Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Winlogbeat NewProcessFields Function Missing Parent Process #29237

Closed
veritasr3x opened this issue Dec 1, 2021 · 2 comments
Closed

Winlogbeat NewProcessFields Function Missing Parent Process #29237

veritasr3x opened this issue Dec 1, 2021 · 2 comments
Labels
enhancement Winlogbeat

Comments

@veritasr3x
Copy link

veritasr3x commented Dec 1, 2021
edited

Hi Elastic Team ,

Github issue approval noted in Elastic Discussion Forums.

I'm writing to request an update to the winlogbeat Windows Security module to add the parent process ID value for Windows Security event 4688.

Lines 2132 to 2142 handle field renames for parent/child process fields in 4688:

        .Convert({
            fields: [
                {from: "winlog.event_data.NewProcessId", to: "process.pid", type: "long"},
                {from: "winlog.event_data.NewProcessName", to: "process.executable"},
                {from: "winlog.event_data.ParentProcessName", to: "process.parent.executable"}
            ],
            mode: "rename",
            ignore_missing: true,
            fail_on_error: false,
        })

The parent process ID is missing from the function, which affects Windows Security Event 4688. Looking at a raw sample for a 4688, the parent process in friendly view is re-labeled by Microsoft as Creator Process ID. However, the XML shows the parent process ID structured as ProcessId:

image

The winlogbeat security module variable event4688 references the renameNewProcessFields function and is the only variable that does, so I propose the renameNewProcessFields function be updated to include the parent process PID:

        .Convert({
            fields: [
                {from: "winlog.event_data.NewProcessId", to: "process.pid", type: "long"},
                {from: "winlog.event_data.NewProcessName", to: "process.executable"},
                {from: "winlog.event_data.ParentProcessName", to: "process.parent.executable"}
                {from: "winlog.event_data.ProcessId", to: "process.parent.pid"}  //<---updated line
            ],
            mode: "rename",
            ignore_missing: true,
            fail_on_error: false,
        })

Since it's an event-dependent variable reference, the context will only be invoked for 4688s and not conflict with any others.

label:Team:Elastic-Agent
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Dec 1, 2021
@elasticmachine
Copy link
Collaborator

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Dec 2, 2021
This was referenced Apr 1, 2022
Merged
Merged
@efd6
Copy link
Contributor

efd6 commented May 5, 2022

This should have been autoclosed by #31102.

@efd6 efd6 closed this as completed May 5, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement Winlogbeat
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@veritasr3x @andrewkroh @elasticmachine @jamiehynds @efd6