[System.Security] For Windows, store the split access list and mask v…

…alues (#9907) * Added logic to store the individual `winlog.event_data.AccessMask` values as a list of values instead of a multi-line string value. * Updated test for winlog.event_data.AccessMask for split values. * Updated the change log and manifest version. * Updated the rest of the test cases for the new format of AccessMask. * Updated changelog pull request number * Fixed formatting on changelog.yaml * Added failing test cases for expected output for AccessList. * Added logic to the standard system security ingest pipeline to save the AccessList values. * Increment version number. * Update packages/system/changelog.yml
elastic · Oct 13, 2024 · 4eec18d · 4eec18d
1 parent d6e8d56
commit 4eec18d
Show file tree

Hide file tree

Showing 7 changed files with 49 additions and 10 deletions.
diff --git a/packages/system/changelog.yml b/packages/system/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.61.1"
+  changes:
+    - description: Parse `winlog.event_data.AccessList` and `winlog.event_data.AccessMask` into a list of values
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/9907
 - version: "1.61.0"
   changes:
     - description: Tighten IPv4 extraction from IPv4-mapped IPv6 addresses.

diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4662.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4662.json-expected.json
@@ -40,7 +40,9 @@
                 "channel": "Security",
                 "computer_name": "DC01.contoso.local",
                 "event_data": {
-                    "AccessMask": "0x10000",
+                    "AccessMask": [
+                        "0x10000"
+                    ],
                     "AccessMaskDescription": [
                         "DELETE"
                     ],

diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4663.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4663.json-expected.json
@@ -36,12 +36,17 @@
                 "channel": "Security",
                 "computer_name": "DC01.contoso.local",
                 "event_data": {
-                    "AccessList": "%%4417 %%4418",
+                    "AccessList": [
+                        "4417",
+                        "4418"
+                    ],
                     "AccessListDescription": [
                         "WriteData (or AddFile)",
                         "AppendData (or AddSubdirectory or CreatePipeInstance)"
                     ],
-                    "AccessMask": "0x6",
+                    "AccessMask": [
+                        "0x6"
+                    ],
                     "AccessMaskDescription": [
                         "Delete Child",
                         "List Contents"

diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4674.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4674.json-expected.json
@@ -58,7 +58,9 @@
                 "channel": "Security",
                 "computer_name": "DC01.contoso.local",
                 "event_data": {
-                    "AccessMask": "16777216",
+                    "AccessMask": [
+                        "16777216"
+                    ],
                     "AccessMaskDescription": [
                         "ADS_RIGHT_ACCESS_SYSTEM_SECURITY"
                     ],
@@ -140,7 +142,10 @@
                 "channel": "Security",
                 "computer_name": "DC_TEST2k12.TEST.SAAS",
                 "event_data": {
-                    "AccessMask": "%%1538\n\t\t\t\t%%1542\n\t\t\t\t",
+                    "AccessMask": [
+                        "1538",
+                        "1542"
+                    ],
                     "AccessMaskDescription": [
                         "Delete Child",
                         "List Contents"

diff --git a/...system/data_stream/security/_dev/test/pipeline/test-security-5140-5145.json-expected.json b/...system/data_stream/security/_dev/test/pipeline/test-security-5140-5145.json-expected.json
@@ -52,11 +52,15 @@
                 "channel": "Security",
                 "computer_name": "DC01.contoso.local",
                 "event_data": {
-                    "AccessList": "%%4416",
+                    "AccessList": [
+                        "4416"
+                    ],
                     "AccessListDescription": [
                         "ReadData (or ListDirectory)"
                     ],
-                    "AccessMask": "0x1",
+                    "AccessMask": [
+                        "0x1"
+                    ],
                     "AccessMaskDescription": [
                         "Create Child"
                     ],
@@ -146,13 +150,19 @@
                 "channel": "Security",
                 "computer_name": "DC01.contoso.local",
                 "event_data": {
-                    "AccessList": "%%1541 %%4416 %%4423",
+                    "AccessList": [
+                        "1541",
+                        "4416",
+                        "4423"
+                    ],
                     "AccessListDescription": [
                         "SYNCHRONIZE",
                         "ReadData (or ListDirectory)",
                         "ReadAttributes"
                     ],
-                    "AccessMask": "0x100081",
+                    "AccessMask": [
+                        "0x100081"
+                    ],
                     "AccessMaskDescription": [
                         "List Object",
                         "Create Child",

diff --git a/packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml b/packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml
@@ -2220,13 +2220,20 @@ processors:
           }
         }
         if (ctx.winlog?.event_data?.AccessList != null) {
+          ArrayList codes = new ArrayList();
           ArrayList results = new ArrayList();
           for (elem in ctx.winlog.event_data.AccessList.splitOnToken(" ")) {
             def code = elem.replace("%%","").trim();
+            if (code != "") {
+              codes.add(code);
+            }
             if (params.descriptions.containsKey(code)) {
               results.add(params.descriptions[code]);
             }
           }
+          if (codes.length > 0) {
+            ctx.winlog.event_data.AccessList = codes;
+          }
           if (results.length > 0) {
             ctx.winlog.event_data.put("AccessListDescription", results);
           }
@@ -2244,12 +2251,14 @@ processors:
           }
         }
         if (ctx.winlog?.event_data?.AccessMask != null) {
+          ArrayList masks = new ArrayList();
           ArrayList results = new ArrayList();
           for (elem in split(ctx.winlog.event_data.AccessMask)) {
             def mask = elem.replace("%%","").trim();
             if (mask == "") {
               continue;
             }
+            masks.add(mask);
             Long accessMask = Long.decode(mask);
             for (entry in params.AccessMaskDescriptions.entrySet()) {
               Long accessFlag = Long.decode(entry.getKey());
@@ -2258,6 +2267,9 @@ processors:
               }
             }
           }
+          if (masks.length > 0) {
+            ctx.winlog.event_data.AccessMask = masks;
+          }
           if (results.length > 0) {
             ctx.winlog.event_data.put("_AccessMaskDescription", results);
           }

diff --git a/packages/system/manifest.yml b/packages/system/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.0.2
 name: system
 title: System
-version: "1.61.0"
+version: "1.61.1"
 description: Collect system logs and metrics from your servers with Elastic Agent.
 type: integration
 categories: