Add winlog.event_data.* parameters to index template #13704

Merged
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -393,6 +393,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Add `event.category: process` and `event.type: process_start/process_end` to Sysmon process events (event ID 1 and 5). {pull}13047[13047]
- Add support for event ID 4672 to the Security module. {pull}12975[12975]
- Add support for event ID 22 (DNS query) to the Sysmon module. {pull}12960[12960]
- Add certain winlog.event_data.* fields to the index template. {issue}13700[13700] {pull}13704[13704]

==== Deprecated

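Review bot: "certain winlog.event_data.* fields" is vague for a user reading the release notes; name the source of truth (the `event_data` group in `winlogbeat/_meta/fields.common.yml`) or the exported field reference so readers can see which parameters now have template mappings. The entry also does not mention the `dev-tools/mage/docs.go` change in this PR, which should either get its own line or be split out.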
4 changes: 2 additions & 2 deletions dev-tools/mage/docs.go
Expand Up @@ -122,14 +122,14 @@ func (b docsBuilder) AsciidocBook(opts ...DocsOption) error {

// Render HTML.
htmlDir := CWD("build/html_docs", params.name)
buildDocsScript := filepath.Join(cloneDir, "build_docs")
args := []string{
filepath.Join(cloneDir, "build_docs.pl"),
"--chunk=1",
"--doc", params.indexFile,
"--out", htmlDir,
}
fmt.Println(">> Building HTML docs at", filepath.Join(htmlDir, "index.html"))
if err := sh.Run("perl", args...); err != nil {
if err := sh.Run(buildDocsScript, args...); err != nil {
return err
}

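Review bot: this hunk is unrelated to the `winlog.event_data.*` template change the PR title describes and is not covered by the CHANGELOG entry, so it belongs in its own PR or at least needs a sentence in the description. On substance, replacing `sh.Run("perl", args...)` with `build_docs.pl` as the first argument by `sh.Run(buildDocsScript, args...)` means `filepath.Join(cloneDir, "build_docs")` must exist in the docs checkout, carry a shebang and have its executable bit set; on a Windows developer machine the direct exec will fail where the explicit `perl` invocation worked. Worth confirming the docs repo ships `build_docs` as a wrapper and noting that requirement in a comment next to `buildDocsScript`.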
226 changes: 226 additions & 0 deletions winlogbeat/_meta/fields.common.yml
Expand Up @@ -69,6 +69,232 @@
`param2`, and so on, because event log parameters are unnamed in
earlier versions of Windows.

- name: event_data
type: group
description: >
This is a non-exhaustive list of parameters that are used in
Windows events. By having these fields defined in the template they
can be used in dashboards and machine-learning jobs.
fields:
- name: AuthenticationPackageName
type: keyword
- name: Binary
type: keyword
- name: BitlockerUserInputTime
type: keyword
- name: BootMode
type: keyword
- name: BootType
type: keyword
- name: BuildVersion
type: keyword
- name: Company
type: keyword
- name: CorruptionActionState
type: keyword
- name: CreationUtcTime
type: keyword
- name: Description
type: keyword
- name: Detail
type: keyword
- name: DeviceName
type: keyword
- name: DeviceNameLength
type: keyword
- name: DeviceTime
type: keyword
- name: DeviceVersionMajor
type: keyword
- name: DeviceVersionMinor
type: keyword
- name: DriveName
type: keyword
- name: DriverName
type: keyword
- name: DriverNameLength
type: keyword
- name: DwordVal
type: keyword
- name: EntryCount
type: keyword
- name: ExtraInfo
type: keyword
- name: FailureName
type: keyword
- name: FailureNameLength
type: keyword
- name: FileVersion
type: keyword
- name: FinalStatus
type: keyword
- name: Group
type: keyword
- name: IdleImplementation
type: keyword
- name: IdleStateCount
type: keyword
- name: ImpersonationLevel
type: keyword
- name: IntegrityLevel
type: keyword
- name: IpAddress
type: keyword
- name: IpPort
type: keyword
- name: KeyLength
type: keyword
- name: LastBootGood
type: keyword
- name: LastShutdownGood
type: keyword
- name: LmPackageName
type: keyword
- name: LogonGuid
type: keyword
- name: LogonId
type: keyword
- name: LogonProcessName
type: keyword
- name: LogonType
type: keyword
- name: MajorVersion
type: keyword
- name: MaximumPerformancePercent
type: keyword
- name: MinimumPerformancePercent
type: keyword
- name: MinimumThrottlePercent
type: keyword
- name: MinorVersion
type: keyword
- name: NewProcessId
type: keyword
- name: NewProcessName
type: keyword
- name: NewSchemeGuid
type: keyword
- name: NewTime
type: keyword
- name: NominalFrequency
type: keyword
- name: Number
type: keyword
- name: OldSchemeGuid
type: keyword
- name: OldTime
type: keyword
- name: OriginalFileName
type: keyword
- name: Path
type: keyword
- name: PerformanceImplementation
type: keyword
- name: PreviousCreationUtcTime
type: keyword
- name: PreviousTime
type: keyword
- name: PrivilegeList
type: keyword
- name: ProcessId
type: keyword
- name: ProcessName
type: keyword
- name: ProcessPath
type: keyword
- name: ProcessPid
type: keyword
- name: Product
type: keyword
- name: PuaCount
type: keyword
- name: PuaPolicyId
type: keyword
- name: QfeVersion
type: keyword
- name: Reason
type: keyword
- name: SchemaVersion
type: keyword
- name: ScriptBlockText
type: keyword
- name: ServiceName
type: keyword
- name: ServiceVersion
type: keyword
- name: ShutdownActionType
type: keyword
- name: ShutdownEventCode
type: keyword
- name: ShutdownReason
type: keyword
- name: Signature
type: keyword
- name: SignatureStatus
type: keyword
- name: Signed
type: keyword
- name: StartTime
type: keyword
- name: State
type: keyword
- name: Status
type: keyword
- name: StopTime
type: keyword
- name: SubjectDomainName
type: keyword
- name: SubjectLogonId
type: keyword
- name: SubjectUserName
type: keyword
- name: SubjectUserSid
type: keyword
- name: TSId
type: keyword
- name: TargetDomainName
type: keyword
- name: TargetInfo
type: keyword
- name: TargetLogonGuid
type: keyword
- name: TargetLogonId
type: keyword
- name: TargetServerName
type: keyword
- name: TargetUserName
type: keyword
- name: TargetUserSid
type: keyword
- name: TerminalSessionId
type: keyword
- name: TokenElevationType
type: keyword
- name: TransmittedServices
type: keyword
- name: UserSid
type: keyword
- name: Version
type: keyword
- name: Workstation
type: keyword
- name: param1
type: keyword
- name: param2
type: keyword
- name: param3
type: keyword
- name: param4
type: keyword
- name: param5
type: keyword
- name: param6
type: keyword
- name: param7
type: keyword
- name: param8
type: keyword

- name: event_id
type: keyword
required: true
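Review bot: every field is declared `type: keyword` with no per-field `description` and no `ignore_above`, which is a problem for `ScriptBlockText`: PowerShell 4104 script block text routinely runs to many kilobytes, so if the template's default `ignore_above` for keyword applies those values are silently dropped from the index, and if it does not, oversized terms can exceed Lucene's keyword term limit and fail indexing. Suggest `type: text` or an explicit larger `ignore_above` for that field, and a short `description:` on the security-relevant ones (`LogonType`, `TokenElevationType`, `PrivilegeList`, `SubjectUserSid`, `TargetUserSid`) so they render in the exported field reference. Keeping `IpAddress`, `ProcessId` and `CreationUtcTime` as `keyword` rather than `ip`, `long` or `date` is defensible because Windows renders them as strings (for example `-` for an absent address), but saying so in the group description would save the next reader the question.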