[Winlogbeat] Add provider name to Security routing pipeline check (#2…

…9781) - Added the two provider names currently supported by the Security pipeline to the conditional check in the routing pipeline. These two providers are "Microsoft-Windows-Eventlog" and "Microsoft-Windows-Security-Auditing". - This will prevent unsupported providers such as "AD FS" from being enriched with incorrect information.
elastic · Jan 12, 2022 · 56423a0 · 56423a0
1 parent 3270ae1
commit 56423a0
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 1 deletion.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -125,6 +125,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 
 *Winlogbeat*
 
+- Add provider names to Security pipeline conditional check in routing pipeline. {issue}27288[27288] {pull}29781[29781]
 
 *Functionbeat*
 

diff --git a/x-pack/winlogbeat/module/routing/ingest/routing.yml b/x-pack/winlogbeat/module/routing/ingest/routing.yml
@@ -3,7 +3,7 @@ description: Winlogbeat Routing Pipeline
 processors:
   - pipeline:
       name: '{< IngestPipeline "security" >}'
-      if: ctx?.winlog?.channel == 'Security'
+      if: ctx?.winlog?.channel == 'Security' && ['Microsoft-Windows-Eventlog', 'Microsoft-Windows-Security-Auditing'].contains(ctx?.winlog?.provider_name)
   - pipeline:
       name: '{< IngestPipeline "sysmon" >}'
       if: ctx?.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational'