
[Filebeat] Missing sessionContext in cloudtrail fields #18894

Closed
ynirk opened this issue Jun 2, 2020 · 1 comment · Fixed by #18915
Labels: Filebeat

Comments

ynirk commented Jun 2, 2020

Ref issue: #16086
Ref PR: #17155

The parsing of CloudTrail's session issuer information misses the session context in the path. From the AWS doc, the sessionIssuer part is under sessionContext:

"sessionContext": {
  "attributes": {
    "mfaAuthenticated": "false",
    "creationDate": "20131102T010628Z"
  },
  "sessionIssuer": {
    "type": "Role",
    "principalId": "AROAIDPPEZS35WEXAMPLE",
    "arn": "arn:aws:iam::123456789012:role/RoleToBeAssumed",
    "accountId": "123456789012",
    "userName": "RoleToBeAssumed"
  }
}

On Logstash I've used the following mapping:

sessionContext.sessionIssuer.type -> aws.cloudtrail.user_identity.session_context.issuer.type
sessionContext.sessionIssuer.principalId -> aws.cloudtrail.user_identity.session_context.issuer.id
sessionContext.sessionIssuer.userName -> user.name
sessionContext.sessionIssuer.arn -> aws.cloudtrail.user_identity.session_context.issuer.arn
sessionContext.sessionIssuer.accountId -> aws.cloudtrail.user_identity.session_context.issuer.account.id

I've mapped

  • sessionIssuer to issuer (as we already have session_context)
  • principalId to id and accountId to account.id (to try to have names closer to the ECS ones)

What do you think?
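To make the two lookups concrete, here is an added Python example (not Filebeat's ingest pipeline and not the Logstash config from this issue) that applies the proposed mapping to a userIdentity object: looking for sessionIssuer without the sessionContext level yields nothing, which is how the data was being skipped, while the correct path produces the five target fields. The names get_path, map_session_issuer and ISSUER_FIELD_MAP are my own, and the sample object is constructed from the AWS doc snippet above.

```python
# Added example: apply the issuer field mapping proposed in this issue to a
# CloudTrail userIdentity object and show the effect of the wrong lookup path.
from typing import Any, Dict, Optional

# Proposed mapping: key under sessionContext.sessionIssuer -> target field.
ISSUER_FIELD_MAP = {
    "type": "aws.cloudtrail.user_identity.session_context.issuer.type",
    "principalId": "aws.cloudtrail.user_identity.session_context.issuer.id",
    "userName": "user.name",
    "arn": "aws.cloudtrail.user_identity.session_context.issuer.arn",
    "accountId": "aws.cloudtrail.user_identity.session_context.issuer.account.id",
}


def get_path(obj: Dict[str, Any], path: str) -> Optional[Any]:
    """Walk a dotted path through nested dicts; None if any level is missing."""
    cur: Any = obj
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def map_session_issuer(user_identity: Dict[str, Any],
                       issuer_path: str = "sessionContext.sessionIssuer") -> Dict[str, Any]:
    """Return the flat target fields for the session issuer.

    issuer_path is where the pipeline looks for sessionIssuer. The pre-fix
    pipeline looked one level too high ("sessionIssuer"), so nothing matched
    and the data was silently skipped.
    """
    issuer = get_path(user_identity, issuer_path)
    if not isinstance(issuer, dict):
        return {}  # path not present: fields are dropped, not errored
    return {tgt: issuer[src] for src, tgt in ISSUER_FIELD_MAP.items() if src in issuer}


# Constructed sample, modelled on the AWS doc snippet quoted in the issue.
SAMPLE_USER_IDENTITY = {
    "sessionContext": {
        "attributes": {"mfaAuthenticated": "false", "creationDate": "20131102T010628Z"},
        "sessionIssuer": {
            "type": "Role",
            "principalId": "AROAIDPPEZS35WEXAMPLE",
            "arn": "arn:aws:iam::123456789012:role/RoleToBeAssumed",
            "accountId": "123456789012",
            "userName": "RoleToBeAssumed",
        },
    },
}

if __name__ == "__main__":
    print(map_session_issuer(SAMPLE_USER_IDENTITY, "sessionIssuer"))  # wrong level: {}
    print(map_session_issuer(SAMPLE_USER_IDENTITY))  # correct level: 5 mapped fields
```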

elasticmachine (Collaborator) commented:

Pinging @elastic/siem (Team:SIEM)

@leehinman leehinman self-assigned this Jun 2, 2020
leehinman added a commit to leehinman/beats that referenced this issue Jun 2, 2020
pipeline & fields.yml had session issuer outside of the
session context object.  session issuer only appears inside
the session context object.  Not a breaking change because prior to
this the data was being skipped.

Closes elastic#18894
leehinman added a commit that referenced this issue Jun 5, 2020
leehinman added a commit to leehinman/beats that referenced this issue Jun 5, 2020
(cherry picked from commit 632c086)
leehinman added a commit that referenced this issue Jun 16, 2020
…9022)
(cherry picked from commit 632c086)
melchiormoulin pushed a commit to melchiormoulin/beats that referenced this issue Oct 14, 2020