diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 4bf08898fc8d..012f13a5fc09 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -283,6 +283,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Fix syscall kprobe arguments for 32-bit systems in socket module. {pull}17500[17500]
 - Fix memory leak on when we miss socket close kprobe events. {pull}17500[17500]
 - Add system module process dataset ECS categorization fields. {pull}18032[18032]
+- Add system module socket dataset ECS categorization fields. {pull}18036[18036]
 
 *Filebeat*
 
diff --git a/x-pack/auditbeat/module/system/socket/state.go b/x-pack/auditbeat/module/system/socket/state.go
index 19be9d0a0ee8..5719bf3b1389 100644
--- a/x-pack/auditbeat/module/system/socket/state.go
+++ b/x-pack/auditbeat/module/system/socket/state.go
@@ -884,6 +884,11 @@ func (f *flow) toEvent(final bool) (ev mb.Event, err error) {
 if inetType == inetTypeIPv6 && f.local.addr.IP.To4() != nil && f.remote.addr.IP.To4() != nil {
 inetType = inetTypeIPv4
 }
+ eventType := []string{"info"}
+ if inetType == inetTypeIPv6 || inetType == inetTypeIPv4 {
+ eventType = append(eventType, "connection")
+ }
+
 root := common.MapStr{
 "source": src,
 "client": src,
@@ -906,7 +911,8 @@ func (f *flow) toEvent(final bool) (ev mb.Event, err error) {
 "event": common.MapStr{
 "kind": "event",
 "action": "network_flow",
- "category": "network_traffic",
+ "category": []string{"network", "network_traffic"},
+ "type": eventType,
 "start": f.createdTime,
 "end": f.lastSeenTime,
 "duration": f.lastSeenTime.Sub(f.createdTime).Nanoseconds(),
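Review bot: The rule behind `eventType` — "connection" is appended only when `inetType` resolved to IPv4 or IPv6, and the `final` parameter of toEvent plays no part, so periodic and final flow events carry the same `event.type` — is not written down next to the code, and the value is consumed two hunks later in the `"event"` map at @@ -906. If that is the intended ECS mapping, a one-line comment above the `if` would save the next reader from checking: `// ECS event.type: "info" for every flow, plus "connection" when the address family is IPv4 or IPv6.` The body of toEvent starts and ends outside this hunk.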
@@ -917,6 +923,17 @@ func (f *flow) toEvent(final bool) (ev mb.Event, err error) {
 },
 }
 
+ relatedIPs := []string{}
+ if len(localAddr.IP) != 0 {
+ relatedIPs = append(relatedIPs, localAddr.IP.String())
+ }
+ if len(localAddr.IP) > 0 {
+ relatedIPs = append(relatedIPs, remoteAddr.IP.String())
+ }
+ if len(relatedIPs) > 0 {
+ root.Put("related.ip", relatedIPs)
+ }
+
 metricset := common.MapStr{
 "kernel_sock_address": fmt.Sprintf("0x%x", f.sock),
 }
@@ -940,6 +957,7 @@ func (f *flow) toEvent(final bool) (ev mb.Event, err error) {
 root.Put("group.id", gid)
 if name := userCache.LookupUID(uid); name != "" {
 root.Put("user.name", name)
+ root.Put("related.user", []string{name})
 }
 if name := groupCache.LookupGID(gid); name != "" {
 root.Put("group.name", name)
diff --git a/x-pack/auditbeat/module/system/socket/state_test.go b/x-pack/auditbeat/module/system/socket/state_test.go
index bde87dfed02c..1fcaeb78abf9 100644
--- a/x-pack/auditbeat/module/system/socket/state_test.go
+++ b/x-pack/auditbeat/module/system/socket/state_test.go
@@ -54,7 +54,7 @@ func TestTCPConnWithProcess(t *testing.T) {
 lAddr, rAddr := ipv4(localIP), ipv4(remoteIP)
 evs := []event{
 callExecve(meta(1234, 1234, 1), []string{"/usr/bin/curl", "https://example.net/", "-o", "/tmp/site.html"}),
- &commitCreds{Meta: meta(1234, 1234, 2), UID: 501, GID: 20, EUID: 501, EGID: 20},
+ &commitCreds{Meta: meta(1234, 1234, 2), UID: 0, GID: 20, EUID: 501, EGID: 20},
 &execveRet{Meta: meta(1234, 1234, 2), Retval: 1234},
 &inetCreate{Meta: meta(1234, 1235, 5), Proto: 0},
 &sockInitData{Meta: meta(1234, 1235, 5), Sock: sock},
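Review bot: The second guard in the new `related.ip` block tests `len(localAddr.IP)` but appends `remoteAddr.IP.String()`, so it gates the remote address on the wrong side: a flow with a local address and an empty remote address would add the string form of a zero-length IP (`"<nil>"` for a `net.IP`, which `.IP` presumably is here) to `related.ip`, and a flow with only a remote address would never record it. The fix is one token, `if len(remoteAddr.IP) > 0 {`; writing the first guard as `> 0` too would keep the two symmetric. The expectations added in state_test.go at @@ -119 populate both addresses, so they cannot catch this; a case with only one side set would. toEvent starts and ends outside this hunk.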
@@ -119,7 +119,12 @@ func TestTCPConnWithProcess(t *testing.T) {
 "network.type": "ipv4",
 "process.pid": 1234,
 "process.name": "curl",
- "user.id": "501",
+ "user.id": "0",
+ "user.name": "root",
+ "event.type": []string{"info", "connection"},
+ "event.category": []string{"network", "network_traffic"},
+ "related.ip": []string{localIP, remoteIP},
+ "related.user": []string{"root"},
 } {
 if !assertValue(t, flow, expected, field) {
 t.Fatal("expected value not found")
@@ -212,6 +217,8 @@ func TestTCPConnWithProcessSocketTimeouts(t *testing.T) {
 "process.pid": 1234,
 "process.name": "curl",
 "user.id": "501",
+ "event.type": []string{"info", "connection"},
+ "event.category": []string{"network", "network_traffic"},
 } {
 if !assertValue(t, flow, expected, field) {
 t.Fatal("expected value not found")
@@ -234,6 +241,8 @@ func TestTCPConnWithProcessSocketTimeouts(t *testing.T) {
 "network.direction": "unknown",
 "network.transport": "tcp",
 "network.type": "ipv4",
+ "event.type": []string{"info", "connection"},
+ "event.category": []string{"network", "network_traffic"},
 } {
 if !assertValue(t, flow, expected, field) {
 t.Fatal("expected value not found")
@@ -300,6 +309,8 @@ func TestUDPOutgoingSinglePacketWithProcess(t *testing.T) {
 "process.pid": 1234,
 "process.name": "exfil-udp",
 "user.id": "501",
+ "event.type": []string{"info", "connection"},
+ "event.category": []string{"network", "network_traffic"},
 } {
 assertValue(t, flow, expected, field)
 }
@@ -370,6 +381,8 @@ func TestUDPIncomingSinglePacketWithProcess(t *testing.T) {
 "process.pid": 1234,
 "process.name": "exfil-udp",
 "user.id": "501",
+ "event.type": []string{"info", "connection"},
+ "event.category": []string{"network", "network_traffic"},
 } {
 assertValue(t, flow, expected, field)
 }
diff --git a/x-pack/auditbeat/tests/system/test_system_socket.py b/x-pack/auditbeat/tests/system/test_system_socket.py
index 410967ffba2c..b4c6b7cec606 100644
--- a/x-pack/auditbeat/tests/system/test_system_socket.py
+++ b/x-pack/auditbeat/tests/system/test_system_socket.py
@@ -617,7 +617,7 @@ def expected(self):
 "destination.packets": 1,
 "destination.port": self.dns_server_addr[1],
 "event.action": "network_flow",
- "event.category": "network_traffic",
+ "event.category": ["network", "network_traffic"],
 "event.dataset": "socket",
 "event.kind": "event",
 "event.module": "system",
@@ -648,7 +648,7 @@ def expected(self):
 "destination.packets": server_packets,
 "destination.port": self.server_addr[1],
 "event.action": "network_flow",
- "event.category": "network_traffic",
+ "event.category": ["network", "network_traffic"],
 "event.dataset": "socket",
 "event.kind": "event",
 "event.module": "system",