Support multiple IPs in aip & add more fields (#5655)

elastic · Mar 23, 2023 · 97f4971 · 97f4971
1 parent f68a57a
commit 97f4971
Show file tree

Hide file tree

Showing 9 changed files with 1,064 additions and 285 deletions.
diff --git a/packages/crowdstrike/_dev/deploy/docker/sample_logs/fdr-sample.log b/packages/crowdstrike/_dev/deploy/docker/sample_logs/fdr-sample.log
@@ -122,3 +122,4 @@
 {"AuthenticationId":"703298","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"2642284486","ContextProcessId":"1161025471861","ContextThreadId":"34929528116709","ContextTimeStamp":"1604851030.593","DiskParentDeviceInstanceId":"USB\\VID_1058\u0026PID_2621\\57583431453939315A4C5255","EffectiveTransmissionClass":"3","Entitlements":"15","FileEcpBitmask":"0","FileIdentifier":"262fbc677256cf4c8d6c6a227285a072c06830873b000000","FileObject":"18446664963104449168","IrpFlags":"1028","IsOnNetwork":"0","IsOnRemovableDisk":"1","MajorFunction":"18","MinorFunction":"0","OperationFlags":"0","Size":"517029","TargetFileName":"\\Device\\HarddiskVolume5\\01.png.tmp$$","TokenType":"1","UserName":"user9","aid":"ffffffff16bf4c7bb5ad755a4722025c","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"GenericFileWritten","id":"ffffffff-1111-11eb-800a-06cecfd73923","name":"GenericFileWrittenV11","timestamp":"1604851031298"}
 {"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"666346415","ContextProcessId":"1717987648455","ContextThreadId":"55064470042288","ContextTimeStamp":"1604850899.164","EffectiveTransmissionClass":"3","Entitlements":"15","VolumeName":"\\Device\\HarddiskVolume27","aid":"ffffffff896b43725b83c79aa79959da","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"FsVolumeUnmounted","id":"ffffffff-1111-11eb-9f70-0634389d9ea9","name":"FsVolumeUnmountedV2","timestamp":"1604850899812"}
 {"ConfigBuild":"1007.4.0009906.1","ConfigStateHash":"3429017943","ContextProcessId":"66426035996442255","ContextTimeStamp":"1604851098.548","Entitlements":"15","aid":"ffffffff899541b94b9adff8922aa70a","aip":"67.43.156.14","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Mac","event_simpleName":"FirewallDisabled","id":"ffffffff-1111-11eb-9d4c-02f402df8c1f","name":"FirewallDisabledMacV1","timestamp":"1604851040625"}
+{"ComputerName":"HQ-sadhkbasHS","CurrentLocalIP":"67.43.156.13","FirstDiscoveredDate":"1669625277.827","LastDiscoveredBy":"c1b74438660b44cfa93e24c9d44badab","LocalAddressIP4":"67.43.156.13","MAC":"AA-AA-AA-AA-AA-AA","MACPrefix":"AA-AA-AA","NeighborName":"!!!!UNKNOWN!!!!","__mv_LocalAddressIP4":"","__mv_aip":"$67.43.156.14$;$67.43.156.13$","__mv_discoverer_aid":"$4b8f58d3f5f040b3804d3820ca2aed67$;$c1b74438660b44cfa93e24c9d44badab$","__mv_discoverer_devicetype":"","_time":"1678931820.343","aip":"67.43.156.13 67.43.156.14 81.2.69.192","aipCount":"3","cid":"500c5073b4d7443688f4b32c5eeb295b","discovererCount":"2","discoverer_aid":"4b8f58d3f5f040b3804d3820ca2aed67 c1b74438660b44cfa93e24c9d44badab","discoverer_devicetype":"","localipCount":"1","subnet":"10.0"}
diff --git a/packages/crowdstrike/changelog.yml b/packages/crowdstrike/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.11.1"
+  changes:
+    - description: Multiple IPs in `aip` field and add new fields
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/5655
 - version: "1.11.0"
   changes:
     - description: Support `max_number_of_messages` in SQS mode

diff --git a/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr.log b/packages/crowdstrike/data_stream/fdr/_dev/test/pipeline/test-fdr.log
@@ -126,3 +126,5 @@
 {"AuthenticationId":"317005428","AuthenticationPackage":"Negotiate","ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"3950066843","EffectiveTransmissionClass":"2","Entitlements":"15","LogoffTime":"1604855132.756","LogonDomain":"dom1","LogonServer":"srv2","LogonTime":"1604855131.666","LogonType":"7","PasswordLastSet":"1598119332.510","RemoteAccount":"1","UserFlags":"32","UserIsAdmin":"0","UserLogoffType":"3","UserLogonFlags":"0","UserName":"user4","UserPrincipal":"[email protected]","UserSid":"S-1-5-21-606747145-1364589140-725345543-28636","aid":"ffffffffe0104823bd3de859d5bc8bc7","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"UserLogoff","id":"ffffffff-1111-11eb-8913-0287fd11c79b","name":"UserLogoffV3","UTCTimestamp":"1604855134461"}
 {"ProcessCreateFlags":"1024","IntegrityLevel":"8192","ParentProcessId":"434985540832797032","SourceProcessId":"434985540832797032","aip":"89.160.20.120","SHA1HashData":"0000000000000000000000000000000000000000","UserSid":"S-1-5-21-4084637156-299436391-3671333128-115430","event_platform":"Win","TokenType":"2","ProcessEndTime":"","ParentBaseFileName":"EmUser.exe","ImageSubsystem":"2","id":"9686a6b3-1d39-11ed-9370-0660bfa16adf","EffectiveTransmissionClass":"3","SessionId":"1","Tags":"25, 27, 862, 874, 924, 12094627905582, 12094627906234","timestamp":"1660636869410","event_simpleName":"ProcessRollup2","RawProcessId":"6108","ConfigStateHash":"518095218","MD5HashData":"e570911fc2ab74ecf0dc59f324318f6e","SHA256HashData":"f470180a4f67ebd944570b3eaf040caa8c0713252c6228e60c413714375ccfe2","ProcessSxsFlags":"64","AuthenticationId":"29530993","ConfigBuild":"1007.3.0015103.1","CommandLine":"\"C:\\Program Files\\nirsoft\\SoundVolumeView.exe\" /SetDefault \"Teradici Virtual Audio Driver\\device\\speakers\\\" all","ParentAuthenticationId":"29530993","TargetProcessId":"434985669758362104","ImageFileName":"\\Device\\HarddiskVolume3\\Program Files\\NirSoft\\SoundVolumeView.exe","SourceThreadId":"434985668331321297","Entitlements":"15","name":"ProcessRollup2V19","ProcessStartTime":"1660636868.576","ProcessParameterFlags":"24577","aid":"50deaa55144543089a1f463b568cdc53","cid":"1301ac65ae144fbb9689a8472f828c2e"}
 {"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"666346415","ContextProcessId":"1717987648455","ContextThreadId":"55064470042288","ContextTimeStamp":133145666190000000,"EffectiveTransmissionClass":"3","Entitlements":"15","VolumeName":"\\Device\\HarddiskVolume27","aid":"ffffffff896b43725b83c79aa79959da","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"FsVolumeUnmounted","id":"ffffffff-1111-11eb-9f70-0634389d9ea9","name":"FsVolumeUnmountedV2","timestamp":"1604850899812","StartTime":133145665200000000,"EndTime":133145665200000000}
+{"ComputerName":"HQ-sadhkbasHS","CurrentLocalIP":"67.43.156.13","FirstDiscoveredDate":"1669625277.827","LastDiscoveredBy":"c1b74438660b44cfa93e24c9d44badab","LocalAddressIP4":"67.43.156.13","MAC":"AA-AA-AA-AA-AA-AA","MACPrefix":"AA-AA-AA","NeighborName":"!!!!UNKNOWN!!!!","__mv_LocalAddressIP4":"","__mv_aip":"$67.43.156.14$;$67.43.156.13$","__mv_discoverer_aid":"$4b8f58d3f5f040b3804d3820ca2aed67$;$c1b74438660b44cfa93e24c9d44badab$","__mv_discoverer_devicetype":"","_time":"1678931820.343","aip":"67.43.156.13 67.43.156.14 81.2.69.192","aipCount":"3","cid":"500c5073b4d7443688f4b32c5eeb295b","discovererCount":"2","discoverer_aid":"4b8f58d3f5f040b3804d3820ca2aed67 c1b74438660b44cfa93e24c9d44badab","discoverer_devicetype":"","localipCount":"1","subnet":"10.0"}
+{"ConfigBuild":"1007.3.0011603.1","ConfigStateHash":"666346415","ContextProcessId":"1717987648455","ContextThreadId":"55064470042288","ContextTimeStamp":"","EffectiveTransmissionClass":"3","Entitlements":"15","VolumeName":"\\Device\\HarddiskVolume27","aid":"ffffffff896b43725b83c79aa79959da","aip":"67.43.156.13","cid":"ffffffff30a3407dae27d0503611022d","event_platform":"Win","event_simpleName":"FsVolumeUnmounted","id":"ffffffff-1111-11eb-9f70-0634389d9ea9","name":"FsVolumeUnmountedV2","timestamp":"1604850899812","StartTime":133145665200000000,"EndTime":133145665200000000}