[Windows] Prevent pipeline failure in Windows AppLocker/EXE and DLL logs when signed by common name. #17188
…igned by common name only.
Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform)
….subject.common_name into esc fields
Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)
Adding link to current PR.
@VihasMakwana Could you please let @BrendanNurmi know if there is anything needed for this fix?
| - append: | ||
| field: file.x509.subject.common_name | ||
| value: "{{tmp.file.x509.subject.common_name}}" | ||
| ignore_failure: true |
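Review bot: the template `{{tmp.file.x509.subject.common_name}}` renders to an empty string whenever the tmp field was never populated, so this append writes `file.x509.subject.common_name: ""` on every event whose FQBN matched one of the other grok patterns, and `ignore_failure` does not prevent that because rendering an empty value is not a failure. Guard the processor with an `if` condition that checks the tmp field is present and non-empty; that works on both 8.x and 9.x clusters and only sets the field for CN-signed events.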
@BrendanNurmi IMO we should set ignore_empty_values to true here.
Right now, the pipeline will set file.x509.subject.common_name to "" if any of the other patterns match.
Enabling ignore_empty_values will not cause empty fields on your ES.
You'll also need to update test-events-applocker-exe-8003.json-expected.json.
| ignore_failure: true | |
| ignore_failure: true | |
| ignore_empty_values: true |
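Review bot: `ignore_empty_values` on the append processor is only recognised by 9.x clusters, so this option will fail pipeline tests against the 8.x stacks the package still targets; an `if` condition on the tmp field gives the same effect on both versions without a new processor option.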
Thanks for the feedback, added for all appends, retested.
I've added it for all since the FQBN can be just the CN or the locality and/or CN could also not be present within the FQBN.
```text
b@pi5-a:~/integrations/packages/windows/data_stream/applocker_exe_and_dll$ elastic-package test pipeline
Run pipeline tests for the package
2026/02/09 22:43:27 INFO elastic-package v0.118.0 version-hash 816ceecf (build time: 2025-12-30T13:03:37Z)
2026/02/09 22:43:27 INFO elastic-stack: 9.2.3
--- Test results for package: windows - START ---
╭─────────┬───────────────────────┬───────────┬───────────────────────────────────────────────────────────────────────────┬────────┬──────────────╮
│ PACKAGE │ DATA STREAM           │ TEST TYPE │ TEST NAME                                                                 │ RESULT │ TIME ELAPSED │
├─────────┼───────────────────────┼───────────┼───────────────────────────────────────────────────────────────────────────┼────────┼──────────────┤
│ windows │ applocker_exe_and_dll │ pipeline  │ (ingest pipeline warnings test-events-applocker-exe-8003-common-name.json) │ PASS   │ 546.253384ms │
│ windows │ applocker_exe_and_dll │ pipeline  │ (ingest pipeline warnings test-events-applocker-exe-8003.json)             │ PASS   │ 455.685091ms │
│ windows │ applocker_exe_and_dll │ pipeline  │ test-events-applocker-exe-8003-common-name.json                            │ PASS   │ 283.37205ms  │
│ windows │ applocker_exe_and_dll │ pipeline  │ test-events-applocker-exe-8003.json                                        │ PASS   │ 213.922322ms │
```
@BrendanNurmi Looks like ignore_empty_values was only added in 9.x+ versions of Elasticsearch. Could you please revert this change and remove ignore_empty_values?
I'll address this later with a "breaking" change.
For now, let's just revert to the previous version.
Sorry for the inconvenience. I had no idea about it 😓

You're all good, I should have tested a backport against v8, I'm still learning here, at least the CI/CD caught it.
VihasMakwana
left a comment
I have asked a question related to the append processor. Looks good otherwise.
@nfritts, could you please have a look at / help with a reviewer from your team?
/test
@BrendanNurmi Could you run
Recommitted; apologies, I missed this one.
/test
@BrendanNurmi Could you take a look at https://github.com/elastic/integrations/pull/17188/changes#r2792665842?
Head branch was pushed to by a user without write access
Should be fixed; I've updated the pipeline, removed the extra comment from the changelog and corrected the test cases. Both complete without error:

/test
🚀 Benchmarks report

Package windows

| Data stream | Previous EPS | New EPS | Diff (%) | Result |
|---|---|---|---|---|
| windows_defender | 9615.38 | 7575.76 | -2039.62 (-21.21%) | 💔 |
| powershell_operational | 3086.42 | 1605.65 | -1480.77 (-47.98%) | 💔 |
| applocker_exe_and_dll | 5747.13 | 4166.67 | -1580.46 (-27.5%) | 💔 |
| applocker_packaged_app_execution | 12820.51 | 9900.99 | -2919.52 (-22.77%) | 💔 |

To see the full report comment with /test benchmark fullreport

💚 Build Succeeded
cc @marc-gr

Package windows - 3.4.1 containing this change is available at https://epr.elastic.co/package/windows/3.4.1/
…ogs when signed by common name. (elastic#17188) * Resolve defect where grok failure occurs because applocker event is signed by common name only. * Changelog entry, updating manifest with new version and add file.x509.subject.common_name into esc fields * Update changelog.yml Adding link to current PR. * ignore_empty_values to prevent empty fields. * Adding exported field reference. * Removing the ignore_empty_values as it doesn't function pre v9, and this will work for both 8 & 9. * Update changelog to remove the part that no longer exists. --------- Co-authored-by: Vihas Makwana <121151420+VihasMakwana@users.noreply.github.com>
Proposed commit message
Prevent pipeline failure in Windows AppLocker/EXE and DLL logs when signed by common name.
At present the Windows Integration for AppLocker/EXE and DLL logs fails when the Fully Qualified Binary Name is a Common Name (CN).
```json
{ "error": { "message": [ "Provided Grok expressions do not match field value: [CN=58D26209-1D57-482C-B403-B655571B5C7B\\\\DOLBYACCESSOEM\\\\DOLBYACCESSOEM.EXE\\\\1.0.0.00]" ] } }
```

To address this:
Checklist
changelog.yml file.
Author's Checklist
How to test this PR locally
Using the Pipeline Testing Guide
Related issues
Screenshots
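The failure above comes from an FQBN whose publisher part is a bare CN rather than the full O/L/S/C distinguished name the grok pattern expected. The following is an added example for this thread, not code from the integration or from this PR: it splits an FQBN into its four parts, parses whatever RDNs the publisher DN actually contains, and emits only the fields that are present, which is the behaviour the review discussion wanted from `ignore_empty_values` (no `""` fields) expressed in Python. The first sample mirrors the CN-only shape in the quoted error; the second sample, the `file.name` / `file.pe.*` key choices and the handling of a publisher with no `=` are this example's own assumptions.

```python
"""Parse an AppLocker Fully Qualified Binary Name (FQBN) into ECS-style
x509 subject fields, emitting only the RDNs that are actually present.

Constructed example for this PR thread; not the integration's own code.
"""
import re
from typing import Dict

# RDN attribute type -> ECS x509.subject field name.
RDN_TO_ECS = {
    "CN": "common_name",
    "O": "organization",
    "OU": "organizational_unit",
    "L": "locality",
    "S": "state_or_province",   # abbreviation Windows uses in FQBNs
    "ST": "state_or_province",  # RFC 4514 abbreviation
    "C": "country",
}

# Constructed sample FQBNs. The first mirrors the CN-only shape from the
# grok error quoted in the PR description; the second is a typical
# full-DN publisher (values are made up).
SAMPLES = [
    "CN=58D26209-1D57-482C-B403-B655571B5C7B\\DOLBYACCESSOEM\\DOLBYACCESSOEM.EXE\\1.0.0.00",
    "O=EXAMPLE CORPORATION, L=REDMOND, S=WASHINGTON, C=US\\EXAMPLE SUITE\\EXAMPLE.EXE\\10.0.19041.1",
]


def parse_subject(dn: str) -> Dict[str, str]:
    """Split a subject DN such as 'O=X, L=Y, C=US' into ECS keys.

    Unknown attribute types and empty values are skipped, so a CN-only
    DN yields only common_name and a DN without a CN yields no
    common_name at all (never an empty string). Values containing an
    escaped comma are not handled by this naive split.
    """
    fields: Dict[str, str] = {}
    for rdn in re.split(r",\s*", dn):
        attr, sep, value = rdn.partition("=")
        if not sep:
            continue  # not an attr=value pair, ignore
        ecs = RDN_TO_ECS.get(attr.strip().upper())
        if ecs and value.strip():
            fields[ecs] = value.strip()
    return fields


def parse_fqbn(fqbn: str) -> Dict[str, str]:
    """Return a flat dict of dotted field names for one FQBN.

    An FQBN is 'publisher\\product\\binary\\version'. The publisher is the
    signer's subject DN, which may be a full DN or only a CN. The
    file.name / file.pe.* key choices are this example's, not the
    integration's.
    """
    parts = fqbn.split("\\")
    if len(parts) != 4:
        raise ValueError(
            f"expected 4 backslash-separated parts, got {len(parts)}: {fqbn!r}"
        )
    publisher, product, binary, version = parts
    doc = {
        "file.name": binary,
        "file.pe.product": product,
        "file.pe.file_version": version,
    }
    # Assumption: a publisher without '=' is not a DN (for example an
    # unsigned binary), so no subject fields are produced for it.
    if "=" in publisher:
        doc["file.x509.subject.distinguished_name"] = publisher
        for key, value in parse_subject(publisher).items():
            doc[f"file.x509.subject.{key}"] = value
    return doc


if __name__ == "__main__":
    for sample in SAMPLES:
        for key, value in sorted(parse_fqbn(sample).items()):
            print(f"{key} = {value}")
        print()
```

Running the module prints the fields for both samples; note that the CN-only sample produces `file.x509.subject.common_name` and nothing for organization, locality or country, while the full-DN sample produces those and no common_name, which is exactly the per-event presence the pipeline needs to reproduce without writing empty strings.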