x-pack/winlogbeat/module/sysmon: Add event.category and event.type to Sysmon (#35193)

* Add event.category and event.type to Sysmon

* Add changelog

* mage update
kcreddy authored and chrisberkhout committed Jun 1, 2023
1 parent 48b2ab1 commit 4c504e4
Showing 5 changed files with 206 additions and 1 deletion.
1 change: 1 addition & 0 deletions CHANGELOG.next.asciidoc
@@ -34,6 +34,7 @@ https://github.com/elastic/beats/compare/v8.2.0\...main[Check the HEAD diff]
- Corrects issue with security events with source IP of "LOCAL" or "Unknown" failing to ingest {issue}19627[19627] {pull}34295[34295]
- Added processing for Windows Event ID's 4797, 5379, 5380, 5381, and 5382 for the Security Ingest Pipeline {issue}34293[34293] {pull}34294[34294]
- Added processing for Windows Event ID's 5140 and 5145 for the Security Ingest Pipeline {pull}34352[34352]
- Add "event.category" and "event.type" to Sysmon module for EventIDs 8, 9, 19, 20, 27, 28, 255 {pull}35193[35193]

*Functionbeat*

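Review bot: the wording of the new entry does not match the neighbouring entries in this section, which are written in the past tense ("Added processing for Windows Event ID's ..."), and "EventIDs" should read "event IDs"; suggest "- Added "event.category" and "event.type" to Sysmon module for event IDs 8, 9, 19, 20, 27, 28 and 255 {pull}35193[35193]". Nothing else on this page shows the Sysmon module change itself, so the list of event IDs cannot be cross-checked here against the pipeline that assigns the values.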
36 changes: 36 additions & 0 deletions winlogbeat/_meta/fields.common.yml
@@ -93,8 +93,14 @@
type: keyword
- name: BuildVersion
type: keyword
- name: CallTrace
type: keyword
- name: ClientInfo
type: keyword
- name: Company
type: keyword
- name: Configuration
type: keyword
- name: CorruptionActionState
type: keyword
- name: CreationUtcTime
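Review bot: these keys land in the shared winlog.event_data mapping in winlogbeat/_meta/fields.common.yml, not in the Sysmon module the commit title names, so generic names such as Company and Configuration (and Name, Type, Query, Session, Operation further down this file) become keyword-mapped for every provider whose EventData carries a Data element of that name. That is how the existing entries already work, but the commit message mentions only Sysmon; say in the commit body that the common field list was extended, and confirm no other module already maps one of these names with a different type.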
@@ -123,6 +129,10 @@
type: keyword
- name: EntryCount
type: keyword
- name: EventType
type: keyword
- name: EventNamespace
type: keyword
- name: ExtraInfo
type: keyword
- name: FailureName
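Review bot: EventType is inserted ahead of EventNamespace, which breaks the alphabetical order the rest of this list keeps (EntryCount, Event..., ExtraInfo, FailureName); swap the two entries. The generated fields.asciidoc reproduces the same order, so rerun mage update after the fix so the docs follow.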
@@ -133,6 +143,8 @@
type: keyword
- name: FinalStatus
type: keyword
- name: GrantedAccess
type: keyword
- name: Group
type: keyword
- name: IdleImplementation
@@ -177,12 +189,16 @@
type: keyword
- name: MinorVersion
type: keyword
- name: Name
type: keyword
- name: NewProcessId
type: keyword
- name: NewProcessName
type: keyword
- name: NewSchemeGuid
type: keyword
- name: NewThreadId
type: keyword
- name: NewTime
type: keyword
- name: NominalFrequency
@@ -193,6 +209,8 @@
type: keyword
- name: OldTime
type: keyword
- name: Operation
type: keyword
- name: OriginalFileName
type: keyword
- name: Path
@@ -221,6 +239,8 @@
type: keyword
- name: QfeVersion
type: keyword
- name: Query
type: keyword
- name: Reason
type: keyword
- name: SchemaVersion
@@ -231,6 +251,8 @@
type: keyword
- name: ServiceVersion
type: keyword
- name: Session
type: keyword
- name: ShutdownActionType
type: keyword
- name: ShutdownEventCode
@@ -243,6 +265,12 @@
type: keyword
- name: Signed
type: keyword
- name: StartAddress
type: keyword
- name: StartFunction
type: keyword
- name: StartModule
type: keyword
- name: StartTime
type: keyword
- name: State
@@ -263,12 +291,18 @@
type: keyword
- name: TargetDomainName
type: keyword
- name: TargetImage
type: keyword
- name: TargetInfo
type: keyword
- name: TargetLogonGuid
type: keyword
- name: TargetLogonId
type: keyword
- name: TargetProcessGUID
type: keyword
- name: TargetProcessId
type: keyword
- name: TargetServerName
type: keyword
- name: TargetUserName
Expand All @@ -281,6 +315,8 @@
type: keyword
- name: TransmittedServices
type: keyword
- name: Type
type: keyword
- name: UserSid
type: keyword
- name: Version
126 changes: 126 additions & 0 deletions winlogbeat/docs/fields.asciidoc
@@ -16410,13 +16410,34 @@ type: keyword
--
*`winlog.event_data.CallTrace`*::
+
--
type: keyword
--
*`winlog.event_data.ClientInfo`*::
+
--
type: keyword
--
*`winlog.event_data.Company`*::
+
--
type: keyword
--
*`winlog.event_data.Configuration`*::
+
--
type: keyword
--
*`winlog.event_data.CorruptionActionState`*::
+
--
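Review bot: every new entry here carries only "type: keyword" because the yml source has no description, so nothing tells a reader which Sysmon event produces CallTrace or ClientInfo. This file is generated by mage update, so the place to fix that is a one-line description on the corresponding entries in winlogbeat/_meta/fields.common.yml; it would then propagate here on regeneration.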
@@ -16515,6 +16536,20 @@ type: keyword
--
*`winlog.event_data.EventType`*::
+
--
type: keyword
--
*`winlog.event_data.EventNamespace`*::
+
--
type: keyword
--
*`winlog.event_data.ExtraInfo`*::
+
--
@@ -16550,6 +16585,13 @@ type: keyword
--
*`winlog.event_data.GrantedAccess`*::
+
--
type: keyword
--
*`winlog.event_data.Group`*::
+
--
@@ -16704,6 +16746,13 @@ type: keyword
--
*`winlog.event_data.Name`*::
+
--
type: keyword
--
*`winlog.event_data.NewProcessId`*::
+
--
@@ -16725,6 +16774,13 @@ type: keyword
--
*`winlog.event_data.NewThreadId`*::
+
--
type: keyword
--
*`winlog.event_data.NewTime`*::
+
--
@@ -16760,6 +16816,13 @@ type: keyword
--
*`winlog.event_data.Operation`*::
+
--
type: keyword
--
*`winlog.event_data.OriginalFileName`*::
+
--
@@ -16858,6 +16921,13 @@ type: keyword
--
*`winlog.event_data.Query`*::
+
--
type: keyword
--
*`winlog.event_data.Reason`*::
+
--
@@ -16893,6 +16963,13 @@ type: keyword
--
*`winlog.event_data.Session`*::
+
--
type: keyword
--
*`winlog.event_data.ShutdownActionType`*::
+
--
@@ -16935,6 +17012,27 @@ type: keyword
--
*`winlog.event_data.StartAddress`*::
+
--
type: keyword
--
*`winlog.event_data.StartFunction`*::
+
--
type: keyword
--
*`winlog.event_data.StartModule`*::
+
--
type: keyword
--
*`winlog.event_data.StartTime`*::
+
--
@@ -17005,6 +17103,13 @@ type: keyword
--
*`winlog.event_data.TargetImage`*::
+
--
type: keyword
--
*`winlog.event_data.TargetInfo`*::
+
--
@@ -17026,6 +17131,20 @@ type: keyword
--
*`winlog.event_data.TargetProcessGUID`*::
+
--
type: keyword
--
*`winlog.event_data.TargetProcessId`*::
+
--
type: keyword
--
*`winlog.event_data.TargetServerName`*::
+
--
@@ -17068,6 +17187,13 @@ type: keyword
--
*`winlog.event_data.Type`*::
+
--
type: keyword
--
*`winlog.event_data.UserSid`*::
+
--
2 changes: 1 addition & 1 deletion winlogbeat/include/fields.go

Large diffs are not rendered by default.
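Review bot: fields.go is generated, and a 1 addition / 1 deletion diff is consistent with the embedded field definitions having been regenerated, but it is not rendered here and neither is the fifth changed file, the x-pack/winlogbeat/module/sysmon change that actually assigns event.category and event.type. Make sure mage update was run after the final edit to fields.common.yml so this file matches it, and review the module change separately, since this page gives no way to check the category and type values chosen for the listed event IDs.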