Skip to content

windows: add file hash fields for the new Sysmon EID 29 #7015

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Jul 31, 2023
Merged

windows: add file hash fields for the new Sysmon EID 29 #7015

merged 5 commits into from
Jul 31, 2023

Conversation

fopson
Copy link
Contributor

@fopson fopson commented Jul 19, 2023
edited
Loading

The current pipeline does not create the "file.hash" field for the new sysmon Event ID 29. As a result, that information is lost and does not end up on the event.

  • Enhancement

What does this PR do?

It makes sure the file hash information from the new sysmon EID 29 is not lost when the "_temp" field is deleted.

Checklist

  • [x ] I have reviewed tips for building integrations and this pull request is aligned with them.
  • [x ] I have verified that all data streams collect metrics or logs.
  • [x ] I have added an entry to my package's changelog.yml file.
  • [x ] I have verified that Kibana version constraints are current according to guidelines.

Author's Checklist

  • Update the Sysmon ingest pipeline
  • Generate Sysmon EID 29
  • Verify that the appropriate hashes are being store under file.hash.*

How to test this PR locally

  • Update the Sysmon ingest pipeline, Generate a Sysmon EID 29 and

Sample Event


<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<Events>
  <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
    <System>
      <Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385f-c22a-43e0-bf4c-06f5698ffbd9}' />
      <EventID>29</EventID>
      <Version>5</Version>
      <Level>4</Level>
      <Task>29</Task>
      <Opcode>0</Opcode>
      <Keywords>0x8000000000000000</Keywords>
      <TimeCreated SystemTime='2023-07-19T17:01:17.8516659Z' />
      <EventRecordID>71035898</EventRecordID>
      <Correlation />
      <Execution ProcessID='6164' ThreadID='6268' />
      <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
      <Computer>REDACTED</Computer>
      <Security UserID='S-1-5-18' />
    </System>
    <EventData>
      <Data Name='RuleName'>-</Data>
      <Data Name='UtcTime'>2023-07-19 17:01:17.843</Data>
      <Data Name='ProcessGuid'>{56a10975-16dd-64b8-0407-000000005d00}</Data>
      <Data Name='ProcessId'>6900</Data>
      <Data Name='User'>NT AUTHORITY\SYSTEM</Data>
      <Data Name='Image'>C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe</Data>
      <Data Name='TargetFilename'>
        C:\Windows\assembly\NativeImages_v4.0.30319_32\XsdBuildTask\b25cbabe3057c96a57c7361a596cc89a\XsdBuildTask.ni.dll</Data>
      <Data Name='Hashes'>
        SHA1=2D263CA9EDE0B59CA3105B3261730000441EF4D9,MD5=AC0E7A24551EB981D5DCF6EDAE582A58,SHA256=AD7DD6CD1117A6CD50A8EDC3D4594264D60CD11BAA3747C3CBCCEF17CE706A7C,IMPHASH=00000000000000000000000000000000</Data>
    </EventData>
  </Event>
</Events>

Screenshots

image

@fopson
File hash fields for the new Sysmon EID 29 (default.yml)
69a261c 
The current pipeline does not create the "file.hash" field for the new sysmon Event ID 29. As a result, that information is lost and does not end up on the event.
@fopson fopson requested review from a team as code owners July 19, 2023 18:14
@fopson fopson requested review from belimawr and faec July 19, 2023 18:14
@cla-checker-service
Copy link

cla-checker-service bot commented Jul 19, 2023
edited
Loading

💚 CLA has been signed

@elasticmachine
Copy link

elasticmachine commented Jul 19, 2023
edited
Loading

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview preview

Expand to view the summary

Build stats

  • Start Time: 2023-07-31T18:57:17.395+0000

  • Duration: 20 min 42 sec

Test stats 🧪

Test Results
Failed 0
Passed 134
Skipped 0
Total 134

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

@efd6
Copy link
Contributor

efd6 commented Jul 20, 2023

@fopson, please sign the CLA so that we can take a look at this. If you believe you have signed it, please check that the email address that you used agrees with the email address in the commits.

@fopson
Copy link
Contributor Author

fopson commented Jul 20, 2023
edited
Loading

Hi @efd6, I have signed the agreement twice now, but it is still showing up as unsigned. Not sure why.

@efd6
Copy link
Contributor

efd6 commented Jul 23, 2023

@fopson Looks good now.

efd6
efd6 reviewed Jul 23, 2023
View reviewed changes
Copy link
Contributor

@efd6 efd6 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@fopson Please add an entry to the changelog and update the manifest for the package. I expect that this change will require that the test expectations will need to be updated. Are you able to do this?

@fopson
Copy link
Contributor Author

fopson commented Jul 29, 2023

@fopson Please add an entry to the changelog and update the manifest for the package. I expect that this change will require that the test expectations will need to be updated. Are you able to do this?

Done.

@efd6 efd6 changed the title File hash fields for the new Sysmon EID 29 (default.yml) windows: add file hash fields for the new Sysmon EID 29 Jul 30, 2023
@efd6
Copy link
Contributor

efd6 commented Jul 30, 2023

@fopson This also needs a change to the manifest here.

@fopson
Copy link
Contributor Author

fopson commented Jul 31, 2023

@fopson This also needs a change to the manifest here.

Done

@efd6
Copy link
Contributor

efd6 commented Jul 31, 2023

/test

@elasticmachine
Copy link

elasticmachine commented Jul 31, 2023
edited
Loading

🌐 Coverage report

Name Metrics % (covered/total) Diff
Packages 100.0% (5/5) 💚
Files 88.889% (8/9)
Classes 88.889% (8/9)
Methods 82.178% (83/101)
Lines 91.91% (5328/5797)
Conditionals 100.0% (0/0) 💚

@andrewkroh andrewkroh merged commit 3f3154a into elastic:main Jul 31, 2023
@fopson fopson deleted the patch-1 branch July 31, 2023 19:49
@elasticmachine
Copy link

Package windows - 1.28.0 containing this change is available at https://epr.elastic.co/search?package=windows

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@efd6 efd6 efd6 left review comments

@andrewkroh andrewkroh andrewkroh approved these changes

@belimawr belimawr Awaiting requested review from belimawr belimawr is a code owner automatically assigned from elastic/elastic-agent-data-plane

@faec faec Awaiting requested review from faec faec is a code owner automatically assigned from elastic/elastic-agent-data-plane

Assignees
No one assigned
Labels
Integration:windows Windows
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@fopson @elasticmachine @efd6 @andrewkroh