Fix related.ip field (#24892)

- [Winlogbeat] fix related.ip field in renameCommonAuthFields function Co-authored-by: Lee E. Hinman <[email protected]> (cherry picked from commit d0887fd)
elastic · May 5, 2021 · 09367ac · 09367ac
1 parent dbb35e9
commit 09367ac
Show file tree

Hide file tree

Showing 6 changed files with 19 additions and 2 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -350,6 +350,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 *Winlogbeat*
 
 - Change `event.code` and `winlog.event_id` from int to keyword. {pull}25176[25176]
+- Fix related.ip field in renameCommonAuthFields {pull}24892[24892]
 
 *Functionbeat*
 

diff --git a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js
@@ -1850,7 +1850,6 @@ var security = (function () {
                 {from: "winlog.event_data.AccountName", to: "user.name"},
                 {from: "winlog.event_data.AccountDomain", to: "user.domain"},
                 {from: "winlog.event_data.ClientAddress", to: "source.ip", type: "ip"},
-                {from: "winlog.event_data.ClientAddress", to: "related.ip", type: "ip"},
                 {from: "winlog.event_data.ClientName", to: "source.domain"},
                 {from: "winlog.event_data.LogonID", to: "winlog.logon.id"},
             ],
@@ -1861,6 +1860,12 @@ var security = (function () {
             var user = evt.Get("winlog.event_data.AccountName");
             evt.AppendTo('related.user', user);
         })
+        .Add(function(evt) {
+            var ip = evt.Get("source.ip");
+            if (ip) {
+                evt.Put('related.ip', ip);
+            }
+        })
         .Build();
 
     var addServiceFields = new processor.Chain()
@@ -2028,7 +2033,6 @@ var security = (function () {
                 {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"},
                 {from: "winlog.event_data.ProcessName", to: "process.executable"},
                 {from: "winlog.event_data.IpAddress", to: "source.ip", type: "ip"},
-                {from: "winlog.event_data.ClientAddress", to: "related.ip", type: "ip"},
                 {from: "winlog.event_data.IpPort", to: "source.port", type: "long"},
                 {from: "winlog.event_data.WorkstationName", to: "source.domain"},
             ],
@@ -2047,6 +2051,12 @@ var security = (function () {
             }
             evt.Put("process.name", path.basename(exe));
         })
+        .Add(function(evt) {
+            var ip = evt.Get("source.ip");
+            if (ip) {
+                evt.Put('related.ip', ip);
+            }
+        })
         .Build();
 
     var renameNewProcessFields = new processor.Chain()

diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4768.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4768.evtx.golden.json
@@ -22,6 +22,7 @@
       "level": "information"
     },
     "related": {
+      "ip": "::1",
       "user": "at_adm"
     },
     "source": {

diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4769.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4769.evtx.golden.json
@@ -22,6 +22,7 @@
       "level": "information"
     },
     "related": {
+      "ip": "::1",
       "user": "at_adm"
     },
     "source": {

diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4770.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4770.evtx.golden.json
@@ -22,6 +22,7 @@
       "level": "information"
     },
     "related": {
+      "ip": "::1",
       "user": "DC_TEST2K12$"
     },
     "source": {

diff --git a/...ck/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.evtx.golden.json b/...ck/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.evtx.golden.json
@@ -195,6 +195,7 @@
       "pid": 448
     },
     "related": {
+      "ip": "127.0.0.1",
       "user": [
         "vagrant",
         "VAGRANT-2012-R2$"
@@ -858,6 +859,7 @@
       "pid": 2812
     },
     "related": {
+      "ip": "10.0.2.2",
       "user": [
         "vagrant",
         "VAGRANT-2012-R2$"
@@ -1449,6 +1451,7 @@
       "pid": 836
     },
     "related": {
+      "ip": "::1",
       "user": "bosch"
     },
     "source": {