From 760f0e7172c1ee42e31bf932682710f56add0fce Mon Sep 17 00:00:00 2001 From: Taylor Swanson Date: Mon, 10 Jan 2022 08:59:09 -0600 Subject: [PATCH 1/2] [Winlogbeat] Add provider name to Security routing pipeline check - Added the two provider names currently supported by the Security pipeline to the conditional check in the routing pipeline. These two providers are "Microsoft-Windows-Eventlog" and "Microsoft-Windows-Security-Auditing". - This will prevent unsupported providers such as "AD FS" from being enriched with incorrect information. --- x-pack/winlogbeat/module/routing/ingest/routing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/winlogbeat/module/routing/ingest/routing.yml b/x-pack/winlogbeat/module/routing/ingest/routing.yml index 7566be69943..52f8825f1ef 100644 --- a/x-pack/winlogbeat/module/routing/ingest/routing.yml +++ b/x-pack/winlogbeat/module/routing/ingest/routing.yml @@ -3,7 +3,7 @@ description: Winlogbeat Routing Pipeline processors: - pipeline: name: '{< IngestPipeline "security" >}' - if: ctx?.winlog?.channel == 'Security' + if: ctx?.winlog?.channel == 'Security' && ['Microsoft-Windows-Eventlog', 'Microsoft-Windows-Security-Auditing'].contains(ctx?.winlog?.provider_name) - pipeline: name: '{< IngestPipeline "sysmon" >}' if: ctx?.winlog?.channel == 'Microsoft-Windows-Sysmon/Operational' From ab5ec38a436b83a14e294da9fecc0823000d4d66 Mon Sep 17 00:00:00 2001 From: Taylor Swanson Date: Mon, 10 Jan 2022 14:43:41 -0600 Subject: [PATCH 2/2] Update changelog --- CHANGELOG.next.asciidoc | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 439d1278732..62d2b9e11f1 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -118,6 +118,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d *Winlogbeat* +- Add provider names to Security pipeline conditional check in routing pipeline. {issue}27288[27288] {pull}29781[29781] *Functionbeat*
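Review bot: The new `if:` condition for the security pipeline is a single very long line with an inline provider allow-list and no comment saying why providers are filtered, which the next maintainer adding a provider will need. I would add a comment above it, `# Route to the security pipeline only for providers it knows how to parse; other providers writing to the Security channel (e.g. AD FS) are deliberately left unenriched.`, and fold the expression with `if: >-` so each clause has its own line: `ctx?.winlog?.channel == 'Security' &&` / `['Microsoft-Windows-Eventlog', 'Microsoft-Windows-Security-Auditing'].contains(ctx?.winlog?.provider_name)`. Note that `contains` here is an exact, case-sensitive match and yields false when `winlog.provider_name` is absent, so Security-channel events lacking that field now skip the security pipeline entirely; confirm that is intended rather than an accidental drop of enrichment. The hunk shows only the first two entries of the `processors:` sequence, so whether further pipelines follow is not visible here.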