Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Relative file creation times for Process and DLL events #269

Merged
merged 6 commits into from Jul 20, 2022
Merged

Relative file creation times for Process and DLL events #269

merged 6 commits into from Jul 20, 2022

Conversation

gabriellandau
Copy link
Contributor

@gabriellandau gabriellandau commented Jul 7, 2022
edited

Change Summary

Add the EXE/DLL file's creation time, and file name modification time to process and DLL events, relative to the time of the event. They may be negative if the file's timestamps are in the future.

Release Target

8.4.0

Q/A

For mapping changes:

  • I ran make after making the schema changes, and committed all changes

@elasticmachine
Copy link
Contributor

elasticmachine commented Jul 7, 2022
edited

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview preview

Expand to view the summary

Build stats

  • Start Time: 2022-07-19T21:28:15.765+0000

  • Duration: 7 min 5 sec

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

@gabriellandau gabriellandau marked this pull request as ready for review July 19, 2022 13:44
pzl
pzl approved these changes Jul 19, 2022
View reviewed changes
Copy link
Member

@pzl pzl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔥

This looks good

package/endpoint/data_stream/library/sample_event.json
Comment on lines +44 to +45
"relative_file_creation_time": 48628704.4029488,
"relative_file_name_modify_time": 48628704.4029488
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thank you 🎆

nicholasberlin
nicholasberlin reviewed Jul 19, 2022
View reviewed changes
custom_schemas/custom_process.yml Outdated
- name: Ext.relative_file_creation_time
level: custom
type: double
short: Number of seconds since the DLL's file was created
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is DLL the correct terminology? Not executable or something. Not sure, just my copy-pasta spider sense is going off.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well, it seems DLL is used for all three types. So, perhaps these comments are just noise.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch. Thanks. Fixed: 476b668

nicholasberlin
nicholasberlin approved these changes Jul 19, 2022
View reviewed changes
Copy link
Contributor

@nicholasberlin nicholasberlin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM FWIW

@gabriellandau gabriellandau merged commit 2411fc4 into master Jul 20, 2022
@gabriellandau gabriellandau deleted the relative-creation-time branch July 20, 2022 14:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pzl pzl pzl approved these changes

@joeypoon joeypoon joeypoon approved these changes

@nicholasberlin nicholasberlin nicholasberlin approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@gabriellandau @elasticmachine @pzl @joeypoon @nicholasberlin