Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Filebeat] Improve AWS cloudtrail fileset #18958

Merged
merged 1 commit into from Jun 5, 2020
Merged

[Filebeat] Improve AWS cloudtrail fileset #18958

merged 1 commit into from Jun 5, 2020

Conversation

leehinman
Copy link
Contributor

What does this PR do?

Changes to AWS cloudtrail fileset, specifically:

  • adds geoip AS lookup on source.ip
  • improve mappings event.category
  • improve mappings for event.type

Why is it important?

  • geoip AS is used for detections
  • having correct mappings for event.category & event.type improves detections

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
    - [ ] I have made corresponding changes to the documentation
    - [ ] I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

How to test this PR locally

TESTING_FILEBEAT_MODULES=aws TESTING_FILEBEAT_FILESETS=cloudtrail mage -v pythonIntegTest

Related issues

@leehinman leehinman added enhancement Filebeat Filebeat needs_backport PR is waiting to be backported to other branches. Team:SIEM labels Jun 3, 2020
@elasticmachine
Copy link
Collaborator

Pinging @elastic/siem (Team:SIEM)

@leehinman
Improve AWS cloudtrail fileset
dada2a5 
- add geoip AS lookup on source.ip
- improve mappings event.category
- improve mappings for event.type

Closes elastic#18644
@leehinman leehinman force-pushed the 18644_improve_cloudtrail_pipeline branch from 5ca81b9 to dada2a5 Compare June 3, 2020 22:09
@elasticmachine
Copy link
Collaborator

💚 Build Succeeded

Pipeline View Test View Changes Artifacts preview

Expand to view the summary

Build stats

  • Build Cause: [Pull request #18958 updated]

  • Start Time: 2020-06-03T22:09:51.186+0000

  • Duration: 49 min 34 sec

Test stats 🧪

Test Results
Failed 0
Passed 2226
Skipped 382
Total 2608

andrewkroh
andrewkroh approved these changes Jun 4, 2020
View reviewed changes
Copy link
Member

@andrewkroh andrewkroh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

x-pack/filebeat/module/aws/cloudtrail/ingest/pipeline.yml
type:
- admin
- change
UpdateSSHPublicKey:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All of these mappings will be great to have. And assume you just scratching the surface of all the possible actions.

@leehinman leehinman merged commit c01dfe6 into elastic:master Jun 5, 2020
@leehinman leehinman deleted the 18644_improve_cloudtrail_pipeline branch June 5, 2020 23:03
leehinman added a commit to leehinman/beats that referenced this pull request Jun 5, 2020
@leehinman
Improve AWS cloudtrail fileset (elastic#18958)
6867068 
- add geoip AS lookup on source.ip
- improve mappings event.category
- improve mappings for event.type

Closes elastic#18644

(cherry picked from commit c01dfe6)
@leehinman leehinman mentioned this pull request Jun 5, 2020
Merged
4 tasks
@leehinman leehinman added v7.9.0 and removed needs_backport PR is waiting to be backported to other branches. labels Jun 5, 2020
leehinman added a commit that referenced this pull request Jun 8, 2020
@leehinman
Improve AWS cloudtrail fileset (#18958) (#19023)
4d30c52 
- add geoip AS lookup on source.ip
- improve mappings event.category
- improve mappings for event.type

Closes #18644

(cherry picked from commit c01dfe6)
@kaiyan-sheng kaiyan-sheng mentioned this pull request Jun 15, 2020
Closed
2 tasks
melchiormoulin pushed a commit to melchiormoulin/beats that referenced this pull request Oct 14, 2020
@leehinman @melchiormoulin
Improve AWS cloudtrail fileset (elastic#18958)
6e4526f 
- add geoip AS lookup on source.ip
- improve mappings event.category
- improve mappings for event.type

Closes elastic#18644
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@andrewkroh andrewkroh andrewkroh approved these changes

Assignees
No one assigned
Labels
enhancement Filebeat Filebeat v7.9.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Filebeat] Add source.as.organization.name to cloudtrail fileset
3 participants
@leehinman @elasticmachine @andrewkroh