From b6a068efc9bdc17de2697d8ba0d4183e7e9c24fd Mon Sep 17 00:00:00 2001
From: Lee Hinman <57081003+leehinman@users.noreply.github.com>
Date: Wed, 28 Oct 2020 12:19:14 -0500
Subject: [PATCH] protect against accessing undefined variables in sysmon module (#22236)
Closes #22219
(cherry picked from commit cffc81db9ae1f6ceab7c61ba5407e517165d1414)
---
 CHANGELOG.next.asciidoc | 1 +
 .../module/sysmon/config/winlogbeat-sysmon.js | 12 +++++++++++-
 2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index f96b5030e5b..656953b518f 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -438,6 +438,7 @@ field. You can revert this change by configuring tags for the module and omittin
 - Fix `event.outcome` in the security module for non-English languages. {issue}20079[20079] {pull}20564[2056
 - Fix duplicated field error when exporting index-pattern with migration.6_to_7.enabled. {issue}20521[20521] {pull}20540[20540]
 - Fields from Winlogbeat modules were not being included in index templates and patterns. {pull}18983[18983]
+- Protect against accessing undefined variables in Sysmon module. {issue}22219[22219] {pull}22236[22236]
 *Functionbeat*
diff --git a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js
index ed1776779d5..727c566b5a6 100644
--- a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js
+++ b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js
@@ -303,6 +303,9 @@ var sysmon = (function () {
 return;
 }
 var exe = evt.Get(pathField);
+ if (!exe) {
+ return;
+ }
 evt.Put(nameField, path.basename(exe));
 };
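Review bot: The new `if (!exe)` guard in front of `evt.Put(nameField, path.basename(exe))` carries no comment explaining why a missing value is expected here, and the identical bare guard is repeated in the addHashes hunk of the same file. A short why-comment above the check, along the lines of `// Field may be absent on some event types; skip rather than fail the processor on this event.`, would tell the next maintainer that this is a deliberate best-effort path (the "some event types" part is an inference from the issue title and should be confirmed before being written as fact). Note that `!exe` also skips an empty-string value, which looks intended since there is no meaningful basename to derive from it. The enclosing function starts before this hunk, so the branch that produces the earlier `return;` is not visible here.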
@@ -327,7 +330,11 @@ var sysmon = (function () {
 };
 var addUser = function (evt) {
- var userParts = evt.Get("winlog.event_data.User").split("\\");
+ var userParts = evt.Get("winlog.event_data.User");
+ if (!userParts) {
+ return;
+ }
+ userParts = userParts.split("\\");
 if (userParts.length === 2) {
 evt.Delete("user");
 evt.Put("user.domain", userParts[0]);
@@ -406,6 +413,9 @@ var sysmon = (function () {
 // in the specified namespace. It also adds all the hashes to 'related.hash'.
 var addHashes = function (evt, namespace, hashField) {
 var hashes = evt.Get(hashField);
+ if (!hashes) {
+ return;
+ }
 evt.Delete(hashField);
 hashes.split(",").forEach(function (hash) {
 var parts = hash.split("=");
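Review bot: `userParts` is a string on its first line and becomes an array only after `userParts = userParts.split("\\");`, so the name is wrong for half of the variable's lifetime and a reader has to track which shape it has at each line. Keeping the raw value under its own name avoids that: `var user = evt.Get("winlog.event_data.User");` / `if (!user) { return; }` / `var userParts = user.split("\\");`. Behavior is otherwise unchanged by the guard: a value with no backslash still produces a single-element array and falls through the `userParts.length === 2` check exactly as before, and an empty string is now skipped up front instead of reaching the split. The remainder of addUser, including any else branch of that length check, is outside the hunk.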
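Review bot: In the addHashes hunk the new guard returns before `evt.Delete(hashField)`, so an empty-string hash field is now left on the outgoing event, whereas the previous code removed it unconditionally before splitting; the guards in the other two hunks of this file precede only a Put and so do not have this side effect. If the intent is purely to skip an absent field, test for absence rather than falsiness, e.g. `if (hashes == null) { return; }`, or place the guard after the Delete so the raw field is always cleared. What `evt.Get` returns for a missing field is not visible in this hunk, so confirm it is null or undefined before relying on the `== null` form. The `forEach` callback opened on the last line continues past the hunk, so the handling of an entry without `=` cannot be assessed here.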