From 60478cf1972687d4a840ac734293991c1a78e428 Mon Sep 17 00:00:00 2001
From: r00tu53r
Date: Wed, 6 Oct 2021 19:43:35 +1100
Subject: [PATCH 1/2] Resolved timestamp for defender atp
---
 filebeat/tests/system/test_modules.py | 1 -
 .../module/microsoft/defender_atp/ingest/pipeline.yml | 9 +++++----
 .../test/defender_atp-test.json.log-expected.json | 4 ++++
 3 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/filebeat/tests/system/test_modules.py b/filebeat/tests/system/test_modules.py
index 3702de33c94..b552560f83c 100644
--- a/filebeat/tests/system/test_modules.py
+++ b/filebeat/tests/system/test_modules.py
@@ -274,7 +274,6 @@ def clean_keys(obj):
 "symantec.endpointprotection",
 "system.auth",
 "system.syslog",
- "microsoft.defender_atp",
 "crowdstrike.falcon_endpoint",
 "crowdstrike.falcon_audit",
 "zoom.webhook",
diff --git a/x-pack/filebeat/module/microsoft/defender_atp/ingest/pipeline.yml b/x-pack/filebeat/module/microsoft/defender_atp/ingest/pipeline.yml
index aa8e3f97692..7a1d11e8af1 100644
--- a/x-pack/filebeat/module/microsoft/defender_atp/ingest/pipeline.yml
+++ b/x-pack/filebeat/module/microsoft/defender_atp/ingest/pipeline.yml
@@ -45,10 +45,11 @@ processors:
 - set:
 field: cloud.provider
 value: azure
-- set:
- field: '@timestamp'
- value: '{{json.alertUpdateTime}}'
- if: ctx.json?.alertUpdateTime != null
+- date:
+ field: json.lastUpdateTime
+ formats:
+ - ISO8601
+ if: ctx.json?.lastUpdateTime != null
 - rename:
 field: json.aadTenantId
 target_field: cloud.account.id
diff --git a/x-pack/filebeat/module/microsoft/defender_atp/test/defender_atp-test.json.log-expected.json b/x-pack/filebeat/module/microsoft/defender_atp/test/defender_atp-test.json.log-expected.json
index 81593221228..df3441fb8b9 100644
--- a/x-pack/filebeat/module/microsoft/defender_atp/test/defender_atp-test.json.log-expected.json
+++ b/x-pack/filebeat/module/microsoft/defender_atp/test/defender_atp-test.json.log-expected.json
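Review bot: The new `date` processor in the pipeline.yml hunk has no `on_failure` handler, so a `lastUpdateTime` value that is not ISO 8601 — including an empty string, which the `!= null` guard lets through — fails the whole document instead of leaving `@timestamp` unset, unless a pipeline-level `on_failure` outside this hunk catches it. Parsing the value is an improvement over the removed `set`, which copied `{{json.alertUpdateTime}}` into `@timestamp` unvalidated, but a per-processor handler that records the failure in `error.message` keeps the event indexed for triage. I would also state `target_field: '@timestamp'` explicitly rather than rely on the processor default, so the intent that this field becomes the event timestamp is visible in the pipeline. The `processors` list continues outside the hunk.
```yaml
- date:
    field: json.lastUpdateTime
    target_field: '@timestamp'
    # … unchanged: formats and if …
    on_failure:
      - append:
          field: error.message
          value: '{{{ _ingest.on_failure_message }}}'
```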
@@ -1,5 +1,6 @@
 [
 {
+ "@timestamp": "2020-07-03T15:15:39.130Z",
 "cloud.account.id": "123543-d66c-4c7e-9e30-40034eb7c6f3",
 "cloud.instance.id": "c5a964f417c11f6277d5bf9489f0d",
 "cloud.provider": "azure",
@@ -53,6 +54,7 @@
 "threat.technique.name": "Malware"
 },
 {
+ "@timestamp": "2020-06-30T15:29:44.773Z",
 "cloud.account.id": "123543-d66c-4c7e-9e30-40034eb7c6f3",
 "cloud.instance.id": "543bc5a964f417c11f6277d5bf9489f0d",
 "cloud.provider": "azure",
@@ -123,6 +125,7 @@
 "user.name": "administrator1"
 },
 {
+ "@timestamp": "2020-06-30T15:29:44.773Z",
 "cloud.account.id": "43521344-d66c-4c7e-9e30-40034eb7c6f3",
 "cloud.instance.id": "53425a964f417c11f6277d5bf9489f0d",
 "cloud.provider": "azure",
@@ -184,6 +187,7 @@
 "user.name": "administrator1"
 },
 {
+ "@timestamp": "2020-06-30T11:13:12.900Z",
 "cloud.account.id": "1234543-d66c-4c7e-9e30-40034eb7c6f3",
 "cloud.instance.id": "t4563234bc5a964f417c11f6277d5bf9489f0d",
 "cloud.provider": "azure",
From 78cf129f01c568638e338551cefef66813f86e25 Mon Sep 17 00:00:00 2001
From: r00tu53r
Date: Wed, 6 Oct 2021 19:49:07 +1100
Subject: [PATCH 2/2] update changelog for 28272
---
 CHANGELOG.next.asciidoc | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 1aa74ca99a3..3dcd3c93600 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -306,6 +306,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Update indentation for azure filebeat configuration. {pull}26604[26604]
 - Update Sophos xg module pipeline to deal with missing `date` and `time` fields. {pull}27834[27834]
 - sophos/xg fileset: Add missing pipeline for System Health logs. {pull}27827[27827] {issue}27826[27826]
+- Resolve issue with @timestamp for defender_atp. {pull}28272[28272]
 *Heartbeat*