[eset_protect] Update grant type to password (#9600)
As per https://eu.esetconnect.eset.systems/swagger/

    Grant type client_credentials is deprecated and will be removed on Apr 15th 2024
janvi-elastic authored Apr 18, 2024
1 parent 9817e96 commit cdeaa8a
Showing 9 changed files with 67 additions and 56 deletions.
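--- a/packages/eset_protect/changelog.yml
+++ b/packages/eset_protect/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.5.0"
+  changes:
+    - description: Update OAuth grant type to password because ESET is deprecating the client_credentials grant type.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/9600
 - version: "0.4.0"
   changes:
     - description: Lowercase related hash and indicator hash to support indicator rule matching. Fixed grok parse error when object_uri equals 'script'.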
Expand Up @@ -15,8 +15,11 @@ resource.timeout: {{http_client_timeout}}
{{/if}}
resource.url: https://{{region}}.incident-management.eset.systems
auth.oauth2:
client.id: {{username}}
client.secret: {{password}}
client.id: ' '
client.secret: ' '
# Client Credentials are required in the password grant type due to an oversight in the token authentication logic. This issue is set to be resolved in version 8.14.0.
user: {{escape_string username}}
password: {{escape_string password}}
token_url: https://{{region}}.business-account.iam.eset.systems/oauth/token
state:
page_size: {{batch_size}}
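Review bot: The blank `client.id: ' '` / `client.secret: ' '` placeholders on lines 37-38 are a workaround with no removal trigger, so they are likely to outlive the bug they paper over; the comment on line 39 names a version but not the component, and should say what to do when that release lands, e.g. `# TODO: drop the blank client.id/client.secret once the input no longer requires client credentials for the password grant (fix stated as 8.14.0; confirm which component).` The blank values are presumably still sent as client authentication on every request to token_url, so it is worth confirming with ESET that an empty client identity stays accepted rather than being rejected later without notice. The same auth block is duplicated in the automation data stream's template; keep the two in step when the placeholders are removed.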
8 changes: 4 additions & 4 deletions packages/eset_protect/data_stream/detection/sample_event.json
@@ -1,8 +1,8 @@
{
"@timestamp": "2023-10-26T13:36:53.000Z",
"agent": {
"ephemeral_id": "96cc7ee0-ede2-46a4-9b0e-4104dead04cc",
"id": "78166295-0693-4726-a27f-cd8722896c22",
"ephemeral_id": "a2da59f5-382d-41e2-be5e-0b06df998911",
"id": "930b36c5-0fd6-41c4-83bc-d8547e3fa880",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.12.0"
Expand Down Expand Up @@ -38,7 +38,7 @@
"version": "8.11.0"
},
"elastic_agent": {
"id": "78166295-0693-4726-a27f-cd8722896c22",
"id": "930b36c5-0fd6-41c4-83bc-d8547e3fa880",
"snapshot": false,
"version": "8.12.0"
},
Expand Down Expand Up @@ -75,7 +75,7 @@
"intrusion_detection"
],
"dataset": "eset_protect.detection",
"ingested": "2024-03-18T21:48:09Z",
"ingested": "2024-04-16T05:41:07Z",
"kind": "alert",
"original": "{\"category\":\"DETECTION_CATEGORY_NETWORK_INTRUSION\",\"context\":{\"circumstances\":\"Eicar\",\"deviceUuid\":\"xxx-xxxx-1234-5678-xxxxxxxxxxxx\",\"process\":{\"path\":\"C:\\\\Windows\\\\chrome.exe\"},\"userName\":\"testingpc\\\\example\"},\"networkCommunication\":{\"protocolName\":\"0\",\"remoteIpAddress\":\"89.160.20.112\",\"remotePort\":443},\"objectHashSha1\":\"AAF4C61DDCC5E8A2DABEDE0F3B4820123456789D\",\"objectTypeName\":\"File\",\"objectUrl\":\"C:\\\\Temp\\\\06516f11-xxxx-xxxx-xxxx-37da66b5de99_ccf7464ba6e2e12e984514f694bfb10d03de77358d8a3afd7a2ffed150ec1df8.zip.e99\\\\ccf7464ba6e2e12e984514f694bfb10d03de77358d8a3afd7a2ffed150ec1df8\",\"occurTime\":\"2023-10-26T13:36:53Z\",\"responses\":[{}],\"severityLevel\":\"SEVERITY_LEVEL_MEDIUM\",\"typeName\":\"TCP Port scanning attack\",\"uuid\":\"xxx-xxxx-xxxx-1234-xxxxxxxxxxxx\"}",
"type": [
Expand Up @@ -15,8 +15,11 @@ resource.timeout: {{http_client_timeout}}
{{/if}}
resource.url: https://{{region}}.automation.eset.systems
auth.oauth2:
client.id: {{username}}
client.secret: {{password}}
client.id: ' '
client.secret: ' '
# Client Credentials are required in the password grant type due to an oversight in the token authentication logic. This issue is set to be resolved in version 8.14.0.
user: {{escape_string username}}
password: {{escape_string password}}
token_url: https://{{region}}.business-account.iam.eset.systems/oauth/token
state:
page_size: {{batch_size}}
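Review bot: Switching to the password grant means `user`/`password` on lines 88-89 now carry a real ESET Business Account login rather than a revocable, scoped client credential, and nothing in this template or the visible README warns operators of that. Add a note above the auth block such as `# The password grant authenticates as an ESET Business Account user: use a dedicated account with the least privilege ESET allows for this API, and expect MFA-enabled accounts not to work with this grant.` — the MFA limitation is inferred from how resource-owner password grants generally behave and should be confirmed against ESET's token endpoint. Passing `{{username}}`/`{{password}}` through `escape_string` is the right call; `{{region}}` in token_url on line 90 is still interpolated raw, which is only safe if the policy template restricts region to a fixed option list (not visible here).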
14 changes: 7 additions & 7 deletions packages/eset_protect/data_stream/device_task/sample_event.json
@@ -1,11 +1,11 @@
{
"@timestamp": "2024-03-27T16:00:29.582Z",
"@timestamp": "2024-04-16T05:41:49.641Z",
"agent": {
"ephemeral_id": "c5a8ca66-614e-438e-b69a-9e12cb12aa7d",
"id": "e270d8a1-0a98-417c-a79f-840c446ad79a",
"ephemeral_id": "a2da59f5-382d-41e2-be5e-0b06df998911",
"id": "930b36c5-0fd6-41c4-83bc-d8547e3fa880",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.12.2"
"version": "8.12.0"
},
"data_stream": {
"dataset": "eset_protect.device_task",
Expand All @@ -16,9 +16,9 @@
"version": "8.11.0"
},
"elastic_agent": {
"id": "e270d8a1-0a98-417c-a79f-840c446ad79a",
"id": "930b36c5-0fd6-41c4-83bc-d8547e3fa880",
"snapshot": false,
"version": "8.12.2"
"version": "8.12.0"
},
"eset_protect": {
"device_task": {
Expand Down Expand Up @@ -58,7 +58,7 @@
"action": "Shutdown computer",
"agent_id_status": "verified",
"dataset": "eset_protect.device_task",
"ingested": "2024-03-27T16:00:39Z",
"ingested": "2024-04-16T05:41:59Z",
"kind": "event",
"original": "{\"action\":{\"name\":\"Shutdown computer\",\"params\":{\"@type\":\"type.googleapis.com/Era.Common.DataDefinition.Task.ESS.OnDemandScan\",\"cleaningEnabled\":true,\"customProfileName\":\"DefaultProfile\",\"scanProfile\":\"InDepth\",\"scanTargets\":[\"eset://AllTargets\"]}},\"description\":\"Automatically created via context menu\",\"displayName\":\"Reboot Computer - via context menu\",\"targets\":{\"devicesUuids\":[\"0205321e-XXXX-XXXX-1234-feeb35010ea7\",\"0205321e-XXXX-XXXX-5678-feeb35010ea7\",\"0205321e-XXXX-1234-5678-feeb35010ea7\"]},\"triggers\":[{\"manual\":{\"expireTime\":\"2023-12-01T01:30:00Z\"}}],\"uuid\":\"c93070e0-XXXX-1234-5678-c48f0e5e0b7e\",\"versionId\":\"1511\"}",
"type": [
Expand Up @@ -49,12 +49,12 @@
"file": {
"directory": "/Users/Administrator/Downloads/xls/",
"drive_letter": "C",
"name": "YICT080714.xls",
"path": "C:/Users/Administrator/Downloads/xls/YICT080714.xls",
"type": "file",
"hash": {
"sha1": "5b97884a45c6c05f93b22c4059f3d9189e88e8b7"
}
},
"name": "YICT080714.xls",
"path": "C:/Users/Administrator/Downloads/xls/YICT080714.xls",
"type": "file"
},
"group": {
"name": "All/Lost & found"
Expand Down Expand Up @@ -656,12 +656,12 @@
"file": {
"directory": "/Users/Administrator/Downloads/",
"drive_letter": "C",
"name": "malicious.exe",
"path": "C:/Users/Administrator/Downloads/malicious.exe",
"type": "file",
"hash": {
"sha1": "8f765a7d2b0e4d11bc0e79313a8f8e0019f317d9"
}
},
"name": "malicious.exe",
"path": "C:/Users/Administrator/Downloads/malicious.exe",
"type": "file"
},
"group": {
"name": "All/Lost & found"
Expand Down Expand Up @@ -2114,12 +2114,12 @@
"file": {
"directory": "/",
"drive_letter": "E",
"name": "Removable Drive (1GB).lnk",
"path": "E:/Removable Drive (1GB).lnk",
"type": "file",
"hash": {
"sha1": "1a45eba0f9ef909e6f3c87b0d5cedad27bdb6cf2"
}
},
"name": "Removable Drive (1GB).lnk",
"path": "E:/Removable Drive (1GB).lnk",
"type": "file"
},
"host": {
"hostname": "machine5",
Expand Down Expand Up @@ -2213,11 +2213,11 @@
]
},
"file": {
"path": "script",
"type": "file",
"hash": {
"sha1": "22b9b35a804a7a3739cbd007e00959075aecf0fc"
}
},
"path": "script",
"type": "file"
},
"group": {
"name": "All"
14 changes: 7 additions & 7 deletions packages/eset_protect/data_stream/event/sample_event.json
@@ -1,11 +1,11 @@
{
"@timestamp": "2021-06-21T03:56:20.000Z",
"agent": {
"ephemeral_id": "c8765a56-3694-4bf7-aada-7f979a9581cd",
"id": "e270d8a1-0a98-417c-a79f-840c446ad79a",
"ephemeral_id": "fe2f9827-1823-4a86-8826-b6789530f104",
"id": "930b36c5-0fd6-41c4-83bc-d8547e3fa880",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.12.2"
"version": "8.12.0"
},
"data_stream": {
"dataset": "eset_protect.event",
Expand Down Expand Up @@ -37,9 +37,9 @@
"version": "8.11.0"
},
"elastic_agent": {
"id": "e270d8a1-0a98-417c-a79f-840c446ad79a",
"id": "930b36c5-0fd6-41c4-83bc-d8547e3fa880",
"snapshot": false,
"version": "8.12.2"
"version": "8.12.0"
},
"eset_protect": {
"event": {
Expand Down Expand Up @@ -72,7 +72,7 @@
"web"
],
"dataset": "eset_protect.event",
"ingested": "2024-03-27T16:01:32Z",
"ingested": "2024-04-16T05:42:56Z",
"kind": "alert",
"original": "{\"event_type\":\"FilteredWebsites_Event\",\"ipv4\":\"192.168.30.30\",\"hostname\":\"win-test\",\"group_name\":\"All/Lost & found\",\"os_name\":\"Microsoft Windows 11 Pro\",\"group_description\":\"Lost & found static group\",\"source_uuid\":\"d9477661-8fa4-4144-b8d4-e37b983bcd69\",\"occured\":\"21-Jun-2021 03:56:20\",\"severity\":\"Warning\",\"event\":\"An attempt to connect to URL\",\"target_address\":\"89.160.20.128\",\"target_address_type\":\"IPv4\",\"scanner_id\":\"HTTP filter\",\"action_taken\":\"blocked\",\"object_uri\":\"https://test.com\",\"hash\":\"ABCDAA625E6961037B8904E113FD0C232A7D0EDC\",\"username\":\"WIN-TEST\\\\Administrator\",\"processname\":\"C:\\\\Program Files\\\\Web browser\\\\brwser.exe\",\"rule_id\":\"Blocked by PUA blacklist\"}",
"type": [
Expand All @@ -98,7 +98,7 @@
},
"log": {
"source": {
"address": "172.19.0.11:48112"
"address": "192.168.247.8:59824"
},
"syslog": {
"appname": "ERAServer",
36 changes: 18 additions & 18 deletions packages/eset_protect/docs/README.md
Expand Up @@ -77,8 +77,8 @@ An example event for `detection` looks as following:
{
"@timestamp": "2023-10-26T13:36:53.000Z",
"agent": {
"ephemeral_id": "96cc7ee0-ede2-46a4-9b0e-4104dead04cc",
"id": "78166295-0693-4726-a27f-cd8722896c22",
"ephemeral_id": "a2da59f5-382d-41e2-be5e-0b06df998911",
"id": "930b36c5-0fd6-41c4-83bc-d8547e3fa880",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.12.0"
Expand Down Expand Up @@ -114,7 +114,7 @@ An example event for `detection` looks as following:
"version": "8.11.0"
},
"elastic_agent": {
"id": "78166295-0693-4726-a27f-cd8722896c22",
"id": "930b36c5-0fd6-41c4-83bc-d8547e3fa880",
"snapshot": false,
"version": "8.12.0"
},
Expand Down Expand Up @@ -151,7 +151,7 @@ An example event for `detection` looks as following:
"intrusion_detection"
],
"dataset": "eset_protect.detection",
"ingested": "2024-03-18T21:48:09Z",
"ingested": "2024-04-16T05:41:07Z",
"kind": "alert",
"original": "{\"category\":\"DETECTION_CATEGORY_NETWORK_INTRUSION\",\"context\":{\"circumstances\":\"Eicar\",\"deviceUuid\":\"xxx-xxxx-1234-5678-xxxxxxxxxxxx\",\"process\":{\"path\":\"C:\\\\Windows\\\\chrome.exe\"},\"userName\":\"testingpc\\\\example\"},\"networkCommunication\":{\"protocolName\":\"0\",\"remoteIpAddress\":\"89.160.20.112\",\"remotePort\":443},\"objectHashSha1\":\"AAF4C61DDCC5E8A2DABEDE0F3B4820123456789D\",\"objectTypeName\":\"File\",\"objectUrl\":\"C:\\\\Temp\\\\06516f11-xxxx-xxxx-xxxx-37da66b5de99_ccf7464ba6e2e12e984514f694bfb10d03de77358d8a3afd7a2ffed150ec1df8.zip.e99\\\\ccf7464ba6e2e12e984514f694bfb10d03de77358d8a3afd7a2ffed150ec1df8\",\"occurTime\":\"2023-10-26T13:36:53Z\",\"responses\":[{}],\"severityLevel\":\"SEVERITY_LEVEL_MEDIUM\",\"typeName\":\"TCP Port scanning attack\",\"uuid\":\"xxx-xxxx-xxxx-1234-xxxxxxxxxxxx\"}",
"type": [
Expand Down Expand Up @@ -265,13 +265,13 @@ An example event for `device_task` looks as following:

```json
{
"@timestamp": "2024-03-27T16:00:29.582Z",
"@timestamp": "2024-04-16T05:41:49.641Z",
"agent": {
"ephemeral_id": "c5a8ca66-614e-438e-b69a-9e12cb12aa7d",
"id": "e270d8a1-0a98-417c-a79f-840c446ad79a",
"ephemeral_id": "a2da59f5-382d-41e2-be5e-0b06df998911",
"id": "930b36c5-0fd6-41c4-83bc-d8547e3fa880",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.12.2"
"version": "8.12.0"
},
"data_stream": {
"dataset": "eset_protect.device_task",
Expand All @@ -282,9 +282,9 @@ An example event for `device_task` looks as following:
"version": "8.11.0"
},
"elastic_agent": {
"id": "e270d8a1-0a98-417c-a79f-840c446ad79a",
"id": "930b36c5-0fd6-41c4-83bc-d8547e3fa880",
"snapshot": false,
"version": "8.12.2"
"version": "8.12.0"
},
"eset_protect": {
"device_task": {
Expand Down Expand Up @@ -324,7 +324,7 @@ An example event for `device_task` looks as following:
"action": "Shutdown computer",
"agent_id_status": "verified",
"dataset": "eset_protect.device_task",
"ingested": "2024-03-27T16:00:39Z",
"ingested": "2024-04-16T05:41:59Z",
"kind": "event",
"original": "{\"action\":{\"name\":\"Shutdown computer\",\"params\":{\"@type\":\"type.googleapis.com/Era.Common.DataDefinition.Task.ESS.OnDemandScan\",\"cleaningEnabled\":true,\"customProfileName\":\"DefaultProfile\",\"scanProfile\":\"InDepth\",\"scanTargets\":[\"eset://AllTargets\"]}},\"description\":\"Automatically created via context menu\",\"displayName\":\"Reboot Computer - via context menu\",\"targets\":{\"devicesUuids\":[\"0205321e-XXXX-XXXX-1234-feeb35010ea7\",\"0205321e-XXXX-XXXX-5678-feeb35010ea7\",\"0205321e-XXXX-1234-5678-feeb35010ea7\"]},\"triggers\":[{\"manual\":{\"expireTime\":\"2023-12-01T01:30:00Z\"}}],\"uuid\":\"c93070e0-XXXX-1234-5678-c48f0e5e0b7e\",\"versionId\":\"1511\"}",
"type": [
Expand Down Expand Up @@ -401,11 +401,11 @@ An example event for `event` looks as following:
{
"@timestamp": "2021-06-21T03:56:20.000Z",
"agent": {
"ephemeral_id": "c8765a56-3694-4bf7-aada-7f979a9581cd",
"id": "e270d8a1-0a98-417c-a79f-840c446ad79a",
"ephemeral_id": "fe2f9827-1823-4a86-8826-b6789530f104",
"id": "930b36c5-0fd6-41c4-83bc-d8547e3fa880",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.12.2"
"version": "8.12.0"
},
"data_stream": {
"dataset": "eset_protect.event",
Expand Down Expand Up @@ -437,9 +437,9 @@ An example event for `event` looks as following:
"version": "8.11.0"
},
"elastic_agent": {
"id": "e270d8a1-0a98-417c-a79f-840c446ad79a",
"id": "930b36c5-0fd6-41c4-83bc-d8547e3fa880",
"snapshot": false,
"version": "8.12.2"
"version": "8.12.0"
},
"eset_protect": {
"event": {
Expand Down Expand Up @@ -472,7 +472,7 @@ An example event for `event` looks as following:
"web"
],
"dataset": "eset_protect.event",
"ingested": "2024-03-27T16:01:32Z",
"ingested": "2024-04-16T05:42:56Z",
"kind": "alert",
"original": "{\"event_type\":\"FilteredWebsites_Event\",\"ipv4\":\"192.168.30.30\",\"hostname\":\"win-test\",\"group_name\":\"All/Lost & found\",\"os_name\":\"Microsoft Windows 11 Pro\",\"group_description\":\"Lost & found static group\",\"source_uuid\":\"d9477661-8fa4-4144-b8d4-e37b983bcd69\",\"occured\":\"21-Jun-2021 03:56:20\",\"severity\":\"Warning\",\"event\":\"An attempt to connect to URL\",\"target_address\":\"89.160.20.128\",\"target_address_type\":\"IPv4\",\"scanner_id\":\"HTTP filter\",\"action_taken\":\"blocked\",\"object_uri\":\"https://test.com\",\"hash\":\"ABCDAA625E6961037B8904E113FD0C232A7D0EDC\",\"username\":\"WIN-TEST\\\\Administrator\",\"processname\":\"C:\\\\Program Files\\\\Web browser\\\\brwser.exe\",\"rule_id\":\"Blocked by PUA blacklist\"}",
"type": [
Expand All @@ -498,7 +498,7 @@ An example event for `event` looks as following:
},
"log": {
"source": {
"address": "172.19.0.11:48112"
"address": "192.168.247.8:59824"
},
"syslog": {
"appname": "ERAServer",
2 changes: 1 addition & 1 deletion packages/eset_protect/manifest.yml
@@ -1,7 +1,7 @@
format_version: 3.0.3
name: eset_protect
title: ESET PROTECT
version: 0.4.0
version: 0.5.0
description: Collect logs from ESET PROTECT with Elastic Agent.
type: integration
categories:
