Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Winlogbeat] More ECS changes for Sysmon #18364

Closed
andrewkroh opened this issue May 7, 2020 · 3 comments · Fixed by #18381
Closed

[Winlogbeat] More ECS changes for Sysmon #18364

andrewkroh opened this issue May 7, 2020 · 3 comments · Fixed by #18381
Assignees
@marc-gr
Labels
ecs enhancement Winlogbeat

Comments

@andrewkroh
Copy link
Member

There are few addition improvements we can make the Winlogbeat Sysmon module to better align we ECS.

  • Set related.hash.
  • Set file.extension/name/directory. Use the JS path module .
  • hash.* is not part of ECS. It should be used as file.hash.* or process.hash.*. We can't delete the existing hash.* fields until 8.0, so for 7.x we can populate them both. And then do a breaking change for 8.0 where we drop hash.* completely.
  • Drop the rule.name field when it has a tack - value
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label May 7, 2020
@elasticmachine
Copy link
Collaborator

Pinging @elastic/siem (Team:SIEM)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label May 7, 2020
This was referenced May 7, 2020
Merged
Merged
@marc-gr
Copy link
Contributor

marc-gr commented May 8, 2020

Do you think it might also be needed for related.ip, related.user and process.parent.hash?

@andrewkroh
Copy link
Member Author

Yes to all. Good catch.

@marc-gr marc-gr mentioned this issue May 8, 2020
Merged
8 tasks
marc-gr added a commit to marc-gr/beats that referenced this issue May 14, 2020
@marc-gr
Improve ECS field mappings in Sysmon module.
eef083f 
- related.hash, related.ip, and related.user are now populated.
- hashes are now also populated to the corresponding process.hash, process.pe.imphash, file.hash or file.pe.imphash
- file.name, file.directory, and file.extension are now populated.
- rule.name is populated for all events when present.

Closes elastic#18364
marc-gr added a commit that referenced this issue May 14, 2020
@marc-gr
Improve ECS field mappings in Sysmon module. (#18381)
096b88e 
- related.hash, related.ip, and related.user are now populated.
- hashes are now also populated to the corresponding process.hash, process.pe.imphash, file.hash or file.pe.imphash
- file.name, file.directory, and file.extension are now populated.
- rule.name is populated for all events when present.

Closes #18364
marc-gr added a commit to marc-gr/beats that referenced this issue May 14, 2020
@marc-gr
Improve ECS field mappings in Sysmon module. (elastic#18381)
c790bac 
- related.hash, related.ip, and related.user are now populated.
- hashes are now also populated to the corresponding process.hash, process.pe.imphash, file.hash or file.pe.imphash
- file.name, file.directory, and file.extension are now populated.
- rule.name is populated for all events when present.

Closes elastic#18364

(cherry picked from commit 096b88e)
@marc-gr marc-gr mentioned this issue May 14, 2020
Merged
8 tasks
marc-gr added a commit to marc-gr/beats that referenced this issue May 14, 2020
@marc-gr
Improve ECS field mappings in Sysmon module. (elastic#18381)
3d5c8ce 
- related.hash, related.ip, and related.user are now populated.
- hashes are now also populated to the corresponding process.hash, process.pe.imphash, file.hash or file.pe.imphash
- file.name, file.directory, and file.extension are now populated.
- rule.name is populated for all events when present.

Closes elastic#18364

(cherry picked from commit 096b88e)
@marc-gr marc-gr mentioned this issue May 14, 2020
Merged
8 tasks
marc-gr added a commit that referenced this issue May 15, 2020
@marc-gr
Improve ECS field mappings in Sysmon module. (#18381) (#18519)
b68cde3 
- related.hash, related.ip, and related.user are now populated.
- hashes are now also populated to the corresponding process.hash, process.pe.imphash, file.hash or file.pe.imphash
- file.name, file.directory, and file.extension are now populated.
- rule.name is populated for all events when present.

Closes #18364

(cherry picked from commit 096b88e)
marc-gr added a commit that referenced this issue May 15, 2020
@marc-gr
Improve ECS field mappings in Sysmon module. (#18381) (#18518)
6c460ea 
- related.hash, related.ip, and related.user are now populated.
- hashes are now also populated to the corresponding process.hash, process.pe.imphash, file.hash or file.pe.imphash
- file.name, file.directory, and file.extension are now populated.
- rule.name is populated for all events when present.

Closes #18364

(cherry picked from commit 096b88e)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@marc-gr marc-gr

Labels
ecs enhancement Winlogbeat
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[Winlogbeat] Improve ECS field mappings in Sysmon module. marc-gr/beats
3 participants
@andrewkroh @marc-gr @elasticmachine