diff --git a/packages/cisco_duo/_dev/build/docs/README.md b/packages/cisco_duo/_dev/build/docs/README.md
index 2acee3a9f90..bd0bd767618 100644
--- a/packages/cisco_duo/_dev/build/docs/README.md
+++ b/packages/cisco_duo/_dev/build/docs/README.md
@@ -28,6 +28,7 @@ The Cisco Duo integration collects logs for the following types of events.
 - [**Summary**](https://duo.com/docs/adminapi#retrieve-summary)
 - [**Telephony Logs**](https://duo.com/docs/adminapi#telephony-logs)
 - [**Telephony Logs (legacy)**](https://duo.com/docs/adminapi#telephony-logs-(legacy-v1))
+- [**Trust Monitor**](https://duo.com/docs/adminapi#trust-monitor)

 ## V2 Handlers

@@ -93,3 +94,11 @@ This is the `telephony_v2` dataset.
 {{event "telephony_v2"}}

 {{fields "telephony_v2"}}
+
+### Trust Monitor
+
+This is the `trust_monitor` dataset.
+
+{{event "trust_monitor"}}
+
+{{fields "trust_monitor"}}
diff --git a/packages/cisco_duo/_dev/deploy/docker/files/config.yml b/packages/cisco_duo/_dev/deploy/docker/files/config.yml
index 26a76616b2c..a6ac202988b 100644
--- a/packages/cisco_duo/_dev/deploy/docker/files/config.yml
+++ b/packages/cisco_duo/_dev/deploy/docker/files/config.yml
@@ -150,3 +150,156 @@ rules:
 }
 }
 }
+ - path: /admin/v1/trust_monitor/events
+ methods: ["GET"]
+ query_params:
+ offset: "31229"
+ responses:
+ - status_code: 200
+ body: |-
+ {
+ "stat": "OK",
+ "response": {
+ "events": [
+ {
+ "explanations": [
+ {
+ "summary": "The registered device has an out-of-date version of the operating system installed.",
+ "type": "REGISTER_OS_OUTDATED"
+ }
+ ],
+ "from_new_user": false,
+ "priority_event": false,
+ "priority_reasons": [],
+ "sekey": "SEDOR9BP00L23C6YUH7",
+ "state": "new",
+ "state_updated_timestamp": null,
+ "surfaced_timestamp": 1675893605269,
+ "triaged_as_interesting": false,
+ "type": "device_registration"
+ }
+ ],
+ "metadata": {}
+ }
+ }
+ - path: /admin/v1/trust_monitor/events
+ methods: ["GET"]
+ responses:
+ - status_code: 200
+ body: |-
+ {
+ "stat": "OK",
+ "response": {
+ "events": [
+ {
+ "explanations": [
+ {
+ "summary": "amanda_tucker has not logged in from this location recently.",
+ "type": "NEW_COUNTRY_CODE"
+ },
+ {
+ "summary": "amanda_tucker has not logged in from this IP recently.",
+ "type": "NEW_NETBLOCK"
+ },
+ {
+ "summary": "amanda_tucker has not accessed this application recently.",
+ "type": "NEW_IKEY"
+ }
+ ],
+ "from_common_netblock": true,
+ "from_new_user": false,
+ "low_risk_ip": false,
+ "priority_event": true,
+ "priority_reasons": [
+ {
+ "label": "CN",
+ "type": "country"
+ }
+ ],
+ "sekey": "SEDOR9BP00L23C6YUH5",
+ "state": "new",
+ "state_updated_timestamp": null,
+ "surfaced_auth": {
+ "access_device": {
+ "browser": "Chrome",
+ "browser_version": "86.0.4240.198",
+ "epkey": "EP18JX1A10AB102M2T2X",
+ "flash_version": null,
+ "hostname": null,
+ "ip": "17.88.232.83",
+ "is_encryption_enabled": "unknown",
+ "is_firewall_enabled": "unknown",
+ "is_password_set": "unknown",
+ "java_version": null,
+ "location": {
+ "city": "Shanghai",
+ "country": "China",
+ "state": "Shanghai"
+ },
+ "os": "Windows",
+ "os_version": "10",
+ "security_agents": "unknown"
+ },
+ "alias": "unknown",
+ "application": {
+ "key": "DIUD2X62LHMPDP00LXS3",
+ "name": "Microsoft Azure Active Directory"
+ },
+ "auth_device": {
+ "ip": null,
+ "key": null,
+ "location": {
+ "city": null,
+ "country": null,
+ "state": null
+ },
+ "name": null
+ },
+ "email": "",
+ "event_type": null,
+ "factor": "not_available",
+ "isotimestamp": "2020-11-17T03:19:13.092+00:00",
+ "ood_software": "",
+ "reason": "location_restricted",
+ "result": "denied",
+ "timestamp": 1605583153,
+ "trusted_endpoint_status": null,
+ "txid": "436694ad-467c-4aed-b048-8ad--f58e04c",
+ "user": {
+ "groups": [
+ "crazy"
+ ],
+ "key": "DUN73JE5M92DP00L4ZYS",
+ "name": "amanda_tucker"
+ }
+ },
+ "surfaced_timestamp": 1605602911680,
+ "triage_event_uri": "https://admin-xxxxxxxx.duosecurity.com/trust-monitor?sekey=SEDOR9BP00L23C6YUH5",
+ "triaged_as_interesting": false,
+ "type": "auth"
+ },
+ {
+ "bypass_status_enabled": 1604337058989,
+ "enabled_by": {
+ "key": "DEWGH6P00LT2R0I60UI",
+ "name": "Ellery Munson"
+ },
+ "enabled_for": {
+ "key": "DUN73JE5M92DP00L4ZYS",
+ "name": "amanda_tucker"
+ },
+ "priority_event": true,
+ "priority_reasons": [],
+ "sekey": "SEDOR9BP00L23C6YUH6",
+ "state": "new",
+ "state_updated_timestamp": null,
+ "surfaced_timestamp": 1605602911680,
+ "triaged_as_interesting": false,
+ "type": "bypass_status"
+ }
+ ],
+ "metadata": {
+ "next_offset": "31229"
+ }
+ }
+ }
diff --git a/packages/cisco_duo/changelog.yml b/packages/cisco_duo/changelog.yml
index 6703a70abfe..6b86a112ffc 100644
--- a/packages/cisco_duo/changelog.yml
+++ b/packages/cisco_duo/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.1.0"
+ changes:
+ - description: Add support for Trust Monitor logs.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/11327
 - version: "2.0.5"
 changes:
 - description: Make the rate limit configurable.
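Review bot: The mock auth event's `access_device.ip` is `17.88.232.83`, a routable public address, and the same value is repeated in this commit's pipeline test input (`test-trust-monitor.log`) and its expected output; sample data should use an RFC 5737 documentation address (for example a constructed `192.0.2.83`) so the fixture, and any docs rendered from it, never point at a real host. The `txid` value `436694ad-467c-4aed-b048-8ad--f58e04c` is also not a well-formed UUID (double hyphen, short final group), which is harmless for the pipeline but will confuse anyone checking the fixture against the Duo schema. Both are fixture-only values, so this is a cleanup of the new test assets rather than a functional defect.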
diff --git a/packages/cisco_duo/data_stream/auth/manifest.yml b/packages/cisco_duo/data_stream/auth/manifest.yml index 8225edec0a7..eebed5b025d 100644 --- a/packages/cisco_duo/data_stream/auth/manifest.yml +++ b/packages/cisco_duo/data_stream/auth/manifest.yml @@ -11,7 +11,7 @@ streams: show_user: false required: true default: 4320h - description: How far back to pull Telephony logs from the Cisco Duo API. Maximum interval is 180 days (4320 hours). Supported units for this parameter are h/m/s. + description: How far back to pull authentication logs from the Cisco Duo API. Maximum interval is 180 days (4320 hours). Supported units for this parameter are h/m/s. - name: limit type: integer title: Limit diff --git a/packages/cisco_duo/data_stream/telephony_v2/agent/stream/cel.yml.hbs b/packages/cisco_duo/data_stream/telephony_v2/agent/stream/cel.yml.hbs index a0b5e5d1075..764a424badf 100644 --- a/packages/cisco_duo/data_stream/telephony_v2/agent/stream/cel.yml.hbs +++ b/packages/cisco_duo/data_stream/telephony_v2/agent/stream/cel.yml.hbs @@ -22,6 +22,7 @@ state: want_more: false redact: fields: + - integration_key - secret_key program: | @@ -91,11 +92,11 @@ program: | "maxtime": state.maxtime, "date": now.format(time_layout.RFC1123Z), "want_more": has(body.?response.?metadata.next_offset), - ?"next_offset": (has(body.?response.?metadata.next_offset) && body.response.metadata.next_offset != null) ? - optional.of(string(body.response.metadata.next_offset)) - : - optional.none(), - "next_url": (has(body.?response.?metadata.next_offset) && body.response.metadata.next_offset != null) ? + ?"next_offset": (body.?response.metadata.next_offset.orValue(null) != null) ? + optional.of(string(body.response.metadata.next_offset)) + : + optional.none(), + "next_url": (body.?response.metadata.next_offset.orValue(null) != null) ? ( state.url.trim_right("/") + "/admin/v2/logs/telephony?" + { "limit": [string(int(state.limit))], 
@@ -108,7 +109,7 @@ program: | : state.url, "cursor": { - ?"last_published": (has(body.?response.?metadata.next_offset) && body.response.metadata.next_offset != null) ? + ?"last_published": (body.?response.?metadata.next_offset.orValue(null) != null) ? optional.of(body.response.metadata.next_offset.re_find("next_offset_timestamp")) : optional.none(), @@ -128,17 +129,11 @@ program: | "error": { "code": has(body.code) ? string(body.code) : string(resp.StatusCode), "id": string(resp.Status), - "message": "GET: " + - ( - (has(body.message) && body.message != "") ? - string(body.message) + - (has(body.message_detail) ? - ": " + string(body.message_detail) - : - "" - ) + "message": "GET:"+( + size(resp.Body) != 0 ? + string(resp.Body) : - string(resp.Status) + " (" + string(resp.StatusCode) + ")" + string(resp.Status) + ' (' + string(resp.StatusCode) + ')' ), }, }, diff --git a/packages/cisco_duo/data_stream/telephony_v2/manifest.yml b/packages/cisco_duo/data_stream/telephony_v2/manifest.yml index 3517d77bc8b..1671ba4e598 100644 --- a/packages/cisco_duo/data_stream/telephony_v2/manifest.yml +++ b/packages/cisco_duo/data_stream/telephony_v2/manifest.yml @@ -1,5 +1,5 @@ type: logs -title: Cisco Duo authentication logs +title: Cisco Duo telephony logs streams: - input: cel enabled: false diff --git a/packages/cisco_duo/data_stream/trust_monitor/_dev/test/pipeline/test-common-config.yml b/packages/cisco_duo/data_stream/trust_monitor/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..4da22641654 --- /dev/null +++ b/packages/cisco_duo/data_stream/trust_monitor/_dev/test/pipeline/test-common-config.yml @@ -0,0 +1,3 @@ +fields: + tags: + - preserve_original_event diff --git a/packages/cisco_duo/data_stream/trust_monitor/_dev/test/pipeline/test-trust-monitor.log b/packages/cisco_duo/data_stream/trust_monitor/_dev/test/pipeline/test-trust-monitor.log new file mode 100644 index 00000000000..6b91615b7b4 --- /dev/null 
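Review bot: The rewritten error branch copies the raw response body into `error.message`, but it is still evaluated inside the `bytes(resp.Body).decode_json().as(body, ...)` wrapper that sits above this hunk, so a non-JSON error body — the case where falling back to `string(resp.Body)` matters most — appears to fail at `decode_json()` before the new message is ever built. Guarding the decode (reading `body.code` only when the body parses, otherwise building the error from `resp.Status` and `resp.StatusCode` alone) would make the fallback reachable. Also `"GET:"+(` drops the space the old message had, so the message now reads `GET:{...}`; `"GET: " + (` keeps it readable. The same error-branch shape is introduced in the new `trust_monitor/agent/stream/cel.yml.hbs` in this commit, where the `decode_json()` wrapper is visible in the hunk.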
+++ b/packages/cisco_duo/data_stream/trust_monitor/_dev/test/pipeline/test-trust-monitor.log 
@@ -0,0 +1,3 @@ +{"explanations":[{"summary":"amanda_tucker has not logged in from this location recently.","type":"NEW_COUNTRY_CODE"},{"summary":"amanda_tucker has not logged in from this IP recently.","type":"NEW_NETBLOCK"},{"summary":"amanda_tucker has not accessed this application recently.","type":"NEW_IKEY"}],"from_common_netblock":true,"from_new_user":false,"low_risk_ip":false,"priority_event":true,"priority_reasons":[{"label":"CN","type":"country"}],"sekey":"SEDOR9BP00L23C6YUH5","state":"new","state_updated_timestamp":null,"surfaced_auth":{"access_device":{"browser":"Chrome","browser_version":"86.0.4240.198","epkey":"EP18JX1A10AB102M2T2X","flash_version":null,"hostname":null,"ip":"17.88.232.83","is_encryption_enabled":"unknown","is_firewall_enabled":"unknown","is_password_set":"unknown","java_version":null,"location":{"city":"Shanghai","country":"China","state":"Shanghai"},"os":"Windows","os_version":"10","security_agents":"unknown"},"alias":"unknown","application":{"key":"DIUD2X62LHMPDP00LXS3","name":"Microsoft Azure Active Directory"},"auth_device":{"ip":null,"key":null,"location":{"city":null,"country":null,"state":null},"name":null},"email":"","event_type":null,"factor":"not_available","isotimestamp":"2020-11-17T03:19:13.092+00:00","ood_software":"","reason":"location_restricted","result":"denied","timestamp":1605583153,"trusted_endpoint_status":null,"txid":"436694ad-467c-4aed-b048-8ad--f58e04c","user":{"groups":["crazy"],"key":"DUN73JE5M92DP00L4ZYS","name":"amanda_tucker"}},"surfaced_timestamp":1605602911680,"triage_event_uri":"https://admin-xxxxxxxx.duosecurity.com/trust-monitor?sekey=SEDOR9BP00L23C6YUH5","triaged_as_interesting":false,"type":"auth"} +{"bypass_status_enabled":1604337058989,"enabled_by":{"key":"DEWGH6P00LT2R0I60UI","name":"Ellery 
Munson"},"enabled_for":{"key":"DUN73JE5M92DP00L4ZYS","name":"amanda_tucker"},"priority_event":true,"priority_reasons":[],"sekey":"SEDOR9BP00L23C6YUH6","state":"new","state_updated_timestamp":null,"surfaced_timestamp":1605602911680,"triaged_as_interesting":false,"type":"bypass_status"} +{"explanations":[{"summary":"The registered device has an out-of-date version of the operating system installed.","type":"REGISTER_OS_OUTDATED"}],"from_new_user":false,"priority_event":false,"priority_reasons":[],"sekey":"SEDOR9BP00L23C6YUH7","state":"new","state_updated_timestamp":null,"surfaced_timestamp":1675893605269,"triaged_as_interesting":false,"type":"device_registration"} diff --git a/packages/cisco_duo/data_stream/trust_monitor/_dev/test/pipeline/test-trust-monitor.log-expected.json b/packages/cisco_duo/data_stream/trust_monitor/_dev/test/pipeline/test-trust-monitor.log-expected.json new file mode 100644 index 00000000000..5a643d41979 --- /dev/null +++ b/packages/cisco_duo/data_stream/trust_monitor/_dev/test/pipeline/test-trust-monitor.log-expected.json 
@@ -0,0 +1,157 @@ +{ + "expected": [ + { + "@timestamp": "2020-11-17T08:48:31.680Z", + "cisco_duo": { + "trust_monitor": { + "explanations": [ + { + "summary": "amanda_tucker has not logged in from this location recently.", + "type": "NEW_COUNTRY_CODE" + }, + { + "summary": "amanda_tucker has not logged in from this IP recently.", + "type": "NEW_NETBLOCK" + }, + { + "summary": "amanda_tucker has not accessed this application recently.", + "type": "NEW_IKEY" + } + ], + "from_common_netblock": true, + "from_new_user": false, + "low_risk_ip": false, + "priority_event": true, + "priority_reasons": [ + { + "label": "CN", + "type": "country" + } + ], + "sekey": "SEDOR9BP00L23C6YUH5", + "state": "new", + "surfaced_auth": { + "access_device": { + "browser": "Chrome", + "browser_version": "86.0.4240.198", + "epkey": "EP18JX1A10AB102M2T2X", + "ip": "17.88.232.83", + "is_encryption_enabled": "unknown", + "is_firewall_enabled": "unknown", + "is_password_set": "unknown", + "location": { + "city": "Shanghai", + "country": "China", + "state": "Shanghai" + }, + "os": "Windows", + "os_version": "10", + "security_agents": "unknown" + }, + "alias": "unknown", + "application": { + "key": "DIUD2X62LHMPDP00LXS3", + "name": "Microsoft Azure Active Directory" + }, + "factor": "not_available", + "isotimestamp": "2020-11-17T03:19:13.092+00:00", + "reason": "location_restricted", + "result": "denied", + "timestamp": 1605583153, + "txid": "436694ad-467c-4aed-b048-8ad--f58e04c", + "user": { + "groups": [ + "crazy" + ], + "key": "DUN73JE5M92DP00L4ZYS", + "name": "amanda_tucker" + } + }, + "triage_event_uri": "https://admin-xxxxxxxx.duosecurity.com/trust-monitor?sekey=SEDOR9BP00L23C6YUH5", + "triaged_as_interesting": false, + "type": "auth" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "id": "SEDOR9BP00L23C6YUH5", + "kind": "event", + "original": "{\"explanations\":[{\"summary\":\"amanda_tucker has not logged in from this location 
recently.\",\"type\":\"NEW_COUNTRY_CODE\"},{\"summary\":\"amanda_tucker has not logged in from this IP recently.\",\"type\":\"NEW_NETBLOCK\"},{\"summary\":\"amanda_tucker has not accessed this application recently.\",\"type\":\"NEW_IKEY\"}],\"from_common_netblock\":true,\"from_new_user\":false,\"low_risk_ip\":false,\"priority_event\":true,\"priority_reasons\":[{\"label\":\"CN\",\"type\":\"country\"}],\"sekey\":\"SEDOR9BP00L23C6YUH5\",\"state\":\"new\",\"state_updated_timestamp\":null,\"surfaced_auth\":{\"access_device\":{\"browser\":\"Chrome\",\"browser_version\":\"86.0.4240.198\",\"epkey\":\"EP18JX1A10AB102M2T2X\",\"flash_version\":null,\"hostname\":null,\"ip\":\"17.88.232.83\",\"is_encryption_enabled\":\"unknown\",\"is_firewall_enabled\":\"unknown\",\"is_password_set\":\"unknown\",\"java_version\":null,\"location\":{\"city\":\"Shanghai\",\"country\":\"China\",\"state\":\"Shanghai\"},\"os\":\"Windows\",\"os_version\":\"10\",\"security_agents\":\"unknown\"},\"alias\":\"unknown\",\"application\":{\"key\":\"DIUD2X62LHMPDP00LXS3\",\"name\":\"Microsoft Azure Active Directory\"},\"auth_device\":{\"ip\":null,\"key\":null,\"location\":{\"city\":null,\"country\":null,\"state\":null},\"name\":null},\"email\":\"\",\"event_type\":null,\"factor\":\"not_available\",\"isotimestamp\":\"2020-11-17T03:19:13.092+00:00\",\"ood_software\":\"\",\"reason\":\"location_restricted\",\"result\":\"denied\",\"timestamp\":1605583153,\"trusted_endpoint_status\":null,\"txid\":\"436694ad-467c-4aed-b048-8ad--f58e04c\",\"user\":{\"groups\":[\"crazy\"],\"key\":\"DUN73JE5M92DP00L4ZYS\",\"name\":\"amanda_tucker\"}},\"surfaced_timestamp\":1605602911680,\"triage_event_uri\":\"https://admin-xxxxxxxx.duosecurity.com/trust-monitor?sekey=SEDOR9BP00L23C6YUH5\",\"triaged_as_interesting\":false,\"type\":\"auth\"}" + }, + "tags": [ + "preserve_original_event" + ], + "url": { + "domain": "admin-xxxxxxxx.duosecurity.com", + "original": 
"https://admin-xxxxxxxx.duosecurity.com/trust-monitor?sekey=SEDOR9BP00L23C6YUH5", + "path": "/trust-monitor", + "query": "sekey=SEDOR9BP00L23C6YUH5", + "scheme": "https" + } + }, + { + "@timestamp": "2020-11-17T08:48:31.680Z", + "cisco_duo": { + "trust_monitor": { + "bypass_status_enabled": 1604337058989, + "enabled_by": { + "key": "DEWGH6P00LT2R0I60UI", + "name": "Ellery Munson" + }, + "enabled_for": { + "key": "DUN73JE5M92DP00L4ZYS", + "name": "amanda_tucker" + }, + "priority_event": true, + "sekey": "SEDOR9BP00L23C6YUH6", + "state": "new", + "triaged_as_interesting": false, + "type": "bypass_status" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "id": "SEDOR9BP00L23C6YUH6", + "kind": "event", + "original": "{\"bypass_status_enabled\":1604337058989,\"enabled_by\":{\"key\":\"DEWGH6P00LT2R0I60UI\",\"name\":\"Ellery Munson\"},\"enabled_for\":{\"key\":\"DUN73JE5M92DP00L4ZYS\",\"name\":\"amanda_tucker\"},\"priority_event\":true,\"priority_reasons\":[],\"sekey\":\"SEDOR9BP00L23C6YUH6\",\"state\":\"new\",\"state_updated_timestamp\":null,\"surfaced_timestamp\":1605602911680,\"triaged_as_interesting\":false,\"type\":\"bypass_status\"}" + }, + "tags": [ + "preserve_original_event" + ] + }, + { + "@timestamp": "2023-02-08T22:00:05.269Z", + "cisco_duo": { + "trust_monitor": { + "explanations": [ + { + "summary": "The registered device has an out-of-date version of the operating system installed.", + "type": "REGISTER_OS_OUTDATED" + } + ], + "from_new_user": false, + "priority_event": false, + "sekey": "SEDOR9BP00L23C6YUH7", + "state": "new", + "triaged_as_interesting": false, + "type": "device_registration" + } + }, + "ecs": { + "version": "8.11.0" + }, + "event": { + "id": "SEDOR9BP00L23C6YUH7", + "kind": "event", + "original": "{\"explanations\":[{\"summary\":\"The registered device has an out-of-date version of the operating system 
installed.\",\"type\":\"REGISTER_OS_OUTDATED\"}],\"from_new_user\":false,\"priority_event\":false,\"priority_reasons\":[],\"sekey\":\"SEDOR9BP00L23C6YUH7\",\"state\":\"new\",\"state_updated_timestamp\":null,\"surfaced_timestamp\":1675893605269,\"triaged_as_interesting\":false,\"type\":\"device_registration\"}" + }, + "tags": [ + "preserve_original_event" + ] + } + ] +} \ No newline at end of file diff --git a/packages/cisco_duo/data_stream/trust_monitor/_dev/test/system/test-default-config.yml b/packages/cisco_duo/data_stream/trust_monitor/_dev/test/system/test-default-config.yml new file mode 100644 index 00000000000..86a63c6911c --- /dev/null +++ b/packages/cisco_duo/data_stream/trust_monitor/_dev/test/system/test-default-config.yml @@ -0,0 +1,12 @@ +input: cel +service: cisco_duo +vars: + hostname: http://{{Hostname}}:{{Port}} + secret_key: 40_characters_long_secret_key + integration_key: temp_integration_key + enable_request_tracer: true +data_stream: + vars: + preserve_original_event: true +assert: + hit_count: 3 diff --git a/packages/cisco_duo/data_stream/trust_monitor/agent/stream/cel.yml.hbs b/packages/cisco_duo/data_stream/trust_monitor/agent/stream/cel.yml.hbs new file mode 100644 index 00000000000..2175ebb144d --- /dev/null +++ b/packages/cisco_duo/data_stream/trust_monitor/agent/stream/cel.yml.hbs 
@@ -0,0 +1,162 @@ +config_version: 2 +interval: {{interval}} +resource.url: {{hostname}} +resource.rate_limit.burst: 1 +resource.rate_limit.limit: {{rate_limit}} + +{{#if enable_request_tracer}} +resource.tracer.filename: "../../logs/cel/http-request-trace-*.ndjson" +resource.tracer.maxbackups: 5 +resource.tracer.maxsize: 5 +{{/if}} + +state: + url: {{hostname}} + integration_key: {{integration_key}} + secret_key: {{secret_key}} + limit: {{limit}} + initial_interval: {{initial_interval}} + want_more: false +redact: + fields: + - integration_key + - secret_key + +program: | + ( + state.want_more ? + state + : + state.with({ + "mintime": state.?cursor.last_published.orValue(int(now - duration(state.initial_interval)) * 1000), + "maxtime": int(now - duration("2m")) * 1000, + "date": now.format(time_layout.RFC1123Z), + }) + ).as(state, state.with( + request( + "GET", + state.?want_more.orValue(false) ? + state.next_url + : + state.url.trim_right("/") + "/admin/v1/trust_monitor/events?" + { + "limit": [string(int(state.limit))], + "maxtime": [string(int(state.maxtime))], + "mintime": [string(int(state.mintime))], + }.format_query() + ).with( + { + "Header": { + "Content-Type": ["application/x-www-form-urlencoded"], + "Date": [state.date], + "Authorization": ["Basic " + ( + state.integration_key + ":" + ( + [ + state.date, + "GET", + state.url.trim_prefix("https://"), + "/admin/v1/trust_monitor/events", + { + "limit": [string(int(state.limit))], + "maxtime": [string(int(state.maxtime))], + "mintime": [string(int(state.mintime))], + ?"offset": has(state.next_offset) ? + optional.of([string(state.next_offset)]) + : + optional.none(), + }.format_query() + ].join("\n") + .hmac("sha1", bytes(state.secret_key)) + .hex() + ) + ).base64()], + }, + } + ).do_request().as(resp, (resp.StatusCode == 200) ? + bytes(resp.Body).decode_json().as(body, has(body.?response.events) && size(body.response.events) > 0 ? 
+ { + "events": body.response.events.map(event, + { + "message": event.encode_json(), + } + ), + "url": state.url, + "integration_key": state.integration_key, + "secret_key": state.secret_key, + "limit": state.limit, + "mintime": state.mintime, + "maxtime": state.maxtime, + "date": now.format(time_layout.RFC1123Z), + "want_more": has(body.?response.?metadata.next_offset), + ?"next_offset": (body.?response.metadata.next_offset.orValue(null) != null) ? + optional.of(string(body.response.metadata.next_offset)) + : + optional.none(), + "next_url": (body.?response.metadata.next_offset.orValue(null) != null) ? + ( + state.url.trim_right("/") + "/admin/v1/trust_monitor/events?" + { + "limit": [string(int(state.limit))], + "maxtime": [string(int(state.maxtime))], + "mintime": [string(int(state.mintime))], + "offset": [string(body.response.metadata.next_offset)], + }.format_query() + ) + : + state.url, + "cursor": { + ?"last_published": (has(body.?response.events) && size(body.response.events) > 0) ? + optional.of( + body.response.events.map(e, e.surfaced_timestamp).max().as(last_timestamp, + !has(state.?cursor.last_published) ? + last_timestamp + : (last_timestamp < state.cursor.last_published) ? + state.cursor.last_published + : + last_timestamp + ) + ) + : + state.?cursor.last_published, + } + } + : + { + "events":[], + "want_more": false, + } + + ) + : + bytes(resp.Body).decode_json().as(body, + { + "events": { + "error": { + "code": has(body.code) ? string(body.code) : string(resp.StatusCode), + "id": string(resp.Status), + "message": "GET:"+( + size(resp.Body) != 0 ? 
+ string(resp.Body) + : + string(resp.Status) + ' (' + string(resp.StatusCode) + ')' + ), + }, + }, + "want_more": false, + } + ) + ) + )) + +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/cisco_duo/data_stream/trust_monitor/elasticsearch/ingest_pipeline/default.yml b/packages/cisco_duo/data_stream/trust_monitor/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..d485a24f40d --- /dev/null +++ b/packages/cisco_duo/data_stream/trust_monitor/elasticsearch/ingest_pipeline/default.yml 
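Review bot: `"want_more": has(body.?response.?metadata.next_offset)` tests key presence while the `?"next_offset"` and `"next_url"` entries just below require a non-null value, so a response carrying `"next_offset": null` yields `want_more: true` with `next_url` falling back to `state.url`, and the next iteration would GET the bare hostname with neither the `/admin/v1/trust_monitor/events` path nor an `offset` (and sign a canonical string for a different path). Using one predicate for all three, `"want_more": body.?response.metadata.next_offset.orValue(null) != null,`, keeps the pagination state consistent; whether Duo ever returns a null `next_offset` here is not visible from the diff, and the mock in this commit omits the key rather than nulling it, so that branch is untested. Separately, the signed canonical string uses `state.url.trim_prefix("https://")` while the request URL uses `state.url.trim_right("/")`, so a configured hostname with a trailing slash would sign a host ending in `/` and presumably fail Duo's signature check; applying `trim_right("/")` in both places avoids that.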
@@ -0,0 +1,170 @@
+---
+description: Pipeline for parsing cisco_duo trust monitor logs
+processors:
+ - set:
+ field: ecs.version
+ value: '8.11.0'
+ - set:
+ field: event.kind
+ value: event
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ if: ctx.event?.original == null
+ tag: rename_event_original
+ - json:
+ field: event.original
+ target_field: json
+ tag: json_event_original
+ on_failure:
+ - set:
+ field: event.kind
+ value: pipeline_error
+ - append:
+ field: error.message
+ value: |-
+ Processor "{{{ _ingest.on_failure_processor_type }}}" with tag "{{{ _ingest.on_failure_processor_tag }}}" in pipeline "{{{ _ingest.on_failure_pipeline }}}" failed with message "{{{ _ingest.on_failure_message }}}"
+ - date:
+ field: json.surfaced_timestamp
+ tag: date_surfaced_timestamp
+ formats:
+ - UNIX_MS
+ on_failure:
+ - append:
+ field: error.message
+ value: |-
+ Processor "{{{ _ingest.on_failure_processor_type }}}" with tag "{{{ _ingest.on_failure_processor_tag }}}" in pipeline "{{{ _ingest.on_failure_pipeline }}}" failed with message "{{{ _ingest.on_failure_message }}}"
+ - fingerprint:
+ fields:
+ - json.sekey
+ - json.surfaced_timestamp
+ target_field: _id
+ ignore_missing: true
+ tag: fingerprint_id
+
+ ## Custom fields
+ - rename:
+ field: json.bypass_status_enabled
+ target_field: cisco_duo.trust_monitor.bypass_status_enabled
+ ignore_missing: true
+ tag: rename_bypass_status_enabled
+ - rename:
+ field: json.enabled_by
+ target_field: cisco_duo.trust_monitor.enabled_by
+ ignore_missing: true
+ tag: rename_enabled_by
+ - rename:
+ field: json.enabled_for
+ target_field: cisco_duo.trust_monitor.enabled_for
+ ignore_missing: true
+ tag: rename_enabled_for
+ - rename:
+ field: json.explanations
+ target_field: cisco_duo.trust_monitor.explanations
+ ignore_missing: true
+ tag: rename_explanations
+ - rename:
+ field: json.from_common_netblock
+ target_field: cisco_duo.trust_monitor.from_common_netblock
+ ignore_missing: true
+ tag: rename_from_common_netblock
+ - rename:
+ field: json.from_new_user
+ target_field: cisco_duo.trust_monitor.from_new_user
+ ignore_missing: true
+ tag: rename_from_new_user
+ - rename:
+ field: json.low_risk_ip
+ target_field: cisco_duo.trust_monitor.low_risk_ip
+ ignore_missing: true
+ tag: rename_low_risk_ip
+ - rename:
+ field: json.priority_event
+ target_field: cisco_duo.trust_monitor.priority_event
+ ignore_missing: true
+ tag: rename_priority_event
+ - rename:
+ field: json.priority_reasons
+ target_field: cisco_duo.trust_monitor.priority_reasons
+ ignore_missing: true
+ tag: rename_priority_reasons
+ - rename:
+ field: json.sekey
+ target_field: cisco_duo.trust_monitor.sekey
+ ignore_missing: true
+ tag: rename_sekey
+ - rename:
+ field: json.state
+ target_field: cisco_duo.trust_monitor.state
+ ignore_missing: true
+ tag: rename_state
+ - rename:
+ field: json.state_updated_timestamp
+ target_field: cisco_duo.trust_monitor.state_updated_timestamp
+ ignore_missing: true
+ tag: rename_state_updated_timestamp
+ - rename:
+ field: json.surfaced_auth
+ target_field: cisco_duo.trust_monitor.surfaced_auth
+ ignore_missing: true
+ tag: rename_surfaced_auth
+ - rename:
+ field: json.triaged_as_interesting
+ target_field: cisco_duo.trust_monitor.triaged_as_interesting
+ ignore_missing: true
+ tag: rename_triaged_as_interesting
+ - rename:
+ field: json.triage_event_uri
+ target_field: cisco_duo.trust_monitor.triage_event_uri
+ ignore_missing: true
+ tag: rename_triage_event_uri
+ - rename:
+ field: json.type
+ target_field: cisco_duo.trust_monitor.type
+ ignore_missing: true
+ tag: rename_type
+
+ ## ECS fields
+ - set:
+ field: event.id
+ copy_from: cisco_duo.trust_monitor.sekey
+ ignore_failure: true
+ tag: set_event_id
+ - uri_parts:
+ field: cisco_duo.trust_monitor.triage_event_uri
+ tag: uri_parts_event_uri
+ ignore_missing: true
+ ignore_failure: true
+
+ ## Clean up
+ - script:
+ description: Drops null/empty values recursively
+ tag: drop_null_values
+ lang: painless
+ ignore_failure: true
+ source: |
+ boolean drop(Object o) {
+ if (o == null || o == "") {
+ return true;
+ } else if (o instanceof Map) {
+ ((Map) o).values().removeIf(v -> drop(v));
+ return (((Map) o).size() == 0);
+ } else if (o instanceof List) {
+ ((List) o).removeIf(v -> drop(v));
+ return (((List) o).length == 0);
+ }
+ return false;
+ }
+ drop(ctx);
+ - remove:
+ field: json
+ ignore_missing: true
+on_failure:
+ - append:
+ field: error.message
+ value: |-
+ Processor "{{{ _ingest.on_failure_processor_type }}}" with tag "{{{ _ingest.on_failure_processor_tag }}}" in pipeline "{{{ _ingest.on_failure_pipeline }}}" failed with message "{{{ _ingest.on_failure_message }}}"
+ - set:
+ field: event.kind
+ value: pipeline_error
diff --git a/packages/cisco_duo/data_stream/trust_monitor/fields/agent.yml b/packages/cisco_duo/data_stream/trust_monitor/fields/agent.yml
new file mode 100644
index 00000000000..f833857d0fe
--- /dev/null
+++ b/packages/cisco_duo/data_stream/trust_monitor/fields/agent.yml
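Review bot: For `type=auth` events the pipeline keeps `surfaced_auth` only as one renamed object (mapped `flattened` in `fields.yml`), so `surfaced_auth.user.name`, `surfaced_auth.access_device.ip`, `surfaced_auth.result` and `surfaced_auth.reason` never reach `user.name`, `source.ip`, `event.outcome` or `related.*`, and an analyst cannot pivot from these events to the package's `auth` data stream or other sources on user or IP. Adding a few processors after `uri_parts_event_uri` (sketched below) would make the events usable in detections; the ECS fields they write also need to be declared for the data stream. `event.category`/`event.type` are likewise left unset, and `event.kind` is a fixed `event` although Trust Monitor surfaces these as flagged security events, so `alert` may fit better — worth a deliberate choice rather than an omission.
```yaml
  ## ECS fields
  # … unchanged: set_event_id, uri_parts_event_uri …
  - set:
      field: user.name
      copy_from: cisco_duo.trust_monitor.surfaced_auth.user.name
      ignore_empty_value: true
      tag: set_user_name
  - convert:
      field: cisco_duo.trust_monitor.surfaced_auth.access_device.ip
      target_field: source.ip
      type: ip
      ignore_missing: true
      tag: convert_source_ip
      on_failure:
        - append:
            field: error.message
            value: |-
              Processor "{{{ _ingest.on_failure_processor_type }}}" with tag "{{{ _ingest.on_failure_processor_tag }}}" in pipeline "{{{ _ingest.on_failure_pipeline }}}" failed with message "{{{ _ingest.on_failure_message }}}"
  - append:
      field: related.user
      value: '{{{user.name}}}'
      allow_duplicates: false
      if: ctx.user?.name != null
      tag: append_related_user
  - append:
      field: related.ip
      value: '{{{source.ip}}}'
      allow_duplicates: false
      if: ctx.source?.ip != null
      tag: append_related_ip
  # … unchanged: drop_null_values script, remove json …
```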
@@ -0,0 +1,36 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: "Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on."
+ type: group
+ fields:
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: host
+ title: Host
+ group: 2
+ description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes."
+ type: group
+ fields:
+ - name: containerized
+ type: boolean
+ description: >-
+ If the host is a container.
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >-
+ OS build information.
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >-
+ OS codename, if any.
+- name: input.type
+ type: keyword
+ description: Input type
+- name: log.offset
+ type: long
+ description: Log offset
diff --git a/packages/cisco_duo/data_stream/trust_monitor/fields/base-fields.yml b/packages/cisco_duo/data_stream/trust_monitor/fields/base-fields.yml
new file mode 100644
index 00000000000..e1085260f2b
--- /dev/null
+++ b/packages/cisco_duo/data_stream/trust_monitor/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: cisco_duo
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: cisco_duo.trust_monitor
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
diff --git a/packages/cisco_duo/data_stream/trust_monitor/fields/fields.yml b/packages/cisco_duo/data_stream/trust_monitor/fields/fields.yml
new file mode 100644
index 00000000000..4a5904e96bc
--- /dev/null
+++ b/packages/cisco_duo/data_stream/trust_monitor/fields/fields.yml
@@ -0,0 +1,95 @@ +- name: cisco_duo.trust_monitor + type: group + fields: + - name: bypass_status_enabled + type: long + description: | + The Unix timestamp in milliseconds when bypass status was enabled for the user or group. Returned for events with type=bypass_status. + - name: enabled_by + type: group + fields: + - name: name + type: keyword + description: | + Name of the application or the administrator that enabled bypass status. Returned for events with type=bypass_status. + - name: key + type: keyword + description: | + Key of the application or the administrator that enabled bypass status. Returned for events with type=bypass_status. + - name: enabled_for + type: group + fields: + - name: name + type: keyword + description: | + Name of the user or group with bypass status. Returned for events with type=bypass_status. + - name: key + type: keyword + description: | + Key of the user or group with bypass status. Returned for events with type=bypass_status. + - name: explanations + type: group + fields: + - name: summary + type: keyword + description: | + Description of why Trust Monitor surfaced the event. + - name: type + type: keyword + description: | + Type of reason why Trust Monitor surfaced the event. + - name: from_common_netblock + type: boolean + description: | + A boolean describing if this event was created from a common IP netblock. Returned for events with type=auth. + - name: from_new_user + type: boolean + description: | + A boolean describing if this event was created for a new user. Returned for events with type=auth or type=device_registration. + - name: low_risk_ip + type: boolean + description: | + A boolean describing if this event was created from an IP address identified in the Risk Profile configuration as a low risk IP address. Returned for events with type=auth. + - name: priority_event + type: boolean + description: | + A boolean describing if the event matches the Risk Profile configuration. 
+ - name: priority_reasons + type: group + fields: + - name: label + type: keyword + description: | + The label of the priority reason describing how the event matches the Trust Monitor Risk Profile configuration for the event's match. Returned for events with type=auth or type=device_registration. + - name: type + type: keyword + description: | + The type of priority reason describing how the event matches the Trust Monitor Risk Profile configuration for the event's match. Returned for events with type=auth or type=device_registration. + - name: sekey + type: keyword + description: | + The unique identifier for this event as a 20 character string. This is unique across all different event types. + - name: state + type: keyword + description: | + A string describing the state of the event. One of statenew or stateprocessed. + - name: state_updated_timestamp + type: long + description: | + The Unix timestamp in milliseconds of the last change to the state of the event. + - name: surfaced_auth + type: flattened + description: | + An object which represents the actual authentication. Returned for events with type=auth. + - name: triage_event_uri + type: keyword + description: | + A string representing the URI of the security event, which a Duo administrator can use to view and process the surfaced event in the Duo Admin Panel. Returned for events with type=auth. + - name: triaged_as_interesting + type: boolean + description: | + A boolean describing if this event was triaged as being interesting or not interesting. + - name: type + type: keyword + description: | + The type of event, as a string. One of auth, bypass_status, or device_registration. diff --git a/packages/cisco_duo/data_stream/trust_monitor/manifest.yml b/packages/cisco_duo/data_stream/trust_monitor/manifest.yml new file mode 100644 index 00000000000..71708fcd7a3 --- /dev/null +++ b/packages/cisco_duo/data_stream/trust_monitor/manifest.yml 
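Review bot: `surfaced_auth` is mapped as `flattened`, so the part of a Trust Monitor event that an analyst actually pivots on (the access-device IP, the user, the application, `result`/`reason`) is only searchable as exact keyword strings, not as an `ip` field that supports CIDR queries and not as ECS `source.ip`/`user.name`. The sample event in this PR bears that out: apart from `event.id` and `url.*` nothing from the payload reaches ECS, there is no `source.*`, `user.*`, `related.ip`/`related.user`, `event.category`/`event.type` or `event.outcome`, so prebuilt ECS-keyed detection rules and the entity views will not see these events even though the denied login from a new country in the sample is exactly what they exist for. The ingest pipeline is not in this view; if it already copies `surfaced_auth.access_device.ip` to `source.ip`, `surfaced_auth.user.name` to `user.name` and `surfaced_auth.result` to `event.outcome`, ignore this, but the sample suggests it does not. Separately, the `state` description has lost its separators and reads `One of statenew or stateprocessed.`; given the sample's `"state": "new"` it should read `One of new or processed.`.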
@@ -0,0 +1,49 @@ +type: logs +title: Cisco Duo trust monitor logs +streams: + - input: cel + enabled: false + vars: + - name: initial_interval + type: text + title: Initial Interval + multi: false + show_user: false + required: true + default: 4320h + description: How far back to pull Trust Monitor logs from the Cisco Duo API. Maximum interval is 180 days (4320 hours). Supported units for this parameter are h/m/s. + - name: limit + type: integer + title: Limit + description: Maximum number of records to fetch on each request. Max is 200. + show_user: false + required: true + default: 50 + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - cisco_duo-trust_monitor + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original` + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + template_path: cel.yml.hbs + title: Cisco Duo Trust Monitor logs + description: Collect Cisco Duo Trust Monitor logs. diff --git a/packages/cisco_duo/data_stream/trust_monitor/sample_event.json b/packages/cisco_duo/data_stream/trust_monitor/sample_event.json new file mode 100644 index 00000000000..448be89c055 --- /dev/null +++ b/packages/cisco_duo/data_stream/trust_monitor/sample_event.json 
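Review bot: The stream `description` and the variable help text say nothing about what the Duo Admin API integration key must be allowed to do, and operators who are not told the minimum tend to hand the key administrator-level grants; Duo gates the Trust Monitor endpoint behind its own read-type Admin API permission (a read-log grant, if I recall the Admin API docs correctly; confirm against the current docs). Suggest making the least-privilege requirement explicit in the manifest, e.g. `description: Collect Cisco Duo Trust Monitor logs. The Admin API application used by this integration only needs read access to Trust Monitor events; do not grant it write or administrator permissions.` Also, `initial_interval` and `limit` both state hard API maximums (180 days, 200) but nothing in the manifest constrains the values; if the CEL program clamps them, say so in the description, otherwise a value above the limit is only rejected at runtime by the API.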
@@ -0,0 +1,116 @@ +{ + "@timestamp": "2020-11-17T08:48:31.680Z", + "agent": { + "ephemeral_id": "6425e1a1-6171-4b20-ba87-65bf63231ef4", + "id": "a2c45cbf-69cf-4bf5-93e2-df91aa0f8eae", + "name": "elastic-agent-51366", + "type": "filebeat", + "version": "8.13.0" + }, + "cisco_duo": { + "trust_monitor": { + "explanations": [ + { + "summary": "amanda_tucker has not logged in from this location recently.", + "type": "NEW_COUNTRY_CODE" + }, + { + "summary": "amanda_tucker has not logged in from this IP recently.", + "type": "NEW_NETBLOCK" + }, + { + "summary": "amanda_tucker has not accessed this application recently.", + "type": "NEW_IKEY" + } + ], + "from_common_netblock": true, + "from_new_user": false, + "low_risk_ip": false, + "priority_event": true, + "priority_reasons": [ + { + "label": "CN", + "type": "country" + } + ], + "sekey": "SEDOR9BP00L23C6YUH5", + "state": "new", + "surfaced_auth": { + "access_device": { + "browser": "Chrome", + "browser_version": "86.0.4240.198", + "epkey": "EP18JX1A10AB102M2T2X", + "ip": "17.88.232.83", + "is_encryption_enabled": "unknown", + "is_firewall_enabled": "unknown", + "is_password_set": "unknown", + "location": { + "city": "Shanghai", + "country": "China", + "state": "Shanghai" + }, + "os": "Windows", + "os_version": "10", + "security_agents": "unknown" + }, + "alias": "unknown", + "application": { + "key": "DIUD2X62LHMPDP00LXS3", + "name": "Microsoft Azure Active Directory" + }, + "factor": "not_available", + "isotimestamp": "2020-11-17T03:19:13.092+00:00", + "reason": "location_restricted", + "result": "denied", + "timestamp": 1605583153, + "txid": "436694ad-467c-4aed-b048-8ad--f58e04c", + "user": { + "groups": [ + "crazy" + ], + "key": "DUN73JE5M92DP00L4ZYS", + "name": "amanda_tucker" + } + }, + "triage_event_uri": "https://admin-xxxxxxxx.duosecurity.com/trust-monitor?sekey=SEDOR9BP00L23C6YUH5", + "triaged_as_interesting": false, + "type": "auth" + } + }, + "data_stream": { + "dataset": "cisco_duo.trust_monitor", + 
"namespace": "54506", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "a2c45cbf-69cf-4bf5-93e2-df91aa0f8eae", + "snapshot": false, + "version": "8.13.0" + }, + "event": { + "agent_id_status": "verified", + "dataset": "cisco_duo.trust_monitor", + "id": "SEDOR9BP00L23C6YUH5", + "ingested": "2024-10-04T07:55:31Z", + "kind": "event", + "original": "{\"explanations\":[{\"summary\":\"amanda_tucker has not logged in from this location recently.\",\"type\":\"NEW_COUNTRY_CODE\"},{\"summary\":\"amanda_tucker has not logged in from this IP recently.\",\"type\":\"NEW_NETBLOCK\"},{\"summary\":\"amanda_tucker has not accessed this application recently.\",\"type\":\"NEW_IKEY\"}],\"from_common_netblock\":true,\"from_new_user\":false,\"low_risk_ip\":false,\"priority_event\":true,\"priority_reasons\":[{\"label\":\"CN\",\"type\":\"country\"}],\"sekey\":\"SEDOR9BP00L23C6YUH5\",\"state\":\"new\",\"state_updated_timestamp\":null,\"surfaced_auth\":{\"access_device\":{\"browser\":\"Chrome\",\"browser_version\":\"86.0.4240.198\",\"epkey\":\"EP18JX1A10AB102M2T2X\",\"flash_version\":null,\"hostname\":null,\"ip\":\"17.88.232.83\",\"is_encryption_enabled\":\"unknown\",\"is_firewall_enabled\":\"unknown\",\"is_password_set\":\"unknown\",\"java_version\":null,\"location\":{\"city\":\"Shanghai\",\"country\":\"China\",\"state\":\"Shanghai\"},\"os\":\"Windows\",\"os_version\":\"10\",\"security_agents\":\"unknown\"},\"alias\":\"unknown\",\"application\":{\"key\":\"DIUD2X62LHMPDP00LXS3\",\"name\":\"Microsoft Azure Active 
Directory\"},\"auth_device\":{\"ip\":null,\"key\":null,\"location\":{\"city\":null,\"country\":null,\"state\":null},\"name\":null},\"email\":\"\",\"event_type\":null,\"factor\":\"not_available\",\"isotimestamp\":\"2020-11-17T03:19:13.092+00:00\",\"ood_software\":\"\",\"reason\":\"location_restricted\",\"result\":\"denied\",\"timestamp\":1605583153,\"trusted_endpoint_status\":null,\"txid\":\"436694ad-467c-4aed-b048-8ad--f58e04c\",\"user\":{\"groups\":[\"crazy\"],\"key\":\"DUN73JE5M92DP00L4ZYS\",\"name\":\"amanda_tucker\"}},\"surfaced_timestamp\":1605602911680,\"triage_event_uri\":\"https://admin-xxxxxxxx.duosecurity.com/trust-monitor?sekey=SEDOR9BP00L23C6YUH5\",\"triaged_as_interesting\":false,\"type\":\"auth\"}" + }, + "input": { + "type": "cel" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "cisco_duo-trust_monitor" + ], + "url": { + "domain": "admin-xxxxxxxx.duosecurity.com", + "original": "https://admin-xxxxxxxx.duosecurity.com/trust-monitor?sekey=SEDOR9BP00L23C6YUH5", + "path": "/trust-monitor", + "query": "sekey=SEDOR9BP00L23C6YUH5", + "scheme": "https" + } +} \ No newline at end of file diff --git a/packages/cisco_duo/docs/README.md b/packages/cisco_duo/docs/README.md index 725d27e4f19..95780f85299 100644 --- a/packages/cisco_duo/docs/README.md +++ b/packages/cisco_duo/docs/README.md @@ -28,6 +28,7 @@ The Cisco Duo integration collects logs for the following types of events. - [**Summary**](https://duo.com/docs/adminapi#retrieve-summary) - [**Telephony Logs**](https://duo.com/docs/adminapi#telephony-logs) - [**Telephony Logs (legacy)**](https://duo.com/docs/adminapi#telephony-logs-(legacy-v1)) +- [**Trust Monitor**](https://duo.com/docs/adminapi#trust-monitor) ## V2 Handlers 
@@ -676,3 +677,166 @@ An example event for `telephony_v2` looks as following: | input.type | Input type | keyword | | log.offset | Log offset | long | + +### Trust Monitor + +This is the `trust_monitor` dataset. + +An example event for `trust_monitor` looks as following: + +```json +{ + "@timestamp": "2020-11-17T08:48:31.680Z", + "agent": { + "ephemeral_id": "6425e1a1-6171-4b20-ba87-65bf63231ef4", + "id": "a2c45cbf-69cf-4bf5-93e2-df91aa0f8eae", + "name": "elastic-agent-51366", + "type": "filebeat", + "version": "8.13.0" + }, + "cisco_duo": { + "trust_monitor": { + "explanations": [ + { + "summary": "amanda_tucker has not logged in from this location recently.", + "type": "NEW_COUNTRY_CODE" + }, + { + "summary": "amanda_tucker has not logged in from this IP recently.", + "type": "NEW_NETBLOCK" + }, + { + "summary": "amanda_tucker has not accessed this application recently.", + "type": "NEW_IKEY" + } + ], + "from_common_netblock": true, + "from_new_user": false, + "low_risk_ip": false, + "priority_event": true, + "priority_reasons": [ + { + "label": "CN", + "type": "country" + } + ], + "sekey": "SEDOR9BP00L23C6YUH5", + "state": "new", + "surfaced_auth": { + "access_device": { + "browser": "Chrome", + "browser_version": "86.0.4240.198", + "epkey": "EP18JX1A10AB102M2T2X", + "ip": "17.88.232.83", + "is_encryption_enabled": "unknown", + "is_firewall_enabled": "unknown", + "is_password_set": "unknown", + "location": { + "city": "Shanghai", + "country": "China", + "state": "Shanghai" + }, + "os": "Windows", + "os_version": "10", + "security_agents": "unknown" + }, + "alias": "unknown", + "application": { + "key": "DIUD2X62LHMPDP00LXS3", + "name": "Microsoft Azure Active Directory" + }, + "factor": "not_available", + "isotimestamp": "2020-11-17T03:19:13.092+00:00", + "reason": "location_restricted", + "result": "denied", + "timestamp": 1605583153, + "txid": "436694ad-467c-4aed-b048-8ad--f58e04c", + "user": { + "groups": [ + "crazy" + ], + "key": "DUN73JE5M92DP00L4ZYS", + 
"name": "amanda_tucker" + } + }, + "triage_event_uri": "https://admin-xxxxxxxx.duosecurity.com/trust-monitor?sekey=SEDOR9BP00L23C6YUH5", + "triaged_as_interesting": false, + "type": "auth" + } + }, + "data_stream": { + "dataset": "cisco_duo.trust_monitor", + "namespace": "54506", + "type": "logs" + }, + "ecs": { + "version": "8.11.0" + }, + "elastic_agent": { + "id": "a2c45cbf-69cf-4bf5-93e2-df91aa0f8eae", + "snapshot": false, + "version": "8.13.0" + }, + "event": { + "agent_id_status": "verified", + "dataset": "cisco_duo.trust_monitor", + "id": "SEDOR9BP00L23C6YUH5", + "ingested": "2024-10-04T07:55:31Z", + "kind": "event", + "original": "{\"explanations\":[{\"summary\":\"amanda_tucker has not logged in from this location recently.\",\"type\":\"NEW_COUNTRY_CODE\"},{\"summary\":\"amanda_tucker has not logged in from this IP recently.\",\"type\":\"NEW_NETBLOCK\"},{\"summary\":\"amanda_tucker has not accessed this application recently.\",\"type\":\"NEW_IKEY\"}],\"from_common_netblock\":true,\"from_new_user\":false,\"low_risk_ip\":false,\"priority_event\":true,\"priority_reasons\":[{\"label\":\"CN\",\"type\":\"country\"}],\"sekey\":\"SEDOR9BP00L23C6YUH5\",\"state\":\"new\",\"state_updated_timestamp\":null,\"surfaced_auth\":{\"access_device\":{\"browser\":\"Chrome\",\"browser_version\":\"86.0.4240.198\",\"epkey\":\"EP18JX1A10AB102M2T2X\",\"flash_version\":null,\"hostname\":null,\"ip\":\"17.88.232.83\",\"is_encryption_enabled\":\"unknown\",\"is_firewall_enabled\":\"unknown\",\"is_password_set\":\"unknown\",\"java_version\":null,\"location\":{\"city\":\"Shanghai\",\"country\":\"China\",\"state\":\"Shanghai\"},\"os\":\"Windows\",\"os_version\":\"10\",\"security_agents\":\"unknown\"},\"alias\":\"unknown\",\"application\":{\"key\":\"DIUD2X62LHMPDP00LXS3\",\"name\":\"Microsoft Azure Active 
Directory\"},\"auth_device\":{\"ip\":null,\"key\":null,\"location\":{\"city\":null,\"country\":null,\"state\":null},\"name\":null},\"email\":\"\",\"event_type\":null,\"factor\":\"not_available\",\"isotimestamp\":\"2020-11-17T03:19:13.092+00:00\",\"ood_software\":\"\",\"reason\":\"location_restricted\",\"result\":\"denied\",\"timestamp\":1605583153,\"trusted_endpoint_status\":null,\"txid\":\"436694ad-467c-4aed-b048-8ad--f58e04c\",\"user\":{\"groups\":[\"crazy\"],\"key\":\"DUN73JE5M92DP00L4ZYS\",\"name\":\"amanda_tucker\"}},\"surfaced_timestamp\":1605602911680,\"triage_event_uri\":\"https://admin-xxxxxxxx.duosecurity.com/trust-monitor?sekey=SEDOR9BP00L23C6YUH5\",\"triaged_as_interesting\":false,\"type\":\"auth\"}" + }, + "input": { + "type": "cel" + }, + "tags": [ + "preserve_original_event", + "forwarded", + "cisco_duo-trust_monitor" + ], + "url": { + "domain": "admin-xxxxxxxx.duosecurity.com", + "original": "https://admin-xxxxxxxx.duosecurity.com/trust-monitor?sekey=SEDOR9BP00L23C6YUH5", + "path": "/trust-monitor", + "query": "sekey=SEDOR9BP00L23C6YUH5", + "scheme": "https" + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cisco_duo.trust_monitor.bypass_status_enabled | The Unix timestamp in milliseconds when bypass status was enabled for the user or group. Returned for events with type=bypass_status. | long | +| cisco_duo.trust_monitor.enabled_by.key | Key of the application or the administrator that enabled bypass status. Returned for events with type=bypass_status. | keyword | +| cisco_duo.trust_monitor.enabled_by.name | Name of the application or the administrator that enabled bypass status. Returned for events with type=bypass_status. | keyword | +| cisco_duo.trust_monitor.enabled_for.key | Key of the user or group with bypass status. Returned for events with type=bypass_status. | keyword | +| cisco_duo.trust_monitor.enabled_for.name | Name of the user or group with bypass status. 
Returned for events with type=bypass_status. | keyword | +| cisco_duo.trust_monitor.explanations.summary | Description of why Trust Monitor surfaced the event. | keyword | +| cisco_duo.trust_monitor.explanations.type | Type of reason why Trust Monitor surfaced the event. | keyword | +| cisco_duo.trust_monitor.from_common_netblock | A boolean describing if this event was created from a common IP netblock. Returned for events with type=auth. | boolean | +| cisco_duo.trust_monitor.from_new_user | A boolean describing if this event was created for a new user. Returned for events with type=auth or type=device_registration. | boolean | +| cisco_duo.trust_monitor.low_risk_ip | A boolean describing if this event was created from an IP address identified in the Risk Profile configuration as a low risk IP address. Returned for events with type=auth. | boolean | +| cisco_duo.trust_monitor.priority_event | A boolean describing if the event matches the Risk Profile configuration. | boolean | +| cisco_duo.trust_monitor.priority_reasons.label | The label of the priority reason describing how the event matches the Trust Monitor Risk Profile configuration for the event's match. Returned for events with type=auth or type=device_registration. | keyword | +| cisco_duo.trust_monitor.priority_reasons.type | The type of priority reason describing how the event matches the Trust Monitor Risk Profile configuration for the event's match. Returned for events with type=auth or type=device_registration. | keyword | +| cisco_duo.trust_monitor.sekey | The unique identifier for this event as a 20 character string. This is unique across all different event types. | keyword | +| cisco_duo.trust_monitor.state | A string describing the state of the event. One of statenew or stateprocessed. | keyword | +| cisco_duo.trust_monitor.state_updated_timestamp | The Unix timestamp in milliseconds of the last change to the state of the event. 
| long | +| cisco_duo.trust_monitor.surfaced_auth | An object which represents the actual authentication. Returned for events with type=auth. | flattened | +| cisco_duo.trust_monitor.triage_event_uri | A string representing the URI of the security event, which a Duo administrator can use to view and process the surfaced event in the Duo Admin Panel. Returned for events with type=auth. | keyword | +| cisco_duo.trust_monitor.triaged_as_interesting | A boolean describing if this event was triaged as being interesting or not interesting. | boolean | +| cisco_duo.trust_monitor.type | The type of event, as a string. One of auth, bypass_status, or device_registration. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| event.dataset | Event dataset | constant_keyword | +| event.module | Event module | constant_keyword | +| host.containerized | If the host is a container. | boolean | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| input.type | Input type | keyword | +| log.offset | Log offset | long | + diff --git a/packages/cisco_duo/img/dashboard-trust-monitor.png b/packages/cisco_duo/img/dashboard-trust-monitor.png new file mode 100644 index 00000000000..f9176e51983 Binary files /dev/null and b/packages/cisco_duo/img/dashboard-trust-monitor.png differ diff --git a/packages/cisco_duo/kibana/dashboard/cisco_duo-0607d4a3-5322-41c1-b8fa-f0d29bcc2757.json b/packages/cisco_duo/kibana/dashboard/cisco_duo-0607d4a3-5322-41c1-b8fa-f0d29bcc2757.json new file mode 100644 index 00000000000..14aa7245262 --- /dev/null +++ b/packages/cisco_duo/kibana/dashboard/cisco_duo-0607d4a3-5322-41c1-b8fa-f0d29bcc2757.json 
@@ -0,0 +1,998 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": { + "ignoreFilters": false, + "ignoreQuery": false, + "ignoreTimerange": false, + "ignoreValidations": false + }, + "panelsJSON": { + "0c54f1bd-a9ff-431f-9c17-60b564c40208": { + "explicitInput": { + "enhancements": {}, + "fieldName": "cisco_duo.trust_monitor.priority_event", + "grow": true, + "id": "0c54f1bd-a9ff-431f-9c17-60b564c40208", + "title": "Priority event", + "width": "medium" + }, + "grow": true, + "order": 1, + "type": "optionsListControl", + "width": "medium" + }, + "9b8e4d2e-7da5-41c7-bfa9-35e024055d94": { + "explicitInput": { + "enhancements": {}, + "fieldName": "cisco_duo.trust_monitor.triaged_as_interesting", + "grow": true, + "id": "9b8e4d2e-7da5-41c7-bfa9-35e024055d94", + "title": "Triaged as interesting", + "width": "medium" + }, + "grow": true, + "order": 2, + "type": "optionsListControl", + "width": "medium" + }, + "f97378eb-4a9f-47dc-8402-9fd7e7be4a8c": { + "explicitInput": { + "enhancements": {}, + "fieldName": "cisco_duo.trust_monitor.type", + "grow": true, + "id": "f97378eb-4a9f-47dc-8402-9fd7e7be4a8c", + "searchTechnique": "prefix", + "title": "Event type", + "width": "medium" + }, + "grow": true, + "order": 0, + "type": "optionsListControl", + "width": "medium" + } + } + }, + "description": "This dashboard shows trust monitor logs collected by the Cisco Duo integration.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "cisco_duo.trust_monitor" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "cisco_duo.trust_monitor" + } + } + } + ], + "query": 
{ + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": true, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-2895cd64-3005-4aa0-8806-aebfcec6337b", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "2895cd64-3005-4aa0-8806-aebfcec6337b": { + "columnOrder": [ + "9e1f961e-ec9b-4d87-b039-aee519938af0", + "df5605f4-cf9a-4300-a04e-0d27bd93403c" + ], + "columns": { + "9e1f961e-ec9b-4d87-b039-aee519938af0": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Event type", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "df5605f4-cf9a-4300-a04e-0d27bd93403c", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "cisco_duo.trust_monitor.type" + }, + "df5605f4-cf9a-4300-a04e-0d27bd93403c": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*" + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "2895cd64-3005-4aa0-8806-aebfcec6337b", + "layerType": "data", + "legendDisplay": 
"show", + "legendSize": "auto", + "metrics": [ + "df5605f4-cf9a-4300-a04e-0d27bd93403c" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "9e1f961e-ec9b-4d87-b039-aee519938af0" + ] + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "594c7f06-72c0-49a6-ba6c-54ff02003711", + "w": 16, + "x": 0, + "y": 0 + }, + "panelIndex": "594c7f06-72c0-49a6-ba6c-54ff02003711", + "title": "[Cisco Duo] Trust Monitor Events by Type", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-630bc72b-cd44-4c27-ba08-eb9bca4e3d58", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": { + "tsvb_ad_hoc_logs-*/@timestamp": { + "allowNoIndex": false, + "fieldAttrs": {}, + "fieldFormats": {}, + "id": "tsvb_ad_hoc_logs-*/@timestamp", + "name": "logs-*", + "runtimeFieldMap": {}, + "sourceFilters": [], + "timeFieldName": "@timestamp", + "title": "logs-*" + } + }, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "630bc72b-cd44-4c27-ba08-eb9bca4e3d58": { + "columnOrder": [ + "54965273-7ff5-4a94-a522-5ffb735a0e17", + "17e266b8-6643-4571-95cd-4314c2bdc4a4", + "d5f7518a-47ce-40fc-a0fe-6cd0b3e316d2" + ], + "columns": { + "17e266b8-6643-4571-95cd-4314c2bdc4a4": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "54965273-7ff5-4a94-a522-5ffb735a0e17": { + "dataType": "string", + "isBucketed": true, + "label": "Top 3 values of cisco_duo.trust_monitor.type", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": 
false, + "missingBucket": false, + "orderBy": { + "columnId": "d5f7518a-47ce-40fc-a0fe-6cd0b3e316d2", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 3 + }, + "scale": "ordinal", + "sourceField": "cisco_duo.trust_monitor.type" + }, + "d5f7518a-47ce-40fc-a0fe-6cd0b3e316d2": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Events", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*" + } + } + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [ + { + "id": "tsvb_ad_hoc_logs-*/@timestamp", + "name": "indexpattern-datasource-layer-630bc72b-cd44-4c27-ba08-eb9bca4e3d58", + "type": "index-pattern" + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fillOpacity": 0.5, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "d5f7518a-47ce-40fc-a0fe-6cd0b3e316d2" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "630bc72b-cd44-4c27-ba08-eb9bca4e3d58", + "layerType": "data", + "palette": { + "name": "default", + "type": "palette" + }, + "seriesType": "bar_stacked", + "splitAccessor": "54965273-7ff5-4a94-a522-5ffb735a0e17", + "xAccessor": "17e266b8-6643-4571-95cd-4314c2bdc4a4", + "yConfig": [ + { + "axisMode": "left", + "color": "#6092c0", + "forAccessor": 
"d5f7518a-47ce-40fc-a0fe-6cd0b3e316d2" + } + ] + } + ], + "legend": { + "isVisible": true, + "maxLines": 1, + "position": "right", + "shouldTruncate": true, + "showSingleSeries": true + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide", + "yLeftExtent": { + "mode": "full" + }, + "yLeftScale": "linear", + "yRightExtent": { + "mode": "full" + }, + "yRightScale": "linear" + } + }, + "title": "[Cisco Duo] Remaining telephony credits over time (converted)", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "509be40d-6f13-41ee-9d43-ce2cd844532c", + "w": 32, + "x": 16, + "y": 0 + }, + "panelIndex": "509be40d-6f13-41ee-9d43-ce2cd844532c", + "title": "[Cisco Duo] Trust Monitor Events Over Time", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "Top 10 reasons why Trust Monitor surfaced the event.", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-7224da0b-df83-4990-91b5-c506ce7793e5", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "7224da0b-df83-4990-91b5-c506ce7793e5": { + "columnOrder": [ + "c936e7bc-b258-4172-b5f8-e6a41231c7c4", + "03c4edda-8092-499a-b581-5b19d81c7b12" + ], + "columns": { + "03c4edda-8092-499a-b581-5b19d81c7b12": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "c936e7bc-b258-4172-b5f8-e6a41231c7c4": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Explanation type", + "operationType": "terms", + "params": { + "accuracyMode": false, + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": 
false, + "missingBucket": false, + "orderBy": { + "columnId": "03c4edda-8092-499a-b581-5b19d81c7b12", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "cisco_duo.trust_monitor.explanations.type" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "03c4edda-8092-499a-b581-5b19d81c7b12", + "isMetric": true, + "isTransposed": false + }, + { + "alignment": "left", + "columnId": "c936e7bc-b258-4172-b5f8-e6a41231c7c4", + "hidden": false, + "isMetric": false, + "isTransposed": false, + "oneClickFilter": true, + "width": 339 + } + ], + "headerRowHeight": "single", + "headerRowHeightLines": 1, + "layerId": "7224da0b-df83-4990-91b5-c506ce7793e5", + "layerType": "data", + "paging": { + "enabled": true, + "size": 10 + }, + "rowHeight": "single", + "rowHeightLines": 1 + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "description": "Top 10 reasons why Trust Monitor surfaced the event.", + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "2fd13350-3236-47a9-8815-7355270558d1", + "w": 12, + "x": 0, + "y": 15 + }, + "panelIndex": "2fd13350-3236-47a9-8815-7355270558d1", + "title": "[Cisco Duo] Top 10 Explanations", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-7224da0b-df83-4990-91b5-c506ce7793e5", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "7224da0b-df83-4990-91b5-c506ce7793e5": { + "columnOrder": [ + 
"c936e7bc-b258-4172-b5f8-e6a41231c7c4", + "03c4edda-8092-499a-b581-5b19d81c7b12" + ], + "columns": { + "03c4edda-8092-499a-b581-5b19d81c7b12": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "c936e7bc-b258-4172-b5f8-e6a41231c7c4": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Event URI", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "03c4edda-8092-499a-b581-5b19d81c7b12", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "cisco_duo.trust_monitor.triage_event_uri" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "03c4edda-8092-499a-b581-5b19d81c7b12", + "isMetric": true, + "isTransposed": false + }, + { + "columnId": "c936e7bc-b258-4172-b5f8-e6a41231c7c4", + "isMetric": false, + "isTransposed": false, + "oneClickFilter": true, + "width": 318 + } + ], + "layerId": "7224da0b-df83-4990-91b5-c506ce7793e5", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "cb633267-a52a-4044-95e6-3e8c2683539c", + "w": 12, + "x": 12, + "y": 15 + }, + "panelIndex": "cb633267-a52a-4044-95e6-3e8c2683539c", + "title": "[Cisco Duo] Top 10 Event URI Count", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + 
"description": "Top 10 names of the application or the administrator that enabled bypass status.", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-7224da0b-df83-4990-91b5-c506ce7793e5", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "7224da0b-df83-4990-91b5-c506ce7793e5": { + "columnOrder": [ + "c936e7bc-b258-4172-b5f8-e6a41231c7c4", + "03c4edda-8092-499a-b581-5b19d81c7b12" + ], + "columns": { + "03c4edda-8092-499a-b581-5b19d81c7b12": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "c936e7bc-b258-4172-b5f8-e6a41231c7c4": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Enabled by (name)", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "03c4edda-8092-499a-b581-5b19d81c7b12", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "cisco_duo.trust_monitor.enabled_by.name" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "03c4edda-8092-499a-b581-5b19d81c7b12", + "isMetric": true, + "isTransposed": false + }, + { + "columnId": "c936e7bc-b258-4172-b5f8-e6a41231c7c4", + "isMetric": false, + "isTransposed": false, + "oneClickFilter": true, + "width": 343 + } + ], + "layerId": 
"7224da0b-df83-4990-91b5-c506ce7793e5", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "description": "Top 10 names of the application or the administrator that enabled bypass status.", + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "f3930c0e-145f-4bdc-95f8-b9724d4405cc", + "w": 12, + "x": 24, + "y": 15 + }, + "panelIndex": "f3930c0e-145f-4bdc-95f8-b9724d4405cc", + "title": "[Cisco Duo] Top 10 Names (Enabled By)", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "description": "Top 10 names of the user or group with bypass status.", + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-7224da0b-df83-4990-91b5-c506ce7793e5", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "7224da0b-df83-4990-91b5-c506ce7793e5": { + "columnOrder": [ + "c936e7bc-b258-4172-b5f8-e6a41231c7c4", + "03c4edda-8092-499a-b581-5b19d81c7b12" + ], + "columns": { + "03c4edda-8092-499a-b581-5b19d81c7b12": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "c936e7bc-b258-4172-b5f8-e6a41231c7c4": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Enabled for (name)", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "03c4edda-8092-499a-b581-5b19d81c7b12", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "cisco_duo.trust_monitor.enabled_for.name" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + 
"sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "03c4edda-8092-499a-b581-5b19d81c7b12", + "isMetric": true, + "isTransposed": false + }, + { + "columnId": "c936e7bc-b258-4172-b5f8-e6a41231c7c4", + "isMetric": false, + "isTransposed": false, + "oneClickFilter": true, + "width": 291 + } + ], + "layerId": "7224da0b-df83-4990-91b5-c506ce7793e5", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "description": "Top 10 names of the user or group with bypass status.", + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "ab94cb3c-3cb1-4b9e-8ca3-3dba69a16854", + "w": 12, + "x": 36, + "y": 15 + }, + "panelIndex": "ab94cb3c-3cb1-4b9e-8ca3-3dba69a16854", + "title": "[Cisco Duo] Top 10 Names (Enabled For)", + "type": "lens" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 18, + "i": "33ee9a94-a532-4445-a7f2-0c56c9209445", + "w": 48, + "x": 0, + "y": 30 + }, + "panelIndex": "33ee9a94-a532-4445-a7f2-0c56c9209445", + "panelRefName": "panel_33ee9a94-a532-4445-a7f2-0c56c9209445", + "type": "search" + } + ], + "timeRestore": false, + "title": "[Logs Cisco Duo] Trust Monitor", + "version": 2 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-10-04T07:38:56.056Z", + "id": "cisco_duo-0607d4a3-5322-41c1-b8fa-f0d29bcc2757", + "managed": false, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "594c7f06-72c0-49a6-ba6c-54ff02003711:indexpattern-datasource-layer-2895cd64-3005-4aa0-8806-aebfcec6337b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"509be40d-6f13-41ee-9d43-ce2cd844532c:indexpattern-datasource-layer-630bc72b-cd44-4c27-ba08-eb9bca4e3d58", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "2fd13350-3236-47a9-8815-7355270558d1:indexpattern-datasource-layer-7224da0b-df83-4990-91b5-c506ce7793e5", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "cb633267-a52a-4044-95e6-3e8c2683539c:indexpattern-datasource-layer-7224da0b-df83-4990-91b5-c506ce7793e5", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f3930c0e-145f-4bdc-95f8-b9724d4405cc:indexpattern-datasource-layer-7224da0b-df83-4990-91b5-c506ce7793e5", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ab94cb3c-3cb1-4b9e-8ca3-3dba69a16854:indexpattern-datasource-layer-7224da0b-df83-4990-91b5-c506ce7793e5", + "type": "index-pattern" + }, + { + "id": "cisco_duo-64869c89-8c44-4644-a84a-9815c0fddba0", + "name": "33ee9a94-a532-4445-a7f2-0c56c9209445:panel_33ee9a94-a532-4445-a7f2-0c56c9209445", + "type": "search" + }, + { + "id": "logs-*", + "name": "controlGroup_f97378eb-4a9f-47dc-8402-9fd7e7be4a8c:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_0c54f1bd-a9ff-431f-9c17-60b564c40208:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_9b8e4d2e-7da5-41c7-bfa9-35e024055d94:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "cisco_duo-security-solution-default", + "name": "tag-ref-cisco_duo-security-solution-default", + "type": "tag" + } + ], + "type": "dashboard", + "typeMigrationVersion": "8.9.0" +} \ No newline at end of file diff --git a/packages/cisco_duo/kibana/search/cisco_duo-64869c89-8c44-4644-a84a-9815c0fddba0.json b/packages/cisco_duo/kibana/search/cisco_duo-64869c89-8c44-4644-a84a-9815c0fddba0.json new file mode 100644 index 00000000000..87f724b7feb --- /dev/null +++ b/packages/cisco_duo/kibana/search/cisco_duo-64869c89-8c44-4644-a84a-9815c0fddba0.json 
@@ -0,0 +1,74 @@
+{
+ "attributes": {
+ "columns": [
+ "cisco_duo.trust_monitor.type",
+ "cisco_duo.trust_monitor.sekey",
+ "cisco_duo.trust_monitor.explanations.type",
+ "cisco_duo.trust_monitor.state"
+ ],
+ "description": "",
+ "grid": {},
+ "hideChart": false,
+ "isTextBasedQuery": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "cisco_duo.trust_monitor"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "cisco_duo.trust_monitor"
+ }
+ }
+ }
+ ],
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": "data_stream.dataset : \"cisco_duo.trust_monitor\""
+ }
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "timeRestore": false,
+ "title": "[Cisco Duo] Trust Monitor Search",
+ "usesAdHocDataView": false
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2024-10-04T07:37:56.237Z",
+ "id": "cisco_duo-64869c89-8c44-4644-a84a-9815c0fddba0",
+ "managed": false,
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "search",
+ "typeMigrationVersion": "10.2.0"
+}
\ No newline at end of file
diff --git a/packages/cisco_duo/kibana/tag/cisco_duo-security-solution-default.json b/packages/cisco_duo/kibana/tag/cisco_duo-security-solution-default.json
index 53fed78ee01..ea7d8ddbc95 100644
--- a/packages/cisco_duo/kibana/tag/cisco_duo-security-solution-default.json
+++ b/packages/cisco_duo/kibana/tag/cisco_duo-security-solution-default.json
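Review bot: The saved search has an empty `description` and its `columns` list stops at type, sekey, explanation type and state, so the Discover panel at the bottom of the Trust Monitor dashboard does not show whether Duo flagged the event as a priority event or which user and source IP the surfaced authentication concerns — the two things an analyst looks at first when triaging. Duo's Trust Monitor API exposes a priority flag and the surfaced authentication's access device; if the ingest pipeline maps those under `cisco_duo.trust_monitor.*` (confirm against the data stream's field definitions), add them to `columns` so events can be triaged without opening each document. Also fill the description, e.g. `"description": "Cisco Duo Trust Monitor events (data_stream.dataset: cisco_duo.trust_monitor), newest first."`, since this search is referenced from the dashboard and an empty description is what users see when they open it from the saved-objects list. The `filter` entry and the KQL `query` both pin `data_stream.dataset` to the same value, which is redundant but harmless; one of them could be dropped for clarity.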
@@ -5,7 +5,7 @@
 "name": "Security Solution"
 },
 "coreMigrationVersion": "8.8.0",
- "created_at": "2024-09-20T13:51:50.048Z",
+ "created_at": "2024-10-04T07:09:27.379Z",
 "id": "cisco_duo-security-solution-default",
 "managed": true,
 "references": [],
diff --git a/packages/cisco_duo/manifest.yml b/packages/cisco_duo/manifest.yml
index a78f9b9d092..159e751925c 100644
--- a/packages/cisco_duo/manifest.yml
+++ b/packages/cisco_duo/manifest.yml
@@ -1,7 +1,7 @@
 format_version: "3.0.2"
 name: cisco_duo
 title: Cisco Duo
-version: "2.0.5"
+version: "2.1.0"
 description: Collect logs from Cisco Duo with Elastic Agent.
 type: integration
 categories:
@@ -11,6 +11,10 @@ conditions:
 kibana:
 version: "^8.13.0"
 screenshots:
+ - src: /img/dashboard-trust-monitor.png
+ title: Cisco Duo trust monitor logs dashboard
+ size: 1850x948
+ type: image/png
 - src: /img/dashboard-telephony.png
 title: Cisco Duo administrator logs dashboard
 size: 1850x948
@@ -126,7 +130,7 @@ policy_templates:
 show_user: false
 description: The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-httpjson.html#_request_tracer_filename) for details.
 title: Collect Cisco Duo logs via API v2
- description: Collect Cisco Duo Authentication, and Telephony logs
+ description: Collect Cisco Duo Authentication, Telephony and Trust Monitor logs
 owner:
 github: elastic/security-service-integrations
 type: elastic
diff --git a/packages/cisco_duo/validation.yml b/packages/cisco_duo/validation.yml
new file mode 100644
index 00000000000..1189aa63c89
--- /dev/null
+++ b/packages/cisco_duo/validation.yml
@@ -0,0 +1,3 @@
+errors:
+ exclude_checks:
+ - SVR00004 # References in dashboards.
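Review bot: The new validation.yml turns off package-spec check SVR00004 for the whole cisco_duo package, and the comment `# References in dashboards.` says neither why the check fails nor when the exclusion can be lifted. The Lens panels in the Trust Monitor dashboard added by this change carry `"id": "logs-*", "type": "index-pattern"` references, which appears to be what the check is flagging, so the exclusion suppresses the finding instead of fixing the panels, and because it is package-wide it will also silence the check for every dashboard added to cisco_duo in the future. At minimum make the reason and exit condition explicit, e.g. `- SVR00004 # Trust Monitor dashboard Lens panels still reference the logs-* index pattern (kibana/dashboard/cisco_duo-0607d4a3-5322-41c1-b8fa-f0d29bcc2757.json); remove this exclusion once those references are dropped.`, and consider tracking the removal in an issue so the suppression does not become permanent.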