Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cherry-pick #18340 to 7.8: [Winlogbeat] Add support for FileDelete events (event id 23) to sysmon module #18363

Merged
merged 1 commit into from
May 7, 2020
Merged

Cherry-pick #18340 to 7.8: [Winlogbeat] Add support for FileDelete events (event id 23) to sysmon module #18363

merged 1 commit into from
May 7, 2020

Conversation

andrewkroh
Copy link
Member

@andrewkroh andrewkroh commented May 7, 2020
edited by zube bot
Loading

Cherry-pick of PR #18340 to 7.8 branch. Original message:

What does this PR do?

FileDelete events were added in Sysmon v11, this PR adds support for FileDelete events (event id 23) to sysmon module.

Why is it important?

Prior to this change processing such events lead to an 'unexpected sysmon event_id' error message.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

TODO

  • Diff the schema XML from v10 to v11 and make updates.
  • Empty strings are replaced with “-“ to work around a WEF bug
  • Handle Event ID 23
  • Add .evtx test files from v11.

Related issues

Closes #18094

@marc-gr @andrewkroh
Add support for FileDelete events (event id 23) to sysmon module (ela…
7630c38 
…stic#18340)

FileDelete events were added in Sysmon v11.
Prior to this change processing such events lead to an 'unexpected sysmon event_id' error message.

Closes elastic#18094

(cherry picked from commit 0a327bb)
@andrewkroh andrewkroh requested a review from a team as a code owner May 7, 2020 17:50
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label May 7, 2020
@andrewkroh andrewkroh added Team:SIEM and removed needs_team Indicates that the issue/PR needs a Team:* label labels May 7, 2020
@elasticmachine
Copy link
Collaborator

Pinging @elastic/siem (Team:SIEM)

@andrewkroh andrewkroh added needs_team Indicates that the issue/PR needs a Team:* label and removed needs_team Indicates that the issue/PR needs a Team:* label labels May 7, 2020
kaiyan-sheng
kaiyan-sheng approved these changes May 7, 2020
View reviewed changes
Copy link
Contributor

@kaiyan-sheng kaiyan-sheng left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

backport looks good.

andrewstucki
andrewstucki approved these changes May 7, 2020
View reviewed changes
Copy link

@andrewstucki andrewstucki left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Apart from my one comment which we can do in a follow up PR to the 7.x branch (along with the other changes you suggested in #18340) LGTM

x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx.golden.json
"pid": 776
},
"rule": {
"name": "-"
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We might want to consider dropping this field if it doesn't actually contain anything valuable

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added that to #18364.

@elasticmachine
Copy link
Collaborator

💚 Build Succeeded

Pipeline View Test View Changes Artifacts preview stats

Expand to view the summary

Build stats

Test stats 🧪

Test Results
Failed 0
Passed 263
Skipped 1
Total 264

@andrewkroh andrewkroh merged commit cdbe1fe into elastic:7.8 May 7, 2020
@andrewkroh andrewkroh deleted the backport_18340_7.8 branch January 14, 2022 14:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kaiyan-sheng kaiyan-sheng kaiyan-sheng approved these changes

@andrewstucki andrewstucki andrewstucki approved these changes

Assignees
No one assigned
Labels
backport review
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@andrewkroh @elasticmachine @andrewstucki @kaiyan-sheng @marc-gr