CrowdStrike Module unable to convert value []: value is not a valid IP address

The CrowdStrike Filebeat (version 7.8) module appears to have two issues.

  1. Empty or null values in the event.UserIp field (the sample below has `"UserIp": ""`) cause a parse error during ingest.
  2. Parsing of UTCTimestamp to crowdstrike.event.UTCTimestamp (ECS Format) appears to be incorrect.

Please see the examples below. This was recreated on two separate servers with the default installation of CrowdStrike SIEM connector.

Original Log Format

    {
        "metadata": {
            "customerIDString": "...redacted...",
            "offset": 22865,
            "eventType": "UserActivityAuditEvent",
            "eventCreationTime": 1593186952000,
            "version": "1.0"
        },
        "event": {
            "UserId": "Crowdstrike",
            "UserIp": "",
            "OperationName": "quarantined_file_update",
            "ServiceName": "quarantined_files",
            "AuditKeyValues": [
                {
                    "Key": "quarantined_file_id",
                    "ValueString": "35b35a53da374816a6b471cf09e12019_a076d3121743755f2d4f8d4d5807f0bc013177f7847d09b48e76de88ace08c78"
                },
                {
                    "Key": "action_taken",
                    "ValueString": "quarantined"
                }
            ],
            "UTCTimestamp": 1593186952
        }
    }

Filebeat Parsed Event

    {
      "_index": "filebeat-7.8.0-2020.06.22-000001",
      "_type": "_doc",
      "_id": "0fdX8XIBwKcnb42G66Yn",
      "_version": 1,
      "_score": null,
      "_source": {
        "@timestamp": "2020-06-26T15:55:52.000Z",
        "service": {
          "type": "crowdstrike"
        },
        "input": {
          "type": "log"
        },
        "event": {
          "module": "crowdstrike",
          "dataset": "crowdstrike.falcon"
        },
        "fileset": {
          "name": "falcon"
        },
        "crowdstrike": {
          "metadata": {
            "eventType": "UserActivityAuditEvent",
            "eventCreationTime": 1593186952000,
            "version": "1.0",
            "customerIDString": "...redacted...",
            "offset": 22865
          },
          "event": {
            "OperationName": "quarantined_file_update",
            "ServiceName": "quarantined_files",
            "AuditKeyValues": [
              {
                "Key": "quarantined_file_id",
                "ValueString": "35b35a53da374816a6b471cf09e12019_a076d3121743755f2d4f8d4d5807f0bc013177f7847d09b48e76de88ace08c78"
              },
              {
                "Key": "action_taken",
                "ValueString": "quarantined"
              }
            ],
            "UTCTimestamp": 1593186952,
            "UserId": "Crowdstrike",
            "UserIp": ""
          }
        },
        "error": {
          "message": "GoError: failed in processor.convert: conversion of field [crowdstrike.event.UserIp] to type [ip] with target field [source.ip] failed: unable to convert value []: value is not a valid IP address"
        },
        "host": {
          "mac": [
            "...redacted..."
          ],
          "hostname": "...redacted...",
          "architecture": "x86_64",
          "os": {
            "codename": "bionic",
            "platform": "ubuntu",
            "version": "18.04.3 LTS (Bionic Beaver)",
            "family": "debian",
            "name": "Ubuntu",
            "kernel": "5.0.0-1036-azure"
          },
          "id": "...redacted...",
          "name": "...redacted...",
          "containerized": false,
          "ip": [
            "...redacted...",
            "...redacted..."
          ]
        },
        "log": {
          "flags": [
            "multiline"
          ],
          "offset": 29298,
          "file": {
            "path": "/var/log/crowdstrike/falconhoseclient/output"
          }
        },
        "tags": [
          "_js_exception"
        ],
        "agent": {
          "version": "7.8.0",
          "hostname": "...redacted...",
          "ephemeral_id": "...redacted...",
          "id": "...redacted...",
          "name": "...redacted...",
          "type": "filebeat"
        },
        "ecs": {
          "version": "1.5.0"
        },
        "cloud": {
          "region": "...redacted...",
          "provider": "az",
          "instance": {
            "id": "...redacted...",
            "name": "...redacted..."
          },
          "machine": {
            "type": "Standard_B4ms"
          }
        }
      },
      "fields": {
        "@timestamp": [
          "2020-06-26T15:55:52.000Z"
        ],
        "crowdstrike.event.UTCTimestamp": [
          "1970-01-19T10:33:06.952Z"
        ],
        "crowdstrike.metadata.eventCreationTime": [
          "2020-06-26T15:55:52.000Z"
        ],
        "suricata.eve.timestamp": [
          "2020-06-26T15:55:52.000Z"
        ]
      },
      "highlight": {
        "event.module": [
          "@kibana-highlighted-field@crowdstrike@/kibana-highlighted-field@"
        ]
      },
      "sort": [
        1593186952000
      ]
    }

Code with issue

/usr/share/filebeat/module/crowdstrike/falcon/config/pipeline.js

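        // UserActivityAuditEvent (and AuthActivityAuditEvent) events can carry
        // "UserIp": "" (see the original log sample above). An empty string is
        // present, not missing, so ignore_missing does not skip it, and in the
        // reported run ignore_failure did not keep the convert from failing the
        // event (error.message plus the _js_exception tag) and leaving source.ip
        // unset. Deleting the empty field first lets the Convert step skip it.
        var dropEmptyUserIp = function(evt) {
            var userIp = evt.Get("crowdstrike.event.UserIp");
            // Strict comparison: a missing field (undefined/null) is left alone,
            // only the empty-string case is removed.
            if (userIp === "") {
                evt.Delete("crowdstrike.event.UserIp");
            }
        };

        // Copies CrowdStrike-specific fields onto their ECS counterparts.
        // mode "copy" keeps the original crowdstrike.event.* fields in place.
        // NOTE(review): assumes the rest of pipeline.js registers convertFields
        // through processor.Chain().Add(...), which accepts a built chain — confirm.
        var convertFields = new processor.Chain()
            .Add(dropEmptyUserIp)
            .Add(new processor.Convert({
                fields: [
                    // DetectionSummaryEvent
                    { from: "crowdstrike.event.LocalIP", to: "source.ip", type: "ip" },
                    { from: "crowdstrike.event.ProcessId", to: "process.pid" },
                    // UserActivityAuditEvent and AuthActivityAuditEvent
                    { from: "crowdstrike.event.UserIp", to: "source.ip", type: "ip" },
                ],
                mode: "copy",
                ignore_missing: true,
                ignore_failure: true
            }))
            .Build();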

Although ignore_missing and ignore_failure are both set on this processor, they do not seem to take effect. Note the _js_exception tag and the error written into the document.

GoError: failed in processor.convert: conversion of field [crowdstrike.event.UserIp] to type [ip] with target field [source.ip] failed: unable to convert value []: value is not a valid IP address

Time Parsing issue

The UTCTimestamp value does not appear to be translated correctly by the ingest parser, which treats it as UNIX_MS. The original value is missing the trailing three zeros a millisecond value would have (it is in seconds), so it is parsed as a date in 1970 instead of the 2020-06-26 timestamp seen in @timestamp.

Original Value
"UTCTimestamp": 1593186952

Destination ECS Field
fields.crowdstrike.event.UTCTimestamp

        "crowdstrike.event.UTCTimestamp": [
          "1970-01-19T10:33:06.952Z"
        ],

Thanks, @James_Cribbs. I'll take a look at this.

Regarding the timestamp issue, it looks like this particular event type uses UNIX epoch seconds instead of UNIX_MS (milliseconds) like the other events. Sorry about that -- we only had a few events provided by users to use in testing when creating this module. Any chance you could generate more event types to see if this happens with other events?

Regarding the empty event.UserIP field, I can look into that as well.

-Tony

Hey @tonymeehan!
Thanks for the quick response! I am still looking through the other event types, but it looks like this field may be unique to the UserActivityAuditEvent event type. The DetectionSummaryEvent shown below does not have that field at all.

DetectionSummaryEvent

{
    "metadata": {
        "customerIDString": "...redacted...",
        "offset": 24071,
        "eventType": "DetectionSummaryEvent",
        "eventCreationTime": 1593461994000,
        "version": "1.0"
    },
    "event": {
        "ProcessStartTime": 1593460800,
        "ProcessEndTime": 1593460802,
        "ProcessId": 8835878156,
        "ParentProcessId": 8834996104,
        "ComputerName": "...redacted...",
        "UserName": "...redacted...",
        "DetectName": "NGAV",
        "DetectDescription": "This file meets the File Analysis ML algorithm's low-confidence threshold for malware.",
        "Severity": 2,
        "SeverityName": "Low",
        "FileName": "...redacted...",
        "FilePath": "...redacted...",
        "CommandLine": "...redacted...",
        "SHA256String": "...redacted...",
        "MD5String": "...redacted...",
        "SHA1String": "...redacted...",
        "MachineDomain": "...redacted...",
        "DocumentsAccessed": [
            {
                "Timestamp": 1593460800,
                "FileName": "...redacted...",
                "FilePath": "...redacted..."
            }
        ],
        "FalconHostLink": "...redacted...",
        "SensorId": "...redacted...",
        "IOCType": "hash_sha256",
        "IOCValue": "...redacted...",
        "DetectId": "...redacted...",
        "LocalIP": "...redacted...",
        "MACAddress": "...redacted...",
        "Tactic": "Machine Learning",
        "Technique": "Cloud-based ML",
        "Objective": "Falcon Detection Method",
        "PatternDispositionDescription": "Detection, process would have been blocked if related prevention policy setting was enabled.",
        "PatternDispositionValue": 2304,
        "PatternDispositionFlags": {
            "Indicator": false,
            "Detect": false,
            "InddetMask": false,
            "SensorOnly": false,
            "Rooting": false,
            "KillProcess": false,
            "KillSubProcess": false,
            "QuarantineMachine": false,
            "QuarantineFile": false,
            "PolicyDisabled": true,
            "KillParent": false,
            "OperationBlocked": false,
            "ProcessBlocked": true,
            "RegistryOperationBlocked": false,
            "CriticalProcessDisabled": false,
            "BootupSafeguardEnabled": false,
            "FsOperationBlocked": false
        },
        "ParentImageFileName": "...redacted...",
        "ParentCommandLine": "...redacted...",
        "GrandparentImageFileName": "...redacted...",
        "GrandparentCommandLine": "...redacted..."
    }
}

Hey @tonymeehan !
Just to be safe I reinstalled the CrowdStrike SIEM connector with all default settings on my server again today. After configuring it with the API keys I am receiving all events again, but I still get the errors on the UserActivityAuditEvent. So both the timestamp and the blank-field issues appear to affect only that event type; the other event types are currently parsing correctly, without error.

@tonymeehan I have opened up a bug on Github to track this. Thanks for your help!
