Enhancement: Add beelzebub integration, resolve elastic#12910 (elastic#12914)

Add beelzebub integration to support log ingest from Beelzebub LLM enabled honeypots.

Ingest is available from file using filestream, as well as http_endpoint.

Author: colin-stubbs

.github/CODEOWNERS

@@ -126,6 +126,7 @@
 /packages/bbot @elastic/security-service-integrations
 /packages/beaconing @elastic/ml-ui @elastic/sec-applied-ml
 /packages/beat @elastic/stack-monitoring
+/packages/beelzebub @elastic/security-service-integrations
 /packages/beyondinsight_password_safe @elastic/security-service-integrations
 /packages/beyondtrust_pra @elastic/security-service-integrations
 /packages/bitdefender @elastic/security-service-integrations

packages/beelzebub/_dev/build/build.yml

@@ -0,0 +1,3 @@
+dependencies:
+  ecs:
+    reference: [email protected]

packages/beelzebub/_dev/build/docs/README.md

@@ -0,0 +1,73 @@
+# Beelzebub Integration
+
+Beelzebub is an advanced honeypot framework designed to provide a highly secure environment for detecting and analysing cyber attacks. It offers a low code approach for easy implementation and uses AI LLM's to mimic the behaviour of a high-interaction honeypot.
+
+Beelzebub is available on GitHub via [https://github.com/mariocandela/beelzebub](https://github.com/mariocandela/beelzebub) or via [https://beelzebub-honeypot.com](https://beelzebub-honeypot.com)
+
+This integration provides multiple ingest source options including log files and via HTTP POST.
+
+This allows you to search, observe and visualize the Beelzebub logs through Elasticsearch and Kibana.
+
+This integration was last tested with Beelzebub `v3.3.6`.
+
+Please note that Beelzebub only produces NDJSON log files at this time, to ship logs to this integration via any other method you will require another component, such as [Logstash](https://www.elastic.co/logstash), which can perform this by reading the Beelzebub produced log files and transporting the content as it changes to an appropriately configured Elastic Agent input, an ingest location that can be utilised by an appropriately configured Elastic Agent, or directly into Elasticsearch.
+
+For more information, refer to:
+1. [GitHub](https://github.com/mariocandela/beelzebub)
+2. [Official Beelzebub Project Website](https://beelzebub-honeypot.com)
+
+## Compatability
+
+The package collects log events from file or by receiving HTTP POST requests.
+
+## Configuration
+
+### Enabling the integration in Elastic
+
+1. In Kibana go to **Management > Integrations**
+2. Ensure "Display beta integrations" is enabled beneath the category list to the left
+3. In "Search for integrations" search bar type **Beelzebub**
+4. Click on "Beelzebub" integration from the search results.
+5. Click on **Add Beelzebub** button to add the Beelzebub integration.
+6. Configure the integration as appropriate
+
+### Configure the Beelzebub integration
+
+1. Choose your ingest method, e.g. file or HTTP. If using HTTP you can enable HTTPS transport by providing an SSL certificate and private key.
+2. Choose to store the original event content in `event.original`, or not.
+3. Choose to redact passwords, or not.
+4. Configure advanced options if desired.
+
+### Example Beelzebub Logging Configuration
+
+Example `beelzebub.yaml` configuration.
+```
+core:
+  logging:
+    debug: false
+    debugReportCaller: false
+    logDisableTimestamp: false
+    logsPath: ./logs/beelzebub.log
+  tracings:
+    rabbit-mq:
+      enabled: false
+      uri: ""
+  prometheus:
+    path: "/metrics"
+    port: ":2112"
+  beelzebub-cloud:
+    enabled: false
+    uri: ""
+    auth-token: ""
+```
+
+## Logs
+
+The Beelzebub logs dataset provides logs from Beelzebub instances.
+
+All Beelzebub logs are available in the `beelzebub.logs` field group.
+
+{{fields "logs"}}
+
+{{event "logs"}}
+

packages/beelzebub/_dev/deploy/docker/docker-compose.yml

@@ -0,0 +1,15 @@
+services:
+  test-filestream:
+    image: alpine
+    volumes:
+      - ./sample_logs:/sample_logs:ro
+      - ${SERVICE_LOGS_DIR}:/var/log
+    command: /bin/sh -c "cp /sample_logs/* /var/log/"
+  test-http_endpoint:
+    image: docker.elastic.co/observability/stream:v0.17.1
+    volumes:
+      - ./sample_logs:/sample_logs:ro
+    environment:
+      - STREAM_PROTOCOL=webhook
+      - STREAM_ADDR=http://elastic-agent:10002/
+    command: log --start-signal=SIGHUP --delay=5s /sample_logs/logs-ndjson.log

packages/beelzebub/_dev/deploy/docker/sample_logs/logs-ndjson.log

@@ -0,0 +1,4 @@
+{"event":{"DateTime":"2025-02-13T01:08:26Z","RemoteAddr":"1.128.0.133:60748","Protocol":"SSH","Command":"","CommandOutput":"","Status":"Stateless","Msg":"New SSH attempt","ID":"1974e109-d6f8-4bb1-934c-180a163e1cb8","Environ":"","User":"root","Password":"test","Client":"SSH-2.0-dropbear","Headers":"","Cookies":"","UserAgent":"","HostHTTPRequest":"","Body":"","HTTPMethod":"","RequestURI":"","Description":"SSH interactive ChatGPT","SourceIp":"1.128.0.133","SourcePort":"60748"},"level":"info","msg":"New Event","status":"Stateless","time":"2025-02-13T01:08:26Z"}
+{"event":{"DateTime":"2025-02-13T01:08:34Z","RemoteAddr":"1.128.0.133:60748","Protocol":"SSH","Command":"ps w","CommandOutput":"```\n    PID TTY      STAT   TIME COMMAND\n   2042 pts/0    Ss     0:00 bash\n   2106 pts/0    R+     0:00 ps w\n```","Status":"Interaction","Msg":"New SSH Terminal Session","ID":"1c18ad80-60bb-48f6-8e47-05e707ac93eb","Environ":"","User":"","Password":"","Client":"","Headers":"","Cookies":"","UserAgent":"","HostHTTPRequest":"","Body":"","HTTPMethod":"","RequestURI":"","Description":"SSH interactive ChatGPT","SourceIp":"1.128.0.133","SourcePort":"60748"},"level":"info","msg":"New Event","status":"Interaction","time":"2025-02-13T01:08:34Z"}
+{"event":{"DateTime":"2025-02-27T00:03:02Z","RemoteAddr":"1.128.0.215:55264","Protocol":"HTTP","Command":"","CommandOutput":"","Status":"Stateless","Msg":"HTTP New request","ID":"4df41014-e1e8-45c1-8868-11c750ffd2bc","Environ":"","User":"","Password":"","Client":"","Headers":"[Key: User-Agent, values: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.46],[Key: Accept-Encoding, values: gzip, deflate],[Key: Accept-Encoding, values: gzip, deflate],[Key: Connection, values: keep-alive],[Key: X-Requested-With, values: XMLHttpRequest],[Key: Content-Type, values: application/x-www-form-urlencoded; charset=UTF-8],[Key: Accept-Language, values: en US,en;q=0.9,sv;q=0.8],[Key: Accept, values: */*],","Cookies":"","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.46","HostHTTPRequest":"1.128.0.16:80","Body":"","HTTPMethod":"GET","RequestURI":"/","Description":"Wordpress 6.0","SourceIp":"1.128.0.215","SourcePort":"55264"},"level":"info","msg":"New Event","status":"Stateless","time":"2025-02-27T00:03:02Z"}
+{"event":{"DateTime":"2025-02-19T07:48:34Z","RemoteAddr":"1.128.0.58:41654","Protocol":"HTTP","Command":"","CommandOutput":"","Status":"Stateless","Msg":"HTTP New request","ID":"1d4373f6-6dde-4b96-8f09-3ffb472de389","Environ":"","User":"","Password":"","Client":"","Headers":"[Key: User-Agent, values: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36],[Key: Content-Length, values: 314],[Key: Content-Type, values: application/xml],[Key: Accept-Encoding, values: gzip],[Key: Connection, values: close],","Cookies":"","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36","HostHTTPRequest":"1.128.0.16:80","Body":"\u003c!DOCTYPE xxe [\n\u003c!ELEMENT name ANY \u003e\n\u003c!ENTITY xxe SYSTEM \"file:///etc/passwd\"\u003e]\u003e\n\u003cAutodiscover xmlns=\"http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a\"\u003e\n\u003cRequest\u003e\n\u003cEMailAddress\u003eaaaaa\u003c/EMailAddress\u003e\n\u003cAcceptableResponseSchema\u003e\u0026xxe;\u003c/AcceptableResponseSchema\u003e\n\u003c/Request\u003e\n\u003c/Autodiscover\u003e","HTTPMethod":"POST","RequestURI":"/Autodiscover/Autodiscover.xml","Description":"Wordpress 6.0","SourceIp":"1.128.0.58","SourcePort":"41654"},"level":"info","msg":"New Event","status":"Stateless","time":"2025-02-19T07:48:34Z"}

packages/beelzebub/changelog.yml

@@ -0,0 +1,11 @@
+# newer versions go on top
+- version: "0.1.0"
+  changes:
+    - description: Initial release of the package post review
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/12914
+- version: "0.0.4"
+  changes:
+    - description: Initial draft of the package
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/12914

packages/beelzebub/data_stream/logs/_dev/test/pipeline/test-common-config.yml

@@ -0,0 +1,4 @@
+fields:
+  tags:
+    - preserve_original_event
+    - redact_passwords

packages/beelzebub/data_stream/logs/_dev/test/pipeline/test-logs-ndjson.log

@@ -0,0 +1,4 @@
+{"event":{"DateTime":"2025-02-13T01:08:26Z","RemoteAddr":"1.128.0.133:60748","Protocol":"SSH","Command":"","CommandOutput":"","Status":"Stateless","Msg":"New SSH attempt","ID":"1974e109-d6f8-4bb1-934c-180a163e1cb8","Environ":"","User":"root","Password":"test","Client":"SSH-2.0-dropbear","Headers":"","Cookies":"","UserAgent":"","HostHTTPRequest":"","Body":"","HTTPMethod":"","RequestURI":"","Description":"SSH interactive ChatGPT","SourceIp":"1.128.0.133","SourcePort":"60748"},"level":"info","msg":"New Event","status":"Stateless","time":"2025-02-13T01:08:26Z"}
+{"event":{"DateTime":"2025-02-13T01:08:34Z","RemoteAddr":"1.128.0.133:60748","Protocol":"SSH","Command":"ps w","CommandOutput":"```\n    PID TTY      STAT   TIME COMMAND\n   2042 pts/0    Ss     0:00 bash\n   2106 pts/0    R+     0:00 ps w\n```","Status":"Interaction","Msg":"New SSH Terminal Session","ID":"1c18ad80-60bb-48f6-8e47-05e707ac93eb","Environ":"","User":"","Password":"","Client":"","Headers":"","Cookies":"","UserAgent":"","HostHTTPRequest":"","Body":"","HTTPMethod":"","RequestURI":"","Description":"SSH interactive ChatGPT","SourceIp":"1.128.0.133","SourcePort":"60748"},"level":"info","msg":"New Event","status":"Interaction","time":"2025-02-13T01:08:34Z"}
+{"event":{"DateTime":"2025-02-27T00:03:02Z","RemoteAddr":"1.128.0.215:55264","Protocol":"HTTP","Command":"","CommandOutput":"","Status":"Stateless","Msg":"HTTP New request","ID":"4df41014-e1e8-45c1-8868-11c750ffd2bc","Environ":"","User":"","Password":"","Client":"","Headers":"[Key: User-Agent, values: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.46],[Key: Accept-Encoding, values: gzip, deflate],[Key: Accept-Encoding, values: gzip, deflate],[Key: Connection, values: keep-alive],[Key: X-Requested-With, values: XMLHttpRequest],[Key: Content-Type, values: application/x-www-form-urlencoded; charset=UTF-8],[Key: Accept-Language, values: en US,en;q=0.9,sv;q=0.8],[Key: Accept, values: */*],","Cookies":"","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.46","HostHTTPRequest":"1.128.0.16:80","Body":"","HTTPMethod":"GET","RequestURI":"/","Description":"Wordpress 6.0","SourceIp":"1.128.0.215","SourcePort":"55264"},"level":"info","msg":"New Event","status":"Stateless","time":"2025-02-27T00:03:02Z"}
+{"event":{"DateTime":"2025-02-19T07:48:34Z","RemoteAddr":"1.128.0.58:41654","Protocol":"HTTP","Command":"","CommandOutput":"","Status":"Stateless","Msg":"HTTP New request","ID":"1d4373f6-6dde-4b96-8f09-3ffb472de389","Environ":"","User":"","Password":"","Client":"","Headers":"[Key: User-Agent, values: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36],[Key: Content-Length, values: 314],[Key: Content-Type, values: application/xml],[Key: Accept-Encoding, values: gzip],[Key: Connection, values: close],","Cookies":"","UserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36","HostHTTPRequest":"1.128.0.16:80","Body":"\u003c!DOCTYPE xxe [\n\u003c!ELEMENT name ANY \u003e\n\u003c!ENTITY xxe SYSTEM \"file:///etc/passwd\"\u003e]\u003e\n\u003cAutodiscover xmlns=\"http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a\"\u003e\n\u003cRequest\u003e\n\u003cEMailAddress\u003eaaaaa\u003c/EMailAddress\u003e\n\u003cAcceptableResponseSchema\u003e\u0026xxe;\u003c/AcceptableResponseSchema\u003e\n\u003c/Request\u003e\n\u003c/Autodiscover\u003e","HTTPMethod":"POST","RequestURI":"/Autodiscover/Autodiscover.xml","Description":"Wordpress 6.0","SourceIp":"1.128.0.58","SourcePort":"41654"},"level":"info","msg":"New Event","status":"Stateless","time":"2025-02-19T07:48:34Z"}