Skip to content

[Windows] Sysmon Event ID 26: FileDeleteDetected (File Delete logged) is mapping Process Hashes instead of File Hashes#8879

Merged
efd6 merged 12 commits intoelastic:mainfrom
nicpenning:patch-1
Jan 19, 2024
Merged

[Windows] Sysmon Event ID 26: FileDeleteDetected (File Delete logged) is mapping Process Hashes instead of File Hashes#8879
efd6 merged 12 commits intoelastic:mainfrom
nicpenning:patch-1

Conversation

@nicpenning
Copy link
Copy Markdown
Contributor

@nicpenning nicpenning commented Jan 14, 2024
edited
Loading

  • Breaking change

Should resolve #8878

Proposed commit message

Fix file hash parsing for file delete detected

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.

Author's Checklist

To be continued... More work needed before merging. This was a quick PR to show potential changes.

@nicpenning nicpenning requested a review from a team as a code owner January 14, 2024 04:37
@nicpenning nicpenning requested a review from a team as a code owner January 14, 2024 04:41
@nicpenning
Copy link
Copy Markdown
Contributor Author

nicpenning commented Jan 14, 2024

I did not run tests but am curious to see if it passes them. Surgically updated expected tests, changelog, manifest and of course pipeline. Not ideal but won't have access to a IDE for awhile. Feel free to rip and replace as needed. 🧑🏻‍⚕️

@nicpenning nicpenning changed the title Fix file hash parsing for file delete detected [Windows] Sysmon Event ID 26: FileDeleteDetected (File Delete logged) mapping Process Hashes instead of File Hashes Jan 14, 2024
@nicpenning nicpenning changed the title [Windows] Sysmon Event ID 26: FileDeleteDetected (File Delete logged) mapping Process Hashes instead of File Hashes [Windows] Sysmon Event ID 26: FileDeleteDetected (File Delete logged) is mapping Process Hashes instead of File Hashes Jan 14, 2024
@pierrehilbert pierrehilbert added the Team:Elastic-Agent Platform - Ingest - Agent [elastic/elastic-agent] label Jan 14, 2024
@elasticmachine
Copy link
Copy Markdown

elasticmachine commented Jan 14, 2024

Pinging @elastic/elastic-agent (Team:Elastic-Agent)

@elasticmachine
Copy link
Copy Markdown

elasticmachine commented Jan 14, 2024

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@efd6
Copy link
Copy Markdown
Contributor

efd6 commented Jan 14, 2024

/test

efd6
efd6 reviewed Jan 14, 2024
View reviewed changes
Copy link
Copy Markdown
Contributor

@efd6 efd6 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tests pass locally after the changelog is fixed.

nicpenning and others added 3 commits January 14, 2024 17:09
@nicpenning @efd6
Update packages/windows/changelog.yml
04a1089 
Co-authored-by: Dan Kortschak <90160302+efd6@users.noreply.github.com>
@nicpenning
Add files via upload
ea1f121
@nicpenning
Add files via upload
7c072a7
efd6
efd6 reviewed Jan 15, 2024
View reviewed changes
packages/windows/changelog.yml Outdated
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "1.44.0"
Copy link
Copy Markdown
Contributor

@efd6 efd6 Jan 15, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this requires discussion; if this is a breaking change, then the version should be bumped in major. ISTM that it is a bug though.

Copy link
Copy Markdown
Contributor Author

@nicpenning nicpenning Jan 15, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ahh yeah - I just said breaking because if dashboards, rules and other resource used these fields in error then they will no longer be working, hence broken. But it was a stretch. I am good with this being a bug and we increment a minor. I am happy with whatever you think is best.

Copy link
Copy Markdown
Contributor Author

@nicpenning nicpenning Jan 15, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I went ahead and went the bugfix route. If this isn't ideal, then we can go enhancement and leave it at the 1.44 and update the category as needed.

@efd6
Copy link
Copy Markdown
Contributor

efd6 commented Jan 15, 2024

/test

@elasticmachine
Copy link
Copy Markdown

elasticmachine commented Jan 15, 2024
edited
Loading

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@efd6
Copy link
Copy Markdown
Contributor

efd6 commented Jan 15, 2024

/test

efd6
efd6 approved these changes Jan 15, 2024
View reviewed changes
Copy link
Copy Markdown
Contributor

@efd6 efd6 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Logic LGTM. Leaving decision of breaking change/bug fix categorization to elastic-agent team.

leehinman
leehinman approved these changes Jan 18, 2024
View reviewed changes
Copy link
Copy Markdown
Contributor

@leehinman leehinman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. I'm ok bugfix.

@efd6
Copy link
Copy Markdown
Contributor

efd6 commented Jan 18, 2024

@nicpenning Would you mind resolving the conflict?

@nicpenning
Copy link
Copy Markdown
Contributor Author

nicpenning commented Jan 18, 2024

Yes. How does it look now?

@efd6
Copy link
Copy Markdown
Contributor

efd6 commented Jan 18, 2024

/test

@elasticmachine
Copy link
Copy Markdown

elasticmachine commented Jan 19, 2024

💚 Build Succeeded

@efd6 efd6 merged commit ff2150c into elastic:main Jan 19, 2024
@nicpenning nicpenning deleted the patch-1 branch January 26, 2024 03:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@leehinman leehinman leehinman approved these changes

@efd6 efd6 efd6 approved these changes

@fearful-symmetry fearful-symmetry Awaiting requested review from fearful-symmetry fearful-symmetry is a code owner automatically assigned from elastic/elastic-agent-data-plane

@faec faec Awaiting requested review from faec faec is a code owner automatically assigned from elastic/elastic-agent-data-plane

Assignees

No one assigned

Labels

Integration:windows Windows Team:Elastic-Agent Platform - Ingest - Agent [elastic/elastic-agent]

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Windows] Sysmon Event ID 26: FileDeleteDetected (File Delete logged) is mapping Process Hashes instead of File Hashes

6 participants

@nicpenning @elasticmachine @efd6 @leehinman @pierrehilbert @jamiehynds