From 3734c0fe372673164bd9262b914e3f7c1c2d81e2 Mon Sep 17 00:00:00 2001 From: Dan Kortschak Date: Mon, 18 Dec 2023 17:44:43 +1030 Subject: [PATCH] crowdstrike: map host and user metatdata to ECS fields --- packages/crowdstrike/changelog.yml | 3 ++ .../elasticsearch/ingest_pipeline/default.yml | 39 +++++++++++++++++++ .../data_stream/fdr/sample_event.json | 26 +++++++++---- packages/crowdstrike/docs/README.md | 26 +++++++++---- 4 files changed, 78 insertions(+), 16 deletions(-) diff --git a/packages/crowdstrike/changelog.yml b/packages/crowdstrike/changelog.yml index 86590297c6b9..00f38bb3d76f 100644 --- a/packages/crowdstrike/changelog.yml +++ b/packages/crowdstrike/changelog.yml @@ -4,6 +4,9 @@ - description: Enrich events with userinfo user details fields. type: enhancement link: https://github.com/elastic/integrations/pull/1 + - description: Map host and user metatdata to ECS fields. + type: enhancement + link: https://github.com/elastic/integrations/pull/1 - version: "1.27.0" changes: - description: Allow aidmaster metadata to be retained after host enrichment. diff --git a/packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml b/packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml index a5e365d6d809..5e258dadf72a 100644 --- a/packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml +++ b/packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/default.yml @@ -1499,6 +1499,16 @@ processors: copy_from: host.hostname ignore_empty_value: true ignore_failure: true + - append: + field: related.hosts + value: "{{{crowdstrike.info.host.ComputerName}}}" + allow_duplicates: false + if: ctx.crowdstrike?.info?.host?.ComputerName != null + - rename: + field: crowdstrike.info.host.ComputerName + target_field: host.name + ignore_missing: true + if: ctx.host?.name == null - append: field: related.hosts value: "{{{host.name}}}" 
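Review bot: The new `rename` of crowdstrike.info.host.ComputerName to host.name is guarded by `if: ctx.host?.name == null`, so whenever host.name was already populated — the `set` whose tail (`copy_from: host.hostname`) opens this hunk looks like one such source, though its target field is outside the hunk — ComputerName stays under crowdstrike.info.host and only reaches related.hosts. If that precedence is intended, record it on the processor so the next maintainer does not "fix" it, e.g. `# Keep host.name from the event; fall back to the aidmaster ComputerName only when nothing set it.` The new related.hosts `append` also carries no `ignore_failure: true`, unlike the related.user appends added further down in this patch; either choice is defensible, but the two should agree.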
@@ -1529,6 +1539,25 @@ processors: target_field: host.domain ignore_missing: true ignore_failure: true + - convert: + field: crowdstrike.info.host.aip + target_field: _temp.aip + type: ip + ignore_missing: true + ignore_failure: true + - remove: + field: crowdstrike.info.host.aip + if: ctx._temp?.aip != null + - append: + field: host.ip + value: '{{{_temp.aip}}}' + allow_duplicates: false + if: ctx._temp?.aip != null + - append: + field: related.ip + value: '{{{_temp.aip}}}' + allow_duplicates: false + if: ctx._temp?.aip != null ## OS fields. - set: @@ -1796,6 +1825,10 @@ processors: field: crowdstrike.UID target_field: user.id ignore_missing: true + - rename: + field: crowdstrike.info.user.UserName + target_field: user.name + ignore_missing: true - rename: field: crowdstrike.GID target_field: user.group.id @@ -1840,6 +1873,12 @@ processors: ignore_failure: true allow_duplicates: false if: ctx.user?.name != null + - append: + field: related.user + value: "{{{crowdstrike.info.user.User}}}" + ignore_failure: true + allow_duplicates: false + if: ctx.crowdstrike?.info?.user?.User != null - append: field: related.user value: "{{{user.full_name}}}" diff --git a/packages/crowdstrike/data_stream/fdr/sample_event.json b/packages/crowdstrike/data_stream/fdr/sample_event.json index 587fd3078d58..ff4fd6ccbe30 100644 --- a/packages/crowdstrike/data_stream/fdr/sample_event.json +++ b/packages/crowdstrike/data_stream/fdr/sample_event.json @@ -1,7 +1,7 @@ { "@timestamp": "2020-10-01T09:58:32.519Z", "agent": { - "ephemeral_id": "4425a102-81c9-49bd-bef6-a39dee6768a1", + "ephemeral_id": "ea19fa42-bc7b-4504-9153-b8e5d9f37c65", "id": "96a6843b-0843-4420-ab87-e5cfc16d378c", "name": "docker-fleet-agent", "type": "filebeat", @@ -40,7 +40,6 @@ "BiosVersion": "vG17V.21040423/z64", "ChassisType": "Other", "City": "Chicago", - "ComputerName": "FEVWSN1-234", "ConfigBuild": "1007.3.0017312.1", "ConfigIDBuild": "13922", "Continent": "North America", 
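Review bot: The `convert` of crowdstrike.info.host.aip uses `ignore_failure: true` with no `on_failure`, so a value that is not a valid IP is silently dropped from host.ip and related.ip with nothing recorded in error.message, and the guarded `remove` then leaves the unparsed string in place with no sign it was rejected. Replacing `ignore_failure: true` with an `on_failure` handler that appends `{{{_ingest.on_failure_message}}}` to error.message would make the failed conversion visible to anyone pivoting on the host. The `_temp.aip` scratch field is not removed in this hunk; presumably a trailing `_temp` cleanup exists elsewhere in the pipeline, but that is not visible here.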
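Review bot: The new `rename` of crowdstrike.info.user.UserName to user.name has neither a guard nor `ignore_failure`, and the rename processor raises when the target field already exists; the `if: ctx.user?.name != null` condition on the pre-existing related.user append in the next hunk suggests user.name can already be populated earlier in the pipeline, so an event carrying both values would hit that error and, depending on the pipeline's on_failure handling, be tagged as a pipeline error or dropped. Mirror the host.name rename earlier in this patch with `if: ctx.user?.name == null`, which keeps the event-level name and falls back to the userinfo value only when none is set.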
@@ -59,7 +58,6 @@
 "Time": "1697992719.22",
 "Timezone": "America/Chicago",
 "Version": "Windows Server 2021",
- "aip": "16.15.12.10",
 "cid": "ffffffff30a3407dae27d0503611022d",
 "event_platform": "Win"
 },
@@ -74,7 +72,6 @@
 "User": "DOMAIN\\BRADLEYA",
 "UserIsAdmin": "0",
 "UserLogonFlags_decimal": "0",
- "UserName": "Alan-One",
 "_time": "1702546168.576",
 "cid": "ffffffff15754bcfb5f9152ec7ac90ac",
 "event_platform": "Win",
@@ -105,7 +102,7 @@
 "created": "2020-10-01T09:58:32.519Z",
 "dataset": "crowdstrike.fdr",
 "id": "ffffffff-1111-11eb-8462-02ade3b2f949",
- "ingested": "2023-12-18T06:04:39Z",
+ "ingested": "2023-12-18T07:11:33Z",
 "kind": "event",
 "original": "{\"AuthenticationId\":\"3783389\",\"CommandLine\":\"\\\"C:\\\\WINDOWS\\\\system32\\\\backgroundTaskHost.exe\\\" -ServerName:App.AppXnme9zjyebb2xnyygh6q9ev6p5d234br2.mca\",\"ConfigBuild\":\"1007.3.0012309.1\",\"ConfigStateHash\":\"3998263252\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"ImageFileName\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\System32\\\\backgroundTaskHost.exe\",\"ImageSubsystem\":\"2\",\"IntegrityLevel\":\"4096\",\"MD5HashData\":\"50d5fd1290d94d46acca0585311e74d5\",\"ParentAuthenticationId\":\"3783389\",\"ParentBaseFileName\":\"svchost.exe\",\"ParentProcessId\":\"2439558094566\",\"ProcessCreateFlags\":\"525332\",\"ProcessEndTime\":\"\",\"ProcessParameterFlags\":\"16385\",\"ProcessStartTime\":\"1604855181.648\",\"ProcessSxsFlags\":\"1600\",\"RawProcessId\":\"22272\",\"RpcClientProcessId\":\"2439558094566\",\"SHA1HashData\":\"0000000000000000000000000000000000000000\",\"SHA256HashData\":\"b8e176fe76a1454a00c4af0f8bf8870650d9c33d3e333239a59445c5b35c9a37\",\"SessionId\":\"1\",\"SourceProcessId\":\"2439558094566\",\"SourceThreadId\":\"77538684027214\",\"Tags\":\"41, 12094627905582, 12094627906234\",\"TargetProcessId\":\"2450046082233\",\"TokenType\":\"2\",\"UserSid\":\"S-1-12-1-3697283754-1083485977-2164330645-2516515886\",\"WindowFlags\":\"128\",\"aid\":\"ffffffff655344736aca58d17fb570f0\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"ProcessRollup2\",\"id\":\"ffffffff-1111-11eb-8462-02ade3b2f949\",\"name\":\"ProcessRollup2V18\",\"timestamp\":\"1601546312519\"}",
 "outcome": "success",
@@ -115,6 +112,10 @@
 ]
 },
 "host": {
+ "ip": [
+ "16.15.12.10"
+ ],
+ "name": "FEVWSN1-234",
 "os": {
 "type": "windows"
 }
@@ -124,7 +125,7 @@
 },
 "log": {
 "file": {
- "path": "https://elastic-package-crowdstrike-fdr-83810.s3.us-east-1.amazonaws.com/data"
+ "path": "https://elastic-package-crowdstrike-fdr-90399.s3.us-east-1.amazonaws.com/data"
 },
 "offset": 107991
 },
@@ -176,8 +177,16 @@
 "b8e176fe76a1454a00c4af0f8bf8870650d9c33d3e333239a59445c5b35c9a37",
 "3998263252"
 ],
+ "hosts": [
+ "FEVWSN1-234"
+ ],
 "ip": [
- "67.43.156.14"
+ "67.43.156.14",
+ "16.15.12.10"
+ ],
+ "user": [
+ "Alan-One",
+ "DOMAIN\\BRADLEYA"
 ]
 },
 "tags": [
@@ -189,6 +198,7 @@
 "scheme": "http"
 },
 "user": {
- "id": "S-1-12-1-3697283754-1083485977-2164330645-2516515886"
+ "id": "S-1-12-1-3697283754-1083485977-2164330645-2516515886",
+ "name": "Alan-One"
 }
 }
\ No newline at end of file
diff --git a/packages/crowdstrike/docs/README.md b/packages/crowdstrike/docs/README.md
index 545aa6f5d9b5..dc326ba444e2 100644
--- a/packages/crowdstrike/docs/README.md
+++ b/packages/crowdstrike/docs/README.md
@@ -1117,7 +1117,7 @@ An example event for `fdr` looks as following:
 {
 "@timestamp": "2020-10-01T09:58:32.519Z",
 "agent": {
- "ephemeral_id": "4425a102-81c9-49bd-bef6-a39dee6768a1",
+ "ephemeral_id": "ea19fa42-bc7b-4504-9153-b8e5d9f37c65",
 "id": "96a6843b-0843-4420-ab87-e5cfc16d378c",
 "name": "docker-fleet-agent",
 "type": "filebeat",
@@ -1156,7 +1156,6 @@ An example event for `fdr` looks as following:
 "BiosVersion": "vG17V.21040423/z64",
 "ChassisType": "Other",
 "City": "Chicago",
- "ComputerName": "FEVWSN1-234",
 "ConfigBuild": "1007.3.0017312.1",
 "ConfigIDBuild": "13922",
 "Continent": "North America",
@@ -1175,7 +1174,6 @@ An example event for `fdr` looks as following:
 "Time": "1697992719.22",
 "Timezone": "America/Chicago",
 "Version": "Windows Server 2021",
- "aip": "16.15.12.10",
 "cid": "ffffffff30a3407dae27d0503611022d",
 "event_platform": "Win"
 },
@@ -1190,7 +1188,6 @@ An example event for `fdr` looks as following:
 "User": "DOMAIN\\BRADLEYA",
 "UserIsAdmin": "0",
 "UserLogonFlags_decimal": "0",
- "UserName": "Alan-One",
 "_time": "1702546168.576",
 "cid": "ffffffff15754bcfb5f9152ec7ac90ac",
 "event_platform": "Win",
@@ -1221,7 +1218,7 @@ An example event for `fdr` looks as following:
 "created": "2020-10-01T09:58:32.519Z",
 "dataset": "crowdstrike.fdr",
 "id": "ffffffff-1111-11eb-8462-02ade3b2f949",
- "ingested": "2023-12-18T06:04:39Z",
+ "ingested": "2023-12-18T07:11:33Z",
 "kind": "event",
 "original": "{\"AuthenticationId\":\"3783389\",\"CommandLine\":\"\\\"C:\\\\WINDOWS\\\\system32\\\\backgroundTaskHost.exe\\\" -ServerName:App.AppXnme9zjyebb2xnyygh6q9ev6p5d234br2.mca\",\"ConfigBuild\":\"1007.3.0012309.1\",\"ConfigStateHash\":\"3998263252\",\"EffectiveTransmissionClass\":\"3\",\"Entitlements\":\"15\",\"ImageFileName\":\"\\\\Device\\\\HarddiskVolume3\\\\Windows\\\\System32\\\\backgroundTaskHost.exe\",\"ImageSubsystem\":\"2\",\"IntegrityLevel\":\"4096\",\"MD5HashData\":\"50d5fd1290d94d46acca0585311e74d5\",\"ParentAuthenticationId\":\"3783389\",\"ParentBaseFileName\":\"svchost.exe\",\"ParentProcessId\":\"2439558094566\",\"ProcessCreateFlags\":\"525332\",\"ProcessEndTime\":\"\",\"ProcessParameterFlags\":\"16385\",\"ProcessStartTime\":\"1604855181.648\",\"ProcessSxsFlags\":\"1600\",\"RawProcessId\":\"22272\",\"RpcClientProcessId\":\"2439558094566\",\"SHA1HashData\":\"0000000000000000000000000000000000000000\",\"SHA256HashData\":\"b8e176fe76a1454a00c4af0f8bf8870650d9c33d3e333239a59445c5b35c9a37\",\"SessionId\":\"1\",\"SourceProcessId\":\"2439558094566\",\"SourceThreadId\":\"77538684027214\",\"Tags\":\"41, 12094627905582, 12094627906234\",\"TargetProcessId\":\"2450046082233\",\"TokenType\":\"2\",\"UserSid\":\"S-1-12-1-3697283754-1083485977-2164330645-2516515886\",\"WindowFlags\":\"128\",\"aid\":\"ffffffff655344736aca58d17fb570f0\",\"aip\":\"67.43.156.14\",\"cid\":\"ffffffff30a3407dae27d0503611022d\",\"event_platform\":\"Win\",\"event_simpleName\":\"ProcessRollup2\",\"id\":\"ffffffff-1111-11eb-8462-02ade3b2f949\",\"name\":\"ProcessRollup2V18\",\"timestamp\":\"1601546312519\"}",
 "outcome": "success",
@@ -1231,6 +1228,10 @@ An example event for `fdr` looks as following:
 ]
 },
 "host": {
+ "ip": [
+ "16.15.12.10"
+ ],
+ "name": "FEVWSN1-234",
 "os": {
 "type": "windows"
 }
@@ -1240,7 +1241,7 @@ An example event for `fdr` looks as following:
 },
 "log": {
 "file": {
- "path": "https://elastic-package-crowdstrike-fdr-83810.s3.us-east-1.amazonaws.com/data"
+ "path": "https://elastic-package-crowdstrike-fdr-90399.s3.us-east-1.amazonaws.com/data"
 },
 "offset": 107991
 },
@@ -1292,8 +1293,16 @@ An example event for `fdr` looks as following:
 "b8e176fe76a1454a00c4af0f8bf8870650d9c33d3e333239a59445c5b35c9a37",
 "3998263252"
 ],
+ "hosts": [
+ "FEVWSN1-234"
+ ],
 "ip": [
- "67.43.156.14"
+ "67.43.156.14",
+ "16.15.12.10"
+ ],
+ "user": [
+ "Alan-One",
+ "DOMAIN\\BRADLEYA"
 ]
 },
 "tags": [
@@ -1305,7 +1314,8 @@ An example event for `fdr` looks as following:
 "scheme": "http"
 },
 "user": {
- "id": "S-1-12-1-3697283754-1083485977-2164330645-2516515886"
+ "id": "S-1-12-1-3697283754-1083485977-2164330645-2516515886",
+ "name": "Alan-One"
 }
 }
 ```