Skip to content

Commit

Permalink
[Filebeat] Add ECS tls fields to zeek and aws modules (elastic#15936)
Browse files Browse the repository at this point in the history
* Add ECS tls fields to zeek and aws modules

- zeek/smtp
  + tls.established
- zeek/rdp
  + tls.established
- zeek/ssl
  + tls.cipher
  + tls.curve
  + tls.client.issuer
  + tls.established
  + tls.resumed
  + tls.server.issuer
  + tls.version
  + tls.version_protocol
- aws/elb
  + tls.cipher
  + tls.version
  + tls.version_protocol
- aws/s3access
  + tls.cipher
  + tls.version
  + tls.version_protocol

Closes elastic#15757
  • Loading branch information
leehinman authored Feb 3, 2020
1 parent 249929e commit b6baae0
Show file tree
Hide file tree
Showing 17 changed files with 388 additions and 399 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -101,6 +101,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Set event.outcome field based on googlecloud audit log output. {pull}15731[15731]
- Add dashboard for AWS ELB fileset. {pull}15804[15804]
- Add dashboard for AWS vpcflow fileset. {pull}16007[16007]
- Add ECS tls fields to zeek:smtp,rdp,ssl and aws:s3access,elb {issue}15757[15757] {pull}15935[15936]

*Heartbeat*

Expand Down
20 changes: 20 additions & 0 deletions x-pack/filebeat/module/aws/elb/ingest/pipeline.yml
Original file line number Diff line number Diff line change
Expand Up @@ -139,6 +139,26 @@ processors:
target_field: source.as.organization.name
ignore_missing: true

- set:
field: tls.cipher
value: '{{aws.elb.ssl_cipher}}'
if: ctx.aws?.elb?.ssl_cipher != null

- script:
lang: painless
if: ctx.aws?.elb?.ssl_protocol != null
source: >-
def parts = ctx.aws.elb.ssl_protocol.splitOnToken("v");
if (parts.length != 2) {
return;
}
if (parts[1].contains(".")) {
ctx.tls.version = parts[1];
} else {
ctx.tls.version = parts[1].substring(0,1) + "." + parts[1].substring(1);
}
ctx.tls.version_protocol = parts[0].toLowerCase();
- remove:
field:
- message
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -72,6 +72,9 @@
"service.type": "aws",
"source.ip": "192.168.131.39",
"source.port": "2817",
"tls.cipher": "ECDHE-RSA-AES128-GCM-SHA256",
"tls.version": "1.2",
"tls.version_protocol": "tls",
"user_agent.original": "curl/7.46.0"
},
{
Expand Down Expand Up @@ -110,6 +113,9 @@
"service.type": "aws",
"source.ip": "10.0.1.252",
"source.port": "48160",
"tls.cipher": "ECDHE-RSA-AES128-GCM-SHA256",
"tls.version": "1.2",
"tls.version_protocol": "tls",
"user_agent.original": "curl/7.46.0"
},
{
Expand Down Expand Up @@ -174,6 +180,9 @@
"service.type": "aws",
"source.ip": "10.0.0.140",
"source.port": "44244",
"tls.cipher": "ECDHE-RSA-AES128-GCM-SHA256",
"tls.version": "1.2",
"tls.version_protocol": "tls",
"user_agent.original": "-"
},
{
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,9 @@
"service.type": "aws",
"source.ip": "192.168.131.39",
"source.port": "2817",
"tls.cipher": "DHE-RSA-AES128-SHA",
"tls.version": "1.2",
"tls.version_protocol": "tls",
"user_agent.original": "curl/7.38.0"
}
]
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,9 @@
"source.geo.region_iso_code": "US-VA",
"source.geo.region_name": "Virginia",
"source.ip": "72.21.218.154",
"source.port": "51341"
"source.port": "51341",
"tls.cipher": "ECDHE-RSA-AES128-SHA",
"tls.version": "1.2",
"tls.version_protocol": "tls"
}
]
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,9 @@
"service.type": "aws",
"source.bytes": 57,
"source.ip": "192.168.131.39",
"source.port": "2817"
"source.port": "2817",
"tls.cipher": "ECDHE-ECDSA-AES128-GCM-SHA256",
"tls.version": "1.2",
"tls.version_protocol": "tls"
}
]
15 changes: 15 additions & 0 deletions x-pack/filebeat/module/aws/s3access/ingest/pipeline.yml
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,21 @@ processors:
ignore_failure: true
formats:
- "dd/MMM/yyyy:H:m:s Z"
- set:
field: tls.cipher
value: '{{aws.s3access.cipher_suite}}'
if: ctx.aws?.s3access?.cipher_suite != null

- script:
lang: painless
if: ctx.aws?.s3access?.tls_version != null
source: >-
def parts = ctx.aws.s3access.tls_version.toLowerCase().splitOnToken("v");
if (parts.length != 2) {
return;
}
ctx.tls.version = parts[1];
ctx.tls.version_protocol = parts[0]
#
# Remove temporary fields
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,10 @@
"fileset.name": "s3access",
"input.type": "log",
"log.offset": 0,
"service.type": "aws"
"service.type": "aws",
"tls.cipher": "ECDHE-RSA-AES128-SHA",
"tls.version": "1.2",
"tls.version_protocol": "tls"
},
{
"@timestamp": "2019-08-01T00:24:42.000Z",
Expand All @@ -51,7 +54,10 @@
"fileset.name": "s3access",
"input.type": "log",
"log.offset": 715,
"service.type": "aws"
"service.type": "aws",
"tls.cipher": "ECDHE-RSA-AES128-SHA",
"tls.version": "1.2",
"tls.version_protocol": "tls"
},
{
"@timestamp": "2019-08-01T00:24:43.000Z",
Expand Down Expand Up @@ -79,7 +85,10 @@
"fileset.name": "s3access",
"input.type": "log",
"log.offset": 1429,
"service.type": "aws"
"service.type": "aws",
"tls.cipher": "ECDHE-RSA-AES128-SHA",
"tls.version": "1.2",
"tls.version_protocol": "tls"
},
{
"@timestamp": "2019-08-01T00:24:43.000Z",
Expand All @@ -106,7 +115,10 @@
"fileset.name": "s3access",
"input.type": "log",
"log.offset": 2161,
"service.type": "aws"
"service.type": "aws",
"tls.cipher": "ECDHE-RSA-AES128-SHA",
"tls.version": "1.2",
"tls.version_protocol": "tls"
},
{
"@timestamp": "2019-09-10T15:11:07.000Z",
Expand All @@ -130,7 +142,10 @@
"fileset.name": "s3access",
"input.type": "log",
"log.offset": 2875,
"service.type": "aws"
"service.type": "aws",
"tls.cipher": "ECDHE-RSA-AES128-SHA",
"tls.version": "1.2",
"tls.version_protocol": "tls"
},
{
"@timestamp": "2019-09-19T17:06:39.000Z",
Expand All @@ -154,6 +169,9 @@
"fileset.name": "s3access",
"input.type": "log",
"log.offset": 3280,
"service.type": "aws"
"service.type": "aws",
"tls.cipher": "ECDHE-RSA-AES128-SHA",
"tls.version": "1.2",
"tls.version_protocol": "tls"
}
]
25 changes: 20 additions & 5 deletions x-pack/filebeat/module/aws/s3access/test/test.log-expected.json
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,10 @@
"fileset.name": "s3access",
"input.type": "log",
"log.offset": 0,
"service.type": "aws"
"service.type": "aws",
"tls.cipher": "ECDHE-RSA-AES128-GCM-SHA256",
"tls.version": "1.1",
"tls.version_protocol": "tls"
},
{
"@timestamp": "2019-02-06T00:00:38.000Z",
Expand All @@ -51,7 +54,10 @@
"fileset.name": "s3access",
"input.type": "log",
"log.offset": 471,
"service.type": "aws"
"service.type": "aws",
"tls.cipher": "ECDHE-RSA-AES128-GCM-SHA256",
"tls.version": "1.1",
"tls.version_protocol": "tls"
},
{
"@timestamp": "2019-02-06T00:00:38.000Z",
Expand Down Expand Up @@ -79,7 +85,10 @@
"fileset.name": "s3access",
"input.type": "log",
"log.offset": 944,
"service.type": "aws"
"service.type": "aws",
"tls.cipher": "ECDHE-RSA-AES128-GCM-SHA256",
"tls.version": "1.1",
"tls.version_protocol": "tls"
},
{
"@timestamp": "2019-02-06T00:01:00.000Z",
Expand All @@ -106,7 +115,10 @@
"fileset.name": "s3access",
"input.type": "log",
"log.offset": 1431,
"service.type": "aws"
"service.type": "aws",
"tls.cipher": "ECDHE-RSA-AES128-GCM-SHA256",
"tls.version": "1.1",
"tls.version_protocol": "tls"
},
{
"@timestamp": "2019-02-06T00:01:57.000Z",
Expand Down Expand Up @@ -135,6 +147,9 @@
"fileset.name": "s3access",
"input.type": "log",
"log.offset": 1903,
"service.type": "aws"
"service.type": "aws",
"tls.cipher": "ECDHE-RSA-AES128-SHA",
"tls.version": "1.1",
"tls.version_protocol": "tls"
}
]
8 changes: 8 additions & 0 deletions x-pack/filebeat/module/zeek/rdp/ingest/pipeline.json
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,14 @@
"if": "ctx.zeek.session_id != null"
}
},
{
"convert": {
"field": "zeek.rdp.ssl",
"target_field": "tls.established",
"type": "boolean",
"ignore_missing": true
}
},
{
"set": {
"field": "source.ip",
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@
"tags": [
"zeek.rdp"
],
"tls.established": true,
"zeek.rdp.cert.count": 0,
"zeek.rdp.result": "encrypted",
"zeek.rdp.security_protocol": "HYBRID",
Expand Down
8 changes: 8 additions & 0 deletions x-pack/filebeat/module/zeek/smtp/ingest/pipeline.json
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,14 @@
"value": "{{destination.address}}"
}
},
{
"convert": {
"field": "zeek.smtp.tls",
"target_field": "tls.established",
"type": "boolean",
"ignore_missing": true
}
},
{
"date": {
"field": "zeek.smtp.date",
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@
"tags": [
"zeek.smtp"
],
"tls.established": true,
"zeek.session_id": "CWWzPB3RjqhFf528c",
"zeek.smtp.fuids": [],
"zeek.smtp.helo": "EXAMPLE.COM",
Expand Down
Loading

0 comments on commit b6baae0

Please sign in to comment.