[auditbeat] New ETW backend for FIM

[marc-gr]

Proposed commit message

Introduces a new backend for File Integrity Monitoring (FIM) on Windows, built on Event Tracing for Windows (ETW).

Motivation

• Rich Context: Kernel-level tracing provides detailed context for every operation, including the specific process responsible for the change.

Implementation Details

1. ETW Consumer: A new consumer subscribes to the Kernel-FileIo ETW provider to receive a raw stream of file system activity events.

2. Event Correlator: Raw ETW events are extremely granular (e.g., a simple file modification can generate fileCreate, fileWrite, fileSetInformation, and fileClose events). The correlator:

   • Groups these low-level events by file handle and process.
   • Analyzes the events within a group to determine a single, meaningful, user-facing action (created, updated, deleted, moved, etc.).
   • Handles timeouts for operations that are never formally closed.
   • This turns a noisy, high-volume stream of kernel events into concise, actionable FIM data.

3. Rich Metadata Collection: The implementation collects rich metadata for each event, including:

   • File ownership and permissions.
   • Support for Alternate Data Streams (ADS) and Extended Attributes (EA).

Testing

Added a test to generate samples for both Windows backends for the sake of comparison. This tests can't be enabled to run on CI since their output may vary due to system load, etw buffer flushing, etc. but is still useful for reference and to see how both implementations behave.

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Disruptive User Impact

Related issues

• Relates Add support for collecting user name on FIM (File Integrity Monitoring) #36934
• Closes File Integrity Monitoring | User Information - Windows integrations#8312

[github-actions]

🤖 GitHub comments

Expand to view the GitHub comments

Just comment with:

• run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)

[github-actions]

🔍 Preview links for changed docs

• docs/reference/auditbeat/auditbeat-module-file_integrity.md
• docs/reference/auditbeat/exported-fields-common.md

[elasticmachine]

Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform)

[belimawr]

Approving the changes in the files that belong to the data-plane.

[andrewkroh]

Nice addition. There's a lot here to review. I think this needs another reviewer.

Can you ensure that buildkits run the auditbeat tests on Windows with RACE_DETECTOR=true set in the environment.

[chemamartinez]

LGTM, mostly focused on the part related with the ETW interface.

[colleenmcginnis]

Approving to unblock, but I left the tiniest suggestion below. I believe you will also need to rerun make update and commit any changes to get check-docs to pass.