From 238e3baa2f716311504943f44777ffd3de953834 Mon Sep 17 00:00:00 2001
From: Technici4n <13494793+Technici4n@users.noreply.github.com>
Date: Tue, 25 Apr 2023 11:56:48 +0200
Subject: [PATCH 1/6] Handle empty sysmon DNS answer data
---
 .../module/sysmon/ingest/sysmon.yml | 20 ++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/x-pack/winlogbeat/module/sysmon/ingest/sysmon.yml b/x-pack/winlogbeat/module/sysmon/ingest/sysmon.yml
index 8468c29e87d..59d239540af 100644
--- a/x-pack/winlogbeat/module/sysmon/ingest/sysmon.yml
+++ b/x-pack/winlogbeat/module/sysmon/ingest/sysmon.yml
@@ -782,15 +782,21 @@ processors:
 if (answer.startsWith("type:")) {
 def parts = /\s+/.split(answer);
- if (parts.length != 3) {
+
+ if (parts.length == 3) {
+ answers.add([
+ "type": params[parts[1]],
+ "data": parts[2]
+ ]);
+ relatedHosts.add(parts[2]);
+ } else if (parts.length == 2) {
+ answers.add([
+ "type": params[parts[1]],
+ "data": ""
+ ]);
+ } else {
 throw new Exception("unexpected QueryResult format");
 }
-
- answers.add([
- "type": params[parts[1]],
- "data": parts[2]
- ]);
- relatedHosts.add(parts[2]);
 } else {
 answer = answer.replace("::ffff:", "");
 ips.add(answer);
From 2997b76b75e2002e0a499e6f4fc843fb3fa3290a Mon Sep 17 00:00:00 2001
From: Technici4n <13494793+Technici4n@users.noreply.github.com>
Date: Tue, 25 Apr 2023 12:16:22 +0200
Subject: [PATCH 2/6] Add comment and changelog
---
 CHANGELOG.next.asciidoc | 4 ++++
 x-pack/winlogbeat/module/sysmon/ingest/sysmon.yml | 1 +
 2 files changed, 5 insertions(+)
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index e960210f610..8460333fba5 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
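Review bot: The final `else` still throws for any answer whose data contains internal whitespace, because `/\s+/.split(answer)` then produces more than three tokens and the restructured branches only recognise exactly two or three; a throw inside the script processor fails the whole event, so unless an on_failure handler outside this hunk catches it the DNS event is lost from the index rather than recorded with a partial answer. If record types with free-form data can reach this path, limiting the split keeps the event: `def parts = /\s+/.split(answer, 3);` (the two-argument `Pattern.split` overload, if the Painless allowlist exposes it) leaves everything after the type number in `parts[2]` so the `parts.length == 3` branch handles it. Both new branches also index `params[parts[1]]` without checking the lookup succeeded, so an unmapped type number yields a null `type`; that predates this change but deserves either a `// unknown type numbers map to null` comment or a `params.containsKey(parts[1])` guard. The enclosing loop and script processor start and end outside the hunk.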
@@ -31,6 +31,10 @@ https://github.com/elastic/beats/compare/v8.7.1\...main[Check the HEAD diff]
 *Winlogbeat*
 - Add "event.category" and "event.type" to Sysmon module for EventIDs 8, 9, 19, 20, 27, 28, 255 {pull}35193[35193]
+- Corrects issue with security events with source IP of "LOCAL" or "Unknown" failing to ingest {issue}19627[19627] {pull}34295[34295]
+- Added processing for Windows Event ID's 4797, 5379, 5380, 5381, and 5382 for the Security Ingest Pipeline {issue}34293[34293] {pull}34294[34294]
+- Added processing for Windows Event ID's 5140 and 5145 for the Security Ingest Pipeline {pull}34352[34352]
+- Handle empty DNS answer data in QueryResults for the Sysmon Pipeline {pull}35207[35207]
 *Functionbeat*
diff --git a/x-pack/winlogbeat/module/sysmon/ingest/sysmon.yml b/x-pack/winlogbeat/module/sysmon/ingest/sysmon.yml
index 59d239540af..154f2956c3c 100644
--- a/x-pack/winlogbeat/module/sysmon/ingest/sysmon.yml
+++ b/x-pack/winlogbeat/module/sysmon/ingest/sysmon.yml
@@ -790,6 +790,7 @@ processors:
 ]);
 relatedHosts.add(parts[2]);
 } else if (parts.length == 2) {
+ // Missing data, for example with "type: 33 ;"
 answers.add([
 "type": params[parts[1]],
 "data": ""
From d5d18195fc11d26fe358143e0da06932966d31fe Mon Sep 17 00:00:00 2001
From: Dan Kortschak
Date: Thu, 8 Jun 2023 09:08:43 +0930
Subject: [PATCH 3/6] add test case and update test golden values
---
 .../sysmon-no-evtx.evtx.golden.json | 47 +++++
 .../ingest/sysmon-10.2-dns.golden.json | 166 +-----------------
 .../ingest/sysmon-11-filedelete.golden.json | 3 -
 .../sysmon-11-filedeletedetected.golden.json | 2 -
 .../ingest/sysmon-11-registry.golden.json | 5 -
 .../ingest/sysmon-12-loadimage.golden.json | 1 -
 .../sysmon-12-processcreate.golden.json | 1 -
 .../sysmon-13-clipboardchange.golden.json | 1 -
 .../sysmon-13-processtampering.golden.json | 1 -
 .../testdata/ingest/sysmon-9.01.golden.json | 32 ----
 .../ingest/sysmon-no-evtx.golden.json | 106 +++++++++++
 x-pack/winlogbeat/module/testing.go | 2 +-
 12 files changed, 160 insertions(+), 207 deletions(-)
 create mode 100644 x-pack/winlogbeat/module/sysmon/test/testdata/collection/sysmon-no-evtx.evtx.golden.json
 create mode 100644 x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-no-evtx.golden.json
diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/collection/sysmon-no-evtx.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/collection/sysmon-no-evtx.evtx.golden.json
new file mode 100644
index 00000000000..32626231386
--- /dev/null
+++ b/x-pack/winlogbeat/module/sysmon/test/testdata/collection/sysmon-no-evtx.evtx.golden.json
@@ -0,0 +1,47 @@
+[
+ {
+ "event": {
+ "code": "22",
+ "kind": "event",
+ "provider": "Microsoft-Windows-Sysmon"
+ },
+ "host": {
+ "name": "internal.network.org"
+ },
+ "log": {
+ "level": "information"
+ },
+ "winlog": {
+ "channel": "Microsoft-Windows-Sysmon/Operational",
+ "computer_name": "internal.network.org",
+ "event_data": {
+ "Image": "C:\\Windows\\System32\\lsass.exe",
+ "ProcessGuid": "{00000000-0000-0000-0000-000000000000}",
+ "ProcessId": "500",
+ "QueryName": "some.other.domain.com",
+ "QueryResults": "type: 33 ;type: 33 ;1:2:3::3;1.2.3.3;",
+ "QueryStatus": "0",
+ "RuleName": "-",
+ "User": "NT AUTHORITY\\SYSTEM",
+ "UtcTime": "2000-01-01T00:00:00.000"
+ },
+ "event_id": "22",
+ "level": "information",
+ "opcode": "Info",
+ "process": {
+ "pid": 1000,
+ "thread": {
+ "id": 2000
+ }
+ },
+ "provider_guid": "{00000000-0000-0000-0000-000000000000}",
+ "provider_name": "Microsoft-Windows-Sysmon",
+ "record_id": 1111,
+ "time_created": "2000-01-01T00:00:00Z",
+ "user": {
+ "identifier": "A-0-0-00"
+ },
+ "version": 5
+ }
+ }
+]
diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-10.2-dns.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-10.2-dns.golden.json
index 57fddb0e275..be32a76383e 100644
--- a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-10.2-dns.golden.json
+++ b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-10.2-dns.golden.json
@@ -34,7 +34,6 @@
 "network"
 ],
 "code": "22",
- "ingested": "2022-06-08T05:43:58.773701Z",
 "kind": "event",
 "module": "sysmon",
 "provider": "Microsoft-Windows-Sysmon",
@@ -136,7 +135,6 @@
 "network"
 ],
 "code": "22",
- "ingested": "2022-06-08T05:43:58.773734900Z",
 "kind": "event",
 "module": "sysmon",
 "provider": "Microsoft-Windows-Sysmon",
@@ -239,7 +237,6 @@
 "network"
 ],
 "code": "22",
- "ingested": "2022-06-08T05:43:58.773751300Z",
 "kind": "event",
 "module": "sysmon",
 "provider": "Microsoft-Windows-Sysmon",
@@ -346,7 +343,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.773860300Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -449,7 +445,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.773878300Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -539,8 +534,9 @@ ], "question": { "name": "confiant-integrations.global.ssl.fastly.net", - "registered_domain": "confiant-integrations.global.ssl.fastly.net", - "top_level_domain": "global.ssl.fastly.net" + "registered_domain": "global.ssl.fastly.net", + "subdomain": "confiant-integrations", + "top_level_domain": "ssl.fastly.net" }, "resolved_ip": [ "151.101.1.194", @@ -557,7 +553,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.773931300Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -656,7 +651,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.773947600Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -762,7 +756,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.773963700Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -857,7 +850,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.774007200Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -965,7 +957,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.774062200Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -1109,7 +1100,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.774078900Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -1215,7 +1205,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.774112400Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", 
@@ -1316,7 +1305,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.774166300Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -1423,7 +1411,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.774267400Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -1518,7 +1505,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.774283800Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -1624,7 +1610,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.774312Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -1727,7 +1712,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.774330300Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -1829,7 +1813,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.774385800Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -1958,7 +1941,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.774419200Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -2053,8 +2035,9 @@ ], "question": { "name": "clarium.freetls.fastly.net", - "registered_domain": "clarium.freetls.fastly.net", - "top_level_domain": "freetls.fastly.net" + "registered_domain": "freetls.fastly.net", + "subdomain": "clarium", + "top_level_domain": "fastly.net" }, "resolved_ip": [ "151.101.194.79", @@ -2071,7 +2054,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.774434800Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -2226,7 +2208,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.774450Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", 
@@ -2378,7 +2359,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.774489600Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -2533,7 +2513,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.774523Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -2654,7 +2633,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.774562600Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -2805,7 +2783,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.774578600Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -2966,7 +2943,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.774592900Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -3074,7 +3050,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.774604100Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -3216,7 +3191,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.774616600Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -3326,7 +3300,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.774629200Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -3469,7 +3442,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.774645300Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -3575,7 +3547,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.774658100Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -3672,7 +3643,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.774732100Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", 
@@ -3808,7 +3778,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.774764Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -3941,7 +3910,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.774798100Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -4044,7 +4012,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.774809600Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -4176,7 +4143,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.774843200Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -4330,7 +4296,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.774880100Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -4488,7 +4453,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.774892300Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -4595,7 +4559,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.774905800Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -4742,7 +4705,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.774932Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -4893,7 +4855,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.774942600Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -4999,7 +4960,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.774956100Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -5092,7 +5052,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.774966100Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", 
@@ -5201,7 +5160,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.774991400Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -5341,7 +5299,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.775006900Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -5490,7 +5447,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.775021800Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -5604,7 +5560,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.775036700Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -5754,7 +5709,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.775051600Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -5870,7 +5824,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.775066300Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -5998,7 +5951,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.775081Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -6105,7 +6057,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.775096200Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -6203,7 +6154,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.775111500Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -6287,7 +6237,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.775148400Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -6367,7 +6316,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.775184200Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", 
@@ -6505,7 +6453,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.775246500Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -6620,7 +6567,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.775264600Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -6719,7 +6665,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.775280100Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -6861,7 +6806,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.775295Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -6976,7 +6920,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.775309500Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -7120,7 +7063,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.775324500Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -7226,7 +7168,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.775338700Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -7338,7 +7279,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.775353200Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -7453,7 +7393,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.775367700Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -7554,7 +7493,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.775383700Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -7696,7 +7634,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.775398800Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", 
@@ -7852,7 +7789,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.775413200Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -8010,7 +7946,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.775427900Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -8162,7 +8097,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.775442300Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -8277,7 +8211,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.775456800Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -8391,7 +8324,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.775472Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -8491,7 +8423,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.775486500Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -8633,7 +8564,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.775501200Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -8794,7 +8724,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.775515700Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -8946,7 +8875,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.775530400Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -9056,7 +8984,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.775570Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -9204,7 +9131,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.775583800Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", 
@@ -9315,7 +9241,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.775615300Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -9463,7 +9388,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.775648500Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -9615,7 +9539,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.775770600Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -9744,7 +9667,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.775788300Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -9897,7 +9819,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.775820400Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -10029,7 +9950,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.775851100Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -10127,7 +10047,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.775888700Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -10268,7 +10187,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.775899100Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -10389,7 +10307,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.775953700Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -10484,7 +10401,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.775968900Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -10625,7 +10541,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.776019500Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", 
@@ -10777,7 +10692,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.776052500Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -10908,7 +10822,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.776093500Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -11055,7 +10968,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.776107700Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -11195,7 +11107,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.776118400Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -11333,7 +11244,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.776133300Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -11492,7 +11402,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.776144300Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -11646,7 +11555,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.776158800Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -11791,7 +11699,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.776170Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -11941,7 +11848,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.776180100Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -12092,7 +11998,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.776194800Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -12202,7 +12107,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.776209300Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", 
@@ -12343,7 +12247,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.776223400Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -12453,7 +12356,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.776242400Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -12566,7 +12468,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.776257400Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -12671,7 +12572,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.776271800Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -12774,7 +12674,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.776286200Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -12876,7 +12775,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.776300500Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -12979,7 +12877,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.776314800Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -13077,7 +12974,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.776329Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -13183,7 +13079,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.776343200Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -13286,7 +13181,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.776357400Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -13392,7 +13286,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.776371400Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", 
@@ -13495,7 +13388,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.776385700Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -13597,7 +13489,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.776400100Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -13699,7 +13590,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.776414600Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -13848,7 +13738,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.776428700Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -13970,7 +13859,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.776443200Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -14076,7 +13964,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.776457400Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -14220,7 +14107,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.776471400Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -14322,7 +14208,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.776485800Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -14422,7 +14307,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.776500100Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -14570,7 +14454,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.776514300Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -14677,7 +14560,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.776528600Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", 
@@ -14778,7 +14660,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.776542700Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -14924,7 +14805,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.776556700Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -15085,7 +14965,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.776570600Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -15197,7 +15076,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.776586800Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -15345,7 +15223,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.776601200Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -15503,7 +15380,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.776616500Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -15656,7 +15532,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.776672300Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -15803,7 +15678,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.776839200Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -15959,7 +15833,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.776888800Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -16321,7 +16194,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.776900Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -16534,7 +16406,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.776929800Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", 
@@ -16644,7 +16515,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.776944Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -16749,7 +16619,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.776960900Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -16835,7 +16704,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.776975700Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -16932,7 +16800,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.776990100Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -17081,7 +16948,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.777004300Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -17239,7 +17105,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.777018400Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -17350,7 +17215,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.777032700Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -17493,7 +17357,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.777046600Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -17644,7 +17507,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.777060700Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -17794,7 +17656,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.777079700Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -17933,7 +17794,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.777088100Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", 
@@ -18041,7 +17901,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.777094600Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -18143,7 +18002,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.777102400Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -18286,7 +18144,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.777108200Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -18408,7 +18265,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.777117700Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -18560,7 +18416,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.777144300Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -18667,7 +18522,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.777156200Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -18768,7 +18622,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.777163100Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -18866,7 +18719,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.777205500Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -18950,7 +18802,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.778350300Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -19027,7 +18878,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.778386300Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -19104,7 +18954,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.778398900Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", 
@@ -19205,7 +19054,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.778411100Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -19304,7 +19152,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.778423200Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -19435,7 +19282,6 @@ "network" ], "code": "22", - "ingested": "2022-06-08T05:43:58.778435Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-11-filedelete.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-11-filedelete.golden.json index fd3bd910927..b9a4dad64b7 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-11-filedelete.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-11-filedelete.golden.json @@ -9,7 +9,6 @@ "file" ], "code": "23", - "ingested": "2022-06-08T05:43:59.441187600Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -95,7 +94,6 @@ "file" ], "code": "23", - "ingested": "2022-06-08T05:43:59.441228100Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -177,7 +175,6 @@ "file" ], "code": "23", - "ingested": "2022-06-08T05:43:59.441237800Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-11-filedeletedetected.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-11-filedeletedetected.golden.json index 7c3de49ee67..e058bfb168d 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-11-filedeletedetected.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-11-filedeletedetected.golden.json 
@@ -9,7 +9,6 @@ "file" ], "code": "26", - "ingested": "2022-06-08T05:43:59.469107800Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -90,7 +89,6 @@ "file" ], "code": "26", - "ingested": "2022-06-08T05:43:59.469128600Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-11-registry.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-11-registry.golden.json index 3202da160c8..82c66715fdc 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-11-registry.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-11-registry.golden.json @@ -10,7 +10,6 @@ "registry" ], "code": "13", - "ingested": "2022-06-08T05:43:59.481703200Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -83,7 +82,6 @@ "registry" ], "code": "13", - "ingested": "2022-06-08T05:43:59.481743400Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -156,7 +154,6 @@ "registry" ], "code": "13", - "ingested": "2022-06-08T05:43:59.481754200Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -229,7 +226,6 @@ "registry" ], "code": "13", - "ingested": "2022-06-08T05:43:59.481765Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -302,7 +298,6 @@ "registry" ], "code": "13", - "ingested": "2022-06-08T05:43:59.481866400Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-12-loadimage.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-12-loadimage.golden.json index 3bec5596d5c..f03df6a6dfd 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-12-loadimage.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-12-loadimage.golden.json 
@@ -9,7 +9,6 @@ "process" ], "code": "7", - "ingested": "2022-06-08T05:43:59.511582Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-12-processcreate.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-12-processcreate.golden.json index 7768f215d47..7747ccf46eb 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-12-processcreate.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-12-processcreate.golden.json @@ -9,7 +9,6 @@ "process" ], "code": "1", - "ingested": "2022-06-08T05:43:59.519128600Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-13-clipboardchange.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-13-clipboardchange.golden.json index b8bf9c88b0d..a8e3c1c18b7 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-13-clipboardchange.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-13-clipboardchange.golden.json @@ -6,7 +6,6 @@ }, "event": { "code": "24", - "ingested": "2022-06-08T05:43:59.529777700Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-13-processtampering.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-13-processtampering.golden.json index 039fa1ab72a..8ff7aca6af2 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-13-processtampering.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-13-processtampering.golden.json @@ -9,7 +9,6 @@ "process" ], "code": "25", - "ingested": "2022-06-08T05:43:59.536869500Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", 
diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-9.01.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-9.01.golden.json index b7f7a5b5595..67e22fa1753 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-9.01.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-9.01.golden.json @@ -9,7 +9,6 @@ "configuration" ], "code": "16", - "ingested": "2022-06-08T05:43:59.545036400Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -60,7 +59,6 @@ "process" ], "code": "4", - "ingested": "2022-06-08T05:43:59.545055Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -116,7 +114,6 @@ "process" ], "code": "1", - "ingested": "2022-06-08T05:43:59.545067Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -219,7 +216,6 @@ "process" ], "code": "1", - "ingested": "2022-06-08T05:43:59.545078400Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -325,7 +321,6 @@ "process" ], "code": "5", - "ingested": "2022-06-08T05:43:59.545089900Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -382,7 +377,6 @@ "process" ], "code": "5", - "ingested": "2022-06-08T05:43:59.545101100Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -439,7 +433,6 @@ "process" ], "code": "1", - "ingested": "2022-06-08T05:43:59.545112500Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -549,7 +542,6 @@ "network" ], "code": "3", - "ingested": "2022-06-08T05:43:59.545123700Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -634,7 +626,6 @@ "network" ], "code": "3", - "ingested": "2022-06-08T05:43:59.545135100Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", 
@@ -720,7 +711,6 @@ "network" ], "code": "3", - "ingested": "2022-06-08T05:43:59.545143100Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -806,7 +796,6 @@ "network" ], "code": "3", - "ingested": "2022-06-08T05:43:59.545149Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -892,7 +881,6 @@ "network" ], "code": "3", - "ingested": "2022-06-08T05:43:59.545153600Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -978,7 +966,6 @@ "network" ], "code": "3", - "ingested": "2022-06-08T05:43:59.545160600Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -1062,7 +1049,6 @@ "network" ], "code": "3", - "ingested": "2022-06-08T05:43:59.545170500Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -1148,7 +1134,6 @@ "network" ], "code": "3", - "ingested": "2022-06-08T05:43:59.545180100Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -1233,7 +1218,6 @@ "network" ], "code": "3", - "ingested": "2022-06-08T05:43:59.545191700Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -1317,7 +1301,6 @@ "network" ], "code": "3", - "ingested": "2022-06-08T05:43:59.545202500Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -1401,7 +1384,6 @@ "network" ], "code": "3", - "ingested": "2022-06-08T05:43:59.545207800Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -1486,7 +1468,6 @@ "network" ], "code": "3", - "ingested": "2022-06-08T05:43:59.545212500Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -1571,7 +1552,6 @@ "network" ], "code": "3", - "ingested": "2022-06-08T05:43:59.545217900Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", 
@@ -1656,7 +1636,6 @@ "network" ], "code": "3", - "ingested": "2022-06-08T05:43:59.545228Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -1741,7 +1720,6 @@ "network" ], "code": "3", - "ingested": "2022-06-08T05:43:59.545239300Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -1826,7 +1804,6 @@ "network" ], "code": "3", - "ingested": "2022-06-08T05:43:59.545244900Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -1907,7 +1884,6 @@ "process" ], "code": "5", - "ingested": "2022-06-08T05:43:59.545253700Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -1964,7 +1940,6 @@ "process" ], "code": "5", - "ingested": "2022-06-08T05:43:59.545265200Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -2021,7 +1996,6 @@ "file" ], "code": "2", - "ingested": "2022-06-08T05:43:59.545276400Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -2088,7 +2062,6 @@ "file" ], "code": "2", - "ingested": "2022-06-08T05:43:59.545287700Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -2155,7 +2128,6 @@ "file" ], "code": "2", - "ingested": "2022-06-08T05:43:59.545299200Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -2222,7 +2194,6 @@ "file" ], "code": "2", - "ingested": "2022-06-08T05:43:59.545310500Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -2289,7 +2260,6 @@ "process" ], "code": "5", - "ingested": "2022-06-08T05:43:59.545321800Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", @@ -2346,7 +2316,6 @@ "file" ], "code": "2", - "ingested": "2022-06-08T05:43:59.545333100Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", 
@@ -2413,7 +2382,6 @@ "file" ], "code": "2", - "ingested": "2022-06-08T05:43:59.545344600Z", "kind": "event", "module": "sysmon", "provider": "Microsoft-Windows-Sysmon", diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-no-evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-no-evtx.golden.json new file mode 100644 index 00000000000..88d10867792 --- /dev/null +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-no-evtx.golden.json 
@@ -0,0 +1,106 @@ +[ + { + "dns": { + "answers": [ + { + "data": "", + "type": "SRV" + }, + { + "data": "", + "type": "SRV" + }, + { + "data": "1:2:3::3", + "type": "AAAA" + }, + { + "data": "1.2.3.3", + "type": "A" + } + ], + "question": { + "name": "some.other.domain.com", + "registered_domain": "domain.com", + "subdomain": "some.other", + "top_level_domain": "com" + }, + "resolved_ip": [ + "1:2:3::3", + "1.2.3.3" + ] + }, + "ecs": { + "version": "1.12.0" + }, + "event": { + "category": [ + "network" + ], + "code": "22", + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon", + "type": [ + "connection", + "protocol", + "info" + ] + }, + "host": { + "name": "internal.network.org" + }, + "log": { + "level": "information" + }, + "network": { + "protocol": "dns" + }, + "process": { + "executable": "C:\\Windows\\System32\\lsass.exe", + "name": "lsass.exe", + "pid": 500 + }, + "related": { + "hosts": [ + "some.other.domain.com" + ], + "ip": [ + "1:2:3::3", + "1.2.3.3" + ], + "user": [ + "SYSTEM" + ] + }, + "sysmon": { + "dns": { + "status": "SUCCESS" + } + }, + "user": { + "domain": "NT AUTHORITY", + "id": "A-0-0-00", + "name": "SYSTEM" + }, + "winlog": { + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "internal.network.org", + "event_id": "22", + "opcode": "Info", + "process": { + "pid": 1000, + "thread": { + "id": 2000 + } + }, + "provider_guid": "{00000000-0000-0000-0000-000000000000}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": "1111", + "user": { + "identifier": "A-0-0-00" + }, + "version": 5 + } + } +] \ No newline at end of file diff --git a/x-pack/winlogbeat/module/testing.go b/x-pack/winlogbeat/module/testing.go index 69490fa3f91..8e402c03090 100644 --- a/x-pack/winlogbeat/module/testing.go +++ b/x-pack/winlogbeat/module/testing.go 
@@ -50,7 +50,7 @@ func WithFieldFilter(filter []string) Option {
 }
 
 // TestIngestPipeline tests the partial pipeline by reading events from the .json files
-// and processing them the ingest pipeline. Then it compares the results against
+// and processing them through the ingest pipeline. Then it compares the results against
 // a saved golden file. Use -update to regenerate the golden files.
 func TestIngestPipeline(t *testing.T, pipeline, json string, opts ...Option) {
 var p params
From e17e0d0007d8b8e56d65d72dd0f8e15968dd30d1 Mon Sep 17 00:00:00 2001
From: Technici4n <13494793+Technici4n@users.noreply.github.com>
Date: Thu, 8 Jun 2023 11:06:39 +0200
Subject: [PATCH 4/6] Incorporate feedback

---
 CHANGELOG.next.asciidoc | 1 -
 x-pack/winlogbeat/module/sysmon/ingest/sysmon.yml | 12 +++++-------
 2 files changed, 5 insertions(+), 8 deletions(-)

diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 8460333fba5..901df348d4b 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -34,7 +34,6 @@ https://github.com/elastic/beats/compare/v8.7.1\...main[Check the HEAD diff]
 - Corrects issue with security events with source IP of "LOCAL" or "Unknown" failing to ingest {issue}19627[19627] {pull}34295[34295]
 - Added processing for Windows Event ID's 4797, 5379, 5380, 5381, and 5382 for the Security Ingest Pipeline {issue}34293[34293] {pull}34294[34294]
 - Added processing for Windows Event ID's 5140 and 5145 for the Security Ingest Pipeline {pull}34352[34352]
-- Handle empty DNS answer data in QueryResults for the Sysmon Pipeline {pull}35207[35207]
 
 *Functionbeat*
 
diff --git a/x-pack/winlogbeat/module/sysmon/ingest/sysmon.yml b/x-pack/winlogbeat/module/sysmon/ingest/sysmon.yml
index 154f2956c3c..6cd70ee7bd5 100644
--- a/x-pack/winlogbeat/module/sysmon/ingest/sysmon.yml
+++ b/x-pack/winlogbeat/module/sysmon/ingest/sysmon.yml
@@ -782,21 +782,19 @@ processors:
 
 if (answer.startsWith("type:")) {
 def parts = /\s+/.split(answer);
-
+ if (parts.length < 2) {
+ throw new Exception("unexpected QueryResult format");
+ }
 if (parts.length == 3) {
 answers.add([
 "type": params[parts[1]],
 "data": parts[2]
 ]);
 relatedHosts.add(parts[2]);
- } else if (parts.length == 2) {
- // Missing data, for example with "type: 33 ;"
+ } else {
 answers.add([
- "type": params[parts[1]],
- "data": ""
+ "type": params[parts[1]]
 ]);
- } else {
- throw new Exception("unexpected QueryResult format");
 }
 } else {
 answer = answer.replace("::ffff:", "");
From 37ab88dbeae0ad6d309bd2dbda1ac6628003dc8a Mon Sep 17 00:00:00 2001
From: Technici4n <13494793+Technici4n@users.noreply.github.com>
Date: Thu, 8 Jun 2023 11:20:31 +0200
Subject: [PATCH 5/6] Fix bad changelog rebase

---
 CHANGELOG.next.asciidoc | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 901df348d4b..56dd930baed 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -31,9 +31,6 @@ https://github.com/elastic/beats/compare/v8.7.1\...main[Check the HEAD diff]
 *Winlogbeat*
 
 - Add "event.category" and "event.type" to Sysmon module for EventIDs 8, 9, 19, 20, 27, 28, 255 {pull}35193[35193]
-- Corrects issue with security events with source IP of "LOCAL" or "Unknown" failing to ingest {issue}19627[19627] {pull}34295[34295]
-- Added processing for Windows Event ID's 4797, 5379, 5380, 5381, and 5382 for the Security Ingest Pipeline {issue}34293[34293] {pull}34294[34294]
-- Added processing for Windows Event ID's 5140 and 5145 for the Security Ingest Pipeline {pull}34352[34352]
 
 *Functionbeat*
 
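Review bot: The new `if (parts.length < 2)` guard is looser than the check it replaces: an answer that splits into four or more whitespace-separated fields now falls into the new `} else {` branch and is recorded as a type-only answer, so its data is silently dropped from `dns.answers.data` and never reaches `related.hosts`, whereas before this series any length other than 3 raised "unexpected QueryResult format". If only the two- and three-field forms are expected, tighten the guard to `if (parts.length < 2 || parts.length > 3) {` so a malformed QueryResults entry still fails loudly instead of quietly losing the enrichment that DNS detections key on. The comment explaining the two-field case disappeared together with the old `else if` branch; I would keep one on the new `} else {`, e.g. `// Two fields means the answer carried no data (e.g. "type: 33 ;"); omit dns.answers.data rather than emit "".`. The enclosing Painless script and the loop over answers start and end outside this hunk.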
@@ -355,6 +352,7 @@ automatic splitting at root level, if root level element is an array. {pull}3415
 *Winlogbeat*
 
 - Set `host.os.type` and `host.os.family` to "windows" if not already set. {pull}35435[35435]
+- Handle empty DNS answer data in QueryResults for the Sysmon Pipeline {pull}35207[35207]
 
 *Elastic Log Driver*
 
From a1fddf260ebbc3ee143241285dfcac352d060645 Mon Sep 17 00:00:00 2001
From: Technici4n <13494793+Technici4n@users.noreply.github.com>
Date: Thu, 8 Jun 2023 18:20:47 +0200
Subject: [PATCH 6/6] Remove empty data from test

---
 .../sysmon/test/testdata/ingest/sysmon-no-evtx.golden.json | 2 --
 1 file changed, 2 deletions(-)

diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-no-evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-no-evtx.golden.json
index 88d10867792..93a011fed42 100644
--- a/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-no-evtx.golden.json
+++ b/x-pack/winlogbeat/module/sysmon/test/testdata/ingest/sysmon-no-evtx.golden.json
@@ -3,11 +3,9 @@
 "dns": {
 "answers": [
 {
- "data": "",
 "type": "SRV"
 },
 {
- "data": "",
 "type": "SRV"
 },
 {