Hi Everybody
I'm not much of a programmer, but I'm tempted to try to learn by submitting some changes to winlogbeat, and I would be interested in finding out whether I'm doing this right. Newer versions of Sysmon added event ID 22, which is a DNS query by a specific process.
I've modified the winlogbeat-sysmon.js file to rename fields based on https://www.elastic.co/guide/en/beats/packetbeat/current/exported-fields-dns.html. Here's what I've changed in winlogbeat\sysmon\config\winlogbeat-sysmon.js; I added:
    var event22 = new processor.Chain()
        .Add(parseUtcTime)
        .Convert({
            fields: [
                {from: "winlog.event_data.UtcTime", to: "@timestamp"},
                {from: "winlog.event_data.ProcessGuid", to: "process.entity_id"},
                {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"},
                {from: "winlog.event_data.Image", to: "process.executable"},
                {from: "winlog.event_data.QueryName", to: "dns.question.name"},
                // Note: ECS dns.answers is an array of objects (name/type/data/...),
                // while Sysmon's QueryResults is one ";"-separated string, so a plain
                // rename leaves a string in that field; it needs splitting before indexing.
                {from: "winlog.event_data.QueryResults", to: "dns.answers"},
            ],
            mode: "rename",
            ignore_missing: true,
            fail_on_error: false,
        })
        .Add(setProcessNameUsingExe)
        .Add(removeEmptyEventData)
        .Build();
    -snip-
    // Event ID 22 - DNS Query
    22: event22.Run,
Does this look good? I'm not sure whether this complies with the ECS format. I'd also like to get this contributed to the GitHub repo, but that might take too much time for me.
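One way to see how the Sysmon QueryResults string maps onto ECS dns.answers, as an added stand-alone example that is not from the post above and not winlogbeat's own module code. It assumes the QueryResults layout Sysmon writes: entries separated by ";", IPv4 answers as IPv4-mapped IPv6 ("::ffff:A.B.C.D"), IPv6 answers as bare addresses, and other records as "type: <rrtype> <data>"; the event data and addresses are constructed.

```javascript
// Added example (not from the post above and not winlogbeat's own module code):
// a stand-alone helper that turns Sysmon event 22 fields into ECS-shaped dns.*
// values, so QueryResults becomes dns.answers objects instead of a raw string.
// Assumed QueryResults layout (as Sysmon writes it): entries separated by ";",
// IPv4 answers as IPv4-mapped IPv6 ("::ffff:A.B.C.D"), IPv6 answers as bare
// addresses, and non-address records as "type: <rrtype> <data>".
const RR_TYPE_NAMES = { 1: "A", 5: "CNAME", 6: "SOA", 15: "MX", 16: "TXT", 28: "AAAA" };

function parseQueryResults(queryResults) {
  const answers = [];
  if (typeof queryResults !== "string") return answers; // missing on failed lookups
  for (const raw of queryResults.split(";")) {
    const entry = raw.trim();
    if (!entry) continue; // trailing ";" yields an empty entry
    const typed = /^type:\s*(\d+)\s+(.+)$/.exec(entry);
    if (typed) {
      const code = Number(typed[1]);
      answers.push({ type: RR_TYPE_NAMES[code] || String(code), data: typed[2].trim() });
    } else if (entry.startsWith("::ffff:")) {
      answers.push({ type: "A", data: entry.slice("::ffff:".length) });
    } else if (entry.includes(":")) {
      answers.push({ type: "AAAA", data: entry });
    } else {
      answers.push({ type: "A", data: entry }); // bare IPv4, seen in some builds
    }
  }
  return answers;
}

// Builds the ECS dns object from the event_data fields the post renames.
function toEcsDns(eventData) {
  const answers = parseQueryResults(eventData.QueryResults);
  const dns = { question: { name: eventData.QueryName }, answers: answers };
  const ips = answers.filter(a => a.type === "A" || a.type === "AAAA").map(a => a.data);
  if (ips.length) dns.resolved_ip = ips; // ECS dns.resolved_ip: every address in the answers
  return dns;
}

// Constructed sample of what Sysmon puts in event 22 (names and addresses are made up).
const SAMPLE_EVENT_DATA = {
  QueryName: "www.example.com",
  QueryResults: "type:  5 www.example.com.edgekey.net;type:  5 e1234.dscb.akamaiedge.net;" +
                "::ffff:93.184.216.34;2606:2800:220:1:248c:3b17:8e9a:1e4;",
};

console.log(JSON.stringify(toEcsDns(SAMPLE_EVENT_DATA), null, 2));
```

In the real module the same logic would live in a processor function added to the chain with .Add(), reading the field with evt.Get and writing it back with evt.Put.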