-
Notifications
You must be signed in to change notification settings - Fork 4.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Winlogbeat] Add support for FileDelete events (event id 23) to sysmon module #18340
[Winlogbeat] Add support for FileDelete events (event id 23) to sysmon module #18340
Conversation
Pinging @elastic/siem (Team:SIEM) |
💚 Build SucceededExpand to view the summary
Build stats
Test stats 🧪
|
x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-registry.evtx.golden.json
Outdated
Show resolved
Hide resolved
to: "process.executable", | ||
}, | ||
{ | ||
from: "winlog.event_data.Archived", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The process
namespace is "managed" by ECS. If archived
and is_executable
are not part of ECS then we should not add them to process
.
Either leave them as-is or copy them over to a sysmon
namespace like sysmon.is_archived
. Then add an entry to this file for the field. https://github.com/elastic/beats/blob/master/x-pack/winlogbeat/module/sysmon/_meta/fields.yml The benefit of copying them is that we can set the correct data type. Leaving them in winlog.event_data
means they will be a keyword
in Elasticsearch rather than boolean.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added them to sysmon.file.archived
and sysmon.file.is_executable
👍
8dbb6cc
to
0eab793
Compare
FileDelete events were added in Sysmon v11. Prior to this change processing such events lead to an 'unexpected sysmon event_id' error message. Closes elastic#18094
0eab793
to
69510ad
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. Congrats on your first Beats PR 🍾 .
As a follow-up pull request, I noticed a few issues with the module as a whole that we should address.
- Set
related.hash
. - Set
file.extension/name/directory
. hash.*
is not part of ECS. It should be used asfile.hash.*
orprocess.hash.*
. We can't delete the existinghash.*
fields until 8.0, so for 7.x we could populate them both. And then do a breaking change for 8.0 where we drophash.*
.
…stic#18340) FileDelete events were added in Sysmon v11. Prior to this change processing such events lead to an 'unexpected sysmon event_id' error message. Closes elastic#18094 (cherry picked from commit 0a327bb)
@marc-gr I opened #18364 to track those additional changes. And I disucssed the Normally you will merge the PRs after they are approved and green on CI, but I wanted to get this into the 7.8 branch asap so that it can be included in 7.8.0. This still needs to be backported into the 7.x branch. Can you please use the |
…stic#18340) FileDelete events were added in Sysmon v11. Prior to this change processing such events lead to an 'unexpected sysmon event_id' error message. Closes elastic#18094 (cherry picked from commit 0a327bb)
What does this PR do?
FileDelete events were added in Sysmon v11, this PR adds support for FileDelete events (event id 23) to sysmon module.
Why is it important?
Prior to this change processing such events lead to an 'unexpected sysmon event_id' error message.
Checklist
I have made corresponding changes to the documentationI have made corresponding change to the default configuration filesCHANGELOG.next.asciidoc
orCHANGELOG-developer.next.asciidoc
.TODO
Empty strings are replaced with “-“ to work around a WEF bugRelated issues
Closes #18094