
[system.security,windows.forwarded] Add 'Group Membership' to category enrichment #12335


Status: Merged (5 commits, Feb 11, 2025)

Conversation

ksctst
Contributor

@ksctst ksctst commented Jan 13, 2025

Hello. Added missing audit subcategory - "Group Membership"

Proposed commit message

For the system.security and windows.forwarded data streams,
enrich group membership related events with an audit category 
and subcategory. The associated UUID was missing from the
enrichment table.

The UUID value is referenced in
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gpac/77878370-0712-47cd-997d-b07053429f6d

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices
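Editor's worked example of the enrichment this PR completes. This is added illustration in Python, not code from the PR or from the Elastic windows/system integration (whose enrichment lives in an ingest pipeline). The GUID values are the audit category/subcategory GUIDs published in the MS-GPAC spec linked above; the winlog.* field names, the pre-fix table and the sample event are constructed for this example.

```python
"""Illustration of the audit-policy enrichment this PR completes.

Added example, not the Elastic integration's own ingest pipeline code.
GUID values are the audit subcategory GUIDs published in MS-GPAC; the
field names below follow the winlog.* layout, and the sample event is
constructed for this example.
"""
import json
import uuid
from typing import Optional

# Subcategory GUID -> (audit category, audit subcategory). Only a few
# Logon/Logoff subcategories are listed; a real table covers all of them.
AUDIT_SUBCATEGORY = {
    "0CCE9215-69AE-11D9-BED3-505054503030": ("Logon/Logoff", "Logon"),
    "0CCE9216-69AE-11D9-BED3-505054503030": ("Logon/Logoff", "Logoff"),
    "0CCE9217-69AE-11D9-BED3-505054503030": ("Logon/Logoff", "Account Lockout"),
    "0CCE921B-69AE-11D9-BED3-505054503030": ("Logon/Logoff", "Special Logon"),
    "0CCE921C-69AE-11D9-BED3-505054503030": ("Logon/Logoff", "Other Logon/Logoff Events"),
    # The subcategory this PR adds (MS-GPAC "Audit Group Membership"):
    "0CCE9249-69AE-11D9-BED3-505054503030": ("Logon/Logoff", "Group Membership"),
}

# Constructed stand-in for the table as it stood before the fix: Group Membership missing.
TABLE_BEFORE_FIX = {g: v for g, v in AUDIT_SUBCATEGORY.items() if v[1] != "Group Membership"}


def normalize_guid(raw: Optional[str]) -> Optional[str]:
    """Upper-case, brace-free GUID, or None if the value does not parse.

    Windows renders SubcategoryGuid as {0cce9249-...}; a lookup table keyed on
    bare upper-case GUIDs must strip the braces and fold case, otherwise every
    entry looks missing, not just the one this PR adds.
    """
    try:
        return str(uuid.UUID(raw.strip().strip("{}"))).upper()
    except (ValueError, AttributeError):
        return None


def enrich_audit_policy(event: dict, table: dict = AUDIT_SUBCATEGORY) -> bool:
    """Set winlog.event_data.Category/SubCategory from SubcategoryGuid.

    Returns True when an entry matched. An unknown GUID is left alone rather
    than failing the document: that is exactly how a missing table entry
    shows up in practice, the event indexes fine but the two fields are absent.
    """
    event_data = event.get("winlog", {}).get("event_data", {})
    guid = normalize_guid(event_data.get("SubcategoryGuid"))
    if guid is None or guid not in table:
        return False
    event_data["Category"], event_data["SubCategory"] = table[guid]
    return True


# Constructed sample: an audit-policy-change record (event 4719, "System audit
# policy was changed") for the Group Membership subcategory, with braces and
# lower case as the Event XML delivers it.
SAMPLE_EVENT = {
    "event": {"code": "4719"},
    "winlog": {
        "channel": "Security",
        "event_data": {
            "SubcategoryGuid": "{0cce9249-69ae-11d9-bed3-505054503030}",
        },
    },
}


def demo() -> dict:
    """Run the sample through the pre-fix and post-fix tables.

    Returns {"before": (False, None), "after": (True, "Group Membership")}.
    """
    results = {}
    for label, table in (("before", TABLE_BEFORE_FIX), ("after", AUDIT_SUBCATEGORY)):
        ev = json.loads(json.dumps(SAMPLE_EVENT))  # deep copy; keep the sample pristine
        matched = enrich_audit_policy(ev, table)
        results[label] = (matched, ev["winlog"]["event_data"].get("SubCategory"))
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The practitioner check this encodes: when a subcategory is missing from the table the pipeline does not error, the event simply lands without Category/SubCategory, so the gap is only visible by querying for audit-policy events that lack those fields. Normalising the GUID (braces, case) before the lookup matters for the same reason: a raw string compare would silently miss every entry.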

@ksctst ksctst requested a review from a team as a code owner January 13, 2025 13:57

cla-checker-service bot commented Jan 13, 2025

💚 CLA has been signed

@andrewkroh andrewkroh added Integration:windows Windows needs CLA User must sign the Elastic Contributor License before review. Team:Security-Windows Platform Security Windows Platform team [elastic/sec-windows-platform] labels Jan 13, 2025
@elasticmachine

Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform)

@ksctst
Contributor Author

ksctst commented Jan 13, 2025

signed CLA

@andrewkroh andrewkroh removed the needs CLA User must sign the Elastic Contributor License before review. label Jan 13, 2025
@andrewkroh
Member

/test

@andrewkroh andrewkroh changed the title Update security.yml [windows.{security,forwarded}] Add 'Group Membership' to category enrichment Jan 31, 2025
Member

@andrewkroh andrewkroh left a comment


The windows integration's changelog.yml needs to be updated with a new entry, and then the version in the manifest.yml needs to be changed to match.

@elastic-vault-github-plugin-prod

elastic-vault-github-plugin-prod bot commented Jan 31, 2025

🚀 Benchmarks report

Package system 👍(2) 💚(0) 💔(1)

Data stream | Previous EPS | New EPS | Diff (%)      | Result
syslog      | 250000       | 200000  | -50000 (-20%) | 💔

To see the full report comment with /test benchmark fullreport

@andrewkroh andrewkroh changed the title [windows.{security,forwarded}] Add 'Group Membership' to category enrichment [system.security,windows.forwarded] Add 'Group Membership' to category enrichment Jan 31, 2025
@andrewkroh andrewkroh requested review from a team, AndersonQ and VihasMakwana January 31, 2025 23:12
Member

@andrewkroh andrewkroh left a comment


I fixed the system.security data stream, and added changelogs.

I'm not a Windows expert so I'll defer to @elastic/sec-windows-platform for a final approval of these changes.

@andrewkroh andrewkroh dismissed their stale review January 31, 2025 23:21

I pushed the one change I requested.

@andrewkroh andrewkroh requested a review from a team January 31, 2025 23:21
@qcorporation qcorporation requested review from a team as code owners February 4, 2025 03:56
@andrewkroh andrewkroh added Integration:1password 1Password (Partner supported) Integration:abnormal_security Abnormal AI labels Feb 4, 2025
@andrewkroh andrewkroh added Integration:windows Windows Integration:system System enhancement New feature or request and removed New Integration Issue or pull request for creating a new integration package. Integration:1password 1Password (Partner supported) Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] Integration:abnormal_security Abnormal AI labels Feb 7, 2025
@andrewkroh
Member

/test

@andrewkroh andrewkroh removed request for a team, AndersonQ and VihasMakwana February 7, 2025 21:41
@andrewkroh
Member

andrewkroh commented Feb 7, 2025

Since I had done some changes here, I just went ahead and rebased the branch.

@ksctst, can you please sync your fork's main.

@andrewkroh
Member

/test

@ksctst
Contributor Author

ksctst commented Feb 7, 2025

Thanks, fork synced.

@pierrehilbert pierrehilbert added the Team:Elastic-Agent-Data-Plane Agent Data Plane team [elastic/elastic-agent-data-plane] label Feb 10, 2025
@elasticmachine

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

@marc-gr
Contributor

marc-gr commented Feb 11, 2025

/test

@elasticmachine

💚 Build Succeeded


@andrewkroh andrewkroh merged commit 5f6a456 into elastic:main Feb 11, 2025
6 checks passed
@elastic-vault-github-plugin-prod

Package system - 1.66.1 containing this change is available at https://epr.elastic.co/package/system/1.66.1/

@elastic-vault-github-plugin-prod

Package windows - 2.4.1 containing this change is available at https://epr.elastic.co/package/windows/2.4.1/

Labels
enhancement New feature or request Integration:system System Integration:windows Windows Team:Elastic-Agent-Data-Plane Agent Data Plane team [elastic/elastic-agent-data-plane] Team:Security-Windows Platform Security Windows Platform team [elastic/sec-windows-platform]

6 participants