slack: add audit.context.session_id (#6193)

efd6 · web-flow · commit 248dabba9d23 · 2023-05-19T06:46:32.000+09:30
diff --git a/packages/slack/changelog.yml b/packages/slack/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.3.0"
+  changes:
+    - description: Add `slack.audit.context.session_id` field.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/6193
 - version: "1.2.0"
   changes:
     - description: Add a new flag to enable request tracing
diff --git a/packages/slack/data_stream/audit/_dev/test/pipeline/test-audit.log b/packages/slack/data_stream/audit/_dev/test/pipeline/test-audit.log
@@ -1,2 +1,3 @@
 {"id":"0123a45b-6c7d-8900-e12f-3456789gh0i1","date_create":1521214343,"action":"user_login","actor":{"type":"user","user":{"id":"W123AB456","name":"Charlie Parker","email":"bird@slack.com"}},"entity":{"type":"user","user":{"id":"W123AB456","name":"Charlie Parker","email":"bird@slack.com"}},"context":{"location":{"type":"enterprise","id":"E1701NCCA","name":"Birdland","domain":"birdland"},"ua":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36","ip_address":"81.2.69.143"}}
-{"id":"bdcb13e3-28a3-41f0-9ace-a20952def3a0","date_create":1566215192,"action":"user_created","actor":{"type":"user","user":{"id":"e65b0f5c","name":"roy","email":"aaron@demo.com"}},"entity":{"type":"user","user":{"id":"asdfasdf","name":"Joe Bob","email":"jbob@example.com","team":"T234SAH2"}},"context":{"location":{"type":"workspace","id":"e65b11aa","name":"Docker","domain":"Docker"},"ua":"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:23.0) Gecko/20131011 Firefox/23.0","ip_address":"81.2.69.143"}}
+{"id":"bdcb13e3-28a3-41f0-9ace-a20952def3a0","date_create":1566215192,"action":"user_created","actor":{"type":"user","user":{"id":"e65b0f5c","name":"roy","email":"aaron@demo.com"}},"entity":{"type":"user","user":{"id":"asdfasdf","name":"Joe Bob","email":"jbob@example.com","team":"T234SAH2"}},"context":{"location":{"type":"workspace","id":"e65b11aa","name":"Docker","domain":"Docker"},"ua":"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:23.0) Gecko/20131011 Firefox/23.0","ip_address":"81.2.69.143"}}
+{"action":"file_downloaded","actor":{"type":"user","user":{"email":"user.mcuser@abcd.co","id":"2f52269c-4f38-4f08-b56d-c2b968681dbd","name":"User McUser","team":"user-team"}},"context":{"ip_address":"81.2.69.144","location":{"domain":"domain.tld","id":"eedd1a7d-1a92-418d-8b01-51a4c809d0fb","name":"The Place","type":"workspace"},"session_id":913888259765,"ua":"com.tinyspeck.chatlyio/23.04.40 (iPhone; iOS 1.4.1; Scale/3.00)"},"date_create":1683836275,"details":{"url_private":"https://example.com/"},"entity":{"file":{"filetype":"image/png","id":"7edc4c42-f925-47af-979a-22c10e1fefed","name":"image.png","title":"image.png"},"type":"file"},"id":"2db28060-1659-4b27-ad55-fdba12e3a7b1"}
diff --git a/packages/slack/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json b/packages/slack/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json
@@ -164,6 +164,87 @@
                 },
                 "version": "23.0."
             }
+        },
+        {
+            "@timestamp": "2023-05-11T20:17:55.000Z",
+            "ecs": {
+                "version": "8.7.0"
+            },
+            "event": {
+                "action": "file_downloaded",
+                "category": [
+                    "file"
+                ],
+                "id": "2db28060-1659-4b27-ad55-fdba12e3a7b1",
+                "kind": "event",
+                "original": "{\"action\":\"file_downloaded\",\"actor\":{\"type\":\"user\",\"user\":{\"email\":\"user.mcuser@abcd.co\",\"id\":\"2f52269c-4f38-4f08-b56d-c2b968681dbd\",\"name\":\"User McUser\",\"team\":\"user-team\"}},\"context\":{\"ip_address\":\"81.2.69.144\",\"location\":{\"domain\":\"domain.tld\",\"id\":\"eedd1a7d-1a92-418d-8b01-51a4c809d0fb\",\"name\":\"The Place\",\"type\":\"workspace\"},\"session_id\":913888259765,\"ua\":\"com.tinyspeck.chatlyio/23.04.40 (iPhone; iOS 1.4.1; Scale/3.00)\"},\"date_create\":1683836275,\"details\":{\"url_private\":\"https://example.com/\"},\"entity\":{\"file\":{\"filetype\":\"image/png\",\"id\":\"7edc4c42-f925-47af-979a-22c10e1fefed\",\"name\":\"image.png\",\"title\":\"image.png\"},\"type\":\"file\"},\"id\":\"2db28060-1659-4b27-ad55-fdba12e3a7b1\"}",
+                "type": [
+                    "allowed"
+                ]
+            },
+            "related": {
+                "ip": [
+                    "81.2.69.144"
+                ],
+                "user": [
+                    "2f52269c-4f38-4f08-b56d-c2b968681dbd",
+                    "user.mcuser@abcd.co"
+                ]
+            },
+            "slack": {
+                "audit": {
+                    "context": {
+                        "domain": "domain.tld",
+                        "id": "eedd1a7d-1a92-418d-8b01-51a4c809d0fb",
+                        "name": "The Place",
+                        "session_id": "913888259765",
+                        "type": "workspace"
+                    },
+                    "entity": {
+                        "entity_type": "file",
+                        "filetype": "image/png",
+                        "id": "7edc4c42-f925-47af-979a-22c10e1fefed",
+                        "name": "image.png",
+                        "title": "image.png"
+                    }
+                }
+            },
+            "source": {
+                "address": "81.2.69.144",
+                "geo": {
+                    "city_name": "London",
+                    "continent_name": "Europe",
+                    "country_iso_code": "GB",
+                    "country_name": "United Kingdom",
+                    "location": {
+                        "lat": 51.5142,
+                        "lon": -0.0931
+                    },
+                    "region_iso_code": "GB-ENG",
+                    "region_name": "England"
+                },
+                "ip": "81.2.69.144"
+            },
+            "tags": [
+                "preserve_original_event"
+            ],
+            "user": {
+                "email": "user.mcuser@abcd.co",
+                "full_name": "User McUser",
+                "id": "2f52269c-4f38-4f08-b56d-c2b968681dbd"
+            },
+            "user_agent": {
+                "device": {
+                    "name": "iPhone"
+                },
+                "name": "Mobile Safari UI/WKWebView",
+                "original": "com.tinyspeck.chatlyio/23.04.40 (iPhone; iOS 1.4.1; Scale/3.00)",
+                "os": {
+                    "full": "iOS 1.4.1",
+                    "name": "iOS",
+                    "version": "1.4.1"
+                }
+            }
         }
     ]
 }
diff --git a/packages/slack/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/slack/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
@@ -149,6 +149,14 @@ processors:
     field: json.context.location
     target_field: slack.audit.context
     ignore_missing: true
+- rename:
+    field: json.context.session_id
+    target_field: slack.audit.context.session_id
+    ignore_missing: true
+- convert:
+    field: slack.audit.context.session_id
+    type: string
+    ignore_missing: true
 - append:
     field: related.user
     value: "{{user.id}}"
diff --git a/packages/slack/data_stream/audit/fields/fields.yml b/packages/slack/data_stream/audit/fields/fields.yml
@@ -1,7 +1,7 @@
 - name: slack.audit
   type: group
   description: >
-    Fields for Cloudflare Audit Logs
+    Fields for Slack Audit Logs
 
   fields:
     - name: context.domain
@@ -24,6 +24,11 @@
       description: >
         The type of account.  Either `Workspace` or `Enterprise`
 
+    - name: context.session_id
+      type: keyword
+      description: >
+        The identifier that is unique to each authenticated session.
+
     - name: entity
       type: group
       description: >
diff --git a/packages/slack/docs/README.md b/packages/slack/docs/README.md
@@ -93,6 +93,7 @@ Audit logs summarize the history of changes made within the Slack Enterprise.
 | slack.audit.context.domain | The domain of the Workspace or Enterprise | keyword |
 | slack.audit.context.id | The ID of the workspace or enterprise | keyword |
 | slack.audit.context.name | The name of the workspace or enterprise | keyword |
+| slack.audit.context.session_id | The identifier that is unique to each authenticated session. | keyword |
 | slack.audit.context.type | The type of account.  Either `Workspace` or `Enterprise` | keyword |
 | slack.audit.entity.barriered_from_usergroup | The user group barrier when entity_type is barrier | keyword |
 | slack.audit.entity.channel | The channel the entity is within when entity_type is message | keyword |
diff --git a/packages/slack/manifest.yml b/packages/slack/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: slack
 title: "Slack Logs"
-version: "1.2.0"
+version: "1.3.0"
 license: basic
 release: ga
 description: "Slack Logs Integration"

-Original file line number
+Diff line change
@@ @@ -1,2 +1,3 @@ @@
 {"id":"0123a45b-6c7d-8900-e12f-3456789gh0i1","date_create":1521214343,"action":"user_login","actor":{"type":"user","user":{"id":"W123AB456","name":"Charlie Parker","email":"[email protected]"}},"entity":{"type":"user","user":{"id":"W123AB456","name":"Charlie Parker","email":"[email protected]"}},"context":{"location":{"type":"enterprise","id":"E1701NCCA","name":"Birdland","domain":"birdland"},"ua":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36","ip_address":"81.2.69.143"}}
 -{"id":"bdcb13e3-28a3-41f0-9ace-a20952def3a0","date_create":1566215192,"action":"user_created","actor":{"type":"user","user":{"id":"e65b0f5c","name":"roy","email":"[email protected]"}},"entity":{"type":"user","user":{"id":"asdfasdf","name":"Joe Bob","email":"[email protected]","team":"T234SAH2"}},"context":{"location":{"type":"workspace","id":"e65b11aa","name":"Docker","domain":"Docker"},"ua":"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:23.0) Gecko/20131011 Firefox/23.0","ip_address":"81.2.69.143"}}
 +{"id":"bdcb13e3-28a3-41f0-9ace-a20952def3a0","date_create":1566215192,"action":"user_created","actor":{"type":"user","user":{"id":"e65b0f5c","name":"roy","email":"[email protected]"}},"entity":{"type":"user","user":{"id":"asdfasdf","name":"Joe Bob","email":"[email protected]","team":"T234SAH2"}},"context":{"location":{"type":"workspace","id":"e65b11aa","name":"Docker","domain":"Docker"},"ua":"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:23.0) Gecko/20131011 Firefox/23.0","ip_address":"81.2.69.143"}}
 +{"action":"file_downloaded","actor":{"type":"user","user":{"email":"[email protected]","id":"2f52269c-4f38-4f08-b56d-c2b968681dbd","name":"User McUser","team":"user-team"}},"context":{"ip_address":"81.2.69.144","location":{"domain":"domain.tld","id":"eedd1a7d-1a92-418d-8b01-51a4c809d0fb","name":"The Place","type":"workspace"},"session_id":913888259765,"ua":"com.tinyspeck.chatlyio/23.04.40 (iPhone; iOS 1.4.1; Scale/3.00)"},"date_create":1683836275,"details":{"url_private":"https://example.com/"},"entity":{"file":{"filetype":"image/png","id":"7edc4c42-f925-47af-979a-22c10e1fefed","name":"image.png","title":"image.png"},"type":"file"},"id":"2db28060-1659-4b27-ad55-fdba12e3a7b1"}