Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Cherry-pick #17155 to 7.x: [Filebeat] Improve AWS cloudtrail field mappings #17187

Merged
merged 1 commit into from
Mar 23, 2020

Conversation

leehinman
Copy link
Contributor

@leehinman leehinman commented Mar 23, 2020

Cherry-pick of PR #17155 to 7.x branch. Original message:

  • sessionIssuer.type -> aws.cloudtrail.user_identity.session_issuer.type
  • sessionIssuer.principalId -> aws.cloudtrail.user_identity.session_issuer.principal_id
  • sessionIssuer.userName -> user.name
  • sessionIssuer.arn -> aws.cloudtrail.user_identity.session_issuer.arn
  • sessionIssuer.accountId -> aws.cloudtrail.user_identity.session_issuer.account_id
  • add aws.cloudtrail.console_login.additional_eventdata.mobile_version
  • add aws.cloudtrail.console_login.additional_eventdata.login_to
  • add aws.cloudtrail.console_login.additional_eventdata.mfa_used
  • copy source.address to source.ip if value is an IP address

Closes #16086
Closes #16110

What does this PR do?

  • Adds session Issuer information when assumed roles are used
  • Adds specific fields when ConsoleLogin events
  • sets source.ip

Why is it important?

  • Session Issuer is needed for assumed roles
  • ConsoleLogin information is needed to easily determine if MFA was used
  • source.ip should be set when source .address is an IP address

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
    - [] I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works

* Improve AWS cloudtrail field mappings

- sessionIssuer.type -> aws.cloudtrail.user_identity.session_issuer.type
- sessionIssuer.principalId -> aws.cloudtrail.user_identity.session_issuer.principal_id
- sessionIssuer.userName -> user.name
- sessionIssuer.arn -> aws.cloudtrail.user_identity.session_issuer.arn
- sessionIssuer.accountId -> aws.cloudtrail.user_identity.session_issuer.account_id
- add aws.cloudtrail.console_login.additional_eventdata.mobile_version
- add aws.cloudtrail.console_login.additional_eventdata.login_to
- add aws.cloudtrail.console_login.additional_eventdata.mfa_used
- copy source.address to source.ip if value is an IP address

Closes elastic#16086
Closes elastic#16110

(cherry picked from commit 57e194b)
@elasticmachine
Copy link
Collaborator

Pinging @elastic/siem (Team:SIEM)

@leehinman leehinman merged commit 6a40f4b into elastic:7.x Mar 23, 2020
@leehinman leehinman deleted the backport_17155_7.x branch March 23, 2020 21:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

3 participants