[Amazon Security Lake] - OCSF v1.1 update with major refactor & adding support for dynamic template and mappings & system tests #10405

Merged
merged 40 commits into from
Oct 23, 2024
Changes from 1 commit
Commits
40 commits
66c9372
added support for new user inventory info event class and updated inc…
ShourieG Jun 7, 2024
fb78670
trying to make a working system test
ShourieG Jun 13, 2024
3902a02
merged with upstream
ShourieG Jun 17, 2024
6bec44b
initial working system tests added pending elastic-package changes to…
ShourieG Jun 21, 2024
64f285b
merged with upstream/main
ShourieG Jul 2, 2024
118b2d2
test commit to be reverted
ShourieG Jul 10, 2024
185e2f9
initial working test for dynamic template
ShourieG Jul 12, 2024
f784e75
updated root org templates
ShourieG Jul 12, 2024
4282225
reworked 'org' object mapping as dynamic template for all data streams
ShourieG Jul 12, 2024
e2f8457
Merge branch 'main' into security_lake/ocsf_1.1
ShourieG Jul 23, 2024
d4788f4
Merge remote-tracking branch 'upstream/main' into security_lake/ocsf_1.1
ShourieG Jul 30, 2024
32ed102
segregated process fields in 'findings', added 'actor' fields for new…
ShourieG Jul 30, 2024
78c1ea2
added vulnerability findings support and segregated 'resource' group …
ShourieG Jul 30, 2024
0656284
Merge remote-tracking branch 'upstream/main' into security_lake/ocsf_1.1
ShourieG Jul 30, 2024
8f7122d
added ntp activity event class, deprecated proxy event class, added pr…
ShourieG Aug 1, 2024
5352aac
added os patch state event class, segregated device fields across all…
ShourieG Aug 2, 2024
ac66e6e
added datastore activity event class, segregated actor, user & metada…
ShourieG Aug 6, 2024
73b7be8
added support for detection finding event class, segregated and mappe…
ShourieG Aug 6, 2024
1236584
added support of compliance finding event class, segregated and updat…
ShourieG Aug 7, 2024
03b5099
segregated and expanded api object across all data streams, added sup…
ShourieG Aug 7, 2024
e99119c
added support for Device Config State Change event class, updated sch…
ShourieG Aug 8, 2024
7e5f687
added support for scan activity event class
ShourieG Aug 8, 2024
516b63b
segregated file fields across required data streams, added support fo…
ShourieG Aug 8, 2024
bf779a5
added cwe & epss objects as flattened to cve object
ShourieG Aug 8, 2024
97459f5
converted feature object to follow dynamic mapping rules across all d…
ShourieG Aug 8, 2024
bb88d57
added firewall rule object to respective event categories
ShourieG Aug 8, 2024
f0fdc32
added some missing fields after locally running system tests for disc…
ShourieG Aug 9, 2024
0b356dc
reworked terraform deployer to support multi-bucket based system tests
ShourieG Aug 9, 2024
19ffbf7
updated docs and changelog
ShourieG Aug 9, 2024
dd90df2
fixed timestamp issues across all data streams, added all system test…
ShourieG Aug 13, 2024
360c3d8
resolved merge conflicts
ShourieG Aug 14, 2024
2b1250d
resolved merge conflicts
ShourieG Aug 19, 2024
2261431
removed system test configs until respective elastic-package changes …
ShourieG Aug 19, 2024
5794401
updated with main, resolved merge conflicts
ShourieG Aug 26, 2024
6e5bc7c
Merge remote-tracking branch 'upstream/main' into security_lake/ocsf_1.1
ShourieG Aug 29, 2024
c204d18
Merge remote-tracking branch 'upstream/main' into security_lake/ocsf_1.1
ShourieG Oct 21, 2024
14bb1a5
updated docs, optimised timestamp conversion logic and changed *.type…
ShourieG Oct 21, 2024
3ec9e28
changed algorithm_id from integer to keyword type mapping
ShourieG Oct 21, 2024
06209ba
updated state_id mappings from integer to keyword
ShourieG Oct 21, 2024
69b2f19
addressed PR comments and updated pipelines, file names and field map…
ShourieG Oct 23, 2024
Expand Up @@ -196,6 +196,9 @@
- name: uid
type: keyword
description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- name: ldap_person
type: flattened
description: The LDAP attributes of the user.
- name: name
type: keyword
description: The username. For example, janedoe1.
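Review bot: the rendered diff has lost its indentation, so the nesting of the new `ldap_person` field cannot be confirmed from these lines: the preceding context field is the group's `uid` and the following `name` is described as the username, so `ldap_person` must be a sibling of `name` under the user object, not a child of `group`; please double-check the YAML indentation in the source. `flattened` is a reasonable choice for an LDAP attribute bag with no fixed schema, but every leaf under it is indexed as a keyword, so LDAP attributes that are numeric or dates will not support range queries; if any of them matter for detections, map them explicitly.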
Expand Down Expand Up @@ -285,6 +288,9 @@
- name: uid
type: keyword
description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- name: ldap_person
type: flattened
description: The LDAP attributes of the user.
- name: name
type: keyword
description: The name of the city.
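Review bot: here the field that follows the inserted `ldap_person` is a `name` described as "The name of the city", so with indentation stripped it is not visible whether the user object closes before a `location` sibling or whether `ldap_person` has landed inside a location object. Worth confirming the insertion point in this file specifically, since the other hunks all show a username as the next field.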
Expand Down Expand Up @@ -383,6 +389,9 @@
- name: uid
type: keyword
description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- name: ldap_person
type: flattened
description: The LDAP attributes of the user.
- name: name
type: keyword
description: The username. For example, janedoe1.
Expand Down Expand Up @@ -457,6 +466,9 @@
- name: uid
type: keyword
description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- name: ldap_person
type: flattened
description: The LDAP attributes of the user.
- name: name
type: keyword
description: The username. For example, janedoe1.
Expand Down Expand Up @@ -782,6 +794,9 @@
- name: uid
type: keyword
description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- name: ldap_person
type: flattened
description: The LDAP attributes of the user.
- name: name
type: keyword
description: The username. For example, janedoe1.
Expand Down Expand Up @@ -870,6 +885,9 @@
- name: uid
type: keyword
description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- name: ldap_person
type: flattened
description: The LDAP attributes of the user.
- name: name
type: keyword
description: The name of the city.
Expand Down Expand Up @@ -967,6 +985,9 @@
- name: uid
type: keyword
description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- name: ldap_person
type: flattened
description: The LDAP attributes of the user.
- name: name
type: keyword
description: The username. For example, janedoe1.
Expand Down Expand Up @@ -1040,6 +1061,9 @@
- name: uid
type: keyword
description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- name: ldap_person
type: flattened
description: The LDAP attributes of the user.
- name: name
type: keyword
description: The username. For example, janedoe1.
Expand Down Expand Up @@ -1270,6 +1294,9 @@
- name: uuid
type: keyword
description: The universally unique identifier of the session.
- name: terminal
type: keyword
description: The Pseudo Terminal associated with the session. Ex, the tty or pts value.
- name: terminated_time
type: date
description: The time when the process was terminated.
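Review bot: `terminal` is placed between the session `uuid` and the process `terminated_time`; with indentation stripped the diff does not show whether it still sits inside the `session` object or has become a process-level field. OCSF 1.1 defines `terminal` on the session object, so please verify the indentation. As a style point, "Ex, the tty or pts value" would read better as "For example, the tty or pts value", matching the wording of the other descriptions in this file.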
Expand Down Expand Up @@ -1397,6 +1424,9 @@
- name: uuid
type: keyword
description: The universally unique identifier of the session.
- name: terminal
type: keyword
description: The Pseudo Terminal associated with the session. Ex, the tty or pts value.
- name: terminated_time
type: date
description: The time when the process was terminated.
Expand Up @@ -34,6 +34,9 @@
- name: desc
type: keyword
description: The group description.
- name: domain
type: keyword
description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
- name: name
type: keyword
description: The group name.
Expand Up @@ -257,6 +257,7 @@
fields:
- name: data
type: flattened
ignore_malformed: true
description: The enrichment data associated with the attribute and value. The meaning of this data depends on the type the enrichment record.
- name: name
type: keyword
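Review bot: `ignore_malformed: true` on a `flattened` field deserves a one-line explanation (a comment in the fields file or a changelog entry): the case it guards against is presumably an `enrichments.data` value that arrives as a scalar or array rather than an object, which the flattened mapper would otherwise reject, failing the whole document. Two things to confirm: that the Elasticsearch versions the package targets accept this parameter on `flattened` (template installation fails if the mapper does not recognise it), and that dropping the malformed enrichment is acceptable, since analysts then see an event without its enrichment data. The dropped field is listed in the document's `_ignored` metadata field, which is worth pointing out in the docs so that an alert can be built on it.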
@@ -1,3 +1,9 @@
title: Amazon Security Lake Application Activity Events
dataset: amazon_security_lake.application_activity
type: logs
elasticsearch:
dynamic_dataset: true
dynamic_namespace: true
index_template:
mappings:
dynamic: true
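Review bot: `dynamic: true` at the root of the index template mapping means any field the pipeline emits that the fields files do not declare is indexed with a type guessed from the first value seen. For OCSF data, where many objects carry optional numeric `*_id` values next to string `type` siblings, that guess can produce a `long` in one backing index and a `keyword` in the next, and a large unmapped object can push an index past `index.mapping.total_fields.limit` and reject documents. Since the PR also introduces dynamic templates, please state in the changelog that unmapped OCSF fields are now indexed and confirm the templates cover the id/type pairs (the later commits changing `algorithm_id` and `state_id` from integer to keyword point at exactly this conflict). `dynamic_dataset` and `dynamic_namespace` allow the ingest pipeline to reroute documents, so the pipeline should only set `data_stream.dataset` and `data_stream.namespace` from a fixed list of the package's own datasets, never from event content, otherwise a crafted record could choose which index it lands in.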
Expand Up @@ -196,6 +196,9 @@
- name: uid
type: keyword
description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- name: ldap_person
type: flattened
description: The LDAP attributes of the user.
- name: name
type: keyword
description: The username. For example, janedoe1.
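Review bot: this is the same `ldap_person` addition as in the first fields file, repeated verbatim across the data streams. Since the PR already moves shared objects such as `org` into dynamic templates, consider whether the `user` object can be defined once as well; copies maintained by hand will drift as OCSF adds attributes.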
Expand Down Expand Up @@ -285,6 +288,9 @@
- name: uid
type: keyword
description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- name: ldap_person
type: flattened
description: The LDAP attributes of the user.
- name: name
type: keyword
description: The name of the city.
Expand Down Expand Up @@ -383,6 +389,9 @@
- name: uid
type: keyword
description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- name: ldap_person
type: flattened
description: The LDAP attributes of the user.
- name: name
type: keyword
description: The username. For example, janedoe1.
Expand Down Expand Up @@ -457,6 +466,9 @@
- name: uid
type: keyword
description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- name: ldap_person
type: flattened
description: The LDAP attributes of the user.
- name: name
type: keyword
description: The username. For example, janedoe1.
Expand Down Expand Up @@ -782,6 +794,9 @@
- name: uid
type: keyword
description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- name: ldap_person
type: flattened
description: The LDAP attributes of the user.
- name: name
type: keyword
description: The username. For example, janedoe1.
Expand Down Expand Up @@ -870,6 +885,9 @@
- name: uid
type: keyword
description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- name: ldap_person
type: flattened
description: The LDAP attributes of the user.
- name: name
type: keyword
description: The name of the city.
Expand Down Expand Up @@ -967,6 +985,9 @@
- name: uid
type: keyword
description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- name: ldap_person
type: flattened
description: The LDAP attributes of the user.
- name: name
type: keyword
description: The username. For example, janedoe1.
Expand Down Expand Up @@ -1040,6 +1061,9 @@
- name: uid
type: keyword
description: The unique identifier of the group. For example, for Windows events this is the security identifier (SID) of the group.
- name: ldap_person
type: flattened
description: The LDAP attributes of the user.
- name: name
type: keyword
description: The username. For example, janedoe1.
Expand Down Expand Up @@ -1270,6 +1294,9 @@
- name: uuid
type: keyword
description: The universally unique identifier of the session.
- name: terminal
type: keyword
description: The Pseudo Terminal associated with the session. Ex, the tty or pts value.
- name: terminated_time
type: date
description: The time when the process was terminated.
Expand Down Expand Up @@ -1397,6 +1424,9 @@
- name: uuid
type: keyword
description: The universally unique identifier of the session.
- name: terminal
type: keyword
description: The Pseudo Terminal associated with the session. Ex, the tty or pts value.
- name: terminated_time
type: date
description: The time when the process was terminated.
Expand Up @@ -34,6 +34,9 @@
- name: desc
type: keyword
description: The group description.
- name: domain
type: keyword
description: The domain where the group is defined. For example, the LDAP or Active Directory domain.
- name: name
type: keyword
description: The group name.
Expand Up @@ -126,6 +126,7 @@
fields:
- name: data
type: flattened
ignore_malformed: true
description: The enrichment data associated with the attribute and value. The meaning of this data depends on the type the enrichment record.
- name: name
type: keyword
Binary file not shown.
Expand Up @@ -20,36 +20,25 @@ provider "aws" {
}
}

# Define a list of file prefixes to be used for creating buckets
locals {
file_prefixes = ["discovery", "findings"]
}

# Create S3 buckets based on file prefixes
resource "aws_s3_bucket" "security_lake_logs" {
for_each = toset(local.file_prefixes)

bucket = "security-lake-logs-${each.key}-bucket-${var.TEST_RUN_ID}"
bucket = "security-lake-logs-bucket-${var.TEST_RUN_ID}"
}

# Upload files to corresponding buckets based on their file prefix
# Upload files to the single bucket with directory structures based on their file prefix
resource "aws_s3_object" "objects" {
for_each = { for file in fileset(var.files_path, "**") : file => file if contains(local.file_prefixes, split("_", file)[0]) }
for_each = fileset(var.files_path, "**")

bucket = aws_s3_bucket.security_lake_logs[split("_", each.value)[0]].id
bucket = aws_s3_bucket.security_lake_logs.id

# Create the directory structure based on the file prefix
key = "${split("_", each.value)[0]}/${each.value}"

key = each.value # The S3 object key will reflect the nested directory structure
source = "${var.files_path}/${each.value}" # Full path to the source file

etag = filemd5("${var.files_path}/${each.value}")
}

output "bucket_arn_discovery" {
value = aws_s3_bucket.security_lake_logs["discovery"].arn
description = "The ARN of the 'discovery' bucket"
}

output "bucket_arn_findings" {
value = aws_s3_bucket.security_lake_logs["findings"].arn
description = "The ARN of the 'findings' bucket"
}
output "bucket_arn" {
value = aws_s3_bucket.security_lake_logs.arn
description = "The ARN of the S3 bucket"
}
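Review bot: the new object key is `each.value`, the path relative to `var.files_path` as returned by `fileset(var.files_path, "**")`, so the per-source prefixes (`discovery/`, `findings/`) now have to exist as directories on disk instead of being derived from the `<prefix>_` file name; the comment on the `key` line should say so, and because the `contains(local.file_prefixes, ...)` filter is gone, any stray file under `files_path` is uploaded as well. Two smaller points: the bucket name is `security-lake-logs-bucket-${var.TEST_RUN_ID}`, and S3 bucket names must be 3 to 63 lowercase characters, so `TEST_RUN_ID` is limited to 37 characters and must not contain uppercase letters; and the outputs changed from `bucket_arn_discovery`/`bucket_arn_findings` to a single `bucket_arn`, so the system test config that reads them has to change in the same commit. Finally, as the bucket holds sample security log data, pairing it with an `aws_s3_bucket_public_access_block` resource makes the intent explicit even though new buckets block public access by default.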