[windows] Defender - Fix pipeline for Path and add missing fields. #11529
Conversation
pierrehilbert
added
the
Team:Elastic-Agent-Data-Plane
|
Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane) |
pierrehilbert
added
the
Team:Security-Windows Platform
|
Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform) |
andrewkroh
added
bugfix
|
Came across another wrench in the pipeline. Sometimes the Path may contain multiple "Files". Not sure what the deal with the parsing is, but this is the raw JSON captured in Kibana. Maybe that is the actual file name. More research needed: "Path": "file:_D:\\autorun.inf\\autorun.inf .exe; file:_D:\\autorun.inf\\Protection for Autorun\\Protection for Autorun .exe; file:_D:\\ \\ .exe", |
pierrehilbert
requested review from
leehinman
and removed request for
VihasMakwana
|
So this pipeline will still populate the first file.path found but won't include the others found. How should this be handled if related.file.name does not seem to exist and file.name is supposed to be a keyword? My thought is that I could have a custom field called Thoughts? Otherwise, good to review and test. |
|
Would related.file.name actually work? I'm concerned this doesn't fit within the bounds of ECS since it's not called out in the reference. I would do that in a heart beat if related can be applied to any logical ECS field. Thoughts? |
I was originally thinking a new field name, outside of ECS, but to use the But maybe this is a useful enough construct that an rfc to add it would be a good idea? |
|
Understood! I will create a new field. Should I stick with winlog.*? Or should we think about moving to something more specific for the windows defender fields like I noted before: windows_defender.* I could then migrate any others that were the generic winlog.eventdata and map to this new subfield. Also, that RFC process looks pretty daunting at this time so I won't pursue that but I do think it is a good idea to include related.file.* |
…st case, generate new expected and README
|
Alright, I had to sync other changes to the integration and then use a new windows_defender field. Please review! |
|
Please test. |
|
@leehinman are you ok to continue with the review here, or prefer if @marc-gr takes over as it's security releated? |
LGTM and approved but if @marc-gr could do a double check that would be good. I'm rusty when it comes to integrations :-) |
|
Hello, could we get some eyes on this again? Getting a bit stale :) |
|
/test |
|
💚 Build Succeeded
|
|
Package windows - 2.3.1 containing this change is available at https://epr.elastic.co/package/windows/2.3.1/ |
|
Thank you! |
…11529) * Fix pipeline for Path and add missing fields. * change log PR update * Add windows_defender.evidence paths for multiple hits, add anotehr test case, generate new expected and README
…lastic#11529) * Fix pipeline for Path and add missing fields. * change log PR update * Add windows_defender.evidence paths for multiple hits, add anotehr test case, generate new expected and README
…11529) * Fix pipeline for Path and add missing fields. * change log PR update * Add windows_defender.evidence paths for multiple hits, add anotehr test case, generate new expected and README
…lastic#11529) * Fix pipeline for Path and add missing fields. * change log PR update * Add windows_defender.evidence paths for multiple hits, add anotehr test case, generate new expected and README
It was reported in the community that the File Path will sometimes contain a process pid which is not currently processor correctly (see screenshots). This PR will resolve this issue and also add more fields that were missed in the last update.
I also added 2 more test documents to add the other potential data that would arrive.
Convo started here: https://elasticstack.slack.com/archives/C018PDGK6JU/p1729764392118379?thread_ts=1729593410.515049&cid=C018PDGK6JU
This will improve the integration further.
Checklist
changelog.ymlfile.Related issues
Screenshots