[ECS] Winlogbeat ecs 1.8 changes #23563

marc-gr · 2021-01-19T10:36:57Z

What does this PR do?

Adds new registry and session categories.

Fixes some user.* fields.

Adds multi user usage.

Why is it important?

Keep up to date with ecs 1.8 changes.

Checklist

My code follows the style guidelines of this project
I have commented my code, particularly in hard-to-understand areas
~~- [ ] I have made corresponding changes to the documentation~~
~~- [ ] I have made corresponding change to the default configuration files~~
I have added tests that prove my fix is effective or that my feature works
I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

elasticmachine · 2021-01-19T10:36:59Z

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

elasticmachine · 2021-01-19T10:43:01Z

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

Build Cause: Pull request #23563 updated
- Start Time: 2021-02-03T10:16:01.188+0000
Duration: 27 min 12 sec
Commit: cc4c4cd

Test stats 🧪

Test	Results
Failed	0
Passed	864
Skipped	0
Total	864

Steps errors

Expand to view the steps failures

`x-pack/winlogbeat-windows-8-windows-8 - Install Go/Mage/Python 1.15.7`

Took 0 min 7 sec . View more details on here
Description: .ci/scripts/install-tools.bat

💚 Flaky test report

Tests succeeded.

Expand to view the summary

Test stats 🧪

Test	Results
Failed	0
Passed	864
Skipped	0
Total	864

andrewkroh

LGTM

andrewkroh · 2021-01-25T01:08:52Z

x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4757.evtx.golden.json

-      "name": "Administrator"
+      "name": "Administrator",
+      "target": {
+        "name": "Administrator"


Seems like a target.group in ECS could be useful in this case, likeTargetUserName -> target.user.group.

Incorporates ECS 1.8 changes from the following PRs: Support host.type field in add_host_metadata processor and Auditbeat's system/host #23513 Winlogbeat #23563 Auditbeat auditd #23594 Journalbeat #23737 Packetbeat #23783 Filebeat: auditd #23723 cisco #23819 cef #23832 crowdstrike falcon #23875 fortinet firewall #23902 microsoft #23897 elasticsearch/audit #24000 Gsuite/Workspace #23709 o365 #23896 zoom #23904 okta #23929 aws/cloudtrail #23911 aws/s3access #23920 azure #23927 juniper/srx #23936 panw #23931 sophos/xg #23967 system/auth #23961 mysqlenterprise #23978 zeek #23847 Make all Beats and modules report ECS 1.8.0 #23992 Closes #23118 Co-authored-by: Marc Guasch <marc-gr@users.noreply.github.com>

Incorporates ECS 1.8 changes from the following PRs: Support host.type field in add_host_metadata processor and Auditbeat's system/host elastic#23513 Winlogbeat elastic#23563 Auditbeat auditd elastic#23594 Journalbeat elastic#23737 Packetbeat elastic#23783 Filebeat: auditd elastic#23723 cisco elastic#23819 cef elastic#23832 crowdstrike falcon elastic#23875 fortinet firewall elastic#23902 microsoft elastic#23897 elasticsearch/audit elastic#24000 Gsuite/Workspace elastic#23709 o365 elastic#23896 zoom elastic#23904 okta elastic#23929 aws/cloudtrail elastic#23911 aws/s3access elastic#23920 azure elastic#23927 juniper/srx elastic#23936 panw elastic#23931 sophos/xg elastic#23967 system/auth elastic#23961 mysqlenterprise elastic#23978 zeek elastic#23847 Make all Beats and modules report ECS 1.8.0 elastic#23992 Closes elastic#23118 Co-authored-by: Marc Guasch <marc-gr@users.noreply.github.com> (cherry picked from commit 048c3cc)

Incorporates ECS 1.8 changes from the following PRs: Support host.type field in add_host_metadata processor and Auditbeat's system/host #23513 Winlogbeat #23563 Auditbeat auditd #23594 Journalbeat #23737 Packetbeat #23783 Filebeat: auditd #23723 cisco #23819 cef #23832 crowdstrike falcon #23875 fortinet firewall #23902 microsoft #23897 elasticsearch/audit #24000 Gsuite/Workspace #23709 o365 #23896 zoom #23904 okta #23929 aws/cloudtrail #23911 aws/s3access #23920 azure #23927 juniper/srx #23936 panw #23931 sophos/xg #23967 system/auth #23961 mysqlenterprise #23978 zeek #23847 Make all Beats and modules report ECS 1.8.0 #23992 Closes #23118 Co-authored-by: Marc Guasch <marc-gr@users.noreply.github.com> (cherry picked from commit 048c3cc)

* User enhancements for powershell module * User enhancements for security and sysmon module * Add registry category to events * Add session category to events * Set target group when possible

marc-gr added enhancement Winlogbeat ecs Team:Security-External Integrations labels Jan 19, 2021

marc-gr requested review from a team as code owners January 19, 2021 10:36

botelastic bot added needs_team Indicates that the issue/PR needs a Team:* label and removed needs_team Indicates that the issue/PR needs a Team:* label labels Jan 19, 2021

marc-gr changed the base branch from master to feature-ecs-1.8 January 19, 2021 10:37

marc-gr requested a review from a team as a code owner January 19, 2021 10:37

marc-gr force-pushed the winlogbeat_ecs_1.8 branch from 828df50 to 1e24b8c Compare January 19, 2021 10:40

marc-gr requested a review from adriansr January 19, 2021 10:41

marc-gr mentioned this pull request Jan 19, 2021

[ECS] Upgrade modules to 1.8 #23118

Closed

89 tasks

andrewkroh changed the title ~~[ECS} Winlogbeat ecs 1.8 changes~~ [ECS] Winlogbeat ecs 1.8 changes Jan 24, 2021

andrewkroh approved these changes Jan 25, 2021

View reviewed changes

adriansr force-pushed the feature-ecs-1.8 branch 2 times, most recently from 8979980 to 376b26f Compare February 1, 2021 14:57

marc-gr added 3 commits February 3, 2021 10:02

User enhancements for powershell module

fb283a3

User enhancements for security and sysmon module

dfaf531

Add registry category to events

f468000

marc-gr force-pushed the winlogbeat_ecs_1.8 branch 2 times, most recently from 2937507 to 426e572 Compare February 3, 2021 10:13

marc-gr added 2 commits February 3, 2021 11:14

Add session category to events

c20482d

Set target group when possible

cc4c4cd

marc-gr force-pushed the winlogbeat_ecs_1.8 branch from 426e572 to cc4c4cd Compare February 3, 2021 10:15

marc-gr merged commit cd4bcb2 into elastic:feature-ecs-1.8 Feb 3, 2021

marc-gr deleted the winlogbeat_ecs_1.8 branch February 3, 2021 10:44

adriansr mentioned this pull request Feb 12, 2021

Update Beats to ECS 1.8.0 #23465

Merged

28 tasks

adriansr mentioned this pull request Feb 16, 2021

Cherry-pick #23465 to 7.x: Update Beats to ECS 1.8.0 #24072

Merged

28 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[ECS] Winlogbeat ecs 1.8 changes #23563

[ECS] Winlogbeat ecs 1.8 changes #23563

marc-gr commented Jan 19, 2021

elasticmachine commented Jan 19, 2021

elasticmachine commented Jan 19, 2021 •

edited by jenkins-beats-ci bot

Loading

Build stats

Test stats 🧪

`x-pack/winlogbeat-windows-8-windows-8 - Install Go/Mage/Python 1.15.7`

Test stats 🧪

andrewkroh left a comment

andrewkroh Jan 25, 2021 •

edited

Loading

[ECS] Winlogbeat ecs 1.8 changes #23563

[ECS] Winlogbeat ecs 1.8 changes #23563

Conversation

marc-gr commented Jan 19, 2021

What does this PR do?

Why is it important?

Checklist

elasticmachine commented Jan 19, 2021

elasticmachine commented Jan 19, 2021 • edited by jenkins-beats-ci bot Loading

💚 Build Succeeded

Build stats

Test stats 🧪

Steps errors

x-pack/winlogbeat-windows-8-windows-8 - Install Go/Mage/Python 1.15.7

💚 Flaky test report

Test stats 🧪

andrewkroh left a comment

Choose a reason for hiding this comment

andrewkroh Jan 25, 2021 • edited Loading

Choose a reason for hiding this comment

elasticmachine commented Jan 19, 2021 •

edited by jenkins-beats-ci bot

Loading

`x-pack/winlogbeat-windows-8-windows-8 - Install Go/Mage/Python 1.15.7`

andrewkroh Jan 25, 2021 •

edited

Loading