From 18ee16d6941d17ea278197c5ff10f61279456bf7 Mon Sep 17 00:00:00 2001 From: Andrew Kroh Date: Fri, 26 Jun 2020 11:09:49 -0400 Subject: [PATCH] Disable host.* fields by default for CrowdStrike module (#19132) (#19297) For the CrowdStrike module when data is forwarded to Filebeat from another host/device you don't want Filebeat to add `host`. So by default this modules add a `forwarded` tag to events. If you configure the module to not include the `forwarded` tag (e.g. `var.tags: [my_tag]`) then Filebeat will add the `host.*` fields. Relates: #13920 (cherry picked from commit 59b133e9e994c15abbbdd65300e3a5a97af09af4) --- CHANGELOG.next.asciidoc | 2 + .../crowdstrike/falcon/config/falcon.yml | 3 + .../module/crowdstrike/falcon/manifest.yml | 2 + .../falcon-audit-events.log-expected.json | 661 ++++++++++-------- .../test/falcon-events.log-expected.json | 188 ++--- 5 files changed, 467 insertions(+), 389 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index e4963636df7..c27a9bb599d 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -46,6 +46,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d field. You can revert this change by configuring tags for the module and omitting `forwarded` from the list. {issue}13920[13920] * Cisco {pull}18753[18753] +* CrowdStrike {pull}19132[19132] +* iptables {pull}18756[18756] * Checkpoint {pull}18754[18754] * Netflow {pull}19087[19087] * Suricata {pull}19107[19107] (`forwarded` tag is not included by default) diff --git a/x-pack/filebeat/module/crowdstrike/falcon/config/falcon.yml b/x-pack/filebeat/module/crowdstrike/falcon/config/falcon.yml index e9e9d253ca8..689bd725530 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/config/falcon.yml +++ b/x-pack/filebeat/module/crowdstrike/falcon/config/falcon.yml 
@@ -12,6 +12,9 @@ multiline.match: after multiline.max_lines: 5000 multiline.timeout: 10 +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} + processors: - script: lang: javascript diff --git a/x-pack/filebeat/module/crowdstrike/falcon/manifest.yml b/x-pack/filebeat/module/crowdstrike/falcon/manifest.yml index b3d3edbb641..ab5f880e3a3 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/manifest.yml +++ b/x-pack/filebeat/module/crowdstrike/falcon/manifest.yml @@ -4,5 +4,7 @@ var: - name: paths default: - /var/log/crowdstrike/falconhoseclient/output + - name: tags + default: [forwarded] input: config/falcon.yml diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json index e5466024247..3aae7f3f80e 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json +++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json 
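Review bot: The two added lines in the falcon.yml hunk tie `publisher_pipeline.disable_host` to the presence of `forwarded` in `tags` without any comment, so an operator reading the rendered input has no hint why host.* is absent from their events or how to get it back; add a comment above them such as `# Events describe the CrowdStrike-monitored host, not this Filebeat host: with the "forwarded" tag (the manifest default) do not stamp host.* from the local machine; override var.tags without "forwarded" to restore it.` The expected fixtures in this commit (falcon-audit-events.log-expected.json) also drop the `host.name` that previously mirrored `crowdstrike.event.HostnameField`, which removes the ECS host value analysts correlate on; if the script processor still sets that field this may be the test harness stripping it, but if not, the loss should be called out in the changelog entry. The manifest.yml hunk's `default: [forwarded]` is what makes the template's `inList` render true by default, so the comment belongs where both values meet.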
@@ -1,97 +1,72 @@ [ { "@timestamp": "2020-02-27T19:12:14.000Z", - "service.type": "crowdstrike", - "input.type": "log", + "crowdstrike.event.HostnameField": "hostnameofmachine", + "crowdstrike.event.SessionId": "6020260b-0398-4d41-999d-5531b55522de", + "crowdstrike.event.StartTimestamp": 1582830734, + "crowdstrike.event.UserName": "first.last@company.com", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.offset": 1045, - "crowdstrike.metadata.eventType": "RemoteResponseSessionStartEvent", "crowdstrike.metadata.eventCreationTime": 1582830734000, + "crowdstrike.metadata.eventType": "RemoteResponseSessionStartEvent", + "crowdstrike.metadata.offset": 1045, "crowdstrike.metadata.version": "1.0", - "crowdstrike.event.SessionId": "6020260b-0398-4d41-999d-5531b55522de", - "crowdstrike.event.HostnameField": "hostnameofmachine", - "crowdstrike.event.UserName": "first.last@company.com", - "crowdstrike.event.StartTimestamp": 1582830734, - "event.module": "crowdstrike", + "event.action": "remote_response_session_start_event", "event.dataset": "crowdstrike.falcon_audit", "event.kind": "event", - "event.action": "remote_response_session_start_event", - "event.type": [ "start" ], + "event.module": "crowdstrike", "event.outcome": "unknown", - "message": "Remote response session started", - "host.name": "hostnameofmachine", - "user.name": "first.last@company.com", - "user.email": "first.last@company.com", - "agent.type": "falcon", + "event.type": [ + "start" + ], "fileset.name": "falcon", - "log.file.path": "falcon-events.log", + "input.type": "log", "log.flags": [ "multiline" ], - "log.offset": 0 + "log.offset": 0, + "message": "Remote response session started", + "service.type": "crowdstrike", + "tags": [ + "forwarded" + ], + "user.email": "first.last@company.com", + "user.name": "first.last@company.com" }, { "@timestamp": "2020-02-27T19:12:52.000Z", - "crowdstrike.metadata.offset": 1046, - "crowdstrike.metadata.eventType": 
"RemoteResponseSessionEndEvent", - "crowdstrike.metadata.eventCreationTime": 1582830772000, - "crowdstrike.metadata.version": "1.0", - "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.event.SessionId": "6020260b-0398-4d41-999d-5531b55522de", + "crowdstrike.event.EndTimestamp": 1582830772, "crowdstrike.event.HostnameField": "hostnameofmachine", + "crowdstrike.event.SessionId": "6020260b-0398-4d41-999d-5531b55522de", "crowdstrike.event.UserName": "first.last@company.com", - "crowdstrike.event.EndTimestamp": 1582830772, - "user.name": "first.last@company.com", - "user.email": "first.last@company.com", - "fileset.name": "falcon", - "service.type": "crowdstrike", - "input.type": "log", - "event.module": "crowdstrike", + "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", + "crowdstrike.metadata.eventCreationTime": 1582830772000, + "crowdstrike.metadata.eventType": "RemoteResponseSessionEndEvent", + "crowdstrike.metadata.offset": 1046, + "crowdstrike.metadata.version": "1.0", + "event.action": "remote_response_session_end_event", "event.dataset": "crowdstrike.falcon_audit", "event.kind": "event", - "event.action": "remote_response_session_end_event", - "event.type": ["end"], + "event.module": "crowdstrike", "event.outcome": "unknown", - "message": "Remote response session ended", - "host.name": "hostnameofmachine", - "log.file.path": "falcon-events.log", + "event.type": [ + "end" + ], + "fileset.name": "falcon", + "input.type": "log", "log.flags": [ "multiline" ], "log.offset": 457, - "agent.type": "falcon" + "message": "Remote response session ended", + "service.type": "crowdstrike", + "tags": [ + "forwarded" + ], + "user.email": "first.last@company.com", + "user.name": "first.last@company.com" }, { "@timestamp": "2020-02-12T21:29:10.710Z", - "message": "Crowdstrike Streaming API", - "source.ip": "10.10.0.8", - "input.type": "log", - "event.module": "crowdstrike", - "event.dataset": 
"crowdstrike.falcon_audit", - "event.kind": "event", - "event.action": "stream_started", - "event.type": ["change"], - "event.category": ["authentication"], - "event.outcome": "success", - "agent.type": "falcon", - "user.name": "api-client-id:1234567890abcdefghijklmnopqrstuvwxyz", - "log.offset": 910, - "log.file.path": "falcon-events.log", - "log.flags": [ - "multiline" - ], - "service.type": "crowdstrike", - "fileset.name": "falcon", - "crowdstrike.metadata.version": "1.0", - "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.offset": 0, - "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", - "crowdstrike.metadata.eventCreationTime": 1581542950710, - "crowdstrike.event.UserIp": "10.10.0.8", - "crowdstrike.event.OperationName": "streamStarted", - "crowdstrike.event.ServiceName": "Crowdstrike Streaming API", - "crowdstrike.event.Success": true, - "crowdstrike.event.UTCTimestamp": 1581542950, "crowdstrike.event.AuditKeyValues": [ { "Key": "APIClientID", 
@@ -114,175 +89,215 @@ "ValueString": "[UserActivityAuditEvent HashSpreadingEvent RemoteResponseSessionStartEvent RemoteResponseSessionEndEvent DetectionSummaryEvent AuthActivityAuditEvent]" } ], - "crowdstrike.event.UserId": "api-client-id:1234567890abcdefghijklmnopqrstuvwxyz" - }, - { - "@timestamp": "2020-02-12T21:39:37.147Z", - "log.offset": 2152, - "log.file.path": "falcon-events.log", - "log.flags": [ - "multiline" + "crowdstrike.event.OperationName": "streamStarted", + "crowdstrike.event.ServiceName": "Crowdstrike Streaming API", + "crowdstrike.event.Success": true, + "crowdstrike.event.UTCTimestamp": 1581542950, + "crowdstrike.event.UserId": "api-client-id:1234567890abcdefghijklmnopqrstuvwxyz", + "crowdstrike.event.UserIp": "10.10.0.8", + "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", + "crowdstrike.metadata.eventCreationTime": 1581542950710, + "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", + "crowdstrike.metadata.offset": 0, + "crowdstrike.metadata.version": "1.0", + "event.action": "stream_started", + "event.category": [ + "authentication" ], - "source.ip": "192.168.6.8", - "fileset.name": "falcon", - "service.type": "crowdstrike", - "input.type": "log", - "event.module": "crowdstrike", "event.dataset": "crowdstrike.falcon_audit", "event.kind": "event", - "event.action": "two_factor_authenticate", - "event.type": ["change"], - "event.category": ["authentication"], + "event.module": "crowdstrike", "event.outcome": "success", - "crowdstrike.metadata.eventCreationTime": 1581543577147, - "crowdstrike.metadata.version": "1.0", - "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.offset": 1, - "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", + "event.type": [ + "change" + ], + "fileset.name": "falcon", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 910, + "message": "Crowdstrike Streaming API", + "service.type": 
"crowdstrike", + "source.ip": "10.10.0.8", + "tags": [ + "forwarded" + ], + "user.name": "api-client-id:1234567890abcdefghijklmnopqrstuvwxyz" + }, + { + "@timestamp": "2020-02-12T21:39:37.147Z", + "crowdstrike.event.OperationName": "twoFactorAuthenticate", "crowdstrike.event.ServiceName": "CrowdStrike Authentication", "crowdstrike.event.Success": true, "crowdstrike.event.UTCTimestamp": 1581543577147, "crowdstrike.event.UserId": "alice@company.com", "crowdstrike.event.UserIp": "192.168.6.8", - "crowdstrike.event.OperationName": "twoFactorAuthenticate", - "agent.type": "falcon", - "user.name": "alice@company.com", - "user.email": "alice@company.com", - "message": "CrowdStrike Authentication" - }, - { - "@timestamp": "2020-02-12T22:14:37.554Z", - "log.flags": [ - "multiline" + "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", + "crowdstrike.metadata.eventCreationTime": 1581543577147, + "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", + "crowdstrike.metadata.offset": 1, + "crowdstrike.metadata.version": "1.0", + "event.action": "two_factor_authenticate", + "event.category": [ + "authentication" ], - "log.offset": 2645, - "log.file.path": "falcon-events.log", - "fileset.name": "falcon", - "service.type": "crowdstrike", - "event.module": "crowdstrike", "event.dataset": "crowdstrike.falcon_audit", "event.kind": "event", - "event.action": "two_factor_authenticate", - "event.type": ["change"], - "event.category": ["authentication"], + "event.module": "crowdstrike", "event.outcome": "success", - "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.offset": 2, - "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", - "crowdstrike.metadata.eventCreationTime": 1581545677554, - "crowdstrike.metadata.version": "1.0", - "crowdstrike.event.UserId": "bob@company.com", - "crowdstrike.event.UserIp": "192.168.6.3", + "event.type": [ + "change" + ], + "fileset.name": "falcon", + 
"input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 2152, + "message": "CrowdStrike Authentication", + "service.type": "crowdstrike", + "source.ip": "192.168.6.8", + "tags": [ + "forwarded" + ], + "user.email": "alice@company.com", + "user.name": "alice@company.com" + }, + { + "@timestamp": "2020-02-12T22:14:37.554Z", "crowdstrike.event.OperationName": "twoFactorAuthenticate", "crowdstrike.event.ServiceName": "CrowdStrike Authentication", "crowdstrike.event.Success": true, "crowdstrike.event.UTCTimestamp": 1581545677554, - "user.name": "bob@company.com", - "user.email": "bob@company.com", + "crowdstrike.event.UserId": "bob@company.com", + "crowdstrike.event.UserIp": "192.168.6.3", + "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", + "crowdstrike.metadata.eventCreationTime": 1581545677554, + "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", + "crowdstrike.metadata.offset": 2, + "crowdstrike.metadata.version": "1.0", + "event.action": "two_factor_authenticate", + "event.category": [ + "authentication" + ], + "event.dataset": "crowdstrike.falcon_audit", + "event.kind": "event", + "event.module": "crowdstrike", + "event.outcome": "success", + "event.type": [ + "change" + ], + "fileset.name": "falcon", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 2645, "message": "CrowdStrike Authentication", + "service.type": "crowdstrike", "source.ip": "192.168.6.3", - "input.type": "log", - "agent.type": "falcon" + "tags": [ + "forwarded" + ], + "user.email": "bob@company.com", + "user.name": "bob@company.com" }, { "@timestamp": "2020-02-12T22:24:08.000Z", - "input.type": "log", - "crowdstrike.metadata.version": "1.0", - "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.offset": 3, - "crowdstrike.metadata.eventType": "UserActivityAuditEvent", - "crowdstrike.metadata.eventCreationTime": 1581546248000, - "crowdstrike.event.ServiceName": 
"groups", "crowdstrike.event.AuditKeyValues": [ { - "ValueString": "3c80ce30b9654cb4bd15beec6a517e65", - "Key": "group_id" + "Key": "group_id", + "ValueString": "3c80ce30b9654cb4bd15beec6a517e65" }, { "Key": "action_name", "ValueString": "add_group_member" } ], + "crowdstrike.event.OperationName": "update_group", + "crowdstrike.event.ServiceName": "groups", "crowdstrike.event.UTCTimestamp": 1581546248, "crowdstrike.event.UserId": "chris@company.com", "crowdstrike.event.UserIp": "192.168.6.13", - "crowdstrike.event.OperationName": "update_group", - "log.offset": 3136, - "log.file.path": "falcon-events.log", + "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", + "crowdstrike.metadata.eventCreationTime": 1581546248000, + "crowdstrike.metadata.eventType": "UserActivityAuditEvent", + "crowdstrike.metadata.offset": 3, + "crowdstrike.metadata.version": "1.0", + "event.action": "user_activity_audit_event", + "event.category": [ + "iam" + ], + "event.dataset": "crowdstrike.falcon_audit", + "event.kind": "event", + "event.module": "crowdstrike", + "event.outcome": "unknown", + "event.type": [ + "change" + ], + "fileset.name": "falcon", + "input.type": "log", "log.flags": [ "multiline" ], - "service.type": "crowdstrike", - "fileset.name": "falcon", - "agent.type": "falcon", - "user.name": "chris@company.com", - "user.email": "chris@company.com", + "log.offset": 3136, "message": "update_group", + "service.type": "crowdstrike", "source.ip": "192.168.6.13", - "event.kind": "event", - "event.action": "user_activity_audit_event", - "event.type": ["change"], - "event.outcome": "unknown", - "event.category": ["iam"], - "event.module": "crowdstrike", - "event.dataset": "crowdstrike.falcon_audit" + "tags": [ + "forwarded" + ], + "user.email": "chris@company.com", + "user.name": "chris@company.com" }, { "@timestamp": "2020-02-13T13:41:52.140Z", - "source.ip": "192.168.6.8", - "user.name": "alice@company.com", - "user.email": "alice@company.com", - 
"service.type": "crowdstrike", - "input.type": "log", - "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.offset": 4, - "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", - "crowdstrike.metadata.eventCreationTime": 1581601312140, - "crowdstrike.metadata.version": "1.0", "crowdstrike.event.AuditKeyValues": [ { "Key": "target_name", "ValueString": "alice@company.com" } ], - "crowdstrike.event.UserId": "alice@company.com", - "crowdstrike.event.UserIp": "192.168.6.8", "crowdstrike.event.OperationName": "requestResetPassword", "crowdstrike.event.ServiceName": "CrowdStrike Authentication", "crowdstrike.event.Success": true, "crowdstrike.event.UTCTimestamp": 1581601312140, - "agent.type": "falcon", - "message": "CrowdStrike Authentication", - "log.file.path": "falcon-events.log", - "log.flags": [ - "multiline" + "crowdstrike.event.UserId": "alice@company.com", + "crowdstrike.event.UserIp": "192.168.6.8", + "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", + "crowdstrike.metadata.eventCreationTime": 1581601312140, + "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", + "crowdstrike.metadata.offset": 4, + "crowdstrike.metadata.version": "1.0", + "event.action": "request_reset_password", + "event.category": [ + "authentication" ], - "log.offset": 3858, - "event.module": "crowdstrike", "event.dataset": "crowdstrike.falcon_audit", "event.kind": "event", - "event.action": "request_reset_password", - "event.type": ["change"], - "event.category": ["authentication"], - "event.outcome": "success", - "fileset.name": "falcon" - }, - { - "@timestamp": "2020-02-13T13:42:21.730Z", - "event.kind": "event", - "event.action": "two_factor_authenticate", - "event.type": ["change"], - "event.category": ["authentication"], - "event.outcome": "success", - "event.dataset": "crowdstrike.falcon_audit", "event.module": "crowdstrike", + "event.outcome": "success", + "event.type": [ + "change" + ], 
"fileset.name": "falcon", - "agent.type": "falcon", - "user.name": "alice@company.com", - "user.email": "alice@company.com", "input.type": "log", - "source.ip": "192.168.6.8", + "log.flags": [ + "multiline" + ], + "log.offset": 3858, + "message": "CrowdStrike Authentication", "service.type": "crowdstrike", + "source.ip": "192.168.6.8", + "tags": [ + "forwarded" + ], + "user.email": "alice@company.com", + "user.name": "alice@company.com" + }, + { + "@timestamp": "2020-02-13T13:42:21.730Z", "crowdstrike.event.OperationName": "twoFactorAuthenticate", "crowdstrike.event.ServiceName": "CrowdStrike Authentication", "crowdstrike.event.Success": true, 
@@ -290,183 +305,200 @@ "crowdstrike.event.UserId": "alice@company.com", "crowdstrike.event.UserIp": "192.168.6.8", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.offset": 5, - "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", "crowdstrike.metadata.eventCreationTime": 1581601341730, + "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", + "crowdstrike.metadata.offset": 5, "crowdstrike.metadata.version": "1.0", - "message": "CrowdStrike Authentication", - "log.offset": 4506, - "log.file.path": "falcon-events.log", - "log.flags": [ - "multiline" - ] - }, - { - "@timestamp": "2020-02-13T13:45:20.236Z", - "user.name": "alice@company.com", - "user.email": "alice@company.com", - "log.offset": 5003, - "log.file.path": "falcon-events.log", - "log.flags": [ - "multiline" + "event.action": "two_factor_authenticate", + "event.category": [ + "authentication" ], - "event.action": "change_password", - "event.type": ["change"], - "event.category": ["authentication"], - "event.outcome": "success", - "event.module": "crowdstrike", "event.dataset": "crowdstrike.falcon_audit", "event.kind": "event", + "event.module": "crowdstrike", + "event.outcome": "success", + "event.type": [ + "change" + ], "fileset.name": "falcon", - "agent.type": "falcon", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 4506, "message": "CrowdStrike Authentication", - "source.ip": "192.168.6.8", "service.type": "crowdstrike", - "input.type": "log", - "crowdstrike.metadata.version": "1.0", - "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.offset": 6, - "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", - "crowdstrike.metadata.eventCreationTime": 1581601520236, - "crowdstrike.event.Success": true, - "crowdstrike.event.UTCTimestamp": 1581601520236, + "source.ip": "192.168.6.8", + "tags": [ + "forwarded" + ], + "user.email": "alice@company.com", + 
"user.name": "alice@company.com" + }, + { + "@timestamp": "2020-02-13T13:45:20.236Z", "crowdstrike.event.AuditKeyValues": [ { "Key": "target_name", "ValueString": "first.last@company.com" } ], + "crowdstrike.event.OperationName": "changePassword", + "crowdstrike.event.ServiceName": "CrowdStrike Authentication", + "crowdstrike.event.Success": true, + "crowdstrike.event.UTCTimestamp": 1581601520236, "crowdstrike.event.UserId": "alice@company.com", "crowdstrike.event.UserIp": "192.168.6.8", - "crowdstrike.event.OperationName": "changePassword", - "crowdstrike.event.ServiceName": "CrowdStrike Authentication" - }, - { - "@timestamp": "2020-02-13T13:46:12.362Z", - "log.offset": 5657, - "log.file.path": "falcon-events.log", + "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", + "crowdstrike.metadata.eventCreationTime": 1581601520236, + "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", + "crowdstrike.metadata.offset": 6, + "crowdstrike.metadata.version": "1.0", + "event.action": "change_password", + "event.category": [ + "authentication" + ], + "event.dataset": "crowdstrike.falcon_audit", + "event.kind": "event", + "event.module": "crowdstrike", + "event.outcome": "success", + "event.type": [ + "change" + ], + "fileset.name": "falcon", + "input.type": "log", "log.flags": [ "multiline" ], + "log.offset": 5003, + "message": "CrowdStrike Authentication", "service.type": "crowdstrike", - "input.type": "log", - "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", - "crowdstrike.metadata.eventCreationTime": 1581601572362, - "crowdstrike.metadata.version": "1.0", - "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.offset": 7, + "source.ip": "192.168.6.8", + "tags": [ + "forwarded" + ], + "user.email": "alice@company.com", + "user.name": "alice@company.com" + }, + { + "@timestamp": "2020-02-13T13:46:12.362Z", + "crowdstrike.event.OperationName": "userAuthenticate", + 
"crowdstrike.event.ServiceName": "CrowdStrike Authentication", "crowdstrike.event.Success": true, "crowdstrike.event.UTCTimestamp": 1581601572362, "crowdstrike.event.UserId": "alice@company.com", "crowdstrike.event.UserIp": "192.168.6.8", - "crowdstrike.event.OperationName": "userAuthenticate", - "crowdstrike.event.ServiceName": "CrowdStrike Authentication", - "message": "CrowdStrike Authentication", - "source.ip": "192.168.6.8", - "event.module": "crowdstrike", + "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", + "crowdstrike.metadata.eventCreationTime": 1581601572362, + "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", + "crowdstrike.metadata.offset": 7, + "crowdstrike.metadata.version": "1.0", + "event.action": "user_authenticate", + "event.category": [ + "authentication" + ], "event.dataset": "crowdstrike.falcon_audit", "event.kind": "event", - "event.action": "user_authenticate", - "event.type": ["change"], - "event.category": ["authentication"], + "event.module": "crowdstrike", "event.outcome": "success", + "event.type": [ + "change" + ], "fileset.name": "falcon", - "agent.type": "falcon", - "user.name": "alice@company.com", - "user.email": "alice@company.com" + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 5657, + "message": "CrowdStrike Authentication", + "service.type": "crowdstrike", + "source.ip": "192.168.6.8", + "tags": [ + "forwarded" + ], + "user.email": "alice@company.com", + "user.name": "alice@company.com" }, { "@timestamp": "2020-02-13T13:50:14.754Z", - "input.type": "log", - "crowdstrike.metadata.eventCreationTime": 1581601814754, - "crowdstrike.metadata.version": "1.0", - "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.offset": 8, - "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", + "crowdstrike.event.OperationName": "twoFactorAuthenticate", "crowdstrike.event.ServiceName": "CrowdStrike Authentication", 
"crowdstrike.event.Success": true, "crowdstrike.event.UTCTimestamp": 1581601814754, "crowdstrike.event.UserId": "alice@company.com", "crowdstrike.event.UserIp": "192.168.6.8", - "crowdstrike.event.OperationName": "twoFactorAuthenticate", - "agent.type": "falcon", - "source.ip": "192.168.6.8", + "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", + "crowdstrike.metadata.eventCreationTime": 1581601814754, + "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", + "crowdstrike.metadata.offset": 8, + "crowdstrike.metadata.version": "1.0", + "event.action": "two_factor_authenticate", + "event.category": [ + "authentication" + ], "event.dataset": "crowdstrike.falcon_audit", "event.kind": "event", - "event.action": "two_factor_authenticate", - "event.type": ["change"], - "event.category": ["authentication"], - "event.outcome": "success", "event.module": "crowdstrike", + "event.outcome": "success", + "event.type": [ + "change" + ], "fileset.name": "falcon", - "service.type": "crowdstrike", - "user.name": "alice@company.com", - "user.email": "alice@company.com", - "message": "CrowdStrike Authentication", - "log.offset": 6149, - "log.file.path": "falcon-events.log", + "input.type": "log", "log.flags": [ "multiline" - ] + ], + "log.offset": 6149, + "message": "CrowdStrike Authentication", + "service.type": "crowdstrike", + "source.ip": "192.168.6.8", + "tags": [ + "forwarded" + ], + "user.email": "alice@company.com", + "user.name": "alice@company.com" }, { "@timestamp": "2020-02-13T13:50:20.289Z", - "agent.type": "falcon", - "event.action": "self_accept_eula", - "event.type": ["change"], - "event.category": ["authentication"], - "event.outcome": "success", - "event.module": "crowdstrike", - "event.dataset": "crowdstrike.falcon_audit", - "event.kind": "event", - "crowdstrike.metadata.version": "1.0", - "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.offset": 9, - 
"crowdstrike.metadata.eventType": "AuthActivityAuditEvent", - "crowdstrike.metadata.eventCreationTime": 1581601820289, - "crowdstrike.event.UserId": "alice@company.com", - "crowdstrike.event.UserIp": "192.168.6.8", "crowdstrike.event.OperationName": "selfAcceptEula", "crowdstrike.event.ServiceName": "CrowdStrike Authentication", "crowdstrike.event.Success": true, "crowdstrike.event.UTCTimestamp": 1581601820289, + "crowdstrike.event.UserId": "alice@company.com", + "crowdstrike.event.UserIp": "192.168.6.8", + "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", + "crowdstrike.metadata.eventCreationTime": 1581601820289, + "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", + "crowdstrike.metadata.offset": 9, + "crowdstrike.metadata.version": "1.0", + "event.action": "self_accept_eula", + "event.category": [ + "authentication" + ], + "event.dataset": "crowdstrike.falcon_audit", + "event.kind": "event", + "event.module": "crowdstrike", + "event.outcome": "success", + "event.type": [ + "change" + ], "fileset.name": "falcon", - "service.type": "crowdstrike", "input.type": "log", - "user.name": "alice@company.com", - "user.email": "alice@company.com", - "message": "CrowdStrike Authentication", - "log.file.path": "falcon-events.log", "log.flags": [ "multiline" ], "log.offset": 6642, - "source.ip": "192.168.6.8" + "message": "CrowdStrike Authentication", + "service.type": "crowdstrike", + "source.ip": "192.168.6.8", + "tags": [ + "forwarded" + ], + "user.email": "alice@company.com", + "user.name": "alice@company.com" }, { "@timestamp": "2020-02-13T14:14:22.000Z", - "agent.type": "falcon", - "message": "detection_update", - "source.ip": "192.168.6.8", - "input.type": "log", - "event.dataset": "crowdstrike.falcon_audit", - "event.kind": "event", - "event.action": "user_activity_audit_event", - "event.type": ["change"], - "event.outcome": "unknown", - "event.category": ["iam"], - "event.module": "crowdstrike", - "fileset.name": "falcon", - 
"crowdstrike.metadata.eventCreationTime": 1581603262000, - "crowdstrike.metadata.version": "1.0", - "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.offset": 10, - "crowdstrike.metadata.eventType": "UserActivityAuditEvent", - "crowdstrike.event.UTCTimestamp": 1581603262, - "crowdstrike.event.UserId": "alice@company.com", - "crowdstrike.event.UserIp": "192.168.6.8", - "crowdstrike.event.OperationName": "detection_update", - "crowdstrike.event.ServiceName": "detections", "crowdstrike.event.AuditKeyValues": [ { "Key": "detection_id", @@ -485,13 +517,40 @@ "ValueString": "first.last@company.com" } ], - "log.offset": 7128, - "log.file.path": "falcon-events.log", + "crowdstrike.event.OperationName": "detection_update", + "crowdstrike.event.ServiceName": "detections", + "crowdstrike.event.UTCTimestamp": 1581603262, + "crowdstrike.event.UserId": "alice@company.com", + "crowdstrike.event.UserIp": "192.168.6.8", + "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", + "crowdstrike.metadata.eventCreationTime": 1581603262000, + "crowdstrike.metadata.eventType": "UserActivityAuditEvent", + "crowdstrike.metadata.offset": 10, + "crowdstrike.metadata.version": "1.0", + "event.action": "user_activity_audit_event", + "event.category": [ + "iam" + ], + "event.dataset": "crowdstrike.falcon_audit", + "event.kind": "event", + "event.module": "crowdstrike", + "event.outcome": "unknown", + "event.type": [ + "change" + ], + "fileset.name": "falcon", + "input.type": "log", "log.flags": [ "multiline" ], + "log.offset": 7128, + "message": "detection_update", "service.type": "crowdstrike", - "user.name": "alice@company.com", - "user.email": "alice@company.com" + "source.ip": "192.168.6.8", + "tags": [ + "forwarded" + ], + "user.email": "alice@company.com", + "user.name": "alice@company.com" } -] +] \ No newline at end of file 
diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json
index fddd89e4fea..e4f8a56d58c 100644
--- a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json
+++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json
@@ -1,113 +1,125 @@ [ { "@timestamp": "2020-02-19T08:30:00.000Z", - "process.pid": 38684386611, - "process.name": "explorer.exe", - "process.command_line": "C:\\Windows\\Explorer.EXE", - "process.executable": "C:\\Windows\\Explorer.EXE", - "process.args": ["C:\\Windows\\Explorer.EXE"], - "event.dataset": "crowdstrike.falcon_endpoint", - "event.kind": "alert", - "event.action": "Prevention, process killed.", - "event.type": ["info"], - "event.category": ["malware"], - "event.severity": 4, - "event.module": "crowdstrike", - "event.url": "https://falcon.crowdstrike.com/ec86abd353824e96765ecbe18eb4f0b4", - "event.outcome": "unknown", - "service.type": "crowdstrike", - "user.name": "alice", - "user.domain": "CORP-DOMAIN", - "rule.description": "Terminated a process related to the deletion of backups, which is often indicative of ransomware activity.", - "rule.name": "Process Terminated", - "log.flags": [ - "multiline" - ], - "log.offset": 0, - "log.file.path": "falcon-events.log", - "source.ip": "192.168.12.51", - "agent.type": "falcon", - "host.name": "alice-laptop", - "message": "Terminated a process related to the deletion of backups, which is often indicative of ransomware activity.", - "fileset.name": "falcon", - "input.type": "log", - "file.hash.md5": "ac4c51eb24aa95b77f705ab159189e24", - "file.hash.sha256": "6a671b92a69755de6fd063fcbe4ba926d83b49f78c42dbaeed8cdb6bbc57576a", - "threat.tactic.name": "malware", - "threat.technique.name": "ransomware", - "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.offset": 294564, - "crowdstrike.metadata.eventType": "DetectionSummaryEvent", - "crowdstrike.metadata.eventCreationTime": 1582101000000, - "crowdstrike.metadata.version": "1.0", - "crowdstrike.event.ParentProcessId": 38682494050, - "crowdstrike.event.SHA256String": "6a671b92a69755de6fd063fcbe4ba926d83b49f78c42dbaeed8cdb6bbc57576a", - "crowdstrike.event.SensorId": "7c808b4c8878433287eea53d4a8c3268", - 
"crowdstrike.event.LocalIP": "192.168.12.51", - "crowdstrike.event.FalconHostLink": "https://falcon.crowdstrike.com/ec86abd353824e96765ecbe18eb4f0b4", - "crowdstrike.event.Tactic": "Malware", - "crowdstrike.event.ProcessEndTime": 0, - "crowdstrike.event.Severity": 4, "crowdstrike.event.CommandLine": "C:\\Windows\\Explorer.EXE", - "crowdstrike.event.Technique": "Ransomware", - "crowdstrike.event.Objective": "Falcon Detection Method", - "crowdstrike.event.ProcessId": 38684386611, + "crowdstrike.event.ComputerName": "alice-laptop", "crowdstrike.event.DetectDescription": "Terminated a process related to the deletion of backups, which is often indicative of ransomware activity.", + "crowdstrike.event.DetectId": "ldt:ec86abd353824e96765ecbe18eb4f0b4:38655257584", + "crowdstrike.event.DetectName": "Process Terminated", + "crowdstrike.event.FalconHostLink": "https://falcon.crowdstrike.com/ec86abd353824e96765ecbe18eb4f0b4", + "crowdstrike.event.FileName": "explorer.exe", + "crowdstrike.event.FilePath": "\\Device\\HarddiskVolume1\\Windows", + "crowdstrike.event.LocalIP": "192.168.12.51", + "crowdstrike.event.MACAddress": "00-00-00-11-22-33", + "crowdstrike.event.MD5String": "ac4c51eb24aa95b77f705ab159189e24", + "crowdstrike.event.MachineDomain": "CORP-DOMAIN", + "crowdstrike.event.Objective": "Falcon Detection Method", + "crowdstrike.event.ParentProcessId": 38682494050, "crowdstrike.event.PatternDispositionDescription": "Prevention, process killed.", - "crowdstrike.event.PatternDispositionFlags.Indicator": false, "crowdstrike.event.PatternDispositionFlags.Detect": false, + "crowdstrike.event.PatternDispositionFlags.InddetMask": false, + "crowdstrike.event.PatternDispositionFlags.Indicator": false, + "crowdstrike.event.PatternDispositionFlags.KillParent": false, "crowdstrike.event.PatternDispositionFlags.KillProcess": true, "crowdstrike.event.PatternDispositionFlags.KillSubProcess": false, - "crowdstrike.event.PatternDispositionFlags.KillParent": false, 
"crowdstrike.event.PatternDispositionFlags.OperationBlocked": false, + "crowdstrike.event.PatternDispositionFlags.PolicyDisabled": false, "crowdstrike.event.PatternDispositionFlags.ProcessBlocked": false, - "crowdstrike.event.PatternDispositionFlags.InddetMask": false, - "crowdstrike.event.PatternDispositionFlags.SensorOnly": false, - "crowdstrike.event.PatternDispositionFlags.Rooting": false, - "crowdstrike.event.PatternDispositionFlags.QuarantineMachine": false, "crowdstrike.event.PatternDispositionFlags.QuarantineFile": false, - "crowdstrike.event.PatternDispositionFlags.PolicyDisabled": false, - "crowdstrike.event.FileName": "explorer.exe", - "crowdstrike.event.MachineDomain": "CORP-DOMAIN", + "crowdstrike.event.PatternDispositionFlags.QuarantineMachine": false, + "crowdstrike.event.PatternDispositionFlags.Rooting": false, + "crowdstrike.event.PatternDispositionFlags.SensorOnly": false, "crowdstrike.event.PatternDispositionValue": 16, - "crowdstrike.event.ComputerName": "alice-laptop", - "crowdstrike.event.UserName": "alice", - "crowdstrike.event.MD5String": "ac4c51eb24aa95b77f705ab159189e24", - "crowdstrike.event.DetectId": "ldt:ec86abd353824e96765ecbe18eb4f0b4:38655257584", - "crowdstrike.event.MACAddress": "00-00-00-11-22-33", + "crowdstrike.event.ProcessEndTime": 0, + "crowdstrike.event.ProcessId": 38684386611, "crowdstrike.event.ProcessStartTime": 1536846339, - "crowdstrike.event.DetectName": "Process Terminated", + "crowdstrike.event.SHA256String": "6a671b92a69755de6fd063fcbe4ba926d83b49f78c42dbaeed8cdb6bbc57576a", + "crowdstrike.event.SensorId": "7c808b4c8878433287eea53d4a8c3268", + "crowdstrike.event.Severity": 4, "crowdstrike.event.SeverityName": "High", - "crowdstrike.event.FilePath": "\\Device\\HarddiskVolume1\\Windows" - }, - { - "@timestamp": "2020-03-04T04:17:56.766Z", - "log.offset": 2063, - "log.file.path": "falcon-events.log", - "log.flags": [ - "multiline" + "crowdstrike.event.Tactic": "Malware", + "crowdstrike.event.Technique": "Ransomware", 
+ "crowdstrike.event.UserName": "alice", + "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", + "crowdstrike.metadata.eventCreationTime": 1582101000000, + "crowdstrike.metadata.eventType": "DetectionSummaryEvent", + "crowdstrike.metadata.offset": 294564, + "crowdstrike.metadata.version": "1.0", + "event.action": "Prevention, process killed.", + "event.category": [ + "malware" ], - "event.module": "crowdstrike", "event.dataset": "crowdstrike.falcon_endpoint", "event.kind": "alert", - "event.type": ["info"], - "event.category": ["malware"], - "event.action": "incident", - "event.url": "https://falcon.crowdstrike.com/crowdscore/incidents/details/inc:8f69fe9e-b995-4204-95ad-44f9bcf75b6b", + "event.module": "crowdstrike", "event.outcome": "unknown", + "event.severity": 4, + "event.type": [ + "info" + ], + "event.url": "https://falcon.crowdstrike.com/ec86abd353824e96765ecbe18eb4f0b4", + "file.hash.md5": "ac4c51eb24aa95b77f705ab159189e24", + "file.hash.sha256": "6a671b92a69755de6fd063fcbe4ba926d83b49f78c42dbaeed8cdb6bbc57576a", + "fileset.name": "falcon", "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 0, + "message": "Terminated a process related to the deletion of backups, which is often indicative of ransomware activity.", + "process.args": [ + "C:\\Windows\\Explorer.EXE" + ], + "process.command_line": "C:\\Windows\\Explorer.EXE", + "process.executable": "C:\\Windows\\Explorer.EXE", + "process.name": "explorer.exe", + "process.pid": 38684386611, + "rule.description": "Terminated a process related to the deletion of backups, which is often indicative of ransomware activity.", + "rule.name": "Process Terminated", + "service.type": "crowdstrike", + "source.ip": "192.168.12.51", + "tags": [ + "forwarded" + ], + "threat.tactic.name": "malware", + "threat.technique.name": "ransomware", + "user.domain": "CORP-DOMAIN", + "user.name": "alice" + }, + { + "@timestamp": "2020-03-04T04:17:56.766Z", + 
"crowdstrike.event.FalconHostLink": "https://falcon.crowdstrike.com/crowdscore/incidents/details/inc:8f69fe9e-b995-4204-95ad-44f9bcf75b6b", + "crowdstrike.event.FineScore": 1.2, + "crowdstrike.event.IncidentEndTime": 1583295470, + "crowdstrike.event.IncidentStartTime": 1583295228, + "crowdstrike.event.State": "open", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.offset": 1824, - "crowdstrike.metadata.eventType": "IncidentSummaryEvent", "crowdstrike.metadata.eventCreationTime": 1583295476766, + "crowdstrike.metadata.eventType": "IncidentSummaryEvent", + "crowdstrike.metadata.offset": 1824, "crowdstrike.metadata.version": "1.0", - "crowdstrike.event.IncidentStartTime": 1583295228, - "crowdstrike.event.IncidentEndTime": 1583295470, - "crowdstrike.event.FalconHostLink": "https://falcon.crowdstrike.com/crowdscore/incidents/details/inc:8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.event.State": "open", - "crowdstrike.event.FineScore": 1.2, - "message": "Incident score 1.2", + "event.action": "incident", + "event.category": [ + "malware" + ], + "event.dataset": "crowdstrike.falcon_endpoint", + "event.kind": "alert", + "event.module": "crowdstrike", + "event.outcome": "unknown", + "event.type": [ + "info" + ], + "event.url": "https://falcon.crowdstrike.com/crowdscore/incidents/details/inc:8f69fe9e-b995-4204-95ad-44f9bcf75b6b", "fileset.name": "falcon", - "service.type": "crowdstrike" + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 2063, + "message": "Incident score 1.2", + "service.type": "crowdstrike", + "tags": [ + "forwarded" + ] } -] +] \ No newline at end of file
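Review bot: The regenerated DetectionSummaryEvent expectation drops `"host.name": "alice-laptop"` entirely, while the new side still carries `"crowdstrike.event.ComputerName": "alice-laptop"`; the endpoint name reported inside a CrowdStrike alert is the host an analyst needs for triage, and the `forwarded` tag should only suppress the Filebeat collector's own `host.*` metadata, not the mapping of the event's ComputerName into ECS. The removal of `log.file.path` and `agent.type` alongside it suggests the test harness may strip these keys before comparison rather than the pipeline no longer populating them, but that is inferred, not visible here. It is worth confirming that `host.name` is still set from `ComputerName` when the `forwarded` tag is present, and pinning that in the fixture if the harness does not strip it. The same pattern applies to the IncidentSummaryEvent object at the end of this hunk, which has no host identity at all; this fixture is also written without a trailing newline, which version-control tooling flags on every regeneration.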