Handle empty sysmon DNS answer data #35207
This pull request does not have a backport label.
To fixup this pull request, you need to add the backport labels for the needed

This pull request is now in conflicts. Could you fix it? 🙏

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
@Technici4n Are you able to provide a complete event XML (appropriately cleaned of private data) so that we can construct tests for this addition?
Hi, here is a cleaned event:

```xml
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <Provider Name='Microsoft-Windows-Sysmon' Guid='{00000000-0000-0000-0000-000000000000}'/>
    <EventID>22</EventID>
    <Version>5</Version>
    <Level>4</Level>
    <Task>22</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime='2000-00-00T00:00:00.000Z'/>
    <EventRecordID>1111</EventRecordID>
    <Correlation/>
    <Execution ProcessID='1000' ThreadID='2000'/>
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>internal.network.org</Computer>
    <Security UserID='A-0-0-00'/>
  </System>
  <EventData>
    <Data Name='RuleName'>-</Data>
    <Data Name='UtcTime'>2000-00-00T00:00:00.000</Data>
    <Data Name='ProcessGuid'>{00000000-0000-0000-0000-000000000000}</Data>
    <Data Name='ProcessId'>500</Data>
    <Data Name='QueryName'>some.other.domain.com</Data>
    <Data Name='QueryStatus'>0</Data>
    <Data Name='QueryResults'>type: 33 ;type: 33 ;1:2:3::3;1.2.3.3;</Data>
    <Data Name='Image'>C:\Windows\System32\lsass.exe</Data>
    <Data Name='User'>NT AUTHORITY\SYSTEM</Data>
  </EventData>
</Event>
```

I am not running through winlogbeat directly, but I am reusing its pipelines. This is the error message that I get:
Test event provided in elastic/beats#35207.
I've added the test case. Would you resolve the conflict and address the comments? Thanks
/test
x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-no-evtx.golden.json
/test
Thanks
What does this PR do?

Makes the sysmon pipeline handle DNS records with blank data, for example

```xml
<Data Name='QueryResults'>type: 33 ;type: 33 ;<some ip v6>;<some ip v4>;</Data>
```

Why is it important?

I encountered such data - I am not sure how it was produced, it might have been an issue with the network configuration. Nonetheless, I did not want to drop the records, so I edited the pipeline a bit, and figured this might be useful to others. If you don't want this, it's also fine.

Checklist

- I have made corresponding changes to the documentation
- I have made corresponding change to the default configuration files
- CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Author's Checklist
How to test this PR locally
Related issues
Use cases
Screenshots
Logs
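As an added illustration of the behaviour this PR asks of the pipeline (this is not the winlogbeat sysmon ingest pipeline's own code, which is an Elasticsearch ingest pipeline, and not code by the PR author), the Go program below parses a Sysmon Event ID 22 `QueryResults` string. Each `;`-separated entry is either an IP literal (an A or AAAA answer) or a `type: <code> <data>` entry whose `<data>` part may be missing, as in the `type: 33 ;` entries of the cleaned event posted above. A missing data segment yields an answer with an empty `Data` field instead of an error, so the record is kept rather than dropped. The first input is the `QueryResults` value from the event in this thread; the second, with a CNAME and an IPv4-mapped IPv6 answer (the `::ffff:a.b.c.d` form Sysmon commonly uses for IPv4 results), is constructed for the example. The `rrTypeNames` table is a small subset of the IANA DNS resource record type registry (A=1, CNAME=5, AAAA=28, SRV=33); the `Answer` type and `ParseQueryResults` function are names chosen for this example.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Answer is one parsed entry of a Sysmon Event ID 22 QueryResults field.
// (Example type for this illustration, not a winlogbeat type.)
type Answer struct {
	Type string // DNS record type name, e.g. "A", "AAAA", "SRV"
	Data string // record data; empty when Sysmon logged only the type
}

// rrTypeNames maps DNS resource record type codes (IANA registry) to names.
// Only a few common types are listed; unknown codes are kept as their number.
var rrTypeNames = map[int]string{
	1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA", 33: "SRV",
}

// ParseQueryResults splits a QueryResults value into answers.
// Entries are ';'-separated. Bare IP literals are A/AAAA answers; other
// entries are "type: <code> <data>", where <data> may be absent (e.g.
// "type: 33 ;"). An entry with no data is returned with an empty Data
// field rather than causing the whole event to fail.
func ParseQueryResults(raw string) ([]Answer, error) {
	var answers []Answer
	for _, entry := range strings.Split(raw, ";") {
		entry = strings.TrimSpace(entry)
		if entry == "" {
			continue // trailing ';' or doubled separators
		}
		if ip := net.ParseIP(entry); ip != nil {
			// IPv4 answers are often logged as IPv4-mapped IPv6 (::ffff:a.b.c.d);
			// To4 normalises those back to dotted-quad form.
			if ip4 := ip.To4(); ip4 != nil {
				answers = append(answers, Answer{Type: "A", Data: ip4.String()})
			} else {
				answers = append(answers, Answer{Type: "AAAA", Data: entry})
			}
			continue
		}
		if !strings.HasPrefix(entry, "type:") {
			return nil, fmt.Errorf("unrecognised QueryResults entry %q", entry)
		}
		// Fields tolerates the variable whitespace Sysmon emits after "type:"
		// and yields one field for "type: 33" or two or more for "type: 5 host".
		fields := strings.Fields(strings.TrimPrefix(entry, "type:"))
		if len(fields) == 0 {
			return nil, fmt.Errorf("missing type code in %q", entry)
		}
		code, err := strconv.Atoi(fields[0])
		if err != nil {
			return nil, fmt.Errorf("bad type code in %q: %w", entry, err)
		}
		name, ok := rrTypeNames[code]
		if !ok {
			name = strconv.Itoa(code)
		}
		// fields[1:] is empty for a blank data segment, giving Data == "".
		answers = append(answers, Answer{Type: name, Data: strings.Join(fields[1:], " ")})
	}
	return answers, nil
}

func main() {
	// Input taken from the cleaned event posted in this PR.
	const fromEvent = "type: 33 ;type: 33 ;1:2:3::3;1.2.3.3;"
	// Constructed input: a CNAME answer followed by an IPv4-mapped IPv6 answer.
	const constructed = "type:  5 www.example.com;::ffff:10.1.2.3;"
	for _, raw := range []string{fromEvent, constructed} {
		answers, err := ParseQueryResults(raw)
		if err != nil {
			panic(err)
		}
		for _, a := range answers {
			fmt.Printf("%-5s %q\n", a.Type, a.Data)
		}
	}
}
```

The point of the `len(fields)` handling is that the blank-data case ends up as a normal answer with `Data == ""`, which is what lets the event survive; only a genuinely malformed entry (no type code, or a non-numeric one) is reported as an error.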