Update sysmon and security modules #13047
andrewkroh
commented
Jul 23, 2019
- Add event.module for both modules.
- Add event.output to Security log authentication events.
- Add event.category=process and event.type=process_start/process_end to Sysmon process events (event ID 1 and 5).
8ef7630 to 9e1a3a1
Pinging @elastic/secops
Some tests seem to be failing due to different case in GUID fields
I'm guessing this GUID casing is some kind of subtle difference in Windows 2019. This job ran on a 2019 worker machine which I think are relatively new. I'll run some tests there and try to reproduce.
- Add event.module for both modules.
- Add event.output to Security log authentication events.
- Add event.category=process and event.type=process_start/process_end to Sysmon process events (event ID 1 and 5).
- This also improves the diff output when a test fails.
9e1a3a1 to 54e9bfc
I found that Windows 2019 generates GUID values with lowercase hex (as per the RFC). So I've updated the test case to normalize any uppercase GUIDs to lowercase. I also improved the diff output to make it easier to read.
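The GUID normalization and per-field diff described in the comment above, as an added Go example that is not code from this PR or from Beats: the function names, the event layout under winlog.event_data, and the sample GUIDs are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// guidRe matches an RFC 4122 GUID in either hex case, with or without the braces Windows puts around values such as ProcessGuid.
var guidRe = regexp.MustCompile(`(?i)^\{?[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$`)

// normalizeGUIDs lowercases every GUID-shaped string in a decoded event (maps are updated in place,
// arrays are not traversed) so a golden file recorded on older Windows matches Windows 2019 output.
func normalizeGUIDs(v interface{}) interface{} {
	if m, ok := v.(map[string]interface{}); ok {
		for k, c := range m {
			m[k] = normalizeGUIDs(c)
		}
	} else if s, ok := v.(string); ok && guidRe.MatchString(s) {
		return strings.ToLower(s)
	}
	return v
}

// fieldDiffs returns one readable line per leaf field (dotted path) whose value differs, in stable order.
func fieldDiffs(path string, expected, actual interface{}) []string {
	em, eok := expected.(map[string]interface{})
	am, aok := actual.(map[string]interface{})
	if !eok || !aok {
		if fmt.Sprint(expected) == fmt.Sprint(actual) {
			return nil
		}
		return []string{fmt.Sprintf("%s: expected %v, got %v", path, expected, actual)}
	}
	var diffs []string
	for k, ev := range em {
		diffs = append(diffs, fieldDiffs(strings.TrimPrefix(path+"."+k, "."), ev, am[k])...)
	}
	sort.Strings(diffs)
	return diffs
}

// sysmonEvent builds a constructed Sysmon event ID 1 record (not from the PR) whose only variable part is the ProcessGuid.
func sysmonEvent(guid string) map[string]interface{} {
	return map[string]interface{}{
		"event":  map[string]interface{}{"module": "sysmon", "category": "process", "type": "process_start"},
		"winlog": map[string]interface{}{"event_id": 1, "event_data": map[string]interface{}{"ProcessGuid": guid}},
	}
}
```

Running normalizeGUIDs over the golden event before calling fieldDiffs makes an uppercase-GUID fixture compare equal to the lowercase output of a Windows 2019 host, while any real field difference is still reported with its full path.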
This cherry-picks part of elastic#13047 which fixes testing on Windows 2019. GUIDs are formatted differently in Windows 2019 than they were in past Windows versions so the golden tests were failing.