diff --git a/.buildkite/hooks/pre-command b/.buildkite/hooks/pre-command
index c9b5182c6d1..3c1ed5c91f7 100755
--- a/.buildkite/hooks/pre-command
+++ b/.buildkite/hooks/pre-command
@@ -82,12 +82,6 @@ if [[ "${BUILDKITE_PIPELINE_SLUG}" == "integrations-publish" ]]; then
 fi
 if [[ "${BUILDKITE_PIPELINE_SLUG}" == "integrations" ]]; then
- if [[ "${BUILDKITE_STEP_KEY}" == "trigger-publish" ]]; then
- # TODO: To be removed
- BUILDKITE_API_TOKEN=$(retry 5 vault kv get -field buildkite_token ${BUILDKITE_API_TOKEN_PATH})
- export BUILDKITE_API_TOKEN
- fi
-
 if [[ "${BUILDKITE_STEP_KEY}" == "test-integrations" ]]; then
 BUILDKITE_API_TOKEN=$(retry 5 vault kv get -field buildkite_token "${BUILDKITE_API_TOKEN_PATH}")
 export BUILDKITE_API_TOKEN
diff --git a/.buildkite/pipeline.publish.yml b/.buildkite/pipeline.publish.yml
index 9f699c2364c..03dc56849b7 100644
--- a/.buildkite/pipeline.publish.yml
+++ b/.buildkite/pipeline.publish.yml
@@ -9,8 +9,7 @@ env:
 JQ_VERSION: '1.7'
 # Elastic package settings
 # Manage docker output/logs
- ELASTIC_PACKAGE_COMPOSE_DISABLE_ANSI: "true"
- ELASTIC_PACKAGE_COMPOSE_DISABLE_PULL_PROGRESS_INFORMATION: "true"
+ ELASTIC_PACKAGE_COMPOSE_DISABLE_VERBOSE_OUTPUT: "true"
 # Default license to use by `elastic-package build`
 ELASTIC_PACKAGE_REPOSITORY_LICENSE: "licenses/Elastic-2.0.txt"
 # Link definitions path (full path to be set in the corresponding step)
diff --git a/packages/azure/changelog.yml b/packages/azure/changelog.yml
index bc13cd00b17..03a2a0aa3ac 100644
--- a/packages/azure/changelog.yml
+++ b/packages/azure/changelog.yml
@@ -1,3 +1,8 @@
+- version: "1.11.3"
+ changes:
+ - description: Update Azure Audit Logs pipeline with support for initiated_by user fields.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/9701
 - version: "1.11.2"
 changes:
 - description: Add missing ECS field definitions.
diff --git a/packages/azure/data_stream/auditlogs/_dev/test/pipeline/test-audit-logs-sample.log b/packages/azure/data_stream/auditlogs/_dev/test/pipeline/test-audit-logs-sample.log
index ed3d729c837..c8ef89bdff3 100644
--- a/packages/azure/data_stream/auditlogs/_dev/test/pipeline/test-audit-logs-sample.log
+++ b/packages/azure/data_stream/auditlogs/_dev/test/pipeline/test-audit-logs-sample.log
@@ -1,3 +1,3 @@ { "time": "2022-01-22T18:15:02.5168093Z", "resourceId": "/tenants/4bbb79f7-5724-4c9e-95f3-de075f6ec090/providers/Microsoft.aadiam", "operationName": "Add service principal credentials", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "4bbb79f7-5724-4c9e-95f3-de075f6ec090", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "1.128.3.4", "correlationId": "53161141-e3f4-4944-85b6-7b953f17265e", "identity": "Managed Service Identity", "Level": 4, "properties": {"id":"Directory_53161141-e3f4-4944-85b6-7b953f17265e_6X649_134684731","category":"ApplicationManagement","correlationId":"53161141-e3f4-4944-85b6-7b953f17265e","result":"success","resultReason":"","activityDisplayName":"Add service principal credentials","activityDateTime":"2022-01-22T18:15:02.5168093+00:00","loggedByService":"Core Directory","operationType":"Update","userAgent":null,"initiatedBy":{"app":{"appId":null,"displayName":"Managed Service Identity","servicePrincipalId":"b9814691-9ca1-4e55-a1ac-8ef5dd010ec0","servicePrincipalName":null}},"targetResources":[{"id":"a7d5dcbe-0627-4ddf-a2f4-86b6785bcc42","displayName":"billing-test-wus","type":"ServicePrincipal","modifiedProperties":[{"displayName":"KeyDescription","oldValue":"[\"[KeyIdentifier=7dffcdc5-f2d5-43ae-86f1-682561befd4b,KeyType=AsymmetricX509Cert,KeyUsage=Verify,DisplayName=CN=a70a7931-c387-4dce-9f35-fbf95bdcc91e]\",\"[KeyIdentifier=c9c0b961-a80a-4a71-9c3a-b67b33edf874,KeyType=AsymmetricX509Cert,KeyUsage=Verify,DisplayName=CN=a70a7931-c387-4dce-9f35-fbf95bdcc91e]\"]","newValue":"[\"[KeyIdentifier=c9c0b961-a80a-4a71-9c3a-b67b33edf874,KeyType=AsymmetricX509Cert,KeyUsage=Verify,DisplayName=CN=a70a7931-c387-4dce-9f35-fbf95bdcc91e]\",\"[KeyIdentifier=7dffcdc5-f2d5-43ae-86f1-682561befd4b,KeyType=AsymmetricX509Cert,KeyUsage=Verify,DisplayName=CN=a70a7931-c387-4dce-9f35-fbf95bdcc91e]\",\"[KeyIdentifier=d747da7e-e11b-4af2-aede-0487c44067af,KeyType=AsymmetricX509Cert,KeyUsage=Verify,DisplayName=CN=a70a7931-c387-4d
ce-9f35-fbf95bdcc91e]\"]"},{"displayName":"Included Updated Properties","oldValue":null,"newValue":"\"KeyDescription\""},{"displayName":"TargetId.ServicePrincipalNames","oldValue":null,"newValue":"\"a70a7931-c387-4dce-9f35-fbf95bdcc91e;https://identity.azure.net/N8CUySpCeRFU3iB/PEuFlON4zd8+n8d3qgzrF1MviSY=\""}],"administrativeUnits":[]}],"additionalDetails":[{"key":"User-Agent","value":"Microsoft Azure Graph Client Library 2.1.17-internal"},{"key":"AppId","value":"a70a7931-c387-4dce-9f35-fbf95bdcc91e"}]}} { "time": "2022-01-22T18:15:02.5168093Z", "resourceId": "/tenants/4bbb79f7-5724-4c9e-95f3-de075f6ec090/providers/Microsoft.aadiam", "operationName": "Update service principal", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "4bbb79f7-5724-4c9e-95f3-de075f6ec090", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "1.128.3.4", "correlationId": "53161141-e3f4-4944-85b6-7b953f17265e", "identity": "Managed Service Identity", "Level": 4, "properties": {"id":"Directory_53161141-e3f4-4944-85b6-7b953f17265e_6X649_134684743","category":"ApplicationManagement","correlationId":"53161141-e3f4-4944-85b6-7b953f17265e","result":"success","resultReason":"","activityDisplayName":"Update service principal","activityDateTime":"2022-01-22T18:15:02.5168093+00:00","loggedByService":"Core Directory","operationType":"Update","userAgent":null,"initiatedBy":{"app":{"appId":null,"displayName":"Managed Service Identity","servicePrincipalId":"b9814691-9ca1-4e55-a1ac-8ef5dd010ec0","servicePrincipalName":null}},"targetResources":[{"id":"a7d5dcbe-0627-4ddf-a2f4-86b6785bcc42","displayName":"billing-test-wus","type":"ServicePrincipal","modifiedProperties":[{"displayName":"TargetId.ServicePrincipalNames","oldValue":null,"newValue":"\"a70a7931-c387-4dce-9f35-fbf95bdcc91e;https://identity.azure.net/N8CUySpCeRFU3iB/PEuFlON4zd8+n8d3qgzrF1MviSY=\""},{"displayName":"Included Updated 
Properties","oldValue":null,"newValue":"\"KeyDescription\""}],"administrativeUnits":[]}],"additionalDetails":[{"key":"User-Agent","value":"Microsoft Azure Graph Client Library 2.1.17-internal"},{"key":"AppId","value":"a70a7931-c387-4dce-9f35-fbf95bdcc91e"}]}} -{ "time": "2022-01-22T18:15:02.3875429Z", "resourceId": "/tenants/4bbb79f7-5724-4c9e-95f3-de075f6ec090/providers/Microsoft.aadiam", "operationName": "Update service principal", "operationVersion": "1.0", "category": "AuditLogs", "tenantId": "4bbb79f7-5724-4c9e-95f3-de075f6ec090", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "1.128.3.4", "correlationId": "87979703-118b-498f-99c2-ccd1a56f1a5a", "identity": "Managed Service Identity", "Level": 4, "properties": {"id":"Directory_87979703-118b-498f-99c2-ccd1a56f1a5a_ULAYA_144938566","category":"ApplicationManagement","correlationId":"87979703-118b-498f-99c2-ccd1a56f1a5a","result":"success","resultReason":"","activityDisplayName":"Update service principal","activityDateTime":"2022-01-22T18:15:02.3875429+00:00","loggedByService":"Core Directory","operationType":"Update","userAgent":null,"initiatedBy":{"app":{"appId":null,"displayName":"Managed Service Identity","servicePrincipalId":"b9814691-9ca1-4e55-a1ac-8ef5dd010ec0","servicePrincipalName":null}},"targetResources":[{"id":"a7d5dcbe-0627-4ddf-a2f4-86b6785bcc42","displayName":"billing-test-wus","type":"ServicePrincipal","modifiedProperties":[{"displayName":"TargetId.ServicePrincipalNames","oldValue":null,"newValue":"\"a70a7931-c387-4dce-9f35-fbf95bdcc91e;https://identity.azure.net/N8CUySpCeRFU3iB/PEuFlON4zd8+n8d3qgzrF1MviSY=\""}],"administrativeUnits":[]}],"additionalDetails":[{"key":"User-Agent","value":"Microsoft Azure Graph Client Library 2.1.17-internal"},{"key":"AppId","value":"a70a7931-c387-4dce-9f35-fbf95bdcc91e"}]}} +{ "time": "2022-01-22T18:15:02.3875429Z", "resourceId": "/tenants/4bbb79f7-5724-4c9e-95f3-de075f6ec090/providers/Microsoft.aadiam", "operationName": "Update service principal", 
"operationVersion": "1.0", "category": "AuditLogs", "tenantId": "4bbb79f7-5724-4c9e-95f3-de075f6ec090", "resultSignature": "None", "durationMs": 0, "callerIpAddress": "1.128.3.4", "correlationId": "87979703-118b-498f-99c2-ccd1a56f1a5a", "identity": "Managed Service Identity", "Level": 4, "properties": {"id":"Directory_87979703-118b-498f-99c2-ccd1a56f1a5a_ULAYA_144938566","category":"ApplicationManagement","correlationId":"87979703-118b-498f-99c2-ccd1a56f1a5a","result":"success","resultReason":"","activityDisplayName":"Update service principal","activityDateTime":"2022-01-22T18:15:02.3875429+00:00","loggedByService":"Core Directory","operationType":"Update","userAgent":null,"initiatedBy":{"app":{"appId":null,"displayName":"Managed Service Identity","servicePrincipalId":"b9814691-9ca1-4e55-a1ac-8ef5dd010ec0","servicePrincipalName":null}},"targetResources":[{"id":"a7d5dcbe-0627-4ddf-a2f4-86b6785bcc42","displayName":"billing-test-wus","type":"ServicePrincipal","modifiedProperties":[{"displayName":"TargetId.ServicePrincipalNames","oldValue":null,"newValue":"\"a70a7931-c387-4dce-9f35-fbf95bdcc91e;https://identity.azure.net/N8CUySpCeRFU3iB/PEuFlON4zd8+n8d3qgzrF1MviSY=\""}],"administrativeUnits":[]}],"additionalDetails":[{"key":"User-Agent","value":"Microsoft Azure Graph Client Library 2.1.17-internal"},{"key":"AppId","value":"a70a7931-c387-4dce-9f35-fbf95bdcc91e"}]}} \ No newline at end of file diff --git a/packages/azure/data_stream/auditlogs/_dev/test/pipeline/test-auditlogs-raw.log b/packages/azure/data_stream/auditlogs/_dev/test/pipeline/test-auditlogs-raw.log index 091ef65ed1b..b493af6325c 100644 --- a/packages/azure/data_stream/auditlogs/_dev/test/pipeline/test-auditlogs-raw.log +++ b/packages/azure/data_stream/auditlogs/_dev/test/pipeline/test-auditlogs-raw.log 
@@ -1 +1,3 @@ -{"category":"AuditLogs","correlationId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","durationMs":0,"identity":"Device Registration Service","level":"Informational","operationName":"Update device","operationVersion":"1.0","properties":{"activityDateTime":"2019-10-18T15:30:51.0273716+00:00","activityDisplayName":"Update device","category":"Device","correlationId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","id":"Directory_ESQ","initiatedBy":{"app":{"appId":"id","displayName":"Device Registration Service","servicePrincipalId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","servicePrincipalName":"Core"}},"loggedByService":"Core Directory","operationType":"Update","result":"success","resultReason":"","targetResources":[{"displayName":"LAPTOP-12","id":"8a4de8b5-095c-47d0-a96f-a75130c61d53","modifiedProperties":[{"displayName":"Included Updated Properties","newValue":"\"\"","oldValue":""}],"type":"Device"}]},"resourceId":"/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam","resultSignature":"None","tenantId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","time":"2019-10-18T15:30:51.0273716Z"} \ No newline at end of file +{"category":"AuditLogs","correlationId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","durationMs":0,"identity":"Device Registration Service","level":"Informational","operationName":"Update device","operationVersion":"1.0","properties":{"activityDateTime":"2019-10-18T15:30:51.0273716+00:00","activityDisplayName":"Update device","category":"Device","correlationId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","id":"Directory_ESQ","initiatedBy":{"app":{"appId":"id","displayName":"Device Registration Service","servicePrincipalId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","servicePrincipalName":"Core"}},"loggedByService":"Core Directory","operationType":"Update","result":"success","resultReason":"","targetResources":[{"displayName":"LAPTOP-12","id":"8a4de8b5-095c-47d0-a96f-a75130c61d53","modifiedProperties":[{"displayName":"Included Updated 
Properties","newValue":"\"\"","oldValue":""}],"type":"Device"}]},"resourceId":"/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam","resultSignature":"None","tenantId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","time":"2019-10-18T15:30:51.0273716Z"} +{"category":"AuditLogs","correlationId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","durationMs":0,"identity":"Device Registration Service","level":"Informational","operationName":"Update device","operationVersion":"1.0","properties":{"activityDateTime":"2019-10-18T15:30:51.0273716+00:00","activityDisplayName":"Update device","category":"Device","correlationId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","id":"Directory_ESQ","initiatedBy":{"user":{"userPrincipalName":"UserName","displayName":"User Registration Service","id":"8a4de8b5-095c-47d0-a96f-a75130c61d53","ipAddress":"0.0.0.0", "roles": "admin"}},"loggedByService":"Core Directory","operationType":"Update","result":"success","resultReason":"","targetResources":[{"displayName":"LAPTOP-12","id":"8a4de8b5-095c-47d0-a96f-a75130c61d53","modifiedProperties":[{"displayName":"Included Updated Properties","newValue":"\"\"","oldValue":""}],"type":"Device"}]},"resourceId":"/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam","resultSignature":"None","tenantId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","time":"2019-10-18T15:30:51.0273716Z"} +{"category":"AuditLogs","correlationId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","durationMs":0,"identity":"Device Registration Service","level":"Informational","operationName":"Update device","operationVersion":"1.0","properties":{"activityDateTime":"2019-10-18T15:30:51.0273716+00:00","activityDisplayName":"Update device","category":"Device","correlationId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","id":"Directory_ESQ","initiatedBy":{"user":{"userPrincipalName":"UserName","displayName": null,"id":"8a4de8b5-095c-47d0-a96f-a75130c61d53","ipAddress":"0.0.0.0", "roles": "admin"}},"loggedByService":"Core 
Directory","operationType":"Update","result":"success","resultReason":"","targetResources":[{"displayName":"LAPTOP-12","id":"8a4de8b5-095c-47d0-a96f-a75130c61d53","modifiedProperties":[{"displayName":"","newValue":"\"\"","oldValue":""}],"type":"Device"}]},"resourceId":"/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam","resultSignature":"None","tenantId":"8a4de8b5-095c-47d0-a96f-a75130c61d53","time":"2019-10-18T15:30:51.0273716Z"} \ No newline at end of file diff --git a/packages/azure/data_stream/auditlogs/_dev/test/pipeline/test-auditlogs-raw.log-expected.json b/packages/azure/data_stream/auditlogs/_dev/test/pipeline/test-auditlogs-raw.log-expected.json index ecf7a9e18dc..65c3523ac4b 100644 --- a/packages/azure/data_stream/auditlogs/_dev/test/pipeline/test-auditlogs-raw.log-expected.json +++ b/packages/azure/data_stream/auditlogs/_dev/test/pipeline/test-auditlogs-raw.log-expected.json 
@@ -68,6 +68,145 @@ "tags": [ "preserve_original_event" ] + }, + { + "@timestamp": "2019-10-18T15:30:51.027Z", + "azure": { + "auditlogs": { + "category": "AuditLogs", + "identity": "Device Registration Service", + "operation_name": "Update device", + "operation_version": "1.0", + "properties": { + "activity_datetime": "2019-10-18T15:30:51.0273716+00:00", + "activity_display_name": "Update device", + "category": "Device", + "correlation_id": "8a4de8b5-095c-47d0-a96f-a75130c61d53", + "id": "Directory_ESQ", + "initiated_by": { + "user": { + "displayName": "User Registration Service", + "id": "8a4de8b5-095c-47d0-a96f-a75130c61d53", + "ipAddress": "0.0.0.0", + "roles": "admin", + "userPrincipalName": "UserName" + } + }, + "logged_by_service": "Core Directory", + "operation_type": "Update", + "result_reason": "", + "target_resources": { + "0": { + "display_name": "LAPTOP-12", + "id": "8a4de8b5-095c-47d0-a96f-a75130c61d53", + "modified_properties": { + "0": { + "display_name": "Included Updated Properties", + "new_value": "\"\"", + "old_value": "" + } + }, + "type": "Device" + } + } + }, + "result_signature": "None" + }, + "correlation_id": "8a4de8b5-095c-47d0-a96f-a75130c61d53", + "resource": { + "id": "/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam", + "provider": "Microsoft.aadiam" + }, + "tenant_id": "8a4de8b5-095c-47d0-a96f-a75130c61d53" + }, + "cloud": { + "provider": "azure" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Update device", + "duration": 0, + "kind": "event", + "original": "{\"category\":\"AuditLogs\",\"correlationId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"durationMs\":0,\"identity\":\"Device Registration Service\",\"level\":\"Informational\",\"operationName\":\"Update device\",\"operationVersion\":\"1.0\",\"properties\":{\"activityDateTime\":\"2019-10-18T15:30:51.0273716+00:00\",\"activityDisplayName\":\"Update 
device\",\"category\":\"Device\",\"correlationId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"id\":\"Directory_ESQ\",\"initiatedBy\":{\"user\":{\"userPrincipalName\":\"UserName\",\"displayName\":\"User Registration Service\",\"id\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"ipAddress\":\"0.0.0.0\", \"roles\": \"admin\"}},\"loggedByService\":\"Core Directory\",\"operationType\":\"Update\",\"result\":\"success\",\"resultReason\":\"\",\"targetResources\":[{\"displayName\":\"LAPTOP-12\",\"id\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"modifiedProperties\":[{\"displayName\":\"Included Updated Properties\",\"newValue\":\"\\\"\\\"\",\"oldValue\":\"\"}],\"type\":\"Device\"}]},\"resourceId\":\"/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam\",\"resultSignature\":\"None\",\"tenantId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"time\":\"2019-10-18T15:30:51.0273716Z\"}", + "outcome": "success" + }, + "log": { + "level": "Informational" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2019-10-18T15:30:51.027Z", + "azure": { + "auditlogs": { + "category": "AuditLogs", + "identity": "Device Registration Service", + "operation_name": "Update device", + "operation_version": "1.0", + "properties": { + "activity_datetime": "2019-10-18T15:30:51.0273716+00:00", + "activity_display_name": "Update device", + "category": "Device", + "correlation_id": "8a4de8b5-095c-47d0-a96f-a75130c61d53", + "id": "Directory_ESQ", + "initiated_by": { + "user": { + "id": "8a4de8b5-095c-47d0-a96f-a75130c61d53", + "ipAddress": "0.0.0.0", + "roles": "admin", + "userPrincipalName": "UserName" + } + }, + "logged_by_service": "Core Directory", + "operation_type": "Update", + "result_reason": "", + "target_resources": { + "0": { + "display_name": "LAPTOP-12", + "id": "8a4de8b5-095c-47d0-a96f-a75130c61d53", + "modified_properties": { + "0": { + "display_name": "", + "new_value": "\"\"", + "old_value": "" + } + }, + "type": "Device" + } + } + }, + 
"result_signature": "None" + }, + "correlation_id": "8a4de8b5-095c-47d0-a96f-a75130c61d53", + "resource": { + "id": "/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam", + "provider": "Microsoft.aadiam" + }, + "tenant_id": "8a4de8b5-095c-47d0-a96f-a75130c61d53" + }, + "cloud": { + "provider": "azure" + }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "Update device", + "duration": 0, + "kind": "event", + "original": "{\"category\":\"AuditLogs\",\"correlationId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"durationMs\":0,\"identity\":\"Device Registration Service\",\"level\":\"Informational\",\"operationName\":\"Update device\",\"operationVersion\":\"1.0\",\"properties\":{\"activityDateTime\":\"2019-10-18T15:30:51.0273716+00:00\",\"activityDisplayName\":\"Update device\",\"category\":\"Device\",\"correlationId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"id\":\"Directory_ESQ\",\"initiatedBy\":{\"user\":{\"userPrincipalName\":\"UserName\",\"displayName\": null,\"id\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"ipAddress\":\"0.0.0.0\", \"roles\": \"admin\"}},\"loggedByService\":\"Core Directory\",\"operationType\":\"Update\",\"result\":\"success\",\"resultReason\":\"\",\"targetResources\":[{\"displayName\":\"LAPTOP-12\",\"id\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"modifiedProperties\":[{\"displayName\":\"\",\"newValue\":\"\\\"\\\"\",\"oldValue\":\"\"}],\"type\":\"Device\"}]},\"resourceId\":\"/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam\",\"resultSignature\":\"None\",\"tenantId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"time\":\"2019-10-18T15:30:51.0273716Z\"}", + "outcome": "success" + }, + "log": { + "level": "Informational" + }, + "tags": [ + "preserve_original_event" + ] } ] } \ No newline at end of file 
diff --git a/packages/azure/data_stream/auditlogs/elasticsearch/ingest_pipeline/default.yml b/packages/azure/data_stream/auditlogs/elasticsearch/ingest_pipeline/default.yml
index c9d690f54d4..6b518f6021c 100644
--- a/packages/azure/data_stream/auditlogs/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/azure/data_stream/auditlogs/elasticsearch/ingest_pipeline/default.yml
@@ -84,6 +84,7 @@ processors:
 field: azure.auditlogs.properties.activityDisplayName
 target_field: azure.auditlogs.properties.activity_display_name
 ignore_missing: true
+ ignore_failure: true
 - rename:
 field: azure.auditlogs.properties.activityDateTime
 target_field: azure.auditlogs.properties.activity_datetime
@@ -135,6 +136,10 @@ processors:
 field: azure.auditlogs.properties.resultReason
 target_field: azure.auditlogs.properties.result_reason
 ignore_missing: true
+ - rename:
+ field: azure.auditlogs.properties.resultDescription
+ target_field: azure.auditlogs.properties.result_description
+ ignore_missing: true
 - rename:
 field: azure.auditlogs.properties.correlationId
 target_field: azure.auditlogs.properties.correlation_id
@@ -155,6 +160,11 @@ processors:
 field: azure.auditlogs.properties.additional_details.userAgent
 target_field: azure.auditlogs.properties.additional_details.user_agent
 ignore_missing: true
+ - remove:
+ description: Drop displayName field if value is null.
+ if: ctx?.azure?.auditlogs?.properties?.initiatedBy?.user?.displayName == null
+ field: azure.auditlogs.properties.initiatedBy.user.displayName
+ ignore_missing: true
 - script:
 lang: painless
 source: >-
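Review bot: `ignore_failure: true` on the `activityDisplayName` rename suppresses every failure of that processor, not only the absent-field case that `ignore_missing: true` already covers, so a rename that cannot be applied (for example because `activity_display_name` is already set) leaves the event with the camelCase field and no `error.message` showing that anything went wrong. If a specific failure is being worked around, express it as an `if` condition on the processor, or use an `on_failure` block that records `error.message`, so the condition stays visible in the indexed data instead of being swallowed. The processor list continues outside the hunk.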
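Review bot: The new `remove` processor drops only `initiatedBy.user.displayName` when it is null, but the sample events in this same change carry other nulls under `initiatedBy` (`appId` and `servicePrincipalName` in the app branch of test-audit-logs-sample.log, plus `userAgent`), so whatever the null `displayName` breaks downstream can presumably be triggered by those as well; a single script that strips null values from `initiatedBy` would cover all of them instead of one hard-coded path. The `if` condition is also true when the whole `initiatedBy.user` path is absent, which only works because `ignore_missing: true` is set, so the description should say so: `description: Drop initiatedBy.user.displayName when null (condition is also true when the path is absent; ignore_missing covers that case).` Neither this hunk nor the others map `initiatedBy.user.id`, `userPrincipalName` or `ipAddress` to ECS `user.id`, `user.name` or `source.ip`; if the pipeline does not already do this elsewhere, adding it would let actor-based detections on these audit events use standard fields. The processor list continues outside the hunk.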
@@ -178,7 +188,9 @@ processors:
 for (def j = 0; j < ctx.azure.auditlogs.properties.targetResources[i].modifiedProperties.length; j++) {
 String n = String.valueOf(j);
 ctx.azure.auditlogs.properties.target_resources[index].modified_properties[n] = new HashMap();
+ ctx.azure.auditlogs.properties.target_resources[index].modified_properties[n].display_name = ctx.azure.auditlogs.properties.targetResources[i].modifiedProperties[j].displayName;
+
 if (ctx.azure.auditlogs.properties.targetResources[i].modifiedProperties[j].newValue != null) {
 ctx.azure.auditlogs.properties.target_resources[index].modified_properties[n].new_value = ctx.azure.auditlogs.properties.targetResources[i].modifiedProperties[j].newValue;
 }
diff --git a/packages/azure/data_stream/auditlogs/fields/fields.yml b/packages/azure/data_stream/auditlogs/fields/fields.yml
index c725d0c8197..64a2283ffe9 100644
--- a/packages/azure/data_stream/auditlogs/fields/fields.yml
+++ b/packages/azure/data_stream/auditlogs/fields/fields.yml
@@ -25,6 +25,10 @@
 type: keyword
 description: |
 Result signature
+ - name: result_description
+ type: keyword
+ description: |
+ Result description
 - name: level
 type: float
 description: Value for level.
@@ -146,6 +150,10 @@
 type: keyword
 description: |
 ip Address
+ - name: roles
+ type: keyword
+ description: |
+ User roles
 - name: additional_details
 type: group
 fields:
diff --git a/packages/azure/docs/adlogs.md b/packages/azure/docs/adlogs.md
index 22aaf09b19a..e5597fb4e9f 100644
--- a/packages/azure/docs/adlogs.md
+++ b/packages/azure/docs/adlogs.md
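Review bot: The added `display_name` assignment in the Painless script is unconditional, while the neighbouring `new_value` assignment is wrapped in a `!= null` guard, so a modified property whose `displayName` is null now yields `modified_properties.N.display_name: null` in the document instead of omitting the key, which is inconsistent with how the other two values are handled. Guard it the same way: `if (ctx.azure.auditlogs.properties.targetResources[i].modifiedProperties[j].displayName != null) {` around the assignment, closed with `}`. The `for` loop over `modifiedProperties` opens in the hunk but its body and closing brace continue outside it.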
@@ -1013,6 +1013,7 @@ An example event for `auditlogs` looks as following:
 | azure.auditlogs.properties.initiated_by.user.displayName | Display name | keyword |
 | azure.auditlogs.properties.initiated_by.user.id | ID | keyword |
 | azure.auditlogs.properties.initiated_by.user.ipAddress | ip Address | keyword |
+| azure.auditlogs.properties.initiated_by.user.roles | User roles | keyword |
 | azure.auditlogs.properties.initiated_by.user.userPrincipalName | User principal name | keyword |
 | azure.auditlogs.properties.logged_by_service | Logged by service | keyword |
 | azure.auditlogs.properties.operation_type | Operation type | keyword |
@@ -1026,6 +1027,7 @@ An example event for `auditlogs` looks as following:
 | azure.auditlogs.properties.target_resources.\*.modified_properties.\*.old_value | Old value | keyword |
 | azure.auditlogs.properties.target_resources.\*.type | Type | keyword |
 | azure.auditlogs.properties.target_resources.\*.user_principal_name | User principal name | keyword |
+| azure.auditlogs.result_description | Result description | keyword |
 | azure.auditlogs.result_signature | Result signature | keyword |
 | azure.auditlogs.tenant_id | Tenant ID | keyword |
 | azure.correlation_id | Correlation ID | keyword |
diff --git a/packages/azure/manifest.yml b/packages/azure/manifest.yml
index d68a34cc8ac..38c28d0510a 100644
--- a/packages/azure/manifest.yml
+++ b/packages/azure/manifest.yml
@@ -1,6 +1,6 @@
 name: azure
 title: Azure Logs
-version: 1.11.2
+version: 1.11.3
 description: This Elastic integration collects logs from Azure
 type: integration
 icons:
diff --git a/packages/crowdstrike/changelog.yml b/packages/crowdstrike/changelog.yml
index f1bf45a5ead..8b0e9b303b8 100644
--- a/packages/crowdstrike/changelog.yml
+++ b/packages/crowdstrike/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.33.0"
+ changes:
+ - description: Refactor alert and host collectors and improve error handling.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9716
 - version: "1.32.2"
 changes:
 - description: Fix geoip mapping to destination.
diff --git a/packages/crowdstrike/data_stream/alert/agent/stream/cel.yml.hbs b/packages/crowdstrike/data_stream/alert/agent/stream/cel.yml.hbs
index 8e026b01d15..4e229ca7c03 100644
--- a/packages/crowdstrike/data_stream/alert/agent/stream/cel.yml.hbs
+++ b/packages/crowdstrike/data_stream/alert/agent/stream/cel.yml.hbs
@@ -26,61 +26,86 @@ state: redact: fields: ~ program: | - ( - state.with( - ( - !state.want_more ? - request("GET", state.url + "/alerts/queries/alerts/v2?sort=timestamp|asc&offset=0&limit=" + string(state.batch_size) + '&filter=timestamp:>"' + ( - has(state.cursor) && has(state.cursor.last_timestamp) && state.cursor.last_timestamp != null ? - state.cursor.last_timestamp + '"' - : - (now - duration(state.initial_interval)).format(time_layout.RFC3339) + '"' - )) - : - request("GET", state.url + "/alerts/queries/alerts/v2?sort=timestamp|asc&offset=" + string(state.offset) + "&limit=" + string(state.batch_size) + '&filter=timestamp:>"' + ( - has(state.cursor) && has(state.cursor.first_timestamp) && state.cursor.first_timestamp != null ? - state.cursor.first_timestamp + '"' - : - '"' - )) - ).do_request().as(resp, bytes(resp.Body).decode_json().as(body, { + state.with( + ( + !state.want_more ? + request( + "GET", + state.url.trim_right("/") + "/alerts/queries/alerts/v2?" + { + "sort": ["timestamp|asc"], + "offset": ["0"], + "limit": [string(state.batch_size)], + "filter": ['timestamp:>"'+state.?cursor.last_timestamp.orValue(string(now - duration(state.initial_interval)))+'"'], + }.format_query() + ) + : + request( + "GET", + state.url.trim_right("/") + "/alerts/queries/alerts/v2?" + { + "sort": ["timestamp|asc"], + "offset": [string(state.offset)], + "limit": [string(state.batch_size)], + ?"filter": has(state.?cursor.first_timestamp) ? optional.of(['timestamp:>"'+state.cursor.first_timestamp+'"']) : optional.none(), + }.format_query() + ) + ).do_request().as(get_resp, get_resp.StatusCode == 200 ? + bytes(get_resp.Body).decode_json().as(body, { "resources": has(body.resources) && body.resources.size() > 0 ? body.resources : "", "want_more": ((int(state.offset) + body.resources.size()) < body.meta.pagination.total), "offset": ((int(state.offset) + body.resources.size()) < body.meta.pagination.total) ? 
- int(state.offset) + int(body.resources.size()) + int(state.offset) + body.resources.size() : 0, - "url": state.url, - "batch_size": state.batch_size, - "initial_interval": state.initial_interval, - })) - ).as(state, state.with( - !has(state.resources) || state.resources == "" ? {"events": []} : - post_request( - state.url + "/alerts/entities/alerts/v2", - "application/json", - {"composite_ids": state.resources}.encode_json() - ).do_request().as(resp, bytes(resp.Body).decode_json().as(inner_body, { + }) + : + { + "events": { + "error": { + "code": string(get_resp.StatusCode), + "id": string(get_resp.Status), + "message": string(get_resp.Body) + }, + }, + "want_more": false, + } + ) + ).as(state, state.with( + !has(state.resources) ? state : // Exit early due to GET failure. + post_request( + state.url.trim_right("/") + "/alerts/entities/alerts/v2", + "application/json", + {"composite_ids": state.resources}.encode_json() + ).do_request().as(post_resp, post_resp.StatusCode == 200 ? + bytes(post_resp.Body).decode_json().as(inner_body, { "events": inner_body.resources.map(e, { "message": e.encode_json(), }), "cursor": { - "last_timestamp": ( + ?"last_timestamp": ( has(inner_body.resources) && inner_body.resources.size() > 0 ? - inner_body.resources.map(e, e.timestamp).max() - : has(state.cursor) && has(state.cursor.last_timestamp) ? - state.cursor.last_timestamp + optional.of(inner_body.resources.map(e, e.timestamp).max()) : - null + state.?cursor.last_timestamp ), "first_timestamp": ( - has(state.cursor) && has(state.cursor.first_timestamp) && state.cursor.first_timestamp != null ? + state.?cursor.first_timestamp.orValue(null) != null ? (state.want_more ? 
state.cursor.first_timestamp : state.cursor.last_timestamp) : - (now - duration(state.initial_interval)).format(time_layout.RFC3339) + string(now - duration(state.initial_interval)) ), }, - })) + }) + : + { + "events": { + "error": { + "code": string(post_resp.StatusCode), + "id": string(post_resp.Status), + "message": string(post_resp.Body) + }, + }, + "want_more": false, + } ) ) ) diff --git a/packages/crowdstrike/data_stream/host/agent/stream/cel.yml.hbs b/packages/crowdstrike/data_stream/host/agent/stream/cel.yml.hbs index c9f18bb66ce..468259aa3a5 100644 --- a/packages/crowdstrike/data_stream/host/agent/stream/cel.yml.hbs +++ b/packages/crowdstrike/data_stream/host/agent/stream/cel.yml.hbs 
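Review bot: The early exit before the POST now tests only `!has(state.resources)`, but the GET branch still stores `""` when a page has no resources (`"resources": has(body.resources) && body.resources.size() > 0 ? body.resources : ""`), so an empty page no longer returns `{"events": []}` as the removed guard did and instead sends `POST /alerts/entities/alerts/v2` with `{"composite_ids": ""}`, which will most likely come back non-200 and be reported as an error event on every empty poll. Keep the empty-string case in the guard, e.g. `!has(state.resources) ? state : state.resources == "" ? {"events": []} :` ahead of the `post_request`. If the input retains non-reserved state keys between evaluations, `resources` from an earlier successful run may still be present when a later GET fails, in which case the guard would not exit early and the stale ids would be re-fetched on top of the error event; clearing the key after the POST would remove that dependency. The same program structure appears in the host stream hunk (packages/crowdstrike/data_stream/host/agent/stream/cel.yml.hbs), where the POST URL additionally still uses `state.url + "/devices/entities/devices/v2"` without the `trim_right("/")` applied to its GET.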
@@ -26,61 +26,86 @@ state: redact: fields: ~ program: | - ( - state.with( - ( - !state.want_more ? - request("GET", state.url + "/devices/queries/devices/v1?sort=modified_timestamp.asc&offset=0&limit=" + string(state.batch_size) + '&filter=modified_timestamp:>"' + ( - has(state.cursor) && has(state.cursor.last_timestamp) && state.cursor.last_timestamp != null ? - state.cursor.last_timestamp + '"' - : - (now - duration(state.initial_interval)).format(time_layout.RFC3339) + '"' - )) - : - request("GET", state.url + "/devices/queries/devices/v1?sort=modified_timestamp.asc&offset=" + string(state.offset) + "&limit=" + string(state.batch_size) + '&filter=modified_timestamp:>"' + ( - has(state.cursor) && has(state.cursor.first_timestamp) && state.cursor.first_timestamp != null ? - state.cursor.first_timestamp + '"' - : - '"' - )) - ).do_request().as(resp, bytes(resp.Body).decode_json().as(body, { + state.with( + ( + !state.want_more ? + request( + "GET", + state.url.trim_right("/") + "/devices/queries/devices/v1?" + { + "sort": ["modified_timestamp.asc"], + "offset": ["0"], + "limit": [string(state.batch_size)], + "filter": ['modified_timestamp:>"'+state.?cursor.last_timestamp.orValue(string(now - duration(state.initial_interval)))+'"'], + }.format_query() + ) + : + request( + "GET", + state.url.trim_right("/") + "/devices/queries/devices/v1?" + { + "sort": ["modified_timestamp.asc"], + "offset": [string(state.offset)], + "limit": [string(state.batch_size)], + ?"filter": has(state.?cursor.first_timestamp) ? optional.of(['modified_timestamp:>"'+state.cursor.first_timestamp+'"']) : optional.none(), + }.format_query() + ) + ).do_request().as(get_resp, get_resp.StatusCode == 200 ? + bytes(get_resp.Body).decode_json().as(body, { "resources": has(body.resources) && body.resources.size() > 0 ? 
body.resources : "", "want_more": ((int(state.offset) + body.resources.size()) < body.meta.pagination.total), "offset": ((int(state.offset) + body.resources.size()) < body.meta.pagination.total) ? - int(state.offset) + int(body.resources.size()) + int(state.offset) + body.resources.size() : 0, - "url": state.url, - "batch_size": state.batch_size, - "initial_interval": state.initial_interval, - })) - ).as(state, state.with( - !has(state.resources) || state.resources == "" ? {"events": []} : - post_request( - state.url + "/devices/entities/devices/v2", - "application/json", - {"ids": state.resources }.encode_json() - ).do_request().as(resp, bytes(resp.Body).decode_json().as(inner_body, { - "events": inner_body.resources.map(e, { - "message": e.encode_json(), - }), - "cursor": { - "last_timestamp": ( - has(inner_body.resources) && inner_body.resources.size() > 0 ? - inner_body.resources.map(e, e.modified_timestamp).max() - : has(state.cursor) && has(state.cursor.last_timestamp) ? - state.cursor.last_timestamp - : - null - ), - "first_timestamp": ( - has(state.cursor) && has(state.cursor.first_timestamp) && state.cursor.first_timestamp != null ? - ( state.want_more ? state.cursor.first_timestamp : state.cursor.last_timestamp ) - : - (now - duration(state.initial_interval)).format(time_layout.RFC3339) - ), - }, - })) + }) + : + { + "events": { + "error": { + "code": string(get_resp.StatusCode), + "id": string(get_resp.Status), + "message": string(get_resp.Body) + }, + }, + "want_more": false, + } + ) + ).as(state, state.with( + !has(state.resources) ? state : // Exit early due to GET failure. + post_request( + state.url + "/devices/entities/devices/v2", + "application/json", + {"ids": state.resources }.encode_json() + ).do_request().as(post_resp, post_resp.StatusCode == 200 ? 
+ bytes(post_resp.Body).decode_json().as(inner_body, { + "events": inner_body.resources.map(e, { + "message": e.encode_json(), + }), + "cursor": { + ?"last_timestamp": ( + has(inner_body.resources) && inner_body.resources.size() > 0 ? + optional.of(inner_body.resources.map(e, e.modified_timestamp).max()) + : + state.?cursor.last_timestamp + ), + "first_timestamp": ( + state.?cursor.first_timestamp.orValue(null) != null ? + (state.want_more ? state.cursor.first_timestamp : state.cursor.last_timestamp) + : + string(now - duration(state.initial_interval)) + ), + }, + }) + : + { + "events": { + "error": { + "code": string(post_resp.StatusCode), + "id": string(post_resp.Status), + "message": string(post_resp.Body) + }, + }, + "want_more": false, + } ) ) ) diff --git a/packages/crowdstrike/manifest.yml b/packages/crowdstrike/manifest.yml index 563505fe192..a1420501fdb 100644 --- a/packages/crowdstrike/manifest.yml +++ b/packages/crowdstrike/manifest.yml @@ -1,6 +1,6 @@ name: crowdstrike title: CrowdStrike -version: "1.32.2" +version: "1.33.0" description: Collect logs from Crowdstrike with Elastic Agent. type: integration format_version: "3.0.0" diff --git a/packages/kubernetes/changelog.yml b/packages/kubernetes/changelog.yml index c06f25e6c3f..24cce5727d9 100644 --- a/packages/kubernetes/changelog.yml +++ b/packages/kubernetes/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: 1.61.0 + changes: + - description: Remove deprecated fields and add missing status.last_terminated_reason metric + type: enhancement + link: https://github.com/elastic/integrations/pull/9736 - version: 1.60.0 changes: - description: Updating `Memory used vs total memory` and `Cores used vs total cores` visualisations in Cluster Overview Dashboard diff --git a/packages/kubernetes/data_stream/state_container/fields/fields.yml b/packages/kubernetes/data_stream/state_container/fields/fields.yml index 0bfa9351852..fe439a8960f 100644 
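Review bot: The new POST guard `!has(state.resources) ? state : post_request(...)` drops the `state.resources == ""` half of the condition it replaces, but the unchanged context line above still writes `""` into `resources` when the GET returns an empty page, so an empty page no longer exits early and instead posts `{"ids": ""}` to `/devices/entities/devices/v2`, which would presumably be rejected and surface as an error event on every empty poll. Restoring the full condition, `!has(state.resources) || state.resources == "" ? state :`, keeps the GET-failure exit and the empty-page exit together (alternatively store `[]` instead of `""` and test `size() == 0`). The alerts stream hunk earlier in this diff appears to have the same shape, though its start is outside this view. Separately, this POST builds its URL as `state.url + "/devices/entities/devices/v2"` while both GETs in the same hunk and the alerts POST use `state.url.trim_right("/")`, so a trailing slash in `state.url` would be doubled only here; `state.url.trim_right("/") + "/devices/entities/devices/v2",` makes the three consistent.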
--- a/packages/kubernetes/data_stream/state_container/fields/fields.yml +++ b/packages/kubernetes/data_stream/state_container/fields/fields.yml @@ -25,8 +25,13 @@ - name: reason dimension: true type: keyword - description: | - Waiting (ContainerCreating, CrashLoopBackoff, ErrImagePull, ImagePullBackoff) or termination (Completed, ContainerCannotRun, Error, OOMKilled) reason. + description: > + The reason the container is currently in waiting (ContainerCreating, CrashLoopBackoff, ErrImagePull, + ImagePullBackoff) or terminated (Completed, ContainerCannotRun, Error, OOMKilled) state. + - name: last_terminated_reason + type: keyword + description: > + The last reason the container was in terminated state (Completed, ContainerCannotRun, Error or OOMKilled). - name: cpu type: group fields: @@ -40,16 +45,6 @@ metric_type: gauge description: | Container CPU requested cores - - name: limit.nanocores - type: long - metric_type: gauge - description: | - Container CPU nanocores limit - - name: request.nanocores - type: long - metric_type: gauge - description: | - Container CPU requested nanocores - name: memory type: group fields: diff --git a/packages/kubernetes/docs/kube-state-metrics.md b/packages/kubernetes/docs/kube-state-metrics.md index 27657dda9e4..844d70d3aca 100644 --- a/packages/kubernetes/docs/kube-state-metrics.md +++ b/packages/kubernetes/docs/kube-state-metrics.md 
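Review bot: The second hunk of this file removes the `limit.nanocores` and `request.nanocores` definitions from the mapping, which breaks any saved search, dashboard or alert that still references `kubernetes.container.cpu.limit.nanocores` or `kubernetes.container.cpu.request.nanocores`, yet the 1.61.0 changelog entry in this diff records the change as `type: enhancement`. Consider `type: breaking-change`, or at least a description that names the replacement `.cores` fields and the version in which the nanocores fields were deprecated. In the first hunk the new `last_terminated_reason` entry, unlike its sibling `reason`, carries no `dimension:` key; if that is deliberate, a short comment such as `# intentionally not a dimension; a change must not start a new time series` would spare the next reader the question.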
@@ -193,16 +193,15 @@ An example event for `state_container` looks as following: | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | | | kubernetes.annotations.\* | Kubernetes annotations map | object | | | | kubernetes.container.cpu.limit.cores | Container CPU cores limit | float | | gauge | -| kubernetes.container.cpu.limit.nanocores | Container CPU nanocores limit | long | | gauge | | kubernetes.container.cpu.request.cores | Container CPU requested cores | float | | gauge | -| kubernetes.container.cpu.request.nanocores | Container CPU requested nanocores | long | | gauge | | kubernetes.container.id | Container id | keyword | | | | kubernetes.container.memory.limit.bytes | Container memory limit in bytes | long | byte | gauge | | kubernetes.container.memory.request.bytes | Container requested memory in bytes | long | byte | gauge | | kubernetes.container.name | Kubernetes container name | keyword | | | +| kubernetes.container.status.last_terminated_reason | The last reason the container was in terminated state (Completed, ContainerCannotRun, Error or OOMKilled). | keyword | | | | kubernetes.container.status.phase | Container phase (running, waiting, terminated) | keyword | | | | kubernetes.container.status.ready | Container ready status | boolean | | | -| kubernetes.container.status.reason | Waiting (ContainerCreating, CrashLoopBackoff, ErrImagePull, ImagePullBackoff) or termination (Completed, ContainerCannotRun, Error, OOMKilled) reason. | keyword | | | +| kubernetes.container.status.reason | The reason the container is currently in waiting (ContainerCreating, CrashLoopBackoff, ErrImagePull, ImagePullBackoff) or terminated (Completed, ContainerCannotRun, Error, OOMKilled) state. 
| keyword | | | | kubernetes.container.status.restarts | Container restarts count | integer | | counter | | kubernetes.cronjob.name | Name of the CronJob to which the Pod belongs | keyword | | | | kubernetes.daemonset.name | Kubernetes daemonset name | keyword | | | diff --git a/packages/kubernetes/manifest.yml b/packages/kubernetes/manifest.yml index 1b64c5abe9e..22ef5b032de 100644 --- a/packages/kubernetes/manifest.yml +++ b/packages/kubernetes/manifest.yml @@ -1,7 +1,7 @@ format_version: 3.1.2 name: kubernetes title: Kubernetes -version: 1.60.0 +version: 1.61.0 description: Collect logs and metrics from Kubernetes clusters with Elastic Agent. type: integration categories: diff --git a/packages/postgresql/changelog.yml b/packages/postgresql/changelog.yml index 41d7330be15..34f4c276d0c 100644 --- a/packages/postgresql/changelog.yml +++ b/packages/postgresql/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.20.0" + changes: + - description: Add alias field for database oid fields. + type: enhancement + link: https://github.com/elastic/integrations/pull/9695 - version: "1.19.0" changes: - description: Enable secrets for sensitive fields. For more details, refer https://www.elastic.co/guide/en/fleet/current/agent-policy.html#agent-policy-secret-values diff --git a/packages/postgresql/data_stream/activity/fields/fields.yml b/packages/postgresql/data_stream/activity/fields/fields.yml index 847cc0b8bef..00ef905cfd5 100644 --- a/packages/postgresql/data_stream/activity/fields/fields.yml +++ b/packages/postgresql/data_stream/activity/fields/fields.yml @@ -1,3 +1,8 @@ +- name: database.oid + type: alias + path: postgresql.activity.database.oid + description: | + OID of the database that this event is related to. - name: postgresql.activity type: group fields: diff --git a/packages/postgresql/data_stream/activity/sample_event.json b/packages/postgresql/data_stream/activity/sample_event.json index 2ce52842753..91402ded257 100644 
--- a/packages/postgresql/data_stream/activity/sample_event.json +++ b/packages/postgresql/data_stream/activity/sample_event.json @@ -1,52 +1,51 @@ { - "@timestamp": "2022-01-12T03:37:42.425Z", + "@timestamp": "2024-04-30T09:14:50.873Z", "agent": { - "ephemeral_id": "095c21dc-35b1-42c4-88f3-56972ef6626a", - "id": "9878d192-22ad-49b6-a6c2-9959b0815d04", + "ephemeral_id": "f065ed3c-78fb-41da-9fe6-88ab3ff0f088", + "id": "69c77328-4412-45c4-8f98-cc7e7b1fc216", "name": "docker-fleet-agent", "type": "metricbeat", - "version": "8.0.0-beta1" + "version": "8.13.0" }, "data_stream": { "dataset": "postgresql.activity", "namespace": "ep", "type": "metrics" }, + "database": { + "oid": 12379 + }, "ecs": { - "version": "8.5.1" + "version": "8.0.0" }, "elastic_agent": { - "id": "9878d192-22ad-49b6-a6c2-9959b0815d04", + "id": "69c77328-4412-45c4-8f98-cc7e7b1fc216", "snapshot": false, - "version": "8.0.0-beta1" + "version": "8.13.0" }, "event": { "agent_id_status": "verified", "dataset": "postgresql.activity", - "duration": 4068224, - "ingested": "2022-01-12T03:37:43Z", + "duration": 6165334, + "ingested": "2024-04-30T09:15:02Z", "module": "postgresql" }, "host": { "architecture": "x86_64", "containerized": true, "hostname": "docker-fleet-agent", - "id": "4ccba669f0df47fa3f57a9e4169ae7f1", - "ip": [ - "172.18.0.4" - ], - "mac": [ - "02:42:ac:12:00:04" - ], + "id": "8259e024976a406e8a54cdbffeb84fec", + "ip": "192.168.251.4", + "mac": "02-42-C0-A8-FB-04", "name": "docker-fleet-agent", "os": { - "codename": "Core", - "family": "redhat", - "kernel": "5.11.0-44-generic", - "name": "CentOS Linux", - "platform": "centos", + "codename": "focal", + "family": "debian", + "kernel": "3.10.0-1160.99.1.el7.x86_64", + "name": "Ubuntu", + "platform": "ubuntu", "type": "linux", - "version": "7 (Core)" + "version": "20.04.6 LTS (Focal Fossa)" } }, "metricset": { 
@@ -56,22 +55,23 @@ "postgresql": { "activity": { "application_name": "", - "backend_start": "2022-01-12T03:37:42.427Z", + "backend_start": "2024-04-30T09:14:50.875Z", "client": { - "address": "172.18.0.4", + "address": "192.168.251.4", "hostname": "", - "port": 32884 + "port": 49266 }, "database": { "name": "postgres", "oid": 12379 }, - "pid": 111, + "pid": 113, "query": "SELECT * FROM pg_stat_activity", - "query_start": "2022-01-12T03:37:42.428Z", + "query_id": "W/d3kCHhA8b/M4YpzDBJHlJM7xU=", + "query_start": "2024-04-30T09:14:50.877Z", "state": "active", - "state_change": "2022-01-12T03:37:42.428Z", - "transaction_start": "2022-01-12T03:37:42.428Z", + "state_change": "2024-04-30T09:14:50.877Z", + "transaction_start": "2024-04-30T09:14:50.877Z", "user": { "id": 10, "name": "postgres" @@ -80,7 +80,7 @@ } }, "service": { - "address": "postgres://elastic-package-service-postgresql-1:5432?connect_timeout=10\u0026sslmode=disable", + "address": "postgres://elastic-package-service-postgresql-1:5432?connect_timeout=10&sslmode=disable", "type": "postgresql" } } \ No newline at end of file diff --git a/packages/postgresql/data_stream/database/fields/fields.yml b/packages/postgresql/data_stream/database/fields/fields.yml index cdeb0caaacd..20c2a4edb7e 100644 --- a/packages/postgresql/data_stream/database/fields/fields.yml +++ b/packages/postgresql/data_stream/database/fields/fields.yml @@ -1,3 +1,8 @@ +- name: database.oid + type: alias + path: postgresql.database.oid + description: | + OID of the database that this event is related to. - name: postgresql.database type: group fields: diff --git a/packages/postgresql/data_stream/database/sample_event.json b/packages/postgresql/data_stream/database/sample_event.json index 33f11476445..7a88aef472d 100644 --- a/packages/postgresql/data_stream/database/sample_event.json +++ b/packages/postgresql/data_stream/database/sample_event.json 
@@ -1,52 +1,51 @@ { - "@timestamp": "2022-01-12T03:39:15.742Z", + "@timestamp": "2024-05-01T09:58:10.541Z", "agent": { - "ephemeral_id": "ee7be3cd-b6c4-4228-84e5-1c5b44ddfee2", - "id": "9878d192-22ad-49b6-a6c2-9959b0815d04", + "ephemeral_id": "f01bc762-745d-4991-8e9e-72d8b06d0460", + "id": "de455097-cace-48cd-b1db-e2dda1bf1ecd", "name": "docker-fleet-agent", "type": "metricbeat", - "version": "8.0.0-beta1" + "version": "8.13.0" }, "data_stream": { "dataset": "postgresql.database", "namespace": "ep", "type": "metrics" }, + "database": { + "oid": 12379 + }, "ecs": { - "version": "8.5.1" + "version": "8.0.0" }, "elastic_agent": { - "id": "9878d192-22ad-49b6-a6c2-9959b0815d04", + "id": "de455097-cace-48cd-b1db-e2dda1bf1ecd", "snapshot": false, - "version": "8.0.0-beta1" + "version": "8.13.0" }, "event": { "agent_id_status": "verified", "dataset": "postgresql.database", - "duration": 31647610, - "ingested": "2022-01-12T03:39:16Z", + "duration": 17453448, + "ingested": "2024-05-01T09:58:22Z", "module": "postgresql" }, "host": { "architecture": "x86_64", "containerized": true, "hostname": "docker-fleet-agent", - "id": "4ccba669f0df47fa3f57a9e4169ae7f1", - "ip": [ - "172.18.0.4" - ], - "mac": [ - "02:42:ac:12:00:04" - ], + "id": "8259e024976a406e8a54cdbffeb84fec", + "ip": "192.168.241.7", + "mac": "02-42-C0-A8-F1-07", "name": "docker-fleet-agent", "os": { - "codename": "Core", - "family": "redhat", - "kernel": "5.11.0-44-generic", - "name": "CentOS Linux", - "platform": "centos", + "codename": "focal", + "family": "debian", + "kernel": "3.10.0-1160.99.1.el7.x86_64", + "name": "Ubuntu", + "platform": "ubuntu", "type": "linux", - "version": "7 (Core)" + "version": "20.04.6 LTS (Focal Fossa)" } }, "metricset": { @@ -56,8 +55,8 @@ "postgresql": { "database": { "blocks": { - "hit": 0, - "read": 0, + "hit": 2604, + "read": 256, "time": { "read": { "ms": 0 
@@ -69,28 +68,29 @@ }, "conflicts": 0, "deadlocks": 0, - "name": "template1", - "number_of_backends": 0, - "oid": 1, + "name": "postgres", + "number_of_backends": 1, + "oid": 12379, "rows": { "deleted": 0, - "fetched": 0, - "inserted": 0, - "returned": 0, - "updated": 0 + "fetched": 1514, + "inserted": 43, + "returned": 1719, + "updated": 3 }, + "stats_reset": "2024-05-01T09:57:46.179Z", "temporary": { "bytes": 0, "files": 0 }, "transactions": { - "commit": 0, + "commit": 10, "rollback": 0 } } }, "service": { - "address": "postgres://elastic-package-service-postgresql-1:5432?connect_timeout=10\u0026sslmode=disable", + "address": "postgres://elastic-package-service-postgresql-1:5432?connect_timeout=10&sslmode=disable", "type": "postgresql" } } \ No newline at end of file diff --git a/packages/postgresql/data_stream/statement/fields/fields.yml b/packages/postgresql/data_stream/statement/fields/fields.yml index b6f2ada789c..3dbffdd03d1 100644 --- a/packages/postgresql/data_stream/statement/fields/fields.yml +++ b/packages/postgresql/data_stream/statement/fields/fields.yml @@ -1,3 +1,8 @@ +- name: database.oid + type: alias + path: postgresql.statement.database.oid + description: | + OID of the database that this event is related to. - name: postgresql.statement type: group fields: diff --git a/packages/postgresql/data_stream/statement/sample_event.json b/packages/postgresql/data_stream/statement/sample_event.json index 84b356c56f0..e80a2402fe4 100644 --- a/packages/postgresql/data_stream/statement/sample_event.json +++ b/packages/postgresql/data_stream/statement/sample_event.json 
@@ -1,52 +1,51 @@ { - "@timestamp": "2022-01-12T03:40:04.168Z", + "@timestamp": "2024-04-30T09:17:42.181Z", "agent": { - "ephemeral_id": "9ffa86f7-ad81-4b53-84c2-9d263b6b9522", - "id": "9878d192-22ad-49b6-a6c2-9959b0815d04", + "ephemeral_id": "0bad7d4e-66f6-408c-9ae4-f6f4daddb7ab", + "id": "69c77328-4412-45c4-8f98-cc7e7b1fc216", "name": "docker-fleet-agent", "type": "metricbeat", - "version": "8.0.0-beta1" + "version": "8.13.0" }, "data_stream": { "dataset": "postgresql.statement", "namespace": "ep", "type": "metrics" }, + "database": { + "oid": 12379 + }, "ecs": { - "version": "8.5.1" + "version": "8.0.0" }, "elastic_agent": { - "id": "9878d192-22ad-49b6-a6c2-9959b0815d04", + "id": "69c77328-4412-45c4-8f98-cc7e7b1fc216", "snapshot": false, - "version": "8.0.0-beta1" + "version": "8.13.0" }, "event": { "agent_id_status": "verified", "dataset": "postgresql.statement", - "duration": 3146548, - "ingested": "2022-01-12T03:40:05Z", + "duration": 5544043, + "ingested": "2024-04-30T09:17:54Z", "module": "postgresql" }, "host": { "architecture": "x86_64", "containerized": true, "hostname": "docker-fleet-agent", - "id": "4ccba669f0df47fa3f57a9e4169ae7f1", - "ip": [ - "172.18.0.4" - ], - "mac": [ - "02:42:ac:12:00:04" - ], + "id": "8259e024976a406e8a54cdbffeb84fec", + "ip": "192.168.251.4", + "mac": "02-42-C0-A8-FB-04", "name": "docker-fleet-agent", "os": { - "codename": "Core", - "family": "redhat", - "kernel": "5.11.0-44-generic", - "name": "CentOS Linux", - "platform": "centos", + "codename": "focal", + "family": "debian", + "kernel": "3.10.0-1160.99.1.el7.x86_64", + "name": "Ubuntu", + "platform": "ubuntu", "type": "linux", - "version": "7 (Core)" + "version": "20.04.6 LTS (Focal Fossa)" } }, "metricset": { @@ -59,8 +58,8 @@ "oid": 12379 }, "query": { - "calls": 1, - "id": 1592910677, + "calls": 2, + "id": 1691311383, "memory": { "local": { "dirtied": 0, @@ -70,7 +69,7 @@ }, "shared": { "dirtied": 0, - "hit": 0, + "hit": 12, "read": 0, "written": 0 }, 
@@ -79,23 +78,23 @@ "written": 0 } }, - "rows": 1, - "text": "SELECT * FROM pg_stat_statements", + "rows": 6, + "text": "SELECT d.datname as \"Name\",\n pg_catalog.pg_get_userbyid(d.datdba) as \"Owner\",\n pg_catalog.pg_encoding_to_char(d.encoding) as \"Encoding\",\n d.datcollate as \"Collate\",\n d.datctype as \"Ctype\",\n pg_catalog.array_to_string(d.datacl, ?) AS \"Access privileges\"\nFROM pg_catalog.pg_database d\nORDER BY 1;", "time": { "max": { - "ms": 0.10900000000000001 + "ms": 0.107 }, "mean": { - "ms": 0.10900000000000001 + "ms": 0 }, "min": { - "ms": 0.10900000000000001 + "ms": 0.096 }, "stddev": { "ms": 0 }, "total": { - "ms": 0.10900000000000001 + "ms": 0.203 } } }, @@ -105,7 +104,7 @@ } }, "service": { - "address": "postgres://elastic-package-service-postgresql-1:5432?connect_timeout=10\u0026sslmode=disable", + "address": "postgres://elastic-package-service-postgresql-1:5432?connect_timeout=10&sslmode=disable", "type": "postgresql" } } \ No newline at end of file diff --git a/packages/postgresql/docs/README.md b/packages/postgresql/docs/README.md index 369b41964d7..f524117b814 100644 --- a/packages/postgresql/docs/README.md +++ b/packages/postgresql/docs/README.md 
@@ -150,54 +150,53 @@ An example event for `activity` looks as following: ```json { - "@timestamp": "2022-01-12T03:37:42.425Z", + "@timestamp": "2024-04-30T09:14:50.873Z", "agent": { - "ephemeral_id": "095c21dc-35b1-42c4-88f3-56972ef6626a", - "id": "9878d192-22ad-49b6-a6c2-9959b0815d04", + "ephemeral_id": "f065ed3c-78fb-41da-9fe6-88ab3ff0f088", + "id": "69c77328-4412-45c4-8f98-cc7e7b1fc216", "name": "docker-fleet-agent", "type": "metricbeat", - "version": "8.0.0-beta1" + "version": "8.13.0" }, "data_stream": { "dataset": "postgresql.activity", "namespace": "ep", "type": "metrics" }, + "database": { + "oid": 12379 + }, "ecs": { - "version": "8.5.1" + "version": "8.0.0" }, "elastic_agent": { - "id": "9878d192-22ad-49b6-a6c2-9959b0815d04", + "id": "69c77328-4412-45c4-8f98-cc7e7b1fc216", "snapshot": false, - "version": "8.0.0-beta1" + "version": "8.13.0" }, "event": { "agent_id_status": "verified", "dataset": "postgresql.activity", - "duration": 4068224, - "ingested": "2022-01-12T03:37:43Z", + "duration": 6165334, + "ingested": "2024-04-30T09:15:02Z", "module": "postgresql" }, "host": { "architecture": "x86_64", "containerized": true, "hostname": "docker-fleet-agent", - "id": "4ccba669f0df47fa3f57a9e4169ae7f1", - "ip": [ - "172.18.0.4" - ], - "mac": [ - "02:42:ac:12:00:04" - ], + "id": "8259e024976a406e8a54cdbffeb84fec", + "ip": "192.168.251.4", + "mac": "02-42-C0-A8-FB-04", "name": "docker-fleet-agent", "os": { - "codename": "Core", - "family": "redhat", - "kernel": "5.11.0-44-generic", - "name": "CentOS Linux", - "platform": "centos", + "codename": "focal", + "family": "debian", + "kernel": "3.10.0-1160.99.1.el7.x86_64", + "name": "Ubuntu", + "platform": "ubuntu", "type": "linux", - "version": "7 (Core)" + "version": "20.04.6 LTS (Focal Fossa)" } }, "metricset": { 
@@ -207,22 +206,23 @@ An example event for `activity` looks as following: "postgresql": { "activity": { "application_name": "", - "backend_start": "2022-01-12T03:37:42.427Z", + "backend_start": "2024-04-30T09:14:50.875Z", "client": { - "address": "172.18.0.4", + "address": "192.168.251.4", "hostname": "", - "port": 32884 + "port": 49266 }, "database": { "name": "postgres", "oid": 12379 }, - "pid": 111, + "pid": 113, "query": "SELECT * FROM pg_stat_activity", - "query_start": "2022-01-12T03:37:42.428Z", + "query_id": "W/d3kCHhA8b/M4YpzDBJHlJM7xU=", + "query_start": "2024-04-30T09:14:50.877Z", "state": "active", - "state_change": "2022-01-12T03:37:42.428Z", - "transaction_start": "2022-01-12T03:37:42.428Z", + "state_change": "2024-04-30T09:14:50.877Z", + "transaction_start": "2024-04-30T09:14:50.877Z", "user": { "id": 10, "name": "postgres" @@ -231,7 +231,7 @@ An example event for `activity` looks as following: } }, "service": { - "address": "postgres://elastic-package-service-postgresql-1:5432?connect_timeout=10\u0026sslmode=disable", + "address": "postgres://elastic-package-service-postgresql-1:5432?connect_timeout=10&sslmode=disable", "type": "postgresql" } } @@ -259,6 +259,7 @@ An example event for `activity` looks as following: | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | +| database.oid | OID of the database that this event is related to. | alias | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | error.message | Error message. | match_only_text | | event.dataset | Event dataset | constant_keyword | 
@@ -466,54 +467,53 @@ An example event for `database` looks as following: ```json { - "@timestamp": "2022-01-12T03:39:15.742Z", + "@timestamp": "2024-05-01T09:58:10.541Z", "agent": { - "ephemeral_id": "ee7be3cd-b6c4-4228-84e5-1c5b44ddfee2", - "id": "9878d192-22ad-49b6-a6c2-9959b0815d04", + "ephemeral_id": "f01bc762-745d-4991-8e9e-72d8b06d0460", + "id": "de455097-cace-48cd-b1db-e2dda1bf1ecd", "name": "docker-fleet-agent", "type": "metricbeat", - "version": "8.0.0-beta1" + "version": "8.13.0" }, "data_stream": { "dataset": "postgresql.database", "namespace": "ep", "type": "metrics" }, + "database": { + "oid": 12379 + }, "ecs": { - "version": "8.5.1" + "version": "8.0.0" }, "elastic_agent": { - "id": "9878d192-22ad-49b6-a6c2-9959b0815d04", + "id": "de455097-cace-48cd-b1db-e2dda1bf1ecd", "snapshot": false, - "version": "8.0.0-beta1" + "version": "8.13.0" }, "event": { "agent_id_status": "verified", "dataset": "postgresql.database", - "duration": 31647610, - "ingested": "2022-01-12T03:39:16Z", + "duration": 17453448, + "ingested": "2024-05-01T09:58:22Z", "module": "postgresql" }, "host": { "architecture": "x86_64", "containerized": true, "hostname": "docker-fleet-agent", - "id": "4ccba669f0df47fa3f57a9e4169ae7f1", - "ip": [ - "172.18.0.4" - ], - "mac": [ - "02:42:ac:12:00:04" - ], + "id": "8259e024976a406e8a54cdbffeb84fec", + "ip": "192.168.241.7", + "mac": "02-42-C0-A8-F1-07", "name": "docker-fleet-agent", "os": { - "codename": "Core", - "family": "redhat", - "kernel": "5.11.0-44-generic", - "name": "CentOS Linux", - "platform": "centos", + "codename": "focal", + "family": "debian", + "kernel": "3.10.0-1160.99.1.el7.x86_64", + "name": "Ubuntu", + "platform": "ubuntu", "type": "linux", - "version": "7 (Core)" + "version": "20.04.6 LTS (Focal Fossa)" } }, "metricset": { @@ -523,8 +523,8 @@ An example event for `database` looks as following: "postgresql": { "database": { "blocks": { - "hit": 0, - "read": 0, + "hit": 2604, + "read": 256, "time": { "read": { "ms": 0 
@@ -536,28 +536,29 @@ An example event for `database` looks as following: }, "conflicts": 0, "deadlocks": 0, - "name": "template1", - "number_of_backends": 0, - "oid": 1, + "name": "postgres", + "number_of_backends": 1, + "oid": 12379, "rows": { "deleted": 0, - "fetched": 0, - "inserted": 0, - "returned": 0, - "updated": 0 + "fetched": 1514, + "inserted": 43, + "returned": 1719, + "updated": 3 }, + "stats_reset": "2024-05-01T09:57:46.179Z", "temporary": { "bytes": 0, "files": 0 }, "transactions": { - "commit": 0, + "commit": 10, "rollback": 0 } } }, "service": { - "address": "postgres://elastic-package-service-postgresql-1:5432?connect_timeout=10\u0026sslmode=disable", + "address": "postgres://elastic-package-service-postgresql-1:5432?connect_timeout=10&sslmode=disable", "type": "postgresql" } } @@ -585,6 +586,7 @@ An example event for `database` looks as following: | data_stream.dataset | Data stream dataset. | constant_keyword | | | data_stream.namespace | Data stream namespace. | constant_keyword | | | data_stream.type | Data stream type. | constant_keyword | | +| database.oid | OID of the database that this event is related to. | alias | | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | | error.message | Error message. | match_only_text | | | event.dataset | Event dataset | constant_keyword | | 
@@ -637,54 +639,53 @@ An example event for `statement` looks as following: ```json { - "@timestamp": "2022-01-12T03:40:04.168Z", + "@timestamp": "2024-04-30T09:17:42.181Z", "agent": { - "ephemeral_id": "9ffa86f7-ad81-4b53-84c2-9d263b6b9522", - "id": "9878d192-22ad-49b6-a6c2-9959b0815d04", + "ephemeral_id": "0bad7d4e-66f6-408c-9ae4-f6f4daddb7ab", + "id": "69c77328-4412-45c4-8f98-cc7e7b1fc216", "name": "docker-fleet-agent", "type": "metricbeat", - "version": "8.0.0-beta1" + "version": "8.13.0" }, "data_stream": { "dataset": "postgresql.statement", "namespace": "ep", "type": "metrics" }, + "database": { + "oid": 12379 + }, "ecs": { - "version": "8.5.1" + "version": "8.0.0" }, "elastic_agent": { - "id": "9878d192-22ad-49b6-a6c2-9959b0815d04", + "id": "69c77328-4412-45c4-8f98-cc7e7b1fc216", "snapshot": false, - "version": "8.0.0-beta1" + "version": "8.13.0" }, "event": { "agent_id_status": "verified", "dataset": "postgresql.statement", - "duration": 3146548, - "ingested": "2022-01-12T03:40:05Z", + "duration": 5544043, + "ingested": "2024-04-30T09:17:54Z", "module": "postgresql" }, "host": { "architecture": "x86_64", "containerized": true, "hostname": "docker-fleet-agent", - "id": "4ccba669f0df47fa3f57a9e4169ae7f1", - "ip": [ - "172.18.0.4" - ], - "mac": [ - "02:42:ac:12:00:04" - ], + "id": "8259e024976a406e8a54cdbffeb84fec", + "ip": "192.168.251.4", + "mac": "02-42-C0-A8-FB-04", "name": "docker-fleet-agent", "os": { - "codename": "Core", - "family": "redhat", - "kernel": "5.11.0-44-generic", - "name": "CentOS Linux", - "platform": "centos", + "codename": "focal", + "family": "debian", + "kernel": "3.10.0-1160.99.1.el7.x86_64", + "name": "Ubuntu", + "platform": "ubuntu", "type": "linux", - "version": "7 (Core)" + "version": "20.04.6 LTS (Focal Fossa)" } }, "metricset": { 
@@ -697,8 +698,8 @@ An example event for `statement` looks as following: "oid": 12379 }, "query": { - "calls": 1, - "id": 1592910677, + "calls": 2, + "id": 1691311383, "memory": { "local": { "dirtied": 0, @@ -708,7 +709,7 @@ An example event for `statement` looks as following: }, "shared": { "dirtied": 0, - "hit": 0, + "hit": 12, "read": 0, "written": 0 }, @@ -717,23 +718,23 @@ An example event for `statement` looks as following: "written": 0 } }, - "rows": 1, - "text": "SELECT * FROM pg_stat_statements", + "rows": 6, + "text": "SELECT d.datname as \"Name\",\n pg_catalog.pg_get_userbyid(d.datdba) as \"Owner\",\n pg_catalog.pg_encoding_to_char(d.encoding) as \"Encoding\",\n d.datcollate as \"Collate\",\n d.datctype as \"Ctype\",\n pg_catalog.array_to_string(d.datacl, ?) AS \"Access privileges\"\nFROM pg_catalog.pg_database d\nORDER BY 1;", "time": { "max": { - "ms": 0.10900000000000001 + "ms": 0.107 }, "mean": { - "ms": 0.10900000000000001 + "ms": 0 }, "min": { - "ms": 0.10900000000000001 + "ms": 0.096 }, "stddev": { "ms": 0 }, "total": { - "ms": 0.10900000000000001 + "ms": 0.203 } } }, @@ -743,7 +744,7 @@ An example event for `statement` looks as following: } }, "service": { - "address": "postgres://elastic-package-service-postgresql-1:5432?connect_timeout=10\u0026sslmode=disable", + "address": "postgres://elastic-package-service-postgresql-1:5432?connect_timeout=10&sslmode=disable", "type": "postgresql" } } 
@@ -771,6 +772,7 @@ An example event for `statement` looks as following: | data_stream.dataset | Data stream dataset. | constant_keyword | | | data_stream.namespace | Data stream namespace. | constant_keyword | | | data_stream.type | Data stream type. | constant_keyword | | +| database.oid | OID of the database that this event is related to. | alias | | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | | error.message | Error message. | match_only_text | | | event.dataset | Event dataset | constant_keyword | | diff --git a/packages/postgresql/manifest.yml b/packages/postgresql/manifest.yml index a5631260bf7..3187cddd683 100644 --- a/packages/postgresql/manifest.yml +++ b/packages/postgresql/manifest.yml @@ -1,7 +1,7 @@ format_version: "3.0.2" name: postgresql title: PostgreSQL -version: "1.19.0" +version: "1.20.0" description: Collect logs and metrics from PostgreSQL servers with Elastic Agent. type: integration categories: diff --git a/packages/security_detection_engine/changelog.yml b/packages/security_detection_engine/changelog.yml index 134023a32d9..30a07981349 100644 --- a/packages/security_detection_engine/changelog.yml +++ b/packages/security_detection_engine/changelog.yml @@ -1,5 +1,15 @@ # newer versions go on top # NOTE: please use pre-release versions (e.g. -beta.0) until a package is ready for production +- version: 8.13.5 + changes: + - description: Release security rules update + type: enhancement + link: https://github.com/elastic/integrations/pull/9762 +- version: 8.13.5-beta.1 + changes: + - description: Release security rules update + type: enhancement + link: https://github.com/elastic/integrations/pull/9758 - version: 8.13.4 changes: - description: Release security rules update 
diff --git a/packages/security_detection_engine/kibana/security_rule/25d917c4-aa3c-4111-974c-286c0312ff95_4.json b/packages/security_detection_engine/kibana/security_rule/25d917c4-aa3c-4111-974c-286c0312ff95_4.json
new file mode 100644
index 00000000000..d00f552056d
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/25d917c4-aa3c-4111-974c-286c0312ff95_4.json
@@ -0,0 +1,122 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for network connections from a kworker process. kworker, or kernel worker, processes are part of the kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks. Attackers may attempt to evade detection by masquerading as a kernel worker process.", + "from": "now-9m", + "history_window_start": "now-14d", + "index": [ + "logs-endpoint.events.*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Network Activity Detected via Kworker", + "new_terms_fields": [ + "process.name", + "destination.ip", + "destination.port" + ], + "query": "host.os.type:linux and event.category:network and event.action:(connection_attempted or connection_accepted) and \nprocess.name:kworker* and not destination.ip:(\n 10.0.0.0/8 or\n 127.0.0.0/8 or\n 169.254.0.0/16 or\n 172.16.0.0/12 or\n 192.168.0.0/16 or\n 224.0.0.0/4 or\n \"::1\" or\n \"FE80::/10\" or\n \"FF00::/8\"\n) and not destination.port:2049\n", + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "destination.ip", + "type": "ip" + }, + { + "ecs": true, + "name": "destination.port", + "type": "long" + }, + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + } + ], + "risk_score": 21, + "rule_id": "25d917c4-aa3c-4111-974c-286c0312ff95", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows\nthe Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest to select \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "low", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0005", + "name": "Defense Evasion", + "reference": "https://attack.mitre.org/tactics/TA0005/" + }, + "technique": [ + { + "id": "T1036", + "name": "Masquerading", + "reference": "https://attack.mitre.org/techniques/T1036/" + }, + { + "id": "T1014", + "name": "Rootkit", + "reference": "https://attack.mitre.org/techniques/T1014/" + } + ] + }, + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0010", + "name": "Exfiltration", + "reference": "https://attack.mitre.org/tactics/TA0010/" + }, + "technique": [ + { + "id": "T1041", + "name": "Exfiltration Over C2 Channel", + "reference": "https://attack.mitre.org/techniques/T1041/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 4 + }, + "id": "25d917c4-aa3c-4111-974c-286c0312ff95_4", + "type": "security-rule" +} \ No newline at end of file 
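Review bot: The query's only port exclusion is NFS (`not destination.port:2049`), so any other kernel-side network client that happens to run on a kworker thread (in-kernel CIFS/SMB, iSCSI or rpcbind-backed mounts, if they surface that way in Elastic Defend events) reaching a non-private address will raise a new-terms alert, and the rule carries no `false_positives` entry to warn the analyst. The sibling rule 28f6f34b in this same release documents its expected noise, so suggest adding `"false_positives": ["Kernel-initiated network I/O for in-kernel storage clients (NFS, CIFS/SMB, iSCSI) to non-private addresses."]` and, if those ports prove noisy in practice, widening the exclusion to `not destination.port:(2049 or 445 or 3260)`. Separately, the IPv6 side of the `destination.ip` exclusion only lists loopback, link-local and multicast; the RFC1918 exclusions have no ULA counterpart, so adding `"fc00::/7"` would keep the two address families consistent.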
diff --git a/packages/security_detection_engine/kibana/security_rule/28f6f34b-8e16-487a-b5fd-9d22eb903db8_1.json b/packages/security_detection_engine/kibana/security_rule/28f6f34b-8e16-487a-b5fd-9d22eb903db8_1.json
new file mode 100644
index 00000000000..0d2808a8dc8
--- /dev/null
+++ b/packages/security_detection_engine/kibana/security_rule/28f6f34b-8e16-487a-b5fd-9d22eb903db8_1.json
@@ -0,0 +1,113 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors the creation/alteration of a shell configuration by a previously unknown process executable using the new terms rule type. Unix systems use shell configuration files to set environment variables, create aliases, and customize the user's environment. Adversaries may modify or add a shell configuration file to execute malicious code and gain persistence in the system. This behavior is consistent with the Kaiji malware family.", + "false_positives": [ + "Legitimate user shell modification activity." + ], + "from": "now-9m", + "history_window_start": "now-10d", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "kuery", + "license": "Elastic License v2", + "name": "Shell Configuration Modification", + "new_terms_fields": [ + "host.id", + "user.id", + "process.executable" + ], + "query": "event.category:file and host.os.type:linux and\nevent.action:(creation or file_create_event or rename or file_rename_event) and file.path:(\n \"/etc/profile\" or \"/etc/profile.local\" or \"/etc/bashrc\" or \"/etc/bash.bashrc\" or \"/etc/bash.bashrc.local\" or\n \"/etc/zshenv\" or \"/etc/zprofile\" or \"/etc/zlogin\" or \"/etc/zlogout\" or \"/root/.profile\" or \"/root/.bash_logout\" or\n \"/root/.bashrc\" or \"/root/.bash_login\" or /etc/profile.d/* or /home/*/.profile or /home/*/.bash_logout or\n /home/*/.bashrc or /home/*/.bash_login\n) and not (\n (process.executable: (\n \"/bin/dpkg\" or \"/usr/bin/dpkg\" or \"/bin/useradd\" or \"/usr/sbin/useradd\" or \"/bin/adduser\" or \"/usr/sbin/adduser\" or\n \"/bin/dockerd\" or \"/usr/bin/dockerd\" or \"/bin/microdnf\" or \"/usr/bin/microdnf\" or \"/bin/rpm\" or \"/usr/bin/rpm\" or\n \"/bin/snapd\" or \"/usr/bin/snapd\" or \"/bin/yum\" or \"/usr/bin/yum\" or \"/bin/dnf\" or \"/usr/bin/dnf\" or \"/bin/podman\" or\n \"/usr/bin/podman\" or \"/bin/dnf-automatic\" or \"/usr/bin/dnf-automatic\" or \"/bin/pacman\" or 
\"/usr/bin/pacman\"\n )\n) or\n (file.extension:(\"swp\" or \"swpx\")) or\n (process.executable:(\"/bin/sed\" or \"/usr/bin/sed\") and file.name:sed*) or\n (process.executable:(\"/bin/perl\" or \"/usr/bin/perl\") and file.name:e2scrub_all.tmp*)\n)\n", + "references": [ + "https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.category", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.extension", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "file.path", + "type": "keyword" + }, + { + "ecs": true, + "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.executable", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "28f6f34b-8e16-487a-b5fd-9d22eb903db8", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. 
Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Elastic Endgame", + "Data Source: Elastic Defend" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0003", + "name": "Persistence", + "reference": "https://attack.mitre.org/tactics/TA0003/" + }, + "technique": [ + { + "id": "T1546", + "name": "Event Triggered Execution", + "reference": "https://attack.mitre.org/techniques/T1546/", + "subtechnique": [ + { + "id": "T1546.004", + "name": "Unix Shell Configuration Modification", + "reference": "https://attack.mitre.org/techniques/T1546/004/" + } + ] + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "new_terms", + "version": 1 + }, + "id": "28f6f34b-8e16-487a-b5fd-9d22eb903db8_1", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/6ee947e9-de7e-4281-a55d-09289bdf947e_7.json b/packages/security_detection_engine/kibana/security_rule/6ee947e9-de7e-4281-a55d-09289bdf947e_7.json new file mode 100644 index 00000000000..699a3f67b31 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/6ee947e9-de7e-4281-a55d-09289bdf947e_7.json 
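Review bot: The `file.path` list in the query omits `.bash_profile` (`/root/.bash_profile`, `/home/*/.bash_profile`), which bash sources in preference to `.profile` for login shells and which the T1546.004 technique this rule maps to explicitly names, so a Kaiji-style write there is not detected; user-level zsh files (`.zshrc`, `.zprofile`, `.zlogin`) are likewise absent even though their `/etc/z*` counterparts are listed. Suggest extending the list with `"/root/.bash_profile" or /home/*/.bash_profile or "/root/.zshrc" or /home/*/.zshrc or "/root/.zprofile" or /home/*/.zprofile`. Home directories outside `/home` (service accounts, custom `HOME`) are also uncovered; whether that is acceptable depends on the fleet, but it deserves a line in `false_positives` or the description so the gap is known rather than discovered.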
@@ -0,0 +1,99 @@ +{ + "attributes": { + "author": [ + "Elastic" + ], + "description": "This rule monitors for a set of Linux utilities that can be used for tunneling and port forwarding. Attackers can leverage tunneling and port forwarding techniques to bypass network defenses, establish hidden communication channels, and gain unauthorized access to internal resources, facilitating data exfiltration, lateral movement, and remote control.", + "from": "now-9m", + "index": [ + "logs-endpoint.events.*", + "endgame-*" + ], + "language": "eql", + "license": "Elastic License v2", + "name": "Potential Linux Tunneling and/or Port Forwarding", + "note": "## Triage and analysis\n\n### Investigating Potential Linux Tunneling and/or Port Forwarding\n\nAttackers can leverage many utilities to clandestinely tunnel network communications and evade security measures, potentially gaining unauthorized access to sensitive systems.\n\nThis rule looks for several utilities that are capable of setting up tunnel network communications by analyzing process names or command line arguments. \n\n> **Note**:\n> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.\n> This investigation guide uses [placeholder fields](https://www.elastic.co/guide/en/security/current/osquery-placeholder-fields.html) to dynamically pass alert data into Osquery queries. Placeholder fields were introduced in Elastic Stack version 8.7.0. If you're using Elastic Stack version 8.6.0 or earlier, you'll need to manually adjust this investigation guide's queries to ensure they properly run.\n\n#### Possible investigation steps\n\n- Identify any signs of suspicious network activity or anomalies that may indicate protocol tunneling. 
This could include unexpected traffic patterns or unusual network behavior.\n - Investigate listening ports and open sockets to look for potential protocol tunneling, reverse shells, or data exfiltration.\n - !{osquery{\"label\":\"Osquery - Retrieve Listening Ports\",\"query\":\"SELECT pid, address, port, socket, protocol, path FROM listening_ports\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Open Sockets\",\"query\":\"SELECT pid, family, remote_address, remote_port, socket, state FROM process_open_sockets\"}}\n- Identify the user account that performed the action, analyze it, and check whether it should perform this kind of action.\n - !{osquery{\"label\":\"Osquery - Retrieve Information for a Specific User\",\"query\":\"SELECT * FROM users WHERE username = {{user.name}}\"}}\n- Investigate whether the user is currently logged in and active.\n - !{osquery{\"label\":\"Osquery - Investigate the Account Authentication Status\",\"query\":\"SELECT * FROM logged_in_users WHERE user = {{user.name}}\"}}\n- Investigate the script execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence and whether they are located in expected locations.\n - !{osquery{\"label\":\"Osquery - Retrieve Running Processes by User\",\"query\":\"SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username\"}}\n - !{osquery{\"label\":\"Osquery - Retrieve Process Info\",\"query\":\"SELECT name, cmdline, parent, path, uid FROM processes\"}}\n- Investigate other alerts associated with the user/host during the past 48 hours.\n - If scripts or executables were dropped, retrieve the files and determine if they are malicious:\n - Use a private sandboxed malware analysis system to perform analysis.\n - Observe and collect information about the following activities:\n - Attempts to contact external domains and addresses.\n - Check if the domain is newly registered or unexpected.\n - Check the reputation of the domain or IP address.\n - File access, modification, and creation activities.\n\n### Related rules\n\n- Potential Protocol Tunneling via Chisel Client - 3f12325a-4cc6-410b-8d4c-9fbbeb744cfd\n- Potential Protocol Tunneling via Chisel Server - ac8805f6-1e08-406c-962e-3937057fa86f\n- Potential Protocol Tunneling via EarthWorm - 9f1c4ca3-44b5-481d-ba42-32dc215a2769\n- Suspicious Utility Launched via ProxyChains - 6ace94ba-f02c-4d55-9f53-87d99b6f9af4\n- ProxyChains Activity - 4b868f1f-15ff-4ba3-8c11-d5a7a6356d37\n\n### False positive analysis\n\n- If this activity is related to new benign software installation activity, consider adding exceptions \u2014 preferably with a combination of user and command line conditions.\n- If this activity is related to a system administrator or developer who uses port tunneling/forwarding for benign purposes, consider adding exceptions for specific user accounts or hosts. \n- Try to understand the context of the execution by thinking about the user, machine, or business purpose. 
A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Isolate the involved host to prevent further post-compromise behavior.\n- If the triage identified malware, search the environment for additional compromised hosts.\n - Implement temporary network rules, procedures, and segmentation to contain the malware.\n - Stop suspicious processes.\n - Immediately block the identified indicators of compromise (IoCs).\n - Inspect the affected systems for additional malware backdoors, such as reverse shells, reverse proxies, or droppers, that attackers could use to reinfect the system.\n- Remove and block malicious artifacts identified during triage.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.\n- Run a full antimalware scan. 
This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.\n- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.\n- Leverage the incident response data and logging to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).\n", + "query": "process where host.os.type == \"linux\" and event.type == \"start\" and event.action in (\"exec\", \"exec_event\") and (\n (\n // gost & pivotnacci - spawned without process.parent.name\n (process.name == \"gost\" and process.args : (\"-L*\", \"-C*\", \"-R*\")) or (process.name == \"pivotnacci\")) or (\n // ssh\n (process.name in (\"ssh\", \"sshd\") and (process.args in (\"-R\", \"-L\", \"-D\", \"-w\") and process.args_count >= 4 and \n not process.args : \"chmod\")) or\n // sshuttle\n (process.name == \"sshuttle\" and process.args in (\"-r\", \"--remote\", \"-l\", \"--listen\") and process.args_count >= 4) or\n // socat\n (process.name == \"socat\" and process.args : (\"TCP4-LISTEN:*\", \"SOCKS*\") and process.args_count >= 3) or\n // chisel\n (process.name : \"chisel*\" and process.args in (\"client\", \"server\")) or\n // iodine(d), dnscat, hans, ptunnel-ng, ssf, 3proxy & ngrok \n (process.name in (\"iodine\", \"iodined\", \"dnscat\", \"hans\", \"hans-ubuntu\", \"ptunnel-ng\", \"ssf\", \"3proxy\", \"ngrok\"))\n ) and process.parent.name in (\"bash\", \"dash\", \"ash\", \"sh\", \"tcsh\", \"csh\", \"zsh\", \"ksh\", \"fish\")\n)\n", + "references": [ + "https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform", + "https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding" + ], + "related_integrations": [ + { + "package": "endpoint", + "version": "^8.2.0" + } + ], + "required_fields": [ + { + "ecs": true, + "name": "event.action", + "type": "keyword" + }, + { + "ecs": true, + "name": "event.type", + "type": "keyword" + }, + { + "ecs": true, 
+ "name": "host.os.type", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.args_count", + "type": "long" + }, + { + "ecs": true, + "name": "process.name", + "type": "keyword" + }, + { + "ecs": true, + "name": "process.parent.name", + "type": "keyword" + } + ], + "risk_score": 47, + "rule_id": "6ee947e9-de7e-4281-a55d-09289bdf947e", + "setup": "## Setup\n\nThis rule requires data coming in from Elastic Defend.\n\n### Elastic Defend Integration Setup\nElastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.\n\n#### Prerequisite Requirements:\n- Fleet is required for Elastic Defend.\n- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).\n\n#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:\n- Go to the Kibana home page and click \"Add integrations\".\n- In the query bar, search for \"Elastic Defend\" and select the integration to see more details about it.\n- Click \"Add Elastic Defend\".\n- Configure the integration name and optionally add a description.\n- Select the type of environment you want to protect, either \"Traditional Endpoints\" or \"Cloud Workloads\".\n- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).\n- We suggest selecting \"Complete EDR (Endpoint Detection and Response)\" as a configuration setting, that provides \"All events; all preventions\"\n- Enter a name for the agent policy in \"New agent policy name\". 
If other agent policies already exist, you can click the \"Existing hosts\" tab and select an existing policy instead.\nFor more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).\n- Click \"Save and Continue\".\n- To complete the integration, select \"Add Elastic Agent to your hosts\" and continue to the next section to install the Elastic Agent on your hosts.\nFor more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).\n", + "severity": "medium", + "tags": [ + "Domain: Endpoint", + "OS: Linux", + "Use Case: Threat Detection", + "Tactic: Command and Control", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame" + ], + "threat": [ + { + "framework": "MITRE ATT&CK", + "tactic": { + "id": "TA0011", + "name": "Command and Control", + "reference": "https://attack.mitre.org/tactics/TA0011/" + }, + "technique": [ + { + "id": "T1572", + "name": "Protocol Tunneling", + "reference": "https://attack.mitre.org/techniques/T1572/" + } + ] + } + ], + "timestamp_override": "event.ingested", + "type": "eql", + "version": 7 + }, + "id": "6ee947e9-de7e-4281-a55d-09289bdf947e_7", + "type": "security-rule" +} \ No newline at end of file diff --git a/packages/security_detection_engine/kibana/security_rule/dffbd37c-d4c5-46f8-9181-5afdd9172b4c_1.json b/packages/security_detection_engine/kibana/security_rule/dffbd37c-d4c5-46f8-9181-5afdd9172b4c_1.json new file mode 100644 index 00000000000..db4101d6340 --- /dev/null +++ b/packages/security_detection_engine/kibana/security_rule/dffbd37c-d4c5-46f8-9181-5afdd9172b4c_1.json 
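Review bot: The socat branch of the query only matches `TCP4-LISTEN:*`, so the address-family-agnostic `TCP-LISTEN:` form (the one most tutorials and tooling emit), `TCP6-LISTEN:` and `UDP*-LISTEN:` never trigger; suggest `process.args : ("TCP*-LISTEN:*", "UDP*-LISTEN:*", "SOCKS*")`. The ssh branch has the same shape of gap: `process.args in ("-R", "-L", "-D", "-w")` is an exact-token comparison, so the equally common joined spellings `-L8080:host:80`, `-D1080` or `-R0.0.0.0:2222:localhost:22` are missed, and `process.args : ("-R*", "-L*", "-D*", "-w*")` would catch them at the cost of a few extra matches on unrelated flags that `process.args_count >= 4` and the shell-parent condition partly offset. Note that, because of the parenthesisation, the trailing `process.parent.name in (...)` constraint gates every branch except gost/pivotnacci, so an ssh/socat tunnel launched from cron, systemd or a non-shell dropper does not match; if that is intentional, a sentence in `false_positives` or the investigation note saying the rule targets interactive use would help triage.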
@@ -0,0 +1,93 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies a privilege escalation attempt via exploiting CVE-2022-38028 to hijack the print spooler service execution.",
+ "from": "now-9m",
+ "index": [
+ "logs-endpoint.events.file-*",
+ "logs-windows.sysmon_operational-*",
+ "endgame-*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "Potential privilege escalation via CVE-2022-38028",
+ "query": "file where host.os.type == \"windows\" and\n file.path : (\"?:\\\\*\\\\Windows\\\\system32\\\\DriVerStoRe\\\\FiLeRePoSiToRy\\\\*\\\\MPDW-constraints.js\",\n \"?:\\\\*\\\\Windows\\\\WinSxS\\\\amd64_microsoft-windows-printing-printtopdf_*\\\\MPDW-constraints.js\")\n",
+ "references": [
+ "https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/"
+ ],
+ "related_integrations": [
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ },
+ {
+ "package": "windows",
+ "version": "^1.5.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "file.path",
+ "type": "keyword"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 73,
+ "rule_id": "dffbd37c-d4c5-46f8-9181-5afdd9172b4c",
+ "severity": "high",
+ "tags": [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Endgame",
+ "Data Source: Elastic Defend",
+ "Data Source: Sysmon"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0004",
+ "name": "Privilege Escalation",
+ "reference": "https://attack.mitre.org/tactics/TA0004/"
+ },
+ "technique": [
+ {
+ "id": "T1068",
+ "name": "Exploitation for Privilege Escalation",
+ "reference": "https://attack.mitre.org/techniques/T1068/"
+ }
+ ]
+ },
+ {
+ "framework": "MITRE ATT&CK",
+ "tactic": {
+ "id": "TA0005",
+ "name": "Defense Evasion",
+ "reference": "https://attack.mitre.org/tactics/TA0005/"
+ },
+ "technique": [
+ {
+ "id": "T1036",
+ "name": "Masquerading",
+ "reference": "https://attack.mitre.org/techniques/T1036/"
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 1
+ },
+ "id": "dffbd37c-d4c5-46f8-9181-5afdd9172b4c_1",
+ "type": "security-rule"
+}
\ No newline at end of file
diff --git a/packages/security_detection_engine/manifest.yml b/packages/security_detection_engine/manifest.yml
index b7c3fbba507..16f955d9ceb 100644
--- a/packages/security_detection_engine/manifest.yml
+++ b/packages/security_detection_engine/manifest.yml
@@ -19,4 +19,4 @@ source:
 license: Elastic-2.0
 title: Prebuilt Security Detection Rules
 type: integration
-version: 8.13.4
+version: 8.13.5
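Review bot: Both `file.path` patterns in the query put a mandatory `\*\` segment between the drive letter and `Windows`, so the genuine `C:\Windows\system32\DriverStore\FileRepository\...` path (no intermediate directory) can never match and only a copy of that tree staged under some other directory does — presumably deliberate, mirroring the attacker-created fake directory layout the referenced Microsoft write-up describes, but nothing in the rule says so, and a maintainer who "fixes" the pattern to `?:\\Windows\\...` would turn every legitimate Windows-servicing write to the real DriverStore into a high-severity alert. Suggest recording the intent in `description`, e.g. appending `The path patterns intentionally require a directory between the drive root and Windows\, matching the staged fake DriverStore/WinSxS tree the GooseEgg launcher drops MPDW-constraints.js into rather than the real system path.` Two smaller points worth a word in the same place: the mixed-case `DriVerStoRe\FiLeRePoSiToRy` is cosmetic because EQL's `:` comparison is case-insensitive, and the query has no `event.action`/`event.type` filter, so rename and deletion events on that path fire as well as creation — acceptable for an IoC-style rule, but it should be a stated choice.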