[SIEM] Updates process and TLS tables to use ECS 1.5 fields (#60854)

* Added new process filter
* Use new ECS TLS fields
Tudor Golubenco 2020-03-24 08:10:10 +01:00 committed by GitHub
parent 3e26777965
commit e6dbc3fc21
17 changed files with 9739 additions and 377 deletions


@ -10,14 +10,7 @@ exports[`Tls Table Component Rendering it renders the default Domains table 1`]
},
"node": Object {
"_id": "2fe3bdf168af35b9e0ce5dc583bab007c40d47de",
"alternativeNames": Array [
"*.elastic.co",
"elastic.co",
],
"commonNames": Array [
"*.elastic.co",
],
"issuerNames": Array [
"issuers": Array [
"DigiCert SHA2 Secure Server CA",
],
"ja3": Array [
@ -27,6 +20,9 @@ exports[`Tls Table Component Rendering it renders the default Domains table 1`]
"notAfter": Array [
"2021-04-22T12:00:00.000Z",
],
"subjects": Array [
"*.elastic.co",
],
},
},
Object {
@ -35,13 +31,7 @@ exports[`Tls Table Component Rendering it renders the default Domains table 1`]
},
"node": Object {
"_id": "61749734b3246f1584029deb4f5276c64da00ada",
"alternativeNames": Array [
"api.snapcraft.io",
],
"commonNames": Array [
"api.snapcraft.io",
],
"issuerNames": Array [
"issuers": Array [
"DigiCert SHA2 Secure Server CA",
],
"ja3": Array [
@ -50,6 +40,9 @@ exports[`Tls Table Component Rendering it renders the default Domains table 1`]
"notAfter": Array [
"2019-05-22T12:00:00.000Z",
],
"subjects": Array [
"api.snapcraft.io",
],
},
},
Object {
@ -58,14 +51,7 @@ exports[`Tls Table Component Rendering it renders the default Domains table 1`]
},
"node": Object {
"_id": "6560d3b7dd001c989b85962fa64beb778cdae47a",
"alternativeNames": Array [
"changelogs.ubuntu.com",
"manpages.ubuntu.com",
],
"commonNames": Array [
"changelogs.ubuntu.com",
],
"issuerNames": Array [
"issuers": Array [
"Let's Encrypt Authority X3",
],
"ja3": Array [
@ -74,6 +60,9 @@ exports[`Tls Table Component Rendering it renders the default Domains table 1`]
"notAfter": Array [
"2019-06-27T01:09:59.000Z",
],
"subjects": Array [
"changelogs.ubuntu.com",
],
},
},
]


@ -32,11 +32,11 @@ export const getTlsColumns = (tableId: string): TlsColumns => [
truncateText: false,
hideForMobile: false,
sortable: false,
render: ({ _id, issuerNames }) =>
render: ({ _id, issuers }) =>
getRowItemDraggables({
rowItems: issuerNames,
attrName: 'tls.server_certificate.issuer.common_name',
idPrefix: `${tableId}-${_id}-table-issuerNames`,
rowItems: issuers,
attrName: 'tls.server.issuer',
idPrefix: `${tableId}-${_id}-table-issuers`,
}),
},
{
@ -45,18 +45,12 @@ export const getTlsColumns = (tableId: string): TlsColumns => [
truncateText: false,
hideForMobile: false,
sortable: false,
render: ({ _id, alternativeNames, commonNames }) =>
alternativeNames != null && alternativeNames.length > 0
? getRowItemDraggables({
rowItems: alternativeNames,
attrName: 'tls.server_certificate.alternative_names',
idPrefix: `${tableId}-${_id}-table-alternative-name`,
})
: getRowItemDraggables({
rowItems: commonNames,
attrName: 'tls.server_certificate.subject.common_name',
idPrefix: `${tableId}-${_id}-table-common-name`,
}),
render: ({ _id, subjects }) =>
getRowItemDraggables({
rowItems: subjects,
attrName: 'tls.server.subject',
idPrefix: `${tableId}-${_id}-table-subjects`,
}),
},
{
field: 'node._id',
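Review bot: The new `subjects` column renders `tls.server.subject` verbatim, and in ECS 1.5 that field holds the full distinguished name (the updated API test in this commit expects values like `CN=edgecert.googleapis.com,O=Google LLC,...`), so a column that used to show bare hostnames taken from the SAN/CN lists now shows DN strings, and a dragged filter on `tls.server.subject` becomes an exact-DN match. If the column header label still reads as a domain or common-name column it should be updated to match. Also, `subjects` is typed `Maybe<string[]>` and the removed branch guarded `alternativeNames != null && alternativeNames.length > 0` before calling getRowItemDraggables; unless getRowItemDraggables tolerates a null rowItems (the old commonNames branch suggests it does), `rowItems: subjects ?? [],` would be the safer form. getTlsColumns starts and ends outside the hunk.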


@ -12,10 +12,9 @@ export const mockTlsData: TlsData = {
{
node: {
_id: '2fe3bdf168af35b9e0ce5dc583bab007c40d47de',
alternativeNames: ['*.elastic.co', 'elastic.co'],
commonNames: ['*.elastic.co'],
subjects: ['*.elastic.co'],
ja3: ['7851693188210d3b271aa1713d8c68c2', 'fb4726d465c5f28b84cd6d14cedd13a7'],
issuerNames: ['DigiCert SHA2 Secure Server CA'],
issuers: ['DigiCert SHA2 Secure Server CA'],
notAfter: ['2021-04-22T12:00:00.000Z'],
},
cursor: {
@ -25,10 +24,9 @@ export const mockTlsData: TlsData = {
{
node: {
_id: '61749734b3246f1584029deb4f5276c64da00ada',
alternativeNames: ['api.snapcraft.io'],
commonNames: ['api.snapcraft.io'],
subjects: ['api.snapcraft.io'],
ja3: ['839868ad711dc55bde0d37a87f14740d'],
issuerNames: ['DigiCert SHA2 Secure Server CA'],
issuers: ['DigiCert SHA2 Secure Server CA'],
notAfter: ['2019-05-22T12:00:00.000Z'],
},
cursor: {
@ -38,10 +36,9 @@ export const mockTlsData: TlsData = {
{
node: {
_id: '6560d3b7dd001c989b85962fa64beb778cdae47a',
alternativeNames: ['changelogs.ubuntu.com', 'manpages.ubuntu.com'],
commonNames: ['changelogs.ubuntu.com'],
subjects: ['changelogs.ubuntu.com'],
ja3: ['da12c94da8021bbaf502907ad086e7bc'],
issuerNames: ["Let's Encrypt Authority X3"],
issuers: ["Let's Encrypt Authority X3"],
notAfter: ['2019-06-27T01:09:59.000Z'],
},
cursor: {


@ -16,7 +16,7 @@ export const TRANSPORT_LAYER_SECURITY = i18n.translate(
export const UNIT = (totalCount: number) =>
i18n.translate('xpack.siem.network.ipDetails.tlsTable.unit', {
values: { totalCount },
defaultMessage: `{totalCount, plural, =1 {issuer} other {issuers}}`,
defaultMessage: `{totalCount, plural, =1 {server certificate} other {server certificates}}`,
});
// Columns


@ -33,10 +33,9 @@ export const tlsQuery = gql`
edges {
node {
_id
alternativeNames
commonNames
subjects
ja3
issuerNames
issuers
notAfter
}
cursor {


@ -9213,22 +9213,6 @@
"isDeprecated": false,
"deprecationReason": null
},
{
"name": "alternativeNames",
"description": "",
"args": [],
"type": {
"kind": "LIST",
"name": null,
"ofType": {
"kind": "NON_NULL",
"name": null,
"ofType": { "kind": "SCALAR", "name": "String", "ofType": null }
}
},
"isDeprecated": false,
"deprecationReason": null
},
{
"name": "notAfter",
"description": "",
@ -9246,7 +9230,7 @@
"deprecationReason": null
},
{
"name": "commonNames",
"name": "subjects",
"description": "",
"args": [],
"type": {
@ -9278,7 +9262,7 @@
"deprecationReason": null
},
{
"name": "issuerNames",
"name": "issuers",
"description": "",
"args": [],
"type": {


@ -1859,15 +1859,13 @@ export interface TlsNode {
timestamp?: Maybe<string>;
alternativeNames?: Maybe<string[]>;
notAfter?: Maybe<string[]>;
commonNames?: Maybe<string[]>;
subjects?: Maybe<string[]>;
ja3?: Maybe<string[]>;
issuerNames?: Maybe<string[]>;
issuers?: Maybe<string[]>;
}
export interface UncommonProcessesData {
@ -5679,13 +5677,11 @@ export namespace GetTlsQuery {
_id: Maybe<string>;
alternativeNames: Maybe<string[]>;
commonNames: Maybe<string[]>;
subjects: Maybe<string[]>;
ja3: Maybe<string[]>;
issuerNames: Maybe<string[]>;
issuers: Maybe<string[]>;
notAfter: Maybe<string[]>;
};


@ -13,11 +13,10 @@ export const tlsSchema = gql`
type TlsNode {
_id: String
timestamp: Date
alternativeNames: [String!]
notAfter: [String!]
commonNames: [String!]
subjects: [String!]
ja3: [String!]
issuerNames: [String!]
issuers: [String!]
}
input TlsSortField {
field: TlsFields!


@ -1861,15 +1861,13 @@ export interface TlsNode {
timestamp?: Maybe<string>;
alternativeNames?: Maybe<string[]>;
notAfter?: Maybe<string[]>;
commonNames?: Maybe<string[]>;
subjects?: Maybe<string[]>;
ja3?: Maybe<string[]>;
issuerNames?: Maybe<string[]>;
issuers?: Maybe<string[]>;
}
export interface UncommonProcessesData {
@ -7824,15 +7822,13 @@ export namespace TlsNodeResolvers {
timestamp?: TimestampResolver<Maybe<string>, TypeParent, TContext>;
alternativeNames?: AlternativeNamesResolver<Maybe<string[]>, TypeParent, TContext>;
notAfter?: NotAfterResolver<Maybe<string[]>, TypeParent, TContext>;
commonNames?: CommonNamesResolver<Maybe<string[]>, TypeParent, TContext>;
subjects?: SubjectsResolver<Maybe<string[]>, TypeParent, TContext>;
ja3?: Ja3Resolver<Maybe<string[]>, TypeParent, TContext>;
issuerNames?: IssuerNamesResolver<Maybe<string[]>, TypeParent, TContext>;
issuers?: IssuersResolver<Maybe<string[]>, TypeParent, TContext>;
}
export type _IdResolver<R = Maybe<string>, Parent = TlsNode, TContext = SiemContext> = Resolver<
@ -7845,17 +7841,12 @@ export namespace TlsNodeResolvers {
Parent = TlsNode,
TContext = SiemContext
> = Resolver<R, Parent, TContext>;
export type AlternativeNamesResolver<
R = Maybe<string[]>,
Parent = TlsNode,
TContext = SiemContext
> = Resolver<R, Parent, TContext>;
export type NotAfterResolver<
R = Maybe<string[]>,
Parent = TlsNode,
TContext = SiemContext
> = Resolver<R, Parent, TContext>;
export type CommonNamesResolver<
export type SubjectsResolver<
R = Maybe<string[]>,
Parent = TlsNode,
TContext = SiemContext
@ -7865,7 +7856,7 @@ export namespace TlsNodeResolvers {
Parent,
TContext
>;
export type IssuerNamesResolver<
export type IssuersResolver<
R = Maybe<string[]>,
Parent = TlsNode,
TContext = SiemContext


@ -66,10 +66,9 @@ export const formatTlsEdges = (buckets: TlsBuckets[]): TlsEdges[] => {
const edge: TlsEdges = {
node: {
_id: bucket.key,
alternativeNames: bucket.alternative_names.buckets.map(({ key }) => key),
commonNames: bucket.common_names.buckets.map(({ key }) => key),
subjects: bucket.subjects.buckets.map(({ key }) => key),
ja3: bucket.ja3.buckets.map(({ key }) => key),
issuerNames: bucket.issuer_names.buckets.map(({ key }) => key),
issuers: bucket.issuers.buckets.map(({ key }) => key),
// eslint-disable-next-line @typescript-eslint/camelcase
notAfter: bucket.not_after.buckets.map(({ key_as_string }) => key_as_string),
},


@ -20,11 +20,10 @@ export const mockTlsQuery = {
order: { _key: 'desc' },
},
aggs: {
issuer_names: { terms: { field: 'tls.server_certificate.issuer.common_name' } },
common_names: { terms: { field: 'tls.server_certificate.subject.common_name' } },
alternative_names: { terms: { field: 'tls.server_certificate.alternative_names' } },
not_after: { terms: { field: 'tls.server_certificate.not_after' } },
ja3: { terms: { field: 'tls.fingerprints.ja3.hash' } },
issuers: { terms: { field: 'tls.server.issuer' } },
subjects: { terms: { field: 'tls.server.subject' } },
not_after: { terms: { field: 'tls.server.not_after' } },
ja3: { terms: { field: 'tls.server.ja3s' } },
},
},
},
@ -44,16 +43,8 @@ export const expectedTlsEdges = [
},
node: {
_id: 'fff8dc95436e0e25ce46b1526a1a547e8cf3bb82',
alternativeNames: [
'*.1.nflxso.net',
'*.a.nflxso.net',
'assets.nflxext.com',
'cast.netflix.com',
'codex.nflxext.com',
'tvui.netflix.com',
],
commonNames: ['*.1.nflxso.net'],
issuerNames: ['DigiCert SHA2 Secure Server CA'],
subjects: ['*.1.nflxso.net'],
issuers: ['DigiCert SHA2 Secure Server CA'],
ja3: ['95d2dd53a89b334cddd5c22e81e7fe61'],
notAfter: ['2019-10-27T12:00:00.000Z'],
},
@ -65,9 +56,8 @@ export const expectedTlsEdges = [
},
node: {
_id: 'fd8440c4b20978b173e0910e2639d114f0d405c5',
alternativeNames: ['*.cogocast.net', 'cogocast.net'],
commonNames: ['cogocast.net'],
issuerNames: ['Amazon'],
subjects: ['cogocast.net'],
issuers: ['Amazon'],
ja3: ['a111d93cdf31f993c40a8a9ef13e8d7e'],
notAfter: ['2020-02-01T12:00:00.000Z'],
},
@ -76,12 +66,8 @@ export const expectedTlsEdges = [
cursor: { tiebreaker: null, value: 'fcdc16645ebb3386adc96e7ba735c4745709b9dd' },
node: {
_id: 'fcdc16645ebb3386adc96e7ba735c4745709b9dd',
alternativeNames: [
'player-devintever2-imperva.mountain.siriusxm.com',
'player-devintever2.mountain.siriusxm.com',
],
commonNames: ['player-devintever2.mountain.siriusxm.com'],
issuerNames: ['Trustwave Organization Validation SHA256 CA, Level 1'],
subjects: ['player-devintever2.mountain.siriusxm.com'],
issuers: ['Trustwave Organization Validation SHA256 CA, Level 1'],
ja3: ['6fa3244afc6bb6f9fad207b6b52af26b'],
notAfter: ['2020-03-06T21:57:09.000Z'],
},
@ -90,15 +76,8 @@ export const expectedTlsEdges = [
cursor: { tiebreaker: null, value: 'fccf375789cb7e671502a7b0cc969f218a4b2c70' },
node: {
_id: 'fccf375789cb7e671502a7b0cc969f218a4b2c70',
alternativeNames: [
'appleid-nc-s.apple.com',
'appleid-nwk-s.apple.com',
'appleid-prn-s.apple.com',
'appleid-rno-s.apple.com',
'appleid.apple.com',
],
commonNames: ['appleid.apple.com'],
issuerNames: ['DigiCert SHA2 Extended Validation Server CA'],
subjects: ['appleid.apple.com'],
issuers: ['DigiCert SHA2 Extended Validation Server CA'],
ja3: ['6fa3244afc6bb6f9fad207b6b52af26b'],
notAfter: ['2020-07-04T12:00:00.000Z'],
},
@ -107,20 +86,8 @@ export const expectedTlsEdges = [
cursor: { tiebreaker: null, value: 'fc4a296b706fa18ac50b96f5c0327c69db4a8981' },
node: {
_id: 'fc4a296b706fa18ac50b96f5c0327c69db4a8981',
alternativeNames: [
'api.itunes.apple.com',
'appsto.re',
'ax.init.itunes.apple.com',
'bag.itunes.apple.com',
'bookkeeper.itunes.apple.com',
'c.itunes.apple.com',
'carrierbundle.itunes.apple.com',
'client-api.itunes.apple.com',
'cma.itunes.apple.com',
'courses.apple.com',
],
commonNames: ['itunes.apple.com'],
issuerNames: ['DigiCert SHA2 Extended Validation Server CA'],
subjects: ['itunes.apple.com'],
issuers: ['DigiCert SHA2 Extended Validation Server CA'],
ja3: ['a441a33aaee795f498d6b764cc78989a'],
notAfter: ['2020-03-24T12:00:00.000Z'],
},
@ -129,20 +96,8 @@ export const expectedTlsEdges = [
cursor: { tiebreaker: null, value: 'fc2cbc41f6a0e9c0118de4fe40f299f7207b797e' },
node: {
_id: 'fc2cbc41f6a0e9c0118de4fe40f299f7207b797e',
alternativeNames: [
'*.adlercasino.com',
'*.allaustraliancasino.com',
'*.alletf.com',
'*.appareldesignpartners.com',
'*.atmosfir.net',
'*.cityofboston.gov',
'*.cp.mytoyotaentune.com',
'*.decathlon.be',
'*.decathlon.co.uk',
'*.decathlon.de',
],
commonNames: ['incapsula.com'],
issuerNames: ['GlobalSign CloudSSL CA - SHA256 - G3'],
subjects: ['incapsula.com'],
issuers: ['GlobalSign CloudSSL CA - SHA256 - G3'],
ja3: ['6fa3244afc6bb6f9fad207b6b52af26b'],
notAfter: ['2020-04-04T14:05:06.000Z'],
},
@ -151,9 +106,8 @@ export const expectedTlsEdges = [
cursor: { tiebreaker: null, value: 'fb70d78ffa663a3a4374d841b3288d2de9759566' },
node: {
_id: 'fb70d78ffa663a3a4374d841b3288d2de9759566',
alternativeNames: ['*.siriusxm.com', 'siriusxm.com'],
commonNames: ['*.siriusxm.com'],
issuerNames: ['DigiCert Baltimore CA-2 G2'],
subjects: ['*.siriusxm.com'],
issuers: ['DigiCert Baltimore CA-2 G2'],
ja3: ['535aca3d99fc247509cd50933cd71d37', '6fa3244afc6bb6f9fad207b6b52af26b'],
notAfter: ['2021-10-27T12:00:00.000Z'],
},
@ -162,16 +116,8 @@ export const expectedTlsEdges = [
cursor: { tiebreaker: null, value: 'fb59038dcec33ab3a01a6ae60d0835ad0e04ccf0' },
node: {
_id: 'fb59038dcec33ab3a01a6ae60d0835ad0e04ccf0',
alternativeNames: [
'photos.amazon.co.uk',
'photos.amazon.de',
'photos.amazon.es',
'photos.amazon.eu',
'photos.amazon.fr',
'photos.amazon.it',
],
commonNames: ['photos.amazon.eu'],
issuerNames: ['Amazon'],
subjects: ['photos.amazon.eu'],
issuers: ['Amazon'],
ja3: ['6fa3244afc6bb6f9fad207b6b52af26b'],
notAfter: ['2020-04-23T12:00:00.000Z'],
},
@ -180,20 +126,8 @@ export const expectedTlsEdges = [
cursor: { tiebreaker: null, value: 'f9815293c883a6006f0b2d95a4895bdc501fd174' },
node: {
_id: 'f9815293c883a6006f0b2d95a4895bdc501fd174',
alternativeNames: [
'*.api.cdn.hbo.com',
'*.artist.cdn.hbo.com',
'*.cdn.hbo.com',
'*.lv3.cdn.hbo.com',
'artist.api.cdn.hbo.com',
'artist.api.lv3.cdn.hbo.com',
'artist.staging.cdn.hbo.com',
'artist.staging.hurley.lv3.cdn.hbo.com',
'atv.api.lv3.cdn.hbo.com',
'atv.staging.hurley.lv3.cdn.hbo.com',
],
commonNames: ['cdn.hbo.com'],
issuerNames: ['Sectigo RSA Organization Validation Secure Server CA'],
subjects: ['cdn.hbo.com'],
issuers: ['Sectigo RSA Organization Validation Secure Server CA'],
ja3: ['6fa3244afc6bb6f9fad207b6b52af26b'],
notAfter: ['2021-02-10T23:59:59.000Z'],
},
@ -202,9 +136,8 @@ export const expectedTlsEdges = [
cursor: { tiebreaker: null, value: 'f8db6a69797e383dca2529727369595733123386' },
node: {
_id: 'f8db6a69797e383dca2529727369595733123386',
alternativeNames: ['www.google.com'],
commonNames: ['www.google.com'],
issuerNames: ['GTS CA 1O1'],
subjects: ['www.google.com'],
issuers: ['GTS CA 1O1'],
ja3: ['a111d93cdf31f993c40a8a9ef13e8d7e'],
notAfter: ['2019-12-10T13:32:54.000Z'],
},
@ -226,7 +159,7 @@ export const mockRequest = {
timerange: { interval: '12h', from: 1570716261267, to: 1570802661267 },
},
query:
'query GetTlsQuery($sourceId: ID!, $filterQuery: String, $flowTarget: FlowTarget!, $ip: String!, $pagination: PaginationInputPaginated!, $sort: TlsSortField!, $timerange: TimerangeInput!, $defaultIndex: [String!]!, $inspect: Boolean!) {\n source(id: $sourceId) {\n id\n Tls(filterQuery: $filterQuery, flowTarget: $flowTarget, ip: $ip, pagination: $pagination, sort: $sort, timerange: $timerange, defaultIndex: $defaultIndex) {\n totalCount\n edges {\n node {\n _id\n alternativeNames\n commonNames\n ja3\n issuerNames\n notAfter\n __typename\n }\n cursor {\n value\n __typename\n }\n __typename\n }\n pageInfo {\n activePage\n fakeTotalCount\n showMorePagesIndicator\n __typename\n }\n inspect @include(if: $inspect) {\n dsl\n response\n __typename\n }\n __typename\n }\n __typename\n }\n}\n',
'query GetTlsQuery($sourceId: ID!, $filterQuery: String, $flowTarget: FlowTarget!, $ip: String!, $pagination: PaginationInputPaginated!, $sort: TlsSortField!, $timerange: TimerangeInput!, $defaultIndex: [String!]!, $inspect: Boolean!) {\n source(id: $sourceId) {\n id\n Tls(filterQuery: $filterQuery, flowTarget: $flowTarget, ip: $ip, pagination: $pagination, sort: $sort, timerange: $timerange, defaultIndex: $defaultIndex) {\n totalCount\n edges {\n node {\n _id\n subjects\n ja3\n issuers\n notAfter\n __typename\n }\n cursor {\n value\n __typename\n }\n __typename\n }\n pageInfo {\n activePage\n fakeTotalCount\n showMorePagesIndicator\n __typename\n }\n inspect @include(if: $inspect) {\n dsl\n response\n __typename\n }\n __typename\n }\n __typename\n }\n}\n',
},
};
@ -250,28 +183,16 @@ export const mockResponse = {
{ key: 1572177600000, key_as_string: '2019-10-27T12:00:00.000Z', doc_count: 1 },
],
},
issuer_names: {
issuers: {
doc_count_error_upper_bound: 0,
sum_other_doc_count: 0,
buckets: [{ key: 'DigiCert SHA2 Secure Server CA', doc_count: 1 }],
},
common_names: {
subjects: {
doc_count_error_upper_bound: 0,
sum_other_doc_count: 0,
buckets: [{ key: '*.1.nflxso.net', doc_count: 1 }],
},
alternative_names: {
doc_count_error_upper_bound: 0,
sum_other_doc_count: 0,
buckets: [
{ key: '*.1.nflxso.net', doc_count: 1 },
{ key: '*.a.nflxso.net', doc_count: 1 },
{ key: 'assets.nflxext.com', doc_count: 1 },
{ key: 'cast.netflix.com', doc_count: 1 },
{ key: 'codex.nflxext.com', doc_count: 1 },
{ key: 'tvui.netflix.com', doc_count: 1 },
],
},
ja3: {
doc_count_error_upper_bound: 0,
sum_other_doc_count: 0,
@ -288,24 +209,16 @@ export const mockResponse = {
{ key: 1580558400000, key_as_string: '2020-02-01T12:00:00.000Z', doc_count: 1 },
],
},
issuer_names: {
issuers: {
doc_count_error_upper_bound: 0,
sum_other_doc_count: 0,
buckets: [{ key: 'Amazon', doc_count: 1 }],
},
common_names: {
subjects: {
doc_count_error_upper_bound: 0,
sum_other_doc_count: 0,
buckets: [{ key: 'cogocast.net', doc_count: 1 }],
},
alternative_names: {
doc_count_error_upper_bound: 0,
sum_other_doc_count: 0,
buckets: [
{ key: '*.cogocast.net', doc_count: 1 },
{ key: 'cogocast.net', doc_count: 1 },
],
},
ja3: {
doc_count_error_upper_bound: 0,
sum_other_doc_count: 0,
@ -322,26 +235,18 @@ export const mockResponse = {
{ key: 1583531829000, key_as_string: '2020-03-06T21:57:09.000Z', doc_count: 1 },
],
},
issuer_names: {
issuers: {
doc_count_error_upper_bound: 0,
sum_other_doc_count: 0,
buckets: [
{ key: 'Trustwave Organization Validation SHA256 CA, Level 1', doc_count: 1 },
],
},
common_names: {
subjects: {
doc_count_error_upper_bound: 0,
sum_other_doc_count: 0,
buckets: [{ key: 'player-devintever2.mountain.siriusxm.com', doc_count: 1 }],
},
alternative_names: {
doc_count_error_upper_bound: 0,
sum_other_doc_count: 0,
buckets: [
{ key: 'player-devintever2-imperva.mountain.siriusxm.com', doc_count: 1 },
{ key: 'player-devintever2.mountain.siriusxm.com', doc_count: 1 },
],
},
ja3: {
doc_count_error_upper_bound: 0,
sum_other_doc_count: 0,
@ -358,27 +263,16 @@ export const mockResponse = {
{ key: 1593864000000, key_as_string: '2020-07-04T12:00:00.000Z', doc_count: 1 },
],
},
issuer_names: {
issuers: {
doc_count_error_upper_bound: 0,
sum_other_doc_count: 0,
buckets: [{ key: 'DigiCert SHA2 Extended Validation Server CA', doc_count: 1 }],
},
common_names: {
subjects: {
doc_count_error_upper_bound: 0,
sum_other_doc_count: 0,
buckets: [{ key: 'appleid.apple.com', doc_count: 1 }],
},
alternative_names: {
doc_count_error_upper_bound: 0,
sum_other_doc_count: 0,
buckets: [
{ key: 'appleid-nc-s.apple.com', doc_count: 1 },
{ key: 'appleid-nwk-s.apple.com', doc_count: 1 },
{ key: 'appleid-prn-s.apple.com', doc_count: 1 },
{ key: 'appleid-rno-s.apple.com', doc_count: 1 },
{ key: 'appleid.apple.com', doc_count: 1 },
],
},
ja3: {
doc_count_error_upper_bound: 0,
sum_other_doc_count: 0,
@ -395,32 +289,16 @@ export const mockResponse = {
{ key: 1585051200000, key_as_string: '2020-03-24T12:00:00.000Z', doc_count: 2 },
],
},
issuer_names: {
issuers: {
doc_count_error_upper_bound: 0,
sum_other_doc_count: 0,
buckets: [{ key: 'DigiCert SHA2 Extended Validation Server CA', doc_count: 2 }],
},
common_names: {
subjects: {
doc_count_error_upper_bound: 0,
sum_other_doc_count: 0,
buckets: [{ key: 'itunes.apple.com', doc_count: 2 }],
},
alternative_names: {
doc_count_error_upper_bound: 0,
sum_other_doc_count: 156,
buckets: [
{ key: 'api.itunes.apple.com', doc_count: 2 },
{ key: 'appsto.re', doc_count: 2 },
{ key: 'ax.init.itunes.apple.com', doc_count: 2 },
{ key: 'bag.itunes.apple.com', doc_count: 2 },
{ key: 'bookkeeper.itunes.apple.com', doc_count: 2 },
{ key: 'c.itunes.apple.com', doc_count: 2 },
{ key: 'carrierbundle.itunes.apple.com', doc_count: 2 },
{ key: 'client-api.itunes.apple.com', doc_count: 2 },
{ key: 'cma.itunes.apple.com', doc_count: 2 },
{ key: 'courses.apple.com', doc_count: 2 },
],
},
ja3: {
doc_count_error_upper_bound: 0,
sum_other_doc_count: 0,
@ -437,32 +315,16 @@ export const mockResponse = {
{ key: 1586009106000, key_as_string: '2020-04-04T14:05:06.000Z', doc_count: 1 },
],
},
issuer_names: {
issuers: {
doc_count_error_upper_bound: 0,
sum_other_doc_count: 0,
buckets: [{ key: 'GlobalSign CloudSSL CA - SHA256 - G3', doc_count: 1 }],
},
common_names: {
subjects: {
doc_count_error_upper_bound: 0,
sum_other_doc_count: 0,
buckets: [{ key: 'incapsula.com', doc_count: 1 }],
},
alternative_names: {
doc_count_error_upper_bound: 0,
sum_other_doc_count: 110,
buckets: [
{ key: '*.adlercasino.com', doc_count: 1 },
{ key: '*.allaustraliancasino.com', doc_count: 1 },
{ key: '*.alletf.com', doc_count: 1 },
{ key: '*.appareldesignpartners.com', doc_count: 1 },
{ key: '*.atmosfir.net', doc_count: 1 },
{ key: '*.cityofboston.gov', doc_count: 1 },
{ key: '*.cp.mytoyotaentune.com', doc_count: 1 },
{ key: '*.decathlon.be', doc_count: 1 },
{ key: '*.decathlon.co.uk', doc_count: 1 },
{ key: '*.decathlon.de', doc_count: 1 },
],
},
ja3: {
doc_count_error_upper_bound: 0,
sum_other_doc_count: 0,
@ -479,24 +341,16 @@ export const mockResponse = {
{ key: 1635336000000, key_as_string: '2021-10-27T12:00:00.000Z', doc_count: 325 },
],
},
issuer_names: {
issuers: {
doc_count_error_upper_bound: 0,
sum_other_doc_count: 0,
buckets: [{ key: 'DigiCert Baltimore CA-2 G2', doc_count: 325 }],
},
common_names: {
subjects: {
doc_count_error_upper_bound: 0,
sum_other_doc_count: 0,
buckets: [{ key: '*.siriusxm.com', doc_count: 325 }],
},
alternative_names: {
doc_count_error_upper_bound: 0,
sum_other_doc_count: 0,
buckets: [
{ key: '*.siriusxm.com', doc_count: 325 },
{ key: 'siriusxm.com', doc_count: 325 },
],
},
ja3: {
doc_count_error_upper_bound: 0,
sum_other_doc_count: 0,
@ -516,28 +370,16 @@ export const mockResponse = {
{ key: 1587643200000, key_as_string: '2020-04-23T12:00:00.000Z', doc_count: 5 },
],
},
issuer_names: {
issuers: {
doc_count_error_upper_bound: 0,
sum_other_doc_count: 0,
buckets: [{ key: 'Amazon', doc_count: 5 }],
},
common_names: {
subjects: {
doc_count_error_upper_bound: 0,
sum_other_doc_count: 0,
buckets: [{ key: 'photos.amazon.eu', doc_count: 5 }],
},
alternative_names: {
doc_count_error_upper_bound: 0,
sum_other_doc_count: 0,
buckets: [
{ key: 'photos.amazon.co.uk', doc_count: 5 },
{ key: 'photos.amazon.de', doc_count: 5 },
{ key: 'photos.amazon.es', doc_count: 5 },
{ key: 'photos.amazon.eu', doc_count: 5 },
{ key: 'photos.amazon.fr', doc_count: 5 },
{ key: 'photos.amazon.it', doc_count: 5 },
],
},
ja3: {
doc_count_error_upper_bound: 0,
sum_other_doc_count: 0,
@ -554,34 +396,18 @@ export const mockResponse = {
{ key: 1613001599000, key_as_string: '2021-02-10T23:59:59.000Z', doc_count: 29 },
],
},
issuer_names: {
issuers: {
doc_count_error_upper_bound: 0,
sum_other_doc_count: 0,
buckets: [
{ key: 'Sectigo RSA Organization Validation Secure Server CA', doc_count: 29 },
],
},
common_names: {
subjects: {
doc_count_error_upper_bound: 0,
sum_other_doc_count: 0,
buckets: [{ key: 'cdn.hbo.com', doc_count: 29 }],
},
alternative_names: {
doc_count_error_upper_bound: 0,
sum_other_doc_count: 29,
buckets: [
{ key: '*.api.cdn.hbo.com', doc_count: 29 },
{ key: '*.artist.cdn.hbo.com', doc_count: 29 },
{ key: '*.cdn.hbo.com', doc_count: 29 },
{ key: '*.lv3.cdn.hbo.com', doc_count: 29 },
{ key: 'artist.api.cdn.hbo.com', doc_count: 29 },
{ key: 'artist.api.lv3.cdn.hbo.com', doc_count: 29 },
{ key: 'artist.staging.cdn.hbo.com', doc_count: 29 },
{ key: 'artist.staging.hurley.lv3.cdn.hbo.com', doc_count: 29 },
{ key: 'atv.api.lv3.cdn.hbo.com', doc_count: 29 },
{ key: 'atv.staging.hurley.lv3.cdn.hbo.com', doc_count: 29 },
],
},
ja3: {
doc_count_error_upper_bound: 0,
sum_other_doc_count: 0,
@ -598,17 +424,12 @@ export const mockResponse = {
{ key: 1575984774000, key_as_string: '2019-12-10T13:32:54.000Z', doc_count: 5 },
],
},
issuer_names: {
issuers: {
doc_count_error_upper_bound: 0,
sum_other_doc_count: 0,
buckets: [{ key: 'GTS CA 1O1', doc_count: 5 }],
},
common_names: {
doc_count_error_upper_bound: 0,
sum_other_doc_count: 0,
buckets: [{ key: 'www.google.com', doc_count: 5 }],
},
alternative_names: {
subjects: {
doc_count_error_upper_bound: 0,
sum_other_doc_count: 0,
buckets: [{ key: 'www.google.com', doc_count: 5 }],
@ -643,10 +464,9 @@ export const mockOptions = {
fields: [
'totalCount',
'_id',
'alternativeNames',
'commonNames',
'subjects',
'ja3',
'issuerNames',
'issuers',
'notAfter',
'edges.cursor.value',
'pageInfo.activePage',


@ -12,41 +12,36 @@ import { TlsSortField, Direction, TlsFields } from '../../graphql/types';
const getAggs = (querySize: number, sort: TlsSortField) => ({
count: {
cardinality: {
field: 'tls.server_certificate.fingerprint.sha1',
field: 'tls.server.hash.sha1',
},
},
sha1: {
terms: {
field: 'tls.server_certificate.fingerprint.sha1',
field: 'tls.server.hash.sha1',
size: querySize,
order: {
...getQueryOrder(sort),
},
},
aggs: {
issuer_names: {
issuers: {
terms: {
field: 'tls.server_certificate.issuer.common_name',
field: 'tls.server.issuer',
},
},
common_names: {
subjects: {
terms: {
field: 'tls.server_certificate.subject.common_name',
},
},
alternative_names: {
terms: {
field: 'tls.server_certificate.alternative_names',
field: 'tls.server.subject',
},
},
not_after: {
terms: {
field: 'tls.server_certificate.not_after',
field: 'tls.server.not_after',
},
},
ja3: {
terms: {
field: 'tls.fingerprints.ja3.hash',
field: 'tls.server.ja3s',
},
},
},
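Review bot: The `ja3` aggregation now reads `tls.server.ja3s` (the line `field: 'tls.server.ja3s'`) where it previously read the client fingerprint `tls.fingerprints.ja3.hash`, yet the bucket, the GraphQL field and the table column all keep the name `ja3`. JA3 (client hello) and JA3S (server hello) are different fingerprints and are not comparable, so an analyst matching the column against a JA3 indicator list would be looking at the wrong values; the ECS 1.5 client-side equivalent is `tls.client.ja3`. The new packetbeat/tls API test fixture expects `ja3: []` for every node, which is consistent with the mapped field being absent or mismatched in that data and is worth confirming against the archive. Either point the agg at `tls.client.ja3` to preserve the column's meaning, or rename the agg, GraphQL field and column label to `ja3s` so the UI says what it shows; the column definition for ja3 is outside this hunk. The closing lines of getAggs fall outside the hunk.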


@ -18,11 +18,7 @@ export interface TlsBuckets {
value_as_string: string;
};
alternative_names: {
buckets: Readonly<Array<{ key: string; doc_count: number }>>;
};
common_names: {
subjects: {
buckets: Readonly<Array<{ key: string; doc_count: number }>>;
};
@ -30,7 +26,7 @@ export interface TlsBuckets {
buckets: Readonly<Array<{ key: string; doc_count: number }>>;
};
issuer_names: {
issuers: {
buckets: Readonly<Array<{ key: string; doc_count: number }>>;
};


@ -191,6 +191,22 @@ export const buildQuery = ({
],
},
},
{
bool: {
filter: [
{
term: {
'event.category': 'process',
},
},
{
term: {
'event.type': 'start',
},
},
],
},
},
],
minimum_should_match: 1,
filter,
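Review bot: The new should-clause selecting `event.category: process` together with `event.type: start` carries no comment explaining that it targets ECS 1.5 process events alongside the differently-shaped clauses above it, so the next reader has to reverse-engineer why several filters are OR'd under `minimum_should_match: 1`. A one-line comment above the new `bool` block, such as `// ECS 1.5+: process start events identified by event.category / event.type`, would make the intent explicit. ECS allows `event.category` and `event.type` to hold multiple values; a `term` query matches any element of an array, so the filter is correct either way, but the comment should say that this is relied upon. buildQuery starts and ends outside the hunk.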


@ -16,17 +16,16 @@ import { FtrProviderContext } from '../../ftr_provider_context';
const FROM = new Date('2000-01-01T00:00:00.000Z').valueOf();
const TO = new Date('3000-01-01T00:00:00.000Z').valueOf();
const SOURCE_IP = '157.230.208.30';
const DESTINATION_IP = '91.189.92.20';
const SOURCE_IP = '10.128.0.35';
const DESTINATION_IP = '74.125.129.95';
const expectedResult = {
__typename: 'TlsNode',
_id: '61749734b3246f1584029deb4f5276c64da00ada',
alternativeNames: ['api.snapcraft.io'],
commonNames: ['api.snapcraft.io'],
issuerNames: ['DigiCert SHA2 Secure Server CA'],
ja3: ['839868ad711dc55bde0d37a87f14740d'],
notAfter: ['2019-05-22T12:00:00.000Z'],
_id: '16989191B1A93ECECD5FE9E63EBD4B5C3B606D26',
subjects: ['CN=edgecert.googleapis.com,O=Google LLC,L=Mountain View,ST=California,C=US'],
issuers: ['CN=GTS CA 1O1,O=Google Trust Services,C=US'],
ja3: [],
notAfter: ['2020-05-06T11:52:15.000Z'],
};
const expectedOverviewDestinationResult = {
@ -36,27 +35,29 @@ const expectedOverviewDestinationResult = {
__typename: 'TlsEdges',
cursor: {
__typename: 'CursorType',
value: '61749734b3246f1584029deb4f5276c64da00ada',
value: 'EB4E81DD7C55BA9715652ECF5647FB8877E55A8F',
},
node: {
__typename: 'TlsNode',
_id: '61749734b3246f1584029deb4f5276c64da00ada',
alternativeNames: ['api.snapcraft.io'],
commonNames: ['api.snapcraft.io'],
issuerNames: ['DigiCert SHA2 Secure Server CA'],
ja3: ['839868ad711dc55bde0d37a87f14740d'],
notAfter: ['2019-05-22T12:00:00.000Z'],
_id: 'EB4E81DD7C55BA9715652ECF5647FB8877E55A8F',
subjects: [
'CN=*.cdn.mozilla.net,OU=Cloud Services,O=Mozilla Corporation,L=Mountain View,ST=California,C=US',
],
issuers: ['CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US'],
ja3: [],
notAfter: ['2020-12-09T12:00:00.000Z'],
},
},
],
pageInfo: {
__typename: 'PageInfoPaginated',
activePage: 0,
fakeTotalCount: 1,
fakeTotalCount: 3,
showMorePagesIndicator: false,
},
totalCount: 1,
totalCount: 3,
};
const expectedOverviewSourceResult = {
__typename: 'TlsData',
edges: [
@ -64,26 +65,27 @@ const expectedOverviewSourceResult = {
__typename: 'TlsEdges',
cursor: {
__typename: 'CursorType',
value: '61749734b3246f1584029deb4f5276c64da00ada',
value: 'EB4E81DD7C55BA9715652ECF5647FB8877E55A8F',
},
node: {
__typename: 'TlsNode',
_id: '61749734b3246f1584029deb4f5276c64da00ada',
alternativeNames: ['api.snapcraft.io'],
commonNames: ['api.snapcraft.io'],
issuerNames: ['DigiCert SHA2 Secure Server CA'],
ja3: ['839868ad711dc55bde0d37a87f14740d'],
notAfter: ['2019-05-22T12:00:00.000Z'],
_id: 'EB4E81DD7C55BA9715652ECF5647FB8877E55A8F',
subjects: [
'CN=*.cdn.mozilla.net,OU=Cloud Services,O=Mozilla Corporation,L=Mountain View,ST=California,C=US',
],
issuers: ['CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US'],
ja3: [],
notAfter: ['2020-12-09T12:00:00.000Z'],
},
},
],
pageInfo: {
__typename: 'PageInfoPaginated',
activePage: 0,
fakeTotalCount: 1,
fakeTotalCount: 3,
showMorePagesIndicator: false,
},
totalCount: 1,
totalCount: 3,
};
export default function({ getService }: FtrProviderContext) {
@ -91,8 +93,8 @@ export default function({ getService }: FtrProviderContext) {
const client = getService('siemGraphQLClient');
describe('Tls Test with Packetbeat', () => {
describe('Tls Test', () => {
before(() => esArchiver.load('packetbeat/default'));
after(() => esArchiver.unload('packetbeat/default'));
before(() => esArchiver.load('packetbeat/tls'));
after(() => esArchiver.unload('packetbeat/tls'));
it('Ensure data is returned for FlowTarget.Source', () => {
return client
@ -160,8 +162,8 @@ export default function({ getService }: FtrProviderContext) {
});
describe('Tls Overview Test', () => {
before(() => esArchiver.load('packetbeat/default'));
after(() => esArchiver.unload('packetbeat/default'));
before(() => esArchiver.load('packetbeat/tls'));
after(() => esArchiver.unload('packetbeat/tls'));
it('Ensure data is returned for FlowTarget.Source', () => {
return client
@ -189,7 +191,8 @@ export default function({ getService }: FtrProviderContext) {
})
.then(resp => {
const tls = resp.data.source.Tls;
expect(tls).to.eql(expectedOverviewSourceResult);
expect(tls.pageInfo).to.eql(expectedOverviewSourceResult.pageInfo);
expect(tls.edges[0]).to.eql(expectedOverviewSourceResult.edges[0]);
});
});
@ -219,7 +222,8 @@ export default function({ getService }: FtrProviderContext) {
})
.then(resp => {
const tls = resp.data.source.Tls;
expect(tls).to.eql(expectedOverviewDestinationResult);
expect(tls.pageInfo).to.eql(expectedOverviewDestinationResult.pageInfo);
expect(tls.edges[0]).to.eql(expectedOverviewDestinationResult.edges[0]);
});
});
});
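Review bot: The overview assertions now compare only `pageInfo` and `edges[0]` (the two `.then` blocks at the end of the section), so the `totalCount: 3` values this commit updates in both expected objects are never checked and a regression returning the wrong total would pass. Adding `expect(tls.totalCount).to.eql(expectedOverviewSourceResult.totalCount);` (and the destination counterpart) restores that coverage cheaply. Relatedly, every expected node has `ja3: []`; if the packetbeat/tls archive genuinely has no JA3S for these certificates that is fine, but it also means the test cannot detect the ja3 aggregation pointing at a field with no data. The `it` blocks these assertions belong to start outside the hunk.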
