Monitor security threats by analyzing and filtering Confluent Cloud audit logs

SET 'auto.offset.reset' = 'earliest';

CREATE STREAM audit_log_events (
  id VARCHAR,
  source VARCHAR,
  specversion VARCHAR,
  type VARCHAR,
  time VARCHAR,
  datacontenttype VARCHAR,
  subject VARCHAR,
  confluentRouting STRUCT<route VARCHAR>,
  data STRUCT<
    serviceName VARCHAR,
    methodName VARCHAR,
    resourceName VARCHAR,
    authenticationInfo STRUCT<principal VARCHAR>,
    authorizationInfo STRUCT<
        granted BOOLEAN,
        operation VARCHAR,
        resourceType VARCHAR,
        resourceName VARCHAR,
        patternType VARCHAR,
        superUserAuthorization BOOLEAN
        >,
    request STRUCT<
        correlation_id VARCHAR,
        client_id VARCHAR
        >,
    requestMetadata STRUCT<client_address VARCHAR>
    >
) WITH (
  KAFKA_TOPIC = 'confluent-audit-log-events',
  VALUE_FORMAT = 'JSON',
  TIMESTAMP = 'time',
  TIMESTAMP_FORMAT = 'yyyy-MM-dd''T''HH:mm:ss.SSSX',
  PARTITIONS = 6
);


-- Application logic
CREATE STREAM audit_log_topics WITH (KAFKA_TOPIC = 'topic-operations-audit-log') AS
SELECT
  time,
  data
FROM  audit_log_events
WHERE data->authorizationinfo->resourcetype = 'Topic'
EMIT CHANGES;

INSERT INTO audit_log_events (id, source, specversion, type, time, datacontenttype, subject, confluentrouting, data) VALUES('889bdcd9-a378-4bfe-8860-180ef8efd208', 'crn:///kafka=8caBa-0_Tu-2k3rKSxY64Q', '1.0', 'io.confluent.kafka.server/authorization', '2019-10-24T16:15:48.355Z', 'application/json',  'crn:///kafka=8caBa-0_Tu-2k3rKSxY64Q/topic=app3-topic',  STRUCT(route := 'confluent-audit-log-events'),  STRUCT(serviceName := 'crn:///kafka=8caBa-0_Tu-2k3rKSxY64Q', methodName := 'kafka.CreateTopics', resourceName := 'crn:///kafka=8caBa-0_Tu-2k3rKSxY64Q/topic=app3-topic', authenticationInfo := STRUCT(principal := 'User:admin'), authorizationInfo := STRUCT(granted := true, operation := 'Create', resourceType := 'Topic', resourceName := 'app3-topic', patternType := 'LITERAL', superUserAuthorization := true), request := STRUCT(correlation_id := '3', client_id := 'adminclient-6'), requestMetadata := STRUCT(client_address := '/127.0.0.1')));
INSERT INTO audit_log_events (id, source, specversion, type, time, datacontenttype, subject, confluentrouting, data) VALUES('889bdcd9-a378-4bfe-8860-180ef8efd209', 'crn:///kafka=8caBa-0_Tu-2k3rKSxY64Q', '1.0', 'io.confluent.kafka.server/authorization', '2019-10-24T17:16:43.355Z', 'application/json',  'crn:///kafka=8caBa-0_Tu-2k3rKSxY64Q/topic=app3-topic',  STRUCT(route := 'confluent-audit-log-events'),  STRUCT(serviceName := 'crn:///kafka=8caBa-0_Tu-2k3rKSxY64Q', methodName := 'kafka.CreateTopics', resourceName := 'crn:///kafka=8caBa-0_Tu-2k3rKSxY64Q/topic=app3-topic', authenticationInfo := STRUCT(principal := 'User:admin'), authorizationInfo := STRUCT(granted := true, operation := 'Create', resourceType := 'Broker', resourceName := 'app3-topic', patternType := 'LITERAL', superUserAuthorization := true), request := STRUCT(correlation_id := '3', client_id := 'adminclient-6'), requestMetadata := STRUCT(client_address := '/127.0.0.1')));
INSERT INTO audit_log_events (id, source, specversion, type, time, datacontenttype, subject, confluentrouting, data) VALUES('889bdcd9-a378-4bfe-8860-180ef8efd206', 'crn:///kafka=8caBa-0_Tu-2k3rKSxY64Q', '1.0', 'io.confluent.kafka.server/authorization', '2019-10-25T18:17:32.355Z', 'application/json',  'crn:///kafka=8caBa-0_Tu-2k3rKSxY64Q/topic=app3-topic',  STRUCT(route := 'confluent-audit-log-events'),  STRUCT(serviceName := 'crn:///kafka=8caBa-0_Tu-2k3rKSxY64Q', methodName := 'kafka.CreateTopics', resourceName := 'crn:///kafka=8caBa-0_Tu-2k3rKSxY64Q/topic=app3-topic', authenticationInfo := STRUCT(principal := 'User:admin'), authorizationInfo := STRUCT(granted := true, operation := 'Delete', resourceType := 'Topic', resourceName := 'app4-topic', patternType := 'LITERAL', superUserAuthorization := true), request := STRUCT(correlation_id := '3', client_id := 'adminclient-8'), requestMetadata := STRUCT(client_address := '/127.0.0.1')));
INSERT INTO audit_log_events (id, source, specversion, type, time, datacontenttype, subject, confluentrouting, data) VALUES('889bdcd9-a378-4bfe-8860-180ef8efd205', 'crn:///kafka=8caBa-0_Tu-2k3rKSxY64Q', '1.0', 'io.confluent.kafka.server/authorization', '2019-10-25T19:18:21.355Z', 'application/json',  'crn:///kafka=8caBa-0_Tu-2k3rKSxY64Q/topic=app3-topic',  STRUCT(route := 'confluent-audit-log-events'),  STRUCT(serviceName := 'crn:///kafka=8caBa-0_Tu-2k3rKSxY64Q', methodName := 'kafka.CreateTopics', resourceName := 'crn:///kafka=8caBa-0_Tu-2k3rKSxY64Q/topic=app3-topic', authenticationInfo := STRUCT(principal := 'User:admin'), authorizationInfo := STRUCT(granted := true, operation := 'Create', resourceType := 'Topic', resourceName := 'app5-topic', patternType := 'LITERAL', superUserAuthorization := true), request := STRUCT(correlation_id := '3', client_id := 'adminclient-6'), requestMetadata := STRUCT(client_address := '/127.0.0.1')));
INSERT INTO audit_log_events (id, source, specversion, type, time, datacontenttype, subject, confluentrouting, data) VALUES('889bdcd9-a378-4bfe-8860-180ef8efd204', 'crn:///kafka=8caBa-0_Tu-2k3rKSxY64Q', '1.0', 'io.confluent.kafka.server/authorization', '2019-10-26T20:19:33.355Z', 'application/json',  'crn:///kafka=8caBa-0_Tu-2k3rKSxY64Q/topic=app3-topic',  STRUCT(route := 'confluent-audit-log-events'),  STRUCT(serviceName := 'crn:///kafka=8caBa-0_Tu-2k3rKSxY64Q', methodName := 'kafka.CreateTopics', resourceName := 'crn:///kafka=8caBa-0_Tu-2k3rKSxY64Q/topic=app3-topic', authenticationInfo := STRUCT(principal := 'User:admin'), authorizationInfo := STRUCT(granted := true, operation := 'Delete', resourceType := 'Topic', resourceName := 'app9-topic', patternType := 'LITERAL', superUserAuthorization := true), request := STRUCT(correlation_id := '3', client_id := 'adminclient-5'), requestMetadata := STRUCT(client_address := '/127.0.0.1')));
INSERT INTO audit_log_events (id, source, specversion, type, time, datacontenttype, subject, confluentrouting, data) VALUES('889bdcd9-a378-4bfe-8860-180ef8efd203', 'crn:///kafka=8caBa-0_Tu-2k3rKSxY64Q', '1.0', 'io.confluent.kafka.server/authorization', '2019-10-26T21:20:34.355Z', 'application/json',  'crn:///kafka=8caBa-0_Tu-2k3rKSxY64Q/topic=app3-topic',  STRUCT(route := 'confluent-audit-log-events'),  STRUCT(serviceName := 'crn:///kafka=8caBa-0_Tu-2k3rKSxY64Q', methodName := 'kafka.CreateTopics', resourceName := 'crn:///kafka=8caBa-0_Tu-2k3rKSxY64Q/topic=app3-topic', authenticationInfo := STRUCT(principal := 'User:admin'), authorizationInfo := STRUCT(granted := true, operation := 'Modify', resourceType := 'Topic', resourceName := 'app5-topic', patternType := 'LITERAL', superUserAuthorization := true), request := STRUCT(correlation_id := '3', client_id := 'adminclient-6'), requestMetadata := STRUCT(client_address := '/127.0.0.1')));
INSERT INTO audit_log_events (id, source, specversion, type, time, datacontenttype, subject, confluentrouting, data) VALUES('889bdcd9-a378-4bfe-8860-180ef8efd202', 'crn:///kafka=8caBa-0_Tu-2k3rKSxY64Q', '1.0', 'io.confluent.kafka.server/authorization', '2019-10-24T16:15:12.355Z', 'application/json',  'crn:///kafka=8caBa-0_Tu-2k3rKSxY64Q/topic=app3-topic',  STRUCT(route := 'confluent-audit-log-events'),  STRUCT(serviceName := 'crn:///kafka=8caBa-0_Tu-2k3rKSxY64Q', methodName := 'kafka.CreateTopics', resourceName := 'crn:///kafka=8caBa-0_Tu-2k3rKSxY64Q/topic=app3-topic', authenticationInfo := STRUCT(principal := 'User:admin'), authorizationInfo := STRUCT(granted := true, operation := 'Create', resourceType := 'Broker', resourceName := 'app3-topic', patternType := 'LITERAL', superUserAuthorization := true), request := STRUCT(correlation_id := '3', client_id := 'adminclient-6'), requestMetadata := STRUCT(client_address := '/127.0.0.1')));
INSERT INTO audit_log_events (id, source, specversion, type, time, datacontenttype, subject, confluentrouting, data) VALUES('889bdcd9-a378-4bfe-8860-180ef8efd201', 'crn:///kafka=8caBa-0_Tu-2k3rKSxY64Q', '1.0', 'io.confluent.kafka.server/authorization', '2019-10-24T16:15:16.355Z', 'application/json',  'crn:///kafka=8caBa-0_Tu-2k3rKSxY64Q/topic=app3-topic',  STRUCT(route := 'confluent-audit-log-events'),  STRUCT(serviceName := 'crn:///kafka=8caBa-0_Tu-2k3rKSxY64Q', methodName := 'kafka.CreateTopics', resourceName := 'crn:///kafka=8caBa-0_Tu-2k3rKSxY64Q/topic=app3-topic', authenticationInfo := STRUCT(principal := 'User:admin'), authorizationInfo := STRUCT(granted := true, operation := 'Create', resourceType := 'Broker', resourceName := 'app3-topic', patternType := 'LITERAL', superUserAuthorization := true), request := STRUCT(correlation_id := '3', client_id := 'adminclient-6'), requestMetadata := STRUCT(client_address := '/127.0.0.1')));
INSERT INTO audit_log_events (id, source, specversion, type, time, datacontenttype, subject, confluentrouting, data) VALUES('889bdcd9-a378-4bfe-8860-180ef8efd200', 'crn:///kafka=8caBa-0_Tu-2k3rKSxY64Q', '1.0', 'io.confluent.kafka.server/authorization', '2019-10-24T16:15:17.355Z', 'application/json',  'crn:///kafka=8caBa-0_Tu-2k3rKSxY64Q/topic=app3-topic',  STRUCT(route := 'confluent-audit-log-events'),  STRUCT(serviceName := 'crn:///kafka=8caBa-0_Tu-2k3rKSxY64Q', methodName := 'kafka.CreateTopics', resourceName := 'crn:///kafka=8caBa-0_Tu-2k3rKSxY64Q/topic=app3-topic', authenticationInfo := STRUCT(principal := 'User:admin'), authorizationInfo := STRUCT(granted := true, operation := 'Create', resourceType := 'Broker', resourceName := 'app3-topic', patternType := 'LITERAL', superUserAuthorization := true), request := STRUCT(correlation_id := '3', client_id := 'adminclient-6'), requestMetadata := STRUCT(client_address := '/127.0.0.1')));
INSERT INTO audit_log_events (id, source, specversion, type, time, datacontenttype, subject, confluentrouting, data) VALUES('889bdcd9-a378-4bfe-8860-180ef8efd218', 'crn:///kafka=8caBa-0_Tu-2k3rKSxY64Q', '1.0', 'io.confluent.kafka.server/authorization', '2019-10-24T16:15:48.355Z', 'application/json',  'crn:///kafka=8caBa-0_Tu-2k3rKSxY64Q/topic=app3-topic',  STRUCT(route := 'confluent-audit-log-events'),  STRUCT(serviceName := 'crn:///kafka=8caBa-0_Tu-2k3rKSxY64Q', methodName := 'kafka.CreateTopics', resourceName := 'crn:///kafka=8caBa-0_Tu-2k3rKSxY64Q/topic=app3-topic', authenticationInfo := STRUCT(principal := 'User:admin'), authorizationInfo := STRUCT(granted := true, operation := 'Create', resourceType := 'Broker', resourceName := 'app3-topic', patternType := 'LITERAL', superUserAuthorization := true), request := STRUCT(correlation_id := '3', client_id := 'adminclient-6'), requestMetadata := STRUCT(client_address := '/127.0.0.1')));

SELECT * FROM audit_log_topics EMIT CHANGES LIMIT 5;

+---------------------------------------------------------------------------+---------------------------------------------------------------------------+
|TIME                                                                       |DATA                                                                       |
+---------------------------------------------------------------------------+---------------------------------------------------------------------------+
|2019-10-24T16:15:48.355Z                                                   |{SERVICENAME=crn:///kafka=8caBa-0_Tu-2k3rKSxY64Q, METHODNAME=kafka.CreateTo|
|                                                                           |pics, RESOURCENAME=crn:///kafka=8caBa-0_Tu-2k3rKSxY64Q/topic=app3-topic, AU|
|                                                                           |THENTICATIONINFO={PRINCIPAL=User:admin}, AUTHORIZATIONINFO={GRANTED=true, O|
|                                                                           |PERATION=Create, RESOURCETYPE=Topic, RESOURCENAME=app3-topic, PATTERNTYPE=L|
|                                                                           |ITERAL, SUPERUSERAUTHORIZATION=true}, REQUEST={CORRELATION_ID=3, CLIENT_ID=|
|                                                                           |adminclient-6}, REQUESTMETADATA={CLIENT_ADDRESS=/127.0.0.1}}               |
|2019-10-25T18:17:32.355Z                                                   |{SERVICENAME=crn:///kafka=8caBa-0_Tu-2k3rKSxY64Q, METHODNAME=kafka.CreateTo|
|                                                                           |pics, RESOURCENAME=crn:///kafka=8caBa-0_Tu-2k3rKSxY64Q/topic=app3-topic, AU|
|                                                                           |THENTICATIONINFO={PRINCIPAL=User:admin}, AUTHORIZATIONINFO={GRANTED=true, O|
|                                                                           |PERATION=Delete, RESOURCETYPE=Topic, RESOURCENAME=app4-topic, PATTERNTYPE=L|
|                                                                           |ITERAL, SUPERUSERAUTHORIZATION=true}, REQUEST={CORRELATION_ID=3, CLIENT_ID=|
|                                                                           |adminclient-8}, REQUESTMETADATA={CLIENT_ADDRESS=/127.0.0.1}}               |
|2019-10-26T20:19:33.355Z                                                   |{SERVICENAME=crn:///kafka=8caBa-0_Tu-2k3rKSxY64Q, METHODNAME=kafka.CreateTo|
|                                                                           |pics, RESOURCENAME=crn:///kafka=8caBa-0_Tu-2k3rKSxY64Q/topic=app3-topic, AU|
|                                                                           |THENTICATIONINFO={PRINCIPAL=User:admin}, AUTHORIZATIONINFO={GRANTED=true, O|
|                                                                           |PERATION=Delete, RESOURCETYPE=Topic, RESOURCENAME=app9-topic, PATTERNTYPE=L|
|                                                                           |ITERAL, SUPERUSERAUTHORIZATION=true}, REQUEST={CORRELATION_ID=3, CLIENT_ID=|
|                                                                           |adminclient-5}, REQUESTMETADATA={CLIENT_ADDRESS=/127.0.0.1}}               |
|2019-10-26T21:20:34.355Z                                                   |{SERVICENAME=crn:///kafka=8caBa-0_Tu-2k3rKSxY64Q, METHODNAME=kafka.CreateTo|
|                                                                           |pics, RESOURCENAME=crn:///kafka=8caBa-0_Tu-2k3rKSxY64Q/topic=app3-topic, AU|
|                                                                           |THENTICATIONINFO={PRINCIPAL=User:admin}, AUTHORIZATIONINFO={GRANTED=true, O|
|                                                                           |PERATION=Modify, RESOURCETYPE=Topic, RESOURCENAME=app5-topic, PATTERNTYPE=L|
|                                                                           |ITERAL, SUPERUSERAUTHORIZATION=true}, REQUEST={CORRELATION_ID=3, CLIENT_ID=|
|                                                                           |adminclient-6}, REQUESTMETADATA={CLIENT_ADDRESS=/127.0.0.1}}               |
|2019-10-25T19:18:21.355Z                                                   |{SERVICENAME=crn:///kafka=8caBa-0_Tu-2k3rKSxY64Q, METHODNAME=kafka.CreateTo|
|                                                                           |pics, RESOURCENAME=crn:///kafka=8caBa-0_Tu-2k3rKSxY64Q/topic=app3-topic, AU|
|                                                                           |THENTICATIONINFO={PRINCIPAL=User:admin}, AUTHORIZATIONINFO={GRANTED=true, O|
|                                                                           |PERATION=Create, RESOURCETYPE=Topic, RESOURCENAME=app5-topic, PATTERNTYPE=L|
|                                                                           |ITERAL, SUPERUSERAUTHORIZATION=true}, REQUEST={CORRELATION_ID=3, CLIENT_ID=|
|                                                                           |adminclient-6}, REQUESTMETADATA={CLIENT_ADDRESS=/127.0.0.1}}               |
Limit Reached
Query terminated

-- Send data to Splunk
CREATE SINK CONNECTOR IF NOT EXISTS recipe_splunk_filter_logs WITH (
  'connector.class'          = 'SplunkSink',
  'input.data.format'        = 'JSON',
  'kafka.api.key'            = '<my-kafka-api-key>',
  'kafka.api.secret'         = '<my-kafka-api-secret>',
  'topics'                   = 'topic-operations-audit-log',
  'splunk.hec.uri'           = '<splunk-indexers>',
  'splunk.hec.token'         = '<Splunk HTTP Event Collector token>',
  'tasks.max'                = '1'
);

DROP STREAM IF EXISTS <stream_name> DELETE TOPIC;
DROP TABLE IF EXISTS <table_name> DELETE TOPIC;

DROP CONNECTOR IF EXISTS <connector_name>;