Winlogbeat NewProcessFields Function Missing Parent Process

Hi Elastic Team,

I'm writing to request an update to the winlogbeat Windows Security module to add the parent process ID value for Windows Security event 4688.

Lines 2132 to 2142 handle field renames for parent/child process fields in 4688:

    var renameNewProcessFields = new processor.Chain()
        .Convert({
            fields: [
                {from: "winlog.event_data.NewProcessId", to: "process.pid", type: "long"},
                {from: "winlog.event_data.NewProcessName", to: "process.executable"},
                {from: "winlog.event_data.ParentProcessName", to: "process.parent.executable"}
            ],
            mode: "rename",
            ignore_missing: true,
            fail_on_error: false,
        })

The parent process ID is missing from the function, which affects Windows Security Event 4688. Looking at a raw sample for a 4688, the parent process in friendly view is re-labeled by Microsoft as Creator Process ID. However, the XML shows the parent process ID structured as ProcessId:

The winlogbeat security module variable event4688 references the renameNewProcessFields function and is the only variable that does, so I propose the renameNewProcessFields function be updated to include the parent process PID:

    var renameNewProcessFields = new processor.Chain()
        .Convert({
            fields: [
                {from: "winlog.event_data.NewProcessId", to: "process.pid", type: "long"},
                {from: "winlog.event_data.NewProcessName", to: "process.executable"},
                {from: "winlog.event_data.ParentProcessName", to: "process.parent.executable"},
                {from: "winlog.event_data.ProcessId", to: "process.parent.pid", type: "long"}  //<---updated line (typed "long" to match process.pid)
            ],
            mode: "rename",
            ignore_missing: true,
            fail_on_error: false,
        })

Since it's an event-dependent variable reference, the context will only be invoked for 4688s and not conflict with any others.

Please advise if this can be submitted via Github as well, or how the request process flows from the discussion area.

Thank you!
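As an added illustration (not Winlogbeat's own code, and not part of the post above), the following JavaScript stands in for the Beats Convert processor in rename mode and applies the proposed field list to a constructed 4688 event. It shows that only the extra `ProcessId` mapping yields `process.parent.pid`, and how `ignore_missing` and `fail_on_error: false` behave. The flat dotted-key event shape, the hex-string PID values and the `convertRename`/`enrich4688` helpers are assumptions made for the example.

```javascript
// Added example, not Winlogbeat's code: a minimal stand-in for the Beats
// Convert processor in "rename" mode, applied to a constructed 4688 event.
// Events are modelled as flat objects with dotted keys (an assumption).

// The field list from the post, with the proposed parent PID line added.
const renameNewProcessFields = [
  {from: "winlog.event_data.NewProcessId", to: "process.pid", type: "long"},
  {from: "winlog.event_data.NewProcessName", to: "process.executable"},
  {from: "winlog.event_data.ParentProcessName", to: "process.parent.executable"},
  {from: "winlog.event_data.ProcessId", to: "process.parent.pid", type: "long"},
];

// Convert one value to the requested type (only "long" is needed here).
// Security-log PIDs arrive as hex strings such as "0x1a4c", so those are
// parsed as base 16; anything else goes through Number().
function convertValue(value, type) {
  if (type !== "long") return value;
  const n = typeof value === "string" && /^0x[0-9a-f]+$/i.test(value)
    ? parseInt(value, 16)
    : Number(value);
  if (!Number.isInteger(n)) throw new Error(`cannot convert ${value} to long`);
  return n;
}

// Apply a field list in rename mode. ignore_missing skips absent source
// fields; with fail_on_error=false a failed conversion keeps the original
// value under the new name instead of aborting the whole chain.
function convertRename(event, fields, {ignore_missing = true, fail_on_error = false} = {}) {
  const out = {...event};
  for (const f of fields) {
    if (!(f.from in out)) {
      if (ignore_missing) continue;
      throw new Error(`missing field ${f.from}`);
    }
    let v = out[f.from];
    try {
      v = convertValue(v, f.type);
    } catch (e) {
      if (fail_on_error) throw e;
      // conversion failed: fall through with the unconverted value
    }
    out[f.to] = v;
    delete out[f.from];
  }
  return out;
}

// Constructed 4688 event_data; values are invented, not from a real host.
const sample4688 = {
  "winlog.event_id": 4688,
  "winlog.event_data.NewProcessId": "0x1a4c",
  "winlog.event_data.NewProcessName": "C:\\Windows\\System32\\cmd.exe",
  "winlog.event_data.ParentProcessName": "C:\\Windows\\explorer.exe",
  "winlog.event_data.ProcessId": "0xf38", // "Creator Process ID" in the friendly view
  "winlog.event_data.SubjectUserName": "alice",
};

// Enrich a 4688 event with the parent/child process fields.
function enrich4688(event) {
  return convertRename(event, renameNewProcessFields);
}

console.log(enrich4688(sample4688));
```

With the first three mappings only, the enriched event carries `process.parent.executable` but no `process.parent.pid`, so parent/child correlation has to fall back on the executable path; the fourth mapping fills the gap from the `ProcessId` field that 4688 already provides.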

Thanks for the detailed report. Yes, please open a Github issue for this.
