[Winlogbeat] Update Sysmon module for v12/13 #21172
Comments

Pinging @elastic/siem (Team:SIEM)

@andrewkroh In the meantime Sysmon13 has been released. This update to Sysmon adds a process image tampering event that reports when the mapped image of a process doesn't match the on-disk image file, or the image file is locked for exclusive access. These indicators are triggered by process hollowing and process herpaderping. This release also includes several bug fixes, including fixes for minor memory leaks.

@jamiehynds Is this on your radar?

@MikePaquette absolutely - I've added it to our planning board. @andrewkroh what do we need to proceed with adding support for the new events added in Sysmon v12/13? I assume some sample events in XML?

#18094 can be used as a guide for this update. Basically add support for the two new event IDs and then diff the schema to look for changes to the existing IDs. For any event IDs that are new or changed, export sample events to an .evtx file to create tests for. Then lastly, sync the changes to the package in elastic/integrations.

This issue doesn't have a

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

Closing this issue in favor of: #24217
Sysmon v12 added event ID 24 which is a ClipboardChanged event. The Winlogbeat Sysmon module should be updated to handle this event ID.
When the clipboard changes the contents are archived to file and an event is generated with information about the activity. The event includes a hash that can be used to access the archived file.
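As an added example (not code from the Winlogbeat Sysmon module or from this issue), here is the shape that handling the two new event IDs could take, written as plain JavaScript over an event in the winlog.event_id / winlog.event_data form Winlogbeat emits. The event_data field names are Sysmon's own; the ECS target names, the category/type labels and the sample values are my assumptions.

```javascript
"use strict";

// Parse Sysmon's "SHA256=...,MD5=..." Hashes string into ECS-style hash.* keys.
function parseHashes(hashes) {
  const out = {};
  for (const part of (hashes || "").split(",")) {
    const [algo, value] = part.split("=");
    if (algo && value) out[algo.trim().toLowerCase()] = value.trim().toLowerCase();
  }
  return out;
}

// Map the Sysmon v12/v13 event IDs this issue is about onto ECS-style fields.
// Returns null for any other ID so existing module logic can keep handling it.
function enrichSysmonEvent(evt) {
  const d = evt.winlog.event_data || {};
  const ecs = {
    event: { category: ["process"], type: ["change"] },
    process: { pid: Number(d.ProcessId), executable: d.Image, entity_id: d.ProcessGuid },
  };
  switch (evt.winlog.event_id) {
    case 24: // ClipboardChange: contents were archived; Hashes identifies the archived file
      ecs.event.action = "Clipboard Change";
      ecs.hash = parseHashes(d.Hashes);
      // event_data values arrive as strings, so "true"/"false" needs converting (assumption)
      ecs.sysmon = { archived: d.Archived === "true", session: d.Session, client_info: d.ClientInfo };
      return ecs;
    case 25: // ProcessTampering: mapped image differs from disk or image is locked
      ecs.event.action = "Process Tampering";
      ecs.sysmon = { tamper_type: d.Type };
      return ecs;
    default:
      return null;
  }
}

// Constructed sample events (not captured from a real host); hash value is a placeholder.
const SAMPLE_CLIPBOARD = { winlog: { event_id: 24, event_data: {
  ProcessId: "4242", Image: "C:\\Windows\\System32\\notepad.exe", ProcessGuid: "{constructed-guid}",
  Session: "1", ClientInfo: "user: EXAMPLE\\alice", Hashes: "SHA256=abc123def456", Archived: "true" } } };
const SAMPLE_TAMPER = { winlog: { event_id: 25, event_data: {
  ProcessId: "1337", Image: "C:\\Temp\\example.exe", ProcessGuid: "{constructed-guid-2}",
  Type: "Image is replaced" } } };

function demo() {
  return [enrichSysmonEvent(SAMPLE_CLIPBOARD), enrichSysmonEvent(SAMPLE_TAMPER)];
}
```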