[Amazon Security Lake] - OCSF v1.1 update with major refactor & adding support for dynamic template and mappings & system tests #10405

Merged (40 commits), Oct 23, 2024

Commits (40)
66c9372
added support for new user inventory info event class and updated inc…
ShourieG Jun 7, 2024
fb78670
trying to make a working system test
ShourieG Jun 13, 2024
3902a02
merged with upstream
ShourieG Jun 17, 2024
6bec44b
initial working system tests added pending elastic-package changes to…
ShourieG Jun 21, 2024
64f285b
merged with upstream/main
ShourieG Jul 2, 2024
118b2d2
test commit to be reverted
ShourieG Jul 10, 2024
185e2f9
initial working test for dynamic template
ShourieG Jul 12, 2024
f784e75
updated root org templates
ShourieG Jul 12, 2024
4282225
reworked 'org' object mapping as dynamic template for all data streams
ShourieG Jul 12, 2024
e2f8457
Merge branch 'main' into security_lake/ocsf_1.1
ShourieG Jul 23, 2024
d4788f4
Merge remote-tracking branch 'upstream/main' into security_lake/ocsf_1.1
ShourieG Jul 30, 2024
32ed102
segregated process fields in 'findings', added 'actor' fields for new…
ShourieG Jul 30, 2024
78c1ea2
added vulnerability findings support and segregated 'resource' group …
ShourieG Jul 30, 2024
0656284
Merge remote-tracking branch 'upstream/main' into security_lake/ocsf_1.1
ShourieG Jul 30, 2024
8f7122d
added ntp activity event class, deprecated proxy event class, added pr…
ShourieG Aug 1, 2024
5352aac
added os patch state event class, segregated device fields across all…
ShourieG Aug 2, 2024
ac66e6e
added datastore activity event class, segregated actor, user & metada…
ShourieG Aug 6, 2024
73b7be8
added support for detection finding event class, segregated and mappe…
ShourieG Aug 6, 2024
1236584
added support of compliance finding event class, segregated and updat…
ShourieG Aug 7, 2024
03b5099
segregated and expanded api object across all data streams, added sup…
ShourieG Aug 7, 2024
e99119c
added support for Device Config State Change event class, updated sch…
ShourieG Aug 8, 2024
7e5f687
added support for scan activity event class
ShourieG Aug 8, 2024
516b63b
segregated file fields across required data streams, added support fo…
ShourieG Aug 8, 2024
bf779a5
added cwe & epss objects as flattened to cve object
ShourieG Aug 8, 2024
97459f5
converted feature object to follow dynamic mapping rules across all d…
ShourieG Aug 8, 2024
bb88d57
added firewall rule object to respective event categories
ShourieG Aug 8, 2024
f0fdc32
added some missing fields after locally running system tests for disc…
ShourieG Aug 9, 2024
0b356dc
reworked terraform deployer to support multi-bucket based system tests
ShourieG Aug 9, 2024
19ffbf7
updated docs and changelog
ShourieG Aug 9, 2024
dd90df2
fixed timestamp issues across all data streams, added all system test…
ShourieG Aug 13, 2024
360c3d8
resolved merge conflicts
ShourieG Aug 14, 2024
2b1250d
resolved merge conflicts
ShourieG Aug 19, 2024
2261431
removed system test configs until respective elastic-package changes …
ShourieG Aug 19, 2024
5794401
updated with main, resolved merge conflicts
ShourieG Aug 26, 2024
6e5bc7c
Merge remote-tracking branch 'upstream/main' into security_lake/ocsf_1.1
ShourieG Aug 29, 2024
c204d18
Merge remote-tracking branch 'upstream/main' into security_lake/ocsf_1.1
ShourieG Oct 21, 2024
14bb1a5
updated docs, optimised timestamp conversion logic and changed *.type…
ShourieG Oct 21, 2024
3ec9e28
changed algorithm_id from integer to keyword type mapping
ShourieG Oct 21, 2024
06209ba
updated state_id mappings from integer to keyword
ShourieG Oct 21, 2024
69b2f19
addressed PR comments and updated pipelines, file names and field map…
ShourieG Oct 23, 2024
Original file line number Diff line number Diff line change
Expand Up @@ -340,3 +340,6 @@
- name: vpc_uid
type: keyword
description: The unique identifier of the Virtual Private Cloud (VPC).
- name: zone
type: keyword
description: The network zone or LAN segment.
1,845 changes: 189 additions & 1,656 deletions packages/amazon_security_lake/data_stream/application_activity/fields/fields.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,129 @@
- name: ocsf
type: group
fields:
- name: metadata
type: group
fields:
- name: tenant_uid
type: keyword
description: The audit level at which an event was generated.
- name: correlation_uid
type: keyword
description: The unique identifier used to correlate events.
- name: event_code
type: keyword
description: The Event ID or Code that the product uses to describe the event.
- name: extension
type: group
fields:
- name: name
type: keyword
description: 'The schema extension name. For example: dev.'
- name: uid
type: keyword
description: 'The schema extension unique identifier. For example: 999.'
- name: version
type: keyword
description: 'The schema extension version. For example: 1.0.0-alpha.2.'
- name: extensions
type: group
fields:
- name: name
type: keyword
description: 'The schema extension name. For example: dev.'
- name: uid
type: keyword
description: 'The schema extension unique identifier. For example: 999.'
- name: version
type: keyword
description: 'The schema extension version. For example: 1.0.0-alpha.2.'
- name: labels
type: keyword
description: The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time.
- name: log_level
type: keyword
description: The log level of the event.
- name: loggers
type: flattened
description: An array of Logger objects that describe the devices and logging products between the event source and its eventual destination.
- name: log_name
type: keyword
description: 'The event log name. For example, syslog file name or Windows logging subsystem: Security.'
- name: log_provider
type: keyword
description: The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing.
- name: log_version
type: keyword
description: The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version.
- name: logged_time
type: date
description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.
- name: logged_time_dt
type: date
description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.
- name: modified_time
type: date
description: The time when the event was last modified or enriched.
- name: modified_time_dt
type: date
description: The time when the event was last modified or enriched.
- name: original_time
type: keyword
description: The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs.
- name: processed_time
type: date
description: The event processed time, such as an ETL operation.
- name: processed_time_dt
type: date
description: The event processed time, such as an ETL operation.
- name: product
type: group
fields:
- name: feature
type: group
fields:
- name: name
type: keyword
description: The name of the feature.
- name: uid
type: keyword
description: The unique identifier of the feature.
- name: version
type: keyword
description: The version of the feature.
- name: lang
type: keyword
description: 'The two letter lowercase language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
- name: name
type: keyword
description: The name of the product.
- name: path
type: keyword
description: The installation path of the product.
- name: uid
type: keyword
description: The unique identifier of the product.
- name: url_string
type: keyword
description: The URL pointing towards the product.
- name: vendor_name
type: keyword
description: The name of the vendor of the product.
- name: version
type: keyword
description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.'
- name: cpe_name
type: keyword
description: The Common Platform Enumeration (CPE) name as described by (NIST) For example, cpe:/a:apple:safari:16.2.
- name: profiles
type: keyword
description: The list of profiles used to create the event.
- name: sequence
type: long
description: Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.
- name: uid
type: keyword
description: The logging system-assigned unique identifier of an event instance.
- name: version
type: keyword
description: 'The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.'
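Review bot: the `tenant_uid` description at the top of this new file ("The audit level at which an event was generated.") does not describe a tenant identifier and looks copied from a different field; please replace it with a description of the tenant's unique identifier before this file becomes the shared metadata definition for every data stream. Two smaller points in the same hunk: `extensions` is defined as a `group` with the same three leaves as the singular `extension`, but OCSF carries `extensions` as an array of objects, so indexing it as a plain object loses which `name`, `uid` and `version` belong together; `flattened` (as already used for `loggers`) or `nested` keeps that association. Also `logged_time`, `modified_time` and `processed_time` are `date` with no `format`, while the `*_time` fields of the user object elsewhere in this PR use `format: epoch_second`; either the pipeline normalises these before indexing or the format should be stated here so the two files agree.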
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,9 @@
- name: group
type: group
fields:
- name: domain
type: keyword
description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
- name: desc
type: keyword
description: The group description.
Expand Down Expand Up @@ -507,6 +510,9 @@
- name: uid
type: keyword
description: The unique identifier of the feature.
- name: url_string
type: keyword
description: The URL pointing towards the product.
- name: vendor_name
type: keyword
description: The name of the vendor of the product.
Expand Down Expand Up @@ -1090,6 +1096,9 @@
- name: uid
type: keyword
description: The unique identifier of the feature.
- name: url_string
type: keyword
description: The URL pointing towards the product.
- name: vendor_name
type: keyword
description: The name of the vendor of the product.
Expand Down Expand Up @@ -1192,6 +1201,9 @@
- name: group
type: group
fields:
- name: domain
type: keyword
description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
- name: desc
type: keyword
description: The group description.
Expand Down Expand Up @@ -1352,6 +1364,9 @@
- name: uid_alt
type: keyword
description: The alternate user identifier. For example, the Active Directory user GUID or AWS user Principal ID.
- name: ldap_person
type: flattened
description: The LDAP attributes of the user.
- name: xattributes
type: flattened
description: An unordered collection of zero or more name/value pairs that represent a process extended attribute.
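Review bot: mapping `ldap_person` as `flattened` indexes every leaf as a keyword, so any timestamp or numeric attribute inside it can only be matched exactly, never range-queried, and the surrounding user object shows this schema carries several `*_time` date fields. If `ldap_person` is expected to hold dates in practice, a `group` with explicit `date` leaves would serve detection queries better; if keyword-only is intended, say so in the description so users do not expect date semantics.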
Expand Down Expand Up @@ -1582,21 +1597,11 @@
- name: name
type: keyword
description: The username. For example, janedoe1.
- name: org
type: group
fields:
- name: name
type: keyword
description: The name of the organization. For example, Widget, Inc.
- name: ou_name
type: keyword
description: The name of the organizational unit, within an organization. For example, Finance, IT, R&D.
- name: ou_uid
type: keyword
description: The alternate identifier for an entity's unique identifier. For example, its Active Directory OU DN or AWS OU ID.
- name: uid
type: keyword
description: The unique identifier of the organization. For example, its Active Directory or AWS Org ID.
- name: org.*
type: object
object_type: keyword
object_type_mapping_type: "*"
description: Organization and org unit related to the user.
- name: type
type: keyword
description: The type of the user. For example, System, AWS IAM User, etc.
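Review bot: replacing the `org` group with `org.*` plus `object_type: keyword` drops the four documented leaves (`name`, `ou_name`, `ou_uid`, `uid`) from the generated field reference, and with `object_type_mapping_type: "*"` any non-string value that appears under `org` is also indexed as keyword. If that is the intent, the description should at least list the known keys so the docs do not regress, e.g. `description: Organization and org unit related to the user (name, ou_name, ou_uid, uid).`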
Expand All @@ -1619,10 +1624,16 @@
type: date
format: epoch_second
description: The timestamp when the user was created.
- name: created_time_dt
type: date
description: The date when the user was created.
- name: deleted_time
type: date
format: epoch_second
description: The timestamp when the user was deleted.
- name: deleted_time_dt
type: date
description: The date when the user was deleted.
- name: email_addrs
type: keyword
description: A list of additional email addresses for the user.
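Review bot: the new `created_time_dt` and `deleted_time_dt` fields are `date` with no `format`, so they rely on the default `strict_date_optional_time||epoch_millis`, whereas their `*_time` counterparts in the context lines are pinned to `format: epoch_second`. That only works if the pipeline always writes the `_dt` variants as ISO-8601 strings, so please confirm. Note also that OCSF `*_time` values are epoch milliseconds, so `epoch_second` on the context fields is correct only if the pipeline converts them before indexing; the same pattern repeats for `hire_time`, `last_login_time`, `leave_time` and `modified_time` in the following hunks.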
Expand All @@ -1636,6 +1647,9 @@
type: date
format: epoch_second
description: The timestamp when the user was or will be hired by the organization.
- name: hire_time_dt
type: date
description: The date when the user was or will be hired by the organization.
- name: job_title
type: keyword
description: The user's job title.
Expand All @@ -1646,6 +1660,9 @@
type: date
format: epoch_second
description: The last time when the user logged in.
- name: last_login_time_dt
type: date
description: The last date when the user logged in.
- name: ldap_cn
type: keyword
description: The LDAP and X.500 commonName attribute, typically the full name of the person. For example, John Doe.
Expand All @@ -1656,10 +1673,16 @@
type: date
format: epoch_second
description: The timestamp when the user left or will be leaving the organization.
- name: leave_time_dt
type: date
description: The date when the user left or will be leaving the organization.
- name: modified_time
type: date
format: epoch_second
description: The timestamp when the user entry was last modified.
- name: modified_time_dt
type: date
description: The date when the user entry was last modified.
- name: office_location
type: keyword
description: The primary office location associated with the user. This could be any string and isn't a specific address.
Expand Down Expand Up @@ -1733,6 +1756,9 @@
- name: groups
type: group
fields:
- name: domain
type: keyword
description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
- name: desc
type: keyword
description: The group description.
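Review bot: this is the third copy of the `group` object gaining `domain` in this file (also at -19 and -1192), and `url_string` is likewise added to two copies of `product` (-507 and -1090). Since the PR already moves `org` to a dynamic template and `metadata` to a shared file, consider the same treatment for `group` and `product`, so a field added to the object lands in every copy at once and the duplicated descriptions cannot drift apart.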
Original file line number Diff line number Diff line change
Expand Up @@ -227,120 +227,6 @@
- name: message
type: keyword
description: The description of the event, as defined by the event source.
- name: metadata
type: group
fields:
- name: tenant_uid
type: keyword
description: The audit level at which an event was generated.
- name: log_level
type: keyword
description: The log level of the event.
- name: correlation_uid
type: keyword
description: The unique identifier used to correlate events.
- name: event_code
type: keyword
description: The Event ID or Code that the product uses to describe the event.
- name: extension
type: group
fields:
- name: name
type: keyword
description: 'The schema extension name. For example: dev.'
- name: uid
type: keyword
description: 'The schema extension unique identifier. For example: 999.'
- name: version
type: keyword
description: 'The schema extension version. For example: 1.0.0-alpha.2.'
- name: labels
type: keyword
description: The list of category labels attached to the event or specific attributes. Labels are user defined tags or aliases added at normalization time.
- name: log_name
type: keyword
description: 'The event log name. For example, syslog file name or Windows logging subsystem: Security.'
- name: log_provider
type: keyword
description: The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing.
- name: log_version
type: keyword
description: The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version.
- name: logged_time
type: date
description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.
- name: logged_time_dt
type: date
description: The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.
- name: loggers
type: flattened
description: An array of Logger objects that describe the devices and logging products between the event source and its eventual destination.
- name: modified_time
type: date
description: The time when the event was last modified or enriched.
- name: modified_time_dt
type: date
description: The time when the event was last modified or enriched.
- name: original_time
type: keyword
description: The original event time as reported by the event source. For example, the time in the original format from system event log such as Syslog on Unix/Linux and the System event file on Windows. Omit if event is generated instead of collected via logs.
- name: processed_time
type: date
description: The event processed time, such as an ETL operation.
- name: processed_time_dt
type: date
description: The event processed time, such as an ETL operation.
- name: product
type: group
fields:
- name: feature
type: group
fields:
- name: name
type: keyword
description: The name of the feature.
- name: uid
type: keyword
description: The unique identifier of the feature.
- name: version
type: keyword
description: The version of the feature.
- name: lang
type: keyword
description: 'The two letter lowercase language codes, as defined by ISO 639-1. For example: en (English), de (German), or fr (French).'
- name: name
type: keyword
description: The name of the product.
- name: path
type: keyword
description: The installation path of the product.
- name: uid
type: keyword
description: The unique identifier of the product.
- name: vendor_name
type: keyword
description: The name of the vendor of the product.
- name: url_string
type: keyword
description: The URL pointing towards the product.
- name: version
type: keyword
description: 'The version of the product, as defined by the event source. For example: 2013.1.3-beta.'
- name: cpe_name
type: keyword
description: The Common Platform Enumeration (CPE) name as described by (NIST) For example, cpe:/a:apple:safari:16.2.
- name: profiles
type: keyword
description: The list of profiles used to create the event.
- name: sequence
type: long
description: Sequence number of the event. The sequence number is a value available in some events, to make the exact ordering of events unambiguous, regardless of the event time precision.
- name: uid
type: keyword
description: The logging system-assigned unique identifier of an event instance.
- name: version
type: keyword
description: 'The version of the OCSF schema, using Semantic Versioning Specification (SemVer). For example: 1.0.0. Event consumers use the version to determine the available event attributes.'
- name: observables
type: group
fields:
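Review bot: removing the whole `ocsf.metadata` group from this data stream's fields.yml is correct only if the data stream now picks up the shared metadata definition added in this PR; otherwise every `ocsf.metadata.*` document field becomes unmapped and elastic-package field validation in the system tests will fail on it. Please confirm each refactored data stream received the replacement, and that the moved definition carries the same leaves as the block deleted here (including `url_string` under `product` and the `tenant_uid` description, which should be corrected rather than copied forward).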