[System] Validate ClientAddress IP for Windows Security events #7237

Conversation

chemamartinez
Contributor

What does this PR do?

It fixes a constraint error with the source.ip and related.ip fields when populated from winlog.event_data.ClientAddress that may contain invalid IP values, in particular LOCAL and Unknown, leading to this error:

[0] unexpected pipeline error: ['LOCAL' is not an IP string literal.]

This has already been fixed in Winlogbeat at elastic/beats#34295 but doesn't affect the winlog input and this ingest pipeline.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

How to test this PR locally

Added pipeline tests to validate that ClientAddress is handled properly.
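To make the failure mode concrete, here is an added Python model (not the integration's ingest pipeline and not the author's code) of the validation the PR describes: populate source.ip and related.ip only when winlog.event_data.ClientAddress is an IP literal, so placeholder values such as LOCAL and Unknown are skipped instead of aborting the pipeline. The "-" placeholder, the function names and the constructed sample events are assumptions.

```python
import copy
import ipaddress
from typing import Any, Dict, Optional

# Values Windows writes into ClientAddress that are not IP literals.
# "LOCAL" and "Unknown" come from the PR description; "-" is a constructed extra.
NON_IP_PLACEHOLDERS = {"LOCAL", "Unknown", "-", ""}


def valid_ip(value: Optional[str]) -> Optional[str]:
    """Return the normalised IP string if value is an IPv4/IPv6 literal, else None."""
    if value is None:
        return None
    candidate = value.strip()
    if candidate in NON_IP_PLACEHOLDERS:
        return None
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        # Anything else that is not an IP literal (hostnames, junk) is skipped too.
        return None


def enrich_event(event: Dict[str, Any]) -> Dict[str, Any]:
    """Model of the pipeline step: set source.ip / related.ip only for real IPs.

    The raw winlog.event_data.ClientAddress value is always left in place; an
    invalid value simply results in no source.ip rather than a pipeline error.
    """
    doc = copy.deepcopy(event)
    event_data = doc.get("winlog", {}).get("event_data") or {}
    ip = valid_ip(event_data.get("ClientAddress"))
    if ip is None:
        return doc
    doc.setdefault("source", {})["ip"] = ip
    related = doc.setdefault("related", {}).setdefault("ip", [])
    if ip not in related:  # related.ip is a set-like list in ECS, avoid duplicates
        related.append(ip)
    return doc


if __name__ == "__main__":
    # Constructed sample events mirroring the two cases the PR fixes.
    for addr in ("LOCAL", "Unknown", "192.0.2.10", "2001:db8::1"):
        out = enrich_event({"winlog": {"event_data": {"ClientAddress": addr}}})
        print(addr, "->", out.get("source", {}).get("ip"))
```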

@chemamartinez chemamartinez self-assigned this Aug 3, 2023
@chemamartinez chemamartinez marked this pull request as ready for review August 3, 2023 09:47
@chemamartinez chemamartinez requested review from a team as code owners August 3, 2023 09:47
@elasticmachine

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@elasticmachine

elasticmachine commented Aug 3, 2023

💚 Build Succeeded


Build stats

  • Start Time: 2023-08-03T09:47:05.513+0000

  • Duration: 15 min 38 sec

Test stats 🧪

Test Results
Failed 0
Passed 151
Skipped 0
Total 151


@elasticmachine

🌐 Coverage report

Name Metrics % (covered/total) Diff
Packages 100.0% (3/3) 💚
Files 100.0% (4/4) 💚
Classes 100.0% (4/4) 💚
Methods 63.415% (52/82) 👍 38.415
Lines 99.863% (2924/2928) 👎 -0.137
Conditionals 100.0% (0/0) 💚

Contributor

@bhapas bhapas left a comment


LGTM

@chemamartinez chemamartinez merged commit 196e624 into elastic:main Aug 4, 2023
@elasticmachine

Package system - 1.38.2 containing this change is available at https://epr.elastic.co/search?package=system

@chemamartinez chemamartinez deleted the sdh-3679-system-security-IP-validation branch February 6, 2025 10:30
Labels: bugfix (Pull request that fixes a bug issue), Integration:system (System)