HEX

File: //usr/share/filebeat/module/salesforce/login-rest/ingest/pipeline.yml
---
description: Pipeline for parsing Salesforce Login (REST) logs
processors:
- set:
    field: event.ingested
    value: '{{_ingest.timestamp}}'
- remove:
    field:
      - message
    ignore_missing: true

- set:
    field: salesforce.access_mode
    value: rest
    ignore_failure: true

- date:
    field: json.TIMESTAMP_DERIVED
    target_field: "@timestamp"
    formats:
    - ISO8601
    ignore_failure: true

- rename:
    field: json.API_TYPE
    target_field: salesforce.login.api_type
    ignore_missing: true
- rename:
    field: json.AUTHENTICATION_METHOD_REFERENCE
    target_field: salesforce.login.authentication_method_reference
    ignore_missing: true
- rename:
    field: json.REQUEST_STATUS
    target_field: salesforce.login.request_status
    ignore_missing: true
- rename:
    field: json.API_VERSION
    target_field: salesforce.login.api_version
    ignore_missing: true
- rename:
    field: json.USER_ID_DERIVED
    target_field: salesforce.login.user_id_derived
    ignore_missing: true
- rename:
    field: json.LOGIN_KEY
    target_field: salesforce.login.login_key
    ignore_missing: true
- rename:
    field: json.EVENT_TYPE
    target_field: salesforce.login.event_type
    ignore_missing: true
- rename:
    field: json.REQUEST_ID
    target_field: salesforce.login.request_id
    ignore_missing: true
- rename:
    field: json.ORGANIZATION_ID
    target_field: salesforce.login.organization_id
    ignore_missing: true
- rename:
    field: json.RUN_TIME
    target_field: salesforce.login.run_time
    ignore_missing: true
- rename:
    field: json.CPU_TIME
    target_field: salesforce.login.cpu_time
    ignore_missing: true
- rename:
    field: json.DB_TOTAL_TIME
    target_field: salesforce.login.db_total_time
    ignore_missing: true
- rename:
    field: json.CLIENT_IP
    target_field: salesforce.login.client_ip
    ignore_missing: true
- rename:
    field: json.URI_ID_DERIVED
    target_field: salesforce.login.uri_id_derived
    ignore_missing: true

#######################
## ECS Event Mapping ##
#######################

- rename:
    field: json.URI
    target_field: event.url
    ignore_missing: true
- set:
    field: event.outcome
    value: success
    if: 'ctx?.json?.LOGIN_STATUS == "LOGIN_NO_ERROR" && ctx?.json?.LOGIN_STATUS != null'
    ignore_failure: true
- set:
    field: event.outcome
    value: failure
    if: 'ctx?.json?.LOGIN_STATUS != "LOGIN_NO_ERROR" && ctx?.json?.LOGIN_STATUS != null'
    ignore_failure: true
- set:
    field: event.type
    value: "info"
- set:
    field: event.kind
    value: "event"
- set:
    field: event.action
    value: "login-attempt"
- set:
    field: event.category
    value: "authentication"
- set:
    field: event.dataset
    value: "salesforce.login"
- set:
    field: event.module
    value: "salesforce"

######################
## ECS User Mapping ##
######################

# As per the following article, the username must be in the format of an email address.
# Reference: https://help.salesforce.com/s/articleView?language=en_US&type=5&id=sf.basics_intro_usernames_passwords.htm
- rename:
    field: json.USER_NAME
    target_field: user.email
    ignore_missing: true
- rename:
    field: json.USER_ID
    target_field: user.id
    ignore_missing: true
- rename:
    field: json.USER_TYPE
    target_field: user.roles
    ignore_missing: true

########################
## ECS Source Mapping ##
########################

- rename:
    field: json.SOURCE_IP
    target_field: source.ip
    ignore_missing: true
    if: 'ctx?.json?.SOURCE_IP != "Salesforce.com IP"'

############################
## ECS Source.Geo Mapping ##
############################

- geoip:
    field: source.ip
    target_field: source.geo
    ignore_missing: true

############################
## ECS Related.ip Mapping ##
############################

- append:
    field: related.ip
    value: "{{{source.ip}}}"
    if: ctx?.source?.ip != null
    allow_duplicates: false
    ignore_failure: true

- append:
    field: related.ip
    value: "{{{salesforce.login.client_ip}}}"
    if: 'ctx?.salesforce?.login?.client_ip != "Salesforce.com IP" && ctx?.salesforce?.login?.client_ip != null'
    allow_duplicates: false
    ignore_failure: true

############################
## ECS User Agent Mapping ##
############################

- rename:
    field: json.BROWSER_TYPE
    target_field: user_agent.name
    ignore_missing: true

#####################
## ECS TLS Mapping ##
#####################

- rename:
    field: json.CIPHER_SUITE
    target_field: tls.cipher
    ignore_missing: true
- dissect:
    pattern: "%{tls.version_protocol}v%{tls.version}"
    field: "json.TLS_PROTOCOL"
    ignore_failure: true

#############
## Cleanup ##
#############

- script:
    description: Drops null/empty values recursively
    lang: painless
    source: |
        boolean dropEmptyFields(Object object) {
            if (object == null || object == "") {
                return true;
            } else if (object instanceof Map) {
                ((Map) object).values().removeIf(value -> dropEmptyFields(value));
                return (((Map) object).size() == 0);
            } else if (object instanceof List) {
                ((List) object).removeIf(value -> dropEmptyFields(value));
                return (((List) object).length == 0);
            }
            return false;
        }
        dropEmptyFields(ctx);
- remove:
    field:
      - json
    ignore_missing: true
on_failure:
- set:
    field: error.message
    value: '{{_ingest.on_failure_message}}'