Revert back to identity field
legoguy1000 committed Sep 2, 2022
1 parent ef7eaef commit 5c77032
Showing 6 changed files with 36 additions and 20 deletions.
@@ -7,6 +7,7 @@
"amp_disposition": "MalwareName",
"av_detections": "AVDetectionName",
"categories": "Business Services",
"identity": "elasticuser",
"identity_types": [
"Roaming Computers"
],
@@ -81,9 +82,6 @@
"path": "/blog/ext_id=Anyclip",
"scheme": "https"
},
"user": {
"name": "elasticuser"
},
"user_agent": {
"original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36"
}
@@ -95,6 +93,7 @@
"amp_disposition": "MalwareName",
"av_detections": "AVDetectionName",
"categories": "Business Services",
"identity": "elasticuser",
"identity_types": [
"Roaming Computers"
],
@@ -169,9 +168,6 @@
"path": "/blog/ext_id=Anyclip",
"scheme": "https"
},
"user": {
"name": "elasticuser"
},
"user_agent": {
"original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36"
}
@@ -180,7 +176,8 @@
"@timestamp": "2017-10-02T23:52:53.000Z",
"cisco": {
"umbrella": {
"blocked_categories": "Networks"
"blocked_categories": "Networks",
"identity": "elasticuser"
}
},
"ecs": {
@@ -236,9 +233,6 @@
"path": "/the.js",
"scheme": "http"
},
"user": {
"name": "elasticuser"
},
"user_agent": {
"original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
}
@@ -254,6 +248,7 @@
"ADSite",
"Network"
],
"identity": "TheComputerName",
"identity_types": [
"Roaming Computer",
"Site",
@@ -338,9 +333,6 @@
"path": "/the.js",
"scheme": "http"
},
"user": {
"name": "TheComputerName"
},
"user_agent": {
"original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"
}
@@ -67,7 +67,11 @@ tags:
{{#contains "forwarded" tags}}
publisher_pipeline.disable_host: true
{{/contains}}
{{#if processors}}
processors:
{{#if processors}}
{{processors}}
{{/if}}
{{/if}}
- add_fields:
target: _config
fields:
identity_pipeline: {{identities_pipeline}}
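Review bot: The pipeline name is interpolated unquoted at `identity_pipeline: {{identities_pipeline}}`, so a value containing `: ` or ` #`, or starting with a YAML indicator, breaks the rendered stream configuration instead of being passed through as a string; quote it as `identity_pipeline: "{{identities_pipeline}}"`. The trade-off is that a cleared variable then renders as `""` rather than null, so the `ctx._config?.identity_pipeline != null` guard on the ingest side would also need to reject an empty string. Since `processors:` is now emitted unconditionally, a one-line comment above it noting that the inner `{{#if processors}}` only guards the user-supplied entries and that `add_fields` is always present would save the next reader a double take.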
@@ -71,7 +71,7 @@ processors:
field: event.original
target_fields:
- cisco.umbrella._tmp.time
- user.name
- cisco.umbrella.identity
- source.address
- source.nat.ip
- destination.address
@@ -180,6 +180,7 @@ processors:
separator: ",\\s*"
preserve_trailing: false
if: "ctx.cisco?.umbrella?.identity_types != null"

######################
# General ECS Fields #
######################
@@ -417,6 +418,10 @@ processors:
addRelatedUser(ctx, cisco_identity);
}
}
- pipeline:
name: '{{ _config.identity_pipeline }}'
ignore_failure: true
if: ctx._config?.identity_pipeline != null

###########
# Cleanup #
@@ -427,6 +432,7 @@ processors:
- cisco.umbrella.direction
- cisco.umbrella.action
- cisco.umbrella.verdict
- _config
ignore_missing: true

- remove:
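Review bot: The new `pipeline` processor runs with `ignore_failure: true`, so if the pipeline named by `_config.identity_pipeline` is not installed or throws, the event is indexed with `cisco.umbrella.identity` set but none of the ECS user fields the sub-pipeline is expected to populate, and nothing in the document records that this happened. For detection content keyed on `user.name` that is a silent gap; consider `ignore_missing_pipeline: true` for the not-installed case and an `on_failure` that appends to `error.message` (or a tag) for genuine errors, rather than blanket `ignore_failure: true`. The cleanup `remove` that drops `_config` is only reached on the success path; unless the pipeline's top-level `on_failure` handler (outside this hunk) also removes it, the raw policy setting presumably ends up indexed on events that fail earlier.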
6 changes: 6 additions & 0 deletions packages/cisco_umbrella/data_stream/log/fields/fields.yml
@@ -4,6 +4,11 @@
Fields for Cisco Umbrella.
fields:
- name: identity
type: keyword
description: >
The identity that made the request.
- name: identities
type: keyword
description: >
@@ -73,6 +78,7 @@
type: keyword
description: >
The unique identity of the network tunnel.
- name: request_method
type: keyword
- name: dlp_status
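Review bot: The description of the new `identity` field does not say how it relates to `identities` or to the ECS user fields, which matters now that `user.name` is no longer written directly by this data stream's pipeline. Suggest wording along the lines of `The raw identity that made the request, as reported by Umbrella. Mapping it to ECS user fields is delegated to the identities customization pipeline.`, keeping the existing `>` folded style, plus an `example:` so the generated README explains itself. The one added line in the second hunk is not visible in this rendering, so it is not reviewed here.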
8 changes: 8 additions & 0 deletions packages/cisco_umbrella/data_stream/log/manifest.yml
@@ -128,6 +128,14 @@ streams:
required: false
show_user: false
description: URL to proxy connections in the form of http\[s\]://<user>:<password>@<server name/ip>:<port>
- name: identities_pipeline
type: text
title: Identities Customization Pipeline
multi: false
required: false
show_user: false
description: Elasticsearch ingest pipeline to customize the Identities into the proper ECS fields
default: cisco-umbrella-identities-customization
- name: tags
type: text
title: Tags
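Review bot: The `identities_pipeline` description does not tell the operator that the named ingest pipeline must already exist in the cluster and is invoked per event from `_config.identity_pipeline`; with `show_user: false` and a default of `cisco-umbrella-identities-customization`, a missing pipeline will never surface in the policy UI. Suggest stating the prerequisite and the failure mode, e.g. `description: Name of an existing Elasticsearch ingest pipeline that maps the Umbrella identity fields to ECS user fields. If the pipeline is absent the identity is kept only in cisco.umbrella.identity.` (the ingest pipeline change on this commit appears to ignore the failure, so that second sentence should be confirmed against it).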
8 changes: 4 additions & 4 deletions packages/cisco_umbrella/docs/README.md
@@ -130,14 +130,14 @@ An example event for `log` looks as following:
| cisco.umbrella.blocked_categories | The categories that resulted in the destination being blocked. Available in version 4 and above. | keyword |
| cisco.umbrella.categories | The security or content categories that the destination matches. | keyword |
| cisco.umbrella.certificate_errors | | keyword |
| cisco.umbrella.computer_name | The computer name related to the event. | keyword |
| cisco.umbrella.content_type | The type of web content, typically text/html. | keyword |
| cisco.umbrella.datacenter | The name of the Umbrella Data Center that processed the user-generated traffic. | keyword |
| cisco.umbrella.destination_lists_id | | keyword |
| cisco.umbrella.dlp_status | | keyword |
| cisco.umbrella.file_name | | keyword |
| cisco.umbrella.identities | | keyword |
| cisco.umbrella.identity_types | | keyword |
| cisco.umbrella.identities | An array of the different identities related to the event. | keyword |
| cisco.umbrella.identity | The identity that made the request. | keyword |
| cisco.umbrella.identity_types | The type of identity that made the request. For example, Roaming Computer or Network. | keyword |
| cisco.umbrella.origin_id | The unique identity of the network tunnel. | keyword |
| cisco.umbrella.policy_identity_type | The first identity type matched with this request. Available in version 3 and above. | keyword |
| cisco.umbrella.puas | A list of all potentially unwanted application (PUA) results for the proxied file as returned by the antivirus scanner. | keyword |
@@ -206,7 +206,7 @@ An example event for `log` looks as following:
| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
| host.ip | Host ip addresses. | ip |
| host.mac | Host mac addresses. | keyword |
| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
| host.os.build | OS build information. | keyword |
| host.os.codename | OS codename, if any. | keyword |
