From 8c992c508b1bb3c690034b675110e2d595afd19a Mon Sep 17 00:00:00 2001 From: Andrew Kroh Date: Tue, 29 Sep 2020 07:11:22 -0400 Subject: [PATCH] Add IP validation to Security module (#21325) For event 4778 (A session was reconnected to a Window Station) the `winlog.event_data.ClientAddress` could be "LOCAL" which is obviosuly not a valid IP so we don't want to copy it into `source.ip` in that case. Fixes #19627 --- CHANGELOG.next.asciidoc | 1 + .../winlogbeat/module/security/config/winlogbeat-security.js | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 58ca2acb35c..76a7f1edeb6 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -367,6 +367,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Fix invalid IP addresses in DNS query results from Sysmon data. {issue}18432[18432] {pull}18436[18436] - Fields from Winlogbeat modules were not being included in index templates and patterns. {pull}18983[18983] +- Add source.ip validation for event ID 4778 in the Security module. {issue}19627[19627] *Functionbeat* diff --git a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js index 9a117a42f6f..9a0899165b9 100644 --- a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js +++ b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js @@ -1479,11 +1479,12 @@ var security = (function () { fields: [ {from: "winlog.event_data.AccountName", to: "user.name"}, {from: "winlog.event_data.AccountDomain", to: "user.domain"}, - {from: "winlog.event_data.ClientAddress", to: "source.ip"}, + {from: "winlog.event_data.ClientAddress", to: "source.ip", type: "ip"}, {from: "winlog.event_data.ClientName", to: "source.domain"}, {from: "winlog.event_data.LogonID", to: "winlog.logon.id"}, ], ignore_missing: true, + fail_on_error: false, }) .Add(function(evt) { var user = evt.Get("winlog.event_data.AccountName");