fix(system,windows): normalize SidList in event 4908#15797
Merged
andrewkroh merged 2 commits intoelastic:mainfrom Nov 18, 2025
Merged
fix(system,windows): normalize SidList in event 4908#15797andrewkroh merged 2 commits intoelastic:mainfrom
andrewkroh merged 2 commits intoelastic:mainfrom
Conversation
7cdc420 to
5cf077b
Compare
🚀 Benchmarks reportTo see the full report comment with |
Adds whitespace normalization for the SidList field in Windows Security event 4908 (Special Groups Logon table modified). The ingest pipeline now uses a gsub processor to normalize separators before parsing, and the Painless script handles the normalized format correctly. Test data originates from elastic/beats@dd7a1b3
5cf077b to
7f68393
Compare
andrewkroh
commented
Oct 29, 2025
| @@ -4260,7 +4265,8 @@ processors: | |||
|
|
|||
| void splitSidList(def sids, def params, def ctx) { | |||
| ArrayList al = new ArrayList(); | |||
Member
Author
There was a problem hiding this comment.
This highlights that that system/security and windows/forwarded pipelines are no longer in sync. We will need to address that separately, hopefully taking advantage of new tooling in elastic-package that avoids duplicating content.
|
Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform) |
|
Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane) |
mauri870
approved these changes
Oct 31, 2025
Contributor
|
@nfritts / @lalit-satapathy we need your review here. |
nfritts
approved these changes
Nov 18, 2025
ishleenk17
approved these changes
Nov 18, 2025
Member
ishleenk17
left a comment
There was a problem hiding this comment.
Giving codeowner approval.
💚 Build Succeeded
History
|
|
Package system - 2.7.2 containing this change is available at https://epr.elastic.co/package/system/2.7.2/ |
|
Package windows - 3.2.3 containing this change is available at https://epr.elastic.co/package/windows/3.2.3/ |
graphaelli
pushed a commit
to graphaelli/integrations
that referenced
this pull request
Nov 18, 2025
Adds whitespace normalization for the SidList field in Windows Security event 4908 (Special Groups Logon table modified). The ingest pipeline now uses a gsub processor to normalize separators before parsing, and the Painless script handles the normalized format correctly. Test data originates from elastic/beats@dd7a1b3
tehbooom
pushed a commit
to tehbooom/integrations
that referenced
this pull request
Nov 19, 2025
Adds whitespace normalization for the SidList field in Windows Security event 4908 (Special Groups Logon table modified). The ingest pipeline now uses a gsub processor to normalize separators before parsing, and the Painless script handles the normalized format correctly. Test data originates from elastic/beats@dd7a1b3
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Proposed commit message
Checklist
changelog.ymlfile.Author's Checklist
How to test this PR locally
Related issues
Screenshots