ECS: Converting winlogbeat for Sysmon/Security to Logstash

I'm in the process of converting the winlogbeat JavaScript to Logstash, and I want to be sure I'm correctly interpreting some of the JavaScript.

In the snip below, is the winlogbeats.js template for Sysmon separating the binary from the file path and putting just the binary into the process.name, process.executable, process.parent.executable, and process.parent.name ECS fields?

    // "path" is the module the Winlogbeat JavaScript processor runtime exposes
    // for path handling; it is what provides path.basename() below.
    var path = require("path");

    // Derive process.name from process.executable.
    var setProcessNameUsingExe = function (evt) {
        setProcessNameFromPath(evt, "process.executable", "process.name");
    };

    // Derive process.parent.name from process.parent.executable.
    var setParentProcessNameUsingExe = function (evt) {
        setProcessNameFromPath(
            evt,
            "process.parent.executable",
            "process.parent.name"
        );
    };

    // Copy the last path component of pathField into nameField, but only
    // when nameField is not already populated.
    var setProcessNameFromPath = function (evt, pathField, nameField) {
        var name = evt.Get(nameField);
        if (name) {
            return;
        }
        var exe = evt.Get(pathField);
        evt.Put(nameField, path.basename(exe));
    };

Also, because the path.basename(exe) contains the 'exe' string, would it only do that for exe files?

Regards,

Matt

It sets the process.name field with the basename of the process.executable if and only if process.name is not set.
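The same rule written in Ruby, the language of a Logstash `ruby` filter, as an added example that is not part of the original thread and not Winlogbeat's own code. Events are modelled as nested Hashes with ECS field names, and the `get_field`/`put_field` helpers stand in for `event.get("[process][executable]")` / `event.set("[process][name]", ...)` in a real filter. It also covers the one caveat a converter runs into: Sysmon paths use backslashes, and `File.basename` on a Linux Logstash host does not split on `\`, so the basename is taken with a regex that accepts both separators.

```ruby
# Added example, not code from the original thread or from Winlogbeat itself.

# Read a dotted ECS field from a nested Hash, returning nil if any level is absent.
def get_field(event, dotted)
  dotted.split(".").reduce(event) { |node, key| node.is_a?(Hash) ? node[key] : nil }
end

# Write a dotted ECS field into a nested Hash, creating intermediate Hashes.
def put_field(event, dotted, value)
  keys = dotted.split(".")
  last = keys.pop
  parent = keys.reduce(event) { |node, key| node[key] ||= {} }
  parent[last] = value
end

# Last path component, split on both '\' and '/'. Sysmon reports Windows
# paths with backslashes; File.basename on a Linux Logstash host treats '\'
# as an ordinary character and would return the whole path unchanged.
def windows_basename(exe)
  return nil if exe.nil? || exe.to_s.empty?
  exe.to_s.split(/[\\\/]/).last
end

# Mirrors setProcessNameFromPath: fill name_field from the basename of
# path_field only when name_field is empty. Nothing about the extension is
# checked; "exe" in the original only names the variable holding the path.
def set_process_name_from_path(event, path_field, name_field)
  name = get_field(event, name_field)
  return event if name && !name.to_s.empty?
  base = windows_basename(get_field(event, path_field))
  put_field(event, name_field, base) unless base.nil?
  event
end

def set_process_name_using_exe(event)
  set_process_name_from_path(event, "process.executable", "process.name")
end

def set_parent_process_name_using_exe(event)
  set_process_name_from_path(event, "process.parent.executable", "process.parent.name")
end

# Constructed sample events (not real captures) covering the three cases a
# converter needs to get right: a normal .exe, a non-.exe image, and an event
# whose process.name was already populated upstream.
def sample_events
  [
    { "process" => { "executable" => "C:\\Windows\\System32\\svchost.exe",
                     "parent" => { "executable" => "C:\\Windows\\System32\\services.exe" } } },
    { "process" => { "executable" => "C:\\Tools\\agent.com",
                     "parent" => { "executable" => "C:\\Windows\\explorer.exe" } } },
    { "process" => { "executable" => "C:\\Windows\\System32\\cmd.exe",
                     "name" => "already-set" } },
  ]
end

# Run both helpers over the samples and return the enriched events.
def enrich_samples
  sample_events.map do |ev|
    set_process_name_using_exe(ev)
    set_parent_process_name_using_exe(ev)
    ev
  end
end

if __FILE__ == $PROGRAM_NAME
  enrich_samples.each { |ev| puts ev.inspect }
end
```

Inside a Logstash pipeline the body of `set_process_name_from_path` is what goes into `ruby { code => "..." }`, with `event.get`/`event.set` in place of the Hash helpers; the regex split is the part not to drop, since a `File.basename` port silently leaves `process.name` equal to the full Windows path.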
