From adc63fe02d74c33ee9f7bd6dcf55e39c28210522 Mon Sep 17 00:00:00 2001
From: Marc Guasch
Date: Wed, 9 Sep 2020 16:43:01 +0200
Subject: [PATCH] [Filebeat][santa] Map x509 fields in santa module (#20976) (#21016)
* Map x509 fields in santa module
* Bump ecs version
(cherry picked from commit f3e532cf7ffb8bc94ceb0c429b027919e027673d)
---
 CHANGELOG.next.asciidoc | 1 +
 filebeat/module/santa/log/config/file.yml | 2 +-
 filebeat/module/santa/log/ingest/pipeline.yml | 4 ++++
 filebeat/module/santa/log/test/santa.log-expected.json | 8 ++++++++
 4 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index aecfab555bfb..e43eda5b8972 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -640,6 +640,7 @@ field. You can revert this change by configuring tags for the module and omittin
 - Improve Zeek SSL module with `x509` ECS mappings {pull}20927[20927]
 - Improve Zeek Kerberos module with `x509` ECS mappings {pull}20958[20958]
 - Improve Fortinet firewall module with `x509` ECS mappings {pull}20983[20983]
+- Improve Santa module with `x509` ECS mappings {pull}20976[20976]
 
 *Heartbeat*
 
diff --git a/filebeat/module/santa/log/config/file.yml b/filebeat/module/santa/log/config/file.yml
index 183de6298673..b39221031f39 100644
--- a/filebeat/module/santa/log/config/file.yml
+++ b/filebeat/module/santa/log/config/file.yml
@@ -8,4 +8,4 @@ processors:
 - add_fields:
 target: ''
 fields:
- ecs.version: 1.5.0
+ ecs.version: 1.6.0
diff --git a/filebeat/module/santa/log/ingest/pipeline.yml b/filebeat/module/santa/log/ingest/pipeline.yml
index e914253f8eec..482aef34e8ba 100644
--- a/filebeat/module/santa/log/ingest/pipeline.yml
+++ b/filebeat/module/santa/log/ingest/pipeline.yml
@@ -89,6 +89,10 @@ processors:
 field: related.hash
 value: "{{process.hash.sha256}}"
 if: "ctx?.process?.hash != null"
+- set:
+ field: file.x509.issuer.common_name
+ value: "{{santa.certificate.common_name}}"
+ ignore_empty_value: true
 on_failure:
 - set:
 field: error.message
diff --git a/filebeat/module/santa/log/test/santa.log-expected.json b/filebeat/module/santa/log/test/santa.log-expected.json
index 6c1fbe811843..589aeae75f86 100644
--- a/filebeat/module/santa/log/test/santa.log-expected.json
+++ b/filebeat/module/santa/log/test/santa.log-expected.json
@@ -12,6 +12,7 @@
 "event.type": [
 "start"
 ],
+ "file.x509.issuer.common_name": "Software Signing",
 "fileset.name": "log",
 "group.id": "0",
 "group.name": "wheel",
@@ -58,6 +59,7 @@
 "event.type": [
 "start"
 ],
+ "file.x509.issuer.common_name": "Software Signing",
 "fileset.name": "log",
 "group.id": "0",
 "group.name": "wheel",
@@ -105,6 +107,7 @@
 "event.type": [
 "start"
 ],
+ "file.x509.issuer.common_name": "Software Signing",
 "fileset.name": "log",
 "group.id": "0",
 "group.name": "wheel",
@@ -151,6 +154,7 @@
 "event.type": [
 "start"
 ],
+ "file.x509.issuer.common_name": "Software Signing",
 "fileset.name": "log",
 "group.id": "0",
 "group.name": "wheel",
@@ -198,6 +202,7 @@
 "event.type": [
 "start"
 ],
+ "file.x509.issuer.common_name": "Software Signing",
 "fileset.name": "log",
 "group.id": "0",
 "group.name": "wheel",
@@ -244,6 +249,7 @@
 "event.type": [
 "start"
 ],
+ "file.x509.issuer.common_name": "Software Signing",
 "fileset.name": "log",
 "group.id": "0",
 "group.name": "wheel",
@@ -336,6 +342,7 @@
 "event.type": [
 "start"
 ],
+ "file.x509.issuer.common_name": "Software Signing",
 "fileset.name": "log",
 "group.id": "20",
 "group.name": "staff",
@@ -381,6 +388,7 @@
 "event.type": [
 "start"
 ],
+ "file.x509.issuer.common_name": "Developer ID Application: Google, Inc. (EQHXZ8M8AV)",
 "fileset.name": "log",
 "group.id": "20",
 "group.name": "staff",
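Review bot: The new `set` processor copies `santa.certificate.common_name` into `file.x509.issuer.common_name`, but the values the updated fixture expects there (`Software Signing`, `Developer ID Application: Google, Inc. (EQHXZ8M8AV)`) are, by their form, the subject common names of the signing leaf certificates rather than the CN of whatever CA issued them, so the matching ECS field is `file.x509.subject.common_name`. Unless Santa's log line is known to report the issuer's CN, I would change the target to `field: file.x509.subject.common_name` and regenerate santa.log-expected.json accordingly. This matters for detection content built on the module: a rule that filters on issuer CN (e.g. expecting an Apple CA) would never match, while one that keys on subject CN would silently miss these events. The `processors` list this `set` entry belongs to begins before the hunk.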