From 5b89c850436c5ea6f4d5e7ad02d1cd9fba3b63f8 Mon Sep 17 00:00:00 2001
From: Marc Guasch
Date: Fri, 4 Sep 2020 17:12:29 +0200
Subject: [PATCH] [Filebeat][zeek] Add mappings for x509 fields in kerberos (#20958) (#20975)
* Add mappings for x509 fields in kerberos
* Add changelog entry
* Do gsub in place
(cherry picked from commit de5a4196b138c01d8d50b0c69d5a82c3448e697a)
---
 CHANGELOG.next.asciidoc | 1 +
 .../module/zeek/kerberos/ingest/pipeline.yml | 76 +++++++++++++++++++
 .../zeek/kerberos/test/kerberos-json.log | 2 +-
 .../test/kerberos-json.log-expected.json | 12 +++
 4 files changed, 90 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 0e91429fe8a8..399788bb84ba 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -631,6 +631,7 @@ field. You can revert this change by configuring tags for the module and omittin
 - Avoid goroutine leaks in Filebeat readers. {issue}19193[19193] {pull}20455[20455]
 - Improve Zeek x509 module with `x509` ECS mappings {pull}20867[20867]
 - Improve Zeek SSL module with `x509` ECS mappings {pull}20927[20927]
+- Improve Zeek Kerberos module with `x509` ECS mappings {pull}20958[20958]
 
 *Heartbeat*
 
diff --git a/x-pack/filebeat/module/zeek/kerberos/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/kerberos/ingest/pipeline.yml
index 3604287cb5e7..e0f45f715850 100644
--- a/x-pack/filebeat/module/zeek/kerberos/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/kerberos/ingest/pipeline.yml
@@ -87,6 +87,82 @@ processors:
 field: related.user
 value: "{{user.name}}"
 if: "ctx?.user?.name != null"
+- gsub:
+ field: zeek.kerberos.cert.client.subject
+ pattern: \\,
+ replacement: ""
+ ignore_missing: true
+- kv:
+ field: zeek.kerberos.cert.client.subject
+ field_split: ','
+ value_split: '='
+ target_field: zeek.kerberos.cert.client.kv_sub
+ ignore_missing: true
+- rename:
+ field: zeek.kerberos.cert.client.kv_sub.C
+ target_field: tls.client.x509.subject.country
+ ignore_missing: true
+- rename:
+ field: zeek.kerberos.cert.client.kv_sub.CN
+ target_field: tls.client.x509.subject.common_name
+ ignore_missing: true
+- rename:
+ field: zeek.kerberos.cert.client.kv_sub.L
+ target_field: tls.client.x509.subject.locality
+ ignore_missing: true
+- rename:
+ field: zeek.kerberos.cert.client.kv_sub.O
+ target_field: tls.client.x509.subject.organization
+ ignore_missing: true
+- rename:
+ field: zeek.kerberos.cert.client.kv_sub.OU
+ target_field: tls.client.x509.subject.organizational_unit
+ ignore_missing: true
+- rename:
+ field: zeek.kerberos.cert.client.kv_sub.ST
+ target_field: tls.client.x509.subject.state_or_province
+ ignore_missing: true
+- remove:
+ field: zeek.kerberos.cert.client.kv_sub
+ ignore_missing: true
+- gsub:
+ field: zeek.kerberos.cert.server.subject
+ pattern: \\,
+ replacement: ""
+ ignore_missing: true
+- kv:
+ field: zeek.kerberos.cert.server.subject
+ field_split: ','
+ value_split: '='
+ target_field: zeek.kerberos.cert.server.kv_sub
+ ignore_missing: true
+- rename:
+ field: zeek.kerberos.cert.server.kv_sub.C
+ target_field: tls.server.x509.subject.country
+ ignore_missing: true
+- rename:
+ field: zeek.kerberos.cert.server.kv_sub.CN
+ target_field: tls.server.x509.subject.common_name
+ ignore_missing: true
+- rename:
+ field: zeek.kerberos.cert.server.kv_sub.L
+ target_field: tls.server.x509.subject.locality
+ ignore_missing: true
+- rename:
+ field: zeek.kerberos.cert.server.kv_sub.O
+ target_field: tls.server.x509.subject.organization
+ ignore_missing: true
+- rename:
+ field: zeek.kerberos.cert.server.kv_sub.OU
+ target_field: tls.server.x509.subject.organizational_unit
+ ignore_missing: true
+- rename:
+ field: zeek.kerberos.cert.server.kv_sub.ST
+ target_field: tls.server.x509.subject.state_or_province
+ ignore_missing: true
+- remove:
+ field: zeek.kerberos.cert.server.kv_sub
+ ignore_missing: true
 on_failure:
 - set:
 field: error.message
diff --git a/x-pack/filebeat/module/zeek/kerberos/test/kerberos-json.log b/x-pack/filebeat/module/zeek/kerberos/test/kerberos-json.log
index 416f2a09c3ea..bb5b2c52004d 100644
--- a/x-pack/filebeat/module/zeek/kerberos/test/kerberos-json.log
+++ b/x-pack/filebeat/module/zeek/kerberos/test/kerberos-json.log
@@ -1 +1 @@
-{"ts":1507565599.590346,"uid":"C56Flhb4WQBNkfMOl","id.orig_h":"192.168.10.31","id.orig_p":49242,"id.resp_h":"192.168.10.10","id.resp_p":88,"request_type":"TGS","client":"RonHD/CONTOSO.LOCAL","service":"HOST/admin-pc","success":true,"till":2136422885.0,"cipher":"aes256-cts-hmac-sha1-96","forwardable":true,"renewable":true}
+{"ts":1507565599.590346,"uid":"C56Flhb4WQBNkfMOl","id.orig_h":"192.168.10.31","id.orig_p":49242,"id.resp_h":"192.168.10.10","id.resp_p":88,"request_type":"TGS","client":"RonHD/CONTOSO.LOCAL","service":"HOST/admin-pc","success":true,"till":2136422885.0,"cipher":"aes256-cts-hmac-sha1-96","forwardable":true,"renewable":true,"cert.client_subject":"CN=*.gcp.cloud.es.io,O=Elasticsearch\u005c, Inc.,L=Mountain View,ST=California,C=US","cert.server_subject":"CN=*.gcp.cloud.es.io,O=Elasticsearch\u005c, Inc.,L=Mountain View,ST=California,C=US"}
diff --git a/x-pack/filebeat/module/zeek/kerberos/test/kerberos-json.log-expected.json b/x-pack/filebeat/module/zeek/kerberos/test/kerberos-json.log-expected.json
index e01e42a40366..686322c40578 100644
--- a/x-pack/filebeat/module/zeek/kerberos/test/kerberos-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/kerberos/test/kerberos-json.log-expected.json
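Review bot: The `gsub` that opens the hunk deletes the escaped comma rather than preserving it, so `O=Elasticsearch\, Inc.` ends up as `Elasticsearch Inc.` in `tls.client.x509.subject.organization` and, because the substitution is done in place, in `zeek.kerberos.cert.client.subject` too, which the expected-output fixture confirms; the event then no longer carries the organization name as it appears in the certificate, which matters for anyone correlating these fields against the Zeek x509/ssl logs or a certificate allow-list. One way to keep the value intact is to turn `\,` into a placeholder token before the `kv` step and restore it with a second `gsub` on the renamed `tls.*.x509.subject.*` fields afterwards, rather than `replacement: ""`. The server block further down in the hunk has the same behaviour. Only `\,` is handled; other RFC 4514 escapes such as `\=` or `\+` presumably pass straight through into the split values, and any RDN attribute other than C/CN/L/O/OU/ST is silently discarded by the `remove` of `kv_sub`, both of which deserve a comment on the `gsub` step. The enclosing `processors:` list begins before this hunk.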
@@ -40,8 +40,20 @@
 "tags": [
 "zeek.kerberos"
 ],
+ "tls.client.x509.subject.common_name": "*.gcp.cloud.es.io",
+ "tls.client.x509.subject.country": "US",
+ "tls.client.x509.subject.locality": "Mountain View",
+ "tls.client.x509.subject.organization": "Elasticsearch Inc.",
+ "tls.client.x509.subject.state_or_province": "California",
+ "tls.server.x509.subject.common_name": "*.gcp.cloud.es.io",
+ "tls.server.x509.subject.country": "US",
+ "tls.server.x509.subject.locality": "Mountain View",
+ "tls.server.x509.subject.organization": "Elasticsearch Inc.",
+ "tls.server.x509.subject.state_or_province": "California",
 "user.domain": "CONTOSO.LOCAL",
 "user.name": "RonHD",
+ "zeek.kerberos.cert.client.subject": "CN=*.gcp.cloud.es.io,O=Elasticsearch Inc.,L=Mountain View,ST=California,C=US",
+ "zeek.kerberos.cert.server.subject": "CN=*.gcp.cloud.es.io,O=Elasticsearch Inc.,L=Mountain View,ST=California,C=US",
 "zeek.kerberos.cipher": "aes256-cts-hmac-sha1-96",
 "zeek.kerberos.client": "RonHD/CONTOSO.LOCAL",
 "zeek.kerberos.forwardable": true,