From 89a4a0ed8633f29a841c8f9a5459d4cefae2b5b9 Mon Sep 17 00:00:00 2001 From: Andrew Kroh Date: Tue, 29 Sep 2020 07:11:22 -0400 Subject: [PATCH] Add IP validation to Security module (#21325) For event 4778 (A session was reconnected to a Window Station) the `winlog.event_data.ClientAddress` could be "LOCAL" which is obviosuly not a valid IP so we don't want to copy it into `source.ip` in that case. Fixes #19627 (cherry picked from commit 8c992c508b1bb3c690034b675110e2d595afd19a)
---
 CHANGELOG.next.asciidoc | 1 + .../winlogbeat/module/security/config/winlogbeat-security.js | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index c59fd8d84bf..3338d92085e 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -327,6 +327,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d *Winlogbeat* - Protect against accessing an undefined variable in Security module. {pull}22937[22937] +- Add source.ip validation for event ID 4778 in the Security module. {issue}19627[19627] *Functionbeat*
diff --git a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js
index 95405498c2f..56cdced6b51 100644
--- a/x-pack/winlogbeat/module/security/config/winlogbeat-security.js
+++ b/x-pack/winlogbeat/module/security/config/winlogbeat-security.js
@@ -1500,11 +1500,12 @@ var security = (function () {
 fields: [
 {from: "winlog.event_data.AccountName", to: "user.name"},
 {from: "winlog.event_data.AccountDomain", to: "user.domain"},
- {from: "winlog.event_data.ClientAddress", to: "source.ip"},
+ {from: "winlog.event_data.ClientAddress", to: "source.ip", type: "ip"},
 {from: "winlog.event_data.ClientName", to: "source.domain"},
 {from: "winlog.event_data.LogonID", to: "winlog.logon.id"},
 ],
 ignore_missing: true,
+ fail_on_error: false,
 })
 .Add(function(evt) {
 var user = evt.Get("winlog.event_data.AccountName");
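Review bot: The added `fail_on_error: false` in the winlogbeat-security.js hunk applies to every mapping in this `fields` list, not only `ClientAddress`, so a failed copy of `AccountName`, `AccountDomain`, `ClientName` or `LogonID` would presumably now be skipped without an error as well. A short comment above the option would record why it is there, for example `// ClientAddress may be "LOCAL" (not an IP); skip that field instead of failing the whole conversion`. The diffstat lists only the changelog and this file, so no test fixture seems to cover a session-reconnect event whose `ClientAddress` is `LOCAL`; a golden-file case would pin that `source.ip` stays unset while `winlog.event_data.ClientAddress` keeps the raw value for analysts. The enclosing `security` function and this processor chain start and end outside the hunk, so which event IDs share the block cannot be confirmed from here.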