Closed jvalente-salemstate closed 5 months ago
| Timestamp | InitiatingProcessAccountName | RemoteIP |
|---|---|---|
| 2024-02-02T16:36:28.9574993Z | system | |
| 2024-02-02T16:36:28.9574814Z | system | |
| 2024-02-02T16:36:24.4051252Z | system | |
| 2024-02-02T16:36:22.2625214Z | system | |
| 2024-02-02T16:36:19.6658261Z | system | |
Sample where RemoteIP isn't set, rather than set to -
Changes to how the GeoIP plugin is used were made in #8891 and generally work well. However, when the value for the source IP is not set, M365 Defender is sometimes setting it to "-" rather than blank, as in other fields.
This means any time these events are processed:

```
Processor "conditional" with tag "geoip_source_ip" in pipeline "logs-m365_defender.event-2.6.2-pipeline_device" failed with message "'-' is not an IP string literal."
```
Within the document:

```json
"ignored_field_values": {
  "source.ip": [ "-" ],
  "m365_defender.event.remote.ip": [ "-" ]
}
```
This value is being captured directly from the event hub, so a conditional check that validates the value and does not set the field to invalid values is needed.
KQL showing that RemoteIP is not blank, but the string `-`:

```kusto
DeviceLogonEvents | where AccountName contains '...REDACTED...' | sort by Timestamp desc | project Timestamp, ActionType, RemoteIP | limit 5
```
Oddly, this isn't consistent within the table. The above is from an event initiated by Firefox, while lsass.exe is correctly returning no value.
I'm using Elastic Agent 8.12.0 with the M365 Defender Integration v2.6.2
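As an added illustration (not code from the M365 Defender integration, #8891, or the reporter), an ingest pipeline fragment showing one way to guard the GeoIP step: the "-" placeholder is dropped before the copy to `source.ip`, a `convert` to type `ip` validates what remains and removes it on failure, and `geoip` only runs when a valid address survived. The field names `m365_defender.event.remote.ip` and `source.ip` and the tag `geoip_source_ip` come from the error output above; the other tags and the `error.message` handling are assumptions.

```yaml
# Added illustration of a guarded GeoIP enrichment; not the integration's pipeline.
# Field names and the geoip_source_ip tag are from the error above, the rest is assumed.
processors:
  # Treat the "-" placeholder (and an empty string) as "not set" rather than as an address.
  - remove:
      tag: drop_placeholder_remote_ip
      field: m365_defender.event.remote.ip
      ignore_missing: true
      if: >-
        ctx.m365_defender?.event?.remote?.ip instanceof String &&
        (ctx.m365_defender.event.remote.ip == '-' ||
         ctx.m365_defender.event.remote.ip.trim().isEmpty())
  # Copy to ECS source.ip only when a value survived the placeholder check.
  - set:
      tag: set_source_ip
      field: source.ip
      copy_from: m365_defender.event.remote.ip
      ignore_empty_value: true
  # Validate the literal: anything that is not an IP is removed and recorded,
  # instead of failing the whole pipeline at the geoip step.
  - convert:
      tag: validate_source_ip
      field: source.ip
      type: ip
      ignore_missing: true
      on_failure:
        - remove:
            field: source.ip
            ignore_missing: true
        - append:
            field: error.message
            value: 'source.ip dropped: {{{ _ingest.on_failure_message }}}'
  # GeoIP enrichment runs only when a valid source.ip is present.
  - geoip:
      tag: geoip_source_ip
      field: source.ip
      target_field: source.geo
      ignore_missing: true
      if: ctx.source?.ip != null
```

Events with a blank RemoteIP (the lsass.exe case) and events with "-" (the Firefox case) both end up with no `source.ip` and no GeoIP failure, while real addresses are enriched as before.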