counteractive / o365beat

Elastic Beat for fetching and shipping Office 365 audit events

ClientIP not parsed to ECS client.ip when it has port but no brackets #16

Closed chris-counteractive closed 4 years ago

chris-counteractive commented 4 years ago

Microsoft's API creates events with the ClientIP field in one of (at least) three different formats:

  1. 10.10.10.10
  2. [10.10.10.10]:10100
  3. 10.10.10.10:10100

We handled the first two, but this third format (with a port but no brackets) is not handled by the current processors in o365beat.yml. Fix should be something like adding the following to current o365beat.yml, but still needs testing:

```yaml
processors:
  - dissect:
      field: ClientIP
      tokenizer: '%{clientip}:%{clientport}'
      # A Beats `when` takes exactly one condition; to require both tests,
      # combine them with `and` (two sibling keys under `when` are not
      # both applied).
      when:
        and:
          - contains:
              ClientIP: ':'
          - not:
              contains:
                ClientIP: '['
```

chris-counteractive commented 4 years ago

Fix isn't in a release yet, but it's straightforward to copy into your o365beat.yml config file (there are no changes to the beat itself).
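For reference, a small Go helper (added here as an illustration, not code from o365beat) that normalises the three ClientIP formats listed in the first comment into ECS-style client.ip / client.port values. It uses net.SplitHostPort rather than splitting on the first ':' and, going beyond the issue, also handles bracketed and unbracketed IPv6 addresses, which a bare `contains ':'` condition would mis-split. The names `ParseClientIP` and `ClientEndpoint` and the sample values are assumptions for this example.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// ClientEndpoint is the ECS-style result: client.ip and client.port
// (Port is 0 when the audit event carried no port).
type ClientEndpoint struct {
	IP   string
	Port int
}

// ParseClientIP normalises the ClientIP value of an Office 365 audit event.
// Accepted forms: "ip", "[ip]:port" and "ipv4:port". An unbracketed IPv6
// address is returned as a bare address, since splitting it on ':' would
// corrupt it.
func ParseClientIP(raw string) (ClientEndpoint, error) {
	s := strings.TrimSpace(raw)
	// Format 1: bare IPv4 or IPv6 address, no port.
	if ip := net.ParseIP(s); ip != nil {
		return ClientEndpoint{IP: ip.String()}, nil
	}
	// Formats 2 and 3: SplitHostPort strips optional brackets itself.
	host, portStr, err := net.SplitHostPort(s)
	if err != nil {
		return ClientEndpoint{}, fmt.Errorf("unrecognised ClientIP %q: %w", raw, err)
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return ClientEndpoint{}, fmt.Errorf("ClientIP %q: host %q is not an IP", raw, host)
	}
	port, err := strconv.Atoi(portStr)
	if err != nil || port < 1 || port > 65535 {
		return ClientEndpoint{}, fmt.Errorf("ClientIP %q: bad port %q", raw, portStr)
	}
	return ClientEndpoint{IP: ip.String(), Port: port}, nil
}

func main() {
	// Constructed sample values: the issue's three formats plus IPv6 cases.
	samples := []string{"10.10.10.10", "[10.10.10.10]:10100",
		"10.10.10.10:10100", "[2001:db8::1]:443", "2001:db8::1"}
	for _, v := range samples {
		ep, err := ParseClientIP(v)
		fmt.Printf("%-22s -> ip=%s port=%d err=%v\n", v, ep.IP, ep.Port, err)
	}
}
```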