winlog.event_data.TaskContent XML data is not parsed in Elasticsearch:
<?xml version="1.0" encoding="UTF-16"?>
DOMAIN\userDeze taak zorgt ervoor dat presentatie-instellingen worden uitgeschakeld als u zich opnieuw bij de computer aanmeldt.\PresentationSettingsTurnOff_DOMAIN_USERtrueDOMAIN\USERPT5SIgnoreNewfalsefalsetruefalsefalsePT10MPT1HtruefalsetruetruetruefalsefalsePT72H7%windir%\system32\PresentationSettings.exe/stopDOMAIN\USERInteractiveTokenLeastPrivilege
This change would start with Elastic Agent and/or Winlogbeat; I was thinking about a JavaScript processor that would run on the client:
// Sketch of a client-side script processor; `XML` and `event.GetEvent()` here
// are placeholders for the XML parsing the processor would have to provide.
function process(event) {
  var xml = new XML(event.GetEvent());   // parse the raw event XML
  var task = xml.Task;                   // <Task> root of TaskContent
}
However, this would also imply changes to the Winlogbeat mappings.
Describe a specific use case for the enhancement or feature:
With the XML parsed we could create better exceptions in Elasticsearch. Currently only the task name is possible. While the task name is useful, I'm more interested in what commands the scheduled task runs.
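As an added example (not the processor proposed above, nor Elastic code), the same parsing done in Python over a constructed TaskContent sample: it flattens the task URI, principal and Exec actions so an exception can match on the command line rather than only the task name. The element layout of the sample and the `task.*` key names are assumptions for the example; the namespace is the standard Task Scheduler schema.

```python
import re
import xml.etree.ElementTree as ET

# Namespace of the Task Scheduler XML schema that TaskContent uses.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample shaped like the 4698 TaskContent in the issue (same task and action).
SAMPLE_TASK_CONTENT = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <URI>\\PresentationSettingsTurnOff_DOMAIN_USER</URI>
  </RegistrationInfo>
  <Principals>
    <Principal id="Author">
      <UserId>DOMAIN\\USER</UserId>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>%windir%\\system32\\PresentationSettings.exe</Command>
      <Arguments>/stop</Arguments>
    </Exec>
  </Actions>
</Task>"""

def parse_task_content(task_content):
    """Flatten the detection-relevant parts of a TaskContent XML string."""
    # The event carries the XML as text, yet the declaration still says UTF-16;
    # drop the declaration so the parser does not trip over the mismatch.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", task_content)
    root = ET.fromstring(body)

    def text(node):
        return node.text.strip() if node is not None and node.text else None

    actions = [{"command": text(ex.find("t:Command", TASK_NS)),
                "arguments": text(ex.find("t:Arguments", TASK_NS))}
               for ex in root.findall("t:Actions/t:Exec", TASK_NS)]
    return {
        "task.uri": text(root.find("t:RegistrationInfo/t:URI", TASK_NS)),
        "task.user_id": text(root.find("t:Principals/t:Principal/t:UserId", TASK_NS)),
        "task.run_level": text(root.find("t:Principals/t:Principal/t:RunLevel", TASK_NS)),
        "task.actions": actions,
    }

def command_lines(parsed):
    """Join each Exec action into the string an exception would match on."""
    return [" ".join(p for p in (a["command"], a["arguments"]) if p)
            for a in parsed["task.actions"]]
```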
Describe the enhancement: https://www.elastic.co/guide/en/security/current/ .html