filebeat/module/crowdstrike: fix LocalIP and UserIP with N/A value

[elauqsap]

What does this PR do?

This PR fixes an issue causing an illegal_argument_exception when source.ip is indexed with a value of N/A.

Why is it important?

The document won't be ingested potentially causing data loss for users and lengthening MTTD for security events.

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Author's Checklist

• [ ]

How to test this PR locally

Related issues

Use cases

Screenshots

Logs

[mergify]

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @elauqsap? 🙏.
For such, you'll need to label your PR with:

• The upcoming major version of the Elastic Stack
• The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-v8./d.0 is the label to automatically backport to the 8./d branch. /d is the digit

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2022-10-24T21:40:35.676+0000

• Duration: 69 min 33 sec

Test stats 🧪

Test	Results
Failed	0
Passed	429
Skipped	0
Total	429

💚 Flaky test report

Tests succeeded.

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

• /package : Generate the packages and run the E2E tests.

• /beats-tester : Run the installation tests with beats-tester.

• run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

[efd6]

Thank you for the contribution.

Please add a test and a line in the CHANGELOG.next.asciidoc file under the Bugfixes for Filebeat; something along the lines of - Fix handling of invalid UserIP and LocalIP values. {pull}32896[32896].

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[botelastic]

This pull request doesn't have a Team:<team> label.

[efd6]

/test

[efd6]

Are you able to regenerate the test files? This can be done with

TESTING_FILEBEAT_MODULES=crowdstrike MODULES_PATH=module GENERATE=true mage -v pythonIntegTest

in the x-pack/filebeat directory.

If not, please let me know and will do that for you.

[elauqsap]

Unfortunately the Makefile in the x-pack/filebeat directory is not working and I don't have mage built.

[efd6]

The following changes will fix the tests (note that the whitespace changes are significant).

diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log
index 0622d930cb..eb2b87955b 100644
--- a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log
+++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log
@@ -291,4 +291,4 @@
         "Success": true,
         "UTCTimestamp": 1581601820289
     }
-}
\ No newline at end of file
+}
diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json
index e08637ea63..98ca437b2b 100644
--- a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json
+++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json
@@ -638,7 +638,6 @@
         "crowdstrike.event.Success": true,
         "crowdstrike.event.UTCTimestamp": "2020-02-13T13:50:20.289Z",
         "crowdstrike.event.UserId": "[email protected]",
-        "crowdstrike.event.UserIp": "N/A",
         "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b",
         "crowdstrike.metadata.eventCreationTime": "2020-02-13T13:50:20.289Z",
         "crowdstrike.metadata.eventType": "AuthActivityAuditEvent",
@@ -660,7 +659,7 @@
         "log.flags": [
             "multiline"
         ],
-        "log.offset": 6627,
+        "log.offset": 8094,
         "message": "CrowdStrike Authentication",
         "related.user": [
             "[email protected]"
diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log
index 41e8054609..0980bf0fb6 100644
--- a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log
+++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log
@@ -91,4 +91,4 @@
         ],
         "UTCTimestamp": 1593186952
     }
-}
\ No newline at end of file
+}

[andrewkroh]

/test

[efd6]

/test