Merged
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
@@ -129,6 +129,7 @@ automatic splitting at root level, if root level element is an array. {pull}3415
- Allow the `misp` fileset in the Filebeat `threatintel` module to ignore CIDR ranges for an IP field. {issue}29949[29949] {pull}34195[34195]
- Remove incorrect reference to CEL ext extensions package. {issue}34610[34610] {pull}34620[34620]
- Fix handling of RFC5988 links' relation parameters by `getRFC5988Link` in HTTPJSON. {issue}34603[34603] {pull}34622[34622]
- Drop empty API response events for Microsoft module. {issue}34786[34786] {pull}34893[34893]

*Auditbeat*
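Review bot: the entry says "Microsoft module" but the change is scoped to two filesets, which the rest of the diff identifies (the `filebeat-8.4.3-microsoft-defender_atp-pipeline` name in the sample event and the `microsoft.m365_defender.alerts.*` fields in the expected output). Naming them, e.g. "Drop empty API response events for the Microsoft `defender_atp` and `m365_defender` filesets", lets a reader tell from the changelog alone whether their fileset is affected. The `{issue}`/`{pull}` references follow the surrounding format.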

@@ -29,6 +29,7 @@ request.transforms:

response.split:
target: body.value
ignore_empty_value: true
Member

Do we have any test cases in our logs that have an empty value field?

Contributor Author

@efd6 efd6 Mar 27, 2023

We do in the integration, but not here. I looked into adding one, but it's not as easy as it is in the integrations.

Contributor Author

@efd6 efd6 Mar 28, 2023

I've come up with an approach that serves to test this. It's not pretty, but it works.

split:
target: body.evidence
keep_parent: true
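Review bot: `ignore_empty_value: true` is set only on the outer `response.split` (`target: body.value`); the nested `split` on `body.evidence` with `keep_parent: true` does not get it. The documented effect of the option is that an empty or missing target is skipped and processing passes on to the next nested split, so when `body.value` is `[]` the nested split is handed a body with no `body.evidence` and takes its default, non-ignoring path. The author's note further down, that the sentinel only stays out of the results because the ingest pipeline drops it, fits that reading: this line on its own does not remove empty pages. Either set `ignore_empty_value: true` on the nested split as well, or add a one-line comment here saying the pipeline's drop processor is the actual filter, so the next reader does not assume this option alone does the job.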
@@ -1,6 +1,8 @@
---
description: Pipeline for parsing microsoft atp logs
processors:
- drop:
if: ctx.json?.value != null && ctx.json.value.isEmpty()
- set:
field: event.ingested
value: '{{_ingest.timestamp}}'
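Review bot: the condition `ctx.json?.value != null && ctx.json.value.isEmpty()` calls `isEmpty()` on whatever type `json.value` happens to be. Painless resolves that for List, Map and String, but on a number or boolean the call is unresolvable and the document fails in the pipeline instead of being indexed. A type guard keeps the drop strictly to the empty-page case and also covers the null case, so the explicit null check can go: `if: ctx.json?.value instanceof List && ctx.json.value.isEmpty()`. Placing the processor first, ahead of `set event.ingested`, is right; nothing should be spent on a document that is about to be discarded.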
@@ -2,3 +2,4 @@
{"id":"da637291048912199236_1126926584","incidentId":11,"investigationId":7,"assignedTo":null,"severity":"Medium","status":"New","classification":null,"determination":null,"investigationState":"TerminatedByUser","detectionSource":"WindowsDefenderAtp","category":"DefenseEvasion","threatFamilyName":null,"title":"Suspicious process injection observed","description":"A process abnormally injected code into another process, As a result, unexpected code may be running in the target process memory. Injection is often used to hide malicious code execution within a trusted process. \nAs a result, the target process may exhibit abnormal behaviors such as opening a listening port or connecting to a command and control server.","alertCreationTime":"2020-06-30T09:08:11.1084877Z","firstEventTime":"2020-06-30T09:04:56.8490679Z","lastEventTime":"2020-06-30T09:45:39.5484377Z","lastUpdateTime":"2020-06-30T15:29:44.7733333Z","resolvedTime":null,"machineId":"543bc5a964f417c11f6277d5bf9489f0d","computerDnsName":"testserver4","rbacGroupName":null,"aadTenantId":"123543-d66c-4c7e-9e30-40034eb7c6f3","relatedUser":{"userName":"administrator1","domainName":"TestServer4"},"comments":[],"evidence":{"entityType":"Process","sha1":"b6d237154f2e528f0b503b58b025862d66b02b73","sha256":"a92056d772260b39a876d01552496b2f8b4610a0b1e084952fe1176784e2ce77","fileName":"notepad.exe","filePath":"C:\\Windows\\System32","processId":4104,"processCommandLine":"\"notepad.exe\"","processCreationTime":"2020-06-30T09:45:38.9784654Z","parentProcessId":6012,"parentProcessCreationTime":"2020-06-30T09:04:51.487396Z","ipAddress":null,"url":null,"accountName":null,"domainName":null,"userSid":null,"aadUserId":null,"userPrincipalName":null}}
{"id":"da637291048912199236_1126926584","incidentId":11,"investigationId":7,"assignedTo":null,"severity":"Medium","status":"New","classification":null,"determination":null,"investigationState":"TerminatedByUser","detectionSource":"WindowsDefenderAtp","category":"DefenseEvasion","threatFamilyName":null,"title":"Suspicious process injection observed","description":"A process abnormally injected code into another process, As a result, unexpected code may be running in the target process memory. Injection is often used to hide malicious code execution within a trusted process. \nAs a result, the target process may exhibit abnormal behaviors such as opening a listening port or connecting to a command and control server.","alertCreationTime":"2020-06-30T09:08:11.1084877Z","firstEventTime":"2020-06-30T09:04:56.8490679Z","lastEventTime":"2020-06-30T09:45:39.5484377Z","lastUpdateTime":"2020-06-30T15:29:44.7733333Z","resolvedTime":null,"machineId":"53425a964f417c11f6277d5bf9489f0d","computerDnsName":"testserver4","rbacGroupName":null,"aadTenantId":"43521344-d66c-4c7e-9e30-40034eb7c6f3","relatedUser":{"userName":"administrator1","domainName":"TestServer4"},"comments":[],"evidence":{"entityType":"User","sha1":null,"sha256":null,"fileName":null,"filePath":null,"processId":null,"processCommandLine":null,"processCreationTime":null,"parentProcessId":null,"parentProcessCreationTime":null,"ipAddress":null,"url":null,"accountName":"administrator1","domainName":"TestServer4","userSid":"S-1-5-21-46152456-1367606905-4031241297-500","aadUserId":null,"userPrincipalName":null}}
{"id":"da637291063515066999_-2102938302","incidentId":12,"investigationId":9,"assignedTo":"Automation","severity":"Informational","status":"Resolved","classification":null,"determination":null,"investigationState":"Benign","detectionSource":"WindowsDefenderAv","category":"Malware","threatFamilyName":null,"title":"'Mountsi' malware was detected","description":"Malware and unwanted software are undesirable applications that perform annoying, disruptive, or harmful actions on affected machines. Some of these undesirable applications can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyber attacks.\n\nThis detection might indicate that the malware was stopped from delivering its payload. However, it is prudent to check the machine for signs of infection.","alertCreationTime":"2020-06-30T09:32:31.4579225Z","firstEventTime":"2020-06-30T09:31:22.5729558Z","lastEventTime":"2020-06-30T09:46:15.0876676Z","lastUpdateTime":"2020-06-30T11:13:12.9Z","resolvedTime":"2020-06-30T11:13:12.2680434Z","machineId":"t4563234bc5a964f417c11f6277d5bf9489f0d","computerDnsName":"testserver4","rbacGroupName":null,"aadTenantId":"1234543-d66c-4c7e-9e30-40034eb7c6f3","relatedUser":null,"comments":[],"evidence":{"entityType":"File","sha1":"ffb1670c6c6a9c5b4c5cea8b6b8e68d62e7ff281","sha256":"fd46705c4f67a8ef16e76259ca6d6253241e51a1f8952223145f92aa1907d356","fileName":"amsistream-1D89ECED25A52AB98B76FF619B7BA07A","filePath":null,"processId":null,"processCommandLine":null,"processCreationTime":null,"parentProcessId":null,"parentProcessCreationTime":null,"ipAddress":null,"url":null,"accountName":null,"domainName":null,"userSid":null,"aadUserId":null,"userPrincipalName":null}}
{"value":[],"note":"THIS MESSAGE SHOULD NOT END UP IN THE EXPECTS JSON FILE."}
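Review bot: the sentinel line `{"value":[],"note":"THIS MESSAGE SHOULD NOT END UP IN THE EXPECTS JSON FILE."}` catches a missing drop processor only through the expected-file comparison; if the expected file is ever regenerated while the drop is broken, the sentinel is written into it and the test passes from then on. Since a JSON-lines fixture cannot carry a comment, the PR description (or the module's test notes) should tell whoever regenerates expected output to grep it for that `note` text first. Note also that this fixture exercises the pipeline drop only, not the `ignore_empty_value` change to the httpjson config, which matches the author's remark above that the input side is hard to cover here.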
Contributor Author

If this ends up in the result we error out. This is the case if the pipeline drop processors are not in place.


If you would like, here is a sample of an empty event for your test case:

{"@timestamp":"2023-03-31T23:06:13.507Z","@metadata":{"beat":"filebeat","type":"_doc","version":"8.4.3","pipeline":"filebeat-8.4.3-microsoft-defender_atp-pipeline"},"agent":{"type":"filebeat","version":"8.4.3","ephemeral_id":"382fa7a9-285e-47b9-bedc-badbd225347e","id":"e20495e9-3358-4155-b4c9-9a519775d234","name":"collector-01"},"fileset":{"name":"defender_atp"},"service":{"type":"microsoft"},"ecs":{"version":"1.12.0"},"input":{"type":"httpjson"},"organization":{"name":"acme"},"json":{"@odata.context":"https://api.securitycenter.windows.com/api/$metadata#Alerts","value":[]},"event":{"created":"2023-03-31T23:06:13.507Z","dataset":"microsoft.defender_atp","module":"microsoft"},"message":"{\"@odata.context\":\"https://api.securitycenter.windows.com/api/$metadata#Alerts\",\"value\":[]}","tags":["acme","defender-atp","forwarded"]}
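The sentinel approach the author describes, and the empty event sampled above, can be checked offline without the module test harness. The following Python is an added example, not code from this PR or from Beats: it mirrors the pipelines' Painless drop condition `ctx.json?.value != null && ctx.json.value.isEmpty()` in Python, feeds it constructed fixture lines placed under `json` the way the sample event above shows the decoded body, and reports whether the sentinel would leak into the expected output. The function names, the trimmed fixture lines and the `drop` switch are this example's own assumptions.

```python
"""Offline check for the "empty API page" drop logic (added example).

Mirrors the Painless condition used in the two ingest pipelines,
    ctx.json?.value != null && ctx.json.value.isEmpty()
and runs it over constructed fixture lines, asserting that the sentinel
never survives while real records (including an incident whose nested
`alerts` is `[]`) do.
"""
import json

# Text of the sentinel's `note` field, copied from the PR's fixture line.
SENTINEL_NOTE = "THIS MESSAGE SHOULD NOT END UP IN THE EXPECTS JSON FILE."

# Constructed fixture lines, modelled on (and trimmed from) the PR's test logs.
FIXTURE_LINES = [
    # A real Defender alert: must be kept.
    '{"id":"da637291048912199236_1126926584","incidentId":11,'
    '"severity":"Medium","evidence":{"entityType":"Process"}}',
    # An incident with an empty *nested* alerts array: must be kept, because
    # the drop only looks at a top-level "value".
    '{"incidentId":1111,"incidentName":"Impossible travel activity involving '
    'one user","alerts":[]}',
    # The sentinel: an empty API page, must be dropped.
    '{"value":[],"note":"' + SENTINEL_NOTE + '"}',
]


def is_empty_page(event):
    """Python equivalent of the pipeline's drop condition.

    Painless `isEmpty()` resolves on List, Map and String, so those three are
    treated as "empty" when they have no elements. Any other type (a number,
    a boolean) would make the Painless call fail and the document error out;
    here we return False and let such a document through instead of raising.
    """
    value = (event.get("json") or {}).get("value")  # mirrors ctx.json?.value
    if value is None:
        return False
    if isinstance(value, (list, dict, str)):
        return len(value) == 0
    return False


def decode_fixture_line(line):
    """Build the document shape the pipeline sees: the decoded body under
    `json` (as in the sample event above) plus the raw line as `message`.
    This is an assumption about how the test harness feeds fixture lines."""
    return {"message": line, "json": json.loads(line)}


def apply_drop(lines, drop=True):
    """Return the documents that would survive; `drop=False` simulates a
    pipeline whose drop processor is missing, the case the sentinel exists
    to catch."""
    docs = [decode_fixture_line(line) for line in lines]
    if not drop:
        return docs
    return [doc for doc in docs if not is_empty_page(doc)]


def check_fixture(lines, drop=True, sentinel=SENTINEL_NOTE):
    """Return (kept_count, sentinel_leaked): the check a reviewer would run
    before regenerating an expected file from this fixture."""
    kept = apply_drop(lines, drop=drop)
    leaked = any(doc["json"].get("note") == sentinel for doc in kept)
    return len(kept), leaked


if __name__ == "__main__":
    for drop in (True, False):
        count, leaked = check_fixture(FIXTURE_LINES, drop=drop)
        print(f"drop_processor={drop} kept={count} sentinel_leaked={leaked}")
```

Run it as-is to see the two outcomes side by side; with the drop in place two documents survive and the sentinel is absent, without it all three survive and the sentinel leaks, which is exactly what the expected-file comparison in the PR relies on.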

@@ -24,6 +24,7 @@ request.transforms:

response.split:
target: body.value
ignore_empty_value: true
split:
target: body.alerts
keep_parent: true
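Review bot: as in the other config, `ignore_empty_value: true` is on the outer `response.split` only; the nested `split` on `body.alerts` with `keep_parent: true` has no such setting, so an empty `body.value` is skipped by the outer split and then handed to a nested split that has no `body.alerts` to work on, on its default path. The first line of the matching fixture below is an incident with `"alerts":[]`, which is a legitimate record, so the nested split meets an empty target in normal operation too. Decide deliberately whether that nested split also wants `ignore_empty_value: true`, and leave a comment stating the intended outcome for an incident without alerts, rather than relying on whichever default path currently produces the right answer.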
@@ -1,6 +1,8 @@
---
description: Pipeline for parsing microsoft atp logs
processors:
- drop:
if: ctx.json?.value != null && ctx.json.value.isEmpty()
- set:
field: event.ingested
value: '{{_ingest.timestamp}}'
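Review bot: same condition as in the other pipeline, with the same edge: `isEmpty()` is unresolvable on a numeric or boolean `json.value` and would fail the document rather than index it, so `if: ctx.json?.value instanceof List && ctx.json.value.isEmpty()` is the safer guard and makes the null check redundant. Two pipelines now carry an identical processor; a comment on each saying it targets an empty top-level API page (`{"value":[]}`) and nothing else would help whoever has to touch both. While here, the context line `description: Pipeline for parsing microsoft atp logs` reads as copied from the other pipeline; the fixture below (`incidentId`, `alerts`) suggests this one handles a different fileset.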
@@ -1 +1,2 @@
{"incidentId":1111,"redirectIncidentId":1107,"incidentName":"Impossible travel activity involving one user","createdTime":"2021-04-12T11:18:28.86Z","lastUpdateTime":"2021-04-12T11:18:30.4033333Z","assignedTo":null,"classification":"Unknown","determination":"NotAvailable","status":"Redirected","severity":"UnSpecified","tags":[],"comments":[],"alerts":[]}
{"value":[],"note":"THIS MESSAGE SHOULD NOT END UP IN THE EXPECTS JSON FILE."}
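Review bot: the existing first line is an incident with `"alerts":[]`, and the new drop condition looks only at a top-level `value`, so that incident is still indexed while the new sentinel `{"value":[]}` is dropped. That is the right boundary (an incident with no alerts is still a record; an empty page is not), but nothing in the change states it. A sentence in the PR description saying the drop applies to an empty top-level `value` and not to records with empty nested arrays, plus keeping these two lines adjacent in the fixture, documents it for the next person who extends the test.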
@@ -31,7 +31,7 @@
"microsoft.m365_defender.alerts.detectionSource": "WindowsDefenderAv",
"microsoft.m365_defender.alerts.devices": [
{
"deviceDnsName": "TestServer5",
"deviceDnsName": "TestServer4",
"firstSeen": "2020-06-30T08:55:08.8320449Z",
"healthStatus": "Inactive",
"mdatpDeviceId": "75a63a39f9bc5a964f417c11f6277d5bf9489f0d",
@@ -43,7 +43,7 @@
"version": "Other"
},
{
"deviceDnsName": "TestServer4",
"deviceDnsName": "TestServer5",
"firstSeen": "2020-06-30T08:55:08.8320449Z",
"healthStatus": "Inactive",
"mdatpDeviceId": "75a63a39f9bc5a964f417c11f6277d5bf9489f0d",
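Review bot: these two hunks swap `deviceDnsName` between the two entries of `microsoft.m365_defender.alerts.devices` (`TestServer5` and `TestServer4` trade places) while both entries keep the same `mdatpDeviceId` `75a63a39f9bc5a964f417c11f6277d5bf9489f0d`, `firstSeen` and `healthStatus`. Nothing in the fix as described (a drop processor and `ignore_empty_value`) obviously changes element order inside a nested array, so either that order is not deterministic, in which case this test will flake, or another part of the change reorders it. The PR description should say which; if it is the former, the expected-output comparison should treat `devices` order-insensitively instead of encoding one ordering.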