From 0a327bb6dcb0b8e8dfb6f4756255e6245d11ecb8 Mon Sep 17 00:00:00 2001 From: Marc Guasch Date: Thu, 7 May 2020 19:47:49 +0200 Subject: [PATCH] Add support for FileDelete events (event id 23) to sysmon module (#18340) FileDelete events were added in Sysmon v11. Prior to this change processing such events lead to an 'unexpected sysmon event_id' error message. Closes #18094 --- CHANGELOG.next.asciidoc | 2 + winlogbeat/docs/fields.asciidoc | 18 +++++ .../winlogbeat/module/sysmon/_meta/fields.yml | 8 ++ .../module/sysmon/config/winlogbeat-sysmon.js | 58 ++++++++++++++ x-pack/winlogbeat/module/sysmon/fields.go | 2 +- .../test/testdata/sysmon-11-filedelete.evtx | Bin 0 -> 69632 bytes .../sysmon-11-filedelete.evtx.golden.json | 74 ++++++++++++++++++ 7 files changed, 161 insertions(+), 1 deletion(-) create mode 100644 x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx create mode 100644 x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx.golden.json diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 27b1701f875..64b008b97e8 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -44,6 +44,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d *Winlogbeat* +- Add support to Sysmon file delete events (event ID 23). {issue}18094[18094] + *Functionbeat* diff --git a/winlogbeat/docs/fields.asciidoc b/winlogbeat/docs/fields.asciidoc index 3763ebc12db..092ad7516d1 100644 --- a/winlogbeat/docs/fields.asciidoc +++ b/winlogbeat/docs/fields.asciidoc @@ -7572,6 +7572,24 @@ type: keyword -- +*`sysmon.file.archived`*:: ++ +-- +Indicates if the deleted file was archived. + +type: boolean + +-- + +*`sysmon.file.is_executable`*:: ++ +-- +Indicates if the deleted file was an executable. + +type: boolean + +-- + [[exported-fields-winlog]] == Winlogbeat fields diff --git a/x-pack/winlogbeat/module/sysmon/_meta/fields.yml b/x-pack/winlogbeat/module/sysmon/_meta/fields.yml index 8ba29416eb4..ff9db37db91 100644 --- a/x-pack/winlogbeat/module/sysmon/_meta/fields.yml +++ b/x-pack/winlogbeat/module/sysmon/_meta/fields.yml @@ -8,3 +8,11 @@ - name: sysmon.dns.status type: keyword description: Windows status code returned for the DNS query. + + - name: sysmon.file.archived + type: boolean + description: Indicates if the deleted file was archived. + + - name: sysmon.file.is_executable + type: boolean + description: Indicates if the deleted file was an executable. diff --git a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js index 2e449580d87..d9d454ec1fe 100644 --- a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js +++ b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js @@ -1392,6 +1392,63 @@ var sysmon = (function () { .Add(removeEmptyEventData) .Build(); + // Event ID 23 - FileDelete (A file delete was detected). + var event23 = new processor.Chain() + .Add(parseUtcTime) + .AddFields({ + fields: { + "event.category": ["file"], // pipes are files + "event.type": ["deletion"], + }, + }) + .Convert({ + fields: [ + { + from: "winlog.event_data.UtcTime", + to: "@timestamp", + }, + { + from: "winlog.event_data.ProcessGuid", + to: "process.entity_id", + }, + { + from: "winlog.event_data.ProcessId", + to: "process.pid", + type: "long", + }, + { + from: "winlog.event_data.RuleName", + to: "rule.name", + }, + { + from: "winlog.event_data.TargetFilename", + to: "file.name", + }, + { + from: "winlog.event_data.Image", + to: "process.executable", + }, + { + from: "winlog.event_data.Archived", + to: "sysmon.file.archived", + type: "boolean", + }, + { + from: "winlog.event_data.IsExecutable", + to: "sysmon.file.is_executable", + type: "boolean", + }, + ], + mode: "rename", + ignore_missing: true, + fail_on_error: false, + }) + .Add(addUser) + .Add(splitHashes) + .Add(setProcessNameUsingExe) + .Add(removeEmptyEventData) + .Build(); + // Event ID 255 - Error report. var event255 = new processor.Chain() .Add(parseUtcTime) @@ -1436,6 +1493,7 @@ var sysmon = (function () { 20: event20.Run, 21: event21.Run, 22: event22.Run, + 23: event23.Run, 255: event255.Run, process: function (evt) { diff --git a/x-pack/winlogbeat/module/sysmon/fields.go b/x-pack/winlogbeat/module/sysmon/fields.go index eeb184deb3b..8fef032555d 100644 --- a/x-pack/winlogbeat/module/sysmon/fields.go +++ b/x-pack/winlogbeat/module/sysmon/fields.go @@ -19,5 +19,5 @@ func init() { // AssetSysmon returns asset data. // This is the base64 encoded gzipped contents of module/sysmon. func AssetSysmon() string { - return "eJxUzrFuwzAQA9BdX0Fkjz9AQ6fOXVKgs+qjEaG2zr07N9DfF1WTISsJEu+ML/YM775pS0DUWJlxuowAm8qx8pQAoc9W96jaMl4SALxf6UQxIq4Ef9gCS+UqDt8516XOCB3l092UAOPK4sz4ZJSE+y6ncXxGKxsfqkmaTx4lDh8tEH1n/oPf1OSePfk+ahO9Of5XmFUIYxzWKFjUhun17YLvg9an9BsAAP//OQhWnA==" + return "eJysjrFOKzEQRXt/xVX6+ANcvOo1NDRBokSOfVcZ4djBM5uwf49iEqGVIiraGd1zzhbvXAJ00WOrDjCxwoDNbhxwbHku3DggU1OXk0mrAf8cALwcqETshB0InlkNk7BkhZ6YZJIEa+O5wnkHdBZGZcCeFh1uu+AGeIsaj7xX+VzVq0WbdXwBW04M1/BL6/l2W/W9Ss3tovheIbVMdNrcKzOm1kfT/+cdPmb2xT+0TlLoY08HOTOvxPvWCmN9JH6qWVI0KmQaksxCu0qlEJeouBN/kYq+8ZNptrgv/ENzxQ/Wu68AAAD//xH3plw=" } diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx new file mode 100644 index 0000000000000000000000000000000000000000..4258ea01dd7caab6fc52b32362eccf8777dc8098 GIT binary patch literal 69632 zcmeI$TWl0n7zglgW@o3X=z2or58)Mid=*=YNag{+TGgSB9|yt zf*437K6pt;jN#3gn23=mF)=avWP(0vL=zv@|99pLy%<7BAN1iro7uUX zZ_ed+F4Jz;@L>1Q@PN$TTzg{zM@M2J70&FCIbT=IEB-L&Oqc-$C_n)UP=Epypa2CZ zKmiI+fC9G^=o%jE*puCd|MA1^X2%Il#*YG%Wg?GE9;w#Lxold_*wIs$rsuK1$IlFb z$RBZ$%ii=9kv804iJu{Ece`+lXHKC^-4>us-Tt)kXYGBxcN+HwXVqsFuK%(>lH5D1 zj1ilcKKr3PUys;s_xKVt5#+B<7ix<&XQNQK3`0}(IM9u|MA_jP-SloenMLl}; za3GsZ>HASuKcdEv+KRn98jNe-_GAMpJAy=!R7xEG89N?osyum8#?6yRN=rJHiOG6| z9kLPE`%0!^t&vWoJ&fJgA*b2YTujJQ$f6HqLumexse;m_Jn`LBOnlENlLv4k8tL;& zOJti38-i38X>O`aJP&=m5Es!9@4pb2bqLhH8a6?qL9Wcl#e6$XyAFG@#q`BK6XI%t zj#T49r+{uBFZ5+2I#9bsiL^LJbBfDiTtqWx@ArYMMe;%PTMmx>aM#edRC!?Egp0Rq zjw{|QL!m>)v;(07sDO4+KVl4z&LSOCj~!0T=)veA@c2?0a}pRWQ)@|gEICbkGcwdF zYfVCVH=9$wNsUF2&*q%7_+`&p#_g0}hyqkDG$R?(NZfpf^S9lK83A zj@exZ%;RHg5lG0+$gQ4G-zMD}4IWlg=c(<;RA zoMLe`0(4c=j$4rp4AcmQf>th^D{kCLgQHJ&qb$v%Ahl+~HsZS$_nJh-HKS-L{-7>E zr)uYnBRzx^xgQaJv?>p-^JObqre)aHmCKzmFI6dvJh=m*7=UKSc*ScgY)c?j5=bRd zG0<_QdmsrDhsVwR23%E0T6%CS^A;iIZhY)E@#3n}lTToEd=F!<4XY+zhGvUnO6V5X zqSvF&GncGd*^YZz^mPt{KaX~Y%gzX{v+`Wq==P;w|I+c*I{*66slR`|-RJAg>{AMz zCE?iA^&(ut-~auU1ugm;>3 z`*2@Z$95d`U96++M9#yCrG;whJ=lF+72{5T5k8I@4BS{5-6Xn1J9>$IUQKOu3A(ZX zv1szTNz_PVYi+FQ`Y`9RSwlNoUfrZCX?>=~K6Bqx{{Nm1{o*EL5@@{Ut?kiKVe8}F z7+P);gGi$m*(e<&HY$#Rr!T49Xr-HshjGm|PFrc?QfB!aGjRp!M*pZw7EkIM!%h0( zlMmV_tEQgxF$nb~sIS93B1^)^dK;;AvSpN`F8LWNL!Z20%5jr{B((*)Y-&4a^il?6 zMqjtOVChQaCQDIghH?d7%>}QRE>3TD~>%F&70AlEwV#;@qXHf zMJ0n{HRengQnn$j17{t`y?55U>Yed2XhvzhaM^F#sDD7{9}fd&{k+-JI*WAi)}=Fi z@#{NRdn|8ilS7KmEnT0cB70H8QGBAwp!JR-dl9X@sFOtB;VRvLdi3MEfP8xJY@@8i z-Uz)$q_tv{w8&~{#-|PKY=c||EpEkGGrl{K+JNs)T(_IEF5K@#OcSnKP0Vs*TRuf4pa2CZKmiI+fC3bt00k&O0SZun0u-PC1t>rP3Q&Lo6rcbFC_n)UP=Epy zpa2CZKmiI+fC3bt00k&O0SZun0u-PC1t>rP3Q&Lo6rcbFC_n)UP=Epypa2CZKmiI+ zfC3bt00k&O0SZun0u-PC1t>rP3Q&Lo6rcbFC_n)UP=Epypa2CZKmiI+fC3bt00k&O z0SZun0u-PC1t>rP3Q&Lo6rcbFC_n)UP=Epypa2CZKmiI+fC3bt00k&O0SZun0u-PC z1t>rP3Q&Lo6rcbFC_n)UP=Epy_&*4EsKm8b`(#qiT*~7-IzBI-T+!?3D5I6X>9tJU zuixA#KmiI+fC3bt00k&O0SZun0u-PC1t>rP3Q&Lo6rcbFC_n)UP=Epypa2CZKmiI+ zfC3bt00k&O0SZun0u-PC1t>rP3Q&Lo6rcbFC_n)UP=Epypa2CZKmiI+fC3bt00k&O O0SZun0u=ZU1pWabzN3r) literal 0 HcmV?d00001 diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx.golden.json new file mode 100644 index 00000000000..1e36d89016c --- /dev/null +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx.golden.json @@ -0,0 +1,74 @@ +[ + { + "@timestamp": "2020-05-07T07:27:18.722Z", + "event": { + "code": 23, + "kind": "event", + "module": "sysmon", + "provider": "Microsoft-Windows-Sysmon" + }, + "fields": { + "event": { + "category": [ + "file" + ], + "type": [ + "deletion" + ] + } + }, + "file": { + "name": "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\lastalive0.dat" + }, + "hash": { + "sha1": "115106f5b338c87ae6836d50dd890de3da296367" + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "level": "information" + }, + "process": { + "entity_id": "{42f11c3b-b2b6-5eb3-18ab-000000000000}", + "executable": "C:\\Windows\\System32\\svchost.exe", + "name": "svchost.exe", + "pid": 776 + }, + "rule": { + "name": "-" + }, + "sysmon": { + "file": { + "archived": true, + "is_executable": false + } + }, + "user": { + "domain": "NT AUTHORITY", + "name": "LOCAL SERVICE" + }, + "winlog": { + "api": "wineventlog", + "channel": "Microsoft-Windows-Sysmon/Operational", + "computer_name": "vagrant-2012-r2", + "event_id": 23, + "process": { + "pid": 664, + "thread": { + "id": 2360 + } + }, + "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "provider_name": "Microsoft-Windows-Sysmon", + "record_id": 11, + "user": { + "domain": "NT AUTHORITY", + "identifier": "S-1-5-18", + "name": "SYSTEM", + "type": "Well Known Group" + }, + "version": 5 + } + } +] \ No newline at end of file