Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add process.command_line to Sysmon module #17327

Closed
wants to merge 1 commit into from
Closed

Add process.command_line to Sysmon module #17327

wants to merge 1 commit into from

Conversation

webhead404
Copy link
Contributor

@webhead404 webhead404 commented Mar 30, 2020
edited by andresrc
Loading

Adds the process.command_line field to Sysmon module that does not split the field into multiple values.

-Enhancement

What does this PR do?

Added process.command_line field to sysmon module.

Why is it important?

Previously the only field for the Sysmon module was process.args

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Related issues

@webhead404
Add process.command_line to Sysmon module
70056da 
Adds the process.command_line field to Sysmon module that does not split the field into multiple values.
@webhead404 webhead404 requested a review from a team as a code owner March 30, 2020 14:03
@elasticmachine
Copy link
Collaborator

Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually?

1 similar comment
@elasticmachine
Copy link
Collaborator

Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually?

@cla-checker-service
Copy link

cla-checker-service bot commented Mar 30, 2020
edited
Loading

💚 CLA has been signed

@elasticmachine
Copy link
Collaborator

Pinging @elastic/siem (Team:SIEM)

@webhead404
Copy link
Contributor Author

I did sign CLA, looks like the bot hasn't updated status.

andrewkroh
andrewkroh requested changes Apr 1, 2020
View reviewed changes
Copy link
Member

@andrewkroh andrewkroh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the contribution!

x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js
@@ -307,6 +307,7 @@ var sysmon = (function () {
return;
}
evt.Put(field, winlogbeat.splitCommandLine(commandLine));
evt.Put("process.command_line", commandLine);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Check out where this function is called. It's used in two different contexts so hard-coding the target field won't work. I suggest changing the field parameter to be the target namespace. Like this, then update the callers.

var splitCommandLine = function(evt, namespace) {
        var commandLine = evt.Get(field);
        if (!commandLine) {
            return;
        }
        evt.Put(namespace+".args", winlogbeat.splitCommandLine(commandLine));
        evt.Put(namespace+".command_line", commandLine);
}

@andrewkroh andrewkroh mentioned this pull request Apr 20, 2020
Merged
3 tasks
@andrewkroh
Copy link
Member

I opened #17823 to finish the change. It looks like this fork no longer exists.

@andrewkroh andrewkroh closed this Apr 20, 2020
@zube zube bot added [zube]: Done and removed [zube]: Inbox labels Apr 20, 2020
@andrewkroh andrewkroh mentioned this pull request May 4, 2020
Merged
3 tasks
@rw-access rw-access mentioned this pull request Jul 23, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@andrewkroh andrewkroh andrewkroh requested changes

Assignees
No one assigned
Labels
review [zube]: Done
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Winlogbeat] CLI Values to ECS process.command_line
5 participants
@webhead404 @elasticmachine @andrewkroh @andresrc @ChrsMark