filebeat/module/crowdstrike: fix LocalIP and UserIP with N/A value (#…

…32896) Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co>
elastic · Jun 1, 2023 · d3935c4 · d3935c4
1 parent 3d4956b
commit d3935c4
Show file tree

Hide file tree

Showing 6 changed files with 60 additions and 6 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -161,6 +161,7 @@ https://github.com/elastic/beats/compare/v8.2.0\...main[Check the HEAD diff]
 - httpjson input: Add request tracing logger. {issue}32402[32402] {pull}32412[32412]
 - Add cloudflare R2 to provider list in AWS S3 input. {pull}32620[32620]
 - Add support for single string containing multiple relation-types in getRFC5988Link. {pull}32811[32811]
+- Fix handling of invalid UserIP and LocalIP values. {pull}32896[32896]
 
 *Auditbeat*
 

diff --git a/x-pack/filebeat/module/crowdstrike/falcon/ingest/auth_activity_audit.yml b/x-pack/filebeat/module/crowdstrike/falcon/ingest/auth_activity_audit.yml
@@ -20,10 +20,9 @@ processors:
   - convert:
       field: crowdstrike.event.UserIp
       target_field: source.ip
-      type: string
+      type: ip
       ignore_missing: true
       ignore_failure: true
-      if: ctx?.crowdstrike?.event?.UserIp != null && ctx?.crowdstrike?.event?.UserIp != ""
   - script:
       lang: painless
       source: |

diff --git a/x-pack/filebeat/module/crowdstrike/falcon/ingest/detection_summary.yml b/x-pack/filebeat/module/crowdstrike/falcon/ingest/detection_summary.yml
@@ -17,10 +17,9 @@ processors:
   - convert:
       field: crowdstrike.event.LocalIP
       target_field: source.ip
-      type: string
+      type: ip
       ignore_failure: true
       ignore_missing: true
-      if: ctx?.crowdstrike?.event?.LocalIP != null && ctx?.crowdstrike?.event?.LocalIP != ""
   - convert:
       field: crowdstrike.event.ProcessId
       target_field: process.pid

diff --git a/x-pack/filebeat/module/crowdstrike/falcon/ingest/user_activity_audit.yml b/x-pack/filebeat/module/crowdstrike/falcon/ingest/user_activity_audit.yml
@@ -23,7 +23,6 @@ processors:
   - convert:
       field: crowdstrike.event.UserIp
       target_field: source.ip
-      type: string
+      type: ip
       ignore_failure: true
       ignore_missing: true
-      if: ctx?.crowdstrike?.event?.UserIp != null && ctx?.crowdstrike?.event?.UserIp != ""
diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log
@@ -275,3 +275,20 @@
         "UTCTimestamp": 1581603262
     }
 }
+{
+    "metadata": {
+        "customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b",
+        "offset": 9,
+        "eventType": "AuthActivityAuditEvent",
+        "eventCreationTime": 1581601820289,
+        "version": "1.0"
+    },
+    "event": {
+        "UserId": "alice@company.com",
+        "UserIp": "N/A",
+        "OperationName": "selfAcceptEula",
+        "ServiceName": "CrowdStrike Authentication",
+        "Success": true,
+        "UTCTimestamp": 1581601820289
+    }
+}
diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json
@@ -631,5 +631,44 @@
         ],
         "user.email": "alice@company.com",
         "user.name": "alice@company.com"
+    },
+    {
+        "crowdstrike.event.OperationName": "selfAcceptEula",
+        "crowdstrike.event.ServiceName": "CrowdStrike Authentication",
+        "crowdstrike.event.Success": true,
+        "crowdstrike.event.UTCTimestamp": "2020-02-13T13:50:20.289Z",
+        "crowdstrike.event.UserId": "alice@company.com",
+        "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b",
+        "crowdstrike.metadata.eventCreationTime": "2020-02-13T13:50:20.289Z",
+        "crowdstrike.metadata.eventType": "AuthActivityAuditEvent",
+        "crowdstrike.metadata.offset": 9,
+        "crowdstrike.metadata.version": "1.0",
+        "event.action": "self_accept_eula",
+        "event.category": [
+            "authentication"
+        ],
+        "event.dataset": "crowdstrike.falcon_audit",
+        "event.kind": "event",
+        "event.module": "crowdstrike",
+        "event.outcome": "success",
+        "event.type": [
+            "change"
+        ],
+        "fileset.name": "falcon",
+        "input.type": "log",
+        "log.flags": [
+            "multiline"
+        ],
+        "log.offset": 8094,
+        "message": "CrowdStrike Authentication",
+        "related.user": [
+            "alice@company.com"
+        ],
+        "service.type": "crowdstrike",
+        "tags": [
+            "forwarded"
+        ],
+        "user.email": "alice@company.com",
+        "user.name": "alice@company.com"
     }
 ]