adding a for loop with script processor to add values from cisco.umbr…

…ella.identities to related.user field (#25776) * adding users from cisco.umbrella.identities to related.user field Co-authored-by: Lee E. Hinman <[email protected]> (cherry picked from commit cec5906)
elastic · May 25, 2021 · 831755c · 831755c
1 parent 5e60010
commit 831755c
Show file tree

Hide file tree

Showing 4 changed files with 72 additions and 0 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -541,6 +541,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add multiline support to aws-s3 input. {issue}25249[25249] {pull}25710[25710]
 - Add monitoring metrics to the `aws-s3` input. {pull}25711[25711]
 - Add Content-Type override to aws-s3 input. {issue}25697[25697] {pull}25772[25772]
+- In Cisco Umbrella fileset add users from cisco.umbrella.identities to related.user. {pull}25776[25776]
 
 *Heartbeat*
 

diff --git a/x-pack/filebeat/module/cisco/umbrella/ingest/pipeline.yml b/x-pack/filebeat/module/cisco/umbrella/ingest/pipeline.yml
@@ -236,6 +236,29 @@ processors:
     field: related.hash
     value: "{{cisco.umbrella.sha_sha256}}"
     if: ctx?.cisco?.umbrella?.sha_sha256 != null
+- script:
+    if: ctx?.cisco?.umbrella?.identities != null && ctx.cisco.umbrella.identities instanceof List
+    lang: painless
+    description: "Extract user name values from ctx.cisco.umbrella.identities and append it to related.user"
+    source: |-
+      void addRelatedUser(def ctx, def x) {
+        if (ctx?.related == null) {
+          Map map = new HashMap();
+          ctx.put("related", map);
+        }
+        if (ctx?.related?.user == null) {
+          ArrayList al = new ArrayList();
+          ctx.related.put("user", al);
+        }
+        if (!ctx.related.user.contains(x)) {
+          ctx.related.user.add(x);
+        }
+      }
+      for (cisco_identity in ctx.cisco.umbrella.identities) {
+        if (cisco_identity.contains('@')) {
+          addRelatedUser(ctx, cisco_identity);
+        }
+      }
 
 ###########
 # Cleanup #

diff --git a/x-pack/filebeat/module/cisco/umbrella/test/umbrella-dnslogs.log b/x-pack/filebeat/module/cisco/umbrella/test/umbrella-dnslogs.log
@@ -1,2 +1,3 @@
 "2020-07-23 23:49:54","elasticuser","elasticuser2","some other identity","192.168.1.1","8.8.8.8","Allowed","1 (A)","NOERROR","elastic.co.","Software/Technology,Business Services,Application","Test Policy Name","SomeIdentityType",""
 "2020-07-23 23:50:25","elasticuser","elasticuser2","some other identity","192.168.1.1","4.4.4.4","Blocked","1 (A)","NOERROR","elastic.co/something.","Chat,Instant Messaging,Block List,Application","Test Policy Name","SomeIdentityType","BlockedCategories"
+"2021-05-14 19:39:58","elastic_machine","elastic_machine,Elastic User ([email protected])","1.1.1.1","2.2.2.2","Allowed","1 (A)","NOERROR","elastic.co.","Infrastructure","Roaming Computers","Roaming Computers,AD Users",""
diff --git a/x-pack/filebeat/module/cisco/umbrella/test/umbrella-dnslogs.log-expected.json b/x-pack/filebeat/module/cisco/umbrella/test/umbrella-dnslogs.log-expected.json
@@ -88,5 +88,52 @@
         "source.address": "some other identity",
         "source.domain": "some other identity",
         "source.user.name": "elasticuser"
+    },
+    {
+        "@timestamp": "2021-05-14T19:39:58.000Z",
+        "cisco.umbrella.categories": "Infrastructure",
+        "cisco.umbrella.identities": [
+            "Elastic User ([email protected])",
+            "elastic_machine"
+        ],
+        "cisco.umbrella.identity_types": "Roaming Computers,AD Users",
+        "cisco.umbrella.policy_identity_type": "Roaming Computers",
+        "destination.address": "2.2.2.2",
+        "destination.domain": "elastic.co.",
+        "destination.ip": "2.2.2.2",
+        "dns.question.type": "1 (A)",
+        "dns.response_code": "NOERROR",
+        "dns.type": "query",
+        "event.action": "dns-request-Allowed",
+        "event.category": "network",
+        "event.dataset": "cisco.umbrella",
+        "event.module": "cisco",
+        "event.original": "\\\"2021-05-14 19:39:58\\\",\\\"elastic_machine\\\",\\\"elastic_machine,Elastic User ([email protected])\\\",\\\"1.1.1.1\\\",\\\"2.2.2.2\\\",\\\"Allowed\\\",\\\"1 (A)\\\",\\\"NOERROR\\\",\\\"elastic.co.\\\",\\\"Infrastructure\\\",\\\"Roaming Computers\\\",\\\"Roaming Computers,AD Users\\\",\\\"\\\"",
+        "event.type": [
+            "allowed",
+            "connection"
+        ],
+        "fileset.name": "umbrella",
+        "input.type": "log",
+        "log.offset": 487,
+        "message": "\"2021-05-14 19:39:58\",\"elastic_machine\",\"elastic_machine,Elastic User ([email protected])\",\"1.1.1.1\",\"2.2.2.2\",\"Allowed\",\"1 (A)\",\"NOERROR\",\"elastic.co.\",\"Infrastructure\",\"Roaming Computers\",\"Roaming Computers,AD Users\",\"\"",
+        "observer.product": "Umbrella",
+        "observer.type": "dns",
+        "observer.vendor": "Cisco",
+        "related.hosts": [
+            "elastic.co."
+        ],
+        "related.ip": [
+            "1.1.1.1",
+            "2.2.2.2"
+        ],
+        "related.user": [
+            "Elastic User ([email protected])",
+            "elastic_machine"
+        ],
+        "service.type": "cisco",
+        "source.address": "1.1.1.1",
+        "source.ip": "1.1.1.1",
+        "source.user.name": "elastic_machine"
     }
 ]