Properly populate file.* fields for network share events #18348

Merged
brian-mckinney merged 6 commits into elastic:main from brian-mckinney:sdh7064
Apr 23, 2026


Conversation

@brian-mckinney

Proposed commit message

Network share events were not correctly populating the file.* fields according to the ECS Schema.

These events have a ShareLocalPath and a RelativeTargetName, and we were simply using those fields for file.directory and file.name respectively. RelativeTargetName, however, is all parts of the path after the share name, including the filename. For example:

```json
  "ShareLocalPath": "C:\\Shares\\Documents",
  "RelativeTargetName": "\\reports\\Q1\\summary.docx",
```

The ECS Schema says file.name should be the name of the file including extension. This PR applies logic to the two fields to construct the full path and uses that to populate the fields accordingly.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices.

Related issues

Fixes: https://github.com/elastic/sdh-beats/issues/7064
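The path-reconstruction logic the description outlines, as an added Python example (not the integration's own ingest-pipeline code): the event dict, the directory-target handling and the function names are my assumptions, and the "before" function reproduces the mapping the PR replaces.

```python
import ntpath
from typing import Dict

# Constructed sample event, in the shape quoted in the PR description.
SAMPLE_EVENT = {
    "ShareLocalPath": "C:\\Shares\\Documents",
    "RelativeTargetName": "\\reports\\Q1\\summary.docx",
}


def legacy_file_fields(event: Dict[str, str]) -> Dict[str, str]:
    """Pre-fix mapping: both raw fields copied straight through, so file.name
    carries a multi-segment relative path instead of a filename."""
    return {
        "file.directory": event["ShareLocalPath"],
        "file.name": event["RelativeTargetName"],
    }


def ecs_file_fields(event: Dict[str, str]) -> Dict[str, str]:
    """Join ShareLocalPath and RelativeTargetName into the full path, then split
    it into ECS file.path / file.directory / file.name / file.extension.

    Assumptions (mine, not taken from the PR): backslash separators throughout;
    a RelativeTargetName that is empty, consists only of backslashes, or ends
    with a backslash names a directory (or the share root), so no file.name or
    file.extension is emitted for it."""
    share_root = event["ShareLocalPath"].rstrip("\\")
    raw_target = event.get("RelativeTargetName", "")
    relative = raw_target.strip("\\")
    is_directory = relative == "" or raw_target.endswith("\\")
    full_path = share_root if not relative else f"{share_root}\\{relative}"
    if is_directory:
        return {"file.path": full_path, "file.directory": full_path}
    directory, name = ntpath.split(full_path)  # ntpath parses Windows paths on any OS
    fields = {"file.path": full_path, "file.directory": directory, "file.name": name}
    extension = ntpath.splitext(name)[1].lstrip(".")  # ECS wants it without the dot
    if extension:
        fields["file.extension"] = extension
    return fields


if __name__ == "__main__":
    print("before:", legacy_file_fields(SAMPLE_EVENT))
    print("after: ", ecs_file_fields(SAMPLE_EVENT))
```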

@brian-mckinney brian-mckinney self-assigned this Apr 10, 2026
@brian-mckinney brian-mckinney added the bug Something isn't working, use only for issues label Apr 10, 2026
@brian-mckinney brian-mckinney requested review from a team as code owners April 10, 2026 18:30

elastic-vault-github-plugin-prod Bot commented Apr 10, 2026

🚀 Benchmarks report

Package windows 👍(6) 💚(2) 💔(2)

| Data stream | Previous EPS | New EPS | Diff (%) | Result |
|---|---|---|---|---|
| powershell_operational | 2570.69 | 1561.52 | -1009.17 (-39.26%) | 💔 |
| powershell_operational | 2570.69 | 2118.64 | -452.05 (-17.58%) | 💔 |

To see the full report, comment with /test benchmark fullreport

@andrewkroh andrewkroh added Integration:system System Integration:windows Windows Team:Security-Windows Platform Security Windows Platform team [elastic/sec-windows-platform] labels Apr 10, 2026
@elasticmachine

Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform)


@rdner rdner left a comment


LGTM

The macroscope comment should be double-checked.

@brian-mckinney brian-mckinney enabled auto-merge (squash) April 23, 2026 15:47
@brian-mckinney brian-mckinney disabled auto-merge April 23, 2026 15:56
@elasticmachine

💚 Build Succeeded


cc @brian-mckinney

@brian-mckinney brian-mckinney merged commit 0234328 into elastic:main Apr 23, 2026
10 checks passed
@elastic-vault-github-plugin-prod

Package system - 2.16.2 containing this change is available at https://epr.elastic.co/package/system/2.16.2/

@elastic-vault-github-plugin-prod

Package windows - 3.8.2 containing this change is available at https://epr.elastic.co/package/windows/3.8.2/
