elastic / integrations

Elastic Integrations
https://www.elastic.co/integrations

[Windows Security] Scheduled Task ECS Mappings #10536

Open jamiehynds opened 1 month ago

jamiehynds commented 1 month ago

Windows event ID 4698 (sample data here) is triggered when a scheduled task is created.

The system/security pipeline does not currently parse/map the scheduled task process name, executable and command line - all useful fields for malware detection.

Can we please update the pipeline to ensure these fields are mapped to ECS? A sample event from a customer is also available internally, which I can provide.

elasticmachine commented 1 month ago

Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform)

jamiehynds commented 1 month ago

Hey @marc-gr - would you mind looking at this one?

jeff-bb commented 4 weeks ago

This would be great. For now, we've been just using a processor to handle it.

```yaml
processors:
  # 4698 (created), 4699 (deleted), 4700 (enabled) and 4701 (disabled) carry the task XML in TaskContent.
  - decode_xml:
      when.or:
        - equals.event.code: "4698"
        - equals.event.code: "4699"
        - equals.event.code: "4700"
        - equals.event.code: "4701"
      field: winlog.event_data.TaskContent
      target_field: winlog.event_data
      ignore_missing: true
      ignore_failure: false
  # 4702 (updated) carries the new task definition in TaskContentNew instead.
  - decode_xml:
      when.or:
        - equals.event.code: "4702"
      field: winlog.event_data.TaskContentNew
      target_field: winlog.event_data
      ignore_missing: true
      ignore_failure: false
```

So many of the fields within the XML would map amazingly to ECS. I'm a little surprised to not find something in ECS to handle "future scheduled events", like cron or Windows scheduled tasks. Something to hold the future schedule of the event.

winlog.event_data.task.actions.exec.arguments -> process.args / process.command_line
winlog.event_data.task.actions.exec.command -> process.name, process.executable
winlog.event_data.task.registrationinfo.author -> user.domain, user.name
winlog.event_data.task.principals.principal.userid -> user.domain, user.name (sid?)
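As an added illustration of the mapping proposed above (example code, not part of the issue or of the integration), the function below parses a constructed 4698 TaskContent payload and emits the ECS fields listed; it treats Principal/UserId as a SID and places it in user.id, which is an assumption of this example rather than something the thread settled.

```python
import re
import xml.etree.ElementTree as ET

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Constructed TaskContent payload in the shape of a 4698 event; not a real customer event.
SAMPLE_TASK_CONTENT = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>CORP\jdoe</Author></RegistrationInfo>
  <Principals><Principal id="Author"><UserId>S-1-5-21-111-222-333-1001</UserId></Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>C:\Windows\System32\cmd.exe</Command>
    <Arguments>/c "C:\Users\Public\update.bat" -quiet</Arguments>
  </Exec></Actions>
</Task>"""

def _text(root, path):
    """Text of the first element at a slash-separated path inside the Task namespace, or None."""
    el = root.find("/".join(TASK_NS + p for p in path.split("/")))
    return el.text.strip() if el is not None and el.text else None

def task_content_to_ecs(task_xml):
    """Map TaskContent XML (events 4698-4701) onto the ECS fields proposed in the thread."""
    # Windows emits a UTF-16 declaration, which ElementTree rejects on already-decoded str input.
    root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", task_xml))
    ecs = {}
    command = _text(root, "Actions/Exec/Command")
    arguments = _text(root, "Actions/Exec/Arguments")
    if command:
        ecs["process.executable"] = command
        ecs["process.name"] = command.rsplit("\\", 1)[-1]
        # Split on whitespace but keep double-quoted paths together, then drop the quotes.
        args = [a.strip('"') for a in re.findall(r'"[^"]*"|\S+', arguments or "")]
        ecs["process.args"] = [command] + args
        ecs["process.command_line"] = f"{command} {arguments}" if arguments else command
    author = _text(root, "RegistrationInfo/Author")
    if author:
        domain, sep, name = author.rpartition("\\")  # DOMAIN\user or a bare name
        ecs["user.name"] = name if sep else author
        if sep and domain:
            ecs["user.domain"] = domain
    user_id = _text(root, "Principals/Principal/UserId")
    if user_id and user_id.upper().startswith("S-1-"):
        ecs["user.id"] = user_id  # assumption: the principal SID belongs in ECS user.id
    return ecs

if __name__ == "__main__":
    print(task_content_to_ecs(SAMPLE_TASK_CONTENT))
```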