
Commit de5a419

authored
[Filebeat][zeek] Add mappings for x509 fields in kerberos (#20958)
* Add mappings for x509 fields in kerberos * Add changelog entry * Do gsub in place
1 parent 0032c0c commit de5a419

4 files changed

Lines changed: 90 additions & 1 deletion


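--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -555,6 +555,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Convert httpjson to v2 input {pull}20226[20226]
 - Improve Zeek x509 module with `x509` ECS mappings {pull}20867[20867]
 - Improve Zeek SSL module with `x509` ECS mappings {pull}20927[20927]
+- Improve Zeek Kerberos module with `x509` ECS mappings {pull}20958[20958]
 
 *Heartbeat*
 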
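--- a/x-pack/filebeat/module/zeek/kerberos/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/zeek/kerberos/ingest/pipeline.yml
@@ -87,6 +87,82 @@ processors:
 field: related.user
 value: "{{user.name}}"
 if: "ctx?.user?.name != null"
+- gsub:
+field: zeek.kerberos.cert.client.subject
+pattern: \\,
+replacement: ""
+ignore_missing: true
+- kv:
+field: zeek.kerberos.cert.client.subject
+field_split: ','
+value_split: '='
+target_field: zeek.kerberos.cert.client.kv_sub
+ignore_missing: true
+- rename:
+field: zeek.kerberos.cert.client.kv_sub.C
+target_field: tls.client.x509.subject.country
+ignore_missing: true
+- rename:
+field: zeek.kerberos.cert.client.kv_sub.CN
+target_field: tls.client.x509.subject.common_name
+ignore_missing: true
+- rename:
+field: zeek.kerberos.cert.client.kv_sub.L
+target_field: tls.client.x509.subject.locality
+ignore_missing: true
+- rename:
+field: zeek.kerberos.cert.client.kv_sub.O
+target_field: tls.client.x509.subject.organization
+ignore_missing: true
+- rename:
+field: zeek.kerberos.cert.client.kv_sub.OU
+target_field: tls.client.x509.subject.organizational_unit
+ignore_missing: true
+- rename:
+field: zeek.kerberos.cert.client.kv_sub.ST
+target_field: tls.client.x509.subject.state_or_province
+ignore_missing: true
+- remove:
+field: zeek.kerberos.cert.client.kv_sub
+ignore_missing: true
+- gsub:
+field: zeek.kerberos.cert.server.subject
+pattern: \\,
+replacement: ""
+ignore_missing: true
+- kv:
+field: zeek.kerberos.cert.server.subject
+field_split: ','
+value_split: '='
+target_field: zeek.kerberos.cert.server.kv_sub
+ignore_missing: true
+- rename:
+field: zeek.kerberos.cert.server.kv_sub.C
+target_field: tls.server.x509.subject.country
+ignore_missing: true
+- rename:
+field: zeek.kerberos.cert.server.kv_sub.CN
+target_field: tls.server.x509.subject.common_name
+ignore_missing: true
+- rename:
+field: zeek.kerberos.cert.server.kv_sub.L
+target_field: tls.server.x509.subject.locality
+ignore_missing: true
+- rename:
+field: zeek.kerberos.cert.server.kv_sub.O
+target_field: tls.server.x509.subject.organization
+ignore_missing: true
+- rename:
+field: zeek.kerberos.cert.server.kv_sub.OU
+target_field: tls.server.x509.subject.organizational_unit
+ignore_missing: true
+- rename:
+field: zeek.kerberos.cert.server.kv_sub.ST
+target_field: tls.server.x509.subject.state_or_province
+ignore_missing: true
+- remove:
+field: zeek.kerberos.cert.server.kv_sub
+ignore_missing: true
 on_failure:
 - set:
 field: error.message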
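Review bot: The in-place `gsub` that opens the hunk deletes the RFC 4514 escape `\,` instead of unescaping it, so `O=Elasticsearch\, Inc.` becomes `Elasticsearch Inc.` not only in `tls.client.x509.subject.organization` but also in the raw `zeek.kerberos.cert.client.subject`, which the updated expected output shows rewritten. The raw DN is the value an analyst would pivot or alert on, so I would run the `gsub`/`kv` pair on a scratch copy and remove it afterwards, leaving the Zeek field as logged; the same applies to the server block further down. Only `\,` is handled, so other DN escapes (`\=`, `\+`, `\\`, hex `\XX`) and `+`-joined multi-valued RDNs still reach `kv` unchanged, and a segment without `=` presumably raises in `kv` and drops into the pipeline's `on_failure`, skipping the remaining processors for that event; `ignore_failure: true` on the two `kv` processors would keep one odd certificate from aborting the rest of the pipeline. The client half of the proposed change follows; the server half mirrors it.
```yaml
- set:
    field: _temp.client_subject
    value: "{{zeek.kerberos.cert.client.subject}}"
    if: "ctx?.zeek?.kerberos?.cert?.client?.subject != null"
- gsub:
    field: _temp.client_subject
    pattern: \\,
    replacement: ""
    ignore_missing: true
- kv:
    field: _temp.client_subject
    field_split: ','
    value_split: '='
    target_field: zeek.kerberos.cert.client.kv_sub
    ignore_missing: true
    ignore_failure: true
# … unchanged: rename kv_sub.C/CN/L/O/OU/ST → tls.client.x509.subject.* …
- remove:
    field: [zeek.kerberos.cert.client.kv_sub, _temp.client_subject]
    ignore_missing: true
# … unchanged: same sequence for zeek.kerberos.cert.server.subject …
```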
Lines changed: 1 addition & 1 deletion
@@ -1 +1 @@
1-
{"ts":1507565599.590346,"uid":"C56Flhb4WQBNkfMOl","id.orig_h":"192.168.10.31","id.orig_p":49242,"id.resp_h":"192.168.10.10","id.resp_p":88,"request_type":"TGS","client":"RonHD/CONTOSO.LOCAL","service":"HOST/admin-pc","success":true,"till":2136422885.0,"cipher":"aes256-cts-hmac-sha1-96","forwardable":true,"renewable":true}
1+
{"ts":1507565599.590346,"uid":"C56Flhb4WQBNkfMOl","id.orig_h":"192.168.10.31","id.orig_p":49242,"id.resp_h":"192.168.10.10","id.resp_p":88,"request_type":"TGS","client":"RonHD/CONTOSO.LOCAL","service":"HOST/admin-pc","success":true,"till":2136422885.0,"cipher":"aes256-cts-hmac-sha1-96","forwardable":true,"renewable":true,"cert.client_subject":"CN=*.gcp.cloud.es.io,O=Elasticsearch\u005c, Inc.,L=Mountain View,ST=California,C=US","cert.server_subject":"CN=*.gcp.cloud.es.io,O=Elasticsearch\u005c, Inc.,L=Mountain View,ST=California,C=US"}

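--- a/x-pack/filebeat/module/zeek/kerberos/test/kerberos-json.log-expected.json
+++ b/x-pack/filebeat/module/zeek/kerberos/test/kerberos-json.log-expected.json
@@ -40,8 +40,20 @@
 "tags": [
 "zeek.kerberos"
 ],
+"tls.client.x509.subject.common_name": "*.gcp.cloud.es.io",
+"tls.client.x509.subject.country": "US",
+"tls.client.x509.subject.locality": "Mountain View",
+"tls.client.x509.subject.organization": "Elasticsearch Inc.",
+"tls.client.x509.subject.state_or_province": "California",
+"tls.server.x509.subject.common_name": "*.gcp.cloud.es.io",
+"tls.server.x509.subject.country": "US",
+"tls.server.x509.subject.locality": "Mountain View",
+"tls.server.x509.subject.organization": "Elasticsearch Inc.",
+"tls.server.x509.subject.state_or_province": "California",
 "user.domain": "CONTOSO.LOCAL",
 "user.name": "RonHD",
+"zeek.kerberos.cert.client.subject": "CN=*.gcp.cloud.es.io,O=Elasticsearch Inc.,L=Mountain View,ST=California,C=US",
+"zeek.kerberos.cert.server.subject": "CN=*.gcp.cloud.es.io,O=Elasticsearch Inc.,L=Mountain View,ST=California,C=US",
 "zeek.kerberos.cipher": "aes256-cts-hmac-sha1-96",
 "zeek.kerberos.client": "RonHD/CONTOSO.LOCAL",
 "zeek.kerberos.forwardable": true,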
