diff --git a/packages/carbonblack_edr/changelog.yml b/packages/carbonblack_edr/changelog.yml index dd47def024a..8372f08f37a 100644 --- a/packages/carbonblack_edr/changelog.yml +++ b/packages/carbonblack_edr/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.3.0" + changes: + - description: Add JA3/JA3S parsing + type: enhancement + link: https://github.com/elastic/integrations/pull/3440 - version: "1.2.0" changes: - description: Update to ECS 8.2 diff --git a/packages/carbonblack_edr/data_stream/log/_dev/test/pipeline/test-events.json-expected.json b/packages/carbonblack_edr/data_stream/log/_dev/test/pipeline/test-events.json-expected.json index b7ed782b95c..b2254ac9c93 100644 --- a/packages/carbonblack_edr/data_stream/log/_dev/test/pipeline/test-events.json-expected.json +++ b/packages/carbonblack_edr/data_stream/log/_dev/test/pipeline/test-events.json-expected.json @@ -885,6 +885,9 @@ "start" ] }, + "network": { + "iana_number": "17" + }, "observer": { "name": "CB_SERVER_HOSTNAME", "product": "Carbon Black EDR", @@ -1092,6 +1095,9 @@ "start" ] }, + "network": { + "iana_number": "6" + }, "observer": { "name": "CB_SERVER_HOSTNAME", "product": "Carbon Black EDR", @@ -1391,6 +1397,9 @@ "start" ] }, + "network": { + "iana_number": "6" + }, "observer": { "name": "CB_SERVER_HOSTNAME", "product": "Carbon Black EDR", @@ -1735,16 +1744,33 @@ "start" ] }, + "network": { + "iana_number": "6" + }, "observer": { "name": "CB_SERVER_HOSTNAME", "product": "Carbon Black EDR", "type": "edr", "vendor": "VMWare" }, + "related": { + "hash": [ + "eb1d94daa7e0344597e756a1fb6e7054", + "598872011444709307b861ae817a4b60" + ] + }, "tags": [ "carbonblack_edr-log", "forwarded" - ] + ], + "tls": { + "client": { + "ja3": "598872011444709307b861ae817a4b60" + }, + "server": { + "ja3s": "eb1d94daa7e0344597e756a1fb6e7054" + } + } }, { "@timestamp": "2014-09-09T19:00:21.380Z", 
@@ -2110,6 +2136,9 @@ "start" ] }, + "network": { + "iana_number": "17" + }, "observer": { "name": "CB_SERVER_HOSTNAME", "product": "Carbon Black EDR", @@ -2535,6 +2564,9 @@ "start" ] }, + "network": { + "iana_number": "6" + }, "observer": { "name": "CB_SERVER_HOSTNAME", "product": "Carbon Black EDR", @@ -2906,6 +2938,9 @@ "start" ] }, + "network": { + "iana_number": "17" + }, "observer": { "name": "CB_SERVER_HOSTNAME", "product": "Carbon Black EDR", @@ -3337,6 +3372,9 @@ "start" ] }, + "network": { + "iana_number": "6" + }, "observer": { "name": "CB_SERVER_HOSTNAME", "product": "Carbon Black EDR", @@ -3817,6 +3855,9 @@ "start" ] }, + "network": { + "iana_number": "17" + }, "observer": { "name": "CB_SERVER_HOSTNAME", "product": "Carbon Black EDR", @@ -4320,6 +4361,9 @@ "start" ] }, + "network": { + "iana_number": "17" + }, "observer": { "name": "CB_SERVER_HOSTNAME", "product": "Carbon Black EDR", diff --git a/packages/carbonblack_edr/data_stream/log/elasticsearch/ingest_pipeline/default.yml b/packages/carbonblack_edr/data_stream/log/elasticsearch/ingest_pipeline/default.yml index aec93b30b72..a415c18f141 100644 --- a/packages/carbonblack_edr/data_stream/log/elasticsearch/ingest_pipeline/default.yml +++ b/packages/carbonblack_edr/data_stream/log/elasticsearch/ingest_pipeline/default.yml @@ -795,6 +795,20 @@ processors: target_field: network.transport ignore_missing: true +- convert: + field: json.protocol + target_field: network.iana_number + type: string + ignore_missing: true +- set: + field: tls.client.ja3 + copy_from: json.ja3 + ignore_empty_value: true +- set: + field: tls.server.ja3s + copy_from: json.ja3s + ignore_empty_value: true + # # Related fields # 
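Review bot: In the `@@ -795,6 +795,20 @@` hunk the two `set`/`copy_from` processors copy `json.ja3` and `json.ja3s` into `tls.client.ja3`/`tls.server.ja3s` verbatim, and those values are later pushed into `related.hash`, a keyword field, so any case difference between sources silently breaks the cross-integration pivot this PR is built for. The fixtures here are lowercase MD5 hex, which is what ECS expects, but nothing in the pipeline guarantees it if the sensor ever emits uppercase; the Suricata fixture in this same PR already mixes uppercase certificate fingerprints with lowercase JA3 values in one `related.hash` array. Since JA3/JA3S are hex digests, a normalising step right after the copies is safe: `- lowercase:` / `    field: tls.client.ja3` / `    ignore_missing: true`, and the same for `tls.server.ja3s`. Whether Carbon Black EDR can actually emit uppercase here is not visible from the diff, so treat this as a defensive caveat rather than a known bug.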
@@ -817,6 +831,15 @@ processors: allow_duplicates: false if: 'ctx.process?.parent?.hash?.md5 != null' +- append: + field: related.hash + value: "{{tls.server.ja3s}}" + if: "ctx?.tls?.server?.ja3s != null" +- append: + field: related.hash + value: "{{tls.client.ja3}}" + if: "ctx?.tls?.client?.ja3 != null" + allow_duplicates: false # # Remove unneeded fields # diff --git a/packages/carbonblack_edr/data_stream/log/fields/ecs.yml b/packages/carbonblack_edr/data_stream/log/fields/ecs.yml index f156d565bb4..337f2e224da 100644 --- a/packages/carbonblack_edr/data_stream/log/fields/ecs.yml +++ b/packages/carbonblack_edr/data_stream/log/fields/ecs.yml @@ -52,6 +52,8 @@ external: ecs - name: network.transport external: ecs +- name: network.iana_number + external: ecs - name: observer.name external: ecs - name: observer.product @@ -106,3 +108,7 @@ external: ecs - name: threat.indicator.port external: ecs +- name: tls.client.ja3 + external: ecs +- name: tls.server.ja3s + external: ecs diff --git a/packages/carbonblack_edr/docs/README.md b/packages/carbonblack_edr/docs/README.md index 88cd6f93c0c..ede9799204f 100644 --- a/packages/carbonblack_edr/docs/README.md +++ b/packages/carbonblack_edr/docs/README.md 
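Review bot: The `related.hash` append for `{{tls.server.ja3s}}` has no `allow_duplicates: false`, while the sibling `{{tls.client.ja3}}` append directly below it and the existing `process.parent.hash.md5` append in the context lines both set it, so only one of the two new values is protected against being added twice (e.g. when a document that already carries the value is re-run through the pipeline). Add `allow_duplicates: false` under the ja3s append so the three `related.hash` appends behave identically. The new `if` conditions also use the `ctx?.tls?.server?.ja3s != null` form, whereas the existing ones in this pipeline are written `ctx.process?.parent?.hash?.md5 != null`; `ctx` is never null in an ingest pipeline, so `ctx.tls?.server?.ja3s != null` matches the file's convention without changing behaviour.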
@@ -312,6 +312,7 @@ An example event for `log` looks as following: | log.offset | Offset of the entry in the log file. | long | | log.source.address | Source address from which the log event was read / sent from. | keyword | | network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | | network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | | observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword | | observer.product | The product name of the observer. | keyword | 
@@ -344,5 +345,7 @@ An example event for `log` looks as following: | threat.indicator.port | Identifies a threat indicator as a port number (irrespective of direction). | long | | threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. Recommended values: \* autonomous-system \* artifact \* directory \* domain-name \* email-addr \* file \* ipv4-addr \* ipv6-addr \* mac-addr \* mutex \* port \* process \* software \* url \* user-account \* windows-registry-key \* x509-certificate | keyword | | threat.indicator.url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| tls.client.ja3 | A hash that identifies clients based on how they perform an SSL/TLS handshake. | keyword | +| tls.server.ja3s | A hash that identifies servers based on how they perform an SSL/TLS handshake. | keyword | diff --git a/packages/carbonblack_edr/manifest.yml b/packages/carbonblack_edr/manifest.yml index 07261a6ae97..44f0d8a86eb 100644 --- a/packages/carbonblack_edr/manifest.yml +++ b/packages/carbonblack_edr/manifest.yml @@ -1,6 +1,6 @@ name: carbonblack_edr title: VMware Carbon Black EDR -version: 1.2.0 +version: 1.3.0 release: ga description: Collect logs from VMware Carbon Black EDR with Elastic Agent. type: integration diff --git a/packages/fireeye/changelog.yml b/packages/fireeye/changelog.yml index 3e1575fc75b..7acd6dcf3c2 100644 --- a/packages/fireeye/changelog.yml +++ b/packages/fireeye/changelog.yml 
@@ -1,3 +1,8 @@ +- version: "1.4.0" + changes: + - description: Add JA3/JA3S to `related.hash` + type: enhancement + link: https://github.com/elastic/integrations/pull/3440 - version: "1.3.1" changes: - description: Move invalid field value in sample event file diff --git a/packages/fireeye/data_stream/nx/_dev/test/pipeline/test-nx.log-expected.json b/packages/fireeye/data_stream/nx/_dev/test/pipeline/test-nx.log-expected.json index a5c10f1a94c..221d5a84a86 100644 --- a/packages/fireeye/data_stream/nx/_dev/test/pipeline/test-nx.log-expected.json +++ b/packages/fireeye/data_stream/nx/_dev/test/pipeline/test-nx.log-expected.json @@ -399,6 +399,10 @@ "vendor": "Fireeye" }, "related": { + "hash": [ + "9873b112313d7c4e5e8ef6207e6c6f0d", + "21536525fbf9e289f79e0f98af64bb59" + ], "ip": [ "192.168.1.99", "67.43.156.13" diff --git a/packages/fireeye/data_stream/nx/elasticsearch/ingest_pipeline/default.yml b/packages/fireeye/data_stream/nx/elasticsearch/ingest_pipeline/default.yml index 208d849700e..4e8f31ac8ed 100644 --- a/packages/fireeye/data_stream/nx/elasticsearch/ingest_pipeline/default.yml +++ b/packages/fireeye/data_stream/nx/elasticsearch/ingest_pipeline/default.yml @@ -165,6 +165,15 @@ processors: value: "{{destination.ip}}" allow_duplicates: false if: ctx.destination?.ip != null + - append: + field: related.hash + value: "{{tls.server.ja3s}}" + if: "ctx?.tls?.server?.ja3s != null" + - append: + field: related.hash + value: "{{tls.client.ja3}}" + if: "ctx?.tls?.client?.ja3 != null" + allow_duplicates: false - remove: field: - rawmsg diff --git a/packages/fireeye/data_stream/nx/fields/ecs.yml b/packages/fireeye/data_stream/nx/fields/ecs.yml index f1d3ef0500a..806e86cf15f 100644 --- a/packages/fireeye/data_stream/nx/fields/ecs.yml +++ b/packages/fireeye/data_stream/nx/fields/ecs.yml @@ -30,6 +30,8 @@ name: log.file.path - external: ecs name: related.ip +- external: ecs + name: related.hash - external: ecs name: source.bytes - external: ecs 
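Review bot: In the `@@ -165,6 +165,15 @@` hunk of the fireeye `nx` pipeline, the `tls.server.ja3s` append is missing `allow_duplicates: false` even though the `tls.client.ja3` append added right after it and the `destination.ip` append in the context lines both carry it; add `allow_duplicates: false` to the ja3s append so `related.hash` cannot accumulate repeats. The new conditions are also written as quoted `"ctx?.tls?.server?.ja3s != null"` while the existing one in this pipeline is the unquoted `if: ctx.destination?.ip != null`; the quoting is harmless, but the `ctx?.` null-safe access on the root context is unnecessary and differs from the surrounding style. Note that this hunk only appends to `related.hash`; the `tls.client.ja3`/`tls.server.ja3s` fields it reads are presumably populated earlier in this pipeline, outside the hunk, so their presence cannot be confirmed from the diff.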
diff --git a/packages/fireeye/docs/README.md b/packages/fireeye/docs/README.md index 31bbc638b51..81b7470f208 100644 --- a/packages/fireeye/docs/README.md +++ b/packages/fireeye/docs/README.md @@ -114,6 +114,7 @@ The `nx` integration ingests network security logs from FireEye NX through TCP/U | network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | | observer.product | The product name of the observer. | keyword | | observer.vendor | Vendor name of the observer. | keyword | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | | related.ip | All of the IPs seen on your event. | ip | | source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | | source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | diff --git a/packages/fireeye/manifest.yml b/packages/fireeye/manifest.yml index e8c250355fb..ff214315adc 100644 --- a/packages/fireeye/manifest.yml +++ b/packages/fireeye/manifest.yml @@ -1,7 +1,7 @@ format_version: 1.0.0 name: fireeye title: "Fireeye" -version: 1.3.1 +version: 1.4.0 license: basic description: "This Elastic integration collects Fireeye NX logs." type: integration diff --git a/packages/network_traffic/changelog.yml b/packages/network_traffic/changelog.yml index 21cb64a16dd..d10fe687353 100644 --- a/packages/network_traffic/changelog.yml +++ b/packages/network_traffic/changelog.yml 
@@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.3.0" + changes: + - description: Add JA3/JA3S to `related.hash` + type: enhancement + link: https://github.com/elastic/integrations/pull/3440 - version: "1.2.0" changes: - description: Add option to monitor processes. diff --git a/packages/network_traffic/data_stream/tls/elasticsearch/ingest_pipeline/default.yml b/packages/network_traffic/data_stream/tls/elasticsearch/ingest_pipeline/default.yml index bd7f3b2b61d..af2d5a91f59 100644 --- a/packages/network_traffic/data_stream/tls/elasticsearch/ingest_pipeline/default.yml +++ b/packages/network_traffic/data_stream/tls/elasticsearch/ingest_pipeline/default.yml @@ -64,6 +64,16 @@ processors: } } +- append: + field: related.hash + value: "{{tls.server.ja3s}}" + if: "ctx?.tls?.server?.ja3s != null" +- append: + field: related.hash + value: "{{tls.client.ja3}}" + if: "ctx?.tls?.client?.ja3 != null" + allow_duplicates: false + on_failure: - set: field: error.message diff --git a/packages/network_traffic/data_stream/tls/fields/ecs.yml b/packages/network_traffic/data_stream/tls/fields/ecs.yml index 9bebfd74618..ffe8919e5da 100644 --- a/packages/network_traffic/data_stream/tls/fields/ecs.yml +++ b/packages/network_traffic/data_stream/tls/fields/ecs.yml @@ -44,6 +44,8 @@ name: network.type - external: ecs name: related.ip +- external: ecs + name: related.hash - external: ecs name: server.bytes - external: ecs diff --git a/packages/network_traffic/docs/README.md b/packages/network_traffic/docs/README.md index 1d726b438fe..ddb4873213d 100644 --- a/packages/network_traffic/docs/README.md +++ b/packages/network_traffic/docs/README.md 
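Review bot: The `@@ -64,6 +64,16 @@` hunk of the `tls` packet-capture pipeline adds two `related.hash` appends, but only the `tls.client.ja3` one sets `allow_duplicates: false`; the `tls.server.ja3s` append just above it should set it too, since the two values are treated as equivalent hash indicators everywhere else in this PR and the array should stay free of repeats regardless of which one is processed first. The one-line fix is `allow_duplicates: false` added under the ja3s append, mirroring the ja3 one. The processor the hunk's leading `}` `}` lines close starts outside the hunk, so I cannot tell whether it already sets `related.hash`; if it does, the missing flag matters even more.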
@@ -4279,6 +4279,7 @@ Fields published for TLS packets. | params | The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. | text | | path | The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. | keyword | | query | The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. | keyword | +| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword | | related.ip | All of the IPs seen on your event. | ip | | request | For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. | text | | resource | The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types. | keyword | diff --git a/packages/network_traffic/manifest.yml b/packages/network_traffic/manifest.yml index 984817a8432..4fab59a91cf 100644 --- a/packages/network_traffic/manifest.yml +++ b/packages/network_traffic/manifest.yml @@ -1,7 +1,7 @@ format_version: 1.0.0 name: network_traffic title: Network Packet Capture -version: 1.2.0 +version: 1.3.0 license: basic description: Capture and analyze network traffic from a host with Elastic Agent. type: integration diff --git a/packages/suricata/changelog.yml b/packages/suricata/changelog.yml index 93b6d14ac51..567542096bb 100644 --- a/packages/suricata/changelog.yml 
+++ b/packages/suricata/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.1.0" + changes: + - description: Add JA3/JA3S to `related.hash` + type: enhancement + link: https://github.com/elastic/integrations/pull/3440 - version: "2.0.0" changes: - description: Migrate map visualisation from tile_map to map object diff --git a/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-alerts.log-expected.json b/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-alerts.log-expected.json index 71dbac966eb..7bf5a0fc89b 100644 --- a/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-alerts.log-expected.json +++ b/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-alerts.log-expected.json @@ -2495,7 +2495,9 @@ }, "related": { "hash": [ - "00112233445566778899AABBCCDDEEFF00112233" + "00112233445566778899AABBCCDDEEFF00112233", + "0993626a07ad09e1ce91293be7aa5721", + "d92325c876e7279f4eb8c62415e3a6b7" ], "ip": [ "10.126.2.140", @@ -2608,7 +2610,9 @@ }, "related": { "hash": [ - "363FEE2A1CFADEADBEEF4299CFA9B09101EBA9CC" + "363FEE2A1CFADEADBEEF4299CFA9B09101EBA9CC", + "391231ba5675e42807b9e1f457b2614e", + "3f1ea03f5822e8021b60cc3e4b233181" ], "ip": [ "10.137.3.54", diff --git a/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-small.log-expected.json b/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-small.log-expected.json index 5addf457c9c..ecc4598de7b 100644 --- a/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-small.log-expected.json +++ b/packages/suricata/data_stream/eve/_dev/test/pipeline/test-eve-small.log-expected.json @@ -868,7 +868,8 @@ }, "related": { "hash": [ - "183C114546E926C787640FED47861B31BF0F8425" + "183C114546E926C787640FED47861B31BF0F8425", + "adc06261ef82c2e4688b3cf08c1b2f24" ], "ip": [ "192.168.50.1" @@ -1050,6 +1051,9 @@ "transport": "tcp" }, "related": { + "hash": [ + "44d502d471cfdb99c59bdfb0f220e5a8" + ], "ip": [ "192.168.50.1" ] 
diff --git a/packages/suricata/data_stream/eve/elasticsearch/ingest_pipeline/default.yml b/packages/suricata/data_stream/eve/elasticsearch/ingest_pipeline/default.yml index f31b1e465be..b619ad869f7 100644 --- a/packages/suricata/data_stream/eve/elasticsearch/ingest_pipeline/default.yml +++ b/packages/suricata/data_stream/eve/elasticsearch/ingest_pipeline/default.yml @@ -631,6 +631,15 @@ processors: field: related.ip value: '{{{destination.ip}}}' allow_duplicates: false + - append: + field: related.hash + value: "{{tls.server.ja3s}}" + if: "ctx?.tls?.server?.ja3s != null" + - append: + field: related.hash + value: "{{tls.client.ja3}}" + if: "ctx?.tls?.client?.ja3 != null" + allow_duplicates: false - remove: field: suricata.eve.alert.metadata if: "ctx.suricata?.eve?.alert?.metadata == null || ctx.suricata?.eve?.alert?.metadata.isEmpty()" diff --git a/packages/suricata/manifest.yml b/packages/suricata/manifest.yml index d752c823fb2..cb4ae492971 100644 --- a/packages/suricata/manifest.yml +++ b/packages/suricata/manifest.yml @@ -1,6 +1,6 @@ name: suricata title: Suricata Events -version: 2.0.0 +version: 2.1.0 release: ga description: Collect and parse event logs from Suricata instances with Elastic Agent. type: integration diff --git a/packages/zeek/changelog.yml b/packages/zeek/changelog.yml index d73f263696e..fde5da00436 100644 --- a/packages/zeek/changelog.yml +++ b/packages/zeek/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "2.1.0" + changes: + - description: Add JA3/JA3S parsing & fix certificate data parsing; hash, not valid before/after timestamps + type: enhancement + link: https://github.com/elastic/integrations/pull/3440 - version: "2.0.0" changes: - description: Migrate map visualisation from tile_map to map object diff --git a/packages/zeek/data_stream/ssl/_dev/test/pipeline/test-ssl.log b/packages/zeek/data_stream/ssl/_dev/test/pipeline/test-ssl.log index e717fff3a89..cc7b284316c 100644 
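Review bot: In the suricata `eve` pipeline hunk `@@ -631,6 +631,15 @@`, the `tls.server.ja3s` append into `related.hash` lacks `allow_duplicates: false` while the `tls.client.ja3` append beside it and the `related.ip` append in the context lines both have it; this pipeline is the one where the omission is most visible, because `related.hash` already holds certificate fingerprints (see the updated alert fixtures) and the array is now built from three independent sources. Add `allow_duplicates: false` to the ja3s append. Separately, the existing appends in this file use triple-mustache values (`'{{{destination.ip}}}'`) whereas the new ones use `"{{tls.server.ja3s}}"`; for hex digests the HTML-escaping difference is moot, but the file should pick one form, so `value: '{{{tls.server.ja3s}}}'` and `value: '{{{tls.client.ja3}}}'` would keep it consistent.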
--- a/packages/zeek/data_stream/ssl/_dev/test/pipeline/test-ssl.log +++ b/packages/zeek/data_stream/ssl/_dev/test/pipeline/test-ssl.log 
@@ -1,10 +1,12 @@ {"ts":1547688736.805088,"uid":"CAOvs1BMFCX2Eh0Y3","id.orig_h":"10.178.98.102","id.orig_p":63199,"id.resp_h":"89.160.20.156","id.resp_p":9243,"version":"TLSv12","cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","curve":"secp256r1","server_name":"dd625ffb4fc54735b281862aa1cd6cd4.us-west1.gcp.cloud.es.io","resumed":false,"established":true,"cert_chain_fuids":["FebkbHWVCV8rEEEne","F4BDY41MGUBT6URZMd","FWlfEfiHVkv8evDL3"],"client_cert_chain_fuids":[],"subject":"CN=*.gcp.cloud.es.io,O=Elasticsearch\u005c, Inc.,L=Mountain View,ST=California,C=US","issuer":"CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US","validation_status":"ok"} {"ts":1547688736.80509,"uid":"C3mki91FnnNtm0u1ok","id.orig_h":"10.178.98.102","id.orig_p":63198,"id.resp_h":"89.160.20.156","id.resp_p":9243,"version":"TLSv12","cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","curve":"secp256r1","server_name":"dd625ffb4fc54735b281862aa1cd6cd4.us-west1.gcp.cloud.es.io","resumed":false,"established":true,"cert_chain_fuids":["Fue9H32OmuitQk2zR","FpbiBP215tk2xftxM6","FEdROj1vUzTGw3BIUa"],"client_cert_chain_fuids":[],"subject":"CN=*.gcp.cloud.es.io,O=Elasticsearch\u005c, Inc.,L=Mountain View,ST=California,C=US","issuer":"CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US","validation_status":"ok"} -{"ts":1547688736.805527,"uid":"CfGBt82PzCXzHa0iek","id.orig_h":"10.178.98.102","id.orig_p":63197,"id.resp_h":"89.160.20.156","id.resp_p":9243,"version":"TLSv12","cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","curve":"secp256r1","server_name":"dd625ffb4fc54735b281862aa1cd6cd4.us-west1.gcp.cloud.es.io","resumed":false,"established":true,"cert_chain_fuids":["FiFLYv3UjeWyv2gcW","FvSsiB1Xi816EMagI9","FWpPS4mjGaAhTRXLf"],"client_cert_chain_fuids":[],"subject":"CN=*.gcp.cloud.es.io,O=Elasticsearch\u005c, Inc.,L=Mountain View,ST=California,C=US","issuer":"CN=DigiCert SHA2 Secure Server CA,O=DigiCert 
Inc,C=US","validation_status":"ok"}{"ts":1602179457.352156,"uid":"CK17Dl2SB8bZOVonSl","id.orig_h":"10.0.0.1","id.orig_p":49228,"id.resp_h":"192.168.50.1","id.resp_p":443,"version":"TLSv12","cipher":"TLS_RSA_WITH_AES_128_CBC_SHA256","resumed":false,"established":true,"cert_chain_fuids":["FOLwYQ6rs70bIMSf9"],"client_cert_chain_fuids":[],"subject":"CN=foo,OU=foo@bar,O=org,L=locality,C=LO","issuer":"CN=CA,OU=CA@example.com,O=Example Corp,L=foo,C=HI","validation_status":"self signed certificate","ja3":"74927e242d6c3febf8cb9cab10a7f889","ja3s":"80b3a14bccc8598a1f3bbe83e71f735f","resp_certificate_sha1":"5dad8b55621b6b9c30679d9d61248dd132a83c94","not_valid_before":1562022421,"not_valid_after":1577748224} +{"ts":1547688736.805527,"uid":"CfGBt82PzCXzHa0iek","id.orig_h":"10.178.98.102","id.orig_p":63197,"id.resp_h":"89.160.20.156","id.resp_p":9243,"version":"TLSv12","cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","curve":"secp256r1","server_name":"dd625ffb4fc54735b281862aa1cd6cd4.us-west1.gcp.cloud.es.io","resumed":false,"established":true,"cert_chain_fuids":["FiFLYv3UjeWyv2gcW","FvSsiB1Xi816EMagI9","FWpPS4mjGaAhTRXLf"],"client_cert_chain_fuids":[],"subject":"CN=*.gcp.cloud.es.io,O=Elasticsearch\u005c, Inc.,L=Mountain View,ST=California,C=US","issuer":"CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US","validation_status":"ok"} +{"ts":1602179457.352156,"uid":"CK17Dl2SB8bZOVonSl","id.orig_h":"10.0.0.1","id.orig_p":49228,"id.resp_h":"192.168.50.1","id.resp_p":443,"version":"TLSv12","cipher":"TLS_RSA_WITH_AES_128_CBC_SHA256","resumed":false,"established":true,"cert_chain_fuids":["FOLwYQ6rs70bIMSf9"],"client_cert_chain_fuids":[],"subject":"CN=foo,OU=foo@bar,O=org,L=locality,C=LO","issuer":"CN=CA,OU=CA@example.com,O=Example Corp,L=foo,C=HI","validation_status":"self signed 
certificate","ja3":"74927e242d6c3febf8cb9cab10a7f889","ja3s":"80b3a14bccc8598a1f3bbe83e71f735f","resp_certificate_sha1":"5dad8b55621b6b9c30679d9d61248dd132a83c94","not_valid_before":1562022421,"not_valid_after":1577748224} {"ts":1617091251.151303,"uid":"CLQiVH1VcpvT3ruEak","id.orig_h":"10.156.0.2","id.orig_p":52730,"id.resp_h":"89.160.20.156","id.resp_p":443,"version":"TLSv12","cipher":"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","resumed":false,"established":false} {"ts":1617090955.826099,"uid":"CBiXOC4IqYxMv1xzf9","id.orig_h":"89.160.20.156","id.orig_p":52678,"id.resp_h":"10.156.0.2","id.resp_p":443,"server_name":"splunk-api.swiftcrypto.com","resumed":false,"established":false} {"ts":1617091253.726384,"uid":"C4jH9IqWGZwc1PPUh","id.orig_h":"89.160.20.156","id.orig_p":53368,"id.resp_h":"10.156.0.2","id.resp_p":443,"server_name":"tickets.swiftcrypto.com","resumed":false,"established":false} {"ts":1617091253.91861,"uid":"CXVMSq6Dainy4WFN9","id.orig_h":"89.160.20.156","id.orig_p":53382,"id.resp_h":"10.156.0.2","id.resp_p":443,"server_name":"rundeck.swiftcrypto.com","resumed":false,"established":false} {"ts":1617091254.325291,"uid":"CsgtQe4AikDZBsIM6k","id.orig_h":"10.156.0.2","id.orig_p":55120,"id.resp_h":"89.160.20.156","id.resp_p":443,"version":"TLSv12","cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","curve":"secp256r1","resumed":false,"established":false,"cert_chain_fuids":["FeyRIk4nUtwwcUcnRf"],"client_cert_chain_fuids":[],"validation_status":"self signed certificate"} {"ts":1617091255.065602,"uid":"CPGhJS3UPpcnR96NQc","id.orig_h":"89.160.20.156","id.orig_p":53095,"id.resp_h":"10.156.0.2","id.resp_p":443,"server_name":"splunk-api.swiftcrypto.com","resumed":false,"established":false} 
-{"preview":false,"offset":0,"result":{"_bkt":"main~0~0758E7C3-1D0C-4B2B-8CF0-682BFEA86CDC","_cd":"0:12","_indextime":"1608752616","_raw":"{\"ts\":1547688736.805527,\"uid\":\"CfGBt82PzCXzHa0iek\",\"id.orig_h\":\"10.178.98.102\",\"id.orig_p\":63197,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":9243,\"version\":\"TLSv12\",\"cipher\":\"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\",\"curve\":\"secp256r1\",\"server_name\":\"dd625ffb4fc54735b281862aa1cd6cd4.us-west1.gcp.cloud.es.io\",\"resumed\":false,\"established\":true,\"cert_chain_fuids\":[\"FiFLYv3UjeWyv2gcW\",\"FvSsiB1Xi816EMagI9\",\"FWpPS4mjGaAhTRXLf\"],\"client_cert_chain_fuids\":[],\"subject\":\"CN=*.gcp.cloud.es.io,O=Elasticsearch\\u005c, Inc.,L=Mountain View,ST=California,C=US\",\"issuer\":\"CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US\",\"validation_status\":\"ok\"}{\"ts\":1602179457.352156,\"uid\":\"CK17Dl2SB8bZOVonSl\",\"id.orig_h\":\"10.0.0.1\",\"id.orig_p\":49228,\"id.resp_h\":\"192.168.50.1\",\"id.resp_p\":443,\"version\":\"TLSv12\",\"cipher\":\"TLS_RSA_WITH_AES_128_CBC_SHA256\",\"resumed\":false,\"established\":true,\"cert_chain_fuids\":[\"FOLwYQ6rs70bIMSf9\"],\"client_cert_chain_fuids\":[],\"subject\":\"CN=foo,OU=foo@bar,O=org,L=locality,C=LO\",\"issuer\":\"CN=CA,OU=CA@example.com,O=Example Corp,L=foo,C=HI\",\"validation_status\":\"self signed certificate\",\"ja3\":\"74927e242d6c3febf8cb9cab10a7f889\",\"ja3s\":\"80b3a14bccc8598a1f3bbe83e71f735f\",\"resp_certificate_sha1\":\"5dad8b55621b6b9c30679d9d61248dd132a83c94\",\"not_valid_before\":1562022421,\"not_valid_after\":1577748224}","_serial":"0","_si":["b590508aafed","main"],"_sourcetype":"access_log-too_small","_time":"2020-12-23 19:43:35.000 UTC","host":"Lees-MBP.localdomain","index":"main","linecount":"1","my_max":"1608759317","source":"/usr/local/var/log/zeek/ssl.log","sourcetype":"access_log-too_small","splunk_server":"b590508aafed"}} 
+{"preview":false,"offset":0,"result":{"_bkt":"main~0~0758E7C3-1D0C-4B2B-8CF0-682BFEA86CDC","_cd":"0:12","_indextime":"1608752616","_raw":"{\"ts\":1547688736.805527,\"uid\":\"CfGBt82PzCXzHa0iek\",\"id.orig_h\":\"10.178.98.102\",\"id.orig_p\":63197,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":9243,\"version\":\"TLSv12\",\"cipher\":\"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\",\"curve\":\"secp256r1\",\"server_name\":\"dd625ffb4fc54735b281862aa1cd6cd4.us-west1.gcp.cloud.es.io\",\"resumed\":false,\"established\":true,\"cert_chain_fuids\":[\"FiFLYv3UjeWyv2gcW\",\"FvSsiB1Xi816EMagI9\",\"FWpPS4mjGaAhTRXLf\"],\"client_cert_chain_fuids\":[],\"subject\":\"CN=*.gcp.cloud.es.io,O=Elasticsearch\\u005c, Inc.,L=Mountain View,ST=California,C=US\",\"issuer\":\"CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US\",\"validation_status\":\"ok\"}"}} +{"preview":false,"offset":0,"result":{"_bkt":"main~0~0758E7C3-1D0C-4B2B-8CF0-682BFEA86CDC","_cd":"0:12","_indextime":"1608752616","_raw":"{\"ts\":1602179457.352156,\"uid\":\"CK17Dl2SB8bZOVonSl\",\"id.orig_h\":\"10.0.0.1\",\"id.orig_p\":49228,\"id.resp_h\":\"192.168.50.1\",\"id.resp_p\":443,\"version\":\"TLSv12\",\"cipher\":\"TLS_RSA_WITH_AES_128_CBC_SHA256\",\"resumed\":false,\"established\":true,\"cert_chain_fuids\":[\"FOLwYQ6rs70bIMSf9\"],\"client_cert_chain_fuids\":[],\"subject\":\"CN=foo,OU=foo@bar,O=org,L=locality,C=LO\",\"issuer\":\"CN=CA,OU=CA@example.com,O=Example Corp,L=foo,C=HI\",\"validation_status\":\"self signed certificate\",\"ja3\":\"74927e242d6c3febf8cb9cab10a7f889\",\"ja3s\":\"80b3a14bccc8598a1f3bbe83e71f735f\",\"resp_certificate_sha1\":\"5dad8b55621b6b9c30679d9d61248dd132a83c94\",\"not_valid_before\":1562022421,\"not_valid_after\":1577748224}","_serial":"0","_si":["b590508aafed","main"],"_sourcetype":"access_log-too_small","_time":"2020-12-23 19:43:35.000 
UTC","host":"Lees-MBP.localdomain","index":"main","linecount":"1","my_max":"1608759317","source":"/usr/local/var/log/zeek/ssl.log","sourcetype":"access_log-too_small","splunk_server":"b590508aafed"}} diff --git a/packages/zeek/data_stream/ssl/_dev/test/pipeline/test-ssl.log-expected.json b/packages/zeek/data_stream/ssl/_dev/test/pipeline/test-ssl.log-expected.json index 934857aaffd..7e5603217ef 100644 --- a/packages/zeek/data_stream/ssl/_dev/test/pipeline/test-ssl.log-expected.json +++ b/packages/zeek/data_stream/ssl/_dev/test/pipeline/test-ssl.log-expected.json 
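Review bot: The first of the two Splunk-wrapped fixture records that replace the old concatenated line ends with `\"validation_status\":\"ok\"}"}}`, so its `result` object carries only `_bkt`, `_cd`, `_indextime` and `_raw`, whereas the original line and the second new record keep the full `_serial`, `_si`, `_sourcetype`, `_time`, `host`, `index`, `linecount`, `my_max`, `source`, `sourcetype` and `splunk_server` set. If the pipeline reads anything beyond `result._raw` from these records (I cannot see the Splunk-handling processors from this diff), the two fixtures now exercise different code paths; if it only reads `_raw`, the trimmed record is still a misleading sample. Restoring the trailing fields on the first record, copied from the second, keeps the fixture uniform either way.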
@@ -288,7 +288,7 @@ "created": "2020-04-28T11:07:58.223Z", "id": "CfGBt82PzCXzHa0iek", "kind": "event", - "original": "{\"ts\":1547688736.805527,\"uid\":\"CfGBt82PzCXzHa0iek\",\"id.orig_h\":\"10.178.98.102\",\"id.orig_p\":63197,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":9243,\"version\":\"TLSv12\",\"cipher\":\"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\",\"curve\":\"secp256r1\",\"server_name\":\"dd625ffb4fc54735b281862aa1cd6cd4.us-west1.gcp.cloud.es.io\",\"resumed\":false,\"established\":true,\"cert_chain_fuids\":[\"FiFLYv3UjeWyv2gcW\",\"FvSsiB1Xi816EMagI9\",\"FWpPS4mjGaAhTRXLf\"],\"client_cert_chain_fuids\":[],\"subject\":\"CN=*.gcp.cloud.es.io,O=Elasticsearch\\u005c, Inc.,L=Mountain View,ST=California,C=US\",\"issuer\":\"CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US\",\"validation_status\":\"ok\"}{\"ts\":1602179457.352156,\"uid\":\"CK17Dl2SB8bZOVonSl\",\"id.orig_h\":\"10.0.0.1\",\"id.orig_p\":49228,\"id.resp_h\":\"192.168.50.1\",\"id.resp_p\":443,\"version\":\"TLSv12\",\"cipher\":\"TLS_RSA_WITH_AES_128_CBC_SHA256\",\"resumed\":false,\"established\":true,\"cert_chain_fuids\":[\"FOLwYQ6rs70bIMSf9\"],\"client_cert_chain_fuids\":[],\"subject\":\"CN=foo,OU=foo@bar,O=org,L=locality,C=LO\",\"issuer\":\"CN=CA,OU=CA@example.com,O=Example Corp,L=foo,C=HI\",\"validation_status\":\"self signed certificate\",\"ja3\":\"74927e242d6c3febf8cb9cab10a7f889\",\"ja3s\":\"80b3a14bccc8598a1f3bbe83e71f735f\",\"resp_certificate_sha1\":\"5dad8b55621b6b9c30679d9d61248dd132a83c94\",\"not_valid_before\":1562022421,\"not_valid_after\":1577748224}", + "original": 
"{\"ts\":1547688736.805527,\"uid\":\"CfGBt82PzCXzHa0iek\",\"id.orig_h\":\"10.178.98.102\",\"id.orig_p\":63197,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":9243,\"version\":\"TLSv12\",\"cipher\":\"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\",\"curve\":\"secp256r1\",\"server_name\":\"dd625ffb4fc54735b281862aa1cd6cd4.us-west1.gcp.cloud.es.io\",\"resumed\":false,\"established\":true,\"cert_chain_fuids\":[\"FiFLYv3UjeWyv2gcW\",\"FvSsiB1Xi816EMagI9\",\"FWpPS4mjGaAhTRXLf\"],\"client_cert_chain_fuids\":[],\"subject\":\"CN=*.gcp.cloud.es.io,O=Elasticsearch\\u005c, Inc.,L=Mountain View,ST=California,C=US\",\"issuer\":\"CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US\",\"validation_status\":\"ok\"}", "type": [ "connection", "protocol" 
@@ -375,6 +375,125 @@ } } }, + { + "@timestamp": "2020-10-08T17:50:57.352Z", + "client": { + "address": "10.0.0.1" + }, + "destination": { + "address": "192.168.50.1", + "ip": "192.168.50.1", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "category": [ + "network" + ], + "created": "2020-04-28T11:07:58.223Z", + "id": "CK17Dl2SB8bZOVonSl", + "kind": "event", + "original": "{\"ts\":1602179457.352156,\"uid\":\"CK17Dl2SB8bZOVonSl\",\"id.orig_h\":\"10.0.0.1\",\"id.orig_p\":49228,\"id.resp_h\":\"192.168.50.1\",\"id.resp_p\":443,\"version\":\"TLSv12\",\"cipher\":\"TLS_RSA_WITH_AES_128_CBC_SHA256\",\"resumed\":false,\"established\":true,\"cert_chain_fuids\":[\"FOLwYQ6rs70bIMSf9\"],\"client_cert_chain_fuids\":[],\"subject\":\"CN=foo,OU=foo@bar,O=org,L=locality,C=LO\",\"issuer\":\"CN=CA,OU=CA@example.com,O=Example Corp,L=foo,C=HI\",\"validation_status\":\"self signed certificate\",\"ja3\":\"74927e242d6c3febf8cb9cab10a7f889\",\"ja3s\":\"80b3a14bccc8598a1f3bbe83e71f735f\",\"resp_certificate_sha1\":\"5dad8b55621b6b9c30679d9d61248dd132a83c94\",\"not_valid_before\":1562022421,\"not_valid_after\":1577748224}", + "type": [ + "connection", + "protocol" + ] + }, + "network": { + "community_id": "1:qNHgoGHFvyhhK2jU7LlS3537ODc=", + "transport": "tcp" + }, + "related": { + "hash": [ + "80b3a14bccc8598a1f3bbe83e71f735f", + "74927e242d6c3febf8cb9cab10a7f889" + ], + "ip": [ + "10.0.0.1", + "192.168.50.1" + ] + }, + "server": { + "address": "192.168.50.1" + }, + "source": { + "address": "10.0.0.1", + "ip": "10.0.0.1", + "port": 49228 + }, + "tags": [ + "preserve_original_event" + ], + "tls": { + "cipher": "TLS_RSA_WITH_AES_128_CBC_SHA256", + "client": { + "ja3": "74927e242d6c3febf8cb9cab10a7f889" + }, + "established": true, + "resumed": false, + "server": { + "hash": { + "sha1": "5DAD8B55621B6B9C30679D9D61248DD132A83C94" + }, + "issuer": "CN=CA,OU=CA@example.com,O=Example Corp,L=foo,C=HI", + "ja3s": "80b3a14bccc8598a1f3bbe83e71f735f", + "not_after": 
"2019-12-30T23:23:44.000Z", + "not_before": "2019-07-01T23:07:01.000Z", + "subject": "CN=foo,OU=foo@bar,O=org,L=locality,C=LO", + "x509": { + "issuer": { + "common_name": "CA", + "country": "HI", + "locality": "foo", + "organization": "Example Corp", + "organizational_unit": "CA@example.com" + }, + "subject": { + "common_name": "foo", + "country": "LO", + "locality": "locality", + "organization": "org", + "organizational_unit": "foo@bar" + } + } + }, + "version": "1.2", + "version_protocol": "tls" + }, + "zeek": { + "session_id": "CK17Dl2SB8bZOVonSl", + "ssl": { + "cipher": "TLS_RSA_WITH_AES_128_CBC_SHA256", + "established": true, + "resumed": false, + "server": { + "cert_chain_fuids": [ + "FOLwYQ6rs70bIMSf9" + ], + "issuer": { + "common_name": "CA", + "country": "HI", + "locality": "foo", + "organization": "Example Corp", + "organizational_unit": "CA@example.com" + }, + "subject": { + "common_name": "foo", + "country": "LO", + "locality": "locality", + "organization": "org", + "organizational_unit": "foo@bar" + } + }, + "validation": { + "status": "self signed certificate" + }, + "version": "TLSv12" + } + } + }, { "@timestamp": "2021-03-30T08:00:51.151Z", "client": { 
@@ -907,20 +1026,12 @@ "created": "2020-04-28T11:07:58.223Z", "id": "CfGBt82PzCXzHa0iek", "kind": "event", - "original": "{\"ts\":1547688736.805527,\"uid\":\"CfGBt82PzCXzHa0iek\",\"id.orig_h\":\"10.178.98.102\",\"id.orig_p\":63197,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":9243,\"version\":\"TLSv12\",\"cipher\":\"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\",\"curve\":\"secp256r1\",\"server_name\":\"dd625ffb4fc54735b281862aa1cd6cd4.us-west1.gcp.cloud.es.io\",\"resumed\":false,\"established\":true,\"cert_chain_fuids\":[\"FiFLYv3UjeWyv2gcW\",\"FvSsiB1Xi816EMagI9\",\"FWpPS4mjGaAhTRXLf\"],\"client_cert_chain_fuids\":[],\"subject\":\"CN=*.gcp.cloud.es.io,O=Elasticsearch\\u005c, Inc.,L=Mountain View,ST=California,C=US\",\"issuer\":\"CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US\",\"validation_status\":\"ok\"}{\"ts\":1602179457.352156,\"uid\":\"CK17Dl2SB8bZOVonSl\",\"id.orig_h\":\"10.0.0.1\",\"id.orig_p\":49228,\"id.resp_h\":\"192.168.50.1\",\"id.resp_p\":443,\"version\":\"TLSv12\",\"cipher\":\"TLS_RSA_WITH_AES_128_CBC_SHA256\",\"resumed\":false,\"established\":true,\"cert_chain_fuids\":[\"FOLwYQ6rs70bIMSf9\"],\"client_cert_chain_fuids\":[],\"subject\":\"CN=foo,OU=foo@bar,O=org,L=locality,C=LO\",\"issuer\":\"CN=CA,OU=CA@example.com,O=Example Corp,L=foo,C=HI\",\"validation_status\":\"self signed certificate\",\"ja3\":\"74927e242d6c3febf8cb9cab10a7f889\",\"ja3s\":\"80b3a14bccc8598a1f3bbe83e71f735f\",\"resp_certificate_sha1\":\"5dad8b55621b6b9c30679d9d61248dd132a83c94\",\"not_valid_before\":1562022421,\"not_valid_after\":1577748224}", + "original": 
"{\"ts\":1547688736.805527,\"uid\":\"CfGBt82PzCXzHa0iek\",\"id.orig_h\":\"10.178.98.102\",\"id.orig_p\":63197,\"id.resp_h\":\"89.160.20.156\",\"id.resp_p\":9243,\"version\":\"TLSv12\",\"cipher\":\"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\",\"curve\":\"secp256r1\",\"server_name\":\"dd625ffb4fc54735b281862aa1cd6cd4.us-west1.gcp.cloud.es.io\",\"resumed\":false,\"established\":true,\"cert_chain_fuids\":[\"FiFLYv3UjeWyv2gcW\",\"FvSsiB1Xi816EMagI9\",\"FWpPS4mjGaAhTRXLf\"],\"client_cert_chain_fuids\":[],\"subject\":\"CN=*.gcp.cloud.es.io,O=Elasticsearch\\u005c, Inc.,L=Mountain View,ST=California,C=US\",\"issuer\":\"CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US\",\"validation_status\":\"ok\"}", "type": [ "connection", "protocol" ] }, - "host": { - "name": "Lees-MBP.localdomain" - }, - "log": { - "file": { - "path": "/usr/local/var/log/zeek/ssl.log" - } - }, "network": { "community_id": "1:mDZkdHx1U/LONMQj/IW5B+esLpU=", "transport": "tcp" 
@@ -1001,6 +1112,133 @@ "version": "TLSv12" } } + }, + { + "@timestamp": "2020-10-08T17:50:57.352Z", + "client": { + "address": "10.0.0.1" + }, + "destination": { + "address": "192.168.50.1", + "ip": "192.168.50.1", + "port": 443 + }, + "ecs": { + "version": "8.2.0" + }, + "event": { + "category": [ + "network" + ], + "created": "2020-04-28T11:07:58.223Z", + "id": "CK17Dl2SB8bZOVonSl", + "kind": "event", + "original": "{\"ts\":1602179457.352156,\"uid\":\"CK17Dl2SB8bZOVonSl\",\"id.orig_h\":\"10.0.0.1\",\"id.orig_p\":49228,\"id.resp_h\":\"192.168.50.1\",\"id.resp_p\":443,\"version\":\"TLSv12\",\"cipher\":\"TLS_RSA_WITH_AES_128_CBC_SHA256\",\"resumed\":false,\"established\":true,\"cert_chain_fuids\":[\"FOLwYQ6rs70bIMSf9\"],\"client_cert_chain_fuids\":[],\"subject\":\"CN=foo,OU=foo@bar,O=org,L=locality,C=LO\",\"issuer\":\"CN=CA,OU=CA@example.com,O=Example Corp,L=foo,C=HI\",\"validation_status\":\"self signed certificate\",\"ja3\":\"74927e242d6c3febf8cb9cab10a7f889\",\"ja3s\":\"80b3a14bccc8598a1f3bbe83e71f735f\",\"resp_certificate_sha1\":\"5dad8b55621b6b9c30679d9d61248dd132a83c94\",\"not_valid_before\":1562022421,\"not_valid_after\":1577748224}", + "type": [ + "connection", + "protocol" + ] + }, + "host": { + "name": "Lees-MBP.localdomain" + }, + "log": { + "file": { + "path": "/usr/local/var/log/zeek/ssl.log" + } + }, + "network": { + "community_id": "1:qNHgoGHFvyhhK2jU7LlS3537ODc=", + "transport": "tcp" + }, + "related": { + "hash": [ + "80b3a14bccc8598a1f3bbe83e71f735f", + "74927e242d6c3febf8cb9cab10a7f889" + ], + "ip": [ + "10.0.0.1", + "192.168.50.1" + ] + }, + "server": { + "address": "192.168.50.1" + }, + "source": { + "address": "10.0.0.1", + "ip": "10.0.0.1", + "port": 49228 + }, + "tags": [ + "preserve_original_event" + ], + "tls": { + "cipher": "TLS_RSA_WITH_AES_128_CBC_SHA256", + "client": { + "ja3": "74927e242d6c3febf8cb9cab10a7f889" + }, + "established": true, + "resumed": false, + "server": { + "hash": { + "sha1": 
"5DAD8B55621B6B9C30679D9D61248DD132A83C94" + }, + "issuer": "CN=CA,OU=CA@example.com,O=Example Corp,L=foo,C=HI", + "ja3s": "80b3a14bccc8598a1f3bbe83e71f735f", + "not_after": "2019-12-30T23:23:44.000Z", + "not_before": "2019-07-01T23:07:01.000Z", + "subject": "CN=foo,OU=foo@bar,O=org,L=locality,C=LO", + "x509": { + "issuer": { + "common_name": "CA", + "country": "HI", + "locality": "foo", + "organization": "Example Corp", + "organizational_unit": "CA@example.com" + }, + "subject": { + "common_name": "foo", + "country": "LO", + "locality": "locality", + "organization": "org", + "organizational_unit": "foo@bar" + } + } + }, + "version": "1.2", + "version_protocol": "tls" + }, + "zeek": { + "session_id": "CK17Dl2SB8bZOVonSl", + "ssl": { + "cipher": "TLS_RSA_WITH_AES_128_CBC_SHA256", + "established": true, + "resumed": false, + "server": { + "cert_chain_fuids": [ + "FOLwYQ6rs70bIMSf9" + ], + "issuer": { + "common_name": "CA", + "country": "HI", + "locality": "foo", + "organization": "Example Corp", + "organizational_unit": "CA@example.com" + }, + "subject": { + "common_name": "foo", + "country": "LO", + "locality": "locality", + "organization": "org", + "organizational_unit": "foo@bar" + } + }, + "validation": { + "status": "self signed certificate" + }, + "version": "TLSv12" + } + } } ] } \ No newline at end of file diff --git a/packages/zeek/data_stream/ssl/elasticsearch/ingest_pipeline/default.yml b/packages/zeek/data_stream/ssl/elasticsearch/ingest_pipeline/default.yml index d18e3cd5a1f..449a24acde4 100644 --- a/packages/zeek/data_stream/ssl/elasticsearch/ingest_pipeline/default.yml +++ b/packages/zeek/data_stream/ssl/elasticsearch/ingest_pipeline/default.yml 
@@ -130,6 +130,14 @@ processors:
 - ISO8601
 - remove:
 field: zeek.ssl.ts
+ - rename:
+ field: zeek.ssl.not_valid_after
+ target_field: tls.server.not_after
+ ignore_missing: true
+ - rename:
+ field: zeek.ssl.not_valid_before
+ target_field: tls.server.not_before
+ ignore_missing: true
 - date:
 if: ctx.tls?.server?.not_before != null
 field: tls.server.not_before
@@ -207,6 +215,13 @@ processors:
 field: zeek.ssl.server.issuer.C
 target_field: zeek.ssl.server.issuer.country
 ignore_missing: true
+ - rename:
+ field: zeek.ssl.resp_certificate_sha1
+ target_field: tls.server.hash.sha1
+ ignore_missing: true
+ - uppercase:
+ field: tls.server.hash.sha1
+ ignore_missing: true
 - set:
 field: tls.server.x509.issuer.country
 value: "{{zeek.ssl.server.issuer.country}}"
@@ -471,6 +486,14 @@ processors:
 ctx.tls.version = parts[1].substring(0,1) + "." + parts[1].substring(1);
 }
 ctx.tls.version_protocol = parts[0].toLowerCase();
+ - rename:
+ field: zeek.ssl.ja3
+ target_field: tls.client.ja3
+ ignore_missing: true
+ - rename:
+ field: zeek.ssl.ja3s
+ target_field: tls.server.ja3s
+ ignore_missing: true
 - append:
 field: related.ip
 value: "{{source.ip}}"
@@ -481,6 +504,15 @@ processors:
 value: "{{destination.ip}}"
 if: "ctx?.destination?.ip != null"
 allow_duplicates: false
+ - append:
+ field: related.hash
+ value: "{{tls.server.ja3s}}"
+ if: "ctx?.tls?.server?.ja3s != null"
+ - append:
+ field: related.hash
+ value: "{{tls.client.ja3}}"
+ if: "ctx?.tls?.client?.ja3 != null"
+ allow_duplicates: false
 - community_id:
 target_field: network.community_id
 - remove:
diff --git a/packages/zeek/data_stream/ssl/fields/ecs.yml b/packages/zeek/data_stream/ssl/fields/ecs.yml
index 27c39bf622b..6aa9ef6b90c 100644
--- a/packages/zeek/data_stream/ssl/fields/ecs.yml
+++ b/packages/zeek/data_stream/ssl/fields/ecs.yml
@@ -52,6 +52,8 @@
 name: network.transport
 - external: ecs
 name: related.ip
+- external: ecs
+ name: related.hash
 - external: ecs
 name: server.address
 - external: ecs
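Review bot: The `related.hash` append for `tls.server.ja3s` in the last hunk (`@@ -481,6 +504,15 @@`) carries no `allow_duplicates: false`, while the sibling append for `tls.client.ja3` directly below it and the existing `related.ip` appends above it all do; add `allow_duplicates: false` under its `if:` so the two new processors behave the same and a value already present in `related.hash` is not appended a second time. Since the README hunk on this page describes `related.hash` as "all the hashes seen on your event", the certificate fingerprint the second hunk now lands in `tls.server.hash.sha1` is presumably also a candidate for an append there, which would let analysts pivot on the server certificate the same way as on the JA3/JA3S fingerprints. The JA3/JA3S renames in the third hunk and the `uppercase` of `tls.server.hash.sha1` in the second hunk look consistent with the ECS descriptions of those fields given in the README hunks. The enclosing `processors:` list starts and ends outside these hunks.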
@@ -98,6 +100,8 @@
 name: tls.client.x509.subject.organizational_unit
 - external: ecs
 name: tls.client.x509.subject.state_or_province
+- external: ecs
+ name: tls.client.ja3
 - external: ecs
 name: tls.curve
 - external: ecs
@@ -134,6 +138,14 @@
 name: tls.server.x509.subject.organizational_unit
 - external: ecs
 name: tls.server.x509.subject.state_or_province
+- external: ecs
+ name: tls.server.ja3s
+- external: ecs
+ name: tls.server.not_after
+- external: ecs
+ name: tls.server.not_before
+- external: ecs
+ name: tls.server.hash.sha1
 - external: ecs
 name: tls.version
 - external: ecs
diff --git a/packages/zeek/docs/README.md b/packages/zeek/docs/README.md
index 2d9054112e0..2eb68159225 100644
--- a/packages/zeek/docs/README.md
+++ b/packages/zeek/docs/README.md
@@ -3492,6 +3492,7 @@ SSL/TLS handshake info.
 | log.offset | Offset of the entry in the log file. | long |
 | network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
 | network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
+| related.hash | All the hashes seen on your event. Populating this field, then using it to search for hashes can help in situations where you're unsure what the hash algorithm is (and therefore which key name to search). | keyword |
 | related.ip | All of the IPs seen on your event. | ip |
 | server.address | Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
 | source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
@@ -3511,6 +3512,7 @@ SSL/TLS handshake info.
 | tags | List of keywords used to tag each event. | keyword |
 | tls.cipher | String indicating the cipher used during the current connection. | keyword |
 | tls.client.issuer | Distinguished name of subject of the issuer of the x.509 certificate presented by the client. | keyword |
+| tls.client.ja3 | A hash that identifies clients based on how they perform an SSL/TLS handshake. | keyword |
 | tls.client.x509.subject.common_name | List of common names (CN) of subject. | keyword |
 | tls.client.x509.subject.country | List of country (C) code | keyword |
 | tls.client.x509.subject.locality | List of locality names (L) | keyword |
@@ -3520,7 +3522,11 @@ SSL/TLS handshake info.
 | tls.curve | String indicating the curve used for the given cipher, when applicable. | keyword |
 | tls.established | Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. | boolean |
 | tls.resumed | Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. | boolean |
+| tls.server.hash.sha1 | Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. For consistency with other hash values, this value should be formatted as an uppercase hash. | keyword |
 | tls.server.issuer | Subject of the issuer of the x.509 certificate presented by the server. | keyword |
+| tls.server.ja3s | A hash that identifies servers based on how they perform an SSL/TLS handshake. | keyword |
+| tls.server.not_after | Timestamp indicating when server certificate is no longer considered valid. | date |
+| tls.server.not_before | Timestamp indicating when server certificate is first considered valid. | date |
 | tls.server.subject | Subject of the x.509 certificate presented by the server. | keyword |
 | tls.server.x509.issuer.common_name | List of common name (CN) of issuing certificate authority. | keyword |
 | tls.server.x509.issuer.country | List of country (C) codes | keyword |
diff --git a/packages/zeek/manifest.yml b/packages/zeek/manifest.yml
index c345f422281..4f66bdcf7f1 100644
--- a/packages/zeek/manifest.yml
+++ b/packages/zeek/manifest.yml
@@ -1,6 +1,6 @@
 name: zeek
 title: Zeek Logs
-version: 2.0.0
+version: 2.1.0
 release: ga
 description: Collect and parse logs from Zeek network security with Elastic Agent.
 type: integration