elastic · efd6 · Jul 15, 2022 · Jul 14, 2022 · Jul 14, 2022
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.14.0"
+  changes:
+    - description: Use MemberSid to enrich for user name and domain where possible.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/3707
 - version: "1.13.0"
   changes:
     - description: Added Processors for service datatstream.

@@ -21,7 +21,13 @@ include_xml: true
 {{#contains "forwarded" tags}}
 publisher_pipeline.disable_host: true
 {{/contains}}
-{{#if processors.length}}
 processors:
+  - translate_sid:
+      field: winlog.event_data.MemberSid
+      account_name_target: _user.name
+      domain_target: _user.domain
+      ignore_missing: true
+      ignore_failure: true
+{{#if processors.length}}
 {{processors}}
 {{/if}}
@@ -13,6 +13,23 @@ processors:
   - pipeline:
       name: '{{ IngestPipeline "sysmon_operational" }}'
       if: ctx?.winlog?.channel != null && ctx?.winlog?.channel == "Microsoft-Windows-Sysmon/Operational"
+
+  # Get user details from the translate_sid processor enrichment
+  # if they are available and we don't already have them.
+  - rename:
+      field: _user.name
+      target_field: user.name
+      ignore_failure: true
+      ignore_missing: true
+  - rename:
+      field: _user.domain
+      target_field: user.domain
+      ignore_failure: true
+      ignore_missing: true
+  - remove:
+      field: _user
+      ignore_missing: true
+
 on_failure:
   - set:
       field: "error.message"

@@ -18,7 +18,13 @@ tags:
 {{#if preserve_original_event}}
 include_xml: true
 {{/if}}
-{{#if processors.length}}
 processors:
+  - translate_sid:
+      field: winlog.event_data.MemberSid
+      account_name_target: _user.name
+      domain_target: _user.domain
+      ignore_missing: true
+      ignore_failure: true
+{{#if processors.length}}
 {{processors}}
 {{/if}}
@@ -117,6 +117,18 @@ processors:
       ignore_failure: true
       allow_duplicates: false
       if: ctx?.user?.name != null
+  # Get user details from the translate_sid processor enrichment
+  # if they are available and we don't already have them.
+  - rename:
+      field: _user.name
+      target_field: user.name
+      ignore_failure: true
+      ignore_missing: true
+  - rename:
+      field: _user.domain
+      target_field: user.domain
+      ignore_failure: true
+      ignore_missing: true
 
   ## PowerShell fields.
 
@@ -402,6 +414,7 @@ processors:
   - remove:
       field:
         - _temp
+        - _user
         - winlog.event_data.param1
         - winlog.event_data.param2
         - winlog.event_data.param3

@@ -18,7 +18,13 @@ tags:
 {{#if preserve_original_event}}
 include_xml: true
 {{/if}}
-{{#if processors.length}}
 processors:
+  - translate_sid:
+      field: winlog.event_data.MemberSid
+      account_name_target: _user.name
+      domain_target: _user.domain
+      ignore_missing: true
+      ignore_failure: true
+{{#if processors.length}}
 {{processors}}
 {{/if}}
@@ -171,6 +171,18 @@ processors:
       ignore_failure: true
       ignore_empty_value: true
       if: ctx?.source?.user != null
+  # Get user details from the translate_sid processor enrichment
+  # if they are available and we don't already have them.
+  - rename:
+      field: _user.name
+      target_field: user.name
+      ignore_failure: true
+      ignore_missing: true
+  - rename:
+      field: _user.domain
+      target_field: user.domain
+      ignore_failure: true
+      ignore_missing: true
 
   ## PowerShell fields.
 
@@ -460,6 +472,7 @@ processors:
   - remove:
       field:
         - _temp
+        - _user
         - winlog.event_data.SequenceNumber
         - winlog.event_data.User
         - winlog.event_data.ConnectedUser

@@ -18,7 +18,13 @@ tags:
 {{#if preserve_original_event}}
 include_xml: true
 {{/if}}
-{{#if processors.length}}
 processors:
+  - translate_sid:
+      field: winlog.event_data.MemberSid
+      account_name_target: _user.name
+      domain_target: _user.domain
+      ignore_missing: true
+      ignore_failure: true
+{{#if processors.length}}
 {{processors}}
 {{/if}}
@@ -851,6 +851,18 @@ processors:
       ignore_failure: true
       ignore_empty_value: true
       if: ctx?._temp?.user_parts != null && ctx._temp.user_parts.size() == 2
+  # Get user details from the translate_sid processor enrichment
+  # if they are available and we don't already have them.
+  - rename:
+      field: _user.name
+      target_field: user.name
+      ignore_failure: true
+      ignore_missing: true
+  - rename:
+      field: _user.domain
+      target_field: user.domain
+      ignore_failure: true
+      ignore_missing: true
 
 ## Sysmon fields
 
@@ -1199,6 +1211,7 @@ processors:
   - remove:
       field:
         - _temp
+        - _user
         - winlog.event_data.ProcessId
         - winlog.event_data.ParentProcessId
         - winlog.event_data.SourceProcessId

@@ -1,6 +1,6 @@
 name: windows
 title: Windows
-version: 1.13.0
+version: 1.14.0
 description: Collect logs and metrics from Windows OS and services with Elastic Agent.
 type: integration
 categories: