From 370cc579703271f3f9a8f99d61960d4f19332fb6 Mon Sep 17 00:00:00 2001
From: Sai Kiran <85323324+r00tu53r@users.noreply.github.com>
Date: Wed, 6 Oct 2021 19:08:58 -0700
Subject: [PATCH] Resolved timestamp for defender atp (#28272)
* Resolved timestamp for defender atp
* Update Changelog for 28272
(cherry picked from commit 0786f893af7bdbe41c19042628c124447336a768)
---
 CHANGELOG.next.asciidoc | 2 ++
 filebeat/tests/system/test_modules.py | 1 -
 .../module/microsoft/defender_atp/ingest/pipeline.yml | 9 +++++----
 .../test/defender_atp-test.json.log-expected.json | 4 ++++
 4 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index a1d09029c5e..da9a2679ff3 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -170,6 +170,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Improve Cisco ASA/FTD parsing of messages - better support for identity FW messages. Change network.bytes, source.bytes, and destination.bytes to long from integer since value can exceed integer capacity. Add descriptions for various processors for easier pipeline editing in Kibana UI. {pull}23766[23766]
 - Update Sophos xg module pipeline to deal with missing `date` and `time` fields. {pull}27834[27834]
 - sophos/xg fileset: Add missing pipeline for System Health logs. {pull}27827[27827] {issue}27826[27826]
+- Resolve issue with @timestamp for defender_atp. {pull}28272[28272]
+- Tolerate faults when Windows Event Log session is interrupted {issue}27947[27947] {pull}28191[28191]
 *Heartbeat*
diff --git a/filebeat/tests/system/test_modules.py b/filebeat/tests/system/test_modules.py
index b2e6c03b1c5..8ca2adb4f1b 100644
--- a/filebeat/tests/system/test_modules.py
+++ b/filebeat/tests/system/test_modules.py
@@ -269,7 +269,6 @@ def clean_keys(obj):
 "symantec.endpointprotection",
 "system.auth",
 "system.syslog",
- "microsoft.defender_atp",
 "crowdstrike.falcon_endpoint",
 "crowdstrike.falcon_audit",
 "gsuite.admin",
diff --git a/x-pack/filebeat/module/microsoft/defender_atp/ingest/pipeline.yml b/x-pack/filebeat/module/microsoft/defender_atp/ingest/pipeline.yml
index aa8e3f97692..7a1d11e8af1 100644
--- a/x-pack/filebeat/module/microsoft/defender_atp/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/microsoft/defender_atp/ingest/pipeline.yml
@@ -45,10 +45,11 @@ processors:
 - set:
 field: cloud.provider
 value: azure
-- set:
- field: '@timestamp'
- value: '{{json.alertUpdateTime}}'
- if: ctx.json?.alertUpdateTime != null
+- date:
+ field: json.lastUpdateTime
+ formats:
+ - ISO8601
+ if: ctx.json?.lastUpdateTime != null
 - rename:
 field: json.aadTenantId
 target_field: cloud.account.id
diff --git a/x-pack/filebeat/module/microsoft/defender_atp/test/defender_atp-test.json.log-expected.json b/x-pack/filebeat/module/microsoft/defender_atp/test/defender_atp-test.json.log-expected.json
index 81593221228..df3441fb8b9 100644
--- a/x-pack/filebeat/module/microsoft/defender_atp/test/defender_atp-test.json.log-expected.json
+++ b/x-pack/filebeat/module/microsoft/defender_atp/test/defender_atp-test.json.log-expected.json
@@ -1,5 +1,6 @@
 [
 {
+ "@timestamp": "2020-07-03T15:15:39.130Z",
 "cloud.account.id": "123543-d66c-4c7e-9e30-40034eb7c6f3",
 "cloud.instance.id": "c5a964f417c11f6277d5bf9489f0d",
 "cloud.provider": "azure",
@@ -53,6 +54,7 @@
 "threat.technique.name": "Malware"
 },
 {
+ "@timestamp": "2020-06-30T15:29:44.773Z",
 "cloud.account.id": "123543-d66c-4c7e-9e30-40034eb7c6f3",
 "cloud.instance.id": "543bc5a964f417c11f6277d5bf9489f0d",
 "cloud.provider": "azure",
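Review bot: The new `date` processor in the pipeline.yml hunk has no `on_failure`, so a `json.lastUpdateTime` that is present but not parseable as ISO8601 rejects the whole document instead of merely leaving `@timestamp` at ingest time; unless the pipeline declares a top-level `on_failure` outside this hunk, add one on the processor, e.g. `on_failure: [{append: {field: error.message, value: '{{{ _ingest.on_failure_message }}}'}}]`. Note also that `@timestamp` now tracks the alert's last update rather than its creation, so a later status or assignment change re-dates the same alert when it is ingested again; the Defender alert payload also carries `alertCreationTime`, so the choice deserves a `description: "Use the alert's last update time as @timestamp."` on the processor so analysts know which time they are looking at. The surrounding `processors:` list continues outside the hunk on both sides.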
@@ -123,6 +125,7 @@
 "user.name": "administrator1"
 },
 {
+ "@timestamp": "2020-06-30T15:29:44.773Z",
 "cloud.account.id": "43521344-d66c-4c7e-9e30-40034eb7c6f3",
 "cloud.instance.id": "53425a964f417c11f6277d5bf9489f0d",
 "cloud.provider": "azure",
@@ -184,6 +187,7 @@
 "user.name": "administrator1"
 },
 {
+ "@timestamp": "2020-06-30T11:13:12.900Z",
 "cloud.account.id": "1234543-d66c-4c7e-9e30-40034eb7c6f3",
 "cloud.instance.id": "t4563234bc5a964f417c11f6277d5bf9489f0d",
 "cloud.provider": "azure",