From d6be9341d93eba56ee44a83c9937699733d5f03d Mon Sep 17 00:00:00 2001
From: Youhei Sakurai
Date: Sat, 3 Dec 2022 10:08:31 +0900
Subject: [PATCH] Fix parse of CommandLine in Falcon pipeline

Closes #4746
---
 .../falcon/_dev/test/pipeline/test-falcon-sample.log | 2 +-
 .../pipeline/test-falcon-sample.log-expected.json | 11 +++++++----
 .../falcon/elasticsearch/ingest_pipeline/default.yml | 2 +-
 3 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-sample.log b/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-sample.log
index 87070601c1..e98386107a 100644
--- a/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-sample.log
+++ b/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-sample.log
@@ -188,7 +188,7 @@
 "SeverityName": "Low",
 "FileName": "filename.exe",
 "FilePath": "\\Device\\HarddiskVolume2\\ProgramData\\file\\path",
- "CommandLine": "\"C:\\ProgramData\\file\\path\\filename.exe\" ",
+ "CommandLine": "\"C:\\ProgramData\\file\\path\\filename.exe\" arg1 arg2 arg3 ",
 "SHA256String": "0a123b185f9a32fde1df59897089014c92e3d08a0533b54baa72ba2a93d64deb",
 "MD5String": "0ab1235adca04aef6239f5496ef0a5df",
 "SHA1String": "0000000000000000000000000000000000000000",
diff --git a/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-sample.log-expected.json b/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-sample.log-expected.json
index df0299c3da..8ae3132ff3 100644
--- a/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-sample.log-expected.json
+++ b/packages/crowdstrike/data_stream/falcon/_dev/test/pipeline/test-falcon-sample.log-expected.json
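Review bot: The new fixture value `"\"C:\\ProgramData\\file\\path\\filename.exe\" arg1 arg2 arg3 "` appears to separate its tokens with single spaces, and the pipeline calls `trim()` first, so `/ /.split(...)` should yield no empty strings and `args.removeIf(arg -> arg == "")` never actually removes anything. As far as I can tell a fixed-size `Arrays.asList` view only throws on a real removal, so if this reading is right (whitespace may have been collapsed in this rendering) the fixture would also pass against the pre-fix pipeline and does not regression-test #4746. Consider a value with consecutive spaces, e.g. `"\"C:\\ProgramData\\file\\path\\filename.exe\"  arg1   arg2 "`, so the removal branch is exercised and the expected `process.args` pins that empty tokens are dropped.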
@@ -401,7 +401,7 @@
 },
 "crowdstrike": {
 "event": {
- "CommandLine": "\"C:\\ProgramData\\file\\path\\filename.exe\" ",
+ "CommandLine": "\"C:\\ProgramData\\file\\path\\filename.exe\" arg1 arg2 arg3 ",
 "ComputerName": "TESTDEVICE01",
 "DetectDescription": "This file meets the machine learning-based on-sensor AV protection's low confidence threshold for malicious files.",
 "DetectId": "ldt:1abcd2345b8c4151a0cb45dcfbe6d3d0:124559902719",
@@ -492,7 +492,7 @@ "malware" ], "kind": "alert", - "original": "{\n \"metadata\": {\n \"customerIDString\": \"12345a1bc2d34fghi56jk7890lmno12p\",\n \"offset\": 57047,\n \"eventType\": \"DetectionSummaryEvent\",\n \"eventCreationTime\": 1595002291000,\n \"version\": \"1.0\"\n },\n \"event\": {\n \"ProcessStartTime\": 1595002290,\n \"ProcessEndTime\": 1595002290,\n \"ProcessId\": 663790158277,\n \"ParentProcessId\": 627311656469,\n \"ComputerName\": \"TESTDEVICE01\",\n \"UserName\": \"First.last\",\n \"DetectName\": \"NGAV\",\n \"DetectDescription\": \"This file meets the machine learning-based on-sensor AV protection's low confidence threshold for malicious files.\",\n \"Severity\": 2,\n \"SeverityName\": \"Low\",\n \"FileName\": \"filename.exe\",\n \"FilePath\": \"\\\\Device\\\\HarddiskVolume2\\\\ProgramData\\\\file\\\\path\",\n \"CommandLine\": \"\\\"C:\\\\ProgramData\\\\file\\\\path\\\\filename.exe\\\" \",\n \"SHA256String\": \"0a123b185f9a32fde1df59897089014c92e3d08a0533b54baa72ba2a93d64deb\",\n \"MD5String\": \"0ab1235adca04aef6239f5496ef0a5df\",\n \"SHA1String\": \"0000000000000000000000000000000000000000\",\n \"MachineDomain\": \"NA\",\n \"ExecutablesWritten\": [\n {\n \"Timestamp\": 1595002290,\n \"FileName\": \"NEURO_200_J1939Configuration.mexw64\",\n \"FilePath\": \"\\\\Device\\\\HarddiskVolume2\\\\ProgramData\\\\file\\\\path\\\\is\\\\right\\\\here\\\\folder\"\n },\n {\n \"Timestamp\": 1595002290,\n \"FileName\": \"NEURO_200_J1939Configuration.mexw64\",\n \"FilePath\": \"\\\\Device\\\\HarddiskVolume2\\\\ProgramData\\\\file\\\\path\\\\is\\\\right\\\\here\\\\folder\"\n },\n {\n \"Timestamp\": 1595002290,\n \"FileName\": \"NEURO_200_J1939CanPackMessage.mexw64\",\n \"FilePath\": \"\\\\Device\\\\HarddiskVolume2\\\\ProgramData\\\\file\\\\path\\\\is\\\\right\\\\here\\\\folder\"\n },\n {\n \"Timestamp\": 1595002290,\n \"FileName\": \"NEURO_200_J1939CanPackMessage.mexw64\",\n \"FilePath\": 
\"\\\\Device\\\\HarddiskVolume2\\\\ProgramData\\\\file\\\\path\\\\is\\\\right\\\\here\\\\folder\"\n }\n ],\n \"FalconHostLink\": \"https://falcon.crowdstrike.com/activity/detections/detail/1abcd2345b8c4151a0cb45dcfbe6d3d0/124559902719?_cid=12345a1bc2d34fghi56jk7890lmno12p\",\n \"SensorId\": \"1abcd2345b8c4151a0cb45dcfbe6d3d0\",\n \"IOCType\": \"hash_sha256\",\n \"IOCValue\": \"0a123b185f9a32fde1df59897089014c92e3d08a0533b54baa72ba2a93d64deb\",\n \"DetectId\": \"ldt:1abcd2345b8c4151a0cb45dcfbe6d3d0:124559902719\",\n \"LocalIP\": \"10.1.190.117\",\n \"MACAddress\": \"54-ad-d4-d2-a8-0b\",\n \"Tactic\": \"Machine Learning\",\n \"Technique\": \"Sensor-based ML\",\n \"Objective\": \"Falcon Detection Method\",\n \"PatternDispositionDescription\": \"Detection, process would have been blocked if related prevention policy setting was enabled.\",\n \"PatternDispositionValue\": 2304,\n \"PatternDispositionFlags\": {\n \"Indicator\": false,\n \"Detect\": false,\n \"InddetMask\": false,\n \"SensorOnly\": false,\n \"Rooting\": false,\n \"KillProcess\": false,\n \"KillSubProcess\": false,\n \"QuarantineMachine\": false,\n \"QuarantineFile\": false,\n \"PolicyDisabled\": true,\n \"KillParent\": false,\n \"OperationBlocked\": false,\n \"ProcessBlocked\": true,\n \"RegistryOperationBlocked\": false,\n \"CriticalProcessDisabled\": false,\n \"BootupSafeguardEnabled\": false,\n \"FsOperationBlocked\": false\n },\n \"ParentImageFileName\": \"\\\\Device\\\\HarddiskVolume2\\\\Windows\\\\explorer.exe\",\n \"ParentCommandLine\": \"C:\\\\Windows\\\\Explorer.EXE\",\n \"GrandparentImageFileName\": \"\\\\Device\\\\HarddiskVolume2\\\\Windows\\\\System32\\\\userinit.exe\",\n \"GrandparentCommandLine\": \"C:\\\\Windows\\\\system32\\\\userinit.exe\"\n }\n}", + "original": "{\n \"metadata\": {\n \"customerIDString\": \"12345a1bc2d34fghi56jk7890lmno12p\",\n \"offset\": 57047,\n \"eventType\": \"DetectionSummaryEvent\",\n \"eventCreationTime\": 1595002291000,\n \"version\": \"1.0\"\n },\n \"event\": 
{\n \"ProcessStartTime\": 1595002290,\n \"ProcessEndTime\": 1595002290,\n \"ProcessId\": 663790158277,\n \"ParentProcessId\": 627311656469,\n \"ComputerName\": \"TESTDEVICE01\",\n \"UserName\": \"First.last\",\n \"DetectName\": \"NGAV\",\n \"DetectDescription\": \"This file meets the machine learning-based on-sensor AV protection's low confidence threshold for malicious files.\",\n \"Severity\": 2,\n \"SeverityName\": \"Low\",\n \"FileName\": \"filename.exe\",\n \"FilePath\": \"\\\\Device\\\\HarddiskVolume2\\\\ProgramData\\\\file\\\\path\",\n \"CommandLine\": \"\\\"C:\\\\ProgramData\\\\file\\\\path\\\\filename.exe\\\" arg1 arg2 arg3 \",\n \"SHA256String\": \"0a123b185f9a32fde1df59897089014c92e3d08a0533b54baa72ba2a93d64deb\",\n \"MD5String\": \"0ab1235adca04aef6239f5496ef0a5df\",\n \"SHA1String\": \"0000000000000000000000000000000000000000\",\n \"MachineDomain\": \"NA\",\n \"ExecutablesWritten\": [\n {\n \"Timestamp\": 1595002290,\n \"FileName\": \"NEURO_200_J1939Configuration.mexw64\",\n \"FilePath\": \"\\\\Device\\\\HarddiskVolume2\\\\ProgramData\\\\file\\\\path\\\\is\\\\right\\\\here\\\\folder\"\n },\n {\n \"Timestamp\": 1595002290,\n \"FileName\": \"NEURO_200_J1939Configuration.mexw64\",\n \"FilePath\": \"\\\\Device\\\\HarddiskVolume2\\\\ProgramData\\\\file\\\\path\\\\is\\\\right\\\\here\\\\folder\"\n },\n {\n \"Timestamp\": 1595002290,\n \"FileName\": \"NEURO_200_J1939CanPackMessage.mexw64\",\n \"FilePath\": \"\\\\Device\\\\HarddiskVolume2\\\\ProgramData\\\\file\\\\path\\\\is\\\\right\\\\here\\\\folder\"\n },\n {\n \"Timestamp\": 1595002290,\n \"FileName\": \"NEURO_200_J1939CanPackMessage.mexw64\",\n \"FilePath\": \"\\\\Device\\\\HarddiskVolume2\\\\ProgramData\\\\file\\\\path\\\\is\\\\right\\\\here\\\\folder\"\n }\n ],\n \"FalconHostLink\": \"https://falcon.crowdstrike.com/activity/detections/detail/1abcd2345b8c4151a0cb45dcfbe6d3d0/124559902719?_cid=12345a1bc2d34fghi56jk7890lmno12p\",\n \"SensorId\": \"1abcd2345b8c4151a0cb45dcfbe6d3d0\",\n \"IOCType\": 
\"hash_sha256\",\n \"IOCValue\": \"0a123b185f9a32fde1df59897089014c92e3d08a0533b54baa72ba2a93d64deb\",\n \"DetectId\": \"ldt:1abcd2345b8c4151a0cb45dcfbe6d3d0:124559902719\",\n \"LocalIP\": \"10.1.190.117\",\n \"MACAddress\": \"54-ad-d4-d2-a8-0b\",\n \"Tactic\": \"Machine Learning\",\n \"Technique\": \"Sensor-based ML\",\n \"Objective\": \"Falcon Detection Method\",\n \"PatternDispositionDescription\": \"Detection, process would have been blocked if related prevention policy setting was enabled.\",\n \"PatternDispositionValue\": 2304,\n \"PatternDispositionFlags\": {\n \"Indicator\": false,\n \"Detect\": false,\n \"InddetMask\": false,\n \"SensorOnly\": false,\n \"Rooting\": false,\n \"KillProcess\": false,\n \"KillSubProcess\": false,\n \"QuarantineMachine\": false,\n \"QuarantineFile\": false,\n \"PolicyDisabled\": true,\n \"KillParent\": false,\n \"OperationBlocked\": false,\n \"ProcessBlocked\": true,\n \"RegistryOperationBlocked\": false,\n \"CriticalProcessDisabled\": false,\n \"BootupSafeguardEnabled\": false,\n \"FsOperationBlocked\": false\n },\n \"ParentImageFileName\": \"\\\\Device\\\\HarddiskVolume2\\\\Windows\\\\explorer.exe\",\n \"ParentCommandLine\": \"C:\\\\Windows\\\\Explorer.EXE\",\n \"GrandparentImageFileName\": \"\\\\Device\\\\HarddiskVolume2\\\\Windows\\\\System32\\\\userinit.exe\",\n \"GrandparentCommandLine\": \"C:\\\\Windows\\\\system32\\\\userinit.exe\"\n }\n}", "outcome": "unknown", "severity": 2, "type": [ 
@@ -513,9 +513,12 @@
 "message": "This file meets the machine learning-based on-sensor AV protection's low confidence threshold for malicious files.",
 "process": {
 "args": [
- "\"C:\\ProgramData\\file\\path\\filename.exe\""
+ "\"C:\\ProgramData\\file\\path\\filename.exe\"",
+ "arg1",
+ "arg2",
+ "arg3"
 ],
- "command_line": "\"C:\\ProgramData\\file\\path\\filename.exe\"",
+ "command_line": "\"C:\\ProgramData\\file\\path\\filename.exe\" arg1 arg2 arg3",
 "executable": "\"C:\\ProgramData\\file\\path\\filename.exe\"",
 "name": "filename.exe",
 "parent": {
diff --git a/packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml b/packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml
index a7969fc4d3..d1c6b5b6fb 100644
--- a/packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/crowdstrike/data_stream/falcon/elasticsearch/ingest_pipeline/default.yml
@@ -309,7 +309,7 @@ processors:
 commandLine = commandLine.trim();
 if (commandLine != "") {
- def args = Arrays.asList(/ /.split(commandLine));
+ def args = new ArrayList(Arrays.asList(/ /.split(commandLine)));
 args.removeIf(arg -> arg == "");
 ctx.process = [
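Review bot: The expected output keeps the literal surrounding double quotes in `process.args[0]` and in `"executable": "\"C:\\ProgramData\\file\\path\\filename.exe\""`, so this fixture locks in a `process.executable` that is not a bare path and will not join against `process.name`, `file.path` or hash-based indicators in detection rules. Because the pipeline tokenises on bare spaces (`/ /.split(commandLine)` in the default.yml hunk below), a quoted executable path containing a space would also be scattered across several `args` elements and `executable` would hold only the first fragment. I would expect `"executable": "C:\\ProgramData\\file\\path\\filename.exe"` here, with the quote-stripping done in the pipeline, and a second sample whose path is e.g. `"C:\\Program Files\\vendor\\tool.exe"` so that case is pinned by the test; the pipeline script containing the split continues outside the visible hunk.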