
Commit 488d1c3

authored
Merge branch 'main' into fix-broken-link-in-system-integration
2 parents 8cce8c4 + dfd04e6 commit 488d1c3


52 files changed

+3269
-29
lines changed

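--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -348,6 +348,7 @@
 /packages/mysql @elastic/obs-infraobs-integrations
 /packages/mysql_enterprise @elastic/sec-windows-platform
 /packages/mysql_otel @elastic/obs-infraobs-integrations
+/packages/mysql_input_otel @elastic/ecosystem
 /packages/nagios_xi @elastic/obs-infraobs-integrations
 /packages/nats @elastic/obs-infraobs-integrations
 /packages/neon_cyber @elastic/security-service-integrations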

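--- a/.github/ISSUE_TEMPLATE/integration_bug.yml
+++ b/.github/ISSUE_TEMPLATE/integration_bug.yml
@@ -148,6 +148,7 @@ body:
 - Defend for Containers (BETA) [cloud_defend]
 - Digital Guardian [digital_guardian]
 - Docker OpenTelemetry Assets [docker_otel]
+- Docker OpenTelemetry Input Package [docker_input_otel]
 - Docker [docker]
 - Domain Generation Algorithm Detection [dga]
 - DomainTools Feeds [ti_domaintools]
@@ -279,6 +280,7 @@ body:
 - Netskope [netskope]
 - Network Beaconing Identification [beaconing]
 - Network Packet Capture [network_traffic]
+- Nextron Thor APT Scanner [nextron_thor]
 - Nginx Ingress Controller Logs [nginx_ingress_controller]
 - Nginx Ingress Controller OpenTelemetry Logs [nginx_ingress_controller_otel]
 - NGINX OpenTelemetry Assets [nginx_otel]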

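--- a/.github/ISSUE_TEMPLATE/integration_feature_request.yml
+++ b/.github/ISSUE_TEMPLATE/integration_feature_request.yml
@@ -148,6 +148,7 @@ body:
 - Defend for Containers (BETA) [cloud_defend]
 - Digital Guardian [digital_guardian]
 - Docker OpenTelemetry Assets [docker_otel]
+- Docker OpenTelemetry Input Package [docker_input_otel]
 - Docker [docker]
 - Domain Generation Algorithm Detection [dga]
 - DomainTools Feeds [ti_domaintools]
@@ -279,6 +280,7 @@ body:
 - Netskope [netskope]
 - Network Beaconing Identification [beaconing]
 - Network Packet Capture [network_traffic]
+- Nextron Thor APT Scanner [nextron_thor]
 - Nginx Ingress Controller Logs [nginx_ingress_controller]
 - Nginx Ingress Controller OpenTelemetry Logs [nginx_ingress_controller_otel]
 - NGINX OpenTelemetry Assets [nginx_otel]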

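--- a/packages/aws/changelog.yml
+++ b/packages/aws/changelog.yml
@@ -1,4 +1,13 @@
 # newer versions go on top
+- version: "6.2.0"
+changes:
+- description: |
+Add support for the `aws.waf.captcha_response.*`, `aws.waf.challenge_response.*`, `aws.waf.format_version`, `aws.waf.ja4_fingerprint`,
+`aws.waf.labels.name`, `aws.waf.oversize_fields`, `aws.waf.request_body_size`, `aws.waf.request_body_size_inspected_by_waf`, `aws.waf.response_code_sent`,
+`aws.waf.request_headers_inserted.*`, `host.domain`, `tls.client.ja3`, `url.fragment` and `url.scheme` in waf data stream.
+`aws.waf.request_headers_inserted.*`, `tls.client.ja3`, `url.registered_domain`, `url.fragment` and `url.scheme` in waf data stream.
+type: enhancement
+link: https://github.com/elastic/integrations/pull/17205
 - version: "6.1.1"
 changes:
 - description: Remove duplicate security-solution-default tag references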
Lines changed: 2 additions & 1 deletion
@@ -1,4 +1,5 @@
11
{"timestamp":1576280412771,"formatVersion":1,"webaclId":"arn:aws:wafv2:ap-southeast-2:EXAMPLE12345:regional/webacl/STMTest/1EXAMPLE-2ARN-3ARN-4ARN-123456EXAMPLE","terminatingRuleId":"STMTest_SQLi_XSS","terminatingRuleType":"REGULAR","action":"BLOCK","terminatingRuleMatchDetails":[{"conditionType":"SQL_INJECTION","location":"HEADER","matchedData":["10","AND","1"]}],"httpSourceName":"-","httpSourceId":"-","ruleGroupList":[],"rateBasedRuleList":[],"nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"89.160.20.156","country":"AU","headers":[{"name":"Host","value":"localhost:1989"},{"name":"User-Agent","value":"curl/7.61.1"},{"name":"Accept","value":"*/*"},{"name":"x-stm-test","value":"10 AND 1=1"}],"uri":"/foo","args":"","httpVersion":"HTTP/1.1","httpMethod":"GET","requestId":"rid"},"labels":[{"name":"value"}]}
22
{"timestamp":1592357192516,"formatVersion":1,"webaclId":"arn:aws:wafv2:us-east-1:123456789012:global/webacl/hello-world/5933d6d9-9dde-js82-v8aw-9ck28nv9","terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","action":"ALLOW","terminatingRuleMatchDetails":[],"httpSourceName":"-","httpSourceId":"-","ruleGroupList":[],"rateBasedRuleList":[],"nonTerminatingMatchingRules":[{"ruleId":"TestRule","action":"COUNT","ruleMatchDetails":[{"conditionType":"SQL_INJECTION","location":"HEADER","matchedData":["10","and","1"]}]}],"httpRequest":{"clientIp":"89.160.20.156","country":"US","headers":[{"name":"Host","value":"localhost:1989"},{"name":"User-Agent","value":"curl/7.61.1"},{"name":"Accept","value":"*/*"},{"name":"foo","value":"10 AND 1=1"}],"uri":"/foo","args":"","httpVersion":"HTTP/1.1","httpMethod":"GET","requestId":"rid"},"labels":[{"name":"value"}]}
33
{"timestamp":1592361810888,"formatVersion":1,"webaclId":"arn:aws:wafv2:us-east-1:123456789012:global/webacl/hello-world/5933d6d9-9dde-js82-v8aw-9ck28nv9","terminatingRuleId":"RG-Reference","terminatingRuleType":"GROUP","action":"BLOCK","terminatingRuleMatchDetails":[{"conditionType":"XSS","location":"HEADER","matchedData":["<","frameset"]}],"httpSourceName":"-","httpSourceId":"-","ruleGroupList":[{"ruleGroupId":"arn:aws:wafv2:us-east-1:123456789012:global/rulegroup/hello-world/c05lb698-1f11-4m41-aef4-99a506d53f4b","terminatingRule":{"ruleId":"RuleA-XSS","action":"BLOCK","ruleMatchDetails":null},"nonTerminatingMatchingRules":[{"ruleId":"RuleB-SQLi","action":"COUNT","ruleMatchDetails":[{"conditionType":"SQL_INJECTION","location":"HEADER","matchedData":["10","and","1"]}]}],"excludedRules":null}],"rateBasedRuleList":[],"nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"89.160.20.156","country":"US","headers":[{"name":"Host","value":"localhost:1989"},{"name":"User-Agent","value":"curl/7.61.1"},{"name":"Accept","value":"*/*"},{"name":"xssfoo","value":"<frameset onload=alert(1)>"},{"name":"bar","value":"10 AND 1=1"}],"uri":"/foo","args":"","httpVersion":"HTTP/1.1","httpMethod":"GET","requestId":"rid"},"labels":[{"name":"value"}]}
4-
{"timestamp":1576280412771,"formatVersion":1,"webaclId":"arn:aws:wafv2:ap-southeast-2:12345:regional/webacl/test/111","terminatingRuleId":"STMTest_SQLi_XSS","terminatingRuleType":"REGULAR","action":"BLOCK","terminatingRuleMatchDetails":[{"conditionType":"SQL_INJECTION","location":"UNKNOWN","matchedData":["10","AND","1"]}],"httpSourceName":"ALB","httpSourceId":"alb","ruleGroupList":[],"rateBasedRuleList":[],"nonTerminatingMatchingRules":[],"requestHeadersInserted":null,"responseCodeSent":null,"httpRequest":{"clientIp":"89.160.20.156","country":"AU","headers":[],"uri":"","args":"","httpVersion":"HTTP/1.1","httpMethod":"POST","requestId":"null"},"labels":[{"name":"value"}]}
4+
{"timestamp":1576280412771,"formatVersion":1,"webaclId":"arn:aws:wafv2:ap-southeast-2:12345:regional/webacl/test/111","terminatingRuleId":"STMTest_SQLi_XSS","terminatingRuleType":"REGULAR","action":"BLOCK","terminatingRuleMatchDetails":[{"conditionType":"SQL_INJECTION","location":"UNKNOWN","matchedData":["10","AND","1"]}],"httpSourceName":"ALB","httpSourceId":"alb","ruleGroupList":[],"rateBasedRuleList":[],"nonTerminatingMatchingRules":[],"requestHeadersInserted":null,"responseCodeSent":null,"httpRequest":{"clientIp":"89.160.20.156","country":"AU","headers":[],"uri":"","args":"","httpVersion":"HTTP/1.1","httpMethod":"POST","requestId":"null"},"labels":[{"name":"value"}]}
5+
{"timestamp":1576280412771,"formatVersion":1,"webaclId":"arn:aws:wafv2:ap-southeast-2:12345:regional/webacl/test/111","terminatingRuleId":"STMTest_SQLi_XSS","terminatingRuleType":"REGULAR","action":"BLOCK","terminatingRuleMatchDetails":[{"conditionType":"SQL_INJECTION","location":"UNKNOWN","matchedData":["10","AND","1"]}],"httpSourceName":"ALB","httpSourceId":"alb","ruleGroupList":[],"rateBasedRuleList":[],"nonTerminatingMatchingRules":[],"responseCodeSent":405,"httpRequest":{"clientIp":"89.160.20.128","country":"AU","headers":[],"uri":"","args":"","httpVersion":"HTTP/1.1","httpMethod":"POST","requestId":"null","host":"farsharbor.com","scheme":"https"},"labels":[{"name":"awswaf:managed-token:absent"}],"captchaResponse":{"responseCode":0,"solveTimestamp":1632420429,"failureReason":"TOKEN_MISSING"},"ja3Fingerprint":"4ab0360295808cf27301e94571be303f","ja4Fingerprint":"t13d1510h2_8dadd6152771_dfbe2de304cd","requestHeadersInserted":[{"name":"x-amzn-waf-test-header-name","value":"test-header-value"}]}
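Review bot: The added sample on line 5 covers `captchaResponse`, `ja3Fingerprint`, `ja4Fingerprint`, `requestHeadersInserted`, `responseCodeSent`, `host` and `scheme`, but none of the `challenge_response`, `oversize_fields`, `request_body_size` or `request_body_size_inspected_by_waf` fields that the changelog entry in this same commit lists as newly supported, so those mapping paths have no pipeline test. The `host` value also carries no port, whereas the existing samples' Host headers use `localhost:1989`; a second sample with a `host:port` value would show whether the domain mapping strips the port before populating the URL fields. This section's file header is missing from the page, so I am inferring it is the WAF pipeline test log from the expected file that follows.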

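--- a/packages/aws/data_stream/waf/_dev/test/pipeline/test-waf.log-expected.json
+++ b/packages/aws/data_stream/waf/_dev/test/pipeline/test-waf.log-expected.json
@@ -5,7 +5,13 @@
 "aws": {
 "waf": {
 "arn": "arn:aws:wafv2:ap-southeast-2:EXAMPLE12345:regional/webacl/STMTest/1EXAMPLE-2ARN-3ARN-4ARN-123456EXAMPLE",
+"format_version": "1",
 "id": "regional/webacl/STMTest/1EXAMPLE-2ARN-3ARN-4ARN-123456EXAMPLE",
+"labels": [
+{
+"name": "value"
+}
+],
 "request": {
 "headers": {
 "Accept": "*/*",
@@ -106,7 +112,13 @@
 "aws": {
 "waf": {
 "arn": "arn:aws:wafv2:us-east-1:123456789012:global/webacl/hello-world/5933d6d9-9dde-js82-v8aw-9ck28nv9",
+"format_version": "1",
 "id": "global/webacl/hello-world/5933d6d9-9dde-js82-v8aw-9ck28nv9",
+"labels": [
+{
+"name": "value"
+}
+],
 "non_terminating_matching_rules": [
 {
 "action": "COUNT",
@@ -213,7 +225,13 @@
 "aws": {
 "waf": {
 "arn": "arn:aws:wafv2:us-east-1:123456789012:global/webacl/hello-world/5933d6d9-9dde-js82-v8aw-9ck28nv9",
+"format_version": "1",
 "id": "global/webacl/hello-world/5933d6d9-9dde-js82-v8aw-9ck28nv9",
+"labels": [
+{
+"name": "value"
+}
+],
 "request": {
 "headers": {
 "Accept": "*/*",
@@ -340,7 +358,13 @@
 "aws": {
 "waf": {
 "arn": "arn:aws:wafv2:ap-southeast-2:12345:regional/webacl/test/111",
+"format_version": "1",
 "id": "regional/webacl/test/111",
+"labels": [
+{
+"name": "value"
+}
+],
 "source": {
 "id": "alb",
 "name": "ALB"
@@ -428,6 +452,125 @@
 "tags": [
 "preserve_original_event"
 ]
+},
+{
+"@timestamp": "2019-12-13T23:40:12.771Z",
+"aws": {
+"waf": {
+"arn": "arn:aws:wafv2:ap-southeast-2:12345:regional/webacl/test/111",
+"captcha_response": {
+"failure_reason": "TOKEN_MISSING",
+"response_code": 0,
+"solve_timestamp": "1970-01-19T21:27:00.429Z"
+},
+"format_version": "1",
+"id": "regional/webacl/test/111",
+"ja4_fingerprint": "t13d1510h2_8dadd6152771_dfbe2de304cd",
+"labels": [
+{
+"name": "awswaf:managed-token:absent"
+}
+],
+"request_headers_inserted": {
+"x-amzn-waf-test-header-name": "test-header-value"
+},
+"response_code_sent": 405,
+"source": {
+"id": "alb",
+"name": "ALB"
+},
+"terminating_rule_match_details": [
+{
+"conditionType": "SQL_INJECTION",
+"location": "UNKNOWN",
+"matchedData": [
+"10",
+"AND",
+"1"
+]
+}
+]
+}
+},
+"cloud": {
+"account": {
+"id": "12345"
+},
+"provider": "aws",
+"region": "ap-southeast-2",
+"service": {
+"name": "wafv2"
+}
+},
+"ecs": {
+"version": "8.11.0"
+},
+"event": {
+"action": "BLOCK",
+"category": [
+"web",
+"network"
+],
+"kind": "alert",
+"original": "{\"timestamp\":1576280412771,\"formatVersion\":1,\"webaclId\":\"arn:aws:wafv2:ap-southeast-2:12345:regional/webacl/test/111\",\"terminatingRuleId\":\"STMTest_SQLi_XSS\",\"terminatingRuleType\":\"REGULAR\",\"action\":\"BLOCK\",\"terminatingRuleMatchDetails\":[{\"conditionType\":\"SQL_INJECTION\",\"location\":\"UNKNOWN\",\"matchedData\":[\"10\",\"AND\",\"1\"]}],\"httpSourceName\":\"ALB\",\"httpSourceId\":\"alb\",\"ruleGroupList\":[],\"rateBasedRuleList\":[],\"nonTerminatingMatchingRules\":[],\"responseCodeSent\":405,\"httpRequest\":{\"clientIp\":\"89.160.20.128\",\"country\":\"AU\",\"headers\":[],\"uri\":\"\",\"args\":\"\",\"httpVersion\":\"HTTP/1.1\",\"httpMethod\":\"POST\",\"requestId\":\"null\",\"host\":\"farsharbor.com\",\"scheme\":\"https\"},\"labels\":[{\"name\":\"awswaf:managed-token:absent\"}],\"captchaResponse\":{\"responseCode\":0,\"solveTimestamp\":1632420429,\"failureReason\":\"TOKEN_MISSING\"},\"ja3Fingerprint\":\"4ab0360295808cf27301e94571be303f\",\"ja4Fingerprint\":\"t13d1510h2_8dadd6152771_dfbe2de304cd\",\"requestHeadersInserted\":[{\"name\":\"x-amzn-waf-test-header-name\",\"value\":\"test-header-value\"}]}",
+"type": [
+"access",
+"denied"
+]
+},
+"http": {
+"request": {
+"id": "null",
+"method": "POST"
+},
+"version": "1.1"
+},
+"network": {
+"protocol": "http",
+"transport": "tcp"
+},
+"related": {
+"ip": [
+"89.160.20.128"
+]
+},
+"rule": {
+"id": "STMTest_SQLi_XSS",
+"ruleset": "REGULAR"
+},
+"source": {
+"as": {
+"number": 29518,
+"organization": {
+"name": "Bredband2 AB"
+}
+},
+"geo": {
+"city_name": "Linköping",
+"continent_name": "Europe",
+"country_iso_code": "SE",
+"country_name": "Sweden",
+"location": {
+"lat": 58.4167,
+"lon": 15.6167
+},
+"region_iso_code": "SE-E",
+"region_name": "Östergötland County"
+},
+"ip": "89.160.20.128"
+},
+"tags": [
+"preserve_original_event"
+],
+"tls": {
+"client": {
+"ja3": "4ab0360295808cf27301e94571be303f"
+}
+},
+"url": {
+"registered_domain": "farsharbor.com",
+"scheme": "https"
+}
 }
 ]
 }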
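Review bot: The new expected event's `"solve_timestamp": "1970-01-19T21:27:00.429Z"` is the result of parsing `solveTimestamp: 1632420429` from the sample as milliseconds, yet that value is plainly Unix seconds (it decodes to 2021-09-23T18:07:09Z, and the same record's top-level `timestamp` is the one in milliseconds); the date processor for this field, which lives in the ingest pipeline outside this commit view, should parse with the `UNIX` format rather than `UNIX_MS`, and the expected value should become `"solve_timestamp": "2021-09-23T18:07:09.000Z"`. The sample's `host: farsharbor.com` is also emitted only as `url.registered_domain` with no `url.domain`; in ECS the host itself belongs in `url.domain` and `registered_domain` is derived from it (the registered_domain processor would do this), so I would expect both fields here, hedged on the pipeline I cannot see. Relatedly, the `packages/aws/changelog.yml` entry in this commit keeps two overlapping description lines, one naming `host.domain` and one naming `url.registered_domain`, which looks like a merge leftover; only the line matching the field the pipeline actually sets should remain.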
