Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Winlogbeat] Sysmon Module - Missing DNS Status Codes #15685

Closed
nicpenning opened this issue Jan 20, 2020 · 3 comments · Fixed by #16040
Closed

[Winlogbeat] Sysmon Module - Missing DNS Status Codes #15685

nicpenning opened this issue Jan 20, 2020 · 3 comments · Fixed by #16040
Labels
bug Winlogbeat

Comments

@nicpenning
Copy link
Contributor

nicpenning commented Jan 20, 2020
edited
Loading

For confirmed bugs, please report:

Look at the logs that get ingested into Elastic or see the JSON output of WLB and see that event code 9560 is stored in the symon.dns.status field.

Similar behavior exists for these event codes as well, but I do not know how to test for them at this time:

1460
9560
123
1223
4312
10054

More rare ones that trip:
14
1214
8
10060
13
10055
5

This is per request by @andrewkroh.

Thank you!
@elasticmachine
Copy link
Collaborator

Pinging @elastic/siem (Team:SIEM)

@andrewkroh andrewkroh changed the title WinLogBeat SysMon Module - DNS Missing Code(s) [Winlogbeat] Sysmon Module - Missing DNS Status Codes Jan 31, 2020
@andrewkroh andrewkroh mentioned this issue Feb 3, 2020
Merged
@andrewkroh
Copy link
Member

I opened a fix for this issue in #16040.

andrewkroh added a commit to andrewkroh/beats that referenced this issue Feb 25, 2020
@andrewkroh
Update error codes for sysmon DNS
281ff90 
This generates a list of error numbers / symbolic names from winerror.h. I included errors that began with "DNS_" and some additional error codes as reported in elastic#15685.

Fixes elastic#15685
andrewkroh added a commit that referenced this issue Mar 10, 2020
@andrewkroh
Update error codes for sysmon DNS (#16040)
8f5d755 
This generates a list of error numbers / symbolic names from winerror.h. I included errors that began with "DNS_" and some additional error codes as reported in #15685.

Fixes #15685
@nicpenning
Copy link
Contributor Author

Thanks for addressing and fixing these @andrewkroh . I look forward to the update, whenever that may come. I will follow up after we apply the new SysMon .js module when it has been released.

@andrewkroh andrewkroh mentioned this issue Mar 10, 2020
Merged
andrewkroh added a commit to andrewkroh/beats that referenced this issue Mar 10, 2020
@andrewkroh
Update error codes for sysmon DNS (elastic#16040)
33dc5a2 
This generates a list of error numbers / symbolic names from winerror.h. I included errors that began with "DNS_" and some additional error codes as reported in elastic#15685.

Fixes elastic#15685

(cherry picked from commit 8f5d755)
@andrewkroh andrewkroh mentioned this issue Mar 10, 2020
Merged
andrewkroh added a commit to andrewkroh/beats that referenced this issue Mar 10, 2020
@andrewkroh
Update error codes for sysmon DNS (elastic#16040)
058ba50 
This generates a list of error numbers / symbolic names from winerror.h. I included errors that began with "DNS_" and some additional error codes as reported in elastic#15685.

Fixes elastic#15685

(cherry picked from commit 8f5d755)
andrewkroh added a commit that referenced this issue Mar 11, 2020
@andrewkroh
Update error codes for sysmon DNS (#16040) (#16942)
6add1cf 
This generates a list of error numbers / symbolic names from winerror.h. I included errors that began with "DNS_" and some additional error codes as reported in #15685.

Fixes #15685

(cherry picked from commit 8f5d755)
andrewkroh added a commit that referenced this issue Mar 11, 2020
@andrewkroh
Update error codes for sysmon DNS (#16040) (#16943)
00116d8 
This generates a list of error numbers / symbolic names from winerror.h. I included errors that began with "DNS_" and some additional error codes as reported in #15685.

Fixes #15685

(cherry picked from commit 8f5d755)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Winlogbeat
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Update error codes for Sysmon DNS andrewkroh/beats
4 participants
@jsoriano @andrewkroh @nicpenning @elasticmachine