
Commit f3e532c

authored
[Filebeat][santa] Map x509 fields in santa module (elastic#20976)
* Map x509 fields in santa module * Bump ecs version
1 parent e11283e commit f3e532c

4 files changed

Lines changed: 14 additions & 1 deletion


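--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -551,6 +551,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Improve Zeek SSL module with `x509` ECS mappings {pull}20927[20927]
 - Improve Zeek Kerberos module with `x509` ECS mappings {pull}20958[20958]
 - Improve Fortinet firewall module with `x509` ECS mappings {pull}20983[20983]
+- Improve Santa module with `x509` ECS mappings {pull}20976[20976]
 
 *Heartbeat*
 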
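--- a/filebeat/module/santa/log/config/file.yml
+++ b/filebeat/module/santa/log/config/file.yml
@@ -8,4 +8,4 @@ processors:
 - add_fields:
 target: ''
 fields:
-ecs.version: 1.5.0
+ecs.version: 1.6.0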
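--- a/filebeat/module/santa/log/ingest/pipeline.yml
+++ b/filebeat/module/santa/log/ingest/pipeline.yml
@@ -89,6 +89,10 @@ processors:
 field: related.hash
 value: "{{process.hash.sha256}}"
 if: "ctx?.process?.hash != null"
+- set:
+field: file.x509.issuer.common_name
+value: "{{santa.certificate.common_name}}"
+ignore_empty_value: true
 on_failure:
 - set:
 field: error.message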
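Review bot: The new `set` processor stores the Santa certificate CN under `file.x509.issuer.common_name`, but the values it yields in the updated fixture (`Software Signing`, `Developer ID Application: Google, Inc. (EQHXZ8M8AV)`) read like the subject CN of the leaf code-signing certificate, not the CN of the CA that issued it, so the target field looks wrong. Filing the signer's identity under `issuer` will mislead anyone writing detections that distinguish "who signed this binary" from "which CA issued the signing certificate". Unless Santa is known to log the issuer's CN in this field, I would change the target to `field: file.x509.subject.common_name` and consider also populating `file.code_signature.subject_name`, which ECS provides for exactly this signer-name case. A one-line comment above the processor stating which certificate the CN belongs to, e.g. `# cert_cn from Santa is the leaf (signer) certificate's common name`, would make the mapping auditable. The `processors` list continues outside the hunk.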

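--- a/filebeat/module/santa/log/test/santa.log-expected.json
+++ b/filebeat/module/santa/log/test/santa.log-expected.json
@@ -12,6 +12,7 @@
 "event.type": [
 "start"
 ],
+"file.x509.issuer.common_name": "Software Signing",
 "fileset.name": "log",
 "group.id": "0",
 "group.name": "wheel",
@@ -58,6 +59,7 @@
 "event.type": [
 "start"
 ],
+"file.x509.issuer.common_name": "Software Signing",
 "fileset.name": "log",
 "group.id": "0",
 "group.name": "wheel",
@@ -105,6 +107,7 @@
 "event.type": [
 "start"
 ],
+"file.x509.issuer.common_name": "Software Signing",
 "fileset.name": "log",
 "group.id": "0",
 "group.name": "wheel",
@@ -151,6 +154,7 @@
 "event.type": [
 "start"
 ],
+"file.x509.issuer.common_name": "Software Signing",
 "fileset.name": "log",
 "group.id": "0",
 "group.name": "wheel",
@@ -198,6 +202,7 @@
 "event.type": [
 "start"
 ],
+"file.x509.issuer.common_name": "Software Signing",
 "fileset.name": "log",
 "group.id": "0",
 "group.name": "wheel",
@@ -244,6 +249,7 @@
 "event.type": [
 "start"
 ],
+"file.x509.issuer.common_name": "Software Signing",
 "fileset.name": "log",
 "group.id": "0",
 "group.name": "wheel",
@@ -336,6 +342,7 @@
 "event.type": [
 "start"
 ],
+"file.x509.issuer.common_name": "Software Signing",
 "fileset.name": "log",
 "group.id": "20",
 "group.name": "staff",
@@ -381,6 +388,7 @@
 "event.type": [
 "start"
 ],
+"file.x509.issuer.common_name": "Developer ID Application: Google, Inc. (EQHXZ8M8AV)",
 "fileset.name": "log",
 "group.id": "20",
 "group.name": "staff",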
