Skip to content

[system.security,windows.forwarded] Add 'Group Membership' to category enrichment#12335

Merged
andrewkroh merged 5 commits intoelastic:mainfrom
ksctst:patch-1
Feb 11, 2025
Merged

[system.security,windows.forwarded] Add 'Group Membership' to category enrichment#12335
andrewkroh merged 5 commits intoelastic:mainfrom
ksctst:patch-1

Conversation

@ksctst
Copy link
Copy Markdown
Contributor

@ksctst ksctst commented Jan 13, 2025
edited by andrewkroh
Loading

Hello. Added missing audit subcategory - "Group Membership"

Proposed commit message

For the system.security and windows.forwarded data streams,
enrich group membership related events with an audit category 
and subcategory. The associated UUID was missing from the
enrichment table.

The UUID value is referenced in
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gpac/77878370-0712-47cd-997d-b07053429f6d

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

@ksctst ksctst requested a review from a team as a code owner January 13, 2025 13:57
@cla-checker-service
Copy link
Copy Markdown

cla-checker-service bot commented Jan 13, 2025
edited
Loading

💚 CLA has been signed

@andrewkroh andrewkroh added Integration:windows Windows needs CLA User must sign the Elastic Contributor License before review. Team:Security-Windows Platform Security Windows Platform team [elastic/sec-windows-platform] labels Jan 13, 2025
@elasticmachine
Copy link
Copy Markdown

elasticmachine commented Jan 13, 2025

Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform)

@ksctst
Copy link
Copy Markdown
Contributor Author

ksctst commented Jan 13, 2025

signed CLA

@andrewkroh andrewkroh removed the needs CLA User must sign the Elastic Contributor License before review. label Jan 13, 2025
@andrewkroh
Copy link
Copy Markdown
Member

andrewkroh commented Jan 31, 2025

/test

@andrewkroh andrewkroh changed the title Update security.yml [windows.{security,forwarded}] Add 'Group Membership' to category enrichment Jan 31, 2025
andrewkroh
andrewkroh previously requested changes Jan 31, 2025
View reviewed changes
Copy link
Copy Markdown
Member

@andrewkroh andrewkroh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The windows integration's changelog.yml needs updated with a new entry, and then the version in the manifest.yml needs changed to match.

@elastic-vault-github-plugin-prod
Copy link
Copy Markdown

elastic-vault-github-plugin-prod bot commented Jan 31, 2025
edited
Loading

🚀 Benchmarks report

Package system 👍(2) 💚(0) 💔(1)

Expand to view
Data stream Previous EPS New EPS Diff (%) Result
syslog 250000 200000 -50000 (-20%) 💔

To see the full report comment with /test benchmark fullreport

@andrewkroh andrewkroh changed the title [windows.{security,forwarded}] Add 'Group Membership' to category enrichment [system.security,windows.forwarded] Add 'Group Membership' to category enrichment Jan 31, 2025
@andrewkroh andrewkroh requested review from a team, AndersonQ and VihasMakwana January 31, 2025 23:12
andrewkroh
andrewkroh reviewed Jan 31, 2025
View reviewed changes
Copy link
Copy Markdown
Member

@andrewkroh andrewkroh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I fixed the system.security data stream, and added changelogs.

I'm not a Windows expert so I'll defer to @elastic/sec-windows-platform for a final approval of these changes.

@andrewkroh andrewkroh dismissed their stale review January 31, 2025 23:21

I pushed the one change I requested.

@andrewkroh andrewkroh requested a review from a team January 31, 2025 23:21
@qcorporation qcorporation requested review from a team as code owners February 4, 2025 03:56
@andrewkroh andrewkroh added Integration:1password 1Password (Partner supported) Integration:abnormal_security Abnormal AI labels Feb 4, 2025
@andrewkroh andrewkroh added Integration:windows Windows Integration:system System enhancement New feature or request and removed New Integration Issue or pull request for creating a new integration package. Integration:1password 1Password (Partner supported) Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] Integration:abnormal_security Abnormal AI labels Feb 7, 2025
@andrewkroh
Copy link
Copy Markdown
Member

andrewkroh commented Feb 7, 2025

/test

@andrewkroh andrewkroh removed request for a team, AndersonQ and VihasMakwana February 7, 2025 21:41
@andrewkroh
Copy link
Copy Markdown
Member

andrewkroh commented Feb 7, 2025
edited
Loading

Since I had done some changes here, I just went ahead and rebased the branch.

@ksctst, can you please sync your fork's main.

andrewkroh
andrewkroh reviewed Feb 7, 2025
View reviewed changes
@andrewkroh
Copy link
Copy Markdown
Member

andrewkroh commented Feb 7, 2025

/test

@ksctst
Copy link
Copy Markdown
Contributor Author

ksctst commented Feb 7, 2025

Thanks, fork synced.

@pierrehilbert pierrehilbert added the Team:Elastic-Agent-Data-Plane Agent Data Plane team [elastic/elastic-agent-data-plane] label Feb 10, 2025
@elasticmachine
Copy link
Copy Markdown

elasticmachine commented Feb 10, 2025

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

@marc-gr
Copy link
Copy Markdown
Contributor

marc-gr commented Feb 11, 2025

/test

@elastic-sonarqube
Copy link
Copy Markdown

elastic-sonarqube bot commented Feb 11, 2025

Quality Gate passed Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

@elasticmachine
Copy link
Copy Markdown

elasticmachine commented Feb 11, 2025

💚 Build Succeeded

History

@andrewkroh andrewkroh merged commit 5f6a456 into elastic:main Feb 11, 2025
@elastic-vault-github-plugin-prod
Copy link
Copy Markdown

elastic-vault-github-plugin-prod bot commented Feb 11, 2025

Package system - 1.66.1 containing this change is available at https://epr.elastic.co/package/system/1.66.1/

@elastic-vault-github-plugin-prod
Copy link
Copy Markdown

elastic-vault-github-plugin-prod bot commented Feb 11, 2025

Package windows - 2.4.1 containing this change is available at https://epr.elastic.co/package/windows/2.4.1/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@andrewkroh andrewkroh andrewkroh left review comments

@intxgo intxgo intxgo approved these changes

Assignees

No one assigned

Labels

enhancement New feature or request Integration:system System Integration:windows Windows Team:Elastic-Agent-Data-Plane Agent Data Plane team [elastic/elastic-agent-data-plane] Team:Security-Windows Platform Security Windows Platform team [elastic/sec-windows-platform]

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@ksctst @elasticmachine @andrewkroh @marc-gr @intxgo @pierrehilbert