[AWS] Support Cloudtrail tlsDetails field

packages/aws/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.5.0"
+  changes:
+    - description: Update Cloudtrail datastream to support tlsDetails field
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/6352
 - version: "2.4.1"
   changes:
     - description: Fix Security Hub Findings to abide by ECS allowed values.

packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-tls-details-json.log

@@ -0,0 +1 @@
+{"eventVersion":"1.05","userIdentity":{"type":"IAMUser","principalId":"EXAMPLE_ID","arn":"arn:aws:iam::0123456789012:user/Alice","accountId":"0123456789012","accessKeyId":"EXAMPLE_KEY","userName":"Alice","sessionContext":{"attributes":{"mfaAuthenticated":"true","creationDate":"2020-01-10T14:38:30Z"}},"invokedBy":"signin.amazonaws.com"},"eventTime":"2020-01-10T16:06:40Z","eventSource":"iam.amazonaws.com","eventName":"UploadSSHPublicKey","awsRegion":"us-east-1","sourceIPAddress":"127.0.0.1","userAgent":"signin.amazonaws.com","requestParameters":{"sSHPublicKeyBody":"ssh-rsa AAAAdeadcodedeadcode Alice@localhost.domain","userName":"Alice"},"responseElements":{"sSHPublicKey":{"fingerprint":"de:ad:c0:de:de:ad:c0:de:de:ad:c0:de:de:ad:c0:de","status":"Active","uploadDate":"Jan 10, 2020 4:06:40 PM","userName":"Alice","sSHPublicKeyId":"EXAMPLE_KEY_ID","sSHPublicKeyBody":"ssh-rsa AAAAdeadcodedeadcode Alice@localhost.domain"}},"requestID":"EXAMPLE-44b9-41cd-90f2-EXAMPLE","eventID":"EXAMPLE-9a9d-4da4-9998-EXAMPLE","eventType":"AwsApiCall","recipientAccountId":"0123456789012","tlsDetails":{"tlsVersion":"TLSv1.2","cipherSuite":"ECDHE-RSA-AES128-GCM-SHA256","clientProvidedHostHeader":"ssm.us-west-2.amazonaws.com"}}

packages/aws/data_stream/cloudtrail/_dev/test/pipeline/test-tls-details-json.log-expected.json

@@ -0,0 +1,96 @@
+{
+    "expected": [
+        {
+            "@timestamp": "2020-01-10T16:06:40.000Z",
+            "aws": {
+                "cloudtrail": {
+                    "event_type": "AwsApiCall",
+                    "event_version": "1.05",
+                    "flattened": {
+                        "request_parameters": {
+                            "sSHPublicKeyBody": "ssh-rsa AAAAdeadcodedeadcode Alice@localhost.domain",
+                            "userName": "Alice"
+                        },
+                        "response_elements": {
+                            "sSHPublicKey": {
+                                "fingerprint": "de:ad:c0:de:de:ad:c0:de:de:ad:c0:de:de:ad:c0:de",
+                                "sSHPublicKeyBody": "ssh-rsa AAAAdeadcodedeadcode Alice@localhost.domain",
+                                "sSHPublicKeyId": "EXAMPLE_KEY_ID",
+                                "status": "Active",
+                                "uploadDate": "Jan 10, 2020 4:06:40 PM",
+                                "userName": "Alice"
+                            }
+                        }
+                    },
+                    "recipient_account_id": "0123456789012",
+                    "request_id": "EXAMPLE-44b9-41cd-90f2-EXAMPLE",
+                    "request_parameters": "{sSHPublicKeyBody=ssh-rsa AAAAdeadcodedeadcode Alice@localhost.domain, userName=Alice}",
+                    "response_elements": "{sSHPublicKey={sSHPublicKeyBody=ssh-rsa AAAAdeadcodedeadcode Alice@localhost.domain, sSHPublicKeyId=EXAMPLE_KEY_ID, uploadDate=Jan 10, 2020 4:06:40 PM, fingerprint=de:ad:c0:de:de:ad:c0:de:de:ad:c0:de:de:ad:c0:de, userName=Alice, status=Active}}",
+                    "user_identity": {
+                        "access_key_id": "EXAMPLE_KEY",
+                        "arn": "arn:aws:iam::0123456789012:user/Alice",
+                        "invoked_by": "signin.amazonaws.com",
+                        "session_context": {
+                            "creation_date": "2020-01-10T14:38:30.000Z",
+                            "mfa_authenticated": "true"
+                        },
+                        "type": "IAMUser"
+                    }
+                }
+            },
+            "cloud": {
+                "account": {
+                    "id": "0123456789012"
+                },
+                "region": "us-east-1"
+            },
+            "ecs": {
+                "version": "8.0.0"
+            },
+            "event": {
+                "action": "UploadSSHPublicKey",
+                "created": "2021-11-11T01:02:03.123456789Z",
+                "id": "EXAMPLE-9a9d-4da4-9998-EXAMPLE",
+                "kind": "event",
+                "original": "{\"eventVersion\":\"1.05\",\"userIdentity\":{\"type\":\"IAMUser\",\"principalId\":\"EXAMPLE_ID\",\"arn\":\"arn:aws:iam::0123456789012:user/Alice\",\"accountId\":\"0123456789012\",\"accessKeyId\":\"EXAMPLE_KEY\",\"userName\":\"Alice\",\"sessionContext\":{\"attributes\":{\"mfaAuthenticated\":\"true\",\"creationDate\":\"2020-01-10T14:38:30Z\"}},\"invokedBy\":\"signin.amazonaws.com\"},\"eventTime\":\"2020-01-10T16:06:40Z\",\"eventSource\":\"iam.amazonaws.com\",\"eventName\":\"UploadSSHPublicKey\",\"awsRegion\":\"us-east-1\",\"sourceIPAddress\":\"127.0.0.1\",\"userAgent\":\"signin.amazonaws.com\",\"requestParameters\":{\"sSHPublicKeyBody\":\"ssh-rsa AAAAdeadcodedeadcode Alice@localhost.domain\",\"userName\":\"Alice\"},\"responseElements\":{\"sSHPublicKey\":{\"fingerprint\":\"de:ad:c0:de:de:ad:c0:de:de:ad:c0:de:de:ad:c0:de\",\"status\":\"Active\",\"uploadDate\":\"Jan 10, 2020 4:06:40 PM\",\"userName\":\"Alice\",\"sSHPublicKeyId\":\"EXAMPLE_KEY_ID\",\"sSHPublicKeyBody\":\"ssh-rsa AAAAdeadcodedeadcode Alice@localhost.domain\"}},\"requestID\":\"EXAMPLE-44b9-41cd-90f2-EXAMPLE\",\"eventID\":\"EXAMPLE-9a9d-4da4-9998-EXAMPLE\",\"eventType\":\"AwsApiCall\",\"recipientAccountId\":\"0123456789012\",\"tlsDetails\":{\"tlsVersion\":\"TLSv1.2\",\"cipherSuite\":\"ECDHE-RSA-AES128-GCM-SHA256\",\"clientProvidedHostHeader\":\"ssm.us-west-2.amazonaws.com\"}}",
+                "outcome": "success",
+                "provider": "iam.amazonaws.com",
+                "type": "info"
+            },
+            "related": {
+                "user": [
+                    "Alice"
+                ]
+            },
+            "source": {
+                "address": "127.0.0.1",
+                "ip": "127.0.0.1"
+            },
+            "tags": [
+                "preserve_original_event"
+            ],
+            "tls": {
+                "cipher": "ECDHE-RSA-AES128-GCM-SHA256",
+                "client": {
+                    "server_name": "ssm.us-west-2.amazonaws.com"
+                },
+                "version": "1.2",
+                "version_protocol": "tls"
+            },
+            "user": {
+                "id": "EXAMPLE_ID",
+                "name": "Alice",
+                "target": {
+                    "name": "Alice"
+                }
+            },
+            "user_agent": {
+                "device": {
+                    "name": "Other"
+                },
+                "name": "Other",
+                "original": "signin.amazonaws.com"
+            }
+        }
+    ]
+}

packages/aws/data_stream/cloudtrail/elasticsearch/ingest_pipeline/default.yml

@@ -743,6 +743,21 @@ processors:
       field: aws.cloudtrail.insight_details
       target_field: aws.cloudtrail.flattened.insight_details
       ignore_missing: true
+  - dissect:
+      field: json.tlsDetails.tlsVersion
+      pattern: "%{tls.version_protocol}v%{tls.version}"
+      ignore_missing: true
+  - lowercase:
+      field: tls.version_protocol
+      ignore_missing: true
+  - rename:
+      field: json.tlsDetails.cipherSuite
+      target_field: tls.cipher
+      ignore_missing: true
+  - rename:
+      field: json.tlsDetails.clientProvidedHostHeader
+      target_field: tls.client.server_name
+      ignore_missing: true
   - remove:
       field: json
       ignore_missing: true

packages/aws/data_stream/cloudtrail/fields/ecs.yml

@@ -134,3 +134,11 @@
   name: container.labels
 - external: ecs
   name: container.name
+- external: ecs
+  name: tls.version
+- external: ecs
+  name: tls.version_protocol
+- external: ecs
+  name: tls.cipher
+- external: ecs
+  name: tls.client.server_name

packages/aws/docs/cloudtrail.md

@@ -186,6 +186,10 @@ If blank, CloudTrail Digest logs will be skipped.
 | source.geo.region_name | Region name. | keyword |
 | source.ip | IP address of the source (IPv4 or IPv6). | ip |
 | tags | List of keywords used to tag each event. | keyword |
+| tls.cipher | String indicating the cipher used during the current connection. | keyword |
+| tls.client.server_name | Also called an SNI, this tells the server which hostname to which the client is attempting to connect to. When this value is available, it should get copied to `destination.domain`. | keyword |
+| tls.version | Numeric part of the version parsed from the original string. | keyword |
+| tls.version_protocol | Normalized lowercase protocol name parsed from original string. | keyword |
 | user.changes.name | Short name or login of the user. | keyword |
 | user.changes.name.text | Multi-field of `user.changes.name`. | match_only_text |
 | user.id | Unique identifier of the user. | keyword |

packages/aws/manifest.yml

@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: aws
 title: AWS
-version: 2.4.1
+version: 2.5.0
 license: basic
 description: Collect logs and metrics from Amazon Web Services (AWS) with Elastic Agent.
 type: integration