Skip to content

[windows] AppLocker - Add more ECS fields, remove beta flag, add dashboard#7229

Merged
andrewkroh merged 33 commits intoelastic:mainfrom
nicpenning:applocker_exe_and_dll_pipeline_and_dashboard_ga
Aug 4, 2023
Merged

[windows] AppLocker - Add more ECS fields, remove beta flag, add dashboard#7229
andrewkroh merged 33 commits intoelastic:mainfrom
nicpenning:applocker_exe_and_dll_pipeline_and_dashboard_ga

Conversation

@nicpenning
Copy link
Copy Markdown
Contributor

@nicpenning nicpenning commented Aug 2, 2023

  • Enhancement

What does this PR do?

This PR extends the initial applocker data stream for exes and dlls by adding some more ECS fields, cleanup of uneeded processors, adds a dashboard and removes the [beta] flag.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

nicpenning added 24 commits July 26, 2023 20:27
@nicpenning
Update ecs.yml
3ced19d
@nicpenning
Update winlog.yml
75d0320
@nicpenning
Update default.yml
d2f443f
@nicpenning
Update test-events-applocker-exe-8003.json-expected.json
54115c2
@nicpenning
Update default.yml
a9c5a8b
@nicpenning
Update test-events-applocker-exe-8003.json
809cb75
@nicpenning
Update test-events-applocker-exe-8003.json-expected.json
6b87c71
@nicpenning
Merge branch 'elastic:main' into applocker_exe_and_dll_pipeline_and_d…
9ca89d0 
…ashboard_ga
@nicpenning
Update default.yml
a7aee22
@nicpenning
Merge branch 'elastic:main' into applocker_exe_and_dll_pipeline_and_d…
0885814 
…ashboard_ga
@nicpenning
Add files via upload
0553ee5
@nicpenning
Merge branch 'elastic:main' into applocker_exe_and_dll_pipeline_and_d…
25c80cb 
…ashboard_ga
@nicpenning
Update windows-b28aaad0-2f2d-11ee-acdc-45d0efa0889d.json
08f3355
@nicpenning
Update windows-b28aaad0-2f2d-11ee-acdc-45d0efa0889d.json
79cb5a1
@nicpenning
Add files via upload
a920bb9
@nicpenning
Update manifest.yml
ceda7f3
@nicpenning
Update changelog.yml
0495d35
@nicpenning
Update README.md
92f16f3
@nicpenning
Delete applocker-windows-audit-and-blocked.png
d7cee05
@nicpenning
Add files via upload
732a8fc
@nicpenning
Update manifest.yml
3cf9a25
@nicpenning
Update manifest.yml
6c7a81b
@nicpenning
Remove un-needed processing for user name, domain, and sequence
abe0336
@nicpenning
Remove event codes from the default
a921a64
@nicpenning nicpenning requested review from a team as code owners August 2, 2023 23:01
@elasticmachine
Copy link
Copy Markdown

elasticmachine commented Aug 2, 2023
edited
Loading

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview preview

Expand to view the summary

Build stats

  • Start Time: 2023-08-04T16:12:37.603+0000

  • Duration: 18 min 9 sec

Test stats 🧪

Test Results
Failed 0
Passed 135
Skipped 0
Total 135

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

@nicpenning nicpenning changed the title [windows] Add more ECS fields, remove beta flag, add dashboard [windows] AppLocker - Add more ECS fields, remove beta flag, add dashboard Aug 3, 2023
@nicpenning
Copy link
Copy Markdown
Contributor Author

nicpenning commented Aug 3, 2023

Any chance I can request @efd6 to assist in reviewing? He did a good job on the initial data stream creation for this Integration and this PR is a continuation of that.

@nicpenning
Copy link
Copy Markdown
Contributor Author

nicpenning commented Aug 3, 2023

Please let me know what you think about the new fields. In the meanwhile, this should be good to test.

@nicpenning nicpenning mentioned this pull request Aug 3, 2023
Closed
4 tasks
@nicpenning
Copy link
Copy Markdown
Contributor Author

nicpenning commented Aug 4, 2023

Just checking in on this 😀

andrewkroh
andrewkroh reviewed Aug 4, 2023
View reviewed changes
Copy link
Copy Markdown
Member

@andrewkroh andrewkroh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this data fits perfectly with the descriptions for these fields. I thinking we could use these fields instead of winlog.fqbn. WDYT?

  • file.pe.file_version
  • file.pe.original_file_name
  • file.pe.product

@elasticmachine
Copy link
Copy Markdown

elasticmachine commented Aug 4, 2023

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@nicpenning
Copy link
Copy Markdown
Contributor Author

nicpenning commented Aug 4, 2023

I think this data fits perfectly with the descriptions for these fields. I thinking we could use these fields instead of winlog.fqbn. WDYT?

  • file.pe.file_version
  • file.pe.original_file_name
  • file.pe.product

Pushed these changes.

@andrewkroh
Copy link
Copy Markdown
Member

andrewkroh commented Aug 4, 2023

/test

@elasticmachine
Copy link
Copy Markdown

elasticmachine commented Aug 4, 2023

🌐 Coverage report

Name Metrics % (covered/total) Diff
Packages 100.0% (5/5) 💚
Files 88.889% (8/9) 👎 -11.111
Classes 88.889% (8/9) 👎 -11.111
Methods 84.158% (85/101) 👍 10.825
Lines 92.751% (5323/5739) 👎 -7.249
Conditionals 100.0% (0/0) 💚

@nicpenning
Copy link
Copy Markdown
Contributor Author

nicpenning commented Aug 4, 2023

Thank you, Andrew! Next up, AppLocker MSI/Script data stream 😀

nicpenning and others added 3 commits August 4, 2023 11:05
@andrewkroh
Copy link
Copy Markdown
Member

andrewkroh commented Aug 4, 2023

/test

@andrewkroh andrewkroh merged commit b50c740 into elastic:main Aug 4, 2023
@elasticmachine
Copy link
Copy Markdown

elasticmachine commented Aug 4, 2023

Package windows - 1.29.0 containing this change is available at https://epr.elastic.co/search?package=windows

@nicpenning nicpenning deleted the applocker_exe_and_dll_pipeline_and_dashboard_ga branch August 4, 2023 21:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@andrewkroh andrewkroh andrewkroh approved these changes

@rdner rdner Awaiting requested review from rdner rdner is a code owner automatically assigned from elastic/elastic-agent-data-plane

@fearful-symmetry fearful-symmetry Awaiting requested review from fearful-symmetry fearful-symmetry is a code owner automatically assigned from elastic/elastic-agent-data-plane

Assignees

No one assigned

Labels

enhancement New feature or request Integration:windows Windows

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@nicpenning @elasticmachine @andrewkroh