-
Notifications
You must be signed in to change notification settings - Fork 4.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Winlogbeat] Improve ECS field mappings in Sysmon module. #18381
Conversation
Pinging @elastic/siem (Team:SIEM) |
21cfb4f
to
92ae20a
Compare
💚 Build SucceededExpand to view the summary
Build stats
Test stats 🧪
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice. Couple suggestions around using AppendTo for the arrays.
AppendTo doesn't make an array when you just add one item, not what we want.
92ae20a
to
61f7f7d
Compare
At the end it was changed to use AppendTo as @leehinman suggested since from ES standpoint there is no practical difference. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks great, just one minor comment on behavior.
5d4f37e
to
cd5e61a
Compare
cd5e61a
to
5e4bec0
Compare
var addHashes = function (evt, hashField) { | ||
var setRelatedIP = function (evt) { | ||
var sourceIP = evt.Get("source.ip"); | ||
if (sourceIP && net.isIP(sourceIP)) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
isIP
is unnecessary since you are copying from source.ip
a value that has already been validating by the convert
processor and type: ip
.
"entity_id": "{42f11c3b-4664-5eba-91ae-000000000000}", | ||
"executable": "C:\\Windows\\system32\\svchost.exe", | ||
"hash": { | ||
"imphash": "00000000000000000000000000000000", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe we should drop these? @andrewstucki, does this value have any meaning?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So that looks odd to me--my guess is that sysmon is returning all zeroes in the case of not being able to grab the import symbols of the binary--I'd have to read the docs around it a bit more to be sure. That said, for sure that's not a valid value. Also--imphash
itself is a pe
specific thing and shouldn't be treated like other general purposes hashes here, we actually carved out a field for it in pe
in ECS--so this should get:
- Dropped if it's all zeroes
- Potentially dropped from the
related.hash
field (clarifying with @webmat that that's meant for general purpose hashes, correct?) - Moved from
process.hash.imphash
toprocess.pe.imphash
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
btw, realized that imphash stuff is actually still not fully released (it's in unreleased ECS 1.6). It's not going away any time soon since the endpoint is using this field as well, but just making sure we're cool shipping this field a bit early?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Semantics of related.hash
are very broad. Any hash should be added there, even if it's a very specific thing like imphash 👍
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
then, keeping it in related.hash
and moving it from process.hash.imphash
to process.pe.imphash
sounds good, as far as it is good to ship process.pe.imphash
now?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Forward compatibility on upcoming fields like process.pe.imphash
is a product decision.
Although from the schema perspective, I've seen zero controversy about this new field. So I can say the risks of it changing until the ECS release are very slim. So this has my 👍
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think so.
For testing this I'd try seeing if you can ensure that bad imphash
isn't in the output--and then try an generate another event that actually captures the proper imphash.
I poked around to find references to sysmon returning all zero hashes and this is the only thing I could find and it seems to indicate an "empty imphash value".
What's interesting is that I just grabbed the hash for svchost.exe
from the Windows 2019 VM and it should be 247b9220e5d9b720a82b2c8b5069ad69
--so I'm wondering if something is just misconfigured in sysmon? Either way we should be stripping out the 0000s--so a test case for inclusion of valid values and exclusion of the all zeros might be nice.
5e4bec0
to
bcd220c
Compare
bcd220c
to
c5f19d3
Compare
return true; | ||
} | ||
|
||
var match = emptyHashRegex.exec(value); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you use .test
instead of .exec
since you don't need matches. This is usually more efficient.
return namespace + ".hash." + hashKey; | ||
}; | ||
|
||
var emptyHashRegex = new RegExp(/^0*$/); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
var emptyHashRegex = new RegExp(/^0*$/); | |
var emptyHashRegex = /^0*$/; |
Use literal notation when the regular expression will remain constant. Also with the constructor version the parameters are not enclosed in slashes IIRC.
- related.hash, related.ip, and related.user are now populated. - hashes are now also populated to the corresponding process.hash, process.pe.imphash, file.hash or file.pe.imphash - file.name, file.directory, and file.extension are now populated. - rule.name is populated for all events when present. Closes elastic#18364
c5f19d3
to
eef083f
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
- related.hash, related.ip, and related.user are now populated. - hashes are now also populated to the corresponding process.hash, process.pe.imphash, file.hash or file.pe.imphash - file.name, file.directory, and file.extension are now populated. - rule.name is populated for all events when present. Closes elastic#18364 (cherry picked from commit 096b88e)
- related.hash, related.ip, and related.user are now populated. - hashes are now also populated to the corresponding process.hash, process.pe.imphash, file.hash or file.pe.imphash - file.name, file.directory, and file.extension are now populated. - rule.name is populated for all events when present. Closes elastic#18364 (cherry picked from commit 096b88e)
…w-oss * upstream/master: (27 commits) Disable host fields for "cloud", panw, cef modules (elastic#18223) [docs] Rename monitoring collection from legacy internal collection to legacy collection (elastic#18504) Introduce auto detection of format (elastic#18095) Add additional fields to address issue elastic#18465 for googlecloud audit log (elastic#18472) Fix libbeat import path in seccomp policy template (elastic#18418) Address Okta input issue elastic#18530 (elastic#18534) [Ingest Manager] Avoid Chown on windows (elastic#18512) Fix Cisco ASA/FTD msgs that use a host name as NAT address (elastic#18376) [CI] Optimise stash/unstash performance (elastic#18473) Libbeat: Remove global loggers from libbeat/metric and libbeat/cloudid (elastic#18500) Fix PANW bad mapping of client/source and server/dest packets and bytes (elastic#18525) Add a file lock to the data directory on startup to prevent multiple agents. (elastic#18483) Followup to 12606 (elastic#18316) changed input from syslog to tcp/udp due to unsupported RFC (elastic#18447) Improve ECS field mappings in Sysmon module. (elastic#18381) [Elastic Agent] Cleaner output of inspect command (elastic#18405) [Elastic Agent] Pick up version from libbeat (elastic#18350) Update communitybeats.asciidoc (elastic#18470) [Metricbeat] Change visualization interval from 15m to >=15m (elastic#18466) docs: Fix typo in kerberos docs (elastic#18503) ...
- related.hash, related.ip, and related.user are now populated. - hashes are now also populated to the corresponding process.hash, process.pe.imphash, file.hash or file.pe.imphash - file.name, file.directory, and file.extension are now populated. - rule.name is populated for all events when present. Closes #18364 (cherry picked from commit 096b88e)
- related.hash, related.ip, and related.user are now populated. - hashes are now also populated to the corresponding process.hash, process.pe.imphash, file.hash or file.pe.imphash - file.name, file.directory, and file.extension are now populated. - rule.name is populated for all events when present. Closes #18364 (cherry picked from commit 096b88e)
What does this PR do?
Improve ECS field mappings in Sysmon module.
Why is it important?
Sysmon module was not reporting some fields and was reporting others in a namespace that was not aligned with ECS. This adds changes to improve the ECS field mapping for it.
Checklist
I have made corresponding changes to the documentationI have made corresponding change to the default configuration filesCHANGELOG.next.asciidoc
orCHANGELOG-developer.next.asciidoc
.Author's Checklist
NOTES:
process.parent.hash
is not present in any event (you can check here), so nothing was done for it.rule.name
has been added to all events that can have it according to the previous schema, but will be ignored if empty or its value is-
.hash
object will not be removed until 8.0 since it is a breaking change.Related issues
Closes #18364