
Winlogbeat NewProcessFields Function Missing Parent Process #29237

Description

@veritasr3x

Hi Elastic Team,

Github issue approval noted in Elastic Discussion Forums.

I'm writing to request an update to the winlogbeat Windows Security module to add the parent process ID value for Windows Security event 4688.

Lines 2132 to 2142 handle field renames for parent/child process fields in 4688:

        .Convert({
            fields: [
                {from: "winlog.event_data.NewProcessId", to: "process.pid", type: "long"},
                {from: "winlog.event_data.NewProcessName", to: "process.executable"},
                {from: "winlog.event_data.ParentProcessName", to: "process.parent.executable"}
            ],
            mode: "rename",
            ignore_missing: true,
            fail_on_error: false,
        })

The parent process ID is missing from the function, which affects Windows Security Event 4688. Looking at a raw sample for a 4688, the parent process in friendly view is re-labeled by Microsoft as Creator Process ID. However, the XML shows the parent process ID structured as ProcessId:

[image: XML view of a raw 4688 event, showing the parent process ID carried in the ProcessId data element]

The winlogbeat security module variable event4688 references the renameNewProcessFields function and is the only variable that does, so I propose the renameNewProcessFields function be updated to include the parent process PID:

        .Convert({
            fields: [
                {from: "winlog.event_data.NewProcessId", to: "process.pid", type: "long"},
                {from: "winlog.event_data.NewProcessName", to: "process.executable"},
                {from: "winlog.event_data.ParentProcessName", to: "process.parent.executable"},
                {from: "winlog.event_data.ProcessId", to: "process.parent.pid"}  //<---updated line
            ],
            mode: "rename",
            ignore_missing: true,
            fail_on_error: false,
        })

Since it's an event-dependent variable reference, the context will only be invoked for 4688s and not conflict with any others.
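To make the proposed mapping concrete, here is an added example (plain Node.js, not Winlogbeat's own processor code or anything from this issue) that models the rename step above over a constructed 4688 `event_data` object. It applies the four `from`/`to` pairs, including the proposed `ProcessId` -> `process.parent.pid` line, and converts both PIDs to numbers, since ECS defines `process.pid` and `process.parent.pid` as longs. Assumptions made here: the raw event carries PIDs as hex strings such as `0x1b10`, which is how Windows writes them into the 4688 XML; `ignore_missing: true` is read as "skip a field that is absent" and `fail_on_error: false` as "leave a field in place if its conversion fails". The helper names (`renameNewProcessFields`, `toLong`, `SAMPLE_4688`) and the sample values are invented for the example.

```javascript
// Added example: a plain-JS model of the proposed renameNewProcessFields
// Convert step from the issue. Not Winlogbeat code.

// Field mapping from the issue, with the proposed ProcessId line included.
// type "long" on ProcessId is this example's choice (ECS pids are longs).
const NEW_PROCESS_FIELDS = [
  { from: "winlog.event_data.NewProcessId", to: "process.pid", type: "long" },
  { from: "winlog.event_data.NewProcessName", to: "process.executable" },
  { from: "winlog.event_data.ParentProcessName", to: "process.parent.executable" },
  { from: "winlog.event_data.ProcessId", to: "process.parent.pid", type: "long" },
];

// Dotted-path helpers over a nested event object.
function getPath(obj, path) {
  return path.split(".").reduce(
    (o, k) => (o !== null && typeof o === "object" && k in o ? o[k] : undefined),
    obj
  );
}

function setPath(obj, path, value) {
  const keys = path.split(".");
  let cur = obj;
  for (const k of keys.slice(0, -1)) {
    if (typeof cur[k] !== "object" || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
}

function deletePath(obj, path) {
  const keys = path.split(".");
  let cur = obj;
  for (const k of keys.slice(0, -1)) {
    if (typeof cur[k] !== "object" || cur[k] === null) return;
    cur = cur[k];
  }
  delete cur[keys[keys.length - 1]];
}

// "long" conversion. Assumption: 4688 PIDs arrive as hex strings ("0x1b10")
// in the raw XML, so both hex and plain decimal are accepted here.
function toLong(value) {
  const s = String(value).trim();
  const n = /^0x[0-9a-f]+$/i.test(s) ? parseInt(s, 16) : Number(s);
  if (!Number.isInteger(n)) throw new Error(`not a long: ${value}`);
  return n;
}

// Model of Convert({ mode: "rename", ignore_missing, fail_on_error }).
// Returns a new event; the input is not mutated.
function renameNewProcessFields(event, opts = { ignore_missing: true, fail_on_error: false }) {
  const out = JSON.parse(JSON.stringify(event));
  for (const f of NEW_PROCESS_FIELDS) {
    const raw = getPath(out, f.from);
    if (raw === undefined) {
      if (opts.ignore_missing) continue;       // absent field: skip it
      throw new Error(`missing field ${f.from}`);
    }
    let value = raw;
    if (f.type === "long") {
      try {
        value = toLong(raw);
      } catch (e) {
        if (opts.fail_on_error) throw e;
        continue;                               // bad value: leave field as-is
      }
    }
    deletePath(out, f.from);
    setPath(out, f.to, value);
  }
  return out;
}

// Constructed 4688 event_data (not a real capture). Note the parent PID is
// carried under the name ProcessId, exactly the point the issue raises.
const SAMPLE_4688 = {
  winlog: {
    event_id: 4688,
    event_data: {
      NewProcessId: "0x1b10",
      NewProcessName: "C:\\Windows\\System32\\cmd.exe",
      ProcessId: "0x2c4",
      ParentProcessName: "C:\\Windows\\explorer.exe",
      SubjectUserName: "alice",
    },
  },
};

console.log(JSON.stringify(renameNewProcessFields(SAMPLE_4688), null, 2));
```

Running it shows `process.pid` and `process.parent.pid` populated as numbers alongside `process.parent.executable`, with the four source fields removed from `winlog.event_data` and unrelated fields such as `SubjectUserName` untouched. Without the added `ProcessId` line, `process.parent.pid` simply never appears, which is the gap the issue describes.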

label:Team:Elastic-Agent
