
crowdstrike: remove redundant GeoIP look-ups #5456

Merged (1 commit, Mar 18, 2023)

Conversation

@efd6 (Contributor) commented Mar 7, 2023

What does this PR do?

Removes redundant GeoIP look-ups. These appear ~twice (the first instance is a subset of the second — this change removes the first).

```yaml
## IP Geolocation Lookup
- geoip:
    field: source.ip
    target_field: source.geo
    ignore_missing: true
- geoip:
    field: destination.ip
    target_field: destination.geo
    ignore_missing: true
## IP Autonomous System (AS) Lookup
- geoip:
    database_file: GeoLite2-ASN.mmdb
    field: source.ip
    target_field: source.as
    properties:
      - asn
      - organization_name
    ignore_missing: true
- geoip:
    database_file: GeoLite2-ASN.mmdb
    field: destination.ip
    target_field: destination.as
    properties:
      - asn
      - organization_name
    ignore_missing: true
- rename:
    field: source.as.asn
    target_field: source.as.number
    ignore_missing: true
- rename:
    field: source.as.organization_name
    target_field: source.as.organization.name
    ignore_missing: true
- rename:
    field: destination.as.asn
    target_field: destination.as.number
    ignore_missing: true
- rename:
    field: destination.as.organization_name
    target_field: destination.as.organization.name
    ignore_missing: true

## IP Geolocation Lookup
- geoip:
    field: observer.ip
    target_field: observer.geo
    ignore_missing: true
- geoip:
    field: source.ip
    target_field: source.geo
    ignore_missing: true
- geoip:
    field: destination.ip
    target_field: destination.geo
    ignore_missing: true
## IP Autonomous System (AS) Lookup
- geoip:
    database_file: GeoLite2-ASN.mmdb
    field: source.ip
    target_field: source.as
    properties:
      - asn
      - organization_name
    ignore_missing: true
- geoip:
    database_file: GeoLite2-ASN.mmdb
    field: destination.ip
    target_field: destination.as
    properties:
      - asn
      - organization_name
    ignore_missing: true
- rename:
    field: source.as.asn
    target_field: source.as.number
    ignore_missing: true
- rename:
    field: source.as.organization_name
    target_field: source.as.organization.name
    ignore_missing: true
- rename:
    field: destination.as.asn
    target_field: destination.as.number
    ignore_missing: true
- rename:
    field: destination.as.organization_name
    target_field: destination.as.organization.name
    ignore_missing: true
```

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

Author's Checklist

  • [ ]

How to test this PR locally

Related issues

Screenshots
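The PR's point is that the first lookup block is a strict subset of the second, so every processor in it is wasted work. The check below is an added example, not code from the elastic/integrations repository: it loads a pipeline in Elasticsearch's JSON form (the same structure as the YAML above; `PUT _ingest/pipeline` accepts JSON), flags processors whose configuration is identical to an earlier one, and keeps only the last copy, which is what this PR did by hand. The sample pipeline, and the helper names `geo_lookup`, `asn_lookup`, `rename`, `sample_block`, `find_redundant` and `deduplicate`, are constructed for this example.

```python
"""Flag processors that appear more than once in an Elasticsearch ingest pipeline.

Added example; not code from the elastic/integrations repository. The sample
pipeline is a constructed JSON rendering of the YAML fragment in the PR
description, and the helper names below are this example's own.
"""
import json


def geo_lookup(prefix):
    """geoip processor writing <prefix>.geo from <prefix>.ip, as in the page's YAML."""
    return {"geoip": {"field": f"{prefix}.ip", "target_field": f"{prefix}.geo",
                      "ignore_missing": True}}


def asn_lookup(prefix):
    """geoip processor against the ASN database, as in the page's YAML."""
    return {"geoip": {"database_file": "GeoLite2-ASN.mmdb", "field": f"{prefix}.ip",
                      "target_field": f"{prefix}.as",
                      "properties": ["asn", "organization_name"],
                      "ignore_missing": True}}


def rename(src, dst):
    """rename processor with ignore_missing, as in the page's YAML."""
    return {"rename": {"field": src, "target_field": dst, "ignore_missing": True}}


def sample_block(with_observer):
    """One copy of the lookup block; the second copy on the page adds observer.ip."""
    block = [geo_lookup("observer")] if with_observer else []
    block += [geo_lookup("source"), geo_lookup("destination"),
              asn_lookup("source"), asn_lookup("destination"),
              rename("source.as.asn", "source.as.number"),
              rename("source.as.organization_name", "source.as.organization.name"),
              rename("destination.as.asn", "destination.as.number"),
              rename("destination.as.organization_name",
                     "destination.as.organization.name")]
    return block


# Constructed: the pipeline as it looked before the PR, first copy then second.
SAMPLE_PIPELINE = json.dumps({"processors": sample_block(False) + sample_block(True)})


def canonical(processor):
    """Key-order-independent form so two processors with equal config compare equal."""
    return json.dumps(processor, sort_keys=True, separators=(",", ":"))


def find_redundant(pipeline_json):
    """Return (earlier_index, later_index) pairs of identically configured processors."""
    processors = json.loads(pipeline_json)["processors"]
    last_seen = {}
    pairs = []
    for i, proc in enumerate(processors):
        key = canonical(proc)
        if key in last_seen:
            pairs.append((last_seen[key], i))
        last_seen[key] = i
    return pairs


def deduplicate(pipeline_json):
    """Keep only the last copy of each repeated processor, preserving order (as the PR did)."""
    processors = json.loads(pipeline_json)["processors"]
    drop = {earlier for earlier, _ in find_redundant(pipeline_json)}
    return [proc for i, proc in enumerate(processors) if i not in drop]


if __name__ == "__main__":
    for earlier, later in find_redundant(SAMPLE_PIPELINE):
        print(f"processor {earlier} is repeated at {later}")
    print(len(deduplicate(SAMPLE_PIPELINE)), "processors after deduplication")
```

The check only flags candidates. Dropping a repeated processor is safe here because each `geoip` reads the same, unchanged source field and writes the same target field, so the later run supersedes the earlier one; for a processor whose input is modified by something that runs between the two copies, the same configuration does not mean the same effect, and a human still has to look at what sits in between.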

@elasticmachine commented Mar 7, 2023

💚 Build Succeeded

Build stats

  • Start Time: 2023-03-17T23:18:40.411+0000
  • Duration: 15 min 20 sec

Test stats 🧪

| Test Results | |
|---|---|
| Failed | 0 |
| Passed | 14 |
| Skipped | 0 |
| Total | 14 |

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

@metalshanked

@efd6 - had a question on the below line.
It seems to create many events with the current timestamp due to the _ingest.timestamp block after the below.
Shouldn't the current timestamp be used for @timestamp like a last resort after some other potential date fields can be used for @timestamp?
Example: crowdstrike.FirstSeen or crowdstrike.Time etc?

```json
{"processors": [{"set": {"tag": "set-timestamp", "field": "@timestamp", "copy_from": "event.created", "if": "ctx.event?.created != null && (ctx.crowdstrike?.ContextTimeStamp == null || ctx.crowdstrike?.ContextTimeStamp == \"\")"}}]}
```

```yaml
  - set:
      tag: set-timestamp
      field: "@timestamp"
      copy_from: event.created
      if: ctx.event?.created != null && (ctx.crowdstrike?.ContextTimeStamp == null || ctx.crowdstrike?.ContextTimeStamp == "")
  - set:
      tag: set-timestamp-ingest
      field: "@timestamp"
      copy_from: _ingest.timestamp
      if: ctx["@timestamp"] == null
```

@elasticmachine commented Mar 7, 2023

🌐 Coverage report

| Name | Metrics % (covered/total) | Diff |
|---|---|---|
| Packages | 100.0% (2/2) 💚 | |
| Files | 100.0% (9/9) 💚 | 3.432 |
| Classes | 100.0% (9/9) 💚 | 3.432 |
| Methods | 100.0% (53/53) 💚 | 8.84 |
| Lines | 95.111% (2646/2782) 👍 | 3.729 |
| Conditionals | 100.0% (0/0) 💚 | |

@efd6 efd6 marked this pull request as ready for review March 7, 2023 01:01
@efd6 efd6 requested a review from a team as a code owner March 7, 2023 01:01
@elasticmachine

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@efd6 (Contributor, Author) commented Mar 7, 2023

@metalshanked The second set processor only sets the @timestamp from _ingest.timestamp if it is not already set, as a fallback. If you are having problems with this, please file an issue with details so we can look into it.

@metalshanked

Thanks @efd6. Yes, due to `ctx.crowdstrike?.ContextTimeStamp == null || ctx.crowdstrike?.ContextTimeStamp == ""`, a lot of messages get marked with the _ingest.timestamp as a fallback. So I was wondering if other timestamps in the Crowdstrike fields, crowdstrike.FirstSeen or crowdstrike.Time, can also be attempted before the _ingest.timestamp is applied.
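The exchange above is about the order in which the two `set` processors pick `@timestamp`, and why so many events end up with ingest time. The simulation below is an added example, not the integration's own pipeline code: it mirrors the two quoted processors as ordered (tag, copy_from, condition) steps, with each Painless `if` re-expressed as a Python predicate rather than executed, and adds a variant with an intermediate step that tries `crowdstrike.FirstSeen` before falling back, which is the ordering the comment asks about. The sample events, the stand-in `_ingest.timestamp` value, the processor tag `set-timestamp-firstseen`, and the helper names `get_path`, `context_ts_missing` and `run` are constructed for this example and are not from the page or the integration.

```python
"""Simulate the @timestamp fallback chain of `set` processors quoted above.

Added example, not the integration's own pipeline code. Painless is not
executed: each processor's `if` is re-expressed as a Python predicate. The
events, the stand-in _ingest.timestamp value, and the extra FirstSeen step
(assumed tag set-timestamp-firstseen) are constructed for this illustration.
"""
import copy

INGEST_TIMESTAMP = "2023-03-07T00:00:00.000Z"  # constructed stand-in for _ingest.timestamp


def get_path(doc, path):
    """Null-safe dotted lookup, the Python counterpart of ctx.a?.b in Painless."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def context_ts_missing(ctx):
    """ctx.crowdstrike?.ContextTimeStamp == null || ... == "" from the quoted condition."""
    value = get_path(ctx, "crowdstrike.ContextTimeStamp")
    return value is None or value == ""


# One tuple per `set` processor: (tag, copy_from, condition), mirroring the quoted YAML.
PIPELINE_AS_SHIPPED = [
    ("set-timestamp", "event.created",
     lambda ctx: get_path(ctx, "event.created") is not None and context_ts_missing(ctx)),
    ("set-timestamp-ingest", "_ingest.timestamp",
     lambda ctx: ctx.get("@timestamp") is None),
]

# Assumed variant (not on the page): try crowdstrike.FirstSeen before resorting to ingest time.
PIPELINE_WITH_FIRSTSEEN = [
    PIPELINE_AS_SHIPPED[0],
    ("set-timestamp-firstseen", "crowdstrike.FirstSeen",
     lambda ctx: ctx.get("@timestamp") is None
     and get_path(ctx, "crowdstrike.FirstSeen") is not None),
    PIPELINE_AS_SHIPPED[1],
]


def run(pipeline, event):
    """Apply the processors in order; return (@timestamp, tags of the processors that fired)."""
    ctx = copy.deepcopy(event)
    ctx["_ingest"] = {"timestamp": INGEST_TIMESTAMP}
    fired = []
    for tag, source, condition in pipeline:
        if condition(ctx):
            ctx["@timestamp"] = get_path(ctx, source)
            fired.append(tag)
    return ctx.get("@timestamp"), fired


# Constructed events. The processor that sets @timestamp from ContextTimeStamp is not
# shown on the page, so both samples leave ContextTimeStamp empty or absent.
EVENT_WITH_CREATED = {"event": {"created": "2023-03-06T10:00:00.000Z"},
                      "crowdstrike": {"ContextTimeStamp": ""}}
EVENT_FIRSTSEEN_ONLY = {"crowdstrike": {"FirstSeen": "2023-03-01T08:30:00.000Z"}}


if __name__ == "__main__":
    for name, pipeline in [("shipped", PIPELINE_AS_SHIPPED),
                           ("with FirstSeen", PIPELINE_WITH_FIRSTSEEN)]:
        for event in (EVENT_WITH_CREATED, EVENT_FIRSTSEEN_ONLY):
            print(name, run(pipeline, event))
```

Running the shipped chain over a batch of events and counting how often the last fired tag is `set-timestamp-ingest` gives a direct measure of how many events are being stamped with ingest time, which is the symptom the comment reports; any event stamped that way sorts by arrival rather than by when the sensor observed it, so detection rules and timelines keyed on `@timestamp` see a distorted order.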

@kcreddy (Contributor) left a comment

LGTM

@efd6 efd6 merged commit 4bddd20 into elastic:main Mar 18, 2023
@elasticmachine

Package crowdstrike - 1.10.2 containing this change is available at https://epr.elastic.co/search?package=crowdstrike

agithomas pushed a commit to agithomas/integrations that referenced this pull request Mar 20, 2023
agithomas pushed a commit to agithomas/integrations that referenced this pull request Mar 21, 2023
Labels: bug (Something isn't working), Integration:crowdstrike (CrowdStrike)

4 participants