-
Notifications
You must be signed in to change notification settings - Fork 387
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[integrations][CrowdStrike] - Fixed Windows NT timestamp parsing issue and IDP Log pipeline field naming issue #7548
[integrations][CrowdStrike] - Fixed Windows NT timestamp parsing issue and IDP Log pipeline field naming issue #7548
Conversation
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
🌐 Coverage report
|
🌐 Coverage report
|
@@ -28,12 +28,13 @@ | |||
"category": [ | |||
"malware" | |||
], | |||
"created": "+4223582-11-13T00:53:20.000Z", | |||
"created": "2023-03-01T05:50:56.000Z", | |||
"end": "1992-03-21T19:15:00.000Z", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This doesn't look right.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@efd6 This is what the source log has. I did not change anything here. You can check it here.
Both StartTime & EndTime have the exact value and if you plug these values here https://www.epochconverter.com/ldap, the result is the exactly the same.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh, I absolutely agree that this is what the input says, but I don't understand why the input has an event that occurred in 1992.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure either, maybe @P1llus has some idea since he worked on adding these events and logs.
"kind": "alert", | ||
"original": "{\n\t\"metadata\": {\n\t\t\"customerIDString\": \"12312312312312321\",\n\t\t\"offset\": 2662765,\n\t\t\"eventType\": \"IdpDetectionSummaryEvent\",\n\t\t\"eventCreationTime\": 1686848064000,\n\t\t\"version\": \"1.0\"\n\t},\n\t\"event\": {\n\t\t\"ContextTimeStamp\": 133221234560000000,\n\t\t\"DetectId\": \"12345678901234567890123456789012:ind:12345678901234567890123456789012:12345678-1234-1234-1234-123456789000\",\n\t\t\"DetectName\": \"Unusual login to an endpoint\",\n\t\t\"DetectDescription\": \"A user logged in to a machine for the first time\",\n\t\t\"FalconHostLink\": \"https://falcon.crowdstrike.com/identity-protection/detections/12345678901234567890123456789012:ind:12345678901234567890123456789012:12345678-1234-1234-1234-123456789000?cid=12345678901234567890123456789012\",\n\t\t\"StartTime\": 123456789000000000,\n\t\t\"EndTime\": 123456789000000000,\n\t\t\"Severity\": 7,\n\t\t\"Tactic\": \"Initial Access\",\n\t\t\"Technique\": \"Valid Accounts\",\n\t\t\"Objective\": \"Gain Access\",\n\t\t\"SourceAccountDomain\": \"DOMAIN.COM\",\n\t\t\"SourceAccountName\": \"johnb\",\n\t\t\"SourceAccountObjectSid\": \"S-1-3-44-55555555-666666666-7777777777-88888\",\n\t\t\"SourceEndpointAccountObjectGuid\": \"12345678-1234-1234-1234-123456789000\",\n\t\t\"SourceEndpointAccountObjectSid\": \"S-1-3-44-55555555-666666666-7777777777-88888\",\n\t\t\"SourceEndpointHostName\": \"pc01.domain.com\",\n\t\t\"SourceEndpointIpAddress\": \"81.2.69.144\",\n\t\t\"SourceEndpointSensorId\": \"12345678901234567890123456789012\",\n\t\t\"PrecedingActivityTimeStamp\": 133154452345780000,\n\t\t\"MostRecentActivityTimeStamp\": 133313215755670000,\n\t\t\"ActivityId\": \"12345678-1234-1234-1234-123456789000\",\n\t\t\"PatternId\": 51135\n\t}\n}", | ||
"reference": "https://falcon.crowdstrike.com/identity-protection/detections/12345678901234567890123456789012:ind:12345678901234567890123456789012:12345678-1234-1234-1234-123456789000?cid=12345678901234567890123456789012", | ||
"severity": 7, | ||
"start": "+3914159-11-26T20:00:00.000Z", | ||
"start": "1992-03-21T19:15:00.000Z", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same response as above.
packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml
Show resolved
Hide resolved
packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml
Outdated
Show resolved
Hide resolved
packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml
Show resolved
Hide resolved
packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml
Outdated
Show resolved
Hide resolved
packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml
Outdated
Show resolved
Hide resolved
packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml
Outdated
Show resolved
Hide resolved
packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml
Outdated
Show resolved
Hide resolved
…r of 100-nanosecond intervals that have elapsed since January 1, 1601 (UTC). The high bit of this value is set to 1 to indicate that it's a Windows NT timestamp. The condition longValue > 0x0100000000000000L checks if the high bit of the 64-bit value is set, which indicates that it's a Windows NT timestamp. If this condition is true, it means the timestamp is a Windows NT timestamp and needs to be converted to a Unix timestamp. The conversion involves dividing the value by 10000000 to convert from 100-nanosecond intervals to seconds and then subtracting the offset 11644473600L to account for the difference between Windows NT and Unix epoch times.
@efd6 I've made the suggested updates |
Package crowdstrike - 1.18.1 containing this change is available at https://epr.elastic.co/search?package=crowdstrike |
…e and IDP Log pipeline field naming issue (#7548) * fixed windows NT timestamp issue and idp logs pipeline issues * updated changelog * updated comments and implemented PR sugestions * In Windows NT, the timestamp is a 64-bit value representing the number of 100-nanosecond intervals that have elapsed since January 1, 1601 (UTC). The high bit of this value is set to 1 to indicate that it's a Windows NT timestamp. The condition longValue > 0x0100000000000000L checks if the high bit of the 64-bit value is set, which indicates that it's a Windows NT timestamp. If this condition is true, it means the timestamp is a Windows NT timestamp and needs to be converted to a Unix timestamp. The conversion involves dividing the value by 10000000 to convert from 100-nanosecond intervals to seconds and then subtracting the offset 11644473600L to account for the difference between Windows NT and Unix epoch times. * made PR suggested changes * updated comments
Type of change
What does this PR do?
This fixes the Windows NT timestamp parsing issues by introducing a conditional painless script that converts the NT timestamp to unix epoch timestamp. The PR also fixes a small field naming issue in the IDP Log pipeline, where target_field: event.end was mistakenly labelled as target_field: event.start.
Note
The logic for this PR is derived from the PR: #5168
Checklist
changelog.yml
file.Author's Checklist
How to test this PR locally
Related issues
Screenshots