
@a03nikki a03nikki commented May 16, 2024

Proposed commit message

Added logic to store the individual winlog.event_data.AccessList and winlog.event_data.AccessMask values as a list of values instead of a multi-line string value.
This brings the format in alignment with the previous Winlogbeat v7 format of these values.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

Author's Checklist

  • My first integrations code change and pull request was done correctly

How to test this PR locally

elastic-package test

Related issues

Screenshots

This was found while comparing Winlogbeat 7.10.1 output to Elastic Agent v8.12.1 with System integration version approximately 1.48.1.

Winlogbeat v7.10.1 documents for event code 4674 had this:

"AccessMask": ["1537", "1538", "1539", "1540", "1541", "4528", "4529"]

But Elastic Agent v8.12.1 had this:

"AccessMask": "%%1537\n\t\t\t\t%%1538\n\t\t\t\t%%1539\n\t\t\t\t%%1540\n\t\t\t\t%%1541\n\t\t\t\t%%4528\n\t\t\t\t%%4529\n\t\t\t\t"

After this Elasticsearch ingest pipeline change, the Elastic Agent output should return to a list of values again, like Winlogbeat.
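As an added illustration of the normalisation the PR describes (this is not the integration's own ingest pipeline code), the function below turns the multi-line `%%`-prefixed string shown above into the Winlogbeat 7 list shape, and is safe to apply to a value that is already a list. The sample string is constructed from the PR description; the function and field handling are assumptions, not the pipeline's processors.

```python
import re
from typing import List, Optional, Union

# Constructed sample in the shape the PR shows for Elastic Agent 8.12.1, event 4674:
# one %%-prefixed code per line, newline plus tab indentation between codes,
# and a trailing "\n\t\t\t\t" that would otherwise yield an empty element.
AGENT_ACCESS_MASK = (
    "%%1537\n\t\t\t\t%%1538\n\t\t\t\t%%1539\n\t\t\t\t%%1540\n\t\t\t\t"
    "%%1541\n\t\t\t\t%%4528\n\t\t\t\t%%4529\n\t\t\t\t"
)

_CODE = re.compile(r"^%%(\d+)$")  # a single message-table reference like %%1537


def split_access_values(value: Union[str, List[str], None]) -> List[str]:
    """Normalise winlog.event_data.AccessMask / AccessList to a list of bare codes.

    A multi-line string is split on newlines, each element is stripped of the
    tab indentation, empty tails are dropped, and the %% prefix is removed.
    A list input gets the same per-element cleaning, so running this twice
    (or on Winlogbeat 7 data) is a no-op rather than a corruption.
    """
    if value is None:
        return []
    parts = value if isinstance(value, list) else value.split("\n")
    out: List[str] = []
    for raw in parts:
        token = raw.strip()
        if not token:
            continue  # empty element from the trailing "\n\t\t\t\t"
        m = _CODE.match(token)
        # Keep an unexpected token verbatim rather than dropping it: losing
        # an access right from an audit event is worse than an odd string.
        out.append(m.group(1) if m else token)
    return out


def normalise_event_data(event_data: dict) -> dict:
    """Apply the split to both fields the PR touches; other keys are untouched."""
    fixed = dict(event_data)
    for field in ("AccessMask", "AccessList"):
        if field in fixed:
            fixed[field] = split_access_values(fixed[field])
    return fixed


if __name__ == "__main__":
    print(split_access_values(AGENT_ACCESS_MASK))
```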

@a03nikki a03nikki added bug Something isn't working, use only for issues Integration:system System labels May 16, 2024
@a03nikki a03nikki self-assigned this May 16, 2024
@a03nikki a03nikki requested review from a team as code owners May 16, 2024 23:27
@a03nikki a03nikki changed the title [System.Secuirty] For Windows, store the split access mask values [System.Security] For Windows, store the split access mask values May 16, 2024

a03nikki commented May 17, 2024

I'm finding out if AccessList should be fixed too per the user that I was talking with.

a03nikki commented

I'm finding out if AccessList should be fixed too per the user that I was talking with.

I confirmed they would like the AccessList to be brought back into alignment as well. Change has been pushed to this pull request now.

@a03nikki a03nikki changed the title [System.Security] For Windows, store the split access mask values [System.Security] For Windows, store the split access list and mask values May 24, 2024
botelastic bot commented Jun 23, 2024

Hi! We just realized that we haven't looked into this PR in a while. We're sorry! We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1. Thank you for your contribution!

@botelastic botelastic bot added the Stalled label Jun 23, 2024
@andrewkroh andrewkroh added the Team:Security-Windows Platform Security Windows Platform team [elastic/sec-windows-platform] label Jul 19, 2024
Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform)

@botelastic botelastic bot removed the Stalled label Jul 19, 2024
@andrewkroh andrewkroh added bugfix Pull request that fixes a bug issue and removed bug Something isn't working, use only for issues labels Aug 19, 2024
botelastic bot commented Sep 18, 2024

Hi! We just realized that we haven't looked into this PR in a while. We're sorry! We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1. Thank you for your contribution!

@botelastic botelastic bot added the Stalled label Sep 18, 2024
@botelastic botelastic bot removed the Stalled label Oct 10, 2024
💚 Build Succeeded

cc @a03nikki

@a03nikki a03nikki merged commit 4eec18d into main Oct 13, 2024
5 checks passed
@a03nikki a03nikki deleted the store-split-access-mask-values branch October 13, 2024 15:55
@elastic-vault-github-plugin-prod

Package system - 1.61.1 containing this change is available at https://epr.elastic.co/search?package=system

harnish-crest-data pushed a commit to chavdaharnish/integrations that referenced this pull request Feb 4, 2025
…alues (elastic#9907)

* Added logic to store the individual `winlog.event_data.AccessMask` values as a list of values instead of a multi-line string value.

* Updated test for winlog.event_data.AccessMask for split values.

* Updated the change log and manifest version.

* Updated the rest of the test cases for the new format of AccessMask.

* Updated changelog pull request number

* Fixed formatting on changelog.yaml

* Added failing test cases for expected output for AccessList.

* Added logic to the standard system security ingest pipeline to save the AccessList values.

* Increment version number.

* Update packages/system/changelog.yml