CrowdStrike Module unable to convert value []: value is not a valid IP address

The CrowdStrike Filebeat (version 7.8) module appears to have two issues.

  1. Null / non-existent values in event.UserIP field causing parse errors during ingest.
  2. Parsing of UTCTimestamp to crowdstrike.event.UTCTimestamp (ECS Format) appears to be incorrect.

Please see the examples below. This was recreated on two separate servers with the default installation of CrowdStrike SIEM connector.

Original Log Format

    {
        "metadata": {
            "customerIDString": "...redacted...",
            "offset": 22865,
            "eventType": "UserActivityAuditEvent",
            "eventCreationTime": 1593186952000,
            "version": "1.0"
        },
        "event": {
            "UserId": "Crowdstrike",
            "UserIp": "",
            "OperationName": "quarantined_file_update",
            "ServiceName": "quarantined_files",
            "AuditKeyValues": [
                {
                    "Key": "quarantined_file_id",
                    "ValueString": "35b35a53da374816a6b471cf09e12019_a076d3121743755f2d4f8d4d5807f0bc013177f7847d09b48e76de88ace08c78"
                },
                {
                    "Key": "action_taken",
                    "ValueString": "quarantined"
                }
            ],
            "UTCTimestamp": 1593186952
        }
    }

Filebeat Parsed Event

    {
      "_index": "filebeat-7.8.0-2020.06.22-000001",
      "_type": "_doc",
      "_id": "0fdX8XIBwKcnb42G66Yn",
      "_version": 1,
      "_score": null,
      "_source": {
        "@timestamp": "2020-06-26T15:55:52.000Z",
        "service": {
          "type": "crowdstrike"
        },
        "input": {
          "type": "log"
        },
        "event": {
          "module": "crowdstrike",
          "dataset": "crowdstrike.falcon"
        },
        "fileset": {
          "name": "falcon"
        },
        "crowdstrike": {
          "metadata": {
            "eventType": "UserActivityAuditEvent",
            "eventCreationTime": 1593186952000,
            "version": "1.0",
            "customerIDString": "...redacted...",
            "offset": 22865
          },
          "event": {
            "OperationName": "quarantined_file_update",
            "ServiceName": "quarantined_files",
            "AuditKeyValues": [
              {
                "Key": "quarantined_file_id",
                "ValueString": "35b35a53da374816a6b471cf09e12019_a076d3121743755f2d4f8d4d5807f0bc013177f7847d09b48e76de88ace08c78"
              },
              {
                "Key": "action_taken",
                "ValueString": "quarantined"
              }
            ],
            "UTCTimestamp": 1593186952,
            "UserId": "Crowdstrike",
            "UserIp": ""
          }
        },
        "error": {
          "message": "GoError: failed in processor.convert: conversion of field [crowdstrike.event.UserIp] to type [ip] with target field [source.ip] failed: unable to convert value []: value is not a valid IP address"
        },
        "host": {
          "mac": [
            "...redacted..."
          ],
          "hostname": "...redacted...",
          "architecture": "x86_64",
          "os": {
            "codename": "bionic",
            "platform": "ubuntu",
            "version": "18.04.3 LTS (Bionic Beaver)",
            "family": "debian",
            "name": "Ubuntu",
            "kernel": "5.0.0-1036-azure"
          },
          "id": "...redacted...",
          "name": "...redacted...",
          "containerized": false,
          "ip": [
            "...redacted...",
            "...redacted..."
          ]
        },
        "log": {
          "flags": [
            "multiline"
          ],
          "offset": 29298,
          "file": {
            "path": "/var/log/crowdstrike/falconhoseclient/output"
          }
        },
        "tags": [
          "_js_exception"
        ],
        "agent": {
          "version": "7.8.0",
          "hostname": "...redacted...",
          "ephemeral_id": "...redacted...",
          "id": "...redacted...",
          "name": "...redacted...",
          "type": "filebeat"
        },
        "ecs": {
          "version": "1.5.0"
        },
        "cloud": {
          "region": "...redacted...",
          "provider": "az",
          "instance": {
            "id": "...redacted...",
            "name": "...redacted..."
          },
          "machine": {
            "type": "Standard_B4ms"
          }
        }
      },
      "fields": {
        "@timestamp": [
          "2020-06-26T15:55:52.000Z"
        ],
        "crowdstrike.event.UTCTimestamp": [
          "1970-01-19T10:33:06.952Z"
        ],
        "crowdstrike.metadata.eventCreationTime": [
          "2020-06-26T15:55:52.000Z"
        ],
        "suricata.eve.timestamp": [
          "2020-06-26T15:55:52.000Z"
        ]
      },
      "highlight": {
        "event.module": [
          "@kibana-highlighted-field@crowdstrike@/kibana-highlighted-field@"
        ]
      },
      "sort": [
        1593186952000
      ]
    }

Code with issue

/usr/share/filebeat/module/crowdstrike/falcon/config/pipeline.js

        var convertFields = new processor.Convert({
            fields: [
                // DetectionSummaryEvent
                { from: "crowdstrike.event.LocalIP", to: "source.ip", type: "ip" },
                { from: "crowdstrike.event.ProcessId", to: "process.pid" },
                // UserActivityAuditEvent and AuthActivityAuditEvent
                { from: "crowdstrike.event.UserIp", to: "source.ip", type: "ip" },
            ],
            mode: "copy",
            ignore_missing: true,
            ignore_failure: true
        });

While ignore_missing and ignore_failure exist within this function it doesn't seem to do it. Please note the tag _js_exception and the error written to the document.

GoError: failed in processor.convert: conversion of field [crowdstrike.event.UserIp] to type [ip] with target field [source.ip] failed: unable to convert value []: value is not a valid IP address

Time Parsing issue

The UTC timestamp does not appear to be properly translated from the UNIX_MS format by the ingest parser file. The original field is missing the trailing three 0 (zeros) that would make it the proper length.

Original Value
"UTCTimestamp": 1593186952

Destination ECS Field
fields.crowdstrike.event.UTCTimestamp

        "crowdstrike.event.UTCTimestamp": [
          "1970-01-19T10:33:06.952Z"
        ],

Thanks, @James_Cribbs. I'll take a look at this.

Regarding the timestamp issue, it looks like this particular event type uses UNIX epoch instead of UNIX_MS like the other events. Sorry about that -- we only had a few events provided by users to use in testing when creating this module. Any chance you could generate more event types to see if this happens with other events?

Regarding the empty event.UserIP field, I can look into that as well.

-Tony

Hey @tonymeehan!
Thanks for the quick response! I am still looking through the other event types but it looks like this might be a unique field to the UserActivityAuditEvent event types. The DetectionSummaryEvent as shown below doesn't even have that field.

DetectionSummaryEvent

{
    "metadata": {
        "customerIDString": "...redacted...",
        "offset": 24071,
        "eventType": "DetectionSummaryEvent",
        "eventCreationTime": 1593461994000,
        "version": "1.0"
    },
    "event": {
        "ProcessStartTime": 1593460800,
        "ProcessEndTime": 1593460802,
        "ProcessId": 8835878156,
        "ParentProcessId": 8834996104,
        "ComputerName": "...redacted...",
        "UserName": "...redacted...",
        "DetectName": "NGAV",
        "DetectDescription": "This file meets the File Analysis ML algorithm's low-confidence threshold for malware.",
        "Severity": 2,
        "SeverityName": "Low",
        "FileName": "...redacted...",
        "FilePath": "...redacted...",
        "CommandLine": "...redacted...",
        "SHA256String": "...redacted...",
        "MD5String": "...redacted...",
        "SHA1String": "...redacted...",
        "MachineDomain": "...redacted...",
        "DocumentsAccessed": [
            {
                "Timestamp": 1593460800,
                "FileName": "...redacted...",
                "FilePath": "...redacted..."
            }
        ],
        "FalconHostLink": "...redacted...",
        "SensorId": "...redacted...",
        "IOCType": "hash_sha256",
        "IOCValue": "...redacted...",
        "DetectId": "...redacted...",
        "LocalIP": "...redacted...",
        "MACAddress": "...redacted...",
        "Tactic": "Machine Learning",
        "Technique": "Cloud-based ML",
        "Objective": "Falcon Detection Method",
        "PatternDispositionDescription": "Detection, process would have been blocked if related prevention policy setting was enabled.",
        "PatternDispositionValue": 2304,
        "PatternDispositionFlags": {
            "Indicator": false,
            "Detect": false,
            "InddetMask": false,
            "SensorOnly": false,
            "Rooting": false,
            "KillProcess": false,
            "KillSubProcess": false,
            "QuarantineMachine": false,
            "QuarantineFile": false,
            "PolicyDisabled": true,
            "KillParent": false,
            "OperationBlocked": false,
            "ProcessBlocked": true,
            "RegistryOperationBlocked": false,
            "CriticalProcessDisabled": false,
            "BootupSafeguardEnabled": false,
            "FsOperationBlocked": false
        },
        "ParentImageFileName": "...redacted...",
        "ParentCommandLine": "...redacted...",
        "GrandparentImageFileName": "...redacted...",
        "GrandparentCommandLine": "...redacted..."
    }
}