From 4c341fded3fd4ee03828d6a439e08ad5dacfa008 Mon Sep 17 00:00:00 2001 From: Andrew Stucki Date: Wed, 22 Jul 2020 09:20:32 -0400 Subject: [PATCH 01/16] Update crowdstrike module --- .../crowdstrike/falcon/_meta/fields.yml | 4 +- .../crowdstrike/falcon/config/pipeline.js | 62 ++++++++++++++----- .../falcon-audit-events.log-expected.json | 10 +-- x-pack/filebeat/module/crowdstrike/fields.go | 2 +- 4 files changed, 55 insertions(+), 23 deletions(-) diff --git a/x-pack/filebeat/module/crowdstrike/falcon/_meta/fields.yml b/x-pack/filebeat/module/crowdstrike/falcon/_meta/fields.yml index 2b32b5d270d..309d7f5b793 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/_meta/fields.yml +++ b/x-pack/filebeat/module/crowdstrike/falcon/_meta/fields.yml @@ -36,7 +36,7 @@ Event data fields for each event and alert. type: group default_field: false - fields: + fields: - name: ProcessStartTime type: date description: > @@ -106,7 +106,7 @@ type: keyword description: > SHA256 sum of the executable associated with the detection. - + - name: MD5String type: keyword description: > diff --git a/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js b/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js index 6ef77376175..390e5ea3ea2 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js +++ b/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js 
@@ -2,11 +2,18 @@ // or more contributor license agreements. Licensed under the Elastic License; // you may not use this file except in compliance with the Elastic License. -var crowdstrikeFalcon = (function() { +var crowdstrikeFalcon = (function () { var processor = require("processor"); - var convertUnderscore = function(text) { - return text.split(/(?=[A-Z])/).join('_').toLowerCase(); + var convertUnderscore = function (text) { + return text.split(/(?=[A-Z])/).join('_').toLowerCase(); + }; + + var convertToMSEpoch = function (evt, field) { + var timestamp = evt.Get(field); + if (timestamp && timestamp < 100000000000) { // check if we have a seconds timestamp, this is roughly 1973 in MS + evt.Put(field, timestamp * 1000); + } }; var decodeJson = new processor.DecodeJSONFields({ @@ -16,11 +23,19 @@ var crowdstrikeFalcon = (function() { max_depth: 8 }); - var dropFields = function(evt) { + var dropIfEmpty = function (evt, field) { + var value = evt.Get(field); + if (value && value === "") { + evt.Delete(field); + } + } + + var dropFields = function (evt) { evt.Delete("message"); evt.Delete("host.name"); + dropIfEmpty(evt, "crowdstrike.event.UserIp"); }; - + var setFields = function (evt) { evt.Put("agent.name", "falcon"); }; @@ -28,10 +43,21 @@ var crowdstrikeFalcon = (function() { var convertFields = new processor.Convert({ fields: [ // DetectionSummaryEvent - { from: "crowdstrike.event.LocalIP", to: "source.ip", type: "ip" }, - { from: "crowdstrike.event.ProcessId", to: "process.pid" }, + { + from: "crowdstrike.event.LocalIP", + to: "source.ip", + type: "ip" + }, + { + from: "crowdstrike.event.ProcessId", + to: "process.pid" + }, // UserActivityAuditEvent and AuthActivityAuditEvent - { from: "crowdstrike.event.UserIp", to: "source.ip", type: "ip" }, + { + from: "crowdstrike.event.UserIp", + to: "source.ip", + type: "ip" + }, ], mode: "copy", ignore_missing: true, 
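Review bot: The bare `100000000000` in `convertToMSEpoch` (first hunk) is the only place the seconds-versus-milliseconds heuristic is explained, and the trailing comment is easy to lose; a named constant with a precise comment reads better: `var MS_EPOCH_THRESHOLD = 100000000000; // 1973-03-03 in ms; every seconds-epoch before year 5138 is below it`. The `timestamp &&` guard also leaves a literal `0` untouched, which is worth stating explicitly in the comment so the skip is recognisably deliberate. In the second hunk the `dropIfEmpty` function expression ends without the `;` its siblings `dropFields` and `setFields` carry.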
@@ -46,7 +72,13 @@ var crowdstrikeFalcon = (function() { ignore_missing: false, }); - var processEvent = function(evt) { + var normalizeEpochMS = function (evt) { + convertToMSEpoch(evt, "crowdstrike.event.StartTimestamp") + convertToMSEpoch(evt, "crowdstrike.event.EndTimestamp") + convertToMSEpoch(evt, "crowdstrike.event.UTCTimestamp") + }; + + var processEvent = function (evt) { var eventType = evt.Get("crowdstrike.metadata.eventType") var outcome = evt.Get("crowdstrike.event.Success") @@ -54,11 +86,9 @@ var crowdstrikeFalcon = (function() { if (outcome === true) { evt.Put("event.outcome", "success") - } - else if (outcome === false) { + } else if (outcome === false) { evt.Put("event.outcome", "failure") - } - else { + } else { evt.Put("event.outcome", "unknown") } @@ -66,7 +96,7 @@ var crowdstrikeFalcon = (function() { case "DetectionSummaryEvent": var tactic = evt.Get("crowdstrike.event.Tactic").toLowerCase() var technique = evt.Get("crowdstrike.event.Technique").toLowerCase() - evt.Put("threat.technique.name", technique) + evt.Put("threat.technique.name", technique) evt.Put("threat.tactic.name", tactic) evt.Put("event.action", evt.Get("crowdstrike.event.PatternDispositionDescription")) @@ -167,14 +197,16 @@ var crowdstrikeFalcon = (function() { default: break; } - } + } var pipeline = new processor.Chain() .Add(decodeJson) .Add(parseTimestamp) + .Add(normalizeEpochMS) .Add(dropFields) .Add(convertFields) .Add(processEvent) + .Add(setFields) .Build(); return { diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json index e515eb46583..675e2d316d1 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json +++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json 
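Review bot: The three statements in the new `normalizeEpochMS` body (first hunk) have no terminating semicolons while `dropFields` and `setFields` in the same file do; the file already leans on ASI in `processEvent` (`var eventType = …` on the next lines), so nothing breaks, but the new function should pick one style. A one-line comment above the function explaining why exactly these three fields are normalised would also help, since the fixtures show them arriving in seconds while `metadata.eventCreationTime` is already milliseconds, e.g. `// these event fields arrive as seconds-epoch in the fixtures; scale them to ms to match eventCreationTime`.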
@@ -3,7 +3,7 @@ "@timestamp": "2020-02-27T19:12:14.000Z", "crowdstrike.event.HostnameField": "hostnameofmachine", "crowdstrike.event.SessionId": "6020260b-0398-4d41-999d-5531b55522de", - "crowdstrike.event.StartTimestamp": 1582830734, + "crowdstrike.event.StartTimestamp": 1582830734000, "crowdstrike.event.UserName": "first.last@company.com", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", "crowdstrike.metadata.eventCreationTime": 1582830734000, @@ -35,7 +35,7 @@ }, { "@timestamp": "2020-02-27T19:12:52.000Z", - "crowdstrike.event.EndTimestamp": 1582830772, + "crowdstrike.event.EndTimestamp": 1582830772000, "crowdstrike.event.HostnameField": "hostnameofmachine", "crowdstrike.event.SessionId": "6020260b-0398-4d41-999d-5531b55522de", "crowdstrike.event.UserName": "first.last@company.com", @@ -94,7 +94,7 @@ "crowdstrike.event.OperationName": "streamStarted", "crowdstrike.event.ServiceName": "Crowdstrike Streaming API", "crowdstrike.event.Success": true, - "crowdstrike.event.UTCTimestamp": 1581542950, + "crowdstrike.event.UTCTimestamp": 1581542950000, "crowdstrike.event.UserId": "api-client-id:1234567890abcdefghijklmnopqrstuvwxyz", "crowdstrike.event.UserIp": "10.10.0.8", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", @@ -219,7 +219,7 @@ ], "crowdstrike.event.OperationName": "update_group", "crowdstrike.event.ServiceName": "groups", - "crowdstrike.event.UTCTimestamp": 1581546248, + "crowdstrike.event.UTCTimestamp": 1581546248000, "crowdstrike.event.UserId": "chris@company.com", "crowdstrike.event.UserIp": "192.168.6.13", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", 
@@ -521,7 +521,7 @@ ], "crowdstrike.event.OperationName": "detection_update", "crowdstrike.event.ServiceName": "detections", - "crowdstrike.event.UTCTimestamp": 1581603262, + "crowdstrike.event.UTCTimestamp": 1581603262000, "crowdstrike.event.UserId": "alice@company.com", "crowdstrike.event.UserIp": "192.168.6.8", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", diff --git a/x-pack/filebeat/module/crowdstrike/fields.go b/x-pack/filebeat/module/crowdstrike/fields.go index e4a1224d75e..4943f2445b1 100644 --- a/x-pack/filebeat/module/crowdstrike/fields.go +++ b/x-pack/filebeat/module/crowdstrike/fields.go @@ -19,5 +19,5 @@ func init() { // AssetCrowdstrike returns asset data. // This is the base64 encoded gzipped contents of module/crowdstrike. func AssetCrowdstrike() string { - return "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" + return "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" } From 665a80be7987b9d00a31e5bc4d6bdc0a0fdf10ad Mon Sep 17 00:00:00 2001 From: Andrew Stucki Date: Wed, 22 Jul 2020 09:34:21 -0400 Subject: [PATCH 02/16] Add in blank UserIP test --- .../crowdstrike/falcon/config/pipeline.js | 2 +- .../crowdstrike/falcon/test/falcon-events.log | 26 +++++++++++ .../test/falcon-events.log-expected.json | 45 +++++++++++++++++++ 3 files changed, 72 insertions(+), 1 deletion(-) diff --git a/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js b/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js index 390e5ea3ea2..51fab997e02 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js +++ b/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js @@ -25,7 +25,7 @@ var crowdstrikeFalcon = (function () { var dropIfEmpty = function (evt, field) { var value = evt.Get(field); - if (value && value === "") { + if (!value || value === "") { evt.Delete(field); } } 
diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log index 7842299bacf..0980bf0fb60 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log +++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log @@ -66,3 +66,29 @@ "FineScore": 1.2 } } +{ + "metadata": { + "customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", + "offset": 22865, + "eventType": "UserActivityAuditEvent", + "eventCreationTime": 1593186952000, + "version": "1.0" + }, + "event": { + "UserId": "Crowdstrike", + "UserIp": "", + "OperationName": "quarantined_file_update", + "ServiceName": "quarantined_files", + "AuditKeyValues": [ + { + "Key": "quarantined_file_id", + "ValueString": "35b35a53da374816a6b471cf09e12019_a076d3121743755f2d4f8d4d5807f0bc013177f7847d09b48e76de88ace08c78" + }, + { + "Key": "action_taken", + "ValueString": "quarantined" + } + ], + "UTCTimestamp": 1593186952 + } +} diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json index 3213435b88c..1f8f46fe648 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json +++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json 
@@ -122,5 +122,50 @@ "tags": [ "forwarded" ] + }, + { + "@timestamp": "2020-06-26T15:55:52.000Z", + "crowdstrike.event.AuditKeyValues": [ + { + "Key": "quarantined_file_id", + "ValueString": "35b35a53da374816a6b471cf09e12019_a076d3121743755f2d4f8d4d5807f0bc013177f7847d09b48e76de88ace08c78" + }, + { + "Key": "action_taken", + "ValueString": "quarantined" + } + ], + "crowdstrike.event.OperationName": "quarantined_file_update", + "crowdstrike.event.ServiceName": "quarantined_files", + "crowdstrike.event.UTCTimestamp": 1593186952000, + "crowdstrike.event.UserId": "Crowdstrike", + "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", + "crowdstrike.metadata.eventCreationTime": 1593186952000, + "crowdstrike.metadata.eventType": "UserActivityAuditEvent", + "crowdstrike.metadata.offset": 22865, + "crowdstrike.metadata.version": "1.0", + "event.action": "user_activity_audit_event", + "event.category": [ + "iam" + ], + "event.dataset": "crowdstrike.falcon_audit", + "event.kind": "event", + "event.module": "crowdstrike", + "event.outcome": "unknown", + "event.type": [ + "change" + ], + "fileset.name": "falcon", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 2579, + "message": "quarantined_file_update", + "service.type": "crowdstrike", + "tags": [ + "forwarded" + ], + "user.name": "Crowdstrike" } ] \ No newline at end of file From a6d288cc20da017ac3f322f7aa4dd98db683f9bb Mon Sep 17 00:00:00 2001 From: Andrew Stucki Date: Wed, 22 Jul 2020 10:52:19 -0400 Subject: [PATCH 03/16] Fix up conversion error with proper fail_on_error usage --- .../module/crowdstrike/falcon/config/pipeline.js | 10 +--------- .../falcon/test/falcon-events.log-expected.json | 1 + 2 files changed, 2 insertions(+), 9 deletions(-) diff --git a/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js b/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js index 51fab997e02..3a350270788 100644 
--- a/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js +++ b/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js @@ -23,17 +23,9 @@ var crowdstrikeFalcon = (function () { max_depth: 8 }); - var dropIfEmpty = function (evt, field) { - var value = evt.Get(field); - if (!value || value === "") { - evt.Delete(field); - } - } - var dropFields = function (evt) { evt.Delete("message"); evt.Delete("host.name"); - dropIfEmpty(evt, "crowdstrike.event.UserIp"); }; var setFields = function (evt) { @@ -61,7 +53,7 @@ var crowdstrikeFalcon = (function () { ], mode: "copy", ignore_missing: true, - ignore_failure: true + fail_on_error: false }); var parseTimestamp = new processor.Timestamp({ diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json index 1f8f46fe648..10fd383b874 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json +++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json @@ -139,6 +139,7 @@ "crowdstrike.event.ServiceName": "quarantined_files", "crowdstrike.event.UTCTimestamp": 1593186952000, "crowdstrike.event.UserId": "Crowdstrike", + "crowdstrike.event.UserIp": "", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", "crowdstrike.metadata.eventCreationTime": 1593186952000, "crowdstrike.metadata.eventType": "UserActivityAuditEvent", From 30cf26dea2d46e0fdf13cad6de684c825be5db62 Mon Sep 17 00:00:00 2001 From: Andrew Stucki Date: Wed, 22 Jul 2020 11:33:07 -0400 Subject: [PATCH 04/16] Add timestamp processing for all timestamps --- .../crowdstrike/falcon/config/pipeline.js | 31 ++++++++--- .../falcon-audit-events.log-expected.json | 52 +++++++++---------- .../test/falcon-events.log-expected.json | 14 ++--- 3 files changed, 56 insertions(+), 41 deletions(-) 
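Review bot: `fail_on_error: false` in the second hunk makes every conversion failure in `convertFields` silent, not only the empty `UserIp` case the fixture exercises: a `LocalIP` or `ProcessId` that does not convert now leaves `source.ip`/`process.pid` unset with no visible error, and nothing in the config records that this is intended. A comment beside the option keeps the decision reviewable, e.g. `// UserIp may be "" on audit events; a value that is not an IP leaves source.ip unset rather than failing the event`. Whether the processor continues with the remaining fields after one failure under this setting is not visible here and is worth confirming against the convert processor documentation.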
diff --git a/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js b/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js index 3a350270788..f27e32038cc 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js +++ b/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js @@ -11,8 +11,16 @@ var crowdstrikeFalcon = (function () { var convertToMSEpoch = function (evt, field) { var timestamp = evt.Get(field); - if (timestamp && timestamp < 100000000000) { // check if we have a seconds timestamp, this is roughly 1973 in MS - evt.Put(field, timestamp * 1000); + if (timestamp) { + if (timestamp < 100000000000) { // check if we have a seconds timestamp, this is roughly 1973 in MS + evt.Put(field, timestamp * 1000); + } + (new processor.Timestamp({ + field: field, + target_field: field, + timezone: "UTC", + layouts: ["UNIX_MS"] + })).Run(evt); } }; @@ -56,18 +64,25 @@ var crowdstrikeFalcon = (function () { fail_on_error: false }); - var parseTimestamp = new processor.Timestamp({ - field: "crowdstrike.metadata.eventCreationTime", - target_field: "@timestamp", - timezone: "UTC", - layouts: ["UNIX_MS"], + var addTimestamp = new processor.Convert({ + fields: [{ + from: "crowdstrike.metadata.eventCreationTime", + to: "@timestamp", + }], + mode: "copy", ignore_missing: false, + fail_on_error: true }); var normalizeEpochMS = function (evt) { + convertToMSEpoch(evt, "crowdstrike.event.ProcessStartTime") + convertToMSEpoch(evt, "crowdstrike.event.ProcessEndTime") + convertToMSEpoch(evt, "crowdstrike.event.IncidentStartTime") + convertToMSEpoch(evt, "crowdstrike.event.IncidentEndTime") convertToMSEpoch(evt, "crowdstrike.event.StartTimestamp") convertToMSEpoch(evt, "crowdstrike.event.EndTimestamp") convertToMSEpoch(evt, "crowdstrike.event.UTCTimestamp") + convertToMSEpoch(evt, "crowdstrike.metadata.eventCreationTime") }; var processEvent = function (evt) { 
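Review bot: `convertToMSEpoch` in the first hunk constructs a fresh `processor.Timestamp` for every field of every event, and `normalizeEpochMS` now calls it eight times per event; the configuration never varies for a given `field`, so one instance per field, built on first use and cached, does the same work with the construction cost paid once. The `if (timestamp)` guard deliberately leaves `0` alone (the fixture's `ProcessEndTime: 0` stays `0` in the expected output further down), which deserves a comment so it is not later "fixed". `Run(evt)` is invoked without `ignore_failure`, so a non-epoch value that passes the truthiness check presumably fails the whole event; confirm that is the wanted outcome.
```javascript
    // one Timestamp processor per normalised field, built on first use
    var epochParsers = {};

    var convertToMSEpoch = function (evt, field) {
        var timestamp = evt.Get(field);
        if (!timestamp) { // 0, null and undefined are left untouched on purpose
            return;
        }
        if (timestamp < 100000000000) { // seconds-epoch: anything below ~1973 in ms
            evt.Put(field, timestamp * 1000);
        }
        if (!epochParsers[field]) {
            epochParsers[field] = new processor.Timestamp({
                field: field,
                target_field: field,
                timezone: "UTC",
                layouts: ["UNIX_MS"]
            });
        }
        epochParsers[field].Run(evt);
    };
    // … unchanged: decodeJson, dropFields, setFields, convertFields …
```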
@@ -193,9 +208,9 @@ var crowdstrikeFalcon = (function () { var pipeline = new processor.Chain() .Add(decodeJson) - .Add(parseTimestamp) .Add(normalizeEpochMS) .Add(dropFields) + .Add(addTimestamp) .Add(convertFields) .Add(processEvent) .Add(setFields) diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json index 675e2d316d1..c625bd2c4b4 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json +++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json @@ -3,10 +3,10 @@ "@timestamp": "2020-02-27T19:12:14.000Z", "crowdstrike.event.HostnameField": "hostnameofmachine", "crowdstrike.event.SessionId": "6020260b-0398-4d41-999d-5531b55522de", - "crowdstrike.event.StartTimestamp": 1582830734000, + "crowdstrike.event.StartTimestamp": "2020-02-27T19:12:14.000Z", "crowdstrike.event.UserName": "first.last@company.com", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.eventCreationTime": 1582830734000, + "crowdstrike.metadata.eventCreationTime": "2020-02-27T19:12:14.000Z", "crowdstrike.metadata.eventType": "RemoteResponseSessionStartEvent", "crowdstrike.metadata.offset": 1045, "crowdstrike.metadata.version": "1.0", 
@@ -35,12 +35,12 @@ }, { "@timestamp": "2020-02-27T19:12:52.000Z", - "crowdstrike.event.EndTimestamp": 1582830772000, + "crowdstrike.event.EndTimestamp": "2020-02-27T19:12:52.000Z", "crowdstrike.event.HostnameField": "hostnameofmachine", "crowdstrike.event.SessionId": "6020260b-0398-4d41-999d-5531b55522de", "crowdstrike.event.UserName": "first.last@company.com", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.eventCreationTime": 1582830772000, + "crowdstrike.metadata.eventCreationTime": "2020-02-27T19:12:52.000Z", "crowdstrike.metadata.eventType": "RemoteResponseSessionEndEvent", "crowdstrike.metadata.offset": 1046, "crowdstrike.metadata.version": "1.0", @@ -94,11 +94,11 @@ "crowdstrike.event.OperationName": "streamStarted", "crowdstrike.event.ServiceName": "Crowdstrike Streaming API", "crowdstrike.event.Success": true, - "crowdstrike.event.UTCTimestamp": 1581542950000, + "crowdstrike.event.UTCTimestamp": "2020-02-12T21:29:10.000Z", "crowdstrike.event.UserId": "api-client-id:1234567890abcdefghijklmnopqrstuvwxyz", "crowdstrike.event.UserIp": "10.10.0.8", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.eventCreationTime": 1581542950710, + "crowdstrike.metadata.eventCreationTime": "2020-02-12T21:29:10.710Z", "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", "crowdstrike.metadata.offset": 0, "crowdstrike.metadata.version": "1.0", 
@@ -132,11 +132,11 @@ "crowdstrike.event.OperationName": "twoFactorAuthenticate", "crowdstrike.event.ServiceName": "CrowdStrike Authentication", "crowdstrike.event.Success": true, - "crowdstrike.event.UTCTimestamp": 1581543577147, + "crowdstrike.event.UTCTimestamp": "2020-02-12T21:39:37.147Z", "crowdstrike.event.UserId": "alice@company.com", "crowdstrike.event.UserIp": "192.168.6.8", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.eventCreationTime": 1581543577147, + "crowdstrike.metadata.eventCreationTime": "2020-02-12T21:39:37.147Z", "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", "crowdstrike.metadata.offset": 1, "crowdstrike.metadata.version": "1.0", @@ -171,11 +171,11 @@ "crowdstrike.event.OperationName": "twoFactorAuthenticate", "crowdstrike.event.ServiceName": "CrowdStrike Authentication", "crowdstrike.event.Success": true, - "crowdstrike.event.UTCTimestamp": 1581545677554, + "crowdstrike.event.UTCTimestamp": "2020-02-12T22:14:37.554Z", "crowdstrike.event.UserId": "bob@company.com", "crowdstrike.event.UserIp": "192.168.6.3", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.eventCreationTime": 1581545677554, + "crowdstrike.metadata.eventCreationTime": "2020-02-12T22:14:37.554Z", "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", "crowdstrike.metadata.offset": 2, "crowdstrike.metadata.version": "1.0", 
@@ -219,11 +219,11 @@ ], "crowdstrike.event.OperationName": "update_group", "crowdstrike.event.ServiceName": "groups", - "crowdstrike.event.UTCTimestamp": 1581546248000, + "crowdstrike.event.UTCTimestamp": "2020-02-12T22:24:08.000Z", "crowdstrike.event.UserId": "chris@company.com", "crowdstrike.event.UserIp": "192.168.6.13", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.eventCreationTime": 1581546248000, + "crowdstrike.metadata.eventCreationTime": "2020-02-12T22:24:08.000Z", "crowdstrike.metadata.eventType": "UserActivityAuditEvent", "crowdstrike.metadata.offset": 3, "crowdstrike.metadata.version": "1.0", @@ -264,11 +264,11 @@ "crowdstrike.event.OperationName": "requestResetPassword", "crowdstrike.event.ServiceName": "CrowdStrike Authentication", "crowdstrike.event.Success": true, - "crowdstrike.event.UTCTimestamp": 1581601312140, + "crowdstrike.event.UTCTimestamp": "2020-02-13T13:41:52.140Z", "crowdstrike.event.UserId": "alice@company.com", "crowdstrike.event.UserIp": "192.168.6.8", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.eventCreationTime": 1581601312140, + "crowdstrike.metadata.eventCreationTime": "2020-02-13T13:41:52.140Z", "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", "crowdstrike.metadata.offset": 4, "crowdstrike.metadata.version": "1.0", 
@@ -303,11 +303,11 @@ "crowdstrike.event.OperationName": "twoFactorAuthenticate", "crowdstrike.event.ServiceName": "CrowdStrike Authentication", "crowdstrike.event.Success": true, - "crowdstrike.event.UTCTimestamp": 1581601341730, + "crowdstrike.event.UTCTimestamp": "2020-02-13T13:42:21.730Z", "crowdstrike.event.UserId": "alice@company.com", "crowdstrike.event.UserIp": "192.168.6.8", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.eventCreationTime": 1581601341730, + "crowdstrike.metadata.eventCreationTime": "2020-02-13T13:42:21.730Z", "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", "crowdstrike.metadata.offset": 5, "crowdstrike.metadata.version": "1.0", @@ -348,11 +348,11 @@ "crowdstrike.event.OperationName": "changePassword", "crowdstrike.event.ServiceName": "CrowdStrike Authentication", "crowdstrike.event.Success": true, - "crowdstrike.event.UTCTimestamp": 1581601520236, + "crowdstrike.event.UTCTimestamp": "2020-02-13T13:45:20.236Z", "crowdstrike.event.UserId": "alice@company.com", "crowdstrike.event.UserIp": "192.168.6.8", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.eventCreationTime": 1581601520236, + "crowdstrike.metadata.eventCreationTime": "2020-02-13T13:45:20.236Z", "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", "crowdstrike.metadata.offset": 6, "crowdstrike.metadata.version": "1.0", 
@@ -387,11 +387,11 @@ "crowdstrike.event.OperationName": "userAuthenticate", "crowdstrike.event.ServiceName": "CrowdStrike Authentication", "crowdstrike.event.Success": true, - "crowdstrike.event.UTCTimestamp": 1581601572362, + "crowdstrike.event.UTCTimestamp": "2020-02-13T13:46:12.362Z", "crowdstrike.event.UserId": "alice@company.com", "crowdstrike.event.UserIp": "192.168.6.8", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.eventCreationTime": 1581601572362, + "crowdstrike.metadata.eventCreationTime": "2020-02-13T13:46:12.362Z", "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", "crowdstrike.metadata.offset": 7, "crowdstrike.metadata.version": "1.0", @@ -426,11 +426,11 @@ "crowdstrike.event.OperationName": "twoFactorAuthenticate", "crowdstrike.event.ServiceName": "CrowdStrike Authentication", "crowdstrike.event.Success": true, - "crowdstrike.event.UTCTimestamp": 1581601814754, + "crowdstrike.event.UTCTimestamp": "2020-02-13T13:50:14.754Z", "crowdstrike.event.UserId": "alice@company.com", "crowdstrike.event.UserIp": "192.168.6.8", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.eventCreationTime": 1581601814754, + "crowdstrike.metadata.eventCreationTime": "2020-02-13T13:50:14.754Z", "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", "crowdstrike.metadata.offset": 8, "crowdstrike.metadata.version": "1.0", 
@@ -465,11 +465,11 @@ "crowdstrike.event.OperationName": "selfAcceptEula", "crowdstrike.event.ServiceName": "CrowdStrike Authentication", "crowdstrike.event.Success": true, - "crowdstrike.event.UTCTimestamp": 1581601820289, + "crowdstrike.event.UTCTimestamp": "2020-02-13T13:50:20.289Z", "crowdstrike.event.UserId": "alice@company.com", "crowdstrike.event.UserIp": "192.168.6.8", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.eventCreationTime": 1581601820289, + "crowdstrike.metadata.eventCreationTime": "2020-02-13T13:50:20.289Z", "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", "crowdstrike.metadata.offset": 9, "crowdstrike.metadata.version": "1.0", @@ -521,11 +521,11 @@ ], "crowdstrike.event.OperationName": "detection_update", "crowdstrike.event.ServiceName": "detections", - "crowdstrike.event.UTCTimestamp": 1581603262000, + "crowdstrike.event.UTCTimestamp": "2020-02-13T14:14:22.000Z", "crowdstrike.event.UserId": "alice@company.com", "crowdstrike.event.UserIp": "192.168.6.8", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.eventCreationTime": 1581603262000, + "crowdstrike.metadata.eventCreationTime": "2020-02-13T14:14:22.000Z", "crowdstrike.metadata.eventType": "UserActivityAuditEvent", "crowdstrike.metadata.offset": 10, "crowdstrike.metadata.version": "1.0", diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json index 10fd383b874..8beb0d2882b 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json +++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json 
@@ -32,7 +32,7 @@ "crowdstrike.event.PatternDispositionValue": 16, "crowdstrike.event.ProcessEndTime": 0, "crowdstrike.event.ProcessId": 38684386611, - "crowdstrike.event.ProcessStartTime": 1536846339, + "crowdstrike.event.ProcessStartTime": "2018-09-13T13:45:39.000Z", "crowdstrike.event.SHA256String": "6a671b92a69755de6fd063fcbe4ba926d83b49f78c42dbaeed8cdb6bbc57576a", "crowdstrike.event.SensorId": "7c808b4c8878433287eea53d4a8c3268", "crowdstrike.event.Severity": 4, @@ -41,7 +41,7 @@ "crowdstrike.event.Technique": "Ransomware", "crowdstrike.event.UserName": "alice", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.eventCreationTime": 1582101000000, + "crowdstrike.metadata.eventCreationTime": "2020-02-19T08:30:00.000Z", "crowdstrike.metadata.eventType": "DetectionSummaryEvent", "crowdstrike.metadata.offset": 294564, "crowdstrike.metadata.version": "1.0", @@ -91,11 +91,11 @@ "@timestamp": "2020-03-04T04:17:56.766Z", "crowdstrike.event.FalconHostLink": "https://falcon.crowdstrike.com/crowdscore/incidents/details/inc:8f69fe9e-b995-4204-95ad-44f9bcf75b6b", "crowdstrike.event.FineScore": 1.2, - "crowdstrike.event.IncidentEndTime": 1583295470, - "crowdstrike.event.IncidentStartTime": 1583295228, + "crowdstrike.event.IncidentEndTime": "2020-03-04T04:17:50.000Z", + "crowdstrike.event.IncidentStartTime": "2020-03-04T04:13:48.000Z", "crowdstrike.event.State": "open", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.eventCreationTime": 1583295476766, + "crowdstrike.metadata.eventCreationTime": "2020-03-04T04:17:56.766Z", "crowdstrike.metadata.eventType": "IncidentSummaryEvent", "crowdstrike.metadata.offset": 1824, "crowdstrike.metadata.version": "1.0", 
@@ -137,11 +137,11 @@ ], "crowdstrike.event.OperationName": "quarantined_file_update", "crowdstrike.event.ServiceName": "quarantined_files", - "crowdstrike.event.UTCTimestamp": 1593186952000, + "crowdstrike.event.UTCTimestamp": "2020-06-26T15:55:52.000Z", "crowdstrike.event.UserId": "Crowdstrike", "crowdstrike.event.UserIp": "", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.eventCreationTime": 1593186952000, + "crowdstrike.metadata.eventCreationTime": "2020-06-26T15:55:52.000Z", "crowdstrike.metadata.eventType": "UserActivityAuditEvent", "crowdstrike.metadata.offset": 22865, "crowdstrike.metadata.version": "1.0", From 2151eeabf542821acbf5112543608bfa11f04ef4 Mon Sep 17 00:00:00 2001 From: Andrew Stucki Date: Wed, 22 Jul 2020 11:43:51 -0400 Subject: [PATCH 05/16] Add event ingested timestamp --- .../crowdstrike/falcon/ingest/pipeline.yml | 9 +++++++ .../module/suricata/eve/ingest/pipeline.yml | 24 +++++++++---------- 2 files changed, 21 insertions(+), 12 deletions(-) create mode 100644 x-pack/filebeat/module/crowdstrike/falcon/ingest/pipeline.yml diff --git a/x-pack/filebeat/module/crowdstrike/falcon/ingest/pipeline.yml b/x-pack/filebeat/module/crowdstrike/falcon/ingest/pipeline.yml new file mode 100644 index 00000000000..767db49afc1 --- /dev/null +++ b/x-pack/filebeat/module/crowdstrike/falcon/ingest/pipeline.yml @@ -0,0 +1,9 @@ +description: Ingest pipeline for normalizing CrowdStrike Falcon logs +processors: + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' +on_failure: + - set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml b/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml index 7f0b1983fab..c6b5dbfe5d7 100644 --- a/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml +++ b/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml 
@@ -3,9 +3,9 @@ description: Pipeline for parsing Suricata EVE logs processors: - set: - value: "{{suricata.eve.http.http_method}}" + value: '{{suricata.eve.http.http_method}}' field: http.request.method - if: "ctx?.suricata?.eve?.http?.http_method != null" + if: 'ctx?.suricata?.eve?.http?.http_method != null' - rename: field: suricata.eve.http.status target_field: http.response.status_code @@ -73,24 +73,24 @@ processors: ignore_missing: true - set: field: rule.category - value: "{{suricata.eve.alert.category}}" + value: '{{suricata.eve.alert.category}}' ignore_empty_value: true - set: field: rule.id - value: "{{suricata.eve.alert.signature_id}}" + value: '{{suricata.eve.alert.signature_id}}' ignore_empty_value: true - set: field: rule.name - value: "{{suricata.eve.alert.signature}}" + value: '{{suricata.eve.alert.signature}}' ignore_empty_value: true - set: field: suricata.eve.alert.action value: denied - if: "ctx?.suricata?.eve?.alert?.action == 'blocked'" + if: "ctx?.suricata?.eve?.alert?.action == 'blocked'" - append: field: event.type - value: "{{suricata.eve.alert.action}}" - if: "ctx?.suricata?.eve?.alert?.action != null" + value: '{{suricata.eve.alert.action}}' + if: 'ctx?.suricata?.eve?.alert?.action != null' - remove: field: suricata.eve.alert.action ignore_failure: true @@ -221,16 +221,16 @@ processors: ignore_missing: true - split: field: tls.server.hash.sha1 - separator: ":" + separator: ':' ignore_missing: true - join: field: tls.server.hash.sha1 - separator: "" + separator: '' ignore_failure: true - append: field: related.hash - value: "{{tls.server.hash.sha1}}" - if: "ctx?.tls?.server?.hash?.sha1 != null" + value: '{{tls.server.hash.sha1}}' + if: 'ctx?.tls?.server?.hash?.sha1 != null' - remove: field: - suricata.eve.app_proto From 8b4b57a28160108c45966bba19e9ee779a83853f Mon Sep 17 00:00:00 2001 
From: Andrew Stucki Date: Wed, 22 Jul 2020 11:46:43 -0400 Subject: [PATCH 06/16] Add Changelog entry --- CHANGELOG.next.asciidoc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index b9ac5a369bf..adec4709566 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -219,6 +219,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Fix S3 input to trim delimiter /n from each log line. {pull}19972[19972] - Ignore missing in Zeek module when dropping unecessary fields. {pull}19984[19984] - Fix Filebeat OOMs on very long lines {issue}19500[19500], {pull}19552[19552] +- Fix millisecond timestamp normalization issues in CrowdStrike module {issue}20035[20035], {pull}20138[20138] *Heartbeat* @@ -485,6 +486,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add experimental dataset squid/log for Squid Proxy Server logs {pull}19713[19713] - Add experimental dataset zscaler/zia for Zscaler Internet Access logs {pull}19713[19713] - Add initial support for configurable file identity tracking. {pull}18748[18748] +- Add event.ingested for CrowdStrike module {pull}20138[20138] *Heartbeat* From cc8f478412329f2369f593ff6a4acbe813f8519f Mon Sep 17 00:00:00 2001 From: Andrew Stucki Date: Wed, 22 Jul 2020 11:52:25 -0400 Subject: [PATCH 07/16] Revert accidentally touching suricata pipeline --- .../module/suricata/eve/ingest/pipeline.yml | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml b/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml index c6b5dbfe5d7..7f0b1983fab 100644 --- a/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml +++ b/x-pack/filebeat/module/suricata/eve/ingest/pipeline.yml 
@@ -3,9 +3,9 @@ description: Pipeline for parsing Suricata EVE logs processors: - set: - value: '{{suricata.eve.http.http_method}}' + value: "{{suricata.eve.http.http_method}}" field: http.request.method - if: 'ctx?.suricata?.eve?.http?.http_method != null' + if: "ctx?.suricata?.eve?.http?.http_method != null" - rename: field: suricata.eve.http.status target_field: http.response.status_code @@ -73,24 +73,24 @@ processors: ignore_missing: true - set: field: rule.category - value: '{{suricata.eve.alert.category}}' + value: "{{suricata.eve.alert.category}}" ignore_empty_value: true - set: field: rule.id - value: '{{suricata.eve.alert.signature_id}}' + value: "{{suricata.eve.alert.signature_id}}" ignore_empty_value: true - set: field: rule.name - value: '{{suricata.eve.alert.signature}}' + value: "{{suricata.eve.alert.signature}}" ignore_empty_value: true - set: field: suricata.eve.alert.action value: denied - if: "ctx?.suricata?.eve?.alert?.action == 'blocked'" + if: "ctx?.suricata?.eve?.alert?.action == 'blocked'" - append: field: event.type - value: '{{suricata.eve.alert.action}}' - if: 'ctx?.suricata?.eve?.alert?.action != null' + value: "{{suricata.eve.alert.action}}" + if: "ctx?.suricata?.eve?.alert?.action != null" - remove: field: suricata.eve.alert.action ignore_failure: true @@ -221,16 +221,16 @@ processors: ignore_missing: true - split: field: tls.server.hash.sha1 - separator: ':' + separator: ":" ignore_missing: true - join: field: tls.server.hash.sha1 - separator: '' + separator: "" ignore_failure: true - append: field: related.hash - value: '{{tls.server.hash.sha1}}' - if: 'ctx?.tls?.server?.hash?.sha1 != null' + value: "{{tls.server.hash.sha1}}" + if: "ctx?.tls?.server?.hash?.sha1 != null" - remove: field: - suricata.eve.app_proto From 0c625ee9cf39376e77f183f8293a81559ab4fd99 Mon Sep 17 00:00:00 2001 
From: Andrew Stucki Date: Wed, 22 Jul 2020 13:26:36 -0400 Subject: [PATCH 08/16] Fix up integration tests --- filebeat/tests/system/test_modules.py | 10 ++++----- .../crowdstrike/falcon/ingest/pipeline.yml | 22 +++++++++++++++++++ .../module/crowdstrike/falcon/manifest.yml | 1 + .../falcon-audit-events.log-expected.json | 13 +++++++++++ .../test/falcon-events.log-expected.json | 4 +++- 5 files changed, 44 insertions(+), 6 deletions(-) diff --git a/filebeat/tests/system/test_modules.py b/filebeat/tests/system/test_modules.py index a894290d37c..7a980b9ba3d 100644 --- a/filebeat/tests/system/test_modules.py +++ b/filebeat/tests/system/test_modules.py @@ -239,6 +239,9 @@ def clean_keys(obj): "redis.log", "system.auth", "system.syslog", + "microsoft.defender_atp", + "crowdstrike.falcon_endpoint", + "crowdstrike.falcon_audit", } # dataset + log file pairs for which @timestamp is kept as an exception from above remove_timestamp_exception = { @@ -265,6 +268,8 @@ def clean_keys(obj): delete_key(obj, "@timestamp") # Also remove alternate time field from rsa parsers. delete_key(obj, "rsa.time.event_time") + # Remove event.ingested from testing, as it will never be the same. + delete_key(obj, "event.ingested") else: # excluded events need to have their filename saved to the expected.json # so that the exception mechanism can be triggered when the json is @@ -276,11 +281,6 @@ def clean_keys(obj): if "event.end" not in obj: delete_key(obj, "@timestamp") - # Remove event.ingested from testing, as it will never be the same. - if obj["event.dataset"] == "microsoft.defender_atp": - delete_key(obj, "event.ingested") - delete_key(obj, "@timestamp") - if obj["event.module"] == "gsuite": delete_key(obj, "event.ingested") diff --git a/x-pack/filebeat/module/crowdstrike/falcon/ingest/pipeline.yml b/x-pack/filebeat/module/crowdstrike/falcon/ingest/pipeline.yml index 767db49afc1..3aa632ab715 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/ingest/pipeline.yml 
+++ b/x-pack/filebeat/module/crowdstrike/falcon/ingest/pipeline.yml @@ -3,6 +3,28 @@ processors: - set: field: event.ingested value: '{{_ingest.timestamp}}' + - script: + lang: painless + if: ctx?.crowdstrike?.event != null + params: + values: + - null + - '' + - '-' + - 'N/A' + source: | + ctx.crowdstrike.event.entrySet().removeIf(entry -> params.values.contains(entry.getValue())); + - script: + lang: painless + if: ctx?.crowdstrike?.metadata != null + params: + values: + - null + - '' + - '-' + - 'N/A' + source: | + ctx.crowdstrike.metadata.entrySet().removeIf(entry -> params.values.contains(entry.getValue())); on_failure: - set: field: error.message diff --git a/x-pack/filebeat/module/crowdstrike/falcon/manifest.yml b/x-pack/filebeat/module/crowdstrike/falcon/manifest.yml index ab5f880e3a3..905124a0eab 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/manifest.yml +++ b/x-pack/filebeat/module/crowdstrike/falcon/manifest.yml @@ -8,3 +8,4 @@ var: default: [forwarded] input: config/falcon.yml +ingest_pipeline: ingest/pipeline.yml diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json index c625bd2c4b4..bcd90cdb158 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json +++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json @@ -12,6 +12,7 @@ "crowdstrike.metadata.version": "1.0", "event.action": "remote_response_session_start_event", "event.dataset": "crowdstrike.falcon_audit", + "event.ingested": "2020-07-22T16:07:22.471760Z", "event.kind": "event", "event.module": "crowdstrike", "event.outcome": "unknown", 
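Review bot: The two `script` processors strip placeholder values only from the top-level keys of `crowdstrike.event` and `crowdstrike.metadata`; `entrySet().removeIf` does not descend into nested maps or lists, so an empty string inside the `Flags` object or an `AuditKeyValues` entry survives the cleanup. The two scripts are identical apart from the target object, so one script iterating over both objects (or a shared `params.values` list) would keep the placeholder set from drifting. Because this runs on the ingest node after Filebeat's `pipeline.js` has already mapped fields, any ECS field derived from such a placeholder earlier is not touched here; a comment such as `# drops vendor placeholders ('', '-', 'N/A') from the raw objects only; ECS fields derived in pipeline.js are not cleaned` would make that boundary explicit for the next maintainer.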
@@ -46,6 +47,7 @@ "crowdstrike.metadata.version": "1.0", "event.action": "remote_response_session_end_event", "event.dataset": "crowdstrike.falcon_audit", + "event.ingested": "2020-07-22T16:07:22.478195Z", "event.kind": "event", "event.module": "crowdstrike", "event.outcome": "unknown", @@ -107,6 +109,7 @@ "authentication" ], "event.dataset": "crowdstrike.falcon_audit", + "event.ingested": "2020-07-22T16:07:22.479287Z", "event.kind": "event", "event.module": "crowdstrike", "event.outcome": "success", @@ -145,6 +148,7 @@ "authentication" ], "event.dataset": "crowdstrike.falcon_audit", + "event.ingested": "2020-07-22T16:07:22.480239Z", "event.kind": "event", "event.module": "crowdstrike", "event.outcome": "success", @@ -184,6 +188,7 @@ "authentication" ], "event.dataset": "crowdstrike.falcon_audit", + "event.ingested": "2020-07-22T16:07:22.481177Z", "event.kind": "event", "event.module": "crowdstrike", "event.outcome": "success", @@ -232,6 +237,7 @@ "iam" ], "event.dataset": "crowdstrike.falcon_audit", + "event.ingested": "2020-07-22T16:07:22.482193Z", "event.kind": "event", "event.module": "crowdstrike", "event.outcome": "unknown", @@ -277,6 +283,7 @@ "authentication" ], "event.dataset": "crowdstrike.falcon_audit", + "event.ingested": "2020-07-22T16:07:22.483103Z", "event.kind": "event", "event.module": "crowdstrike", "event.outcome": "success", @@ -316,6 +323,7 @@ "authentication" ], "event.dataset": "crowdstrike.falcon_audit", + "event.ingested": "2020-07-22T16:07:22.484Z", "event.kind": "event", "event.module": "crowdstrike", "event.outcome": "success", @@ -361,6 +369,7 @@ "authentication" ], "event.dataset": "crowdstrike.falcon_audit", + "event.ingested": "2020-07-22T16:07:22.489492Z", "event.kind": "event", "event.module": "crowdstrike", "event.outcome": "success", 
@@ -400,6 +409,7 @@ "authentication" ], "event.dataset": "crowdstrike.falcon_audit", + "event.ingested": "2020-07-22T16:07:22.493387Z", "event.kind": "event", "event.module": "crowdstrike", "event.outcome": "success", @@ -439,6 +449,7 @@ "authentication" ], "event.dataset": "crowdstrike.falcon_audit", + "event.ingested": "2020-07-22T16:07:22.494263Z", "event.kind": "event", "event.module": "crowdstrike", "event.outcome": "success", @@ -478,6 +489,7 @@ "authentication" ], "event.dataset": "crowdstrike.falcon_audit", + "event.ingested": "2020-07-22T16:07:22.495231Z", "event.kind": "event", "event.module": "crowdstrike", "event.outcome": "success", @@ -534,6 +546,7 @@ "iam" ], "event.dataset": "crowdstrike.falcon_audit", + "event.ingested": "2020-07-22T16:07:22.496040Z", "event.kind": "event", "event.module": "crowdstrike", "event.outcome": "unknown", diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json index 8beb0d2882b..1ed7ac2ca0e 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json +++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json @@ -50,6 +50,7 @@ "malware" ], "event.dataset": "crowdstrike.falcon_endpoint", + "event.ingested": "2020-07-22T16:07:07.997487Z", "event.kind": "alert", "event.module": "crowdstrike", "event.outcome": "unknown", @@ -104,6 +105,7 @@ "malware" ], "event.dataset": "crowdstrike.falcon_endpoint", + "event.ingested": "2020-07-22T16:07:08.106544Z", "event.kind": "alert", "event.module": "crowdstrike", "event.outcome": "unknown", 
@@ -139,7 +141,6 @@ "crowdstrike.event.ServiceName": "quarantined_files", "crowdstrike.event.UTCTimestamp": "2020-06-26T15:55:52.000Z", "crowdstrike.event.UserId": "Crowdstrike", - "crowdstrike.event.UserIp": "", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", "crowdstrike.metadata.eventCreationTime": "2020-06-26T15:55:52.000Z", "crowdstrike.metadata.eventType": "UserActivityAuditEvent", @@ -150,6 +151,7 @@ "iam" ], "event.dataset": "crowdstrike.falcon_audit", + "event.ingested": "2020-07-22T16:07:08.107410Z", "event.kind": "event", "event.module": "crowdstrike", "event.outcome": "unknown", From 13c46c0c13cc4640548a655d3181f348bbb22c53 Mon Sep 17 00:00:00 2001 From: Andrew Stucki Date: Wed, 22 Jul 2020 15:54:34 -0400 Subject: [PATCH 09/16] Update with new crowdstrike samples --- filebeat/tests/system/test_modules.py | 12 +- .../crowdstrike/falcon/_meta/fields.yml | 215 ++++++++- .../crowdstrike/falcon/config/pipeline.js | 72 ++- .../falcon/test/falcon-audit-events.log | 14 +- .../falcon-audit-events.log-expected.json | 36 +- .../test/falcon-events.log-expected.json | 6 - .../crowdstrike/falcon/test/falcon-sample.log | 254 +++++++++++ .../test/falcon-sample.log-expected.json | 420 ++++++++++++++++++ x-pack/filebeat/module/crowdstrike/fields.go | 2 +- 9 files changed, 974 insertions(+), 57 deletions(-) create mode 100644 x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log create mode 100644 x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log-expected.json diff --git a/filebeat/tests/system/test_modules.py b/filebeat/tests/system/test_modules.py index 7a980b9ba3d..dc205e7aa08 100644 --- a/filebeat/tests/system/test_modules.py +++ b/filebeat/tests/system/test_modules.py 
@@ -242,6 +242,14 @@ def clean_keys(obj): "microsoft.defender_atp", "crowdstrike.falcon_endpoint", "crowdstrike.falcon_audit", + "gsuite.admin", + "gsuite.config", + "gsuite.drive", + "gsuite.groups", + "gsuite.ingest", + "gsuite.login", + "gsuite.saml", + "gsuite.user_accounts", } # dataset + log file pairs for which @timestamp is kept as an exception from above remove_timestamp_exception = { @@ -281,10 +289,6 @@ def clean_keys(obj): if "event.end" not in obj: delete_key(obj, "@timestamp") - if obj["event.module"] == "gsuite": - delete_key(obj, "event.ingested") - - def delete_key(obj, key): if key in obj: del obj[key] diff --git a/x-pack/filebeat/module/crowdstrike/falcon/_meta/fields.yml b/x-pack/filebeat/module/crowdstrike/falcon/_meta/fields.yml index 309d7f5b793..6d7daaf1469 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/_meta/fields.yml +++ b/x-pack/filebeat/module/crowdstrike/falcon/_meta/fields.yml @@ -8,7 +8,7 @@ - name: eventType type: keyword description: > - DetectionSummaryEvent, IncidentSummaryEvent, RemoteResponseSessionStartEvent, RemoteResponseSessionEndEvent, AuthActivityAuditEvent, or UserActivityAuditEvent + DetectionSummaryEvent, FirewallMatchEvent, IncidentSummaryEvent, RemoteResponseSessionStartEvent, RemoteResponseSessionEndEvent, AuthActivityAuditEvent, or UserActivityAuditEvent - name: eventCreationTime type: date @@ -102,6 +102,11 @@ description: > Executable path with command line arguments. + - name: SHA1String + type: keyword + description: > + SHA1 sum of the executable associated with the detection. + - name: SHA256String type: keyword description: > @@ -227,6 +232,11 @@ description: > Fields that were changed in this event. + - name: ExecutablesWritten + type: nested + description: > + Detected executables written to disk by a process. + - name: SessionId type: keyword description: 
> @@ -246,3 +256,206 @@ type: date description: > End time for the remote session in UTC UNIX format. + + - name: LateralMovement + type: long + description: > + Lateral movement field for incident. + + - name: ParentImageFileName + type: keyword + description: > + Path to the parent process. + + - name: ParentCommandLine + type: keyword + description: > + Parent process command line arguments. + + - name: GrandparentImageFileName + type: keyword + description: > + Path to the grandparent process. + + - name: GrandparentCommandLine + type: keyword + description: > + Grandparent process command line arguments. + + - name: IOCType + type: keyword + description: > + CrowdStrike type for indicator of compromise. + + - name: IOCValue + type: keyword + description: > + CrowdStrike value for indicator of compromise. + + # FirewallMatchEvent + - name: CustomerId + type: keyword + description: > + Customer identifier. + + - name: DeviceId + type: keyword + description: > + Device on which the event occurred. + + - name: Ipv + type: keyword + description: > + Protocol for network request. + + - name: ConnectionDirection + type: keyword + description: > + Direction for network connection. + + - name: EventType + type: keyword + description: > + CrowdStrike provided event type. + + - name: HostName + type: keyword + description: > + Host name of the local machine. + + - name: ICMPCode + type: keyword + description: > + RFC2780 ICMP Code field. + + - name: ICMPType + type: keyword + description: > + RFC2780 ICMP Type field. + + - name: ImageFileName + type: keyword + description: > + File name of the associated process for the detection. + + - name: PID + type: long + description: > + Associated process id for the detection. + + - name: LocalAddress + type: ip + description: > + IP address of local machine. + + - name: LocalPort + type: long + description: > + Port of local machine. + + - name: RemoteAddress + type: ip + description: > + IP address of remote machine. 
+ + - name: RemotePort + type: long + description: > + Port of remote machine. + + - name: RuleAction + type: keyword + description: > + Firewall rule action. + + - name: RuleDescription + type: keyword + description: > + Firewall rule description. + + - name: RuleFamilyID + type: keyword + description: > + Firewall rule family id. + + - name: RuleGroupName + type: keyword + description: > + Firewall rule group name. + + - name: RuleName + type: keyword + description: > + Firewall rule name. + + - name: RuleId + type: keyword + description: > + Firewall rule id. + + - name: MatchCount + type: long + description: > + Number of firewall rule matches. + + - name: MatchCountSinceLastReport + type: long + description: > + Number of firewall rule matches since the last report. + + - name: Timestamp + type: date + description: > + Firewall rule triggered timestamp. + + # Not entirely sure about the descriptions of the following fields + - name: Flags.Audit + type: boolean + description: > + CrowdStrike audit flag. + + - name: Flags.Log + type: boolean + description: > + CrowdStrike log flag. + + - name: Flags.Monitor + type: boolean + description: > + CrowdStrike monitor flag. + + - name: Protocol + type: keyword + description: > + CrowdStrike provided protocol. + + - name: NetworkProfile + type: keyword + description: > + CrowdStrike network profile. + + - name: PolicyName + type: keyword + description: > + CrowdStrike policy name. + + - name: PolicyID + type: keyword + description: > + CrowdStrike policy id. + + - name: Status + type: keyword + description: > + CrowdStrike status. + + - name: TreeID + type: keyword + description: > + CrowdStrike tree id. + + # RemoteResponseSessionEndEvent + - name: Commands + type: keyword + description: > + Commands run in a remote session. diff --git a/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js b/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js index f27e32038cc..078b84da535 100644 
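Review bot: `ConnectionDirection` is described only as `Direction for network connection.` although the `pipeline.js` change in this same patch keys its inbound/outbound mapping on the literal value `"1"`; recording that in the description, e.g. `Direction for network connection; the module treats "1" as inbound and any other value as outbound.`, keeps the schema and the mapping in step. Several FirewallMatchEvent fields are typed `long` or `date` (`PID`, `LocalPort`, `RemotePort`, `Timestamp`) while the sample log added in this patch carries them as JSON strings, so the types rely on index-time coercion and a short comment noting that would help. The `# Not entirely sure about the descriptions of the following fields` remark ships an acknowledged uncertainty; turning it into a tracked `# TODO(<owner>): confirm Flags.*/Protocol/NetworkProfile semantics against vendor docs` makes it discoverable.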
--- a/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js +++ b/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js @@ -52,12 +52,25 @@ var crowdstrikeFalcon = (function () { from: "crowdstrike.event.ProcessId", to: "process.pid" }, + { + from: "crowdstrike.event.ParentImageFileName", + to: "process.parent.executable" + }, + { + from: "crowdstrike.event.ParentCommandLine", + to: "process.parent.command_line" + }, // UserActivityAuditEvent and AuthActivityAuditEvent { from: "crowdstrike.event.UserIp", to: "source.ip", type: "ip" }, + // FirewallRuleIP4Matched + { + from: "crowdstrike.event.Ipv", + to: "network.type", + }, ], mode: "copy", ignore_missing: true, @@ -85,6 +98,16 @@ var crowdstrikeFalcon = (function () { convertToMSEpoch(evt, "crowdstrike.metadata.eventCreationTime") }; + var normalizeProcess = function (evt) { + var command_line = evt.Get("crowdstrike.event.CommandLine") + var args = command_line.split(' ') + var executable = args[0] + + evt.Put("process.command_line", command_line) + evt.Put("process.args", args) + evt.Put("process.executable", executable) + } + var processEvent = function (evt) { var eventType = evt.Get("crowdstrike.metadata.eventType") var outcome = evt.Get("crowdstrike.event.Success") @@ -117,13 +140,7 @@ var crowdstrikeFalcon = (function () { evt.Put("message", evt.Get("crowdstrike.event.DetectDescription")) evt.Put("process.name", evt.Get("crowdstrike.event.FileName")) - var command_line = evt.Get("crowdstrike.event.CommandLine") - var args = command_line.split(' ') - var executable = args[0] - - evt.Put("process.command_line", command_line) - evt.Put("process.args", args) - evt.Put("process.executable", executable) + normalizeProcess(evt); evt.Put("user.name", evt.Get("crowdstrike.event.UserName")) evt.Put("user.domain", evt.Get("crowdstrike.event.MachineDomain")) 
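Review bot: `normalizeProcess` (hunk `@@ -85,6 +98,16 @@`) calls `command_line.split(' ')` without checking the value, and the `FirewallMatchEvent` sample added in this same patch carries `"CommandLine": ""` while other event types may omit the field entirely: an absent field leaves `command_line` null and `.split` throws, and an empty one writes `process.executable: ""` and `process.args: [""]`, which the ingest-side placeholder cleanup does not remove because it only inspects `crowdstrike.event`. A guard at the top, `if (!command_line) { return; }`, avoids both outcomes. Splitting on a single space also breaks quoted paths that contain spaces (e.g. `C:\Program Files\...`) into several `process.args` entries; that was pre-existing for DetectionSummaryEvent but the helper now serves more event types, so at least a `// NOTE: naive whitespace split; quoted arguments are not honoured` comment should flag it for analysts relying on `process.executable`. The enclosing `crowdstrikeFalcon` IIFE and `processEvent` start and end outside these hunks.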
@@ -164,6 +181,47 @@ var crowdstrikeFalcon = (function () { break; + case "FirewallMatchEvent": + evt.Put("message", "Firewall Rule '" + evt.Get("crowdstrike.event.RuleName") + "' triggered") + + evt.Put("event.category", ["network"]) + evt.Put("event.type", ["connection", "start"]) + evt.Put("event.outcome", ["unknown"]) + evt.Put("event.action", convertUnderscore(eventType)) + evt.Put("event.code", evt.Get("crowdstrike.event.EventType")) + evt.Put("event.dataset", "crowdstrike.falcon_endpoint") + evt.Put("process.pid", evt.Get("crowdstrike.event.PID")) + evt.Put("process.name", evt.Get("crowdstrike.event.ImageFileName")) + + normalizeProcess(evt); + + evt.Put("rule.id", evt.Get("crowdstrike.event.RuleId")) + evt.Put("rule.name", evt.Get("crowdstrike.event.RuleName")) + evt.Put("rule.ruleset", evt.Get("crowdstrike.event.RuleGroupName")) + evt.Put("rule.description", evt.Get("crowdstrike.event.RuleDescription")) + evt.Put("rule.category", evt.Get("crowdstrike.event.RuleFamilyID")) + + evt.Put("host.name", evt.Get("crowdstrike.event.HostName")) + + var localAddress = evt.Get("crowdstrike.event.LocalAddress"); + var localPort = evt.Get("crowdstrike.event.LocalPort"); + var remoteAddress = evt.Get("crowdstrike.event.RemoteAddress"); + var remotePort = evt.Get("crowdstrike.event.RemotePort"); + if (evt.Get("crowdstrike.event.ConnectionDirection") === "1") { + evt.Put("network.direction", "inbound") + evt.Put("source.ip", remoteAddress) + evt.Put("source.port", remotePort) + evt.Put("destination.ip", localAddress) + evt.Put("destination.port", localPort) + } else { + evt.Put("network.direction", "outbound") + evt.Put("destination.ip", remoteAddress) + evt.Put("destination.port", remotePort) + evt.Put("source.ip", localAddress) + evt.Put("source.port", localPort) + } + break; + case "AuthActivityAuditEvent": var userid = evt.Get("crowdstrike.event.UserId") evt.Put("user.name", userid) 
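Review bot: The `FirewallMatchEvent` case writes `event.outcome` as an array, `evt.Put("event.outcome", ["unknown"])`, while ECS `event.outcome` is a single keyword and the expected fixtures elsewhere in this series show it as the plain string `"unknown"`; it should read `evt.Put("event.outcome", "unknown")`. The rule verdict in `crowdstrike.event.RuleAction` is not reflected in `event.type` or `event.outcome`, so a blocked match and a log-only match produce identical ECS events (`["connection", "start"]` for both) — once the vendor's code meanings are confirmed, `RuleAction` should drive an `allowed`/`denied` entry in `event.type`, which is what firewall detections typically key on. `process.pid`, `source.port` and `destination.port` are copied straight from string-valued vendor fields (the sample carries `"PID": "206158879910"` and `"LocalPort": "445"`), relying on index-time coercion rather than the `Convert` processor this file already uses for `ProcessId`. The `switch` and the enclosing `processEvent` function start and end outside this hunk.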
diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log index d23985338fc..1a403c955ce 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log +++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log @@ -150,10 +150,10 @@ ] } } -{ +{ "metadata": { "customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "offset": 5, + "offset": 5, "eventType": "AuthActivityAuditEvent", "eventCreationTime": 1581601341730, "version": "1.0" @@ -167,10 +167,10 @@ "UTCTimestamp": 1581601341730 } } -{ +{ "metadata": { "customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "offset": 6, + "offset": 6, "eventType": "AuthActivityAuditEvent", "eventCreationTime": 1581601520236, "version": "1.0" @@ -183,17 +183,17 @@ "Success": true, "UTCTimestamp": 1581601520236, "AuditKeyValues": [ - { + { "Key": "target_name", "ValueString": "first.last@company.com" } ] } } -{ +{ "metadata": { "customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "offset": 7, + "offset": 7, "eventType": "AuthActivityAuditEvent", "eventCreationTime": 1581601572362, "version": "1.0" diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json index bcd90cdb158..d440e65a373 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json +++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-02-27T19:12:14.000Z", "crowdstrike.event.HostnameField": "hostnameofmachine", "crowdstrike.event.SessionId": "6020260b-0398-4d41-999d-5531b55522de", "crowdstrike.event.StartTimestamp": "2020-02-27T19:12:14.000Z", 
@@ -12,7 +11,6 @@ "crowdstrike.metadata.version": "1.0", "event.action": "remote_response_session_start_event", "event.dataset": "crowdstrike.falcon_audit", - "event.ingested": "2020-07-22T16:07:22.471760Z", "event.kind": "event", "event.module": "crowdstrike", "event.outcome": "unknown", @@ -35,7 +33,6 @@ "user.name": "first.last@company.com" }, { - "@timestamp": "2020-02-27T19:12:52.000Z", "crowdstrike.event.EndTimestamp": "2020-02-27T19:12:52.000Z", "crowdstrike.event.HostnameField": "hostnameofmachine", "crowdstrike.event.SessionId": "6020260b-0398-4d41-999d-5531b55522de", @@ -47,7 +44,6 @@ "crowdstrike.metadata.version": "1.0", "event.action": "remote_response_session_end_event", "event.dataset": "crowdstrike.falcon_audit", - "event.ingested": "2020-07-22T16:07:22.478195Z", "event.kind": "event", "event.module": "crowdstrike", "event.outcome": "unknown", @@ -70,7 +66,6 @@ "user.name": "first.last@company.com" }, { - "@timestamp": "2020-02-12T21:29:10.710Z", "crowdstrike.event.AuditKeyValues": [ { "Key": "APIClientID", @@ -109,7 +104,6 @@ "authentication" ], "event.dataset": "crowdstrike.falcon_audit", - "event.ingested": "2020-07-22T16:07:22.479287Z", "event.kind": "event", "event.module": "crowdstrike", "event.outcome": "success", @@ -131,7 +125,6 @@ "user.name": "api-client-id:1234567890abcdefghijklmnopqrstuvwxyz" }, { - "@timestamp": "2020-02-12T21:39:37.147Z", "crowdstrike.event.OperationName": "twoFactorAuthenticate", "crowdstrike.event.ServiceName": "CrowdStrike Authentication", "crowdstrike.event.Success": true, @@ -148,7 +141,6 @@ "authentication" ], "event.dataset": "crowdstrike.falcon_audit", - "event.ingested": "2020-07-22T16:07:22.480239Z", "event.kind": "event", "event.module": "crowdstrike", "event.outcome": "success", 
@@ -171,7 +163,6 @@ "user.name": "alice@company.com" }, { - "@timestamp": "2020-02-12T22:14:37.554Z", "crowdstrike.event.OperationName": "twoFactorAuthenticate", "crowdstrike.event.ServiceName": "CrowdStrike Authentication", "crowdstrike.event.Success": true, @@ -188,7 +179,6 @@ "authentication" ], "event.dataset": "crowdstrike.falcon_audit", - "event.ingested": "2020-07-22T16:07:22.481177Z", "event.kind": "event", "event.module": "crowdstrike", "event.outcome": "success", @@ -211,7 +201,6 @@ "user.name": "bob@company.com" }, { - "@timestamp": "2020-02-12T22:24:08.000Z", "crowdstrike.event.AuditKeyValues": [ { "Key": "group_id", @@ -237,7 +226,6 @@ "iam" ], "event.dataset": "crowdstrike.falcon_audit", - "event.ingested": "2020-07-22T16:07:22.482193Z", "event.kind": "event", "event.module": "crowdstrike", "event.outcome": "unknown", @@ -260,7 +248,6 @@ "user.name": "chris@company.com" }, { - "@timestamp": "2020-02-13T13:41:52.140Z", "crowdstrike.event.AuditKeyValues": [ { "Key": "target_name", @@ -283,7 +270,6 @@ "authentication" ], "event.dataset": "crowdstrike.falcon_audit", - "event.ingested": "2020-07-22T16:07:22.483103Z", "event.kind": "event", "event.module": "crowdstrike", "event.outcome": "success", @@ -306,7 +292,6 @@ "user.name": "alice@company.com" }, { - "@timestamp": "2020-02-13T13:42:21.730Z", "crowdstrike.event.OperationName": "twoFactorAuthenticate", "crowdstrike.event.ServiceName": "CrowdStrike Authentication", "crowdstrike.event.Success": true, @@ -323,7 +308,6 @@ "authentication" ], "event.dataset": "crowdstrike.falcon_audit", - "event.ingested": "2020-07-22T16:07:22.484Z", "event.kind": "event", "event.module": "crowdstrike", "event.outcome": "success", @@ -346,7 +330,6 @@ "user.name": "alice@company.com" }, { - "@timestamp": "2020-02-13T13:45:20.236Z", "crowdstrike.event.AuditKeyValues": [ { "Key": "target_name", 
@@ -369,7 +352,6 @@ "authentication" ], "event.dataset": "crowdstrike.falcon_audit", - "event.ingested": "2020-07-22T16:07:22.489492Z", "event.kind": "event", "event.module": "crowdstrike", "event.outcome": "success", @@ -381,7 +363,7 @@ "log.flags": [ "multiline" ], - "log.offset": 5003, + "log.offset": 4999, "message": "CrowdStrike Authentication", "service.type": "crowdstrike", "source.ip": "192.168.6.8", @@ -392,7 +374,6 @@ "user.name": "alice@company.com" }, { - "@timestamp": "2020-02-13T13:46:12.362Z", "crowdstrike.event.OperationName": "userAuthenticate", "crowdstrike.event.ServiceName": "CrowdStrike Authentication", "crowdstrike.event.Success": true, @@ -409,7 +390,6 @@ "authentication" ], "event.dataset": "crowdstrike.falcon_audit", - "event.ingested": "2020-07-22T16:07:22.493387Z", "event.kind": "event", "event.module": "crowdstrike", "event.outcome": "success", @@ -421,7 +401,7 @@ "log.flags": [ "multiline" ], - "log.offset": 5657, + "log.offset": 5646, "message": "CrowdStrike Authentication", "service.type": "crowdstrike", "source.ip": "192.168.6.8", @@ -432,7 +412,6 @@ "user.name": "alice@company.com" }, { - "@timestamp": "2020-02-13T13:50:14.754Z", "crowdstrike.event.OperationName": "twoFactorAuthenticate", "crowdstrike.event.ServiceName": "CrowdStrike Authentication", "crowdstrike.event.Success": true, @@ -449,7 +428,6 @@ "authentication" ], "event.dataset": "crowdstrike.falcon_audit", - "event.ingested": "2020-07-22T16:07:22.494263Z", "event.kind": "event", "event.module": "crowdstrike", "event.outcome": "success", @@ -461,7 +439,7 @@ "log.flags": [ "multiline" ], - "log.offset": 6149, + "log.offset": 6134, "message": "CrowdStrike Authentication", "service.type": "crowdstrike", "source.ip": "192.168.6.8", 
@@ -472,7 +450,6 @@ "user.name": "alice@company.com" }, { - "@timestamp": "2020-02-13T13:50:20.289Z", "crowdstrike.event.OperationName": "selfAcceptEula", "crowdstrike.event.ServiceName": "CrowdStrike Authentication", "crowdstrike.event.Success": true, @@ -489,7 +466,6 @@ "authentication" ], "event.dataset": "crowdstrike.falcon_audit", - "event.ingested": "2020-07-22T16:07:22.495231Z", "event.kind": "event", "event.module": "crowdstrike", "event.outcome": "success", @@ -501,7 +477,7 @@ "log.flags": [ "multiline" ], - "log.offset": 6642, + "log.offset": 6627, "message": "CrowdStrike Authentication", "service.type": "crowdstrike", "source.ip": "192.168.6.8", @@ -512,7 +488,6 @@ "user.name": "alice@company.com" }, { - "@timestamp": "2020-02-13T14:14:22.000Z", "crowdstrike.event.AuditKeyValues": [ { "Key": "detection_id", @@ -546,7 +521,6 @@ "iam" ], "event.dataset": "crowdstrike.falcon_audit", - "event.ingested": "2020-07-22T16:07:22.496040Z", "event.kind": "event", "event.module": "crowdstrike", "event.outcome": "unknown", @@ -558,7 +532,7 @@ "log.flags": [ "multiline" ], - "log.offset": 7128, + "log.offset": 7113, "message": "detection_update", "service.type": "crowdstrike", "source.ip": "192.168.6.8", diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json index 1ed7ac2ca0e..a365dbe3b06 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json +++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-02-19T08:30:00.000Z", "crowdstrike.event.CommandLine": "C:\\Windows\\Explorer.EXE", "crowdstrike.event.ComputerName": "alice-laptop", "crowdstrike.event.DetectDescription": "Terminated a process related to the deletion of backups, which is often indicative of ransomware activity.", 
@@ -50,7 +49,6 @@ "malware" ], "event.dataset": "crowdstrike.falcon_endpoint", - "event.ingested": "2020-07-22T16:07:07.997487Z", "event.kind": "alert", "event.module": "crowdstrike", "event.outcome": "unknown", @@ -89,7 +87,6 @@ "user.name": "alice" }, { - "@timestamp": "2020-03-04T04:17:56.766Z", "crowdstrike.event.FalconHostLink": "https://falcon.crowdstrike.com/crowdscore/incidents/details/inc:8f69fe9e-b995-4204-95ad-44f9bcf75b6b", "crowdstrike.event.FineScore": 1.2, "crowdstrike.event.IncidentEndTime": "2020-03-04T04:17:50.000Z", @@ -105,7 +102,6 @@ "malware" ], "event.dataset": "crowdstrike.falcon_endpoint", - "event.ingested": "2020-07-22T16:07:08.106544Z", "event.kind": "alert", "event.module": "crowdstrike", "event.outcome": "unknown", @@ -126,7 +122,6 @@ ] }, { - "@timestamp": "2020-06-26T15:55:52.000Z", "crowdstrike.event.AuditKeyValues": [ { "Key": "quarantined_file_id", @@ -151,7 +146,6 @@ "iam" ], "event.dataset": "crowdstrike.falcon_audit", - "event.ingested": "2020-07-22T16:07:08.107410Z", "event.kind": "event", "event.module": "crowdstrike", "event.outcome": "unknown", diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log new file mode 100644 index 00000000000..efd3b565576 --- /dev/null +++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log 
@@ -0,0 +1,254 @@ +{ + "metadata": { + "customerIDString": "12345a1bc2d34fghi56jk7890lmno12p", + "offset": 70689, + "eventType": "FirewallMatchEvent", + "eventCreationTime": 1595248906000, + "version": "1.0" + }, + "event": { + "DeviceId": "718af202ab2c4ba5b6a5d10d39c0e0a5", + "CustomerId": "12345a1bc2d34fghi56jk7890lmno12p", + "Ipv": "ipv4", + "CommandLine": "", + "ConnectionDirection": "1", + "EventType": "FirewallRuleIP4Matched", + "Flags": { + "Audit": false, + "Log": false, + "Monitor": true + }, + "HostName": "TESTDEVICE01", + "ICMPCode": "", + "ICMPType": "", + "ImageFileName": "", + "LocalAddress": "10.37.60.194", + "LocalPort": "445", + "MatchCount": 1, + "MatchCountSinceLastReport": 1, + "NetworkProfile": "2", + "PID": "206158879910", + "PolicyName": "PROD-FW-Workstations-General", + "PolicyID": "74e7f1552a3a4d90a6d65578642c8584", + "Protocol": "6", + "RemoteAddress": "10.37.60.21", + "RemotePort": "54952", + "RuleAction": "2", + "RuleDescription": "", + "RuleFamilyID": "fec73e96a1bf4481be582c3f89b234fa", + "RuleGroupName": "SMB Rules", + "RuleName": "Inbound SMB Block \u0026 Log Private", + "RuleId": "4877172638743447345", + "Status": "", + "Timestamp": "2020-07-20T12:41:44Z", + "TreeID": "" + } +} +{ + "metadata": { + "customerIDString": "12345a1bc2d34fghi56jk7890lmno12p", + "offset": 57181, + "eventType": "IncidentSummaryEvent", + "eventCreationTime": 1595005328414, + "version": "1.0" + }, + "event": { + "IncidentStartTime": 1595005316, + "IncidentEndTime": 1595005316, + "FalconHostLink": "https://falcon.crowdstrike.com/crowdscore/incidents/details/inc:1234567893cd4e55b3a832ba2140478e:72e291e40c1544d390eabf135d875e54", + "State": "open", + "FineScore": 0.1, + "LateralMovement": 0 + } +} +{ + "metadata": { + "customerIDString": "12345a1bc2d34fghi56jk7890lmno12p", + "offset": 70509, + "eventType": "AuthActivityAuditEvent", + "eventCreationTime": 1595247970093, + "version": "1.0" + }, + "event": { + "UserId": "first.last@company.com", + "UserIp": 
"165.225.220.184", + "OperationName": "saml2Assert", + "ServiceName": "Crowdstrike Authentication", + "Success": true, + "UTCTimestamp": 1595247970, + "AuditKeyValues": [ + { + "Key": "trace_id", + "ValueString": "b0b33836-555c-4e0e-a5ef-d368f6799f6b" + }, + { + "Key": "actor_user", + "ValueString": "first.last@company.com" + }, + { + "Key": "actor_user_uuid", + "ValueString": "123ab141-fab1-41c9-85c5-43a1ef90d2c2" + }, + { + "Key": "actor_cid", + "ValueString": "774694c2ef8c43fdb64ec3056ddfb96d" + }, + { + "Key": "target_user", + "ValueString": "first.last@company.com" + } + ] + } +} +{ + "metadata": { + "customerIDString": "12345a1bc2d34fghi56jk7890lmno12p", + "offset": 70683, + "eventType": "UserActivityAuditEvent", + "eventCreationTime": 1595248885000, + "version": "1.0" + }, + "event": { + "UserId": "Crowdstrike", + "UserIp": "", + "OperationName": "quarantined_file_update", + "ServiceName": "quarantined_files", + "AuditKeyValues": [ + { + "Key": "quarantined_file_id", + "ValueString": "ab1cde05567b455b93afbe2d3df352c9_328024a065630f897f09963d4b67b0c95d4054f540c2ca8014d5b012718bfa21" + }, + { + "Key": "action_taken", + "ValueString": "quarantined" + } + ], + "UTCTimestamp": 1595248885 + } +} +{ + "metadata": { + "customerIDString": "12345a1bc2d34fghi56jk7890lmno12p", + "offset": 57217, + "eventType": "RemoteResponseSessionStartEvent", + "eventCreationTime": 1595006093000, + "version": "1.0" + }, + "event": { + "SessionId": "330633db-1cda-4355-b0d8-2c2edc91fe3e", + "HostnameField": "TESTDEVICE01", + "UserName": "first.last@company.com", + "StartTimestamp": 1595006093 + } +} +{ + "metadata": { + "customerIDString": "12345a1bc2d34fghi56jk7890lmno12p", + "offset": 57269, + "eventType": "RemoteResponseSessionEndEvent", + "eventCreationTime": 1595006899000, + "version": "1.0" + }, + "event": { + "SessionId": "330633db-1cda-4355-b0d8-2c2edc91fe3e", + "HostnameField": "TESTDEVICE01", + "UserName": "first.last@company.com", + "EndTimestamp": 1595006899, + "Commands": [ 
+ "cd \\Program Files (x86)\\Symantec", + "ls .", + "cd \\Program Files (x86)", + "ls .", + "reg query HKEY_LOCAL_MACHINE\\SYSTEM\\CrowdStrike\\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\\{16e0423f-7058-48c9-a204-725362b67639}\\Default", + "reg set HKEY_LOCAL_MACHINE\\SYSTEM\\CrowdStrike\\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\\{16e0423f-7058-48c9-a204-725362b67639}\\Default GroupingTags -ValueType=```REG_SZ``` -Value=```Protect```", + "reg query HKEY_LOCAL_MACHINE\\SYSTEM\\CrowdStrike\\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\\{16e0423f-7058-48c9-a204-725362b67639}\\Default", + "restart", + "restart -Confirm" + ] + } +} +{ + "metadata": { + "customerIDString": "12345a1bc2d34fghi56jk7890lmno12p", + "offset": 57047, + "eventType": "DetectionSummaryEvent", + "eventCreationTime": 1595002291000, + "version": "1.0" + }, + "event": { + "ProcessStartTime": 1595002290, + "ProcessEndTime": 1595002290, + "ProcessId": 663790158277, + "ParentProcessId": 627311656469, + "ComputerName": "TESTDEVICE01", + "UserName": "First.last", + "DetectName": "NGAV", + "DetectDescription": "This file meets the machine learning-based on-sensor AV protection's low confidence threshold for malicious files.", + "Severity": 2, + "SeverityName": "Low", + "FileName": "filename.exe", + "FilePath": "\\Device\\HarddiskVolume2\\ProgramData\\file\\path", + "CommandLine": "\"C:\\ProgramData\\file\\path\\filename.exe\" ", + "SHA256String": "0a123b185f9a32fde1df59897089014c92e3d08a0533b54baa72ba2a93d64deb", + "MD5String": "0ab1235adca04aef6239f5496ef0a5df", + "SHA1String": "0000000000000000000000000000000000000000", + "MachineDomain": "NA", + "ExecutablesWritten": [ + { + "Timestamp": 1595002290, + "FileName": "NEURO_200_J1939Configuration.mexw64", + "FilePath": "\\Device\\HarddiskVolume2\\ProgramData\\file\\path\\is\\right\\here\\folder" + }, + { + "Timestamp": 1595002290, + "FileName": "NEURO_200_J1939Configuration.mexw64", + "FilePath": 
"\\Device\\HarddiskVolume2\\ProgramData\\file\\path\\is\\right\\here\\folder" + }, + { + "Timestamp": 1595002290, + "FileName": "NEURO_200_J1939CanPackMessage.mexw64", + "FilePath": "\\Device\\HarddiskVolume2\\ProgramData\\file\\path\\is\\right\\here\\folder" + }, + { + "Timestamp": 1595002290, + "FileName": "NEURO_200_J1939CanPackMessage.mexw64", + "FilePath": "\\Device\\HarddiskVolume2\\ProgramData\\file\\path\\is\\right\\here\\folder" + } + ], + "FalconHostLink": "https://falcon.crowdstrike.com/activity/detections/detail/1abcd2345b8c4151a0cb45dcfbe6d3d0/124559902719?_cid=12345a1bc2d34fghi56jk7890lmno12p", + "SensorId": "1abcd2345b8c4151a0cb45dcfbe6d3d0", + "IOCType": "hash_sha256", + "IOCValue": "0a123b185f9a32fde1df59897089014c92e3d08a0533b54baa72ba2a93d64deb", + "DetectId": "ldt:1abcd2345b8c4151a0cb45dcfbe6d3d0:124559902719", + "LocalIP": "10.1.190.117", + "MACAddress": "54-ad-d4-d2-a8-0b", + "Tactic": "Machine Learning", + "Technique": "Sensor-based ML", + "Objective": "Falcon Detection Method", + "PatternDispositionDescription": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "PatternDispositionValue": 2304, + "PatternDispositionFlags": { + "Indicator": false, + "Detect": false, + "InddetMask": false, + "SensorOnly": false, + "Rooting": false, + "KillProcess": false, + "KillSubProcess": false, + "QuarantineMachine": false, + "QuarantineFile": false, + "PolicyDisabled": true, + "KillParent": false, + "OperationBlocked": false, + "ProcessBlocked": true, + "RegistryOperationBlocked": false, + "CriticalProcessDisabled": false, + "BootupSafeguardEnabled": false, + "FsOperationBlocked": false + }, + "ParentImageFileName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", + "ParentCommandLine": "C:\\Windows\\Explorer.EXE", + "GrandparentImageFileName": "\\Device\\HarddiskVolume2\\Windows\\System32\\userinit.exe", + "GrandparentCommandLine": "C:\\Windows\\system32\\userinit.exe" + } +} 
diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log-expected.json b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log-expected.json
new file mode 100644
index 00000000000..370739abdd7
--- /dev/null
+++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log-expected.json
@@ -0,0 +1,420 @@ +[ + { + "crowdstrike.event.ConnectionDirection": "1", + "crowdstrike.event.CustomerId": "12345a1bc2d34fghi56jk7890lmno12p", + "crowdstrike.event.DeviceId": "718af202ab2c4ba5b6a5d10d39c0e0a5", + "crowdstrike.event.EventType": "FirewallRuleIP4Matched", + "crowdstrike.event.Flags.Audit": false, + "crowdstrike.event.Flags.Log": false, + "crowdstrike.event.Flags.Monitor": true, + "crowdstrike.event.HostName": "TESTDEVICE01", + "crowdstrike.event.Ipv": "ipv4", + "crowdstrike.event.LocalAddress": "10.37.60.194", + "crowdstrike.event.LocalPort": "445", + "crowdstrike.event.MatchCount": 1, + "crowdstrike.event.MatchCountSinceLastReport": 1, + "crowdstrike.event.NetworkProfile": "2", + "crowdstrike.event.PID": "206158879910", + "crowdstrike.event.PolicyID": "74e7f1552a3a4d90a6d65578642c8584", + "crowdstrike.event.PolicyName": "PROD-FW-Workstations-General", + "crowdstrike.event.Protocol": "6", + "crowdstrike.event.RemoteAddress": "10.37.60.21", + "crowdstrike.event.RemotePort": "54952", + "crowdstrike.event.RuleAction": "2", + "crowdstrike.event.RuleFamilyID": "fec73e96a1bf4481be582c3f89b234fa", + "crowdstrike.event.RuleGroupName": "SMB Rules", + "crowdstrike.event.RuleId": "4877172638743447345", + "crowdstrike.event.RuleName": "Inbound SMB Block & Log Private", + "crowdstrike.event.Timestamp": "2020-07-20T12:41:44Z", + "crowdstrike.metadata.customerIDString": "12345a1bc2d34fghi56jk7890lmno12p", + "crowdstrike.metadata.eventCreationTime": "2020-07-20T12:41:46.000Z", + "crowdstrike.metadata.eventType": "FirewallMatchEvent", + "crowdstrike.metadata.offset": 70689, + "crowdstrike.metadata.version": "1.0", + "destination.ip": "10.37.60.194", + "destination.port": "445", + "event.action": "firewall_match_event", + "event.category": [ + "network" + ], + "event.code": "FirewallRuleIP4Matched", + "event.dataset": "crowdstrike.falcon_endpoint", + "event.kind": "event", + "event.module": "crowdstrike", + "event.outcome": [ + "unknown" + ], + "event.type": [ + 
"connection", + "start" + ], + "fileset.name": "falcon", + "host.name": "TESTDEVICE01", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 0, + "message": "Firewall Rule 'Inbound SMB Block & Log Private' triggered", + "network.direction": "inbound", + "network.type": "ipv4", + "process.args": [ + "" + ], + "process.command_line": "", + "process.executable": "", + "process.name": "", + "process.pid": "206158879910", + "rule.category": "fec73e96a1bf4481be582c3f89b234fa", + "rule.description": "", + "rule.id": "4877172638743447345", + "rule.name": "Inbound SMB Block & Log Private", + "rule.ruleset": "SMB Rules", + "service.type": "crowdstrike", + "source.ip": "10.37.60.21", + "source.port": "54952", + "tags": [ + "forwarded" + ] + }, + { + "crowdstrike.event.FalconHostLink": "https://falcon.crowdstrike.com/crowdscore/incidents/details/inc:1234567893cd4e55b3a832ba2140478e:72e291e40c1544d390eabf135d875e54", + "crowdstrike.event.FineScore": 0.1, + "crowdstrike.event.IncidentEndTime": "2020-07-17T17:01:56.000Z", + "crowdstrike.event.IncidentStartTime": "2020-07-17T17:01:56.000Z", + "crowdstrike.event.LateralMovement": 0, + "crowdstrike.event.State": "open", + "crowdstrike.metadata.customerIDString": "12345a1bc2d34fghi56jk7890lmno12p", + "crowdstrike.metadata.eventCreationTime": "2020-07-17T17:02:08.414Z", + "crowdstrike.metadata.eventType": "IncidentSummaryEvent", + "crowdstrike.metadata.offset": 57181, + "crowdstrike.metadata.version": "1.0", + "event.action": "incident", + "event.category": [ + "malware" + ], + "event.dataset": "crowdstrike.falcon_endpoint", + "event.kind": "alert", + "event.module": "crowdstrike", + "event.outcome": "unknown", + "event.type": [ + "info" + ], + "event.url": "https://falcon.crowdstrike.com/crowdscore/incidents/details/inc:1234567893cd4e55b3a832ba2140478e:72e291e40c1544d390eabf135d875e54", + "fileset.name": "falcon", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 1469, + "message": 
"Incident score 0.1", + "service.type": "crowdstrike", + "tags": [ + "forwarded" + ] + }, + { + "crowdstrike.event.AuditKeyValues": [ + { + "Key": "trace_id", + "ValueString": "b0b33836-555c-4e0e-a5ef-d368f6799f6b" + }, + { + "Key": "actor_user", + "ValueString": "first.last@company.com" + }, + { + "Key": "actor_user_uuid", + "ValueString": "123ab141-fab1-41c9-85c5-43a1ef90d2c2" + }, + { + "Key": "actor_cid", + "ValueString": "774694c2ef8c43fdb64ec3056ddfb96d" + }, + { + "Key": "target_user", + "ValueString": "first.last@company.com" + } + ], + "crowdstrike.event.OperationName": "saml2Assert", + "crowdstrike.event.ServiceName": "Crowdstrike Authentication", + "crowdstrike.event.Success": true, + "crowdstrike.event.UTCTimestamp": "2020-07-20T12:26:10.000Z", + "crowdstrike.event.UserId": "first.last@company.com", + "crowdstrike.event.UserIp": "165.225.220.184", + "crowdstrike.metadata.customerIDString": "12345a1bc2d34fghi56jk7890lmno12p", + "crowdstrike.metadata.eventCreationTime": "2020-07-20T12:26:10.093Z", + "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", + "crowdstrike.metadata.offset": 70509, + "crowdstrike.metadata.version": "1.0", + "event.action": "saml2_assert", + "event.category": [ + "authentication" + ], + "event.dataset": "crowdstrike.falcon_audit", + "event.kind": "event", + "event.module": "crowdstrike", + "event.outcome": "success", + "event.type": [ + "change" + ], + "fileset.name": "falcon", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 2041, + "message": "Crowdstrike Authentication", + "service.type": "crowdstrike", + "source.ip": "165.225.220.184", + "tags": [ + "forwarded" + ], + "user.email": "first.last@company.com", + "user.name": "first.last@company.com" + }, + { + "crowdstrike.event.AuditKeyValues": [ + { + "Key": "quarantined_file_id", + "ValueString": "ab1cde05567b455b93afbe2d3df352c9_328024a065630f897f09963d4b67b0c95d4054f540c2ca8014d5b012718bfa21" + }, + { + "Key": "action_taken", + "ValueString": 
"quarantined" + } + ], + "crowdstrike.event.OperationName": "quarantined_file_update", + "crowdstrike.event.ServiceName": "quarantined_files", + "crowdstrike.event.UTCTimestamp": "2020-07-20T12:41:25.000Z", + "crowdstrike.event.UserId": "Crowdstrike", + "crowdstrike.metadata.customerIDString": "12345a1bc2d34fghi56jk7890lmno12p", + "crowdstrike.metadata.eventCreationTime": "2020-07-20T12:41:25.000Z", + "crowdstrike.metadata.eventType": "UserActivityAuditEvent", + "crowdstrike.metadata.offset": 70683, + "crowdstrike.metadata.version": "1.0", + "event.action": "user_activity_audit_event", + "event.category": [ + "iam" + ], + "event.dataset": "crowdstrike.falcon_audit", + "event.kind": "event", + "event.module": "crowdstrike", + "event.outcome": "unknown", + "event.type": [ + "change" + ], + "fileset.name": "falcon", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 3219, + "message": "quarantined_file_update", + "service.type": "crowdstrike", + "tags": [ + "forwarded" + ], + "user.name": "Crowdstrike" + }, + { + "crowdstrike.event.HostnameField": "TESTDEVICE01", + "crowdstrike.event.SessionId": "330633db-1cda-4355-b0d8-2c2edc91fe3e", + "crowdstrike.event.StartTimestamp": "2020-07-17T17:14:53.000Z", + "crowdstrike.event.UserName": "first.last@company.com", + "crowdstrike.metadata.customerIDString": "12345a1bc2d34fghi56jk7890lmno12p", + "crowdstrike.metadata.eventCreationTime": "2020-07-17T17:14:53.000Z", + "crowdstrike.metadata.eventType": "RemoteResponseSessionStartEvent", + "crowdstrike.metadata.offset": 57217, + "crowdstrike.metadata.version": "1.0", + "event.action": "remote_response_session_start_event", + "event.dataset": "crowdstrike.falcon_audit", + "event.kind": "event", + "event.module": "crowdstrike", + "event.outcome": "unknown", + "event.type": [ + "start" + ], + "fileset.name": "falcon", + "host.name": "TESTDEVICE01", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 4017, + "message": "Remote response 
session started", + "service.type": "crowdstrike", + "tags": [ + "forwarded" + ], + "user.email": "first.last@company.com", + "user.name": "first.last@company.com" + }, + { + "crowdstrike.event.Commands": [ + "cd \\Program Files (x86)\\Symantec", + "ls .", + "cd \\Program Files (x86)", + "ls .", + "reg query HKEY_LOCAL_MACHINE\\SYSTEM\\CrowdStrike\\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\\{16e0423f-7058-48c9-a204-725362b67639}\\Default", + "reg set HKEY_LOCAL_MACHINE\\SYSTEM\\CrowdStrike\\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\\{16e0423f-7058-48c9-a204-725362b67639}\\Default GroupingTags -ValueType=```REG_SZ``` -Value=```Protect```", + "reg query HKEY_LOCAL_MACHINE\\SYSTEM\\CrowdStrike\\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\\{16e0423f-7058-48c9-a204-725362b67639}\\Default", + "restart", + "restart -Confirm" + ], + "crowdstrike.event.EndTimestamp": "2020-07-17T17:28:19.000Z", + "crowdstrike.event.HostnameField": "TESTDEVICE01", + "crowdstrike.event.SessionId": "330633db-1cda-4355-b0d8-2c2edc91fe3e", + "crowdstrike.event.UserName": "first.last@company.com", + "crowdstrike.metadata.customerIDString": "12345a1bc2d34fghi56jk7890lmno12p", + "crowdstrike.metadata.eventCreationTime": "2020-07-17T17:28:19.000Z", + "crowdstrike.metadata.eventType": "RemoteResponseSessionEndEvent", + "crowdstrike.metadata.offset": 57269, + "crowdstrike.metadata.version": "1.0", + "event.action": "remote_response_session_end_event", + "event.dataset": "crowdstrike.falcon_audit", + "event.kind": "event", + "event.module": "crowdstrike", + "event.outcome": "unknown", + "event.type": [ + "end" + ], + "fileset.name": "falcon", + "host.name": "TESTDEVICE01", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 4466, + "message": "Remote response session ended", + "service.type": "crowdstrike", + "tags": [ + "forwarded" + ], + "user.email": "first.last@company.com", + "user.name": "first.last@company.com" + }, + { + "crowdstrike.event.CommandLine": 
"\"C:\\ProgramData\\file\\path\\filename.exe\" ", + "crowdstrike.event.ComputerName": "TESTDEVICE01", + "crowdstrike.event.DetectDescription": "This file meets the machine learning-based on-sensor AV protection's low confidence threshold for malicious files.", + "crowdstrike.event.DetectId": "ldt:1abcd2345b8c4151a0cb45dcfbe6d3d0:124559902719", + "crowdstrike.event.DetectName": "NGAV", + "crowdstrike.event.ExecutablesWritten": [ + { + "FileName": "NEURO_200_J1939Configuration.mexw64", + "FilePath": "\\Device\\HarddiskVolume2\\ProgramData\\file\\path\\is\\right\\here\\folder", + "Timestamp": 1595002290 + }, + { + "FileName": "NEURO_200_J1939Configuration.mexw64", + "FilePath": "\\Device\\HarddiskVolume2\\ProgramData\\file\\path\\is\\right\\here\\folder", + "Timestamp": 1595002290 + }, + { + "FileName": "NEURO_200_J1939CanPackMessage.mexw64", + "FilePath": "\\Device\\HarddiskVolume2\\ProgramData\\file\\path\\is\\right\\here\\folder", + "Timestamp": 1595002290 + }, + { + "FileName": "NEURO_200_J1939CanPackMessage.mexw64", + "FilePath": "\\Device\\HarddiskVolume2\\ProgramData\\file\\path\\is\\right\\here\\folder", + "Timestamp": 1595002290 + } + ], + "crowdstrike.event.FalconHostLink": "https://falcon.crowdstrike.com/activity/detections/detail/1abcd2345b8c4151a0cb45dcfbe6d3d0/124559902719?_cid=12345a1bc2d34fghi56jk7890lmno12p", + "crowdstrike.event.FileName": "filename.exe", + "crowdstrike.event.FilePath": "\\Device\\HarddiskVolume2\\ProgramData\\file\\path", + "crowdstrike.event.GrandparentCommandLine": "C:\\Windows\\system32\\userinit.exe", + "crowdstrike.event.GrandparentImageFileName": "\\Device\\HarddiskVolume2\\Windows\\System32\\userinit.exe", + "crowdstrike.event.IOCType": "hash_sha256", + "crowdstrike.event.IOCValue": "0a123b185f9a32fde1df59897089014c92e3d08a0533b54baa72ba2a93d64deb", + "crowdstrike.event.LocalIP": "10.1.190.117", + "crowdstrike.event.MACAddress": "54-ad-d4-d2-a8-0b", + "crowdstrike.event.MD5String": "0ab1235adca04aef6239f5496ef0a5df", + 
"crowdstrike.event.MachineDomain": "NA", + "crowdstrike.event.Objective": "Falcon Detection Method", + "crowdstrike.event.ParentCommandLine": "C:\\Windows\\Explorer.EXE", + "crowdstrike.event.ParentImageFileName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", + "crowdstrike.event.ParentProcessId": 627311656469, + "crowdstrike.event.PatternDispositionDescription": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "crowdstrike.event.PatternDispositionFlags.BootupSafeguardEnabled": false, + "crowdstrike.event.PatternDispositionFlags.CriticalProcessDisabled": false, + "crowdstrike.event.PatternDispositionFlags.Detect": false, + "crowdstrike.event.PatternDispositionFlags.FsOperationBlocked": false, + "crowdstrike.event.PatternDispositionFlags.InddetMask": false, + "crowdstrike.event.PatternDispositionFlags.Indicator": false, + "crowdstrike.event.PatternDispositionFlags.KillParent": false, + "crowdstrike.event.PatternDispositionFlags.KillProcess": false, + "crowdstrike.event.PatternDispositionFlags.KillSubProcess": false, + "crowdstrike.event.PatternDispositionFlags.OperationBlocked": false, + "crowdstrike.event.PatternDispositionFlags.PolicyDisabled": true, + "crowdstrike.event.PatternDispositionFlags.ProcessBlocked": true, + "crowdstrike.event.PatternDispositionFlags.QuarantineFile": false, + "crowdstrike.event.PatternDispositionFlags.QuarantineMachine": false, + "crowdstrike.event.PatternDispositionFlags.RegistryOperationBlocked": false, + "crowdstrike.event.PatternDispositionFlags.Rooting": false, + "crowdstrike.event.PatternDispositionFlags.SensorOnly": false, + "crowdstrike.event.PatternDispositionValue": 2304, + "crowdstrike.event.ProcessEndTime": "2020-07-17T16:11:30.000Z", + "crowdstrike.event.ProcessId": 663790158277, + "crowdstrike.event.ProcessStartTime": "2020-07-17T16:11:30.000Z", + "crowdstrike.event.SHA1String": "0000000000000000000000000000000000000000", + "crowdstrike.event.SHA256String": 
"0a123b185f9a32fde1df59897089014c92e3d08a0533b54baa72ba2a93d64deb", + "crowdstrike.event.SensorId": "1abcd2345b8c4151a0cb45dcfbe6d3d0", + "crowdstrike.event.Severity": 2, + "crowdstrike.event.SeverityName": "Low", + "crowdstrike.event.Tactic": "Machine Learning", + "crowdstrike.event.Technique": "Sensor-based ML", + "crowdstrike.event.UserName": "First.last", + "crowdstrike.metadata.customerIDString": "12345a1bc2d34fghi56jk7890lmno12p", + "crowdstrike.metadata.eventCreationTime": "2020-07-17T16:11:31.000Z", + "crowdstrike.metadata.eventType": "DetectionSummaryEvent", + "crowdstrike.metadata.offset": 57047, + "crowdstrike.metadata.version": "1.0", + "event.action": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "event.category": [ + "malware" + ], + "event.dataset": "crowdstrike.falcon_endpoint", + "event.kind": "alert", + "event.module": "crowdstrike", + "event.outcome": "unknown", + "event.severity": 2, + "event.type": [ + "info" + ], + "event.url": "https://falcon.crowdstrike.com/activity/detections/detail/1abcd2345b8c4151a0cb45dcfbe6d3d0/124559902719?_cid=12345a1bc2d34fghi56jk7890lmno12p", + "file.hash.md5": "0ab1235adca04aef6239f5496ef0a5df", + "file.hash.sha256": "0a123b185f9a32fde1df59897089014c92e3d08a0533b54baa72ba2a93d64deb", + "fileset.name": "falcon", + "host.name": "TESTDEVICE01", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 5646, + "message": "This file meets the machine learning-based on-sensor AV protection's low confidence threshold for malicious files.", + "process.args": [ + "\"C:\\ProgramData\\file\\path\\filename.exe\"", + "" + ], + "process.command_line": "\"C:\\ProgramData\\file\\path\\filename.exe\" ", + "process.executable": "\"C:\\ProgramData\\file\\path\\filename.exe\"", + "process.name": "filename.exe", + "process.parent.command_line": "C:\\Windows\\Explorer.EXE", + "process.parent.executable": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", + 
"process.pid": 663790158277, + "rule.description": "This file meets the machine learning-based on-sensor AV protection's low confidence threshold for malicious files.", + "rule.name": "NGAV", + "service.type": "crowdstrike", + "source.ip": "10.1.190.117", + "tags": [ + "forwarded" + ], + "threat.tactic.name": "machine learning", + "threat.technique.name": "sensor-based ml", + "user.domain": "NA", + "user.name": "First.last" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/crowdstrike/fields.go b/x-pack/filebeat/module/crowdstrike/fields.go index 4943f2445b1..11622ad9ea7 100644 --- a/x-pack/filebeat/module/crowdstrike/fields.go +++ b/x-pack/filebeat/module/crowdstrike/fields.go @@ -19,5 +19,5 @@ func init() { // AssetCrowdstrike returns asset data. // This is the base64 encoded gzipped contents of module/crowdstrike. func AssetCrowdstrike() string { - return "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" + return "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" } From 7dfae0aed29e22e3493d5450bcde343c84429599 Mon Sep 17 00:00:00 2001 From: Andrew Stucki Date: Wed, 22 Jul 2020 16:03:00 -0400 Subject: [PATCH 10/16] Only normalize process when we have info --- .../crowdstrike/falcon/config/pipeline.js | 17 +++++++++-------- .../falcon/test/falcon-sample.log-expected.json | 6 ------ 2 files changed, 9 insertions(+), 14 deletions(-) diff --git a/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js b/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js index 078b84da535..daf8c334e07 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js +++ b/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js 
@@ -99,13 +99,15 @@ var crowdstrikeFalcon = (function () {
     };
 
     var normalizeProcess = function (evt) {
-        var command_line = evt.Get("crowdstrike.event.CommandLine")
-        var args = command_line.split(' ')
-        var executable = args[0]
-
-        evt.Put("process.command_line", command_line)
-        evt.Put("process.args", args)
-        evt.Put("process.executable", executable)
+        var commandLine = evt.Get("crowdstrike.event.CommandLine")
+        if (commandLine && commandLine !== "") {
+            var args = commandLine.split(' ')
+            var executable = args[0]
+
+            evt.Put("process.command_line", commandLine)
+            evt.Put("process.args", args)
+            evt.Put("process.executable", executable)
+        }
     }
 
     var processEvent = function (evt) {
@@ -191,7 +193,6 @@ var crowdstrikeFalcon = (function () {
                 evt.Put("event.code", evt.Get("crowdstrike.event.EventType"))
                 evt.Put("event.dataset", "crowdstrike.falcon_endpoint")
                 evt.Put("process.pid", evt.Get("crowdstrike.event.PID"))
-                evt.Put("process.name", evt.Get("crowdstrike.event.ImageFileName"))
 
                 normalizeProcess(evt);
 
diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log-expected.json b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log-expected.json
index 370739abdd7..8cdefc31819 100644
--- a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log-expected.json
+++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log-expected.json
@@ -58,12 +58,6 @@
         "message": "Firewall Rule 'Inbound SMB Block & Log Private' triggered",
         "network.direction": "inbound",
         "network.type": "ipv4",
-        "process.args": [
-            ""
-        ],
-        "process.command_line": "",
-        "process.executable": "",
-        "process.name": "",
         "process.pid": "206158879910",
         "rule.category": "fec73e96a1bf4481be582c3f89b234fa",
         "rule.description": "",
From ed257ee33c3427d886cc961ffd3f30814d1fe3e5 Mon Sep 17 00:00:00 2001
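Review bot: `args[0]` from a plain `split(' ')` is not the executable when the Windows command line quotes a path containing spaces: the token is cut at the first space and keeps its surrounding quotes, as this commit's own expected output shows (`process.executable` becomes `\"C:\\ProgramData\\file\\path\\filename.exe\"`, quotes included). Detections keyed on `process.executable` will not match the real path; a quote-aware first token is a two-line change, `var m = commandLine.trim().match(/^"([^"]*)"|^(\S+)/);` followed by `var executable = m ? (m[1] !== undefined ? m[1] : m[2]) : args[0];`. The follow-up hunk `@@ -100,8 +100,10 @@` in PATCH 11 changes the split but leaves the quoting untouched. Separately, the second hunk's context line copies `crowdstrike.event.PID` straight into `process.pid`; in the firewall sample that value is the string `"206158879910"`, while ECS types process.pid as long, so it belongs in a Convert with `type: "long"` like the other copied fields. The enclosing `crowdstrikeFalcon` function starts and ends outside the hunk.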
From: Andrew Stucki
Date: Wed, 22 Jul 2020 16:09:31 -0400
Subject: [PATCH 11/16] Remove empty arguments from string split
---
 .../filebeat/module/crowdstrike/falcon/config/pipeline.js | 6 ++++--
 .../crowdstrike/falcon/test/falcon-sample.log-expected.json | 3 +--
 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js b/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js
index daf8c334e07..60b6907eb56 100644
--- a/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js
+++ b/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js
@@ -100,8 +100,10 @@ var crowdstrikeFalcon = (function () {
 
     var normalizeProcess = function (evt) {
         var commandLine = evt.Get("crowdstrike.event.CommandLine")
-        if (commandLine && commandLine !== "") {
-            var args = commandLine.split(' ')
+        if (commandLine && commandLine.trim() !== "") {
+            var args = commandLine.split(' ').filter(function (arg) {
+                return arg !== "";
+            });
             var executable = args[0]
 
             evt.Put("process.command_line", commandLine)
diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log-expected.json b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log-expected.json
index 8cdefc31819..a480342c1cf 100644
--- a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log-expected.json
+++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log-expected.json
@@ -390,8 +390,7 @@
         "log.offset": 5646,
         "message": "This file meets the machine learning-based on-sensor AV protection's low confidence threshold for malicious files.",
         "process.args": [
-            "\"C:\\ProgramData\\file\\path\\filename.exe\"",
-            ""
+            "\"C:\\ProgramData\\file\\path\\filename.exe\""
         ],
         "process.command_line": "\"C:\\ProgramData\\file\\path\\filename.exe\" ",
         "process.executable": "\"C:\\ProgramData\\file\\path\\filename.exe\"",
From ad59746968e121ec5296f7dd0b97473c78d23f1a Mon Sep 17 00:00:00 2001
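Review bot: `commandLine.split(' ').filter(...)` only drops the empty tokens that repeated spaces produce; `var args = commandLine.trim().split(/\s+/)` yields the same `process.args` for the sample (`["\"C:\\ProgramData\\file\\path\\filename.exe\""]`), also handles tabs and leading whitespace, and removes the callback. The `});` added here is the only semicolon-terminated statement in `normalizeProcess`; `var executable = args[0]` and the `evt.Put` lines below rely on ASI, so pick one style for the function. The function body continues beyond the hunk.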
From: Andrew Stucki Date: Wed, 22 Jul 2020 16:13:25 -0400 Subject: [PATCH 12/16] update changelog entry --- CHANGELOG.next.asciidoc | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 8bb4ffffbbc..969befd66ed 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -489,6 +489,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add experimental dataset zscaler/zia for Zscaler Internet Access logs {pull}19713[19713] - Add initial support for configurable file identity tracking. {pull}18748[18748] - Add event.ingested for CrowdStrike module {pull}20138[20138] +- Add support for additional fields and FirewallMatchEvent type events in CrowdStrike module {pull}20138[20138] *Heartbeat* From 4d8c1cf6b2e4433e1196fcce756b1fc923127667 Mon Sep 17 00:00:00 2001 From: Andrew Stucki Date: Wed, 22 Jul 2020 17:31:58 -0400 Subject: [PATCH 13/16] Refactor to use built-in processors --- .../crowdstrike/falcon/config/pipeline.js | 629 +++++++++++------- .../test/falcon-sample.log-expected.json | 5 +- 2 files changed, 409 insertions(+), 225 deletions(-) diff --git a/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js b/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js index 60b6907eb56..59653072e95 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js +++ b/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js 
@@ -24,80 +24,6 @@ var crowdstrikeFalcon = (function () {
         }
     };
 
-    var decodeJson = new processor.DecodeJSONFields({
-        fields: ["message"],
-        target: "crowdstrike",
-        process_array: true,
-        max_depth: 8
-    });
-
-    var dropFields = function (evt) {
-        evt.Delete("message");
-        evt.Delete("host.name");
-    };
-
-    var setFields = function (evt) {
-        evt.Put("agent.name", "falcon");
-    };
-
-    var convertFields = new processor.Convert({
-        fields: [
-            // DetectionSummaryEvent
-            {
-                from: "crowdstrike.event.LocalIP",
-                to: "source.ip",
-                type: "ip"
-            },
-            {
-                from: "crowdstrike.event.ProcessId",
-                to: "process.pid"
-            },
-            {
-                from: "crowdstrike.event.ParentImageFileName",
-                to: "process.parent.executable"
-            },
-            {
-                from: "crowdstrike.event.ParentCommandLine",
-                to: "process.parent.command_line"
-            },
-            // UserActivityAuditEvent and AuthActivityAuditEvent
-            {
-                from: "crowdstrike.event.UserIp",
-                to: "source.ip",
-                type: "ip"
-            },
-            // FirewallRuleIP4Matched
-            {
-                from: "crowdstrike.event.Ipv",
-                to: "network.type",
-            },
-        ],
-        mode: "copy",
-        ignore_missing: true,
-        fail_on_error: false
-    });
-
-    var addTimestamp = new processor.Convert({
-        fields: [{
-            from: "crowdstrike.metadata.eventCreationTime",
-            to: "@timestamp",
-        }],
-        mode: "copy",
-        ignore_missing: false,
-        fail_on_error: true
-    });
-
-    var normalizeEpochMS = function (evt) {
-        convertToMSEpoch(evt, "crowdstrike.event.ProcessStartTime")
-        convertToMSEpoch(evt, "crowdstrike.event.ProcessEndTime")
-        convertToMSEpoch(evt, "crowdstrike.event.IncidentStartTime")
-        convertToMSEpoch(evt, "crowdstrike.event.IncidentEndTime")
-        convertToMSEpoch(evt, "crowdstrike.event.StartTimestamp")
-        convertToMSEpoch(evt, "crowdstrike.event.EndTimestamp")
-        convertToMSEpoch(evt, "crowdstrike.event.UTCTimestamp")
-        convertToMSEpoch(evt, "crowdstrike.metadata.eventCreationTime")
-    };
-
     var normalizeProcess = function (evt) {
         var commandLine = evt.Get("crowdstrike.event.CommandLine")
         if (commandLine && commandLine.trim() !== "") {
@@ -112,173 +38,430 @@ var crowdstrikeFalcon = (function () { } } - var processEvent = function (evt) { - var eventType = evt.Get("crowdstrike.metadata.eventType") - var outcome = evt.Get("crowdstrike.event.Success") - - evt.Put("event.kind", "event") - - if (outcome === true) { - evt.Put("event.outcome", "success") - } else if (outcome === false) { - evt.Put("event.outcome", "failure") + var normalizeSourceDestination = function (evt) { + var localAddress = evt.Get("crowdstrike.event.LocalAddress"); + var localPort = evt.Get("crowdstrike.event.LocalPort"); + var remoteAddress = evt.Get("crowdstrike.event.RemoteAddress"); + var remotePort = evt.Get("crowdstrike.event.RemotePort"); + if (evt.Get("crowdstrike.event.ConnectionDirection") === "1") { + evt.Put("network.direction", "inbound") + evt.Put("source.ip", remoteAddress) + evt.Put("source.port", remotePort) + evt.Put("destination.ip", localAddress) + evt.Put("destination.port", localPort) } else { - evt.Put("event.outcome", "unknown") + evt.Put("network.direction", "outbound") + evt.Put("destination.ip", remoteAddress) + evt.Put("destination.port", remotePort) + evt.Put("source.ip", localAddress) + evt.Put("source.port", localPort) } + } - switch (eventType) { - case "DetectionSummaryEvent": - var tactic = evt.Get("crowdstrike.event.Tactic").toLowerCase() - var technique = evt.Get("crowdstrike.event.Technique").toLowerCase() - evt.Put("threat.technique.name", technique) - evt.Put("threat.tactic.name", tactic) - - evt.Put("event.action", evt.Get("crowdstrike.event.PatternDispositionDescription")) - evt.Put("event.kind", "alert") - evt.Put("event.type", ["info"]) - evt.Put("event.category", ["malware"]) - evt.Put("event.url", evt.Get("crowdstrike.event.FalconHostLink")) - evt.Put("event.dataset", "crowdstrike.falcon_endpoint") - - evt.Put("event.severity", evt.Get("crowdstrike.event.Severity")) - evt.Put("message", evt.Get("crowdstrike.event.DetectDescription")) - evt.Put("process.name", 
evt.Get("crowdstrike.event.FileName")) - - normalizeProcess(evt); - - evt.Put("user.name", evt.Get("crowdstrike.event.UserName")) - evt.Put("user.domain", evt.Get("crowdstrike.event.MachineDomain")) - evt.Put("agent.id", evt.Get("crowdstrike.event.SensorId")) - evt.Put("host.name", evt.Get("crowdstrike.event.ComputerName")) - evt.Put("agent.type", "falcon") - evt.Put("file.hash.sha256", evt.Get("crowdstrike.event.SHA256String")) - evt.Put("file.hash.md5", evt.Get("crowdstrike.event.MD5String")) - evt.Put("rule.name", evt.Get("crowdstrike.event.DetectName")) - evt.Put("rule.description", evt.Get("crowdstrike.event.DetectDescription")) - - break; - - case "IncidentSummaryEvent": - evt.Put("event.kind", "alert") - evt.Put("event.type", ["info"]) - evt.Put("event.category", ["malware"]) - evt.Put("event.action", "incident") - evt.Put("event.url", evt.Get("crowdstrike.event.FalconHostLink")) - evt.Put("event.dataset", "crowdstrike.falcon_endpoint") - - evt.Put("message", "Incident score " + evt.Get("crowdstrike.event.FineScore")) + var normalizeEventAction = function (evt) { + var eventType = evt.Get("crowdstrike.metadata.eventType") + evt.Put("event.action", convertUnderscore(eventType)) + } - break; + var normalizeUsername = function (evt) { + var username = evt.Get("crowdstrike.event.UserName") + if (!username || username === "") { + username = evt.Get("crowdstrike.event.UserId") + } + if (username && username !== "") { + evt.Put("user.name", username) + if (username.split('@').length == 2) { + evt.Put("user.email", username) + } + } + } - case "UserActivityAuditEvent": - var userid = evt.Get("crowdstrike.event.UserId") - evt.Put("user.name", userid) - if (userid.split('@').length == 2) { - evt.Put("user.email", userid) + // DetectionSummaryEvent + var convertDetectionSummaryEvent = new processor.Chain() + .AddFields({ + fields: { + kind: "alert", + category: ["malware"], + type: ["info"], + dataset: "crowdstrike.falcon_endpoint", + }, + target: "event", + }) + 
.AddFields({ + fields: { + type: "falcon", + }, + target: "agent", + }) + .Convert({ + fields: [{ + from: "crowdstrike.event.LocalIP", + to: "source.ip", + type: "ip" + }, { + from: "crowdstrike.event.ProcessId", + to: "process.pid" + }, { + from: "crowdstrike.event.ParentImageFileName", + to: "process.parent.executable" + }, { + from: "crowdstrike.event.ParentCommandLine", + to: "process.parent.command_line" + }, { + from: "crowdstrike.event.PatternDispositionDescription", + to: "event.action", + }, { + from: "crowdstrike.event.FalconHostLink", + to: "event.url", + }, { + from: "crowdstrike.event.Severity", + to: "event.severity", + }, { + from: "crowdstrike.event.DetectDescription", + to: "message", + }, { + from: "crowdstrike.event.FileName", + to: "process.name", + }, { + from: "crowdstrike.event.UserName", + to: "user.name", + }, + { + from: "crowdstrike.event.MachineDomain", + to: "user.domain", + }, + { + from: "crowdstrike.event.SensorId", + to: "agent.id", + }, + { + from: "crowdstrike.event.ComputerName", + to: "host.name", + }, + { + from: "crowdstrike.event.SHA256String", + to: "file.hash.sha256", + }, + { + from: "crowdstrike.event.MD5String", + to: "file.hash.md5", + }, + { + from: "crowdstrike.event.SHA1String", + to: "file.hash.sha1", + }, + { + from: "crowdstrike.event.DetectName", + to: "rule.name", + }, + { + from: "crowdstrike.event.DetectDescription", + to: "rule.description", } + ], + mode: "copy", + ignore_missing: true, + fail_on_error: false + }) + .Add(function (evt) { + var tactic = evt.Get("crowdstrike.event.Tactic").toLowerCase() + var technique = evt.Get("crowdstrike.event.Technique").toLowerCase() + evt.Put("threat.technique.name", technique) + evt.Put("threat.tactic.name", tactic) + }) + .Add(normalizeProcess) + .Build() + + // IncidentSummaryEvent + var convertIncidentSummaryEvent = new processor.Chain() + .AddFields({ + fields: { + kind: "alert", + category: ["malware"], + type: ["info"], + action: "incident", + dataset: 
"crowdstrike.falcon_endpoint", + }, + target: "event", + }) + .AddFields({ + fields: { + type: "falcon", + }, + target: "agent", + }) + .Convert({ + fields: [{ + from: "crowdstrike.event.FalconHostLink", + to: "event.url", + }], + mode: "copy", + ignore_missing: true, + fail_on_error: false + }) + .Add(function (evt) { + evt.Put("message", "Incident score " + evt.Get("crowdstrike.event.FineScore")) + }) + .Add(normalizeProcess) + .Build() + + // UserActivityAuditEvent + var convertUserActivityAuditEvent = new processor.Chain() + .AddFields({ + fields: { + category: ["iam"], + type: ["change"], + dataset: "crowdstrike.falcon_audit", + }, + target: "event", + }) + .Convert({ + fields: [{ + from: "crowdstrike.event.OperationName", + to: "message", + }, { + from: "crowdstrike.event.UserIp", + to: "source.ip", + type: "ip" + }], + mode: "copy", + ignore_missing: true, + fail_on_error: false + }) + .Add(normalizeUsername) + .Add(normalizeEventAction) + .Build() + + // AuthActivityAuditEvent + var convertAuthActivityAuditEvent = new processor.Chain() + .AddFields({ + fields: { + category: ["authentication"], + type: ["change"], + dataset: "crowdstrike.falcon_audit", + }, + target: "event", + }) + .Convert({ + fields: [{ + from: "crowdstrike.event.ServiceName", + to: "message", + }, { + from: "crowdstrike.event.UserIp", + to: "source.ip", + type: "ip" + }], + mode: "copy", + ignore_missing: true, + fail_on_error: false + }) + .Add(normalizeUsername) + .Add(function (evt) { + evt.Put("event.action", convertUnderscore(evt.Get("crowdstrike.event.OperationName"))) + }) + .Build() + + // FirewallMatchEvent + var convertFirewallMatchEvent = new processor.Chain() + .AddFields({ + fields: { + category: ["network"], + type: ["start", "connection"], + outcome: ["unknown"], + dataset: "crowdstrike.falcon_endpoint", + }, + target: "event", + }) + .Convert({ + fields: [{ + from: "crowdstrike.event.Ipv", + to: "network.type", + }, { + from: "crowdstrike.event.PID", + to: "process.pid", 
+ }, + { + from: "crowdstrike.event.RuleId", + to: "rule.id" + }, + { + from: "crowdstrike.event.RuleName", + to: "rule.name" + }, + { + from: "crowdstrike.event.RuleGroupName", + to: "rule.ruleset" + }, + { + from: "crowdstrike.event.RuleDescription", + to: "rule.description" + }, + { + from: "crowdstrike.event.RuleFamilyID", + to: "rule.category" + }, + { + from: "crowdstrike.event.HostName", + to: "host.name" + }, + { + from: "crowdstrike.event.Ipv", + to: "network.type", + }, + { + from: "crowdstrike.event.EventType", + to: "event.code", + } + ], + mode: "copy", + ignore_missing: true, + fail_on_error: false + }) + .Add(function (evt) { + evt.Put("message", "Firewall Rule '" + evt.Get("crowdstrike.event.RuleName") + "' triggered") + }) + .Add(normalizeEventAction) + .Add(normalizeProcess) + .Add(normalizeSourceDestination) + .Build(); - evt.Put("message", evt.Get("crowdstrike.event.OperationName")) - evt.Put("event.action", convertUnderscore(eventType)) - evt.Put("event.type", ["change"]) - evt.Put("event.category", ["iam"]) - evt.Put("event.dataset", "crowdstrike.falcon_audit") - - break; - - case "FirewallMatchEvent": - evt.Put("message", "Firewall Rule '" + evt.Get("crowdstrike.event.RuleName") + "' triggered") - - evt.Put("event.category", ["network"]) - evt.Put("event.type", ["connection", "start"]) - evt.Put("event.outcome", ["unknown"]) - evt.Put("event.action", convertUnderscore(eventType)) - evt.Put("event.code", evt.Get("crowdstrike.event.EventType")) - evt.Put("event.dataset", "crowdstrike.falcon_endpoint") - evt.Put("process.pid", evt.Get("crowdstrike.event.PID")) - - normalizeProcess(evt); - - evt.Put("rule.id", evt.Get("crowdstrike.event.RuleId")) - evt.Put("rule.name", evt.Get("crowdstrike.event.RuleName")) - evt.Put("rule.ruleset", evt.Get("crowdstrike.event.RuleGroupName")) - evt.Put("rule.description", evt.Get("crowdstrike.event.RuleDescription")) - evt.Put("rule.category", evt.Get("crowdstrike.event.RuleFamilyID")) - - evt.Put("host.name", 
evt.Get("crowdstrike.event.HostName")) + // RemoteResponseSessionStartEvent + var convertRemoteResponseSessionStartEvent = new processor.Chain() + .AddFields({ + fields: { + type: ["start"], + dataset: "crowdstrike.falcon_audit", + }, + target: "event", + }) + .AddFields({ + fields: { + message: "Remote response session started", + }, + target: "", + }) + .Convert({ + fields: [{ + from: "crowdstrike.event.HostnameField", + to: "host.name", + }], + mode: "copy", + ignore_missing: true, + fail_on_error: false + }) + .Add(normalizeUsername) + .Add(normalizeEventAction) + .Build() + + + // RemoteResponseSessionEndEvent + var convertRemoteResponseSessionEndEvent = new processor.Chain() + .AddFields({ + fields: { + type: ["end"], + dataset: "crowdstrike.falcon_audit", + }, + target: "event", + }) + .AddFields({ + fields: { + message: "Remote response session ended", + }, + target: "", + }) + .Convert({ + fields: [{ + from: "crowdstrike.event.HostnameField", + to: "host.name", + }], + mode: "copy", + ignore_missing: true, + fail_on_error: false + }) + .Add(normalizeUsername) + .Add(normalizeEventAction) + .Build() - var localAddress = evt.Get("crowdstrike.event.LocalAddress"); - var localPort = evt.Get("crowdstrike.event.LocalPort"); - var remoteAddress = evt.Get("crowdstrike.event.RemoteAddress"); - var remotePort = evt.Get("crowdstrike.event.RemotePort"); - if (evt.Get("crowdstrike.event.ConnectionDirection") === "1") { - evt.Put("network.direction", "inbound") - evt.Put("source.ip", remoteAddress) - evt.Put("source.port", remotePort) - evt.Put("destination.ip", localAddress) - evt.Put("destination.port", localPort) + return { + process: new processor.Chain() + .DecodeJSONFields({ + fields: ["message"], + target: "crowdstrike", + process_array: true, + max_depth: 8 + }) + .Add(function (evt) { + convertToMSEpoch(evt, "crowdstrike.event.ProcessStartTime") + convertToMSEpoch(evt, "crowdstrike.event.ProcessEndTime") + convertToMSEpoch(evt, 
"crowdstrike.event.IncidentStartTime") + convertToMSEpoch(evt, "crowdstrike.event.IncidentEndTime") + convertToMSEpoch(evt, "crowdstrike.event.StartTimestamp") + convertToMSEpoch(evt, "crowdstrike.event.EndTimestamp") + convertToMSEpoch(evt, "crowdstrike.event.UTCTimestamp") + convertToMSEpoch(evt, "crowdstrike.metadata.eventCreationTime") + }) + .Add(function (evt) { + evt.Delete("message"); + evt.Delete("host.name"); + }) + .Convert({ + fields: [{ + from: "crowdstrike.metadata.eventCreationTime", + to: "@timestamp", + }], + mode: "copy", + ignore_missing: false, + fail_on_error: true + }) + .Add(function (evt) { + var eventType = evt.Get("crowdstrike.metadata.eventType") + var outcome = evt.Get("crowdstrike.event.Success") + + evt.Put("event.kind", "event") + + if (outcome === true) { + evt.Put("event.outcome", "success") + } else if (outcome === false) { + evt.Put("event.outcome", "failure") } else { - evt.Put("network.direction", "outbound") - evt.Put("destination.ip", remoteAddress) - evt.Put("destination.port", remotePort) - evt.Put("source.ip", localAddress) - evt.Put("source.port", localPort) - } - break; - - case "AuthActivityAuditEvent": - var userid = evt.Get("crowdstrike.event.UserId") - evt.Put("user.name", userid) - if (userid.split('@').length == 2) { - evt.Put("user.email", userid) + evt.Put("event.outcome", "unknown") } - evt.Put("message", evt.Get("crowdstrike.event.ServiceName")) - evt.Put("event.action", convertUnderscore(evt.Get("crowdstrike.event.OperationName"))) - evt.Put("event.type", ["change"]) - evt.Put("event.category", ["authentication"]) - evt.Put("event.dataset", "crowdstrike.falcon_audit") + switch (eventType) { + case "DetectionSummaryEvent": + convertDetectionSummaryEvent.Run(evt) + break; - break; + case "IncidentSummaryEvent": + convertIncidentSummaryEvent.Run(evt) + break; - case "RemoteResponseSessionStartEvent": - case "RemoteResponseSessionEndEvent": - var username = evt.Get("crowdstrike.event.UserName") - 
evt.Put("user.name", username) - if (username.split('@').length == 2) { - evt.Put("user.email", username) - } + case "UserActivityAuditEvent": + convertUserActivityAuditEvent.Run(evt) + break; - evt.Put("host.name", evt.Get("crowdstrike.event.HostnameField")) - evt.Put("event.action", convertUnderscore(eventType)) - evt.Put("event.dataset", "crowdstrike.falcon_audit") + case "FirewallMatchEvent": + convertFirewallMatchEvent.Run(evt) + break; - if (eventType == "RemoteResponseSessionStartEvent") { - evt.Put("event.type", ["start"]) - evt.Put("message", "Remote response session started") - } else { - evt.Put("event.type", ["end"]) - evt.Put("message", "Remote response session ended") - } + case "AuthActivityAuditEvent": + convertAuthActivityAuditEvent.Run(evt) + break; - break; + case "RemoteResponseSessionStartEvent": + convertRemoteResponseSessionStartEvent.Run(evt); + break; - default: - break; - } - } + case "RemoteResponseSessionEndEvent": + convertRemoteResponseSessionEndEvent.Run(evt); + break; - var pipeline = new processor.Chain() - .Add(decodeJson) - .Add(normalizeEpochMS) - .Add(dropFields) - .Add(addTimestamp) - .Add(convertFields) - .Add(processEvent) - .Add(setFields) - .Build(); - - return { - process: pipeline.Run, + default: + break; + } + }) + .Build() + .Run, }; })(); diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log-expected.json b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log-expected.json index a480342c1cf..69e55c42f6d 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log-expected.json +++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log-expected.json @@ -45,8 +45,8 @@ "unknown" ], "event.type": [ - "connection", - "start" + "start", + "connection" ], "fileset.name": "falcon", "host.name": "TESTDEVICE01", 
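Review bot: The FirewallMatchEvent Convert lists `{ from: "crowdstrike.event.Ipv", to: "network.type" }` twice, once at the head of its fields array and again just before the EventType entry; the second copy writes the same value a second time and should be dropped. The same duplicate is carried into the `eventProcessors.FirewallMatchEvent` chain of the later "clean up pipeline code" hunk. Separately, the DetectionSummaryEvent chain's `.Add` callback calls `evt.Get("crowdstrike.event.Tactic").toLowerCase()` and the same on `Technique` with no presence check, so a detection that lacks either field throws a TypeError inside the callback even though every Convert in that chain tolerates absent fields via `ignore_missing: true`; reading the value first, e.g. `var tactic = evt.Get("crowdstrike.event.Tactic"); if (tactic) { evt.Put("threat.tactic.name", tactic.toLowerCase()) }`, and likewise for technique, keeps the event. Whether a throw in an `.Add` callback drops the event or is only logged depends on the processor runtime, which is not visible in this diff.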
@@ -380,6 +380,7 @@ ], "event.url": "https://falcon.crowdstrike.com/activity/detections/detail/1abcd2345b8c4151a0cb45dcfbe6d3d0/124559902719?_cid=12345a1bc2d34fghi56jk7890lmno12p", "file.hash.md5": "0ab1235adca04aef6239f5496ef0a5df", + "file.hash.sha1": "0000000000000000000000000000000000000000", "file.hash.sha256": "0a123b185f9a32fde1df59897089014c92e3d08a0533b54baa72ba2a93d64deb", "fileset.name": "falcon", "host.name": "TESTDEVICE01", From 0606fc47601ad331633582fdf1fdb472cac8fb05 Mon Sep 17 00:00:00 2001 From: Andrew Stucki Date: Wed, 22 Jul 2020 18:54:05 -0400 Subject: [PATCH 14/16] clean up pipeline code --- .../crowdstrike/falcon/config/pipeline.js | 699 ++++++++---------- 1 file changed, 322 insertions(+), 377 deletions(-) diff --git a/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js b/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js index 59653072e95..c109c4c17ac 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js +++ b/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js @@ -2,14 +2,15 @@ // or more contributor license agreements. Licensed under the Elastic License; // you may not use this file except in compliance with the Elastic License. -var crowdstrikeFalcon = (function () { +var crowdstrikeFalconProcessor = (function () { var processor = require("processor"); - var convertUnderscore = function (text) { + // conversion helpers + function convertUnderscore(text) { return text.split(/(?=[A-Z])/).join('_').toLowerCase(); - }; + } - var convertToMSEpoch = function (evt, field) { + function convertToMSEpoch(evt, field) { var timestamp = evt.Get(field); if (timestamp) { if (timestamp < 100000000000) { // check if we have a seconds timestamp, this is roughly 1973 in MS 
@@ -22,9 +23,9 @@ var crowdstrikeFalcon = (function () { layouts: ["UNIX_MS"] })).Run(evt); } - }; + } - var normalizeProcess = function (evt) { + function convertProcess(evt) { var commandLine = evt.Get("crowdstrike.event.CommandLine") if (commandLine && commandLine.trim() !== "") { var args = commandLine.split(' ').filter(function (arg) { @@ -38,7 +39,7 @@ var crowdstrikeFalcon = (function () { } } - var normalizeSourceDestination = function (evt) { + function convertSourceDestination(evt) { var localAddress = evt.Get("crowdstrike.event.LocalAddress"); var localPort = evt.Get("crowdstrike.event.LocalPort"); var remoteAddress = evt.Get("crowdstrike.event.RemoteAddress"); @@ -58,12 +59,11 @@ var crowdstrikeFalcon = (function () { } } - var normalizeEventAction = function (evt) { - var eventType = evt.Get("crowdstrike.metadata.eventType") - evt.Put("event.action", convertUnderscore(eventType)) + function convertEventAction(evt) { + evt.Put("event.action", convertUnderscore(evt.Get("crowdstrike.metadata.eventType"))) } - var normalizeUsername = function (evt) { + function convertUsername(evt) { var username = evt.Get("crowdstrike.event.UserName") if (!username || username === "") { username = evt.Get("crowdstrike.event.UserId") 
@@ -76,395 +76,340 @@ var crowdstrikeFalcon = (function () { } } - // DetectionSummaryEvent - var convertDetectionSummaryEvent = new processor.Chain() - .AddFields({ - fields: { - kind: "alert", - category: ["malware"], - type: ["info"], - dataset: "crowdstrike.falcon_endpoint", - }, - target: "event", - }) - .AddFields({ - fields: { - type: "falcon", - }, - target: "agent", - }) - .Convert({ - fields: [{ - from: "crowdstrike.event.LocalIP", - to: "source.ip", - type: "ip" - }, { - from: "crowdstrike.event.ProcessId", - to: "process.pid" - }, { - from: "crowdstrike.event.ParentImageFileName", - to: "process.parent.executable" - }, { - from: "crowdstrike.event.ParentCommandLine", - to: "process.parent.command_line" - }, { - from: "crowdstrike.event.PatternDispositionDescription", - to: "event.action", - }, { + // event processors by type + var eventProcessors = { + DetectionSummaryEvent: new processor.Chain() + .AddFields({ + fields: { + "event.kind": "alert", + "event.category": ["malware"], + "event.type": ["info"], + "event.dataset": "crowdstrike.falcon_endpoint", + "agent.type": "falcon", + }, + target: "", + }) + .Convert({ + fields: [{ + from: "crowdstrike.event.LocalIP", + to: "source.ip", + type: "ip" + }, { + from: "crowdstrike.event.ProcessId", + to: "process.pid" + }, { + from: "crowdstrike.event.ParentImageFileName", + to: "process.parent.executable" + }, { + from: "crowdstrike.event.ParentCommandLine", + to: "process.parent.command_line" + }, { + from: "crowdstrike.event.PatternDispositionDescription", + to: "event.action", + }, { + from: "crowdstrike.event.FalconHostLink", + to: "event.url", + }, { + from: "crowdstrike.event.Severity", + to: "event.severity", + }, { + from: "crowdstrike.event.DetectDescription", + to: "message", + }, { + from: "crowdstrike.event.FileName", + to: "process.name", + }, { + from: "crowdstrike.event.UserName", + to: "user.name", + }, + { + from: "crowdstrike.event.MachineDomain", + to: "user.domain", + }, + { + from: 
"crowdstrike.event.SensorId", + to: "agent.id", + }, + { + from: "crowdstrike.event.ComputerName", + to: "host.name", + }, + { + from: "crowdstrike.event.SHA256String", + to: "file.hash.sha256", + }, + { + from: "crowdstrike.event.MD5String", + to: "file.hash.md5", + }, + { + from: "crowdstrike.event.SHA1String", + to: "file.hash.sha1", + }, + { + from: "crowdstrike.event.DetectName", + to: "rule.name", + }, + { + from: "crowdstrike.event.DetectDescription", + to: "rule.description", + } + ], + mode: "copy", + ignore_missing: true, + fail_on_error: false + }) + .Add(function (evt) { + var tactic = evt.Get("crowdstrike.event.Tactic").toLowerCase() + var technique = evt.Get("crowdstrike.event.Technique").toLowerCase() + evt.Put("threat.technique.name", technique) + evt.Put("threat.tactic.name", tactic) + convertProcess(evt) + }) + .Build(), + + IncidentSummaryEvent: new processor.Chain() + .AddFields({ + fields: { + "event.kind": "alert", + "event.category": ["malware"], + "event.type": ["info"], + "event.action": "incident", + "event.dataset": "crowdstrike.falcon_endpoint", + "agent.type": "falcon", + }, + target: "", + }) + .Convert({ + fields: [{ from: "crowdstrike.event.FalconHostLink", to: "event.url", - }, { - from: "crowdstrike.event.Severity", - to: "event.severity", - }, { - from: "crowdstrike.event.DetectDescription", + }], + mode: "copy", + ignore_missing: true, + fail_on_error: false + }) + .Add(function (evt) { + evt.Put("message", "Incident score " + evt.Get("crowdstrike.event.FineScore")) + convertProcess(evt) + }) + .Build(), + + UserActivityAuditEvent: new processor.Chain() + .AddFields({ + fields: { + kind: "event", + category: ["iam"], + type: ["change"], + dataset: "crowdstrike.falcon_audit", + }, + target: "event", + }) + .Convert({ + fields: [{ + from: "crowdstrike.event.OperationName", to: "message", }, { - from: "crowdstrike.event.FileName", - to: "process.name", - }, { - from: "crowdstrike.event.UserName", - to: "user.name", + from: 
"crowdstrike.event.UserIp", + to: "source.ip", + type: "ip" + }], + mode: "copy", + ignore_missing: true, + fail_on_error: false + }) + .Add(convertUsername) + .Add(convertEventAction) + .Build(), + + AuthActivityAuditEvent: new processor.Chain() + .AddFields({ + fields: { + kind: "event", + category: ["authentication"], + type: ["change"], + dataset: "crowdstrike.falcon_audit", }, - { - from: "crowdstrike.event.MachineDomain", - to: "user.domain", + target: "event", + }) + .Convert({ + fields: [{ + from: "crowdstrike.event.ServiceName", + to: "message", + }, { + from: "crowdstrike.event.UserIp", + to: "source.ip", + type: "ip" + }], + mode: "copy", + ignore_missing: true, + fail_on_error: false + }) + .Add(function (evt) { + evt.Put("event.action", convertUnderscore(evt.Get("crowdstrike.event.OperationName"))) + convertUsername(evt) + }) + .Build(), + + FirewallMatchEvent: new processor.Chain() + .AddFields({ + fields: { + kind: "event", + category: ["network"], + type: ["start", "connection"], + outcome: ["unknown"], + dataset: "crowdstrike.falcon_endpoint", }, - { - from: "crowdstrike.event.SensorId", - to: "agent.id", + target: "event", + }) + .Convert({ + fields: [{ + from: "crowdstrike.event.Ipv", + to: "network.type", + }, { + from: "crowdstrike.event.PID", + to: "process.pid", + }, + { + from: "crowdstrike.event.RuleId", + to: "rule.id" + }, + { + from: "crowdstrike.event.RuleName", + to: "rule.name" + }, + { + from: "crowdstrike.event.RuleGroupName", + to: "rule.ruleset" + }, + { + from: "crowdstrike.event.RuleDescription", + to: "rule.description" + }, + { + from: "crowdstrike.event.RuleFamilyID", + to: "rule.category" + }, + { + from: "crowdstrike.event.HostName", + to: "host.name" + }, + { + from: "crowdstrike.event.Ipv", + to: "network.type", + }, + { + from: "crowdstrike.event.EventType", + to: "event.code", + } + ], + mode: "copy", + ignore_missing: true, + fail_on_error: false + }) + .Add(function (evt) { + evt.Put("message", "Firewall Rule '" + 
evt.Get("crowdstrike.event.RuleName") + "' triggered") + convertEventAction(evt) + convertProcess(evt) + convertSourceDestination(evt) + }) + .Build(), + + RemoteResponseSessionStartEvent: new processor.Chain() + .AddFields({ + fields: { + "event.kind": "event", + "event.type": ["start"], + "event.dataset": "crowdstrike.falcon_audit", + message: "Remote response session started", }, - { - from: "crowdstrike.event.ComputerName", + target: "", + }) + .Convert({ + fields: [{ + from: "crowdstrike.event.HostnameField", to: "host.name", - }, - { - from: "crowdstrike.event.SHA256String", - to: "file.hash.sha256", - }, - { - from: "crowdstrike.event.MD5String", - to: "file.hash.md5", - }, - { - from: "crowdstrike.event.SHA1String", - to: "file.hash.sha1", - }, - { - from: "crowdstrike.event.DetectName", - to: "rule.name", - }, - { - from: "crowdstrike.event.DetectDescription", - to: "rule.description", - } - ], - mode: "copy", - ignore_missing: true, - fail_on_error: false - }) - .Add(function (evt) { - var tactic = evt.Get("crowdstrike.event.Tactic").toLowerCase() - var technique = evt.Get("crowdstrike.event.Technique").toLowerCase() - evt.Put("threat.technique.name", technique) - evt.Put("threat.tactic.name", tactic) - }) - .Add(normalizeProcess) - .Build() - - // IncidentSummaryEvent - var convertIncidentSummaryEvent = new processor.Chain() - .AddFields({ - fields: { - kind: "alert", - category: ["malware"], - type: ["info"], - action: "incident", - dataset: "crowdstrike.falcon_endpoint", - }, - target: "event", - }) - .AddFields({ - fields: { - type: "falcon", - }, - target: "agent", - }) - .Convert({ - fields: [{ - from: "crowdstrike.event.FalconHostLink", - to: "event.url", - }], - mode: "copy", - ignore_missing: true, - fail_on_error: false - }) - .Add(function (evt) { - evt.Put("message", "Incident score " + evt.Get("crowdstrike.event.FineScore")) - }) - .Add(normalizeProcess) - .Build() - - // UserActivityAuditEvent - var convertUserActivityAuditEvent = new 
processor.Chain() - .AddFields({ - fields: { - category: ["iam"], - type: ["change"], - dataset: "crowdstrike.falcon_audit", - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "crowdstrike.event.OperationName", - to: "message", - }, { - from: "crowdstrike.event.UserIp", - to: "source.ip", - type: "ip" - }], - mode: "copy", - ignore_missing: true, - fail_on_error: false - }) - .Add(normalizeUsername) - .Add(normalizeEventAction) - .Build() - - // AuthActivityAuditEvent - var convertAuthActivityAuditEvent = new processor.Chain() - .AddFields({ - fields: { - category: ["authentication"], - type: ["change"], - dataset: "crowdstrike.falcon_audit", - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "crowdstrike.event.ServiceName", - to: "message", - }, { - from: "crowdstrike.event.UserIp", - to: "source.ip", - type: "ip" - }], - mode: "copy", - ignore_missing: true, - fail_on_error: false - }) - .Add(normalizeUsername) - .Add(function (evt) { - evt.Put("event.action", convertUnderscore(evt.Get("crowdstrike.event.OperationName"))) - }) - .Build() + }], + mode: "copy", + ignore_missing: true, + fail_on_error: false + }) + .Add(convertUsername) + .Add(convertEventAction) + .Build(), - // FirewallMatchEvent - var convertFirewallMatchEvent = new processor.Chain() - .AddFields({ - fields: { - category: ["network"], - type: ["start", "connection"], - outcome: ["unknown"], - dataset: "crowdstrike.falcon_endpoint", - }, - target: "event", - }) - .Convert({ - fields: [{ - from: "crowdstrike.event.Ipv", - to: "network.type", - }, { - from: "crowdstrike.event.PID", - to: "process.pid", - }, - { - from: "crowdstrike.event.RuleId", - to: "rule.id" + RemoteResponseSessionEndEvent: new processor.Chain() + .AddFields({ + fields: { + "event.kind": "event", + "event.type": ["end"], + "event.dataset": "crowdstrike.falcon_audit", + message: "Remote response session ended", }, - { - from: "crowdstrike.event.RuleName", - to: "rule.name" - }, - { - from: 
"crowdstrike.event.RuleGroupName", - to: "rule.ruleset" - }, - { - from: "crowdstrike.event.RuleDescription", - to: "rule.description" - }, - { - from: "crowdstrike.event.RuleFamilyID", - to: "rule.category" - }, - { - from: "crowdstrike.event.HostName", - to: "host.name" - }, - { - from: "crowdstrike.event.Ipv", - to: "network.type", - }, - { - from: "crowdstrike.event.EventType", - to: "event.code", - } - ], - mode: "copy", - ignore_missing: true, - fail_on_error: false + target: "", + }) + .Convert({ + fields: [{ + from: "crowdstrike.event.HostnameField", + to: "host.name", + }], + mode: "copy", + ignore_missing: true, + fail_on_error: false + }) + .Add(convertUsername) + .Add(convertEventAction) + .Build(), + } + + // main processor + return new processor.Chain() + .DecodeJSONFields({ + fields: ["message"], + target: "crowdstrike", + process_array: true, + max_depth: 8 }) .Add(function (evt) { - evt.Put("message", "Firewall Rule '" + evt.Get("crowdstrike.event.RuleName") + "' triggered") - }) - .Add(normalizeEventAction) - .Add(normalizeProcess) - .Add(normalizeSourceDestination) - .Build(); + evt.Delete("message"); + evt.Delete("host.name"); - // RemoteResponseSessionStartEvent - var convertRemoteResponseSessionStartEvent = new processor.Chain() - .AddFields({ - fields: { - type: ["start"], - dataset: "crowdstrike.falcon_audit", - }, - target: "event", - }) - .AddFields({ - fields: { - message: "Remote response session started", - }, - target: "", - }) - .Convert({ - fields: [{ - from: "crowdstrike.event.HostnameField", - to: "host.name", - }], - mode: "copy", - ignore_missing: true, - fail_on_error: false - }) - .Add(normalizeUsername) - .Add(normalizeEventAction) - .Build() + convertToMSEpoch(evt, "crowdstrike.event.ProcessStartTime") + convertToMSEpoch(evt, "crowdstrike.event.ProcessEndTime") + convertToMSEpoch(evt, "crowdstrike.event.IncidentStartTime") + convertToMSEpoch(evt, "crowdstrike.event.IncidentEndTime") + convertToMSEpoch(evt, 
"crowdstrike.event.StartTimestamp") + convertToMSEpoch(evt, "crowdstrike.event.EndTimestamp") + convertToMSEpoch(evt, "crowdstrike.event.UTCTimestamp") + convertToMSEpoch(evt, "crowdstrike.metadata.eventCreationTime") + var outcome = evt.Get("crowdstrike.event.Success") + if (outcome === true) { + evt.Put("event.outcome", "success") + } else if (outcome === false) { + evt.Put("event.outcome", "failure") + } else { + evt.Put("event.outcome", "unknown") + } - // RemoteResponseSessionEndEvent - var convertRemoteResponseSessionEndEvent = new processor.Chain() - .AddFields({ - fields: { - type: ["end"], - dataset: "crowdstrike.falcon_audit", - }, - target: "event", - }) - .AddFields({ - fields: { - message: "Remote response session ended", - }, - target: "", + var eventProcessor = eventProcessors[evt.Get("crowdstrike.metadata.eventType")] + if (eventProcessor) { + eventProcessor.Run(evt) + } }) .Convert({ fields: [{ - from: "crowdstrike.event.HostnameField", - to: "host.name", + from: "crowdstrike.metadata.eventCreationTime", + to: "@timestamp", }], mode: "copy", - ignore_missing: true, - fail_on_error: false + ignore_missing: false, + fail_on_error: true }) - .Add(normalizeUsername) - .Add(normalizeEventAction) .Build() - - return { - process: new processor.Chain() - .DecodeJSONFields({ - fields: ["message"], - target: "crowdstrike", - process_array: true, - max_depth: 8 - }) - .Add(function (evt) { - convertToMSEpoch(evt, "crowdstrike.event.ProcessStartTime") - convertToMSEpoch(evt, "crowdstrike.event.ProcessEndTime") - convertToMSEpoch(evt, "crowdstrike.event.IncidentStartTime") - convertToMSEpoch(evt, "crowdstrike.event.IncidentEndTime") - convertToMSEpoch(evt, "crowdstrike.event.StartTimestamp") - convertToMSEpoch(evt, "crowdstrike.event.EndTimestamp") - convertToMSEpoch(evt, "crowdstrike.event.UTCTimestamp") - convertToMSEpoch(evt, "crowdstrike.metadata.eventCreationTime") - }) - .Add(function (evt) { - evt.Delete("message"); - evt.Delete("host.name"); - }) - 
.Convert({ - fields: [{ - from: "crowdstrike.metadata.eventCreationTime", - to: "@timestamp", - }], - mode: "copy", - ignore_missing: false, - fail_on_error: true - }) - .Add(function (evt) { - var eventType = evt.Get("crowdstrike.metadata.eventType") - var outcome = evt.Get("crowdstrike.event.Success") - - evt.Put("event.kind", "event") - - if (outcome === true) { - evt.Put("event.outcome", "success") - } else if (outcome === false) { - evt.Put("event.outcome", "failure") - } else { - evt.Put("event.outcome", "unknown") - } - - switch (eventType) { - case "DetectionSummaryEvent": - convertDetectionSummaryEvent.Run(evt) - break; - - case "IncidentSummaryEvent": - convertIncidentSummaryEvent.Run(evt) - break; - - case "UserActivityAuditEvent": - convertUserActivityAuditEvent.Run(evt) - break; - - case "FirewallMatchEvent": - convertFirewallMatchEvent.Run(evt) - break; - - case "AuthActivityAuditEvent": - convertAuthActivityAuditEvent.Run(evt) - break; - - case "RemoteResponseSessionStartEvent": - convertRemoteResponseSessionStartEvent.Run(evt); - break; - - case "RemoteResponseSessionEndEvent": - convertRemoteResponseSessionEndEvent.Run(evt); - break; - - default: - break; - } - }) - .Build() - .Run, - }; + .Run })(); function process(evt) { - crowdstrikeFalcon.process(evt); + crowdstrikeFalconProcessor(evt); } From 158971950a54d115761158c758db23bfceb4e8b6 Mon Sep 17 00:00:00 2001 From: Andrew Stucki Date: Wed, 22 Jul 2020 21:40:25 -0400 Subject: [PATCH 15/16] Fix linter errors and add related fields --- filebeat/tests/system/test_modules.py | 1 + .../crowdstrike/falcon/config/pipeline.js | 15 ++++++++++++ .../falcon-audit-events.log-expected.json | 24 +++++++++++++++++++ .../test/falcon-events.log-expected.json | 2 ++ .../test/falcon-sample.log-expected.json | 10 ++++++++ 5 files changed, 52 insertions(+) diff --git a/filebeat/tests/system/test_modules.py b/filebeat/tests/system/test_modules.py index dc205e7aa08..bbc0f1d65ed 100644 
--- a/filebeat/tests/system/test_modules.py +++ b/filebeat/tests/system/test_modules.py @@ -289,6 +289,7 @@ def clean_keys(obj): if "event.end" not in obj: delete_key(obj, "@timestamp") + def delete_key(obj, key): if key in obj: del obj[key] diff --git a/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js b/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js index c109c4c17ac..b12309caef5 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js +++ b/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js @@ -57,6 +57,8 @@ var crowdstrikeFalconProcessor = (function () { evt.Put("source.ip", localAddress) evt.Put("source.port", localPort) } + evt.AppendTo("related.ip", remoteAddress) + evt.AppendTo("related.ip", localAddress) } function convertEventAction(evt) { @@ -73,6 +75,7 @@ var crowdstrikeFalconProcessor = (function () { if (username.split('@').length == 2) { evt.Put("user.email", username) } + evt.AppendTo("related.user", username) } } @@ -94,6 +97,10 @@ var crowdstrikeFalconProcessor = (function () { from: "crowdstrike.event.LocalIP", to: "source.ip", type: "ip" + }, { + from: "crowdstrike.event.LocalIP", + to: "related.ip", + type: "ip" }, { from: "crowdstrike.event.ProcessId", to: "process.pid" @@ -213,6 +220,10 @@ var crowdstrikeFalconProcessor = (function () { from: "crowdstrike.event.UserIp", to: "source.ip", type: "ip" + }, { + from: "crowdstrike.event.UserIp", + to: "related.ip", + type: "ip" }], mode: "copy", ignore_missing: true, @@ -240,6 +251,10 @@ var crowdstrikeFalconProcessor = (function () { from: "crowdstrike.event.UserIp", to: "source.ip", type: "ip" + }, { + from: "crowdstrike.event.UserIp", + to: "related.ip", + type: "ip" }], mode: "copy", ignore_missing: true, diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json index d440e65a373..4d21948cac7 100644 
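Review bot: In the first pipeline.js hunk (`@@ -57,6 +57,8 @@`), `remoteAddress` and `localAddress` are appended to `related.ip` unconditionally, while the context line just above writes `source.ip` only inside a conditional, so either variable may be absent on this path; the enclosing function starts outside the hunk, so where they are read is not visible here. If one of them is missing, `AppendTo` would most likely push an empty or `undefined` value into `related.ip`, an `ip`-typed ECS field that analysts pivot on, so the document could be rejected at index time or the field polluted with a junk entry. The later hunks that populate `related.ip` through `processor.Convert` with `type: "ip"` and `ignore_missing: true` get both the presence check and the type validation for free; the `AppendTo` path gets neither. Guarding the two appends, `if (remoteAddress) { evt.AppendTo("related.ip", remoteAddress) }` and `if (localAddress) { evt.AppendTo("related.ip", localAddress) }`, keeps the two paths consistent; the `related.user` append in the second hunk is fine because it sits under the existing `username` guard.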
--- a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json +++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json @@ -25,6 +25,7 @@ ], "log.offset": 0, "message": "Remote response session started", + "related.user": "first.last@company.com", "service.type": "crowdstrike", "tags": [ "forwarded" @@ -58,6 +59,7 @@ ], "log.offset": 457, "message": "Remote response session ended", + "related.user": "first.last@company.com", "service.type": "crowdstrike", "tags": [ "forwarded" @@ -117,6 +119,8 @@ ], "log.offset": 910, "message": "Crowdstrike Streaming API", + "related.ip": "10.10.0.8", + "related.user": "api-client-id:1234567890abcdefghijklmnopqrstuvwxyz", "service.type": "crowdstrike", "source.ip": "10.10.0.8", "tags": [ @@ -154,6 +158,8 @@ ], "log.offset": 2152, "message": "CrowdStrike Authentication", + "related.ip": "192.168.6.8", + "related.user": "alice@company.com", "service.type": "crowdstrike", "source.ip": "192.168.6.8", "tags": [ @@ -192,6 +198,8 @@ ], "log.offset": 2645, "message": "CrowdStrike Authentication", + "related.ip": "192.168.6.3", + "related.user": "bob@company.com", "service.type": "crowdstrike", "source.ip": "192.168.6.3", "tags": [ @@ -239,6 +247,8 @@ ], "log.offset": 3136, "message": "update_group", + "related.ip": "192.168.6.13", + "related.user": "chris@company.com", "service.type": "crowdstrike", "source.ip": "192.168.6.13", "tags": [ @@ -283,6 +293,8 @@ ], "log.offset": 3858, "message": "CrowdStrike Authentication", + "related.ip": "192.168.6.8", + "related.user": "alice@company.com", "service.type": "crowdstrike", "source.ip": "192.168.6.8", "tags": [ @@ -321,6 +333,8 @@ ], "log.offset": 4506, "message": "CrowdStrike Authentication", + "related.ip": "192.168.6.8", + "related.user": "alice@company.com", "service.type": "crowdstrike", "source.ip": "192.168.6.8", "tags": [ 
@@ -365,6 +379,8 @@ ], "log.offset": 4999, "message": "CrowdStrike Authentication", + "related.ip": "192.168.6.8", + "related.user": "alice@company.com", "service.type": "crowdstrike", "source.ip": "192.168.6.8", "tags": [ @@ -403,6 +419,8 @@ ], "log.offset": 5646, "message": "CrowdStrike Authentication", + "related.ip": "192.168.6.8", + "related.user": "alice@company.com", "service.type": "crowdstrike", "source.ip": "192.168.6.8", "tags": [ @@ -441,6 +459,8 @@ ], "log.offset": 6134, "message": "CrowdStrike Authentication", + "related.ip": "192.168.6.8", + "related.user": "alice@company.com", "service.type": "crowdstrike", "source.ip": "192.168.6.8", "tags": [ @@ -479,6 +499,8 @@ ], "log.offset": 6627, "message": "CrowdStrike Authentication", + "related.ip": "192.168.6.8", + "related.user": "alice@company.com", "service.type": "crowdstrike", "source.ip": "192.168.6.8", "tags": [ @@ -534,6 +556,8 @@ ], "log.offset": 7113, "message": "detection_update", + "related.ip": "192.168.6.8", + "related.user": "alice@company.com", "service.type": "crowdstrike", "source.ip": "192.168.6.8", "tags": [ diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json index a365dbe3b06..47c0e10f47a 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json +++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json @@ -74,6 +74,7 @@ "process.executable": "C:\\Windows\\Explorer.EXE", "process.name": "explorer.exe", "process.pid": 38684386611, + "related.ip": "192.168.12.51", "rule.description": "Terminated a process related to the deletion of backups, which is often indicative of ransomware activity.", "rule.name": "Process Terminated", "service.type": "crowdstrike", 
@@ -159,6 +160,7 @@ ], "log.offset": 2579, "message": "quarantined_file_update", + "related.user": "Crowdstrike", "service.type": "crowdstrike", "tags": [ "forwarded" diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log-expected.json b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log-expected.json index 69e55c42f6d..e1fd5b6b0c7 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log-expected.json +++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log-expected.json @@ -59,6 +59,10 @@ "network.direction": "inbound", "network.type": "ipv4", "process.pid": "206158879910", + "related.ip": [ + "10.37.60.21", + "10.37.60.194" + ], "rule.category": "fec73e96a1bf4481be582c3f89b234fa", "rule.description": "", "rule.id": "4877172638743447345", @@ -159,6 +163,8 @@ ], "log.offset": 2041, "message": "Crowdstrike Authentication", + "related.ip": "165.225.220.184", + "related.user": "first.last@company.com", "service.type": "crowdstrike", "source.ip": "165.225.220.184", "tags": [ @@ -205,6 +211,7 @@ ], "log.offset": 3219, "message": "quarantined_file_update", + "related.user": "Crowdstrike", "service.type": "crowdstrike", "tags": [ "forwarded" @@ -237,6 +244,7 @@ ], "log.offset": 4017, "message": "Remote response session started", + "related.user": "first.last@company.com", "service.type": "crowdstrike", "tags": [ "forwarded" @@ -281,6 +289,7 @@ ], "log.offset": 4466, "message": "Remote response session ended", + "related.user": "first.last@company.com", "service.type": "crowdstrike", "tags": [ "forwarded" 
@@ -399,6 +408,7 @@ "process.parent.command_line": "C:\\Windows\\Explorer.EXE", "process.parent.executable": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", "process.pid": 663790158277, + "related.ip": "10.1.190.117", "rule.description": "This file meets the machine learning-based on-sensor AV protection's low confidence threshold for malicious files.", "rule.name": "NGAV", "service.type": "crowdstrike", From 3ca4e46d67702e30b4f9e2572e653a4cae5116f8 Mon Sep 17 00:00:00 2001 From: Andrew Stucki Date: Wed, 22 Jul 2020 21:49:27 -0400 Subject: [PATCH 16/16] Run mage update in OSS folder to pick up updated fields docs --- filebeat/docs/fields.asciidoc | 422 +++++++++++++++++++++++++++++++++- 1 file changed, 421 insertions(+), 1 deletion(-) diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index f3136d3bba3..81f6bbe9182 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -32022,7 +32022,7 @@ Meta data fields for each event that include type and timestamp. *`crowdstrike.metadata.eventType`*:: + -- -DetectionSummaryEvent, IncidentSummaryEvent, RemoteResponseSessionStartEvent, RemoteResponseSessionEndEvent, AuthActivityAuditEvent, or UserActivityAuditEvent +DetectionSummaryEvent, FirewallMatchEvent, IncidentSummaryEvent, RemoteResponseSessionStartEvent, RemoteResponseSessionEndEvent, AuthActivityAuditEvent, or UserActivityAuditEvent type: keyword @@ -32202,6 +32202,16 @@ type: keyword Executable path with command line arguments. +type: keyword + +-- + +*`crowdstrike.event.SHA1String`*:: ++ +-- +SHA1 sum of the executable associated with the detection. + + type: keyword -- @@ -32452,6 +32462,16 @@ type: date Fields that were changed in this event. +type: nested + +-- + +*`crowdstrike.event.ExecutablesWritten`*:: ++ +-- +Detected executables written to disk by a process. + + type: nested -- 
@@ -32496,6 +32516,406 @@ type: date -- +*`crowdstrike.event.LateralMovement`*:: ++ +-- +Lateral movement field for incident. + + +type: long + +-- + +*`crowdstrike.event.ParentImageFileName`*:: ++ +-- +Path to the parent process. + + +type: keyword + +-- + +*`crowdstrike.event.ParentCommandLine`*:: ++ +-- +Parent process command line arguments. + + +type: keyword + +-- + +*`crowdstrike.event.GrandparentImageFileName`*:: ++ +-- +Path to the grandparent process. + + +type: keyword + +-- + +*`crowdstrike.event.GrandparentCommandLine`*:: ++ +-- +Grandparent process command line arguments. + + +type: keyword + +-- + +*`crowdstrike.event.IOCType`*:: ++ +-- +CrowdStrike type for indicator of compromise. + + +type: keyword + +-- + +*`crowdstrike.event.IOCValue`*:: ++ +-- +CrowdStrike value for indicator of compromise. + + +type: keyword + +-- + +*`crowdstrike.event.CustomerId`*:: ++ +-- +Customer identifier. + + +type: keyword + +-- + +*`crowdstrike.event.DeviceId`*:: ++ +-- +Device on which the event occurred. + + +type: keyword + +-- + +*`crowdstrike.event.Ipv`*:: ++ +-- +Protocol for network request. + + +type: keyword + +-- + +*`crowdstrike.event.ConnectionDirection`*:: ++ +-- +Direction for network connection. + + +type: keyword + +-- + +*`crowdstrike.event.EventType`*:: ++ +-- +CrowdStrike provided event type. + + +type: keyword + +-- + +*`crowdstrike.event.HostName`*:: ++ +-- +Host name of the local machine. + + +type: keyword + +-- + +*`crowdstrike.event.ICMPCode`*:: ++ +-- +RFC2780 ICMP Code field. + + +type: keyword + +-- + +*`crowdstrike.event.ICMPType`*:: ++ +-- +RFC2780 ICMP Type field. + + +type: keyword + +-- + +*`crowdstrike.event.ImageFileName`*:: ++ +-- +File name of the associated process for the detection. + + +type: keyword + +-- + +*`crowdstrike.event.PID`*:: ++ +-- +Associated process id for the detection. + + +type: long + +-- + +*`crowdstrike.event.LocalAddress`*:: ++ +-- +IP address of local machine. 
+ + +type: ip + +-- + +*`crowdstrike.event.LocalPort`*:: ++ +-- +Port of local machine. + + +type: long + +-- + +*`crowdstrike.event.RemoteAddress`*:: ++ +-- +IP address of remote machine. + + +type: ip + +-- + +*`crowdstrike.event.RemotePort`*:: ++ +-- +Port of remote machine. + + +type: long + +-- + +*`crowdstrike.event.RuleAction`*:: ++ +-- +Firewall rule action. + + +type: keyword + +-- + +*`crowdstrike.event.RuleDescription`*:: ++ +-- +Firewall rule description. + + +type: keyword + +-- + +*`crowdstrike.event.RuleFamilyID`*:: ++ +-- +Firewall rule family id. + + +type: keyword + +-- + +*`crowdstrike.event.RuleGroupName`*:: ++ +-- +Firewall rule group name. + + +type: keyword + +-- + +*`crowdstrike.event.RuleName`*:: ++ +-- +Firewall rule name. + + +type: keyword + +-- + +*`crowdstrike.event.RuleId`*:: ++ +-- +Firewall rule id. + + +type: keyword + +-- + +*`crowdstrike.event.MatchCount`*:: ++ +-- +Number of firewall rule matches. + + +type: long + +-- + +*`crowdstrike.event.MatchCountSinceLastReport`*:: ++ +-- +Number of firewall rule matches since the last report. + + +type: long + +-- + +*`crowdstrike.event.Timestamp`*:: ++ +-- +Firewall rule triggered timestamp. + + +type: date + +-- + +*`crowdstrike.event.Flags.Audit`*:: ++ +-- +CrowdStrike audit flag. + + +type: boolean + +-- + +*`crowdstrike.event.Flags.Log`*:: ++ +-- +CrowdStrike log flag. + + +type: boolean + +-- + +*`crowdstrike.event.Flags.Monitor`*:: ++ +-- +CrowdStrike monitor flag. + + +type: boolean + +-- + +*`crowdstrike.event.Protocol`*:: ++ +-- +CrowdStrike provided protocol. + + +type: keyword + +-- + +*`crowdstrike.event.NetworkProfile`*:: ++ +-- +CrowdStrike network profile. + + +type: keyword + +-- + +*`crowdstrike.event.PolicyName`*:: ++ +-- +CrowdStrike policy name. + + +type: keyword + +-- + +*`crowdstrike.event.PolicyID`*:: ++ +-- +CrowdStrike policy id. + + +type: keyword + +-- + +*`crowdstrike.event.Status`*:: ++ +-- +CrowdStrike status. 
+ + +type: keyword + +-- + +*`crowdstrike.event.TreeID`*:: ++ +-- +CrowdStrike tree id. + + +type: keyword + +-- + +*`crowdstrike.event.Commands`*:: ++ +-- +Commands run in a remote session. + + +type: keyword + +-- + [[exported-fields-cylance]] == CylanceProtect fields