From cbf7d7ecb3fa4ed75dc42881d5a5ac89cf82b5b0 Mon Sep 17 00:00:00 2001 From: Pasquale D'Agostino <2095574+elauqsap@users.noreply.github.com> Date: Fri, 26 Aug 2022 15:20:25 -0700 Subject: [PATCH 1/4] fix LocalIP and UserIP with N/A value --- .../module/crowdstrike/falcon/ingest/auth_activity_audit.yml | 2 +- .../module/crowdstrike/falcon/ingest/detection_summary.yml | 2 +- .../module/crowdstrike/falcon/ingest/user_activity_audit.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/x-pack/filebeat/module/crowdstrike/falcon/ingest/auth_activity_audit.yml b/x-pack/filebeat/module/crowdstrike/falcon/ingest/auth_activity_audit.yml index c7ba463c7bc..22b218be5a6 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/ingest/auth_activity_audit.yml +++ b/x-pack/filebeat/module/crowdstrike/falcon/ingest/auth_activity_audit.yml @@ -23,7 +23,7 @@ processors: type: string ignore_missing: true ignore_failure: true - if: ctx?.crowdstrike?.event?.UserIp != null && ctx?.crowdstrike?.event?.UserIp != "" + if: ctx?.crowdstrike?.event?.UserIp != null && ctx?.crowdstrike?.event?.UserIp != "" && ctx?.crowdstrike?.event?.UserIp != "N/A" - script: lang: painless source: | diff --git a/x-pack/filebeat/module/crowdstrike/falcon/ingest/detection_summary.yml b/x-pack/filebeat/module/crowdstrike/falcon/ingest/detection_summary.yml index b721c6df1bf..eea203f68fe 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/ingest/detection_summary.yml +++ b/x-pack/filebeat/module/crowdstrike/falcon/ingest/detection_summary.yml @@ -20,7 +20,7 @@ processors: type: string ignore_failure: true ignore_missing: true - if: ctx?.crowdstrike?.event?.LocalIP != null && ctx?.crowdstrike?.event?.LocalIP != "" + if: ctx?.crowdstrike?.event?.LocalIP != null && ctx?.crowdstrike?.event?.LocalIP != "" && ctx?.crowdstrike?.event?.LocalIP != "N/A" - convert: field: crowdstrike.event.ProcessId target_field: process.pid 
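Review bot: The extended `if` still excludes only one literal placeholder, and because the convert runs with `type: string` the value copied into `source.ip` is never validated, so any other non-address string the vendor might emit (the hunk rules out just `""` and `"N/A"`) would still be written to an ECS field that is normally mapped as `ip` and be rejected at index time rather than in the pipeline. The same condition appears in the detection_summary.yml hunk on this line (`LocalIP`) and in the user_activity_audit.yml hunk that follows it. Validating the value itself, which is what the `type: ip` conversion adopted by the second patch in this series does, is more robust than enumerating sentinel strings, and the `if` line can then be dropped entirely.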
diff --git a/x-pack/filebeat/module/crowdstrike/falcon/ingest/user_activity_audit.yml b/x-pack/filebeat/module/crowdstrike/falcon/ingest/user_activity_audit.yml index 6998062561d..106e93ec334 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/ingest/user_activity_audit.yml +++ b/x-pack/filebeat/module/crowdstrike/falcon/ingest/user_activity_audit.yml @@ -26,4 +26,4 @@ processors: type: string ignore_failure: true ignore_missing: true - if: ctx?.crowdstrike?.event?.UserIp != null && ctx?.crowdstrike?.event?.UserIp != "" + if: ctx?.crowdstrike?.event?.UserIp != null && ctx?.crowdstrike?.event?.UserIp != "" && ctx?.crowdstrike?.event?.UserIp != "N/A" From 8fc265aa86323c71b9b7af715795b4f0681ce80c Mon Sep 17 00:00:00 2001 From: Pasquale D'Agostino <2095574+elauqsap@users.noreply.github.com> Date: Mon, 29 Aug 2022 09:11:16 -0700 Subject: [PATCH 2/4] address change suggestions and requests --- CHANGELOG.next.asciidoc | 1 + .../falcon/ingest/auth_activity_audit.yml | 3 +- .../falcon/ingest/detection_summary.yml | 3 +- .../falcon/ingest/user_activity_audit.yml | 3 +- .../falcon/test/falcon-audit-events.log | 17 ++++++++ .../falcon-audit-events.log-expected.json | 40 +++++++++++++++++++ .../crowdstrike/falcon/test/falcon-events.log | 2 +- 7 files changed, 62 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 333e5997a8d..3c4aea86a05 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -119,6 +119,7 @@ https://github.com/elastic/beats/compare/v8.2.0\...main[Check the HEAD diff] - httpjson input: Add request tracing logger. {issue}32402[32402] {pull}32412[32412] - Add cloudflare R2 to provider list in AWS S3 input. {pull}32620[32620] - Add support for single string containing multiple relation-types in getRFC5988Link. {pull}32811[32811] +- Fix handling of invalid UserIP and LocalIP values. {pull}32896[32896] *Auditbeat* 
diff --git a/x-pack/filebeat/module/crowdstrike/falcon/ingest/auth_activity_audit.yml b/x-pack/filebeat/module/crowdstrike/falcon/ingest/auth_activity_audit.yml index 22b218be5a6..fd9e3992343 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/ingest/auth_activity_audit.yml +++ b/x-pack/filebeat/module/crowdstrike/falcon/ingest/auth_activity_audit.yml @@ -20,10 +20,9 @@ processors: - convert: field: crowdstrike.event.UserIp target_field: source.ip - type: string + type: ip ignore_missing: true ignore_failure: true - if: ctx?.crowdstrike?.event?.UserIp != null && ctx?.crowdstrike?.event?.UserIp != "" && ctx?.crowdstrike?.event?.UserIp != "N/A" - script: lang: painless source: | diff --git a/x-pack/filebeat/module/crowdstrike/falcon/ingest/detection_summary.yml b/x-pack/filebeat/module/crowdstrike/falcon/ingest/detection_summary.yml index eea203f68fe..4d1a07fdfab 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/ingest/detection_summary.yml +++ b/x-pack/filebeat/module/crowdstrike/falcon/ingest/detection_summary.yml @@ -17,10 +17,9 @@ processors: - convert: field: crowdstrike.event.LocalIP target_field: source.ip - type: string + type: ip ignore_failure: true ignore_missing: true - if: ctx?.crowdstrike?.event?.LocalIP != null && ctx?.crowdstrike?.event?.LocalIP != "" && ctx?.crowdstrike?.event?.LocalIP != "N/A" - convert: field: crowdstrike.event.ProcessId target_field: process.pid diff --git a/x-pack/filebeat/module/crowdstrike/falcon/ingest/user_activity_audit.yml b/x-pack/filebeat/module/crowdstrike/falcon/ingest/user_activity_audit.yml index 106e93ec334..626825f93df 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/ingest/user_activity_audit.yml +++ b/x-pack/filebeat/module/crowdstrike/falcon/ingest/user_activity_audit.yml 
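Review bot: With `type: ip` combined with `ignore_failure: true`, a `UserIp` value that is not a valid address is now dropped without leaving any trace in the document, and since the fixture for the `N/A` event later in this series ends up with neither `source.ip` nor `crowdstrike.event.UserIp`, an analyst cannot tell an absent address from a vendor placeholder or a malformed one. Consider replacing `ignore_failure: true` with a processor-level `on_failure` that records the reason, as in the excerpt below; the same applies to the detection_summary.yml hunk on this line (`LocalIP`) and to the user_activity_audit.yml hunk that follows. Removing the `if` line is fine now that the convert validates the value itself, as an empty string should fail the ip parse just as `N/A` does (worth confirming with the fixture). A minor style point: the auth_activity_audit.yml hunk orders `ignore_missing`/`ignore_failure` the opposite way from the other two pipelines, and keeping one order across the three files makes them easier to diff.
```yaml
  - convert:
      field: crowdstrike.event.UserIp
      target_field: source.ip
      type: ip
      ignore_missing: true
      on_failure:
        - append:
            field: error.message
            value: 'convert of crowdstrike.event.UserIp to ip failed: {{{ _ingest.on_failure_message }}}'
  # … unchanged: script processor that follows …
```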
@@ -23,7 +23,6 @@ processors: - convert: field: crowdstrike.event.UserIp target_field: source.ip - type: string + type: ip ignore_failure: true ignore_missing: true - if: ctx?.crowdstrike?.event?.UserIp != null && ctx?.crowdstrike?.event?.UserIp != "" && ctx?.crowdstrike?.event?.UserIp != "N/A" diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log index 1a403c955ce..0622d930cbb 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log +++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log @@ -275,3 +275,20 @@ "UTCTimestamp": 1581603262 } } +{ + "metadata": { + "customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", + "offset": 9, + "eventType": "AuthActivityAuditEvent", + "eventCreationTime": 1581601820289, + "version": "1.0" + }, + "event": { + "UserId": "alice@company.com", + "UserIp": "N/A", + "OperationName": "selfAcceptEula", + "ServiceName": "CrowdStrike Authentication", + "Success": true, + "UTCTimestamp": 1581601820289 + } +} \ No newline at end of file diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json index 49856354eb7..e08637ea63b 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json +++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json 
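Review bot: The new fixture event only exercises the `UserIp` path of the audit pipelines; nothing in this series feeds a detection-summary event with `LocalIP` set to `N/A` through detection_summary.yml, whose convert is changed in the same way, and falcon-events.log only receives a trailing-newline change in this commit (reverted again in the last one). Adding one such event to falcon-events.log and regenerating falcon-events.log-expected.json would pin that pipeline's behaviour as well. The added event also uses the millisecond value `1581601820289` for `UTCTimestamp`, whereas the preceding event in the context lines carries `1581603262`, which looks like seconds; if the real feed emits seconds here, the fixture may not represent the production shape, so it is worth checking against a captured event.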
@@ -631,5 +631,45 @@ ], "user.email": "alice@company.com", "user.name": "alice@company.com" + }, + { + "crowdstrike.event.OperationName": "selfAcceptEula", + "crowdstrike.event.ServiceName": "CrowdStrike Authentication", + "crowdstrike.event.Success": true, + "crowdstrike.event.UTCTimestamp": "2020-02-13T13:50:20.289Z", + "crowdstrike.event.UserId": "alice@company.com", + "crowdstrike.event.UserIp": "N/A", + "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", + "crowdstrike.metadata.eventCreationTime": "2020-02-13T13:50:20.289Z", + "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", + "crowdstrike.metadata.offset": 9, + "crowdstrike.metadata.version": "1.0", + "event.action": "self_accept_eula", + "event.category": [ + "authentication" + ], + "event.dataset": "crowdstrike.falcon_audit", + "event.kind": "event", + "event.module": "crowdstrike", + "event.outcome": "success", + "event.type": [ + "change" + ], + "fileset.name": "falcon", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 6627, + "message": "CrowdStrike Authentication", + "related.user": [ + "alice@company.com" + ], + "service.type": "crowdstrike", + "tags": [ + "forwarded" + ], + "user.email": "alice@company.com", + "user.name": "alice@company.com" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log index 0980bf0fb60..41e80546095 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log +++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log @@ -91,4 +91,4 @@ ], "UTCTimestamp": 1593186952 } -} +} \ No newline at end of file From 4a4ba5d03db59863a036c3ad9aeef6dcaa679f20 Mon Sep 17 00:00:00 2001 
From: Pasquale D'Agostino <2095574+elauqsap@users.noreply.github.com> Date: Tue, 30 Aug 2022 11:17:24 -0700 Subject: [PATCH 3/4] fixes for tests --- .../module/crowdstrike/falcon/test/falcon-audit-events.log | 2 +- .../falcon/test/falcon-audit-events.log-expected.json | 3 +-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log index 0622d930cbb..eb2b87955bc 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log +++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log @@ -291,4 +291,4 @@ "Success": true, "UTCTimestamp": 1581601820289 } -} \ No newline at end of file +} diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json index e08637ea63b..98ca437b2b2 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json +++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json @@ -638,7 +638,6 @@ "crowdstrike.event.Success": true, "crowdstrike.event.UTCTimestamp": "2020-02-13T13:50:20.289Z", "crowdstrike.event.UserId": "alice@company.com", - "crowdstrike.event.UserIp": "N/A", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", "crowdstrike.metadata.eventCreationTime": "2020-02-13T13:50:20.289Z", "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", @@ -660,7 +659,7 @@ "log.flags": [ "multiline" ], - "log.offset": 6627, + "log.offset": 8094, "message": "CrowdStrike Authentication", "related.user": [ "alice@company.com" From 29c78cf96b68bfb818b1aaf86dc05717332f7b3a Mon Sep 17 00:00:00 2001 
From: Pasquale D'Agostino <2095574+elauqsap@users.noreply.github.com> Date: Tue, 30 Aug 2022 11:19:35 -0700 Subject: [PATCH 4/4] missing newline --- .../filebeat/module/crowdstrike/falcon/test/falcon-events.log | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log index 41e80546095..0980bf0fb60 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log +++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log @@ -91,4 +91,4 @@ ], "UTCTimestamp": 1593186952 } -} \ No newline at end of file +}