Catalog

Teleport

Version: 1.0.0Vendor: TeleportCapabilities: Parser · Rules · Dashboard

Teleport

Version: 1.0.0
Vendor: Teleport
Capabilities: Parser · Rules · Dashboard


Overview

The Teleport provides comprehensive security monitoring for Teleport Privileged Access Management (PAM) audit logs. Teleport controls and records access to SSH servers, Kubernetes clusters, databases, and internal web applications via a unified gateway.

This pack parses Teleport audit events delivered as JSON via Kafka, applies detection rules for anomalous privileged access patterns, and provides a security operations dashboard with full audit visibility.


Log Source

FieldValue
Kafka Topicteleport-audit-events
Log FormatJSON (double-encoded — inner payload in .message)
Event Typescert.create, session.upload, app.session.chunk
Cluster Nameteleport

Log Structure

Teleport events arrive in a Vector Kafka sink envelope:

{
  "file_name": "",
  "file_path": "",
  "headers": {},
  "message": "{\"ei\":0,\"event\":\"cert.create\",\"uid\":\"a1b2c3d4-0000-0000-0000-000000000001\",\"time\":\"2026-06-23T08:30:00.000Z\", ...}",
  "message_key": null,
  "time_unix_nano": 1750668600000000000,
  "timestamp": "2026-06-23T08:30:00.000Z"
}

The .message field contains the actual Teleport audit event as an escaped JSON string that the parser decodes with parse_json().


Parser

Event Type Mapping

Teleport Eventevent.actionevent.categoryevent.type
cert.createcert_createauthenticationstart
session.uploadsession_uploadsessionend
app.session.chunkapp_session_chunknetworkconnection
(other)<event_name_with_underscores>host

ECS Field Mapping

Source (Inner JSON)ECS Output FieldNotes
inner.uidevent.idUUID of the Teleport event
inner.codeevent.codeTeleport code (e.g. TC000I)
inner.eventevent.actionDots replaced with underscores
inner.cluster_nameobserver.hostnameTeleport cluster name
inner.identity.useruser.nameLogin user (cert.create only)
inner.identity.client_ipsource.ipStripped of ::ffff: prefix
inner.useruser.nameLogin user (app.session.chunk)
inner.app_nameservice.nameApplication name
inner.app_public_addrurl.domainPublic hostname of app
inner.identity.roles[0]labels.user_roleFirst assigned role
inner.cert_typelabels.cert_typeCertificate type (user)
inner.identity.expireslabels.cert_expiresCertificate expiry time
inner.sidlabels.session_idSession UUID
inner.cluster_namelabels.cluster_nameCluster name in labels
event.moduleHard-coded teleport

Detection Rules

Streaming Rules

RuleTriggerSeverity
Teleport – User Login (Certificate Issued)Any cert_create + outcome: successLow
Teleport – Application Access via App ProxyAny app_session_chunk + outcome: successLow
Teleport – Session Recording UploadedAny session_upload + outcome: successLow

All three streaming rules provide real-time audit trail coverage for every privileged access event in the Teleport cluster.

Correlation Rules

RuleLogicThresholdWindowSeverity
Teleport – Login Burst10+ cert_create events from same user.name≥ 10 logins15 minutesMedium
Teleport – User Accessing Multiple Applications5+ distinct service.name values by same user.name≥ 5 apps20 minutesMedium

Login Burst Detection

MITRE: TA0006 / T1110 (Brute Force)

Fires when a single user logs in 10 or more times within 15 minutes. This may indicate:

  • Automated credential stuffing
  • CI/CD pipeline misconfiguration
  • Stolen certificate being replayed

Recommended Response: Verify with the user whether the logins were intentional. If unexpected, revoke active certificates via tctl tokens rm and investigate source IP.

Multi-Application Access Detection

MITRE: TA0008 / T1021 (Remote Services)

Fires when a user accesses 5 or more distinct applications within 20 minutes. This may indicate:

  • Lateral movement by a compromised account
  • Reconnaissance of internal services
  • Unauthorized data collection

Recommended Response: Confirm with the account owner. Review which applications were accessed. If unexpected, lock the user account and revoke all active certificates.


Dashboard: Teleport Security Overview

The dashboard provides security operations visibility across all Teleport PAM activity.

SectionCharts
TrendEvents Over Time (LINE) — all event types by action
KPIsTotal Logins · Total App Sessions · Unique Users (METRIC x3)
DistributionEvent Type Distribution · Login Source IPs (PIE x2)
Top ListsTop Users by Login Count · Top Accessed Applications · Users by App Access Count (BAR_HORIZONTAL x3)
Event TablesRecent User Logins · Recent App Access Events · Recent Session Recordings (TABLE x3)

Default time range: Last 24 hours


Deployment Notes

Kafka Topic Setup

The Teleport connector must forward audit events to the topic ccsp-teleport-prod. Events must be delivered as-is from the Teleport Kafka export, preserving the outer Vector envelope with .message as the escaped JSON string.

Parser Notes

  • Double-JSON parsing: The parser first extracts .message as a string, then calls parse_json() to get the inner event object.
  • Timestamp source: Uses outer .timestamp from Vector (ISO 8601). The inner inner.time is also parsed but the final timestamp field uses the Vector envelope timestamp for reliability.
  • IPv6-mapped IPv4: source.ip values like ::ffff:202.134.16.242 are automatically normalized by stripping the ::ffff: prefix.
  • Unknown event types: Events not matching the three known types are mapped to event.category=host with event.action derived from the raw inner.event field (dots → underscores).

Sample Parser Output

cert.create (User Login)

{
  "timestamp": "2026-06-16 04:09:29",
  "event": {
    "module": "teleport",
    "id": "a1b2c3d4-0000-0000-0000-000000000001",
    "code": "TC000I",
    "action": "cert_create",
    "category": "authentication",
    "outcome": "success",
    "type": "start"
  },
  "observer": { "hostname": "teleport" },
  "user": { "name": "john.doe" },
  "source": { "ip": "203.0.113.45" },
  "message": "Certificate issued for user john.doe",
  "labels": {
    "log_type": "cert_create",
    "cluster_name": "teleport",
    "cert_type": "user",
    "cert_expires": "2026-06-23T18:00:00.000000000Z",
    "user_role": "dev-team"
  }
}

app.session.chunk (Application Access)

{
  "timestamp": "2026-06-16 04:06:32",
  "event": {
    "module": "teleport",
    "id": "b2c3d4e5-0000-0000-0000-000000000002",
    "code": "T2008I",
    "action": "app_session_chunk",
    "category": "network",
    "outcome": "success",
    "type": "connection"
  },
  "observer": { "hostname": "teleport" },
  "user": { "name": "john.doe" },
  "service": { "name": "internal-app-01" },
  "url": { "domain": "internal-app-01.example.com" },
  "message": "App session chunk for user john.doe",
  "labels": {
    "log_type": "app_session_chunk",
    "cluster_name": "teleport",
    "session_id": "c3d4e5f6-..."
  }
}

MITRE ATT&CK Coverage

TacticTechniqueDetection
Initial Access (TA0001)T1078 Valid AccountsTeleport Login streaming rule
Lateral Movement (TA0008)T1021 Remote ServicesApp Access streaming rule + Multi-App correlation
Collection (TA0009)T1560 Archive Collected DataSession Upload streaming rule
Credential Access (TA0006)T1110 Brute ForceLogin Burst correlation rule