[SIEM] Authentications table doesn't show 'Last Success/Failed Source' column if only 'source.ip' is present

eextreemee · January 15, 2021, 12:24pm

I found solution here but i don't know how to implement it.

elastic/kibana/blob/23a0513469502f2e6aaa05728ceafd214bebe4d9/x-pack/legacy/plugins/siem/public/components/page/hosts/authentications_table/index.tsx#L269


    ),
},
{
  name: i18n.LAST_SUCCESSFUL_SOURCE,
  truncateText: false,
  hideForMobile: false,
  render: ({ node }) =>
    getRowItemDraggables({
      rowItems:
        node.lastSuccess != null &&
        node.lastSuccess.source != null &&
        node.lastSuccess.source.ip != null
          ? node.lastSuccess.source.ip
          : null,
      attrName: 'source.ip',
      idPrefix: `authentications-table-${node._id}-lastSuccessSource`,
      render: item => <IPDetailsLink ip={item} />,
    }),
},
{
  name: i18n.LAST_SUCCESSFUL_DESTINATION,

please help...

Nathan_Reese · January 15, 2021, 6:04pm

Can you please provide some more information.
What are you trying to do?
What problems are you facing?
What version of Elastic stack are you running?
How are you running Elastic stack? self hosted, elastic cloud,...

eextreemee · January 16, 2021, 1:24pm

Sorry for late reply.
It is self hosted Ubuntu server 20.04 TLS.

{
  "name" : "node-1",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "8LobUjvQQ-yDInaW6LkZwQ",
  "version" : {
    "number" : "7.10.2",
    "build_flavor" : "default",
    "build_type" : "deb",
    "build_hash" : "747e1cc71def077253878a59143c1f785afa92b9",
    "build_date" : "2021-01-13T00:42:12.435326Z",
    "build_snapshot" : false,
    "lucene_version" : "8.7.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}

Sometimes it displays for few hosts Last successful/ failed source..

Frank_Hassanabad · January 18, 2021, 6:00pm

I just tested this out, locally by logging in using auditbeat into a Linux based system and things look ok where everything is showing up (i just blocked out the data):

It sometimes isn't going to show you last successful source or other fields if those aren't part of the events. It cannot show for example Last successful source if that particular event does not have source.ip within it. Instead it doesn't show anything.

For looking at source code since you're on 7.10.2, I would recommend using a link like the one below where it has /blob/v7.10 within it rather than a commit hash that is a moment in time:

github.com

elastic/kibana/blob/v7.10.2/x-pack/plugins/security_solution/public/hosts/components/authentications_table/index.tsx#L259


    ) : (
      getEmptyTagValue()
    ),
},
{
  name: i18n.LAST_SUCCESSFUL_SOURCE,
  truncateText: false,
  hideForMobile: false,
  render: ({ node }) =>
    getRowItemDraggables({
      rowItems: node.lastSuccess?.source?.ip || null,
      attrName: 'source.ip',
      idPrefix: `authentications-table-${node._id}-lastSuccessSource`,
      render: (item) => <NetworkDetailsLink ip={item} />,
    }),
},
{
  name: i18n.LAST_SUCCESSFUL_DESTINATION,
  truncateText: false,
  hideForMobile: false,
  render: ({ node }) =>

So you can get to the closest version to what you currently have. I think this might be a case where depending on how enriched the logs are, you will get either data such as source.ip vs. if you do not have source.ip in your logs then we cannot display that information.

eextreemee · January 19, 2021, 11:07am

Very strange... In Dashboard/[Winlogbeat Security]User Management Events I can see all source ips

But in SIEM/Hosts/Authentications only few random..

Frank_Hassanabad · January 19, 2021, 4:40pm

I think it might have to do with which events/logs it is taking them from. Also it is going to take from the very last record.

If you have 7.10.latest you should be able to determine which log(s) you want per page like so and select only winlogbeat to take a look? You might have other beats interfering without source.ip filled out?

Also, you can select the inspect query as I put above and then run the query in dev tooling to see if maybe there is a better query for us to use that would show the logs. But if you have source.ip and using the winlogbeat it should be showing up for authentication.

eextreemee · January 19, 2021, 5:25pm

Thanks for your time and effort.

system · February 16, 2021, 5:25pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.