
Update sysmon and security modules #13047

Merged
merged 4 commits into from Jul 26, 2019

Conversation

andrewkroh (Member)

  • Add event.module for both modules.
  • Add event.output to Security log authentication events.
  • Add event.category=process and event.type=process_start/process_end to Sysmon process events (event ID 1 and 5).

@elasticmachine (Collaborator)

Pinging @elastic/secops

@adriansr (Contributor)

Some tests seem to be failing due to different case in GUID fields

@andrewkroh (Member, Author)

I'm guessing this GUID casing is some kind of subtle difference in Windows 2019. This job ran on a 2019 worker machine which I think are relatively new. I'll run some tests there and try to reproduce.

- Add event.module for both modules.
- Add event.output to Security log authentication events.
- Add event.category=process and event.type=process_start/process_end to Sysmon process events (event ID 1 and 5).
This also improves the diff output when a test fails.
@andrewkroh andrewkroh force-pushed the feature/wlb/more-event-fields branch from 9e1a3a1 to 54e9bfc on July 25, 2019 16:36
@andrewkroh (Member, Author)

I found that Windows 2019 generates GUID values with lowercase hex (as per the RFC). So I've updated the test case to normalize any uppercase GUIDs to lowercase. I also improved the diff output to make it easier to read.

        testing_windows.go:68: Expected and actual are different:
            --- Expected
            +++ Actual
            @@ -34,3 +34,3 @@
                 },
            -    "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
            +    "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
                 "provider_name": "Microsoft-Windows-Sysmon",

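The normalization described in the comment above, as an added illustration that is not the PR's own code and not taken from Winlogbeat's testing_windows.go: the golden document and the live event are decoded, every braced GUID string anywhere in the nested structure is lowercased, and only then are the two compared. A casing-only difference (older Windows writing uppercase hex, Windows 2019 writing lowercase) stops failing the test, while any other difference still fails it. The two JSON documents, the field names inside event_data and the tags array are constructed sample data, not the module's real test fixtures.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
	"regexp"
	"strings"
)

// Constructed sample events (not the PR's test data): the golden file as recorded
// on an older Windows version, and the same event as emitted by a Windows 2019
// worker, where only the GUID casing differs.
const ExpectedGolden = `{
  "event_id": 1,
  "provider_guid": "{5770385F-C22A-43E0-BF4C-06F5698FFBD9}",
  "provider_name": "Microsoft-Windows-Sysmon",
  "event_data": {"ProcessGuid": "{12345678-ABCD-EF01-2345-6789ABCDEF01}"},
  "tags": ["{5770385F-C22A-43E0-BF4C-06F5698FFBD9}"]
}`

const ActualWin2019 = `{
  "event_id": 1,
  "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
  "provider_name": "Microsoft-Windows-Sysmon",
  "event_data": {"ProcessGuid": "{12345678-abcd-ef01-2345-6789abcdef01}"},
  "tags": ["{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"]
}`

// guidRE matches a braced GUID in either case, e.g. {5770385F-C22A-43E0-BF4C-06F5698FFBD9}.
var guidRE = regexp.MustCompile(`^\{[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}$`)

// normalizeString lowercases s if it is a braced GUID; the bool reports whether
// the value actually changed.
func normalizeString(s string) (string, bool) {
	if !guidRE.MatchString(s) {
		return s, false
	}
	lower := strings.ToLower(s)
	return lower, lower != s
}

// NormalizeGUIDs walks a decoded JSON value (nested maps and slices) in place and
// lowercases every string that is a braced GUID. It returns how many values changed.
func NormalizeGUIDs(v interface{}) int {
	changed := 0
	switch x := v.(type) {
	case map[string]interface{}:
		for k, val := range x {
			if s, ok := val.(string); ok {
				if norm, did := normalizeString(s); did {
					x[k] = norm
					changed++
				}
				continue
			}
			changed += NormalizeGUIDs(val)
		}
	case []interface{}:
		for i, val := range x {
			if s, ok := val.(string); ok {
				if norm, did := normalizeString(s); did {
					x[i] = norm
					changed++
				}
				continue
			}
			changed += NormalizeGUIDs(val)
		}
	}
	return changed
}

// GoldenMatches decodes both documents, normalizes GUID casing on each side and
// compares them structurally, so a casing-only difference does not fail the test
// while any other difference (renamed provider, missing field, new value) still does.
func GoldenMatches(expectedJSON, actualJSON string) (bool, error) {
	var expected, actual interface{}
	if err := json.Unmarshal([]byte(expectedJSON), &expected); err != nil {
		return false, fmt.Errorf("decode expected: %w", err)
	}
	if err := json.Unmarshal([]byte(actualJSON), &actual); err != nil {
		return false, fmt.Errorf("decode actual: %w", err)
	}
	NormalizeGUIDs(expected)
	NormalizeGUIDs(actual)
	return reflect.DeepEqual(expected, actual), nil
}

func main() {
	ok, err := GoldenMatches(ExpectedGolden, ActualWin2019)
	fmt.Println("golden matches after GUID normalization:", ok, "err:", err)
}
```

Normalizing both sides rather than only the actual event means the golden files themselves never have to be rewritten when the generating OS changes, and comparing the decoded structure rather than the raw text keeps field order and whitespace out of the comparison.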
@andrewkroh andrewkroh requested a review from adriansr July 25, 2019 20:28
@andrewkroh andrewkroh merged commit cca42cf into elastic:master Jul 26, 2019
andrewkroh added a commit to andrewkroh/beats that referenced this pull request Jul 30, 2019
This cherry-picks part of elastic#13047 which fixes testing on Windows 2019.
GUIDs are formatted differently in Windows 2019 than they were in
past Windows versions so the golden tests were failing.
andrewkroh added a commit that referenced this pull request Jul 30, 2019
This cherry-picks part of #13047 which fixes testing on Windows 2019.
GUIDs are formatted differently in Windows 2019 than they were in
past Windows versions so the golden tests were failing.
leweafan pushed a commit to leweafan/beats that referenced this pull request Apr 28, 2023
This cherry-picks part of elastic#13047 which fixes testing on Windows 2019.
GUIDs are formatted differently in Windows 2019 than they were in
past Windows versions so the golden tests were failing.
3 participants