

windows: allow DNS query responses to have no data
Test event provided in elastic/beats#35207.
efd6 committed Jun 7, 2023
1 parent 819801c commit df1746d
Showing 5 changed files with 169 additions and 9 deletions.
7 changes: 6 additions & 1 deletion packages/windows/changelog.yml
@@ -1,9 +1,14 @@
# newer versions go on top
- version: "1.23.0"
changes:
- description: Allow DNS query responses to have no data.
type: enhancement
link: https://github.com/elastic/integrations/pull/6508
- version: "1.22.0"
changes:
- description: Set `host.os.type` and `host.os.family` in forwarded events.
type: enhancement
link: https://github.com/elastic/integrations/pull/1
link: https://github.com/elastic/integrations/pull/6180
- version: "1.21.1"
changes:
- description: Improve regular expression search efficiency to allow parsing large events.
Expand Up @@ -9483,6 +9483,51 @@
"log": {
"level": "information"
}
},
{
"event": {
"code": "22",
"kind": "event",
"provider": "Microsoft-Windows-Sysmon"
},
"host": {
"name": "internal.network.org"
},
"log": {
"level": "information"
},
"winlog": {
"channel": "Microsoft-Windows-Sysmon/Operational",
"computer_name": "internal.network.org",
"event_data": {
"Image": "C:\\Windows\\System32\\lsass.exe",
"ProcessGuid": "{00000000-0000-0000-0000-000000000000}",
"ProcessId": "500",
"QueryName": "some.other.domain.com",
"QueryResults": "type: 33 ;type: 33 ;81.2.69.144;81.2.69.142;",
"QueryStatus": "0",
"RuleName": "-",
"User": "NT AUTHORITY\\SYSTEM",
"UtcTime": "2000-01-01T00:00:00.000"
},
"event_id": "22",
"level": "information",
"opcode": "Info",
"process": {
"pid": 1000,
"thread": {
"id": 2000
}
},
"provider_guid": "{00000000-0000-0000-0000-000000000000}",
"provider_name": "Microsoft-Windows-Sysmon",
"record_id": 1111,
"time_created": "2000-01-01T00:00:00Z",
"user": {
"identifier": "A-0-0-00"
},
"version": 5
}
}
]
}
Expand Up @@ -22758,6 +22758,110 @@
},
"version": 5
}
},
{
"dns": {
"answers": [
{
"data": "",
"type": "SRV"
},
{
"data": "",
"type": "SRV"
},
{
"data": "81.2.69.144",
"type": "A"
},
{
"data": "81.2.69.142",
"type": "A"
}
],
"question": {
"name": "some.other.domain.com",
"registered_domain": "domain.com",
"subdomain": "some.other",
"top_level_domain": "com"
},
"resolved_ip": [
"81.2.69.144",
"81.2.69.142"
]
},
"ecs": {
"version": "8.0.0"
},
"event": {
"category": [
"network"
],
"code": "22",
"created": "2000-01-01T00:00:00.000Z",
"kind": "event",
"provider": "Microsoft-Windows-Sysmon",
"type": [
"connection",
"protocol",
"info"
]
},
"host": {
"name": "internal.network.org"
},
"log": {
"level": "information"
},
"network": {
"protocol": "dns"
},
"process": {
"executable": "C:\\Windows\\System32\\lsass.exe",
"name": "lsass.exe",
"pid": 500
},
"related": {
"hosts": [
"some.other.domain.com"
],
"ip": [
"81.2.69.144",
"81.2.69.142"
],
"user": [
"SYSTEM"
]
},
"sysmon": {
"dns": {
"status": "SUCCESS"
}
},
"user": {
"domain": "NT AUTHORITY",
"id": "A-0-0-00",
"name": "SYSTEM"
},
"winlog": {
"channel": "Microsoft-Windows-Sysmon/Operational",
"computer_name": "internal.network.org",
"event_id": "22",
"opcode": "Info",
"process": {
"pid": 1000,
"thread": {
"id": 2000
}
},
"provider_guid": "{00000000-0000-0000-0000-000000000000}",
"provider_name": "Microsoft-Windows-Sysmon",
"record_id": "1111",
"user": {
"identifier": "A-0-0-00"
},
"version": 5
}
}
]
}
Expand Up @@ -788,15 +788,21 @@ processors:
if (answer.startsWith("type:")) {
def parts = /\s+/.split(answer);
if (parts.length != 3) {
if (parts.length < 2) {
throw new Exception("unexpected QueryResult format");
}
answers.add([
"type": params[parts[1]],
"data": parts[2]
]);
relatedHosts.add(parts[2]);
if (parts.length == 3) {
answers.add([
"type": params[parts[1]],
"data": parts[2]
]);
relatedHosts.add(parts[2]);
} else {
answers.add([
"type": params[parts[1]],
"data": ""
]);
}
} else {
answer = answer.replace("::ffff:", "");
ips.add(answer);
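Review bot: The new else branch paired with the `if (parts.length == 3)` test catches every length other than 3, so a QueryResults entry that splits into four or more whitespace-separated parts — which the old `!= 3` check rejected — is now recorded as an answer with empty `data` and its extra fields are silently dropped; tightening the guard to `if (parts.length < 2 || parts.length > 3) {` keeps the new no-data case while still routing unexpected formats to the existing exception. QueryResults reflects DNS responses the host received, so for a detection pipeline a parser that fails loudly on an unrecognised shape is preferable to one that quietly truncates it; presumably the throw is handled by the pipeline's on_failure path, but that is outside the hunk. Separately, emitting `"data": ""` for the two-part case writes an empty-string sentinel into `dns.answers.data`; omitting the key instead (`answers.add(["type": params[parts[1]]]);`) avoids the sentinel and removes the duplicated map literal, with the expected-output fixture in this commit updated to match. The enclosing script starts and ends outside the hunk.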
2 changes: 1 addition & 1 deletion packages/windows/manifest.yml
@@ -1,6 +1,6 @@
name: windows
title: Windows
version: 1.22.0
version: 1.23.0
description: Collect logs and metrics from Windows OS and services with Elastic Agent.
type: integration
categories:

