Populate quesiton.type for dns events#88
Conversation
|
Out of curiosity why do we need to populate these fields in the pipeline rather than have the endpoint populate the fields when it builds the rest of the event? |
Yeah @jrmolin or @ferullo can probably answer better here. I believe certain fields are more difficult than others to parse on the endpoint side. I think most of the information was retrieved in the ETW events for the original sensor and they have to track multiple events to get the information. But since we're already putting the information in the |
|
@jonathan-buttner if/when Endpoint begins to populate this data will the pipeline still overwrite with Endpoint sets or will this code be effectively disabled? |
The way this PR is right now, it'd overwrite what the endpoint puts in those fields. I can add a simple |
|
I think that would be a good check to add. Marshall makes a good point about Endpoint doing this itself. The reality though is Endpoint won't get that done for 7.10 and functionally it doesn't matter if Endpoint or the pipeline does this until detection rules can be run in Endpoint. We should move this logic to Endpoint when that happens but if there's no reason to not merge this it seems like it'll give detection rules the data they need in the meantime. Does that sound reasonable? |
|
Once we add and ship this pipeline we can't really remove it from the package unless we can ensure that all endpoints that use it have been upgraded to populate the fields on the endpoint side, or we'd have to be comfortable breaking compatibility at some point between new package versions and old endpoints. So the risk is that long term we build up a bunch of these fixes applying subtly different modifications and end up with a complex pipeline if we're not careful about what we use it for. I think the |
Yeah that's a good point. I agree, hopefully we can stick to adding fields that don't exist in the pipelines and avoid modifying existing fields. If we end up having to make breaking changes we should wait until an 8.x release for that. I'll add the check to see if the field already exists. |
| - "^DNS query is completed for the name %{DOMAIN_NAME:dns.question.name}, type %{WORD:dns.question.Ext.type}" | ||
| - script: | ||
| ignore_failure: true | ||
| if: "ctx.network.protocol == 'dns' && ctx.dns?.question?.Ext?.type != null && ctx.dns?.question?.type == null" |
There was a problem hiding this comment.
If above grok doesn't run then this processor won't run either because it needs the dns.quesiton.Ext.type to be present.
| - location | ||
| ignore_missing: true | ||
| - grok: | ||
| if: "ctx.network.protocol == 'dns' && ctx.dns?.question?.name == null" |
There was a problem hiding this comment.
if dns.question.type exists but the name doesn't, name would still be filled in using grok here.
|
I must have completely overlooked this but the endpoint is already populating Doesn't look like linux or mac send dns events, but I assume once they do they can just populate the |
This PR adds a couple pipeline processors to parse the DNS network events
messagefield. It uses themessagefield to populatedns.question.typeanddns.question.name. I also switched the pipeline over to be a yml file instead of json so I could write a multiline script.@ferullo @jrmolin once this goes in we'll need to coordinate on any changes to the DNS events
messagefield. Also could you point me at the endgame sensor'squestion.typeparsing code for number -> string representation. I just want to make sure I miss any.I'm using this regex:
WORDis defined here: https://github.com/elastic/elasticsearch/blob/7.9/libs/grok/src/main/resources/patterns/grok-patterns#L14Since it's possible the domain name could have invalid characters in the request I figured it's best to get everything and assume a comma ends the field. Let me know if you have better ideas though.
Reference:
#83
Working example
cc: @MikePaquette