diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index f39a58de8f15..0e91429fe8a8 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -630,6 +630,7 @@ field. You can revert this change by configuring tags for the module and omittin - Return error when log harvester tries to open a named pipe. {issue}18682[18682] {pull}20450[20450] - Avoid goroutine leaks in Filebeat readers. {issue}19193[19193] {pull}20455[20455] - Improve Zeek x509 module with `x509` ECS mappings {pull}20867[20867] +- Improve Zeek SSL module with `x509` ECS mappings {pull}20927[20927] *Heartbeat* diff --git a/x-pack/filebeat/module/zeek/ssl/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/ssl/ingest/pipeline.yml index 4f5fd4851bc0..ad8edd5392f2 100644 --- a/x-pack/filebeat/module/zeek/ssl/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/ssl/ingest/pipeline.yml @@ -76,26 +76,50 @@ processors: field: zeek.ssl.server.issuer.C target_field: zeek.ssl.server.issuer.country ignore_missing: true +- set: + field: tls.server.x509.issuer.country + value: '{{zeek.ssl.server.issuer.country}}' + ignore_empty_value: true - rename: field: zeek.ssl.server.issuer.CN target_field: zeek.ssl.server.issuer.common_name ignore_missing: true +- set: + field: tls.server.x509.issuer.common_name + value: '{{zeek.ssl.server.issuer.common_name}}' + ignore_empty_value: true - rename: field: zeek.ssl.server.issuer.L target_field: zeek.ssl.server.issuer.locality ignore_missing: true +- set: + field: tls.server.x509.issuer.locality + value: '{{zeek.ssl.server.issuer.locality}}' + ignore_empty_value: true - rename: field: zeek.ssl.server.issuer.O target_field: zeek.ssl.server.issuer.organization ignore_missing: true +- set: + field: tls.server.x509.issuer.organization + value: '{{zeek.ssl.server.issuer.organization}}' + ignore_empty_value: true - rename: field: zeek.ssl.server.issuer.OU target_field: zeek.ssl.server.issuer.organizational_unit ignore_missing: true +- set: + field: tls.server.x509.issuer.organizational_unit + value: '{{zeek.ssl.server.issuer.organizational_unit}}' + ignore_empty_value: true - rename: field: zeek.ssl.server.issuer.ST target_field: zeek.ssl.server.issuer.state ignore_missing: true +- set: + field: tls.server.x509.issuer.state_or_province + value: '{{zeek.ssl.server.issuer.state}}' + ignore_empty_value: true - gsub: field: zeek.ssl.subject pattern: \\, @@ -114,26 +138,50 @@ processors: field: zeek.ssl.server.subject.C target_field: zeek.ssl.server.subject.country ignore_missing: true +- set: + field: tls.server.x509.subject.country + value: '{{zeek.ssl.server.subject.country}}' + ignore_empty_value: true - rename: field: zeek.ssl.server.subject.CN target_field: zeek.ssl.server.subject.common_name ignore_missing: true +- set: + field: tls.server.x509.subject.common_name + value: '{{zeek.ssl.server.subject.common_name}}' + ignore_empty_value: true - rename: field: zeek.ssl.server.subject.L target_field: zeek.ssl.server.subject.locality ignore_missing: true +- set: + field: tls.server.x509.subject.locality + value: '{{zeek.ssl.server.subject.locality}}' + ignore_empty_value: true - rename: field: zeek.ssl.server.subject.O target_field: zeek.ssl.server.subject.organization ignore_missing: true +- set: + field: tls.server.x509.subject.organization + value: '{{zeek.ssl.server.subject.organization}}' + ignore_empty_value: true - rename: field: zeek.ssl.server.subject.OU target_field: zeek.ssl.server.subject.organizational_unit ignore_missing: true +- set: + field: tls.server.x509.subject.organizational_unit + value: '{{zeek.ssl.server.subject.organizational_unit}}' + ignore_empty_value: true - rename: field: zeek.ssl.server.subject.ST target_field: zeek.ssl.server.subject.state ignore_missing: true +- set: + field: tls.server.x509.subject.state_or_province + value: '{{zeek.ssl.server.subject.state}}' + ignore_empty_value: true - gsub: field: zeek.ssl.client_issuer pattern: \\, @@ -153,26 +201,50 @@ processors: field: zeek.ssl.client.issuer.C target_field: zeek.ssl.client.issuer.country ignore_missing: true +- set: + field: tls.client.x509.issuer.country + value: '{{zeek.ssl.client.issuer.country}}' + ignore_empty_value: true - rename: field: zeek.ssl.client.issuer.CN target_field: zeek.ssl.client.issuer.common_name ignore_missing: true +- set: + field: tls.client.x509.issuer.common_name + value: '{{zeek.ssl.client.issuer.common_name}}' + ignore_empty_value: true - rename: field: zeek.ssl.client.issuer.L target_field: zeek.ssl.client.issuer.locality ignore_missing: true +- set: + field: tls.client.x509.issuer.locality + value: '{{zeek.ssl.client.issuer.locality}}' + ignore_empty_value: true - rename: field: zeek.ssl.client.issuer.O target_field: zeek.ssl.client.issuer.organization ignore_missing: true +- set: + field: tls.client.x509.issuer.organization + value: '{{zeek.ssl.client.issuer.organization}}' + ignore_empty_value: true - rename: field: zeek.ssl.client.issuer.OU target_field: zeek.ssl.client.issuer.organizational_unit ignore_missing: true +- set: + field: tls.client.x509.issuer.organizational_unit + value: '{{zeek.ssl.client.issuer.organizational_unit}}' + ignore_empty_value: true - rename: field: zeek.ssl.client.issuer.ST target_field: zeek.ssl.client.issuer.state ignore_missing: true +- set: + field: tls.client.x509.issuer.state_or_province + value: '{{zeek.ssl.client.issuer.state}}' + ignore_empty_value: true - gsub: field: zeek.ssl.client_subject pattern: \\, @@ -191,26 +263,50 @@ processors: field: zeek.ssl.client.subject.C target_field: zeek.ssl.client.subject.country ignore_missing: true +- set: + field: tls.client.x509.subject.country + value: '{{zeek.ssl.client.subject.country}}' + ignore_empty_value: true - rename: field: zeek.ssl.client.subject.CN target_field: zeek.ssl.client.subject.common_name ignore_missing: true +- set: + field: tls.client.x509.subject.common_name + value: '{{zeek.ssl.client.subject.common_name}}' + ignore_empty_value: true - rename: field: zeek.ssl.client.subject.L target_field: zeek.ssl.client.subject.locality ignore_missing: true +- set: + field: tls.client.x509.subject.locality + value: '{{zeek.ssl.client.subject.locality}}' + ignore_empty_value: true - rename: field: zeek.ssl.client.subject.O target_field: zeek.ssl.client.subject.organization ignore_missing: true +- set: + field: tls.client.x509.subject.organization + value: '{{zeek.ssl.client.subject.organization}}' + ignore_empty_value: true - rename: field: zeek.ssl.client.subject.OU target_field: zeek.ssl.client.subject.organizational_unit ignore_missing: true +- set: + field: tls.client.x509.subject.organizational_unit + value: '{{zeek.ssl.client.subject.organizational_unit}}' + ignore_empty_value: true - rename: field: zeek.ssl.client.subject.ST target_field: zeek.ssl.client.subject.state ignore_missing: true +- set: + field: tls.client.x509.subject.state_or_province + value: '{{zeek.ssl.client.subject.state}}' + ignore_empty_value: true - set: field: tls.cipher value: '{{zeek.ssl.cipher}}' diff --git a/x-pack/filebeat/module/zeek/ssl/test/ssl-json.log-expected.json b/x-pack/filebeat/module/zeek/ssl/test/ssl-json.log-expected.json index 2897b7df9f29..805d20d2a543 100644 --- a/x-pack/filebeat/module/zeek/ssl/test/ssl-json.log-expected.json +++ b/x-pack/filebeat/module/zeek/ssl/test/ssl-json.log-expected.json @@ -47,6 +47,14 @@ "tls.established": true, "tls.resumed": false, "tls.server.issuer": "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US", + "tls.server.x509.issuer.common_name": "DigiCert SHA2 Secure Server CA", + "tls.server.x509.issuer.country": "US", + "tls.server.x509.issuer.organization": "DigiCert Inc", + "tls.server.x509.subject.common_name": "*.gcp.cloud.es.io", + "tls.server.x509.subject.country": "US", + "tls.server.x509.subject.locality": "Mountain View", + "tls.server.x509.subject.organization": "Elasticsearch Inc.", + "tls.server.x509.subject.state_or_province": "California", "tls.version": "1.2", "tls.version_protocol": "tls", "zeek.session_id": "CAOvs1BMFCX2Eh0Y3", @@ -119,6 +127,14 @@ "tls.established": true, "tls.resumed": false, "tls.server.issuer": "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US", + "tls.server.x509.issuer.common_name": "DigiCert SHA2 Secure Server CA", + "tls.server.x509.issuer.country": "US", + "tls.server.x509.issuer.organization": "DigiCert Inc", + "tls.server.x509.subject.common_name": "*.gcp.cloud.es.io", + "tls.server.x509.subject.country": "US", + "tls.server.x509.subject.locality": "Mountain View", + "tls.server.x509.subject.organization": "Elasticsearch Inc.", + "tls.server.x509.subject.state_or_province": "California", "tls.version": "1.2", "tls.version_protocol": "tls", "zeek.session_id": "C3mki91FnnNtm0u1ok",