diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index df2254e24733..9ce116c58a73 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -796,6 +796,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add Google Workspace module and mark Gsuite module as deprecated {pull}22950[22950]
 - Mark m365 defender, defender atp, okta and google workspace modules as GA {pull}23113[23113]
 - Added support for first_event context in filebeat httpjson input {pull}23437[23437]
+- Add parsing of tcp flags to AWS vpcflow fileset {issue}228020[22820] {pull}23157[23157]
 - Added `alternative_host` option to google pubsub input {pull}23215[23215]
 
 *Heartbeat*
diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc
index 70156f74feea..f55a29a067ee 100644
--- a/filebeat/docs/fields.asciidoc
+++ b/filebeat/docs/fields.asciidoc
@@ -2250,6 +2250,16 @@ type: keyword
 The bitmask value for the following TCP flags: 2=SYN,18=SYN-ACK,1=FIN,4=RST
 
 
+type: keyword
+
+--
+
+*`aws.vpcflow.tcp_flags_array`*::
++
+--
+List of TCP flags: 'fin, syn, rst, psh, ack, urg'
+
+
 type: keyword
 
 --
diff --git a/x-pack/filebeat/module/aws/fields.go b/x-pack/filebeat/module/aws/fields.go
index 18b5652f8046..51481178803e 100644
--- a/x-pack/filebeat/module/aws/fields.go
+++ b/x-pack/filebeat/module/aws/fields.go
@@ -19,5 +19,5 @@ func init() { // AssetAws returns asset data. // This is the base64 encoded gzipped contents of module/aws. func AssetAws() string { - return "eJzcXN9z47Zzf7+/Yicv8c1I7nwvmU7HnXRG5/M1apyLa+mS9omByBWFGgIYAJROmf7xnQXAHxJBWbaoXKZ+SHwmCXx2sb+xwBiecHcDbGveAFhuBd7A5LfZGwCNApnBG1igZW8AMjSp5oXlSt7Av70BAPhZZaVAWCoNKyYzwWUOQuUGllqtaZjrNwBLjiIzN+6DMUi2xmo6+rG7Am8g16oswl8i89DPRzdMPbKb5zo8bU/RniYVqsysZlzUj2Iz0s8htdVPhktWCpu4KW5gyYTBvcdRsG3ASju8t4RlTlj2oMfgt0nADUqbbFAbruTeGxUlT7jbKp0dPDsCjH7mK2wjCuODWoJdIQH0ExP6NbPXUWilQZ3wDKXldheFdsjkLrBxFBmNPA0DAwpcE5RUScu4NJChZVwYYAtVWoeXZgO17Iw1nfwMFUCwK2ZhzTJ0n2j8o0RjR8BkBtsVT1eQanTvMmFgixo7w5UGs2uYLsHiulCa6V3nG/fOyM1Q4TYrtTWwUlv6a2fMzgBqQVRidn3wakxI2qtBPOg8PC4j3eWIvOBXJHDYEdaz5C3t1oeS+nIkXcGooEzW7E8l4RGNKnWK8ImtEa4mj5/eVgALzWXKCyYO1jxlQhyytYU6TdGY5Al3CY/hGwq/n4cGgukHj3DLjBMcsAoMz2VbQvsBGzSktAkpBn6xvZBjWngq4OmyjcUBdezccrtqqYHBtNQxkYB9ESd1qxXDkV5oteEZGuDS2xoyQ41mBxqj49asSzUyi5kztXalDLanjHzap0pt5q6XLGGlXdEoKY0efft5qTiV0RCkY8NEicANWE3/D+xXyjqjCEo7o+Z+3xKpvYNFLVNgUbOgTBjleLhHq19eFmc7/fz8cQIZbniK/wrKrlBvucGR945dgW3z1a0VSW3GbB94z9MjL7yEoTSMM/KWrxG2K/Ta1ZXdLse4MWXXEO/TUymhe1cfJahPD19C0RD6CK/Xyd7xgns73Z1VP8d0EZ53b9XPKWoIL+AzBOkJPiY4luNCMwJTpqujQzIDj0rZESnxZ4N6RAr9qESP0rQZUDu1uHe6NCO4tKglE+SzAjfacVXbg+XYLyewL3vPkx2PJS5N7eTxU0VlkIArlqaqlH7pnP11a6eVwLdHh4ux5xlBOoErHszXEYUwuadMbaW5nDRU9HK5UU+YJYuYRRsqMKOpqlWnjM2gJg/XlziQsgOLxRdQxah3t+9gUloFs5S55DjkgneCGctTeI9MGsvEUzzBQq2VTlKVHVq+0xO/eH7Vps5NUgcawa9otKWWxnkGen4M3xqNYfmQEKfHwfj0qjVIbZD6oYaxkoJptkaL+nDdzmVpM/CImMnkbhR0gbygId/qfXR/ZL8uheXJs3nesVC/5+EzRYw2m0yhpMEkxANDc6kav443KB5lKX1jKj17QkhXTOZo4MpH9qNuJl5QWOcscIYCKcLzg7z9GzKVZRkncEwkrqiSsb0K07l8ndTDU6zLWsmTL+HUFlkqS2Jqg7p0Bqr0jdxaWKe/ITcrTe64vnNl02dejlu+wrHkaPb01UeEwW4ukMu8W85hQmAGOUrUzLrvufFD99hQV9+LRLdnGdB9/FXxpiUPFcCsJSgaU6WzOExW8LOLkM/inDxM60okM0alvElG3fOtmRT8lgnRGclRMCc6j/B6zSTLnd3xijikEsJ7pQQy2SNG2xVSmtziNjdwaAWghdC/1efMWJYoKeJF17OXosHKDaiC5IRWhAC7qcc0dfOgD6MPnOMe5DWF4QkIbpzxqscOtTTMgMuGtS+tnF6uXFnXKCePn7qB4knB/BAwJiFgb1K3ioMUvkeqFoP
WlJ9hjTNOtaboaiV94cHtRd3csK0ZB7s7dshuyNON6VP37x4JTHnBSdl7GXyOwjxioZHiOm+7WMNjp/saU+QbZ1+5OabMgS5vkZKwt3E5G1uH/TTdCLhMRZlRarIl1FbzPEft3ULcyPpampehUvwdg1izYhqzwNBB1/zfP08/tFznYtfeQ7MKSsn/KFHsKnluP49zM2xoupWh9JMyMx/KBhdifO5gFWR8uURN//D7s/s/Qf5MXMg2RZqgzArFh2bJgXj9+nAL1USkyn5nLQRQoSToUmlHdtcB0vdWAZOuqtxOVOuEu0quZ98di6hSZjFX+tUu8n+7pM7cRl7jwasp6pUqgye6V+qpLO78+lJE2FqVrmCP4aPSHc9vfJZbbwc0zyPVIT+Ei/6jH9OT3s+m0vB8ZU38U+6fxlmdKmmUwESonMfjwtc4+rBxbgpM+ZKnJA+3fqJ7mifgfKmTfz4JO466izzua5tszAkAfKBVoTT3eRqO0dGmZa0WXGBPPL5PycJHpT3vnLzr0A0O96ih7NIptEcGx5BVRDiZSaw6Cn+YfbXPj/edFTjO4CVLSJm/DmudC4UlS63S7X05cgrbnoIjhPYEyEpN3ryX1IrEpWDWouzQ+Hq1vZs1gzqL4yI74rta/A+m1hGofRHVlAsv6MA0ym8tPEm1lWQ7WbZhMu0UHgZV7z7au1Q+p+LnFVzgtKLLC6qYr6GxvyA+QE3z9NLisNCHKjTCi4qNL4vqh6N4wBgfTorzKzIznqOJ11HO8PzOldzWvXvwwc0C9yp/qdcXKk+WXHSqEA1MiSbe3HFSYl2XJO5V7uaputSakoRn0RFJsUzbxPJ1f6bd0wlxqi64GWj5P89vfReEJqn3atBABCIAUkXOO64Ilj3RMMwXglwyknp77katw32hcvDcWLFNXMQWiJK0iW+cJO5lUv28QpldlFMos/8XfDLfJYsyfYruvF5kt7TKyMBPSyG7J9H1hJRad6utYbYWS1fMHNB7lEIfVVyQwoYqP5Vr2bsKyd4oSnh0LKF88Fb3JwaGtInvp1Tillx+2Ce4oPDXUh9QrpXxZawqJQW2ViTWQhwLaEJZI1i/RsRPNIdKZF+HXD9xD6X9+Rq8mtJC44ar0iR/hbYe19AKyp469qUaJ2hnTdqKmVXCRK40t6v1X2SNaFKoJ+12pLjnfeIbY8URQsuF4KnrGV5ymaMuNI9auqHoXOEXlmHK10wAylRlmEFr5roD2uFyBovIjw63ZjZdhYix0HzDLLoPDhqR+YmsoNeZLTX+JevdLG+nb7oXbdNM5EpaR2vtfRH5c/h8jTDey1zKDLXYUWgQYnBD68VkXYKL14ibyqc3Tn7jZOSbgFnu37DMcmN5akZuG5Uo7QYn/qxDZCfSVmEiJTkos0qOjgNr2Lt34GZLgvXmkKNf58DNb4TlRQdujrUzRXYmnqkX7IOoBu8yDtN3X59jd7fv/PEtLlvAT2UcLxKWZRrN63evOuxrOk/RQhi92cN0FQfUEW6KxenczC/Dy/v3LxK7zjbm2Xxru0ShWAYLJphMsadD7qwWlCiA9pmhPQCOSZt3cE9/fB/+2LNzZZnO0SZu9a67O/VnQmz1+fqJvJg0pxl7S1t1hYEb8hOHe+hn4nLSE0bu7CdT8iklpv3NF4VWVqXqcM/xTFDVqPE1vVpZW5D7sGnx9pkmTK1SNIbL3EX41wbTHiesOrHLKXKnLBN1qm0wVTIzYHiVhDfc81VXX4DlpuFxKS0XwPe2XymVz2lJXB7O0ieUPb1S4eHfiMwWGfQkAATLhdj7gwsBTCieZlzmvb09vpT7lSmsi7zttav30/eo3F9Lxx7Be3syGtZ5utZxlyZUpwPwZVRV9YDWSklYcyF4IHYUqPXwVeH2VloEpUKZw0SstpyC8i+ZmRV7wsvSUZ0qm9/PoJ6SGJ2qdeEq5gd0gYpIaV3/QWPZQnCz6iOtUj9+WGA+08JNHw6DjEqIGkn3KdFzFrhCWCj
9+jbDuBVW2lYlhnPRkcm+rredKIcozXnnDaKQ/cBAA3fV86r9tKug/gPyh6S/VmlfWf+9F/rvUYqNEUnKi9XQjno2uwc/bt39Mb+f/ZP7c70IPaENYbqMp6bpa2/9YlzpShmUSYraXjTi8vMAzcOX7uAphJY6n9G3hOC18A1qzgZmrh8TZLleoL4wLVymau3cqzAJEzi0MaHcKkcd2n3U0llwN0/Loy52sRC+0mNPldsgDhT3uyP6LUtiO4Nn0kGw3eA+fu9BoFmK53S/Rad2p++lrT3G7/81nqz/lOM5zTaeZr/DClnWl3X5IlyW6FJQOMVV5NTu2WG7H7VZZBc7laI+2eYg7B9u40sKeOmd8LjnWIAPkvALpmV3G/VM4KEPshrcn93ec3XNGbGrpdJbprMRLPkXzMaVZxjtHWy/vr5+ew1TCymT1U4tGNygZsKzp0cPNWZcY2qTUg9sTT4/3gcL7Tge5nGFw7Tq+KlZcOQY3rVGZoa+IcafDfQjV0cE6+UI+JaMi94Q1CfvwwZB92HLvQnW0LjKJk1j6ljUz23qE+3hoICLj45m9AH0RaKhCnsr5ml1AFdCa/ZrEn1+TjBjvLMZ/Gqg/bEdTzM0O5nCmlueHzn3sf9lcgmpPAAXxJN42a0Emu/8EZGvXQ6cfee6clBX17+8pDbot+yS2FmNc1nJpJI8ZcJvJjQHRNxcB0fgPYyejCK2gTlgAbPataxaMdoXYDTKzXLGZZ9ea1wri0lPztj58ykOqiiY9iHdySVq6NbD/rJFredzvWwMxk48S7l/90vVrH+8hjdkGDUBY13X6t7RimbLOnqyAllzsCAOtT6hNix7mxNxrkKbwcrfFQMZpoJRfsoMzH6ZPFzXb47g8W42v/5xPn9I1mhXKruuTmC5o58j+O3u/Ww6vzv2itLwfjK//fH6w9393fzu+pf3/3F3O4+T/oQDB5HfPOHum3YzaxMqUgQTtqIdyG/G31SxQsOqTKHvh7XsCYG5jea6vfS4pJWaD0vLox94/PlxukcR8b42LJ2duja0lbVFCBAGLKjJco2apx5HuyrSHNqL9AcPeFlEPGGv1fDORYO3KsP2OksVwkSVur6mvpLdzqJJTN+p21dzLOTgdSnYzePqSCPAL1Xjq2Nps3+xQU1JWZuMP1GrHjPimr8Sw/+Mc/ac6ikNWrtc32TGJTgJ7I2w3Jex1qhhOLlXpj10tVzCUvB8ZVvH1lxY862BArUpKHfZ9EioLbVMmFZlvIvzIvCZbQmwKchZtzLInSr1cR/i2jf10B56LxN3svkY5gnFgufLKe7yTdf8cWlonw3q8YRmOlrJCGd+Bq+vVBcCTD9UVe/a85zqbMIQ0+w5l7NSA0c2RMCXMVv/OebZ+J27/qeWRvxiUWZNwAXTDz114rqz6iLXwNbDV3wawYznvzq09Mv3o24LXTti3DMSr44rfRE9MSXvdHWeWwzHlIibKcogDNyzHWq4ms3u31aV++bADubK8vouSRL/WYw0etBTENs7rnXevR5xvxGaKuoLHPfPh/nrZyelXf3odNWfe9l/x2uxGcF/lqh3Mx9603t/0L+rWPyq0Dgm2cCMQry3r19ap1V+0oHLU9VB40osQz2dfn3mkLAV5jLaNNdMGrdH5wVtVt3vdjW/n72trVlL0kJ5/XA/unV0eynU9vQCxqW6w359uAVC8qLSxUV4TEg+EpJ7lZtqCncx806VJAzhgjBHeLhJIhxrDuznBt7VH/iDxjtgkJbGqnXfFz2iNMDtEvHA210FUN8qUdU1qyXo2zCyqJeX2OdoyggS7Vbpp2Yuh63pJreaLZc8DV0ZSmfHdw+GhXlweULsGqGAbwST29u7h7m7gvOuP5cWKj+W670aqVB5ToY2ZHqBudXyjuCXn0bw6ZcPk/nEeeKfpg/0e29Ls2XyoqteTeFY+22Xs6+QilEVutVjc+Mqj84o7lTZ0932ZBOjU5ZlcX/ymlJewSg6GAvcoIArpXn
OJRNvq9JntzEkkNOPMDP2L0GYUa4ovWdvway3QY7h3BTpBSXG3eVBeljf3D+o9TDlQuLwZrfB7ye4JAk2LZKlYJ1jrWeSsOB2zcxTyOVqx6GEUFuyOPPbB3DT3sC7H2b//Wn0j3+h/40ntz+N/vHDx+mn0fc/PM7mcciXaxP2XLuB6cPm+xH9959dinf3cXL95v8CAAD//7hdU30=" + return "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" } diff --git a/x-pack/filebeat/module/aws/vpcflow/_meta/fields.yml b/x-pack/filebeat/module/aws/vpcflow/_meta/fields.yml index 226860698481..f1c658b8a450 100644 --- a/x-pack/filebeat/module/aws/vpcflow/_meta/fields.yml +++ b/x-pack/filebeat/module/aws/vpcflow/_meta/fields.yml @@ -49,6 +49,10 @@ type: keyword description: > The bitmask value for the following TCP flags: 2=SYN,18=SYN-ACK,1=FIN,4=RST + - name: tcp_flags_array + type: keyword + description: > + List of TCP flags: 'fin, syn, rst, psh, ack, urg' - name: type type: keyword description: > diff --git a/x-pack/filebeat/module/aws/vpcflow/ingest/pipeline.yml b/x-pack/filebeat/module/aws/vpcflow/ingest/pipeline.yml index a8a6e5ae7262..0a87d6baaded 100644 --- a/x-pack/filebeat/module/aws/vpcflow/ingest/pipeline.yml +++ b/x-pack/filebeat/module/aws/vpcflow/ingest/pipeline.yml 
@@ -128,6 +128,39 @@ processors:
 field: event.kind
 value: event
 
+ - script:
+ lang: painless
+ ignore_failure: true
+ source: |
+ if (ctx?.aws?.vpcflow?.tcp_flags == null)
+ return;
+
+ if (ctx?.aws?.vpcflow?.tcp_flags_array == null) {
+ ArrayList al = new ArrayList();
+ ctx.aws.vpcflow.put("tcp_flags_array", al);
+ }
+
+ def flags = Integer.parseUnsignedInt(ctx.aws.vpcflow.tcp_flags);
+
+ if ((flags & 0x01) != 0) {
+ ctx.aws.vpcflow.tcp_flags_array.add('fin');
+ }
+ if ((flags & 0x02) != 0) {
+ ctx.aws.vpcflow.tcp_flags_array.add('syn');
+ }
+ if ((flags & 0x04) != 0) {
+ ctx.aws.vpcflow.tcp_flags_array.add('rst');
+ }
+ if ((flags & 0x08) != 0) {
+ ctx.aws.vpcflow.tcp_flags_array.add('psh');
+ }
+ if ((flags & 0x10) != 0) {
+ ctx.aws.vpcflow.tcp_flags_array.add('ack');
+ }
+ if ((flags & 0x20) != 0) {
+ ctx.aws.vpcflow.tcp_flags_array.add('urg');
+ }
+
 on_failure:
 - set:
 field: "error.message"
diff --git a/x-pack/filebeat/module/aws/vpcflow/test/custom-transit-gateway.log-expected.json b/x-pack/filebeat/module/aws/vpcflow/test/custom-transit-gateway.log-expected.json
index 0a8feef3be5a..f8b8a3a33574 100644
--- a/x-pack/filebeat/module/aws/vpcflow/test/custom-transit-gateway.log-expected.json
+++ b/x-pack/filebeat/module/aws/vpcflow/test/custom-transit-gateway.log-expected.json
@@ -9,6 +9,10 @@
 "aws.vpcflow.pkt_srcaddr": "10.20.33.164",
 "aws.vpcflow.subnet_id": "subnet-22222222bbbbbbbbb",
 "aws.vpcflow.tcp_flags": "3",
+ "aws.vpcflow.tcp_flags_array": [
+ "fin",
+ "syn"
+ ],
 "aws.vpcflow.type": "IPv4",
 "aws.vpcflow.version": "3",
 "aws.vpcflow.vpc_id": "vpc-abcdefab012345678",
diff --git a/x-pack/filebeat/module/aws/vpcflow/test/tcp-flag-sequence.log b/x-pack/filebeat/module/aws/vpcflow/test/tcp-flag-sequence.log
index 28ca1ca949f1..32c4f31a9b67 100644
--- a/x-pack/filebeat/module/aws/vpcflow/test/tcp-flag-sequence.log
+++ b/x-pack/filebeat/module/aws/vpcflow/test/tcp-flag-sequence.log
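Review bot: The empty list is attached to the document before the flags value is parsed: `ctx.aws.vpcflow.put("tcp_flags_array", al);` runs ahead of `def flags = Integer.parseUnsignedInt(ctx.aws.vpcflow.tcp_flags);`, so a non-numeric tcp_flags value (AWS appears to write `-` for fields it cannot compute) makes the parse throw, `ignore_failure: true` swallows the exception, and the event is indexed with an empty `aws.vpcflow.tcp_flags_array` and no `error.message`, bypassing the pipeline's `on_failure` handler. Moving the `def flags = ...` line above the `tcp_flags_array == null` block means such events simply keep the raw tcp_flags and gain no array. If bad input is meant to be tolerated explicitly, a `try { ... } catch (NumberFormatException e) { return; }` around the parse is clearer than a blanket `ignore_failure`, which also hides genuine script errors from the fixture tests. The processors list this script is appended to starts outside the hunk.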
@@ -1,2 +1,4 @@
 version vpc-id subnet-id instance-id interface-id account-id type srcaddr dstaddr srcport dstport pkt-srcaddr pkt-dstaddr protocol bytes packets start end action tcp-flags log-status
 3 vpc-abcdefab012345678 subnet-aaaaaaaa012345678 i-01234567890123456 eni-1235b8ca123456789 123456789010 IPv4 52.213.180.42 10.0.0.62 43416 5001 52.213.180.42 10.0.0.62 6 568 8 1566848875 1566848933 ACCEPT 2 OK
+3 vpc-abcdefab012345678 subnet-aaaaaaaa012345678 i-01234567890123456 eni-1235b8ca123456789 123456789010 IPv4 52.213.180.42 10.0.0.62 43638 5001 52.213.180.42 10.0.0.62 6 1260 17 1566933133 1566933193 ACCEPT 3 OK
+3 vpc-abcdefab012345678 subnet-aaaaaaaa012345678 i-01234567890123456 eni-1235b8ca123456789 123456789010 IPv4 10.0.0.62 52.213.180.42 5001 43638 10.0.0.62 52.213.180.42 6 967 14 1566933133 1566933193 ACCEPT 19 OK
diff --git a/x-pack/filebeat/module/aws/vpcflow/test/tcp-flag-sequence.log-expected.json b/x-pack/filebeat/module/aws/vpcflow/test/tcp-flag-sequence.log-expected.json
index ba0293752ca0..7f79d4895956 100644
--- a/x-pack/filebeat/module/aws/vpcflow/test/tcp-flag-sequence.log-expected.json
+++ b/x-pack/filebeat/module/aws/vpcflow/test/tcp-flag-sequence.log-expected.json
@@ -10,6 +10,9 @@
 "aws.vpcflow.pkt_srcaddr": "52.213.180.42",
 "aws.vpcflow.subnet_id": "subnet-aaaaaaaa012345678",
 "aws.vpcflow.tcp_flags": "2",
+ "aws.vpcflow.tcp_flags_array": [
+ "syn"
+ ],
 "aws.vpcflow.type": "IPv4",
 "aws.vpcflow.version": "3",
 "aws.vpcflow.vpc_id": "vpc-abcdefab012345678",
@@ -60,5 +63,138 @@ "tags": [ "forwarded" ] + }, + { + "@timestamp": "2019-08-27T19:13:13.000Z", + "aws.vpcflow.account_id": "123456789010", + "aws.vpcflow.action": "ACCEPT", + "aws.vpcflow.instance_id": "i-01234567890123456", + "aws.vpcflow.interface_id": "eni-1235b8ca123456789", + "aws.vpcflow.log_status": "OK", + "aws.vpcflow.pkt_dstaddr": "10.0.0.62", + "aws.vpcflow.pkt_srcaddr": "52.213.180.42", + "aws.vpcflow.subnet_id": "subnet-aaaaaaaa012345678", + "aws.vpcflow.tcp_flags": "3", + "aws.vpcflow.tcp_flags_array": [ + "fin", + "syn" + ], + "aws.vpcflow.type": "IPv4", + "aws.vpcflow.version": "3", + "aws.vpcflow.vpc_id": "vpc-abcdefab012345678", + "cloud.account.id": "123456789010", + "cloud.instance.id": "i-01234567890123456", + "cloud.provider": "aws", + "destination.address": "10.0.0.62", + "destination.ip": "10.0.0.62", + "destination.port": 5001, + "event.category": "network_traffic", + "event.dataset": "aws.vpcflow", + "event.end": "2019-08-27T19:13:13.000Z", + "event.kind": "event", + "event.module": "aws", + "event.original": "3 vpc-abcdefab012345678 subnet-aaaaaaaa012345678 i-01234567890123456 eni-1235b8ca123456789 123456789010 IPv4 52.213.180.42 10.0.0.62 43638 5001 52.213.180.42 10.0.0.62 6 1260 17 1566933133 1566933193 ACCEPT 3 OK", + "event.outcome": "allow", + "event.start": "2019-08-27T19:12:13.000Z", + "event.type": "flow", + "fileset.name": "vpcflow", + "input.type": "log", + "log.offset": 393, + "network.bytes": 1260, + "network.community_id": "1:nOrJcppKxIxs557D2oKADkNCpno=", + "network.iana_number": "6", + "network.packets": 17, + "network.transport": "tcp", + "network.type": "ipv4", + "related.ip": [ + "52.213.180.42", + "10.0.0.62" + ], + "service.type": "aws", + "source.address": "52.213.180.42", + "source.as.number": 16509, + "source.as.organization.name": "Amazon.com, Inc.", + "source.bytes": 1260, + "source.geo.city_name": "Dublin", + "source.geo.continent_name": "Europe", + "source.geo.country_iso_code": "IE", + 
"source.geo.country_name": "Ireland", + "source.geo.location.lat": 53.3338, + "source.geo.location.lon": -6.2488, + "source.geo.region_iso_code": "IE-L", + "source.geo.region_name": "Leinster", + "source.ip": "52.213.180.42", + "source.packets": 17, + "source.port": 43638, + "tags": [ + "forwarded" + ] + }, + { + "@timestamp": "2019-08-27T19:13:13.000Z", + "aws.vpcflow.account_id": "123456789010", + "aws.vpcflow.action": "ACCEPT", + "aws.vpcflow.instance_id": "i-01234567890123456", + "aws.vpcflow.interface_id": "eni-1235b8ca123456789", + "aws.vpcflow.log_status": "OK", + "aws.vpcflow.pkt_dstaddr": "52.213.180.42", + "aws.vpcflow.pkt_srcaddr": "10.0.0.62", + "aws.vpcflow.subnet_id": "subnet-aaaaaaaa012345678", + "aws.vpcflow.tcp_flags": "19", + "aws.vpcflow.tcp_flags_array": [ + "fin", + "syn", + "ack" + ], + "aws.vpcflow.type": "IPv4", + "aws.vpcflow.version": "3", + "aws.vpcflow.vpc_id": "vpc-abcdefab012345678", + "cloud.account.id": "123456789010", + "cloud.instance.id": "i-01234567890123456", + "cloud.provider": "aws", + "destination.address": "52.213.180.42", + "destination.as.number": 16509, + "destination.as.organization.name": "Amazon.com, Inc.", + "destination.geo.city_name": "Dublin", + "destination.geo.continent_name": "Europe", + "destination.geo.country_iso_code": "IE", + "destination.geo.country_name": "Ireland", + "destination.geo.location.lat": 53.3338, + "destination.geo.location.lon": -6.2488, + "destination.geo.region_iso_code": "IE-L", + "destination.geo.region_name": "Leinster", + "destination.ip": "52.213.180.42", + "destination.port": 43638, + "event.category": "network_traffic", + "event.dataset": "aws.vpcflow", + "event.end": "2019-08-27T19:13:13.000Z", + "event.kind": "event", + "event.module": "aws", + "event.original": "3 vpc-abcdefab012345678 subnet-aaaaaaaa012345678 i-01234567890123456 eni-1235b8ca123456789 123456789010 IPv4 10.0.0.62 52.213.180.42 5001 43638 10.0.0.62 52.213.180.42 6 967 14 1566933133 1566933193 ACCEPT 19 OK", + 
"event.outcome": "allow", + "event.start": "2019-08-27T19:12:13.000Z", + "event.type": "flow", + "fileset.name": "vpcflow", + "input.type": "log", + "log.offset": 605, + "network.bytes": 967, + "network.community_id": "1:nOrJcppKxIxs557D2oKADkNCpno=", + "network.iana_number": "6", + "network.packets": 14, + "network.transport": "tcp", + "network.type": "ipv4", + "related.ip": [ + "10.0.0.62", + "52.213.180.42" + ], + "service.type": "aws", + "source.address": "10.0.0.62", + "source.bytes": 967, + "source.ip": "10.0.0.62", + "source.packets": 14, + "source.port": 5001, + "tags": [ + "forwarded" + ] } ] \ No newline at end of file