
Crowdstrike Filebeat Module: Parsing Issues #20035

Closed
vi-or-die opened this issue Jul 17, 2020 · 1 comment · Fixed by #20138
Comments

vi-or-die commented Jul 17, 2020

The CrowdStrike Filebeat (version 7.8) module appears to have two issues.

  • Null / non-existent values in the event.UserIP field cause parse errors during ingest.
  • Parsing of UTCTimestamp to crowdstrike.event.UTCTimestamp (ECS format) appears to be incorrect for eventType=="UserActivityAuditEvent"; the timestamp is in UNIX format, not UNIX_MS.

Empty Source IP field

At line 22 in /usr/share/filebeat/module/crowdstrike/falcon/config/pipeline.js add

    if (evt.Get("crowdstrike.metadata.eventType") == "UserActivityAuditEvent") {
        evt.Delete("crowdstrike.event.UserIp");
    }

UTCTimestamp Conversion

At line 51 in /usr/share/filebeat/module/crowdstrike/falcon/config/pipeline.js add the following function

    var parseUTCTimestamp = new processor.Timestamp({
        field: "crowdstrike.event.UTCTimestamp",
        target_field: "crowdstrike.event.UTCTimestamp",
        timezone: "UTC",
        layouts: ["UNIX"],
        ignore_missing: true,
    });

Add the following to the pipeline processor chain

	.Add(parseUTCTimestamp)
@elasticmachine (Collaborator)

Pinging @elastic/siem (Team:SIEM)
