Skip to content

Commit

Permalink
Add IP validation to Security module (elastic#21325)
Browse files Browse the repository at this point in the history
For event 4778 (A session was reconnected to a Window Station) the `winlog.event_data.ClientAddress`
could be "LOCAL" which is obviosuly not a valid IP so we don't want to copy it into `source.ip` in that case.

Fixes elastic#19627

(cherry picked from commit 8c992c5)
  • Loading branch information
andrewkroh committed Jan 5, 2021
1 parent bf0fb8d commit 06fca06
Show file tree
Hide file tree
Showing 2 changed files with 3 additions and 1 deletion.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -330,6 +330,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
*Winlogbeat*

- Protect against accessing an undefined variable in Security module. {pull}22937[22937]
- Add source.ip validation for event ID 4778 in the Security module. {issue}19627[19627]

*Functionbeat*

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -1500,11 +1500,12 @@ var security = (function () {
fields: [
{from: "winlog.event_data.AccountName", to: "user.name"},
{from: "winlog.event_data.AccountDomain", to: "user.domain"},
{from: "winlog.event_data.ClientAddress", to: "source.ip"},
{from: "winlog.event_data.ClientAddress", to: "source.ip", type: "ip"},
{from: "winlog.event_data.ClientName", to: "source.domain"},
{from: "winlog.event_data.LogonID", to: "winlog.logon.id"},
],
ignore_missing: true,
fail_on_error: false,
})
.Add(function(evt) {
var user = evt.Get("winlog.event_data.AccountName");
Expand Down

0 comments on commit 06fca06

Please sign in to comment.