

Disable host.* fields by default for CrowdStrike module (#19132) (#19297
)

For the CrowdStrike module, when data is forwarded to Filebeat from another host/device you don't want Filebeat to add `host`. So by default this module adds a `forwarded` tag to events. If you configure the module to not include the `forwarded` tag (e.g. `var.tags: [my_tag]`) then Filebeat will add the `host.*` fields.

Relates: #13920
(cherry picked from commit 59b133e)
andrewkroh authored Jun 26, 2020
1 parent 7858df6 commit 18ee16d
Showing 5 changed files with 467 additions and 389 deletions.
2 changes: 2 additions & 0 deletions CHANGELOG.next.asciidoc
@@ -46,6 +46,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
field. You can revert this change by configuring tags for the module and omitting
`forwarded` from the list. {issue}13920[13920]
* Cisco {pull}18753[18753]
* CrowdStrike {pull}19132[19132]
* iptables {pull}18756[18756]
* Checkpoint {pull}18754[18754]
* Netflow {pull}19087[19087]
* Suricata {pull}19107[19107] (`forwarded` tag is not included by default)
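--- a/x-pack/filebeat/module/crowdstrike/falcon/config/falcon.yml
+++ b/x-pack/filebeat/module/crowdstrike/falcon/config/falcon.yml
@@ -12,6 +12,9 @@ multiline.match: after
 multiline.max_lines: 5000
 multiline.timeout: 10
 
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
 processors:
 - script:
 lang: javascript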
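Review bot: The new `publisher_pipeline.disable_host` line ties suppression of Filebeat's `host.*` fields to the literal `forwarded` tag with no comment explaining the coupling, so an operator who overrides `var.tags` and omits `forwarded` silently re-enables `host.*`, and the collector's own hostname is then attached to events that describe a different endpoint. Suggest a comment above `tags:` such as `# Events are forwarded from another host, so Filebeat's host.* fields would describe the collector, not the endpoint; they are suppressed while the forwarded tag (default in manifest.yml) is present, so override var.tags with care.` The `[forwarded]` default comes from the `tags` var added to manifest.yml in this same commit, which is worth cross-referencing here. The rest of the input configuration lies outside the hunk.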
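--- a/x-pack/filebeat/module/crowdstrike/falcon/manifest.yml
+++ b/x-pack/filebeat/module/crowdstrike/falcon/manifest.yml
@@ -4,5 +4,7 @@ var:
 - name: paths
 default:
 - /var/log/crowdstrike/falconhoseclient/output
+- name: tags
+default: [forwarded]
 
 input: config/falcon.yml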


@@ -1,113 +1,125 @@
[
{
"@timestamp": "2020-02-19T08:30:00.000Z",
"process.pid": 38684386611,
"process.name": "explorer.exe",
"process.command_line": "C:\\Windows\\Explorer.EXE",
"process.executable": "C:\\Windows\\Explorer.EXE",
"process.args": ["C:\\Windows\\Explorer.EXE"],
"event.dataset": "crowdstrike.falcon_endpoint",
"event.kind": "alert",
"event.action": "Prevention, process killed.",
"event.type": ["info"],
"event.category": ["malware"],
"event.severity": 4,
"event.module": "crowdstrike",
"event.url": "https://falcon.crowdstrike.com/ec86abd353824e96765ecbe18eb4f0b4",
"event.outcome": "unknown",
"service.type": "crowdstrike",
"user.name": "alice",
"user.domain": "CORP-DOMAIN",
"rule.description": "Terminated a process related to the deletion of backups, which is often indicative of ransomware activity.",
"rule.name": "Process Terminated",
"log.flags": [
"multiline"
],
"log.offset": 0,
"log.file.path": "falcon-events.log",
"source.ip": "192.168.12.51",
"agent.type": "falcon",
"host.name": "alice-laptop",
"message": "Terminated a process related to the deletion of backups, which is often indicative of ransomware activity.",
"fileset.name": "falcon",
"input.type": "log",
"file.hash.md5": "ac4c51eb24aa95b77f705ab159189e24",
"file.hash.sha256": "6a671b92a69755de6fd063fcbe4ba926d83b49f78c42dbaeed8cdb6bbc57576a",
"threat.tactic.name": "malware",
"threat.technique.name": "ransomware",
"crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b",
"crowdstrike.metadata.offset": 294564,
"crowdstrike.metadata.eventType": "DetectionSummaryEvent",
"crowdstrike.metadata.eventCreationTime": 1582101000000,
"crowdstrike.metadata.version": "1.0",
"crowdstrike.event.ParentProcessId": 38682494050,
"crowdstrike.event.SHA256String": "6a671b92a69755de6fd063fcbe4ba926d83b49f78c42dbaeed8cdb6bbc57576a",
"crowdstrike.event.SensorId": "7c808b4c8878433287eea53d4a8c3268",
"crowdstrike.event.LocalIP": "192.168.12.51",
"crowdstrike.event.FalconHostLink": "https://falcon.crowdstrike.com/ec86abd353824e96765ecbe18eb4f0b4",
"crowdstrike.event.Tactic": "Malware",
"crowdstrike.event.ProcessEndTime": 0,
"crowdstrike.event.Severity": 4,
"crowdstrike.event.CommandLine": "C:\\Windows\\Explorer.EXE",
"crowdstrike.event.Technique": "Ransomware",
"crowdstrike.event.Objective": "Falcon Detection Method",
"crowdstrike.event.ProcessId": 38684386611,
"crowdstrike.event.ComputerName": "alice-laptop",
"crowdstrike.event.DetectDescription": "Terminated a process related to the deletion of backups, which is often indicative of ransomware activity.",
"crowdstrike.event.DetectId": "ldt:ec86abd353824e96765ecbe18eb4f0b4:38655257584",
"crowdstrike.event.DetectName": "Process Terminated",
"crowdstrike.event.FalconHostLink": "https://falcon.crowdstrike.com/ec86abd353824e96765ecbe18eb4f0b4",
"crowdstrike.event.FileName": "explorer.exe",
"crowdstrike.event.FilePath": "\\Device\\HarddiskVolume1\\Windows",
"crowdstrike.event.LocalIP": "192.168.12.51",
"crowdstrike.event.MACAddress": "00-00-00-11-22-33",
"crowdstrike.event.MD5String": "ac4c51eb24aa95b77f705ab159189e24",
"crowdstrike.event.MachineDomain": "CORP-DOMAIN",
"crowdstrike.event.Objective": "Falcon Detection Method",
"crowdstrike.event.ParentProcessId": 38682494050,
"crowdstrike.event.PatternDispositionDescription": "Prevention, process killed.",
"crowdstrike.event.PatternDispositionFlags.Indicator": false,
"crowdstrike.event.PatternDispositionFlags.Detect": false,
"crowdstrike.event.PatternDispositionFlags.InddetMask": false,
"crowdstrike.event.PatternDispositionFlags.Indicator": false,
"crowdstrike.event.PatternDispositionFlags.KillParent": false,
"crowdstrike.event.PatternDispositionFlags.KillProcess": true,
"crowdstrike.event.PatternDispositionFlags.KillSubProcess": false,
"crowdstrike.event.PatternDispositionFlags.KillParent": false,
"crowdstrike.event.PatternDispositionFlags.OperationBlocked": false,
"crowdstrike.event.PatternDispositionFlags.PolicyDisabled": false,
"crowdstrike.event.PatternDispositionFlags.ProcessBlocked": false,
"crowdstrike.event.PatternDispositionFlags.InddetMask": false,
"crowdstrike.event.PatternDispositionFlags.SensorOnly": false,
"crowdstrike.event.PatternDispositionFlags.Rooting": false,
"crowdstrike.event.PatternDispositionFlags.QuarantineMachine": false,
"crowdstrike.event.PatternDispositionFlags.QuarantineFile": false,
"crowdstrike.event.PatternDispositionFlags.PolicyDisabled": false,
"crowdstrike.event.FileName": "explorer.exe",
"crowdstrike.event.MachineDomain": "CORP-DOMAIN",
"crowdstrike.event.PatternDispositionFlags.QuarantineMachine": false,
"crowdstrike.event.PatternDispositionFlags.Rooting": false,
"crowdstrike.event.PatternDispositionFlags.SensorOnly": false,
"crowdstrike.event.PatternDispositionValue": 16,
"crowdstrike.event.ComputerName": "alice-laptop",
"crowdstrike.event.UserName": "alice",
"crowdstrike.event.MD5String": "ac4c51eb24aa95b77f705ab159189e24",
"crowdstrike.event.DetectId": "ldt:ec86abd353824e96765ecbe18eb4f0b4:38655257584",
"crowdstrike.event.MACAddress": "00-00-00-11-22-33",
"crowdstrike.event.ProcessEndTime": 0,
"crowdstrike.event.ProcessId": 38684386611,
"crowdstrike.event.ProcessStartTime": 1536846339,
"crowdstrike.event.DetectName": "Process Terminated",
"crowdstrike.event.SHA256String": "6a671b92a69755de6fd063fcbe4ba926d83b49f78c42dbaeed8cdb6bbc57576a",
"crowdstrike.event.SensorId": "7c808b4c8878433287eea53d4a8c3268",
"crowdstrike.event.Severity": 4,
"crowdstrike.event.SeverityName": "High",
"crowdstrike.event.FilePath": "\\Device\\HarddiskVolume1\\Windows"
},
{
"@timestamp": "2020-03-04T04:17:56.766Z",
"log.offset": 2063,
"log.file.path": "falcon-events.log",
"log.flags": [
"multiline"
"crowdstrike.event.Tactic": "Malware",
"crowdstrike.event.Technique": "Ransomware",
"crowdstrike.event.UserName": "alice",
"crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b",
"crowdstrike.metadata.eventCreationTime": 1582101000000,
"crowdstrike.metadata.eventType": "DetectionSummaryEvent",
"crowdstrike.metadata.offset": 294564,
"crowdstrike.metadata.version": "1.0",
"event.action": "Prevention, process killed.",
"event.category": [
"malware"
],
"event.module": "crowdstrike",
"event.dataset": "crowdstrike.falcon_endpoint",
"event.kind": "alert",
"event.type": ["info"],
"event.category": ["malware"],
"event.action": "incident",
"event.url": "https://falcon.crowdstrike.com/crowdscore/incidents/details/inc:8f69fe9e-b995-4204-95ad-44f9bcf75b6b",
"event.module": "crowdstrike",
"event.outcome": "unknown",
"event.severity": 4,
"event.type": [
"info"
],
"event.url": "https://falcon.crowdstrike.com/ec86abd353824e96765ecbe18eb4f0b4",
"file.hash.md5": "ac4c51eb24aa95b77f705ab159189e24",
"file.hash.sha256": "6a671b92a69755de6fd063fcbe4ba926d83b49f78c42dbaeed8cdb6bbc57576a",
"fileset.name": "falcon",
"input.type": "log",
"log.flags": [
"multiline"
],
"log.offset": 0,
"message": "Terminated a process related to the deletion of backups, which is often indicative of ransomware activity.",
"process.args": [
"C:\\Windows\\Explorer.EXE"
],
"process.command_line": "C:\\Windows\\Explorer.EXE",
"process.executable": "C:\\Windows\\Explorer.EXE",
"process.name": "explorer.exe",
"process.pid": 38684386611,
"rule.description": "Terminated a process related to the deletion of backups, which is often indicative of ransomware activity.",
"rule.name": "Process Terminated",
"service.type": "crowdstrike",
"source.ip": "192.168.12.51",
"tags": [
"forwarded"
],
"threat.tactic.name": "malware",
"threat.technique.name": "ransomware",
"user.domain": "CORP-DOMAIN",
"user.name": "alice"
},
{
"@timestamp": "2020-03-04T04:17:56.766Z",
"crowdstrike.event.FalconHostLink": "https://falcon.crowdstrike.com/crowdscore/incidents/details/inc:8f69fe9e-b995-4204-95ad-44f9bcf75b6b",
"crowdstrike.event.FineScore": 1.2,
"crowdstrike.event.IncidentEndTime": 1583295470,
"crowdstrike.event.IncidentStartTime": 1583295228,
"crowdstrike.event.State": "open",
"crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b",
"crowdstrike.metadata.offset": 1824,
"crowdstrike.metadata.eventType": "IncidentSummaryEvent",
"crowdstrike.metadata.eventCreationTime": 1583295476766,
"crowdstrike.metadata.eventType": "IncidentSummaryEvent",
"crowdstrike.metadata.offset": 1824,
"crowdstrike.metadata.version": "1.0",
"crowdstrike.event.IncidentStartTime": 1583295228,
"crowdstrike.event.IncidentEndTime": 1583295470,
"crowdstrike.event.FalconHostLink": "https://falcon.crowdstrike.com/crowdscore/incidents/details/inc:8f69fe9e-b995-4204-95ad-44f9bcf75b6b",
"crowdstrike.event.State": "open",
"crowdstrike.event.FineScore": 1.2,
"message": "Incident score 1.2",
"event.action": "incident",
"event.category": [
"malware"
],
"event.dataset": "crowdstrike.falcon_endpoint",
"event.kind": "alert",
"event.module": "crowdstrike",
"event.outcome": "unknown",
"event.type": [
"info"
],
"event.url": "https://falcon.crowdstrike.com/crowdscore/incidents/details/inc:8f69fe9e-b995-4204-95ad-44f9bcf75b6b",
"fileset.name": "falcon",
"service.type": "crowdstrike"
"input.type": "log",
"log.flags": [
"multiline"
],
"log.offset": 2063,
"message": "Incident score 1.2",
"service.type": "crowdstrike",
"tags": [
"forwarded"
]
}
]
]

