elastic / integrations

Elastic Integrations
https://www.elastic.co/integrations

[cisco_duo] Parsing Error when IP address includes a port #3101

Closed jamiehynds closed 2 years ago

jamiehynds commented 2 years ago

When an IP address includes a port number within a Cisco Duo event, our pipeline produces an error.

    "reason":"'192.168.41.126:64912' is not an IP string literal."}}, dropping event!

This can be addressed by modifying our pipeline:

ADDED:

    {
      "dissect": {
        "field": "json.access_device.ip",
        "pattern": "%{source.ip}:%{source.port}",
        "ignore_missing": true,
        "if": "ctx?.json?.access_device?.ip.contains(':')",
        "ignore_failure": true
      }
    },
    {
      "convert": {
        "field": "json.access_device.ip",
        "type": "ip",
        "target_field": "source.ip",
        "ignore_missing": true,
        "if": "ctx?.source?.ip != null",
        "ignore_failure": true
      }
    }

REMOVED:

    {
      "set": {
        "field": "source.ip",
        "copy_from": "json.access_device.ip",
        "ignore_failure": true
      }
    }

Sample error:

    Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Date(2022, time.April, 14, 13, 12, 21, 364773335, time.Local), Meta:{"raw_index":"logs-cisco_duo.auth-authentication"}, Fields:{"agent":{"ephemeral_id":"22c78825-6cbc-48e3-af6e-55c5790f1b06","hostname":"host1.some.domain.com","id":"b9f12fbf-e81a-436d-8f5f-66bfbff5e05e","name":"host1.some.domain.com","type":"filebeat","version":"7.17.1"},"data_stream":{"dataset":"cisco_duo.auth","namespace":"authentication","type":"logs"},"ecs":{"version":"1.12.0"},"elastic_agent":{"id":"b9f12fbf-e81a-436d-8f5f-66bfbff5e05e","snapshot":false,"version":"7.17.1"},"event":{"created":"2022-04-14T03:12:21.364Z","dataset":"cisco_duo.auth"},"input":{"type":"httpjson"},"message":"{\"access_device\":{\"browser\":null,\"browser_version\":null,\"epkey\":null,\"flash_version\":null,\"hostname\":null,\"ip\":\"192.168.41.126:64912\",\"is_encryption_enabled\":\"unknown\",\"is_firewall_enabled\":\"unknown\",\"is_password_set\":\"unknown\",\"java_version\":null,\"location\":{\"city\":null,\"country\":null,\"state\":null},\"os\":null,\"os_version\":null},\"alias\":\"luket\",\"application\":{\"key\":\"DIV6YO1ZZZDDEHPBC4JE\",\"name\":\"XSOAR\"},\"auth_device\":{\"ip\":\"192.168.5.163\",\"location\":{\"city\":\"Sydney\",\"country\":\"Australia\",\"state\":\"New South Wales\"},\"name\":\"+61 555 111 148\"},\"email\":\"u5593@some.domain.com\",\"event_type\":\"authentication\",\"factor\":\"duo_push\",\"isotimestamp\":\"2022-04-14T03:09:21.183229+00:00\",\"ood_software\":null,\"reason\":\"user_approved\",\"result\":\"success\",\"timestamp\":1649905700,\"txid\":\"70ba2044-846d-4226-81aa-f109e23d74bd\",\"user\":{\"groups\":[],\"key\":\"DUO2E0TU3HG4BZI4XL0E\",\"name\":\"u5593\"}}","tags":["forwarded","cisco_duo-auth"]}, Private:(*cursor.updateOp)(0xc00a332980), TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=400): {"type":"mapper_parsing_exception","reason":"failed to parse field [source.ip] of type [ip] in document with id 'OpAbRw4SX/pvrHbdO4V98YhSVeI='. Preview of field's value: '192.168.41.126:64912'","caused_by":{"type":"illegal_argument_exception","reason":"'192.168.41.126:64912' is not an IP string literal."}}, dropping event!

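As an added example (not code from the issue and not the elastic/integrations pipeline itself), the Python below does in plain code what the proposed dissect/convert step has to do: split a Duo `access_device.ip` value into ECS `source.ip` and `source.port` before it reaches the `ip`-typed mapping, and leave `source.ip` unset when the value is not an address at all rather than letting the whole event be dropped at index time. It goes slightly beyond the issue by also covering a bare IPv6 address and a bracketed IPv6 address with a port, which matters because a guard of the form `contains(':')` also matches a bare IPv6 address. The sample events are constructed, modelled on the message quoted above; `split_ip_port`, `to_ecs` and `colon_guard_matches` are illustrative names, not pipeline processors.

```python
import ipaddress
import json
from typing import List, Optional, Tuple


def colon_guard_matches(value: str) -> bool:
    """The check a `contains(':')` condition performs. Shown here only to make
    the point that it fires on a bare IPv6 address as well as on host:port."""
    return ":" in value


def split_ip_port(value: str) -> Tuple[Optional[str], Optional[int]]:
    """Return (ip, port) for an access_device.ip value.

    Accepts "192.168.41.126:64912", "192.168.41.126", "[2001:db8::1]:443"
    and a bare "2001:db8::1". Anything that is not an IP address in one of
    those shapes yields (None, None) so the caller can skip the ECS field.
    """
    value = value.strip()
    candidates: List[Tuple[str, Optional[str]]] = []
    if value.startswith("["):
        # Bracketed IPv6, optionally followed by ":port".
        host, sep, rest = value[1:].partition("]")
        if not sep:
            return None, None
        port = rest[1:] if rest.startswith(":") else None
        candidates.append((host, port))
    else:
        # Try the bare value first (IPv4 or IPv6). Only a single colon can
        # mean host:port; several colons is an IPv6 address, not a port.
        candidates.append((value, None))
        if value.count(":") == 1:
            host, _, port = value.rpartition(":")
            candidates.append((host, port))
    for host, port in candidates:
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue
        if port is None:
            return str(ip), None
        if port.isdigit() and 0 <= int(port) <= 65535:
            return str(ip), int(port)
    return None, None


def to_ecs(raw_event: str) -> dict:
    """Mimic the pipeline step: keep the raw document under `json` and copy
    access_device.ip into source.ip / source.port only when it parses."""
    doc = json.loads(raw_event)
    ecs: dict = {"json": doc}
    value = doc.get("access_device", {}).get("ip")
    if isinstance(value, str):
        ip, port = split_ip_port(value)
        if ip is not None:
            ecs["source"] = {"ip": ip}
            if port is not None:
                ecs["source"]["port"] = port
    return ecs


# Constructed sample events, modelled on the event quoted in the issue
# (trimmed to the fields that matter here); not real Duo output.
SAMPLE_EVENTS = [
    '{"access_device": {"ip": "192.168.41.126:64912"}, "event_type": "authentication", "result": "success"}',
    '{"access_device": {"ip": "192.168.5.163"}, "event_type": "authentication", "result": "success"}',
    '{"access_device": {"ip": "[2001:db8::1]:443"}, "event_type": "authentication", "result": "success"}',
    '{"access_device": {"ip": "2001:db8::1"}, "event_type": "authentication", "result": "success"}',
    '{"access_device": {"ip": null}, "event_type": "authentication", "result": "success"}',
]


def process_all(events: List[str] = SAMPLE_EVENTS) -> List[dict]:
    """Run every sample through to_ecs and return the enriched documents."""
    return [to_ecs(e) for e in events]


if __name__ == "__main__":
    for raw, ecs in zip(SAMPLE_EVENTS, process_all()):
        value = json.loads(raw)["access_device"]["ip"]
        print(f"{value!r:28} guard={colon_guard_matches(value or '')!s:5} -> {ecs.get('source')}")
```

The same five documents make a useful input set for `POST _ingest/pipeline/_simulate` against the real pipeline: the first two must produce `source.ip` (the first with `source.port` as well), the IPv6 ones must not be mangled by the host:port split, and the `null` case must pass through without an error.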
elasticmachine commented 2 years ago

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)