elastic / beats

:tropical_fish: Beats - Lightweight shippers for Elasticsearch & Logstash
https://www.elastic.co/products/beats

Parsing XML data in schedule tasks (a scheduled task was created) #39905

Open willemri opened 1 month ago

willemri commented 1 month ago

Describe the enhancement: https://www.elastic.co/guide/en/security/current/ .html

winlog.event_data.TaskContent XML data is not parsed in Elasticsearch:

```xml
<?xml version="1.0" encoding="UTF-16"?>
<Task>
  <RegistrationInfo>
    <Author>DOMAIN\user</Author>
    <Description>This task ensures that presentation settings are turned off when you log on to the computer again.</Description>
    <URI>\PresentationSettingsTurnOff_DOMAIN_USER</URI>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>DOMAIN\USER</UserId>
      <Delay>PT5S</Delay>
    </LogonTrigger>
  </Triggers>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <Duration>PT10M</Duration>
      <WaitTimeout>PT1H</WaitTimeout>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>true</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT72H</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions>
    <Exec>
      <Command>%windir%\system32\PresentationSettings.exe</Command>
      <Arguments>/stop</Arguments>
    </Exec>
  </Actions>
  <Principals>
    <Principal>
      <UserId>DOMAIN\USER</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
</Task>
```

This change would start with Elastic Agent and/or Winlogbeat; I was thinking about a JavaScript processor that would run on the client:

```javascript
// Outline of the intended field mapping. `new XML(...)` and `task.@version`
// are E4X-style syntax; the Beats JavaScript processor (goja) ships no XML
// parser, so a real implementation needs its own parsing step.
function process(event) {
    // winlog.event_data.TaskContent carries the task definition XML of a 4698 event.
    var xml = new XML(event.Get("winlog.event_data.TaskContent"));
    var task = xml.Task;

    event.Put("task_version", task.@version);
    event.Put("author", task.RegistrationInfo.Author);
    event.Put("description", task.RegistrationInfo.Description);
    event.Put("uri", task.RegistrationInfo.URI);
    event.Put("logon_trigger_enabled", task.Triggers.LogonTrigger.Enabled);
    event.Put("user_id", task.Triggers.LogonTrigger.UserId);
    event.Put("delay", task.Triggers.LogonTrigger.Delay);
    event.Put("multiple_instances_policy", task.Settings.MultipleInstancesPolicy);
    event.Put("disallow_start_if_on_batteries", task.Settings.DisallowStartIfOnBatteries);
    event.Put("stop_if_going_on_batteries", task.Settings.StopIfGoingOnBatteries);
    event.Put("allow_hard_terminate", task.Settings.AllowHardTerminate);
    event.Put("start_when_available", task.Settings.StartWhenAvailable);
    event.Put("run_only_if_network_available", task.Settings.RunOnlyIfNetworkAvailable);
    event.Put("idle_duration", task.Settings.IdleSettings.Duration);
    event.Put("idle_wait_timeout", task.Settings.IdleSettings.WaitTimeout);
    event.Put("idle_stop_on_idle_end", task.Settings.IdleSettings.StopOnIdleEnd);
    event.Put("idle_restart_on_idle", task.Settings.IdleSettings.RestartOnIdle);
    event.Put("allow_start_on_demand", task.Settings.AllowStartOnDemand);
    event.Put("enabled", task.Settings.Enabled);
    event.Put("hidden", task.Settings.Hidden);
    event.Put("run_only_if_idle", task.Settings.RunOnlyIfIdle);
    event.Put("wake_to_run", task.Settings.WakeToRun);
    event.Put("execution_time_limit", task.Settings.ExecutionTimeLimit);
    event.Put("priority", task.Settings.Priority);
    // The action is what a detection rule or exception most wants to match on.
    event.Put("command", task.Actions.Exec.Command);
    event.Put("arguments", task.Actions.Exec.Arguments);
    event.Put("principal_user_id", task.Principals.Principal.UserId);
    event.Put("principal_logon_type", task.Principals.Principal.LogonType);
    event.Put("principal_run_level", task.Principals.Principal.RunLevel);

    return event;
}
```

However, this would also imply changes to the Winlogbeat mappings.

Describe a specific use case for the enhancement or feature: With the XML parsed we could create better exceptions in Elasticsearch. Currently only the task name is possible. While the task name is useful, I'm more interested in what commands the scheduled task runs.
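The parsing the issue asks for, written as an added example that is not part of the issue or of Beats' own code: a Go program (Go because Beats is written in Go) that decodes a 4698 TaskContent string with encoding/xml into the fields named above and flattens every action, not only the first Exec. The sample XML is constructed from the values quoted in the issue; the xmlns and version="1.2" attribute values and the flat field names are assumptions, not Winlogbeat's.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// Task is the subset of the Task Scheduler XML that matters for detection:
// who registered the task, as whom it runs, and what it executes. Tags use
// local names only, so the xmlns on <Task> does not affect matching.
type Task struct {
	Version          string `xml:"version,attr"`
	RegistrationInfo struct {
		Author string `xml:"Author"`
		URI    string `xml:"URI"`
	} `xml:"RegistrationInfo"`
	Settings struct {
		Hidden bool `xml:"Hidden"`
	} `xml:"Settings"`
	Actions struct {
		// A task may carry several actions, and not all are Exec: a ComHandler
		// action runs a COM class and has no Command, so matching only on
		// Exec/Command would miss it.
		Exec []struct {
			Command   string `xml:"Command"`
			Arguments string `xml:"Arguments"`
		} `xml:"Exec"`
		ComHandler []struct {
			ClassID string `xml:"ClassId"`
		} `xml:"ComHandler"`
	} `xml:"Actions"`
	Principals struct {
		Principal struct {
			UserID   string `xml:"UserId"`
			RunLevel string `xml:"RunLevel"`
		} `xml:"Principal"`
	} `xml:"Principals"`
}

// ParseTaskContent decodes the TaskContent string of a 4698 event.
func ParseTaskContent(content string) (*Task, error) {
	dec := xml.NewDecoder(strings.NewReader(content))
	// The declaration says encoding="UTF-16", but once the field is a Go
	// string it is already UTF-8. encoding/xml rejects any non-UTF-8
	// declaration unless a CharsetReader is set, so pass the input through.
	dec.CharsetReader = func(charset string, input io.Reader) (io.Reader, error) {
		if strings.EqualFold(charset, "utf-16") || strings.EqualFold(charset, "utf-8") {
			return input, nil
		}
		return nil, fmt.Errorf("unsupported charset %q", charset)
	}
	var t Task
	if err := dec.Decode(&t); err != nil {
		return nil, err
	}
	return &t, nil
}

// Flatten produces flat fields of the kind the issue proposes; the names are illustrative.
func Flatten(t *Task) map[string]string {
	f := map[string]string{
		"task_version":        t.Version,
		"author":              t.RegistrationInfo.Author,
		"uri":                 t.RegistrationInfo.URI,
		"hidden":              fmt.Sprint(t.Settings.Hidden),
		"principal_user_id":   t.Principals.Principal.UserID,
		"principal_run_level": t.Principals.Principal.RunLevel,
	}
	// One string per action, so a rule or exception can match the whole command line.
	var actions []string
	for _, e := range t.Actions.Exec {
		actions = append(actions, strings.TrimSpace(e.Command+" "+e.Arguments))
	}
	for _, c := range t.Actions.ComHandler {
		actions = append(actions, "ComHandler:"+c.ClassID)
	}
	f["actions"] = strings.Join(actions, "; ")
	return f
}

// SampleTaskContent is constructed from the values quoted in the issue; the
// xmlns and version="1.2" attributes are assumed, not taken from the issue.
const SampleTaskContent = `<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Author>DOMAIN\user</Author>
    <URI>\PresentationSettingsTurnOff_DOMAIN_USER</URI>
  </RegistrationInfo>
  <Settings>
    <Hidden>true</Hidden>
  </Settings>
  <Actions>
    <Exec>
      <Command>%windir%\system32\PresentationSettings.exe</Command>
      <Arguments>/stop</Arguments>
    </Exec>
  </Actions>
  <Principals>
    <Principal>
      <UserId>DOMAIN\USER</UserId>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
</Task>`

func main() {
	t, err := ParseTaskContent(SampleTaskContent)
	if err != nil {
		panic(err)
	}
	fmt.Println(Flatten(t)["actions"])
}
```

The CharsetReader is the part most likely to bite in practice: the 4698 TaskContent field keeps its `encoding="UTF-16"` declaration after the event has been converted to a UTF-8 string, and encoding/xml refuses to decode it without one. Joining all actions into one field also keeps a ComHandler-only task visible instead of yielding an empty command.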

botelastic[bot] commented 1 month ago

This issue doesn't have a Team:<team> label.