From b08013feeae7baeb689be3cfb746c32de3aa01df Mon Sep 17 00:00:00 2001 From: Marius Iversen Date: Tue, 5 Sep 2023 14:59:06 +0200 Subject: [PATCH] [Filebeat][Crowdstrike] Adding fix to ingest pipeline for command line array handling (#36496) * [Filebeat][Crowdstrike] Adding fix to ingest pipeline for command line args array handling * changelog PR link update * adding missing semicolon * adding testdata to test the process commandline arg being an empty string (cherry picked from commit 35fe3188702baa6cdc742e57c8da39e3c71e49e5)
---
 CHANGELOG.next.asciidoc | 33 +++++++++++++++++++
 .../crowdstrike/falcon/ingest/pipeline.yml | 2 +-
 .../crowdstrike/falcon/test/falcon-events.log | 2 +-
 .../test/falcon-events.log-expected.json | 11 ++++---
 4 files changed, 41 insertions(+), 7 deletions(-)
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 3273bc369830..8517a1543aec 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -40,6 +40,39 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 *Filebeat*
+- [Gcs Input] - Added missing locks for safe concurrency {pull}34914[34914]
+- Fix the ignore_inactive option being ignored in Filebeat's filestream input {pull}34770[34770]
+- Fix TestMultiEventForEOFRetryHandlerInput unit test of CometD input {pull}34903[34903]
+- Add input instance id to request trace filename for httpjson and cel inputs {pull}35024[35024]
+- Fixes "Can only start an input when all related states are finished" error when running under Elastic-Agent {pull}35250[35250] {issue}33653[33653]
+- [system] sync system/auth dataset with system integration 1.29.0. {pull}35581[35581]
+- [GCS Input] - Fixed an issue where bucket_timeout was being applied to the entire bucket poll interval and not individual bucket object read operations. Fixed a map write concurrency issue arising from data races when using a high number of workers. Fixed the flaky tests that were present in the GCS test suit. {pull}35605[35605]
+- Fix filestream false positive log error "filestream input with ID 'xyz' already exists" {issue}31767[31767]
+- Fix error message formatting from filestream input. {pull}35658[35658]
+- Fix error when trying to use `include_message` parser {issue}35440[35440]
+- Fix handling of IPv6 unspecified addresses in TCP input. {issue}35064[35064] {pull}35637[35637]
+- Fixed a minor code error in the GCS input scheduler where a config value was being used directly instead of the source struct. {pull}35729[35729]
+- Improve error reporting and fix IPv6 handling of TCP and UDP metric collection. {pull}35772[35772]
+- Fix CEL input JSON marshalling of nested objects. {issue}35763[35763] {pull}35774[35774]
+- Fix metric collection in GCPPubSub input. {pull}35773[35773]
+- Fix end point deregistration in http_endpoint input. {issue}35899[35899] {pull}35903[35903]
+- Fix duplicate ID panic in filestream metrics. {issue}35964[35964] {pull}35972[35972]
+- Improve error reporting and fix IPv6 handling of TCP and UDP metric collection. {pull}35996[35996]
+- Fix handling of NUL-terminated log lines in Fortinet Firewall module. {issue}36026[36026] {pull}36027[36027]
+- Make redact field configuration recommended in CEL input and log warning if missing. {pull}36008[36008]
+- Fix handling of region name configuration in awss3 input {pull}36034[36034]
+- Fixed concurrency and flakey tests issue in azure blob storage input. {issue}35983[35983] {pull}36124[36124]
+- Fix panic when sqs input metrics getter is invoked {pull}36101[36101] {issue}36077[36077]
+- Make CEL input's `now` global variable static for evaluation lifetime. {pull}36107[36107]
+- Update mito CEL extension library to v1.5.0. {pull}36146[36146]
+- Filter out duplicate paths resolved from matching globs. {issue}36253[36253] {pull}36256[36256]
+- Fix handling of TCP/UDP address resolution during metric initialization. {issue}35064[35064] {pull}36287[36287]
+- Fix handling of Juniper SRX structured data when there is no leading junos element. {issue}36270[36270] {pull}36308[36308]
+- Remove erroneous error log in GCPPubSub input. {pull}36296[36296]
+- Fix Filebeat Cisco module with missing escape character {issue}36325[36325] {pull}36326[36326]
+- Fix panic when redact option is not provided to CEL input. {issue}36387[36387] {pull}36388[36388]
+- Remove 'onFilteredOut' and 'onDroppedOnPublish' callback logs {issue}36299[36299] {pull}36399[36399]
+- Added a fix for Crowdstrike pipeline handling process arrays {pull}36496[36496]
 *Heartbeat*
diff --git a/x-pack/filebeat/module/crowdstrike/falcon/ingest/pipeline.yml b/x-pack/filebeat/module/crowdstrike/falcon/ingest/pipeline.yml
index 9aeb653b4888..94d312d7e116 100644
--- a/x-pack/filebeat/module/crowdstrike/falcon/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/crowdstrike/falcon/ingest/pipeline.yml
@@ -281,7 +281,7 @@ processors:
 commandLine = commandLine.trim();
 if (commandLine != "") {
- def args = Arrays.asList(/ /.split(commandLine));
+ def args = new ArrayList(Arrays.asList(/ /.split(commandLine)));
 args.removeIf(arg -> arg == "");
 ctx['process'] = new HashMap();
diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log
index 0980bf0fb601..f7cb78602c8f 100644
--- a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log
+++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log
@@ -19,7 +19,7 @@
 "SeverityName": "High",
 "FileName": "explorer.exe",
 "FilePath": "\\Device\\HarddiskVolume1\\Windows",
- "CommandLine": "C:\\Windows\\Explorer.EXE",
+ "CommandLine": "C:\\Windows\\Explorer.EXE --test",
 "SHA256String": "6a671b92a69755de6fd063fcbe4ba926d83b49f78c42dbaeed8cdb6bbc57576a",
 "MD5String": "ac4c51eb24aa95b77f705ab159189e24",
 "MachineDomain": "CORP-DOMAIN",
diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json
index 0756dfac4772..9ed507981435 100644
--- a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json
+++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json
@@ -1,6 +1,6 @@
 [
 {
- "crowdstrike.event.CommandLine": "C:\\Windows\\Explorer.EXE",
+ "crowdstrike.event.CommandLine": "C:\\Windows\\Explorer.EXE --test",
 "crowdstrike.event.ComputerName": "alice-laptop",
 "crowdstrike.event.DetectDescription": "Terminated a process related to the deletion of backups, which is often indicative of ransomware activity.",
 "crowdstrike.event.DetectId": "ldt:ec86abd353824e96765ecbe18eb4f0b4:38655257584",
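Review bot: The `new ArrayList(...)` wrapper on the `+` line makes the following `removeIf` legal, but `/ /.split(commandLine)` on that same line still tokenises on single spaces only, so a quoted Windows path containing a space (`"C:\Program Files\x.exe" -a`) is broken into several fragments and `process.args` no longer starts with the executable. Detection content keyed on `process.args` would therefore be unreliable for exactly the binaries commonly installed under Program Files; `process.command_line` keeps the raw string, so the damage is confined to the array. If a quote-aware split is out of scope here, a comment on the `def args` line such as `# naive single-space split: quoted arguments containing spaces are broken into several args` would make the limitation visible to rule authors. The enclosing Painless script starts and ends outside the hunk.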
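Review bot: The fixture change on the `+` line (`Explorer.EXE --test`) has a single separator, so after the pipeline's `/ /.split` no empty element exists and `removeIf` has nothing to remove; the commit message says this data tests the empty-string argument case, but as far as I can tell the input never reaches the removal that the old fixed-size `Arrays.asList` list would have rejected, so it does not guard the fix against regression. A command line with consecutive spaces, e.g. `"CommandLine": "C:\\Windows\\Explorer.EXE  --test",`, with the expected `process.args` still holding exactly two elements, would exercise the failing path (leading and trailing runs are already removed by the `trim()` call). Adding it as a separate event rather than editing the existing one would also avoid shifting every later `log.offset` in the expected output.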
@@ -67,9 +67,10 @@
 "log.offset": 0,
 "message": "Terminated a process related to the deletion of backups, which is often indicative of ransomware activity.",
 "process.args": [
- "C:\\Windows\\Explorer.EXE"
+ "C:\\Windows\\Explorer.EXE",
+ "--test"
 ],
- "process.command_line": "C:\\Windows\\Explorer.EXE",
+ "process.command_line": "C:\\Windows\\Explorer.EXE --test",
 "process.executable": "C:\\Windows\\Explorer.EXE",
 "process.name": "explorer.exe",
 "process.pid": 38684386611,
@@ -126,7 +127,7 @@
 "log.flags": [
 "multiline"
 ],
- "log.offset": 2063,
+ "log.offset": 2071,
 "message": "Incident score 1.2",
 "service.type": "crowdstrike",
 "tags": [
@@ -169,7 +170,7 @@
 "log.flags": [
 "multiline"
 ],
- "log.offset": 2579,
+ "log.offset": 2587,
 "message": "quarantined_file_update",
 "related.user": [
 "Crowdstrike"