Handle process.parent.command_line

Handle the parent process. Update golden files Add changelog
elastic · May 2, 2020 · a7a05fc · a7a05fc
1 parent f82f11f
commit a7a05fc
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 8 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -371,6 +371,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 
 - Add more DNS error codes to the Sysmon module. {issue}15685[15685]
 - Add experimental event log reader implementation that should be faster in most cases. {issue}6585[6585] {pull}16849[16849]
+- Set process.command_line and process.parent.command_line from Sysmon Event ID 1. {pull}17327[17327]
 
 ==== Deprecated
 

diff --git a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js
@@ -301,21 +301,20 @@ var sysmon = (function () {
         evt.Put(nameField, path.basename(exe));
     };
 
-    var splitCommandLine = function(evt, field) {
-        var commandLine = evt.Get(field);
+    var splitCommandLine = function(evt, source, target) {
+        var commandLine = evt.Get(source);
         if (!commandLine) {
             return;
         }
-        evt.Put(field, winlogbeat.splitCommandLine(commandLine));
-        evt.Put("process.command_line", commandLine);
+        evt.Put(target, winlogbeat.splitCommandLine(commandLine));
     };
 
     var splitProcessArgs = function(evt) {
-        splitCommandLine(evt, "process.args");
+        splitCommandLine(evt, "process.command_line", "process.args");
     };
 
     var splitParentProcessArgs = function(evt) {
-        splitCommandLine(evt, "process.parent.args");
+        splitCommandLine(evt, "process.parent.command_line", "process.parent.args");
     };
 
     var addUser = function(evt) {
@@ -470,12 +469,11 @@ var sysmon = (function () {
                 {from: "winlog.event_data.ProcessId", to: "process.pid", type: "long"},
                 {from: "winlog.event_data.Image", to: "process.executable"},
                 {from: "winlog.event_data.CommandLine", to: "process.command_line"},
-                {from: "winlog.event_data.CommandLine", to: "process.args"},
                 {from: "winlog.event_data.CurrentDirectory", to: "process.working_directory"},
                 {from: "winlog.event_data.ParentProcessGuid", to: "process.parent.entity_id"},
                 {from: "winlog.event_data.ParentProcessId", to: "process.parent.pid", type: "long"},
                 {from: "winlog.event_data.ParentImage", to: "process.parent.executable"},
-                {from: "winlog.event_data.ParentCommandLine", to: "process.parent.args"},
+                {from: "winlog.event_data.ParentCommandLine", to: "process.parent.command_line"},
             ],
             mode: "rename",
             ignore_missing: true,

diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json
@@ -101,13 +101,15 @@
       "args": [
         "C:\\Windows\\Sysmon.exe"
       ],
+      "command_line": "C:\\Windows\\Sysmon.exe",
       "entity_id": "{42f11c3b-ce01-5c8f-0000-0010c73e2a00}",
       "executable": "C:\\Windows\\Sysmon.exe",
       "name": "Sysmon.exe",
       "parent": {
         "args": [
           "C:\\Windows\\system32\\services.exe"
         ],
+        "command_line": "C:\\Windows\\system32\\services.exe",
         "entity_id": "{42f11c3b-6e1a-5c8c-0000-0010f14d0000}",
         "executable": "C:\\Windows\\System32\\services.exe",
         "name": "services.exe",
@@ -177,6 +179,7 @@
         "C:\\Windows\\system32\\wbem\\unsecapp.exe",
         "-Embedding"
       ],
+      "command_line": "C:\\Windows\\system32\\wbem\\unsecapp.exe -Embedding",
       "entity_id": "{42f11c3b-ce01-5c8f-0000-00102c412a00}",
       "executable": "C:\\Windows\\System32\\wbem\\unsecapp.exe",
       "name": "unsecapp.exe",
@@ -186,6 +189,7 @@
           "-k",
           "DcomLaunch"
         ],
+        "command_line": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch",
         "entity_id": "{42f11c3b-6e1b-5c8c-0000-00102f610000}",
         "executable": "C:\\Windows\\System32\\svchost.exe",
         "name": "svchost.exe",
@@ -345,6 +349,7 @@
         "C:\\Windows\\system32\\wbem\\wmiprvse.exe",
         "-Embedding"
       ],
+      "command_line": "C:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding",
       "entity_id": "{42f11c3b-ce03-5c8f-0000-0010e9462a00}",
       "executable": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
       "name": "WmiPrvSE.exe",
@@ -354,6 +359,7 @@
           "-k",
           "DcomLaunch"
         ],
+        "command_line": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch",
         "entity_id": "{42f11c3b-6e1b-5c8c-0000-00102f610000}",
         "executable": "C:\\Windows\\System32\\svchost.exe",
         "name": "svchost.exe",