWLhXLEQ52ivL+F6q5dpXu4aTFedpMfnJa8JtkWwG9x1Axj0Ypy2ok8v5unpQGWych1vwdvj6ez1Dm8Xg1+qIzXILiEXAMPLETOKEN/vQGqu8H+nxp3kabcrtOvTFTvxX6vsc8OGwUfHhzAfYGEXAMPLETOKEN/L6v1yMM3B1OwFOrQBno1HEjf1oNI8RnQiMNFdUOtwYj7HUZIOCZmjfN8PPHq77N7GJl9lzvIZKQA0Owcjg+mc78zHCj8y0siY8C96paEXAMPLETOKEN/E3cpksxWdgs91HRzJWScjN2+r2LTGjYhyPqcmFzzo2mCE7mBNEXAMPLETOKEN/oJy+2o83YNW5tOiDmczgDzJZ4UKR84yGYOMfSnF4XcEJrDgAJ3OJFwmTcTQICAlSwLEXAMPLETOKEN, expiration=Oct 2, 2019 11:12:29 PM}}",
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,10 @@
"aws.cloudtrail.console_login.additional_eventdata.mfa_used": false,
"aws.cloudtrail.console_login.additional_eventdata.mobile_version": false,
"aws.cloudtrail.event_version": "1.05",
"aws.cloudtrail.flattened.additional_eventdata.LoginTo": "https://console.aws.amazon.com/s3/",
"aws.cloudtrail.flattened.additional_eventdata.MFAUsed": "No",
"aws.cloudtrail.flattened.additional_eventdata.MobileVersion": "No",
"aws.cloudtrail.flattened.response_elements.ConsoleLogin": "Success",
"aws.cloudtrail.response_elements": "{ConsoleLogin=Success}",
"aws.cloudtrail.user_identity.arn": "arn:aws:iam::111122223333:user/JohnDoe",
"aws.cloudtrail.user_identity.type": "IAMUser",
Expand Down Expand Up @@ -52,6 +56,10 @@
"aws.cloudtrail.console_login.additional_eventdata.mobile_version": false,
"aws.cloudtrail.error_message": "Failed authentication",
"aws.cloudtrail.event_version": "1.05",
"aws.cloudtrail.flattened.additional_eventdata.LoginTo": "https://console.aws.amazon.com/sns",
"aws.cloudtrail.flattened.additional_eventdata.MFAUsed": "No",
"aws.cloudtrail.flattened.additional_eventdata.MobileVersion": "No",
"aws.cloudtrail.flattened.response_elements.ConsoleLogin": "Failure",
"aws.cloudtrail.response_elements": "{ConsoleLogin=Failure}",
"aws.cloudtrail.user_identity.arn": "arn:aws:iam::111122223333:user/JaneDoe",
"aws.cloudtrail.user_identity.type": "IAMUser",
Expand Down Expand Up @@ -98,6 +106,10 @@
"aws.cloudtrail.console_login.additional_eventdata.mobile_version": false,
"aws.cloudtrail.error_message": "Failed authentication",
"aws.cloudtrail.event_version": "1.05",
"aws.cloudtrail.flattened.additional_eventdata.LoginTo": "https://console.aws.amazon.com/sns",
"aws.cloudtrail.flattened.additional_eventdata.MFAUsed": "No",
"aws.cloudtrail.flattened.additional_eventdata.MobileVersion": "No",
"aws.cloudtrail.flattened.response_elements.ConsoleLogin": "Failure",
"aws.cloudtrail.response_elements": "{ConsoleLogin=Failure}",
"aws.cloudtrail.user_identity.access_key_id": "AKIAIOSFODNN7EXAMPLE",
"aws.cloudtrail.user_identity.arn": "arn:aws:sts::123456789012:assumed-role/RoleToBeAssumed/MySessionName",
Expand Down
Loading

0 comments on commit ba8f633

Please sign in to comment.