In trying to create a set of detection rules using the `github.audit` datastream, I've come across a few fields that need to be added to the field mapping. I've included sample logs below; each one contains one of the following fields in the `event.original` field of the ingested log, even though the field is not mapped.
In trying to create a set of detection rules using the `github.audit` datastream, I've come across a few fields that need to be added to the field mapping. I've included sample logs below; each one contains one of the following fields in the `event.original` field of the ingested log, even though the field is not mapped.

permission
``` { "_index": ".ds-logs-github.audit-default-2023.08.21-000001", "_id": "iKJXkR+G8OQtqub7PvXkRy5QIbQ=", "_version": 1, "_score": 0, "_source": { "agent": { "name": , "id": , "type": "filebeat", "ephemeral_id": , "version": "8.9.1" }, "github": { "org": "onyxsectec", "category": "org" }, "elastic_agent": { "id": , "version": "8.9.1", "snapshot": false }, "tags": [ "forwarded", "github-audit", "preserve_original_event" ], "cloud": { "availability_zone": "us-west-2b", "instance": { "name": , "id": }, "provider": "openstack", "service": { "name": "Nova" }, "machine": { "type": "t2.micro" } }, "input": { "type": "httpjson" }, "@timestamp": "2023-08-21T21:56:43.441Z", "ecs": { "version": "8.9.0" }, "related": { "user": [ "radsectec", "imays11" ] }, "data_stream": { "namespace": "default", "type": "logs", "dataset": "github.audit" }, "event": { "agent_id_status": "verified", "ingested": "2023-08-21T22:12:59Z", "original": "{\"@timestamp\":1692655003441,\"_document_id\":\"l-qlCkgECpbC74A-ELsoJA\",\"action\":\"org.add_member\",\"actor\":\"radsectec\",\"actor_id\":142823021,\"business\":\"rad-sec-tec\",\"business_id\":67609,\"created_at\":1692655003441,\"operation_type\":\"create\",\"org\":\"onyxsectec\",\"org_id\":142831595,\"permission\":\"admin\",\"user\":\"imays11\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36\",\"user_id\":59296946}", "created": "2023-08-21T22:12:58.469Z", "kind": "event", "action": "org.add_member", "id": "l-qlCkgECpbC74A-ELsoJA", "category": [ "configuration", "web", "iam" ], "type": [ "group", "user", "creation" ], "dataset": "github.audit" }, "user": { "name": "radsectec", "target": { "name": "imays11", "group": { "name": "onyxsectec" } } }, "group": { "name": "onyxsectec" } }, "fields": { "user.target.group.name": [ "onyxsectec" ], "elastic_agent.version": [ "8.9.1" ], "event.category": [ "configuration", "web", "iam" ], "github.org": [ "onyxsectec" ], 
"user.name": [ "radsectec" ], "cloud.availability_zone": [ "us-west-2b" ], "cloud.instance.id": [ "i-06fd0bb89bba80efe" ], "agent.type": [ "filebeat" ], "github.category": [ "org" ], "event.module": [ "github" ], "agent.name": [ "" ], "elastic_agent.snapshot": [ false ], "event.agent_id_status": [ "verified" ], "user.target.name.text": [ "imays11" ], "event.kind": [ "event" ], "group.name": [ "onyxsectec" ], "event.original": [ "{\"@timestamp\":1692655003441,\"_document_id\":\"l-qlCkgECpbC74A-ELsoJA\",\"action\":\"org.add_member\",\"actor\":\"radsectec\",\"actor_id\":142823021,\"business\":\"rad-sec-tec\",\"business_id\":67609,\"created_at\":1692655003441,\"operation_type\":\"create\",\"org\":\"onyxsectec\",\"org_id\":142831595,\"permission\":\"admin\",\"user\":\"imays11\",\"user_agent\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36\",\"user_id\":59296946}" ], "elastic_agent.id": [ "" ], "data_stream.namespace": [ "default" ], "input.type": [ "httpjson" ], "data_stream.type": [ "logs" ], "related.user": [ "radsectec", "imays11" ], "tags": [ "forwarded", "github-audit", "preserve_original_event" ], "user.target.name": [ "imays11" ], "cloud.machine.type": [ "t2.micro" ], "cloud.provider": [ "openstack" ], "event.action": [ "org.add_member" ], "event.ingested": [ "2023-08-21T22:12:59.000Z" ], "@timestamp": [ "2023-08-21T21:56:43.441Z" ], "agent.id": [ "" ], "cloud.service.name": [ "Nova" ], "ecs.version": [ "8.9.0" ], "data_stream.dataset": [ "github.audit" ], "event.created": [ "2023-08-21T22:12:58.469Z" ], "event.type": [ "group", "user", "creation" ], "agent.ephemeral_id": [ "" ], "agent.version": [ "8.9.1" ], "event.id": [ "l-qlCkgECpbC74A-ELsoJA" ], "event.dataset": [ "github.audit" ], "cloud.instance.name": [ "" ], "user.name.text": [ "radsectec" ] } } ```

repository_public
``` { "_index": ".ds-logs-github.audit-default-2023.08.21-000001", "_id": "VEEmLooBfUToQhciW1lg", "_version": 1, "_score": 0, "_source": { "cloud": { "availability_zone": "us-west-2b", "instance": { "name": "", "id": "" }, "provider": "openstack", "service": { "name": "Nova" }, "machine": { "type": "t2.micro" } }, "input": { "type": "httpjson" }, "agent": { "name": "", "id": "", "type": "filebeat", "ephemeral_id": "", "version": "8.9.1" }, "github": { "org": "onyxsectec", "repo": "onyxsectec/4", "category": "git" }, "@timestamp": "2023-08-25T18:45:48.721Z", "ecs": { "version": "8.9.0" }, "data_stream": { "namespace": "default", "type": "logs", "dataset": "github.audit" }, "elastic_agent": { "id": "", "version": "8.9.1", "snapshot": false }, "event": { "agent_id_status": "verified", "ingested": "2023-08-25T19:23:00Z", "original": "{\"@timestamp\":1692989148721,\"action\":\"git.clone\",\"business\":\"rad-sec-tec\",\"business_id\":67609,\"org\":\"onyxsectec\",\"org_id\":142831595,\"repo\":\"onyxsectec/4\",\"repository\":\"onyxsectec/4\",\"repository_public\":true,\"transport_protocol\":1,\"transport_protocol_name\":\"http\",\"user_id\":0}", "created": "2023-08-25T19:22:58.786Z", "kind": "event", "action": "git.clone", "category": [ "configuration", "web" ], "type": [ "change" ], "dataset": "github.audit" }, "tags": [ "forwarded", "github-audit", "preserve_original_event" ] }, "fields": { "elastic_agent.version": [ "8.9.1" ], "event.category": [ "configuration", "web" ], "github.org": [ "onyxsectec" ], "github.repo": [ "onyxsectec/4" ], "cloud.availability_zone": [ "us-west-2b" ], "cloud.instance.id": [ "" ], "agent.type": [ "filebeat" ], "github.category": [ "git" ], "event.module": [ "github" ], "agent.name": [ "" ], "elastic_agent.snapshot": [ false ], "event.agent_id_status": [ "verified" ], "event.kind": [ "event" ], "event.original": [ 
"{\"@timestamp\":1692989148721,\"action\":\"git.clone\",\"business\":\"rad-sec-tec\",\"business_id\":67609,\"org\":\"onyxsectec\",\"org_id\":142831595,\"repo\":\"onyxsectec/4\",\"repository\":\"onyxsectec/4\",\"repository_public\":true,\"transport_protocol\":1,\"transport_protocol_name\":\"http\",\"user_id\":0}" ], "elastic_agent.id": [ "" ], "data_stream.namespace": [ "default" ], "input.type": [ "httpjson" ], "data_stream.type": [ "logs" ], "tags": [ "forwarded", "github-audit", "preserve_original_event" ], "cloud.machine.type": [ "t2.micro" ], "cloud.provider": [ "openstack" ], "event.action": [ "git.clone" ], "event.ingested": [ "2023-08-25T19:23:00.000Z" ], "@timestamp": [ "2023-08-25T18:45:48.721Z" ], "agent.id": [ "" ], "cloud.service.name": [ "Nova" ], "ecs.version": [ "8.9.0" ], "data_stream.dataset": [ "github.audit" ], "event.created": [ "2023-08-25T19:22:58.786Z" ], "event.type": [ "change" ], "agent.ephemeral_id": [ "" ], "agent.version": [ "8.9.1" ], "event.dataset": [ "github.audit" ], "cloud.instance.name": [ "" ] } } ```