Resolved timestamp for defender atp (#28272)

* Resolved timestamp for defender atp * Update Changelog for 28272 (cherry picked from commit 0786f89)
elastic · Oct 7, 2021 · 370cc57 · 370cc57
1 parent f7e2366
commit 370cc57
Show file tree

Hide file tree

Showing 4 changed files with 11 additions and 5 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -170,6 +170,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Improve Cisco ASA/FTD parsing of messages - better support for identity FW messages. Change network.bytes, source.bytes, and destination.bytes to long from integer since value can exceed integer capacity. Add descriptions for various processors for easier pipeline editing in Kibana UI. {pull}23766[23766]
 - Update Sophos xg module pipeline to deal with missing `date` and `time` fields. {pull}27834[27834]
 - sophos/xg fileset: Add missing pipeline for System Health logs. {pull}27827[27827] {issue}27826[27826]
+- Resolve issue with @timestamp for defender_atp. {pull}28272[28272]
+- Tolerate faults when Windows Event Log session is interrupted {issue}27947[27947] {pull}28191[28191]
 
 *Heartbeat*
 

diff --git a/filebeat/tests/system/test_modules.py b/filebeat/tests/system/test_modules.py
@@ -269,7 +269,6 @@ def clean_keys(obj):
  "symantec.endpointprotection",
  "system.auth",
  "system.syslog",
- "microsoft.defender_atp",
  "crowdstrike.falcon_endpoint",
  "crowdstrike.falcon_audit",
  "gsuite.admin",

diff --git a/x-pack/filebeat/module/microsoft/defender_atp/ingest/pipeline.yml b/x-pack/filebeat/module/microsoft/defender_atp/ingest/pipeline.yml
@@ -45,10 +45,11 @@ processors:
 - set:
  field: cloud.provider
  value: azure
-- set:
- field: '@timestamp'
- value: '{{json.alertUpdateTime}}'
- if: ctx.json?.alertUpdateTime != null
+- date:
+ field: json.lastUpdateTime
+ formats:
+ - ISO8601
+ if: ctx.json?.lastUpdateTime != null
 - rename:
  field: json.aadTenantId
  target_field: cloud.account.id

diff --git a/x-pack/filebeat/module/microsoft/defender_atp/test/defender_atp-test.json.log-expected.json b/x-pack/filebeat/module/microsoft/defender_atp/test/defender_atp-test.json.log-expected.json
@@ -1,5 +1,6 @@
 [
  {
+ "@timestamp": "2020-07-03T15:15:39.130Z",
  "cloud.account.id": "123543-d66c-4c7e-9e30-40034eb7c6f3",
  "cloud.instance.id": "c5a964f417c11f6277d5bf9489f0d",
  "cloud.provider": "azure",
@@ -53,6 +54,7 @@
  "threat.technique.name": "Malware"
  },
  {
+ "@timestamp": "2020-06-30T15:29:44.773Z",
  "cloud.account.id": "123543-d66c-4c7e-9e30-40034eb7c6f3",
  "cloud.instance.id": "543bc5a964f417c11f6277d5bf9489f0d",
  "cloud.provider": "azure",
@@ -123,6 +125,7 @@
  "user.name": "administrator1"
  },
  {
+ "@timestamp": "2020-06-30T15:29:44.773Z",
  "cloud.account.id": "43521344-d66c-4c7e-9e30-40034eb7c6f3",
  "cloud.instance.id": "53425a964f417c11f6277d5bf9489f0d",
  "cloud.provider": "azure",
@@ -184,6 +187,7 @@
  "user.name": "administrator1"
  },
  {
+ "@timestamp": "2020-06-30T11:13:12.900Z",
  "cloud.account.id": "1234543-d66c-4c7e-9e30-40034eb7c6f3",
  "cloud.instance.id": "t4563234bc5a964f417c11f6277d5bf9489f0d",
  "cloud.provider": "azure",