Crowdstrike Filebeat Module: Parsing Issues

The CrowdStrike Filebeat (version 7.8) module appears to have two issues.

- Null / non-existent values in event.UserIP field causing parse errors during ingest.
- Parsing of UTCTimestamp to crowdstrike.event.UTCTimestamp (ECS Format) appears to be incorrect for eventType=="UserActivityAuditEvent", timestamp is in UNIX format not UNIX_MS.

For confirmed bugs, please report:
- Version: 7.8.0
- Operating System: Ubuntu
- Discuss Forum URL: https://discuss.elastic.co/t/crowdstrike-module-unable-to-convert-value-value-is-not-a-valid-ip-address/239187
- Steps to Reproduce: This happens with out of the box configuration
- Work Around: 

#### Empty Source IP field 
At line 22 in `/usr/share/filebeat/module/crowdstrike/falcon/config/pipeline.js` add 
```
if (evt.Get("crowdstrike.metadata.eventType") == "UserActivityAuditEvent") {
   evt.Delete("crowdstrike.event.UserIp")
}
```

#### UTCTimestamp Conversion
at line 51 in  in `/usr/share/filebeat/module/crowdstrike/falcon/config/pipeline.js` add the following function
```
    var parseUTCTimestamp = new processor.Timestamp({
        field: "crowdstrike.event.UTCTimestamp",
        target_field: "crowdstrike.event.UTCTimestamp",
        timezone: "UTC",
        layouts: ["UNIX"],
        ignore_missing: true,
    });
```
Add the following to the pipeline processor chain 
```
	.Add(parseUTCTimestamp)
```


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Crowdstrike Filebeat Module: Parsing Issues #20035

Empty Source IP field

UTCTimestamp Conversion

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Crowdstrike Filebeat Module: Parsing Issues #20035

Description

Empty Source IP field

UTCTimestamp Conversion

Metadata

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Issue actions