Skip to content

Commit

Permalink
Use ingest pipelines for forwarded data set (#973)
Browse files Browse the repository at this point in the history
  • Loading branch information
@marc-gr
marc-gr authored May 11, 2021
1 parent 9b706ad commit f363ff7
Show file tree
Hide file tree
Showing 251 changed files with 52,471 additions and 10,199 deletions.
6 changes: 2 additions & 4 deletions packages/windows/_dev/build/docs/README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -38,10 +38,8 @@ Both datasets are available on Windows only.
### Forwarded

The Windows `forwarded` dataset provides events from the Windows
`ForwardedEvents` event log.

{{fields "forwarded"}}

`ForwardedEvents` event log. The fields will be the same as the
channel specific datasets.

### Powershell

Expand Down
5 changes: 5 additions & 0 deletions packages/windows/changelog.yml
View file
Original file line number Diff line number Diff line change
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "0.8.0"
changes:
- description: Use ingest pipelines for forwarded dataset.
type: enhancement
link: https://github.com/elastic/integrations/pull/973
- version: "0.7.0"
changes:
- description: Move Sysmon edge processing to ingest pipeline.
Expand Down
178 changes: 178 additions & 0 deletions packages/windows/data_stream/forwarded/_dev/test/pipeline/test-powershell-events.json
View file

Large diffs are not rendered by default.

2 changes: 2 additions & 0 deletions ...s/windows/data_stream/forwarded/_dev/test/pipeline/test-powershell-events.json-config.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
dynamic_fields:
event.ingested: ".*"
272 changes: 272 additions & 0 deletions ...indows/data_stream/forwarded/_dev/test/pipeline/test-powershell-events.json-expected.json
View file

Large diffs are not rendered by default.

178 changes: 178 additions & 0 deletions .../windows/data_stream/forwarded/_dev/test/pipeline/test-powershell-operational-events.json
View file

Large diffs are not rendered by default.

2 changes: 2 additions & 0 deletions ...ta_stream/forwarded/_dev/test/pipeline/test-powershell-operational-events.json-config.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
dynamic_fields:
event.ingested: ".*"
272 changes: 272 additions & 0 deletions ...stream/forwarded/_dev/test/pipeline/test-powershell-operational-events.json-expected.json
View file

Large diffs are not rendered by default.

53 changes: 53 additions & 0 deletions packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1100.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,53 @@
{
"events": [
{
"@timestamp": "2021-04-15T19:07:13.883Z",
"log": {
"file": {
"path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/1100.xml"
},
"level": "information"
},
"host": {
"name": "WIN-41OB2LO92CR.wlbeat.local"
},
"agent": {
"id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
"name": "Lees-MBP.localdomain",
"type": "filebeat",
"version": "8.0.0",
"ephemeral_id": "bcbde3d3-6558-46d7-aaee-ed9cf67e04d3"
},
"ecs": {
"version": "1.8.0"
},
"winlog": {
"keywords": [
"Audit Success"
],
"time_created": "2019-11-07T10:37:04.226Z",
"outcome": "success",
"level": "information",
"process": {
"pid": 1144,
"thread": {
"id": 4532
}
},
"channel": "Security",
"event_id": 1100,
"computer_name": "WIN-41OB2LO92CR.wlbeat.local",
"opcode": "Info",
"provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}",
"provider_name": "Microsoft-Windows-Eventlog",
"record_id": 14257
},
"event": {
"code": 1100,
"provider": "Microsoft-Windows-Eventlog",
"outcome": "success",
"kind": "event"
}
}
]
}
2 changes: 2 additions & 0 deletions packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1100.json-config.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
dynamic_fields:
event.ingested: ".*"
61 changes: 61 additions & 0 deletions ...es/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1100.json-expected.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,61 @@
{
"expected": [
{
"agent": {
"name": "Lees-MBP.localdomain",
"id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
"ephemeral_id": "bcbde3d3-6558-46d7-aaee-ed9cf67e04d3",
"type": "filebeat",
"version": "8.0.0"
},
"@timestamp": "2019-11-07T10:37:04.226Z",
"winlog": {
"computer_name": "WIN-41OB2LO92CR.wlbeat.local",
"record_id": "14257",
"process": {
"pid": 1144,
"thread": {
"id": 4532
}
},
"event_id": "1100",
"keywords": [
"Audit Success"
],
"level": "information",
"provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}",
"channel": "Security",
"time_created": "2019-11-07T10:37:04.226Z",
"opcode": "Info",
"provider_name": "Microsoft-Windows-Eventlog",
"outcome": "success"
},
"ecs": {
"version": "1.9.0"
},
"log": {
"level": "information",
"file": {
"path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/1100.xml"
}
},
"host": {
"name": "WIN-41OB2LO92CR.wlbeat.local"
},
"event": {
"ingested": "2021-05-05T08:09:31.321736508Z",
"code": "1100",
"provider": "Microsoft-Windows-Eventlog",
"kind": "event",
"action": "logging-service-shutdown",
"category": [
"process"
],
"type": [
"end"
],
"outcome": "success"
}
}
]
}
60 changes: 60 additions & 0 deletions packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1102.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,60 @@
{
"events": [
{
"@timestamp": "2021-04-15T19:07:33.932Z",
"log": {
"file": {
"path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/1102.xml"
},
"level": "information"
},
"agent": {
"ephemeral_id": "737c4709-1498-44d4-b1e6-d21cac1470e5",
"id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
"name": "Lees-MBP.localdomain",
"type": "filebeat",
"version": "8.0.0"
},
"ecs": {
"version": "1.8.0"
},
"host": {
"name": "WIN-41OB2LO92CR.wlbeat.local"
},
"winlog": {
"computer_name": "WIN-41OB2LO92CR.wlbeat.local",
"opcode": "Info",
"provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}",
"time_created": "2019-11-07T10:34:29.055Z",
"outcome": "success",
"level": "information",
"event_id": 1102,
"provider_name": "Microsoft-Windows-Eventlog",
"user_data": {
"SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
"SubjectUserName": "Administrator",
"SubjectDomainName": "WLBEAT",
"SubjectLogonId": "0x50e87",
"xml_name": "LogFileCleared"
},
"keywords": [
"Audit Success"
],
"process": {
"pid": 1144,
"thread": {
"id": 1824
}
},
"channel": "Security",
"record_id": 14224
},
"event": {
"provider": "Microsoft-Windows-Eventlog",
"outcome": "success",
"kind": "event",
"code": 1102
}
}
]
}
2 changes: 2 additions & 0 deletions packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1102.json-config.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
dynamic_fields:
event.ingested: ".*"
82 changes: 82 additions & 0 deletions ...es/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1102.json-expected.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,82 @@
{
"expected": [
{
"agent": {
"name": "Lees-MBP.localdomain",
"id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
"ephemeral_id": "737c4709-1498-44d4-b1e6-d21cac1470e5",
"type": "filebeat",
"version": "8.0.0"
},
"@timestamp": "2019-11-07T10:34:29.055Z",
"winlog": {
"computer_name": "WIN-41OB2LO92CR.wlbeat.local",
"process": {
"pid": 1144,
"thread": {
"id": 1824
}
},
"keywords": [
"Audit Success"
],
"level": "information",
"logon": {
"id": "0x50e87"
},
"channel": "Security",
"user_data": {
"SubjectUserName": "Administrator",
"SubjectDomainName": "WLBEAT",
"SubjectLogonId": "0x50e87",
"SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
"xml_name": "LogFileCleared"
},
"opcode": "Info",
"record_id": "14224",
"event_id": "1102",
"provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}",
"time_created": "2019-11-07T10:34:29.055Z",
"provider_name": "Microsoft-Windows-Eventlog",
"outcome": "success"
},
"ecs": {
"version": "1.9.0"
},
"related": {
"user": [
"Administrator"
]
},
"log": {
"level": "information",
"file": {
"path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/1102.xml"
}
},
"host": {
"name": "WIN-41OB2LO92CR.wlbeat.local"
},
"event": {
"ingested": "2021-05-05T08:09:31.399419889Z",
"code": "1102",
"provider": "Microsoft-Windows-Eventlog",
"kind": "event",
"action": "audit-log-cleared",
"category": [
"iam"
],
"type": [
"admin",
"change"
],
"outcome": "success"
},
"user": {
"name": "Administrator",
"domain": "WLBEAT",
"id": "S-1-5-21-101361758-2486510592-3018839910-500"
}
}
]
}
53 changes: 53 additions & 0 deletions packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1104.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,53 @@
{
"events": [
{
"@timestamp": "2021-04-15T19:06:48.792Z",
"event": {
"code": 1104,
"provider": "Microsoft-Windows-Eventlog",
"outcome": "success",
"kind": "event"
},
"log": {
"file": {
"path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/1104.xml"
},
"level": "error"
},
"host": {
"name": "WIN-41OB2LO92CR.wlbeat.local"
},
"agent": {
"version": "8.0.0",
"ephemeral_id": "ba338c91-ffb8-4b65-8c25-7990b1cf0e01",
"id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
"name": "Lees-MBP.localdomain",
"type": "filebeat"
},
"ecs": {
"version": "1.8.0"
},
"winlog": {
"computer_name": "WIN-41OB2LO92CR.wlbeat.local",
"opcode": "Info",
"outcome": "success",
"process": {
"pid": 1096,
"thread": {
"id": 1444
}
},
"channel": "Security",
"event_id": 1104,
"record_id": 19352,
"time_created": "2019-11-08T07:56:17.321Z",
"level": "error",
"provider_name": "Microsoft-Windows-Eventlog",
"keywords": [
"Audit Success"
],
"provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"
}
}
]
}
2 changes: 2 additions & 0 deletions packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1104.json-config.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
dynamic_fields:
event.ingested: ".*"
Loading

0 comments on commit f363ff7

Please sign in to comment.