
[Winlogbeat] Update Sysmon module for Schema 4.70 that includes Event ID 26 #26280

Closed
Richman711 opened this issue Jun 14, 2021 · 2 comments · Fixed by #29957

@Richman711
Describe the enhancement:
Requesting an update to the winlogbeat\module\sysmon\config\winlogbeat-sysmon.js to include event 26 for correct parsing into elasticsearch using the sysmon module.

The new sysmon event id is nearly identical to event id 23 except for the archived boolean.

DATA: RuleName, UtcTime, ProcessGuid, ProcessId, User, Image, TargetFilename, Hashes, IsExecutable

https://medium.com/falconforce/sysmon-13-10-filedeletedetected-fe2475cb419e

In Sysmon 13.21.0.0 the application supports schema version 4.70, which can be verified by running the latest Sysmon executable from Microsoft as .\sysmon.exe -s

<Sysmon schemaversion="4.70">
   <EventFiltering>
      <RuleGroup name="" groupRelation="or">
         <FileDeleteDetected onmatch="exclude">
            <User condition="contains any">NETWORK SERVICE; LOCAL SERVICE</User>
         </FileDeleteDetected>
      </RuleGroup>
   </EventFiltering>
</Sysmon>

Describe a specific use case for the enhancement or feature:

Like event ID 23, event ID 26 also hashes deleted files, but without archiving the deleted file in C:\Sysmon, allowing its use in areas outside of a malware sandbox or in IR triage. Maintaining a record of deleted files along with hashes can facilitate historical lookups during compromise investigations to identify which hosts have been affected by identified IoCs.
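The mapping the request asks for, as an added example that is not part of the original issue and not Winlogbeat's own winlogbeat-sysmon.js: a small JavaScript mapper that turns the EventData of a Sysmon Event ID 26 (FileDeleteDetected) record into ECS-style fields, handling the two values a pipeline has to normalise, the comma-separated Hashes string and the DOMAIN\user form of User. The target field names (event.action, process.entity_id, file.hash.*, sysmon.file.is_executable) are assumptions modelled on how the module already treats Event ID 23; the sample record is constructed, not captured from a host.

```javascript
// Added example, not code from Winlogbeat or the sysmon module.
// Maps a Sysmon Event ID 26 (FileDeleteDetected) EventData object to
// ECS-style fields. Output field names are assumptions modelled on the
// module's Event ID 23 handling; the sample record below is constructed.

// Sysmon writes hashes as "SHA1=...,MD5=...,SHA256=...,IMPHASH=...".
// Split into { sha1, md5, sha256, imphash }, lower-casing for consistent lookups.
function parseHashes(hashes) {
  const out = {};
  for (const part of (hashes || "").split(",")) {
    const idx = part.indexOf("=");
    if (idx <= 0) continue; // skip malformed entries such as "" or "=abc"
    const algo = part.slice(0, idx).trim().toLowerCase();
    const value = part.slice(idx + 1).trim().toLowerCase();
    if (value) out[algo] = value;
  }
  return out;
}

// "DOMAIN\user" -> { domain, name }; a value without a backslash keeps name only.
function parseUser(user) {
  const s = user || "";
  const idx = s.indexOf("\\");
  if (idx < 0) return { name: s };
  return { domain: s.slice(0, idx), name: s.slice(idx + 1) };
}

// Sysmon emits IsExecutable as the strings "true" / "false".
function parseBool(v) {
  return String(v).toLowerCase() === "true";
}

// Map one Event ID 26 record; any other event id returns null so the
// caller can fall through to the existing per-event handlers.
function mapFileDeleteDetected(eventId, d) {
  if (eventId !== 26) return null;
  const ev = {
    "@timestamp": d.UtcTime,
    event: { code: 26, category: ["file"], type: ["deletion"], action: "file-delete-detected" },
    process: { entity_id: d.ProcessGuid, pid: Number(d.ProcessId), executable: d.Image },
    user: parseUser(d.User),
    file: { path: d.TargetFilename, hash: parseHashes(d.Hashes) },
    // Unlike Event ID 23 there is no Archived field: the file is never kept.
    sysmon: { file: { is_executable: parseBool(d.IsExecutable) } },
  };
  // Sysmon uses "-" for an empty RuleName; only emit rule.name when set.
  if (d.RuleName && d.RuleName !== "-") ev.rule = { name: d.RuleName };
  return ev;
}

// Constructed sample record (illustrative values, not from a real system).
const SAMPLE_26 = {
  RuleName: "-",
  UtcTime: "2021-06-14 10:22:33.123",
  ProcessGuid: "{a1b2c3d4-0000-0000-0000-000000000001}",
  ProcessId: "4242",
  User: "CORP\\alice",
  Image: "C:\\Windows\\System32\\cmd.exe",
  TargetFilename: "C:\\Users\\alice\\AppData\\Local\\Temp\\dropper.exe",
  Hashes: "SHA1=DA39A3EE5E6B4B0D3255BFEF95601890AFD80709,MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000",
  IsExecutable: "true",
};

console.log(JSON.stringify(mapFileDeleteDetected(26, SAMPLE_26), null, 2));
```

Because the mapper lower-cases every hash, a later IoC lookup against file.hash.sha256 works regardless of the case Sysmon or the threat feed used; keeping rule.name out when Sysmon reports "-" avoids indexing a meaningless placeholder.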

@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Jun 14, 2021
@ChrsMark ChrsMark added the Team:Integrations Label for the Integrations team label Jun 15, 2021
@elasticmachine

Pinging @elastic/integrations (Team:Integrations)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Jun 15, 2021
@jamiehynds jamiehynds added Team:Security-External Integrations and removed Team:Integrations Label for the Integrations team labels Jun 16, 2021
@elasticmachine

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
