
Commit 096b88e

Improve ECS field mappings in Sysmon module. (#18381)
- related.hash, related.ip, and related.user are now populated. - hashes are now also populated to the corresponding process.hash, process.pe.imphash, file.hash or file.pe.imphash - file.name, file.directory, and file.extension are now populated. - rule.name is populated for all events when present. Closes #18364
1 parent 6cbd8cb commit 096b88e

5 files changed

+456
-12
lines changed


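--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -46,6 +46,10 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 *Winlogbeat*
 
 - Add support to Sysmon file delete events (event ID 23). {issue}18094[18094]
+- Improve ECS field mappings in Sysmon module. `related.hash`, `related.ip`, and `related.user` are now populated. {issue}18364[18364]
+- Improve ECS field mappings in Sysmon module. Hashes are now also populated to the corresponding `process.hash`, `process.pe.imphash`, `file.hash`, or `file.pe.imphash`. {issue}18364[18364]
+- Improve ECS field mappings in Sysmon module. `file.name`, `file.directory`, and `file.extension` are now populated. {issue}18364[18364]
+- Improve ECS field mappings in Sysmon module. `rule.name` is populated for all events when present. {issue}18364[18364]
 
 *Functionbeat*
 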
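--- a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js
+++ b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js
@@ -332,10 +332,21 @@ var sysmon = (function () {
 evt.Delete("user");
 evt.Put("user.domain", userParts[0]);
 evt.Put("user.name", userParts[1]);
+evt.AppendTo("related.user", userParts[1]);
 evt.Delete("winlog.event_data.User");
 }
 };
 
+var setRuleName = function (evt) {
+var ruleName = evt.Get("winlog.event_data.RuleName");
+if (!ruleName || ruleName === "-") {
+return;
+}
+
+evt.Put("rule.name", ruleName);
+evt.Delete("winlog.event_data.RuleName");
+};
+
 var addNetworkDirection = function (evt) {
 switch (evt.Get("winlog.event_data.Initiated")) {
 case "true":
@@ -361,7 +372,39 @@ var sysmon = (function () {
 evt.Delete("winlog.event_data.DestinationIsIpv6");
 };
 
-var addHashes = function (evt, hashField) {
+var setRelatedIP = function (evt) {
+var sourceIP = evt.Get("source.ip");
+if (sourceIP) {
+evt.AppendTo("related.ip", sourceIP);
+}
+
+var destIP = evt.Get("destination.ip");
+if (destIP) {
+evt.AppendTo("related.ip", destIP);
+}
+};
+
+var getHashPath = function (namespace, hashKey) {
+if (hashKey === "imphash") {
+return namespace + ".pe.imphash";
+}
+
+return namespace + ".hash." + hashKey;
+};
+
+var emptyHashRegex = /^0*$/;
+
+var hashIsEmpty = function (value) {
+if (!value) {
+return true;
+}
+
+return emptyHashRegex.test(value);
+}
+
+// Adds hashes from the given hashField in the event to the 'hash' key
+// in the specified namespace. It also adds all the hashes to 'related.hash'.
+var addHashes = function (evt, namespace, hashField) {
 var hashes = evt.Get(hashField);
 evt.Delete(hashField);
 hashes.split(",").forEach(function (hash) {
@@ -372,16 +415,31 @@ var sysmon = (function () {
 
 var key = parts[0].toLowerCase();
 var value = parts[1].toLowerCase();
+
+if (hashIsEmpty(value)) {
+return;
+}
+
+var path = getHashPath(namespace, key);
+
+evt.Put(path, value);
+evt.AppendTo("related.hash", value);
+
+// TODO: remove in 8.0, see (https://github.com/elastic/beats/issues/18364).
 evt.Put("hash." + key, value);
 });
 };
 
-var splitHashes = function (evt) {
-addHashes(evt, "winlog.event_data.Hashes");
+var splitFileHashes = function (evt) {
+addHashes(evt, "file", "winlog.event_data.Hashes");
 };
 
-var splitHash = function (evt) {
-addHashes(evt, "winlog.event_data.Hash");
+var splitFileHash = function (evt) {
+addHashes(evt, "file", "winlog.event_data.Hash");
+};
+
+var splitProcessHashes = function (evt) {
+addHashes(evt, "process", "winlog.event_data.Hashes");
 };
 
 var removeEmptyEventData = function (evt) {
@@ -477,6 +535,28 @@ var sysmon = (function () {
 evt.Put("file.code_signature.valid", signatureStatus === "Valid");
 };
 
+var setAdditionalFileFieldsFromPath = function (evt) {
+var filePath = evt.Get("file.path");
+if (!filePath) {
+return;
+}
+
+evt.Put("file.name", path.basename(filePath));
+evt.Put("file.directory", path.dirname(filePath));
+
+// path returns extensions with a preceding ., e.g.: .tmp, .png
+// according to ecs the expected format is without it, so we need to remove it.
+var ext = path.extname(filePath);
+if (!ext) {
+return;
+}
+
+if (ext.charAt(0) === ".") {
+ext = ext.substr(1);
+}
+evt.Put("file.extension", ext);
+};
+
 // https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-hives
 var commonRegistryHives = {
 HKEY_CLASSES_ROOT: "HKCR",
@@ -606,10 +686,11 @@ var sysmon = (function () {
 ignore_missing: true,
 fail_on_error: false,
 })
+.Add(setRuleName)
 .Add(setProcessNameUsingExe)
 .Add(splitProcessArgs)
 .Add(addUser)
-.Add(splitHashes)
+.Add(splitProcessHashes)
 .Add(setParentProcessNameUsingExe)
 .Add(splitParentProcessArgs)
 .Add(removeEmptyEventData)
@@ -652,6 +733,8 @@ var sysmon = (function () {
 ignore_missing: true,
 fail_on_error: false,
 })
+.Add(setRuleName)
+.Add(setAdditionalFileFieldsFromPath)
 .Add(setProcessNameUsingExe)
 .Add(removeEmptyEventData)
 .Build();
@@ -727,6 +810,8 @@ var sysmon = (function () {
 ignore_missing: true,
 fail_on_error: false,
 })
+.Add(setRuleName)
+.Add(setRelatedIP)
 .Add(setProcessNameUsingExe)
 .Add(addUser)
 .Add(addNetworkDirection)
@@ -792,6 +877,7 @@ var sysmon = (function () {
 ignore_missing: true,
 fail_on_error: false,
 })
+.Add(setRuleName)
 .Add(setProcessNameUsingExe)
 .Add(removeEmptyEventData)
 .Build();
@@ -833,8 +919,10 @@ var sysmon = (function () {
 ],
 fail_on_error: false,
 })
+.Add(setRuleName)
+.Add(setAdditionalFileFieldsFromPath)
 .Add(setAdditionalSignatureFields)
-.Add(splitHashes)
+.Add(splitFileHashes)
 .Add(removeEmptyEventData)
 .Build();
 
@@ -888,9 +976,11 @@ var sysmon = (function () {
 ],
 fail_on_error: false,
 })
+.Add(setRuleName)
+.Add(setAdditionalFileFieldsFromPath)
 .Add(setAdditionalSignatureFields)
 .Add(setProcessNameUsingExe)
-.Add(splitHashes)
+.Add(splitFileHashes)
 .Add(removeEmptyEventData)
 .Build();
 
@@ -921,6 +1011,7 @@ var sysmon = (function () {
 ignore_missing: true,
 fail_on_error: false,
 })
+.Add(setRuleName)
 .Add(setProcessNameUsingExe)
 .Add(removeEmptyEventData)
 .Build();
@@ -956,6 +1047,8 @@ var sysmon = (function () {
 ignore_missing: true,
 fail_on_error: false,
 })
+.Add(setRuleName)
+.Add(setAdditionalFileFieldsFromPath)
 .Add(setProcessNameUsingExe)
 .Add(removeEmptyEventData)
 .Build();
@@ -998,6 +1091,7 @@ var sysmon = (function () {
 ignore_missing: true,
 fail_on_error: false,
 })
+.Add(setRuleName)
 .Add(setProcessNameUsingExe)
 .Add(removeEmptyEventData)
 .Build();
@@ -1039,6 +1133,8 @@ var sysmon = (function () {
 ignore_missing: true,
 fail_on_error: false,
 })
+.Add(setRuleName)
+.Add(setAdditionalFileFieldsFromPath)
 .Add(setProcessNameUsingExe)
 .Add(removeEmptyEventData)
 .Build();
@@ -1070,6 +1166,7 @@ var sysmon = (function () {
 ignore_missing: true,
 fail_on_error: false,
 })
+.Add(setRuleName)
 .Add(setRegistryFields)
 .Add(setProcessNameUsingExe)
 .Add(removeEmptyEventData)
@@ -1102,6 +1199,7 @@ var sysmon = (function () {
 ignore_missing: true,
 fail_on_error: false,
 })
+.Add(setRuleName)
 .Add(setRegistryFields)
 .Add(setProcessNameUsingExe)
 .Add(removeEmptyEventData)
@@ -1134,6 +1232,7 @@ var sysmon = (function () {
 ignore_missing: true,
 fail_on_error: false,
 })
+.Add(setRuleName)
 .Add(setRegistryFields)
 .Add(setProcessNameUsingExe)
 .Add(removeEmptyEventData)
@@ -1176,8 +1275,10 @@ var sysmon = (function () {
 ignore_missing: true,
 fail_on_error: false,
 })
+.Add(setRuleName)
+.Add(setAdditionalFileFieldsFromPath)
 .Add(setProcessNameUsingExe)
-.Add(splitHash)
+.Add(splitFileHash)
 .Add(removeEmptyEventData)
 .Build();
 
@@ -1235,6 +1336,7 @@ var sysmon = (function () {
 ignore_missing: true,
 fail_on_error: false,
 })
+.Add(setRuleName)
 .Add(setProcessNameUsingExe)
 .Add(removeEmptyEventData)
 .Build();
@@ -1276,6 +1378,7 @@ var sysmon = (function () {
 ignore_missing: true,
 fail_on_error: false,
 })
+.Add(setRuleName)
 .Add(setProcessNameUsingExe)
 .Add(removeEmptyEventData)
 .Build();
@@ -1294,6 +1397,7 @@ var sysmon = (function () {
 ignore_missing: true,
 fail_on_error: false,
 })
+.Add(setRuleName)
 .Add(addUser)
 .Add(removeEmptyEventData)
 .Build();
@@ -1316,6 +1420,7 @@ var sysmon = (function () {
 ignore_missing: true,
 fail_on_error: false,
 })
+.Add(setRuleName)
 .Add(addUser)
 .Add(setProcessNameUsingExe)
 .Add(removeEmptyEventData)
@@ -1335,6 +1440,7 @@ var sysmon = (function () {
 ignore_missing: true,
 fail_on_error: false,
 })
+.Add(setRuleName)
 .Add(addUser)
 .Add(removeEmptyEventData)
 .Build();
@@ -1389,6 +1495,7 @@ var sysmon = (function () {
 field: "dns.question.name",
 target_field: "dns.question.registered_domain",
 })
+.Add(setRuleName)
 .Add(translateDnsQueryStatus)
 .Add(splitDnsQueryResults)
 .Add(setProcessNameUsingExe)
@@ -1425,7 +1532,7 @@ var sysmon = (function () {
 },
 {
 from: "winlog.event_data.TargetFilename",
-to: "file.name",
+to: "file.path",
 },
 {
 from: "winlog.event_data.Image",
@@ -1446,9 +1553,11 @@ var sysmon = (function () {
 ignore_missing: true,
 fail_on_error: false,
 })
+.Add(setRuleName)
 .Add(addUser)
-.Add(splitHashes)
+.Add(splitProcessHashes)
 .Add(setProcessNameUsingExe)
+.Add(setAdditionalFileFieldsFromPath)
 .Add(removeEmptyEventData)
 .Build();
 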
Binary file not shown.
