-
Notifications
You must be signed in to change notification settings - Fork 4.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Validate Source IP "LOCAL" or "Unknown" in Windows Security Logs #34295
Conversation
This pull request does not have a backport label.
To fixup this pull request, you need to add the backport labels for the needed
|
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
/test |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks.
Are you able to provide events to exercise this in tests?
I unfortunately cannot provide EVTX files for this one, as the only record of this happening so far is from servers, and I do not have access to log into those servers. Since I have already made the changes to our Ingest Pipeline, I could provide the JSON of some of these documents in Elasticsearch for these events. |
Scratch that. I was able to find a client with some of these. As with the other PR, these events do contain sensitive information. Please let me know how/where I can send them to you, and I will do that. |
Attaching five scrubbed events of each where the source IP is either "LOCAL" or "Unknown". |
Can we back-port this? |
Tests cases mechanically derived from user-provided XML scrubbed event data.
I've added the tests temporarily in the collection testdata. I want to flesh this out with a way to just drop XML files into inputs, but this is a bigger change, so I will do that separately. |
/test |
/test |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks
) Tests cases mechanically derived from user-provided XML scrubbed event data. Co-authored-by: Dan Kortschak <[email protected]> (cherry picked from commit 4a1e56f) # Conflicts: # x-pack/winlogbeat/module/security/ingest/security.yml # x-pack/winlogbeat/module/security/test/testdata/4778.evtx.golden.json # x-pack/winlogbeat/module/security/test/testdata/4778.golden.json # x-pack/winlogbeat/module/security/test/testdata/4779.evtx.golden.json # x-pack/winlogbeat/module/security/test/testdata/4779.golden.json
) Tests cases mechanically derived from user-provided XML scrubbed event data. Co-authored-by: Dan Kortschak <[email protected]> (cherry picked from commit 4a1e56f)
) (#34309) Tests cases mechanically derived from user-provided XML scrubbed event data. Co-authored-by: Dan Kortschak <[email protected]> (cherry picked from commit 4a1e56f) Co-authored-by: Eric <[email protected]>
) Tests cases mechanically derived from user-provided XML scrubbed event data. Co-authored-by: Dan Kortschak <[email protected]>
What does this PR do?
Some security events contain a source IP address of "LOCAL" or "Unknown" which are not valid IP addresses. This PR will correct the processing of events containing one of those values.
Why is it important?
This bug causes mapping exceptions and prevents these events from being ingested.
Checklist
CHANGELOG.next.asciidoc
orCHANGELOG-developer.next.asciidoc
.Related issues
-fixes #34263