Validate Source IP "LOCAL" or "Unknown" in Windows Security Logs (#34295
) (#34309)

Test cases mechanically derived from user-provided scrubbed XML event data.

Co-authored-by: Dan Kortschak <[email protected]>
(cherry picked from commit 4a1e56f)

Co-authored-by: Eric <[email protected]>
mergify[bot] and MakoWish authored Jan 19, 2023
1 parent 41d17fd commit 837d967
Showing 6 changed files with 1,155 additions and 1 deletion.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -28,6 +28,7 @@ https://github.com/elastic/beats/compare/v8.2.0\...main[Check the HEAD diff]

*Winlogbeat*

- Corrects issue with security events with source IP of "LOCAL" or "Unknown" failing to ingest

*Functionbeat*

7 changes: 6 additions & 1 deletion x-pack/winlogbeat/module/security/ingest/security.yml
Expand Up @@ -2349,7 +2349,12 @@ processors:
//ClientAddress to source.ip and related.ip
if (ctx?.winlog?.event_data?.ClientAddress != null &&
ctx.winlog.event_data.ClientAddress != "-") {
ctx.winlog.event_data.ClientAddress != "-" &&
ctx.winlog.event_data.ClientAddress != "Unknown") {
// Correct invalid IP address "LOCAL"
if (ctx?.winlog?.event_data?.ClientAddress == "LOCAL") {
ctx.winlog.event_data.ClientAddress="127.0.0.1";
}
if (ctx?.source == null) {
HashMap hm = new HashMap();
ctx.put("source", hm);
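Review bot: The `LOCAL` rewrite on the new lines overwrites the raw `winlog.event_data.ClientAddress` value itself, not just the derived `source.*` fields, so the stored event loses the `LOCAL` marker and gains `127.0.0.1`, an address the original event never contained; a detection keyed on `source.ip` would then see a loopback connection where the fixture in this same commit pairs `LOCAL` with `"SessionName": "Console"`. Handling `LOCAL` the way the same condition already handles `"-"` and `"Unknown"` keeps the raw event intact: add `ctx.winlog.event_data.ClientAddress != "LOCAL" &&` to the outer condition and drop the four-line rewrite, or, if a synthesized loopback is really wanted, assign it only to the `source`/`related` fields and leave `event_data` untouched. The inner `ctx?.winlog?.event_data?.ClientAddress == "LOCAL"` is also redundant in null-safe form because the outer condition has already proven the path non-null; `ctx.winlog.event_data.ClientAddress == "LOCAL"` reads as intended. The enclosing `if` block continues past the hunk, so I cannot see from here where `source.ip` and `related.ip` are actually set from the rewritten field.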
@@ -0,0 +1,212 @@
[
{
"event": {
"code": "4778",
"kind": "event",
"outcome": "success",
"provider": "Microsoft-Windows-Security-Auditing"
},
"host": {
"name": "COMPUTER1.contoso.com"
},
"log": {
"level": "information"
},
"winlog": {
"activity_id": "{7261ec5d-29d2-0001-bdec-6172d229d901}",
"channel": "Security",
"computer_name": "COMPUTER1.contoso.com",
"event_data": {
"AccountDomain": "CONTOSO",
"AccountName": "user1",
"ClientAddress": "LOCAL",
"ClientName": "Unknown",
"LogonID": "0x5c7c095",
"SessionName": "Console"
},
"event_id": "4778",
"keywords": [
"Audit Success"
],
"opcode": "Info",
"process": {
"pid": 320,
"thread": {
"id": 4484
}
},
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"provider_name": "Microsoft-Windows-Security-Auditing",
"record_id": 6540868,
"time_created": "2023-01-17T21:35:22.347697Z"
}
},
{
"event": {
"code": "4778",
"kind": "event",
"outcome": "success",
"provider": "Microsoft-Windows-Security-Auditing"
},
"host": {
"name": "COMPUTER1.contoso.com"
},
"log": {
"level": "information"
},
"winlog": {
"activity_id": "{7261ec5d-29d2-0001-bdec-6172d229d901}",
"channel": "Security",
"computer_name": "COMPUTER1.contoso.com",
"event_data": {
"AccountDomain": "CONTOSO",
"AccountName": "user1",
"ClientAddress": "LOCAL",
"ClientName": "Unknown",
"LogonID": "0x2d7650",
"SessionName": "Console"
},
"event_id": "4778",
"keywords": [
"Audit Success"
],
"opcode": "Info",
"process": {
"pid": 320,
"thread": {
"id": 9240
}
},
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"provider_name": "Microsoft-Windows-Security-Auditing",
"record_id": 6533066,
"time_created": "2023-01-17T14:30:22.2097094Z"
}
},
{
"event": {
"code": "4778",
"kind": "event",
"outcome": "success",
"provider": "Microsoft-Windows-Security-Auditing"
},
"host": {
"name": "COMPUTER1.contoso.com"
},
"log": {
"level": "information"
},
"winlog": {
"activity_id": "{7261ec5d-29d2-0001-bdec-6172d229d901}",
"channel": "Security",
"computer_name": "COMPUTER1.contoso.com",
"event_data": {
"AccountDomain": "CONTOSO",
"AccountName": "user1",
"ClientAddress": "LOCAL",
"ClientName": "Unknown",
"LogonID": "0x2d7650",
"SessionName": "Console"
},
"event_id": "4778",
"keywords": [
"Audit Success"
],
"opcode": "Info",
"process": {
"pid": 320,
"thread": {
"id": 20588
}
},
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"provider_name": "Microsoft-Windows-Security-Auditing",
"record_id": 6529837,
"time_created": "2023-01-17T12:16:32.6562756Z"
}
},
{
"event": {
"code": "4778",
"kind": "event",
"outcome": "success",
"provider": "Microsoft-Windows-Security-Auditing"
},
"host": {
"name": "COMPUTER1.contoso.com"
},
"log": {
"level": "information"
},
"winlog": {
"activity_id": "{7261ec5d-29d2-0001-bdec-6172d229d901}",
"channel": "Security",
"computer_name": "COMPUTER1.contoso.com",
"event_data": {
"AccountDomain": "CONTOSO",
"AccountName": "user1",
"ClientAddress": "LOCAL",
"ClientName": "Unknown",
"LogonID": "0x2d7650",
"SessionName": "Console"
},
"event_id": "4778",
"keywords": [
"Audit Success"
],
"opcode": "Info",
"process": {
"pid": 320,
"thread": {
"id": 1560
}
},
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"provider_name": "Microsoft-Windows-Security-Auditing",
"record_id": 6528511,
"time_created": "2023-01-17T11:38:09.0384455Z"
}
},
{
"event": {
"code": "4778",
"kind": "event",
"outcome": "success",
"provider": "Microsoft-Windows-Security-Auditing"
},
"host": {
"name": "COMPUTER1.contoso.com"
},
"log": {
"level": "information"
},
"winlog": {
"activity_id": "{7261ec5d-29d2-0001-bdec-6172d229d901}",
"channel": "Security",
"computer_name": "COMPUTER1.contoso.com",
"event_data": {
"AccountDomain": "CONTOSO",
"AccountName": "user1",
"ClientAddress": "LOCAL",
"ClientName": "Unknown",
"LogonID": "0x32b6a80",
"SessionName": "Console"
},
"event_id": "4778",
"keywords": [
"Audit Success"
],
"opcode": "Info",
"process": {
"pid": 320,
"thread": {
"id": 1560
}
},
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"provider_name": "Microsoft-Windows-Security-Auditing",
"record_id": 6524523,
"time_created": "2023-01-17T05:15:18.8083596Z"
}
}
]
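Review bot: All five events in this fixture carry `"ClientAddress": "LOCAL"`, so the `"Unknown"` value that the same commit adds to the processor condition is never exercised by this file; `"Unknown"` appears only in `ClientName`, which the processor does not test. Unless one of the files not shown on this page covers it, a sixth event with `"ClientAddress": "Unknown"` (and one with `"-"`) would pin the new guard, while the five `LOCAL` records differ only in `LogonID`, thread id, `record_id` and `time_created` and so all drive the same branch. The expected-output counterpart for this fixture is not on this page, so I cannot confirm what `source.ip` it asserts for the `LOCAL` case.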
