[integrations][CrowdStrike] - Fixed Windows NT timestamp parsing issue and IDP Log pipeline field naming issue #7548
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
ShourieG
added
bugfix
8.10 candidate
integration
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
🤖 GitHub commentsExpand to view the GitHub comments
To re-run your PR in the CI, just comment with:
|
🌐 Coverage report
|
🌐 Coverage report
|
efd6
reviewed
Aug 27, 2023
| @@ -28,12 +28,13 @@ | |||
| "category": [ | |||
| "malware" | |||
| ], | |||
| "created": "+4223582-11-13T00:53:20.000Z", | |||
| "created": "2023-03-01T05:50:56.000Z", | |||
| "end": "1992-03-21T19:15:00.000Z", | |||
There was a problem hiding this comment.
@efd6 This is what the source log has. I did not change anything here. You can check it here.
Both StartTime & EndTime have the exact value and if you plug these values here https://www.epochconverter.com/ldap, the result is the exactly the same.
There was a problem hiding this comment.
Oh, I absolutely agree that this is what the input says, but I don't understand why the input has an event that occurred in 1992.
There was a problem hiding this comment.
I'm not sure either, maybe @P1llus has some idea since he worked on adding these events and logs.
| "kind": "alert", | ||
| "original": "{\n\t\"metadata\": {\n\t\t\"customerIDString\": \"12312312312312321\",\n\t\t\"offset\": 2662765,\n\t\t\"eventType\": \"IdpDetectionSummaryEvent\",\n\t\t\"eventCreationTime\": 1686848064000,\n\t\t\"version\": \"1.0\"\n\t},\n\t\"event\": {\n\t\t\"ContextTimeStamp\": 133221234560000000,\n\t\t\"DetectId\": \"12345678901234567890123456789012:ind:12345678901234567890123456789012:12345678-1234-1234-1234-123456789000\",\n\t\t\"DetectName\": \"Unusual login to an endpoint\",\n\t\t\"DetectDescription\": \"A user logged in to a machine for the first time\",\n\t\t\"FalconHostLink\": \"https://falcon.crowdstrike.com/identity-protection/detections/12345678901234567890123456789012:ind:12345678901234567890123456789012:12345678-1234-1234-1234-123456789000?cid=12345678901234567890123456789012\",\n\t\t\"StartTime\": 123456789000000000,\n\t\t\"EndTime\": 123456789000000000,\n\t\t\"Severity\": 7,\n\t\t\"Tactic\": \"Initial Access\",\n\t\t\"Technique\": \"Valid Accounts\",\n\t\t\"Objective\": \"Gain Access\",\n\t\t\"SourceAccountDomain\": \"DOMAIN.COM\",\n\t\t\"SourceAccountName\": \"johnb\",\n\t\t\"SourceAccountObjectSid\": \"S-1-3-44-55555555-666666666-7777777777-88888\",\n\t\t\"SourceEndpointAccountObjectGuid\": \"12345678-1234-1234-1234-123456789000\",\n\t\t\"SourceEndpointAccountObjectSid\": \"S-1-3-44-55555555-666666666-7777777777-88888\",\n\t\t\"SourceEndpointHostName\": \"pc01.domain.com\",\n\t\t\"SourceEndpointIpAddress\": \"81.2.69.144\",\n\t\t\"SourceEndpointSensorId\": \"12345678901234567890123456789012\",\n\t\t\"PrecedingActivityTimeStamp\": 133154452345780000,\n\t\t\"MostRecentActivityTimeStamp\": 133313215755670000,\n\t\t\"ActivityId\": \"12345678-1234-1234-1234-123456789000\",\n\t\t\"PatternId\": 51135\n\t}\n}", | ||
| "reference": "https://falcon.crowdstrike.com/identity-protection/detections/12345678901234567890123456789012:ind:12345678901234567890123456789012:12345678-1234-1234-1234-123456789000?cid=12345678901234567890123456789012", | ||
| "severity": 7, | ||
| "start": "+3914159-11-26T20:00:00.000Z", | ||
| "start": "1992-03-21T19:15:00.000Z", |
There was a problem hiding this comment.
Same response as above.
packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml
Show resolved
Hide resolved
packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml
Outdated
Show resolved
Hide resolved
packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml
Show resolved
Hide resolved
packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml
Outdated
Show resolved
Hide resolved
packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml
Outdated
Show resolved
Hide resolved
efd6
reviewed
Aug 28, 2023
packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml
Outdated
Show resolved
Hide resolved
efd6
reviewed
Aug 28, 2023
packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml
Outdated
Show resolved
Hide resolved
…r of 100-nanosecond intervals that have elapsed since January 1, 1601 (UTC). The high bit of this value is set to 1 to indicate that it's a Windows NT timestamp. The condition longValue > 0x0100000000000000L checks if the high bit of the 64-bit value is set, which indicates that it's a Windows NT timestamp. If this condition is true, it means the timestamp is a Windows NT timestamp and needs to be converted to a Unix timestamp. The conversion involves dividing the value by 10000000 to convert from 100-nanosecond intervals to seconds and then subtracting the offset 11644473600L to account for the difference between Windows NT and Unix epoch times.
|
@efd6 I've made the suggested updates |
efd6
approved these changes
Aug 28, 2023
|
Package crowdstrike - 1.18.1 containing this change is available at https://epr.elastic.co/search?package=crowdstrike |
This was referenced Aug 29, 2023
Closed
gizas
pushed a commit
that referenced
this pull request
Sep 5, 2023
…e and IDP Log pipeline field naming issue (#7548) * fixed windows NT timestamp issue and idp logs pipeline issues * updated changelog * updated comments and implemented PR sugestions * In Windows NT, the timestamp is a 64-bit value representing the number of 100-nanosecond intervals that have elapsed since January 1, 1601 (UTC). The high bit of this value is set to 1 to indicate that it's a Windows NT timestamp. The condition longValue > 0x0100000000000000L checks if the high bit of the 64-bit value is set, which indicates that it's a Windows NT timestamp. If this condition is true, it means the timestamp is a Windows NT timestamp and needs to be converted to a Unix timestamp. The conversion involves dividing the value by 10000000 to convert from 100-nanosecond intervals to seconds and then subtracting the offset 11644473600L to account for the difference between Windows NT and Unix epoch times. * made PR suggested changes * updated comments
4 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Type of change
What does this PR do?
This fixes the Windows NT timestamp parsing issues by introducing a conditional painless script that converts the NT timestamp to unix epoch timestamp. The PR also fixes a small field naming issue in the IDP Log pipeline, where target_field: event.end was mistakenly labelled as target_field: event.start.
Note
The logic for this PR is derived from the PR: #5168
Checklist
changelog.ymlfile.Author's Checklist
How to test this PR locally
Related issues
Screenshots