
[System.Security] For Windows, store the split access list and mask values #9907

Open. Wants to merge 8 commits into base: main

Conversation

@a03nikki a03nikki commented May 16, 2024

Proposed commit message

Added logic to store the individual winlog.event_data.AccessList and winlog.event_data.AccessMask values as a list of values instead of a multi-line string value.
This brings the format in alignment with the previous Winlogbeat v7 format of these values.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

Author's Checklist

  • My first integrations code change and pull request was done correctly

How to test this PR locally

elastic-package test

Related issues

Screenshots

This was found while comparing Winlogbeat 7.10.1 output to Elastic Agent v8.12.1 with System integration version approximately 1.48.1.

Winlogbeat v7.10.1 for event code 4674 documents had this

"AccessMask": ["1537", "1538", "1539", "1540", "1541", "4528", "4529"]

But Elastic Agent v8.12.1, had this

"AccessMask": "%%1537\n\t\t\t\t%%1538\n\t\t\t\t%%1539\n\t\t\t\t%%1540\n\t\t\t\t%%1541\n\t\t\t\t%%4528\n\t\t\t\t%%4529\n\t\t\t\t"

After this Elasticsearch ingest pipeline change, the Elastic Agent should return to producing the list of values again, like Winlogbeat.
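To make the described normalization concrete, here is an added example (written for this page; it is not the integration's ingest pipeline, which is expressed as pipeline processors, and the function and field names below are assumptions). It reproduces the transformation the PR asks for: take the multi-line "%%1537\n\t\t\t\t%%1538..." string that Elastic Agent v8.12.1 emitted and turn it back into the Winlogbeat v7 list form, for both winlog.event_data.AccessMask and winlog.event_data.AccessList. The sample event is constructed from the format shown in the description. The practical reason this matters for detection content is that a query such as winlog.event_data.AccessMask:"1537" matches a list element but not a substring of the tab-padded string, so rules written against Winlogbeat v7 silently stop matching until the values are split. The function is deliberately idempotent: if a document already carries a list (old Winlogbeat output, or a re-run of the pipeline), it passes through unchanged.

```python
"""Normalize Windows audit AccessMask/AccessList values to a list of ids.

Added example for this PR thread; not the project's own pipeline code.
"""

# Fields the PR discussion covers (assumption: only these two are rewritten).
ACCESS_FIELDS = ("AccessMask", "AccessList")

# Constructed sample, shaped like the Elastic Agent v8.12.1 output quoted above.
AGENT_ACCESS_MASK = (
    "%%1537\n\t\t\t\t%%1538\n\t\t\t\t%%1539\n\t\t\t\t"
    "%%1540\n\t\t\t\t%%1541\n\t\t\t\t%%4528\n\t\t\t\t%%4529\n\t\t\t\t"
)

# The Winlogbeat v7.10.1 form quoted above, used as the expected result.
WINLOGBEAT_ACCESS_MASK = ["1537", "1538", "1539", "1540", "1541", "4528", "4529"]


def split_access_values(value):
    """Return the access ids as a list of strings without the '%%' prefix.

    - str: split on any whitespace (newlines and tabs), strip '%%', drop blanks
    - list: already split; still strip a stray '%%' so the result is uniform
    - None / empty: return [] so downstream code always sees the same type
    """
    if value is None:
        return []
    items = value if isinstance(value, list) else str(value).split()
    out = []
    for item in items:
        item = item.strip()
        if not item:
            continue
        # '%%NNNN' is a Windows message-table reference; keep only the number
        # so the value matches what Winlogbeat v7 stored.
        if item.startswith("%%"):
            item = item[2:]
        out.append(item)
    return out


def normalize_event(doc):
    """Rewrite winlog.event_data.AccessMask/AccessList in place and return doc.

    Mirrors what an ingest pipeline processor would do per document; fields
    that are absent are left absent rather than created as empty lists.
    """
    event_data = doc.get("winlog", {}).get("event_data", {})
    for field in ACCESS_FIELDS:
        if field in event_data:
            event_data[field] = split_access_values(event_data[field])
    return doc


def matches_access_id(doc, field, access_id):
    """Exact-match check as a term query on a keyword list would behave.

    Shows why the string form breaks rules: '1537' is not equal to the
    tab-padded multi-line string, but it is equal to one list element.
    """
    value = doc.get("winlog", {}).get("event_data", {}).get(field)
    if isinstance(value, list):
        return access_id in value
    return value == access_id


if __name__ == "__main__":
    # Constructed event code 4674 document in the v8.12.1 shape.
    sample = {
        "winlog": {
            "event_code": "4674",
            "event_data": {
                "AccessMask": AGENT_ACCESS_MASK,
                "AccessList": "%%1537\n\t\t\t\t%%4528\n\t\t\t\t",
            },
        }
    }
    print("before:", matches_access_id(sample, "AccessMask", "1537"))
    normalize_event(sample)
    print("after: ", matches_access_id(sample, "AccessMask", "1537"))
    print(sample["winlog"]["event_data"])
```

Running the script shows the exact-match check failing on the raw string and succeeding once the field is a list, which is the behavioural difference the PR restores.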

@a03nikki a03nikki added bug Something isn't working Integration:System labels May 16, 2024
@a03nikki a03nikki self-assigned this May 16, 2024
@a03nikki a03nikki requested review from a team as code owners May 16, 2024 23:27
@a03nikki a03nikki changed the title [System.Secuirty] For Windows, store the split access mask values [System.Security] For Windows, store the split access mask values May 16, 2024

@a03nikki (Author) commented May 17, 2024

I'm finding out if AccessList should be fixed too per the user that I was talking with.

@a03nikki (Author) commented, quoting the earlier comment:
I'm finding out if AccessList should be fixed too per the user that I was talking with.

I confirmed they would like the AccessList to be brought back into alignment as well. Change has been pushed to this pull request now.

@a03nikki a03nikki changed the title [System.Security] For Windows, store the split access mask values [System.Security] For Windows, store the split access list and mask values May 24, 2024

@elasticmachine commented

💚 Build Succeeded
