

[Cisco Duo] New data stream for Trust Monitor logs (elastic#11327)
Added new data stream trust_monitor to collect Trust Monitor logs from Cisco Duo.
chemamartinez authored Oct 21, 2024
1 parent f057d3a commit c425e2f
Showing 24 changed files with 2,249 additions and 21 deletions.
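--- a/packages/cisco_duo/_dev/build/docs/README.md
+++ b/packages/cisco_duo/_dev/build/docs/README.md
@@ -28,6 +28,7 @@ The Cisco Duo integration collects logs for the following types of events.
 - [**Summary**](https://duo.com/docs/adminapi#retrieve-summary)
 - [**Telephony Logs**](https://duo.com/docs/adminapi#telephony-logs)
 - [**Telephony Logs (legacy)**](https://duo.com/docs/adminapi#telephony-logs-(legacy-v1))
+- [**Trust Monitor**](https://duo.com/docs/adminapi#trust-monitor)
 
 ## V2 Handlers
 
@@ -93,3 +94,11 @@ This is the `telephony_v2` dataset.
 {{event "telephony_v2"}}
 
 {{fields "telephony_v2"}}
+
+### Trust Monitor
+
+This is the `trust_monitor` dataset.
+
+{{event "trust_monitor"}}
+
+{{fields "trust_monitor"}}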
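--- a/packages/cisco_duo/_dev/deploy/docker/files/config.yml
+++ b/packages/cisco_duo/_dev/deploy/docker/files/config.yml
@@ -150,3 +150,156 @@ rules:
 }
 }
 }
+- path: /admin/v1/trust_monitor/events
+methods: ["GET"]
+query_params:
+offset: "31229"
+responses:
+- status_code: 200
+body: |-
+{
+"stat": "OK",
+"response": {
+"events": [
+{
+"explanations": [
+{
+"summary": "The registered device has an out-of-date version of the operating system installed.",
+"type": "REGISTER_OS_OUTDATED"
+}
+],
+"from_new_user": false,
+"priority_event": false,
+"priority_reasons": [],
+"sekey": "SEDOR9BP00L23C6YUH7",
+"state": "new",
+"state_updated_timestamp": null,
+"surfaced_timestamp": 1675893605269,
+"triaged_as_interesting": false,
+"type": "device_registration"
+}
+],
+"metadata": {}
+}
+}
+- path: /admin/v1/trust_monitor/events
+methods: ["GET"]
+responses:
+- status_code: 200
+body: |-
+{
+"stat": "OK",
+"response": {
+"events": [
+{
+"explanations": [
+{
+"summary": "amanda_tucker has not logged in from this location recently.",
+"type": "NEW_COUNTRY_CODE"
+},
+{
+"summary": "amanda_tucker has not logged in from this IP recently.",
+"type": "NEW_NETBLOCK"
+},
+{
+"summary": "amanda_tucker has not accessed this application recently.",
+"type": "NEW_IKEY"
+}
+],
+"from_common_netblock": true,
+"from_new_user": false,
+"low_risk_ip": false,
+"priority_event": true,
+"priority_reasons": [
+{
+"label": "CN",
+"type": "country"
+}
+],
+"sekey": "SEDOR9BP00L23C6YUH5",
+"state": "new",
+"state_updated_timestamp": null,
+"surfaced_auth": {
+"access_device": {
+"browser": "Chrome",
+"browser_version": "86.0.4240.198",
+"epkey": "EP18JX1A10AB102M2T2X",
+"flash_version": null,
+"hostname": null,
+"ip": "17.88.232.83",
+"is_encryption_enabled": "unknown",
+"is_firewall_enabled": "unknown",
+"is_password_set": "unknown",
+"java_version": null,
+"location": {
+"city": "Shanghai",
+"country": "China",
+"state": "Shanghai"
+},
+"os": "Windows",
+"os_version": "10",
+"security_agents": "unknown"
+},
+"alias": "unknown",
+"application": {
+"key": "DIUD2X62LHMPDP00LXS3",
+"name": "Microsoft Azure Active Directory"
+},
+"auth_device": {
+"ip": null,
+"key": null,
+"location": {
+"city": null,
+"country": null,
+"state": null
+},
+"name": null
+},
+"email": "",
+"event_type": null,
+"factor": "not_available",
+"isotimestamp": "2020-11-17T03:19:13.092+00:00",
+"ood_software": "",
+"reason": "location_restricted",
+"result": "denied",
+"timestamp": 1605583153,
+"trusted_endpoint_status": null,
+"txid": "436694ad-467c-4aed-b048-8ad--f58e04c",
+"user": {
+"groups": [
+"crazy"
+],
+"key": "DUN73JE5M92DP00L4ZYS",
+"name": "amanda_tucker"
+}
+},
+"surfaced_timestamp": 1605602911680,
+"triage_event_uri": "https://admin-xxxxxxxx.duosecurity.com/trust-monitor?sekey=SEDOR9BP00L23C6YUH5",
+"triaged_as_interesting": false,
+"type": "auth"
+},
+{
+"bypass_status_enabled": 1604337058989,
+"enabled_by": {
+"key": "DEWGH6P00LT2R0I60UI",
+"name": "Ellery Munson"
+},
+"enabled_for": {
+"key": "DUN73JE5M92DP00L4ZYS",
+"name": "amanda_tucker"
+},
+"priority_event": true,
+"priority_reasons": [],
+"sekey": "SEDOR9BP00L23C6YUH6",
+"state": "new",
+"state_updated_timestamp": null,
+"surfaced_timestamp": 1605602911680,
+"triaged_as_interesting": false,
+"type": "bypass_status"
+}
+],
+"metadata": {
+"next_offset": "31229"
+}
+}
+}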
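--- a/packages/cisco_duo/changelog.yml
+++ b/packages/cisco_duo/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.1.0"
+changes:
+- description: Add support for Trust Monitor logs.
+type: enhancement
+link: https://github.com/elastic/integrations/pull/11327
 - version: "2.0.5"
 changes:
 - description: Make the rate limit configurable.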
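--- a/packages/cisco_duo/data_stream/auth/manifest.yml
+++ b/packages/cisco_duo/data_stream/auth/manifest.yml
@@ -11,7 +11,7 @@ streams:
 show_user: false
 required: true
 default: 4320h
-description: How far back to pull Telephony logs from the Cisco Duo API. Maximum interval is 180 days (4320 hours). Supported units for this parameter are h/m/s.
+description: How far back to pull authentication logs from the Cisco Duo API. Maximum interval is 180 days (4320 hours). Supported units for this parameter are h/m/s.
 - name: limit
 type: integer
 title: Limit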
Expand Up @@ -22,6 +22,7 @@ state:
want_more: false
redact:
fields:
- integration_key
- secret_key

program: |
Expand Down Expand Up @@ -91,11 +92,11 @@ program: |
"maxtime": state.maxtime,
"date": now.format(time_layout.RFC1123Z),
"want_more": has(body.?response.?metadata.next_offset),
?"next_offset": (has(body.?response.?metadata.next_offset) && body.response.metadata.next_offset != null) ?
optional.of(string(body.response.metadata.next_offset))
:
optional.none(),
"next_url": (has(body.?response.?metadata.next_offset) && body.response.metadata.next_offset != null) ?
?"next_offset": (body.?response.metadata.next_offset.orValue(null) != null) ?
optional.of(string(body.response.metadata.next_offset))
:
optional.none(),
"next_url": (body.?response.metadata.next_offset.orValue(null) != null) ?
(
state.url.trim_right("/") + "/admin/v2/logs/telephony?" + {
"limit": [string(int(state.limit))],
Expand All @@ -108,7 +109,7 @@ program: |
:
state.url,
"cursor": {
?"last_published": (has(body.?response.?metadata.next_offset) && body.response.metadata.next_offset != null) ?
?"last_published": (body.?response.?metadata.next_offset.orValue(null) != null) ?
optional.of(body.response.metadata.next_offset.re_find("next_offset_timestamp"))
:
optional.none(),
Expand All @@ -128,17 +129,11 @@ program: |
"error": {
"code": has(body.code) ? string(body.code) : string(resp.StatusCode),
"id": string(resp.Status),
"message": "GET: " +
(
(has(body.message) && body.message != "") ?
string(body.message) +
(has(body.message_detail) ?
": " + string(body.message_detail)
:
""
)
"message": "GET:"+(
size(resp.Body) != 0 ?
string(resp.Body)
:
string(resp.Status) + " (" + string(resp.StatusCode) + ")"
string(resp.Status) + ' (' + string(resp.StatusCode) + ')'
),
},
},
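Review bot: The rewritten `?"next_offset"` and `"next_url"` conditions select `.metadata` without optional chaining (`body.?response.metadata.next_offset.orValue(null)`), while the `last_published` line in the next hunk keeps `body.?response.?metadata`, so the same presence test is now spelled two ways in one program. If cel-go errors on selecting a key that is absent after a `.?` step — which is my reading of optional field selection — a last page whose `metadata` carries no `next_offset` (the shape the trust_monitor mock added in this commit returns as `"metadata": {}`) would fail these expressions rather than evaluate to `null`, a case the removed `has(...)` guard covered. Writing all three sites as `body.?response.?metadata.?next_offset.orValue(null) != null` keeps them consistent and tolerant of either key being absent. The `program:` block starts and ends outside this hunk.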
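--- a/packages/cisco_duo/data_stream/telephony_v2/manifest.yml
+++ b/packages/cisco_duo/data_stream/telephony_v2/manifest.yml
@@ -1,5 +1,5 @@
 type: logs
-title: Cisco Duo authentication logs
+title: Cisco Duo telephony logs
 streams:
 - input: cel
 enabled: false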
@@ -0,0 +1,3 @@
fields:
tags:
- preserve_original_event
@@ -0,0 +1,3 @@
{"explanations":[{"summary":"amanda_tucker has not logged in from this location recently.","type":"NEW_COUNTRY_CODE"},{"summary":"amanda_tucker has not logged in from this IP recently.","type":"NEW_NETBLOCK"},{"summary":"amanda_tucker has not accessed this application recently.","type":"NEW_IKEY"}],"from_common_netblock":true,"from_new_user":false,"low_risk_ip":false,"priority_event":true,"priority_reasons":[{"label":"CN","type":"country"}],"sekey":"SEDOR9BP00L23C6YUH5","state":"new","state_updated_timestamp":null,"surfaced_auth":{"access_device":{"browser":"Chrome","browser_version":"86.0.4240.198","epkey":"EP18JX1A10AB102M2T2X","flash_version":null,"hostname":null,"ip":"17.88.232.83","is_encryption_enabled":"unknown","is_firewall_enabled":"unknown","is_password_set":"unknown","java_version":null,"location":{"city":"Shanghai","country":"China","state":"Shanghai"},"os":"Windows","os_version":"10","security_agents":"unknown"},"alias":"unknown","application":{"key":"DIUD2X62LHMPDP00LXS3","name":"Microsoft Azure Active Directory"},"auth_device":{"ip":null,"key":null,"location":{"city":null,"country":null,"state":null},"name":null},"email":"","event_type":null,"factor":"not_available","isotimestamp":"2020-11-17T03:19:13.092+00:00","ood_software":"","reason":"location_restricted","result":"denied","timestamp":1605583153,"trusted_endpoint_status":null,"txid":"436694ad-467c-4aed-b048-8ad--f58e04c","user":{"groups":["crazy"],"key":"DUN73JE5M92DP00L4ZYS","name":"amanda_tucker"}},"surfaced_timestamp":1605602911680,"triage_event_uri":"https://admin-xxxxxxxx.duosecurity.com/trust-monitor?sekey=SEDOR9BP00L23C6YUH5","triaged_as_interesting":false,"type":"auth"}
{"bypass_status_enabled":1604337058989,"enabled_by":{"key":"DEWGH6P00LT2R0I60UI","name":"Ellery Munson"},"enabled_for":{"key":"DUN73JE5M92DP00L4ZYS","name":"amanda_tucker"},"priority_event":true,"priority_reasons":[],"sekey":"SEDOR9BP00L23C6YUH6","state":"new","state_updated_timestamp":null,"surfaced_timestamp":1605602911680,"triaged_as_interesting":false,"type":"bypass_status"}
{"explanations":[{"summary":"The registered device has an out-of-date version of the operating system installed.","type":"REGISTER_OS_OUTDATED"}],"from_new_user":false,"priority_event":false,"priority_reasons":[],"sekey":"SEDOR9BP00L23C6YUH7","state":"new","state_updated_timestamp":null,"surfaced_timestamp":1675893605269,"triaged_as_interesting":false,"type":"device_registration"}
