Change event.code and winlog.event_id type (elastic#25176)
marc-gr authored Apr 21, 2021
1 parent 4052c69 commit ee5ed90
Showing 111 changed files with 694 additions and 692 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -533,6 +533,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
- Add source.ip validation for event ID 4778 in the Security module. {issue}19627[19627]
- Protect against accessing undefined variables in Sysmon module. {issue}22219[22219] {pull}22236[22236]
- Protect against accessing an undefined variable in Security module. {pull}22937[22937]
- Change `event.code` and `winlog.event_id` from int to keyword. {pull}25176[25176]

*Functionbeat*

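--- a/libbeat/processors/decode_xml_wineventlog/processor.go
+++ b/libbeat/processors/decode_xml_wineventlog/processor.go
@@ -139,8 +139,9 @@ func fields(evt winevent.Event) (common.MapStr, common.MapStr) {
 
 ecs := common.MapStr{}
 
+eventCode, _ := win.GetValue("event_id")
+ecs.Put("event.code", eventCode)
 ecs.Put("event.kind", "event")
-ecs.Put("event.code", evt.EventIdentifier.ID)
 ecs.Put("event.provider", evt.Provider.Name)
 winevent.AddOptional(ecs, "event.action", evt.Task)
 winevent.AddOptional(ecs, "host.name", evt.Computer)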
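Review bot: The added `eventCode, _ := win.GetValue("event_id")` discards the lookup's error result, so if `event_id` is ever missing from `win` the following `ecs.Put("event.code", eventCode)` stores a nil value under `event.code` rather than omitting the field, and detection rules keyed on that field (for example `event.code:4688`) would silently stop matching for such events. Guard the put on a successful lookup: `if eventCode, err := win.GetValue("event_id"); err == nil { ecs.Put("event.code", eventCode) }`. A short why-comment would also help the next reader, since reading the value back out of the winlog map instead of using `evt.EventIdentifier.ID` directly looks accidental: `// take event.code from winlog.event_id so both carry the same keyword (string) form`. `fields` starts before this hunk and continues after it.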
6 changes: 3 additions & 3 deletions libbeat/processors/decode_xml_wineventlog/processor_test.go
Expand Up @@ -55,7 +55,7 @@ func TestProcessor(t *testing.T) {
Output: common.MapStr{
"event": common.MapStr{
"action": "Special Logon",
"code": uint32(4672),
"code": "4672",
"kind": "event",
"outcome": "success",
"provider": "Microsoft-Windows-Security-Auditing",
Expand All @@ -71,7 +71,7 @@ func TestProcessor(t *testing.T) {
"outcome": "success",
"activity_id": "{ffb23523-1f32-0000-c335-b2ff321fd701}",
"level": "information",
"event_id": uint32(4672),
"event_id": "4672",
"provider_name": "Microsoft-Windows-Security-Auditing",
"record_id": uint64(11303),
"computer_name": "vagrant",
Expand Down Expand Up @@ -129,7 +129,7 @@ func TestProcessor(t *testing.T) {
"outcome": "success",
"activity_id": "{ffb23523-1f32-0000-c335-b2ff321fd701}",
"level": "information",
"event_id": uint32(4672),
"event_id": "4672",
"provider_name": "Microsoft-Windows-Security-Auditing",
"record_id": uint64(11303),
"computer_name": "vagrant",
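--- a/winlogbeat/eventlog/eventlog.go
+++ b/winlogbeat/eventlog/eventlog.go
@@ -92,8 +92,9 @@ func (e Record) ToEvent() beat.Event {
 // ECS data
 m.Put("event.created", time.Now())
 
+eventCode, _ := win.GetValue("event_id")
+m.Put("event.code", eventCode)
 m.Put("event.kind", "event")
-m.Put("event.code", e.EventIdentifier.ID)
 m.Put("event.provider", e.Provider.Name)
 
 rename(m, "winlog.outcome", "event.outcome")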
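Review bot: `eventCode, _ := win.GetValue("event_id")` in the new code ignores whether the lookup succeeded, so a `win` map without `event_id` would make the next line put a nil `event.code` on every such event instead of leaving the field absent; since `event.code` is the field most Windows detection content pivots on, a nil there fails silently at query time rather than here. Only set the field when the lookup succeeds: `if eventCode, err := win.GetValue("event_id"); err == nil { m.Put("event.code", eventCode) }`. The same three lines now appear in `decode_xml_wineventlog` too, so the lookup-and-put would be better shared as one small helper next to `winevent.Event.Fields` so the two producers cannot drift apart again. `ToEvent` starts before this hunk and continues after it.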
2 changes: 1 addition & 1 deletion winlogbeat/sys/winevent/event.go
Expand Up @@ -98,7 +98,7 @@ func (e Event) Fields() common.MapStr {
win := common.MapStr{}

AddOptional(win, "channel", e.Channel)
AddOptional(win, "event_id", e.EventIdentifier.ID)
AddOptional(win, "event_id", fmt.Sprint(e.EventIdentifier.ID))
AddOptional(win, "provider_name", e.Provider.Name)
AddOptional(win, "record_id", e.RecordID)
AddOptional(win, "task", e.Task)
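Review bot: `fmt.Sprint(e.EventIdentifier.ID)` on the new `event_id` line boxes the uint32 into an interface and formats it through reflection on every event; `strconv.FormatUint(uint64(e.EventIdentifier.ID), 10)` yields the same decimal text without the allocation and states the intended format explicitly (the old expected value `uint32(4672)` in the tests shows the ID is a uint32). The new call also relies on `fmt` being imported in this file, which the hunk does not show. If `AddOptional` skips zero values, a zero ID now arrives as the non-empty string `"0"` and is emitted where it was previously dropped; worth confirming against `AddOptional` and noting in a comment such as `// stored as a keyword so event.code and winlog.event_id share one string form`. `Fields` starts before this hunk and continues after it.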
17 changes: 8 additions & 9 deletions winlogbeat/tests/system/test_wineventlog.py
Expand Up @@ -68,11 +68,10 @@ def test_read_unknown_event_id(self):
wineventlog - Read unknown event ID
"""
msg = "Unknown event ID"
event_id = 1111
self.write_event_log(msg, eventID=event_id)
self.write_event_log(msg, eventID=1111)
evts = self.read_events()
self.assertTrue(len(evts), 1)
self.assert_common_fields(evts[0], eventID=event_id, extra={
self.assert_common_fields(evts[0], eventID="1111", extra={
"winlog.keywords": ["Classic"],
"winlog.opcode": "Info",
})
Expand Down Expand Up @@ -199,10 +198,10 @@ def test_query_event_id(self):
]
}, expected_events=4)
self.assertTrue(len(evts), 4)
self.assertEqual(evts[0]["winlog.event_id"], 50)
self.assertEqual(evts[1]["winlog.event_id"], 100)
self.assertEqual(evts[2]["winlog.event_id"], 175)
self.assertEqual(evts[3]["winlog.event_id"], 200)
self.assertEqual(evts[0]["winlog.event_id"], "50")
self.assertEqual(evts[1]["winlog.event_id"], "100")
self.assertEqual(evts[2]["winlog.event_id"], "175")
self.assertEqual(evts[3]["winlog.event_id"], "200")

def test_query_level_single(self):
"""
Expand Down Expand Up @@ -270,8 +269,8 @@ def test_query_ignore_older(self):
]
})
self.assertTrue(len(evts), 1)
self.assertEqual(evts[0]["winlog.event_id"], 10)
self.assertEqual(evts[0]["event.code"], 10)
self.assertEqual(evts[0]["winlog.event_id"], "10")
self.assertEqual(evts[0]["event.code"], "10")

def test_query_provider(self):
"""
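Review bot: `self.assertTrue(len(evts), 1)` after `read_events()` in `test_read_unknown_event_id` (and the same pattern in the other two hunks with `4` and `1`) does not check the count: the second argument to `assertTrue` is the failure message, so any non-empty result passes and a surplus of events goes unnoticed while the string-typed `event_id` assertions are only run on `evts[0]`. Replace it with `self.assertEqual(len(evts), 1)` (and `self.assertEqual(len(evts), 4)` / `self.assertEqual(len(evts), 1)` in the other hunks) so the new expectations are checked against exactly the events written. The enclosing test methods start before and end after their hunks.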
2 changes: 1 addition & 1 deletion winlogbeat/tests/system/winlogbeat.py
Expand Up @@ -135,7 +135,7 @@ def read_registry(self, requireBookmark=False):

return event_logs

def assert_common_fields(self, evt, msg=None, eventID=10, sid=None,
def assert_common_fields(self, evt, msg=None, eventID="10", sid=None,
level="information", extra=None):

assert host_name(evt["winlog.computer_name"]).lower() == host_name(platform.node()).lower()
Expand Up @@ -6,7 +6,7 @@
"category": [
"process"
],
"code": 400,
"code": "400",
"kind": "event",
"module": "powershell",
"provider": "PowerShell",
Expand Down Expand Up @@ -46,7 +46,7 @@
"api": "wineventlog",
"channel": "Windows PowerShell",
"computer_name": "vagrant",
"event_id": 400,
"event_id": "400",
"keywords": [
"Classic"
],
Expand All @@ -63,7 +63,7 @@
"category": [
"process"
],
"code": 400,
"code": "400",
"kind": "event",
"module": "powershell",
"provider": "PowerShell",
Expand Down Expand Up @@ -105,7 +105,7 @@
"api": "wineventlog",
"channel": "Windows PowerShell",
"computer_name": "vagrant",
"event_id": 400,
"event_id": "400",
"keywords": [
"Classic"
],
Expand All @@ -122,7 +122,7 @@
"category": [
"process"
],
"code": 400,
"code": "400",
"kind": "event",
"module": "powershell",
"provider": "PowerShell",
Expand Down Expand Up @@ -162,7 +162,7 @@
"api": "wineventlog",
"channel": "Windows PowerShell",
"computer_name": "vagrant",
"event_id": 400,
"event_id": "400",
"keywords": [
"Classic"
],
Expand All @@ -179,7 +179,7 @@
"category": [
"process"
],
"code": 400,
"code": "400",
"kind": "event",
"module": "powershell",
"provider": "PowerShell",
Expand Down Expand Up @@ -213,7 +213,7 @@
"api": "wineventlog",
"channel": "Windows PowerShell",
"computer_name": "vagrant",
"event_id": 400,
"event_id": "400",
"keywords": [
"Classic"
],
Expand Up @@ -6,7 +6,7 @@
"category": [
"process"
],
"code": 403,
"code": "403",
"kind": "event",
"module": "powershell",
"provider": "PowerShell",
Expand Down Expand Up @@ -45,7 +45,7 @@
"api": "wineventlog",
"channel": "Windows PowerShell",
"computer_name": "vagrant",
"event_id": 403,
"event_id": "403",
"keywords": [
"Classic"
],
Expand All @@ -62,7 +62,7 @@
"category": [
"process"
],
"code": 403,
"code": "403",
"kind": "event",
"module": "powershell",
"provider": "PowerShell",
Expand Down Expand Up @@ -102,7 +102,7 @@
"api": "wineventlog",
"channel": "Windows PowerShell",
"computer_name": "vagrant",
"event_id": 403,
"event_id": "403",
"keywords": [
"Classic"
],
Expand All @@ -119,7 +119,7 @@
"category": [
"process"
],
"code": 403,
"code": "403",
"kind": "event",
"module": "powershell",
"provider": "PowerShell",
Expand Down Expand Up @@ -166,7 +166,7 @@
"api": "wineventlog",
"channel": "Windows PowerShell",
"computer_name": "vagrant",
"event_id": 403,
"event_id": "403",
"keywords": [
"Classic"
],
Expand All @@ -183,7 +183,7 @@
"category": [
"process"
],
"code": 403,
"code": "403",
"kind": "event",
"module": "powershell",
"provider": "PowerShell",
Expand Down Expand Up @@ -217,7 +217,7 @@
"api": "wineventlog",
"channel": "Windows PowerShell",
"computer_name": "vagrant",
"event_id": 403,
"event_id": "403",
"keywords": [
"Classic"
],
Expand Up @@ -12,7 +12,7 @@
"category": [
"process"
],
"code": 4103,
"code": "4103",
"kind": "event",
"module": "powershell",
"provider": "Microsoft-Windows-PowerShell",
Expand Down Expand Up @@ -94,7 +94,7 @@
"api": "wineventlog",
"channel": "Microsoft-Windows-PowerShell/Operational",
"computer_name": "vagrant",
"event_id": 4103,
"event_id": "4103",
"opcode": "To be used when operation is just executing a method",
"process": {
"pid": 3984,
Expand All @@ -119,7 +119,7 @@
"category": [
"process"
],
"code": 4103,
"code": "4103",
"kind": "event",
"module": "powershell",
"provider": "Microsoft-Windows-PowerShell",
Expand Down Expand Up @@ -217,7 +217,7 @@
"api": "wineventlog",
"channel": "Microsoft-Windows-PowerShell/Operational",
"computer_name": "vagrant",
"event_id": 4103,
"event_id": "4103",
"opcode": "To be used when operation is just executing a method",
"process": {
"pid": 5032,
Expand Up @@ -6,7 +6,7 @@
"category": [
"process"
],
"code": 4104,
"code": "4104",
"kind": "event",
"module": "powershell",
"provider": "Microsoft-Windows-PowerShell",
Expand Down Expand Up @@ -36,7 +36,7 @@
"api": "wineventlog",
"channel": "Microsoft-Windows-PowerShell/Operational",
"computer_name": "vagrant",
"event_id": 4104,
"event_id": "4104",
"opcode": "On create calls",
"process": {
"pid": 4844,
Expand All @@ -61,7 +61,7 @@
"category": [
"process"
],
"code": 4104,
"code": "4104",
"kind": "event",
"module": "powershell",
"provider": "Microsoft-Windows-PowerShell",
Expand Down Expand Up @@ -96,7 +96,7 @@
"api": "wineventlog",
"channel": "Microsoft-Windows-PowerShell/Operational",
"computer_name": "vagrant",
"event_id": 4104,
"event_id": "4104",
"opcode": "On create calls",
"process": {
"pid": 4844,
Expand Up @@ -6,7 +6,7 @@
"category": [
"process"
],
"code": 4105,
"code": "4105",
"kind": "event",
"module": "powershell",
"provider": "Microsoft-Windows-PowerShell",
Expand Down Expand Up @@ -34,7 +34,7 @@
"api": "wineventlog",
"channel": "Microsoft-Windows-PowerShell/Operational",
"computer_name": "vagrant",
"event_id": 4105,
"event_id": "4105",
"opcode": "On create calls",
"process": {
"pid": 4204,
Expand Up @@ -6,7 +6,7 @@
"category": [
"process"
],
"code": 4106,
"code": "4106",
"kind": "event",
"module": "powershell",
"provider": "Microsoft-Windows-PowerShell",
Expand Down Expand Up @@ -34,7 +34,7 @@
"api": "wineventlog",
"channel": "Microsoft-Windows-PowerShell/Operational",
"computer_name": "vagrant",
"event_id": 4106,
"event_id": "4106",
"opcode": "On create calls",
"process": {
"pid": 4776,