
Filebeat module RabbitMQ - add ECS authentication fields for SIEM #31159

Closed
leweafan opened this issue Apr 5, 2022 · 3 comments · Fixed by #31680
Labels
Team:Integrations Label for the Integrations team

Comments


leweafan commented Apr 5, 2022

Describe the enhancement:

RabbitMQ logs have authentication messages for successful and failed attempts. But ECS fields important for SIEM like
event.category, event.type, event.action, event.outcome and user.name are missing.

Describe a specific use case for the enhancement or feature:

2021-11-22 17:48:20.003114+03:00 [info] <0.1345.0> connection <0.1345.0> (127.0.0.1:64875 -> 127.0.0.1:5672): user 'guest' authenticated and granted access to vhost '/'
2021-11-22 17:48:20.003114+03:00 [warning] <0.8084.263> HTTP access denied: user 'guest' - Not monitor user

Successful authentication message should have fields:

  • event.category = "authentication"
  • event.type = "logged-in"
  • event.action = "start"
  • event.outcome = "success"
  • user.name = "guest"

Failed authentication message should have fields:

  • event.category = "authentication"
  • event.type = "logon-failed"
  • event.action = "start"
  • event.outcome = "failure"
  • user.name = "guest"
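The mapping requested above, as an added example that is not part of the issue or of the Filebeat module itself: a small Python normalizer that parses the two sample lines from the issue into flat ECS-style keys, applying exactly the event.category / event.type / event.action / event.outcome / user.name values listed, and a helper that counts failed logins per user the way a SIEM rule would. The header layout (timestamp, level, Erlang pid) and the regexes are assumptions derived from the two sample lines, not the module's grok patterns; the source.* fields are standard ECS names added for the successful-connection line.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample input: the two lines quoted in the issue (not live traffic).
SAMPLE_LINES = [
    "2021-11-22 17:48:20.003114+03:00 [info] <0.1345.0> connection <0.1345.0> "
    "(127.0.0.1:64875 -> 127.0.0.1:5672): user 'guest' authenticated and granted access to vhost '/'",
    "2021-11-22 17:48:20.003114+03:00 [warning] <0.8084.263> HTTP access denied: user 'guest' - Not monitor user",
]

# Assumed RabbitMQ log header: "<date> <time+offset> [<level>] <erlang pid> <message>".
HEADER_RE = re.compile(r"^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] <(?P<pid>[\d.]+)> (?P<msg>.*)$")

# Successful AMQP authentication, with peer/listener address and vhost.
SUCCESS_RE = re.compile(
    r"connection <[\d.]+> \((?P<src_ip>[^:]+):(?P<src_port>\d+) -> "
    r"(?P<dst_ip>[^:]+):(?P<dst_port>\d+)\): user '(?P<user>[^']*)' "
    r"authenticated and granted access to vhost '(?P<vhost>[^']*)'"
)

# Failed HTTP (management API) authorization for a named user.
FAILURE_RE = re.compile(r"HTTP access denied: user '(?P<user>[^']*)' - (?P<reason>.*)$")


def to_ecs(line):
    """Parse one RabbitMQ log line into a flat dict of ECS-style dotted keys.

    Returns None when the header does not parse. Lines that parse but are not
    authentication events keep only the header fields (no event.category).
    """
    m = HEADER_RE.match(line)
    if not m:
        return None
    event = {
        "@timestamp": datetime.fromisoformat(m["ts"]).isoformat(),
        "log.level": m["level"],
        "rabbitmq.log.pid": m["pid"],  # assumed field name for the Erlang pid
        "message": m["msg"],
    }

    ok = SUCCESS_RE.match(m["msg"])
    if ok:
        event.update({
            "event.category": "authentication",
            "event.type": "logged-in",
            "event.action": "start",
            "event.outcome": "success",
            "user.name": ok["user"],
            "source.ip": ok["src_ip"],
            "source.port": int(ok["src_port"]),
            "destination.ip": ok["dst_ip"],
            "destination.port": int(ok["dst_port"]),
            "rabbitmq.vhost": ok["vhost"],  # assumed field name
        })
        return event

    bad = FAILURE_RE.match(m["msg"])
    if bad:
        event.update({
            "event.category": "authentication",
            "event.type": "logon-failed",
            "event.action": "start",
            "event.outcome": "failure",
            "event.reason": bad["reason"],
            "user.name": bad["user"],
        })
    return event


def failures_by_user(lines):
    """Count failed authentications per user.name, as a SIEM brute-force rule would."""
    counts = Counter()
    for line in lines:
        ev = to_ecs(line)
        if ev and ev.get("event.outcome") == "failure":
            counts[ev["user.name"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(to_ecs(line))
    print(failures_by_user(SAMPLE_LINES))
```

Once the fields are present, a SIEM rule only needs to filter on event.category:authentication and event.outcome:failure and group by user.name; the normalizer above is what makes that grouping possible for both the AMQP and the HTTP management-API log formats.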
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Apr 5, 2022
@elasticmachine

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Apr 12, 2022
@efd6 efd6 self-assigned this May 19, 2022
@efd6

efd6 commented May 19, 2022

This should be Integrations rather than SEI, but I had a change before I read the code owners to find that out.

@efd6 efd6 added Team:Integrations Label for the Integrations team and removed Team:Security-External Integrations labels May 19, 2022
@elasticmachine

Pinging @elastic/integrations (Team:Integrations)
