Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Filebeat AWS CloudTrail eventName overwritten by eventCategory during ingest #22776

Closed
adamkrieger opened this issue Nov 26, 2020 · 3 comments · Fixed by #22805
Closed

Filebeat AWS CloudTrail eventName overwritten by eventCategory during ingest #22776

adamkrieger opened this issue Nov 26, 2020 · 3 comments · Fixed by #22805
Assignees
@leehinman

Comments

@adamkrieger
Copy link

Issue: Where ECS = destination elasticsearch record and json = CloudTrail payload being ingested. By default, the pipeline used to process CloudTrail logs will overwrite ECS event.action with json eventCategory where ECS event.action should be json eventName. ECS event.category is also not written to as a result.

I believe this is the line causing the issue:

beats/x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml

Line 95 in 6106aa7

field: "event.action"

Example CloudTrail Payload:

{"awsRegion":"us-east-1","eventCategory":"Management","eventID":"REDACTED","eventName":"DescribeConfigurationRecorders","eventSource":"config.amazonaws.com","eventTime":"REDACTED","eventType":"AwsApiCall","eventVersion":"1.07","managementEvent":true,"readOnly":true,"recipientAccountId":"REDACTED","requestID":"REDACTED","requestParameters":null,"responseElements":null,"sourceIPAddress":"REDACTED","userAgent":"REDACTED","userIdentity":{"accessKeyId":"REDACTED","accountId":"REDACTED","arn":"arn:aws:iam::REDACTED:user/REDACTED","principalId":"REDACTED","sessionContext":{"attributes":{"creationDate":"REDACTED","mfaAuthenticated":"true"},"sessionIssuer":{},"webIdFederationData":{}},"type":"IAMUser","userName":"REDACTED"}}

Results in Elasticsearch ECS fields:

event.action = Management
event.category NOT SET

Expected:

event.action = DescribeConfigurationRecorders
event.category = Management
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Nov 26, 2020
@elasticmachine
Copy link
Collaborator

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Nov 27, 2020
@leehinman leehinman self-assigned this Nov 30, 2020
@leehinman leehinman mentioned this issue Nov 30, 2020
Merged
4 tasks
@leehinman
Copy link
Contributor

Because ECS specifies a list of accepted values. I stored eventCategory in a new custom field, see #22805

@adamkrieger
Copy link
Author

Ah great, even better.

leehinman added a commit to leehinman/beats that referenced this issue Dec 10, 2020
@leehinman
AWS CloudTrail preserve eventCategory
d704da5 
- map to aws.cloudtrail.event_category

Closes elastic#22776
leehinman added a commit that referenced this issue Dec 10, 2020
@leehinman
[Filebeat] AWS CloudTrail preserve eventCategory (#22805)
971b95b 
* AWS CloudTrail preserve eventCategory

- map to aws.cloudtrail.event_category

Closes #22776
leehinman added a commit to leehinman/beats that referenced this issue Dec 10, 2020
@leehinman
[Filebeat] AWS CloudTrail preserve eventCategory (elastic#22805)
b5a0918 
* AWS CloudTrail preserve eventCategory

- map to aws.cloudtrail.event_category

Closes elastic#22776

(cherry picked from commit 971b95b)
@leehinman leehinman mentioned this issue Dec 10, 2020
Merged
4 tasks
leehinman added a commit that referenced this issue Dec 10, 2020
@leehinman
[Filebeat] AWS CloudTrail preserve eventCategory (#22805) (#23051)
758e830 
* AWS CloudTrail preserve eventCategory

- map to aws.cloudtrail.event_category

Closes #22776

(cherry picked from commit 971b95b)
@leehinman leehinman mentioned this issue Jan 7, 2021
Closed
4 tasks
leehinman added a commit to leehinman/beats that referenced this issue Jan 7, 2021
@leehinman
[Filebeat] AWS CloudTrail preserve eventCategory (elastic#22805)
496feb0 
* AWS CloudTrail preserve eventCategory

- map to aws.cloudtrail.event_category

Closes elastic#22776

(cherry picked from commit 971b95b)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@leehinman leehinman

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[Filebeat] AWS CloudTrail preserve eventCategory leehinman/beats
4 participants
@andresrc @adamkrieger @elasticmachine @leehinman