x-pack/winlogbeat/module/sysmon: handle empty sysmon DNS answer data (#…

…35207)
elastic · Jun 13, 2023 · 791fdf8 · 791fdf8
1 parent 7ad2548
commit 791fdf8
Show file tree

Hide file tree

Showing 14 changed files with 171 additions and 214 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -357,6 +357,7 @@ automatic splitting at root level, if root level element is an array. {pull}3415
 *Winlogbeat*
 
 - Set `host.os.type` and `host.os.family` to "windows" if not already set. {pull}35435[35435]
+- Handle empty DNS answer data in QueryResults for the Sysmon Pipeline {pull}35207[35207]
 
 
 *Elastic Log Driver*

diff --git a/x-pack/winlogbeat/module/sysmon/ingest/sysmon.yml b/x-pack/winlogbeat/module/sysmon/ingest/sysmon.yml
@@ -782,15 +782,20 @@ processors:
 
           if (answer.startsWith("type:")) {
             def parts = /\s+/.split(answer);
-            if (parts.length != 3) {
+            if (parts.length < 2) {
               throw new Exception("unexpected QueryResult format");
             }
-
-            answers.add([
-              "type": params[parts[1]],
-              "data": parts[2]
-            ]);
-            relatedHosts.add(parts[2]);
+            if (parts.length == 3) {
+              answers.add([
+                "type": params[parts[1]],
+                "data": parts[2]
+              ]);
+              relatedHosts.add(parts[2]);
+            } else {
+              answers.add([
+                "type": params[parts[1]]
+              ]);
+            }
           } else {
             answer = answer.replace("::ffff:", "");
             ips.add(answer);

diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/collection/sysmon-no-evtx.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/collection/sysmon-no-evtx.evtx.golden.json
@@ -0,0 +1,47 @@
+[
+  {
+    "event": {
+      "code": "22",
+      "kind": "event",
+      "provider": "Microsoft-Windows-Sysmon"
+    },
+    "host": {
+      "name": "internal.network.org"
+    },
+    "log": {
+      "level": "information"
+    },
+    "winlog": {
+      "channel": "Microsoft-Windows-Sysmon/Operational",
+      "computer_name": "internal.network.org",
+      "event_data": {
+        "Image": "C:\\Windows\\System32\\lsass.exe",
+        "ProcessGuid": "{00000000-0000-0000-0000-000000000000}",
+        "ProcessId": "500",
+        "QueryName": "some.other.domain.com",
+        "QueryResults": "type:  33 ;type:  33 ;1:2:3::3;1.2.3.3;",
+        "QueryStatus": "0",
+        "RuleName": "-",
+        "User": "NT AUTHORITY\\SYSTEM",
+        "UtcTime": "2000-01-01T00:00:00.000"
+      },
+      "event_id": "22",
+      "level": "information",
+      "opcode": "Info",
+      "process": {
+        "pid": 1000,
+        "thread": {
+          "id": 2000
+        }
+      },
+      "provider_guid": "{00000000-0000-0000-0000-000000000000}",
+      "provider_name": "Microsoft-Windows-Sysmon",
+      "record_id": 1111,
+      "time_created": "2000-01-01T00:00:00Z",
+      "user": {
+        "identifier": "A-0-0-00"
+      },
+      "version": 5
+    }
+  }
+]