[Winlogbeat] Add support for FileDelete events (event id 23) to sysmon module #18340
Conversation
botelastic
bot
added
the
needs_team
marc-gr
added
Team:SIEM
Winlogbeat
and removed
needs_team
|
Pinging @elastic/siem (Team:SIEM) |
marc-gr
changed the title
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
|
x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-registry.evtx.golden.json
Outdated
Show resolved
Hide resolved
| to: "process.executable", | ||
| }, | ||
| { | ||
| from: "winlog.event_data.Archived", |
There was a problem hiding this comment.
The process namespace is "managed" by ECS. If archived and is_executable are not part of ECS then we should not add them to process.
Either leave them as-is or copy them over to a sysmon namespace like sysmon.is_archived. Then add an entry to this file for the field. https://github.com/elastic/beats/blob/master/x-pack/winlogbeat/module/sysmon/_meta/fields.yml The benefit of copying them is that we can set the correct data type. Leaving them in winlog.event_data means they will be a keyword in Elasticsearch rather than boolean.
There was a problem hiding this comment.
Added them to sysmon.file.archived and sysmon.file.is_executable 👍
marc-gr
force-pushed
the
winlogbeat-add_sysmon-v11_support
branch
2 times, most recently
from
8dbb6cc
to
0eab793
Compare
FileDelete events were added in Sysmon v11. Prior to this change processing such events lead to an 'unexpected sysmon event_id' error message. Closes elastic#18094
marc-gr
force-pushed
the
winlogbeat-add_sysmon-v11_support
branch
from
0eab793
to
69510ad
Compare
There was a problem hiding this comment.
LGTM. Congrats on your first Beats PR 🍾 .
As a follow-up pull request, I noticed a few issues with the module as a whole that we should address.
- Set
related.hash. - Set
file.extension/name/directory. hash.*is not part of ECS. It should be used asfile.hash.*orprocess.hash.*. We can't delete the existinghash.*fields until 8.0, so for 7.x we could populate them both. And then do a breaking change for 8.0 where we drophash.*.
andrewkroh
added
the
needs_backport
…stic#18340) FileDelete events were added in Sysmon v11. Prior to this change processing such events lead to an 'unexpected sysmon event_id' error message. Closes elastic#18094 (cherry picked from commit 0a327bb)
andrewkroh
added
v7.8.0
and removed
needs_backport
|
@marc-gr I opened #18364 to track those additional changes. And I disucssed the Normally you will merge the PRs after they are approved and green on CI, but I wanted to get this into the 7.8 branch asap so that it can be included in 7.8.0. This still needs to be backported into the 7.x branch. Can you please use the |
…stic#18340) FileDelete events were added in Sysmon v11. Prior to this change processing such events lead to an 'unexpected sysmon event_id' error message. Closes elastic#18094 (cherry picked from commit 0a327bb)
What does this PR do?
FileDelete events were added in Sysmon v11, this PR adds support for FileDelete events (event id 23) to sysmon module.
Why is it important?
Prior to this change processing such events lead to an 'unexpected sysmon event_id' error message.
Checklist
I have made corresponding changes to the documentationI have made corresponding change to the default configuration filesCHANGELOG.next.asciidocorCHANGELOG-developer.next.asciidoc.TODO
Empty strings are replaced with “-“ to work around a WEF bugRelated issues
Closes #18094