[Filebeat] Update crowdstrike module #20138

Merged (18 commits), Jul 23, 2020

Conversation

@andrewstucki andrewstucki commented Jul 22, 2020

What does this PR do?

I've been in the crowdstrike module recently anyway and noticed that there was an open issue reporting some parsing errors. I went ahead and just added some fixes for them.

One thing to note--due to normalizing all timestamps to UNIX_MS this is technically a breaking change. Do we want to be more conservative about the normalization?

Checklist

  • [x] My code follows the style guidelines of this project
  • [ ] I have commented my code, particularly in hard-to-understand areas
  • [ ] I have made corresponding changes to the documentation
  • [ ] I have made corresponding change to the default configuration files
  • [x] I have added tests that prove my fix is effective or that my feature works
  • [x] I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Related issues

@elasticmachine
Collaborator

Pinging @elastic/siem (Team:SIEM)

@botelastic botelastic bot added needs_team Indicates that the issue/PR needs a Team:* label and removed needs_team Indicates that the issue/PR needs a Team:* label labels Jul 22, 2020
@elasticmachine
Collaborator

elasticmachine commented Jul 22, 2020

💚 Build Succeeded

Build stats

  • Build Cause: [andrewstucki commented: run tests]

  • Start Time: 2020-07-23T01:58:19.180+0000

  • Duration: 57 min 2 sec

Test stats 🧪

Test Results

  • Failed: 0
  • Passed: 4191
  • Skipped: 562
  • Total: 4753

evt.Delete("message");
evt.Delete("host.name");
dropIfEmpty(evt, "crowdstrike.event.UserIp");
Contributor

Don't think we need this. In the convert it should be "fail_on_error: false", not "ignore_failure: true", then we don't need the dropIfEmpty

Author

Made the change, but are we ok with passing off an empty string in an ip field? You can take a look at the difference in the approach here: a6d288c

cc: @tonymeehan

@tonymeehan

First, I heart you. I had started working on this while I was on PTO but haven't had time to get to it since I've been back. I'll provide some comments

@tonymeehan

These were my changes:

diff --git a/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js b/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js
index 6ef773761..002bb1d33 100644
--- a/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js
+++ b/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js
@@ -34,8 +34,7 @@ var crowdstrikeFalcon = (function() {
             { from: "crowdstrike.event.UserIp", to: "source.ip", type: "ip" },
         ],
         mode: "copy",
-        ignore_missing: true,
-        ignore_failure: true
+        fail_on_error: false,
     });
 
     var parseTimestamp = new processor.Timestamp({
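
Review bot: replacing ignore_missing/ignore_failure with fail_on_error: false changes behaviour on a bad value as well as on a missing one: a UserIp that is present but not a valid IP is now skipped silently too, so the question raised in the thread about an empty string landing in source.ip should be pinned by two fixtures, one with UserIp absent and one with an unparsable value, each asserting that source.ip is left unset. The trailing comma on `fail_on_error: false,` matches the `mode: "copy",` line above it, which is fine.
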
@@ -46,6 +45,14 @@ var crowdstrikeFalcon = (function() {
         ignore_missing: false,
     });
 
+    var parseEventTimestamp = new processor.Timestamp({
+        field: "crowdstrike.event.UTCTimestamp",
+        target_field: "crowdstrike.event.UTCTimestamp",
+        timezone: "UTC",
+        layouts: ["UNIX"],
+        ignore_missing: true,
+    });
+
     var processEvent = function(evt) {
         var eventType = evt.Get("crowdstrike.metadata.eventType")
         var outcome = evt.Get("crowdstrike.event.Success")
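
Review bot: layouts: ["UNIX"] only covers the seconds-resolution form of crowdstrike.event.UTCTimestamp, while the thread notes that AuthActivityAuditEvent events carry it in milliseconds, and a 13-digit value fed through the UNIX layout will not be read as milliseconds. Since both UNIX and UNIX_MS accept a bare integer, listing both layouts cannot disambiguate on its own; either pick the layout from crowdstrike.metadata.eventType or normalise the magnitude before parsing, and add an AuthActivityAuditEvent fixture to the golden tests so the choice is exercised. Because target_field overwrites the source field in place and there is no ignore_failure here, also consider what the event should look like when parsing fails.
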
@@ -172,6 +179,7 @@ var crowdstrikeFalcon = (function() {
     var pipeline = new processor.Chain()
         .Add(decodeJson)
         .Add(parseTimestamp)
+        .Add(parseEventTimestamp)
         .Add(dropFields)
         .Add(convertFields)
         .Add(processEvent)
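
Review bot: parseEventTimestamp is inserted before dropFields and convertFields, consistent with where parseTimestamp sits, but a failure in it surfaces before processEvent has populated the event.* fields; confirm with the test harness that a UTCTimestamp the processor cannot parse still yields an otherwise complete event rather than losing the rest of the chain.
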

It's basically two things.

First, use fail_on_error to ignore missing fields.

Second, convert crowdstrike.event.UTCTimestamp so that it's rendered in the row-rendered view in Elastic Security (it's converted for some reason today in the JSON view but not the row-rendered view).

It might also be good to add event.ingested while we are here given #20073

@andrewstucki
Author

andrewstucki commented Jul 22, 2020

@tonymeehan for the UTCTimestamp field there's a bit of a caveat -- sometimes it's in unix ms format, sometimes it's in unix second format. For example, if we do the parseEventTimestamp version on everything, we fail to parse AuthActivityAuditEvent events because they're in UNIX_MS, not UNIX--it's lame.

Rather than conditionally figuring out which events have unix v. unix ms and potentially missing some, I guess my approach was, "let's just shove all timestamps through this, check to see if they look like UNIX, convert to UNIX_MS and let Elasticsearch translate them into the properly encoded underlying date fields"--thoughts?

Edit:

Here's an example of UTCTimestamp in seconds from the epoch:

Here's an example of UTCTimestamp in milliseconds from the epoch in the same file:

@tonymeehan

@andrewstucki gotcha, thanks for double checking. Like we discussed in Slack, I generally don't like guessing the timestamp format and would prefer to make it conditional based on event type (assuming it's at least consistent at the event level), but perhaps in this case for this data and because we don't have direct access to the product to validate whether the format is consistent for each event type, this is the best option we have to render the time correctly in the product.

@andrewstucki
Author

So, from the sounds of it, the row renderers better support timestamps that are in string format in their source documents, so I just went ahead and ran all of the timestamps we set through the normalization function and made it also stringify the fields.

I can look into adding an event.ingested timestamp to the ingest pipeline as well.
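The seconds-versus-milliseconds normalisation that the two comments above describe (check whether a value looks like UNIX seconds, scale it to UNIX_MS, and stringify the result), written out as an added example; this is not the module's pipeline.js, and the 1e11 cutoff, the plain-object event layout and the sample events are assumptions constructed for illustration.

```javascript
// Added example, not the Beats pipeline. Values below the cutoff are taken
// to be epoch seconds: seconds stay below 1e11 until the year 5138, while
// epoch milliseconds passed 1e11 in 1973, so plausible event timestamps
// fall cleanly on one side. The cutoff itself is an assumption.
const SECONDS_CUTOFF = 1e11;

// Returns the value as a string of epoch milliseconds, or null when the
// input is absent or not a finite non-negative number, so the caller can
// leave the field untouched instead of writing garbage into a date field.
function normalizeEpochToMillisString(value) {
  if (value === null || value === undefined || value === "") {
    return null;
  }
  const n = typeof value === "number" ? value : Number(String(value).trim());
  if (!Number.isFinite(n) || n < 0) {
    return null;
  }
  // Below the cutoff it "looks like" seconds: scale up to milliseconds.
  const millis = n < SECONDS_CUTOFF ? Math.round(n * 1000) : Math.round(n);
  return String(millis);
}

// Constructed sample events modelled on the two shapes the thread mentions:
// a seconds-resolution event and an AuthActivityAuditEvent carrying
// milliseconds, plus one unparsable value. Contents are made up.
const SAMPLE_EVENTS = [
  { metadata: { eventType: "DetectionSummaryEvent" }, event: { UTCTimestamp: 1595412345 } },
  { metadata: { eventType: "AuthActivityAuditEvent" }, event: { UTCTimestamp: 1595412345678 } },
  { metadata: { eventType: "UserActivityAuditEvent" }, event: { UTCTimestamp: "not-a-time" } },
];

// Rewrites event.UTCTimestamp in place and reports whether it changed;
// unparsable values are kept as-is so the original text survives for
// troubleshooting rather than being silently dropped.
function normalizeEventTimestamp(evt) {
  const normalized = normalizeEpochToMillisString(evt.event.UTCTimestamp);
  if (normalized === null) {
    return false;
  }
  evt.event.UTCTimestamp = normalized;
  return true;
}

// Runs the normalisation over a batch and summarises the outcome per event.
function normalizeAll(events) {
  return events.map((evt) => ({
    type: evt.metadata.eventType,
    changed: normalizeEventTimestamp(evt),
    value: evt.event.UTCTimestamp,
  }));
}
```

Running normalizeAll twice over the same events is safe, since a value already in milliseconds is above the cutoff and is left unchanged.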

Contributor

@leehinman leehinman left a comment

Needs a Changelog entry, but code changes LGTM

@andrewstucki andrewstucki requested a review from leehinman July 22, 2020 17:29
@vi-or-die

vi-or-die commented Jul 22, 2020

@tonymeehan & @andrewstucki I have access to the product and am happy to provide anything you may need. Attached is a scrubbed set of sample data, hope this helps!

edit by @gtback: removed the file

@andrewstucki
Author

@vi-or-die thanks a bunch, I'll see about adding those into the test harness and it'll help us identify additional field mappings for SIEM compatibility

@andrewstucki andrewstucki requested a review from leehinman July 22, 2020 20:12
processors:
  - set:
      field: event.ingested
      value: '{{_ingest.timestamp}}'

❤️

Contributor

@leehinman leehinman left a comment

LGTM

@andrewstucki andrewstucki merged commit 5e9a3a5 into elastic:master Jul 23, 2020
andrewstucki pushed a commit to andrewstucki/beats that referenced this pull request Jul 23, 2020
* Update crowdstrike module

(cherry picked from commit 5e9a3a5)
andrewstucki pushed a commit to andrewstucki/beats that referenced this pull request Jul 23, 2020
* Update crowdstrike module

(cherry picked from commit 5e9a3a5)
andrewstucki pushed a commit to andrewstucki/beats that referenced this pull request Jul 23, 2020
* Update crowdstrike module

(cherry picked from commit 5e9a3a5)
andrewstucki pushed a commit that referenced this pull request Jul 23, 2020
* [Filebeat] Update crowdstrike module (#20138)

* Update crowdstrike module

(cherry picked from commit 5e9a3a5)

* Fix up changelog
andrewstucki pushed a commit that referenced this pull request Jul 23, 2020
* [Filebeat] Update crowdstrike module (#20138)

* Update crowdstrike module

(cherry picked from commit 5e9a3a5)

* Fix up changelog
v1v added a commit to v1v/beats that referenced this pull request Jul 27, 2020
…ne-2.0

* upstream/master: (41 commits)
  adding possibility to override content-type checks, it was breaking certain webhooks that is not able to set content-headers at all. Still defaults to application/json (elastic#20232)
  fix: use a fixed worker type for tests (elastic#20130)
  [Ingest Manager] Prepare packaging for endpoint and asc files (elastic#20186)
  [Packetbeat] HTTP: Improve support for 100-continue elastic#15830 (elastic#19349)
  Increase index.max_docvalue_fields_search to 200 (elastic#20218)
  [Ingest Manager] Prevent closing closed reader (elastic#20214)
  [Metricbeat] Use MySQL Host Parser in Query metricset (elastic#20191)
  Testing: Ignore timestamp from cylance/protect dataset (elastic#20211)
  [Filebeat] Ignore cylance.protect timestamps while testing (elastic#20207)
  [CI] remove codecov step (elastic#20102)
  [docs] Indicate that SYSTEM user is required on Windows to use Endpoint (elastic#20172)
  Remove f5/firepass rsa2elk fileset (elastic#20160)
  [Elastic Agent] Improve GRPC stop to be more relaxed. (elastic#20118)
  Fix fileset field prefixing (elastic#20170)
  Fix terminating pod autodiscover issue (elastic#20084)
  Call host parser only once when building light metricsets (elastic#20149)
  [CI] fix null string with contains (elastic#20182)
  [Ingest Manager] Fix failing unit tests on windows (elastic#20127)
  [Filebeat] Update crowdstrike module (elastic#20138)
  [docs] Add x-pack role to relevant metricsets (elastic#20167)
  ...
andrewstucki pushed a commit that referenced this pull request Jul 27, 2020
* [Filebeat] Update crowdstrike module (#20138)

* Update crowdstrike module

(cherry picked from commit 5e9a3a5)

* Fix up changelog

* Fix merge rendering issues
@jsoriano jsoriano added v7.8.2 and removed v7.8.1 labels Jul 28, 2020
v1v added a commit to v1v/beats that referenced this pull request Jul 29, 2020
* upstream/7.9: (32 commits)
  feat(ci): support storing artifacts for PRs in separate dirs (elastic#20282) (elastic#20301)
  Cisco ASA: Fix message 106100 (elastic#20245) (elastic#20277)
  [CI] Change upstream reference (elastic#20296) (elastic#20297)
  [docs] Fix Windows download link for agent (elastic#20258) (elastic#20290)
  Cherry-pick to 7.9: [docs] Rename release highlights to what's new (elastic#20255) (elastic#20285)
  Elastic agent on k8s (elastic#19727) (elastic#20262)
  [Filebeat Module] Defender ATP - Adding dashboard (elastic#20058) (elastic#20093)
  fix: use a fixed worker type for tests (elastic#20130) (elastic#20247)
  [Elastic Agent] Fix Windows powershell install service script (elastic#20203) (elastic#20252)
  [Ingest Manager] Fixed unzip on older windows  (elastic#20088) (elastic#20109)
  adding possibility to override content-type checks, it was breaking certain webhooks that is not able to set content-headers at all. Still defaults to application/json (elastic#20232) (elastic#20237)
  [Filebeat][Gsuite] Make GSuite docs more clear (elastic#19981) (elastic#20067)
  Increase index.max_docvalue_fields_search to 200 (elastic#20218) (elastic#20221)
  Call host parser only once when building light metricsets (elastic#20149) (elastic#20190)
  [Metricbeat] Use MySQL Host Parser in Query metricset (elastic#20191) (elastic#20212)
  [Filebeat] Ignore cylance.protect timestamps while testing (elastic#20207) (elastic#20217)
  [libbeat] Fix write error in ensureWriter.Write (elastic#20112) (elastic#20145)
  Cherry-pick elastic#20127 to 7.9: Fix failing unit tests on windows  (elastic#20180)
  Remove f5/firepass rsa2elk fileset (elastic#20160) (elastic#20206)
  Cherry-pick elastic#20138 to 7.9: [Filebeat] Update crowdstrike module (elastic#20177)
  ...
melchiormoulin pushed a commit to melchiormoulin/beats that referenced this pull request Oct 14, 2020
leweafan pushed a commit to leweafan/beats that referenced this pull request Apr 28, 2023
elastic#20177)

* [Filebeat] Update crowdstrike module (elastic#20138)

* Update crowdstrike module

(cherry picked from commit aa58f2e)

* Fix up changelog
leweafan pushed a commit to leweafan/beats that referenced this pull request Apr 28, 2023
elastic#20178)

* [Filebeat] Update crowdstrike module (elastic#20138)

* Update crowdstrike module

(cherry picked from commit aa58f2e)

* Fix up changelog

* Fix merge rendering issues
Successfully merging this pull request may close these issues.

Crowdstrike Filebeat Module: Parsing Issues
7 participants