[Filebeat][Crowdstrike] Adding fix to ingest pipeline for command line array handling (#36496) (#36504)

* [Filebeat][Crowdstrike] Adding fix to ingest pipeline for command line args array handling

* changelog PR link update

* adding missing semicolon

* adding testdata to test the process commandline arg being an empty string

(cherry picked from commit 35fe318)

Co-authored-by: Marius Iversen <marius.iversen@elastic.co>
mergify[bot] and P1llus authored Sep 5, 2023
1 parent 9ce1a9c commit bf1e585
Showing 4 changed files with 41 additions and 7 deletions.
33 changes: 33 additions & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -37,6 +37,39 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d

*Filebeat*

- [Gcs Input] - Added missing locks for safe concurrency {pull}34914[34914]
- Fix the ignore_inactive option being ignored in Filebeat's filestream input {pull}34770[34770]
- Fix TestMultiEventForEOFRetryHandlerInput unit test of CometD input {pull}34903[34903]
- Add input instance id to request trace filename for httpjson and cel inputs {pull}35024[35024]
- Fixes "Can only start an input when all related states are finished" error when running under Elastic-Agent {pull}35250[35250] {issue}33653[33653]
- [system] sync system/auth dataset with system integration 1.29.0. {pull}35581[35581]
- [GCS Input] - Fixed an issue where bucket_timeout was being applied to the entire bucket poll interval and not individual bucket object read operations. Fixed a map write concurrency issue arising from data races when using a high number of workers. Fixed the flaky tests that were present in the GCS test suit. {pull}35605[35605]
- Fix filestream false positive log error "filestream input with ID 'xyz' already exists" {issue}31767[31767]
- Fix error message formatting from filestream input. {pull}35658[35658]
- Fix error when trying to use `include_message` parser {issue}35440[35440]
- Fix handling of IPv6 unspecified addresses in TCP input. {issue}35064[35064] {pull}35637[35637]
- Fixed a minor code error in the GCS input scheduler where a config value was being used directly instead of the source struct. {pull}35729[35729]
- Improve error reporting and fix IPv6 handling of TCP and UDP metric collection. {pull}35772[35772]
- Fix CEL input JSON marshalling of nested objects. {issue}35763[35763] {pull}35774[35774]
- Fix metric collection in GCPPubSub input. {pull}35773[35773]
- Fix end point deregistration in http_endpoint input. {issue}35899[35899] {pull}35903[35903]
- Fix duplicate ID panic in filestream metrics. {issue}35964[35964] {pull}35972[35972]
- Improve error reporting and fix IPv6 handling of TCP and UDP metric collection. {pull}35996[35996]
- Fix handling of NUL-terminated log lines in Fortinet Firewall module. {issue}36026[36026] {pull}36027[36027]
- Make redact field configuration recommended in CEL input and log warning if missing. {pull}36008[36008]
- Fix handling of region name configuration in awss3 input {pull}36034[36034]
- Fixed concurrency and flakey tests issue in azure blob storage input. {issue}35983[35983] {pull}36124[36124]
- Fix panic when sqs input metrics getter is invoked {pull}36101[36101] {issue}36077[36077]
- Make CEL input's `now` global variable static for evaluation lifetime. {pull}36107[36107]
- Update mito CEL extension library to v1.5.0. {pull}36146[36146]
- Filter out duplicate paths resolved from matching globs. {issue}36253[36253] {pull}36256[36256]
- Fix handling of TCP/UDP address resolution during metric initialization. {issue}35064[35064] {pull}36287[36287]
- Fix handling of Juniper SRX structured data when there is no leading junos element. {issue}36270[36270] {pull}36308[36308]
- Remove erroneous error log in GCPPubSub input. {pull}36296[36296]
- Fix Filebeat Cisco module with missing escape character {issue}36325[36325] {pull}36326[36326]
- Fix panic when redact option is not provided to CEL input. {issue}36387[36387] {pull}36388[36388]
- Remove 'onFilteredOut' and 'onDroppedOnPublish' callback logs {issue}36299[36299] {pull}36399[36399]
- Added a fix for Crowdstrike pipeline handling process arrays {pull}36496[36496]

*Heartbeat*
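
Review bot: Only the last added entry, `Added a fix for Crowdstrike pipeline handling process arrays {pull}36496[36496]`, belongs to this change, yet the hunk header (`-37,6 +37,39`) adds 33 lines under *Filebeat*. Confirm the other 32 entries are meant to land on this backport branch rather than being carried over while resolving the cherry-pick, and say so in the commit message if they are. The text `Improve error reporting and fix IPv6 handling of TCP and UDP metric collection.` also appears twice, with {pull}35772 and {pull}35996, and the Crowdstrike entry would help operators more if it named the failure that the fix removes.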

Expand Up @@ -281,7 +281,7 @@ processors:
commandLine = commandLine.trim();
if (commandLine != "") {
def args = Arrays.asList(/ /.split(commandLine));
def args = new ArrayList(Arrays.asList(/ /.split(commandLine)));
args.removeIf(arg -> arg == "");
ctx['process'] = new HashMap();
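
Review bot: The `new ArrayList(...)` copy on the `def args` line needs a comment saying why it is there. `Arrays.asList` returns a fixed-size list backed by the array, so `args.removeIf(arg -> arg == "")` throws `UnsupportedOperationException` as soon as it has an element to remove; without that explanation the wrapper looks redundant and is likely to be simplified away later. Since `commandLine` is already trimmed, splitting on `/ +/` would avoid producing empty tokens in the first place and is worth considering as the simpler form. Separately, splitting on a bare space still breaks quoted arguments that contain spaces, so `process.args` will not match the original argument vector for such command lines, which matters for detections written against that field.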
Expand Up @@ -19,7 +19,7 @@
"SeverityName": "High",
"FileName": "explorer.exe",
"FilePath": "\\Device\\HarddiskVolume1\\Windows",
"CommandLine": "C:\\Windows\\Explorer.EXE",
"CommandLine": "C:\\Windows\\Explorer.EXE --test",
"SHA256String": "6a671b92a69755de6fd063fcbe4ba926d83b49f78c42dbaeed8cdb6bbc57576a",
"MD5String": "ac4c51eb24aa95b77f705ab159189e24",
"MachineDomain": "CORP-DOMAIN",
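
Review bot: Changing the existing `CommandLine` value from `C:\\Windows\\Explorer.EXE` to `C:\\Windows\\Explorer.EXE --test` replaces the no-argument case shown here instead of adding to it. Keep the original event and add a separate event for the multi-argument input, so both the single-element path and the filtered `process.args` path stay covered by the fixture.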
@@ -1,6 +1,6 @@
[
{
"crowdstrike.event.CommandLine": "C:\\Windows\\Explorer.EXE",
"crowdstrike.event.CommandLine": "C:\\Windows\\Explorer.EXE --test",
"crowdstrike.event.ComputerName": "alice-laptop",
"crowdstrike.event.DetectDescription": "Terminated a process related to the deletion of backups, which is often indicative of ransomware activity.",
"crowdstrike.event.DetectId": "ldt:ec86abd353824e96765ecbe18eb4f0b4:38655257584",
Expand Down Expand Up @@ -67,9 +67,10 @@
"log.offset": 0,
"message": "Terminated a process related to the deletion of backups, which is often indicative of ransomware activity.",
"process.args": [
"C:\\Windows\\Explorer.EXE"
"C:\\Windows\\Explorer.EXE",
"--test"
],
"process.command_line": "C:\\Windows\\Explorer.EXE",
"process.command_line": "C:\\Windows\\Explorer.EXE --test",
"process.executable": "C:\\Windows\\Explorer.EXE",
"process.name": "explorer.exe",
"process.pid": 38684386611,
Expand Down Expand Up @@ -126,7 +127,7 @@
"log.flags": [
"multiline"
],
"log.offset": 2063,
"log.offset": 2071,
"message": "Incident score 1.2",
"service.type": "crowdstrike",
"tags": [
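
Review bot: The expected `log.offset` moves by 8 (2063 to 2071, and 2579 to 2587 in the next hunk), while the `CommandLine` change as displayed adds 7 characters (` --test`). Confirm the fixture really contains the extra character, for example a doubled space that produces the empty token this fix targets, and state that in the commit message or pull request description, because the difference is easy to lose in any view that collapses whitespace.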
Expand Down Expand Up @@ -169,7 +170,7 @@
"log.flags": [
"multiline"
],
"log.offset": 2579,
"log.offset": 2587,
"message": "quarantined_file_update",
"related.user": [
"Crowdstrike"