Skip to content

[windows] Add provider name check to forwarded/security conditional #2527

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Jan 19, 2022
Merged

[windows] Add provider name check to forwarded/security conditional #2527

merged 2 commits into from
Jan 19, 2022

Conversation

taylor-swanson
Copy link
Contributor

What does this PR do?

-Added a check to the forwarded/security conditional to ensure that only events with a provider of Microsoft-Windows-Eventlog or Microsoft-Windows-Security-Auditing are allowed through. Events not matching these providers will still be indexed, but won't receive additional enrichment that could lead to incorrect metadata being applied.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

How to test this PR locally

cd packages/windows && elastic-package test

Related issues

@taylor-swanson
[Windows] Add provider name check to forwarded/security conditional
4d6e891 
- Added a check to the forwarded/security conditional to ensure that only
events with a provider of Microsoft-Windows-Eventlog or
Microsoft-Windows-Security-Auditing are allowed through. Events not matching
these providers will still be indexed, but won't receive additional
enrichment that could lead to incorrect metadata being applied.
@taylor-swanson taylor-swanson added bug Something isn't working, use only for issues Team:Security-External Integrations labels Jan 13, 2022
@elasticmachine
Copy link

elasticmachine commented Jan 13, 2022
edited
Loading

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview preview

Expand to view the summary

Build stats

  • Start Time: 2022-01-13T15:03:37.703+0000

  • Duration: 21 min 37 sec

  • Commit: 0ccf6f0

Test stats 🧪

Test Results
Failed 0
Passed 126
Skipped 0
Total 126

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

@taylor-swanson taylor-swanson marked this pull request as ready for review January 14, 2022 14:42
@elasticmachine
Copy link

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

efd6
efd6 reviewed Jan 16, 2022
View reviewed changes
packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/default.yml
@@ -3,7 +3,7 @@ description: Pipeline for Windows forwarded Event Logs
processors:
- pipeline:
name: '{{ IngestPipeline "security" }}'
if: ctx?.winlog?.channel != null && ctx?.winlog?.channel == "Security"
if: ctx?.winlog?.channel != null && ctx?.winlog?.channel == "Security" && ctx?.winlog?.provider_name != null && ["Microsoft-Windows-Eventlog", "Microsoft-Windows-Security-Auditing"].contains(ctx?.winlog?.provider_name)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are there cases where channel is "Security" but provider_name isn't /Microsoft-Windows-(Eventlog|Security-Auditing)/?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good question. For forwarded events I'm not sure if this is the case or not. The other provider name we know of that can appear in the Security channel is AD FS, and we know we don't want it enriched with this pipeline. I was mostly replicating the logic from other pipelines here (the ones in System and Winlogbeat). I think this is still safe since we don't want to enrich any other providers other than the ones we know of. Those are listed here: https://windows-event-explorer.app.elstc.co/channel/Security

@taylor-swanson taylor-swanson merged commit b459efb into elastic:master Jan 19, 2022
@taylor-swanson taylor-swanson deleted the windows-security-guard branch January 19, 2022 15:23
@andrewkroh andrewkroh mentioned this pull request May 11, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@efd6 efd6 efd6 approved these changes

Assignees
No one assigned
Labels
bug Something isn't working, use only for issues
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@taylor-swanson @elasticmachine @efd6