[Enhancement] Add ".caseless" fields to process events (#10533)
[Enhancement] Add ".caseless" fields to process events
w0rk3r authored Jul 26, 2024
1 parent b2e2413 commit 154c06a
Showing 9 changed files with 66 additions and 2 deletions.
5 changes: 5 additions & 0 deletions packages/system/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "1.60.0"
changes:
- description: Add caseless fields to process events.
type: enhancement
link: https://github.com/elastic/integrations/pull/10533
- version: "1.59.4"
changes:
- description: Mark system.diskio data stream as requires root
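Review bot: the description "Add caseless fields to process events." does not say which data stream or fields are affected, and in this package the change is limited to `process.name` and `process.executable` in the security data stream (packages/system/data_stream/security/fields/ecs.yml). Naming them in the entry, for example "Add lowercase-normalized `.caseless` multi-fields for process.name and process.executable to the security data stream", lets someone reading the changelog know whether their rules can rely on the new sub-fields without opening the diff.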
18 changes: 18 additions & 0 deletions packages/system/data_stream/security/fields/ecs.yml
@@ -0,0 +1,18 @@
- external: ecs
name: process.executable
multi_fields:
- name: caseless
ignore_above: 1024
normalizer: lowercase
type: keyword
- name: text
type: match_only_text
- external: ecs
name: process.name
multi_fields:
- name: caseless
ignore_above: 1024
normalizer: lowercase
type: keyword
- name: text
type: match_only_text
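Review bot: the `text` multi-field is re-declared here alongside the new `caseless` one, presumably because a local `multi_fields` block replaces rather than extends the multi-fields that `external: ecs` would otherwise bring in; a one-line YAML comment saying so would stop a later cleanup from deleting the apparently redundant `- name: text` entry and silently dropping `process.name.text`. Since this is a brand-new file for the security data stream, it is also worth confirming that this data stream's ingest pipeline actually sets `process.name` and `process.executable`; a declared mapping that no pipeline populates is harmless but makes the README advertise fields that are always empty.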
6 changes: 6 additions & 0 deletions packages/system/docs/README.md
@@ -515,6 +515,12 @@ Please refer to the following [document](https://www.elastic.co/guide/en/ecs/cur
| host.os.build | OS build information. | keyword |
| host.os.codename | OS codename, if any. | keyword |
| input.type | Type of Filebeat input. | keyword |
| process.executable | Absolute path to the process executable. | keyword |
| process.executable.caseless | Multi-field of `process.executable`. | keyword |
| process.executable.text | Multi-field of `process.executable`. | match_only_text |
| process.name | Process name. Sometimes called program name or similar. | keyword |
| process.name.caseless | Multi-field of `process.name`. | keyword |
| process.name.text | Multi-field of `process.name`. | match_only_text |
| winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword |
| winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. | keyword |
| winlog.channel | The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. | keyword |
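Review bot: the generated description "Multi-field of `process.executable`." gives the reader no way to tell `.caseless` from `.text`, and the lowercase normalizer is the whole point of the change. Since these rows come from ecs.yml, add a sentence to the README prose (or the data stream's docs template) stating that `.caseless` is a keyword normalized to lowercase at index and query time, intended for case-insensitive exact matches such as `process.name.caseless : "cmd.exe"`, while `.text` is an analyzed field for full-text search.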
2 changes: 1 addition & 1 deletion packages/system/manifest.yml
@@ -1,7 +1,7 @@
format_version: 3.0.2
name: system
title: System
version: "1.59.4"
version: "1.60.0"
description: Collect system logs and metrics from your servers with Elastic Agent.
type: integration
categories:
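Review bot: the minor bump from 1.59.4 to 1.60.0 is the right level for a mapping addition, but the release note should warn that a new multi-field only applies to documents indexed after the mapping change; events already stored in the security data stream will not be found by a query on `process.name.caseless` or `process.executable.caseless` until they are reindexed, so rules switched over to the `.caseless` fields will have a blind spot over historical data.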
5 changes: 5 additions & 0 deletions packages/windows/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "1.47.0"
changes:
- description: Add caseless fields to process events.
type: enhancement
link: https://github.com/elastic/integrations/pull/10533
- version: "1.46.1"
changes:
- description: Convert error.code to string
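Review bot: this entry is word-for-word the same as the system package's, yet here two data streams change (forwarded and sysmon_operational); listing them in the description, since the windows package ships several data streams, tells users which indices gain the `.caseless` sub-fields.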
14 changes: 14 additions & 0 deletions packages/windows/data_stream/forwarded/fields/ecs.yml
@@ -148,6 +148,13 @@
name: process.entity_id
- external: ecs
name: process.executable
multi_fields:
- name: caseless
ignore_above: 1024
normalizer: lowercase
type: keyword
- name: text
type: match_only_text
- external: ecs
name: process.hash.md5
- external: ecs
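Review bot: `ignore_above: 1024` on the `caseless` sub-field means an executable path longer than 1024 characters is not indexed in `process.executable.caseless` at all, so a detection that matches only on the `.caseless` sub-field silently misses such an event. This is the conventional ECS keyword limit, but long, attacker-controlled paths are exactly the case a rule author needs to know about; a comment here or a sentence in the README noting that the parent field and the `.caseless` sub-field can disagree for overlong values would make the trade-off explicit.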
@@ -158,6 +165,13 @@
name: process.hash.sha512
- external: ecs
name: process.name
multi_fields:
- name: caseless
ignore_above: 1024
normalizer: lowercase
type: keyword
- name: text
type: match_only_text
- external: ecs
name: process.parent.args
- external: ecs
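Review bot: `process.name` gains a `.caseless` sub-field here, but the `process.parent.*` fields that follow in this file (`process.parent.args` is the next one visible) are not given the same treatment. A rule that matches the child process case-insensitively and the parent case-sensitively is an easy mistake to make once `.caseless` exists; if leaving the parent fields out is deliberate, say so in the PR description, otherwise apply the same `multi_fields` block to the parent name and executable fields.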
14 changes: 14 additions & 0 deletions packages/windows/data_stream/sysmon_operational/fields/ecs.yml
@@ -138,6 +138,13 @@
name: process.entity_id
- external: ecs
name: process.executable
multi_fields:
- name: caseless
ignore_above: 1024
normalizer: lowercase
type: keyword
- name: text
type: match_only_text
- external: ecs
name: process.hash.md5
- external: ecs
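Review bot: this is the third verbatim copy of the same seven-line `multi_fields` block (system/security, windows/forwarded and now sysmon_operational). If the package tooling allows it, factor it into one shared fields definition; if not, add a comment that the copies must stay in sync, because a normalizer or `ignore_above` mismatch between forwarded and sysmon_operational would make the same detection rule behave differently across the two data streams without any error surfacing.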
@@ -148,6 +155,13 @@
name: process.hash.sha512
- external: ecs
name: process.name
multi_fields:
- name: caseless
ignore_above: 1024
normalizer: lowercase
type: keyword
- name: text
type: match_only_text
- external: ecs
name: process.parent.args
- external: ecs
2 changes: 2 additions & 0 deletions packages/windows/docs/README.md
@@ -2530,12 +2530,14 @@ An example event for `sysmon_operational` looks as following:
| process.command_line.text | Multi-field of `process.command_line`. | match_only_text |
| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
| process.executable | Absolute path to the process executable. | keyword |
| process.executable.caseless | Multi-field of `process.executable`. | keyword |
| process.executable.text | Multi-field of `process.executable`. | match_only_text |
| process.hash.md5 | MD5 hash. | keyword |
| process.hash.sha1 | SHA1 hash. | keyword |
| process.hash.sha256 | SHA256 hash. | keyword |
| process.hash.sha512 | SHA512 hash. | keyword |
| process.name | Process name. Sometimes called program name or similar. | keyword |
| process.name.caseless | Multi-field of `process.name`. | keyword |
| process.name.text | Multi-field of `process.name`. | match_only_text |
| process.parent.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword |
| process.parent.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long |
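Review bot: this README records only 2 additions, both in the `sysmon_operational` table, while the `forwarded` data stream's ecs.yml received the identical `.caseless` sub-fields in this same commit. Verify that the forwarded fields table in this README was regenerated, or that the forwarded section intentionally does not list process fields; otherwise the documented mapping and the shipped mapping disagree for one of the two data streams.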
2 changes: 1 addition & 1 deletion packages/windows/manifest.yml
@@ -1,6 +1,6 @@
name: windows
title: Windows
version: 1.46.1
version: 1.47.0
description: Collect logs and metrics from Windows OS and services with Elastic Agent.
type: integration
categories: