
Commit 07ef3af

committed
improve IP address handling
1 parent e0c3236 commit 07ef3af


3 files changed

+65
-0
lines changed


packages/crowdstrike/changelog.yml

Lines changed: 3 additions & 0 deletions
@@ -4,6 +4,9 @@
44
- description: Fix network direction handling for FDR data stream.
55
type: bugfix
66
link: https://github.com/elastic/integrations/pull/12508
7+
- description: Handle invalid IP addresses robustly.
8+
type: bugfix
9+
link: https://github.com/elastic/integrations/pull/12508
710
- version: "1.49.0"
811
changes:
912
- description: Add "preserve_original_event" tag to documents with `event.kind` manually set to "pipeline_error".

packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/inbound_network.yml

Lines changed: 31 additions & 0 deletions
@@ -17,6 +17,18 @@ processors:
1717
field: destination.ip
1818
if: ctx.destination?.ip == null && ctx.crowdstrike?.LocalAddressIP6 instanceof List && ctx.crowdstrike.LocalAddressIP6.length > 0
1919
value: '{{{crowdstrike.LocalAddressIP6.0}}}'
20+
- convert:
21+
tag: convert_destination_ip
22+
field: destination.ip
23+
type: ip
24+
ignore_missing: true
25+
on_failure:
26+
- remove:
27+
field: destination.ip
28+
ignore_missing: true
29+
- append:
30+
field: error.message
31+
value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
2032
- set:
2133
field: destination.address
2234
copy_from: destination.ip
@@ -36,6 +48,18 @@ processors:
3648
target_field: destination.mac
3749
ignore_missing: true
3850

51+
- convert:
52+
tag: convert_RemoteAddressIP4_ip
53+
field: crowdstrike.RemoteAddressIP4
54+
type: ip
55+
ignore_missing: true
56+
on_failure:
57+
- remove:
58+
field: crowdstrike.RemoteAddressIP4
59+
ignore_missing: true
60+
- append:
61+
field: error.message
62+
value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
3963
- rename:
4064
field: crowdstrike.RemoteAddressIP4
4165
target_field: source.ip
@@ -45,6 +69,13 @@ processors:
4569
field: crowdstrike.RemoteAddressIP6
4670
type: ip
4771
ignore_missing: true
72+
on_failure:
73+
- remove:
74+
field: crowdstrike.RemoteAddressIP6
75+
ignore_missing: true
76+
- append:
77+
field: error.message
78+
value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
4879
- rename:
4980
field: crowdstrike.RemoteAddressIP6
5081
target_field: source.ip
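Review bot: The new `convert_destination_ip` step (lines 20–31) runs after the IPv6 fallback `set` at lines 17–19, so when the previously assigned value fails conversion it is removed only after the `ctx.destination?.ip == null` check has already been evaluated, and the document ends up with no `destination.ip` even though `crowdstrike.LocalAddressIP6.0` might have been usable; the guard implies an earlier `set` (presumably from `LocalAddressIP4`) that lies outside this hunk. Consider inserting a `convert` with the same `on_failure` directly after that first `set`, so an invalid value is cleared before the fallback condition is tested, and keeping the existing one after the fallback to validate the IPv6 value. The `remove` also leaves the `set ... copy_from: destination.ip` at lines 32–34 reading a field that no longer exists; whether that processor carries `ignore_empty_value: true` is not visible here, and without it the pipeline would now fail on exactly the malformed input this change is meant to tolerate. A short comment above each `on_failure` would help future readers, e.g. `# Unparseable address: drop the field and record the failure in error.message instead of failing the document.`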

packages/crowdstrike/data_stream/fdr/elasticsearch/ingest_pipeline/outbound_network.yml

Lines changed: 31 additions & 0 deletions
@@ -17,6 +17,18 @@ processors:
1717
field: source.ip
1818
if: ctx.source?.ip == null && ctx.crowdstrike?.LocalAddressIP6 instanceof List && ctx.crowdstrike.LocalAddressIP6.length > 0
1919
value: '{{{crowdstrike.LocalAddressIP6.0}}}'
20+
- convert:
21+
tag: convert_source_ip
22+
field: source.ip
23+
type: ip
24+
ignore_missing: true
25+
on_failure:
26+
- remove:
27+
field: source.ip
28+
ignore_missing: true
29+
- append:
30+
field: error.message
31+
value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
2032
- set:
2133
field: source.address
2234
copy_from: source.ip
@@ -36,6 +48,18 @@ processors:
3648
target_field: source.mac
3749
ignore_missing: true
3850

51+
- convert:
52+
tag: convert_RemoteAddressIP4_ip
53+
field: crowdstrike.RemoteAddressIP4
54+
type: ip
55+
ignore_missing: true
56+
on_failure:
57+
- remove:
58+
field: crowdstrike.RemoteAddressIP4
59+
ignore_missing: true
60+
- append:
61+
field: error.message
62+
value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
3963
- rename:
4064
field: crowdstrike.RemoteAddressIP4
4165
target_field: destination.ip
@@ -45,6 +69,13 @@ processors:
4569
field: crowdstrike.RemoteAddressIP6
4670
type: ip
4771
ignore_missing: true
72+
on_failure:
73+
- remove:
74+
field: crowdstrike.RemoteAddressIP6
75+
ignore_missing: true
76+
- append:
77+
field: error.message
78+
value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
4879
- rename:
4980
field: crowdstrike.RemoteAddressIP6
5081
target_field: destination.ip
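Review bot: The `on_failure` handlers at lines 56–62 and 72–78 remove `crowdstrike.RemoteAddressIP4` / `crowdstrike.RemoteAddressIP6`, and the `rename` processors that follow at lines 63–65 and 79–81 then operate on a field that no longer exists; their remaining options fall outside the hunk, so please confirm each has `ignore_missing: true`, otherwise the document fails on the very input this change is meant to tolerate. The same check applies to `set source.address copy_from: source.ip` at lines 32–34 after `source.ip` is removed by `convert_source_ip`. Separately, an event whose address was dropped this way is distinguishable only by inspecting `error.message`; since the package already marks pipeline failures with `event.kind: pipeline_error` (changelog line 12), consider adding a `- set:` with `field: event.kind` and `value: pipeline_error` (or a dedicated tag) to each `on_failure`, so detection rules and dashboards can surface events whose network fields were silently removed. Note also that the tag `convert_RemoteAddressIP4_ip` is reused verbatim from inbound_network.yml; that is fine within separate pipelines, but a pipeline-specific tag would make `_ingest.on_failure_processor_tag` in the appended message unambiguous when both pipelines feed the same index.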
