diff --git a/packages/eset_protect/changelog.yml b/packages/eset_protect/changelog.yml
index 66eb2d62b9..0ac0fc934d 100644
--- a/packages/eset_protect/changelog.yml
+++ b/packages/eset_protect/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.5.0"
+ changes:
+ - description: Update OAuth grant type to password because ESET is deprecating the client_credentials grant type.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/9600
 - version: "0.4.0"
 changes:
 - description: Lowercase related hash and indicator hash to support indicator rule matching. Fixed grok parse error when object_uri equals 'script'.
diff --git a/packages/eset_protect/data_stream/detection/agent/stream/cel.yml.hbs b/packages/eset_protect/data_stream/detection/agent/stream/cel.yml.hbs
index ffeb5c5337..272acd7c9e 100644
--- a/packages/eset_protect/data_stream/detection/agent/stream/cel.yml.hbs
+++ b/packages/eset_protect/data_stream/detection/agent/stream/cel.yml.hbs
@@ -15,8 +15,11 @@ resource.timeout: {{http_client_timeout}}
 {{/if}}
 resource.url: https://{{region}}.incident-management.eset.systems
 auth.oauth2:
- client.id: {{username}}
- client.secret: {{password}}
+ client.id: ' '
+ client.secret: ' '
+ # Client Credentials are required in the password grant type due to an oversight in the token authentication logic. This issue is set to be resolved in version 8.14.0.
+ user: {{escape_string username}}
+ password: {{escape_string password}}
 token_url: https://{{region}}.business-account.iam.eset.systems/oauth/token
 state:
 page_size: {{batch_size}}
diff --git a/packages/eset_protect/data_stream/detection/sample_event.json b/packages/eset_protect/data_stream/detection/sample_event.json
index 20db63b13a..f974de3cb0 100644
--- a/packages/eset_protect/data_stream/detection/sample_event.json
+++ b/packages/eset_protect/data_stream/detection/sample_event.json
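Review bot: In the detection cel.yml.hbs hunk the explanatory comment is placed below the two placeholder lines and directly above `user:`/`password:`, which it does not describe; move it above `client.id: ' '` so a reader learns why a single-space client id and secret are sent at all, and name the component and tracking reference for the fix, e.g. `# A non-empty client.id/client.secret placeholder is required with the password grant because of a token-auth oversight; fixed in <component> 8.14.0, see <tracking issue>.` (placeholders to be filled in). The device_task cel.yml.hbs hunk later in this diff repeats the same lines and needs the same change. Because the password grant now sends the `username`/`password` package variables to `token_url` as end-user credentials rather than as an OAuth client id/secret, the variable titles and descriptions in the package manifest (not part of this diff) should be checked so they no longer describe them as client credentials, and the comment should say that a non-empty placeholder was chosen deliberately because an empty value would presumably be treated as unset (worth confirming against the CEL input's validation). Quoting the new values through `escape_string` is an improvement over the removed bare `{{username}}` substitution, since a credential containing YAML specials would otherwise have changed the parse of the rendered stream.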
@@ -1,8 +1,8 @@
 {
 "@timestamp": "2023-10-26T13:36:53.000Z",
 "agent": {
- "ephemeral_id": "96cc7ee0-ede2-46a4-9b0e-4104dead04cc",
- "id": "78166295-0693-4726-a27f-cd8722896c22",
+ "ephemeral_id": "a2da59f5-382d-41e2-be5e-0b06df998911",
+ "id": "930b36c5-0fd6-41c4-83bc-d8547e3fa880",
 "name": "docker-fleet-agent",
 "type": "filebeat",
 "version": "8.12.0"
@@ -38,7 +38,7 @@
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "78166295-0693-4726-a27f-cd8722896c22",
+ "id": "930b36c5-0fd6-41c4-83bc-d8547e3fa880",
 "snapshot": false,
 "version": "8.12.0"
 },
@@ -75,7 +75,7 @@
 "intrusion_detection"
 ],
 "dataset": "eset_protect.detection",
- "ingested": "2024-03-18T21:48:09Z",
+ "ingested": "2024-04-16T05:41:07Z",
 "kind": "alert",
 "original": "{\"category\":\"DETECTION_CATEGORY_NETWORK_INTRUSION\",\"context\":{\"circumstances\":\"Eicar\",\"deviceUuid\":\"xxx-xxxx-1234-5678-xxxxxxxxxxxx\",\"process\":{\"path\":\"C:\\\\Windows\\\\chrome.exe\"},\"userName\":\"testingpc\\\\example\"},\"networkCommunication\":{\"protocolName\":\"0\",\"remoteIpAddress\":\"89.160.20.112\",\"remotePort\":443},\"objectHashSha1\":\"AAF4C61DDCC5E8A2DABEDE0F3B4820123456789D\",\"objectTypeName\":\"File\",\"objectUrl\":\"C:\\\\Temp\\\\06516f11-xxxx-xxxx-xxxx-37da66b5de99_ccf7464ba6e2e12e984514f694bfb10d03de77358d8a3afd7a2ffed150ec1df8.zip.e99\\\\ccf7464ba6e2e12e984514f694bfb10d03de77358d8a3afd7a2ffed150ec1df8\",\"occurTime\":\"2023-10-26T13:36:53Z\",\"responses\":[{}],\"severityLevel\":\"SEVERITY_LEVEL_MEDIUM\",\"typeName\":\"TCP Port scanning attack\",\"uuid\":\"xxx-xxxx-xxxx-1234-xxxxxxxxxxxx\"}",
 "type": [
diff --git a/packages/eset_protect/data_stream/device_task/agent/stream/cel.yml.hbs b/packages/eset_protect/data_stream/device_task/agent/stream/cel.yml.hbs
index a54eb8b52a..0a5f0c7985 100644
--- a/packages/eset_protect/data_stream/device_task/agent/stream/cel.yml.hbs
+++ b/packages/eset_protect/data_stream/device_task/agent/stream/cel.yml.hbs
@@ -15,8 +15,11 @@ resource.timeout: {{http_client_timeout}}
 {{/if}}
 resource.url: https://{{region}}.automation.eset.systems
 auth.oauth2:
- client.id: {{username}}
- client.secret: {{password}}
+ client.id: ' '
+ client.secret: ' '
+ # Client Credentials are required in the password grant type due to an oversight in the token authentication logic. This issue is set to be resolved in version 8.14.0.
+ user: {{escape_string username}}
+ password: {{escape_string password}}
 token_url: https://{{region}}.business-account.iam.eset.systems/oauth/token
 state:
 page_size: {{batch_size}}
diff --git a/packages/eset_protect/data_stream/device_task/sample_event.json b/packages/eset_protect/data_stream/device_task/sample_event.json
index 5e87d6dc64..4486d1f49f 100644
--- a/packages/eset_protect/data_stream/device_task/sample_event.json
+++ b/packages/eset_protect/data_stream/device_task/sample_event.json
@@ -1,11 +1,11 @@
 {
- "@timestamp": "2024-03-27T16:00:29.582Z",
+ "@timestamp": "2024-04-16T05:41:49.641Z",
 "agent": {
- "ephemeral_id": "c5a8ca66-614e-438e-b69a-9e12cb12aa7d",
- "id": "e270d8a1-0a98-417c-a79f-840c446ad79a",
+ "ephemeral_id": "a2da59f5-382d-41e2-be5e-0b06df998911",
+ "id": "930b36c5-0fd6-41c4-83bc-d8547e3fa880",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.12.2"
+ "version": "8.12.0"
 },
 "data_stream": {
 "dataset": "eset_protect.device_task",
@@ -16,9 +16,9 @@
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "e270d8a1-0a98-417c-a79f-840c446ad79a",
+ "id": "930b36c5-0fd6-41c4-83bc-d8547e3fa880",
 "snapshot": false,
- "version": "8.12.2"
+ "version": "8.12.0"
 },
 "eset_protect": {
 "device_task": {
@@ -58,7 +58,7 @@
 "action": "Shutdown computer",
 "agent_id_status": "verified",
 "dataset": "eset_protect.device_task",
- "ingested": "2024-03-27T16:00:39Z",
+ "ingested": "2024-04-16T05:41:59Z",
 "kind": "event",
 "original": "{\"action\":{\"name\":\"Shutdown computer\",\"params\":{\"@type\":\"type.googleapis.com/Era.Common.DataDefinition.Task.ESS.OnDemandScan\",\"cleaningEnabled\":true,\"customProfileName\":\"DefaultProfile\",\"scanProfile\":\"InDepth\",\"scanTargets\":[\"eset://AllTargets\"]}},\"description\":\"Automatically created via context menu\",\"displayName\":\"Reboot Computer - via context menu\",\"targets\":{\"devicesUuids\":[\"0205321e-XXXX-XXXX-1234-feeb35010ea7\",\"0205321e-XXXX-XXXX-5678-feeb35010ea7\",\"0205321e-XXXX-1234-5678-feeb35010ea7\"]},\"triggers\":[{\"manual\":{\"expireTime\":\"2023-12-01T01:30:00Z\"}}],\"uuid\":\"c93070e0-XXXX-1234-5678-c48f0e5e0b7e\",\"versionId\":\"1511\"}",
 "type": [
diff --git a/packages/eset_protect/data_stream/event/_dev/test/pipeline/test-event.log-expected.json b/packages/eset_protect/data_stream/event/_dev/test/pipeline/test-event.log-expected.json
index eeddfd561a..5f00d7d9a8 100644
--- a/packages/eset_protect/data_stream/event/_dev/test/pipeline/test-event.log-expected.json
+++ b/packages/eset_protect/data_stream/event/_dev/test/pipeline/test-event.log-expected.json
@@ -49,12 +49,12 @@
 "file": {
 "directory": "/Users/Administrator/Downloads/xls/",
 "drive_letter": "C",
- "name": "YICT080714.xls",
- "path": "C:/Users/Administrator/Downloads/xls/YICT080714.xls",
- "type": "file",
 "hash": {
 "sha1": "5b97884a45c6c05f93b22c4059f3d9189e88e8b7"
- }
+ },
+ "name": "YICT080714.xls",
+ "path": "C:/Users/Administrator/Downloads/xls/YICT080714.xls",
+ "type": "file"
 },
 "group": {
 "name": "All/Lost & found"
@@ -656,12 +656,12 @@
 "file": {
 "directory": "/Users/Administrator/Downloads/",
 "drive_letter": "C",
- "name": "malicious.exe",
- "path": "C:/Users/Administrator/Downloads/malicious.exe",
- "type": "file",
 "hash": {
 "sha1": "8f765a7d2b0e4d11bc0e79313a8f8e0019f317d9"
- }
+ },
+ "name": "malicious.exe",
+ "path": "C:/Users/Administrator/Downloads/malicious.exe",
+ "type": "file"
 },
 "group": {
 "name": "All/Lost & found"
@@ -2114,12 +2114,12 @@
 "file": {
 "directory": "/",
 "drive_letter": "E",
- "name": "Removable Drive (1GB).lnk",
- "path": "E:/Removable Drive (1GB).lnk",
- "type": "file",
 "hash": {
 "sha1": "1a45eba0f9ef909e6f3c87b0d5cedad27bdb6cf2"
- }
+ },
+ "name": "Removable Drive (1GB).lnk",
+ "path": "E:/Removable Drive (1GB).lnk",
+ "type": "file"
 },
 "host": {
 "hostname": "machine5",
@@ -2213,11 +2213,11 @@
 ]
 },
 "file": {
- "path": "script",
- "type": "file",
 "hash": {
 "sha1": "22b9b35a804a7a3739cbd007e00959075aecf0fc"
- }
+ },
+ "path": "script",
+ "type": "file"
 },
 "group": {
 "name": "All"
diff --git a/packages/eset_protect/data_stream/event/sample_event.json b/packages/eset_protect/data_stream/event/sample_event.json
index 1232a4204f..432397f8b5 100644
--- a/packages/eset_protect/data_stream/event/sample_event.json
+++ b/packages/eset_protect/data_stream/event/sample_event.json
@@ -1,11 +1,11 @@
 {
 "@timestamp": "2021-06-21T03:56:20.000Z",
 "agent": {
- "ephemeral_id": "c8765a56-3694-4bf7-aada-7f979a9581cd",
- "id": "e270d8a1-0a98-417c-a79f-840c446ad79a",
+ "ephemeral_id": "fe2f9827-1823-4a86-8826-b6789530f104",
+ "id": "930b36c5-0fd6-41c4-83bc-d8547e3fa880",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.12.2"
+ "version": "8.12.0"
 },
 "data_stream": {
 "dataset": "eset_protect.event",
@@ -37,9 +37,9 @@
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "e270d8a1-0a98-417c-a79f-840c446ad79a",
+ "id": "930b36c5-0fd6-41c4-83bc-d8547e3fa880",
 "snapshot": false,
- "version": "8.12.2"
+ "version": "8.12.0"
 },
 "eset_protect": {
 "event": {
@@ -72,7 +72,7 @@
 "web"
 ],
 "dataset": "eset_protect.event",
- "ingested": "2024-03-27T16:01:32Z",
+ "ingested": "2024-04-16T05:42:56Z",
 "kind": "alert",
 "original": "{\"event_type\":\"FilteredWebsites_Event\",\"ipv4\":\"192.168.30.30\",\"hostname\":\"win-test\",\"group_name\":\"All/Lost & found\",\"os_name\":\"Microsoft Windows 11 Pro\",\"group_description\":\"Lost & found static group\",\"source_uuid\":\"d9477661-8fa4-4144-b8d4-e37b983bcd69\",\"occured\":\"21-Jun-2021 03:56:20\",\"severity\":\"Warning\",\"event\":\"An attempt to connect to URL\",\"target_address\":\"89.160.20.128\",\"target_address_type\":\"IPv4\",\"scanner_id\":\"HTTP filter\",\"action_taken\":\"blocked\",\"object_uri\":\"https://test.com\",\"hash\":\"ABCDAA625E6961037B8904E113FD0C232A7D0EDC\",\"username\":\"WIN-TEST\\\\Administrator\",\"processname\":\"C:\\\\Program Files\\\\Web browser\\\\brwser.exe\",\"rule_id\":\"Blocked by PUA blacklist\"}",
 "type": [
@@ -98,7 +98,7 @@
 },
 "log": {
 "source": {
- "address": "172.19.0.11:48112"
+ "address": "192.168.247.8:59824"
 },
 "syslog": {
 "appname": "ERAServer",
diff --git a/packages/eset_protect/docs/README.md b/packages/eset_protect/docs/README.md
index 632fb44108..9f9d7424bd 100644
--- a/packages/eset_protect/docs/README.md
+++ b/packages/eset_protect/docs/README.md
@@ -77,8 +77,8 @@ An example event for `detection` looks as following:
 {
 "@timestamp": "2023-10-26T13:36:53.000Z",
 "agent": {
- "ephemeral_id": "96cc7ee0-ede2-46a4-9b0e-4104dead04cc",
- "id": "78166295-0693-4726-a27f-cd8722896c22",
+ "ephemeral_id": "a2da59f5-382d-41e2-be5e-0b06df998911",
+ "id": "930b36c5-0fd6-41c4-83bc-d8547e3fa880",
 "name": "docker-fleet-agent",
 "type": "filebeat",
 "version": "8.12.0"
@@ -114,7 +114,7 @@ An example event for `detection` looks as following:
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "78166295-0693-4726-a27f-cd8722896c22",
+ "id": "930b36c5-0fd6-41c4-83bc-d8547e3fa880",
 "snapshot": false,
 "version": "8.12.0"
 },
@@ -151,7 +151,7 @@ An example event for `detection` looks as following:
 "intrusion_detection"
 ],
 "dataset": "eset_protect.detection",
- "ingested": "2024-03-18T21:48:09Z",
+ "ingested": "2024-04-16T05:41:07Z",
 "kind": "alert",
 "original": "{\"category\":\"DETECTION_CATEGORY_NETWORK_INTRUSION\",\"context\":{\"circumstances\":\"Eicar\",\"deviceUuid\":\"xxx-xxxx-1234-5678-xxxxxxxxxxxx\",\"process\":{\"path\":\"C:\\\\Windows\\\\chrome.exe\"},\"userName\":\"testingpc\\\\example\"},\"networkCommunication\":{\"protocolName\":\"0\",\"remoteIpAddress\":\"89.160.20.112\",\"remotePort\":443},\"objectHashSha1\":\"AAF4C61DDCC5E8A2DABEDE0F3B4820123456789D\",\"objectTypeName\":\"File\",\"objectUrl\":\"C:\\\\Temp\\\\06516f11-xxxx-xxxx-xxxx-37da66b5de99_ccf7464ba6e2e12e984514f694bfb10d03de77358d8a3afd7a2ffed150ec1df8.zip.e99\\\\ccf7464ba6e2e12e984514f694bfb10d03de77358d8a3afd7a2ffed150ec1df8\",\"occurTime\":\"2023-10-26T13:36:53Z\",\"responses\":[{}],\"severityLevel\":\"SEVERITY_LEVEL_MEDIUM\",\"typeName\":\"TCP Port scanning attack\",\"uuid\":\"xxx-xxxx-xxxx-1234-xxxxxxxxxxxx\"}",
 "type": [
@@ -265,13 +265,13 @@ An example event for `device_task` looks as following:
 
 ```json
 {
- "@timestamp": "2024-03-27T16:00:29.582Z",
+ "@timestamp": "2024-04-16T05:41:49.641Z",
 "agent": {
- "ephemeral_id": "c5a8ca66-614e-438e-b69a-9e12cb12aa7d",
- "id": "e270d8a1-0a98-417c-a79f-840c446ad79a",
+ "ephemeral_id": "a2da59f5-382d-41e2-be5e-0b06df998911",
+ "id": "930b36c5-0fd6-41c4-83bc-d8547e3fa880",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.12.2"
+ "version": "8.12.0"
 },
 "data_stream": {
 "dataset": "eset_protect.device_task",
@@ -282,9 +282,9 @@ An example event for `device_task` looks as following:
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "e270d8a1-0a98-417c-a79f-840c446ad79a",
+ "id": "930b36c5-0fd6-41c4-83bc-d8547e3fa880",
 "snapshot": false,
- "version": "8.12.2"
+ "version": "8.12.0"
 },
 "eset_protect": {
 "device_task": {
@@ -324,7 +324,7 @@ An example event for `device_task` looks as following:
 "action": "Shutdown computer",
 "agent_id_status": "verified",
 "dataset": "eset_protect.device_task",
- "ingested": "2024-03-27T16:00:39Z",
+ "ingested": "2024-04-16T05:41:59Z",
 "kind": "event",
 "original": "{\"action\":{\"name\":\"Shutdown computer\",\"params\":{\"@type\":\"type.googleapis.com/Era.Common.DataDefinition.Task.ESS.OnDemandScan\",\"cleaningEnabled\":true,\"customProfileName\":\"DefaultProfile\",\"scanProfile\":\"InDepth\",\"scanTargets\":[\"eset://AllTargets\"]}},\"description\":\"Automatically created via context menu\",\"displayName\":\"Reboot Computer - via context menu\",\"targets\":{\"devicesUuids\":[\"0205321e-XXXX-XXXX-1234-feeb35010ea7\",\"0205321e-XXXX-XXXX-5678-feeb35010ea7\",\"0205321e-XXXX-1234-5678-feeb35010ea7\"]},\"triggers\":[{\"manual\":{\"expireTime\":\"2023-12-01T01:30:00Z\"}}],\"uuid\":\"c93070e0-XXXX-1234-5678-c48f0e5e0b7e\",\"versionId\":\"1511\"}",
 "type": [
@@ -401,11 +401,11 @@ An example event for `event` looks as following:
 {
 "@timestamp": "2021-06-21T03:56:20.000Z",
 "agent": {
- "ephemeral_id": "c8765a56-3694-4bf7-aada-7f979a9581cd",
- "id": "e270d8a1-0a98-417c-a79f-840c446ad79a",
+ "ephemeral_id": "fe2f9827-1823-4a86-8826-b6789530f104",
+ "id": "930b36c5-0fd6-41c4-83bc-d8547e3fa880",
 "name": "docker-fleet-agent",
 "type": "filebeat",
- "version": "8.12.2"
+ "version": "8.12.0"
 },
 "data_stream": {
 "dataset": "eset_protect.event",
@@ -437,9 +437,9 @@ An example event for `event` looks as following:
 "version": "8.11.0"
 },
 "elastic_agent": {
- "id": "e270d8a1-0a98-417c-a79f-840c446ad79a",
+ "id": "930b36c5-0fd6-41c4-83bc-d8547e3fa880",
 "snapshot": false,
- "version": "8.12.2"
+ "version": "8.12.0"
 },
 "eset_protect": {
 "event": {
@@ -472,7 +472,7 @@ An example event for `event` looks as following:
 "web"
 ],
 "dataset": "eset_protect.event",
- "ingested": "2024-03-27T16:01:32Z",
+ "ingested": "2024-04-16T05:42:56Z",
 "kind": "alert",
 "original": "{\"event_type\":\"FilteredWebsites_Event\",\"ipv4\":\"192.168.30.30\",\"hostname\":\"win-test\",\"group_name\":\"All/Lost & found\",\"os_name\":\"Microsoft Windows 11 Pro\",\"group_description\":\"Lost & found static group\",\"source_uuid\":\"d9477661-8fa4-4144-b8d4-e37b983bcd69\",\"occured\":\"21-Jun-2021 03:56:20\",\"severity\":\"Warning\",\"event\":\"An attempt to connect to URL\",\"target_address\":\"89.160.20.128\",\"target_address_type\":\"IPv4\",\"scanner_id\":\"HTTP filter\",\"action_taken\":\"blocked\",\"object_uri\":\"https://test.com\",\"hash\":\"ABCDAA625E6961037B8904E113FD0C232A7D0EDC\",\"username\":\"WIN-TEST\\\\Administrator\",\"processname\":\"C:\\\\Program Files\\\\Web browser\\\\brwser.exe\",\"rule_id\":\"Blocked by PUA blacklist\"}",
 "type": [
@@ -498,7 +498,7 @@ An example event for `event` looks as following:
 },
 "log": {
 "source": {
- "address": "172.19.0.11:48112"
+ "address": "192.168.247.8:59824"
 },
 "syslog": {
 "appname": "ERAServer",
diff --git a/packages/eset_protect/manifest.yml b/packages/eset_protect/manifest.yml
index ca754af2d8..c18e8a4d0b 100644
--- a/packages/eset_protect/manifest.yml
+++ b/packages/eset_protect/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.0.3
 name: eset_protect
 title: ESET PROTECT
-version: 0.4.0
+version: 0.5.0
 description: Collect logs from ESET PROTECT with Elastic Agent.
 type: integration
 categories: