diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index b3c9c825cf4c..fc39a1236b04 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -176,6 +176,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Remove Beta label from google-pubsub input. {issue}13346[13346] {pull}14715[14715] - Set event.outcome field based on googlecloud audit log output. {pull}15731[15731] - Add dashboard for AWS vpcflow fileset. {pull}16007[16007] +- Add ECS tls fields to zeek:smtp,rdp,ssl and aws:s3access,elb {issue}15757[15757] {pull}15935[15936] *Heartbeat* diff --git a/x-pack/filebeat/module/aws/elb/ingest/pipeline.yml b/x-pack/filebeat/module/aws/elb/ingest/pipeline.yml index 25db60e41d99..802ea112f374 100644 --- a/x-pack/filebeat/module/aws/elb/ingest/pipeline.yml +++ b/x-pack/filebeat/module/aws/elb/ingest/pipeline.yml @@ -139,6 +139,26 @@ processors: target_field: source.as.organization.name ignore_missing: true + - set: + field: tls.cipher + value: '{{aws.elb.ssl_cipher}}' + if: ctx.aws?.elb?.ssl_cipher != null + + - script: + lang: painless + if: ctx.aws?.elb?.ssl_protocol != null + source: >- + def parts = ctx.aws.elb.ssl_protocol.splitOnToken("v"); + if (parts.length != 2) { + return; + } + if (parts[1].contains(".")) { + ctx.tls.version = parts[1]; + } else { + ctx.tls.version = parts[1].substring(0,1) + "." + parts[1].substring(1); + } + ctx.tls.version_protocol = parts[0].toLowerCase(); + - remove: field: - message diff --git a/x-pack/filebeat/module/aws/elb/test/example-alb-http.log-expected.json b/x-pack/filebeat/module/aws/elb/test/example-alb-http.log-expected.json index 2cfc43e54587..65824aab2208 100644 --- a/x-pack/filebeat/module/aws/elb/test/example-alb-http.log-expected.json +++ b/x-pack/filebeat/module/aws/elb/test/example-alb-http.log-expected.json 
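Review bot: The ssl_protocol script in the ELB pipeline produces a malformed tls.version for single-digit protocol names: for `TLSv1` (which classic ELB security policies can still negotiate) parts[1] is "1", so `parts[1].substring(0,1) + "." + parts[1].substring(1)` yields "1." instead of "1.0", and `SSLv3` would become "3." — whereas the Zeek ssl script in this same change appends ".0" for the SSL case. The script also writes `ctx.tls.version` without checking that `ctx.tls` exists; the map is only created by the preceding tls.cipher `set`, so an event that carries ssl_protocol but no ssl_cipher (if the grok pattern ever leaves that field unset) would throw inside the script and land in on_failure. Both are fixable inside the script body; note the fixtures only exercise TLSv1.2, so neither case is covered by the expected JSON.

```yaml
  - script:
      lang: painless
      if: ctx.aws?.elb?.ssl_protocol != null
      source: >-
        def parts = ctx.aws.elb.ssl_protocol.splitOnToken("v");
        if (parts.length != 2) {
          return;
        }
        if (ctx.tls == null) {
          ctx.tls = new HashMap();
        }
        def v = parts[1];
        if (!v.contains(".")) {
          v = v.length() > 1 ? v.substring(0,1) + "." + v.substring(1) : v + ".0";
        }
        ctx.tls.version = v;
        ctx.tls.version_protocol = parts[0].toLowerCase();
```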
@@ -72,6 +72,9 @@ "service.type": "aws", "source.ip": "192.168.131.39", "source.port": "2817", + "tls.cipher": "ECDHE-RSA-AES128-GCM-SHA256", + "tls.version": "1.2", + "tls.version_protocol": "tls", "user_agent.original": "curl/7.46.0" }, { @@ -110,6 +113,9 @@ "service.type": "aws", "source.ip": "10.0.1.252", "source.port": "48160", + "tls.cipher": "ECDHE-RSA-AES128-GCM-SHA256", + "tls.version": "1.2", + "tls.version_protocol": "tls", "user_agent.original": "curl/7.46.0" }, { @@ -174,6 +180,9 @@ "service.type": "aws", "source.ip": "10.0.0.140", "source.port": "44244", + "tls.cipher": "ECDHE-RSA-AES128-GCM-SHA256", + "tls.version": "1.2", + "tls.version_protocol": "tls", "user_agent.original": "-" }, { diff --git a/x-pack/filebeat/module/aws/elb/test/example-https.log-expected.json b/x-pack/filebeat/module/aws/elb/test/example-https.log-expected.json index 22d9a7b32a70..acd0407d4c34 100644 --- a/x-pack/filebeat/module/aws/elb/test/example-https.log-expected.json +++ b/x-pack/filebeat/module/aws/elb/test/example-https.log-expected.json @@ -26,6 +26,9 @@ "service.type": "aws", "source.ip": "192.168.131.39", "source.port": "2817", + "tls.cipher": "DHE-RSA-AES128-SHA", + "tls.version": "1.2", + "tls.version_protocol": "tls", "user_agent.original": "curl/7.38.0" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/aws/elb/test/example-nlb-tcp.log-expected.json b/x-pack/filebeat/module/aws/elb/test/example-nlb-tcp.log-expected.json index 88a07dc63c6c..950dc276a5d7 100644 --- a/x-pack/filebeat/module/aws/elb/test/example-nlb-tcp.log-expected.json +++ b/x-pack/filebeat/module/aws/elb/test/example-nlb-tcp.log-expected.json @@ -32,6 +32,9 @@ "source.geo.region_iso_code": "US-VA", "source.geo.region_name": "Virginia", "source.ip": "72.21.218.154", - "source.port": "51341" + "source.port": "51341", + "tls.cipher": "ECDHE-RSA-AES128-SHA", + "tls.version": "1.2", + "tls.version_protocol": "tls" } ] \ No newline at end of file 
diff --git a/x-pack/filebeat/module/aws/elb/test/example-ssl.log-expected.json b/x-pack/filebeat/module/aws/elb/test/example-ssl.log-expected.json index e7dee75bd04b..c19bbbccdacc 100644 --- a/x-pack/filebeat/module/aws/elb/test/example-ssl.log-expected.json +++ b/x-pack/filebeat/module/aws/elb/test/example-ssl.log-expected.json @@ -20,6 +20,9 @@ "service.type": "aws", "source.bytes": 57, "source.ip": "192.168.131.39", - "source.port": "2817" + "source.port": "2817", + "tls.cipher": "ECDHE-ECDSA-AES128-GCM-SHA256", + "tls.version": "1.2", + "tls.version_protocol": "tls" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/aws/s3access/ingest/pipeline.yml b/x-pack/filebeat/module/aws/s3access/ingest/pipeline.yml index 8090da4d465d..8c54475ade94 100644 --- a/x-pack/filebeat/module/aws/s3access/ingest/pipeline.yml +++ b/x-pack/filebeat/module/aws/s3access/ingest/pipeline.yml @@ -30,6 +30,21 @@ processors: ignore_failure: true formats: - "dd/MMM/yyyy:H:m:s Z" + - set: + field: tls.cipher + value: '{{aws.s3access.cipher_suite}}' + if: ctx.aws?.s3access?.cipher_suite != null + + - script: + lang: painless + if: ctx.aws?.s3access?.tls_version != null + source: >- + def parts = ctx.aws.s3access.tls_version.toLowerCase().splitOnToken("v"); + if (parts.length != 2) { + return; + } + ctx.tls.version = parts[1]; + ctx.tls.version_protocol = parts[0] # # Remove temporary fields diff --git a/x-pack/filebeat/module/aws/s3access/test/s3_server_access.log-expected.json b/x-pack/filebeat/module/aws/s3access/test/s3_server_access.log-expected.json index a9ce57e1f411..53a2055b6ca2 100644 --- a/x-pack/filebeat/module/aws/s3access/test/s3_server_access.log-expected.json +++ b/x-pack/filebeat/module/aws/s3access/test/s3_server_access.log-expected.json 
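Review bot: The s3access script stores a bare major version in tls.version for the `TLSv1` value that S3 server access logs emit (parts[1] is "1"), so the same negotiation would be recorded as "1" here, "1." by the ELB pipeline and "1.0" by the Zeek ssl pipeline in this change; the "1.0" form is the one ECS examples use. Like the ELB script it also assumes `ctx.tls` already exists, which is only true when cipher_suite was set by the processor just before. Suggest normalising in place: `if (ctx.tls == null) { ctx.tls = new HashMap(); }`, then `def v = parts[1]; if (!v.contains(".")) { v = v + ".0"; }` and `ctx.tls.version = v;` — and a trailing semicolon on `ctx.tls.version_protocol = parts[0]` for consistency with the other scripts. Neither fixture (test.log, s3_server_access.log) contains a TLSv1 line, so the case is currently untested.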
@@ -24,7 +24,10 @@ "fileset.name": "s3access", "input.type": "log", "log.offset": 0, - "service.type": "aws" + "service.type": "aws", + "tls.cipher": "ECDHE-RSA-AES128-SHA", + "tls.version": "1.2", + "tls.version_protocol": "tls" }, { "@timestamp": "2019-08-01T00:24:42.000Z", @@ -51,7 +54,10 @@ "fileset.name": "s3access", "input.type": "log", "log.offset": 715, - "service.type": "aws" + "service.type": "aws", + "tls.cipher": "ECDHE-RSA-AES128-SHA", + "tls.version": "1.2", + "tls.version_protocol": "tls" }, { "@timestamp": "2019-08-01T00:24:43.000Z", @@ -79,7 +85,10 @@ "fileset.name": "s3access", "input.type": "log", "log.offset": 1429, - "service.type": "aws" + "service.type": "aws", + "tls.cipher": "ECDHE-RSA-AES128-SHA", + "tls.version": "1.2", + "tls.version_protocol": "tls" }, { "@timestamp": "2019-08-01T00:24:43.000Z", @@ -106,7 +115,10 @@ "fileset.name": "s3access", "input.type": "log", "log.offset": 2161, - "service.type": "aws" + "service.type": "aws", + "tls.cipher": "ECDHE-RSA-AES128-SHA", + "tls.version": "1.2", + "tls.version_protocol": "tls" }, { "@timestamp": "2019-09-10T15:11:07.000Z", @@ -130,7 +142,10 @@ "fileset.name": "s3access", "input.type": "log", "log.offset": 2875, - "service.type": "aws" + "service.type": "aws", + "tls.cipher": "ECDHE-RSA-AES128-SHA", + "tls.version": "1.2", + "tls.version_protocol": "tls" }, { "@timestamp": "2019-09-19T17:06:39.000Z", @@ -154,6 +169,9 @@ "fileset.name": "s3access", "input.type": "log", "log.offset": 3280, - "service.type": "aws" + "service.type": "aws", + "tls.cipher": "ECDHE-RSA-AES128-SHA", + "tls.version": "1.2", + "tls.version_protocol": "tls" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/aws/s3access/test/test.log-expected.json b/x-pack/filebeat/module/aws/s3access/test/test.log-expected.json index 75372638969a..9dfe82bcd5a9 100644 --- a/x-pack/filebeat/module/aws/s3access/test/test.log-expected.json +++ b/x-pack/filebeat/module/aws/s3access/test/test.log-expected.json 
@@ -24,7 +24,10 @@ "fileset.name": "s3access", "input.type": "log", "log.offset": 0, - "service.type": "aws" + "service.type": "aws", + "tls.cipher": "ECDHE-RSA-AES128-GCM-SHA256", + "tls.version": "1.1", + "tls.version_protocol": "tls" }, { "@timestamp": "2019-02-06T00:00:38.000Z", @@ -51,7 +54,10 @@ "fileset.name": "s3access", "input.type": "log", "log.offset": 471, - "service.type": "aws" + "service.type": "aws", + "tls.cipher": "ECDHE-RSA-AES128-GCM-SHA256", + "tls.version": "1.1", + "tls.version_protocol": "tls" }, { "@timestamp": "2019-02-06T00:00:38.000Z", @@ -79,7 +85,10 @@ "fileset.name": "s3access", "input.type": "log", "log.offset": 944, - "service.type": "aws" + "service.type": "aws", + "tls.cipher": "ECDHE-RSA-AES128-GCM-SHA256", + "tls.version": "1.1", + "tls.version_protocol": "tls" }, { "@timestamp": "2019-02-06T00:01:00.000Z", @@ -106,7 +115,10 @@ "fileset.name": "s3access", "input.type": "log", "log.offset": 1431, - "service.type": "aws" + "service.type": "aws", + "tls.cipher": "ECDHE-RSA-AES128-GCM-SHA256", + "tls.version": "1.1", + "tls.version_protocol": "tls" }, { "@timestamp": "2019-02-06T00:01:57.000Z", @@ -135,6 +147,9 @@ "fileset.name": "s3access", "input.type": "log", "log.offset": 1903, - "service.type": "aws" + "service.type": "aws", + "tls.cipher": "ECDHE-RSA-AES128-SHA", + "tls.version": "1.1", + "tls.version_protocol": "tls" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/zeek/rdp/ingest/pipeline.json b/x-pack/filebeat/module/zeek/rdp/ingest/pipeline.json index f78dfbc78055..ae56b98801f1 100644 --- a/x-pack/filebeat/module/zeek/rdp/ingest/pipeline.json +++ b/x-pack/filebeat/module/zeek/rdp/ingest/pipeline.json @@ -25,6 +25,14 @@ "if": "ctx.zeek.session_id != null" } }, + { + "convert": { + "field": "zeek.rdp.ssl", + "target_field": "tls.established", + "type": "boolean", + "ignore_missing": true + } + }, { "set": { "field": "source.ip", 
diff --git a/x-pack/filebeat/module/zeek/rdp/test/rdp-json.log-expected.json b/x-pack/filebeat/module/zeek/rdp/test/rdp-json.log-expected.json index 0dc2b0c5d377..6d39caef60be 100644 --- a/x-pack/filebeat/module/zeek/rdp/test/rdp-json.log-expected.json +++ b/x-pack/filebeat/module/zeek/rdp/test/rdp-json.log-expected.json @@ -20,6 +20,7 @@ "tags": [ "zeek.rdp" ], + "tls.established": true, "zeek.rdp.cert.count": 0, "zeek.rdp.result": "encrypted", "zeek.rdp.security_protocol": "HYBRID", diff --git a/x-pack/filebeat/module/zeek/smtp/ingest/pipeline.json b/x-pack/filebeat/module/zeek/smtp/ingest/pipeline.json index 7180de7a670e..44bc0b189aaa 100644 --- a/x-pack/filebeat/module/zeek/smtp/ingest/pipeline.json +++ b/x-pack/filebeat/module/zeek/smtp/ingest/pipeline.json @@ -37,6 +37,14 @@ "value": "{{destination.address}}" } }, + { + "convert": { + "field": "zeek.smtp.tls", + "target_field": "tls.established", + "type": "boolean", + "ignore_missing": true + } + }, { "date": { "field": "zeek.smtp.date", diff --git a/x-pack/filebeat/module/zeek/smtp/test/smtp-json.log-expected.json b/x-pack/filebeat/module/zeek/smtp/test/smtp-json.log-expected.json index 452036ef2349..3d4bd56ac4a8 100644 --- a/x-pack/filebeat/module/zeek/smtp/test/smtp-json.log-expected.json +++ b/x-pack/filebeat/module/zeek/smtp/test/smtp-json.log-expected.json @@ -20,6 +20,7 @@ "tags": [ "zeek.smtp" ], + "tls.established": true, "zeek.session_id": "CWWzPB3RjqhFf528c", "zeek.smtp.fuids": [], "zeek.smtp.helo": "EXAMPLE.COM", diff --git a/x-pack/filebeat/module/zeek/ssl/ingest/pipeline.json b/x-pack/filebeat/module/zeek/ssl/ingest/pipeline.json deleted file mode 100644 index c2043705140d..000000000000 --- a/x-pack/filebeat/module/zeek/ssl/ingest/pipeline.json +++ /dev/null 
@@ -1,385 +0,0 @@ -{ - "description": "Pipeline for normalizing Zeek ssl.log", - "processors": [ - { - "set": { - "field": "event.created", - "value": "{{_ingest.timestamp}}" - } - }, - { - "date": { - "field": "zeek.ssl.ts", - "formats": ["UNIX"] - } - }, - { - "remove": { - "field": "zeek.ssl.ts" - } - }, - { - "set": { - "field": "event.id", - "value": "{{zeek.session_id}}", - "if": "ctx.zeek.session_id != null" - } - }, - { - "set": { - "field": "source.ip", - "value": "{{source.address}}" - } - }, - { - "set": { - "field": "destination.ip", - "value": "{{destination.address}}" - } - }, - { - "geoip": { - "field": "destination.ip", - "target_field": "destination.geo" - } - }, - { - "geoip": { - "field": "source.ip", - "target_field": "source.geo" - } - }, - { - "geoip": { - "database_file": "GeoLite2-ASN.mmdb", - "field": "source.ip", - "target_field": "source.as", - "properties": [ - "asn", - "organization_name" - ], - "ignore_missing": true - } - }, - { - "geoip": { - "database_file": "GeoLite2-ASN.mmdb", - "field": "destination.ip", - "target_field": "destination.as", - "properties": [ - "asn", - "organization_name" - ], - "ignore_missing": true - } - }, - { - "rename": { - "field": "source.as.asn", - "target_field": "source.as.number", - "ignore_missing": true - } - }, - { - "rename": { - "field": "source.as.organization_name", - "target_field": "source.as.organization.name", - "ignore_missing": true - } - }, - { - "rename": { - "field": "destination.as.asn", - "target_field": "destination.as.number", - "ignore_missing": true - } - }, - { - "rename": { - "field": "destination.as.organization_name", - "target_field": "destination.as.organization.name", - "ignore_missing": true - } - }, - { - "remove": { - "field": "zeek.ssl.client.cert_chain_fuids", - "if": "ctx.zeek.ssl.client?.cert_chain_fuids?.length == 0", - "ignore_missing": true - } - }, - - { - "gsub": { - "field": "zeek.ssl.issuer", - "pattern": "\\\\,", - "replacement": "", - "ignore_missing": true 
- } - }, - { - "kv": { - "field": "zeek.ssl.issuer", - "field_split": ",", - "value_split": "=", - "target_field": "zeek.ssl.server.issuer", - "ignore_missing": true - } - }, - { - "remove": { - "field": "zeek.ssl.issuer", - "ignore_missing": true - } - }, - { - "rename": { - "field": "zeek.ssl.server.issuer.C", - "target_field": "zeek.ssl.server.issuer.country", - "ignore_missing": true - } - }, - { - "rename": { - "field": "zeek.ssl.server.issuer.CN", - "target_field": "zeek.ssl.server.issuer.common_name", - "ignore_missing": true - } - }, - { - "rename": { - "field": "zeek.ssl.server.issuer.L", - "target_field": "zeek.ssl.server.issuer.locality", - "ignore_missing": true - } - }, - { - "rename": { - "field": "zeek.ssl.server.issuer.O", - "target_field": "zeek.ssl.server.issuer.organization", - "ignore_missing": true - } - }, - { - "rename": { - "field": "zeek.ssl.server.issuer.OU", - "target_field": "zeek.ssl.server.issuer.organizational_unit", - "ignore_missing": true - } - }, - { - "rename": { - "field": "zeek.ssl.server.issuer.ST", - "target_field": "zeek.ssl.server.issuer.state", - "ignore_missing": true - } - }, - - - { - "gsub": { - "field": "zeek.ssl.subject", - "pattern": "\\\\,", - "replacement": "", - "ignore_missing": true - } - }, - { - "kv": { - "field": "zeek.ssl.subject", - "field_split": ",", - "value_split": "=", - "target_field": "zeek.ssl.server.subject", - "ignore_missing": true - } - }, - { - "remove": { - "field": "zeek.ssl.subject", - "ignore_missing": true - } - }, - { - "rename": { - "field": "zeek.ssl.server.subject.C", - "target_field": "zeek.ssl.server.subject.country", - "ignore_missing": true - } - }, - { - "rename": { - "field": "zeek.ssl.server.subject.CN", - "target_field": "zeek.ssl.server.subject.common_name", - "ignore_missing": true - } - }, - { - "rename": { - "field": "zeek.ssl.server.subject.L", - "target_field": "zeek.ssl.server.subject.locality", - "ignore_missing": true - } - }, - { - "rename": { - "field": 
"zeek.ssl.server.subject.O", - "target_field": "zeek.ssl.server.subject.organization", - "ignore_missing": true - } - }, - { - "rename": { - "field": "zeek.ssl.server.subject.OU", - "target_field": "zeek.ssl.server.subject.organizational_unit", - "ignore_missing": true - } - }, - { - "rename": { - "field": "zeek.ssl.server.subject.ST", - "target_field": "zeek.ssl.server.subject.state", - "ignore_missing": true - } - }, - - - { - "gsub": { - "field": "zeek.ssl.client_issuer", - "pattern": "\\\\,", - "replacement": "", - "ignore_missing": true - } - }, - { - "kv": { - "field": "zeek.ssl.client_issuer", - "field_split": ",", - "value_split": "=", - "target_field": "zeek.ssl.client.issuer", - "ignore_missing": true - } - }, - { - "remove": { - "field": "zeek.ssl.client_issuer", - "ignore_missing": true - } - }, - { - "rename": { - "field": "zeek.ssl.client.issuer.C", - "target_field": "zeek.ssl.client.issuer.country", - "ignore_missing": true - } - }, - { - "rename": { - "field": "zeek.ssl.client.issuer.CN", - "target_field": "zeek.ssl.client.issuer.common_name", - "ignore_missing": true - } - }, - { - "rename": { - "field": "zeek.ssl.client.issuer.L", - "target_field": "zeek.ssl.client.issuer.locality", - "ignore_missing": true - } - }, - { - "rename": { - "field": "zeek.ssl.client.issuer.O", - "target_field": "zeek.ssl.client.issuer.organization", - "ignore_missing": true - } - }, - { - "rename": { - "field": "zeek.ssl.client.issuer.OU", - "target_field": "zeek.ssl.client.issuer.organizational_unit", - "ignore_missing": true - } - }, - { - "rename": { - "field": "zeek.ssl.client.issuer.ST", - "target_field": "zeek.ssl.client.issuer.state", - "ignore_missing": true - } - }, - - - { - "gsub": { - "field": "zeek.ssl.client_subject", - "pattern": "\\\\,", - "replacement": "", - "ignore_missing": true - } - }, - { - "kv": { - "field": "zeek.ssl.client_subject", - "field_split": ",", - "value_split": "=", - "target_field": "zeek.ssl.client.subject", - "ignore_missing": 
true - } - }, - { - "remove": { - "field": "zeek.ssl.client_subject", - "ignore_missing": true - } - }, - { - "rename": { - "field": "zeek.ssl.client.subject.C", - "target_field": "zeek.ssl.client.subject.country", - "ignore_missing": true - } - }, - { - "rename": { - "field": "zeek.ssl.client.subject.CN", - "target_field": "zeek.ssl.client.subject.common_name", - "ignore_missing": true - } - }, - { - "rename": { - "field": "zeek.ssl.client.subject.L", - "target_field": "zeek.ssl.client.subject.locality", - "ignore_missing": true - } - }, - { - "rename": { - "field": "zeek.ssl.client.subject.O", - "target_field": "zeek.ssl.client.subject.organization", - "ignore_missing": true - } - }, - { - "rename": { - "field": "zeek.ssl.client.subject.OU", - "target_field": "zeek.ssl.client.subject.organizational_unit", - "ignore_missing": true - } - }, - { - "rename": { - "field": "zeek.ssl.client.subject.ST", - "target_field": "zeek.ssl.client.subject.state", - "ignore_missing": true - } - } - ], - "on_failure" : [{ - "set" : { - "field" : "error.message", - "value" : "{{ _ingest.on_failure_message }}" - } - }] -} diff --git a/x-pack/filebeat/module/zeek/ssl/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/ssl/ingest/pipeline.yml new file mode 100644 index 000000000000..2a5ebf4ce7a7 --- /dev/null +++ b/x-pack/filebeat/module/zeek/ssl/ingest/pipeline.yml 
@@ -0,0 +1,255 @@ +--- +description: Pipeline for normalizing Zeek ssl.log +processors: +- set: + field: event.created + value: '{{_ingest.timestamp}}' +- date: + field: zeek.ssl.ts + formats: + - UNIX +- remove: + field: zeek.ssl.ts +- set: + field: event.id + value: '{{zeek.session_id}}' + if: ctx.zeek.session_id != null +- set: + field: source.ip + value: '{{source.address}}' +- set: + field: destination.ip + value: '{{destination.address}}' +- geoip: + field: destination.ip + target_field: destination.geo +- geoip: + field: source.ip + target_field: source.geo +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true +- remove: + field: zeek.ssl.client.cert_chain_fuids + if: ctx.zeek.ssl.client?.cert_chain_fuids?.length == 0 + ignore_missing: true +- gsub: + field: zeek.ssl.issuer + pattern: \\, + replacement: "" + ignore_missing: true +- kv: + field: zeek.ssl.issuer + field_split: ',' + value_split: = + target_field: zeek.ssl.server.issuer + ignore_missing: true +- rename: + field: zeek.ssl.issuer + target_field: tls.server.issuer + ignore_missing: true +- rename: + field: zeek.ssl.server.issuer.C + target_field: zeek.ssl.server.issuer.country + ignore_missing: true +- rename: + field: zeek.ssl.server.issuer.CN + target_field: zeek.ssl.server.issuer.common_name + 
ignore_missing: true +- rename: + field: zeek.ssl.server.issuer.L + target_field: zeek.ssl.server.issuer.locality + ignore_missing: true +- rename: + field: zeek.ssl.server.issuer.O + target_field: zeek.ssl.server.issuer.organization + ignore_missing: true +- rename: + field: zeek.ssl.server.issuer.OU + target_field: zeek.ssl.server.issuer.organizational_unit + ignore_missing: true +- rename: + field: zeek.ssl.server.issuer.ST + target_field: zeek.ssl.server.issuer.state + ignore_missing: true +- gsub: + field: zeek.ssl.subject + pattern: \\, + replacement: "" + ignore_missing: true +- kv: + field: zeek.ssl.subject + field_split: ',' + value_split: = + target_field: zeek.ssl.server.subject + ignore_missing: true +- remove: + field: zeek.ssl.subject + ignore_missing: true +- rename: + field: zeek.ssl.server.subject.C + target_field: zeek.ssl.server.subject.country + ignore_missing: true +- rename: + field: zeek.ssl.server.subject.CN + target_field: zeek.ssl.server.subject.common_name + ignore_missing: true +- rename: + field: zeek.ssl.server.subject.L + target_field: zeek.ssl.server.subject.locality + ignore_missing: true +- rename: + field: zeek.ssl.server.subject.O + target_field: zeek.ssl.server.subject.organization + ignore_missing: true +- rename: + field: zeek.ssl.server.subject.OU + target_field: zeek.ssl.server.subject.organizational_unit + ignore_missing: true +- rename: + field: zeek.ssl.server.subject.ST + target_field: zeek.ssl.server.subject.state + ignore_missing: true +- gsub: + field: zeek.ssl.client_issuer + pattern: \\, + replacement: "" + ignore_missing: true +- kv: + field: zeek.ssl.client_issuer + field_split: ',' + value_split: = + target_field: zeek.ssl.client.issuer + ignore_missing: true +- rename: + field: zeek.ssl.client_issuer + target_field: tls.client.issuer + ignore_missing: true +- rename: + field: zeek.ssl.client.issuer.C + target_field: zeek.ssl.client.issuer.country + ignore_missing: true +- rename: + field: 
zeek.ssl.client.issuer.CN + target_field: zeek.ssl.client.issuer.common_name + ignore_missing: true +- rename: + field: zeek.ssl.client.issuer.L + target_field: zeek.ssl.client.issuer.locality + ignore_missing: true +- rename: + field: zeek.ssl.client.issuer.O + target_field: zeek.ssl.client.issuer.organization + ignore_missing: true +- rename: + field: zeek.ssl.client.issuer.OU + target_field: zeek.ssl.client.issuer.organizational_unit + ignore_missing: true +- rename: + field: zeek.ssl.client.issuer.ST + target_field: zeek.ssl.client.issuer.state + ignore_missing: true +- gsub: + field: zeek.ssl.client_subject + pattern: \\, + replacement: "" + ignore_missing: true +- kv: + field: zeek.ssl.client_subject + field_split: ',' + value_split: = + target_field: zeek.ssl.client.subject + ignore_missing: true +- remove: + field: zeek.ssl.client_subject + ignore_missing: true +- rename: + field: zeek.ssl.client.subject.C + target_field: zeek.ssl.client.subject.country + ignore_missing: true +- rename: + field: zeek.ssl.client.subject.CN + target_field: zeek.ssl.client.subject.common_name + ignore_missing: true +- rename: + field: zeek.ssl.client.subject.L + target_field: zeek.ssl.client.subject.locality + ignore_missing: true +- rename: + field: zeek.ssl.client.subject.O + target_field: zeek.ssl.client.subject.organization + ignore_missing: true +- rename: + field: zeek.ssl.client.subject.OU + target_field: zeek.ssl.client.subject.organizational_unit + ignore_missing: true +- rename: + field: zeek.ssl.client.subject.ST + target_field: zeek.ssl.client.subject.state + ignore_missing: true +- set: + field: tls.cipher + value: '{{zeek.ssl.cipher}}' + if: ctx.zeek?.ssl?.cipher != null +- set: + field: tls.curve + value: '{{zeek.ssl.curve}}' + if: ctx.zeek?.ssl?.curve != null +- convert: + target_field: tls.established + field: zeek.ssl.established + type: boolean + ignore_missing: true +- convert: + target_field: tls.resumed + field: zeek.ssl.resumed + type: boolean + 
ignore_missing: true +- script: + lang: painless + if: ctx.zeek?.ssl?.version != null + source: >- + def parts = ctx.zeek.ssl.version.splitOnToken("v"); + if (parts.length != 2) { + return; + } + if (parts[0] == "SSL") { + ctx.tls.version = parts[1] + ".0"; + } else { + ctx.tls.version = parts[1].substring(0,1) + "." + parts[1].substring(1); + } + ctx.tls.version_protocol = parts[0].toLowerCase(); + +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/zeek/ssl/manifest.yml b/x-pack/filebeat/module/zeek/ssl/manifest.yml index e738859e2326..0b3da1331ff4 100644 --- a/x-pack/filebeat/module/zeek/ssl/manifest.yml +++ b/x-pack/filebeat/module/zeek/ssl/manifest.yml @@ -13,7 +13,7 @@ var: - name: community_id default: true -ingest_pipeline: ingest/pipeline.json +ingest_pipeline: ingest/pipeline.yml input: config/ssl.yml requires.processors: diff --git a/x-pack/filebeat/module/zeek/ssl/test/ssl-json.log-expected.json b/x-pack/filebeat/module/zeek/ssl/test/ssl-json.log-expected.json index 9117cc5bbe44..d7d7ac33ff97 100644 --- a/x-pack/filebeat/module/zeek/ssl/test/ssl-json.log-expected.json +++ b/x-pack/filebeat/module/zeek/ssl/test/ssl-json.log-expected.json @@ -28,6 +28,13 @@ "tags": [ "zeek.ssl" ], + "tls.cipher": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", + "tls.curve": "secp256r1", + "tls.established": true, + "tls.resumed": false, + "tls.server.issuer": "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US", + "tls.version": "1.2", + "tls.version_protocol": "tls", "zeek.session_id": "CAOvs1BMFCX2Eh0Y3", "zeek.ssl.cipher": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "zeek.ssl.curve": "secp256r1", 
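Review bot: `tls.server.issuer` and `tls.client.issuer` are populated by renaming `zeek.ssl.issuer` / `zeek.ssl.client_issuer` only after the gsub that deletes every `\,` escape has run, so an issuer DN with an escaped comma (e.g. `O=Foo\, Inc`) reaches the ECS field as `O=Foo Inc` — the raw DN, which is exactly what the ECS field should carry, is lost. Copying the raw value before the gsub (`- set: {field: tls.server.issuer, value: '{{zeek.ssl.issuer}}', if: ctx.zeek?.ssl?.issuer != null}`, and likewise for the client issuer) and restoring the old `remove` after the kv avoids that; the fixture's issuer has no escaped commas, so the test does not catch it. The same pipeline still drops `zeek.ssl.subject` and `zeek.ssl.client_subject` after the kv instead of mapping them to `tls.server.subject` / `tls.client.subject`, which is inconsistent with the issuer handling. The version script at the end writes `ctx.tls.version` assuming `ctx.tls` exists; that appears to hold only because the cipher/established processors run first, so `if (ctx.tls == null) { ctx.tls = new HashMap(); }` would make the script self-contained.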
@@ -79,6 +86,13 @@ "tags": [ "zeek.ssl" ], + "tls.cipher": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", + "tls.curve": "secp256r1", + "tls.established": true, + "tls.resumed": false, + "tls.server.issuer": "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US", + "tls.version": "1.2", + "tls.version_protocol": "tls", "zeek.session_id": "C3mki91FnnNtm0u1ok", "zeek.ssl.cipher": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "zeek.ssl.curve": "secp256r1",