
Cherry-pick #18381 to 7.8: Improve ECS field mappings in Sysmon module. (#18381) #18518

Merged: 1 commit, May 15, 2020

Conversation

marc-gr
Contributor

@marc-gr marc-gr commented May 14, 2020

Cherry-pick #18381 to 7.8 branch. Original message:

What does this PR do?

Improve ECS field mappings in Sysmon module.

  • related.hash, related.ip and related.user are now populated.
  • hashes are now also populated to the corresponding process.hash or file.hash
  • file.name, file.directory and file.extension are now populated.
  • rule.name is populated for all events when present.

Why is it important?

Sysmon module was not reporting some fields and was reporting others in a namespace that was not aligned with ECS. This adds changes to improve the ECS field mapping for it.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Author's Checklist

  • Set related.hash, related.ip and related.user
  • Set file.extension/name/directory.
  • hash.* is not part of ECS. It should be used as file.hash.*, process.hash.* or process.parent.hash.*.
  • Drop the rule.name field when it has a tack - value

NOTES:

  • process.parent.hash is not present in any event (you can check here), so nothing was done for it.
  • rule.name has been added to all events that can have it according to the previous schema, but will be ignored if empty or its value is -.
  • as mentioned in [Winlogbeat] More ECS changes for Sysmon #18364, the previous root level hash object will not be removed until 8.0 since it is a breaking change.

Related issues

Closes #18364

- related.hash, related.ip, and related.user are now populated.
- hashes are now also populated to the corresponding process.hash, process.pe.imphash, file.hash or file.pe.imphash
- file.name, file.directory, and file.extension are now populated.
- rule.name is populated for all events when present.

Closes elastic#18364

(cherry picked from commit 096b88e)
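As an added example (not Winlogbeat's own module code), the mapping the PR describes, sketched in JavaScript: Sysmon's Hashes string is split into per-algorithm fields under process.hash / process.pe.imphash (or file.hash / file.pe.imphash), copied into related.hash, file.name/directory/extension are derived from the path, related.ip and related.user are filled, and rule.name is dropped when it is `-`. The Hashes format and the field names (Hashes, TargetFilename, RuleName, User, SourceIp, DestinationIp) are Sysmon's; the event object is a constructed sample, and lowercasing hash values is this example's choice.

```javascript
// Added example, not Winlogbeat's code: maps a constructed Sysmon event to ECS-style fields.
// Sysmon's Hashes field looks like "SHA1=...,MD5=...,SHA256=...,IMPHASH=...".
function parseSysmonHashes(hashes) {
  const out = { hash: {}, imphash: undefined };
  for (const part of String(hashes || '').split(',')) {
    const idx = part.indexOf('=');
    if (idx < 1) continue;
    const algo = part.slice(0, idx).trim().toUpperCase();
    const value = part.slice(idx + 1).trim().toLowerCase(); // normalise case (example's choice)
    if (!value) continue;
    if (algo === 'IMPHASH') out.imphash = value; // ECS keeps imphash under *.pe.imphash
    else out.hash[algo.toLowerCase()] = value;   // ECS *.hash.md5 / .sha1 / .sha256
  }
  return out;
}
// Derives ECS file.name / file.directory / file.extension from a Windows path.
function splitPath(path) {
  const sep = Math.max(path.lastIndexOf('\\'), path.lastIndexOf('/'));
  const name = path.slice(sep + 1);
  const dot = name.lastIndexOf('.');
  return {
    name,
    directory: sep >= 0 ? path.slice(0, sep) : '',
    extension: dot > 0 ? name.slice(dot + 1) : '', // last extension only, no leading dot
  };
}
// target is 'process' or 'file'; hashes go under that object and into related.hash.
function enrich(event, target) {
  const ecs = { related: {} };
  if (event.Hashes) {
    const { hash, imphash } = parseSysmonHashes(event.Hashes);
    ecs[target] = { hash };
    if (imphash) ecs[target].pe = { imphash };
    ecs.related.hash = Object.values(hash).concat(imphash ? [imphash] : []);
  }
  if (target === 'file' && event.TargetFilename) {
    ecs.file = Object.assign(ecs.file || {}, splitPath(event.TargetFilename));
  }
  const ips = [event.SourceIp, event.DestinationIp].filter(Boolean);
  if (ips.length) ecs.related.ip = ips;
  if (event.User) ecs.related.user = [event.User];
  // rule.name is kept only when present and not Sysmon's "-" placeholder
  if (event.RuleName && event.RuleName !== '-') ecs.rule = { name: event.RuleName };
  return ecs;
}
// Constructed sample of a Sysmon event id 1 (process create) record.
const sampleProcessCreate = {
  Image: 'C:\\Windows\\System32\\notepad.exe', User: 'CORP\\alice',
  Hashes: 'SHA1=AAAA,MD5=BBBB,SHA256=CCCC,IMPHASH=DDDD', RuleName: '-',
};
```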
@elasticmachine
Collaborator

Pinging @elastic/siem (Team:SIEM)

@botelastic botelastic bot added needs_team Indicates that the issue/PR needs a Team:* label and removed needs_team Indicates that the issue/PR needs a Team:* label labels May 14, 2020
@elasticmachine
Collaborator

💚 Build Succeeded


Test results: Failed 0, Passed 81, Skipped 0, Total 81

@marc-gr marc-gr merged commit 6c460ea into elastic:7.8 May 15, 2020
@marc-gr marc-gr deleted the backport_18381_7.8 branch May 15, 2020 06:53