elastic / beats

:tropical_fish: Beats - Lightweight shippers for Elasticsearch & Logstash
https://www.elastic.co/products/beats

[Winlogbeat] Update Sysmon module for v11.0 #18094

Closed andrewkroh closed 4 years ago

andrewkroh commented 4 years ago

Sysmon v11.0 was released on April 28, 2020 and includes a new Event ID and a few other minor changes. The Sysmon module in Winlogbeat should be updated.

References

TODO

elasticmachine commented 4 years ago

Pinging @elastic/siem (Team:SIEM)

andrewkroh commented 4 years ago

Here's a sample from Event ID 23 under the current Sysmon module (note the error):

{
  "@timestamp": "2020-04-29T18:54:08.273Z",
  "agent": {
    "ephemeral_id": "04b7fb0c-af8b-4505-a602-6469112f53c3",
    "hostname": "myhost",
    "id": "019d02af-40d1-41cf-9233-fc7250dda03d",
    "type": "winlogbeat",
    "version": "8.0.0"
  },
  "cloud": {
    "availability_zone": "us-central1-a",
    "instance": {
      "id": "123",
      "name": "myhost"
    },
    "machine": {
      "type": "g1-small"
    },
    "project": {
      "id": "project"
    },
    "provider": "gcp"
  },
  "ecs": {
    "version": "1.5.0"
  },
  "error": {
    "message": "unexpected sysmon event_id at C:\\Program Files\\Winlogbeat/module/sysmon/config/winlogbeat-sysmon.js:958:23(18)"
  },
  "event": {
    "action": "File Delete (rule: FileDelete)",
    "code": 23,
    "created": "2020-04-29T18:54:09.191Z",
    "kind": "event",
    "provider": "Microsoft-Windows-Sysmon"
  },
  "host": {
    "architecture": "x86_64",
    "hostname": "myhost",
    "id": "xyz",
    "ip": [
      "fe80::f18d:e1d8:d3cf:da36",
      "10.200.0.12"
    ],
    "mac": [
      "42:01:0a:c8:00:0c"
    ],
    "name": "myhost",
    "os": {
      "build": "17763.1039",
      "family": "windows",
      "kernel": "10.0.17763.1039 (WinBuild.160101.0800)",
      "name": "Windows Server 2019 Datacenter",
      "platform": "windows",
      "version": "10.0"
    }
  },
  "log": {
    "level": "information"
  },
  "message": "File Delete:\nRuleName: -\nUtcTime: 2020-04-29 18:54:08.259\nProcessGuid: {edd932b7-cb4b-5ea9-2b00-000000000800}\nProcessId: 1792\nUser: NT AUTHORITY\\SYSTEM\nImage: C:\\Windows\\System32\\spoolsv.exe\nTargetFilename: C:\\Windows\\System32\\spool\\drivers\\x64\\{4A2BB754-6413-4445-8D8B-6F42020CAAAD}\\tsprint.dll\nHashes: SHA1=64132E602E62EE91151E0CEA4E84C3A6A29DF0E7,MD5=F5BC6B2FBCE0BDDB1532E23D45739443,SHA256=A50A37ED1AD64B0304A5E94B5CA8A326507575727AB7C4B450F2BC110B0E323A,IMPHASH=C83D0EDEB4A96A1E299D9AEB65CD81ED\nIsExecutable: true\nArchived: true",
  "tags": [
    "_js_exception"
  ],
  "winlog": {
    "api": "wineventlog",
    "channel": "Microsoft-Windows-Sysmon/Operational",
    "computer_name": "myhost",
    "event_data": {
      "Archived": "true",
      "Hashes": "SHA1=64132E602E62EE91151E0CEA4E84C3A6A29DF0E7,MD5=F5BC6B2FBCE0BDDB1532E23D45739443,SHA256=A50A37ED1AD64B0304A5E94B5CA8A326507575727AB7C4B450F2BC110B0E323A,IMPHASH=C83D0EDEB4A96A1E299D9AEB65CD81ED",
      "Image": "C:\\Windows\\System32\\spoolsv.exe",
      "IsExecutable": "true",
      "ProcessGuid": "{edd932b7-cb4b-5ea9-2b00-000000000800}",
      "ProcessId": "1792",
      "RuleName": "-",
      "TargetFilename": "C:\\Windows\\System32\\spool\\drivers\\x64\\{4A2BB754-6413-4445-8D8B-6F42020CAAAD}\\tsprint.dll",
      "User": "NT AUTHORITY\\SYSTEM",
      "UtcTime": "2020-04-29 18:54:08.259"
    },
    "event_id": 23,
    "opcode": "Info",
    "process": {
      "pid": 2368,
      "thread": {
        "id": 1360
      }
    },
    "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
    "provider_name": "Microsoft-Windows-Sysmon",
    "record_id": 1405,
    "task": "File Delete (rule: FileDelete)",
    "user": {
      "domain": "NT AUTHORITY",
      "identifier": "S-1-5-18",
      "name": "SYSTEM",
      "type": "User"
    },
    "version": 5
  }
}

marc-gr commented 4 years ago

Here's the diff between the 10.4 and 11 schemas:

https://gist.github.com/marc-gr/bb1f6208b0b761f6f4b9d59939f6e3c8

marc-gr commented 4 years ago

After discussing it with @andrewkroh, it is likely that we do not need to do anything about "Empty strings are replaced with "-" to work around a WEF bug", since it seems unlikely to cause any issues and it is not clear which ones might come like that.
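As an added example, not code from the Beats project or from the commenters in this thread, the following stand-alone JavaScript mapper covers the two points raised above: the `unexpected sysmon event_id` exception that the sample event shows for Event ID 23, and the `-` placeholder that Sysmon 11 writes in place of empty strings. The `normalize`, `parseHashes`, `mapFileDelete` and `mapSysmonEvent` helper names, the `sysmon.is_executable`/`sysmon.archived` field names and the `rule.name` mapping are this example's own assumptions rather than Winlogbeat's schema, and the sample input is a constructed copy of the `event_data` from the sample event in this issue. The real module runs inside Winlogbeat's JavaScript processor; this runs under plain Node.

```javascript
// Sysmon 11 writes "-" where a value is empty (WEF workaround); treat it as absent.
function normalize(value) {
  if (value === undefined || value === null) return undefined;
  const s = String(value).trim();
  return s === "" || s === "-" ? undefined : s;
}

// "SHA1=...,MD5=...,SHA256=...,IMPHASH=..." -> { sha1, md5, sha256, imphash }
function parseHashes(str) {
  const out = {};
  const s = normalize(str);
  if (!s) return out;
  for (const part of s.split(",")) {
    const eq = part.indexOf("=");
    if (eq < 1) continue; // malformed pair: skip it rather than drop the event
    const algo = part.slice(0, eq).trim().toLowerCase();
    const hex = part.slice(eq + 1).trim().toLowerCase();
    if (/^[0-9a-f]+$/.test(hex)) out[algo] = hex;
  }
  return out;
}

// Split a Windows path into ECS file.directory / file.name / file.extension.
function splitWindowsPath(p) {
  const i = Math.max(p.lastIndexOf("\\"), p.lastIndexOf("/"));
  const name = i >= 0 ? p.slice(i + 1) : p;
  const directory = i >= 0 ? p.slice(0, i) : undefined;
  const dot = name.lastIndexOf(".");
  const extension = dot > 0 ? name.slice(dot + 1) : undefined;
  return { directory, name, extension };
}

function parseBool(v) {
  const s = normalize(v);
  return s === undefined ? undefined : s.toLowerCase() === "true";
}

// Event ID 23 (FileDelete). ECS names are used where one exists; the Sysmon-only
// IsExecutable/Archived flags go under an assumed `sysmon` object.
function mapFileDelete(ed) {
  const target = normalize(ed.TargetFilename);
  const file = target ? { path: target, ...splitWindowsPath(target) } : {};
  const hashes = parseHashes(ed.Hashes);
  if (Object.keys(hashes).length > 0) file.hash = hashes;
  const user = {};
  const u = normalize(ed.User);
  if (u) {
    const bs = u.indexOf("\\");
    if (bs >= 0) { user.domain = u.slice(0, bs); user.name = u.slice(bs + 1); }
    else user.name = u;
  }
  const pid = normalize(ed.ProcessId);
  return {
    event: { category: ["file"], type: ["deletion"] },
    file,
    process: {
      pid: pid === undefined ? undefined : Number(pid),
      entity_id: normalize(ed.ProcessGuid),
      executable: normalize(ed.Image),
    },
    user,
    rule: { name: normalize(ed.RuleName) },
    sysmon: { is_executable: parseBool(ed.IsExecutable), archived: parseBool(ed.Archived) },
  };
}

// Dispatch on winlog.event_id. An unknown ID is recorded as an error plus a tag
// so the event is still indexed, instead of throwing as in the sample above.
function mapSysmonEvent(winlog) {
  switch (winlog.event_id) {
    case 23:
      return mapFileDelete(winlog.event_data || {});
    default:
      return { error: { message: `unexpected sysmon event_id ${winlog.event_id}` }, tags: ["_js_exception"] };
  }
}

// Constructed input: the event_data of the Event ID 23 sample posted in this issue.
const SAMPLE_EVENT_23 = {
  event_id: 23,
  event_data: {
    Archived: "true",
    Hashes: "SHA1=64132E602E62EE91151E0CEA4E84C3A6A29DF0E7,MD5=F5BC6B2FBCE0BDDB1532E23D45739443,SHA256=A50A37ED1AD64B0304A5E94B5CA8A326507575727AB7C4B450F2BC110B0E323A,IMPHASH=C83D0EDEB4A96A1E299D9AEB65CD81ED",
    Image: "C:\\Windows\\System32\\spoolsv.exe",
    IsExecutable: "true",
    ProcessGuid: "{edd932b7-cb4b-5ea9-2b00-000000000800}",
    ProcessId: "1792",
    RuleName: "-",
    TargetFilename: "C:\\Windows\\System32\\spool\\drivers\\x64\\{4A2BB754-6413-4445-8D8B-6F42020CAAAD}\\tsprint.dll",
    User: "NT AUTHORITY\\SYSTEM",
  },
};

console.log(JSON.stringify(mapSysmonEvent(SAMPLE_EVENT_23), null, 2));
```

Run it with `node` to see the mapped document for the sample event. Hash values are lowercased so they match how hashes are usually indexed, `RuleName: "-"` comes out as an unset `rule.name`, and an event with an ID the mapper does not know gets `error.message` and the `_js_exception` tag rather than aborting the script.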