[Filebeat][zeek] Map new x509 fields for ssl module (elastic#20927)

* Map new x509 fields for ssl module * Add changelog entry (cherry picked from commit 8fce110)
marc-gr · Sep 3, 2020 · 73fba0b · 73fba0b
1 parent 31e2708
commit 73fba0b
Show file tree

Hide file tree

Showing 3 changed files with 113 additions and 0 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -627,6 +627,7 @@ field. You can revert this change by configuring tags for the module and omittin
 - Return error when log harvester tries to open a named pipe. {issue}18682[18682] {pull}20450[20450]
 - Avoid goroutine leaks in Filebeat readers. {issue}19193[19193] {pull}20455[20455]
 - Improve Zeek x509 module with `x509` ECS mappings {pull}20867[20867]
+- Improve Zeek SSL module with `x509` ECS mappings {pull}20927[20927]
 
 *Heartbeat*
 

diff --git a/x-pack/filebeat/module/zeek/ssl/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/ssl/ingest/pipeline.yml
@@ -76,26 +76,50 @@ processors:
     field: zeek.ssl.server.issuer.C
     target_field: zeek.ssl.server.issuer.country
     ignore_missing: true
+- set:
+    field: tls.server.x509.issuer.country
+    value: '{{zeek.ssl.server.issuer.country}}'
+    ignore_empty_value: true
 - rename:
     field: zeek.ssl.server.issuer.CN
     target_field: zeek.ssl.server.issuer.common_name
     ignore_missing: true
+- set:
+    field: tls.server.x509.issuer.common_name
+    value: '{{zeek.ssl.server.issuer.common_name}}'
+    ignore_empty_value: true
 - rename:
     field: zeek.ssl.server.issuer.L
     target_field: zeek.ssl.server.issuer.locality
     ignore_missing: true
+- set:
+    field: tls.server.x509.issuer.locality
+    value: '{{zeek.ssl.server.issuer.locality}}'
+    ignore_empty_value: true
 - rename:
     field: zeek.ssl.server.issuer.O
     target_field: zeek.ssl.server.issuer.organization
     ignore_missing: true
+- set:
+    field: tls.server.x509.issuer.organization
+    value: '{{zeek.ssl.server.issuer.organization}}'
+    ignore_empty_value: true
 - rename:
     field: zeek.ssl.server.issuer.OU
     target_field: zeek.ssl.server.issuer.organizational_unit
     ignore_missing: true
+- set:
+    field: tls.server.x509.issuer.organizational_unit
+    value: '{{zeek.ssl.server.issuer.organizational_unit}}'
+    ignore_empty_value: true
 - rename:
     field: zeek.ssl.server.issuer.ST
     target_field: zeek.ssl.server.issuer.state
     ignore_missing: true
+- set:
+    field: tls.server.x509.issuer.state_or_province
+    value: '{{zeek.ssl.server.issuer.state}}'
+    ignore_empty_value: true
 - gsub:
     field: zeek.ssl.subject
     pattern: \\,
@@ -114,26 +138,50 @@ processors:
     field: zeek.ssl.server.subject.C
     target_field: zeek.ssl.server.subject.country
     ignore_missing: true
+- set:
+    field: tls.server.x509.subject.country
+    value: '{{zeek.ssl.server.subject.country}}'
+    ignore_empty_value: true
 - rename:
     field: zeek.ssl.server.subject.CN
     target_field: zeek.ssl.server.subject.common_name
     ignore_missing: true
+- set:
+    field: tls.server.x509.subject.common_name
+    value: '{{zeek.ssl.server.subject.common_name}}'
+    ignore_empty_value: true
 - rename:
     field: zeek.ssl.server.subject.L
     target_field: zeek.ssl.server.subject.locality
     ignore_missing: true
+- set:
+    field: tls.server.x509.subject.locality
+    value: '{{zeek.ssl.server.subject.locality}}'
+    ignore_empty_value: true
 - rename:
     field: zeek.ssl.server.subject.O
     target_field: zeek.ssl.server.subject.organization
     ignore_missing: true
+- set:
+    field: tls.server.x509.subject.organization
+    value: '{{zeek.ssl.server.subject.organization}}'
+    ignore_empty_value: true
 - rename:
     field: zeek.ssl.server.subject.OU
     target_field: zeek.ssl.server.subject.organizational_unit
     ignore_missing: true
+- set:
+    field: tls.server.x509.subject.organizational_unit
+    value: '{{zeek.ssl.server.subject.organizational_unit}}'
+    ignore_empty_value: true
 - rename:
     field: zeek.ssl.server.subject.ST
     target_field: zeek.ssl.server.subject.state
     ignore_missing: true
+- set:
+    field: tls.server.x509.subject.state_or_province
+    value: '{{zeek.ssl.server.subject.state}}'
+    ignore_empty_value: true
 - gsub:
     field: zeek.ssl.client_issuer
     pattern: \\,
@@ -153,26 +201,50 @@ processors:
     field: zeek.ssl.client.issuer.C
     target_field: zeek.ssl.client.issuer.country
     ignore_missing: true
+- set:
+    field: tls.client.x509.issuer.country
+    value: '{{zeek.ssl.client.issuer.country}}'
+    ignore_empty_value: true
 - rename:
     field: zeek.ssl.client.issuer.CN
     target_field: zeek.ssl.client.issuer.common_name
     ignore_missing: true
+- set:
+    field: tls.client.x509.issuer.common_name
+    value: '{{zeek.ssl.client.issuer.common_name}}'
+    ignore_empty_value: true
 - rename:
     field: zeek.ssl.client.issuer.L
     target_field: zeek.ssl.client.issuer.locality
     ignore_missing: true
+- set:
+    field: tls.client.x509.issuer.locality
+    value: '{{zeek.ssl.client.issuer.locality}}'
+    ignore_empty_value: true
 - rename:
     field: zeek.ssl.client.issuer.O
     target_field: zeek.ssl.client.issuer.organization
     ignore_missing: true
+- set:
+    field: tls.client.x509.issuer.organization
+    value: '{{zeek.ssl.client.issuer.organization}}'
+    ignore_empty_value: true
 - rename:
     field: zeek.ssl.client.issuer.OU
     target_field: zeek.ssl.client.issuer.organizational_unit
     ignore_missing: true
+- set:
+    field: tls.client.x509.issuer.organizational_unit
+    value: '{{zeek.ssl.client.issuer.organizational_unit}}'
+    ignore_empty_value: true
 - rename:
     field: zeek.ssl.client.issuer.ST
     target_field: zeek.ssl.client.issuer.state
     ignore_missing: true
+- set:
+    field: tls.client.x509.issuer.state_or_province
+    value: '{{zeek.ssl.client.issuer.state}}'
+    ignore_empty_value: true
 - gsub:
     field: zeek.ssl.client_subject
     pattern: \\,
@@ -191,26 +263,50 @@ processors:
     field: zeek.ssl.client.subject.C
     target_field: zeek.ssl.client.subject.country
     ignore_missing: true
+- set:
+    field: tls.client.x509.subject.country
+    value: '{{zeek.ssl.client.subject.country}}'
+    ignore_empty_value: true
 - rename:
     field: zeek.ssl.client.subject.CN
     target_field: zeek.ssl.client.subject.common_name
     ignore_missing: true
+- set:
+    field: tls.client.x509.subject.common_name
+    value: '{{zeek.ssl.client.subject.common_name}}'
+    ignore_empty_value: true
 - rename:
     field: zeek.ssl.client.subject.L
     target_field: zeek.ssl.client.subject.locality
     ignore_missing: true
+- set:
+    field: tls.client.x509.subject.locality
+    value: '{{zeek.ssl.client.subject.locality}}'
+    ignore_empty_value: true
 - rename:
     field: zeek.ssl.client.subject.O
     target_field: zeek.ssl.client.subject.organization
     ignore_missing: true
+- set:
+    field: tls.client.x509.subject.organization
+    value: '{{zeek.ssl.client.subject.organization}}'
+    ignore_empty_value: true
 - rename:
     field: zeek.ssl.client.subject.OU
     target_field: zeek.ssl.client.subject.organizational_unit
     ignore_missing: true
+- set:
+    field: tls.client.x509.subject.organizational_unit
+    value: '{{zeek.ssl.client.subject.organizational_unit}}'
+    ignore_empty_value: true
 - rename:
     field: zeek.ssl.client.subject.ST
     target_field: zeek.ssl.client.subject.state
     ignore_missing: true
+- set:
+    field: tls.client.x509.subject.state_or_province
+    value: '{{zeek.ssl.client.subject.state}}'
+    ignore_empty_value: true
 - set:
     field: tls.cipher
     value: '{{zeek.ssl.cipher}}'

diff --git a/x-pack/filebeat/module/zeek/ssl/test/ssl-json.log-expected.json b/x-pack/filebeat/module/zeek/ssl/test/ssl-json.log-expected.json
@@ -47,6 +47,14 @@
         "tls.established": true,
         "tls.resumed": false,
         "tls.server.issuer": "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US",
+        "tls.server.x509.issuer.common_name": "DigiCert SHA2 Secure Server CA",
+        "tls.server.x509.issuer.country": "US",
+        "tls.server.x509.issuer.organization": "DigiCert Inc",
+        "tls.server.x509.subject.common_name": "*.gcp.cloud.es.io",
+        "tls.server.x509.subject.country": "US",
+        "tls.server.x509.subject.locality": "Mountain View",
+        "tls.server.x509.subject.organization": "Elasticsearch Inc.",
+        "tls.server.x509.subject.state_or_province": "California",
         "tls.version": "1.2",
         "tls.version_protocol": "tls",
         "zeek.session_id": "CAOvs1BMFCX2Eh0Y3",
@@ -119,6 +127,14 @@
         "tls.established": true,
         "tls.resumed": false,
         "tls.server.issuer": "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US",
+        "tls.server.x509.issuer.common_name": "DigiCert SHA2 Secure Server CA",
+        "tls.server.x509.issuer.country": "US",
+        "tls.server.x509.issuer.organization": "DigiCert Inc",
+        "tls.server.x509.subject.common_name": "*.gcp.cloud.es.io",
+        "tls.server.x509.subject.country": "US",
+        "tls.server.x509.subject.locality": "Mountain View",
+        "tls.server.x509.subject.organization": "Elasticsearch Inc.",
+        "tls.server.x509.subject.state_or_province": "California",
         "tls.version": "1.2",
         "tls.version_protocol": "tls",
         "zeek.session_id": "C3mki91FnnNtm0u1ok",