elastic / beats

:tropical_fish: Beats - Lightweight shippers for Elasticsearch & Logstash
https://www.elastic.co/products/beats

Filebeat IIS module - add all forwarded ip parsing #34642

Closed leweafan closed 2 weeks ago

leweafan commented 1 year ago

Describe the enhancement:

If several forwarded IPs are present, only one is parsed and all the others are missing. Missing network forwarded IPs can affect security issue discovery.

Describe a specific use case for the enhancement or feature:

In the example below, IP 172.20.97.46 is not parsed.

POST /_ingest/pipeline/filebeat-8.6.1-iis-access-pipeline/_simulate
{
  "docs": [
    {
      "_source": {
        "@timestamp": "2023-02-22T12:51:14.333",
        "message" : "2023-02-22 12:51:14 172.20.98.21 POST /mapi/emsmdb/ MailboxId=xxx@test.com 444 Anonymous 172.20.98.22 Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.10395;+Pro) - 200 0 64 92255 172.20.102.177,172.20.97.46"
      }
    }
  ]
}
{
  "docs": [
    {
      "doc": {
        "_index": "_index",
        "_id": "_id",
        "_version": "-3",
        "_source": {
          "temp": {},
          "destination": {
            "address": "172.20.98.21",
            "port": 444,
            "ip": "172.20.98.21"
          },
          "source": {
            "address": "172.20.98.22",
            "ip": "172.20.98.22"
          },
          "url": {
            "path": "/mapi/emsmdb/",
            "original": "/mapi/emsmdb/",
            "query": "MailboxId=xxx@test.com"
          },
          "network": {
            "forwarded_ip": "172.20.102.177"
          },
          "tags": [
            "_geoip_database_unavailable_GeoLite2-City.mmdb",
            "_geoip_database_unavailable_GeoLite2-ASN.mmdb"
          ],
          "iis": {
            "access": {
              "sub_status": 0,
              "win32_status": 64
            }
          },
          "@timestamp": "2023-02-22T12:51:14.000Z",
          "related": {
            "ip": [
              "172.20.98.22",
              "172.20.98.21"
            ],
            "user": [
              "Anonymous"
            ]
          },
          "http": {
            "request": {
              "method": "POST"
            },
            "response": {
              "status_code": 200
            }
          },
          "event": {
            "duration": 92255000000,
            "ingested": "2023-02-22T13:54:15.620326130Z",
            "original": "2023-02-22 12:51:14 172.20.98.21 POST /mapi/emsmdb/ MailboxId=xxx@test.com 444 Anonymous 172.20.98.22 Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.10395;+Pro) - 200 0 64 92255 172.20.102.177,172.20.97.46",
            "created": "2023-02-22T12:51:14.333",
            "kind": "event",
            "category": [
              "web",
              "network"
            ],
            "type": [
              "connection"
            ],
            "outcome": "success"
          },
          "user": {
            "name": "Anonymous"
          },
          "user_agent": {
            "original": "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.10395; Pro)",
            "os": {
              "name": "Windows",
              "version": "10",
              "full": "Windows 10"
            },
            "name": "Outlook",
            "device": {
              "name": "Other"
            },
            "version": "2016"
          }
        },
        "_ingest": {
          "timestamp": "2023-02-22T13:54:15.62032613Z"
        }
      }
    }
  ]
}
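To make the defect concrete, the following is an added Python model of the address extraction, not the module's own ingest pipeline (which uses grok processors inside Elasticsearch). It assumes the W3C field order of the sample line above and places the X-Forwarded-For value last; it shows the first-only behaviour reported in the issue beside a version that keeps every forwarded address and also adds them to related.ip, which is an assumed improvement rather than current module behaviour.

```python
"""Model of how an IIS access line's client and forwarded addresses map to ECS."""
import ipaddress

# Constructed from the log line in the issue. Assumed W3C field order:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip
# cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken x-forwarded-for
SAMPLE_LINE = (
    "2023-02-22 12:51:14 172.20.98.21 POST /mapi/emsmdb/ MailboxId=xxx@test.com 444 "
    "Anonymous 172.20.98.22 Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.10395;+Pro) "
    "- 200 0 64 92255 172.20.102.177,172.20.97.46"
)


def forwarded_ips(raw):
    """Split a comma-separated X-Forwarded-For value into validated IP strings.

    Non-IP tokens ('-', 'unknown', hostnames) are dropped so one bad hop does not
    fail the whole event; IPv4 and IPv6 are both accepted.
    """
    ips = []
    for token in raw.split(","):
        token = token.strip()
        try:
            ips.append(str(ipaddress.ip_address(token)))
        except ValueError:
            continue
    return ips


def parse_iis_line(line, first_only=False):
    """Return the ECS fields that depend on server, client and forwarded addresses.

    first_only=True reproduces the behaviour reported in the issue, where only
    the first proxy hop survives; the default keeps the full chain.
    """
    fields = line.split(" ")          # user agent uses '+' for spaces, so a plain split is safe here
    server_ip, client_ip, raw_forwarded = fields[2], fields[8], fields[15]
    forwarded = forwarded_ips(raw_forwarded)
    if first_only:
        forwarded = forwarded[:1]
    event = {
        "destination": {"ip": server_ip},
        "source": {"ip": client_ip},
        # related.ip collects every address on the event so a single search finds it
        "related": {"ip": sorted({server_ip, client_ip, *forwarded})},
    }
    if forwarded:                     # a bare '-' means no proxy header: omit the field
        event["network"] = {"forwarded_ip": forwarded}
    return event
```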
botelastic[bot] commented 1 year ago

This issue doesn't have a Team:<team> label.

botelastic[bot] commented 6 months ago

Hi! We just realized that we haven't looked into this issue in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1:. Thank you for your contribution!