Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[windows] Support for Sysmon Registry non-QWORD/DWORD events #2962

Merged
merged 8 commits into from
Apr 28, 2022
Merged

[windows] Support for Sysmon Registry non-QWORD/DWORD events #2962

merged 8 commits into from
Apr 28, 2022

Conversation

r00tu53r
Copy link
Contributor

@r00tu53r r00tu53r commented Mar 31, 2022
edited
Loading

What does this PR do?

  • fixes the QWORD and DWORD regex
  • enables the sysmon_operational pipeline to process sysmon registry events for values other than QWORD and DWORD (REG_SZ, REG_MULTI_SZ, REG_BINARY, REG_EXPAND_SZ).

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

How to test this PR locally

elastic-package test pipeline -v

Related issues

@r00tu53r r00tu53r added the enhancement New feature or request label Mar 31, 2022
@r00tu53r r00tu53r requested a review from a team March 31, 2022 08:54
@r00tu53r r00tu53r requested a review from a team as a code owner March 31, 2022 08:54
@r00tu53r r00tu53r self-assigned this Mar 31, 2022
@elasticmachine
Copy link

elasticmachine commented Mar 31, 2022
edited
Loading

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview preview

Expand to view the summary

Build stats

  • Start Time: 2022-04-27T23:25:33.633+0000

  • Duration: 16 min 12 sec

Test stats 🧪

Test Results
Failed 0
Passed 126
Skipped 0
Total 126

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

@elasticmachine
Copy link

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

efd6
efd6 reviewed Mar 31, 2022
View reviewed changes
packages/windows/data_stream/forwarded/sample_event.json Show resolved Hide resolved
...ges/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json-expected.json
"registry": {
"data": {
"strings": [
"0x12349abc"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is the DWORD left as hex but the QWORD above is converted to decimal?

packages/windows/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml Outdated Show resolved Hide resolved
@r00tu53r r00tu53r requested a review from efd6 April 1, 2022 01:33
@r00tu53r r00tu53r added the Team:Integrations Label for the Integrations team label Apr 1, 2022
@elasticmachine
Copy link

Pinging @elastic/integrations (Team:Integrations)

@r00tu53r
Copy link
Contributor Author

r00tu53r commented Apr 5, 2022

@elastic/integrations can someone please help review this PR?

@andrewkroh andrewkroh changed the title Support for Sysmon Registry non-QWORD/DWORD events [windows] Support for Sysmon Registry non-QWORD/DWORD events Apr 7, 2022
@elasticmachine
Copy link

🌐 Coverage report

Name Metrics % (covered/total) Diff
Packages 100.0% (4/4) 💚
Files 87.5% (7/8) 👎 -9.643
Classes 87.5% (7/8) 👎 -9.643
Methods 84.884% (73/86) 👎 -3.212
Lines 92.37% (4939/5347) 👍 3.532
Conditionals 100.0% (0/0) 💚

andrewkroh
andrewkroh approved these changes Apr 28, 2022
View reviewed changes
Copy link
Member

@andrewkroh andrewkroh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

@elastic/integrations, can you please take a look at this.

@r00tu53r r00tu53r merged commit ce0b4a7 into elastic:main Apr 28, 2022
@adriansr adriansr mentioned this pull request May 9, 2022
Merged
4 tasks
@andrewkroh andrewkroh mentioned this pull request May 11, 2022
Merged
@w0rk3r w0rk3r mentioned this pull request May 25, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@efd6 efd6 efd6 approved these changes

@andrewkroh andrewkroh andrewkroh approved these changes

@jsoriano jsoriano jsoriano approved these changes

Assignees

@r00tu53r r00tu53r

Labels
enhancement New feature or request Integration:windows Windows Team:Integrations Label for the Integrations team
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[windows] Lacks parsing for Sysmon Registry non-QWORD/DWORD events
5 participants
@r00tu53r @elasticmachine @jsoriano @andrewkroh @efd6