diff --git a/packages/windows/changelog.yml b/packages/windows/changelog.yml
index 0f6214979de..79e83d16692 100644
--- a/packages/windows/changelog.yml
+++ b/packages/windows/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.14.0"
+ changes:
+ - description: Use MemberSid to enrich for user name and domain where possible.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/3707
 - version: "1.13.0"
 changes:
 - description: Added Processors for service datatstream.
diff --git a/packages/windows/data_stream/forwarded/agent/stream/winlog.yml.hbs b/packages/windows/data_stream/forwarded/agent/stream/winlog.yml.hbs
index 965be31d600..3d1241f4091 100644
--- a/packages/windows/data_stream/forwarded/agent/stream/winlog.yml.hbs
+++ b/packages/windows/data_stream/forwarded/agent/stream/winlog.yml.hbs
@@ -21,7 +21,14 @@ include_xml: true
 {{#contains "forwarded" tags}}
 publisher_pipeline.disable_host: true
 {{/contains}}
-{{#if processors.length}}
 processors:
+ - translate_sid:
+ field: winlog.event_data.MemberSid
+ account_name_target: winlog.event_data._MemberUserName
+ domain_target: winlog.event_data._MemberDomain
+ account_type_target: winlog.event_data._MemberAccountType
+ ignore_missing: true
+ ignore_failure: true
+{{#if processors.length}}
 {{processors}}
 {{/if}}
diff --git a/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/default.yml b/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/default.yml
index 6a274d1d5a7..f63261eb8e2 100644
--- a/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/default.yml
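Review bot: The `translate_sid` processor added under `processors:` resolves `winlog.event_data.MemberSid` on the host running the agent, but the forwarded data stream carries events that originated on other machines, so a SID from another domain or a machine-local SID of the source host may fail to resolve or resolve to a different account than it would on the originating host; a one-line comment above the processor, `# SID lookup runs on the collecting agent host, not on the event source`, would make that visible to operators reading the enrichment. With both `ignore_missing: true` and `ignore_failure: true`, an absent or unresolvable SID leaves no trace in the event, so the absence of `_MemberUserName`/`_MemberDomain` is the only signal a lookup did not happen. The same processor block is added to the powershell, powershell_operational and sysmon_operational stream templates in later hunks; the powershell_operational copy lacks the `field` option, which is raised on that hunk.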
@@ -13,6 +13,31 @@ processors:
 - pipeline:
 name: '{{ IngestPipeline "sysmon_operational" }}'
 if: ctx?.winlog?.channel != null && ctx?.winlog?.channel == "Microsoft-Windows-Sysmon/Operational"
+
+ # Get user details from the translate_sid processor enrichment
+ # if they are available and we don't already have them.
+ - rename:
+ field: winlog.event_data._MemberUserName
+ target_field: user.name
+ ignore_failure: true
+ ignore_missing: true
+ - rename:
+ field: winlog.event_data._MemberDomain
+ target_field: user.domain
+ ignore_failure: true
+ ignore_missing: true
+ - append:
+ value: '{{{winlog.event_data._MemberAccountType}}}'
+ field: user.roles
+ ignore_failure: true
+ allow_duplicates: false
+ if: ctx.winlog?.event_data?._MemberAccountType != null
+ - remove:
+ field: winlog.event_data._MemberAccountType
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx.user?.roles != null && ctx.winlog?.event_data?._MemberAccountType != null && ctx.user.roles.contains(ctx.winlog.event_data._MemberAccountType)
+
 on_failure:
 - set:
 field: "error.message"
diff --git a/packages/windows/data_stream/powershell/agent/stream/winlog.yml.hbs b/packages/windows/data_stream/powershell/agent/stream/winlog.yml.hbs
index 8695fa23005..04490e72ae4 100644
--- a/packages/windows/data_stream/powershell/agent/stream/winlog.yml.hbs
+++ b/packages/windows/data_stream/powershell/agent/stream/winlog.yml.hbs
@@ -18,7 +18,14 @@ tags:
 {{#if preserve_original_event}}
 include_xml: true
 {{/if}}
-{{#if processors.length}}
 processors:
+ - translate_sid:
+ field: winlog.event_data.MemberSid
+ account_name_target: winlog.event_data._MemberUserName
+ domain_target: winlog.event_data._MemberDomain
+ account_type_target: winlog.event_data._MemberAccountType
+ ignore_missing: true
+ ignore_failure: true
+{{#if processors.length}}
 {{processors}}
 {{/if}}
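Review bot: The two `rename` processors in the forwarded pipeline hunk only implement the "don't already have them" part of their comment by accident: `rename` fails when `user.name` or `user.domain` already exists and `ignore_failure: true` swallows that, which keeps the existing value but leaves `winlog.event_data._MemberUserName` and `_MemberDomain` behind in the indexed document. Either give each rename an explicit guard, `if: ctx.user?.name == null` and `if: ctx.user?.domain == null`, or add a final `remove` with `field: [winlog.event_data._MemberUserName, winlog.event_data._MemberDomain]` and `ignore_missing: true`, so the intent is visible and the temporary fields never reach the index. The `remove` for `_MemberAccountType` is conditioned on the value being present in `user.roles`, so if the `append` fails the field likewise survives. The same block is added to the powershell, powershell_operational and sysmon_operational pipelines in the following hunks. Mapping the resolved member to `user.name` presumes MemberSid denotes the user the event is about, which is worth confirming against the event IDs that carry that field.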
diff --git a/packages/windows/data_stream/powershell/elasticsearch/ingest_pipeline/default.yml b/packages/windows/data_stream/powershell/elasticsearch/ingest_pipeline/default.yml
index fc3c153fe15..576141f63eb 100644
--- a/packages/windows/data_stream/powershell/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/windows/data_stream/powershell/elasticsearch/ingest_pipeline/default.yml
@@ -117,6 +117,29 @@ processors:
 ignore_failure: true
 allow_duplicates: false
 if: ctx?.user?.name != null
+ # Get user details from the translate_sid processor enrichment
+ # if they are available and we don't already have them.
+ - rename:
+ field: winlog.event_data._MemberUserName
+ target_field: user.name
+ ignore_failure: true
+ ignore_missing: true
+ - rename:
+ field: winlog.event_data._MemberDomain
+ target_field: user.domain
+ ignore_failure: true
+ ignore_missing: true
+ - append:
+ value: '{{{winlog.event_data._MemberAccountType}}}'
+ field: user.roles
+ ignore_failure: true
+ allow_duplicates: false
+ if: ctx.winlog?.event_data?._MemberAccountType != null
+ - remove:
+ field: winlog.event_data._MemberAccountType
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx.user?.roles != null && ctx.winlog?.event_data?._MemberAccountType != null && ctx.user.roles.contains(ctx.winlog.event_data._MemberAccountType)
 ## PowerShell fields.
diff --git a/packages/windows/data_stream/powershell_operational/agent/stream/winlog.yml.hbs b/packages/windows/data_stream/powershell_operational/agent/stream/winlog.yml.hbs
index 55799473ece..5628975e703 100644
--- a/packages/windows/data_stream/powershell_operational/agent/stream/winlog.yml.hbs
+++ b/packages/windows/data_stream/powershell_operational/agent/stream/winlog.yml.hbs
@@ -18,7 +18,13 @@ tags:
 {{#if preserve_original_event}}
 include_xml: true
 {{/if}}
-{{#if processors.length}}
 processors:
+ - translate_sid:
+ account_name_target: winlog.event_data._MemberUserName
+ domain_target: winlog.event_data._MemberDomain
+ account_type_target: winlog.event_data._MemberAccountType
+ ignore_missing: true
+ ignore_failure: true
+{{#if processors.length}}
 {{processors}}
 {{/if}}
diff --git a/packages/windows/data_stream/powershell_operational/elasticsearch/ingest_pipeline/default.yml b/packages/windows/data_stream/powershell_operational/elasticsearch/ingest_pipeline/default.yml
index 16d21d8fe82..79c2948a4aa 100644
--- a/packages/windows/data_stream/powershell_operational/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/windows/data_stream/powershell_operational/elasticsearch/ingest_pipeline/default.yml
@@ -171,6 +171,29 @@ processors:
 ignore_failure: true
 ignore_empty_value: true
 if: ctx?.source?.user != null
+ # Get user details from the translate_sid processor enrichment
+ # if they are available and we don't already have them.
+ - rename:
+ field: winlog.event_data._MemberUserName
+ target_field: user.name
+ ignore_failure: true
+ ignore_missing: true
+ - rename:
+ field: winlog.event_data._MemberDomain
+ target_field: user.domain
+ ignore_failure: true
+ ignore_missing: true
+ - append:
+ value: '{{{winlog.event_data._MemberAccountType}}}'
+ field: user.roles
+ ignore_failure: true
+ allow_duplicates: false
+ if: ctx.winlog?.event_data?._MemberAccountType != null
+ - remove:
+ field: winlog.event_data._MemberAccountType
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx.user?.roles != null && ctx.winlog?.event_data?._MemberAccountType != null && ctx.user.roles.contains(ctx.winlog.event_data._MemberAccountType)
 ## PowerShell fields.
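Review bot: The `translate_sid` processor added in the powershell_operational stream template has no `field:` entry, unlike the same block in the forwarded, powershell and sysmon_operational templates, which all set `field: winlog.event_data.MemberSid`; the hunk header's `+13` against the other templates' `+14` confirms the line is missing rather than collapsed. Without a source field the processor has no SID to look up, so depending on how `translate_sid` validates its configuration the agent will either reject this stream's config or run the processor as a no-op, and in both cases the `_MemberUserName`/`_MemberDomain` enrichment this commit relies on in the matching ingest pipeline never appears for this data stream. Add `field: winlog.event_data.MemberSid` directly under `- translate_sid:` to match the other templates.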
diff --git a/packages/windows/data_stream/sysmon_operational/agent/stream/winlog.yml.hbs b/packages/windows/data_stream/sysmon_operational/agent/stream/winlog.yml.hbs
index 7795afb123d..0e0301e0cae 100644
--- a/packages/windows/data_stream/sysmon_operational/agent/stream/winlog.yml.hbs
+++ b/packages/windows/data_stream/sysmon_operational/agent/stream/winlog.yml.hbs
@@ -18,7 +18,14 @@ tags:
 {{#if preserve_original_event}}
 include_xml: true
 {{/if}}
-{{#if processors.length}}
 processors:
+ - translate_sid:
+ field: winlog.event_data.MemberSid
+ account_name_target: winlog.event_data._MemberUserName
+ domain_target: winlog.event_data._MemberDomain
+ account_type_target: winlog.event_data._MemberAccountType
+ ignore_missing: true
+ ignore_failure: true
+{{#if processors.length}}
 {{processors}}
 {{/if}}
diff --git a/packages/windows/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml b/packages/windows/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml
index 843d73b827c..5eef7930485 100644
--- a/packages/windows/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/windows/data_stream/sysmon_operational/elasticsearch/ingest_pipeline/default.yml
@@ -851,6 +851,29 @@ processors:
 ignore_failure: true
 ignore_empty_value: true
 if: ctx?._temp?.user_parts != null && ctx._temp.user_parts.size() == 2
+ # Get user details from the translate_sid processor enrichment
+ # if they are available and we don't already have them.
+ - rename:
+ field: winlog.event_data._MemberUserName
+ target_field: user.name
+ ignore_failure: true
+ ignore_missing: true
+ - rename:
+ field: winlog.event_data._MemberDomain
+ target_field: user.domain
+ ignore_failure: true
+ ignore_missing: true
+ - append:
+ value: '{{{winlog.event_data._MemberAccountType}}}'
+ field: user.roles
+ ignore_failure: true
+ allow_duplicates: false
+ if: ctx.winlog?.event_data?._MemberAccountType != null
+ - remove:
+ field: winlog.event_data._MemberAccountType
+ ignore_missing: true
+ ignore_failure: true
+ if: ctx.user?.roles != null && ctx.winlog?.event_data?._MemberAccountType != null && ctx.user.roles.contains(ctx.winlog.event_data._MemberAccountType)
 ## Sysmon fields
diff --git a/packages/windows/manifest.yml b/packages/windows/manifest.yml
index 8c592bda67a..086739c989c 100644
--- a/packages/windows/manifest.yml
+++ b/packages/windows/manifest.yml
@@ -1,6 +1,6 @@
 name: windows
 title: Windows
-version: 1.13.0
+version: 1.14.0
 description: Collect logs and metrics from Windows OS and services with Elastic Agent.
 type: integration
 categories: