Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

[windows] Add provider name check to forwarded/security conditional#2527

Merged
taylor-swanson merged 2 commits intoelastic:masterfrom
taylor-swanson:windows-security-guard
Jan 19, 2022
Merged

[windows] Add provider name check to forwarded/security conditional#2527
taylor-swanson merged 2 commits intoelastic:masterfrom
taylor-swanson:windows-security-guard

Conversation

@taylor-swanson
Copy link
Contributor

What does this PR do?

-Added a check to the forwarded/security conditional to ensure that only events with a provider ofMicrosoft-Windows-Eventlog orMicrosoft-Windows-Security-Auditing are allowed through. Events not matching these providers will still be indexed, but won't receive additional enrichment that could lead to incorrect metadata being applied.

Checklist

  • I have reviewedtips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package'schangelog.yml file.
  • I have verified that Kibana version constraints are current according toguidelines.

How to test this PR locally

cd packages/windows && elastic-package test

Related issues

willemdh reacted with heart emoji
- Added a check to the forwarded/security conditional to ensure that onlyevents with a provider of Microsoft-Windows-Eventlog orMicrosoft-Windows-Security-Auditing are allowed through. Events not matchingthese providers will still be indexed, but won't receive additionalenrichment that could lead to incorrect metadata being applied.
@taylor-swansontaylor-swanson added bugSomething isn't working, use only for issues Team:Security-External Integrations labelsJan 13, 2022
@elasticmachine
Copy link

elasticmachine commentedJan 13, 2022
edited
Loading

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline ViewTest ViewChangesArtifactspreviewpreview

Expand to view the summary

Build stats

  • Start Time: 2022-01-13T15:03:37.703+0000

  • Duration: 21 min 37 sec

  • Commit:0ccf6f0

Test stats 🧪

TestResults
Failed0
Passed126
Skipped0
Total126

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

@taylor-swansontaylor-swanson marked this pull request as ready for reviewJanuary 14, 2022 14:42
@elasticmachine
Copy link

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

- pipeline:
name: '{{ IngestPipeline "security" }}'
if: ctx?.winlog?.channel != null && ctx?.winlog?.channel == "Security"
if: ctx?.winlog?.channel != null && ctx?.winlog?.channel == "Security" && ctx?.winlog?.provider_name != null && ["Microsoft-Windows-Eventlog", "Microsoft-Windows-Security-Auditing"].contains(ctx?.winlog?.provider_name)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Are there cases wherechannel is "Security" butprovider_name isn't /Microsoft-Windows-(Eventlog|Security-Auditing)/?

Copy link
ContributorAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Good question. For forwarded events I'm not sure if this is the case or not. The other provider name we know of that can appear in theSecurity channel isAD FS, and we know we don't want it enriched with this pipeline. I was mostly replicating the logic from other pipelines here (the ones in System and Winlogbeat). I think this is still safe since we don't want to enrich any other providers other than the ones we know of. Those are listed here:https://windows-event-explorer.app.elstc.co/channel/Security

efd6 reacted with thumbs up emoji
Sign up for freeto join this conversation on GitHub. Already have an account?Sign in to comment

Reviewers

@efd6efd6efd6 approved these changes

Assignees

No one assigned

Labels

bugSomething isn't working, use only for issues

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@taylor-swanson@elasticmachine@efd6

Comments

[8]ページ先頭
©2009-2026 Movatter.jp