From 60207e4c63777ad5018c3cbe673bfa6fcc321995 Mon Sep 17 00:00:00 2001 
From: Alex Resnick
Date: Tue, 14 Dec 2021 10:05:16 -0600
Subject: [PATCH] [Mattermost] Add Mattermost package (#2315)

* inital commit
* updated pipeline and sample logs
* update mattermost pipeline
* update changelog
* update to 7.16.0
---
packages/mattermost/_dev/build/build.yml | 3 +
packages/mattermost/_dev/build/docs/README.md | 13 +
.../_dev/deploy/docker/docker-compose.yml | 8 +
.../_dev/deploy/docker/sample_logs/audit.log | 5 +
packages/mattermost/changelog.yml | 6 +
.../audit/_dev/test/pipeline/test-audit.log | 32 +
.../pipeline/test-audit.log-expected.json | 2941 +++++++++++++++++
.../_dev/test/pipeline/test-common-config.yml | 5 +
.../_dev/test/system/test-default-config.yml | 7 +
.../audit/agent/stream/stream.yml.hbs | 24 +
.../elasticsearch/ingest_pipeline/default.yml | 451 +++
.../data_stream/audit/fields/agent.yml | 198 ++
.../data_stream/audit/fields/base-fields.yml | 20 +
.../data_stream/audit/fields/beats.yml | 12 +
.../data_stream/audit/fields/ecs.yml | 76 +
.../data_stream/audit/fields/fields.yml | 86 +
.../mattermost/data_stream/audit/manifest.yml | 36 +
.../data_stream/audit/sample_event.json | 117 +
packages/mattermost/docs/README.md | 233 ++
packages/mattermost/img/mattermost-logo.svg | 1 +
packages/mattermost/manifest.yml | 28 +
21 files changed, 4302 insertions(+)
create mode 100644 packages/mattermost/_dev/build/build.yml
create mode 100644 packages/mattermost/_dev/build/docs/README.md
create mode 100644 packages/mattermost/_dev/deploy/docker/docker-compose.yml
create mode 100644 packages/mattermost/_dev/deploy/docker/sample_logs/audit.log
create mode 100644 packages/mattermost/changelog.yml
create mode 100644 packages/mattermost/data_stream/audit/_dev/test/pipeline/test-audit.log
create mode 100644 packages/mattermost/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json
create mode 100644 packages/mattermost/data_stream/audit/_dev/test/pipeline/test-common-config.yml
create mode 100644 packages/mattermost/data_stream/audit/_dev/test/system/test-default-config.yml
create mode 100644 packages/mattermost/data_stream/audit/agent/stream/stream.yml.hbs
create mode 100644 packages/mattermost/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
create mode 100644 packages/mattermost/data_stream/audit/fields/agent.yml
create mode 100644 packages/mattermost/data_stream/audit/fields/base-fields.yml
create mode 100644 packages/mattermost/data_stream/audit/fields/beats.yml
create mode 100644 packages/mattermost/data_stream/audit/fields/ecs.yml
create mode 100644 packages/mattermost/data_stream/audit/fields/fields.yml
create mode 100644 packages/mattermost/data_stream/audit/manifest.yml
create mode 100644 packages/mattermost/data_stream/audit/sample_event.json
create mode 100644 packages/mattermost/docs/README.md
create mode 100644 packages/mattermost/img/mattermost-logo.svg
create mode 100644 packages/mattermost/manifest.yml
diff --git a/packages/mattermost/_dev/build/build.yml b/packages/mattermost/_dev/build/build.yml
new file mode 100644
index 000000000000..08d85edcf9a4
--- /dev/null
+++ b/packages/mattermost/_dev/build/build.yml
@@ -0,0 +1,3 @@
+dependencies:
+ ecs:
+ reference: git@1.12
diff --git a/packages/mattermost/_dev/build/docs/README.md b/packages/mattermost/_dev/build/docs/README.md
new file mode 100644
index 000000000000..fce614b27f67
--- /dev/null
+++ b/packages/mattermost/_dev/build/docs/README.md
@@ -0,0 +1,13 @@
+# Mattermost Integration
+
+The Mattermost integration collects logs from Mattermost servers. This integration has been tested with Mattermost version 5.31.9 but is expected to work with other versions.
+
+## Logs
+
+### Audit
+
+All access to the Mattermost REST API or CLI is audited.
+
+{{fields "audit"}}
+
+{{event "audit"}}
diff --git a/packages/mattermost/_dev/deploy/docker/docker-compose.yml b/packages/mattermost/_dev/deploy/docker/docker-compose.yml
new file mode 100644
index 000000000000..13df077cff0a
--- /dev/null
+++ b/packages/mattermost/_dev/deploy/docker/docker-compose.yml
@@ -0,0 +1,8 @@
+version: '2.3'
+services:
+ mattermost:
+ image: alpine
+ volumes:
+ - ./sample_logs:/sample_logs:ro
+ - ${SERVICE_LOGS_DIR}:/var/log
+ command: /bin/sh -c "cp /sample_logs/*.log /var/log/"
diff --git a/packages/mattermost/_dev/deploy/docker/sample_logs/audit.log b/packages/mattermost/_dev/deploy/docker/sample_logs/audit.log
new file mode 100644
index 000000000000..80e2d366a558
--- /dev/null
+++ b/packages/mattermost/_dev/deploy/docker/sample_logs/audit.log
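Review bot: `image: alpine` on the `mattermost` service is an unpinned floating tag, so the system-test container is whatever the registry currently serves under `latest` and the test environment is not reproducible between runs. Pin it to the release you tested against or to a digest, e.g. `image: alpine:<PINNED_TAG>` (placeholder); the service only runs `cp /sample_logs/*.log /var/log/`, so any pinned release works. Also, `${SERVICE_LOGS_DIR}` is interpolated by Compose at startup and the file gives it no default, so presumably the test harness always exports it; worth confirming, since an empty value leaves an invalid volume spec.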
@@ -0,0 +1,5 @@
+{"timestamp":"2021-12-04 23:19:32.051 Z","event":"updateConfig","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"pjh4n69j3p883k7hhzippskcba","ip_address":"172.19.0.1","api_path":"/api/v4/config","cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"}
+{"timestamp":"2021-12-04 23:19:48.599 Z","event":"updateConfig","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"pjh4n69j3p883k7hhzippskcba","ip_address":"172.19.0.1","api_path":"/api/v4/config","cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"}
+{"timestamp":"2021-12-04 23:19:51.324 Z","event":"Logout","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"pjh4n69j3p883k7hhzippskcba","ip_address":"172.19.0.1","api_path":"/api/v4/users/logout","cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"}
+{"timestamp":"2021-12-04 23:19:58.729 Z","event":"login","status":"success","user_id":"","session_id":"","ip_address":"172.19.0.1","api_path":"/api/v4/users/login","device_id":"","login_id":"admin","user":{"id":"ag99yu4i1if63jrui63tsmq57y","name":"admin","roles":"system_admin system_user"},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"}
+{"timestamp":"2021-12-04 23:20:33.027 Z","event":"patchUser","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"172.19.0.1","api_path":"/api/v4/users/me/patch","patch":{"id":"ag99yu4i1if63jrui63tsmq57y","name":"admin","roles":"system_admin system_user"},"user":{"id":"ag99yu4i1if63jrui63tsmq57y","name":"admin","roles":"system_admin system_user"},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"}
\ No newline at end of file
diff --git a/packages/mattermost/changelog.yml b/packages/mattermost/changelog.yml
new file mode 100644
index 000000000000..035901acd98d
--- /dev/null
+++ b/packages/mattermost/changelog.yml
@@ -0,0 +1,6 @@
+# newer versions go on top
+- version: "1.0.0"
+ changes:
+ - description: Initial draft of the package
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2315
diff --git a/packages/mattermost/data_stream/audit/_dev/test/pipeline/test-audit.log b/packages/mattermost/data_stream/audit/_dev/test/pipeline/test-audit.log
new file mode 100644
index 000000000000..828456aad584
--- /dev/null
+++ b/packages/mattermost/data_stream/audit/_dev/test/pipeline/test-audit.log
@@ -0,0 +1,32 @@
+{"timestamp":"2021-12-04 23:19:32.051 Z","event":"updateConfig","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"pjh4n69j3p883k7hhzippskcba","ip_address":"55.33.6.7","api_path":"/api/v4/config","cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"}
+{"timestamp":"2021-12-04 23:19:48.599 Z","event":"updateConfig","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"pjh4n69j3p883k7hhzippskcba","ip_address":"55.33.6.7","api_path":"/api/v4/config","cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"}
+{"timestamp":"2021-12-04 23:19:51.324 Z","event":"Logout","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"pjh4n69j3p883k7hhzippskcba","ip_address":"55.33.6.7","api_path":"/api/v4/users/logout","cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"}
+{"timestamp":"2021-12-04 23:19:58.729 Z","event":"login","status":"success","user_id":"","session_id":"","ip_address":"55.33.6.7","api_path":"/api/v4/users/login","device_id":"","login_id":"admin","user":{"id":"ag99yu4i1if63jrui63tsmq57y","name":"admin","roles":"system_admin system_user"},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"}
+{"timestamp":"2021-12-04 23:20:33.027 Z","event":"patchUser","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"55.33.6.7","api_path":"/api/v4/users/me/patch","patch":{"id":"ag99yu4i1if63jrui63tsmq57y","name":"admin","roles":"system_admin system_user"},"user":{"id":"ag99yu4i1if63jrui63tsmq57y","name":"admin","roles":"system_admin system_user"},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"}
+{"timestamp":"2021-12-04 23:20:37.771 Z","event":"patchUser","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"55.33.6.7","api_path":"/api/v4/users/me/patch","patch":{"id":"ag99yu4i1if63jrui63tsmq57y","name":"admin","roles":"system_admin system_user"},"user":{"id":"ag99yu4i1if63jrui63tsmq57y","name":"admin","roles":"system_admin system_user"},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"}
+{"timestamp":"2021-12-04 23:20:53.063 Z","event":"updatePassword","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"55.33.6.7","api_path":"/api/v4/users/ag99yu4i1if63jrui63tsmq57y/password","user":{"id":"ag99yu4i1if63jrui63tsmq57y","name":"admin","roles":"system_admin system_user"},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"}
+{"timestamp":"2021-12-04 23:28:18.032 Z","event":"updatePreferences","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"55.33.6.7","api_path":"/api/v4/users/ag99yu4i1if63jrui63tsmq57y/preferences","cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"}
+{"timestamp":"2021-12-04 23:28:19.342 Z","event":"createPost","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"55.33.6.7","api_path":"/api/v4/posts","post":{"id":"gbuu48qc17bbjq4xdg5ciq4iao","channel_id":"hkmb8e53ijdkbc8agbpuxe8qxc","type":"","pinned":false},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"}
+{"timestamp":"2021-12-05 00:01:23.974 Z","event":"createChannel","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"55.33.6.7","api_path":"/api/v4/channels","channel":{"id":"cje83zmowjds9ywg6m4jf8w7oe","name":"public-channel","type":"O"},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"}
+{"timestamp":"2021-12-05 00:01:48.946 Z","event":"patchChannel","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"55.33.6.7","api_path":"/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe/patch","channel":{"id":"cje83zmowjds9ywg6m4jf8w7oe","name":"public-channel","type":"O"},"patch":{"id":"cje83zmowjds9ywg6m4jf8w7oe","name":"public-channel","type":"O"},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"}
+{"timestamp":"2021-12-05 00:01:52.914 Z","event":"deleteChannel","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"55.33.6.7","api_path":"/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe","channeld":{"id":"cje83zmowjds9ywg6m4jf8w7oe","name":"public-channel","type":"O"},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"}
+{"timestamp":"2021-12-05 00:02:01.482 Z","event":"deleteChannel","status":"fail","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"55.33.6.7","api_path":"/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe","channeld":{"id":"cje83zmowjds9ywg6m4jf8w7oe","name":"public-channel","type":"O"},"code":400,"err":"api.channel.delete_channel.deleted.app_error","cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"}
+{"timestamp":"2021-12-05 00:02:09.835 Z","event":"convertChannelToPrivate","status":"fail","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"55.33.6.7","api_path":"/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe/convert","channel":{"id":"cje83zmowjds9ywg6m4jf8w7oe","name":"public-channel","type":"O"},"code":400,"err":"app.channel.update.bad_id","user":{"id":"ag99yu4i1if63jrui63tsmq57y","name":"admin","roles":"system_admin system_user"},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"}
+{"timestamp":"2021-12-05 00:02:25.202 Z","event":"restoreChannel","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"55.33.6.7","api_path":"/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe/restore","channel":{"id":"cje83zmowjds9ywg6m4jf8w7oe","name":"public-channel","type":"O"},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"}
+{"timestamp":"2021-12-05 00:02:31.485 Z","event":"convertChannelToPrivate","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"55.33.6.7","api_path":"/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe/convert","channel":{"id":"cje83zmowjds9ywg6m4jf8w7oe","name":"public-channel","type":"O"},"user":{"id":"ag99yu4i1if63jrui63tsmq57y","name":"admin","roles":"system_admin system_user"},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"}
+{"timestamp":"2021-12-05 00:02:56.786 Z","event":"removeChannelMember","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"55.33.6.7","api_path":"/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe/members/ag99yu4i1if63jrui63tsmq57y","channel":{"id":"cje83zmowjds9ywg6m4jf8w7oe","name":"public-channel","type":"P"},"remove_user_id":"ag99yu4i1if63jrui63tsmq57y","cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"}
+{"timestamp":"2021-12-05 00:03:01.043 Z","event":"getConfig","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"55.33.6.7","api_path":"/api/v4/config","cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"}
+{"timestamp":"2021-12-05 00:03:13.849 Z","event":"createChannel","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"55.33.6.7","api_path":"/api/v4/channels","channel":{"id":"j3g9ysx6q3nh3q5kiyh3wrugha","name":"test","type":"O"},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"}
+{"timestamp":"2021-12-05 00:04:01.294 Z","event":"deleteChannel","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"55.33.6.7","api_path":"/api/v4/channels/j3g9ysx6q3nh3q5kiyh3wrugha","channeld":{"id":"j3g9ysx6q3nh3q5kiyh3wrugha","name":"test","type":"O"},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"}
+{"timestamp":"2021-12-05 00:12:11.211 Z","event":"getConfig","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"55.33.6.7","api_path":"/api/v4/config","cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"}
+{"timestamp":"2021-12-05 00:12:23.085 Z","event":"patchTeam","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"55.33.6.7","api_path":"/api/v4/teams/knrndtys13rzzk48ugm7mssnke/patch","patched":{"id":"knrndtys13rzzk48ugm7mssnke","name":"test","type":"O"},"team":{"id":"knrndtys13rzzk48ugm7mssnke","name":"test","type":"O"},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"}
+{"timestamp":"2021-12-05 00:12:29.655 Z","event":"patchTeam","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"55.33.6.7","api_path":"/api/v4/teams/knrndtys13rzzk48ugm7mssnke/patch","patched":{"id":"knrndtys13rzzk48ugm7mssnke","name":"test","type":"O"},"team":{"id":"knrndtys13rzzk48ugm7mssnke","name":"test","type":"O"},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"}
+{"timestamp":"2021-12-05 00:12:46.044 Z","event":"createTeam","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"55.33.6.7","api_path":"/api/v4/teams","team":{"id":"dqpybz1o3pbuzf7876u834nura","name":"another-team","type":"O"},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"}
+{"timestamp":"2021-12-05 00:18:13.183 Z","event":"removeTeamMember","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"55.33.6.7","api_path":"/api/v4/teams/dqpybz1o3pbuzf7876u834nura/members/ag99yu4i1if63jrui63tsmq57y","team":{"id":"dqpybz1o3pbuzf7876u834nura","name":"another-team","type":"O"},"user":{"id":"ag99yu4i1if63jrui63tsmq57y","name":"admin","roles":"system_admin system_user"},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"}
+{"timestamp":"2021-12-05 00:18:17.907 Z","event":"revokeAllSessionsForUser","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"mbz8h4gkxp8g3yzanizcpg43dc","ip_address":"55.33.6.7","api_path":"/api/v4/users/ag99yu4i1if63jrui63tsmq57y/sessions/revoke/all","cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"}
+{"timestamp":"2021-12-05 01:02:56.163 Z","event":"patchUser","status":"success","user_id":"cuk45yubk3nq8g7udrhojbk8ty","session_id":"6s4sy7p1b3fqdc3fktsh4yznhr","ip_address":"55.33.6.7","api_path":"/api/v4/users/me/patch","patch":{"id":"cuk45yubk3nq8g7udrhojbk8ty","name":"other1","roles":"system_user system_admin"},"user":{"id":"cuk45yubk3nq8g7udrhojbk8ty","name":"other","roles":"system_user system_admin"},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"}
+{"timestamp":"2021-12-05 01:13:26.358 Z","event":"addTeamMembers","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"f57d8pkf7iyg8xo6ttq73ggcnr","ip_address":"55.33.6.7","api_path":"/api/v4/teams/knrndtys13rzzk48ugm7mssnke/members/batch","count":1,"errors":"[]","team":{"id":"knrndtys13rzzk48ugm7mssnke","name":"test","type":"O"},"user_ids":"[cuk45yubk3nq8g7udrhojbk8ty]","cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"}
+{"timestamp":"2021-12-05 01:13:08.904 Z","event":"addTeamMembers","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"f57d8pkf7iyg8xo6ttq73ggcnr","ip_address":"55.33.6.7","api_path":"/api/v4/teams/knrndtys13rzzk48ugm7mssnke/members/batch","count":1,"errors":"[cuk45yubk3nq8g7udrhojbk8ty:JoinUserToTeam: The user cannot be added as the domain associated with the account is not permitted. Contact your System Administrator for additional details., ]","team":{"id":"knrndtys13rzzk48ugm7mssnke","name":"test","type":"O"},"user_ids":"[cuk45yubk3nq8g7udrhojbk8ty]","cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"}
+{"timestamp":"2021-12-05 01:20:06.246 Z","event":"addTeamMembers","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"f57d8pkf7iyg8xo6ttq73ggcnr","ip_address":"55.33.6.7","api_path":"/api/v4/teams/knrndtys13rzzk48ugm7mssnke/members/batch","count":2,"errors":"[cuk45yubk3nq8g7udrhojbk8ty:JoinUserToTeam: The user cannot be added as the domain associated with the account is not permitted. Contact your System Administrator for additional details., z63ehbxy47fwpc8bmz9ouuh7fe:JoinUserToTeam: The user cannot be added as the domain associated with the account is not permitted. Contact your System Administrator for additional details., ]","team":{"id":"knrndtys13rzzk48ugm7mssnke","name":"test","type":"O"},"user_ids":"[cuk45yubk3nq8g7udrhojbk8ty z63ehbxy47fwpc8bmz9ouuh7fe]","cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"}
+{"timestamp":"2021-12-05 17:21:36.724 Z","event":"deleteTeam","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"5timirrr5785mb3q1wutb5unrr","ip_address":"127.0.0.1","api_path":"/api/v4/teams/knrndtys13rzzk48ugm7mssnke","team":{"id":"knrndtys13rzzk48ugm7mssnke","name":"test","type":"O"},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"mmctl/5.31.0 (linux)"}
+{"timestamp":"2021-12-05 17:24:33.077 Z","event":"updateUserActive","status":"success","user_id":"ag99yu4i1if63jrui63tsmq57y","session_id":"jnqqnh3onjympe4u8pa5mgtexw","ip_address":"55.33.6.7","active":false,"api_path":"/api/v4/users/z63ehbxy47fwpc8bmz9ouuh7fe/active","user":{"id":"z63ehbxy47fwpc8bmz9ouuh7fe","name":"other2","roles":"system_user"},"cluster_id":"jq3utry71f8a7q9qgebmjccf4r","client":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"}
\ No newline at end of file
diff --git a/packages/mattermost/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json b/packages/mattermost/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json
new file mode 100644
index 000000000000..6c66544f3ac1
--- /dev/null
+++ b/packages/mattermost/data_stream/audit/_dev/test/pipeline/test-audit.log-expected.json
@@ -0,0 +1,2941 @@ +{ + "expected": [ + { + "mattermost": { + "audit": { + "cluster": { + "id": "jq3utry71f8a7q9qgebmjccf4r" + }, + "api_path": "/api/v4/config", + "session": { + "id": "pjh4n69j3p883k7hhzippskcba" + } + } + }, + "source": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 721, + "organization": { + "name": "DoD Network Information Center" + } + }, + "address": "55.33.6.7", + "ip": "55.33.6.7" + }, + "url": { + "path": "/api/v4/config", + "original": "/api/v4/config" + }, + "tags": [ + "preserve_original_event" + ], + "@timestamp": "2021-12-04T23:19:32.051Z", + "ecs": { + "version": "1.12" + }, + "related": { + "user": [ + "ag99yu4i1if63jrui63tsmq57y" + ], + "ip": [ + "55.33.6.7" + ] + }, + "event": { + "ingested": "2021-12-08T15:26:55.209438182Z", + "original": "{\"timestamp\":\"2021-12-04 23:19:32.051 Z\",\"event\":\"updateConfig\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"pjh4n69j3p883k7hhzippskcba\",\"ip_address\":\"55.33.6.7\",\"api_path\":\"/api/v4/config\",\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", + "kind": "event", + "action": "updateConfig", + "category": [ + "configuration" + ], + "type": [ + "change" + ], + "outcome": "success" + }, + "user": { + "id": "ag99yu4i1if63jrui63tsmq57y" + }, + "user_agent": { + "name": "Chrome", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", + "os": { + "name": "Windows", + "version": "10", + "full": "Windows 10" + }, + "device": { + "name": "Other" + }, + "version": "96.0.4664.45" + } + }, + { + "mattermost": { + "audit": { + "cluster": { + "id": "jq3utry71f8a7q9qgebmjccf4r" + }, + "api_path": "/api/v4/config", 
+ "session": { + "id": "pjh4n69j3p883k7hhzippskcba" + } + } + }, + "source": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 721, + "organization": { + "name": "DoD Network Information Center" + } + }, + "address": "55.33.6.7", + "ip": "55.33.6.7" + }, + "url": { + "path": "/api/v4/config", + "original": "/api/v4/config" + }, + "tags": [ + "preserve_original_event" + ], + "@timestamp": "2021-12-04T23:19:48.599Z", + "ecs": { + "version": "1.12" + }, + "related": { + "user": [ + "ag99yu4i1if63jrui63tsmq57y" + ], + "ip": [ + "55.33.6.7" + ] + }, + "event": { + "ingested": "2021-12-08T15:26:55.209464858Z", + "original": "{\"timestamp\":\"2021-12-04 23:19:48.599 Z\",\"event\":\"updateConfig\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"pjh4n69j3p883k7hhzippskcba\",\"ip_address\":\"55.33.6.7\",\"api_path\":\"/api/v4/config\",\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", + "kind": "event", + "action": "updateConfig", + "category": [ + "configuration" + ], + "type": [ + "change" + ], + "outcome": "success" + }, + "user": { + "id": "ag99yu4i1if63jrui63tsmq57y" + }, + "user_agent": { + "name": "Chrome", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", + "os": { + "name": "Windows", + "version": "10", + "full": "Windows 10" + }, + "device": { + "name": "Other" + }, + "version": "96.0.4664.45" + } + }, + { + "mattermost": { + "audit": { + "cluster": { + "id": "jq3utry71f8a7q9qgebmjccf4r" + }, + "api_path": "/api/v4/users/logout", + "session": { + "id": "pjh4n69j3p883k7hhzippskcba" + } + } + }, + "source": { + "geo": { + "continent_name": "North America", + "country_name": "United 
States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 721, + "organization": { + "name": "DoD Network Information Center" + } + }, + "address": "55.33.6.7", + "ip": "55.33.6.7" + }, + "url": { + "path": "/api/v4/users/logout", + "original": "/api/v4/users/logout" + }, + "tags": [ + "preserve_original_event" + ], + "@timestamp": "2021-12-04T23:19:51.324Z", + "ecs": { + "version": "1.12" + }, + "related": { + "user": [ + "ag99yu4i1if63jrui63tsmq57y" + ], + "ip": [ + "55.33.6.7" + ] + }, + "event": { + "ingested": "2021-12-08T15:26:55.209471639Z", + "original": "{\"timestamp\":\"2021-12-04 23:19:51.324 Z\",\"event\":\"Logout\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"pjh4n69j3p883k7hhzippskcba\",\"ip_address\":\"55.33.6.7\",\"api_path\":\"/api/v4/users/logout\",\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", + "kind": "event", + "action": "Logout", + "category": [ + "authentication", + "session" + ], + "type": [ + "end" + ], + "outcome": "success" + }, + "user": { + "id": "ag99yu4i1if63jrui63tsmq57y" + }, + "user_agent": { + "name": "Chrome", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", + "os": { + "name": "Windows", + "version": "10", + "full": "Windows 10" + }, + "device": { + "name": "Other" + }, + "version": "96.0.4664.45" + } + }, + { + "mattermost": { + "audit": { + "cluster": { + "id": "jq3utry71f8a7q9qgebmjccf4r" + }, + "api_path": "/api/v4/users/login" + } + }, + "source": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 721, + "organization": { + "name": "DoD Network Information Center" + } + }, + 
"address": "55.33.6.7", + "ip": "55.33.6.7" + }, + "url": { + "path": "/api/v4/users/login", + "original": "/api/v4/users/login" + }, + "tags": [ + "preserve_original_event" + ], + "@timestamp": "2021-12-04T23:19:58.729Z", + "ecs": { + "version": "1.12" + }, + "related": { + "user": [ + "ag99yu4i1if63jrui63tsmq57y" + ], + "ip": [ + "55.33.6.7" + ] + }, + "event": { + "ingested": "2021-12-08T15:26:55.209477057Z", + "original": "{\"timestamp\":\"2021-12-04 23:19:58.729 Z\",\"event\":\"login\",\"status\":\"success\",\"user_id\":\"\",\"session_id\":\"\",\"ip_address\":\"55.33.6.7\",\"api_path\":\"/api/v4/users/login\",\"device_id\":\"\",\"login_id\":\"admin\",\"user\":{\"id\":\"ag99yu4i1if63jrui63tsmq57y\",\"name\":\"admin\",\"roles\":\"system_admin system_user\"},\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", + "kind": "event", + "action": "login", + "category": [ + "authentication", + "session" + ], + "type": [ + "start" + ], + "outcome": "success" + }, + "user": { + "target": { + "name": "admin", + "roles": [ + "system_admin", + "system_user" + ], + "id": "ag99yu4i1if63jrui63tsmq57y" + } + }, + "user_agent": { + "name": "Chrome", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", + "os": { + "name": "Windows", + "version": "10", + "full": "Windows 10" + }, + "device": { + "name": "Other" + }, + "version": "96.0.4664.45" + } + }, + { + "mattermost": { + "audit": { + "patch": { + "name": "admin", + "roles": "system_admin system_user", + "id": "ag99yu4i1if63jrui63tsmq57y" + }, + "cluster": { + "id": "jq3utry71f8a7q9qgebmjccf4r" + }, + "api_path": "/api/v4/users/me/patch", + "session": { + "id": "mbz8h4gkxp8g3yzanizcpg43dc" + } + } + }, + "source": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": 
-97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 721, + "organization": { + "name": "DoD Network Information Center" + } + }, + "address": "55.33.6.7", + "ip": "55.33.6.7" + }, + "url": { + "path": "/api/v4/users/me/patch", + "original": "/api/v4/users/me/patch" + }, + "tags": [ + "preserve_original_event" + ], + "@timestamp": "2021-12-04T23:20:33.027Z", + "ecs": { + "version": "1.12" + }, + "related": { + "user": [ + "ag99yu4i1if63jrui63tsmq57y" + ], + "ip": [ + "55.33.6.7" + ] + }, + "event": { + "ingested": "2021-12-08T15:26:55.209482533Z", + "original": "{\"timestamp\":\"2021-12-04 23:20:33.027 Z\",\"event\":\"patchUser\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"55.33.6.7\",\"api_path\":\"/api/v4/users/me/patch\",\"patch\":{\"id\":\"ag99yu4i1if63jrui63tsmq57y\",\"name\":\"admin\",\"roles\":\"system_admin system_user\"},\"user\":{\"id\":\"ag99yu4i1if63jrui63tsmq57y\",\"name\":\"admin\",\"roles\":\"system_admin system_user\"},\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", + "kind": "event", + "action": "patchUser", + "category": [ + "iam" + ], + "type": [ + "user", + "change" + ], + "outcome": "success" + }, + "user": { + "id": "ag99yu4i1if63jrui63tsmq57y", + "target": { + "name": "admin", + "roles": [ + "system_admin", + "system_user" + ], + "id": "ag99yu4i1if63jrui63tsmq57y" + } + }, + "user_agent": { + "name": "Chrome", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", + "os": { + "name": "Windows", + "version": "10", + "full": "Windows 10" + }, + "device": { + "name": "Other" + }, + "version": "96.0.4664.45" + } + }, + { + "mattermost": { + "audit": { + "patch": { + "name": "admin", + "roles": "system_admin system_user", + "id": 
"ag99yu4i1if63jrui63tsmq57y" + }, + "cluster": { + "id": "jq3utry71f8a7q9qgebmjccf4r" + }, + "api_path": "/api/v4/users/me/patch", + "session": { + "id": "mbz8h4gkxp8g3yzanizcpg43dc" + } + } + }, + "source": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 721, + "organization": { + "name": "DoD Network Information Center" + } + }, + "address": "55.33.6.7", + "ip": "55.33.6.7" + }, + "url": { + "path": "/api/v4/users/me/patch", + "original": "/api/v4/users/me/patch" + }, + "tags": [ + "preserve_original_event" + ], + "@timestamp": "2021-12-04T23:20:37.771Z", + "ecs": { + "version": "1.12" + }, + "related": { + "user": [ + "ag99yu4i1if63jrui63tsmq57y" + ], + "ip": [ + "55.33.6.7" + ] + }, + "event": { + "ingested": "2021-12-08T15:26:55.209487988Z", + "original": "{\"timestamp\":\"2021-12-04 23:20:37.771 Z\",\"event\":\"patchUser\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"55.33.6.7\",\"api_path\":\"/api/v4/users/me/patch\",\"patch\":{\"id\":\"ag99yu4i1if63jrui63tsmq57y\",\"name\":\"admin\",\"roles\":\"system_admin system_user\"},\"user\":{\"id\":\"ag99yu4i1if63jrui63tsmq57y\",\"name\":\"admin\",\"roles\":\"system_admin system_user\"},\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", + "kind": "event", + "action": "patchUser", + "category": [ + "iam" + ], + "type": [ + "user", + "change" + ], + "outcome": "success" + }, + "user": { + "id": "ag99yu4i1if63jrui63tsmq57y", + "target": { + "name": "admin", + "roles": [ + "system_admin", + "system_user" + ], + "id": "ag99yu4i1if63jrui63tsmq57y" + } + }, + "user_agent": { + "name": "Chrome", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", + "os": { + "name": "Windows", + "version": "10", + "full": "Windows 10" + }, + "device": { + "name": "Other" + }, + "version": "96.0.4664.45" + } + }, + { + "mattermost": { + "audit": { + "cluster": { + "id": "jq3utry71f8a7q9qgebmjccf4r" + }, + "api_path": "/api/v4/users/ag99yu4i1if63jrui63tsmq57y/password", + "session": { + "id": "mbz8h4gkxp8g3yzanizcpg43dc" + } + } + }, + "source": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 721, + "organization": { + "name": "DoD Network Information Center" + } + }, + "address": "55.33.6.7", + "ip": "55.33.6.7" + }, + "url": { + "path": "/api/v4/users/ag99yu4i1if63jrui63tsmq57y/password", + "original": "/api/v4/users/ag99yu4i1if63jrui63tsmq57y/password" + }, + "tags": [ + "preserve_original_event" + ], + "@timestamp": "2021-12-04T23:20:53.063Z", + "ecs": { + "version": "1.12" + }, + "related": { + "user": [ + "ag99yu4i1if63jrui63tsmq57y" + ], + "ip": [ + "55.33.6.7" + ] + }, + "event": { + "ingested": "2021-12-08T15:26:55.209493245Z", + "original": "{\"timestamp\":\"2021-12-04 23:20:53.063 Z\",\"event\":\"updatePassword\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"55.33.6.7\",\"api_path\":\"/api/v4/users/ag99yu4i1if63jrui63tsmq57y/password\",\"user\":{\"id\":\"ag99yu4i1if63jrui63tsmq57y\",\"name\":\"admin\",\"roles\":\"system_admin system_user\"},\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", + "kind": "event", + "action": "updatePassword", + "category": [ + "iam" + ], + "type": [ + "user", + "change" + ], + "outcome": "success" + }, + "user": { + "id": "ag99yu4i1if63jrui63tsmq57y", + "target": { + "name": 
"admin", + "roles": [ + "system_admin", + "system_user" + ], + "id": "ag99yu4i1if63jrui63tsmq57y" + } + }, + "user_agent": { + "name": "Chrome", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", + "os": { + "name": "Windows", + "version": "10", + "full": "Windows 10" + }, + "device": { + "name": "Other" + }, + "version": "96.0.4664.45" + } + }, + { + "mattermost": { + "audit": { + "cluster": { + "id": "jq3utry71f8a7q9qgebmjccf4r" + }, + "api_path": "/api/v4/users/ag99yu4i1if63jrui63tsmq57y/preferences", + "session": { + "id": "mbz8h4gkxp8g3yzanizcpg43dc" + } + } + }, + "source": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 721, + "organization": { + "name": "DoD Network Information Center" + } + }, + "address": "55.33.6.7", + "ip": "55.33.6.7" + }, + "url": { + "path": "/api/v4/users/ag99yu4i1if63jrui63tsmq57y/preferences", + "original": "/api/v4/users/ag99yu4i1if63jrui63tsmq57y/preferences" + }, + "tags": [ + "preserve_original_event" + ], + "@timestamp": "2021-12-04T23:28:18.032Z", + "ecs": { + "version": "1.12" + }, + "related": { + "user": [ + "ag99yu4i1if63jrui63tsmq57y" + ], + "ip": [ + "55.33.6.7" + ] + }, + "event": { + "ingested": "2021-12-08T15:26:55.209498456Z", + "original": "{\"timestamp\":\"2021-12-04 23:28:18.032 Z\",\"event\":\"updatePreferences\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"55.33.6.7\",\"api_path\":\"/api/v4/users/ag99yu4i1if63jrui63tsmq57y/preferences\",\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", + "kind": "event", + "action": "updatePreferences", + "category": [ + "iam" + ], + "type": [ + 
"user", + "change" + ], + "outcome": "success" + }, + "user": { + "id": "ag99yu4i1if63jrui63tsmq57y" + }, + "user_agent": { + "name": "Chrome", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", + "os": { + "name": "Windows", + "version": "10", + "full": "Windows 10" + }, + "device": { + "name": "Other" + }, + "version": "96.0.4664.45" + } + }, + { + "mattermost": { + "audit": { + "cluster": { + "id": "jq3utry71f8a7q9qgebmjccf4r" + }, + "post": { + "channel": { + "id": "hkmb8e53ijdkbc8agbpuxe8qxc" + }, + "pinned": false, + "id": "gbuu48qc17bbjq4xdg5ciq4iao" + }, + "related": { + "channel": [ + "hkmb8e53ijdkbc8agbpuxe8qxc" + ] + }, + "api_path": "/api/v4/posts", + "session": { + "id": "mbz8h4gkxp8g3yzanizcpg43dc" + } + } + }, + "source": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 721, + "organization": { + "name": "DoD Network Information Center" + } + }, + "address": "55.33.6.7", + "ip": "55.33.6.7" + }, + "url": { + "path": "/api/v4/posts", + "original": "/api/v4/posts" + }, + "tags": [ + "preserve_original_event" + ], + "@timestamp": "2021-12-04T23:28:19.342Z", + "ecs": { + "version": "1.12" + }, + "related": { + "user": [ + "ag99yu4i1if63jrui63tsmq57y" + ], + "ip": [ + "55.33.6.7" + ] + }, + "event": { + "ingested": "2021-12-08T15:26:55.209503901Z", + "original": "{\"timestamp\":\"2021-12-04 23:28:19.342 Z\",\"event\":\"createPost\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"55.33.6.7\",\"api_path\":\"/api/v4/posts\",\"post\":{\"id\":\"gbuu48qc17bbjq4xdg5ciq4iao\",\"channel_id\":\"hkmb8e53ijdkbc8agbpuxe8qxc\",\"type\":\"\",\"pinned\":false},\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", + "kind": "event", + "action": "createPost", + "category": [ + "configuration" + ], + "type": [ + "creation" + ], + "outcome": "success" + }, + "user": { + "id": "ag99yu4i1if63jrui63tsmq57y" + }, + "user_agent": { + "name": "Chrome", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", + "os": { + "name": "Windows", + "version": "10", + "full": "Windows 10" + }, + "device": { + "name": "Other" + }, + "version": "96.0.4664.45" + } + }, + { + "mattermost": { + "audit": { + "channel": { + "name": "public-channel", + "type": "O", + "id": "cje83zmowjds9ywg6m4jf8w7oe" + }, + "cluster": { + "id": "jq3utry71f8a7q9qgebmjccf4r" + }, + "related": { + "channel": [ + "cje83zmowjds9ywg6m4jf8w7oe" + ] + }, + "api_path": "/api/v4/channels", + "session": { + "id": "mbz8h4gkxp8g3yzanizcpg43dc" + } + } + }, + "source": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 721, + "organization": { + "name": "DoD Network Information Center" + } + }, + "address": "55.33.6.7", + "ip": "55.33.6.7" + }, + "url": { + "path": "/api/v4/channels", + "original": "/api/v4/channels" + }, + "tags": [ + "preserve_original_event" + ], + "@timestamp": "2021-12-05T00:01:23.974Z", + "ecs": { + "version": "1.12" + }, + "related": { + "user": [ + "ag99yu4i1if63jrui63tsmq57y" + ], + "ip": [ + "55.33.6.7" + ] + }, + "event": { + "ingested": "2021-12-08T15:26:55.209509119Z", + "original": "{\"timestamp\":\"2021-12-05 00:01:23.974 
Z\",\"event\":\"createChannel\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"55.33.6.7\",\"api_path\":\"/api/v4/channels\",\"channel\":{\"id\":\"cje83zmowjds9ywg6m4jf8w7oe\",\"name\":\"public-channel\",\"type\":\"O\"},\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", + "kind": "event", + "action": "createChannel", + "category": [ + "configuration" + ], + "type": [ + "creation" + ], + "outcome": "success" + }, + "user": { + "id": "ag99yu4i1if63jrui63tsmq57y" + }, + "user_agent": { + "name": "Chrome", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", + "os": { + "name": "Windows", + "version": "10", + "full": "Windows 10" + }, + "device": { + "name": "Other" + }, + "version": "96.0.4664.45" + } + }, + { + "mattermost": { + "audit": { + "patch": { + "name": "public-channel", + "type": "O", + "id": "cje83zmowjds9ywg6m4jf8w7oe" + }, + "channel": { + "name": "public-channel", + "type": "O", + "id": "cje83zmowjds9ywg6m4jf8w7oe" + }, + "cluster": { + "id": "jq3utry71f8a7q9qgebmjccf4r" + }, + "related": { + "channel": [ + "cje83zmowjds9ywg6m4jf8w7oe" + ] + }, + "api_path": "/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe/patch", + "session": { + "id": "mbz8h4gkxp8g3yzanizcpg43dc" + } + } + }, + "source": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 721, + "organization": { + "name": "DoD Network Information Center" + } + }, + "address": "55.33.6.7", + "ip": "55.33.6.7" + }, + "url": { + "path": "/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe/patch", + "original": "/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe/patch" + }, + "tags": [ + 
"preserve_original_event" + ], + "@timestamp": "2021-12-05T00:01:48.946Z", + "ecs": { + "version": "1.12" + }, + "related": { + "user": [ + "ag99yu4i1if63jrui63tsmq57y" + ], + "ip": [ + "55.33.6.7" + ] + }, + "event": { + "ingested": "2021-12-08T15:26:55.209544031Z", + "original": "{\"timestamp\":\"2021-12-05 00:01:48.946 Z\",\"event\":\"patchChannel\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"55.33.6.7\",\"api_path\":\"/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe/patch\",\"channel\":{\"id\":\"cje83zmowjds9ywg6m4jf8w7oe\",\"name\":\"public-channel\",\"type\":\"O\"},\"patch\":{\"id\":\"cje83zmowjds9ywg6m4jf8w7oe\",\"name\":\"public-channel\",\"type\":\"O\"},\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", + "kind": "event", + "action": "patchChannel", + "category": [ + "configuration" + ], + "type": [ + "change" + ], + "outcome": "success" + }, + "user": { + "id": "ag99yu4i1if63jrui63tsmq57y" + }, + "user_agent": { + "name": "Chrome", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", + "os": { + "name": "Windows", + "version": "10", + "full": "Windows 10" + }, + "device": { + "name": "Other" + }, + "version": "96.0.4664.45" + } + }, + { + "mattermost": { + "audit": { + "channel": { + "name": "public-channel", + "type": "O", + "id": "cje83zmowjds9ywg6m4jf8w7oe" + }, + "cluster": { + "id": "jq3utry71f8a7q9qgebmjccf4r" + }, + "related": { + "channel": [ + "cje83zmowjds9ywg6m4jf8w7oe" + ] + }, + "api_path": "/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe", + "session": { + "id": "mbz8h4gkxp8g3yzanizcpg43dc" + } + } + }, + "source": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + 
"country_iso_code": "US" + }, + "as": { + "number": 721, + "organization": { + "name": "DoD Network Information Center" + } + }, + "address": "55.33.6.7", + "ip": "55.33.6.7" + }, + "url": { + "path": "/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe", + "original": "/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe" + }, + "tags": [ + "preserve_original_event" + ], + "@timestamp": "2021-12-05T00:01:52.914Z", + "ecs": { + "version": "1.12" + }, + "related": { + "user": [ + "ag99yu4i1if63jrui63tsmq57y" + ], + "ip": [ + "55.33.6.7" + ] + }, + "event": { + "ingested": "2021-12-08T15:26:55.209552229Z", + "original": "{\"timestamp\":\"2021-12-05 00:01:52.914 Z\",\"event\":\"deleteChannel\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"55.33.6.7\",\"api_path\":\"/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe\",\"channeld\":{\"id\":\"cje83zmowjds9ywg6m4jf8w7oe\",\"name\":\"public-channel\",\"type\":\"O\"},\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", + "kind": "event", + "action": "deleteChannel", + "category": [ + "configuration" + ], + "type": [ + "deletion" + ], + "outcome": "success" + }, + "user": { + "id": "ag99yu4i1if63jrui63tsmq57y" + }, + "user_agent": { + "name": "Chrome", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", + "os": { + "name": "Windows", + "version": "10", + "full": "Windows 10" + }, + "device": { + "name": "Other" + }, + "version": "96.0.4664.45" + } + }, + { + "mattermost": { + "audit": { + "channel": { + "name": "public-channel", + "type": "O", + "id": "cje83zmowjds9ywg6m4jf8w7oe" + }, + "cluster": { + "id": "jq3utry71f8a7q9qgebmjccf4r" + }, + "related": { + "channel": [ + "cje83zmowjds9ywg6m4jf8w7oe" + ] + }, + "api_path": 
"/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe", + "session": { + "id": "mbz8h4gkxp8g3yzanizcpg43dc" + } + } + }, + "source": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 721, + "organization": { + "name": "DoD Network Information Center" + } + }, + "address": "55.33.6.7", + "ip": "55.33.6.7" + }, + "error": { + "code": "api.channel.delete_channel.deleted.app_error" + }, + "url": { + "path": "/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe", + "original": "/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe" + }, + "tags": [ + "preserve_original_event" + ], + "@timestamp": "2021-12-05T00:02:01.482Z", + "ecs": { + "version": "1.12" + }, + "related": { + "user": [ + "ag99yu4i1if63jrui63tsmq57y" + ], + "ip": [ + "55.33.6.7" + ] + }, + "http": { + "response": { + "status_code": 400 + } + }, + "event": { + "ingested": "2021-12-08T15:26:55.209557854Z", + "original": "{\"timestamp\":\"2021-12-05 00:02:01.482 Z\",\"event\":\"deleteChannel\",\"status\":\"fail\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"55.33.6.7\",\"api_path\":\"/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe\",\"channeld\":{\"id\":\"cje83zmowjds9ywg6m4jf8w7oe\",\"name\":\"public-channel\",\"type\":\"O\"},\"code\":400,\"err\":\"api.channel.delete_channel.deleted.app_error\",\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", + "kind": "event", + "action": "deleteChannel", + "category": [ + "configuration" + ], + "type": [ + "deletion" + ], + "outcome": "failure" + }, + "user": { + "id": "ag99yu4i1if63jrui63tsmq57y" + }, + "user_agent": { + "name": "Chrome", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", + 
"os": { + "name": "Windows", + "version": "10", + "full": "Windows 10" + }, + "device": { + "name": "Other" + }, + "version": "96.0.4664.45" + } + }, + { + "mattermost": { + "audit": { + "channel": { + "name": "public-channel", + "type": "O", + "id": "cje83zmowjds9ywg6m4jf8w7oe" + }, + "cluster": { + "id": "jq3utry71f8a7q9qgebmjccf4r" + }, + "related": { + "channel": [ + "cje83zmowjds9ywg6m4jf8w7oe" + ] + }, + "api_path": "/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe/convert", + "session": { + "id": "mbz8h4gkxp8g3yzanizcpg43dc" + } + } + }, + "source": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 721, + "organization": { + "name": "DoD Network Information Center" + } + }, + "address": "55.33.6.7", + "ip": "55.33.6.7" + }, + "error": { + "code": "app.channel.update.bad_id" + }, + "url": { + "path": "/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe/convert", + "original": "/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe/convert" + }, + "tags": [ + "preserve_original_event" + ], + "@timestamp": "2021-12-05T00:02:09.835Z", + "ecs": { + "version": "1.12" + }, + "related": { + "user": [ + "ag99yu4i1if63jrui63tsmq57y" + ], + "ip": [ + "55.33.6.7" + ] + }, + "http": { + "response": { + "status_code": 400 + } + }, + "event": { + "ingested": "2021-12-08T15:26:55.209563426Z", + "original": "{\"timestamp\":\"2021-12-05 00:02:09.835 Z\",\"event\":\"convertChannelToPrivate\",\"status\":\"fail\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"55.33.6.7\",\"api_path\":\"/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe/convert\",\"channel\":{\"id\":\"cje83zmowjds9ywg6m4jf8w7oe\",\"name\":\"public-channel\",\"type\":\"O\"},\"code\":400,\"err\":\"app.channel.update.bad_id\",\"user\":{\"id\":\"ag99yu4i1if63jrui63tsmq57y\",\"name\":\"admin\",\"roles\":\"system_admin 
system_user\"},\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", + "kind": "event", + "action": "convertChannelToPrivate", + "category": [ + "configuration" + ], + "type": [ + "change" + ], + "outcome": "failure" + }, + "user": { + "id": "ag99yu4i1if63jrui63tsmq57y", + "target": { + "name": "admin", + "roles": [ + "system_admin", + "system_user" + ], + "id": "ag99yu4i1if63jrui63tsmq57y" + } + }, + "user_agent": { + "name": "Chrome", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", + "os": { + "name": "Windows", + "version": "10", + "full": "Windows 10" + }, + "device": { + "name": "Other" + }, + "version": "96.0.4664.45" + } + }, + { + "mattermost": { + "audit": { + "channel": { + "name": "public-channel", + "type": "O", + "id": "cje83zmowjds9ywg6m4jf8w7oe" + }, + "cluster": { + "id": "jq3utry71f8a7q9qgebmjccf4r" + }, + "related": { + "channel": [ + "cje83zmowjds9ywg6m4jf8w7oe" + ] + }, + "api_path": "/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe/restore", + "session": { + "id": "mbz8h4gkxp8g3yzanizcpg43dc" + } + } + }, + "source": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 721, + "organization": { + "name": "DoD Network Information Center" + } + }, + "address": "55.33.6.7", + "ip": "55.33.6.7" + }, + "url": { + "path": "/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe/restore", + "original": "/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe/restore" + }, + "tags": [ + "preserve_original_event" + ], + "@timestamp": "2021-12-05T00:02:25.202Z", + "ecs": { + "version": "1.12" + }, + "related": { + "user": [ + "ag99yu4i1if63jrui63tsmq57y" + ], + "ip": [ + "55.33.6.7" + ] + }, + "event": { + "ingested": 
"2021-12-08T15:26:55.209568764Z", + "original": "{\"timestamp\":\"2021-12-05 00:02:25.202 Z\",\"event\":\"restoreChannel\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"55.33.6.7\",\"api_path\":\"/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe/restore\",\"channel\":{\"id\":\"cje83zmowjds9ywg6m4jf8w7oe\",\"name\":\"public-channel\",\"type\":\"O\"},\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", + "kind": "event", + "action": "restoreChannel", + "category": [ + "configuration" + ], + "type": [ + "change" + ], + "outcome": "success" + }, + "user": { + "id": "ag99yu4i1if63jrui63tsmq57y" + }, + "user_agent": { + "name": "Chrome", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", + "os": { + "name": "Windows", + "version": "10", + "full": "Windows 10" + }, + "device": { + "name": "Other" + }, + "version": "96.0.4664.45" + } + }, + { + "mattermost": { + "audit": { + "channel": { + "name": "public-channel", + "type": "O", + "id": "cje83zmowjds9ywg6m4jf8w7oe" + }, + "cluster": { + "id": "jq3utry71f8a7q9qgebmjccf4r" + }, + "related": { + "channel": [ + "cje83zmowjds9ywg6m4jf8w7oe" + ] + }, + "api_path": "/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe/convert", + "session": { + "id": "mbz8h4gkxp8g3yzanizcpg43dc" + } + } + }, + "source": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 721, + "organization": { + "name": "DoD Network Information Center" + } + }, + "address": "55.33.6.7", + "ip": "55.33.6.7" + }, + "url": { + "path": "/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe/convert", + "original": 
"/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe/convert" + }, + "tags": [ + "preserve_original_event" + ], + "@timestamp": "2021-12-05T00:02:31.485Z", + "ecs": { + "version": "1.12" + }, + "related": { + "user": [ + "ag99yu4i1if63jrui63tsmq57y" + ], + "ip": [ + "55.33.6.7" + ] + }, + "event": { + "ingested": "2021-12-08T15:26:55.209574037Z", + "original": "{\"timestamp\":\"2021-12-05 00:02:31.485 Z\",\"event\":\"convertChannelToPrivate\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"55.33.6.7\",\"api_path\":\"/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe/convert\",\"channel\":{\"id\":\"cje83zmowjds9ywg6m4jf8w7oe\",\"name\":\"public-channel\",\"type\":\"O\"},\"user\":{\"id\":\"ag99yu4i1if63jrui63tsmq57y\",\"name\":\"admin\",\"roles\":\"system_admin system_user\"},\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", + "kind": "event", + "action": "convertChannelToPrivate", + "category": [ + "configuration" + ], + "type": [ + "change" + ], + "outcome": "success" + }, + "user": { + "id": "ag99yu4i1if63jrui63tsmq57y", + "target": { + "name": "admin", + "roles": [ + "system_admin", + "system_user" + ], + "id": "ag99yu4i1if63jrui63tsmq57y" + } + }, + "user_agent": { + "name": "Chrome", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", + "os": { + "name": "Windows", + "version": "10", + "full": "Windows 10" + }, + "device": { + "name": "Other" + }, + "version": "96.0.4664.45" + } + }, + { + "mattermost": { + "audit": { + "channel": { + "name": "public-channel", + "type": "P", + "id": "cje83zmowjds9ywg6m4jf8w7oe" + }, + "cluster": { + "id": "jq3utry71f8a7q9qgebmjccf4r" + }, + "related": { + "channel": [ + "cje83zmowjds9ywg6m4jf8w7oe" + ] + }, + "api_path": 
"/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe/members/ag99yu4i1if63jrui63tsmq57y", + "session": { + "id": "mbz8h4gkxp8g3yzanizcpg43dc" + } + } + }, + "source": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 721, + "organization": { + "name": "DoD Network Information Center" + } + }, + "address": "55.33.6.7", + "ip": "55.33.6.7" + }, + "url": { + "path": "/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe/members/ag99yu4i1if63jrui63tsmq57y", + "original": "/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe/members/ag99yu4i1if63jrui63tsmq57y" + }, + "tags": [ + "preserve_original_event" + ], + "@timestamp": "2021-12-05T00:02:56.786Z", + "ecs": { + "version": "1.12" + }, + "related": { + "user": [ + "ag99yu4i1if63jrui63tsmq57y" + ], + "ip": [ + "55.33.6.7" + ] + }, + "event": { + "ingested": "2021-12-08T15:26:55.209585637Z", + "original": "{\"timestamp\":\"2021-12-05 00:02:56.786 Z\",\"event\":\"removeChannelMember\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"55.33.6.7\",\"api_path\":\"/api/v4/channels/cje83zmowjds9ywg6m4jf8w7oe/members/ag99yu4i1if63jrui63tsmq57y\",\"channel\":{\"id\":\"cje83zmowjds9ywg6m4jf8w7oe\",\"name\":\"public-channel\",\"type\":\"P\"},\"remove_user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", + "kind": "event", + "action": "removeChannelMember", + "category": [ + "configuration" + ], + "type": [ + "change" + ], + "outcome": "success" + }, + "user": { + "id": "ag99yu4i1if63jrui63tsmq57y", + "target": { + "id": "ag99yu4i1if63jrui63tsmq57y" + } + }, + "user_agent": { + "name": "Chrome", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", + "os": { + "name": "Windows", + "version": "10", + "full": "Windows 10" + }, + "device": { + "name": "Other" + }, + "version": "96.0.4664.45" + } + }, + { + "mattermost": { + "audit": { + "cluster": { + "id": "jq3utry71f8a7q9qgebmjccf4r" + }, + "api_path": "/api/v4/config", + "session": { + "id": "mbz8h4gkxp8g3yzanizcpg43dc" + } + } + }, + "source": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 721, + "organization": { + "name": "DoD Network Information Center" + } + }, + "address": "55.33.6.7", + "ip": "55.33.6.7" + }, + "url": { + "path": "/api/v4/config", + "original": "/api/v4/config" + }, + "tags": [ + "preserve_original_event" + ], + "@timestamp": "2021-12-05T00:03:01.043Z", + "ecs": { + "version": "1.12" + }, + "related": { + "user": [ + "ag99yu4i1if63jrui63tsmq57y" + ], + "ip": [ + "55.33.6.7" + ] + }, + "event": { + "ingested": "2021-12-08T15:26:55.209591224Z", + "original": "{\"timestamp\":\"2021-12-05 00:03:01.043 Z\",\"event\":\"getConfig\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"55.33.6.7\",\"api_path\":\"/api/v4/config\",\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", + "kind": "event", + "action": "getConfig", + "category": [ + "configuration" + ], + "type": [ + "admin", + "info" + ], + "outcome": "success" + }, + "user": { + "id": "ag99yu4i1if63jrui63tsmq57y" + }, + "user_agent": { + "name": "Chrome", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", + "os": { + "name": "Windows", + "version": "10", + "full": "Windows 10" + }, + "device": { + "name": 
"Other" + }, + "version": "96.0.4664.45" + } + }, + { + "mattermost": { + "audit": { + "channel": { + "name": "test", + "type": "O", + "id": "j3g9ysx6q3nh3q5kiyh3wrugha" + }, + "cluster": { + "id": "jq3utry71f8a7q9qgebmjccf4r" + }, + "related": { + "channel": [ + "j3g9ysx6q3nh3q5kiyh3wrugha" + ] + }, + "api_path": "/api/v4/channels", + "session": { + "id": "mbz8h4gkxp8g3yzanizcpg43dc" + } + } + }, + "source": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 721, + "organization": { + "name": "DoD Network Information Center" + } + }, + "address": "55.33.6.7", + "ip": "55.33.6.7" + }, + "url": { + "path": "/api/v4/channels", + "original": "/api/v4/channels" + }, + "tags": [ + "preserve_original_event" + ], + "@timestamp": "2021-12-05T00:03:13.849Z", + "ecs": { + "version": "1.12" + }, + "related": { + "user": [ + "ag99yu4i1if63jrui63tsmq57y" + ], + "ip": [ + "55.33.6.7" + ] + }, + "event": { + "ingested": "2021-12-08T15:26:55.209596718Z", + "original": "{\"timestamp\":\"2021-12-05 00:03:13.849 Z\",\"event\":\"createChannel\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"55.33.6.7\",\"api_path\":\"/api/v4/channels\",\"channel\":{\"id\":\"j3g9ysx6q3nh3q5kiyh3wrugha\",\"name\":\"test\",\"type\":\"O\"},\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", + "kind": "event", + "action": "createChannel", + "category": [ + "configuration" + ], + "type": [ + "creation" + ], + "outcome": "success" + }, + "user": { + "id": "ag99yu4i1if63jrui63tsmq57y" + }, + "user_agent": { + "name": "Chrome", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", + "os": 
{ + "name": "Windows", + "version": "10", + "full": "Windows 10" + }, + "device": { + "name": "Other" + }, + "version": "96.0.4664.45" + } + }, + { + "mattermost": { + "audit": { + "channel": { + "name": "test", + "type": "O", + "id": "j3g9ysx6q3nh3q5kiyh3wrugha" + }, + "cluster": { + "id": "jq3utry71f8a7q9qgebmjccf4r" + }, + "related": { + "channel": [ + "j3g9ysx6q3nh3q5kiyh3wrugha" + ] + }, + "api_path": "/api/v4/channels/j3g9ysx6q3nh3q5kiyh3wrugha", + "session": { + "id": "mbz8h4gkxp8g3yzanizcpg43dc" + } + } + }, + "source": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 721, + "organization": { + "name": "DoD Network Information Center" + } + }, + "address": "55.33.6.7", + "ip": "55.33.6.7" + }, + "url": { + "path": "/api/v4/channels/j3g9ysx6q3nh3q5kiyh3wrugha", + "original": "/api/v4/channels/j3g9ysx6q3nh3q5kiyh3wrugha" + }, + "tags": [ + "preserve_original_event" + ], + "@timestamp": "2021-12-05T00:04:01.294Z", + "ecs": { + "version": "1.12" + }, + "related": { + "user": [ + "ag99yu4i1if63jrui63tsmq57y" + ], + "ip": [ + "55.33.6.7" + ] + }, + "event": { + "ingested": "2021-12-08T15:26:55.209604404Z", + "original": "{\"timestamp\":\"2021-12-05 00:04:01.294 Z\",\"event\":\"deleteChannel\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"55.33.6.7\",\"api_path\":\"/api/v4/channels/j3g9ysx6q3nh3q5kiyh3wrugha\",\"channeld\":{\"id\":\"j3g9ysx6q3nh3q5kiyh3wrugha\",\"name\":\"test\",\"type\":\"O\"},\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", + "kind": "event", + "action": "deleteChannel", + "category": [ + "configuration" + ], + "type": [ + "deletion" + ], + "outcome": "success" + }, + "user": { + "id": 
"ag99yu4i1if63jrui63tsmq57y" + }, + "user_agent": { + "name": "Chrome", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", + "os": { + "name": "Windows", + "version": "10", + "full": "Windows 10" + }, + "device": { + "name": "Other" + }, + "version": "96.0.4664.45" + } + }, + { + "mattermost": { + "audit": { + "cluster": { + "id": "jq3utry71f8a7q9qgebmjccf4r" + }, + "api_path": "/api/v4/config", + "session": { + "id": "mbz8h4gkxp8g3yzanizcpg43dc" + } + } + }, + "source": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 721, + "organization": { + "name": "DoD Network Information Center" + } + }, + "address": "55.33.6.7", + "ip": "55.33.6.7" + }, + "url": { + "path": "/api/v4/config", + "original": "/api/v4/config" + }, + "tags": [ + "preserve_original_event" + ], + "@timestamp": "2021-12-05T00:12:11.211Z", + "ecs": { + "version": "1.12" + }, + "related": { + "user": [ + "ag99yu4i1if63jrui63tsmq57y" + ], + "ip": [ + "55.33.6.7" + ] + }, + "event": { + "ingested": "2021-12-08T15:26:55.209609882Z", + "original": "{\"timestamp\":\"2021-12-05 00:12:11.211 Z\",\"event\":\"getConfig\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"55.33.6.7\",\"api_path\":\"/api/v4/config\",\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", + "kind": "event", + "action": "getConfig", + "category": [ + "configuration" + ], + "type": [ + "admin", + "info" + ], + "outcome": "success" + }, + "user": { + "id": "ag99yu4i1if63jrui63tsmq57y" + }, + "user_agent": { + "name": "Chrome", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, 
like Gecko) Chrome/96.0.4664.45 Safari/537.36", + "os": { + "name": "Windows", + "version": "10", + "full": "Windows 10" + }, + "device": { + "name": "Other" + }, + "version": "96.0.4664.45" + } + }, + { + "mattermost": { + "audit": { + "patch": { + "name": "test", + "type": "O", + "id": "knrndtys13rzzk48ugm7mssnke" + }, + "cluster": { + "id": "jq3utry71f8a7q9qgebmjccf4r" + }, + "team": { + "name": "test", + "type": "O", + "id": "knrndtys13rzzk48ugm7mssnke" + }, + "related": { + "team": [ + "knrndtys13rzzk48ugm7mssnke" + ] + }, + "api_path": "/api/v4/teams/knrndtys13rzzk48ugm7mssnke/patch", + "session": { + "id": "mbz8h4gkxp8g3yzanizcpg43dc" + } + } + }, + "source": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 721, + "organization": { + "name": "DoD Network Information Center" + } + }, + "address": "55.33.6.7", + "ip": "55.33.6.7" + }, + "url": { + "path": "/api/v4/teams/knrndtys13rzzk48ugm7mssnke/patch", + "original": "/api/v4/teams/knrndtys13rzzk48ugm7mssnke/patch" + }, + "tags": [ + "preserve_original_event" + ], + "@timestamp": "2021-12-05T00:12:23.085Z", + "ecs": { + "version": "1.12" + }, + "related": { + "user": [ + "ag99yu4i1if63jrui63tsmq57y" + ], + "ip": [ + "55.33.6.7" + ] + }, + "event": { + "ingested": "2021-12-08T15:26:55.209615329Z", + "original": "{\"timestamp\":\"2021-12-05 00:12:23.085 Z\",\"event\":\"patchTeam\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"55.33.6.7\",\"api_path\":\"/api/v4/teams/knrndtys13rzzk48ugm7mssnke/patch\",\"patched\":{\"id\":\"knrndtys13rzzk48ugm7mssnke\",\"name\":\"test\",\"type\":\"O\"},\"team\":{\"id\":\"knrndtys13rzzk48ugm7mssnke\",\"name\":\"test\",\"type\":\"O\"},\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", + "kind": "event", + "action": "patchTeam", + "category": [ + "iam" + ], + "type": [ + "group", + "change" + ], + "outcome": "success" + }, + "user": { + "id": "ag99yu4i1if63jrui63tsmq57y" + }, + "user_agent": { + "name": "Chrome", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", + "os": { + "name": "Windows", + "version": "10", + "full": "Windows 10" + }, + "device": { + "name": "Other" + }, + "version": "96.0.4664.45" + }, + "group": { + "name": "test", + "id": "knrndtys13rzzk48ugm7mssnke" + } + }, + { + "mattermost": { + "audit": { + "patch": { + "name": "test", + "type": "O", + "id": "knrndtys13rzzk48ugm7mssnke" + }, + "cluster": { + "id": "jq3utry71f8a7q9qgebmjccf4r" + }, + "team": { + "name": "test", + "type": "O", + "id": "knrndtys13rzzk48ugm7mssnke" + }, + "related": { + "team": [ + "knrndtys13rzzk48ugm7mssnke" + ] + }, + "api_path": "/api/v4/teams/knrndtys13rzzk48ugm7mssnke/patch", + "session": { + "id": "mbz8h4gkxp8g3yzanizcpg43dc" + } + } + }, + "source": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 721, + "organization": { + "name": "DoD Network Information Center" + } + }, + "address": "55.33.6.7", + "ip": "55.33.6.7" + }, + "url": { + "path": "/api/v4/teams/knrndtys13rzzk48ugm7mssnke/patch", + "original": "/api/v4/teams/knrndtys13rzzk48ugm7mssnke/patch" + }, + "tags": [ + "preserve_original_event" + ], + "@timestamp": "2021-12-05T00:12:29.655Z", + "ecs": { + "version": "1.12" + }, + "related": { + "user": [ + "ag99yu4i1if63jrui63tsmq57y" + ], + "ip": [ + "55.33.6.7" + ] + }, + "event": { + "ingested": "2021-12-08T15:26:55.209620519Z", + "original": "{\"timestamp\":\"2021-12-05 00:12:29.655 
Z\",\"event\":\"patchTeam\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"55.33.6.7\",\"api_path\":\"/api/v4/teams/knrndtys13rzzk48ugm7mssnke/patch\",\"patched\":{\"id\":\"knrndtys13rzzk48ugm7mssnke\",\"name\":\"test\",\"type\":\"O\"},\"team\":{\"id\":\"knrndtys13rzzk48ugm7mssnke\",\"name\":\"test\",\"type\":\"O\"},\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", + "kind": "event", + "action": "patchTeam", + "category": [ + "iam" + ], + "type": [ + "group", + "change" + ], + "outcome": "success" + }, + "user": { + "id": "ag99yu4i1if63jrui63tsmq57y" + }, + "user_agent": { + "name": "Chrome", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", + "os": { + "name": "Windows", + "version": "10", + "full": "Windows 10" + }, + "device": { + "name": "Other" + }, + "version": "96.0.4664.45" + }, + "group": { + "name": "test", + "id": "knrndtys13rzzk48ugm7mssnke" + } + }, + { + "mattermost": { + "audit": { + "cluster": { + "id": "jq3utry71f8a7q9qgebmjccf4r" + }, + "team": { + "name": "another-team", + "type": "O", + "id": "dqpybz1o3pbuzf7876u834nura" + }, + "related": { + "team": [ + "dqpybz1o3pbuzf7876u834nura" + ] + }, + "api_path": "/api/v4/teams", + "session": { + "id": "mbz8h4gkxp8g3yzanizcpg43dc" + } + } + }, + "source": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 721, + "organization": { + "name": "DoD Network Information Center" + } + }, + "address": "55.33.6.7", + "ip": "55.33.6.7" + }, + "url": { + "path": "/api/v4/teams", + "original": "/api/v4/teams" + }, + "tags": [ + "preserve_original_event" + ], + "@timestamp": 
"2021-12-05T00:12:46.044Z", + "ecs": { + "version": "1.12" + }, + "related": { + "user": [ + "ag99yu4i1if63jrui63tsmq57y" + ], + "ip": [ + "55.33.6.7" + ] + }, + "event": { + "ingested": "2021-12-08T15:26:55.209626076Z", + "original": "{\"timestamp\":\"2021-12-05 00:12:46.044 Z\",\"event\":\"createTeam\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"55.33.6.7\",\"api_path\":\"/api/v4/teams\",\"team\":{\"id\":\"dqpybz1o3pbuzf7876u834nura\",\"name\":\"another-team\",\"type\":\"O\"},\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", + "kind": "event", + "action": "createTeam", + "category": [ + "iam" + ], + "type": [ + "group", + "creation" + ], + "outcome": "success" + }, + "user": { + "id": "ag99yu4i1if63jrui63tsmq57y" + }, + "user_agent": { + "name": "Chrome", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", + "os": { + "name": "Windows", + "version": "10", + "full": "Windows 10" + }, + "device": { + "name": "Other" + }, + "version": "96.0.4664.45" + }, + "group": { + "name": "another-team", + "id": "dqpybz1o3pbuzf7876u834nura" + } + }, + { + "mattermost": { + "audit": { + "cluster": { + "id": "jq3utry71f8a7q9qgebmjccf4r" + }, + "team": { + "name": "another-team", + "type": "O", + "id": "dqpybz1o3pbuzf7876u834nura" + }, + "related": { + "team": [ + "dqpybz1o3pbuzf7876u834nura" + ] + }, + "api_path": "/api/v4/teams/dqpybz1o3pbuzf7876u834nura/members/ag99yu4i1if63jrui63tsmq57y", + "session": { + "id": "mbz8h4gkxp8g3yzanizcpg43dc" + } + } + }, + "source": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 721, + "organization": { + "name": 
"DoD Network Information Center" + } + }, + "address": "55.33.6.7", + "ip": "55.33.6.7" + }, + "url": { + "path": "/api/v4/teams/dqpybz1o3pbuzf7876u834nura/members/ag99yu4i1if63jrui63tsmq57y", + "original": "/api/v4/teams/dqpybz1o3pbuzf7876u834nura/members/ag99yu4i1if63jrui63tsmq57y" + }, + "tags": [ + "preserve_original_event" + ], + "@timestamp": "2021-12-05T00:18:13.183Z", + "ecs": { + "version": "1.12" + }, + "related": { + "user": [ + "ag99yu4i1if63jrui63tsmq57y" + ], + "ip": [ + "55.33.6.7" + ] + }, + "event": { + "ingested": "2021-12-08T15:26:55.209631447Z", + "original": "{\"timestamp\":\"2021-12-05 00:18:13.183 Z\",\"event\":\"removeTeamMember\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"55.33.6.7\",\"api_path\":\"/api/v4/teams/dqpybz1o3pbuzf7876u834nura/members/ag99yu4i1if63jrui63tsmq57y\",\"team\":{\"id\":\"dqpybz1o3pbuzf7876u834nura\",\"name\":\"another-team\",\"type\":\"O\"},\"user\":{\"id\":\"ag99yu4i1if63jrui63tsmq57y\",\"name\":\"admin\",\"roles\":\"system_admin system_user\"},\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", + "kind": "event", + "action": "removeTeamMember", + "category": [ + "iam" + ], + "type": [ + "group", + "change" + ], + "outcome": "success" + }, + "user": { + "id": "ag99yu4i1if63jrui63tsmq57y", + "target": { + "name": "admin", + "id": "ag99yu4i1if63jrui63tsmq57y", + "roles": [ + "system_admin", + "system_user" + ], + "group": { + "name": "another-team", + "id": "dqpybz1o3pbuzf7876u834nura" + } + } + }, + "user_agent": { + "name": "Chrome", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", + "os": { + "name": "Windows", + "version": "10", + "full": "Windows 10" + }, + "device": { + "name": "Other" + }, + "version": "96.0.4664.45" + } 
+ }, + { + "mattermost": { + "audit": { + "cluster": { + "id": "jq3utry71f8a7q9qgebmjccf4r" + }, + "api_path": "/api/v4/users/ag99yu4i1if63jrui63tsmq57y/sessions/revoke/all", + "session": { + "id": "mbz8h4gkxp8g3yzanizcpg43dc" + } + } + }, + "source": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 721, + "organization": { + "name": "DoD Network Information Center" + } + }, + "address": "55.33.6.7", + "ip": "55.33.6.7" + }, + "url": { + "path": "/api/v4/users/ag99yu4i1if63jrui63tsmq57y/sessions/revoke/all", + "original": "/api/v4/users/ag99yu4i1if63jrui63tsmq57y/sessions/revoke/all" + }, + "tags": [ + "preserve_original_event" + ], + "@timestamp": "2021-12-05T00:18:17.907Z", + "ecs": { + "version": "1.12" + }, + "related": { + "user": [ + "ag99yu4i1if63jrui63tsmq57y" + ], + "ip": [ + "55.33.6.7" + ] + }, + "event": { + "ingested": "2021-12-08T15:26:55.209636796Z", + "original": "{\"timestamp\":\"2021-12-05 00:18:17.907 Z\",\"event\":\"revokeAllSessionsForUser\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"mbz8h4gkxp8g3yzanizcpg43dc\",\"ip_address\":\"55.33.6.7\",\"api_path\":\"/api/v4/users/ag99yu4i1if63jrui63tsmq57y/sessions/revoke/all\",\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", + "kind": "event", + "action": "revokeAllSessionsForUser", + "category": [ + "session" + ], + "type": [ + "end" + ], + "outcome": "success" + }, + "user": { + "id": "ag99yu4i1if63jrui63tsmq57y" + }, + "user_agent": { + "name": "Chrome", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", + "os": { + "name": "Windows", + "version": "10", + "full": "Windows 10" + }, + "device": { + "name": "Other" 
+ }, + "version": "96.0.4664.45" + } + }, + { + "mattermost": { + "audit": { + "patch": { + "name": "other1", + "roles": "system_user system_admin", + "id": "cuk45yubk3nq8g7udrhojbk8ty" + }, + "cluster": { + "id": "jq3utry71f8a7q9qgebmjccf4r" + }, + "api_path": "/api/v4/users/me/patch", + "session": { + "id": "6s4sy7p1b3fqdc3fktsh4yznhr" + } + } + }, + "source": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 721, + "organization": { + "name": "DoD Network Information Center" + } + }, + "address": "55.33.6.7", + "ip": "55.33.6.7" + }, + "url": { + "path": "/api/v4/users/me/patch", + "original": "/api/v4/users/me/patch" + }, + "tags": [ + "preserve_original_event" + ], + "@timestamp": "2021-12-05T01:02:56.163Z", + "ecs": { + "version": "1.12" + }, + "related": { + "user": [ + "other1", + "cuk45yubk3nq8g7udrhojbk8ty" + ], + "ip": [ + "55.33.6.7" + ] + }, + "event": { + "ingested": "2021-12-08T15:26:55.209641989Z", + "original": "{\"timestamp\":\"2021-12-05 01:02:56.163 Z\",\"event\":\"patchUser\",\"status\":\"success\",\"user_id\":\"cuk45yubk3nq8g7udrhojbk8ty\",\"session_id\":\"6s4sy7p1b3fqdc3fktsh4yznhr\",\"ip_address\":\"55.33.6.7\",\"api_path\":\"/api/v4/users/me/patch\",\"patch\":{\"id\":\"cuk45yubk3nq8g7udrhojbk8ty\",\"name\":\"other1\",\"roles\":\"system_user system_admin\"},\"user\":{\"id\":\"cuk45yubk3nq8g7udrhojbk8ty\",\"name\":\"other\",\"roles\":\"system_user system_admin\"},\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", + "kind": "event", + "action": "patchUser", + "category": [ + "iam" + ], + "type": [ + "user", + "change" + ], + "outcome": "success" + }, + "user": { + "changes": { + "name": "other1" + }, + "id": "cuk45yubk3nq8g7udrhojbk8ty", + "target": { + "name": "other", + 
"roles": [ + "system_user", + "system_admin" + ], + "id": "cuk45yubk3nq8g7udrhojbk8ty" + } + }, + "user_agent": { + "name": "Chrome", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", + "os": { + "name": "Windows", + "version": "10", + "full": "Windows 10" + }, + "device": { + "name": "Other" + }, + "version": "96.0.4664.45" + } + }, + { + "mattermost": { + "audit": { + "cluster": { + "id": "jq3utry71f8a7q9qgebmjccf4r" + }, + "team": { + "name": "test", + "type": "O", + "id": "knrndtys13rzzk48ugm7mssnke" + }, + "related": { + "team": [ + "knrndtys13rzzk48ugm7mssnke" + ] + }, + "api_path": "/api/v4/teams/knrndtys13rzzk48ugm7mssnke/members/batch", + "session": { + "id": "f57d8pkf7iyg8xo6ttq73ggcnr" + } + } + }, + "source": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 721, + "organization": { + "name": "DoD Network Information Center" + } + }, + "address": "55.33.6.7", + "ip": "55.33.6.7" + }, + "url": { + "path": "/api/v4/teams/knrndtys13rzzk48ugm7mssnke/members/batch", + "original": "/api/v4/teams/knrndtys13rzzk48ugm7mssnke/members/batch" + }, + "tags": [ + "preserve_original_event" + ], + "@timestamp": "2021-12-05T01:13:26.358Z", + "ecs": { + "version": "1.12" + }, + "related": { + "user": [ + "ag99yu4i1if63jrui63tsmq57y", + "cuk45yubk3nq8g7udrhojbk8ty" + ], + "ip": [ + "55.33.6.7" + ] + }, + "event": { + "ingested": "2021-12-08T15:26:55.209647234Z", + "original": "{\"timestamp\":\"2021-12-05 01:13:26.358 
Z\",\"event\":\"addTeamMembers\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"f57d8pkf7iyg8xo6ttq73ggcnr\",\"ip_address\":\"55.33.6.7\",\"api_path\":\"/api/v4/teams/knrndtys13rzzk48ugm7mssnke/members/batch\",\"count\":1,\"errors\":\"[]\",\"team\":{\"id\":\"knrndtys13rzzk48ugm7mssnke\",\"name\":\"test\",\"type\":\"O\"},\"user_ids\":\"[cuk45yubk3nq8g7udrhojbk8ty]\",\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", + "kind": "event", + "action": "addTeamMembers", + "category": [ + "iam" + ], + "type": [ + "group", + "change" + ], + "outcome": "success" + }, + "user": { + "id": "ag99yu4i1if63jrui63tsmq57y", + "target": { + "id": [ + "cuk45yubk3nq8g7udrhojbk8ty" + ], + "group": { + "name": "test", + "id": "knrndtys13rzzk48ugm7mssnke" + } + } + }, + "user_agent": { + "name": "Chrome", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", + "os": { + "name": "Windows", + "version": "10", + "full": "Windows 10" + }, + "device": { + "name": "Other" + }, + "version": "96.0.4664.45" + } + }, + { + "mattermost": { + "audit": { + "cluster": { + "id": "jq3utry71f8a7q9qgebmjccf4r" + }, + "team": { + "name": "test", + "type": "O", + "id": "knrndtys13rzzk48ugm7mssnke" + }, + "related": { + "team": [ + "knrndtys13rzzk48ugm7mssnke" + ] + }, + "error": { + "message": [ + "cuk45yubk3nq8g7udrhojbk8ty:JoinUserToTeam: The user cannot be added as the domain associated with the account is not permitted. Contact your System Administrator for additional details." 
+ ] + }, + "api_path": "/api/v4/teams/knrndtys13rzzk48ugm7mssnke/members/batch", + "session": { + "id": "f57d8pkf7iyg8xo6ttq73ggcnr" + } + } + }, + "source": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 721, + "organization": { + "name": "DoD Network Information Center" + } + }, + "address": "55.33.6.7", + "ip": "55.33.6.7" + }, + "url": { + "path": "/api/v4/teams/knrndtys13rzzk48ugm7mssnke/members/batch", + "original": "/api/v4/teams/knrndtys13rzzk48ugm7mssnke/members/batch" + }, + "tags": [ + "preserve_original_event" + ], + "@timestamp": "2021-12-05T01:13:08.904Z", + "ecs": { + "version": "1.12" + }, + "related": { + "user": [ + "ag99yu4i1if63jrui63tsmq57y", + "cuk45yubk3nq8g7udrhojbk8ty" + ], + "ip": [ + "55.33.6.7" + ] + }, + "event": { + "ingested": "2021-12-08T15:26:55.209652346Z", + "original": "{\"timestamp\":\"2021-12-05 01:13:08.904 Z\",\"event\":\"addTeamMembers\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"f57d8pkf7iyg8xo6ttq73ggcnr\",\"ip_address\":\"55.33.6.7\",\"api_path\":\"/api/v4/teams/knrndtys13rzzk48ugm7mssnke/members/batch\",\"count\":1,\"errors\":\"[cuk45yubk3nq8g7udrhojbk8ty:JoinUserToTeam: The user cannot be added as the domain associated with the account is not permitted. 
Contact your System Administrator for additional details., ]\",\"team\":{\"id\":\"knrndtys13rzzk48ugm7mssnke\",\"name\":\"test\",\"type\":\"O\"},\"user_ids\":\"[cuk45yubk3nq8g7udrhojbk8ty]\",\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", + "kind": "event", + "action": "addTeamMembers", + "category": [ + "iam" + ], + "type": [ + "group", + "change" + ], + "outcome": "failure" + }, + "user": { + "id": "ag99yu4i1if63jrui63tsmq57y", + "target": { + "id": [ + "cuk45yubk3nq8g7udrhojbk8ty" + ], + "group": { + "name": "test", + "id": "knrndtys13rzzk48ugm7mssnke" + } + } + }, + "user_agent": { + "name": "Chrome", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", + "os": { + "name": "Windows", + "version": "10", + "full": "Windows 10" + }, + "device": { + "name": "Other" + }, + "version": "96.0.4664.45" + } + }, + { + "mattermost": { + "audit": { + "cluster": { + "id": "jq3utry71f8a7q9qgebmjccf4r" + }, + "team": { + "name": "test", + "type": "O", + "id": "knrndtys13rzzk48ugm7mssnke" + }, + "related": { + "team": [ + "knrndtys13rzzk48ugm7mssnke" + ] + }, + "error": { + "message": [ + "cuk45yubk3nq8g7udrhojbk8ty:JoinUserToTeam: The user cannot be added as the domain associated with the account is not permitted. Contact your System Administrator for additional details.", + "z63ehbxy47fwpc8bmz9ouuh7fe:JoinUserToTeam: The user cannot be added as the domain associated with the account is not permitted. Contact your System Administrator for additional details." 
+ ] + }, + "api_path": "/api/v4/teams/knrndtys13rzzk48ugm7mssnke/members/batch", + "session": { + "id": "f57d8pkf7iyg8xo6ttq73ggcnr" + } + } + }, + "source": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 721, + "organization": { + "name": "DoD Network Information Center" + } + }, + "address": "55.33.6.7", + "ip": "55.33.6.7" + }, + "url": { + "path": "/api/v4/teams/knrndtys13rzzk48ugm7mssnke/members/batch", + "original": "/api/v4/teams/knrndtys13rzzk48ugm7mssnke/members/batch" + }, + "tags": [ + "preserve_original_event" + ], + "@timestamp": "2021-12-05T01:20:06.246Z", + "ecs": { + "version": "1.12" + }, + "related": { + "user": [ + "ag99yu4i1if63jrui63tsmq57y", + "cuk45yubk3nq8g7udrhojbk8ty", + "z63ehbxy47fwpc8bmz9ouuh7fe" + ], + "ip": [ + "55.33.6.7" + ] + }, + "event": { + "ingested": "2021-12-08T15:26:55.209658600Z", + "original": "{\"timestamp\":\"2021-12-05 01:20:06.246 Z\",\"event\":\"addTeamMembers\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"f57d8pkf7iyg8xo6ttq73ggcnr\",\"ip_address\":\"55.33.6.7\",\"api_path\":\"/api/v4/teams/knrndtys13rzzk48ugm7mssnke/members/batch\",\"count\":2,\"errors\":\"[cuk45yubk3nq8g7udrhojbk8ty:JoinUserToTeam: The user cannot be added as the domain associated with the account is not permitted. Contact your System Administrator for additional details., z63ehbxy47fwpc8bmz9ouuh7fe:JoinUserToTeam: The user cannot be added as the domain associated with the account is not permitted. 
Contact your System Administrator for additional details., ]\",\"team\":{\"id\":\"knrndtys13rzzk48ugm7mssnke\",\"name\":\"test\",\"type\":\"O\"},\"user_ids\":\"[cuk45yubk3nq8g7udrhojbk8ty z63ehbxy47fwpc8bmz9ouuh7fe]\",\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", + "kind": "event", + "action": "addTeamMembers", + "category": [ + "iam" + ], + "type": [ + "group", + "change" + ], + "outcome": "failure" + }, + "user": { + "id": "ag99yu4i1if63jrui63tsmq57y", + "target": { + "id": [ + "cuk45yubk3nq8g7udrhojbk8ty", + "z63ehbxy47fwpc8bmz9ouuh7fe" + ], + "group": { + "name": "test", + "id": "knrndtys13rzzk48ugm7mssnke" + } + } + }, + "user_agent": { + "name": "Chrome", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", + "os": { + "name": "Windows", + "version": "10", + "full": "Windows 10" + }, + "device": { + "name": "Other" + }, + "version": "96.0.4664.45" + } + }, + { + "mattermost": { + "audit": { + "cluster": { + "id": "jq3utry71f8a7q9qgebmjccf4r" + }, + "team": { + "name": "test", + "type": "O", + "id": "knrndtys13rzzk48ugm7mssnke" + }, + "related": { + "team": [ + "knrndtys13rzzk48ugm7mssnke" + ] + }, + "api_path": "/api/v4/teams/knrndtys13rzzk48ugm7mssnke", + "session": { + "id": "5timirrr5785mb3q1wutb5unrr" + } + } + }, + "source": { + "address": "127.0.0.1", + "ip": "127.0.0.1" + }, + "url": { + "path": "/api/v4/teams/knrndtys13rzzk48ugm7mssnke", + "original": "/api/v4/teams/knrndtys13rzzk48ugm7mssnke" + }, + "tags": [ + "preserve_original_event" + ], + "@timestamp": "2021-12-05T17:21:36.724Z", + "ecs": { + "version": "1.12" + }, + "related": { + "user": [ + "ag99yu4i1if63jrui63tsmq57y" + ], + "ip": [ + "127.0.0.1" + ] + }, + "event": { + "ingested": "2021-12-08T15:26:55.209664049Z", + "original": "{\"timestamp\":\"2021-12-05 17:21:36.724 
Z\",\"event\":\"deleteTeam\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"5timirrr5785mb3q1wutb5unrr\",\"ip_address\":\"127.0.0.1\",\"api_path\":\"/api/v4/teams/knrndtys13rzzk48ugm7mssnke\",\"team\":{\"id\":\"knrndtys13rzzk48ugm7mssnke\",\"name\":\"test\",\"type\":\"O\"},\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"mmctl/5.31.0 (linux)\"}", + "kind": "event", + "action": "deleteTeam", + "category": [ + "iam" + ], + "type": [ + "group", + "deletion" + ], + "outcome": "success" + }, + "user": { + "id": "ag99yu4i1if63jrui63tsmq57y" + }, + "user_agent": { + "name": "Other", + "original": "mmctl/5.31.0 (linux)", + "os": { + "name": "Linux" + }, + "device": { + "name": "Other" + } + }, + "group": { + "name": "test", + "id": "knrndtys13rzzk48ugm7mssnke" + } + }, + { + "mattermost": { + "audit": { + "cluster": { + "id": "jq3utry71f8a7q9qgebmjccf4r" + }, + "api_path": "/api/v4/users/z63ehbxy47fwpc8bmz9ouuh7fe/active", + "session": { + "id": "jnqqnh3onjympe4u8pa5mgtexw" + } + } + }, + "source": { + "geo": { + "continent_name": "North America", + "country_name": "United States", + "location": { + "lon": -97.822, + "lat": 37.751 + }, + "country_iso_code": "US" + }, + "as": { + "number": 721, + "organization": { + "name": "DoD Network Information Center" + } + }, + "address": "55.33.6.7", + "ip": "55.33.6.7" + }, + "url": { + "path": "/api/v4/users/z63ehbxy47fwpc8bmz9ouuh7fe/active", + "original": "/api/v4/users/z63ehbxy47fwpc8bmz9ouuh7fe/active" + }, + "tags": [ + "preserve_original_event" + ], + "@timestamp": "2021-12-05T17:24:33.077Z", + "ecs": { + "version": "1.12" + }, + "related": { + "user": [ + "ag99yu4i1if63jrui63tsmq57y", + "z63ehbxy47fwpc8bmz9ouuh7fe" + ], + "ip": [ + "55.33.6.7" + ] + }, + "event": { + "ingested": "2021-12-08T15:26:55.209669419Z", + "original": "{\"timestamp\":\"2021-12-05 17:24:33.077 
Z\",\"event\":\"updateUserActive\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"jnqqnh3onjympe4u8pa5mgtexw\",\"ip_address\":\"55.33.6.7\",\"active\":false,\"api_path\":\"/api/v4/users/z63ehbxy47fwpc8bmz9ouuh7fe/active\",\"user\":{\"id\":\"z63ehbxy47fwpc8bmz9ouuh7fe\",\"name\":\"other2\",\"roles\":\"system_user\"},\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}", + "kind": "event", + "action": "updateUserActive", + "category": [ + "iam" + ], + "type": [ + "admin", + "user", + "change" + ], + "outcome": "success" + }, + "user": { + "id": "ag99yu4i1if63jrui63tsmq57y", + "target": { + "name": "other2", + "roles": [ + "system_user" + ], + "id": "z63ehbxy47fwpc8bmz9ouuh7fe" + } + }, + "user_agent": { + "name": "Chrome", + "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", + "os": { + "name": "Windows", + "version": "10", + "full": "Windows 10" + }, + "device": { + "name": "Other" + }, + "version": "96.0.4664.45" + } + } + ] +} \ No newline at end of file diff --git a/packages/mattermost/data_stream/audit/_dev/test/pipeline/test-common-config.yml b/packages/mattermost/data_stream/audit/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 000000000000..a09fe07263c9 --- /dev/null +++ b/packages/mattermost/data_stream/audit/_dev/test/pipeline/test-common-config.yml @@ -0,0 +1,5 @@ +fields: + tags: + - preserve_original_event +dynamic_fields: + event.ingested: "^.*$" diff --git a/packages/mattermost/data_stream/audit/_dev/test/system/test-default-config.yml b/packages/mattermost/data_stream/audit/_dev/test/system/test-default-config.yml new file mode 100644 index 000000000000..4752c5f892f2 --- /dev/null +++ b/packages/mattermost/data_stream/audit/_dev/test/system/test-default-config.yml 
@@ -0,0 +1,7 @@
+service: mattermost
+input: logfile
+data_stream:
+ vars:
+ paths:
+ - "{{SERVICE_LOGS_DIR}}/*.log"
+ preserve_original_event: true
diff --git a/packages/mattermost/data_stream/audit/agent/stream/stream.yml.hbs b/packages/mattermost/data_stream/audit/agent/stream/stream.yml.hbs
new file mode 100644
index 000000000000..58c6d8be7556
--- /dev/null
+++ b/packages/mattermost/data_stream/audit/agent/stream/stream.yml.hbs
@@ -0,0 +1,24 @@
+paths:
+{{#each paths as |path i|}}
+ - {{path}}
+{{/each}}
+exclude_files: [".gz$"]
+{{#if tags.length}}
+tags:
+{{else if preserve_original_event}}
+tags:
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/mattermost/data_stream/audit/elasticsearch/ingest_pipeline/default.yml b/packages/mattermost/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 000000000000..c7ccff044071
--- /dev/null
+++ b/packages/mattermost/data_stream/audit/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,451 @@
+---
+description: Pipeline for processing Mattermost audit logs
+processors:
+- set:
+ field: event.ingested
+ value: '{{_ingest.timestamp}}'
+- set:
+ field: ecs.version
+ value: "1.12"
+- rename:
+ field: message
+ target_field: event.original
+- json:
+ field: event.original
+ target_field: json
+- date:
+ field: json.timestamp
+ formats:
+ - yyyy-MM-dd HH:mm:ss.SSS 'Z'
+ timezone: UTC
+ target_field: "@timestamp"
+- rename:
+ field: json.event
+ target_field: event.action
+ ignore_missing: true
+- rename:
+ field: json.err
+ target_field: error.code
+ ignore_missing: true
+- rename:
+ field: json.errors
+ target_field: mattermost.audit.error.message
+ ignore_missing: true
+ if: ctx.json?.errors != "[]"
+- gsub:
+ field: mattermost.audit.error.message
+ pattern: "(\\[|\\])"
+ replacement: ""
+ ignore_missing: true
+- split:
+ field: mattermost.audit.error.message
+ separator: ",\\s+"
+ ignore_missing: true
+ ignore_failure: true
+- set:
+ field: event.outcome
+ value: success
+ if: ctx.json?.status == "success"
+- set:
+ field: event.outcome
+ value: failure
+ if: ctx.json?.status == "fail" || ctx.mattermost?.audit?.error?.message != null
+- set:
+ field: event.outcome
+ value: unknown
+ if: ctx.event?.outcome == null
+- rename:
+ field: json.user_id
+ target_field: user.id
+ ignore_missing: true
+- rename:
+ field: json.user_id
+ target_field: user.id
+ ignore_missing: true
+- rename:
+ field: json.login_id
+ target_field: user.id
+ ignore_missing: true
+ if: ctx.user?.id == null
+- rename:
+ field: json.ip_address
+ target_field: source.address
+ ignore_missing: true
+- convert:
+ field: source.address
+ target_field: source.ip
+ type: ip
+ ignore_missing: true
+ ignore_failure: true
+- geoip:
+ field: source.ip
+ target_field: source.geo
+ ignore_missing: true
+- geoip:
+ database_file: GeoLite2-ASN.mmdb
+ field: source.ip
+ target_field: source.as
+ properties:
+ - asn
+ - organization_name
+ ignore_missing: true
+- rename:
+ field: source.as.asn
+ target_field: source.as.number
+ ignore_missing: true
+- rename:
+ field: source.as.organization_name
+ target_field: source.as.organization.name
+ ignore_missing: true
+- user_agent:
+ field: json.client
+ target_field: user_agent
+ ignore_missing: true
+- rename:
+ field: json.api_path
+ target_field: mattermost.audit.api_path
+ ignore_missing: true
+- uri_parts:
+ field: mattermost.audit.api_path
+ ignore_failure: true
+- rename:
+ field: json.session_id
+ target_field: mattermost.audit.session.id
+ ignore_missing: true
+- rename:
+ field: json.device_id
+ target_field: mattermost.audit.device.id
+ ignore_missing: true
+- rename:
+ field: json.cluster_id
+ target_field: mattermost.audit.cluster.id
+ ignore_missing: true
+- rename:
+ field: json.user.id
+ target_field: user.target.id
+ ignore_missing: true
+- rename:
+ field: json.user.name
+ target_field: user.target.name
+ ignore_missing: true
+- rename:
+ field: json.user.roles
+ target_field: user.target.roles
+ ignore_missing: true
+- split:
+ field: user.target.roles
+ separator: \s+
+ ignore_missing: true
+- rename:
+ field: json.remove_user_id
+ target_field: user.target.id
+ ignore_missing: true
+- gsub:
+ field: json.user_ids
+ pattern: "(\\[|\\])"
+ replacement: ""
+ ignore_missing: true
+- split:
+ field: json.user_ids
+ separator: \s+
+ ignore_missing: true
+ ignore_failure: true
+- rename:
+ field: json.user_ids
+ target_field: user.target.id
+ ignore_missing: true
+- rename:
+ field: json.team
+ target_field: mattermost.audit.team
+ ignore_missing: true
+- rename:
+ field: json.code
+ target_field: http.response.status_code
+ ignore_missing: true
+- rename:
+ field: json.post
+ target_field: mattermost.audit.post
+ ignore_missing: true
+- rename:
+ field: mattermost.audit.post.channel_id
+ target_field: mattermost.audit.post.channel.id
+ ignore_missing: true
+- rename:
+ field: json.patch
+ target_field: mattermost.audit.patch
+ ignore_missing: true
+- rename:
+ field: json.patched
+ target_field: mattermost.audit.patch
+ ignore_missing: true
+- rename:
+ field: json.channel
+ target_field: mattermost.audit.channel
+ ignore_missing: true
+- rename:
+ field: json.channeld
+ target_field: mattermost.audit.channel
+ ignore_missing: true
+- script:
+ lang: painless
+ tag: Add ECS categorization
+ params:
+ login:
+ category:
+ - authentication
+ - session
+ type:
+ - start
+ Logout:
+ category:
+ - authentication
+ - session
+ type:
+ - end
+ revokeAllSessionsForUser:
+ category:
+ - session
+ type:
+ - end
+ getConfig:
+ category:
+ - configuration
+ type:
+ - admin
+ - info
+ updateConfig:
+ category:
+ - configuration
+ type:
+ - change
+ updatePassword:
+ category:
+ - iam
+ type:
+ - user
+ - change
+ updatePreferences:
+ category:
+ - iam
+ type:
+ - user
+ - change
+ updateUserActive:
+ category:
+ - iam
+ type:
+ - admin
+ - user
+ - change
+ patchUser:
+ category:
+ - iam
+ type:
+ - user
+ - change
+ createPost:
+ category:
+ - configuration
+ type:
+ - creation
+ createChannel:
+ category:
+ - configuration
+ type:
+ - creation
+ patchChannel:
+ category:
+ - configuration
+ type:
+ - change
+ deleteChannel:
+ category:
+ - configuration
+ type:
+ - deletion
+ convertChannelToPrivate:
+ category:
+ - configuration
+ type:
+ - change
+ restoreChannel:
+ category:
+ - configuration
+ type:
+ - change
+ removeChannelMember:
+ category:
+ - configuration
+ type:
+ - change
+ createTeam:
+ category:
+ - iam
+ type:
+ - group
+ - creation
+ patchTeam:
+ category:
+ - iam
+ type:
+ - group
+ - change
+ deleteTeam:
+ category:
+ - iam
+ type:
+ - group
+ - deletion
+ addTeamMembers:
+ category:
+ - iam
+ type:
+ - group
+ - change
+ removeTeamMember:
+ category:
+ - iam
+ type:
+ - group
+ - change
+
+ source: >-
+ ctx.event.kind = 'event';
+ ctx.event.category = ['configuration'];
+ ctx.event.type = ['info'];
+ if (ctx?.event?.action == null) {
+ return;
+ }
+ if (params.get(ctx.event.action) == null) {
+ return;
+ }
+ def hm = new HashMap(params.get(ctx.event.action));
+ hm.forEach((k, v) -> ctx.event[k] = v);
+- script:
+ lang: painless
+ description: Add ECS User fields
+ if: "ctx.event?.category.contains('iam')"
+ source: >-
+ if (ctx?.event?.action == null) {
+ return;
+ }
+ if (ctx.group == null) {
+ Map map = new HashMap();
+ ctx.put("group", map);
+ }
+ if (ctx.user == null) {
+ Map map = new HashMap();
+ ctx.put("user", map);
+ }
+ if (ctx.user?.target == null) {
+ Map map = new HashMap();
+ ctx.user.put("target", map);
+ }
+ if (ctx.user?.changes == null) {
+ Map map = new HashMap();
+ ctx.user.put("changes", map);
+ }
+ if (ctx.user?.target?.group == null) {
+ Map map = new HashMap();
+ ctx.user.target.put("group", map);
+ }
+ if(['patchUser'].contains(ctx.event.action)) {
+ if(ctx.user?.target?.name != ctx.mattermost?.audit?.patch?.name) {
+ ctx.user.changes.put("name", ctx.mattermost?.audit?.patch?.name);
+ }
+ }
+ if(['createTeam','patchTeam','deleteTeam'].contains(ctx.event.action)) {
+ ctx.group.put("name", ctx.mattermost?.audit?.team?.name);
+ ctx.group.put("id", ctx.mattermost?.audit?.team?.id);
+ }
+ if(['addTeamMembers','removeTeamMember'].contains(ctx.event.action)) {
+ ctx.user.target.group.put("name", ctx.mattermost?.audit?.team?.name);
+ ctx.user.target.group.put("id", ctx.mattermost?.audit?.team?.id);
+ }
+- append:
+ field: related.user
+ value: '{{user.name}}'
+ allow_duplicates: false
+ if: ctx.user?.name != null
+- append:
+ field: related.user
+ value: '{{user.changes.name}}'
+ allow_duplicates: false
+ if: ctx.user?.changes?.name != null
+- append:
+ field: related.user
+ value: '{{user.id}}'
+ allow_duplicates: false
+ if: ctx.user?.id != null
+- append:
+ field: related.user
+ value: '{{user.target.id}}'
+ allow_duplicates: false
+ if: ctx.user?.target?.id != null && ctx.user.target.id instanceof String
+- foreach:
+ field: user.target.id
+ processor:
+ append:
+ field: related.user
+ value: '{{_ingest._value}}'
+ allow_duplicates: false
+ ignore_missing: true
+ if: ctx.user?.target?.id != null && ctx.user.target.id instanceof List
+- append:
+ field: related.ip
+ value: '{{source.ip}}'
+ allow_duplicates: false
+ if: ctx.source?.ip != null
+- append:
+ field: mattermost.audit.related.channel
+ value: '{{mattermost.audit.post.channel.id}}'
+ allow_duplicates: false
+ if: ctx.mattermost?.audit?.post?.channel?.id != null
+- append:
+ field: mattermost.audit.related.channel
+ value: '{{mattermost.audit.channel.id}}'
+ allow_duplicates: false
+ if: ctx.mattermost?.audit?.channel?.id != null
+- append:
+ field: mattermost.audit.related.team
+ value: '{{mattermost.audit.team.id}}'
+ allow_duplicates: false
+ if: ctx.mattermost?.audit?.team?.id != null
+- remove:
+ field:
+ - json
+ ignore_missing: true
+- remove:
+ field: event.original
+ if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+ ignore_failure: true
+ ignore_missing: true
+- script:
+ lang: painless
+ description: This script processor iterates over the whole document to remove fields with null values.
+ source: |
+ void handleMap(Map map) {
+ for (def x : map.values()) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ map.values().removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0));
+ }
+ void handleList(List list) {
+ for (def x : list) {
+ if (x instanceof Map) {
+ handleMap(x);
+ } else if (x instanceof List) {
+ handleList(x);
+ }
+ }
+ list.removeIf(v -> v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0));
+ }
+ handleMap(ctx);
+on_failure:
+- set:
+ field: error.message
+ value: '{{ _ingest.on_failure_message }}'
\ No newline at end of file
diff --git a/packages/mattermost/data_stream/audit/fields/agent.yml b/packages/mattermost/data_stream/audit/fields/agent.yml
new file mode 100644
index 000000000000..da4e652c53b8
--- /dev/null
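Review bot: `json.patch` and `json.patched` are both renamed onto `mattermost.audit.patch`, `json.channel` and `json.channeld` onto `mattermost.audit.channel`, and `json.user.id`, `json.remove_user_id` and `json.user_ids` all onto `user.target.id`; a rename processor fails when its target field already exists, so an event carrying two of those keys at once (whether Mattermost emits such events is not verifiable from the test log here) would abort the pipeline and leave only `error.message` from the `on_failure` handler. Either gate the later renames on the target being empty, e.g. `if: ctx.mattermost?.audit?.patch == null`, or give them `ignore_failure: true`. `json.channeld` also looks like a typo and should be checked against the Mattermost audit field names. The `rename` of `json.user_id` to `user.id` appears twice in a row; the second copy is dead because of `ignore_missing` and can be dropped. Since `json.post` and `json.patch` are moved wholesale, every subfield they carry ends up in the document although only a few are declared in fields.yml, so it is worth enumerating or dropping the subfields the integration actually needs rather than indexing whatever payload the audit record contains.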
+++ b/packages/mattermost/data_stream/audit/fields/agent.yml 
@@ -0,0 +1,198 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ type: group
+ fields:
+ - name: account.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
+
+ Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
+ example: 666777888999
+ - name: availability_zone
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Availability zone in which this host is running.
+ example: us-east-1c
+ - name: instance.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ - name: instance.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance name of the host machine.
+ - name: machine.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine type of the host machine.
+ example: t2.medium
+ - name: provider
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+ example: aws
+ - name: region
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Region in which this host is running.
+ example: us-east-1
+ - name: project.id
+ type: keyword
+ description: Name of the project in Google Cloud.
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
+- name: container
+ title: Container
+ group: 2
+ description: 'Container fields are used for meta information about the specific container that is the source of information.
+
+ These fields help correlate data based containers from any runtime.'
+ type: group
+ fields:
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique container id.
+ - name: image.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the image the container was built on.
+ - name: labels
+ level: extended
+ type: object
+ object_type: keyword
+ description: Image labels.
+ - name: name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Container name.
+- name: host
+ title: Host
+ group: 2
+ description: 'A host is defined as a general computing instance.
+
+ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
+ type: group
+ fields:
+ - name: architecture
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Operating system architecture.
+ example: x86_64
+ - name: domain
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the domain of which the host is a member.
+
+ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
+ example: CONTOSO
+ default_field: false
+ - name: hostname
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Hostname of the host.
+
+ It normally contains what the `hostname` command returns on the host machine.'
+ - name: id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique host id.
+
+ As hostname is not always unique, use values that are meaningful in your environment.
+
+ Example: The current usage of `beat.name`.'
+ - name: ip
+ level: core
+ type: ip
+ description: Host ip addresses.
+ - name: mac
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Host mac addresses.
+ - name: name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Name of the host.
+
+ It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
+ - name: os.family
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: OS family (such as redhat, debian, freebsd, windows).
+ example: debian
+ - name: os.kernel
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system kernel version as a raw string.
+ example: 4.4.0-112-generic
+ - name: os.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: text
+ norms: false
+ default_field: false
+ description: Operating system name, without the version.
+ example: Mac OS X
+ - name: os.platform
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system platform (such centos, ubuntu, windows).
+ example: darwin
+ - name: os.version
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Operating system version as a raw string.
+ example: 10.14.1
+ - name: type
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: 'Type of host.
+
+ For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
+ - name: containerized
+ type: boolean
+ description: >
+ If the host is a container.
+
+ - name: os.build
+ type: keyword
+ example: "18D109"
+ description: >
+ OS build information.
+
+ - name: os.codename
+ type: keyword
+ example: "stretch"
+ description: >
+ OS codename, if any.
+
diff --git a/packages/mattermost/data_stream/audit/fields/base-fields.yml b/packages/mattermost/data_stream/audit/fields/base-fields.yml
new file mode 100644
index 000000000000..f420124bd00c
--- /dev/null
+++ b/packages/mattermost/data_stream/audit/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset name.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module
+ value: mattermost
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset
+ value: mattermost.audit
+- name: "@timestamp"
+ type: date
+ description: Event timestamp.
diff --git a/packages/mattermost/data_stream/audit/fields/beats.yml b/packages/mattermost/data_stream/audit/fields/beats.yml
new file mode 100644
index 000000000000..cb44bb29442a
--- /dev/null
+++ b/packages/mattermost/data_stream/audit/fields/beats.yml
@@ -0,0 +1,12 @@
+- name: input.type
+ type: keyword
+ description: Type of Filebeat input.
+- name: log.flags
+ type: keyword
+ description: Flags for the log file.
+- name: log.offset
+ type: long
+ description: Offset of the entry in the log file.
+- name: log.file.path
+ type: keyword
+ description: Path to the log file.
diff --git a/packages/mattermost/data_stream/audit/fields/ecs.yml b/packages/mattermost/data_stream/audit/fields/ecs.yml
new file mode 100644
index 000000000000..e51142dc94ef
--- /dev/null
+++ b/packages/mattermost/data_stream/audit/fields/ecs.yml
@@ -0,0 +1,76 @@
+- name: user_agent.device.name
+ external: ecs
+- name: user_agent.name
+ external: ecs
+- name: user_agent.original
+ external: ecs
+- name: user_agent.os.name
+ external: ecs
+- name: user_agent.os.version
+ external: ecs
+- name: user_agent.os.full
+ external: ecs
+- name: user_agent.version
+ external: ecs
+- name: url.path
+ external: ecs
+- name: url.original
+ external: ecs
+- name: source.address
+ external: ecs
+- name: source.as.number
+ external: ecs
+- name: source.as.organization.name
+ external: ecs
+- name: source.bytes
+ external: ecs
+- name: source.geo.city_name
+ external: ecs
+- name: source.geo.continent_name
+ external: ecs
+- name: source.geo.country_iso_code
+ external: ecs
+- name: source.geo.country_name
+ external: ecs
+- name: source.geo.location
+ description: Longitude and latitude.
+ example: '{ "lon": -73.614830, "lat": 45.505918 }'
+ type: geo_point
+- name: source.geo.name
+ external: ecs
+- name: source.geo.region_iso_code
+ external: ecs
+- name: source.geo.region_name
+ external: ecs
+- name: source.ip
+ external: ecs
+- name: tags
+ external: ecs
+- name: ecs.version
+ external: ecs
+- name: error.code
+ external: ecs
+- name: group.id
+ external: ecs
+- name: group.name
+ external: ecs
+- name: http.response.status_code
+ external: ecs
+- name: user.id
+ external: ecs
+- name: user.target.id
+ external: ecs
+- name: user.target.name
+ external: ecs
+- name: user.target.roles
+ external: ecs
+- name: user.target.group.id
+ external: ecs
+- name: user.target.group.name
+ external: ecs
+- name: user.changes.name
+ external: ecs
+- name: related.user
+ external: ecs
+- name: related.ip
+ external: ecs
diff --git a/packages/mattermost/data_stream/audit/fields/fields.yml b/packages/mattermost/data_stream/audit/fields/fields.yml
new file mode 100644
index 000000000000..ef12410ec03a
--- /dev/null
+++ b/packages/mattermost/data_stream/audit/fields/fields.yml
@@ -0,0 +1,86 @@
+- name: mattermost.audit
+ type: group
+ description: >
+ Fields for Mattermost audit logs
+
+ fields:
+ - name: api_path
+ type: keyword
+ description: >-
+ REST API endpoint
+ - name: channel.id
+ type: keyword
+ description: >-
+ ID of affected channel
+ - name: channel.name
+ type: keyword
+ description: >-
+ Name of affected channel
+ - name: channel.type
+ type: keyword
+ description: >-
+ Type of affected channel
+ - name: cluster.id
+ type: keyword
+ description: >-
+ Mattermost cluster ID
+ - name: team.id
+ type: keyword
+ description: >-
+ ID of affected team
+ - name: team.name
+ type: keyword
+ description: >-
+ Name of affected team
+ - name: team.type
+ type: keyword
+ description: >-
+ Type of affected team
+ - name: status
+ type: keyword
+ description: >-
+ Outcome of action/event, ex. success, fail, attempt...
+ - name: session.id
+ type: keyword
+ description: >-
+ ID of session used to call the API
+ - name: post.channel.id
+ type: keyword
+ description: >-
+ Channel ID of post
+ - name: post.id
+ type: keyword
+ description: >-
+ Post ID
+ - name: post.pinned
+ type: boolean
+ description: >-
+ Whether or not the post was pinned to the channel
+ - name: related.channel
+ type: keyword
+ description: >-
+ List of channels realted to the event
+ - name: related.team
+ type: keyword
+ description: >-
+ List of channels realted to the event
+ - name: patch.id
+ type: keyword
+ description: >-
+ ID of patched channel/team/user...
+ - name: patch.name
+ type: keyword
+ description: >-
+ Name of patched channel/team/user...
+ - name: patch.type
+ type: keyword
+ description: >-
+ Type of patched channel/team/user...
+ - name: patch.roles
+ type: keyword
+ description: >-
+ Roles of patched user
+ - name: error.message
+ type: keyword
+ description: >-
+ Mattermost error message
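Review bot: The descriptions of `related.channel` and `related.team` both read "List of channels realted to the event"; besides the typo, the second one describes teams and should say `List of teams related to the event`, and the same text is copied into docs/README.md in this commit. `mattermost.audit.device.id` is written by the pipeline (the `json.device_id` rename) but has no entry in this file, so it would presumably be left to dynamic mapping; adding `- name: device.id` with `type: keyword` keeps the mapping explicit. Conversely `status` is declared here but never populated — the pipeline only reads `json.status` to derive `event.outcome` and then drops the whole `json` object — so either map it or remove the declaration.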
diff --git a/packages/mattermost/data_stream/audit/manifest.yml b/packages/mattermost/data_stream/audit/manifest.yml
new file mode 100644
index 000000000000..ec6a496cbb51
--- /dev/null
+++ b/packages/mattermost/data_stream/audit/manifest.yml
@@ -0,0 +1,36 @@
+title: "Audit Logs"
+type: logs
+streams:
+ - input: logfile
+ title: Audit Logs
+ description: Collect audit logs from Mattermost server
+ vars:
+ - name: paths
+ type: text
+ title: Paths
+ multi: true
+ required: true
+ show_user: true
+ - name: tags
+ type: text
+ title: Tags
+ multi: true
+ required: true
+ show_user: true
+ default:
+ - mattermost-audit
+ - name: preserve_original_event
+ required: true
+ show_user: true
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field `event.original`
+ type: bool
+ multi: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: "Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. \nThis executes in the agent before the logs are parsed. \nSee [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.\n"
diff --git a/packages/mattermost/data_stream/audit/sample_event.json b/packages/mattermost/data_stream/audit/sample_event.json
new file mode 100644
index 000000000000..d82b183d4dc6
--- /dev/null
+++ b/packages/mattermost/data_stream/audit/sample_event.json
@@ -0,0 +1,117 @@
+{
+ "@timestamp": "2021-12-04T23:19:32.051Z",
+ "agent": {
+ "ephemeral_id": "8d391088-8441-4b12-a162-5f62e284b76c",
+ "hostname": "docker-fleet-agent",
+ "id": "4683a8e0-c081-4d5f-88dc-30811cc8be6a",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "7.16.0"
+ },
+ "data_stream": {
+ "dataset": "mattermost.audit",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "1.12"
+ },
+ "elastic_agent": {
+ "id": "4683a8e0-c081-4d5f-88dc-30811cc8be6a",
+ "snapshot": true,
+ "version": "7.16.0"
+ },
+ "event": {
+ "action": "updateConfig",
+ "agent_id_status": "verified",
+ "category": [
+ "configuration"
+ ],
+ "dataset": "mattermost.audit",
+ "ingested": "2021-12-08T15:27:53Z",
+ "kind": "event",
+ "original": "{\"timestamp\":\"2021-12-04 23:19:32.051 Z\",\"event\":\"updateConfig\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"pjh4n69j3p883k7hhzippskcba\",\"ip_address\":\"172.19.0.1\",\"api_path\":\"/api/v4/config\",\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}",
+ "outcome": "success",
+ "type": [
+ "change"
+ ]
+ },
+ "host": {
+ "architecture": "x86_64",
+ "containerized": true,
+ "hostname": "docker-fleet-agent",
+ "id": "83a5cd10d1960dd73f42bd2801d238c3",
+ "ip": [
+ "172.30.0.4"
+ ],
+ "mac": [
+ "02:42:ac:1e:00:04"
+ ],
+ "name": "docker-fleet-agent",
+ "os": {
+ "codename": "Core",
+ "family": "redhat",
+ "kernel": "5.4.0-90-generic",
+ "name": "CentOS Linux",
+ "platform": "centos",
+ "type": "linux",
+ "version": "7 (Core)"
+ }
+ },
+ "input": {
+ "type": "log"
+ },
+ "log": {
+ "file": {
+ "path": "/tmp/service_logs/audit.log"
+ },
+ "offset": 0
+ },
+ "mattermost": {
+ "audit": {
+ "api_path": "/api/v4/config",
+ "cluster": {
+ "id": "jq3utry71f8a7q9qgebmjccf4r"
+ },
+ "session": {
+ "id": "pjh4n69j3p883k7hhzippskcba"
+ }
+ }
+ },
+ "related": {
+ "ip": [
+ "172.19.0.1"
+ ],
+ "user": [
+ "ag99yu4i1if63jrui63tsmq57y"
+ ]
+ },
+ "source": {
+ "address": "172.19.0.1",
+ "ip": "172.19.0.1"
+ },
+ "tags": [
+ "mattermost-audit",
+ "preserve_original_event"
+ ],
+ "url": {
+ "original": "/api/v4/config",
+ "path": "/api/v4/config"
+ },
+ "user": {
+ "id": "ag99yu4i1if63jrui63tsmq57y"
+ },
+ "user_agent": {
+ "device": {
+ "name": "Other"
+ },
+ "name": "Chrome",
+ "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36",
+ "os": {
+ "full": "Windows 10",
+ "name": "Windows",
+ "version": "10"
+ },
+ "version": "96.0.4664.45"
+ }
+}
\ No newline at end of file
diff --git a/packages/mattermost/docs/README.md b/packages/mattermost/docs/README.md
new file mode 100644
index 000000000000..525f6de2eaed
--- /dev/null
+++ b/packages/mattermost/docs/README.md
@@ -0,0 +1,233 @@ +# Mattermost Integration + +The Mattermost integration collects logs from Mattermost servers. This integration has been tested with Mattermost version 5.31.9 but is expected to work with other versions. + +## Logs + +### Audit + +All access to the Mattermost REST API or CLI is audited. + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset name. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword | +| error.code | Error code describing the error. | keyword | +| event.dataset | Event dataset | constant_keyword | +| event.module | Event module | constant_keyword | +| group.id | Unique identifier for the group on the system/platform. | keyword | +| group.name | Name of the group. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword |
+| http.response.status_code | HTTP response status code. | long |
+| input.type | Type of Filebeat input. | keyword |
+| log.file.path | Path to the log file. | keyword |
+| log.flags | Flags for the log file. | keyword |
+| log.offset | Offset of the entry in the log file. | long |
+| mattermost.audit.api_path | REST API endpoint | keyword |
+| mattermost.audit.channel.id | ID of affected channel | keyword |
+| mattermost.audit.channel.name | Name of affected channel | keyword |
+| mattermost.audit.channel.type | Type of affected channel | keyword |
+| mattermost.audit.cluster.id | Mattermost cluster ID | keyword |
+| mattermost.audit.error.message | Mattermost error message | keyword |
+| mattermost.audit.patch.id | ID of patched channel/team/user... | keyword |
+| mattermost.audit.patch.name | Name of patched channel/team/user... | keyword |
+| mattermost.audit.patch.roles | Roles of patched user | keyword |
+| mattermost.audit.patch.type | Type of patched channel/team/user... | keyword |
+| mattermost.audit.post.channel.id | Channel ID of post | keyword |
+| mattermost.audit.post.id | Post ID | keyword |
+| mattermost.audit.post.pinned | Whether or not the post was pinned to the channel | boolean |
+| mattermost.audit.related.channel | List of channels realted to the event | keyword |
+| mattermost.audit.related.team | List of channels realted to the event | keyword |
+| mattermost.audit.session.id | ID of session used to call the API | keyword |
+| mattermost.audit.status | Outcome of action/event, ex. success, fail, attempt... | keyword |
+| mattermost.audit.team.id | ID of affected team | keyword |
+| mattermost.audit.team.name | Name of affected team | keyword |
+| mattermost.audit.team.type | Type of affected team | keyword |
+| related.ip | All of the IPs seen on your event. | ip |
+| related.user | All the user names or other user identifiers seen on the event. | keyword |
+| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
+| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long |
+| source.as.organization.name | Organization name. | keyword |
+| source.bytes | Bytes sent from the source to the destination. | long |
+| source.geo.city_name | City name. | keyword |
+| source.geo.continent_name | Name of the continent. | keyword |
+| source.geo.country_iso_code | Country ISO code. | keyword |
+| source.geo.country_name | Country name. | keyword |
+| source.geo.location | Longitude and latitude. | geo_point |
+| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| source.geo.region_iso_code | Region ISO code. | keyword |
+| source.geo.region_name | Region name. | keyword |
+| source.ip | IP address of the source (IPv4 or IPv6). | ip |
+| tags | List of keywords used to tag each event. | keyword |
+| url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. | wildcard |
+| url.path | Path of the request, such as "/search". | wildcard |
+| user.changes.name | Short name or login of the user. | keyword |
+| user.id | Unique identifier of the user. | keyword |
+| user.target.group.id | Unique identifier for the group on the system/platform. | keyword |
+| user.target.group.name | Name of the group. | keyword |
+| user.target.id | Unique identifier of the user. | keyword |
+| user.target.name | Short name or login of the user. | keyword |
+| user.target.roles | Array of user roles at the time of the event. | keyword |
+| user_agent.device.name | Name of the device. | keyword |
+| user_agent.name | Name of the user agent. | keyword |
+| user_agent.original | Unparsed user_agent string. | keyword |
+| user_agent.os.full | Operating system name, including the version or code name. | keyword |
+| user_agent.os.name | Operating system name, without the version. | keyword |
+| user_agent.os.version | Operating system version as a raw string. | keyword |
+| user_agent.version | Version of the user agent. | keyword |
+
+
+An example event for `audit` looks as following:
+
+```json
+{
+ "@timestamp": "2021-12-04T23:19:32.051Z",
+ "agent": {
+ "ephemeral_id": "8d391088-8441-4b12-a162-5f62e284b76c",
+ "hostname": "docker-fleet-agent",
+ "id": "4683a8e0-c081-4d5f-88dc-30811cc8be6a",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "7.16.0"
+ },
+ "data_stream": {
+ "dataset": "mattermost.audit",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "1.12"
+ },
+ "elastic_agent": {
+ "id": "4683a8e0-c081-4d5f-88dc-30811cc8be6a",
+ "snapshot": true,
+ "version": "7.16.0"
+ },
+ "event": {
+ "action": "updateConfig",
+ "agent_id_status": "verified",
+ "category": [
+ "configuration"
+ ],
+ "dataset": "mattermost.audit",
+ "ingested": "2021-12-08T15:27:53Z",
+ "kind": "event",
+ "original": "{\"timestamp\":\"2021-12-04 23:19:32.051 Z\",\"event\":\"updateConfig\",\"status\":\"success\",\"user_id\":\"ag99yu4i1if63jrui63tsmq57y\",\"session_id\":\"pjh4n69j3p883k7hhzippskcba\",\"ip_address\":\"172.19.0.1\",\"api_path\":\"/api/v4/config\",\"cluster_id\":\"jq3utry71f8a7q9qgebmjccf4r\",\"client\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36\"}",
+ "outcome": "success",
+ "type": [
+ "change"
+ ]
+ },
+ "host": {
+ "architecture": "x86_64",
+ "containerized": true,
+ "hostname": "docker-fleet-agent",
+ "id": "83a5cd10d1960dd73f42bd2801d238c3",
+ "ip": [
+ "172.30.0.4"
+ ],
+ "mac": [
+ "02:42:ac:1e:00:04"
+ ],
+ "name": "docker-fleet-agent",
+ "os": {
+ "codename": "Core",
+ "family": "redhat",
+ "kernel": "5.4.0-90-generic",
+ "name": "CentOS Linux",
+ "platform": "centos",
+ "type": "linux",
+ "version": "7 (Core)"
+ }
+ },
+ "input": {
+ "type": "log"
+ },
+ "log": {
+ "file": {
+ "path": "/tmp/service_logs/audit.log"
+ },
+ "offset": 0
+ },
+ "mattermost": {
+ "audit": {
+ "api_path": "/api/v4/config",
+ "cluster": {
+ "id": "jq3utry71f8a7q9qgebmjccf4r"
+ },
+ "session": {
+ "id": "pjh4n69j3p883k7hhzippskcba"
+ }
+ }
+ },
+ "related": {
+ "ip": [
+ "172.19.0.1"
+ ],
+ "user": [
+ "ag99yu4i1if63jrui63tsmq57y"
+ ]
+ },
+ "source": {
+ "address": "172.19.0.1",
+ "ip": "172.19.0.1"
+ },
+ "tags": [
+ "mattermost-audit",
+ "preserve_original_event"
+ ],
+ "url": {
+ "original": "/api/v4/config",
+ "path": "/api/v4/config"
+ },
+ "user": {
+ "id": "ag99yu4i1if63jrui63tsmq57y"
+ },
+ "user_agent": {
+ "device": {
+ "name": "Other"
+ },
+ "name": "Chrome",
+ "original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36",
+ "os": {
+ "full": "Windows 10",
+ "name": "Windows",
+ "version": "10"
+ },
+ "version": "96.0.4664.45"
+ }
+}
+```
diff --git a/packages/mattermost/img/mattermost-logo.svg b/packages/mattermost/img/mattermost-logo.svg
new file mode 100644
index 000000000000..2905ca74ac1d
--- /dev/null
+++ b/packages/mattermost/img/mattermost-logo.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/packages/mattermost/manifest.yml b/packages/mattermost/manifest.yml
new file mode 100644
index 000000000000..bc7a868e1197
--- /dev/null
+++ b/packages/mattermost/manifest.yml
@@ -0,0 +1,28 @@
+format_version: 1.0.0
+name: mattermost
+title: "Mattermost"
+version: 1.0.0
+license: basic
+description: Collect and parse logs from Mattermost with Elastic Agent.
+type: integration
+categories:
+ - security
+ - web
+release: ga
+conditions:
+ kibana.version: "^7.16.0 || ^8.0.0"
+icons:
+ - src: /img/mattermost-logo.svg
+ title: Mattermost logo
+ size: 537x535
+ type: image/svg+xml
+policy_templates:
+ - name: logs
+ title: Mattermost Logs
+ description: Collect logs from Mattermost
+ inputs:
+ - type: logfile
+ title: Collect logs from Mattermost servers
+ description: Collect logs from Mattermost servers
+owner:
+ github: elastic/security-external-integrations
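Review bot: The `logfile` input under `policy_templates` repeats its `title` verbatim as its `description` (`Collect logs from Mattermost servers` twice), so the description gives an operator in the Fleet UI nothing the title does not. A description that names what is actually collected would help, for example `description: Collect audit logs (audit.log) from Mattermost servers`; the sample event in the README hunk above carries only the `mattermost.audit` dataset and a path ending in `audit.log`, so naming the audit log here appears accurate for this release. The package-level `description` and the policy template's `description` could likewise say that Mattermost audit events are what is parsed, rather than the generic "logs". Separately, `release: ga` is declared at `version: 1.0.0` in the package's first commit; if the repository's convention is to ship new packages as `beta` until the pipeline has been exercised on production data, this should be `release: beta`.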