- Notifications
You must be signed in to change notification settings - Fork545
fix(system,windows): normalize SidList in event 4908#15797
Merged
andrewkroh merged 2 commits intoelastic:mainfromNov 18, 2025
Merged
fix(system,windows): normalize SidList in event 4908#15797andrewkroh merged 2 commits intoelastic:mainfrom
andrewkroh merged 2 commits intoelastic:mainfrom
Conversation
7cdc420 to5cf077bCompareelastic-vault-github-plugin-prodbot commentedOct 29, 2025 • edited
Loading Uh oh!
There was an error while loading.Please reload this page.
edited
Uh oh!
There was an error while loading.Please reload this page.
🚀 Benchmarks reportTo see the full report comment with |
Adds whitespace normalization for the SidList field in WindowsSecurity event 4908 (Special Groups Logon table modified). Theingest pipeline now uses a gsub processor to normalize separatorsbefore parsing, and the Painless script handles the normalizedformat correctly.Test data originates fromelastic/beats@dd7a1b3
5cf077b to7f68393Compare| @@ -4260,7 +4265,8 @@ processors: | |||
| void splitSidList(def sids, def params, def ctx) { | |||
| ArrayList al = new ArrayList(); | |||
MemberAuthor
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
This highlights that that system/security and windows/forwarded pipelines are no longer in sync. We will need to address that separately, hopefully taking advantage of new tooling in elastic-package that avoids duplicating content.
elasticmachine commentedOct 29, 2025
Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform) |
elasticmachine commentedOct 30, 2025
Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane) |
mauri870 approved these changesOct 31, 2025
Contributor
pierrehilbert commentedNov 12, 2025
@nfritts /@lalit-satapathy we need your review here. |
nfritts approved these changesNov 18, 2025
ishleenk17 approved these changesNov 18, 2025
Member
ishleenk17 left a comment
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Giving codeowner approval.
elasticmachine commentedNov 18, 2025
💚 Build Succeeded
History
|
95f5051 intoelastic:main 7 checks passed
Uh oh!
There was an error while loading.Please reload this page.
Package system - 2.7.2 containing this change is available athttps://epr.elastic.co/package/system/2.7.2/ |
Package windows - 3.2.3 containing this change is available athttps://epr.elastic.co/package/windows/3.2.3/ |
graphaelli pushed a commit to graphaelli/integrations that referenced this pull requestNov 18, 2025
Adds whitespace normalization for the SidList field in WindowsSecurity event 4908 (Special Groups Logon table modified). Theingest pipeline now uses a gsub processor to normalize separatorsbefore parsing, and the Painless script handles the normalizedformat correctly.Test data originates fromelastic/beats@dd7a1b3
tehbooom pushed a commit to tehbooom/integrations that referenced this pull requestNov 19, 2025
Adds whitespace normalization for the SidList field in WindowsSecurity event 4908 (Special Groups Logon table modified). Theingest pipeline now uses a gsub processor to normalize separatorsbefore parsing, and the Painless script handles the normalizedformat correctly.Test data originates fromelastic/beats@dd7a1b3
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.Learn more about bidirectional Unicode characters
Sign up for freeto join this conversation on GitHub. Already have an account?Sign in to comment
Labels
bugfixPull request that fixes a bug issue Integration:systemSystem Integration:windowsWindows Team:Elastic-Agent-Data-PlaneAgent Data Plane team [elastic/elastic-agent-data-plane] Team:Obs-InfraObsObservability Infrastructure Monitoring team [elastic/obs-infraobs-integrations] Team:Security-Windows PlatformSecurity Windows Platform team [elastic/sec-windows-platform]
6 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading.Please reload this page.
Proposed commit message
Checklist
changelog.ymlfile.Author's Checklist
How to test this PR locally
Related issues
Screenshots