Teleport
Teleport
Version: 1.0.0
Vendor: Teleport
Capabilities: Parser · Rules · Dashboard
Overview
The Teleport provides comprehensive security monitoring for Teleport Privileged Access Management (PAM) audit logs. Teleport controls and records access to SSH servers, Kubernetes clusters, databases, and internal web applications via a unified gateway.
This pack parses Teleport audit events delivered as JSON via Kafka, applies detection rules for anomalous privileged access patterns, and provides a security operations dashboard with full audit visibility.
Log Source
| Field | Value |
|---|---|
| Kafka Topic | teleport-audit-events |
| Log Format | JSON (double-encoded — inner payload in .message) |
| Event Types | cert.create, session.upload, app.session.chunk |
| Cluster Name | teleport |
Log Structure
Teleport events arrive in a Vector Kafka sink envelope:
{
"file_name": "",
"file_path": "",
"headers": {},
"message": "{\"ei\":0,\"event\":\"cert.create\",\"uid\":\"a1b2c3d4-0000-0000-0000-000000000001\",\"time\":\"2026-06-23T08:30:00.000Z\", ...}",
"message_key": null,
"time_unix_nano": 1750668600000000000,
"timestamp": "2026-06-23T08:30:00.000Z"
}
The .message field contains the actual Teleport audit event as an escaped JSON string that the parser decodes with parse_json().
Parser
Event Type Mapping
| Teleport Event | event.action | event.category | event.type |
|---|---|---|---|
cert.create | cert_create | authentication | start |
session.upload | session_upload | session | end |
app.session.chunk | app_session_chunk | network | connection |
| (other) | <event_name_with_underscores> | host | — |
ECS Field Mapping
| Source (Inner JSON) | ECS Output Field | Notes |
|---|---|---|
inner.uid | event.id | UUID of the Teleport event |
inner.code | event.code | Teleport code (e.g. TC000I) |
inner.event | event.action | Dots replaced with underscores |
inner.cluster_name | observer.hostname | Teleport cluster name |
inner.identity.user | user.name | Login user (cert.create only) |
inner.identity.client_ip | source.ip | Stripped of ::ffff: prefix |
inner.user | user.name | Login user (app.session.chunk) |
inner.app_name | service.name | Application name |
inner.app_public_addr | url.domain | Public hostname of app |
inner.identity.roles[0] | labels.user_role | First assigned role |
inner.cert_type | labels.cert_type | Certificate type (user) |
inner.identity.expires | labels.cert_expires | Certificate expiry time |
inner.sid | labels.session_id | Session UUID |
inner.cluster_name | labels.cluster_name | Cluster name in labels |
| — | event.module | Hard-coded teleport |
Detection Rules
Streaming Rules
| Rule | Trigger | Severity |
|---|---|---|
| Teleport – User Login (Certificate Issued) | Any cert_create + outcome: success | Low |
| Teleport – Application Access via App Proxy | Any app_session_chunk + outcome: success | Low |
| Teleport – Session Recording Uploaded | Any session_upload + outcome: success | Low |
All three streaming rules provide real-time audit trail coverage for every privileged access event in the Teleport cluster.
Correlation Rules
| Rule | Logic | Threshold | Window | Severity |
|---|---|---|---|---|
| Teleport – Login Burst | 10+ cert_create events from same user.name | ≥ 10 logins | 15 minutes | Medium |
| Teleport – User Accessing Multiple Applications | 5+ distinct service.name values by same user.name | ≥ 5 apps | 20 minutes | Medium |
Login Burst Detection
MITRE: TA0006 / T1110 (Brute Force)
Fires when a single user logs in 10 or more times within 15 minutes. This may indicate:
- Automated credential stuffing
- CI/CD pipeline misconfiguration
- Stolen certificate being replayed
Recommended Response: Verify with the user whether the logins were intentional. If unexpected, revoke active certificates via tctl tokens rm and investigate source IP.
Multi-Application Access Detection
MITRE: TA0008 / T1021 (Remote Services)
Fires when a user accesses 5 or more distinct applications within 20 minutes. This may indicate:
- Lateral movement by a compromised account
- Reconnaissance of internal services
- Unauthorized data collection
Recommended Response: Confirm with the account owner. Review which applications were accessed. If unexpected, lock the user account and revoke all active certificates.
Dashboard: Teleport Security Overview
The dashboard provides security operations visibility across all Teleport PAM activity.
| Section | Charts |
|---|---|
| Trend | Events Over Time (LINE) — all event types by action |
| KPIs | Total Logins · Total App Sessions · Unique Users (METRIC x3) |
| Distribution | Event Type Distribution · Login Source IPs (PIE x2) |
| Top Lists | Top Users by Login Count · Top Accessed Applications · Users by App Access Count (BAR_HORIZONTAL x3) |
| Event Tables | Recent User Logins · Recent App Access Events · Recent Session Recordings (TABLE x3) |
Default time range: Last 24 hours
Deployment Notes
Kafka Topic Setup
The Teleport connector must forward audit events to the topic ccsp-teleport-prod. Events must be delivered as-is from the Teleport Kafka export, preserving the outer Vector envelope with .message as the escaped JSON string.
Parser Notes
- Double-JSON parsing: The parser first extracts
.messageas a string, then callsparse_json()to get the inner event object. - Timestamp source: Uses outer
.timestampfrom Vector (ISO 8601). The innerinner.timeis also parsed but the finaltimestampfield uses the Vector envelope timestamp for reliability. - IPv6-mapped IPv4:
source.ipvalues like::ffff:202.134.16.242are automatically normalized by stripping the::ffff:prefix. - Unknown event types: Events not matching the three known types are mapped to
event.category=hostwithevent.actionderived from the rawinner.eventfield (dots → underscores).
Sample Parser Output
cert.create (User Login)
{
"timestamp": "2026-06-16 04:09:29",
"event": {
"module": "teleport",
"id": "a1b2c3d4-0000-0000-0000-000000000001",
"code": "TC000I",
"action": "cert_create",
"category": "authentication",
"outcome": "success",
"type": "start"
},
"observer": { "hostname": "teleport" },
"user": { "name": "john.doe" },
"source": { "ip": "203.0.113.45" },
"message": "Certificate issued for user john.doe",
"labels": {
"log_type": "cert_create",
"cluster_name": "teleport",
"cert_type": "user",
"cert_expires": "2026-06-23T18:00:00.000000000Z",
"user_role": "dev-team"
}
}
app.session.chunk (Application Access)
{
"timestamp": "2026-06-16 04:06:32",
"event": {
"module": "teleport",
"id": "b2c3d4e5-0000-0000-0000-000000000002",
"code": "T2008I",
"action": "app_session_chunk",
"category": "network",
"outcome": "success",
"type": "connection"
},
"observer": { "hostname": "teleport" },
"user": { "name": "john.doe" },
"service": { "name": "internal-app-01" },
"url": { "domain": "internal-app-01.example.com" },
"message": "App session chunk for user john.doe",
"labels": {
"log_type": "app_session_chunk",
"cluster_name": "teleport",
"session_id": "c3d4e5f6-..."
}
}
MITRE ATT&CK Coverage
| Tactic | Technique | Detection |
|---|---|---|
| Initial Access (TA0001) | T1078 Valid Accounts | Teleport Login streaming rule |
| Lateral Movement (TA0008) | T1021 Remote Services | App Access streaming rule + Multi-App correlation |
| Collection (TA0009) | T1560 Archive Collected Data | Session Upload streaming rule |
| Credential Access (TA0006) | T1110 Brute Force | Login Burst correlation rule |