
[Enhancement] Update winlog.event_data.AttributeValue mappings #9515


Merged (5 commits, May 15, 2024)

Conversation

w0rk3r (Contributor) commented Apr 3, 2024

Summary

Attempts to resolve #7381

Proposed commit message

Adjusts the ignore_above parameter to make Active Directory DACLs searchable, adds a wildcard multi-field to winlog.event_data.AttributeValue.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

Related issues

#7381
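The two mapping changes the proposed commit message names, written out as an added fields.yml-style example for comparison. This is not the PR's own diff or the system package's fields definition: the field name comes from the page, the 1024 limit is the ECS keyword convention, and the raised limit of 8191 and the sub-field name `text` are assumptions. The two entries are the before and after of the same field, shown together.

```yaml
# Added example, not the system package's own fields.yml. Field name from the
# PR; the 8191 limit and the sub-field name "text" are assumptions.

# Before: ECS-style keyword with the conventional 1024-character limit.
# An Active Directory DACL in SDDL form is often longer than that, so the
# value is not indexed at all (the document still lands, with the field
# name recorded in its _ignored metadata) and searches on it return nothing.
- name: winlog.event_data.AttributeValue
  type: keyword
  ignore_above: 1024

# After: raise the limit so long DACL strings are indexed, and add a
# wildcard multi-field so leading- and middle-wildcard patterns run
# efficiently against the full value.
- name: winlog.event_data.AttributeValue
  type: keyword
  ignore_above: 8191
  multi_fields:
    - name: text
      type: wildcard
```

With the second mapping in place, a wildcard search on `winlog.event_data.AttributeValue.text` matches inside the full DACL string instead of returning nothing. The raised `ignore_above` is still a ceiling: documents whose value exceeds it keep the field name in `_ignored`, so querying for `_ignored: winlog.event_data.AttributeValue` is a quick check that the chosen limit is large enough for the events actually being collected.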

@w0rk3r w0rk3r added the enhancement New feature or request label Apr 3, 2024
@w0rk3r w0rk3r requested a review from andrewkroh April 3, 2024 20:58
@w0rk3r w0rk3r self-assigned this Apr 3, 2024
@w0rk3r w0rk3r requested review from a team as code owners April 3, 2024 20:58
@w0rk3r w0rk3r marked this pull request as draft April 3, 2024 20:58
@terrancedejesus terrancedejesus marked this pull request as ready for review April 3, 2024 21:26
terrancedejesus (Contributor) commented:

/test

w0rk3r (Contributor, Author) commented Apr 9, 2024

cc @jamiehynds

@jamiehynds jamiehynds added the Team:Security-Windows Platform Security Windows Platform team [elastic/sec-windows-platform] label Apr 9, 2024
elasticmachine commented:

Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform)

jamiehynds commented:

@marc-gr would you mind helping with the review for this enhancement to unblock the TRADE team from building some new detection rules?

marc-gr (Contributor) commented Apr 15, 2024

/test

marc-gr (Contributor) commented Apr 15, 2024

@w0rk3r the README needs to be updated. It should be alright after committing the changes after elastic-package check

elasticmachine commented:

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@w0rk3r w0rk3r enabled auto-merge (squash) May 9, 2024 22:38
@w0rk3r w0rk3r requested a review from ishleenk17 May 9, 2024 22:48
@w0rk3r w0rk3r disabled auto-merge May 12, 2024 16:11
@w0rk3r w0rk3r removed the request for review from ishleenk17 May 12, 2024 16:12
elasticmachine commented:

💚 Build Succeeded

cc @w0rk3r

SonarQube: Quality Gate passed

Issues: 0 new issues, 0 fixed issues, 0 accepted issues

Measures: 0 security hotspots; no data about coverage; no data about duplication

@w0rk3r w0rk3r enabled auto-merge (squash) May 12, 2024 16:31
@w0rk3r w0rk3r requested review from ishleenk17 and a team May 12, 2024 16:31
ishleenk17 (Member) left a comment:

Thanks for fixing the build error.
Looks good!

@w0rk3r w0rk3r merged commit 568fe69 into main May 15, 2024
elasticmachine commented:

Package system - 1.57.0 containing this change is available at https://epr.elastic.co/search?package=system

Labels: Area: RAD; enhancement (New feature or request); Integration:system (System); Team:Security-Windows Platform (Security Windows Platform team [elastic/sec-windows-platform])

Projects: None yet

Development: Successfully merging this pull request may close these issues: [Enhancement] Update the mapping for the winlog.event_data.AttributeValue field

7 participants