From b31ad613da3ba5e863ccc65155db39202bd282fc Mon Sep 17 00:00:00 2001 From: Leonardo Grasso Date: Mon, 17 Jun 2024 12:27:52 +0200 Subject: [PATCH] docs(plugins): update README.md Signed-off-by: Leonardo Grasso --- plugins/cloudtrail/README.md | 136 ++++++++++++++++----------------- plugins/k8saudit-eks/README.md | 4 + plugins/k8saudit/README.md | 6 +- plugins/okta/README.md | 2 +- 4 files changed, 77 insertions(+), 71 deletions(-) diff --git a/plugins/cloudtrail/README.md b/plugins/cloudtrail/README.md index a0755adf..f25e6424 100644 --- a/plugins/cloudtrail/README.md +++ b/plugins/cloudtrail/README.md 
@@ -19,74 +19,74 @@ The event source for cloudtrail events is `aws_cloudtrail`. Here is the current set of supported fields: -| NAME | TYPE | ARG | DESCRIPTION | -|-------------------------------|----------|------|----------------------------------------------------------------------------------------------------------------------------------------------------------| -| `ct.id` | `string` | None | the unique ID of the cloudtrail event (eventID in the json). | -| `ct.error` | `string` | None | The error code from the event. Will be "" (e.g. the NULL/empty/none value) if there was no error. | -| `ct.errormessage` | `string` | None | The description of an error. Will be \"\" (e.g. the NULL/empty/none value) if there was no error. | -| `ct.time` | `string` | None | the timestamp of the cloudtrail event (eventTime in the json). | -| `ct.src` | `string` | None | the source of the cloudtrail event (eventSource in the json). | -| `ct.shortsrc` | `string` | None | the source of the cloudtrail event (eventSource in the json, without the '.amazonaws.com' trailer). | -| `ct.name` | `string` | None | the name of the cloudtrail event (eventName in the json). | -| `ct.user` | `string` | None | the user of the cloudtrail event (userIdentity.userName in the json). | -| `ct.user.accountid` | `string` | None | the account id of the user of the cloudtrail event. | -| `ct.user.identitytype` | `string` | None | the kind of user identity (e.g. Root, IAMUser,AWSService, etc.) | -| `ct.user.principalid` | `string` | None | A unique identifier for the user that made the request. | -| `ct.user.arn` | `string` | None | the Amazon Resource Name (ARN) of the user that made the request. | -| `ct.region` | `string` | None | the region of the cloudtrail event (awsRegion in the json). | -| `ct.response.subnetid` | `string` | None | the subnet ID included in the response. | -| `ct.response.reservationid` | `string` | None | the reservation ID included in the response. 
| -| `ct.response` | `string` | None | All response elements. | -| `ct.request.availabilityzone` | `string` | None | the availability zone included in the request. | -| `ct.request.cluster` | `string` | None | the cluster included in the request. | -| `ct.request.functionname` | `string` | None | the function name included in the request. | -| `ct.request.groupname` | `string` | None | the group name included in the request. | -| `ct.request.host` | `string` | None | the host included in the request | -| `ct.request.name` | `string` | None | the name of the entity being acted on in the request. | -| `ct.request.policy` | `string` | None | the policy included in the request | -| `ct.request.serialnumber` | `string` | None | the serial number provided in the request. | -| `ct.request.servicename` | `string` | None | the service name provided in the request. | -| `ct.request.subnetid` | `string` | None | the subnet ID provided in the request. | -| `ct.request.taskdefinition` | `string` | None | the task definition prrovided in the request. | -| `ct.request.username` | `string` | None | the username provided in the request. | -| `ct.request` | `string` | None | All request parameters. | -| `ct.srcip` | `string` | None | the IP address generating the event (sourceIPAddress in the json). | -| `ct.useragent` | `string` | None | the user agent generating the event (userAgent in the json). | -| `ct.info` | `string` | None | summary information about the event. This varies depending on the event type and, for some events, it contains event-specific details. | -| `ct.managementevent` | `string` | None | 'true' if the event is a management event (AwsApiCall, AwsConsoleAction, AwsConsoleSignIn, or AwsServiceEvent), 'false' otherwise. | -| `ct.readonly` | `string` | None | 'true' if the event only reads information (e.g. DescribeInstances), 'false' if the event modifies the state (e.g. RunInstances, CreateLoadBalancer...). 
| -| `ct.requestid` | `string` | None | The value that identifies the request. | -| `ct.eventtype` | `string` | None | Identifies the type of event that generated the event record. | -| `ct.apiversion` | `string` | None | The API version associated with the AwsApiCall eventType value. | -| `ct.resources` | `string` | None | A list of resources accessed in the event. | -| `ct.recipientaccountid` | `string` | None | The account ID that received this event. | -| `ct.serviceeventdetails` | `string` | None | Identifies the service event, including what triggered the event and the result. | -| `ct.sharedeventid` | `string` | None | GUID generated by CloudTrail to uniquely identify CloudTrail events. | -| `ct.vpcendpointid` | `string` | None | Identifies the VPC endpoint in which requests were made. | -| `ct.eventcategory` | `string` | None | Shows the event category that is used in LookupEvents calls. | -| `ct.addendum.reason` | `string` | None | reason that the event or some of its contents were missing. | -| `ct.addendum.updatedfields` | `string` | None | The event record fields that are updated by the addendum. | -| `ct.addendum.originalrequestid` | `string` | None | The original unique ID of the request. | -| `ct.addendum.originaleventid` | `string` | None | The original event ID. | -| `ct.sessioncredentialfromconsole` | `string` | None | Shows whether or not an event originated from an AWS Management Console session. | -| `ct.edgedevicedetails` | `string` | None | Information about edge devices that are targets of a request. | -| `ct.tlsdetails.tlsversion` | `string` | None | The TLS version of a request. | -| `ct.tlsdetails.ciphersuite` | `string` | None | The cipher suite (combination of security algorithms used) of a request. | -| `ct.tlsdetails.clientprovidedhostheader` | `string` | None | The client-provided host name used in the service API call. | -| `ct.additionaleventdata` | `string` | None | All additonal event data attributes. 
| -| `s3.uri` | `string` | None | the s3 URI (s3:///). | -| `s3.bucket` | `string` | None | the bucket name for s3 events. | -| `s3.key` | `string` | None | the S3 key name. | -| `s3.bytes` | `uint64` | None | the size of an s3 download or upload, in bytes. | -| `s3.bytes.in` | `uint64` | None | the size of an s3 upload, in bytes. | -| `s3.bytes.out` | `uint64` | None | the size of an s3 download, in bytes. | -| `s3.cnt.get` | `uint64` | None | the number of get operations. This field is 1 for GetObject events, 0 otherwise. | -| `s3.cnt.put` | `uint64` | None | the number of put operations. This field is 1 for PutObject events, 0 otherwise. | -| `s3.cnt.other` | `uint64` | None | the number of non I/O operations. This field is 0 for GetObject and PutObject events, 1 for all the other events. | -| `ec2.name` | `string` | None | the name of the ec2 instances, typically stored in the instance tags. | -| `ec2.imageid` | `string` | None | the ID for the image used to run the ec2 instance in the response. | -| `ecr.repository` | `string` | None | the name of the ecr Repository specified in the request. | -| `ecr.imagetag` | `string` | None | the tag of the image specified in the request. | +| NAME | TYPE | ARG | DESCRIPTION | +|------------------------------------------|----------|------|----------------------------------------------------------------------------------------------------------------------------------------------------------| +| `ct.id` | `string` | None | the unique ID of the cloudtrail event (eventID in the json). | +| `ct.error` | `string` | None | The error code from the event. Will be "" (e.g. the NULL/empty/none value) if there was no error. | +| `ct.errormessage` | `string` | None | The description of an error. Will be "" (e.g. the NULL/empty/none value) if there was no error. | +| `ct.time` | `string` | None | the timestamp of the cloudtrail event (eventTime in the json). 
| +| `ct.src` | `string` | None | the source of the cloudtrail event (eventSource in the json). | +| `ct.shortsrc` | `string` | None | the source of the cloudtrail event (eventSource in the json, without the '.amazonaws.com' trailer). | +| `ct.name` | `string` | None | the name of the cloudtrail event (eventName in the json). | +| `ct.user` | `string` | None | the user of the cloudtrail event (userIdentity.userName in the json). | +| `ct.user.accountid` | `string` | None | the account id of the user of the cloudtrail event. | +| `ct.user.identitytype` | `string` | None | the kind of user identity (e.g. Root, IAMUser,AWSService, etc.) | +| `ct.user.principalid` | `string` | None | A unique identifier for the user that made the request. | +| `ct.user.arn` | `string` | None | the Amazon Resource Name (ARN) of the user that made the request. | +| `ct.region` | `string` | None | the region of the cloudtrail event (awsRegion in the json). | +| `ct.response.subnetid` | `string` | None | the subnet ID included in the response. | +| `ct.response.reservationid` | `string` | None | the reservation ID included in the response. | +| `ct.response` | `string` | None | All response elements. | +| `ct.request.availabilityzone` | `string` | None | the availability zone included in the request. | +| `ct.request.cluster` | `string` | None | the cluster included in the request. | +| `ct.request.functionname` | `string` | None | the function name included in the request. | +| `ct.request.groupname` | `string` | None | the group name included in the request. | +| `ct.request.host` | `string` | None | the host included in the request | +| `ct.request.name` | `string` | None | the name of the entity being acted on in the request. | +| `ct.request.policy` | `string` | None | the policy included in the request | +| `ct.request.serialnumber` | `string` | None | the serial number provided in the request. 
| +| `ct.request.servicename` | `string` | None | the service name provided in the request. | +| `ct.request.subnetid` | `string` | None | the subnet ID provided in the request. | +| `ct.request.taskdefinition` | `string` | None | the task definition prrovided in the request. | +| `ct.request.username` | `string` | None | the username provided in the request. | +| `ct.request` | `string` | None | All request parameters. | +| `ct.srcip` | `string` | None | the IP address generating the event (sourceIPAddress in the json). | +| `ct.useragent` | `string` | None | the user agent generating the event (userAgent in the json). | +| `ct.info` | `string` | None | summary information about the event. This varies depending on the event type and, for some events, it contains event-specific details. | +| `ct.managementevent` | `string` | None | 'true' if the event is a management event (AwsApiCall, AwsConsoleAction, AwsConsoleSignIn, or AwsServiceEvent), 'false' otherwise. | +| `ct.readonly` | `string` | None | 'true' if the event only reads information (e.g. DescribeInstances), 'false' if the event modifies the state (e.g. RunInstances, CreateLoadBalancer...). | +| `ct.requestid` | `string` | None | The value that identifies the request. | +| `ct.eventtype` | `string` | None | Identifies the type of event that generated the event record. | +| `ct.apiversion` | `string` | None | The API version associated with the AwsApiCall eventType value. | +| `ct.resources` | `string` | None | A list of resources accessed in the event. | +| `ct.recipientaccountid` | `string` | None | The account ID that received this event. | +| `ct.serviceeventdetails` | `string` | None | Identifies the service event, including what triggered the event and the result. | +| `ct.sharedeventid` | `string` | None | GUID generated by CloudTrail to uniquely identify CloudTrail events. | +| `ct.vpcendpointid` | `string` | None | Identifies the VPC endpoint in which requests were made. 
| +| `ct.eventcategory` | `string` | None | Shows the event category that is used in LookupEvents calls. | +| `ct.addendum.reason` | `string` | None | The reason that the event or some of its contents were missing. | +| `ct.addendum.updatedfields` | `string` | None | The event record fields that are updated by the addendum. | +| `ct.addendum.originalrequestid` | `string` | None | The original unique ID of the request. | +| `ct.addendum.originaleventid` | `string` | None | The original event ID. | +| `ct.sessioncredentialfromconsole` | `string` | None | Shows whether or not an event originated from an AWS Management Console session. | +| `ct.edgedevicedetails` | `string` | None | Information about edge devices that are targets of a request. | +| `ct.tlsdetails.tlsversion` | `string` | None | The TLS version of a request. | +| `ct.tlsdetails.ciphersuite` | `string` | None | The cipher suite (combination of security algorithms used) of a request. | +| `ct.tlsdetails.clientprovidedhostheader` | `string` | None | The client-provided host name used in the service API call. | +| `ct.additionaleventdata` | `string` | None | All additional event data attributes. | +| `s3.uri` | `string` | None | the s3 URI (s3:///). | +| `s3.bucket` | `string` | None | the bucket name for s3 events. | +| `s3.key` | `string` | None | the S3 key name. | +| `s3.bytes` | `uint64` | None | the size of an s3 download or upload, in bytes. | +| `s3.bytes.in` | `uint64` | None | the size of an s3 upload, in bytes. | +| `s3.bytes.out` | `uint64` | None | the size of an s3 download, in bytes. | +| `s3.cnt.get` | `uint64` | None | the number of get operations. This field is 1 for GetObject events, 0 otherwise. | +| `s3.cnt.put` | `uint64` | None | the number of put operations. This field is 1 for PutObject events, 0 otherwise. | +| `s3.cnt.other` | `uint64` | None | the number of non I/O operations. This field is 0 for GetObject and PutObject events, 1 for all the other events. 
| +| `ec2.name` | `string` | None | the name of the ec2 instances, typically stored in the instance tags. | +| `ec2.imageid` | `string` | None | the ID for the image used to run the ec2 instance in the response. | +| `ecr.repository` | `string` | None | the name of the ecr Repository specified in the request. | +| `ecr.imagetag` | `string` | None | the tag of the image specified in the request. | ## Handling AWS Authentication diff --git a/plugins/k8saudit-eks/README.md b/plugins/k8saudit-eks/README.md index 665c5785..444da42c 100644 --- a/plugins/k8saudit-eks/README.md +++ b/plugins/k8saudit-eks/README.md @@ -28,6 +28,8 @@ Here is the current set of supported fields (from `k8saudit` plugin's extractor) | `ka.stage` | `string` | None | Stage of the request (e.g. RequestReceived, ResponseComplete, etc.) | | `ka.auth.decision` | `string` | None | The authorization decision | | `ka.auth.reason` | `string` | None | The authorization reason | +| `ka.auth.openshift.decision` | `string` | None | The authentication decision of the openshfit apiserver extention. Only available on openshift clusters | +| `ka.auth.openshift.username` | `string` | None | The user name performing the openshift authentication operation. Only available on openshift clusters | | `ka.user.name` | `string` | None | The user name performing the request | | `ka.user.groups` | `string (list)` | None | The groups to which the user belongs | | `ka.impuser.name` | `string` | None | The impersonated user name | 
@@ -38,6 +40,7 @@ Here is the current set of supported fields (from `k8saudit` plugin's extractor) | `ka.target.namespace` | `string` | None | The target object namespace | | `ka.target.resource` | `string` | None | The target object resource | | `ka.target.subresource` | `string` | None | The target object subresource | +| `ka.target.pod.name` | `string` | None | The target pod name | | `ka.req.binding.subjects` | `string (list)` | None | When the request object refers to a cluster role binding, the subject (e.g. account/users) being linked by the binding | | `ka.req.binding.role` | `string` | None | When the request object refers to a cluster role binding, the role being linked by the binding | | `ka.req.binding.subject.has_name` | `string` | Key, Required | Deprecated, always returns "N/A". Only provided for backwards compatibility | @@ -82,6 +85,7 @@ Here is the current set of supported fields (from `k8saudit` plugin's extractor) | `ka.response.reason` | `string` | None | The response reason (usually present only for failures) | | `ka.useragent` | `string` | None | The useragent of the client who made the request to the apiserver | | `ka.sourceips` | `string (list)` | Index | The IP addresses of the client who made the request to the apiserver | +| `ka.cluster.name` | `string` | None | The name of the k8s cluster | ## Usage diff --git a/plugins/k8saudit/README.md b/plugins/k8saudit/README.md index 1a022175..77e43df9 100644 --- a/plugins/k8saudit/README.md +++ b/plugins/k8saudit/README.md 
@@ -32,8 +32,8 @@ The event source for Kubernetes Audit Events is `k8s_audit`. | `ka.stage` | `string` | None | Stage of the request (e.g. RequestReceived, ResponseComplete, etc.) | | `ka.auth.decision` | `string` | None | The authorization decision | | `ka.auth.reason` | `string` | None | The authorization reason | -| `ka.auth.openshift.decision` | `string` | None | The authentication decision of the openshfit apiserver extention. Only available on openshift clusters | -| `ka.auth.openshift.username` | `string` | None | The user name performing the openshift authentication operation. Only available on openshift clusters | +| `ka.auth.openshift.decision` | `string` | None | The authentication decision of the openshfit apiserver extention. Only available on openshift clusters | +| `ka.auth.openshift.username` | `string` | None | The user name performing the openshift authentication operation. Only available on openshift clusters | | `ka.user.name` | `string` | None | The user name performing the request | | `ka.user.groups` | `string (list)` | None | The groups to which the user belongs | | `ka.impuser.name` | `string` | None | The impersonated user name | 
@@ -44,6 +44,7 @@ The event source for Kubernetes Audit Events is `k8s_audit`. | `ka.target.namespace` | `string` | None | The target object namespace | | `ka.target.resource` | `string` | None | The target object resource | | `ka.target.subresource` | `string` | None | The target object subresource | +| `ka.target.pod.name` | `string` | None | The target pod name | | `ka.req.binding.subjects` | `string (list)` | None | When the request object refers to a cluster role binding, the subject (e.g. account/users) being linked by the binding | | `ka.req.binding.role` | `string` | None | When the request object refers to a cluster role binding, the role being linked by the binding | | `ka.req.binding.subject.has_name` | `string` | Key, Required | Deprecated, always returns "N/A". Only provided for backwards compatibility | @@ -88,6 +89,7 @@ The event source for Kubernetes Audit Events is `k8s_audit`. | `ka.response.reason` | `string` | None | The response reason (usually present only for failures) | | `ka.useragent` | `string` | None | The useragent of the client who made the request to the apiserver | | `ka.sourceips` | `string (list)` | Index | The IP addresses of the client who made the request to the apiserver | +| `ka.cluster.name` | `string` | None | The name of the k8s cluster | ## Usage diff --git a/plugins/okta/README.md b/plugins/okta/README.md index 9442a6ac..76e7299d 100644 --- a/plugins/okta/README.md +++ b/plugins/okta/README.md 
@@ -64,13 +64,13 @@ The event source for `okta` events is `okta`. | `okta.security.asorg` | `string` | None | Security AS Org | | `okta.security.isp` | `string` | None | Security ISP | | `okta.security.domain` | `string` | None | Security Domain | -| `okta.target.app.alternateid` | `string` | None | Target Application Alternate ID | | `okta.target.user.id` | `string` | None | Target User ID | | `okta.target.user.alternateid` | `string` | None | Target User Alternate ID | | `okta.target.user.name` | `string` | None | Target User Name | | `okta.target.group.id` | `string` | None | Target Group ID | | `okta.target.group.alternateid` | `string` | None | Target Group Alternate ID | | `okta.target.group.name` | `string` | None | Target Group Name | +| `okta.target.app.alternateid` | `string` | None | Target App Alternate ID | | `okta.mfa.failure.countlast` | `uint64` | Index, Required | Count of MFA failures in last seconds | | `okta.mfa.deny.countlast` | `uint64` | Index, Required | Count of MFA denies in last seconds |
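Review bot: in the cloudtrail `@@ -19,74 +19,74 @@` hunk the `ct.request.taskdefinition` row still reads `the task definition prrovided in the request` on the `+` side; since every row is rewritten here anyway, fix that to `provided`, add the missing space in `Root, IAMUser,AWSService` on the `ct.user.identitytype` row, and add the trailing period that the `ct.request.host` and `ct.request.policy` rows lack so the DESCRIPTION column reads consistently. The `s3.uri` description shows as `s3:///`: if the bucket and key placeholders are written in angle brackets in the source, markdown renderers will swallow them as HTML tags, so put the example in backticks or escape the brackets.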
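Review bot: the two rows added in the k8saudit-eks `@@ -28,6 +28,8 @@` hunk copy the misspellings `openshfit` and `extention` from the k8saudit README; write `openshift apiserver extension` here rather than duplicating the typo into a second file.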
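Review bot: the k8saudit `@@ -32,8 +32,8 @@` hunk only re-aligns the two `ka.auth.openshift.*` rows and keeps `openshfit apiserver extention` verbatim on the `+` lines; since these lines are already being touched, correct them to `openshift apiserver extension` (the same text is copied into the k8saudit-eks README in this patch, so both files can be fixed in one go).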
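Review bot: the `ka.target.pod.name` rows added in the k8saudit `@@ -44,6 +44,7 @@` and k8saudit-eks `@@ -38,6 +40,7 @@` hunks say only `The target pod name`; the description should state for which requests the field is populated (presumably only when the target resource is a pod) and how it relates to the `ka.target.*` rows directly above it, otherwise rule authors cannot tell when to expect an empty value.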
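Review bot: the `ka.cluster.name` rows added in the k8saudit `@@ -88,6 +89,7 @@` and k8saudit-eks `@@ -82,6 +85,7 @@` hunks describe the field only as `The name of the k8s cluster`; say where the value comes from (a plugin configuration parameter versus something carried in the event), because the standard `audit.k8s.io` Event schema has no cluster-name field and rule authors need to know when this field will be empty or unset.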
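Review bot: the okta `@@ -64,13 +64,13 @@` hunk moves the `okta.target.app.alternateid` row below the group rows and at the same time changes its description from `Target Application Alternate ID` to `Target App Alternate ID`; the shortening reads as accidental, and the neighbouring rows spell out `User` and `Group`, so keep `Application` (or state in the commit message that the reorder follows the extractor's field order and that the rename is intentional). The commit message `docs(plugins): update README.md` also says nothing about the new k8saudit fields or the okta reorder; listing them would help anyone reading the history.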