x-pack/filebeat/module/microsoft: drop empty api responses#34893
Merged
efd6 merged 2 commits intoelastic:mainfrom Mar 28, 2023
Merged
x-pack/filebeat/module/microsoft: drop empty api responses#34893efd6 merged 2 commits intoelastic:mainfrom
efd6 merged 2 commits intoelastic:mainfrom
Conversation
efd6
added
Filebeat
botelastic
Bot
added
needs_team
Contributor
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
💚 Flaky test reportTests succeeded. 🤖 GitHub commentsExpand to view the GitHub comments
To re-run your PR in the CI, just comment with:
|
Contributor
|
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
andrewkroh
approved these changes
Mar 27, 2023
Member
andrewkroh
left a comment
andrewkroh
left a comment
There was a problem hiding this comment.
LGTM. If there's not a sample log test case it would be nice to have one (but actually now that I think about this, I have no idea if the test harness would support verifying drops).
|
|
||
| response.split: | ||
| target: body.value | ||
| ignore_empty_value: true |
Member
There was a problem hiding this comment.
Do we have any test cases in our logs that have an empty value field?
Contributor
Author
There was a problem hiding this comment.
We do in the integration, but not here. I looked into adding one, but it's not as easy as it is in the integrations.
Contributor
Author
There was a problem hiding this comment.
I've come up with an approach that serves to test this. It's not pretty, but it works.
efd6
commented
Mar 28, 2023
| {"id":"da637291048912199236_1126926584","incidentId":11,"investigationId":7,"assignedTo":null,"severity":"Medium","status":"New","classification":null,"determination":null,"investigationState":"TerminatedByUser","detectionSource":"WindowsDefenderAtp","category":"DefenseEvasion","threatFamilyName":null,"title":"Suspicious process injection observed","description":"A process abnormally injected code into another process, As a result, unexpected code may be running in the target process memory. Injection is often used to hide malicious code execution within a trusted process. \nAs a result, the target process may exhibit abnormal behaviors such as opening a listening port or connecting to a command and control server.","alertCreationTime":"2020-06-30T09:08:11.1084877Z","firstEventTime":"2020-06-30T09:04:56.8490679Z","lastEventTime":"2020-06-30T09:45:39.5484377Z","lastUpdateTime":"2020-06-30T15:29:44.7733333Z","resolvedTime":null,"machineId":"543bc5a964f417c11f6277d5bf9489f0d","computerDnsName":"testserver4","rbacGroupName":null,"aadTenantId":"123543-d66c-4c7e-9e30-40034eb7c6f3","relatedUser":{"userName":"administrator1","domainName":"TestServer4"},"comments":[],"evidence":{"entityType":"Process","sha1":"b6d237154f2e528f0b503b58b025862d66b02b73","sha256":"a92056d772260b39a876d01552496b2f8b4610a0b1e084952fe1176784e2ce77","fileName":"notepad.exe","filePath":"C:\\Windows\\System32","processId":4104,"processCommandLine":"\"notepad.exe\"","processCreationTime":"2020-06-30T09:45:38.9784654Z","parentProcessId":6012,"parentProcessCreationTime":"2020-06-30T09:04:51.487396Z","ipAddress":null,"url":null,"accountName":null,"domainName":null,"userSid":null,"aadUserId":null,"userPrincipalName":null}} | ||
| {"id":"da637291048912199236_1126926584","incidentId":11,"investigationId":7,"assignedTo":null,"severity":"Medium","status":"New","classification":null,"determination":null,"investigationState":"TerminatedByUser","detectionSource":"WindowsDefenderAtp","category":"DefenseEvasion","threatFamilyName":null,"title":"Suspicious process injection observed","description":"A process abnormally injected code into another process, As a result, unexpected code may be running in the target process memory. Injection is often used to hide malicious code execution within a trusted process. \nAs a result, the target process may exhibit abnormal behaviors such as opening a listening port or connecting to a command and control server.","alertCreationTime":"2020-06-30T09:08:11.1084877Z","firstEventTime":"2020-06-30T09:04:56.8490679Z","lastEventTime":"2020-06-30T09:45:39.5484377Z","lastUpdateTime":"2020-06-30T15:29:44.7733333Z","resolvedTime":null,"machineId":"53425a964f417c11f6277d5bf9489f0d","computerDnsName":"testserver4","rbacGroupName":null,"aadTenantId":"43521344-d66c-4c7e-9e30-40034eb7c6f3","relatedUser":{"userName":"administrator1","domainName":"TestServer4"},"comments":[],"evidence":{"entityType":"User","sha1":null,"sha256":null,"fileName":null,"filePath":null,"processId":null,"processCommandLine":null,"processCreationTime":null,"parentProcessId":null,"parentProcessCreationTime":null,"ipAddress":null,"url":null,"accountName":"administrator1","domainName":"TestServer4","userSid":"S-1-5-21-46152456-1367606905-4031241297-500","aadUserId":null,"userPrincipalName":null}} | ||
| {"id":"da637291063515066999_-2102938302","incidentId":12,"investigationId":9,"assignedTo":"Automation","severity":"Informational","status":"Resolved","classification":null,"determination":null,"investigationState":"Benign","detectionSource":"WindowsDefenderAv","category":"Malware","threatFamilyName":null,"title":"'Mountsi' malware was detected","description":"Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nThis detection might indicate that the malware was stopped from delivering its payload. However, it is prudent to check the machine for signs of infection.","alertCreationTime":"2020-06-30T09:32:31.4579225Z","firstEventTime":"2020-06-30T09:31:22.5729558Z","lastEventTime":"2020-06-30T09:46:15.0876676Z","lastUpdateTime":"2020-06-30T11:13:12.9Z","resolvedTime":"2020-06-30T11:13:12.2680434Z","machineId":"t4563234bc5a964f417c11f6277d5bf9489f0d","computerDnsName":"testserver4","rbacGroupName":null,"aadTenantId":"1234543-d66c-4c7e-9e30-40034eb7c6f3","relatedUser":null,"comments":[],"evidence":{"entityType":"File","sha1":"ffb1670c6c6a9c5b4c5cea8b6b8e68d62e7ff281","sha256":"fd46705c4f67a8ef16e76259ca6d6253241e51a1f8952223145f92aa1907d356","fileName":"amsistream-1D89ECED25A52AB98B76FF619B7BA07A","filePath":null,"processId":null,"processCommandLine":null,"processCreationTime":null,"parentProcessId":null,"parentProcessCreationTime":null,"ipAddress":null,"url":null,"accountName":null,"domainName":null,"userSid":null,"aadUserId":null,"userPrincipalName":null}} | ||
| {"value":[],"note":"THIS MESSAGE SHOULD NOT END UP IN THE EXPECTS JSON FILE."} |
Contributor
Author
There was a problem hiding this comment.
If this ends up in the result we error out. This is the case if the pipeline drop processors are not in place.
There was a problem hiding this comment.
if you would like here is a sample of an empty event for your test case
{"@timestamp":"2023-03-31T23:06:13.507Z","@metadata":{"beat":"filebeat","type":"_doc","version":"8.4.3","pipeline":"filebeat-8.4.3-microsoft-defender_atp-pipeline"},"agent":{"type":"filebeat
","version":"8.4.3","ephemeral_id":"382fa7a9-285e-47b9-bedc-badbd225347e","id":"e20495e9-3358-4155-b4c9-9a519775d234","name":"collector-01"},"fileset":{"name":"defender_atp"},"service":{"typ
e":"microsoft"},"ecs":{"version":"1.12.0"},"input":{"type":"httpjson"},"organization":{"name":"acme"},"json":{"@odata.context":"https://api.securitycenter.windows.com/api/$metadata#Alerts","
value":[]},"event":{"created":"2023-03-31T23:06:13.507Z","dataset":"microsoft.defender_atp","module":"microsoft"},"message":"{\"@odata.context\":\"https://api.securitycenter.windows.com/api/
$metadata#Alerts\",\"value\":[]}","tags":["acme","defender-atp","forwarded"]}
mergify Bot
pushed a commit
that referenced
this pull request
Mar 28, 2023
This is a port of elastic/integrations#5164. (cherry picked from commit 429bdeb)
efd6
added a commit
that referenced
this pull request
Mar 28, 2023
…34947) This is a port of elastic/integrations#5164. (cherry picked from commit 429bdeb) Co-authored-by: Dan Kortschak <90160302+efd6@users.noreply.github.com> Co-authored-by: Dan Kortschak <dan.kortschak@elastic.co>
chrisberkhout
pushed a commit
that referenced
this pull request
Jun 1, 2023
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What does this PR do?
Allows dropping of responses that hold no event data.
This is a port of elastic/integrations#5164.
Why is it important?
Empty responses waste space and do not conform to the expected format of the datastream.
Checklist
CHANGELOG.next.asciidocorCHANGELOG-developer.next.asciidoc.Author's Checklist
How to test this PR locally
Related issues
Use cases
Screenshots
Logs