Skip to content

Commit

Permalink
[Winlogbeat] Add provider name to Security routing pipeline check (#2…
Browse files Browse the repository at this point in the history
…9781)

- Added the two provider names currently supported by the Security pipeline
to the conditional check in the routing pipeline. These two providers are
"Microsoft-Windows-Eventlog" and "Microsoft-Windows-Security-Auditing".
- This will prevent unsupported providers such as "AD FS" from being
enriched with incorrect information.
  • Loading branch information
taylor-swanson authored Jan 12, 2022
1 parent 3270ae1 commit 56423a0
Show file tree
Hide file tree
Showing 2 changed files with 2 additions and 1 deletion.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -125,6 +125,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d

*Winlogbeat*

- Add provider names to Security pipeline conditional check in routing pipeline. {issue}27288[27288] {pull}29781[29781]

*Functionbeat*

Expand Down
2 changes: 1 addition & 1 deletion x-pack/winlogbeat/module/routing/ingest/routing.yml
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ description: Winlogbeat Routing Pipeline
processors:
- pipeline:
name: '{< IngestPipeline "security" >}'
if: ctx?.winlog?.channel == 'Security'
if: ctx?.winlog?.channel == 'Security' && ['Microsoft-Windows-Eventlog', 'Microsoft-Windows-Security-Auditing'].contains(ctx?.winlog?.provider_name)
- pipeline:
name: '{< IngestPipeline "sysmon" >}'
if: ctx?.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational'
Expand Down

0 comments on commit 56423a0

Please sign in to comment.