[Enhancement] Makes Sysmon Library Load events compatible with DLL ECS fields#16442

Merged: marc-gr merged 2 commits into main from sysmon_dll on Dec 10, 2025

Conversation

w0rk3r (Contributor) commented Dec 9, 2025

Proposed commit message

Makes Sysmon Library Load events compatible with the DLL ECS fields (https://www.elastic.co/docs/reference/ecs/ecs-dll), by adding `dll.*` fields while maintaining the current fields for backwards compatibility.

Summary

Resolves https://github.com/elastic/ia-trade-team/issues/687

This PR aims to make Sysmon Library load events compatible with DLL ECS fields, aligning the fields with other similar data sources like Elastic Defend, MDE, and Crowdstrike.

Currently, to support Sysmon in detection rules, we need to do a lot of workarounds with EQL optional fields, which is not possible/supported when using ES|QL. So fixing the data source would make it easier to support and maintain Sysmon-related rules.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices.

@w0rk3r w0rk3r self-assigned this Dec 9, 2025
@w0rk3r w0rk3r requested review from a team as code owners December 9, 2025 16:40
@w0rk3r w0rk3r added the enhancement New feature or request label Dec 9, 2025
@w0rk3r w0rk3r requested review from belimawr and rdner December 9, 2025 16:40
@w0rk3r w0rk3r added the Integration:windows Windows label Dec 9, 2025
Comment on lines -663 to +673
field: file.code_signature.signed
field: file.code_signature.trusted
value: true
if: ctx.winlog?.event_data?.Signed != null && ctx.winlog.event_data.Signed == true
if: ctx.winlog?.event_data?.Signed != null && ctx.winlog.event_data.Signed == 'true'
- set:
field: file.code_signature.trusted
value: false
if: ctx.winlog?.event_data?.Signed != null && ctx.winlog.event_data.Signed != 'true'
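Review bot: the two `set` processors in this hunk populate `file.code_signature.trusted` directly from Sysmon's `Signed` value, but in ECS `code_signature.trusted` records the trust status of the certificate chain and is meant to be set only by tools that actively validate it, while a plain present/absent signature flag corresponds to `file.code_signature.exists`. Suggest setting `file.code_signature.exists` to `true` when `Signed == 'true'` (and `false` otherwise) and populating `trusted` only from an event field that reports the validation outcome, so that a signed-but-untrusted binary is not recorded as trusted.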
w0rk3r (Contributor, Author) commented:
This wasn't working, so I fixed it. Renamed from file.code_signature.signed to file.code_signature.trusted as signed is not a valid ECS field. ref: https://www.elastic.co/docs/reference/ecs/ecs-code_signature
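The fix described in the comment above and the dll.* addition from the PR description, emulated in Python as an added example (not the windows integration's own Painless pipeline): the sample event is constructed, and the exact dll.* fields the pipeline copies from file.* are an assumption.

```python
"""Emulates the Sysmon Event ID 7 enrichment this PR changes (example code,
not the windows integration's own ingest pipeline)."""
from typing import Any, Dict


def make_sample(signed: str = "true") -> Dict[str, Any]:
    """Constructed sample event: Sysmon reports Signed as a string, not a boolean."""
    path = "C:\\Windows\\System32\\kernel32.dll"
    return {
        "winlog": {"event_id": 7, "event_data": {"ImageLoaded": path, "Signed": signed}},
        "file": {"path": path, "name": "kernel32.dll", "hash": {"sha256": "0" * 64}},
    }


def _signed(doc: Dict[str, Any]):
    # Mirrors the null-safe `ctx.winlog?.event_data?.Signed` lookup.
    return doc.get("winlog", {}).get("event_data", {}).get("Signed")


def set_trusted_before(doc: Dict[str, Any]) -> Dict[str, Any]:
    """Pre-fix condition: `Signed == true` compares a string to a boolean, so it never matches."""
    signed = _signed(doc)
    if signed is not None and signed is True:
        doc.setdefault("file", {}).setdefault("code_signature", {})["trusted"] = True
    return doc


def set_trusted_after(doc: Dict[str, Any]) -> Dict[str, Any]:
    """Post-fix behaviour: the two `set` processors compare against the string 'true'."""
    signed = _signed(doc)
    if signed is not None:
        cs = doc.setdefault("file", {}).setdefault("code_signature", {})
        cs["trusted"] = signed == "true"  # 'true' -> True, any other value -> False
    return doc


def add_dll_fields(doc: Dict[str, Any]) -> Dict[str, Any]:
    """Assumed shape of the dll.* addition: copy file.* into dll.* and keep file.* intact."""
    src = doc.get("file")
    if src and doc.get("winlog", {}).get("event_id") == 7:
        dll = doc.setdefault("dll", {})
        for key in ("path", "name", "hash", "code_signature"):
            if key in src:
                dll[key] = src[key]  # copy, not move: existing file.* stays for old rules
    return doc


def enrich(doc: Dict[str, Any]) -> Dict[str, Any]:
    """Fixed pipeline order: signature flag first, then the dll.* copy."""
    return add_dll_fields(set_trusted_after(doc))
```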

@andrewkroh andrewkroh added the Team:Security-Windows Platform Security Windows Platform team [elastic/sec-windows-platform] label Dec 9, 2025
@elasticmachine: Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform)

@elasticmachine: 💚 Build Succeeded (cc @w0rk3r)

@pierrehilbert pierrehilbert added the Team:Elastic-Agent-Data-Plane Agent Data Plane team [elastic/elastic-agent-data-plane] label Dec 10, 2025
@elasticmachine: Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

@marc-gr marc-gr merged commit 42581ea into main Dec 10, 2025
7 checks passed
@marc-gr marc-gr deleted the sysmon_dll branch December 10, 2025 14:34
mrodm (Collaborator) commented Dec 10, 2025

Package windows - 3.3.0 containing this change is available at https://epr.elastic.co/package/windows/3.3.0/
