Teleport Access Plane

About
Teleport Access Plane is an open-source platform that combines authentication, authorization, connectivity, and audit into a single place for infrastructure access.
Product Details
Vendor URL: Teleport
Product Type: Identity/Access platform
Product Tier: Tier III
Integration Method: Syslog
Parser Details
Log Format: JSON/KV
Expected Normalization Rate: 100%
Data Label: TELEPORT_ACCESS_PLANE
UDM Fields (all UDM fields used by the parser; a log field that appears in more than one row is mapped to each of the listed UDM fields):
| Log File Field | UDM Field |
|---|---|
| addr.local | principal.ip |
| addr.local | principal.port |
| addr.remote | target.ip |
| addr.remote | target.port |
| app_name | principal.application |
| app_public_addr | principal.url |
| app_uri | network.http.referral_url |
| attributes.groups | principal.user.group_identifiers |
| cluster_name | target.resource.attribute.labels |
| code | metadata.product_deployment_id |
| db_name | target.resource.name |
| db_origin | target.resource.attribute.labels |
| db_protocol | additional.fields |
| db_query | additional.fields |
| db_service | target.application |
| db_type | target.resource.resource_subtype |
| db_uri | target.url |
| db_user | target.user.userid |
| error | security_result.summary |
| event_type | metadata.product_event_type |
| host_id | principal.asset_id |
| identity.client_ip | principal.ip |
| identity.expires | network.tls.server.certificate.not_after |
| identity.impersonator | principal.user.userid |
| identity.roles | principal.user.attribute.roles |
| identity.traits.groups | target.group.attribute.labels |
| identity.user | target.user.userid |
| kubernetes_groups | principal.user.group_identifiers |
| kubernetes_labels.env | principal.resource.attribute.labels |
| kubernetes_labels.idp/cluster-role | principal.resource.attribute.labels |
| kubernetes_labels.stack | principal.resource.attribute.labels |
| method | extensions.auth.auth_details |
| name | target.user.userid |
| namespace | principal.namespace |
| node_name | target.resource.name |
| pid | principal.asset.product_object_id |
| proto | principal.application |
| request_path | target.url |
| resource_api_group | target.resource.attribute.labels |
| resource_kind | target.resource.resource_subtype |
| resource_namespace | target.namespace |
| response_code | network.http.response_code |
| role | target.asset.attribute.roles |
| route_to_cluster | security_result.detection_fields |
| server_hostname | principal.user.userid |
| server_id | target.domain.whois_server |
| sid | network.session_id |
| sid | principal.user.userid |
| sid | target.domain.whois_server |
| success | security_result.action |
| uid | metadata.product_log_id |
| uid | principal.user.userid |
| url | target.url |
| user | target.user.userid |
| user | principal.user.userid |
| user_agent | network.http.user_agent |
| verb | network.http.method |
Product Event Types
| Event | UDM Event Classification |
|---|---|
| app.session.chunk | USER_UNCATEGORIZED |
| app.session.leave | USER_UNCATEGORIZED |
| app.session.start | USER_UNCATEGORIZED |
| cert.create | USER_UNCATEGORIZED |
| db.session.query | RESOURCE_READ |
| kube.request | USER_RESOURCE_ACCESS |
| port | NETWORK_UNCATEGORIZED |
| session.leave | USER_UNCATEGORIZED |
| session.start | USER_UNCATEGORIZED |
| user.create | USER_CREATION |
| user.login | USER_LOGIN |
| user.update | USER_CHANGE_PERMISSIONS |
Log Sample
{"date":"2024-08-28T02:29:47.519885Z","cluster_name":"example.teleport.sh","code":"TDB02I","db_name":"admin","db_origin":"config-file","db_protocol":"mongodb","db_query":"OpQuery(FullCollectionName=admin.$cmd, Query={\"ismaster\": {\"$numberInt\":\"1\"},\"helloOk\": true,\"client\": {\"application\": {\"name\": \"mongosh 2.1.1\"},\"driver\": {\"name\": \"nodejs|mongosh\",\"version\": \"6.3.0|2.1.1\"},\"platform\": \"Node.js v21.4.0, LE\",\"os\": {\"name\": \"darwin\",\"architecture\": \"arm64\",\"version\": \"23.5.0\",\"type\": \"Darwin\"}},\"compression\": [\"none\"]}, ReturnFieldsSelector=, NumberToSkip=0, NumberToReturn=-1, Flags=[])","db_service":"dvc-protect-asne3-uat","db_type":"mongo-atlas","db_uri":"mongodb+srv://dvc-protect-asne3-uat.5vpiz.mongodb.net","db_user":"teleport-db-admin","ei":1,"event":"db.session.query","private_key_policy":"none","sid":"123abcde-1234-1abc-1a12-123a12a1234a","success":true,"time":"2024-08-28T02:29:04.764Z","uid":"25134069-5c6d-4c38-b3b5-0fd28996ae30","user":"jane.doe@example.io","user_kind":1}
Sample Parsing (UDM fields produced from the log sample above)
additional.fields["db_protocol"] = "mongodb"
additional.fields["db_query"] = "OpQuery(FullCollectionName=admin.$cmd, Query={\"ismaster\": {\"$numberInt\":\"1\"},\"helloOk\": true,\"client\": {\"application\": {\"name\": \"mongosh 2.1.1\"},\"driver\": {\"name\": \"nodejs|mongosh\",\"version\": \"6.3.0|2.1.1\"},\"platform\": \"Node.js v21.4.0, LE\",\"os\": {\"name\": \"darwin\",\"architecture\": \"arm64\",\"version\": \"23.5.0\",\"type\": \"Darwin\"}},\"compression\": [\"none\"]}, ReturnFieldsSelector=, NumberToSkip=0, NumberToReturn=-1, Flags=[])"
metadata.event_type = "RESOURCE_READ"
metadata.log_type = "TELEPORT_ACCESS_PLANE"
metadata.product_deployment_id = "TDB02I"
metadata.product_event_type = "db.session.query"
metadata.product_log_id = "25134069-5c6d-4c38-b3b5-0fd28996ae30"
metadata.product_name = "TELEPORT_ACCESS_PLANE"
metadata.vendor_name = "Teleport"
network.session_id = "123abcde-1234-1abc-1a12-123a12a1234a"
principal.domain.name = "example.io"
principal.namespace = "Teleport"
principal.user.userid = "jane.doe@example.io"
security_result.action = "ALLOW"
target.application = "dvc-protect-asne3-uat"
target.namespace = "Teleport"
target.resource.attribute.labels.key = "db_origin"
target.resource.attribute.labels.value = "config-file"
target.resource.attribute.labels.key = "cluster_name"
target.resource.attribute.labels.value = "example.teleport.sh"
target.resource.name = "admin"
target.resource.resource_subtype = "mongo-atlas"
target.url = "mongodb+srv://dvc-protect-asne3-uat.5vpiz.mongodb.net"
target.user.userid = "teleport-db-admin"