Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Winlogbeat] Add registry and code signature information and ECS categorization fields for sysmon module #18058

Merged
merged 4 commits into from
May 5, 2020
Merged

[Winlogbeat] Add registry and code signature information and ECS categorization fields for sysmon module #18058

merged 4 commits into from
May 5, 2020

Conversation

andrewstucki
Copy link

@andrewstucki andrewstucki commented Apr 28, 2020
edited
Loading

Checklist

  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Related issues

@andrewstucki andrewstucki requested a review from a team April 28, 2020 17:14
@elasticmachine
Copy link
Collaborator

Pinging @elastic/siem (Team:SIEM)

@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Apr 28, 2020
@elasticmachine
Copy link
Collaborator

elasticmachine commented Apr 28, 2020
edited
Loading

💚 Build Succeeded

Pipeline View Test View Changes Artifacts preview stats

Expand to view the summary

Build stats

Test stats 🧪

Test Results
Failed 0
Passed 80
Skipped 0
Total 80

leehinman
leehinman reviewed Apr 29, 2020
View reviewed changes
Copy link
Contributor

@leehinman leehinman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ECS categorizations look good to me

@andrewstucki
Copy link
Author

@leehinman , 👍 , still need to add some fields for 1.5 compat (i.e. process.command_line). I'll ping you again when this is good to go.

@andresrc andresrc removed the needs_team Indicates that the issue/PR needs a Team:* label label May 2, 2020
@andrewstucki andrewstucki changed the title [Winlogbeat] Add sysmon module ECS categorization fields [Winlogbeat] Add registry and code signature information and ECS categorization fields for sysmon module May 5, 2020
@andrewstucki andrewstucki marked this pull request as ready for review May 5, 2020 06:28
@andrewstucki
Copy link
Author

ok, feel free to review again, added in code signature and registry info to the fields we ship

leehinman
leehinman approved these changes May 5, 2020
View reviewed changes
Copy link
Contributor

@leehinman leehinman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@andrewstucki andrewstucki merged commit eb3c191 into elastic:master May 5, 2020
@andrewstucki andrewstucki deleted the winlogbeat-sysmon-update branch May 5, 2020 16:06
andrewstucki pushed a commit to andrewstucki/beats that referenced this pull request May 5, 2020
[Winlogbeat] Add registry and code signature information and ECS cate…
6ad8b41 
…gorization fields for sysmon module (elastic#18058)

* [Winlogbeat] Add sysmon module ECS categorization fields

* Add registry and code signature information

* Add changelog entry

* Add baseline registry event json

(cherry picked from commit eb3c191)
@andrewstucki andrewstucki mentioned this pull request May 5, 2020
Merged
2 tasks
andrewstucki pushed a commit that referenced this pull request May 5, 2020
[Winlogbeat] Add registry and code signature information and ECS cate…
cf65d69 
…gorization fields for sysmon module (#18058) (#18255)

* [Winlogbeat] Add sysmon module ECS categorization fields

* Add registry and code signature information

* Add changelog entry

* Add baseline registry event json

(cherry picked from commit eb3c191)
andrewkroh
andrewkroh reviewed May 19, 2020
View reviewed changes
x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js
var event3 = new processor.Chain()
.Add(parseUtcTime)
.AddFields({
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some of these add_fields processors are missing targets so the fields are being written as fields.event.category. Maybe we should set target: event then use fields: {category: ....

I deployed the latest snapshot and the data is our siem dev cluster if you want to see it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@andrewkroh andrewkroh andrewkroh left review comments

@leehinman leehinman leehinman approved these changes

Assignees
No one assigned
Labels
enhancement v7.8.0 Winlogbeat
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Winlogbeat] Update Winlogbeat sysmon module to ECS 1.4
5 participants
@andrewstucki @elasticmachine @andrewkroh @leehinman @andresrc