Skip to content

[windows] forwarded datastream incorrect indentation of translate_sid processor #4631

Closed
#4634
Closed
[windows] forwarded datastream incorrect indentation of translate_sid processor#4631
#4634
Assignees
efd6
Labels
bugSomething isn't working, use only for issues
@leehinman

Description

@leehinman
leehinman
opened on Nov 14, 2022

In windows package, forwarded data_stream, the current winlog.yml.hbs has:

processors:
  - translate_sid:
      field: winlog.event_data.MemberSid
      account_name_target: winlog.event_data._MemberUserName
      domain_target: winlog.event_data._MemberDomain
      account_type_target: winlog.event_data._MemberAccountType
      ignore_missing: true
      ignore_failure: true
{{#if processors.length}}
{{processors}}
{{/if}}

translate_sid processor needs to be indented like this:

processors:
- translate_sid:
    field: winlog.event_data.MemberSid
    account_name_target: winlog.event_data._MemberUserName
    domain_target: winlog.event_data._MemberDomain
    account_type_target: winlog.event_data._MemberAccountType
    ignore_missing: true
    ignore_failure: true
{{#if processors.length}}
{{processors}}
{{/if}}

If a user specifies a processor, the indentation in the list is inconsistent and policy can't be compiled.

Metadata

Metadata

Assignees

Labels

bugSomething isn't working, use only for issues

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions