
[Winlogbeat] Update Sysmon module for v11.0 #18094

Closed
3 of 4 tasks
andrewkroh opened this issue Apr 29, 2020 · 4 comments · Fixed by #18340

Comments

@andrewkroh
Member

andrewkroh commented Apr 29, 2020

Sysmon v11.0 was released on April 28, 2020 and includes a new Event ID and a few other minor changes. The Sysmon module in Winlogbeat should be updated.

References

TODO

  • Diff the schema XML from v10 to v11 and make updates.
  • Empty strings are replaced with "-" to work around a WEF bug
  • Handle Event ID 23
  • Add .evtx test files from v11.
@elasticmachine
Collaborator

Pinging @elastic/siem (Team:SIEM)

@andrewkroh
Member Author

Here's a sample from Event ID 23 under the current Sysmon module (note the error):

{
  "@timestamp": "2020-04-29T18:54:08.273Z",
  "agent": {
    "ephemeral_id": "04b7fb0c-af8b-4505-a602-6469112f53c3",
    "hostname": "myhost",
    "id": "019d02af-40d1-41cf-9233-fc7250dda03d",
    "type": "winlogbeat",
    "version": "8.0.0"
  },
  "cloud": {
    "availability_zone": "us-central1-a",
    "instance": {
      "id": "123",
      "name": "myhost"
    },
    "machine": {
      "type": "g1-small"
    },
    "project": {
      "id": "project"
    },
    "provider": "gcp"
  },
  "ecs": {
    "version": "1.5.0"
  },
  "error": {
    "message": "unexpected sysmon event_id at C:\\Program Files\\Winlogbeat/module/sysmon/config/winlogbeat-sysmon.js:958:23(18)"
  },
  "event": {
    "action": "File Delete (rule: FileDelete)",
    "code": 23,
    "created": "2020-04-29T18:54:09.191Z",
    "kind": "event",
    "provider": "Microsoft-Windows-Sysmon"
  },
  "host": {
    "architecture": "x86_64",
    "hostname": "myhost",
    "id": "xyz",
    "ip": [
      "fe80::f18d:e1d8:d3cf:da36",
      "10.200.0.12"
    ],
    "mac": [
      "42:01:0a:c8:00:0c"
    ],
    "name": "myhost",
    "os": {
      "build": "17763.1039",
      "family": "windows",
      "kernel": "10.0.17763.1039 (WinBuild.160101.0800)",
      "name": "Windows Server 2019 Datacenter",
      "platform": "windows",
      "version": "10.0"
    }
  },
  "log": {
    "level": "information"
  },
  "message": "File Delete:\nRuleName: -\nUtcTime: 2020-04-29 18:54:08.259\nProcessGuid: {edd932b7-cb4b-5ea9-2b00-000000000800}\nProcessId: 1792\nUser: NT AUTHORITY\\SYSTEM\nImage: C:\\Windows\\System32\\spoolsv.exe\nTargetFilename: C:\\Windows\\System32\\spool\\drivers\\x64\\{4A2BB754-6413-4445-8D8B-6F42020CAAAD}\\tsprint.dll\nHashes: SHA1=64132E602E62EE91151E0CEA4E84C3A6A29DF0E7,MD5=F5BC6B2FBCE0BDDB1532E23D45739443,SHA256=A50A37ED1AD64B0304A5E94B5CA8A326507575727AB7C4B450F2BC110B0E323A,IMPHASH=C83D0EDEB4A96A1E299D9AEB65CD81ED\nIsExecutable: true\nArchived: true",
  "tags": [
    "_js_exception"
  ],
  "winlog": {
    "api": "wineventlog",
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer_name": "myhost",
    "event_data": {
      "Archived": "true",
      "Hashes": "SHA1=64132E602E62EE91151E0CEA4E84C3A6A29DF0E7,MD5=F5BC6B2FBCE0BDDB1532E23D45739443,SHA256=A50A37ED1AD64B0304A5E94B5CA8A326507575727AB7C4B450F2BC110B0E323A,IMPHASH=C83D0EDEB4A96A1E299D9AEB65CD81ED",
      "Image": "C:\\Windows\\System32\\spoolsv.exe",
      "IsExecutable": "true",
      "ProcessGuid": "{edd932b7-cb4b-5ea9-2b00-000000000800}",
      "ProcessId": "1792",
      "RuleName": "-",
      "TargetFilename": "C:\\Windows\\System32\\spool\\drivers\\x64\\{4A2BB754-6413-4445-8D8B-6F42020CAAAD}\\tsprint.dll",
      "User": "NT AUTHORITY\\SYSTEM",
      "UtcTime": "2020-04-29 18:54:08.259"
    },
    "event_id": 23,
    "opcode": "Info",
    "process": {
      "pid": 2368,
      "thread": {
        "id": 1360
      }
    },
    "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
    "provider_name": "Microsoft-Windows-Sysmon",
    "record_id": 1405,
    "task": "File Delete (rule: FileDelete)",
    "user": {
      "domain": "NT AUTHORITY",
      "identifier": "S-1-5-18",
      "name": "SYSTEM",
      "type": "User"
    },
    "version": 5
  }
}
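
For context on what the module update has to do with a record like the one above, here is an added, self-contained sketch (not the Winlogbeat module's own code, which runs inside the Beats JavaScript processor) that maps Event ID 23 event_data into ECS-style fields, treats the "-" placeholder from the TODO list as an empty value, and reports, rather than throws, the "unexpected sysmon event_id" condition for IDs it does not know:

```javascript
// Added example, not the Winlogbeat module's own code: a minimal mapper for
// Sysmon Event ID 23 (FileDelete), the event the v10 module rejected with
// "unexpected sysmon event_id". Output names follow ECS; input mirrors winlog.event_data.

// Sysmon (and the WEF workaround noted in the TODO) emit "-" for empty values.
function nonEmpty(v) {
  return v === undefined || v === null || v === "" || v === "-" ? undefined : v;
}

// "SHA1=..,MD5=..,SHA256=..,IMPHASH=.." -> { sha1, md5, sha256, imphash }, lowercased.
function parseHashes(s) {
  const out = {};
  for (const pair of (nonEmpty(s) || "").split(",")) {
    const eq = pair.indexOf("=");
    if (eq <= 0) continue;
    out[pair.slice(0, eq).toLowerCase()] = pair.slice(eq + 1).toLowerCase();
  }
  return out;
}

function mapFileDelete(d) {
  const path = nonEmpty(d.TargetFilename) || "";
  const name = path.split("\\").pop();
  const dot = name.lastIndexOf(".");
  const user = (nonEmpty(d.User) || "").split("\\");
  return {
    event: { code: 23, category: ["file"], type: ["deletion"] },
    rule: { name: nonEmpty(d.RuleName) },
    file: { path, name, extension: dot > 0 ? name.slice(dot + 1) : undefined,
            hash: parseHashes(d.Hashes) },
    process: { pid: Number(d.ProcessId), executable: nonEmpty(d.Image),
               entity_id: nonEmpty(d.ProcessGuid) },
    user: { domain: user.length > 1 ? user[0] : undefined, name: user[user.length - 1] },
    sysmon: { archived: d.Archived === "true", is_executable: d.IsExecutable === "true" },
  };
}

// Dispatch by event ID; unknown IDs yield an error field instead of throwing, so the raw event is still indexed.
const mappers = { 23: mapFileDelete };
function processSysmonEvent(eventId, eventData) {
  const fn = mappers[eventId];
  return fn ? fn(eventData) : { error: { message: "unexpected sysmon event_id " + eventId } };
}

// Constructed sample, copied from the winlog.event_data of the event above.
const sampleEventData = {
  Archived: "true", IsExecutable: "true", RuleName: "-", ProcessId: "1792",
  ProcessGuid: "{edd932b7-cb4b-5ea9-2b00-000000000800}",
  Image: "C:\\Windows\\System32\\spoolsv.exe", User: "NT AUTHORITY\\SYSTEM",
  TargetFilename: "C:\\Windows\\System32\\spool\\drivers\\x64\\{4A2BB754-6413-4445-8D8B-6F42020CAAAD}\\tsprint.dll",
  Hashes: "SHA1=64132E602E62EE91151E0CEA4E84C3A6A29DF0E7,MD5=F5BC6B2FBCE0BDDB1532E23D45739443,SHA256=A50A37ED1AD64B0304A5E94B5CA8A326507575727AB7C4B450F2BC110B0E323A,IMPHASH=C83D0EDEB4A96A1E299D9AEB65CD81ED",
};
```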

@marc-gr
Contributor

marc-gr commented May 7, 2020

Here's the diff between 10.4 and 11 schemas

https://gist.github.com/marc-gr/bb1f6208b0b761f6f4b9d59939f6e3c8

marc-gr added a commit to marc-gr/beats that referenced this issue May 7, 2020
FileDelete events were added in Sysmon v11.
Prior to this change, processing such events led to an 'unexpected sysmon event_id' error message.

Closes elastic#18094
@marc-gr
Contributor

marc-gr commented May 7, 2020

After discussing it with @andrewkroh, it is likely that we do not need to do anything about "Empty strings are replaced with "-" to work around a WEF bug", since it seems unlikely to cause any issues and it is not clear which ones might come like that.

andrewkroh pushed a commit that referenced this issue May 7, 2020
)

FileDelete events were added in Sysmon v11.
Prior to this change, processing such events led to an 'unexpected sysmon event_id' error message.

Closes #18094
andrewkroh pushed a commit to andrewkroh/beats that referenced this issue May 7, 2020
…stic#18340)

FileDelete events were added in Sysmon v11.
Prior to this change, processing such events led to an 'unexpected sysmon event_id' error message.

Closes elastic#18094

(cherry picked from commit 0a327bb)
andrewkroh added a commit that referenced this issue May 7, 2020
) (#18363)

FileDelete events were added in Sysmon v11.
Prior to this change, processing such events led to an 'unexpected sysmon event_id' error message.

Closes #18094

(cherry picked from commit 0a327bb)

Co-authored-by: Marc Guasch <marc-gr@users.noreply.github.com>
marc-gr added a commit to marc-gr/beats that referenced this issue May 8, 2020
…stic#18340)

FileDelete events were added in Sysmon v11.
Prior to this change, processing such events led to an 'unexpected sysmon event_id' error message.

Closes elastic#18094

(cherry picked from commit 0a327bb)
marc-gr added a commit that referenced this issue May 8, 2020
) (#18371)

FileDelete events were added in Sysmon v11.
Prior to this change, processing such events led to an 'unexpected sysmon event_id' error message.

Closes #18094

(cherry picked from commit 0a327bb)