varonis: add pre-processor option to allow ingestion of non-conformant CEF messages (#13822)

Add a config option to add "pre-processors" which will run before
the "decode_cef" processor on the agent. CEF messages from some sources
may be malformed by not following the CEF spec exactly, which can then
cause problems in the "decode_cef" processor. Having a pre-processor
will allow running scripts that can correct the malformed CEF messages,
and allow decode_cef to process them correctly.

New test sample provided in issue from user.

Author: efd6

packages/varonis/_dev/build/docs/README.md

@@ -29,6 +29,15 @@ Users can configure the syslog server address in DatAlert so that alerts can be
 
 This integration expects to use `External system default template (CEF)` for alert forwarding in Varonis DatAlert tool. In case any custom template is used, all the fields in `External system default template (CEF)` should also be present in custom template along with the other additional fields. Additional fields will be part of `varonis.logs` object and such fields will be indexed only if dynamic mapping is enabled in Elasticsearch.
 
+## Pre-Processors
+
+There are cases where incoming CEF messages do not follow the CEF specification exactly, and this can cause errors with
+message decoding. To work around this, there is an option for pre-processors, which are run before the CEF message is decoded.
+These can be used modify the message to follow the CEF specification correctly, which will allow proper decoding.
+
+The pre-processors will modify the `message` field before CEF decoding is done on the agent, but the original, non-preprocessed,
+message will still be preserved in the `event.original` field when the agent sends the event.
+
 ## Logs reference
 
 ### varonis.logs

packages/varonis/_dev/deploy/docker/docker-compose.yml

@@ -10,3 +10,13 @@ services:
     volumes:
       - ./sample_logs:/sample_logs:ro
     command: log --start-signal=SIGHUP --delay=6s --addr elastic-agent:9031 -p=tcp /sample_logs/varonis.log
+  varonis-udp-invalid-cef:
+    image: docker.elastic.co/observability/stream:v0.15.0
+    volumes:
+      - ./sample_logs:/sample_logs:ro
+    command: log --start-signal=SIGHUP --delay=6s --addr elastic-agent:9032 -p=udp /sample_logs/varonis_invalid_cef.log
+  varonis-tcp-invalid-cef:
+    image: docker.elastic.co/observability/stream:v0.15.0
+    volumes:
+      - ./sample_logs:/sample_logs:ro
+    command: log --start-signal=SIGHUP --delay=6s --addr elastic-agent:9033 -p=tcp /sample_logs/varonis_invalid_cef.log

packages/varonis/_dev/deploy/docker/sample_logs/varonis_invalid_cef.log

@@ -0,0 +1,2 @@
+<14>Apr 28 15:59:01 VARONISSRVR1 CEF:0|Varonis Inc.|DatAdvantage|8.7.1|5015|DS object permission added|3|rt=Apr 28 2025 15:01:42 cat=Alert cs2=Permission changes on OU cs2Label=RuleName cn1=142 cn1Label=RuleID end=Apr 28 2025 14:53:02 duser=contosofoo.com\Bourne Jr., Jason dhost=AD-contosofoo.com filePath=contosofoo.com\Home Office Site\Computers\Containered fname=Containered act=DS object permission added dvchost=Compute outcome=Success msg=Permissions were added to "Containered" for group "contosofoo.com\Group Admins-Region_200" cs3= cs3Label=AttachmentName cs4= cs4Label=ClientAccessType deviceCustomDate1= fileType= cs1= cs1Label=MailRecipient suser= cs5= cs5Label=MailboxAccessType cnt= cs6= cs6Label=ChangedPermissions oldFilePermission= filePermission=Write dpriv=contosofoo.com\Group Admins-Region_200 start=Apr 28 2025 14:53:02
+<14>Apr 28 15:59:02 VARONISSRVR1 CEF:0|Varonis Inc.|DatAdvantage|8.7.1|5015|DS object permission added|3|rt=Apr 28 2025 15:01:42 cat=Alert cs2=Permission changes on OU cs2Label=RuleName cn1=142 cn1Label=RuleID end=Apr 28 2025 14:53:04 duser=contosofoo.com\Bourne Jr., Jason dhost=AD-contosofoo.com filePath=contosofoo.com\Home Office Site\Computers\Containered fname=Containered act=DS object permission added dvchost=Compute outcome=Success msg=Permissions were added to "Containered" for group "contosofoo.com\Group Admins-Region_200" cs3= cs3Label=AttachmentName cs4= cs4Label=ClientAccessType deviceCustomDate1= fileType= cs1= cs1Label=MailRecipient suser= cs5= cs5Label=MailboxAccessType cnt= cs6= cs6Label=ChangedPermissions oldFilePermission= filePermission=Write dpriv=contosofoo.com\Group Admins-Region_200 start=Apr 28 2025 14:53:03

packages/varonis/changelog.yml

@@ -1,3 +1,8 @@
+- version: "0.2.0"
+  changes:
+    - description: Add preprocessors config option, to allow running processors before CEF messages are decoded.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/13822
 - version: "0.1.0"
   changes:
     - description: Initial release.

packages/varonis/data_stream/logs/_dev/test/system/test-tcp-invalid-cef-config.yml

@@ -0,0 +1,27 @@
+service: varonis-tcp-invalid-cef
+service_notify_signal: SIGHUP
+input: tcp
+data_stream:
+  vars:
+    tcp_host: 0.0.0.0
+    tcp_port: 9033
+    preserve_original_event: true
+    tags:
+      - forwarded
+    preprocessors: |
+      - script:
+          lang: javascript
+          description: Escape backslash characters.
+          source: >
+            function process(event) {
+              var m = event.Get("message");
+              event.Put("message", m.replace(/\\/g, "\\\\"));
+              return event;
+            }
+            function test() {
+              if ("\\".replace(/\\/g, "\\\\") !== "\\\\") {
+                throw "expected replace \\ to \\\\ failed";
+              }
+            }
+assert:
+  - hit_count: 2

packages/varonis/data_stream/logs/_dev/test/system/test-udp-invalid-cef-config.yml

@@ -0,0 +1,27 @@
+service: varonis-udp-invalid-cef
+service_notify_signal: SIGHUP
+input: udp
+data_stream:
+  vars:
+    udp_host: 0.0.0.0
+    udp_port: 9032
+    preserve_original_event: true
+    tags:
+      - forwarded
+    preprocessors: |
+      - script:
+          lang: javascript
+          description: Escape backslash characters.
+          source: >
+            function process(event) {
+              var m = event.Get("message");
+              event.Put("message", m.replace(/\\/g, "\\\\"));
+              return event;
+            }
+            function test() {
+              if ("\\".replace(/\\/g, "\\\\") !== "\\\\") {
+                throw "expected replace \\ to \\\\ failed";
+              }
+            }
+assert:
+  - hit_count: 2

packages/varonis/data_stream/logs/agent/stream/tcp.yml.hbs

@@ -17,13 +17,27 @@ publisher_pipeline.disable_host: true
 {{/contains}}
 
 processors:
+{{#if preprocessors}}
+- copy_fields:
+    fields:
+      - from: "message"
+        to: "@metadata.event_original"
+{{preprocessors}}
+{{/if}}
 - rename:
     fields:
       - {from: "message", to: "event.original"}
 
 - decode_cef:
     field: event.original
 
+{{#if preprocessors}}
+- convert:
+    mode: rename
+    fields:
+      - from: "@metadata.event_original"
+        to: "event.original"
+{{/if}}
 {{#if processors}}
 {{processors}}
 {{/if}}

packages/varonis/data_stream/logs/agent/stream/udp.yml.hbs

@@ -13,13 +13,27 @@ publisher_pipeline.disable_host: true
 {{/contains}}
 
 processors:
+{{#if preprocessors}}
+- copy_fields:
+    fields:
+      - from: "message"
+        to: "@metadata.event_original"
+{{preprocessors}}
+{{/if}}
 - rename:
     fields:
       - {from: "message", to: "event.original"}
 
 - decode_cef:
     field: event.original
 
+{{#if preprocessors}}
+- convert:
+    mode: rename
+    fields:
+      - from: "@metadata.event_original"
+        to: "event.original"
+{{/if}}
 {{#if processors}}
 {{processors}}
 {{/if}}

packages/varonis/data_stream/logs/fields/fields.yml

@@ -35,6 +35,9 @@
         - name: device_event_category
           type: keyword
           description: The category of the device event.
+        - name: device_host_name
+          type: keyword
+          description: The host name of the device.
         - name: device_receipt_time
           description: The time the device received the event.
         - name: base_event_count

packages/varonis/data_stream/logs/manifest.yml

@@ -39,6 +39,15 @@ streams:
         default:
           - cef
           - forwarded
+      - name: preprocessors
+        title: Pre-Processors
+        type: yaml
+        description: >
+          Pre-processors are run before the CEF message is decoded. They can be used to correct CEF formatting inconsistencies that may exist from some sources.
+          See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+        required: false
+        show_user: false
+        multi: false
       - name: processors
         type: yaml
         title: Processors
@@ -86,6 +95,15 @@ streams:
         default:
           - cef
           - forwarded
+      - name: preprocessors
+        title: Pre-Processors
+        type: yaml
+        description: >
+          Pre-processors are run before the CEF message is decoded. They can be used to correct CEF formatting inconsistencies that may exist from some sources.
+          See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details.
+        required: false
+        show_user: false
+        multi: false
       - name: processors
         type: yaml
         title: Processors