[Filebeat] Use ingress/egress for crowdstrike and auditd modules (#23041)

Andrew Stucki · web-flow · commit 9c89efffb483 · 2020-12-09T19:13:59.000-05:00
* [Filebeat] Use ingress/egress for crowdstrike and auditd modules

* Add changelog entry
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -97,6 +97,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Remove `suricata.eve.timestamp` alias field. {issue}10535[10535] {pull}22095[22095]
 - Rename bad ECS field name tracing.trace.id to trace.id in aws elb fileset. {pull}22571[22571]
 - Fix parsing issues with nested JSON payloads in Elasticsearch audit log fileset. {pull}22975[22975]
+- Rename `network.direction` values in crowdstrike/falcon to `ingress`/`egress`. {pull}23041[23041]
 
 *Heartbeat*
 
@@ -568,7 +569,6 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Set event.outcome field based on googlecloud audit log output. {pull}15731[15731]
 - Add dashboard for AWS ELB fileset. {pull}15804[15804]
 - Add dashboard for AWS vpcflow fileset. {pull}16007[16007]
-
 - `container` and `docker` inputs now support reading of labels and env vars written by docker JSON file logging driver. {issue}8358[8358]
 - Add `index` option to all inputs to directly set a per-input index value. {pull}14010[14010]
 - Add ECS tls fields to zeek:smtp,rdp,ssl and aws:s3access,elb {issue}15757[15757] {pull}15935[15936]
@@ -749,6 +749,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Add `event.category` "configuration" to gsuite module events. {pull}23010[23010]
 - Add `event.category` "configuration" to o365 module events. {pull}23010[23010]
 - Add `event.category` "configuration" to zoom module events. {pull}23010[23010]
+- Add `network.direction` to auditd/log fileset. {pull}23041[23041]
 
 *Heartbeat*
 
diff --git a/filebeat/module/auditd/log/ingest/pipeline.yml b/filebeat/module/auditd/log/ingest/pipeline.yml
@@ -306,6 +306,23 @@ processors:
     field: container.runtime
     value: "{{ auditd.log.virt }}"
     ignore_empty_value: true
+- set:
+    if: >
+      ctx.auditd.log?.record_type == 'SYSCALL' && (
+      ctx.auditd.log?.syscall == 'accept' || ctx.auditd.log?.syscall == '43' ||
+      ctx.auditd.log?.syscall == 'recvfrom' || ctx.auditd.log?.syscall == '45' ||
+      ctx.auditd.log?.syscall == 'recvmsg' || ctx.auditd.log?.syscall == '47' ||
+      ctx.auditd.log?.syscall == 'accept4' || ctx.auditd.log?.syscall == '288' )
+    field: network.direction
+    value: ingress
+- set:
+    if: >
+      ctx.auditd.log?.record_type == 'SYSCALL' && (
+      ctx.auditd.log?.syscall == 'connect' || ctx.auditd.log?.syscall == '42' ||
+      ctx.auditd.log?.syscall == 'sendto' || ctx.auditd.log?.syscall == '44' ||
+      ctx.auditd.log?.syscall == 'sendmsg' || ctx.auditd.log?.syscall == '46')
+    field: network.direction
+    value: egress
 - rename:
     ignore_failure: true
     field: auditd.log.arch
diff --git a/filebeat/module/auditd/log/test/audit-rhel6.log-expected.json b/filebeat/module/auditd/log/test/audit-rhel6.log-expected.json
@@ -144,6 +144,7 @@
         "host.architecture": "x86_64",
         "input.type": "log",
         "log.offset": 1162,
+        "network.direction": "egress",
         "process.executable": "/usr/libexec/strongswan/charon (deleted)",
         "process.exit_code": 184,
         "process.name": "charon",
diff --git a/filebeat/module/auditd/log/test/audit-ubuntu1604.log b/filebeat/module/auditd/log/test/audit-ubuntu1604.log
@@ -0,0 +1,6 @@
+type=SYSCALL msg=audit(1492752520.441:8832): arch=c000003e syscall=43 success=yes exit=5 a0=3 a1=7ffd0dc80040 a2=7ffd0dc7ffd0 a3=0 items=0 ppid=1 pid=1663 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key="key=net"
+type=SOCKADDR msg=audit(1492752520.441:8832): saddr=0200E31C4853E6640000000000000000
+type=PROCTITLE msg=audit(1492752520.441:8832): proctitle="(sshd)"
+type=SYSCALL msg=audit(1492753107.096:9004): arch=c000003e syscall=42 success=no exit=-115 a0=5 a1=7ffc12ac3ab0 a2=10 a3=4 items=0 ppid=1 pid=1648 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="google_ip_forwa" exe="/usr/bin/python3.5" key="key=net"
+type=SOCKADDR msg=audit(1492753107.096:9004): saddr=02000050A9FEA9FE0000000000000000
+type=PROCTITLE msg=audit(1492753107.096:9004): proctitle="(g_daemon)"
diff --git a/filebeat/module/auditd/log/test/audit-ubuntu1604.log-expected.json b/filebeat/module/auditd/log/test/audit-ubuntu1604.log-expected.json
@@ -0,0 +1,130 @@
+[
+    {
+        "@timestamp": "2017-04-21T05:28:40.441Z",
+        "auditd.log.a0": "3",
+        "auditd.log.a1": "7ffd0dc80040",
+        "auditd.log.a2": "7ffd0dc7ffd0",
+        "auditd.log.a3": "0",
+        "auditd.log.items": "0",
+        "auditd.log.key": "key=net",
+        "auditd.log.sequence": 8832,
+        "auditd.log.ses": "4294967295",
+        "auditd.log.success": "yes",
+        "auditd.log.syscall": "43",
+        "auditd.log.tty": "(none)",
+        "event.action": "syscall",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "fileset.name": "log",
+        "host.architecture": "x86_64",
+        "input.type": "log",
+        "log.offset": 0,
+        "network.direction": "ingress",
+        "process.executable": "/usr/sbin/sshd",
+        "process.exit_code": 5,
+        "process.name": "sshd",
+        "process.pid": 1663,
+        "process.ppid": 1,
+        "service.type": "auditd",
+        "user.audit.id": "4294967295",
+        "user.effective.group.id": "0",
+        "user.effective.id": "0",
+        "user.filesystem.group.id": "0",
+        "user.filesystem.id": "0",
+        "user.group.id": "0",
+        "user.id": "0",
+        "user.saved.group.id": "0",
+        "user.saved.id": "0"
+    },
+    {
+        "@timestamp": "2017-04-21T05:28:40.441Z",
+        "auditd.log.saddr": "0200E31C4853E6640000000000000000",
+        "auditd.log.sequence": 8832,
+        "event.action": "sockaddr",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 300,
+        "service.type": "auditd"
+    },
+    {
+        "@timestamp": "2017-04-21T05:28:40.441Z",
+        "auditd.log.proctitle": "(sshd)",
+        "auditd.log.sequence": 8832,
+        "event.action": "proctitle",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 385,
+        "service.type": "auditd"
+    },
+    {
+        "@timestamp": "2017-04-21T05:38:27.096Z",
+        "auditd.log.a0": "5",
+        "auditd.log.a1": "7ffc12ac3ab0",
+        "auditd.log.a2": "10",
+        "auditd.log.a3": "4",
+        "auditd.log.items": "0",
+        "auditd.log.key": "key=net",
+        "auditd.log.sequence": 9004,
+        "auditd.log.ses": "4294967295",
+        "auditd.log.success": "no",
+        "auditd.log.syscall": "42",
+        "auditd.log.tty": "(none)",
+        "event.action": "syscall",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "fileset.name": "log",
+        "host.architecture": "x86_64",
+        "input.type": "log",
+        "log.offset": 451,
+        "network.direction": "egress",
+        "process.executable": "/usr/bin/python3.5",
+        "process.exit_code": -115,
+        "process.name": "google_ip_forwa",
+        "process.pid": 1648,
+        "process.ppid": 1,
+        "service.type": "auditd",
+        "user.audit.id": "4294967295",
+        "user.effective.group.id": "0",
+        "user.effective.id": "0",
+        "user.filesystem.group.id": "0",
+        "user.filesystem.id": "0",
+        "user.group.id": "0",
+        "user.id": "0",
+        "user.saved.group.id": "0",
+        "user.saved.id": "0"
+    },
+    {
+        "@timestamp": "2017-04-21T05:38:27.096Z",
+        "auditd.log.saddr": "02000050A9FEA9FE0000000000000000",
+        "auditd.log.sequence": 9004,
+        "event.action": "sockaddr",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 758,
+        "service.type": "auditd"
+    },
+    {
+        "@timestamp": "2017-04-21T05:38:27.096Z",
+        "auditd.log.proctitle": "(g_daemon)",
+        "auditd.log.sequence": 9004,
+        "event.action": "proctitle",
+        "event.dataset": "auditd.log",
+        "event.kind": "event",
+        "event.module": "auditd",
+        "fileset.name": "log",
+        "input.type": "log",
+        "log.offset": 843,
+        "service.type": "auditd"
+    }
+]
diff --git a/filebeat/module/auditd/log/test/test.log-expected.json b/filebeat/module/auditd/log/test/test.log-expected.json
@@ -40,6 +40,7 @@
         "host.architecture": "x86_64",
         "input.type": "log",
         "log.offset": 174,
+        "network.direction": "egress",
         "process.executable": "/usr/libexec/strongswan/charon (deleted)",
         "process.exit_code": 184,
         "process.name": "charon",
diff --git a/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js b/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js
@@ -45,13 +45,13 @@ var crowdstrikeFalconProcessor = (function () {
         var remoteAddress = evt.Get("crowdstrike.event.RemoteAddress");
         var remotePort = evt.Get("crowdstrike.event.RemotePort");
         if (evt.Get("crowdstrike.event.ConnectionDirection") === "1") {
-            evt.Put("network.direction", "inbound")
+            evt.Put("network.direction", "ingress")
             evt.Put("source.ip", remoteAddress)
             evt.Put("source.port", remotePort)
             evt.Put("destination.ip", localAddress)
             evt.Put("destination.port", localPort)
         } else {
-            evt.Put("network.direction", "outbound")
+            evt.Put("network.direction", "egress")
             evt.Put("destination.ip", remoteAddress)
             evt.Put("destination.port", remotePort)
             evt.Put("source.ip", localAddress)
diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log-expected.json b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log-expected.json
@@ -56,7 +56,7 @@
         ],
         "log.offset": 0,
         "message": "Firewall Rule 'Inbound SMB Block & Log Private' triggered",
-        "network.direction": "inbound",
+        "network.direction": "ingress",
         "network.type": "ipv4",
         "process.pid": "206158879910",
         "related.ip": [
