[Winlogbeat] Add IP validation to Security module #21325
Pinging @elastic/siem (Team:SIEM)
For event 4778 (A session was reconnected to a Window Station) the `winlog.event_data.ClientAddress` could be "LOCAL" which is obviously not a valid IP so we don't want to copy it into `source.ip` in that case. Fixes elastic#19627
💔 Build Failed
LGTM
run tests
* upstream/master:
  feat: prepare release pipelines (elastic#21238)
  Add IP validation to Security module (elastic#21325)
  Fixes for new 7.10 rsa2elk datasets (elastic#21240)
  o365input: Restart after fatal error (elastic#21258)
  Fix panic in cgroups monitoring (elastic#21355)
  Handle multiple upstreams in ingress-controller (elastic#21215)
  [CI] Fix runbld when workspace does not exist (elastic#21350)
  [Filebeat] Fix checkpoint (elastic#21344)
  [CI] Archive build reasons (elastic#21347)
  Add dashboard for pubsub metricset in googlecloud module (elastic#21326)
  [Elastic Agent] Allow embedding of certificate (elastic#21179)
  Adds a default for failure_cache.min_ttl (elastic#21085)
  [libbeat] Disk queue implementation (elastic#21176)
…ci-build-label-support
* upstream/master:
  [JJBB] Set shallow cloning to 10 (elastic#21409)
  docs: add link to release notes for 7.9.2 (elastic#21405) (elastic#21419)
  docs: Prepare Changelog for 7.9.2 (elastic#21229) (elastic#21403)
  fix: mark flaky tests (elastic#21300)
  fix: use a fixed version of setuptools (elastic#21393)
  Move Kubernetes events metricset to its own block in reference config (elastic#21407)
  [libbeat] Enable WriteAheadLimit in the disk queue (elastic#21391)
  docs: fix apt/yum formatting (elastic#21362)
  Fix shutdown tracking in s3 input (elastic#21380)
  [libbeat] Fix position writing in the disk queue
  Add UBI 8 image to the dependencies report (elastic#21374)
  Fix debug message to show actual SQS message ID (elastic#20614)
  [Elastic Agent] Rename *ConfigChange to PolicyChange (elastic#20779)
  [Elastic Agent] Add install/uninstall sub-command (elastic#21206)
  [Filebeat][httpjson] Make httpjson use cursor input when using date cursor (elastic#20751)
  feat: prepare release pipelines (elastic#21238)
  Add IP validation to Security module (elastic#21325)
What version of Winlogbeat should we expect to see this fix applied to? We are currently running 7.10.1 and still seeing this issue.
For event 4778 (A session was reconnected to a Window Station) the `winlog.event_data.ClientAddress` could be "LOCAL" which is obviously not a valid IP so we don't want to copy it into `source.ip` in that case. Fixes elastic#19627 (cherry picked from commit 8c992c5)
@MakoWish Sorry I missed a backport for this. The PRs to add this to 7.11 and future 7.x releases are open.
What does this PR do?
For event 4778 (A session was reconnected to a Window Station) the `winlog.event_data.ClientAddress` could be "LOCAL", which is obviously not a valid IP, so we don't want to copy it into `source.ip` in that case.
Why is it important?
This bug can cause mapping exceptions.
Checklist
- CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc
Related issues
Fixes elastic#19627