[Winlogbeat] Improve ECS field mappings in Sysmon module. #18381
Conversation
botelastic
bot
added
the
needs_team
|
Pinging @elastic/siem (Team:SIEM) |
marc-gr
force-pushed
the
winlogbeat-sysmon_ecs_changes
branch
from
21cfb4f
to
92ae20a
Compare
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
|
leehinman
dismissed
their stale review
AppendTo doesn't make an array when you just add one item, not what we want.
marc-gr
force-pushed
the
winlogbeat-sysmon_ecs_changes
branch
from
92ae20a
to
61f7f7d
Compare
|
At the end it was changed to use AppendTo as @leehinman suggested since from ES standpoint there is no practical difference. |
marc-gr
force-pushed
the
winlogbeat-sysmon_ecs_changes
branch
2 times, most recently
from
5d4f37e
to
cd5e61a
Compare
marc-gr
force-pushed
the
winlogbeat-sysmon_ecs_changes
branch
from
cd5e61a
to
5e4bec0
Compare
| var addHashes = function (evt, hashField) { | ||
| var setRelatedIP = function (evt) { | ||
| var sourceIP = evt.Get("source.ip"); | ||
| if (sourceIP && net.isIP(sourceIP)) { |
There was a problem hiding this comment.
isIP is unnecessary since you are copying from source.ip a value that has already been validating by the convert processor and type: ip.
| "entity_id": "{42f11c3b-4664-5eba-91ae-000000000000}", | ||
| "executable": "C:\\Windows\\system32\\svchost.exe", | ||
| "hash": { | ||
| "imphash": "00000000000000000000000000000000", |
There was a problem hiding this comment.
Maybe we should drop these? @andrewstucki, does this value have any meaning?
There was a problem hiding this comment.
So that looks odd to me--my guess is that sysmon is returning all zeroes in the case of not being able to grab the import symbols of the binary--I'd have to read the docs around it a bit more to be sure. That said, for sure that's not a valid value. Also--imphash itself is a pe specific thing and shouldn't be treated like other general purposes hashes here, we actually carved out a field for it in pe in ECS--so this should get:
- Dropped if it's all zeroes
- Potentially dropped from the
related.hashfield (clarifying with @webmat that that's meant for general purpose hashes, correct?) - Moved from
process.hash.imphashtoprocess.pe.imphash
There was a problem hiding this comment.
btw, realized that imphash stuff is actually still not fully released (it's in unreleased ECS 1.6). It's not going away any time soon since the endpoint is using this field as well, but just making sure we're cool shipping this field a bit early?
There was a problem hiding this comment.
Semantics of related.hash are very broad. Any hash should be added there, even if it's a very specific thing like imphash 👍
There was a problem hiding this comment.
then, keeping it in related.hash and moving it from process.hash.imphash to process.pe.imphash sounds good, as far as it is good to ship process.pe.imphash now?
There was a problem hiding this comment.
Forward compatibility on upcoming fields like process.pe.imphash is a product decision.
Although from the schema perspective, I've seen zero controversy about this new field. So I can say the risks of it changing until the ECS release are very slim. So this has my 👍
There was a problem hiding this comment.
I think so.
For testing this I'd try seeing if you can ensure that bad imphash isn't in the output--and then try an generate another event that actually captures the proper imphash.
I poked around to find references to sysmon returning all zero hashes and this is the only thing I could find and it seems to indicate an "empty imphash value".
What's interesting is that I just grabbed the hash for svchost.exe from the Windows 2019 VM and it should be 247b9220e5d9b720a82b2c8b5069ad69--so I'm wondering if something is just misconfigured in sysmon? Either way we should be stripping out the 0000s--so a test case for inclusion of valid values and exclusion of the all zeros might be nice.
marc-gr
force-pushed
the
winlogbeat-sysmon_ecs_changes
branch
from
5e4bec0
to
bcd220c
Compare
marc-gr
force-pushed
the
winlogbeat-sysmon_ecs_changes
branch
from
bcd220c
to
c5f19d3
Compare
| return true; | ||
| } | ||
|
|
||
| var match = emptyHashRegex.exec(value); |
There was a problem hiding this comment.
Can you use .test instead of .exec since you don't need matches. This is usually more efficient.
| return namespace + ".hash." + hashKey; | ||
| }; | ||
|
|
||
| var emptyHashRegex = new RegExp(/^0*$/); |
There was a problem hiding this comment.
| var emptyHashRegex = new RegExp(/^0*$/); | |
| var emptyHashRegex = /^0*$/; |
Use literal notation when the regular expression will remain constant. Also with the constructor version the parameters are not enclosed in slashes IIRC.
- related.hash, related.ip, and related.user are now populated. - hashes are now also populated to the corresponding process.hash, process.pe.imphash, file.hash or file.pe.imphash - file.name, file.directory, and file.extension are now populated. - rule.name is populated for all events when present. Closes elastic#18364
marc-gr
force-pushed
the
winlogbeat-sysmon_ecs_changes
branch
from
c5f19d3
to
eef083f
Compare
- related.hash, related.ip, and related.user are now populated. - hashes are now also populated to the corresponding process.hash, process.pe.imphash, file.hash or file.pe.imphash - file.name, file.directory, and file.extension are now populated. - rule.name is populated for all events when present. Closes elastic#18364 (cherry picked from commit 096b88e)
- related.hash, related.ip, and related.user are now populated. - hashes are now also populated to the corresponding process.hash, process.pe.imphash, file.hash or file.pe.imphash - file.name, file.directory, and file.extension are now populated. - rule.name is populated for all events when present. Closes elastic#18364 (cherry picked from commit 096b88e)
…w-oss * upstream/master: (27 commits) Disable host fields for "cloud", panw, cef modules (elastic#18223) [docs] Rename monitoring collection from legacy internal collection to legacy collection (elastic#18504) Introduce auto detection of format (elastic#18095) Add additional fields to address issue elastic#18465 for googlecloud audit log (elastic#18472) Fix libbeat import path in seccomp policy template (elastic#18418) Address Okta input issue elastic#18530 (elastic#18534) [Ingest Manager] Avoid Chown on windows (elastic#18512) Fix Cisco ASA/FTD msgs that use a host name as NAT address (elastic#18376) [CI] Optimise stash/unstash performance (elastic#18473) Libbeat: Remove global loggers from libbeat/metric and libbeat/cloudid (elastic#18500) Fix PANW bad mapping of client/source and server/dest packets and bytes (elastic#18525) Add a file lock to the data directory on startup to prevent multiple agents. (elastic#18483) Followup to 12606 (elastic#18316) changed input from syslog to tcp/udp due to unsupported RFC (elastic#18447) Improve ECS field mappings in Sysmon module. (elastic#18381) [Elastic Agent] Cleaner output of inspect command (elastic#18405) [Elastic Agent] Pick up version from libbeat (elastic#18350) Update communitybeats.asciidoc (elastic#18470) [Metricbeat] Change visualization interval from 15m to >=15m (elastic#18466) docs: Fix typo in kerberos docs (elastic#18503) ...
- related.hash, related.ip, and related.user are now populated. - hashes are now also populated to the corresponding process.hash, process.pe.imphash, file.hash or file.pe.imphash - file.name, file.directory, and file.extension are now populated. - rule.name is populated for all events when present. Closes #18364 (cherry picked from commit 096b88e)
- related.hash, related.ip, and related.user are now populated. - hashes are now also populated to the corresponding process.hash, process.pe.imphash, file.hash or file.pe.imphash - file.name, file.directory, and file.extension are now populated. - rule.name is populated for all events when present. Closes #18364 (cherry picked from commit 096b88e)
What does this PR do?
Improve ECS field mappings in Sysmon module.
Why is it important?
Sysmon module was not reporting some fields and was reporting others in a namespace that was not aligned with ECS. This adds changes to improve the ECS field mapping for it.
Checklist
I have made corresponding changes to the documentationI have made corresponding change to the default configuration filesCHANGELOG.next.asciidocorCHANGELOG-developer.next.asciidoc.Author's Checklist
NOTES:
process.parent.hashis not present in any event (you can check here), so nothing was done for it.rule.namehas been added to all events that can have it according to the previous schema, but will be ignored if empty or its value is-.hashobject will not be removed until 8.0 since it is a breaking change.Related issues
Closes #18364