diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 2e95f999c78..aac51b05491 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -314,6 +314,7 @@ /packages/pfsense @elastic/sec-deployment-and-devices /packages/php_fpm @elastic/obs-infraobs-integrations /packages/ping_one @elastic/security-service-integrations +/packages/ping_federate @elastic/security-service-integrations /packages/platform_observability @elastic/stack-monitoring /packages/postgresql @elastic/obs-infraobs-integrations /packages/pps @elastic/security-service-integrations diff --git a/packages/ping_federate/_dev/build/build.yml b/packages/ping_federate/_dev/build/build.yml new file mode 100644 index 00000000000..c3e6b0e3bb3 --- /dev/null +++ b/packages/ping_federate/_dev/build/build.yml @@ -0,0 +1,3 @@ +dependencies: + ecs: + reference: git@v8.16.0 diff --git a/packages/ping_federate/_dev/build/docs/README.md b/packages/ping_federate/_dev/build/docs/README.md new file mode 100644 index 00000000000..97214e09f4b --- /dev/null +++ b/packages/ping_federate/_dev/build/docs/README.md 
@@ -0,0 +1,98 @@ +# PingFederate + +## Overview + +[PingFederate](https://www.pingidentity.com/en/platform/capabilities/authentication-authority/pingfederate.html) is a key component of the [PingIdentity](https://www.pingidentity.com/en.html) platform, which is a suite of solutions for identity and access management (IAM). Specifically, Ping Federate is an enterprise-grade federated identity server designed to enable secure single sign-on (SSO), identity federation, and access management for applications and services. + +## Compatibility + +This module has been tested with the latest version of PingFederate, **12.1.4(November 2024)**. +## Data streams + +The PingFederate integration collects two types of logs: + +**[Admin](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_admin_audit_loggin.html)** - Record actions performed within the PingFederate Administrative Console and via the Administrative API. + +**[Audit](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_security_audit_loggin.html)** - Provides a detailed record of authentication, authorization, and federation transactions. + +**Note**: + +1. In the Admin datastream, only logs from the admin.log file are supported via filestream in the pipe format. The log pattern is as follows: +``` +%d | %X{user} | %X{roles} | %X{ip} | %X{component} | %X{event} | %X{eventdetailid} | %m%n +``` +Sample Log: +``` +2024-11-28 5:58:55,832 | Administrator | UserAdmin,Admin,CryptoAdmin,ExpressionAdmin | 81.2.69.142 | A-rBnNPcJffxBiizBWDOWxq_Ek8cYxg3nxxxxyn6H4 | LICENSE | ROTATE | - Login was successful +``` + +2. Audit logs are supported through filestream, TCP, and UDP in the CEF format. 
The log pattern is as follows: +``` +%escape{CEF}{CEF:0|Ping Identity|PingFederate|%X{pfversion}|%X{event}|%X{event}|0|rt=%d{MMM dd yyyy HH:mm:ss.SSS} duid=%X{subject} src=%X{ip} msg=%X{status} cs1Label=Target Application URL cs1=%X{app} cs2Label=Connection ID cs2=%X{connectionid} cs3Label=Protocol cs3=%X{protocol} dvchost=%X{host} cs4Label=Role cs4=%X{role} externalId=%X{trackingid} cs5Label=SP Local User ID cs5=%X{localuserid} cs6Label=Attributes cs6=%X{attributes} %n} +``` +Sample Log: +``` +CEF:0|Ping Identity|PingFederate|6.4|AUTHN_SESSION_DELETED|AUTHN_SESSION_DELETED|0|rt=May 18 2012 11:41:48.452 duid=joe src=89.160.20.112 msg=failure cs1Label=Target Application URL cs1=http://www.google.ca&landingpage\=pageA cs2Label=Connection ID cs2=sp:cloud:saml2 cs3Label=Protocol cs3=SAML20 dvchost=hello cs4Label=Role cs4=IdP externalId=tid:ae14b5ce8 cs5Label=SP Local User ID cs5=idlocal cs6Label=Attributes cs6={SAML_SUBJECT\=joe, ognl\=tom} +``` + +## Requirements + +- Elastic Agent must be installed. +- You can install only one Elastic Agent per host. +- Elastic Agent is required to stream data through the Filestream or TCP/UDP and ship the data to Elastic, where the events will then be processed via the integration's ingest pipelines. + +### Installing and managing an Elastic Agent: + +You have a few options for installing and managing an Elastic Agent: + +### Install a Fleet-managed Elastic Agent (recommended): + +With this approach, you install Elastic Agent and use Fleet in Kibana to define, configure, and manage your agents in a central location. We recommend using Fleet management because it makes the management and upgrade of your agents considerably easier. + +### Install Elastic Agent in standalone mode (advanced users): + +With this approach, you install Elastic Agent and manually configure the agent locally on the system where it’s installed. You are responsible for managing and upgrading the agents. This approach is reserved for advanced users only. 
+ +### Install Elastic Agent in a containerized environment: + +You can run Elastic Agent inside a container, either with Fleet Server or standalone. Docker images for all versions of Elastic Agent are available from the Elastic Docker registry, and we provide deployment manifests for running on Kubernetes. + +There are some minimum requirements for running Elastic Agent. For more information, refer to the Elastic Agent [installation guide](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html). + +## Setup + +1. For step-by-step instructions on how to configure log files in PingFederate instance, see the [Log4j 2 logging service and configuration](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_log4j_2_loggin_service_and_config.html) guide. +2. To write the audit logs in cef format, see the [Writing audit log in CEF](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_writin_audit_log_cef.html) guide. + +### Enabling the integration in Elastic: + +1. In Kibana go to Management > Integrations. +2. In "Search for integrations" search bar, type PingFederate. +3. Click on the "PingFederate" integration from the search results. +4. Click on the "Add PingFederate" button to add the integration. +5. Select the toggle for the data stream for which you want to collect logs. +6. Enable the data collection mode from the following: Filestream, TCP, or UDP. (Admin logs are only supported through Filestream) +7. Add all the required configuration parameters, such as paths for the filestream or listen address and listen port for the TCP and UDP. +8. Click on "Save and Continue" to save the integration. + +## Logs Reference + +### Admin + +This is the `Admin` dataset. + +#### Example + +{{event "admin"}} + +{{fields "admin"}} + +### Audit + +This is the `Audit` dataset. + +#### Example + +{{event "audit"}} + +{{fields "audit"}} \ No newline at end of file 
diff --git a/packages/ping_federate/_dev/deploy/docker/docker-compose.yml b/packages/ping_federate/_dev/deploy/docker/docker-compose.yml new file mode 100644 index 00000000000..7f25abf417a --- /dev/null +++ b/packages/ping_federate/_dev/deploy/docker/docker-compose.yml @@ -0,0 +1,29 @@ +version: '2.3' +services: + ping_federate-tcp-audit: + image: docker.elastic.co/observability/stream:v0.10.0 + volumes: + - ./sample_logs:/sample_logs:ro + command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9598 -p=tcp /sample_logs/test-audit.log + ping_federate-udp-audit: + image: docker.elastic.co/observability/stream:v0.10.0 + volumes: + - ./sample_logs:/sample_logs:ro + command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9599 -p=udp /sample_logs/test-audit.log + ping_federate-logfile-audit: + image: alpine + volumes: + - ./sample_logs:/sample_logs:ro + - ${SERVICE_LOGS_DIR}:/var/log + command: /bin/sh -c "cp /sample_logs/* /var/log/" + ping_federate-tls-audit: + image: docker.elastic.co/observability/stream:v0.10.0 + volumes: + - ./sample_logs:/sample_logs:ro + command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9598 -p=tls --insecure /sample_logs/test-audit.log + ping_federate-logfile-admin: + image: alpine + volumes: + - ./sample_logs:/sample_logs:ro + - ${SERVICE_LOGS_DIR}:/var/log + command: /bin/sh -c "cp /sample_logs/* /var/log/" diff --git a/packages/ping_federate/_dev/deploy/docker/sample_logs/test-admin.log b/packages/ping_federate/_dev/deploy/docker/sample_logs/test-admin.log new file mode 100644 index 00000000000..3c84a8df755 --- /dev/null +++ b/packages/ping_federate/_dev/deploy/docker/sample_logs/test-admin.log @@ -0,0 +1 @@ +2024-11-28 5:58:55,832 | Administrator | UserAdmin,Admin,CryptoAdmin,ExpressionAdmin | 81.2.69.142 | A-rBnNPcJffxBiizBWDOWxq_Ek8cYxg3nef5uKyn6H4 | LICENSE | ROTATE | - Login was successful 
diff --git a/packages/ping_federate/_dev/deploy/docker/sample_logs/test-audit.log b/packages/ping_federate/_dev/deploy/docker/sample_logs/test-audit.log new file mode 100644 index 00000000000..7d134ba73da --- /dev/null +++ b/packages/ping_federate/_dev/deploy/docker/sample_logs/test-audit.log @@ -0,0 +1 @@ +CEF:0|Ping Identity|PingFederate|6.4|AUTHN_SESSION_DELETED|AUTHN_SESSION_DELETED|0|rt=May 18 2012 11:41:48.452 duid=joe src=192.168.6.130 msg=failure cs1Label=Target Application URL cs1=http://www.google.ca&landingpage\=pageA cs2Label=Connection ID cs2=sp:cloud:saml2 cs3Label=Protocol cs3=SAML20 dvchost=hello cs4Label=Role cs4=IdP externalId=tid:ae14b5ce8 cs5Label=SP Local User ID cs5=idlocal cs6Label=Attributes cs6={SAML_SUBJECT\=joe, ognl\=tom} diff --git a/packages/ping_federate/changelog.yml b/packages/ping_federate/changelog.yml new file mode 100644 index 00000000000..6aeb9d96ad7 --- /dev/null +++ b/packages/ping_federate/changelog.yml @@ -0,0 +1,6 @@ +# newer versions go on top +- version: "0.1.0" + changes: + - description: Initial Release. + type: enhancement + link: https://github.com/elastic/integrations/pull/12113 diff --git a/packages/ping_federate/data_stream/admin/_dev/test/pipeline/test-admin.log b/packages/ping_federate/data_stream/admin/_dev/test/pipeline/test-admin.log new file mode 100644 index 00000000000..3c84a8df755 --- /dev/null +++ b/packages/ping_federate/data_stream/admin/_dev/test/pipeline/test-admin.log @@ -0,0 +1 @@ +2024-11-28 5:58:55,832 | Administrator | UserAdmin,Admin,CryptoAdmin,ExpressionAdmin | 81.2.69.142 | A-rBnNPcJffxBiizBWDOWxq_Ek8cYxg3nef5uKyn6H4 | LICENSE | ROTATE | - Login was successful diff --git a/packages/ping_federate/data_stream/admin/_dev/test/pipeline/test-admin.log-expected.json b/packages/ping_federate/data_stream/admin/_dev/test/pipeline/test-admin.log-expected.json new file mode 100644 index 00000000000..58f62ffdc45 --- /dev/null 
+++ b/packages/ping_federate/data_stream/admin/_dev/test/pipeline/test-admin.log-expected.json @@ -0,0 +1,83 @@ +{ + "expected": [ + { + "@timestamp": "2024-11-28T16:58:55.832+11:00", + "ecs": { + "version": "8.16.0" + }, + "event": { + "action": "rotate", + "category": [ + "configuration" + ], + "id": "A-rBnNPcJffxBiizBWDOWxq_Ek8cYxg3nef5uKyn6H4", + "kind": "event", + "original": "2024-11-28 5:58:55,832 | Administrator | UserAdmin,Admin,CryptoAdmin,ExpressionAdmin | 81.2.69.142 | A-rBnNPcJffxBiizBWDOWxq_Ek8cYxg3nef5uKyn6H4 | LICENSE | ROTATE | - Login was successful", + "timezone": "+11:00", + "type": [ + "change" + ] + }, + "message": "- Login was successful", + "observer": { + "product": "PingFederate", + "vendor": "Ping Identity" + }, + "ping_federate": { + "admin": { + "component": "LICENSE", + "event": { + "detail_id": "A-rBnNPcJffxBiizBWDOWxq_Ek8cYxg3nef5uKyn6H4", + "type": "ROTATE" + }, + "ip": "81.2.69.142", + "message": "- Login was successful", + "roles": [ + "UserAdmin", + "Admin", + "CryptoAdmin", + "ExpressionAdmin" + ], + "timestamp": "2024-11-28T16:58:55.832+11:00", + "user": "Administrator" + } + }, + "related": { + "ip": [ + "81.2.69.142" + ], + "user": [ + "Administrator" + ] + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.142" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "user": { + "name": "Administrator", + "roles": [ + "UserAdmin", + "Admin", + "CryptoAdmin", + "ExpressionAdmin" + ] + } + } + ] +} \ No newline at end of file diff --git a/packages/ping_federate/data_stream/admin/_dev/test/pipeline/test-common-config.yml b/packages/ping_federate/data_stream/admin/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..4bef7c76df3 
--- /dev/null +++ b/packages/ping_federate/data_stream/admin/_dev/test/pipeline/test-common-config.yml @@ -0,0 +1,6 @@ +fields: + tags: + - preserve_original_event + - preserve_duplicate_custom_fields + _conf: + tz_offset: "+11:00" diff --git a/packages/ping_federate/data_stream/admin/_dev/test/system/test-logfile-config.yml b/packages/ping_federate/data_stream/admin/_dev/test/system/test-logfile-config.yml new file mode 100644 index 00000000000..befb3aebf86 --- /dev/null +++ b/packages/ping_federate/data_stream/admin/_dev/test/system/test-logfile-config.yml @@ -0,0 +1,15 @@ +service: ping_federate-logfile-admin +input: filestream +data_stream: + vars: + paths: + - "{{SERVICE_LOGS_DIR}}/*admin*.log" + tz_offset: "+11:00" + preserve_original_event: true + preserve_duplicate_custom_fields: true +numeric_keyword_fields: + - log.file.device_id + - log.file.inode + - log.file.idxhi + - log.file.idxlo + - log.file.vol diff --git a/packages/ping_federate/data_stream/admin/agent/stream/filestream.yml.hbs b/packages/ping_federate/data_stream/admin/agent/stream/filestream.yml.hbs new file mode 100644 index 00000000000..c50fb3411c0 --- /dev/null +++ b/packages/ping_federate/data_stream/admin/agent/stream/filestream.yml.hbs @@ -0,0 +1,32 @@ +paths: +{{#each paths as |path|}} + - {{path}} +{{/each}} +exclude_files: ['\.gz$'] +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#if preserve_duplicate_custom_fields}} + - preserve_duplicate_custom_fields +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +- rename: + fields: + - {from: "message", to: "event.original"} +{{#if tz_offset}} +fields_under_root: true +fields: + _conf: + tz_offset: "{{tz_offset}}" +{{/if}} +{{#if processors}} +processors: +{{processors}} +{{/if}} 
diff --git a/packages/ping_federate/data_stream/admin/elasticsearch/ingest_pipeline/default.yml b/packages/ping_federate/data_stream/admin/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..b7450bd0a4f --- /dev/null +++ b/packages/ping_federate/data_stream/admin/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,310 @@ +--- +description: Pipeline for processing Admin logs. +processors: + - set: + field: ecs.version + tag: set_ecs_version + value: 8.16.0 + - set: + field: observer.vendor + tag: set_observer_vendor + value: "Ping Identity" + - set: + field: observer.product + tag: set_observer_product + value: PingFederate + - rename: + field: _conf.tz_offset + target_field: event.timezone + if: ctx._conf?.tz_offset != null + tag: rename_tz_offset + ignore_missing: true + - rename: + field: message + tag: rename_message_to_event_original + target_field: event.original + ignore_missing: true + description: Renames the original `message` field to `event.original` to store a copy of the original message. The `event.original` field is not touched if the document already has one; it may happen when Logstash sends the document. + if: ctx.event?.original == null + - remove: + field: message + tag: remove_message + ignore_missing: true + description: The `message` field is no longer required if the document has an `event.original` field. + if: ctx.event?.original != null + - grok: + field: event.original + patterns: + - '%{DATA:ping_federate.admin.timestamp}\s\|\s%{WORD:ping_federate.admin.user}\s\|\s(%{DATA:ping_federate.admin.roles})?\s\|\s(%{IP:ping_federate.admin.ip})?\s\|\s(%{DATA:ping_federate.admin.event.detail_id})?\s\|\s(%{WORD:ping_federate.admin.component})\s\|\s(%{WORD:ping_federate.admin.event.type})?\s\|\s(%{GREEDYDATA:ping_federate.admin.message})?' 
+ if: ctx.event?.original != null + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: event.kind + value: event + tag: set_event_kind + - append: + field: event.category + value: authentication + tag: append_event_category_authentication + if: >- + ctx.ping_federate?.admin?.event?.type != null && ( + ctx.ping_federate.admin.event.type == 'LOGIN_ATTEMPT' || + ctx.ping_federate.admin.event.type == 'LOGOUT' || + ctx.ping_federate.admin.event.type == 'PASSWORD_CHANGE' + ) + - append: + field: event.category + value: configuration + tag: append_event_category_configuration + if: >- + ctx.ping_federate?.admin?.event?.type != null && ctx.ping_federate?.admin?.component != null && ( + ctx.ping_federate.admin.event.type == 'IMPORT' || + ctx.ping_federate.admin.event.type == 'ROTATE' || + (ctx.ping_federate.admin.event.type == 'CREATE' && ctx.ping_federate.admin.component != 'USER') || + ctx.ping_federate.admin.event.type == 'DELETE' || + ctx.ping_federate.admin.event.type == 'MODIFY' + ) + - append: + field: event.category + value: iam + tag: append_event_category_iam + if: >- + ctx.ping_federate?.admin?.event?.type != null && ctx.ping_federate?.admin?.component != null && ( + (ctx.ping_federate.admin.event.type == 'CREATE' && ctx.ping_federate.admin.component == 'USER') || + ctx.ping_federate.admin.event.type == 'ROLE_CHANGE' || + ctx.ping_federate.admin.event.type == 'ACTIVATE' + ) + - append: + field: event.category + value: session + if: ctx.ping_federate?.admin?.event?.type != null && ctx.ping_federate.admin.event.type.contains('SESSION') + tag: append_event_category_session + - append: + field: event.type + value: info + tag: append_event_type_info + if: >- + ctx.ping_federate?.admin?.event?.type != null && ( + ctx.ping_federate.admin.event.type == 
'PASSWORD_CHANGE' || + ctx.ping_federate.admin.event.type == 'IMPORT' + ) + - append: + field: event.type + value: end + tag: append_event_type_end + if: >- + ctx.ping_federate?.admin?.event?.type != null && ( + ctx.ping_federate.admin.event.type == 'SESSION_TIMEOUT' || + ctx.ping_federate.admin.event.type == 'LOGOUT' + ) + - append: + field: event.type + value: change + tag: append_event_type_change + if: >- + ctx.ping_federate?.admin?.event?.type != null && ( + ctx.ping_federate.admin.event.type == 'ROLE_CHANGE' || + ctx.ping_federate.admin.event.type == 'MODIFY' || + ctx.ping_federate.admin.event.type == 'ROTATE' + ) + - append: + field: event.type + value: user + tag: append_event_type_user + if: >- + ctx.ping_federate?.admin?.event?.type != null && ( + ctx.ping_federate.admin.event.type == 'ROLE_CHANGE' || + ctx.ping_federate.admin.event.type == 'ACTIVATE' + ) + - append: + field: event.type + value: start + tag: append_event_type_start + if: >- + ctx.ping_federate?.admin?.event?.type != null && ctx.ping_federate.admin.event.type == 'LOGIN_ATTEMPT' + - append: + field: event.type + value: deletion + tag: append_event_type_deletion + if: >- + ctx.ping_federate?.admin?.event?.type != null && ctx.ping_federate.admin.event.type == 'DELETE' + - append: + field: event.type + value: creation + tag: append_event_type_creation + if: >- + ctx.ping_federate?.admin?.event?.type != null && ctx.ping_federate.admin.event.type == 'CREATE' + - date: + field: ping_federate.admin.timestamp + tag: date_ping_federate_admin_timestamp + target_field: ping_federate.admin.timestamp + formats: + - yyyy-MM-dd HH:mm:ss,SSS + - yyyy-MM-dd H:mm:ss,SSS + if: ctx.ping_federate?.admin?.timestamp != null && ctx.ping_federate.admin.timestamp != '' + on_failure: + - remove: + field: ping_federate.admin.timestamp + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline 
{{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' +# The timezone doesn't function as expected with custom date formats like yyyy-MM-dd HH:mm:ss,SSS, +# Hence, first converted the date to ISO8601 format and then applied the event.timezone to the ISO8601 formatted date. +# An issue has been raised for this scenario here: https://github.com/elastic/beats/issues/42133 + - date: + field: ping_federate.admin.timestamp + tag: date_ping_federate_admin_timestamp_timezone + target_field: ping_federate.admin.timestamp + timezone: '{{{event.timezone}}}' + formats: + - ISO8601 + if: ctx.ping_federate?.admin?.timestamp != null && ctx.ping_federate.admin.timestamp != '' && ctx.event?.timezone != null + on_failure: + - remove: + field: ping_federate.admin.timestamp + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: '@timestamp' + copy_from: ping_federate.admin.timestamp + ignore_empty_value: true + - set: + field: user.name + copy_from: ping_federate.admin.user + tag: set_user_name + ignore_empty_value: true + - append: + field: related.user + tag: append_user_name_to_related_user + value: '{{{ping_federate.admin.user}}}' + allow_duplicates: false + if: ctx.ping_federate?.admin?.user != null + - split: + field: ping_federate.admin.roles + tag: split_admin_roles + if: ctx.ping_federate?.admin?.roles != null && ctx.ping_federate.admin.roles.contains(',') + separator: ',' + on_failure: + - remove: + field: ping_federate.admin.roles + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: ping_federate.admin.roles + if: 
ctx.ping_federate?.admin?.roles instanceof List + ignore_failure: true + processor: + append: + field: user.roles + tag: append_list_to_user_roles + value: '{{{_ingest._value}}}' + allow_duplicates: false + if: ctx.ping_federate?.admin?.roles != null + - append: + field: user.roles + tag: append_to_user_roles + value: '{{{ping_federate.admin.roles}}}' + allow_duplicates: false + if: ctx.ping_federate?.admin?.roles != null && ctx.user?.roles == null + - set: + field: event.action + copy_from: ping_federate.admin.event.type + tag: set_event_action + ignore_empty_value: true + - lowercase: + field: event.action + tag: lowercase_event_action + ignore_missing: true + - set: + field: event.id + copy_from: ping_federate.admin.event.detail_id + tag: set_event_id + ignore_empty_value: true + - set: + field: message + copy_from: ping_federate.admin.message + tag: set_message + ignore_empty_value: true + - convert: + field: ping_federate.admin.ip + tag: convert_ping_federate_admin_ip_to_ip + type: ip + ignore_missing: true + if: ctx.ping_federate?.admin?.ip != '' + on_failure: + - remove: + field: ping_federate.admin.ip + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: source.ip + tag: set_source_ip + copy_from: ping_federate.admin.ip + ignore_empty_value: true + - geoip: + field: source.ip + target_field: source.geo + tag: geoip_proc + ignore_missing: true + - append: + field: related.ip + tag: append_ping_federate_admin_ip_to_related_ip + value: '{{{ping_federate.admin.ip}}}' + allow_duplicates: false + if: ctx.ping_federate?.admin?.ip != null + - remove: + field: + - ping_federate.admin.timestamp + - ping_federate.admin.user + - ping_federate.admin.roles + - ping_federate.admin.ip + - ping_federate.admin.event.type + - ping_federate.admin.event.detail_id + - 
ping_federate.admin.message + tag: remove_custom_duplicate_fields + ignore_missing: true + if: ctx.tags == null || !ctx.tags.contains('preserve_duplicate_custom_fields') + - script: + tag: script_to_drop_null_values + lang: painless + description: Drops null/empty values recursively. + source: |- + boolean drop(Object object) { + if (object == null || object == '') { + return true; + } else if (object instanceof Map) { + ((Map) object).values().removeIf(v -> drop(v)); + return (((Map) object).size() == 0); + } else if (object instanceof List) { + ((List) object).removeIf(v -> drop(v)); + return (((List) object).length == 0); + } + return false; + } + drop(ctx); + - set: + field: event.kind + tag: set_pipeline_error_into_event_kind + value: pipeline_error + if: ctx.error?.message != null +on_failure: + - append: + field: error.message + value: >- + Processor '{{{ _ingest.on_failure_processor_type }}}' + {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}' + {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}' + - set: + field: event.kind + tag: set_pipeline_error_to_event_kind + value: pipeline_error + - append: + field: tags + value: preserve_original_event + allow_duplicates: false diff --git a/packages/ping_federate/data_stream/admin/fields/base-fields.yml b/packages/ping_federate/data_stream/admin/fields/base-fields.yml new file mode 100644 index 00000000000..e4fc446886e --- /dev/null +++ b/packages/ping_federate/data_stream/admin/fields/base-fields.yml 
@@ -0,0 +1,23 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module. + value: ping_federate +- name: event.dataset + type: constant_keyword + description: Event dataset. + value: ping_federate.admin +- name: log.source.address + description: Source address from which the log event was read / sent from. + type: keyword +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/ping_federate/data_stream/admin/fields/beats.yml b/packages/ping_federate/data_stream/admin/fields/beats.yml new file mode 100644 index 00000000000..9eff736e678 --- /dev/null +++ b/packages/ping_federate/data_stream/admin/fields/beats.yml @@ -0,0 +1,30 @@ +- name: input.type + type: keyword + description: Type of filebeat input. +- name: log.offset + type: long + description: Log offset. +- name: log.file + type: group + fields: + - name: device_id + type: keyword + description: ID of the device containing the filesystem where the file resides. + - name: fingerprint + type: keyword + description: The sha256 fingerprint identity of the file when fingerprinting is enabled. + - name: inode + type: keyword + description: Inode number of the log file. + - name: idxhi + type: keyword + description: The high-order part of a unique identifier that is associated with a file. (Windows-only) + - name: idxlo + type: keyword + description: The low-order part of a unique identifier that is associated with a file. (Windows-only) + - name: vol + type: keyword + description: The serial number of the volume that contains a file. (Windows-only) +- name: tags + type: keyword + description: User defined tags. 
diff --git a/packages/ping_federate/data_stream/admin/fields/fields.yml b/packages/ping_federate/data_stream/admin/fields/fields.yml new file mode 100644 index 00000000000..478d1837940 --- /dev/null +++ b/packages/ping_federate/data_stream/admin/fields/fields.yml @@ -0,0 +1,29 @@ +- name: ping_federate.admin + type: group + fields: + - name: component + type: keyword + description: The PingFederate system component processing the request (e.g., SSO, OAuth). + - name: event + type: group + fields: + - name: type + type: keyword + description: Describes the type of event (e.g., authentication attempt, token issuance). + - name: detail_id + type: keyword + description: A unique identifier for specific event details or associated sub-transactions. + - name: ip + type: ip + description: The IP address of the client initiating the request. + - name: message + type: keyword + description: The main message or details of the log entry. + - name: roles + type: keyword + description: Lists the roles or permissions associated with the user. + - name: timestamp + type: date + - name: user + type: keyword + description: Represents the username or user identifier involved in the transaction. diff --git a/packages/ping_federate/data_stream/admin/manifest.yml b/packages/ping_federate/data_stream/admin/manifest.yml new file mode 100644 index 00000000000..ccc9161079f --- /dev/null +++ b/packages/ping_federate/data_stream/admin/manifest.yml 
@@ -0,0 +1,57 @@ +title: Admin logs +type: logs +streams: + - input: filestream + enabled: false + template_path: filestream.yml.hbs + title: Admin logs + description: Collect PingFederate admin logs via Filestream. + vars: + - name: paths + type: text + title: Paths + multi: true + required: true + show_user: true + description: A list of glob-based paths that will be crawled and fetched. + - name: tz_offset + type: text + title: Timezone Offset + multi: false + required: false + show_user: true + description: >- + When interpreting syslog timestamps without a time zone, use this timezone offset. Datetimes recorded in logs are by default interpreted in relation to the timezone set up on the host where the agent is operating. Use this parameter to adjust the timezone offset when importing logs from a host in a different timezone so that datetimes are appropriately interpreted. Both a canonical ID (such as "Europe/Amsterdam") and an HH:mm differential (such as "-05:00") are acceptable timezone formats. + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - ping_federate-admin + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: preserve_duplicate_custom_fields + required: true + show_user: false + title: Preserve duplicate custom fields + description: Preserve ping_federate.admin fields that were copied to Elastic Common Schema (ECS) fields. + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. 
See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/ping_federate/data_stream/admin/sample_event.json b/packages/ping_federate/data_stream/admin/sample_event.json new file mode 100644 index 00000000000..d11e58fb979 --- /dev/null +++ b/packages/ping_federate/data_stream/admin/sample_event.json 
@@ -0,0 +1,112 @@ +{ + "@timestamp": "2024-11-28T16:58:55.832+11:00", + "agent": { + "ephemeral_id": "cc3c0dc0-25b3-472f-8434-111714ef6bcb", + "id": "7cd150d8-eab1-4974-b83f-990dbb737cb8", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.14.0" + }, + "data_stream": { + "dataset": "ping_federate.admin", + "namespace": "75079", + "type": "logs" + }, + "ecs": { + "version": "8.16.0" + }, + "elastic_agent": { + "id": "7cd150d8-eab1-4974-b83f-990dbb737cb8", + "snapshot": false, + "version": "8.14.0" + }, + "event": { + "action": "rotate", + "agent_id_status": "verified", + "category": [ + "configuration" + ], + "dataset": "ping_federate.admin", + "id": "A-rBnNPcJffxBiizBWDOWxq_Ek8cYxg3nef5uKyn6H4", + "ingested": "2024-12-19T12:19:22Z", + "kind": "event", + "original": "2024-11-28 5:58:55,832 | Administrator | UserAdmin,Admin,CryptoAdmin,ExpressionAdmin | 81.2.69.142 | A-rBnNPcJffxBiizBWDOWxq_Ek8cYxg3nef5uKyn6H4 | LICENSE | ROTATE | - Login was successful", + "timezone": "+11:00", + "type": [ + "change" + ] + }, + "input": { + "type": "filestream" + }, + "log": { + "file": { + "device_id": "64768", + "inode": "8692415", + "path": "/tmp/service_logs/test-admin.log" + }, + "offset": 0 + }, + "message": "- Login was successful", + "observer": { + "product": "PingFederate", + "vendor": "Ping Identity" + }, + "ping_federate": { + "admin": { + "component": "LICENSE", + "event": { + "detail_id": "A-rBnNPcJffxBiizBWDOWxq_Ek8cYxg3nef5uKyn6H4", + "type": "ROTATE" + }, + "ip": "81.2.69.142", + "message": "- Login was successful", + "roles": [ + "UserAdmin", + "Admin", + "CryptoAdmin", + "ExpressionAdmin" + ], + "timestamp": "2024-11-28T16:58:55.832+11:00", + "user": "Administrator" + } + }, + "related": { + "ip": [ + "81.2.69.142" + ], + "user": [ + "Administrator" + ] + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": 
-0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.142" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "ping_federate-admin" + ], + "user": { + "name": "Administrator", + "roles": [ + "UserAdmin", + "Admin", + "CryptoAdmin", + "ExpressionAdmin" + ] + } +} \ No newline at end of file diff --git a/packages/ping_federate/data_stream/audit/_dev/test/pipeline/test-audit.json b/packages/ping_federate/data_stream/audit/_dev/test/pipeline/test-audit.json new file mode 100644 index 00000000000..3023a33699f --- /dev/null +++ b/packages/ping_federate/data_stream/audit/_dev/test/pipeline/test-audit.json 
@@ -0,0 +1,79 @@ +{ + "events": [{ + "agent": { + "name": "docker-fleet-agent", + "id": "ef463cd2-6fb1-4dce-b6d5-8d91577bfcb0", + "ephemeral_id": "439c1553-7391-4f08-84eb-bf451e322489", + "type": "filebeat", + "version": "8.16.0" + }, + "log": { + "source": { + "address": "192.168.251.1:36962" + } + }, + "cef": { + "severity": "0", + "extensions": { + "deviceCustomString3Label": "Protocol", + "deviceCustomString1": "http://www.google.ca&landingpage=pageA", + "externalId": "tid:ae14b5ce8", + "deviceCustomString3": "SAML20", + "sourceAddress":"81.2.69.142", + "deviceCustomString1Label": "Target Application URL", + "deviceCustomString2": "sp:cloud:saml2", + "deviceReceiptTime": "2012-05-18T11:41:48.452Z", + "message": "failure", + "deviceCustomString4": "IdP", + "deviceCustomString6Label": "Attributes", + "deviceCustomString6": "{SAML_SUBJECT=joe, ognl=tom}", + "deviceCustomString5Label": "SP Local User ID", + "deviceCustomString5": "idlocal", + "deviceCustomString4Label": "Role", + "deviceHostName": "hello", + "destinationUserId": "joe", + "deviceCustomString2Label": "Connection ID" + }, + "name": "AUTHN_SESSION_DELETED", + "version": "0", + "device": { + "product": "PingFederate", + "event_class_id": "AUTHN_SESSION_DELETED", + "vendor": "Ping Identity", + "version": "6.4" + } + }, + "elastic_agent": { + "id": "ef463cd2-6fb1-4dce-b6d5-8d91577bfcb0", + "version": "8.16.0", + "snapshot": false + }, + "destination": { + "user": { + "id": "joe" + } + }, + "message": "failure", + "observer": { + "product": "PingFederate", + "hostname": "hello", + "vendor": "Ping Identity", + "version": "6.4" + }, + "input": { + "type": "tcp" + }, + "@timestamp": "2012-05-18T11:41:48.452Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "severity": 0, + "agent_id_status": "verified", + "ingested": "2024-12-06T09:22:50Z", + "original": "CEF:0|Ping Identity|PingFederate|6.4|AUTHN_SESSION_DELETED|AUTHN_SESSION_DELETED|0|rt=May 18 2012 11:41:48.452 duid=joe src=81.2.69.142 msg=failure 
cs1Label=Target Application URL cs1=http://www.google.ca&landingpage\\=pageA cs2Label=Connection ID cs2=sp:cloud:saml2 cs3Label=Protocol cs3=SAML20 dvchost=hello cs4Label=Role cs4=IdP externalId=tid:ae14b5ce8 cs5Label=SP Local User ID cs5=idlocal cs6Label=Attributes cs6={SAML_SUBJECT\\=joe, ognl\\=tom}", + "code": "AUTHN_SESSION_DELETED", + "dataset": "ping_federate.audit" + } + } +]} \ No newline at end of file diff --git a/packages/ping_federate/data_stream/audit/_dev/test/pipeline/test-audit.json-expected.json b/packages/ping_federate/data_stream/audit/_dev/test/pipeline/test-audit.json-expected.json new file mode 100644 index 00000000000..30e6c8232ec --- /dev/null +++ b/packages/ping_federate/data_stream/audit/_dev/test/pipeline/test-audit.json-expected.json 
@@ -0,0 +1,116 @@ +{ + "expected": [ + { + "@timestamp": "2012-05-18T22:41:48.452+11:00", + "agent": { + "ephemeral_id": "439c1553-7391-4f08-84eb-bf451e322489", + "id": "ef463cd2-6fb1-4dce-b6d5-8d91577bfcb0", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.16.0" + }, + "ecs": { + "version": "8.16.0" + }, + "elastic_agent": { + "id": "ef463cd2-6fb1-4dce-b6d5-8d91577bfcb0", + "snapshot": false, + "version": "8.16.0" + }, + "event": { + "action": "authn_session_deleted", + "agent_id_status": "verified", + "category": [ + "session" + ], + "code": "AUTHN_SESSION_DELETED", + "dataset": "ping_federate.audit", + "ingested": "2024-12-06T09:22:50Z", + "kind": "event", + "original": "CEF:0|Ping Identity|PingFederate|6.4|AUTHN_SESSION_DELETED|AUTHN_SESSION_DELETED|0|rt=May 18 2012 11:41:48.452 duid=joe src=81.2.69.142 msg=failure cs1Label=Target Application URL cs1=http://www.google.ca&landingpage\\=pageA cs2Label=Connection ID cs2=sp:cloud:saml2 cs3Label=Protocol cs3=SAML20 dvchost=hello cs4Label=Role cs4=IdP externalId=tid:ae14b5ce8 cs5Label=SP Local User ID cs5=idlocal cs6Label=Attributes cs6={SAML_SUBJECT\\=joe, ognl\\=tom}", + "outcome": "failure", + "severity": 0, + "timezone": "+11:00", + "type": [ + "end" + ] + }, + "input": { + "type": "tcp" + }, + "log": { + "source": { + "address": "192.168.251.1:36962" + } + }, + "observer": { + "hostname": "hello", + "product": "PingFederate", + "vendor": "Ping Identity", + "version": "6.4" + }, + "ping_federate": { + "audit": { + "app": "http://www.google.ca&landingpage=pageA", + "attributes": "{SAML_SUBJECT=joe, ognl=tom}", + "connection_id": "sp:cloud:saml2", + "event": "AUTHN_SESSION_DELETED", + "host": { + "name": "hello" + }, + "ip": "81.2.69.142", + "local_user_id": "idlocal", + "protocol": "SAML20", + "response_time": "2012-05-18T22:41:48.452+11:00", + "role": "IdP", + "severity": 0, + "status": "failure", + "subject": "joe", + "tracking_id": "tid:ae14b5ce8" + } + }, + "related": { + "hosts": [ + 
"hello" + ], + "ip": [ + "81.2.69.142" + ], + "user": [ + "idlocal", + "joe" + ] + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": "United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.142" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "url": { + "full": "http://www.google.ca&landingpage=pageA", + "original": "http://www.google.ca&landingpage=pageA", + "scheme": "http" + }, + "user": { + "name": "joe", + "roles": [ + "IdP" + ] + } + } + ] +} \ No newline at end of file diff --git a/packages/ping_federate/data_stream/audit/_dev/test/pipeline/test-common-config.yml b/packages/ping_federate/data_stream/audit/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..4bef7c76df3 --- /dev/null +++ b/packages/ping_federate/data_stream/audit/_dev/test/pipeline/test-common-config.yml @@ -0,0 +1,6 @@ +fields: + tags: + - preserve_original_event + - preserve_duplicate_custom_fields + _conf: + tz_offset: "+11:00" diff --git a/packages/ping_federate/data_stream/audit/_dev/test/system/test-logfile-config.yml b/packages/ping_federate/data_stream/audit/_dev/test/system/test-logfile-config.yml new file mode 100644 index 00000000000..46ba70fa913 --- /dev/null +++ b/packages/ping_federate/data_stream/audit/_dev/test/system/test-logfile-config.yml @@ -0,0 +1,15 @@ +service: ping_federate-logfile-audit +input: filestream +data_stream: + vars: + paths: + - "{{SERVICE_LOGS_DIR}}/*audit*.log" + tz_offset: "+11:00" + preserve_original_event: true + preserve_duplicate_custom_fields: true +numeric_keyword_fields: + - log.file.device_id + - log.file.inode + - log.file.idxhi + - log.file.idxlo + - log.file.vol 
diff --git a/packages/ping_federate/data_stream/audit/_dev/test/system/test-tcp-config.yml b/packages/ping_federate/data_stream/audit/_dev/test/system/test-tcp-config.yml new file mode 100644 index 00000000000..be5c96f6e6f --- /dev/null +++ b/packages/ping_federate/data_stream/audit/_dev/test/system/test-tcp-config.yml @@ -0,0 +1,10 @@ +service: ping_federate-tcp-audit +service_notify_signal: SIGHUP +input: tcp +data_stream: + vars: + listen_address: 0.0.0.0 + listen_port: 9598 + tz_offset: "+11:00" + preserve_original_event: true + preserve_duplicate_custom_fields: true diff --git a/packages/ping_federate/data_stream/audit/_dev/test/system/test-tls-config.yml b/packages/ping_federate/data_stream/audit/_dev/test/system/test-tls-config.yml new file mode 100644 index 00000000000..e673b2f8fde --- /dev/null +++ b/packages/ping_federate/data_stream/audit/_dev/test/system/test-tls-config.yml 
@@ -0,0 +1,62 @@ +service: ping_federate-tls-audit +service_notify_signal: SIGHUP +input: tcp +data_stream: + vars: + listen_address: 0.0.0.0 + listen_port: 9598 + tz_offset: "+10:00" + ssl: | + key: | + -----BEGIN PRIVATE KEY----- + MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDhCLvLsQAHufsN + U+u1x/CequAUphfXZqLhDo2Eo/holfBS0+ey4bnzPL6lS9NFL5JkLQA2gYESqsXU + /Ru8E76Az1egzMwT3TVAPLVU8NbrxBqeNiQa2m9wC37HQy4qC9OxL28LUoKtFjxS + cD1sa0oikXCJN1a3BSoAf9iiZ/dxz4WVfrNhrzq2JFXjravY84n5ujkZOg45Pg70 + 4vHOeg0rBbIoSNfjDUVZWjwC95K1BMN3msOTL9juv/EDa6BujqCxl+G1nY7JPFDL + SHWis65p+1AAa5xieYDb47vyJ0SSR7lEURTXZOkkM6k5JWfgkATEmGzRxPkOloIT + Xg9ag1OlAgMBAAECggEAEHfPJmzhj68wjB0kFr13AmWG2Hv/Kqg8KzQhbx+AwkaW + u7j+L70NGpvLZ9VQtLNyhxoz9cksZO1SZO/Q48aeHlcOFppmJN3/U6AdtQWa9M35 + FLLpmX16wjxVHsfvzOvopgLOoYl8PqZt66qDFDgVyMnT7na6RdJ+7GJuvBPXq+Bc + vgThvAZitHSAOhnBFYmTMlBi6AzOMMsaFlgE3Xf9v3M0pAKItPRKMhXlC3MyvA/v + jgbra4Ib+0ryohggHheHB3bn3Jgv7iFKoW9OQSePVxacJ+kfr9H+No5g495URzqR + mx/96WCiv3rAh3ct8Sk/C4/3zMC8fUueDJIVjhgw0QKBgQD8NufLINNkIpBrLoCS + 972oFEjZB2u6EusQ7X9raROqpaw26ZSu+zSHeIKCGQ93M3aRb3FpdGeOxgZ095MV + 8a+nlh4stOvHj2Mm5YhTBDUavTC7o9aVR3Od5eTXUpHnaJpNI/uyIcKupeK1UJnV + UlBLeIwo/vJ1gsVrKMMAJkuKbwKBgQDkaWRRd0w2gUIbCTGf203BqXft0VdIiOW7 + +gnkeaNHAf09XljzxMcQzrB8kG63aKVGbJffphEfzxtiJ+HRQVH+7QpKRhU/GHmu + +6OKkxTcxJm5zhoRFxcSi2wG4PWmUGJvc7ss1OJGcaOUxwocCepO7N/jfdDz9Uke + KnA+YWOdKwKBgQDteZkYlojT0QOgF8HyH5gQyUCqMKWLJ0LzxltiPCbLV4Dml1pq + w5Z7M8nWS1hXiTpLx93GSFc1hFkSCwYP9GfK6Lryp0sVtHnMZvTMDbseuSJImwRx + vDwtYQfugg1lEQWwOoBEAiu3m/PxernNtNprpU57T0nlwUK3GkM5QdWAuwKBgQCZ + ZF3GiANapzupxGbbH//8Cr9LqsafI7CEqMpz8WxBh4h16iJ6sq+tDeFgBe8UpOY5 + gTwNKg1d+0w8guQYD3HtbWr3rlEeamVtqfiOW3ArQqyqJ0tCJuuLvK3zgKf35Qv2 + JRaSaPT8sdxVUcXsRoxgLJu+vwPQke1koMN4YRbwuQKBgQDJiZ/WSeqa5oIqkXbn + hjm7RXKaf2oE1U/bNjdSFtdEP7T4vUvvr7Hq2f/jiBLtCE7w16PJjKx9iIq2+jMl + qIY43Sk9bdi5FxtYTHda0hwrbH274P+QVcVs5PXCT0TGktOleHGBlXaaPrxl9iCh + 8tmmxZZYa5aQxEO/lxB9xQKaiQ== + -----END PRIVATE KEY----- + certificate: | + -----BEGIN 
CERTIFICATE----- + MIIDazCCAlOgAwIBAgIUW5TDu1tJMY2Oa7PsL+BQSmeWqz0wDQYJKoZIhvcNAQEL + BQAwRTELMAkGA1UEBhMCVVMxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM + GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMTEwMDEwNTAwMjNaFw0yMTEw + MDIwNTAwMjNaMEUxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw + HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB + AQUAA4IBDwAwggEKAoIBAQDhCLvLsQAHufsNU+u1x/CequAUphfXZqLhDo2Eo/ho + lfBS0+ey4bnzPL6lS9NFL5JkLQA2gYESqsXU/Ru8E76Az1egzMwT3TVAPLVU8Nbr + xBqeNiQa2m9wC37HQy4qC9OxL28LUoKtFjxScD1sa0oikXCJN1a3BSoAf9iiZ/dx + z4WVfrNhrzq2JFXjravY84n5ujkZOg45Pg704vHOeg0rBbIoSNfjDUVZWjwC95K1 + BMN3msOTL9juv/EDa6BujqCxl+G1nY7JPFDLSHWis65p+1AAa5xieYDb47vyJ0SS + R7lEURTXZOkkM6k5JWfgkATEmGzRxPkOloITXg9ag1OlAgMBAAGjUzBRMB0GA1Ud + DgQWBBRYUSKDHBBE9Q6fTeTqogicCxcXwDAfBgNVHSMEGDAWgBRYUSKDHBBE9Q6f + TeTqogicCxcXwDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBc + T8B+GpvPy9NQ700LsywRPY0L9IJCKiu6j3TP1tqqSPjAC/cg9ac+bFXuWOu7V+KJ + s09Q/pItq9SLX6UvnfRzTxu5lCBwwGX9cL131mTIu5SmFo7Eks+sorbiIarWDMoC + e+9An3GFpagW+YhOt4BdIM5lTqoeodzganDBsOUZI9aDAj2Yo5h2O7r6Wd12cb6T + mz8vMfB2eG8BxU20ZMfkdERWjiyXHOSBQqeqfkV8d9370gMu5RcJNcIgnbmTRdho + X3HJFiimZVaNjXATqmC/y2A1KXvJdamPLy3mGXkW2cFLoPCdK2OZFUHqiuc1bigA + qEf55SihFqErRMeURPPF + -----END CERTIFICATE----- + preserve_original_event: true + preserve_duplicate_custom_fields: true diff --git a/packages/ping_federate/data_stream/audit/_dev/test/system/test-udp-config.yml b/packages/ping_federate/data_stream/audit/_dev/test/system/test-udp-config.yml new file mode 100644 index 00000000000..55172eee787 --- /dev/null +++ b/packages/ping_federate/data_stream/audit/_dev/test/system/test-udp-config.yml @@ -0,0 +1,10 @@ +service: ping_federate-udp-audit +service_notify_signal: SIGHUP +input: udp +data_stream: + vars: + listen_address: 0.0.0.0 + listen_port: 9599 + tz_offset: "+13:00" + preserve_original_event: true + preserve_duplicate_custom_fields: true 
diff --git a/packages/ping_federate/data_stream/audit/agent/stream/filestream.yml.hbs b/packages/ping_federate/data_stream/audit/agent/stream/filestream.yml.hbs new file mode 100644 index 00000000000..1f94f8c26ab --- /dev/null +++ b/packages/ping_federate/data_stream/audit/agent/stream/filestream.yml.hbs @@ -0,0 +1,34 @@ +paths: +{{#each paths as |path|}} + - {{path}} +{{/each}} +exclude_files: ['\.gz$'] +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#if preserve_duplicate_custom_fields}} + - preserve_duplicate_custom_fields +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +- rename: + fields: + - {from: "message", to: "event.original"} +- decode_cef: + field: event.original +{{#if tz_offset}} +fields_under_root: true +fields: + _conf: + tz_offset: "{{tz_offset}}" +{{/if}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/ping_federate/data_stream/audit/agent/stream/tcp.yml.hbs b/packages/ping_federate/data_stream/audit/agent/stream/tcp.yml.hbs new file mode 100644 index 00000000000..1d6e910022a --- /dev/null +++ b/packages/ping_federate/data_stream/audit/agent/stream/tcp.yml.hbs @@ -0,0 +1,35 @@ +host: "{{listen_address}}:{{listen_port}}" +{{#if tcp_options}} +{{tcp_options}} +{{/if}} +{{#if ssl}} +ssl: {{ssl}} +{{/if}} +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#if preserve_duplicate_custom_fields}} + - preserve_duplicate_custom_fields +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +- rename: + fields: + - {from: "message", to: "event.original"} +- decode_cef: + field: event.original +{{#if tz_offset}} +fields_under_root: true +fields: + _conf: + tz_offset: "{{tz_offset}}" +{{/if}} +{{#if processors}} +{{processors}} +{{/if}} 
diff --git a/packages/ping_federate/data_stream/audit/agent/stream/udp.yml.hbs b/packages/ping_federate/data_stream/audit/agent/stream/udp.yml.hbs new file mode 100644 index 00000000000..8c6b02ff412 --- /dev/null +++ b/packages/ping_federate/data_stream/audit/agent/stream/udp.yml.hbs @@ -0,0 +1,33 @@ +host: "{{listen_address}}:{{listen_port}}" +{{#if udp_options}} +{{udp_options}} +{{/if}} +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#if preserve_duplicate_custom_fields}} + - preserve_duplicate_custom_fields +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +- rename: + fields: + - {from: "message", to: "event.original"} +- decode_cef: + field: event.original +{{#if tz_offset}} +fields_under_root: true +fields: + _conf: + tz_offset: "{{tz_offset}}" +{{/if}} +{{#if processors}} +processors: +{{processors}} +{{/if}} diff --git a/packages/ping_federate/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/ping_federate/data_stream/audit/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..80d2f10b734 --- /dev/null +++ b/packages/ping_federate/data_stream/audit/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,388 @@ +--- +description: Pipeline for processing Audit logs. +processors: + - set: + field: ecs.version + tag: set_ecs_version + value: 8.16.0 + - set: + field: event.kind + value: event + tag: set_event_kind + - rename: + field: _conf.tz_offset + target_field: event.timezone + if: ctx._conf?.tz_offset != null + tag: rename_tz_offset + ignore_missing: true + - rename: + field: message + tag: rename_message_to_event_original + target_field: event.original + ignore_missing: true + description: Renames the original `message` field to `event.original` to store a copy of the original message. The `event.original` field is not touched if the document already has one; it may happen when Logstash sends the document. + if: ctx.event?.original == null + - remove: + field: message + tag: remove_message + ignore_missing: true + description: The `message` field is no longer required if the document has an `event.original` field. + if: ctx.event?.original != null + - remove: + field: + - observer.hostname + - '@timestamp' + tag: remove_observer_hostname_and_timestamp_to_add_later_on_cond + ignore_missing: true + - rename: + field: cef.name + tag: rename_cef_name + target_field: ping_federate.audit.event + ignore_missing: true + - set: + field: event.action + tag: set_event_action + copy_from: ping_federate.audit.event + ignore_empty_value: true + - lowercase: + field: event.action + tag: lowercase_event_action + ignore_missing: true + - append: + field: event.category + value: authentication + tag: append_event_category_authentication + if: >- + ctx.ping_federate?.audit?.event != null && ( + ctx.ping_federate.audit.event == 'SLO' || + ctx.ping_federate.audit.event == 'SSO' || + ctx.ping_federate.audit.event == 'OAuth' || + ctx.ping_federate.audit.event == 'AUTHN_ATTEMPT' || + ctx.ping_federate.audit.event == 'AUTHN_REQUEST' + ) + - append: + field: event.category + value: session + tag: append_event_category_session + if: >- + ctx.ping_federate?.audit?.event != null 
&& ( + ctx.ping_federate.audit.event == 'AUTHN_SESSION_CREATED' || + ctx.ping_federate.audit.event == 'AUTHN_SESSION_USED' || + ctx.ping_federate.audit.event == 'AUTHN_SESSION_DELETED' || + ctx.ping_federate.audit.event == 'SRI_REVOKED' + ) + - append: + field: event.type + value: info + tag: append_event_type_info + if: >- + ctx.ping_federate?.audit?.event != null && ( + ctx.ping_federate.audit.event == 'OAuth' || + ctx.ping_federate.audit.event == 'AUTHN_SESSION_USED' + ) + - append: + field: event.type + value: start + tag: append_event_type_start + if: >- + ctx.ping_federate?.audit?.event != null && ( + ctx.ping_federate.audit.event == 'SSO' || + ctx.ping_federate.audit.event == 'AUTHN_ATTEMPT' || + ctx.ping_federate.audit.event == 'AUTHN_REQUEST' || + ctx.ping_federate.audit.event == 'AUTHN_SESSION_CREATED' + ) + - append: + field: event.type + value: end + tag: append_event_type_end + if: >- + ctx.ping_federate?.audit?.event != null && ( + ctx.ping_federate.audit.event == 'SLO' || + ctx.ping_federate.audit.event == 'SRI_REVOKED' || + ctx.ping_federate.audit.event == 'AUTHN_SESSION_DELETED' + ) + - convert: + field: cef.severity + tag: convert_severity_to_long + target_field: ping_federate.audit.severity + type: long + ignore_missing: true + if: ctx.ping_federate?.audit?.severity != '' + on_failure: + - remove: + field: ping_federate.audit.severity + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - convert: + field: cef.extensions.deviceHostName + tag: convert_deviceHostName_to_ip + target_field: ping_federate.audit.host.ip + type: ip + ignore_missing: true + if: ctx.ping_federate?.audit?.host?.ip != '' + on_failure: + - rename: + field: cef.extensions.deviceHostName + tag: set_device_host_name + target_field: ping_federate.audit.host.name + - append: + field: 
observer.ip + value: '{{{ping_federate.audit.host.ip}}}' + allow_duplicates: false + tag: append_observer_ip + if: ctx.ping_federate?.audit?.host?.ip != null + - append: + field: related.ip + value: '{{{ping_federate.audit.host.ip}}}' + allow_duplicates: false + tag: append_related_ip + if: ctx.ping_federate?.audit?.host?.ip != null + - set: + field: observer.hostname + copy_from: ping_federate.audit.host.name + tag: set_observer_name + ignore_empty_value: true + - append: + field: related.hosts + value: '{{{ping_federate.audit.host.name}}}' + allow_duplicates: false + tag: append_related_hosts + if: ctx.ping_federate?.audit?.host?.name != null + - date: + field: cef.extensions.deviceReceiptTime + tag: date_ping_federate_audit_response_time + target_field: ping_federate.audit.response_time + formats: + - ISO8601 + if: ctx.cef?.extensions?.deviceReceiptTime != null && ctx.cef.extensions.deviceReceiptTime != '' && ctx.event?.timezone == null + on_failure: + - remove: + field: ping_federate.audit.response_time + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - date: + field: cef.extensions.deviceReceiptTime + tag: date_ping_federate_audit_response_time_timezone + target_field: ping_federate.audit.response_time + timezone: '{{{event.timezone}}}' + formats: + - ISO8601 + if: ctx.cef?.extensions?.deviceReceiptTime != null && ctx.cef.extensions.deviceReceiptTime != '' && ctx.event?.timezone != null + on_failure: + - remove: + field: ping_federate.audit.response_time + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: '@timestamp' + copy_from: 
ping_federate.audit.response_time + ignore_empty_value: true + - set: + field: ping_federate.audit.app + tag: set_app_value_from_deviceCustomString1 + copy_from: cef.extensions.deviceCustomString1 + ignore_empty_value: true + - uri_parts: + field: ping_federate.audit.app + tag: uri_parts + ignore_missing: true + on_failure: + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: url.full + tag: set_url_full + copy_from: ping_federate.audit.app + ignore_empty_value: true + - set: + field: ping_federate.audit.connection_id + tag: set_connection_id_from_deviceCustomString2 + copy_from: cef.extensions.deviceCustomString2 + ignore_empty_value: true + - set: + field: ping_federate.audit.protocol + tag: set_protocol_from_deviceCustomString3 + copy_from: cef.extensions.deviceCustomString3 + ignore_empty_value: true + - set: + field: ping_federate.audit.local_user_id + tag: set_local_user_id_from_deviceCustomString5 + copy_from: cef.extensions.deviceCustomString5 + ignore_empty_value: true + - append: + field: related.user + tag: append_local_user_id_to_related_user + value: '{{{ping_federate.audit.local_user_id}}}' + allow_duplicates: false + if: ctx.ping_federate?.audit?.local_user_id != null + - set: + field: ping_federate.audit.subject + tag: set_subject_from_destinationUserId + copy_from: cef.extensions.destinationUserId + ignore_empty_value: true + - set: + field: user.name + tag: set_user_name_from_subject + copy_from: ping_federate.audit.subject + ignore_empty_value: true + - append: + field: related.user + tag: append_local_user_id_to_related_user + value: '{{{ping_federate.audit.subject}}}' + allow_duplicates: false + if: ctx.ping_federate?.audit?.subject != null + - set: + field: ping_federate.audit.attributes + tag: set_attributes_from_deviceCustomString6 + 
copy_from: cef.extensions.deviceCustomString6 + ignore_empty_value: true + - rename: + field: cef.extensions.externalId + tag: rename_externalId_to_tracking_id + target_field: ping_federate.audit.tracking_id + ignore_missing: true + - rename: + field: cef.extensions.message + tag: rename_message_to_status + target_field: ping_federate.audit.status + ignore_missing: true + - set: + field: event.outcome + tag: set_event_outcome_unknown + value: unknown + ignore_empty_value: true + - set: + field: event.outcome + tag: set_event_outcome_success + value: success + if: ctx.ping_federate?.audit?.status?.toLowerCase().contains("success") + - set: + field: event.outcome + tag: set_event_outcome_failure + value: failure + if: ctx.ping_federate?.audit?.status?.toLowerCase().contains("fail") + - set: + field: ping_federate.audit.role + tag: set_role_from_deviceCustomString4 + copy_from: cef.extensions.deviceCustomString4 + ignore_empty_value: true + - split: + field: ping_federate.audit.role + if: ctx.ping_federate?.audit?.role != null && ctx.ping_federate.audit.role.contains(',') + tag: split_audit_role + separator: ',' + on_failure: + - remove: + field: ping_federate.audit.role + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - foreach: + field: ping_federate.audit.role + if: ctx.ping_federate?.audit?.role instanceof List + ignore_failure: true + processor: + append: + field: user.roles + tag: append_list_to_user_roles + value: '{{{_ingest._value}}}' + allow_duplicates: false + if: ctx.ping_federate?.audit?.role != null + - append: + field: user.roles + tag: append_to_user_roles + value: '{{{ping_federate.audit.role}}}' + allow_duplicates: false + if: ctx.ping_federate?.audit?.role != null && ctx.user?.roles == null + - convert: + field: cef.extensions.sourceAddress + tag: 
convert_sourceAddress_to_ip + target_field: ping_federate.audit.ip + type: ip + ignore_missing: true + if: ctx.ping_federate?.audit?.ip != '' + on_failure: + - remove: + field: ping_federate.audit.ip + - append: + field: error.message + value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}' + - set: + field: source.ip + tag: set_source_ip + copy_from: ping_federate.audit.ip + ignore_empty_value: true + - geoip: + field: source.ip + target_field: source.geo + tag: geoip_proc + ignore_missing: true + - append: + field: related.ip + tag: append_ping_federate_audit_ip_to_related_ip + value: '{{{ping_federate.audit.ip}}}' + allow_duplicates: false + if: ctx.ping_federate?.audit?.ip != null + - remove: + field: + - ping_federate.audit.event + - ping_federate.audit.subject + - ping_federate.audit.ip + - ping_federate.audit.app + - ping_federate.audit.host.ip + - ping_federate.audit.host.name + - ping_federate.audit.role + - ping_federate.audit.status + - ping_federate.audit.response_time + - ping_federate.audit.severity + tag: remove_custom_duplicate_fields + ignore_missing: true + if: ctx.tags == null || !ctx.tags.contains('preserve_duplicate_custom_fields') + - remove: + field: + - cef + - destination.user.id + tag: remove_cef_and_destination_user_id + ignore_missing: true + - script: + tag: script_to_drop_null_values + lang: painless + description: Drops null/empty values recursively. 
+ source: |- + boolean drop(Object object) { + if (object == null || object == '') { + return true; + } else if (object instanceof Map) { + ((Map) object).values().removeIf(v -> drop(v)); + return (((Map) object).size() == 0); + } else if (object instanceof List) { + ((List) object).removeIf(v -> drop(v)); + return (((List) object).length == 0); + } + return false; + } + drop(ctx); + - set: + field: event.kind + tag: set_pipeline_error_into_event_kind + value: pipeline_error + if: ctx.error?.message != null +on_failure: + - append: + field: error.message + value: >- + Processor '{{{ _ingest.on_failure_processor_type }}}' + {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}' + {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}' + - set: + field: event.kind + tag: set_pipeline_error_to_event_kind + value: pipeline_error + - append: + field: tags + value: preserve_original_event + allow_duplicates: false diff --git a/packages/ping_federate/data_stream/audit/fields/base-fields.yml b/packages/ping_federate/data_stream/audit/fields/base-fields.yml new file mode 100644 index 00000000000..5c3387da6b3 --- /dev/null +++ b/packages/ping_federate/data_stream/audit/fields/base-fields.yml @@ -0,0 +1,23 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module. + value: ping_federate +- name: event.dataset + type: constant_keyword + description: Event dataset. + value: ping_federate.audit +- name: log.source.address + description: Source address from which the log event was read / sent from. + type: keyword +- name: '@timestamp' + type: date + description: Event timestamp. 
diff --git a/packages/ping_federate/data_stream/audit/fields/beats.yml b/packages/ping_federate/data_stream/audit/fields/beats.yml new file mode 100644 index 00000000000..9eff736e678 --- /dev/null +++ b/packages/ping_federate/data_stream/audit/fields/beats.yml @@ -0,0 +1,30 @@ +- name: input.type + type: keyword + description: Type of filebeat input. +- name: log.offset + type: long + description: Log offset. +- name: log.file + type: group + fields: + - name: device_id + type: keyword + description: ID of the device containing the filesystem where the file resides. + - name: fingerprint + type: keyword + description: The sha256 fingerprint identity of the file when fingerprinting is enabled. + - name: inode + type: keyword + description: Inode number of the log file. + - name: idxhi + type: keyword + description: The high-order part of a unique identifier that is associated with a file. (Windows-only) + - name: idxlo + type: keyword + description: The low-order part of a unique identifier that is associated with a file. (Windows-only) + - name: vol + type: keyword + description: The serial number of the volume that contains a file. (Windows-only) +- name: tags + type: keyword + description: User defined tags. diff --git a/packages/ping_federate/data_stream/audit/fields/fields.yml b/packages/ping_federate/data_stream/audit/fields/fields.yml new file mode 100644 index 00000000000..160d97850f3 --- /dev/null +++ b/packages/ping_federate/data_stream/audit/fields/fields.yml 
@@ -0,0 +1,49 @@ +- name: ping_federate.audit + type: group + fields: + - name: app + type: keyword + description: Target application URL. + - name: attributes + type: keyword + description: A list of all attributes. + - name: connection_id + type: keyword + description: Partner ID. + - name: event + type: keyword + description: Event. + - name: host + type: group + fields: + - name: ip + type: ip + description: Device host IP. + - name: name + type: keyword + description: Device hostname. + - name: ip + type: ip + description: Client source IP. + - name: local_user_id + type: keyword + description: SP local user ID (available only when account linking is used). + - name: protocol + type: keyword + description: Protocol (e.g. SAML20). + - name: response_time + type: date + - name: role + type: keyword + description: Role (IdP, SP). + - name: severity + type: long + - name: status + type: keyword + description: The status of the SSO request (success, failure, authn_attempt). + - name: subject + type: keyword + description: User name. + - name: tracking_id + type: keyword + description: Tracking ID which is unique for a user session. It is used for debugging purposes in the server log. diff --git a/packages/ping_federate/data_stream/audit/manifest.yml b/packages/ping_federate/data_stream/audit/manifest.yml new file mode 100644 index 00000000000..7028377194d --- /dev/null +++ b/packages/ping_federate/data_stream/audit/manifest.yml 
@@ -0,0 +1,232 @@ +title: Audit logs +type: logs +streams: + - input: tcp + enabled: false + template_path: tcp.yml.hbs + title: Audit logs + description: Collect PingFederate audit logs via syslog over TCP. + vars: + - name: listen_address + type: text + title: Listen Address + description: The bind address to listen for TCP connections. Set to `0.0.0.0` to bind to all available interfaces. + multi: false + required: true + show_user: true + default: localhost + - name: listen_port + type: integer + title: Listen Port + description: The TCP port number to listen on. + multi: false + required: true + show_user: true + default: 9598 + - name: tz_offset + type: text + title: Timezone Offset + multi: false + required: false + show_user: true + description: >- + When interpreting syslog timestamps without a time zone, use this timezone offset. Datetimes recorded in logs are by default interpreted in relation to the timezone set up on the host where the agent is operating. Use this parameter to adjust the timezone offset when importing logs from a host in a different timezone so that datetimes are appropriately interpreted. Both a canonical ID (such as "Europe/Amsterdam") and an HH:mm differential (such as "-05:00") are acceptable timezone formats. + - name: tcp_options + type: yaml + title: Custom TCP Options + multi: false + required: false + show_user: false + default: | + #max_message_size: 50KiB + #max_connections: 1 + description: Specify custom configuration options for the TCP input. + - name: ssl + type: yaml + title: SSL Configuration + description: i.e. certificate_authorities, supported_protocols, verification_mode etc. 
+ multi: false + required: false + show_user: false + default: | + #certificate_authorities: + # - | + # -----BEGIN CERTIFICATE----- + # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF + # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2 + # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB + # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n + # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl + # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t + # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP + # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41 + # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O + # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux + # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D + # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw + # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA + # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu + # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0 + # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk + # sxSmbIUfc2SGJGCJD4I= + # -----END CERTIFICATE----- + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - ping_federate-audit + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: preserve_duplicate_custom_fields + required: true + show_user: false + title: Preserve duplicate custom fields + description: Preserve ping_federate.audit fields that were copied to Elastic Common Schema (ECS) fields. 
+ type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - input: udp + enabled: false + template_path: udp.yml.hbs + title: Audit logs + description: Collect PingFederate audit logs via syslog over UDP. + vars: + - name: listen_address + type: text + title: Listen Address + description: The bind address to listen for UDP connections. Set to `0.0.0.0` to bind to all available interfaces. + multi: false + required: true + show_user: true + default: localhost + - name: listen_port + type: integer + title: Listen Port + description: The UDP port number to listen on. + multi: false + required: true + show_user: true + default: 9599 + - name: tz_offset + type: text + title: Timezone Offset + multi: false + required: false + show_user: true + description: >- + When interpreting syslog timestamps without a time zone, use this timezone offset. Datetimes recorded in logs are by default interpreted in relation to the timezone set up on the host where the agent is operating. Use this parameter to adjust the timezone offset when importing logs from a host in a different timezone so that datetimes are appropriately interpreted. Both a canonical ID (such as "Europe/Amsterdam") and an HH:mm differential (such as "-05:00") are acceptable timezone formats. + - name: udp_options + type: yaml + title: Custom UDP Options + multi: false + required: false + show_user: false + default: | + #max_message_size: 50KiB + #timeout: 300s + description: Specify custom configuration options for the UDP input. 
+ - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - ping_federate-audit + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: preserve_duplicate_custom_fields + required: true + show_user: false + title: Preserve duplicate custom fields + description: Preserve ping_federate.audit fields that were copied to Elastic Common Schema (ECS) fields. + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - input: filestream + enabled: false + template_path: filestream.yml.hbs + title: Audit logs + description: Collect PingFederate audit logs via Filestream. + vars: + - name: paths + type: text + title: Paths + multi: true + required: true + show_user: true + description: A list of glob-based paths that will be crawled and fetched. + - name: tz_offset + type: text + title: Timezone Offset + multi: false + required: false + show_user: true + description: >- + When interpreting syslog timestamps without a time zone, use this timezone offset. Datetimes recorded in logs are by default interpreted in relation to the timezone set up on the host where the agent is operating. Use this parameter to adjust the timezone offset when importing logs from a host in a different timezone so that datetimes are appropriately interpreted. 
Both a canonical ID (such as "Europe/Amsterdam") and an HH:mm differential (such as "-05:00") are acceptable timezone formats. + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - ping_federate-audit + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: preserve_duplicate_custom_fields + required: true + show_user: false + title: Preserve duplicate custom fields + description: Preserve ping_federate.audit fields that were copied to Elastic Common Schema (ECS) fields. + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/ping_federate/data_stream/audit/sample_event.json b/packages/ping_federate/data_stream/audit/sample_event.json new file mode 100644 index 00000000000..ec3789a1929 --- /dev/null +++ b/packages/ping_federate/data_stream/audit/sample_event.json 
@@ -0,0 +1,107 @@ +{ + "@timestamp": "2012-05-19T00:41:48.452+13:00", + "agent": { + "ephemeral_id": "f21cd0a8-ed07-4f2a-a1b7-c3a61d93dc64", + "id": "7cd150d8-eab1-4974-b83f-990dbb737cb8", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.14.0" + }, + "data_stream": { + "dataset": "ping_federate.audit", + "namespace": "99086", + "type": "logs" + }, + "ecs": { + "version": "8.16.0" + }, + "elastic_agent": { + "id": "7cd150d8-eab1-4974-b83f-990dbb737cb8", + "snapshot": false, + "version": "8.14.0" + }, + "event": { + "action": "authn_session_deleted", + "agent_id_status": "verified", + "category": [ + "session" + ], + "code": "AUTHN_SESSION_DELETED", + "dataset": "ping_federate.audit", + "ingested": "2024-12-19T12:23:19Z", + "kind": "event", + "original": "CEF:0|Ping Identity|PingFederate|6.4|AUTHN_SESSION_DELETED|AUTHN_SESSION_DELETED|0|rt=May 18 2012 11:41:48.452 duid=joe src=192.168.6.130 msg=failure cs1Label=Target Application URL cs1=http://www.google.ca&landingpage\\=pageA cs2Label=Connection ID cs2=sp:cloud:saml2 cs3Label=Protocol cs3=SAML20 dvchost=hello cs4Label=Role cs4=IdP externalId=tid:ae14b5ce8 cs5Label=SP Local User ID cs5=idlocal cs6Label=Attributes cs6={SAML_SUBJECT\\=joe, ognl\\=tom}", + "outcome": "failure", + "severity": 0, + "timezone": "+13:00", + "type": [ + "end" + ] + }, + "input": { + "type": "udp" + }, + "log": { + "source": { + "address": "192.168.246.7:58730" + } + }, + "observer": { + "hostname": "hello", + "product": "PingFederate", + "vendor": "Ping Identity", + "version": "6.4" + }, + "ping_federate": { + "audit": { + "app": "http://www.google.ca&landingpage=pageA", + "attributes": "{SAML_SUBJECT=joe, ognl=tom}", + "connection_id": "sp:cloud:saml2", + "event": "AUTHN_SESSION_DELETED", + "host": { + "name": "hello" + }, + "ip": "192.168.6.130", + "local_user_id": "idlocal", + "protocol": "SAML20", + "response_time": "2012-05-19T00:41:48.452+13:00", + "role": "IdP", + "severity": 0, + "status": "failure", + 
"subject": "joe", + "tracking_id": "tid:ae14b5ce8" + } + }, + "related": { + "hosts": [ + "hello" + ], + "ip": [ + "192.168.6.130" + ], + "user": [ + "idlocal", + "joe" + ] + }, + "source": { + "ip": "192.168.6.130" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "ping_federate-audit" + ], + "url": { + "full": "http://www.google.ca&landingpage=pageA", + "original": "http://www.google.ca&landingpage=pageA", + "scheme": "http" + }, + "user": { + "name": "joe", + "roles": [ + "IdP" + ] + } +} \ No newline at end of file diff --git a/packages/ping_federate/docs/README.md b/packages/ping_federate/docs/README.md new file mode 100644 index 00000000000..a278793f671 --- /dev/null +++ b/packages/ping_federate/docs/README.md 
@@ -0,0 +1,385 @@ +# PingFederate + +## Overview + +[PingFederate](https://www.pingidentity.com/en/platform/capabilities/authentication-authority/pingfederate.html) is a key component of the [PingIdentity](https://www.pingidentity.com/en.html) platform, which is a suite of solutions for identity and access management (IAM). Specifically, Ping Federate is an enterprise-grade federated identity server designed to enable secure single sign-on (SSO), identity federation, and access management for applications and services. + +## Compatibility + +This module has been tested with the latest version of PingFederate, **12.1.4(November 2024)**. +## Data streams + +The PingFederate integration collects two types of logs: + +**[Admin](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_admin_audit_loggin.html)** - Record actions performed within the PingFederate Administrative Console and via the Administrative API. + +**[Audit](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_security_audit_loggin.html)** - Provides a detailed record of authentication, authorization, and federation transactions. + +**Note**: + +1. In the Admin datastream, only logs from the admin.log file are supported via filestream in the pipe format. The log pattern is as follows: +``` +%d | %X{user} | %X{roles} | %X{ip} | %X{component} | %X{event} | %X{eventdetailid} | %m%n +``` +Sample Log: +``` +2024-11-28 5:58:55,832 | Administrator | UserAdmin,Admin,CryptoAdmin,ExpressionAdmin | 81.2.69.142 | A-rBnNPcJffxBiizBWDOWxq_Ek8cYxg3nxxxxyn6H4 | LICENSE | ROTATE | - Login was successful +``` + +2. Audit logs are supported through filestream, TCP, and UDP in the CEF format. 
The log pattern is as follows: +``` +%escape{CEF}{CEF:0|Ping Identity|PingFederate|%X{pfversion}|%X{event}|%X{event}|0|rt=%d{MMM dd yyyy HH:mm:ss.SSS} duid=%X{subject} src=%X{ip} msg=%X{status} cs1Label=Target Application URL cs1=%X{app} cs2Label=Connection ID cs2=%X{connectionid} cs3Label=Protocol cs3=%X{protocol} dvchost=%X{host} cs4Label=Role cs4=%X{role} externalId=%X{trackingid} cs5Label=SP Local User ID cs5=%X{localuserid} cs6Label=Attributes cs6=%X{attributes} %n} +``` +Sample Log: +``` +CEF:0|Ping Identity|PingFederate|6.4|AUTHN_SESSION_DELETED|AUTHN_SESSION_DELETED|0|rt=May 18 2012 11:41:48.452 duid=joe src=89.160.20.112 msg=failure cs1Label=Target Application URL cs1=http://www.google.ca&landingpage\=pageA cs2Label=Connection ID cs2=sp:cloud:saml2 cs3Label=Protocol cs3=SAML20 dvchost=hello cs4Label=Role cs4=IdP externalId=tid:ae14b5ce8 cs5Label=SP Local User ID cs5=idlocal cs6Label=Attributes cs6={SAML_SUBJECT\=joe, ognl\=tom} +``` + +## Requirements + +- Elastic Agent must be installed. +- You can install only one Elastic Agent per host. +- Elastic Agent is required to stream data through the Filestream or TCP/UDP and ship the data to Elastic, where the events will then be processed via the integration's ingest pipelines. + +### Installing and managing an Elastic Agent: + +You have a few options for installing and managing an Elastic Agent: + +### Install a Fleet-managed Elastic Agent (recommended): + +With this approach, you install Elastic Agent and use Fleet in Kibana to define, configure, and manage your agents in a central location. We recommend using Fleet management because it makes the management and upgrade of your agents considerably easier. + +### Install Elastic Agent in standalone mode (advanced users): + +With this approach, you install Elastic Agent and manually configure the agent locally on the system where it’s installed. You are responsible for managing and upgrading the agents. This approach is reserved for advanced users only. 
+ +### Install Elastic Agent in a containerized environment: + +You can run Elastic Agent inside a container, either with Fleet Server or standalone. Docker images for all versions of Elastic Agent are available from the Elastic Docker registry, and we provide deployment manifests for running on Kubernetes. + +There are some minimum requirements for running Elastic Agent. For more information, refer to the Elastic Agent [installation guide](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html). + +## Setup + +1. For step-by-step instructions on how to configure log files in PingFederate instance, see the [Log4j 2 logging service and configuration](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_log4j_2_loggin_service_and_config.html) guide. +2. To write the audit logs in cef format, see the [Writing audit log in CEF](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_writin_audit_log_cef.html) guide. + +### Enabling the integration in Elastic: + +1. In Kibana go to Management > Integrations. +2. In "Search for integrations" search bar, type PingFederate. +3. Click on the "PingFederate" integration from the search results. +4. Click on the "Add PingFederate" button to add the integration. +5. Select the toggle for the data stream for which you want to collect logs. +6. Enable the data collection mode from the following: Filestream, TCP, or UDP. (Admin logs are only supported through Filestream) +7. Add all the required configuration parameters, such as paths for the filestream or listen address and listen port for the TCP and UDP. +8. Click on "Save and Continue" to save the integration. + +## Logs Reference + +### Admin + +This is the `Admin` dataset. 
+ +#### Example + +An example event for `admin` looks as following: + +```json +{ + "@timestamp": "2024-11-28T16:58:55.832+11:00", + "agent": { + "ephemeral_id": "cc3c0dc0-25b3-472f-8434-111714ef6bcb", + "id": "7cd150d8-eab1-4974-b83f-990dbb737cb8", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.14.0" + }, + "data_stream": { + "dataset": "ping_federate.admin", + "namespace": "75079", + "type": "logs" + }, + "ecs": { + "version": "8.16.0" + }, + "elastic_agent": { + "id": "7cd150d8-eab1-4974-b83f-990dbb737cb8", + "snapshot": false, + "version": "8.14.0" + }, + "event": { + "action": "rotate", + "agent_id_status": "verified", + "category": [ + "configuration" + ], + "dataset": "ping_federate.admin", + "id": "A-rBnNPcJffxBiizBWDOWxq_Ek8cYxg3nef5uKyn6H4", + "ingested": "2024-12-19T12:19:22Z", + "kind": "event", + "original": "2024-11-28 5:58:55,832 | Administrator | UserAdmin,Admin,CryptoAdmin,ExpressionAdmin | 81.2.69.142 | A-rBnNPcJffxBiizBWDOWxq_Ek8cYxg3nef5uKyn6H4 | LICENSE | ROTATE | - Login was successful", + "timezone": "+11:00", + "type": [ + "change" + ] + }, + "input": { + "type": "filestream" + }, + "log": { + "file": { + "device_id": "64768", + "inode": "8692415", + "path": "/tmp/service_logs/test-admin.log" + }, + "offset": 0 + }, + "message": "- Login was successful", + "observer": { + "product": "PingFederate", + "vendor": "Ping Identity" + }, + "ping_federate": { + "admin": { + "component": "LICENSE", + "event": { + "detail_id": "A-rBnNPcJffxBiizBWDOWxq_Ek8cYxg3nef5uKyn6H4", + "type": "ROTATE" + }, + "ip": "81.2.69.142", + "message": "- Login was successful", + "roles": [ + "UserAdmin", + "Admin", + "CryptoAdmin", + "ExpressionAdmin" + ], + "timestamp": "2024-11-28T16:58:55.832+11:00", + "user": "Administrator" + } + }, + "related": { + "ip": [ + "81.2.69.142" + ], + "user": [ + "Administrator" + ] + }, + "source": { + "geo": { + "city_name": "London", + "continent_name": "Europe", + "country_iso_code": "GB", + "country_name": 
"United Kingdom", + "location": { + "lat": 51.5142, + "lon": -0.0931 + }, + "region_iso_code": "GB-ENG", + "region_name": "England" + }, + "ip": "81.2.69.142" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "ping_federate-admin" + ], + "user": { + "name": "Administrator", + "roles": [ + "UserAdmin", + "Admin", + "CryptoAdmin", + "ExpressionAdmin" + ] + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| event.dataset | Event dataset. | constant_keyword | +| event.module | Event module. | constant_keyword | +| input.type | Type of filebeat input. | keyword | +| log.file.device_id | ID of the device containing the filesystem where the file resides. | keyword | +| log.file.fingerprint | The sha256 fingerprint identity of the file when fingerprinting is enabled. | keyword | +| log.file.idxhi | The high-order part of a unique identifier that is associated with a file. (Windows-only) | keyword | +| log.file.idxlo | The low-order part of a unique identifier that is associated with a file. (Windows-only) | keyword | +| log.file.inode | Inode number of the log file. | keyword | +| log.file.vol | The serial number of the volume that contains a file. (Windows-only) | keyword | +| log.offset | Log offset. | long | +| log.source.address | Source address from which the log event was read / sent from. | keyword | +| ping_federate.admin.component | The PingFederate system component processing the request (e.g., SSO, OAuth). | keyword | +| ping_federate.admin.event.detail_id | A unique identifier for specific event details or associated sub-transactions. 
| keyword | +| ping_federate.admin.event.type | Describes the type of event (e.g., authentication attempt, token issuance). | keyword | +| ping_federate.admin.ip | The IP address of the client initiating the request. | ip | +| ping_federate.admin.message | The main message or details of the log entry. | keyword | +| ping_federate.admin.roles | Lists the roles or permissions associated with the user. | keyword | +| ping_federate.admin.timestamp | | date | +| ping_federate.admin.user | Represents the username or user identifier involved in the transaction. | keyword | +| tags | User defined tags. | keyword | + + +### Audit + +This is the `Audit` dataset. + +#### Example + +An example event for `audit` looks as following: + +```json +{ + "@timestamp": "2012-05-19T00:41:48.452+13:00", + "agent": { + "ephemeral_id": "f21cd0a8-ed07-4f2a-a1b7-c3a61d93dc64", + "id": "7cd150d8-eab1-4974-b83f-990dbb737cb8", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.14.0" + }, + "data_stream": { + "dataset": "ping_federate.audit", + "namespace": "99086", + "type": "logs" + }, + "ecs": { + "version": "8.16.0" + }, + "elastic_agent": { + "id": "7cd150d8-eab1-4974-b83f-990dbb737cb8", + "snapshot": false, + "version": "8.14.0" + }, + "event": { + "action": "authn_session_deleted", + "agent_id_status": "verified", + "category": [ + "session" + ], + "code": "AUTHN_SESSION_DELETED", + "dataset": "ping_federate.audit", + "ingested": "2024-12-19T12:23:19Z", + "kind": "event", + "original": "CEF:0|Ping Identity|PingFederate|6.4|AUTHN_SESSION_DELETED|AUTHN_SESSION_DELETED|0|rt=May 18 2012 11:41:48.452 duid=joe src=192.168.6.130 msg=failure cs1Label=Target Application URL cs1=http://www.google.ca&landingpage\\=pageA cs2Label=Connection ID cs2=sp:cloud:saml2 cs3Label=Protocol cs3=SAML20 dvchost=hello cs4Label=Role cs4=IdP externalId=tid:ae14b5ce8 cs5Label=SP Local User ID cs5=idlocal cs6Label=Attributes cs6={SAML_SUBJECT\\=joe, ognl\\=tom}", + "outcome": "failure", + 
"severity": 0, + "timezone": "+13:00", + "type": [ + "end" + ] + }, + "input": { + "type": "udp" + }, + "log": { + "source": { + "address": "192.168.246.7:58730" + } + }, + "observer": { + "hostname": "hello", + "product": "PingFederate", + "vendor": "Ping Identity", + "version": "6.4" + }, + "ping_federate": { + "audit": { + "app": "http://www.google.ca&landingpage=pageA", + "attributes": "{SAML_SUBJECT=joe, ognl=tom}", + "connection_id": "sp:cloud:saml2", + "event": "AUTHN_SESSION_DELETED", + "host": { + "name": "hello" + }, + "ip": "192.168.6.130", + "local_user_id": "idlocal", + "protocol": "SAML20", + "response_time": "2012-05-19T00:41:48.452+13:00", + "role": "IdP", + "severity": 0, + "status": "failure", + "subject": "joe", + "tracking_id": "tid:ae14b5ce8" + } + }, + "related": { + "hosts": [ + "hello" + ], + "ip": [ + "192.168.6.130" + ], + "user": [ + "idlocal", + "joe" + ] + }, + "source": { + "ip": "192.168.6.130" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "ping_federate-audit" + ], + "url": { + "full": "http://www.google.ca&landingpage=pageA", + "original": "http://www.google.ca&landingpage=pageA", + "scheme": "http" + }, + "user": { + "name": "joe", + "roles": [ + "IdP" + ] + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| event.dataset | Event dataset. | constant_keyword | +| event.module | Event module. | constant_keyword | +| input.type | Type of filebeat input. | keyword | +| log.file.device_id | ID of the device containing the filesystem where the file resides. | keyword | +| log.file.fingerprint | The sha256 fingerprint identity of the file when fingerprinting is enabled. 
| keyword | +| log.file.idxhi | The high-order part of a unique identifier that is associated with a file. (Windows-only) | keyword | +| log.file.idxlo | The low-order part of a unique identifier that is associated with a file. (Windows-only) | keyword | +| log.file.inode | Inode number of the log file. | keyword | +| log.file.vol | The serial number of the volume that contains a file. (Windows-only) | keyword | +| log.offset | Log offset. | long | +| log.source.address | Source address from which the log event was read / sent from. | keyword | +| ping_federate.audit.app | Target application URL. | keyword | +| ping_federate.audit.attributes | A list of all attributes. | keyword | +| ping_federate.audit.connection_id | Partner ID. | keyword | +| ping_federate.audit.event | Event. | keyword | +| ping_federate.audit.host.ip | Device host IP. | ip | +| ping_federate.audit.host.name | Device hostname. | keyword | +| ping_federate.audit.ip | Client source IP. | ip | +| ping_federate.audit.local_user_id | SP local user ID (available only when account linking is used). | keyword | +| ping_federate.audit.protocol | Protocol (e.g. SAML20). | keyword | +| ping_federate.audit.response_time | | date | +| ping_federate.audit.role | Role (IdP, SP). | keyword | +| ping_federate.audit.severity | | long | +| ping_federate.audit.status | The status of the SSO request (success, failure, authn_attempt). | keyword | +| ping_federate.audit.subject | User name. | keyword | +| ping_federate.audit.tracking_id | Tracking ID which is unique for a user session. It is used for debugging purposes in the server log. | keyword | +| tags | User defined tags. | keyword | diff --git a/packages/ping_federate/img/ping_federate-admin-dashboard.png b/packages/ping_federate/img/ping_federate-admin-dashboard.png new file mode 100644 index 00000000000..94bffc016fa Binary files /dev/null and b/packages/ping_federate/img/ping_federate-admin-dashboard.png differ 
diff --git a/packages/ping_federate/img/ping_federate-audit-dashboard.png b/packages/ping_federate/img/ping_federate-audit-dashboard.png new file mode 100644 index 00000000000..d278e81f2a8 Binary files /dev/null and b/packages/ping_federate/img/ping_federate-audit-dashboard.png differ diff --git a/packages/ping_federate/img/ping_federate-logo.svg b/packages/ping_federate/img/ping_federate-logo.svg new file mode 100644 index 00000000000..3cf3e86df60 --- /dev/null +++ b/packages/ping_federate/img/ping_federate-logo.svg @@ -0,0 +1,33 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/packages/ping_federate/kibana/dashboard/ping_federate-4e1a3b90-8da8-4d5d-89e7-5c49fb4a3541.json b/packages/ping_federate/kibana/dashboard/ping_federate-4e1a3b90-8da8-4d5d-89e7-5c49fb4a3541.json new file mode 100644 index 00000000000..b46fa40ba99 --- /dev/null +++ b/packages/ping_federate/kibana/dashboard/ping_federate-4e1a3b90-8da8-4d5d-89e7-5c49fb4a3541.json 
@@ -0,0 +1,939 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": { + "ignoreFilters": false, + "ignoreQuery": false, + "ignoreTimerange": false, + "ignoreValidations": false + }, + "panelsJSON": { + "6b464533-9f62-498d-819a-013676836e68": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "event.action", + "id": "6b464533-9f62-498d-819a-013676836e68", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Event" + }, + "grow": true, + "order": 1, + "type": "optionsListControl", + "width": "medium" + }, + "893eda0a-f046-44f0-9e45-240ccb0ba654": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "ping_federate.admin.component", + "id": "893eda0a-f046-44f0-9e45-240ccb0ba654", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + }, + "title": "Component" + }, + "grow": true, + "order": 0, + "type": "optionsListControl", + "width": "medium" + } + }, + "showApplySelections": false + }, + "description": "This dashboard shows Admin events collected by the PingFederate integration.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "ping_federate.admin" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "ping_federate.admin" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + 
"enhancements": { + "dynamicActions": { + "events": [] + } + }, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "**Navigation**\n\n[**PingFederate**](/app/integrations/detail/ping_federate/overview)\n\n- [Audit](#/dashboard/ping_federate-c975ed3a-3c11-4352-830e-84f1efaf9e92)\n- **Admin**\n\n**Overview**\n\nThe admin dashboard includes metrics such as the Top 10 Users by Roles, total number of users, and admin events over time. It also shows the distribution of components, the Top 10 countries, and events categorized by type.", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 15, + "i": "06b771ed-d575-42c3-824c-91471f1a6714", + "w": 11, + "x": 0, + "y": 0 + }, + "panelIndex": "06b771ed-d575-42c3-824c-91471f1a6714", + "title": "Table of Content", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-edd3babe-f6ee-4818-98ec-97b53d3b9e56", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "edd3babe-f6ee-4818-98ec-97b53d3b9e56": { + "columnOrder": [ + "ca661567-e7d7-4cbd-8d0b-1c8618a3a679" + ], + "columns": { + "ca661567-e7d7-4cbd-8d0b-1c8618a3a679": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Users", + "operationType": "unique_count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "user.name" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": 
[], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "edd3babe-f6ee-4818-98ec-97b53d3b9e56", + "layerType": "data", + "metricAccessor": "ca661567-e7d7-4cbd-8d0b-1c8618a3a679" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 15, + "i": "f74847a9-a198-46c7-84d7-1f29c2948a30", + "w": 9, + "x": 11, + "y": 0 + }, + "panelIndex": "f74847a9-a198-46c7-84d7-1f29c2948a30", + "title": "", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-68d647f5-1c6a-428c-a015-256c2813c9a5", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "68d647f5-1c6a-428c-a015-256c2813c9a5": { + "columnOrder": [ + "ba855d19-7853-416f-bce6-5d3cb0e899e8", + "c2d66e8e-aa98-439f-a025-725c983b59b5" + ], + "columns": { + "ba855d19-7853-416f-bce6-5d3cb0e899e8": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "c2d66e8e-aa98-439f-a025-725c983b59b5": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + 
"c2d66e8e-aa98-439f-a025-725c983b59b5" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "68d647f5-1c6a-428c-a015-256c2813c9a5", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "ba855d19-7853-416f-bce6-5d3cb0e899e8" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false + }, + "preferredSeriesType": "line", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "ff596a3d-1bfc-4f75-805f-3aeaf7e46f4f", + "w": 14, + "x": 20, + "y": 0 + }, + "panelIndex": "ff596a3d-1bfc-4f75-805f-3aeaf7e46f4f", + "title": "Admin Events over Time [Logs PingFederate]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-b3caba54-ab0b-427a-a18d-ef328dc245e2", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "b3caba54-ab0b-427a-a18d-ef328dc245e2": { + "columnOrder": [ + "a38589fc-c33f-4255-84d2-ceb1abbac012", + "ee22074a-1832-4b79-95fe-b63cb9dcf171", + "dabfd8fc-9675-4052-b353-7f3aa4a86932" + ], + "columns": { + "a38589fc-c33f-4255-84d2-ceb1abbac012": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Username", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "dabfd8fc-9675-4052-b353-7f3aa4a86932", + "type": "column" + }, + "orderDirection": "desc", + 
"otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "user.name" + }, + "dabfd8fc-9675-4052-b353-7f3aa4a86932": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "ee22074a-1832-4b79-95fe-b63cb9dcf171": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Roles", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "dabfd8fc-9675-4052-b353-7f3aa4a86932", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "user.roles" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "dabfd8fc-9675-4052-b353-7f3aa4a86932", + "isMetric": true, + "isTransposed": false + }, + { + "columnId": "a38589fc-c33f-4255-84d2-ceb1abbac012", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "ee22074a-1832-4b79-95fe-b63cb9dcf171", + "isMetric": false, + "isTransposed": false + } + ], + "layerId": "b3caba54-ab0b-427a-a18d-ef328dc245e2", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "1dfbdfa3-266c-47b0-a2c0-7639c89fb7fe", + "w": 14, + "x": 34, + "y": 0 + }, + "panelIndex": "1dfbdfa3-266c-47b0-a2c0-7639c89fb7fe", + "title": "Top 10 Users by 
Roles [Logs PingFederate]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-b6c6ef26-0de3-46f3-9661-387d5be425d1", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "b6c6ef26-0de3-46f3-9661-387d5be425d1": { + "columnOrder": [ + "e2ecd8b5-89ea-4539-9d19-7e73269fc9c8", + "a6bef3a4-6c9f-4cb9-9ca1-88de0cd503b5" + ], + "columns": { + "a6bef3a4-6c9f-4cb9-9ca1-88de0cd503b5": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "e2ecd8b5-89ea-4539-9d19-7e73269fc9c8": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Components", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "a6bef3a4-6c9f-4cb9-9ca1-88de0cd503b5", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "ping_federate.admin.component" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "a6bef3a4-6c9f-4cb9-9ca1-88de0cd503b5" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + 
"type": "other" + }, + "touched": false + } + ] + }, + "layerId": "b6c6ef26-0de3-46f3-9661-387d5be425d1", + "layerType": "data", + "position": "top", + "seriesType": "bar", + "showGridlines": false, + "xAccessor": "e2ecd8b5-89ea-4539-9d19-7e73269fc9c8" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false + }, + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "c44e9016-c293-4537-b796-dbb1e2d66715", + "w": 24, + "x": 0, + "y": 15 + }, + "panelIndex": "c44e9016-c293-4537-b796-dbb1e2d66715", + "title": "Distribution of Components [Logs PingFederate]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-ead4d8d1-33e4-4a06-b7df-1cf85295eb76", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "ead4d8d1-33e4-4a06-b7df-1cf85295eb76": { + "columnOrder": [ + "5b9c3e26-f64f-449a-bdc9-0448df9b8061", + "c107119c-ccc0-423e-82b1-e79000a94a34" + ], + "columns": { + "5b9c3e26-f64f-449a-bdc9-0448df9b8061": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Event Types", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "c107119c-ccc0-423e-82b1-e79000a94a34", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "event.action" + }, + "c107119c-ccc0-423e-82b1-e79000a94a34": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + 
"operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "c107119c-ccc0-423e-82b1-e79000a94a34" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "ead4d8d1-33e4-4a06-b7df-1cf85295eb76", + "layerType": "data", + "position": "top", + "seriesType": "bar", + "showGridlines": false, + "xAccessor": "5b9c3e26-f64f-449a-bdc9-0448df9b8061" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false + }, + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "2b14af11-c357-48c8-85a0-5b576867383e", + "w": 24, + "x": 24, + "y": 15 + }, + "panelIndex": "2b14af11-c357-48c8-85a0-5b576867383e", + "title": "Event by Types [Logs PingFederate]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-4bc383b2-d344-4359-96a8-a68514880bad", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "4bc383b2-d344-4359-96a8-a68514880bad": { + "columnOrder": [ + "a6e29696-2109-47dc-932f-d8fc5b8c129f", + "e8275496-7efe-4c49-934d-4e772bb8179d" + ], + "columns": { + 
"a6e29696-2109-47dc-932f-d8fc5b8c129f": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Country ISO Code", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "e8275496-7efe-4c49-934d-4e772bb8179d", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "source.geo.country_iso_code" + }, + "e8275496-7efe-4c49-934d-4e772bb8179d": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layerId": "4bc383b2-d344-4359-96a8-a68514880bad", + "layerType": "data", + "regionAccessor": "a6e29696-2109-47dc-932f-d8fc5b8c129f", + "valueAccessor": "e8275496-7efe-4c49-934d-4e772bb8179d" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsChoropleth" + }, + "enhancements": {} + }, + "gridData": { + "h": 27, + "i": "0420a621-acc7-4c52-b37c-50a21abc66e0", + "w": 48, + "x": 0, + "y": 30 + }, + "panelIndex": "0420a621-acc7-4c52-b37c-50a21abc66e0", + "title": "Top 10 Countries [Logs PingFederate]", + "type": "lens" + } + ], + "timeRestore": false, + "title": "[Logs PingFederate] Admin", + "version": 2 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-12-13T09:00:27.421Z", + "id": "ping_federate-4e1a3b90-8da8-4d5d-89e7-5c49fb4a3541", + "managed": false, + "references": [ + { + "id": "logs-*", + "name": 
"kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "f74847a9-a198-46c7-84d7-1f29c2948a30:indexpattern-datasource-layer-edd3babe-f6ee-4818-98ec-97b53d3b9e56", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ff596a3d-1bfc-4f75-805f-3aeaf7e46f4f:indexpattern-datasource-layer-68d647f5-1c6a-428c-a015-256c2813c9a5", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "1dfbdfa3-266c-47b0-a2c0-7639c89fb7fe:indexpattern-datasource-layer-b3caba54-ab0b-427a-a18d-ef328dc245e2", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c44e9016-c293-4537-b796-dbb1e2d66715:indexpattern-datasource-layer-b6c6ef26-0de3-46f3-9661-387d5be425d1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "2b14af11-c357-48c8-85a0-5b576867383e:indexpattern-datasource-layer-ead4d8d1-33e4-4a06-b7df-1cf85295eb76", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0420a621-acc7-4c52-b37c-50a21abc66e0:indexpattern-datasource-layer-4bc383b2-d344-4359-96a8-a68514880bad", + "type": "index-pattern" + }, + { + "id": "ping_federate-security-solution-default", + "name": "tag-ref-ping_federate-security-solution-default", + "type": "tag" + }, + { + "id": "ping_federate-security-solution-default", + "name": "tag-ref-security-solution-default", + "type": "tag" + }, + { + "id": "logs-*", + "name": "controlGroup_893eda0a-f046-44f0-9e45-240ccb0ba654:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_6b464533-9f62-498d-819a-013676836e68:optionsListDataView", + "type": "index-pattern" + } + ], + "type": "dashboard", + "typeMigrationVersion": "10.2.0", + "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0" +} \ No newline at end of file 
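Review bot: the dashboard-level `references` array at the end of this hunk carries the same tag twice, once as `"name": "tag-ref-ping_federate-security-solution-default"` and once as `"name": "tag-ref-security-solution-default"`, both with `"id": "ping_federate-security-solution-default"`; one of the two is a leftover and should be dropped so the saved object does not declare a duplicate reference to a single tag. Two smaller consistency points in the same hunk: the "Top 10 Countries" choropleth layer (`4bc383b2-...`) is the only formBased layer in this file without `currentIndexPatternId` / `indexPatternId`, while every sibling layer sets both to `logs-*`, and several Lens XY panels still carry the editor default `"title": "Empty XY chart"` in their visualization state. Panel titles should also be tidied before merge: "Table of Content" reads better as "Table of Contents" and "Event by Types [Logs PingFederate]" as "Events by Type [Logs PingFederate]". Finally, the file ends with "\ No newline at end of file"; please add the trailing newline so the JSON matches the other dashboard files in the repository.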
diff --git a/packages/ping_federate/kibana/dashboard/ping_federate-c975ed3a-3c11-4352-830e-84f1efaf9e92.json b/packages/ping_federate/kibana/dashboard/ping_federate-c975ed3a-3c11-4352-830e-84f1efaf9e92.json new file mode 100644 index 00000000000..206fd6c8c96 --- /dev/null +++ b/packages/ping_federate/kibana/dashboard/ping_federate-c975ed3a-3c11-4352-830e-84f1efaf9e92.json 
@@ -0,0 +1,1410 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": { + "ignoreFilters": false, + "ignoreQuery": false, + "ignoreTimerange": false, + "ignoreValidations": false + }, + "panelsJSON": { + "b95b9a3e-7368-49e5-b004-31bb32524eeb": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "event.action", + "id": "b95b9a3e-7368-49e5-b004-31bb32524eeb", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + } + }, + "grow": true, + "order": 0, + "type": "optionsListControl", + "width": "medium" + }, + "ffdfc282-f4bc-408e-929d-63e3fe2f5f9c": { + "explicitInput": { + "dataViewId": "logs-*", + "fieldName": "event.outcome", + "id": "ffdfc282-f4bc-408e-929d-63e3fe2f5f9c", + "searchTechnique": "prefix", + "selectedOptions": [], + "sort": { + "by": "_count", + "direction": "desc" + } + }, + "grow": true, + "order": 1, + "type": "optionsListControl", + "width": "medium" + } + }, + "showApplySelections": false + }, + "description": "This dashboard shows Audit events collected by the PingFederate integration.", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "ping_federate.audit" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "ping_federate.audit" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "syncCursor": true, + "syncTooltips": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + 
"savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 12, + "markdown": "**Navigation**\n\n[**PingFederate**](/app/integrations/detail/ping_federate/overview)\n\n- **Audit**\n- [Admin](#/dashboard/ping_federate-4e1a3b90-8da8-4d5d-89e7-5c49fb4a3541)\n\n**Overview**\n\nThe audit dashboard features various metrics, including the Top 10 Users by Roles, Top 10 Hosts, Top 10 Sources, and traffic categorized by event type. It also displays events over time, the Top 10 IPs with failed login attempts, and the Top 10 Clients. Additionally, it provides an overview of the total number of users, total audit events, and a comparison of SSO success versus failures.", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 17, + "i": "2927cc88-ae06-42f2-bd7f-cb4fe9950d87", + "w": 11, + "x": 0, + "y": 0 + }, + "panelIndex": "2927cc88-ae06-42f2-bd7f-cb4fe9950d87", + "title": "Table of Content", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-6ab233f1-4293-4e30-ba19-2b008e387eaa", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "6ab233f1-4293-4e30-ba19-2b008e387eaa": { + "columnOrder": [ + "050847e0-3dbb-43ae-99c5-4c6d87b22e0c" + ], + "columns": { + "050847e0-3dbb-43ae-99c5-4c6d87b22e0c": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Audit Events", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + 
"filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "6ab233f1-4293-4e30-ba19-2b008e387eaa", + "layerType": "data", + "metricAccessor": "050847e0-3dbb-43ae-99c5-4c6d87b22e0c" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 17, + "i": "1bbd625a-e630-4182-912e-ae20606d9754", + "w": 10, + "x": 11, + "y": 0 + }, + "panelIndex": "1bbd625a-e630-4182-912e-ae20606d9754", + "title": "", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-6ab233f1-4293-4e30-ba19-2b008e387eaa", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "6ab233f1-4293-4e30-ba19-2b008e387eaa": { + "columnOrder": [ + "050847e0-3dbb-43ae-99c5-4c6d87b22e0c" + ], + "columns": { + "050847e0-3dbb-43ae-99c5-4c6d87b22e0c": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Total Users", + "operationType": "unique_count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "user.name" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "layerId": "6ab233f1-4293-4e30-ba19-2b008e387eaa", + "layerType": "data", + "metricAccessor": "050847e0-3dbb-43ae-99c5-4c6d87b22e0c" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": true + }, + "gridData": { + "h": 17, + "i": 
"e605625c-2831-4581-95ba-7caf892349d2", + "w": 10, + "x": 21, + "y": 0 + }, + "panelIndex": "e605625c-2831-4581-95ba-7caf892349d2", + "title": "", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-056f96e8-4b0a-4b22-8981-d2814182b5a8", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "056f96e8-4b0a-4b22-8981-d2814182b5a8": { + "columnOrder": [ + "3462e324-5e34-4007-8ca0-54deb1e584bc", + "9bc03e4b-443c-4d48-a47a-9dde47c2932b" + ], + "columns": { + "3462e324-5e34-4007-8ca0-54deb1e584bc": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Status", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "9bc03e4b-443c-4d48-a47a-9dde47c2932b", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "event.outcome" + }, + "9bc03e4b-443c-4d48-a47a-9dde47c2932b": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + 
"specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "056f96e8-4b0a-4b22-8981-d2814182b5a8", + "layerType": "data", + "legendDisplay": "show", + "metrics": [ + "9bc03e4b-443c-4d48-a47a-9dde47c2932b" + ], + "nestedLegend": false, + "numberDisplay": "percent", + "primaryGroups": [ + "3462e324-5e34-4007-8ca0-54deb1e584bc" + ], + "truncateLegend": false + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {} + }, + "gridData": { + "h": 17, + "i": "6e3e0495-26b8-4b41-940f-8022d0033a61", + "w": 17, + "x": 31, + "y": 0 + }, + "panelIndex": "6e3e0495-26b8-4b41-940f-8022d0033a61", + "title": "SSO Success vs Failures [Logs PingFederate]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-91439072-e095-462a-a7eb-21c91c25ce1b", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "91439072-e095-462a-a7eb-21c91c25ce1b": { + "columnOrder": [ + "a1099943-f1c7-43eb-9f06-1556f49bce48", + "16fd231d-4fff-4c6c-9c28-b5a140132bdd", + "d836947e-6c73-4ab3-a5ed-2c3ae84c798d" + ], + "columns": { + "16fd231d-4fff-4c6c-9c28-b5a140132bdd": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Roles", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "d836947e-6c73-4ab3-a5ed-2c3ae84c798d", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "user.roles" + }, + "a1099943-f1c7-43eb-9f06-1556f49bce48": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": 
"Username", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "d836947e-6c73-4ab3-a5ed-2c3ae84c798d", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "user.name" + }, + "d836947e-6c73-4ab3-a5ed-2c3ae84c798d": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "d836947e-6c73-4ab3-a5ed-2c3ae84c798d", + "isMetric": true, + "isTransposed": false + }, + { + "columnId": "a1099943-f1c7-43eb-9f06-1556f49bce48", + "isMetric": false, + "isTransposed": false + }, + { + "columnId": "16fd231d-4fff-4c6c-9c28-b5a140132bdd", + "isMetric": false, + "isTransposed": false + } + ], + "layerId": "91439072-e095-462a-a7eb-21c91c25ce1b", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "baf3f8a0-7414-42a6-bf24-c814f11f52e2", + "w": 16, + "x": 0, + "y": 17 + }, + "panelIndex": "baf3f8a0-7414-42a6-bf24-c814f11f52e2", + "title": "Top 10 Users by Roles [Logs PingFederate]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-20a4313a-a2ce-4ec8-958e-25d2b866f18d", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + 
"datasourceStates": { + "formBased": { + "layers": { + "20a4313a-a2ce-4ec8-958e-25d2b866f18d": { + "columnOrder": [ + "85789966-fca2-4ad1-9a74-dc7bd3e98bd0", + "c794939d-47c6-4751-aa78-c09fd759706a" + ], + "columns": { + "85789966-fca2-4ad1-9a74-dc7bd3e98bd0": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Hosts", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "c794939d-47c6-4751-aa78-c09fd759706a", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "observer.hostname" + }, + "c794939d-47c6-4751-aa78-c09fd759706a": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "c794939d-47c6-4751-aa78-c09fd759706a", + "isMetric": true, + "isTransposed": false + }, + { + "columnId": "85789966-fca2-4ad1-9a74-dc7bd3e98bd0", + "isMetric": false, + "isTransposed": false + } + ], + "layerId": "20a4313a-a2ce-4ec8-958e-25d2b866f18d", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "abd520a6-3cef-460f-8332-94c99e234692", + "w": 15, + "x": 16, + "y": 17 + }, + "panelIndex": "abd520a6-3cef-460f-8332-94c99e234692", + "title": "Top 10 Hosts [Logs PingFederate]", + "type": "lens" + }, + { + 
"embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-b72dbeb2-fdf4-409f-9c20-32978a6c88a1", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "b72dbeb2-fdf4-409f-9c20-32978a6c88a1": { + "columnOrder": [ + "d263a394-2bc8-4628-8071-84018c756894", + "e65a46ce-7c16-46a2-95bf-61fc2239515b" + ], + "columns": { + "d263a394-2bc8-4628-8071-84018c756894": { + "dataType": "date", + "isBucketed": true, + "label": "@timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "e65a46ce-7c16-46a2-95bf-61fc2239515b": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "e65a46ce-7c16-46a2-95bf-61fc2239515b" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "b72dbeb2-fdf4-409f-9c20-32978a6c88a1", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "d263a394-2bc8-4628-8071-84018c756894" + } + ], + "legend": { + "isVisible": true, + "position": "right", + 
"shouldTruncate": false, + "showSingleSeries": false + }, + "preferredSeriesType": "line", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "a3c3b46d-a232-4846-8121-8e51bd3fe146", + "w": 17, + "x": 31, + "y": 17 + }, + "panelIndex": "a3c3b46d-a232-4846-8121-8e51bd3fe146", + "title": "Events over Time [Logs PingFederate]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-48680c83-258f-4894-8764-36108ee6fab2", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "48680c83-258f-4894-8764-36108ee6fab2": { + "columnOrder": [ + "242b9e66-33bf-4763-9197-7a7ddd97dcce", + "27ab87de-119f-4bd2-a81e-5f81171ff9bd" + ], + "columns": { + "242b9e66-33bf-4763-9197-7a7ddd97dcce": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Source IPs", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "27ab87de-119f-4bd2-a81e-5f81171ff9bd", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "source.ip" + }, + "27ab87de-119f-4bd2-a81e-5f81171ff9bd": { + "customLabel": true, + "dataType": "number", + "filter": { + "language": "kuery", + "query": "event.outcome : \"failure\" " + }, + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + 
}, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "27ab87de-119f-4bd2-a81e-5f81171ff9bd" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "48680c83-258f-4894-8764-36108ee6fab2", + "layerType": "data", + "position": "top", + "seriesType": "bar", + "showGridlines": false, + "xAccessor": "242b9e66-33bf-4763-9197-7a7ddd97dcce" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false + }, + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {} + }, + "gridData": { + "h": 14, + "i": "92fa2483-8165-412c-ad99-563f9ca2965d", + "w": 24, + "x": 0, + "y": 32 + }, + "panelIndex": "92fa2483-8165-412c-ad99-563f9ca2965d", + "title": "Top 10 IP with Failed Login Attempts [Logs PingFederate]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-0fe44019-a79f-4b6f-bc0e-9783d980a73c", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "0fe44019-a79f-4b6f-bc0e-9783d980a73c": { + "columnOrder": [ + "1c910343-875d-4d28-accd-b6f4fdcc9801", + "02902ea8-4da6-4c20-b438-06753e495332" + ], + "columns": { + "02902ea8-4da6-4c20-b438-06753e495332": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + 
}, + "scale": "ratio", + "sourceField": "___records___" + }, + "1c910343-875d-4d28-accd-b6f4fdcc9801": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Event Types", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "02902ea8-4da6-4c20-b438-06753e495332", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "event.action" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "02902ea8-4da6-4c20-b438-06753e495332" + ], + "colorMapping": { + "assignments": [], + "colorMode": { + "type": "categorical" + }, + "paletteId": "eui_amsterdam_color_blind", + "specialAssignments": [ + { + "color": { + "type": "loop" + }, + "rule": { + "type": "other" + }, + "touched": false + } + ] + }, + "layerId": "0fe44019-a79f-4b6f-bc0e-9783d980a73c", + "layerType": "data", + "position": "top", + "seriesType": "bar", + "showGridlines": false, + "xAccessor": "1c910343-875d-4d28-accd-b6f4fdcc9801" + } + ], + "legend": { + "isVisible": true, + "position": "right", + "shouldTruncate": false + }, + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {} + }, + "gridData": { + "h": 14, + "i": "c307f9db-fef9-427f-847d-84a2c435c647", + "w": 24, + "x": 24, + "y": 32 + }, + "panelIndex": "c307f9db-fef9-427f-847d-84a2c435c647", + "title": "Traffic by Event Type [Logs 
PingFederate]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-9cf803dd-cf0a-40cb-808d-91526ee9e2ae", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "9cf803dd-cf0a-40cb-808d-91526ee9e2ae": { + "columnOrder": [ + "57bf7472-dbd7-4fac-b4ba-c6663fe71bae", + "c6413dec-2a03-44f5-ba52-86f9bc167c31" + ], + "columns": { + "57bf7472-dbd7-4fac-b4ba-c6663fe71bae": { + "customLabel": true, + "dataType": "ip", + "isBucketed": true, + "label": "Sources", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "c6413dec-2a03-44f5-ba52-86f9bc167c31", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "source.ip" + }, + "c6413dec-2a03-44f5-ba52-86f9bc167c31": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "c6413dec-2a03-44f5-ba52-86f9bc167c31", + "isMetric": true, + "isTransposed": false + }, + { + "columnId": "57bf7472-dbd7-4fac-b4ba-c6663fe71bae", + "isMetric": false, + "isTransposed": false + } + ], + "layerId": "9cf803dd-cf0a-40cb-808d-91526ee9e2ae", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + 
"enhancements": {} + }, + "gridData": { + "h": 15, + "i": "d6a9b89f-a380-403b-9c38-8a46a608aa24", + "w": 24, + "x": 0, + "y": 46 + }, + "panelIndex": "d6a9b89f-a380-403b-9c38-8a46a608aa24", + "title": "Top 10 Sources [Logs PingFederate]", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-53444e4d-3bee-43b1-99fb-4bf12b982edb", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "53444e4d-3bee-43b1-99fb-4bf12b982edb": { + "columnOrder": [ + "c9980e63-a26c-4f64-8be6-bae2486c2ede", + "6abdc620-fb3d-44fc-a405-3209e41853da" + ], + "columns": { + "6abdc620-fb3d-44fc-a405-3209e41853da": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "c9980e63-a26c-4f64-8be6-bae2486c2ede": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Connection ID", + "operationType": "terms", + "params": { + "exclude": [], + "excludeIsRegex": false, + "include": [], + "includeIsRegex": false, + "missingBucket": false, + "orderBy": { + "columnId": "6abdc620-fb3d-44fc-a405-3209e41853da", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "ping_federate.audit.connection_id" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "columns": [ + { + "columnId": "6abdc620-fb3d-44fc-a405-3209e41853da", + "isMetric": true, + "isTransposed": false + }, + { + "columnId": 
"c9980e63-a26c-4f64-8be6-bae2486c2ede", + "isMetric": false, + "isTransposed": false + } + ], + "layerId": "53444e4d-3bee-43b1-99fb-4bf12b982edb", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {} + }, + "gridData": { + "h": 15, + "i": "00afe63c-b197-4b6a-97d9-300df9596801", + "w": 24, + "x": 24, + "y": 46 + }, + "panelIndex": "00afe63c-b197-4b6a-97d9-300df9596801", + "title": "Top 10 Clients [Logs PingFederate]", + "type": "lens" + } + ], + "timeRestore": false, + "title": "[Logs PingFederate] Audit", + "version": 2 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-12-13T09:00:27.993Z", + "id": "ping_federate-c975ed3a-3c11-4352-830e-84f1efaf9e92", + "managed": false, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "1bbd625a-e630-4182-912e-ae20606d9754:indexpattern-datasource-layer-6ab233f1-4293-4e30-ba19-2b008e387eaa", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e605625c-2831-4581-95ba-7caf892349d2:indexpattern-datasource-layer-6ab233f1-4293-4e30-ba19-2b008e387eaa", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6e3e0495-26b8-4b41-940f-8022d0033a61:indexpattern-datasource-layer-056f96e8-4b0a-4b22-8981-d2814182b5a8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "baf3f8a0-7414-42a6-bf24-c814f11f52e2:indexpattern-datasource-layer-91439072-e095-462a-a7eb-21c91c25ce1b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "abd520a6-3cef-460f-8332-94c99e234692:indexpattern-datasource-layer-20a4313a-a2ce-4ec8-958e-25d2b866f18d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "a3c3b46d-a232-4846-8121-8e51bd3fe146:indexpattern-datasource-layer-b72dbeb2-fdf4-409f-9c20-32978a6c88a1", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"92fa2483-8165-412c-ad99-563f9ca2965d:indexpattern-datasource-layer-48680c83-258f-4894-8764-36108ee6fab2", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c307f9db-fef9-427f-847d-84a2c435c647:indexpattern-datasource-layer-0fe44019-a79f-4b6f-bc0e-9783d980a73c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "d6a9b89f-a380-403b-9c38-8a46a608aa24:indexpattern-datasource-layer-9cf803dd-cf0a-40cb-808d-91526ee9e2ae", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "00afe63c-b197-4b6a-97d9-300df9596801:indexpattern-datasource-layer-53444e4d-3bee-43b1-99fb-4bf12b982edb", + "type": "index-pattern" + }, + { + "id": "ping_federate-security-solution-default", + "name": "tag-ref-ping_federate-security-solution-default", + "type": "tag" + }, + { + "id": "ping_federate-security-solution-default", + "name": "tag-ref-security-solution-default", + "type": "tag" + }, + { + "id": "logs-*", + "name": "controlGroup_b95b9a3e-7368-49e5-b004-31bb32524eeb:optionsListDataView", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "controlGroup_ffdfc282-f4bc-408e-929d-63e3fe2f5f9c:optionsListDataView", + "type": "index-pattern" + } + ], + "type": "dashboard", + "typeMigrationVersion": "10.2.0", + "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0" +} \ No newline at end of file diff --git a/packages/ping_federate/kibana/tag/ping_federate-security-solution-default.json b/packages/ping_federate/kibana/tag/ping_federate-security-solution-default.json new file mode 100644 index 00000000000..b59a400db85 --- /dev/null +++ b/packages/ping_federate/kibana/tag/ping_federate-security-solution-default.json 
@@ -0,0 +1,14 @@ +{ + "attributes": { + "color": "#AAA8A5", + "description": "Tag defined in package-spec", + "name": "Security Solution" + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2024-12-12T06:53:40.865Z", + "id": "ping_federate-security-solution-default", + "managed": true, + "references": [], + "type": "tag", + "typeMigrationVersion": "8.0.0" +} \ No newline at end of file diff --git a/packages/ping_federate/kibana/tags.yml b/packages/ping_federate/kibana/tags.yml new file mode 100644 index 00000000000..47f20a8f551 --- /dev/null +++ b/packages/ping_federate/kibana/tags.yml @@ -0,0 +1,4 @@ +- text: Security Solution + asset_types: + - dashboard + - search diff --git a/packages/ping_federate/manifest.yml b/packages/ping_federate/manifest.yml new file mode 100644 index 00000000000..36f5110ffb0 --- /dev/null +++ b/packages/ping_federate/manifest.yml 
@@ -0,0 +1,45 @@ +format_version: 3.2.1 +name: ping_federate +title: PingFederate +version: 0.1.0 +description: Collect logs from PingFederate with Elastic Agent. +type: integration +categories: + - security + - authentication +conditions: + kibana: + version: ^8.16.0 + elastic: + subscription: basic +screenshots: + - src: /img/ping_federate-admin-dashboard.png + title: Admin Dashboard + size: 600x600 + type: image/png + - src: /img/ping_federate-audit-dashboard.png + title: Audit Dashboard + size: 600x600 + type: image/png +icons: + - src: /img/ping_federate-logo.svg + title: PingFederate logo + size: 32x32 + type: image/svg+xml +policy_templates: + - name: ping_federate + title: PingFederate logs + description: Collect PingFederate logs from syslog or a file. + inputs: + - type: tcp + title: Collect PingFederate logs via TCP + description: Collecting logs from PingFederate via TCP. + - type: udp + title: Collect PingFederate logs via UDP + description: Collecting logs from PingFederate via UDP. + - type: filestream + title: Collect PingFederate logs via Filestream + description: Collecting logs from PingFederate via File. +owner: + github: elastic/security-service-integrations + type: elastic diff --git a/packages/ping_federate/validation.yml b/packages/ping_federate/validation.yml new file mode 100644 index 00000000000..a81cfab704f --- /dev/null +++ b/packages/ping_federate/validation.yml @@ -0,0 +1,3 @@ +errors: + exclude_checks: + - SVR00002 # References in dashboards.
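Review bot: In the `[Logs PingFederate] Audit` dashboard hunk, the dashboard-level `references` array points at the same tag id twice, once as `"name": "tag-ref-ping_federate-security-solution-default"` and once as `"name": "tag-ref-security-solution-default"`, both with `"id": "ping_federate-security-solution-default"`; one of these looks like a leftover and should be removed so the saved object does not carry a duplicate tag reference. Two smaller consistency points in the same hunk: the panel titled "Top 10 Clients [Logs PingFederate]" buckets on `ping_federate.audit.connection_id` with the column labelled "Connection ID", so either the title or the label should be aligned with what is actually shown, and the two `lnsDatatable` layers (`9cf803dd-...` and `53444e4d-...`) omit the `indexPatternId` / `currentIndexPatternId` keys that every `lnsXY` layer in the export carries, which suggests the panels were exported from different states. The `"title": "Empty XY chart"` placeholder inside each XY visualization state and the trailing space in the filter `"query": "event.outcome : \"failure\" "` are harmless but worth cleaning up, and the file is missing its trailing newline.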
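Review bot: In the `manifest.yml` hunk, the three input descriptions are interchangeable boilerplate (`description: Collecting logs from PingFederate via TCP.` and so on) and the policy template says only "from syslog or a file"; since the package ships two data streams with different formats, the input descriptions should state which log type and format each input accepts so an operator picking an input in Fleet is not left guessing. Also, both `screenshots` entries declare `size: 600x600`; please confirm the PNGs under `/img/` actually have those dimensions, since the manifest value is not validated against the file. Finally, `version: 0.1.0` is declared here but no `changelog.yml` appears in this part of the diff; if it is not elsewhere in the PR it needs to be added.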
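Review bot: In the `validation.yml` hunk, `exclude_checks: - SVR00002 # References in dashboards.` suppresses a package validation check rather than addressing what it reports, and the one-word comment does not say why that is acceptable for this package. The dashboard hunk above resolves every panel through a `logs-*` index-pattern reference, which is the kind of reference the comment names, so the comment should record the reason (for example, that the dashboards intentionally rely on the shared `logs-*` data view) so future readers can tell whether the exclusion is still needed, and ideally the exclusion should be scoped as temporary with a pointer to the follow-up.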