
[system] Improve user mappings in security#1944

Merged
marc-gr merged 1 commit intoelastic:masterfrom
marc-gr:security-enhancements
Oct 19, 2021

Conversation

@marc-gr marc-gr (Contributor) commented Oct 19, 2021

What does this PR do?

Ports changes from elastic/beats#26509 to improve user mappings for security events.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • If I'm introducing a new feature, I have modified the Kibana version constraint in my package's manifest.yml file to point to the latest Elastic stack release (e.g. ^7.13.0).

@elasticmachine

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@marc-gr marc-gr force-pushed the security-enhancements branch from 1d30d3b to e7f9f30 on October 19, 2021 12:01

@elasticmachine elasticmachine commented Oct 19, 2021

💚 Build Succeeded


Build stats

  • Start Time: 2021-10-19T12:01:35.767+0000

  • Duration: 30 min 6 sec

  • Commit: e7f9f30

Test stats 🧪

  • Failed: 0

  • Passed: 267

  • Skipped: 0

  • Total: 267

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

@P1llus P1llus (Member) left a comment

Small comments, else it looks LGTM

Comment on lines +2578 to +2581
if (ctx?.event?.code == null ||
!["4648", "4688"].contains(ctx.event.code)) {
return;
}
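Review bot: the early return is correct only because `||` short-circuits; the second clause dereferences `ctx.event.code` without the null-safe operator, so the null check must stay in front of it. If the check is lifted into the processor's `if:` condition as suggested, keep the same guard there (`ctx?.event?.code != null && ["4648", "4688"].contains(ctx.event.code)`), and note that the comparison is against string literals, so the script silently skips events whose code has been converted to a number earlier in the pipeline.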
Should we maybe move this out of the script itself? That way it never has to actually execute if it's part of the processor conditions.

Comment on lines +2869 to +2872
- set:
field: user.target.name
copy_from: winlog.event_data.OldTargetUserName
ignore_empty_value: true
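Review bot: this `set` carries no `override: false` and no `if:` condition, so it unconditionally replaces any `user.target.name` written by an earlier processor, which would silently mask a previous assignment. If the earlier value should win, add `override: false`; if OldTargetUserName is only meaningful for specific event codes, gate the processor with an `if:` on `ctx.event.code` instead.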

Isn't this already set to another value higher up?

@marc-gr marc-gr merged commit bedab6d into elastic:master Oct 19, 2021
@marc-gr marc-gr deleted the security-enhancements branch October 19, 2021 12:37

Labels

enhancement New feature or request Integration:system System
