[windows] Add Windows AppLocker Data Stream (MSI and Script) #7279
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
💚 Build Succeeded
Expand to view the summary
Build stats
Test stats 🧪
🤖 GitHub commentsExpand to view the GitHub comments
To re-run your PR in the CI, just comment with:
|
4 tasks
…ing/integrations into applocker_msi_and_script
…ing/integrations into applocker_msi_and_script
|
Pinging @elastic/security-external-integrations (Team:Security-External Integrations) |
|
/test |
1 similar comment
|
/test |
🌐 Coverage report
|
efd6
reviewed
Aug 9, 2023
There was a problem hiding this comment.
Can you provide screen shots showing the dashboard changes.
Also, please make the following change to CODEOWNERS
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index ddcfae883..aacc76f5a 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -243,6 +243,7 @@
/packages/websphere_application_server @elastic/obs-infraobs-integrations
/packages/windows @elastic/elastic-agent-data-plane @elastic/security-external-integrations
/packages/windows/data_stream/applocker_exe_and_dll @elastic/security-external-integrations
+/packages/windows/data_stream/applocker_msi_and_script @elastic/security-external-integrations
/packages/windows/data_stream/forwarded @elastic/security-external-integrations
/packages/windows/data_stream/perfmon @elastic/elastic-agent-data-plane
/packages/windows/data_stream/powershell @elastic/security-external-integrations
packages/windows/data_stream/applocker_msi_and_script/agent/stream/httpjson.yml.hbs
Show resolved
Hide resolved
packages/windows/data_stream/applocker_msi_and_script/elasticsearch/ingest_pipeline/default.yml
Outdated
Show resolved
Hide resolved
|
/test |
Do you mean update the .png in the package or add those screenshots to this PR for review? |
|
I added these: And removed the "-" in the title of the dashboard between [Windows Applocker] - Audited Blocked Applications |
|
/test |
|
Package windows - 1.30.0 containing this change is available at https://epr.elastic.co/search?package=windows |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What does this PR do?
This PR adds the Windows AppLocker MSI and Script data stream which allows the ingestion of those events from the Windows Event Log. This also updates the dashboard with a better title and adds 4 new visualizations to explore the data.
Resolves Part of - #6979
Checklist
changelog.ymlfile.