Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[eset_protect] Update grant type to password #9600

Merged
merged 5 commits into from
Apr 18, 2024
+67 −56
Merged

[eset_protect] Update grant type to password #9600

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
fd6a219
Update grant type to password
janvi-elastic Apr 15, 2024
265c653
Update changelog entry
janvi-elastic Apr 15, 2024
8422ad8
resolve review comments
janvi-elastic Apr 16, 2024
c6b46aa
Give a reason for the change
andrewkroh Apr 17, 2024
6c03b6c
added a comment in cel.yml.hbs files explainig why client credentials…
janvi-elastic Apr 18, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions packages/eset_protect/changelog.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "0.5.0"
changes:
- description: Update OAuth grant type to password because ESET is deprecating the client_credentials grant type.
type: enhancement
link: https://github.com/elastic/integrations/pull/9600
- version: "0.4.0"
changes:
- description: Lowercase related hash and indicator hash to support indicator rule matching. Fixed grok parse error when object_uri equals 'script'.
Expand Down
7 changes: 5 additions & 2 deletions packages/eset_protect/data_stream/detection/agent/stream/cel.yml.hbs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,8 +15,11 @@ resource.timeout: {{http_client_timeout}}
{{/if}}
resource.url: https://{{region}}.incident-management.eset.systems
auth.oauth2:
client.id: {{username}}
client.secret: {{password}}
client.id: ' '
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why are these empty strings?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Without empty string it is not working.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you clarify what is not working? Can you share the error message? Is it some kind of validation problem from the Agent side? Or is a something from the API service?

If you view the request tracer logs, is the input POSTing client_id=%20&client_secret=%20 and the API is accepting that?

At a minimum we need a comment explaining why the empty strings exists so that future maintainers understand.

Copy link
Contributor

@efd6 efd6 Apr 15, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The issue here is over zealous validation in the auth config code for the cel package (the same issue will exist in the httpjson package which is the origin of this code). When password auth was added, the token auth logic in the validation was not updated to allow a fallthrough.

https://github.com/elastic/beats/blob/11bc06ca1f0f82510a38e88f978b9aed577a3e5e/x-pack/filebeat/input/cel/config_auth.go#L266-L268

I'm putting together a change to fix this.

Copy link
Contributor Author

@janvi-elastic janvi-elastic Apr 16, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was facing below error:
both token_url and client credentials must be provided accessing 'auth.oauth2'

Additionally, it does not function with an empty string. It requires one space to work properly.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, elastic/beats#38962 will fix that, but for the moment you'll need to do what you have done. A comment explaining it and giving a time frame for removal would be good (I expect the PR for the fix would get in to v8.14.0).

TBH I'm amazed that his has gone unnoticed for so long. The bug was introduced in to HTTPJSON when password grant auth was added. I guess no-one has ever had password-only uses.

Copy link
Member

@andrewkroh andrewkroh Apr 17, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A comment explaining it and giving a time frame for removal would be good (I expect the PR for the fix would get in to v8.14.0).

@janvi-elastic Can you please add a comment to the two cel.yml.hbs files.

client.secret: ' '
# Client Credentials are required in the password grant type due to an oversight in the token authentication logic. This issue is set to be resolved in version 8.14.0.
user: {{escape_string username}}
password: {{escape_string password}}
token_url: https://{{region}}.business-account.iam.eset.systems/oauth/token
state:
page_size: {{batch_size}}
Expand Down
8 changes: 4 additions & 4 deletions packages/eset_protect/data_stream/detection/sample_event.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,8 +1,8 @@
{
"@timestamp": "2023-10-26T13:36:53.000Z",
"agent": {
"ephemeral_id": "96cc7ee0-ede2-46a4-9b0e-4104dead04cc",
"id": "78166295-0693-4726-a27f-cd8722896c22",
"ephemeral_id": "a2da59f5-382d-41e2-be5e-0b06df998911",
"id": "930b36c5-0fd6-41c4-83bc-d8547e3fa880",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.12.0"
Expand Down Expand Up @@ -38,7 +38,7 @@
"version": "8.11.0"
},
"elastic_agent": {
"id": "78166295-0693-4726-a27f-cd8722896c22",
"id": "930b36c5-0fd6-41c4-83bc-d8547e3fa880",
"snapshot": false,
"version": "8.12.0"
},
Expand Down Expand Up @@ -75,7 +75,7 @@
"intrusion_detection"
],
"dataset": "eset_protect.detection",
"ingested": "2024-03-18T21:48:09Z",
"ingested": "2024-04-16T05:41:07Z",
"kind": "alert",
"original": "{\"category\":\"DETECTION_CATEGORY_NETWORK_INTRUSION\",\"context\":{\"circumstances\":\"Eicar\",\"deviceUuid\":\"xxx-xxxx-1234-5678-xxxxxxxxxxxx\",\"process\":{\"path\":\"C:\\\\Windows\\\\chrome.exe\"},\"userName\":\"testingpc\\\\example\"},\"networkCommunication\":{\"protocolName\":\"0\",\"remoteIpAddress\":\"89.160.20.112\",\"remotePort\":443},\"objectHashSha1\":\"AAF4C61DDCC5E8A2DABEDE0F3B4820123456789D\",\"objectTypeName\":\"File\",\"objectUrl\":\"C:\\\\Temp\\\\06516f11-xxxx-xxxx-xxxx-37da66b5de99_ccf7464ba6e2e12e984514f694bfb10d03de77358d8a3afd7a2ffed150ec1df8.zip.e99\\\\ccf7464ba6e2e12e984514f694bfb10d03de77358d8a3afd7a2ffed150ec1df8\",\"occurTime\":\"2023-10-26T13:36:53Z\",\"responses\":[{}],\"severityLevel\":\"SEVERITY_LEVEL_MEDIUM\",\"typeName\":\"TCP Port scanning attack\",\"uuid\":\"xxx-xxxx-xxxx-1234-xxxxxxxxxxxx\"}",
"type": [
Expand Down
7 changes: 5 additions & 2 deletions packages/eset_protect/data_stream/device_task/agent/stream/cel.yml.hbs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,8 +15,11 @@ resource.timeout: {{http_client_timeout}}
{{/if}}
resource.url: https://{{region}}.automation.eset.systems
auth.oauth2:
client.id: {{username}}
client.secret: {{password}}
client.id: ' '
client.secret: ' '
# Client Credentials are required in the password grant type due to an oversight in the token authentication logic. This issue is set to be resolved in version 8.14.0.
user: {{escape_string username}}
password: {{escape_string password}}
token_url: https://{{region}}.business-account.iam.eset.systems/oauth/token
state:
page_size: {{batch_size}}
Expand Down
14 changes: 7 additions & 7 deletions packages/eset_protect/data_stream/device_task/sample_event.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,11 +1,11 @@
{
"@timestamp": "2024-03-27T16:00:29.582Z",
"@timestamp": "2024-04-16T05:41:49.641Z",
"agent": {
"ephemeral_id": "c5a8ca66-614e-438e-b69a-9e12cb12aa7d",
"id": "e270d8a1-0a98-417c-a79f-840c446ad79a",
"ephemeral_id": "a2da59f5-382d-41e2-be5e-0b06df998911",
"id": "930b36c5-0fd6-41c4-83bc-d8547e3fa880",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.12.2"
"version": "8.12.0"
},
"data_stream": {
"dataset": "eset_protect.device_task",
Expand All @@ -16,9 +16,9 @@
"version": "8.11.0"
},
"elastic_agent": {
"id": "e270d8a1-0a98-417c-a79f-840c446ad79a",
"id": "930b36c5-0fd6-41c4-83bc-d8547e3fa880",
"snapshot": false,
"version": "8.12.2"
"version": "8.12.0"
},
"eset_protect": {
"device_task": {
Expand Down Expand Up @@ -58,7 +58,7 @@
"action": "Shutdown computer",
"agent_id_status": "verified",
"dataset": "eset_protect.device_task",
"ingested": "2024-03-27T16:00:39Z",
"ingested": "2024-04-16T05:41:59Z",
"kind": "event",
"original": "{\"action\":{\"name\":\"Shutdown computer\",\"params\":{\"@type\":\"type.googleapis.com/Era.Common.DataDefinition.Task.ESS.OnDemandScan\",\"cleaningEnabled\":true,\"customProfileName\":\"DefaultProfile\",\"scanProfile\":\"InDepth\",\"scanTargets\":[\"eset://AllTargets\"]}},\"description\":\"Automatically created via context menu\",\"displayName\":\"Reboot Computer - via context menu\",\"targets\":{\"devicesUuids\":[\"0205321e-XXXX-XXXX-1234-feeb35010ea7\",\"0205321e-XXXX-XXXX-5678-feeb35010ea7\",\"0205321e-XXXX-1234-5678-feeb35010ea7\"]},\"triggers\":[{\"manual\":{\"expireTime\":\"2023-12-01T01:30:00Z\"}}],\"uuid\":\"c93070e0-XXXX-1234-5678-c48f0e5e0b7e\",\"versionId\":\"1511\"}",
"type": [
Expand Down
30 changes: 15 additions & 15 deletions packages/eset_protect/data_stream/event/_dev/test/pipeline/test-event.log-expected.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -49,12 +49,12 @@
"file": {
"directory": "/Users/Administrator/Downloads/xls/",
"drive_letter": "C",
"name": "YICT080714.xls",
"path": "C:/Users/Administrator/Downloads/xls/YICT080714.xls",
"type": "file",
"hash": {
"sha1": "5b97884a45c6c05f93b22c4059f3d9189e88e8b7"
}
},
"name": "YICT080714.xls",
"path": "C:/Users/Administrator/Downloads/xls/YICT080714.xls",
"type": "file"
},
"group": {
"name": "All/Lost & found"
Expand Down Expand Up @@ -656,12 +656,12 @@
"file": {
"directory": "/Users/Administrator/Downloads/",
"drive_letter": "C",
"name": "malicious.exe",
"path": "C:/Users/Administrator/Downloads/malicious.exe",
"type": "file",
"hash": {
"sha1": "8f765a7d2b0e4d11bc0e79313a8f8e0019f317d9"
}
},
"name": "malicious.exe",
"path": "C:/Users/Administrator/Downloads/malicious.exe",
"type": "file"
},
"group": {
"name": "All/Lost & found"
Expand Down Expand Up @@ -2114,12 +2114,12 @@
"file": {
"directory": "/",
"drive_letter": "E",
"name": "Removable Drive (1GB).lnk",
"path": "E:/Removable Drive (1GB).lnk",
"type": "file",
"hash": {
"sha1": "1a45eba0f9ef909e6f3c87b0d5cedad27bdb6cf2"
}
},
"name": "Removable Drive (1GB).lnk",
"path": "E:/Removable Drive (1GB).lnk",
"type": "file"
},
"host": {
"hostname": "machine5",
Expand Down Expand Up @@ -2213,11 +2213,11 @@
]
},
"file": {
"path": "script",
"type": "file",
"hash": {
"sha1": "22b9b35a804a7a3739cbd007e00959075aecf0fc"
}
},
"path": "script",
"type": "file"
},
"group": {
"name": "All"
Expand Down
14 changes: 7 additions & 7 deletions packages/eset_protect/data_stream/event/sample_event.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,11 +1,11 @@
{
"@timestamp": "2021-06-21T03:56:20.000Z",
"agent": {
"ephemeral_id": "c8765a56-3694-4bf7-aada-7f979a9581cd",
"id": "e270d8a1-0a98-417c-a79f-840c446ad79a",
"ephemeral_id": "fe2f9827-1823-4a86-8826-b6789530f104",
"id": "930b36c5-0fd6-41c4-83bc-d8547e3fa880",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.12.2"
"version": "8.12.0"
},
"data_stream": {
"dataset": "eset_protect.event",
Expand Down Expand Up @@ -37,9 +37,9 @@
"version": "8.11.0"
},
"elastic_agent": {
"id": "e270d8a1-0a98-417c-a79f-840c446ad79a",
"id": "930b36c5-0fd6-41c4-83bc-d8547e3fa880",
"snapshot": false,
"version": "8.12.2"
"version": "8.12.0"
},
"eset_protect": {
"event": {
Expand Down Expand Up @@ -72,7 +72,7 @@
"web"
],
"dataset": "eset_protect.event",
"ingested": "2024-03-27T16:01:32Z",
"ingested": "2024-04-16T05:42:56Z",
"kind": "alert",
"original": "{\"event_type\":\"FilteredWebsites_Event\",\"ipv4\":\"192.168.30.30\",\"hostname\":\"win-test\",\"group_name\":\"All/Lost & found\",\"os_name\":\"Microsoft Windows 11 Pro\",\"group_description\":\"Lost & found static group\",\"source_uuid\":\"d9477661-8fa4-4144-b8d4-e37b983bcd69\",\"occured\":\"21-Jun-2021 03:56:20\",\"severity\":\"Warning\",\"event\":\"An attempt to connect to URL\",\"target_address\":\"89.160.20.128\",\"target_address_type\":\"IPv4\",\"scanner_id\":\"HTTP filter\",\"action_taken\":\"blocked\",\"object_uri\":\"https://test.com\",\"hash\":\"ABCDAA625E6961037B8904E113FD0C232A7D0EDC\",\"username\":\"WIN-TEST\\\\Administrator\",\"processname\":\"C:\\\\Program Files\\\\Web browser\\\\brwser.exe\",\"rule_id\":\"Blocked by PUA blacklist\"}",
"type": [
Expand All @@ -98,7 +98,7 @@
},
"log": {
"source": {
"address": "172.19.0.11:48112"
"address": "192.168.247.8:59824"
},
"syslog": {
"appname": "ERAServer",
Expand Down
36 changes: 18 additions & 18 deletions packages/eset_protect/docs/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -77,8 +77,8 @@ An example event for `detection` looks as following:
{
"@timestamp": "2023-10-26T13:36:53.000Z",
"agent": {
"ephemeral_id": "96cc7ee0-ede2-46a4-9b0e-4104dead04cc",
"id": "78166295-0693-4726-a27f-cd8722896c22",
"ephemeral_id": "a2da59f5-382d-41e2-be5e-0b06df998911",
"id": "930b36c5-0fd6-41c4-83bc-d8547e3fa880",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.12.0"
Expand Down Expand Up @@ -114,7 +114,7 @@ An example event for `detection` looks as following:
"version": "8.11.0"
},
"elastic_agent": {
"id": "78166295-0693-4726-a27f-cd8722896c22",
"id": "930b36c5-0fd6-41c4-83bc-d8547e3fa880",
"snapshot": false,
"version": "8.12.0"
},
Expand Down Expand Up @@ -151,7 +151,7 @@ An example event for `detection` looks as following:
"intrusion_detection"
],
"dataset": "eset_protect.detection",
"ingested": "2024-03-18T21:48:09Z",
"ingested": "2024-04-16T05:41:07Z",
"kind": "alert",
"original": "{\"category\":\"DETECTION_CATEGORY_NETWORK_INTRUSION\",\"context\":{\"circumstances\":\"Eicar\",\"deviceUuid\":\"xxx-xxxx-1234-5678-xxxxxxxxxxxx\",\"process\":{\"path\":\"C:\\\\Windows\\\\chrome.exe\"},\"userName\":\"testingpc\\\\example\"},\"networkCommunication\":{\"protocolName\":\"0\",\"remoteIpAddress\":\"89.160.20.112\",\"remotePort\":443},\"objectHashSha1\":\"AAF4C61DDCC5E8A2DABEDE0F3B4820123456789D\",\"objectTypeName\":\"File\",\"objectUrl\":\"C:\\\\Temp\\\\06516f11-xxxx-xxxx-xxxx-37da66b5de99_ccf7464ba6e2e12e984514f694bfb10d03de77358d8a3afd7a2ffed150ec1df8.zip.e99\\\\ccf7464ba6e2e12e984514f694bfb10d03de77358d8a3afd7a2ffed150ec1df8\",\"occurTime\":\"2023-10-26T13:36:53Z\",\"responses\":[{}],\"severityLevel\":\"SEVERITY_LEVEL_MEDIUM\",\"typeName\":\"TCP Port scanning attack\",\"uuid\":\"xxx-xxxx-xxxx-1234-xxxxxxxxxxxx\"}",
"type": [
Expand Down Expand Up @@ -265,13 +265,13 @@ An example event for `device_task` looks as following:

```json
{
"@timestamp": "2024-03-27T16:00:29.582Z",
"@timestamp": "2024-04-16T05:41:49.641Z",
"agent": {
"ephemeral_id": "c5a8ca66-614e-438e-b69a-9e12cb12aa7d",
"id": "e270d8a1-0a98-417c-a79f-840c446ad79a",
"ephemeral_id": "a2da59f5-382d-41e2-be5e-0b06df998911",
"id": "930b36c5-0fd6-41c4-83bc-d8547e3fa880",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.12.2"
"version": "8.12.0"
},
"data_stream": {
"dataset": "eset_protect.device_task",
Expand All @@ -282,9 +282,9 @@ An example event for `device_task` looks as following:
"version": "8.11.0"
},
"elastic_agent": {
"id": "e270d8a1-0a98-417c-a79f-840c446ad79a",
"id": "930b36c5-0fd6-41c4-83bc-d8547e3fa880",
"snapshot": false,
"version": "8.12.2"
"version": "8.12.0"
},
"eset_protect": {
"device_task": {
Expand Down Expand Up @@ -324,7 +324,7 @@ An example event for `device_task` looks as following:
"action": "Shutdown computer",
"agent_id_status": "verified",
"dataset": "eset_protect.device_task",
"ingested": "2024-03-27T16:00:39Z",
"ingested": "2024-04-16T05:41:59Z",
"kind": "event",
"original": "{\"action\":{\"name\":\"Shutdown computer\",\"params\":{\"@type\":\"type.googleapis.com/Era.Common.DataDefinition.Task.ESS.OnDemandScan\",\"cleaningEnabled\":true,\"customProfileName\":\"DefaultProfile\",\"scanProfile\":\"InDepth\",\"scanTargets\":[\"eset://AllTargets\"]}},\"description\":\"Automatically created via context menu\",\"displayName\":\"Reboot Computer - via context menu\",\"targets\":{\"devicesUuids\":[\"0205321e-XXXX-XXXX-1234-feeb35010ea7\",\"0205321e-XXXX-XXXX-5678-feeb35010ea7\",\"0205321e-XXXX-1234-5678-feeb35010ea7\"]},\"triggers\":[{\"manual\":{\"expireTime\":\"2023-12-01T01:30:00Z\"}}],\"uuid\":\"c93070e0-XXXX-1234-5678-c48f0e5e0b7e\",\"versionId\":\"1511\"}",
"type": [
Expand Down Expand Up @@ -401,11 +401,11 @@ An example event for `event` looks as following:
{
"@timestamp": "2021-06-21T03:56:20.000Z",
"agent": {
"ephemeral_id": "c8765a56-3694-4bf7-aada-7f979a9581cd",
"id": "e270d8a1-0a98-417c-a79f-840c446ad79a",
"ephemeral_id": "fe2f9827-1823-4a86-8826-b6789530f104",
"id": "930b36c5-0fd6-41c4-83bc-d8547e3fa880",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.12.2"
"version": "8.12.0"
},
"data_stream": {
"dataset": "eset_protect.event",
Expand Down Expand Up @@ -437,9 +437,9 @@ An example event for `event` looks as following:
"version": "8.11.0"
},
"elastic_agent": {
"id": "e270d8a1-0a98-417c-a79f-840c446ad79a",
"id": "930b36c5-0fd6-41c4-83bc-d8547e3fa880",
"snapshot": false,
"version": "8.12.2"
"version": "8.12.0"
},
"eset_protect": {
"event": {
Expand Down Expand Up @@ -472,7 +472,7 @@ An example event for `event` looks as following:
"web"
],
"dataset": "eset_protect.event",
"ingested": "2024-03-27T16:01:32Z",
"ingested": "2024-04-16T05:42:56Z",
"kind": "alert",
"original": "{\"event_type\":\"FilteredWebsites_Event\",\"ipv4\":\"192.168.30.30\",\"hostname\":\"win-test\",\"group_name\":\"All/Lost & found\",\"os_name\":\"Microsoft Windows 11 Pro\",\"group_description\":\"Lost & found static group\",\"source_uuid\":\"d9477661-8fa4-4144-b8d4-e37b983bcd69\",\"occured\":\"21-Jun-2021 03:56:20\",\"severity\":\"Warning\",\"event\":\"An attempt to connect to URL\",\"target_address\":\"89.160.20.128\",\"target_address_type\":\"IPv4\",\"scanner_id\":\"HTTP filter\",\"action_taken\":\"blocked\",\"object_uri\":\"https://test.com\",\"hash\":\"ABCDAA625E6961037B8904E113FD0C232A7D0EDC\",\"username\":\"WIN-TEST\\\\Administrator\",\"processname\":\"C:\\\\Program Files\\\\Web browser\\\\brwser.exe\",\"rule_id\":\"Blocked by PUA blacklist\"}",
"type": [
Expand All @@ -498,7 +498,7 @@ An example event for `event` looks as following:
},
"log": {
"source": {
"address": "172.19.0.11:48112"
"address": "192.168.247.8:59824"
},
"syslog": {
"appname": "ERAServer",
Expand Down
2 changes: 1 addition & 1 deletion packages/eset_protect/manifest.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
format_version: 3.0.3
name: eset_protect
title: ESET PROTECT
version: 0.4.0
version: 0.5.0
description: Collect logs from ESET PROTECT with Elastic Agent.
type: integration
categories:
Expand Down