elastic · ilyannn · Apr 26, 2024 · Apr 26, 2024 · Apr 26, 2024 · Apr 26, 2024
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -307,6 +307,7 @@
 /packages/system_audit @elastic/sec-linux-platform
 /packages/tanium @elastic/security-service-integrations
 /packages/tcp @elastic/sec-deployment-and-devices
+/packages/teleport @elastic/security-service-integrations
 /packages/tenable_io @elastic/security-service-integrations
 /packages/tenable_sc @elastic/security-service-integrations
 /packages/thycotic_ss @elastic/security-service-integrations

diff --git a/packages/teleport/_dev/build/build.yml b/packages/teleport/_dev/build/build.yml
@@ -0,0 +1,3 @@
+dependencies:
+  ecs:
+    reference: "git@v8.11.0"
diff --git a/packages/teleport/_dev/build/docs/README.md b/packages/teleport/_dev/build/docs/README.md
@@ -0,0 +1,25 @@
+# teleport Integration
+
+This integration is for ingesting data from [teleport](https://example.com/).
+
+- `audit`: Collect Teleport Audit logs
+
+See [Link to docs](https://example.com/docs) for more information.
+
+## Compatibility
+
+Insert compatibility information here. This could for example be which versions of the product it was tested with.
+
+## Setup
+
+Insert how to configure the vendor side of the integration here, for example how to configure the API, create a syslog remote destination etc.
+
+## Logs
+
+### audit
+
+Insert a description of the data stream here.
+
+{{event "audit"}}
+
+{{fields "audit"}}
diff --git a/packages/teleport/_dev/deploy/docker/docker-compose.yml b/packages/teleport/_dev/deploy/docker/docker-compose.yml
@@ -0,0 +1,8 @@
+version: "2.3"
+services:
+  teleport-audit-filestream:
+    image: alpine
+    volumes:
+      - ./sample_logs:/sample_logs:ro
+      - ${SERVICE_LOGS_DIR}:/var/log
+    command: /bin/sh -c "cp /sample_logs/* /var/log/"
diff --git a/packages/teleport/_dev/deploy/docker/sample_logs/test-teleport-audit.log b/packages/teleport/_dev/deploy/docker/sample_logs/test-teleport-audit.log
@@ -0,0 +1,20 @@
+{"ei":0,"event":"user.login","uid":"b675d102-fc25-4f7a-bf5d-96468cc176ea","code":"T1000I","time":"2024-02-23T18:56:50.628Z","cluster_name":"teleport.ericbeahan.com","user":"teleport-admin","required_private_key_policy":"none","success":true,"method":"local","mfa_device":{"mfa_device_name":"otp-device","mfa_device_uuid":"d07bf388-af49-4ec2-b8a4-c8a9e785b70b","mfa_device_type":"TOTP"},"user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36","addr.remote":"136.61.214.196:50332"}
+{"ei":0,"event":"cert.create","uid":"efd326fc-dd13-4df8-acef-3102c2d717d3","code":"TC000I","time":"2024-02-23T18:56:50.653Z","cluster_name":"teleport.ericbeahan.com","cert_type":"user","identity":{"user":"teleport-admin","roles":["access","editor"],"logins":["root","ubuntu","ec2-user","-teleport-internal-join"],"expires":"2024-02-24T06:56:50.648137154Z","route_to_cluster":"teleport.ericbeahan.com","traits":{"aws_role_arns":null,"azure_identities":null,"db_names":null,"db_roles":null,"db_users":null,"gcp_service_accounts":null,"host_user_gid":[""],"host_user_uid":[""],"kubernetes_groups":null,"kubernetes_users":null,"logins":["root","ubuntu","ec2-user"],"windows_logins":null},"teleport_cluster":"teleport.ericbeahan.com","client_ip":"136.61.214.196","prev_identity_expires":"0001-01-01T00:00:00Z","private_key_policy":"none"}}
+{"ei":0,"event":"session.start","uid":"fff30583-13be-49e8-b159-32952c6ea34f","code":"T2000I","time":"2024-02-23T18:56:57.199Z","cluster_name":"teleport.ericbeahan.com","user":"teleport-admin","login":"ec2-user","user_kind":1,"sid":"293fda2d-2266-4d4d-b9d1-bd5ea9dd9fc3","private_key_policy":"none","namespace":"default","server_id":"face0091-2bf1-43fd-a16a-f1514b4119f4","server_hostname":"ip-172-31-8-163.us-east-2.compute.internal","server_labels":{"hostname":"ip-172-31-8-163.us-east-2.compute.internal","teleport.internal/resource-id":"dccb2999-9fb8-4169-aded-ec7a1c0a26de"},"addr.remote":"136.61.214.196:50339","proto":"ssh","size":"80:25","initial_command":[""],"session_recording":"node"}
+{"ei":143,"event":"session.leave","uid":"24d6ca7a-ec45-484a-b43b-6fb908c5aaeb","code":"T2003I","time":"2024-02-23T18:57:21.318Z","cluster_name":"teleport.ericbeahan.com","user":"teleport-admin","login":"ec2-user","user_kind":1,"sid":"293fda2d-2266-4d4d-b9d1-bd5ea9dd9fc3","private_key_policy":"none","namespace":"default","server_id":"face0091-2bf1-43fd-a16a-f1514b4119f4","server_hostname":"ip-172-31-8-163.us-east-2.compute.internal","server_labels":{"hostname":"ip-172-31-8-163.us-east-2.compute.internal","teleport.internal/resource-id":"dccb2999-9fb8-4169-aded-ec7a1c0a26de"}}
+{"ei":2147483646,"event":"session.data","uid":"03248be4-c07b-4b55-80b5-3b00ecba0bd5","code":"T2006I","time":"2024-02-23T18:57:21.322Z","cluster_name":"teleport.ericbeahan.com","user":"teleport-admin","login":"ec2-user","user_kind":1,"sid":"293fda2d-2266-4d4d-b9d1-bd5ea9dd9fc3","private_key_policy":"none","namespace":"default","server_id":"face0091-2bf1-43fd-a16a-f1514b4119f4","server_hostname":"ip-172-31-8-163.us-east-2.compute.internal","addr.remote":"136.61.214.196:50339","tx":8560,"rx":47585}
+{"ei":144,"event":"session.end","uid":"5fe43042-074f-47f9-a7f5-3d7d1b20c89c","code":"T2004I","time":"2024-02-23T18:57:26.308Z","cluster_name":"teleport.ericbeahan.com","user":"teleport-admin","login":"ec2-user","user_kind":1,"sid":"293fda2d-2266-4d4d-b9d1-bd5ea9dd9fc3","private_key_policy":"none","addr.remote":"136.61.214.196:50339","proto":"ssh","namespace":"default","server_id":"face0091-2bf1-43fd-a16a-f1514b4119f4","server_hostname":"ip-172-31-8-163.us-east-2.compute.internal","server_labels":{"hostname":"ip-172-31-8-163.us-east-2.compute.internal","teleport.internal/resource-id":"dccb2999-9fb8-4169-aded-ec7a1c0a26de"},"enhanced_recording":false,"interactive":true,"participants":["teleport-admin"],"session_start":"2024-02-23T18:56:57.190681808Z","session_stop":"2024-02-23T18:57:26.308304046Z","session_recording":"node"}
+{"ei":0,"event":"session.start","uid":"74986446-ee50-4f28-827a-e4cd79c76276","code":"T2000I","time":"2024-02-23T18:57:27.101Z","cluster_name":"teleport.ericbeahan.com","user":"teleport-admin","login":"ec2-user","user_kind":1,"sid":"0f9b4848-b0a5-411e-bcd1-bc3d04eb8cbf","private_key_policy":"none","namespace":"default","server_id":"b321c207-fd08-46c8-b248-0c20436feb62","server_hostname":"ip-172-31-13-98.us-east-2.compute.internal","server_addr":"[::]:3022","server_labels":{"hostname":"ip-172-31-13-98.us-east-2.compute.internal"},"addr.local":"172.31.13.98:443","addr.remote":"136.61.214.196:50343","proto":"ssh","size":"80:25","initial_command":[""],"session_recording":"node"}
+{"ei":2147483647,"event":"session.upload","uid":"b9f1ebc1-972a-4ada-b654-ceb5adda4ace","code":"T2005I","time":"2024-02-23T18:57:29.568Z","cluster_name":"teleport.ericbeahan.com","sid":"293fda2d-2266-4d4d-b9d1-bd5ea9dd9fc3","url":"file:///var/lib/teleport/log/records/multi/293fda2d-2266-4d4d-b9d1-bd5ea9dd9fc3"}
+{"ei":38,"event":"session.leave","uid":"21c82c73-19c3-4024-aa41-abb1abf0850f","code":"T2003I","time":"2024-02-23T18:57:34.068Z","cluster_name":"teleport.ericbeahan.com","user":"teleport-admin","login":"ec2-user","user_kind":1,"sid":"0f9b4848-b0a5-411e-bcd1-bc3d04eb8cbf","private_key_policy":"none","namespace":"default","server_id":"b321c207-fd08-46c8-b248-0c20436feb62","server_hostname":"ip-172-31-13-98.us-east-2.compute.internal","server_addr":"[::]:3022","server_labels":{"hostname":"ip-172-31-13-98.us-east-2.compute.internal"}}
+{"ei":2147483646,"event":"session.data","uid":"df548c83-24dd-4cf6-b296-173ce15305e4","code":"T2006I","time":"2024-02-23T18:57:34.071Z","cluster_name":"teleport.ericbeahan.com","user":"teleport-admin","login":"ec2-user","user_kind":1,"sid":"0f9b4848-b0a5-411e-bcd1-bc3d04eb8cbf","private_key_policy":"none","namespace":"default","server_id":"b321c207-fd08-46c8-b248-0c20436feb62","server_hostname":"ip-172-31-13-98.us-east-2.compute.internal","addr.local":"172.31.13.98:443","addr.remote":"136.61.214.196:50343","tx":6828,"rx":6693}
+{"ei":39,"event":"session.end","uid":"a39494a7-9a41-440d-8b13-d114fce572f6","code":"T2004I","time":"2024-02-23T18:57:39.053Z","cluster_name":"teleport.ericbeahan.com","user":"teleport-admin","login":"ec2-user","user_kind":1,"sid":"0f9b4848-b0a5-411e-bcd1-bc3d04eb8cbf","private_key_policy":"none","addr.remote":"136.61.214.196:50343","proto":"ssh","namespace":"default","server_id":"b321c207-fd08-46c8-b248-0c20436feb62","server_hostname":"ip-172-31-13-98.us-east-2.compute.internal","server_addr":"[::]:3022","server_labels":{"hostname":"ip-172-31-13-98.us-east-2.compute.internal"},"enhanced_recording":false,"interactive":true,"participants":["teleport-admin"],"session_start":"2024-02-23T18:57:27.092546104Z","session_stop":"2024-02-23T18:57:39.053053982Z","session_recording":"node"}
+{"ei":0,"event":"user.login","uid":"6bf5553c-f162-4cb2-85f5-479be47b2aa0","code":"T1000W","time":"2024-02-23T19:00:22.473Z","cluster_name":"teleport.ericbeahan.com","user":"teleport-admin","success":false,"error":"invalid username, password or second factor","method":"local","user_agent":"Go-http-client/1.1","addr.remote":"3.144.89.23:36550"}
+{"ei":0,"event":"user.login","uid":"8b0b9478-f450-4ee0-a29a-4f9e4199fe40","code":"T1000I","time":"2024-02-23T19:00:41.243Z","cluster_name":"teleport.ericbeahan.com","user":"teleport-admin","required_private_key_policy":"none","success":true,"method":"local","mfa_device":{"mfa_device_name":"otp-device","mfa_device_uuid":"d07bf388-af49-4ec2-b8a4-c8a9e785b70b","mfa_device_type":"TOTP"},"user_agent":"Go-http-client/1.1","addr.remote":"3.144.89.23:34496"}
+{"ei":0,"event":"cert.create","uid":"056f5443-6624-4795-80b7-b31debb9ef9b","code":"TC000I","time":"2024-02-23T19:00:41.253Z","cluster_name":"teleport.ericbeahan.com","cert_type":"user","identity":{"user":"teleport-admin","roles":["access","editor"],"logins":["root","ubuntu","ec2-user","-teleport-internal-join"],"expires":"2024-02-24T07:00:41.248756028Z","route_to_cluster":"teleport.ericbeahan.com","traits":{"aws_role_arns":null,"azure_identities":null,"db_names":null,"db_roles":null,"db_users":null,"gcp_service_accounts":null,"host_user_gid":[""],"host_user_uid":[""],"kubernetes_groups":null,"kubernetes_users":null,"logins":["root","ubuntu","ec2-user"],"windows_logins":null},"teleport_cluster":"teleport.ericbeahan.com","client_ip":"3.144.89.23","prev_identity_expires":"0001-01-01T00:00:00Z","private_key_policy":"none"}}
+{"ei":0,"event":"cert.create","uid":"fd5baa90-8f3f-4cbf-97fd-b0ea4c39fc01","code":"TC000I","time":"2024-02-23T19:04:02.99Z","cluster_name":"teleport.ericbeahan.com","cert_type":"user","identity":{"user":"teleport-admin","roles":["access","editor"],"logins":["root","ubuntu","ec2-user","-teleport-internal-join"],"expires":"2024-02-24T06:56:50.63704628Z","route_to_cluster":"teleport.ericbeahan.com","traits":{"aws_role_arns":null,"azure_identities":null,"db_names":null,"db_roles":null,"db_users":null,"gcp_service_accounts":null,"host_user_gid":[""],"host_user_uid":[""],"kubernetes_groups":null,"kubernetes_users":null,"logins":["root","ubuntu","ec2-user"],"windows_logins":null},"teleport_cluster":"teleport.ericbeahan.com","client_ip":"136.61.214.196","prev_identity_expires":"0001-01-01T00:00:00Z","private_key_policy":"none"}}
+{"ei":0,"event":"role.created","uid":"19d21e38-fdd2-4098-8b8d-37c0950982ef","code":"T9000I","time":"2024-02-23T19:07:51.318Z","cluster_name":"teleport.ericbeahan.com","name":"aws-dynamodb-access","expires":"0001-01-01T00:00:00Z","user":"b321c207-fd08-46c8-b248-0c20436feb62.teleport.ericbeahan.com","user_kind":1,"addr.remote":"127.0.0.1:58222"}
+{"ei":0,"event":"user.create","uid":"002e4b73-4fb5-47d5-98d3-a6deeb67f893","code":"T1002I","time":"2024-02-23T19:08:33.987Z","cluster_name":"teleport.ericbeahan.com","user":"b321c207-fd08-46c8-b248-0c20436feb62.teleport.ericbeahan.com","user_kind":1,"name":"teleport-admin","expires":"0001-01-01T00:00:00Z","roles":["access","editor","aws-dynamodb-access"],"connector":"local","addr.remote":"127.0.0.1:47976"}
+{"ei":0,"event":"cert.create","uid":"ea016617-7422-4869-86c2-d1fb011a907c","code":"TC000I","time":"2024-02-23T19:11:50.083Z","cluster_name":"teleport.ericbeahan.com","cert_type":"user","identity":{"user":"teleport-admin","roles":["access","editor"],"logins":["root","ubuntu","ec2-user","-teleport-internal-join"],"expires":"2024-02-24T06:56:50.659794559Z","route_to_cluster":"teleport.ericbeahan.com","traits":{"aws_role_arns":null,"azure_identities":null,"db_names":null,"db_roles":null,"db_users":null,"gcp_service_accounts":null,"host_user_gid":[""],"host_user_uid":[""],"kubernetes_groups":null,"kubernetes_users":null,"logins":["root","ubuntu","ec2-user"],"windows_logins":null},"teleport_cluster":"teleport.ericbeahan.com","client_ip":"136.61.214.196","prev_identity_expires":"0001-01-01T00:00:00Z","private_key_policy":"none"}}
+{"ei":0,"event":"cert.create","uid":"f529b4c5-2e3b-48c2-acef-0a732d68b19d","code":"TC000I","time":"2024-02-23T19:15:50.226Z","cluster_name":"teleport.ericbeahan.com","cert_type":"user","identity":{"user":"teleport-admin","roles":["access","editor"],"usage":["usage:db"],"logins":["root","ubuntu","ec2-user","-teleport-internal-join"],"expires":"2024-02-24T07:00:41.004340974Z","route_to_cluster":"teleport.ericbeahan.com","traits":{"aws_role_arns":null,"azure_identities":null,"db_names":null,"db_roles":null,"db_users":null,"gcp_service_accounts":null,"host_user_gid":[""],"host_user_uid":[""],"kubernetes_groups":null,"kubernetes_users":null,"logins":["root","ubuntu","ec2-user"],"windows_logins":null},"teleport_cluster":"teleport.ericbeahan.com","route_to_database":{"service_name":"example-dynamodb","protocol":"dynamodb","username":"ExampleTeleportDynamoDBRole"},"client_ip":"3.144.89.23","prev_identity_expires":"0001-01-01T00:00:00Z","private_key_policy":"none"},"user_agent":"tsh/15.0.2 grpc-go/1.60.1"}
+{"ei":0,"event":"cert.create","uid":"8e7b4aea-4476-4940-b769-81fa465f0fc8","code":"TC000I","time":"2024-02-23T19:16:40.07Z","cluster_name":"teleport.ericbeahan.com","cert_type":"user","identity":{"user":"teleport-admin","roles":["access","editor"],"usage":["usage:db"],"logins":["root","ubuntu","ec2-user","-teleport-internal-join"],"expires":"2024-02-24T07:00:41.004476337Z","route_to_cluster":"teleport.ericbeahan.com","traits":{"aws_role_arns":null,"azure_identities":null,"db_names":null,"db_roles":null,"db_users":null,"gcp_service_accounts":null,"host_user_gid":[""],"host_user_uid":[""],"kubernetes_groups":null,"kubernetes_users":null,"logins":["root","ubuntu","ec2-user"],"windows_logins":null},"teleport_cluster":"teleport.ericbeahan.com","route_to_database":{"service_name":"example-dynamodb","protocol":"dynamodb","username":"ExampleTeleportDynamoDBRole"},"client_ip":"3.144.89.23","prev_identity_expires":"0001-01-01T00:00:00Z","private_key_policy":"none"},"user_agent":"tsh/15.0.2 grpc-go/1.60.1"}
diff --git a/packages/teleport/changelog.yml b/packages/teleport/changelog.yml
@@ -0,0 +1,6 @@
+# newer versions go on top
+- version: 0.1.0
+  changes:
+    - description: Initial Version
+      type: enhancement
+      link: https://github.com/ilyannn/elastic-integrations/pull/3
diff --git a/packages/teleport/data_stream/audit/_dev/test/pipeline/test-common-config.yml b/packages/teleport/data_stream/audit/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,3 @@
+fields:
+  tags:
+    - preserve_original_event