packages/windows/sysmon_operational: add sysmon event 26 handler (ela…
…stic#2566)

* packages/windows/sysmon_operational: normalise field order and remove event.ingested

* packages/windows/sysmon_operational: add sysmon event 26 handler

* packages/windows/forwarded: normalise field order and remove event.ingested

* packages/windows/forwarded: add sysmon event 26 handler
efd6 authored Feb 1, 2022
1 parent 6b50495 commit 1c17de0
Showing 89 changed files with 25,786 additions and 25,822 deletions.
8 changes: 8 additions & 0 deletions packages/windows/changelog.yml
@@ -1,4 +1,12 @@
# newer versions go on top
- version: "1.10.0"
changes:
- description: Add sysmon event 26 handling
type: enhancement
link: https://github.com/elastic/integrations/pull/2566
- description: Normalise field order and remove event.ingested
type: enhancement
link: https://github.com/elastic/integrations/pull/2566
- version: "1.9.0"
changes:
- description: Expose winlog input ignore_older option.
@@ -1,60 +1,59 @@
{
"expected": [
{
"@timestamp": "2019-11-07T10:37:04.226Z",
"agent": {
"name": "Lees-MBP.localdomain",
"id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
"ephemeral_id": "bcbde3d3-6558-46d7-aaee-ed9cf67e04d3",
"id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
"name": "Lees-MBP.localdomain",
"type": "filebeat",
"version": "8.0.0"
},
"@timestamp": "2019-11-07T10:37:04.226Z",
"winlog": {
"computer_name": "WIN-41OB2LO92CR.wlbeat.local",
"record_id": "14257",
"process": {
"pid": 1144,
"thread": {
"id": 4532
}
},
"event_id": "1100",
"keywords": [
"Audit Success"
],
"level": "information",
"provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}",
"channel": "Security",
"time_created": "2019-11-07T10:37:04.226Z",
"opcode": "Info",
"provider_name": "Microsoft-Windows-Eventlog",
"outcome": "success"
},
"ecs": {
"version": "8.0.0"
},
"log": {
"level": "information",
"file": {
"path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/1100.xml"
}
},
"host": {
"name": "WIN-41OB2LO92CR.wlbeat.local"
},
"event": {
"ingested": "2022-01-12T05:16:18.700629099Z",
"code": "1100",
"provider": "Microsoft-Windows-Eventlog",
"kind": "event",
"action": "logging-service-shutdown",
"category": [
"process"
],
"code": "1100",
"kind": "event",
"outcome": "success",
"provider": "Microsoft-Windows-Eventlog",
"type": [
"end"
]
},
"host": {
"name": "WIN-41OB2LO92CR.wlbeat.local"
},
"log": {
"file": {
"path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/1100.xml"
},
"level": "information"
},
"winlog": {
"channel": "Security",
"computer_name": "WIN-41OB2LO92CR.wlbeat.local",
"event_id": "1100",
"keywords": [
"Audit Success"
],
"outcome": "success"
"level": "information",
"opcode": "Info",
"outcome": "success",
"process": {
"pid": 1144,
"thread": {
"id": 4532
}
},
"provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}",
"provider_name": "Microsoft-Windows-Eventlog",
"record_id": "14257",
"time_created": "2019-11-07T10:37:04.226Z"
}
}
]
@@ -1,81 +1,80 @@
{
"expected": [
{
"@timestamp": "2019-11-07T10:34:29.055Z",
"agent": {
"name": "Lees-MBP.localdomain",
"id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
"ephemeral_id": "737c4709-1498-44d4-b1e6-d21cac1470e5",
"id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
"name": "Lees-MBP.localdomain",
"type": "filebeat",
"version": "8.0.0"
},
"@timestamp": "2019-11-07T10:34:29.055Z",
"ecs": {
"version": "8.0.0"
},
"event": {
"action": "audit-log-cleared",
"category": [
"iam"
],
"code": "1102",
"kind": "event",
"outcome": "success",
"provider": "Microsoft-Windows-Eventlog",
"type": [
"admin",
"change"
]
},
"host": {
"name": "WIN-41OB2LO92CR.wlbeat.local"
},
"log": {
"file": {
"path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/1102.xml"
},
"level": "information"
},
"related": {
"user": [
"Administrator"
]
},
"user": {
"domain": "WLBEAT",
"id": "S-1-5-21-101361758-2486510592-3018839910-500",
"name": "Administrator"
},
"winlog": {
"channel": "Security",
"computer_name": "WIN-41OB2LO92CR.wlbeat.local",
"process": {
"pid": 1144,
"thread": {
"id": 1824
}
},
"event_id": "1102",
"keywords": [
"Audit Success"
],
"level": "information",
"logon": {
"id": "0x50e87"
},
"channel": "Security",
"opcode": "Info",
"outcome": "success",
"process": {
"pid": 1144,
"thread": {
"id": 1824
}
},
"provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}",
"provider_name": "Microsoft-Windows-Eventlog",
"record_id": "14224",
"time_created": "2019-11-07T10:34:29.055Z",
"user_data": {
"SubjectUserName": "Administrator",
"SubjectDomainName": "WLBEAT",
"SubjectLogonId": "0x50e87",
"SubjectUserName": "Administrator",
"SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
"xml_name": "LogFileCleared"
},
"opcode": "Info",
"record_id": "14224",
"event_id": "1102",
"provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}",
"time_created": "2019-11-07T10:34:29.055Z",
"provider_name": "Microsoft-Windows-Eventlog",
"outcome": "success"
},
"ecs": {
"version": "8.0.0"
},
"related": {
"user": [
"Administrator"
]
},
"log": {
"level": "information",
"file": {
"path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/1102.xml"
}
},
"host": {
"name": "WIN-41OB2LO92CR.wlbeat.local"
},
"event": {
"ingested": "2022-01-12T05:16:18.932471733Z",
"code": "1102",
"provider": "Microsoft-Windows-Eventlog",
"kind": "event",
"action": "audit-log-cleared",
"category": [
"iam"
],
"type": [
"admin",
"change"
],
"outcome": "success"
},
"user": {
"name": "Administrator",
"domain": "WLBEAT",
"id": "S-1-5-21-101361758-2486510592-3018839910-500"
}
}
]
@@ -1,60 +1,59 @@
{
"expected": [
{
"@timestamp": "2019-11-08T07:56:17.321Z",
"agent": {
"name": "Lees-MBP.localdomain",
"id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
"ephemeral_id": "ba338c91-ffb8-4b65-8c25-7990b1cf0e01",
"id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
"name": "Lees-MBP.localdomain",
"type": "filebeat",
"version": "8.0.0"
},
"@timestamp": "2019-11-08T07:56:17.321Z",
"winlog": {
"computer_name": "WIN-41OB2LO92CR.wlbeat.local",
"record_id": "19352",
"process": {
"pid": 1096,
"thread": {
"id": 1444
}
},
"event_id": "1104",
"keywords": [
"Audit Success"
],
"level": "error",
"provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}",
"channel": "Security",
"time_created": "2019-11-08T07:56:17.321Z",
"opcode": "Info",
"provider_name": "Microsoft-Windows-Eventlog",
"outcome": "success"
},
"ecs": {
"version": "8.0.0"
},
"log": {
"level": "error",
"file": {
"path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/1104.xml"
}
},
"host": {
"name": "WIN-41OB2LO92CR.wlbeat.local"
},
"event": {
"ingested": "2022-01-12T05:16:19.597216295Z",
"code": "1104",
"provider": "Microsoft-Windows-Eventlog",
"kind": "event",
"action": "logging-full",
"category": [
"iam"
],
"code": "1104",
"kind": "event",
"outcome": "success",
"provider": "Microsoft-Windows-Eventlog",
"type": [
"admin"
]
},
"host": {
"name": "WIN-41OB2LO92CR.wlbeat.local"
},
"log": {
"file": {
"path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/1104.xml"
},
"level": "error"
},
"winlog": {
"channel": "Security",
"computer_name": "WIN-41OB2LO92CR.wlbeat.local",
"event_id": "1104",
"keywords": [
"Audit Success"
],
"outcome": "success"
"level": "error",
"opcode": "Info",
"outcome": "success",
"process": {
"pid": 1096,
"thread": {
"id": 1444
}
},
"provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}",
"provider_name": "Microsoft-Windows-Eventlog",
"record_id": "19352",
"time_created": "2019-11-08T07:56:17.321Z"
}
}
]