Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Filebeat] Add source.as.organization.name to cloudtrail fileset #18644

Closed
leehinman opened this issue May 19, 2020 · 2 comments · Fixed by #18958
Closed

[Filebeat] Add source.as.organization.name to cloudtrail fileset #18644

leehinman opened this issue May 19, 2020 · 2 comments · Fixed by #18958
Assignees
@leehinman
Labels
enhancement Filebeat Filebeat

Comments

@leehinman
Copy link
Contributor

Describe the enhancement:
Add source.as.organization.name to cloudtrail fileset

- geoip:
    database_file: GeoLite2-ASN.mmdb
    field: source.ip
    target_field: source.as
    properties:
    - asn
    - organization_name
    ignore_missing: true
- rename:
    field: source.as.organization_name
    target_field: source.as.organization.name
    ignore_missing: true
- rename:
    field: destination.as.asn
    target_field: destination.as.number
    ignore_missing: true

Describe a specific use case for the enhancement or feature:

** Backport
7.6, 7.7, 7.8, 7.x
@leehinman leehinman added enhancement Filebeat Filebeat needs_backport PR is waiting to be backported to other branches. Team:SIEM labels May 19, 2020
@leehinman leehinman self-assigned this May 19, 2020
@elasticmachine
Copy link
Collaborator

Pinging @elastic/siem (Team:SIEM)

@randomuserid
Copy link

We could use this both in rules and ML jobs for CloudTrail events. Most CloudTrail events are just records of API method calls which are often not inherently suspicious. The ability to consider the attributes of the client or caller network will be important in addition to the user context or creds.

@leehinman leehinman mentioned this issue Jun 3, 2020
Merged
4 tasks
leehinman added a commit to leehinman/beats that referenced this issue Jun 3, 2020
@leehinman
Improve AWS cloudtrail fileset
dada2a5 
- add geoip AS lookup on source.ip
- improve mappings event.category
- improve mappings for event.type

Closes elastic#18644
leehinman added a commit that referenced this issue Jun 5, 2020
@leehinman
Improve AWS cloudtrail fileset (#18958)
c01dfe6 
- add geoip AS lookup on source.ip
- improve mappings event.category
- improve mappings for event.type

Closes #18644
leehinman added a commit to leehinman/beats that referenced this issue Jun 5, 2020
@leehinman
Improve AWS cloudtrail fileset (elastic#18958)
6867068 
- add geoip AS lookup on source.ip
- improve mappings event.category
- improve mappings for event.type

Closes elastic#18644

(cherry picked from commit c01dfe6)
@leehinman leehinman mentioned this issue Jun 5, 2020
Merged
4 tasks
leehinman added a commit that referenced this issue Jun 8, 2020
@leehinman
Improve AWS cloudtrail fileset (#18958) (#19023)
4d30c52 
- add geoip AS lookup on source.ip
- improve mappings event.category
- improve mappings for event.type

Closes #18644

(cherry picked from commit c01dfe6)
melchiormoulin pushed a commit to melchiormoulin/beats that referenced this issue Oct 14, 2020
@leehinman @melchiormoulin
Improve AWS cloudtrail fileset (elastic#18958)
6e4526f 
- add geoip AS lookup on source.ip
- improve mappings event.category
- improve mappings for event.type

Closes elastic#18644
@andrewkroh andrewkroh removed the needs_backport PR is waiting to be backported to other branches. label Dec 15, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@leehinman leehinman

Labels
enhancement Filebeat Filebeat
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[Filebeat] Improve AWS cloudtrail fileset leehinman/beats
4 participants
@randomuserid @andrewkroh @elasticmachine @leehinman