[sentinel_one_cloud_funnel] Add system test for aws-s3 input (#8386)

* Add system test for aws-s3 input

* Fix fields and bump version

Author: bhapas

packages/sentinel_one_cloud_funnel/_dev/deploy/tf/env.yml

@@ -0,0 +1,9 @@
+version: '2.3'
+services:
+  terraform:
+    environment:
+      - AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID}
+      - AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}
+      - AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN}
+      - AWS_PROFILE=${AWS_PROFILE}
+      - AWS_REGION=${AWS_REGION:-us-east-1}

packages/sentinel_one_cloud_funnel/_dev/deploy/tf/files/test-command-script.log

@@ -0,0 +1 @@
+{"timestamp":"10:47:24.180","src.process.parent.isStoryline™Root":false,"event.category":"command_script","src.process.parent.image.sha1":"134fd2ad04cf59b0c10596230da5daf6fc711bd1","site.id":"123456789123456789","src.process.image.binaryIsExecutable":true,"src.process.parent.displayName":"MicrosoftCompatibilityTelemetry","src.process.user":"NTAUTHORITY\\SYSTEM","src.process.parent.subsystem":"SYS_WIN32","src.process.indicatorRansomwareCount":0,"src.process.crossProcessDupRemoteProcessHandleCount":0,"src.process.activeContent.signedStatus":"unsigned","src.process.tgtFileCreationCount":0,"src.process.indicatorInjectionCount":0,"src.process.moduleCount":284,"src.process.parent.name":"CompatTelRunner.exe","i.version":"preprocess-lib-1.0","src.process.activeContentType":"CLI","sca:atlantisIngestTime":1666684057507,"src.process.image.md5":"7353f60b1739074eb17c5f4dddefe239","src.process.indicatorReconnaissanceCount":8,"src.process.Storyline™.id":"87EE3C19E0250305","src.process.childProcCount":1,"mgmt.url":"asdf-123.sentinelone.org","src.process.crossProcessOpenProcessCount":0,"cmdScript.isComplete":true,"src.process.subsystem":"SYS_WIN32","meta.event.name":"SCRIPTS","src.process.parent.integrityLevel":"SYSTEM","src.process.indicatorExploitationCount":0,"src.process.parent.Storyline™.id":"87EE3C19E0250305","i.scheme":"edr","src.process.integrityLevel":"SYSTEM","site.name":"ASDF","src.process.netConnInCount":0,"event.time":1666684044180,"account.id":"123456789123456789","dataSource.name":"SentinelOne","endpoint.name":"asdf1","src.process.image.sha1":"6cbce4a295c163791b60fc23d285e6d84f28ee4c","src.process.isStoryline™Root":false,"cmdScript.applicationName":"PowerShell_C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe_10.0.17763.1","src.process.parent.image.path":"C:\\Windows\\System32\\CompatTelRunner.exe","src.process.pid":5912,"tgt.file.isSigned":"signed","sca:ingestTime":1666684063,"dataSource.category":"security","src.process.cmdline":"powershell.exe-ExecutionPolicyRestricted-CommandWrite-Host'Finalresult:1';","src.process.publisher":"MICROSOFTWINDOWS","src.process.crossProcessThreadCreateCount":0,"src.process.parent.isNative64Bit":false,"src.process.parent.isRedirectCmdProcessor":false,"src.process.signedStatus":"signed","src.process.crossProcessCount":0,"event.id":"01GG71RXEEHZQFY6XZ1WGS2BAE_168","src.process.parent.cmdline":"C:\\Windows\\system32\\CompatTelRunner.exe-m:appraiser.dll-f:DoScheduledTelemetryRun-cv:1DRRwZous0W15sCL.2","cmdScript.content":"$global:?","src.process.image.path":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","src.process.tgtFileModificationCount":4,"src.process.indicatorEvasionCount":1,"src.process.netConnOutCount":0,"cmdScript.sha256":"feb60de98632d9f666e16e89bd1c99174801c761115d4a9f52f05ef41e397d2d","src.process.crossProcessDupThreadHandleCount":0,"endpoint.os":"windows","src.process.tgtFileDeletionCount":0,"src.process.startTime":1666684041917,"mgmt.id":"1337","os.name":"WindowsServer2019Standard","src.process.activeContent.id":"3EFA3EFA3EFA3EFA","src.process.displayName":"WindowsPowerShell","src.process.activeContent.path":"\\\\Unknowndevice\\Unknownfile","src.process.isNative64Bit":false,"src.process.parent.sessionId":0,"src.process.uid":"230B188E26085676","src.process.parent.image.md5":"47dd94d79d9bac54a2c3a1cf502770c6","src.process.indicatorInfostealerCount":0,"src.process.indicatorBootConfigurationUpdateCount":0,"process.unique.key":"230B188E26085676","cmdScript.originalSize":18,"agent.version":"22.1.4.10010","src.process.parent.uid":"8608188E26085676","src.process.parent.image.sha256":"046f009960f70981597cd7b3a1e44cbb4ba5893cc1407734366aa55fbeda5d66","src.process.sessionId":0,"src.process.netConnCount":0,"mgmt.osRevision":"17763","group.id":"asdf","src.process.isRedirectCmdProcessor":false,"src.process.verifiedStatus":"verified","src.process.parent.publisher":"MICROSOFTWINDOWS","src.process.parent.startTime":1666683971590,"src.process.dnsCount":0,"endpoint.type":"server","trace.id":"01GG71RXEEHZQFY6XZ1WGS2BAE","src.process.name":"powershell.exe","agent.uuid":"asdf356783457dfds4456d65","src.process.activeContent.hash":"a8ae2c841e3f0f39d494a45370815a90cf00421e","src.process.image.sha256":"de96a6e69944335375dc1ac238336066889d9ffc7d73628ef4fe1b1b160ab32c","src.process.indicatorGeneralCount":49,"src.process.crossProcessOutOfStoryline™Count":0,"src.process.registryChangeCount":0,"packet.id":"9CB6AC4F10C34F5BB0A2788760E870F5","src.process.indicatorPersistenceCount":0,"src.process.parent.signedStatus":"signed","src.process.parent.user":"NTAUTHORITY\\SYSTEM","event.type":"CommandScript","src.process.indicatorPostExploitationCount":0,"src.process.parent.pid":6008}

packages/sentinel_one_cloud_funnel/_dev/deploy/tf/main.tf

@@ -0,0 +1,57 @@
+provider "aws" {
+  region = "us-east-1"
+  default_tags {
+    tags = {
+      environment  = var.ENVIRONMENT
+      repo         = var.REPO
+      branch       = var.BRANCH
+      build        = var.BUILD_ID
+      created_date = var.CREATED_DATE
+    }
+  }
+}
+
+resource "aws_s3_bucket" "bucket" {
+  bucket = "elastic-package-sentinel-one-bucket-${var.TEST_RUN_ID}"
+}
+
+resource "aws_sqs_queue" "queue" {
+  name       = "elastic-package-sentinel-one-queue-${var.TEST_RUN_ID}"
+  policy     = <<POLICY
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": "*",
+      "Action": "sqs:SendMessage",
+      "Resource": "arn:aws:sqs:*:*:elastic-package-sentinel-one-queue-${var.TEST_RUN_ID}",
+      "Condition": {
+        "ArnEquals": { "aws:SourceArn": "${aws_s3_bucket.bucket.arn}" }
+      }
+    }
+  ]
+}
+POLICY
+}
+
+resource "aws_s3_bucket_notification" "bucket_notification" {
+  bucket = aws_s3_bucket.bucket.id
+
+  queue {
+    queue_arn = aws_sqs_queue.queue.arn
+    events    = ["s3:ObjectCreated:*"]
+  }
+}
+
+resource "aws_s3_object" "object" {
+  bucket = aws_s3_bucket.bucket.id
+  key    = "command_script.log"
+  source = "./files/test-command-script.log"
+
+  depends_on = [aws_sqs_queue.queue]
+}
+
+output "queue_url" {
+  value = aws_sqs_queue.queue.url
+}

packages/sentinel_one_cloud_funnel/_dev/deploy/tf/variables.tf

@@ -0,0 +1,26 @@
+variable "BRANCH" {
+  description = "Branch name or pull request for tagging purposes"
+  default     = "unknown-branch"
+}
+
+variable "BUILD_ID" {
+  description = "Build ID in the CI for tagging purposes"
+  default     = "unknown-build"
+}
+
+variable "CREATED_DATE" {
+  description = "Creation date in epoch time for tagging purposes"
+  default     = "unknown-date"
+}
+
+variable "ENVIRONMENT" {
+  default = "unknown-environment"
+}
+
+variable "REPO" {
+  default = "unknown-repo-name"
+}
+
+variable "TEST_RUN_ID" {
+  default = "detached"
+}

packages/sentinel_one_cloud_funnel/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.7.1"
+  changes:
+    - description: Add missing fields from beats input
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/8386
 - version: "0.7.0"
   changes:
     - description: Improve 'event.original' check to avoid errors if set.

packages/sentinel_one_cloud_funnel/data_stream/event/_dev/test/system/test-default-config.yml

@@ -0,0 +1,12 @@
+input: aws-s3
+wait_for_data_timeout: 20m
+vars:
+  access_key_id: "{{AWS_ACCESS_KEY_ID}}"
+  secret_access_key: "{{AWS_SECRET_ACCESS_KEY}}"
+  session_token: "{{AWS_SESSION_TOKEN}}"
+  queue_url: "{{TF_OUTPUT_queue_url}}"
+data_stream:
+  vars:
+    preserve_original_event: true
+    file_selectors: |
+      - regex: '^(.+?)\.log'

packages/sentinel_one_cloud_funnel/data_stream/event/fields/beats.yml

@@ -7,3 +7,18 @@
 - name: tags
   type: keyword
   description: User defined tags.
+- name: aws.s3
+  type: group
+  fields:
+    - name: bucket
+      type: group
+      fields:
+        - name: name
+          type: keyword
+        - name: arn
+          type: keyword
+    - name: object
+      type: group
+      fields:
+        - name: key
+          type: keyword