[windows] Windows Defender Data stream overhaul to GA

[nicpenning]

• Enhancement

Proposed commit message

Overhaul Windows Defender data stream in the Windows integration to make it GA.

Added many ECS fields and removed un-needed fields/processors

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.

Screenshots

[nicpenning]

Ready for review and tests.

[elasticmachine]

Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform)

[elasticmachine]

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

[nicpenning]

Made a few corrections. Please review and test now.

[intxgo]

changes LGTM, but I guess this will fully process only a subset of Windows Defender events. Are the other IDs unimportant or there's just no documentation for them?

[nicpenning]

changes LGTM, but I guess this will fully process only a subset of Windows Defender events. Are the other IDs unimportant or there's just no documentation for them?

Great question! I targeted all the IDs I observed in my test environment. My hope is that after this beta version of the data stream is out there I can use it at a larger scale and narrow in on more IDs.

The problem is that I can't tell what fields and what type of data is expected in the data from the MS docs.

Also, this hits the primary ones of interest for sure (malware detected/prevented).

It will process most but there will be some casualties, I am sure. Without a full list of Event IDs and their actual field names to expect, it is hard to get this 100% :/

[taylor-swanson]

Couple of minor comments, otherwise seems good to me

[fearful-symmetry]

Logic looks fine, can't comment on the windows-specific fields though.

[rdner]

/test

[nicpenning]

Looks like pipeline tests failed. I will test locally to see what is going on.

[nicpenning]

Doesn't appear that the generated test files were pushed. I will get those pushed as soon as I can.

[nicpenning]

Ready for tests again!

[rdner]

/test

[rdner]

@taylor-swanson could you validate the changes in 3de2f48 please?

[elastic-vault-github-plugin-prod]

🚀 Benchmarks report

Package windows 👍(5) 💚(3) 💔(1)

Expand to view

Data stream	Previous EPS	New EPS	Diff (%)	Result
windows_defender	30303.03	16949.15	-13353.88 (-44.07%)	💔

To see the full report comment with /test benchmark fullreport

[elastic-sonarqube]

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
89.9% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: 3de2f48

History

• 💔 Build #17109 failed 22e796e

[taylor-swanson]

@taylor-swanson could you validate the changes in 3de2f48 please?

I think the test results are good.

• At first I thought an event was removed, but it was the git diff that tripped me up. It looks like one of the test cases (event ID 1116) was moved to the top and that can cause some misleading git diffs as a result. This includes extra lines showing up in the diff even though the results didn't really change. This is why I try to avoid reordering test cases, since the resulting git diffs tend to be misleading. Everything seems to check out, but feel free to point out something that's suspicious if I missed something.
• It looks like the user_data field was removed and was replaced with an enriched event_data field. The PR doesn't mention why this is the case, but I'll assume we have better sample data now and are including it in the tests.
• The rest of the changes to the expected test file are either from fields being sorted or updates from the changes in the pipeline.

[elastic-vault-github-plugin-prod]

Package windows - 2.2.0 containing this change is available at https://epr.elastic.co/search?package=windows

[nicpenning]

@taylor-swanson could you validate the changes in 3de2f48 please?

I think the test results are good.

• At first I thought an event was removed, but it was the git diff that tripped me up. It looks like one of the test cases (event ID 1116) was moved to the top and that can cause some misleading git diffs as a result. This includes extra lines showing up in the diff even though the results didn't really change. This is why I try to avoid reordering test cases, since the resulting git diffs tend to be misleading. Everything seems to check out, but feel free to point out something that's suspicious if I missed something.
• It looks like the user_data field was removed and was replaced with an enriched event_data field. The PR doesn't mention why this is the case, but I'll assume we have better sample data now and are including it in the tests.
• The rest of the changes to the expected test file are either from fields being sorted or updates from the changes in the pipeline.

Good observations.

I did reorder because I wanted the system test to use this more practical event in the docs. Also when I generated improved json that maps closer to the real world, I used it as is and didn't try to put them back in the right order.

As for the user fields, those were likely residual fields from other windows integrations that this one didn't really use so I capitalized on what actual event fields are being used in the event IDs I was able to generate for my tests.

I will be cautious next time keeping these event IDs in the proper order. Thanks for the review!