Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Winlogbeat] Add subdomain value for sysmon module #22999

Merged
merged 4 commits into from
Dec 9, 2020
Merged

[Winlogbeat] Add subdomain value for sysmon module #22999

merged 4 commits into from
Dec 9, 2020

Conversation

andrewstucki
Copy link

@andrewstucki andrewstucki commented Dec 8, 2020
edited
Loading

What does this PR do?

This adds subdomain to the event in the sysmon module. To make it a bit more reusable I added an optional target_subdomain_field to the registered_domain processor that different modules in winlogbeat and filebeat use for parsing out the registered_domain value.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Related issues

@andrewstucki andrewstucki requested a review from a team December 8, 2020 22:41
@andrewstucki andrewstucki requested a review from a team as a code owner December 8, 2020 22:41
@elasticmachine
Copy link
Collaborator

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@botelastic botelastic bot added needs_team Indicates that the issue/PR needs a Team:* label and removed needs_team Indicates that the issue/PR needs a Team:* label labels Dec 8, 2020
@elasticmachine
Copy link
Collaborator

elasticmachine commented Dec 8, 2020
edited by jenkins-beats-ci bot
Loading

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview

Expand to view the summary

Build stats

  • Build Cause: Pull request #22999 updated

  • Start Time: 2020-12-09T02:12:38.596+0000

  • Duration: 67 min 35 sec

Test stats 🧪

Test Results
Failed 0
Passed 17359
Skipped 1373
Total 18732

Steps errors 2

Expand to view the steps failures

Terraform Apply on x-pack/metricbeat/module/aws
  • Took 0 min 14 sec . View more details on here
Terraform Apply on x-pack/metricbeat/module/aws
  • Took 0 min 15 sec . View more details on here

💚 Flaky test report

Tests succeeded.

Expand to view the summary

Test stats 🧪

Test Results
Failed 0
Passed 17359
Skipped 1373
Total 18732

@andrewstucki andrewstucki mentioned this pull request Dec 8, 2020
Closed
andrewkroh
andrewkroh approved these changes Dec 9, 2020
View reviewed changes
Copy link
Member

@andrewkroh andrewkroh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good idea to update the processor.

I noticed there is a dns.question.top_level_domain field. I guess. that. could go in there too. https://www.elastic.co/guide/en/ecs/current/ecs-dns.html#field-dns-question-top-level-domain

libbeat/processors/registered_domain/docs/registered_domain.asciidoc Show resolved Hide resolved
@andrewstucki andrewstucki mentioned this pull request Dec 9, 2020
Closed
@andrewstucki
Copy link
Author

Opened an issue to track circling back and adding "top_level_domain" handling: #23005

@andrewstucki andrewstucki merged commit d38a5d0 into elastic:master Dec 9, 2020
andrewstucki pushed a commit to andrewstucki/beats that referenced this pull request Dec 9, 2020
[Winlogbeat] Add subdomain value for sysmon module (elastic#22999)
52cdd0a 
* [Winlogbeat] Add subdomain value for sysmon module

* Add changelog entry

* Add target_subdomain_field to docs example

(cherry picked from commit d38a5d0)
@andrewstucki andrewstucki mentioned this pull request Dec 9, 2020
Merged
6 tasks
andrewstucki pushed a commit that referenced this pull request Dec 9, 2020
Cherry-pick #22999 to 7.x: [Winlogbeat] Add subdomain value for sysmo…
171a849 
…n module (#23008)

* [Winlogbeat] Add subdomain value for sysmon module (#22999)

* [Winlogbeat] Add subdomain value for sysmon module

* Add changelog entry

* Add target_subdomain_field to docs example

(cherry picked from commit d38a5d0)

* Fix up changelog
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@andrewkroh andrewkroh andrewkroh approved these changes

Assignees
No one assigned
Labels
ecs enhancement v7.11.0 Winlogbeat
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@andrewstucki @elasticmachine @andrewkroh