Change log for ELASTIC_WINLOGBEAT
Date | Type | Changes |
---|---|---|
2022-08-09 | Bug-fix | Added conditions for extracting Target user details. |
2022-08-09 | Bug-fix | Reduced the generic percentage by changing the event_type from "GENERIC_EVENT" to "STATUS_UPDATE". |
2022-05-26 | Enhancement | kind mapped to additional.fields. |
2022-05-26 | Enhancement | ephemeral_id mapped to additional.fields. |
2022-05-26 | Enhancement | cs.version mapped to metadata.product_version. |
2022-05-26 | Enhancement | agent.name mapped to observer.user.userid. |
2022-05-26 | Enhancement | agent.ephemeral_id mapped to additional.fields. |
2022-05-26 | Enhancement | winlog.provider_guid mapped to additional.fields. |
2022-05-26 | Enhancement | winlog.channel mapped to additional.fields. |
2022-05-26 | Enhancement | winlog.api mapped to additional.fields. |
2022-05-26 | Enhancement | winlog.process.pid mapped to principal.process.pid. |
2022-05-26 | Enhancement | winlog.user.domain mapped to principal.administrative_domain. |
2022-05-26 | Enhancement | winlog.user.identifier mapped to principal.user.windows_sid. |
2022-05-26 | Enhancement | winlog.user.name mapped to target.user.userid. |
2022-05-26 | Enhancement | winlog.user.type mapped to security_result.about.labels. |
2022-05-26 | Enhancement | ip mapped to principal.ip. |
2022-05-26 | Enhancement | mac mapped to principal.mac. |
2022-05-26 | Enhancement | image mapped to target.process.file.full_path. |
2022-05-26 | Enhancement | processGuid mapped to target.process.product_specific_process_id. |
2022-05-26 | Enhancement | eventType mapped to target.registry.registry_key. |
2022-05-26 | Enhancement | TargetObject mapped to target.registry.registry_value_name. |
2022-05-26 | Enhancement | Action ID mapped to security_result.about.labels. |
2022-05-26 | Enhancement | Action Name mapped to security_result.about.labels. |
2022-05-19 | Bug-fix | For event_id 1, 3, 5: "agent.name" mapped to "principal.hostname"; "winlog.process.pid" mapped to "principal.process.pid"; "winlog.event_data.Image" mapped to "target.process.file.full_path". |
2022-05-19 | Bug-fix | For event_id 7, 11, 17, 18: "agent.name" mapped to "principal.hostname"; "winlog.event_data.Image" mapped to "target.process.file.full_path". |
2022-05-19 | Bug-fix | For event_id 4, 8, 9, 10, 12, 13, 14, 16, 19, 20, 21, 26: "agent.name" mapped to "principal.hostname". |
2022-05-19 | Bug-fix | For event_id 6: "agent.name" mapped to "principal.hostname"; "winlog.event_data.Hashes" mapped to "target.process.file.sha1". |
2022-05-19 | Bug-fix | For event_id 2, 15: "agent.name" mapped to "principal.hostname"; "winlog.event_data.TargetFilename" mapped to "target.file.full_path". |
2022-05-19 | Bug-fix | Added check for file.path in event_id 9. |
2022-05-04 | Enhancement | Mapped timestamp. |
2022-05-04 | Enhancement | Mapped winlog.event_data.TargetFilename and winlog.event_data.ProcessId for event_id 11. |
2022-05-04 | Enhancement | Mapped winlog.event_data.SourcePort, winlog.event_data.DestinationPort, winlog.event_data.DestinationIp, winlog.event_data.SourceIp and winlog.event_data.Protocol for event_id 3. |
2022-05-04 | Enhancement | Added conditional checks for the field process.pid. |
2022-04-27 | Enhancement | Added new field mapping: StartAddress mapped to target.labels. |
2022-04-13 | Enhancement | Mapped ReferrerUrl and HostUrl from additional to security_result.rule_labels. |
2022-04-13 | Enhancement | Mapped the CallTrace field to security_result.detection_fields. |
2022-04-13 | Enhancement | Handled the following parser errors: "winlog.keywords.0" not found in state data; "security_result" not found in state data; "winlog.record_id": field not set; "_event.provider": field not set; "powershell.file.script_block_id": field not set; "winlog.opcode": field not set; "_event.action": field not set; "auth_mechanism" must not be empty; "winlog.process.pid": field not set; "winlog.event_data.TargetUserName": field not set; "agent.type": field not set; "host.name": field not set; "agent.version": field not set. |
2022-03-25 | Enhancement | Added check for event_type where event.code is either 11, 12, or 13. |
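The event_id-conditional mappings of the 2022-05-19 entry, modelled as an added Python example (not the parser's own code): it assumes winlogbeat places the Sysmon event id in winlog.event_id, that Sysmon's Hashes value has the "SHA1=...,MD5=..." form, and it emits dotted UDM field names as keys; the sample event is constructed.

```python
# Added example, not the parser's own code: the event_id-conditional rules of the
# 2022-05-19 entry applied to one winlogbeat event (assumes winlog.event_id holds the id).
HOST = ("agent.name", "principal.hostname")
IMAGE = ("winlog.event_data.Image", "target.process.file.full_path")
RULES = [  # (event ids, [(winlogbeat source field, UDM destination field), ...])
    ({1, 3, 5}, [HOST, ("winlog.process.pid", "principal.process.pid"), IMAGE]),
    ({7, 11, 17, 18}, [HOST, IMAGE]),
    ({4, 8, 9, 10, 12, 13, 14, 16, 19, 20, 21, 26}, [HOST]),
    ({6}, [HOST, ("winlog.event_data.Hashes", "target.process.file.sha1")]),
    ({2, 15}, [HOST, ("winlog.event_data.TargetFilename", "target.file.full_path")]),
]

# Constructed sample: a Sysmon event 6 (driver loaded) as winlogbeat would ship it.
SAMPLE_EVENT = {
    "agent": {"name": "WIN-DC01"},
    "winlog": {"event_id": "6", "process": {"pid": 2412}, "event_data": {
        "Image": "C:\\Windows\\System32\\drivers\\example.sys",
        "Hashes": "SHA1=0123456789abcdef0123456789abcdef01234567,MD5=d41d8cd98f00b204e9800998ecf8427e"}},
}
def _get(doc, path):
    """Walk a dotted path through nested dicts; None if any part is missing."""
    for part in path.split("."):
        if not isinstance(doc, dict) or part not in doc:
            return None
        doc = doc[part]
    return doc
def sha1_from_hashes(hashes):
    """Pick the SHA1 digest out of Sysmon's 'SHA1=..,MD5=..' string (assumed format)."""
    for item in hashes.split(","):
        alg, _, digest = item.partition("=")
        if alg.strip().upper() == "SHA1" and digest.strip():
            return digest.strip().lower()
    return None
def map_event(event):
    """Return {udm_field: value} for the rules whose event ids match this event."""
    udm = {}
    try:
        event_id = int(_get(event, "winlog.event_id"))
    except (TypeError, ValueError):
        return udm  # no usable event id: none of these rules apply
    for src, dst in [p for ids, pairs in RULES if event_id in ids for p in pairs]:
        value = _get(event, src)
        if value in (None, ""):
            continue  # unset source field: emit nothing, not an empty UDM field
        if dst.endswith(".sha1"):
            value = sha1_from_hashes(str(value))
        if value is not None:
            udm[dst] = value
    return udm
```

Running map_event(SAMPLE_EVENT) yields only principal.hostname and target.process.file.sha1, since winlog.process.pid and Image are not mapped for event 6 under these rules.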