Support ECS session category

elastic · Jan 25, 2021 · fd9ea90 · fd9ea90
1 parent e5c1ed2
commit fd9ea90
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 11 deletions.
diff --git a/aucoalesce/normalizations.yaml b/aucoalesce/normalizations.yaml
@@ -46,6 +46,15 @@ macros:
       - from: subject.secondary
         to: user.effective
 
+  - &ecs-session
+    category: session
+    type: info
+    mappings:
+      - from: subject.primary
+        to: user
+      - from: subject.secondary
+        to: user.effective
+
   - &ecs-host
     category: host
     type: info
@@ -1063,7 +1072,9 @@ normalizations:
   - <<: *macro-user-session
     record_types: USER_END
     action: ended-session
-    ecs: *ecs-auth
+    ecs:
+      <<: *ecs-session
+      type: end
   # AUDIT_USER_ERR - User acct state error
   - <<: *macro-user-session
     record_types: USER_ERR
@@ -1097,7 +1108,9 @@ normalizations:
     record_types: USER_START
     action: started-session
     source_ip: [addr]
-    ecs: *ecs-auth
+    ecs:
+      <<: *ecs-session
+      type: start
 
   # Host virtualization events
 

diff --git a/aucoalesce/testdata/ubuntu-16.10-linux-4.8.0.json.golden b/aucoalesce/testdata/ubuntu-16.10-linux-4.8.0.json.golden
@@ -478,10 +478,10 @@
       "ecs": {
         "event": {
           "category": [
-            "authentication"
+            "session"
           ],
           "type": [
-            "info"
+            "end"
           ]
         },
         "user": {
@@ -687,10 +687,10 @@
       "ecs": {
         "event": {
           "category": [
-            "authentication"
+            "session"
           ],
           "type": [
-            "info"
+            "start"
           ]
         },
         "user": {

diff --git a/aucoalesce/testdata/ubuntu-17.04-linux-4.10.0.json.golden b/aucoalesce/testdata/ubuntu-17.04-linux-4.10.0.json.golden
@@ -533,10 +533,10 @@
       "ecs": {
         "event": {
           "category": [
-            "authentication"
+            "session"
           ],
           "type": [
-            "info"
+            "end"
           ]
         },
         "user": {
@@ -733,10 +733,10 @@
       "ecs": {
         "event": {
           "category": [
-            "authentication"
+            "session"
           ],
           "type": [
-            "info"
+            "start"
           ]
         },
         "user": {

diff --git a/aucoalesce/znormalize_data.go b/aucoalesce/znormalize_data.go