

Add support for FileDelete events (event id 23) to sysmon module (ela…
…stic#18340)

FileDelete events were added in Sysmon v11.
Prior to this change, processing such events led to an 'unexpected sysmon event_id' error message.

Closes elastic#18094

(cherry picked from commit 0a327bb)
marc-gr authored and andrewkroh committed May 7, 2020
1 parent d38ea1b commit 7630c38
Showing 7 changed files with 161 additions and 1 deletion.
2 changes: 2 additions & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -62,6 +62,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d

*Winlogbeat*

- Add support to Sysmon file delete events (event ID 23). {issue}18094[18094]

*Functionbeat*


18 changes: 18 additions & 0 deletions winlogbeat/docs/fields.asciidoc
Expand Up @@ -7572,6 +7572,24 @@ type: keyword
--
*`sysmon.file.archived`*::
+
--
Indicates if the deleted file was archived.
type: boolean
--
*`sysmon.file.is_executable`*::
+
--
Indicates if the deleted file was an executable.
type: boolean
--
[[exported-fields-winlog]]
== Winlogbeat fields
8 changes: 8 additions & 0 deletions x-pack/winlogbeat/module/sysmon/_meta/fields.yml
Expand Up @@ -8,3 +8,11 @@
- name: sysmon.dns.status
type: keyword
description: Windows status code returned for the DNS query.

- name: sysmon.file.archived
type: boolean
description: Indicates if the deleted file was archived.

- name: sysmon.file.is_executable
type: boolean
description: Indicates if the deleted file was an executable.
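Review bot: The description `Indicates if the deleted file was archived.` does not tell an analyst what "archived" means for this event, and that is the one flag an incident responder cares about when triaging a delete. If this mirrors Sysmon's `Archived` field, it records whether Sysmon saved a copy of the deleted file to its configured archive directory, so the responder knows whether the content is still recoverable; I would write `description: Whether Sysmon saved a copy of the deleted file to its archive directory (the Archived field of event ID 23).` and for the sibling field `description: Whether Sysmon classified the deleted file as an executable (the IsExecutable field of event ID 23).` Please confirm the Sysmon semantics against the v11 schema before adopting the wording.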
58 changes: 58 additions & 0 deletions x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js
Expand Up @@ -1392,6 +1392,63 @@ var sysmon = (function () {
.Add(removeEmptyEventData)
.Build();

// Event ID 23 - FileDelete (A file delete was detected).
var event23 = new processor.Chain()
.Add(parseUtcTime)
.AddFields({
fields: {
"event.category": ["file"], // pipes are files
"event.type": ["deletion"],
},
})
.Convert({
fields: [
{
from: "winlog.event_data.UtcTime",
to: "@timestamp",
},
{
from: "winlog.event_data.ProcessGuid",
to: "process.entity_id",
},
{
from: "winlog.event_data.ProcessId",
to: "process.pid",
type: "long",
},
{
from: "winlog.event_data.RuleName",
to: "rule.name",
},
{
from: "winlog.event_data.TargetFilename",
to: "file.name",
},
{
from: "winlog.event_data.Image",
to: "process.executable",
},
{
from: "winlog.event_data.Archived",
to: "sysmon.file.archived",
type: "boolean",
},
{
from: "winlog.event_data.IsExecutable",
to: "sysmon.file.is_executable",
type: "boolean",
},
],
mode: "rename",
ignore_missing: true,
fail_on_error: false,
})
.Add(addUser)
.Add(splitHashes)
.Add(setProcessNameUsingExe)
.Add(removeEmptyEventData)
.Build();

// Event ID 255 - Error report.
var event255 = new processor.Chain()
.Add(parseUtcTime)
Expand Down Expand Up @@ -1436,6 +1493,7 @@ var sysmon = (function () {
20: event20.Run,
21: event21.Run,
22: event22.Run,
23: event23.Run,
255: event255.Run,

process: function (evt) {
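Review bot: `winlog.event_data.TargetFilename` is renamed to `file.name`, but the golden output in this commit shows that field carrying a full path (`C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat`), and in ECS `file.name` is the base name without directory while the full path belongs in `file.path`; the rename should read `to: "file.path",` with `file.name`/`file.extension` derived from it if the module already has a helper for that (none is visible in this hunk). If the other Sysmon file events in this module map TargetFilename to `file.path`, this also keeps event 23 consistent with them and lets path-based detection rules written against those events match deletes too. The comment `// pipes are files` on the `event.category` line appears copied from the named-pipe handlers and is wrong for FileDelete; drop it or replace it with `// Sysmon v11+ FileDelete`. The enclosing `sysmon` IIFE begins and ends outside this hunk.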
2 changes: 1 addition & 1 deletion x-pack/winlogbeat/module/sysmon/fields.go


Binary file not shown.
@@ -0,0 +1,74 @@
[
{
"@timestamp": "2020-05-07T07:27:18.722Z",
"event": {
"code": 23,
"kind": "event",
"module": "sysmon",
"provider": "Microsoft-Windows-Sysmon"
},
"fields": {
"event": {
"category": [
"file"
],
"type": [
"deletion"
]
}
},
"file": {
"name": "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\lastalive0.dat"
},
"hash": {
"sha1": "115106f5b338c87ae6836d50dd890de3da296367"
},
"host": {
"name": "vagrant-2012-r2"
},
"log": {
"level": "information"
},
"process": {
"entity_id": "{42f11c3b-b2b6-5eb3-18ab-000000000000}",
"executable": "C:\\Windows\\System32\\svchost.exe",
"name": "svchost.exe",
"pid": 776
},
"rule": {
"name": "-"
},
"sysmon": {
"file": {
"archived": true,
"is_executable": false
}
},
"user": {
"domain": "NT AUTHORITY",
"name": "LOCAL SERVICE"
},
"winlog": {
"api": "wineventlog",
"channel": "Microsoft-Windows-Sysmon/Operational",
"computer_name": "vagrant-2012-r2",
"event_id": 23,
"process": {
"pid": 664,
"thread": {
"id": 2360
}
},
"provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
"provider_name": "Microsoft-Windows-Sysmon",
"record_id": 11,
"user": {
"domain": "NT AUTHORITY",
"identifier": "S-1-5-18",
"name": "SYSTEM",
"type": "Well Known Group"
},
"version": 5
}
}
]
