From 4eec18d7576504b48c98b2d66108e96cb16d2ce8 Mon Sep 17 00:00:00 2001
From: Nicole Albee <2642763+a03nikki@users.noreply.github.com>
Date: Sun, 13 Oct 2024 10:55:48 -0500
Subject: [PATCH] [System.Security] For Windows, store the split access list and mask values (#9907)

* Added logic to store the individual `winlog.event_data.AccessMask` values as a list of values instead of a multi-line string value.
* Updated test for winlog.event_data.AccessMask for split values.
* Updated the change log and manifest version.
* Updated the rest of the test cases for the new format of AccessMask.
* Updated changelog pull request number
* Fixed formatting on changelog.yaml
* Added failing test cases for expected output for AccessList.
* Added logic to the standard system security ingest pipeline to save the AccessList values.
* Increment version number.
* Update packages/system/changelog.yml

---
 packages/system/changelog.yml | 5 +++++
 .../test/pipeline/test-4662.json-expected.json | 4 +++-
 .../test/pipeline/test-4663.json-expected.json | 9 +++++++--
 .../test/pipeline/test-4674.json-expected.json | 9 +++++++--
 .../test-security-5140-5145.json-expected.json | 18 ++++++++++++++----
 .../elasticsearch/ingest_pipeline/standard.yml | 12 ++++++++++++
 packages/system/manifest.yml | 2 +-
 7 files changed, 49 insertions(+), 10 deletions(-)

diff --git a/packages/system/changelog.yml b/packages/system/changelog.yml
index c731da433e6a..246ba6f964f8 100644
--- a/packages/system/changelog.yml
+++ b/packages/system/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.61.1"
+ changes:
+ - description: Parse `winlog.event_data.AccessList` and `winlog.event_data.AccessMask` into a list of values
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/9907
 - version: "1.61.0"
 changes:
 - description: Tighten IPv4 extraction from IPv4-mapped IPv6 addresses.
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4662.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4662.json-expected.json
index 6350a92d3bc0..f21a5473f267 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4662.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4662.json-expected.json
@@ -40,7 +40,9 @@
 "channel": "Security",
 "computer_name": "DC01.contoso.local",
 "event_data": {
- "AccessMask": "0x10000",
+ "AccessMask": [
+ "0x10000"
+ ],
 "AccessMaskDescription": [
 "DELETE"
 ],
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4663.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4663.json-expected.json
index 49580ed94d9c..55a15f183155 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4663.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4663.json-expected.json
@@ -36,12 +36,17 @@
 "channel": "Security",
 "computer_name": "DC01.contoso.local",
 "event_data": {
- "AccessList": "%%4417 %%4418",
+ "AccessList": [
+ "4417",
+ "4418"
+ ],
 "AccessListDescription": [
 "WriteData (or AddFile)",
 "AppendData (or AddSubdirectory or CreatePipeInstance)"
 ],
- "AccessMask": "0x6",
+ "AccessMask": [
+ "0x6"
+ ],
 "AccessMaskDescription": [
 "Delete Child",
 "List Contents"
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4674.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4674.json-expected.json
index 5c7dd19c2ad8..bc8ace70b74c 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4674.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4674.json-expected.json
@@ -58,7 +58,9 @@
 "channel": "Security",
 "computer_name": "DC01.contoso.local",
 "event_data": {
- "AccessMask": "16777216",
+ "AccessMask": [
+ "16777216"
+ ],
 "AccessMaskDescription": [
 "ADS_RIGHT_ACCESS_SYSTEM_SECURITY"
 ],
@@ -140,7 +142,10 @@
 "channel": "Security",
 "computer_name": "DC_TEST2k12.TEST.SAAS",
 "event_data": {
- "AccessMask": "%%1538\n\t\t\t\t%%1542\n\t\t\t\t",
+ "AccessMask": [
+ "1538",
+ "1542"
+ ],
 "AccessMaskDescription": [
 "Delete Child",
 "List Contents"
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-5140-5145.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-5140-5145.json-expected.json
index 9a9d502a4d33..74ae5bee83dd 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-5140-5145.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-5140-5145.json-expected.json
@@ -52,11 +52,15 @@
 "channel": "Security",
 "computer_name": "DC01.contoso.local",
 "event_data": {
- "AccessList": "%%4416",
+ "AccessList": [
+ "4416"
+ ],
 "AccessListDescription": [
 "ReadData (or ListDirectory)"
 ],
- "AccessMask": "0x1",
+ "AccessMask": [
+ "0x1"
+ ],
 "AccessMaskDescription": [
 "Create Child"
 ],
@@ -146,13 +150,19 @@
 "channel": "Security",
 "computer_name": "DC01.contoso.local",
 "event_data": {
- "AccessList": "%%1541 %%4416 %%4423",
+ "AccessList": [
+ "1541",
+ "4416",
+ "4423"
+ ],
 "AccessListDescription": [
 "SYNCHRONIZE",
 "ReadData (or ListDirectory)",
 "ReadAttributes"
 ],
- "AccessMask": "0x100081",
+ "AccessMask": [
+ "0x100081"
+ ],
 "AccessMaskDescription": [
 "List Object",
 "Create Child",
diff --git a/packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml b/packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml
index d54389828487..360ae1e8fff7 100644
--- a/packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml
+++ b/packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml
@@ -2220,13 +2220,20 @@ processors:
 }
 }
 if (ctx.winlog?.event_data?.AccessList != null) {
+ ArrayList codes = new ArrayList();
 ArrayList results = new ArrayList();
 for (elem in ctx.winlog.event_data.AccessList.splitOnToken(" ")) {
 def code = elem.replace("%%","").trim();
+ if (code != "") {
+ codes.add(code);
+ }
 if (params.descriptions.containsKey(code)) {
 results.add(params.descriptions[code]);
 }
 }
+ if (codes.length > 0) {
+ ctx.winlog.event_data.AccessList = codes;
+ }
 if (results.length > 0) {
 ctx.winlog.event_data.put("AccessListDescription", results);
 }
@@ -2244,12 +2251,14 @@ processors:
 }
 }
 if (ctx.winlog?.event_data?.AccessMask != null) {
+ ArrayList masks = new ArrayList();
 ArrayList results = new ArrayList();
 for (elem in split(ctx.winlog.event_data.AccessMask)) {
 def mask = elem.replace("%%","").trim();
 if (mask == "") {
 continue;
 }
+ masks.add(mask);
 Long accessMask = Long.decode(mask);
 for (entry in params.AccessMaskDescriptions.entrySet()) {
 Long accessFlag = Long.decode(entry.getKey());
@@ -2258,6 +2267,9 @@ processors:
 }
 }
 }
+ if (masks.length > 0) {
+ ctx.winlog.event_data.AccessMask = masks;
+ }
 if (results.length > 0) {
 ctx.winlog.event_data.put("_AccessMaskDescription", results);
 }
diff --git a/packages/system/manifest.yml b/packages/system/manifest.yml
index 88f9096e2389..91af582999bc 100644
--- a/packages/system/manifest.yml
+++ b/packages/system/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.0.2
 name: system
 title: System
-version: "1.61.0"
+version: "1.61.1"
 description: Collect system logs and metrics from your servers with Elastic Agent.
 type: integration
 categories:
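Review bot: The AccessList branch still tokenises on a single space (`splitOnToken(" ")`) while the AccessMask branch two hunks down goes through the `split(...)` helper, so an AccessList value carrying the newline-and-tab layout that the 4674 AccessMask fixture shows would be stored as one list element with the whitespace embedded and would miss its description lookup; `for (elem in split(ctx.winlog.event_data.AccessList)) {` would keep the two branches consistent, assuming `split` (defined outside the hunk) accepts that input. Separately, the stored value of `winlog.event_data.AccessList` changes shape here — an array instead of a string, with the `%%` prefix dropped — and the same happens to `AccessMask` in the following hunk; detection rules or saved searches keyed on the old literal (for example `%%4416`) stop matching silently, which is worth stating in the changelog entry rather than labelling it only a bugfix. The enclosing script processor starts and ends outside the hunk.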
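Review bot: `masks.add(mask)` stores the token after `replace("%%","")`, so a message-table reference such as `%%1538` (the 4674 fixture) and a decimal mask such as `16777216` now land in `winlog.event_data.AccessMask` in the same bare-number form, and a consumer can no longer tell which encoding a value had, whereas the raw string kept that distinction. If that is intended, a one-line comment above the loop saying that `%%` resource ids and numeric masks are deliberately normalised to the same form would save the next reader a trip to the fixtures; otherwise `masks.add(elem.trim());` keeps the marker in the stored value while `mask` still feeds `Long.decode`.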