From 09367ace63c907a5a9e2fbc3008bab712090dfcd Mon Sep 17 00:00:00 2001
From: Anabella Cristaldi <33020901+janniten@users.noreply.github.com>
Date: Wed, 5 May 2021 02:28:32 +0200
Subject: [PATCH] Fix related.ip field (#24892)
- [Winlogbeat] fix related.ip field in renameCommonAuthFields function
Co-authored-by: Lee E. Hinman
(cherry picked from commit d0887fd12a462d4a35a8c9b11aac8b6e8e71b463)
---
 CHANGELOG.next.asciidoc | 1 +
 .../module/security/config/winlogbeat-security.js | 14 ++++++++++++--
 .../security-windows2012_4768.evtx.golden.json | 1 +
 .../security-windows2012_4769.evtx.golden.json | 1 +
 .../security-windows2012_4770.evtx.golden.json | 1 +
 .../security-windows2012r2-logon.evtx.golden.json | 3 +++
 6 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 9333cf10e2b..fdce22249cf 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -350,6 +350,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 *Winlogbeat*
 - Change `event.code` and `winlog.event_id` from int to keyword. {pull}25176[25176]
+- Fix related.ip field in renameCommonAuthFields {pull}24892[24892]
 *Functionbeat*
diff --git a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js
index e624a819beb..181e2612b46 100644
--- a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js
+++ b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js
@@ -1850,7 +1850,6 @@ var security = (function () {
 {from: "winlog.event_data.AccountName", to: "user.name"},
 {from: "winlog.event_data.AccountDomain", to: "user.domain"},
 {from: "winlog.event_data.ClientAddress", to: "source.ip", type: "ip"},
- {from: "winlog.event_data.ClientAddress", to: "related.ip", type: "ip"},
 {from: "winlog.event_data.ClientName", to: "source.domain"},
 {from: "winlog.event_data.LogonID", to: "winlog.logon.id"},
 ],
@@ -1861,6 +1860,12 @@ var security = (function () {
 var user = evt.Get("winlog.event_data.AccountName");
 evt.AppendTo('related.user', user);
 })
+ .Add(function(evt) {
+ var ip = evt.Get("source.ip");
+ if (ip) {
+ evt.Put('related.ip', ip);
+ }
+ })
 .Build();
 var addServiceFields = new processor.Chain()
@@ -2028,7 +2033,6 @@ var security = (function () {
 {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"},
 {from: "winlog.event_data.ProcessName", to: "process.executable"},
 {from: "winlog.event_data.IpAddress", to: "source.ip", type: "ip"},
- {from: "winlog.event_data.ClientAddress", to: "related.ip", type: "ip"},
 {from: "winlog.event_data.IpPort", to: "source.port", type: "long"},
 {from: "winlog.event_data.WorkstationName", to: "source.domain"},
 ],
@@ -2047,6 +2051,12 @@ var security = (function () {
 }
 evt.Put("process.name", path.basename(exe));
 })
+ .Add(function(evt) {
+ var ip = evt.Get("source.ip");
+ if (ip) {
+ evt.Put('related.ip', ip);
+ }
+ })
 .Build();
 var renameNewProcessFields = new processor.Chain()
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4768.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4768.evtx.golden.json
index e2c20d00775..819570bff67 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4768.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4768.evtx.golden.json
@@ -22,6 +22,7 @@
 "level": "information"
 },
 "related": {
+ "ip": "::1",
 "user": "at_adm"
 },
 "source": {
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4769.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4769.evtx.golden.json
index d9035b80116..064cbd79ae3 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4769.evtx.golden.json
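Review bot: The new `.Add` closure writes `related.ip` with `evt.Put`, while the step just above it in the same chain builds `related.user` with `evt.AppendTo`; `Put` stores a single scalar and silently overwrites any `related.ip` already present on the event, so if another processor later contributes a second address it would replace the first instead of joining it. Using `evt.AppendTo('related.ip', ip);` keeps the field's multi-value shape consistent with `related.user`, which the logon golden file shows as an array when more than one value is collected. The same closure is repeated verbatim in the `@@ -2047,6 +2051,12 @@` hunk and should get the same change; hoisting it into one named function in the module would keep the two chains from drifting apart. Both enclosing processor chains are declared before their hunks, so their names are not visible here, though the commit message identifies the first as `renameCommonAuthFields`.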
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4769.evtx.golden.json
@@ -22,6 +22,7 @@
 "level": "information"
 },
 "related": {
+ "ip": "::1",
 "user": "at_adm"
 },
 "source": {
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4770.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4770.evtx.golden.json
index c5d65a65deb..49db848f27a 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4770.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4770.evtx.golden.json
@@ -22,6 +22,7 @@
 "level": "information"
 },
 "related": {
+ "ip": "::1",
 "user": "DC_TEST2K12$"
 },
 "source": {
diff --git a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.evtx.golden.json b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.evtx.golden.json
index 745498c40d1..cc4d8079f0b 100644
--- a/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.evtx.golden.json
+++ b/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.evtx.golden.json
@@ -195,6 +195,7 @@
 "pid": 448
 },
 "related": {
+ "ip": "127.0.0.1",
 "user": [
 "vagrant",
 "VAGRANT-2012-R2$"
@@ -858,6 +859,7 @@
 "pid": 2812
 },
 "related": {
+ "ip": "10.0.2.2",
 "user": [
 "vagrant",
 "VAGRANT-2012-R2$"
@@ -1449,6 +1451,7 @@
 "pid": 836
 },
 "related": {
+ "ip": "::1",
 "user": "bosch"
 },
 "source": {