
[Security Solution] Visual Event Analyzer not available for sysmon events ingested with Elastic Agent #148043

Closed
kowalczyk-p opened this issue Dec 23, 2022 · 14 comments
Labels
bug Fixes for quality problems that affect the customer experience enhancement New value added to drive a business result fixed impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Threat Hunting:Investigations Security Solution Investigations Team Team:Threat Hunting Security Solution Threat Hunting Team

Comments

@kowalczyk-p

Describe the bug:
Visual event analyzer does not work from events ingested from sysmon with Elastic Agent

Kibana/Elasticsearch Stack version:
8.4.3

Server OS version:
Docker

Elastic Agent version:
8.4.3

Functional Area (e.g. Endpoint management, timelines, resolver, etc.):
Visual Events Analyzer

Docs available at https://www.elastic.co/guide/en/security/current/visual-event-analyzer.html state that:

You can only visualize events triggered by hosts configured with the Elastic Defend integration or any sysmon data from winlogbeat.

In KQL, this translates to any event with the agent.type set to either:

  • endpoint
  • winlogbeat with event.module set to sysmon

Problem is sysmon events ingested with the Elastic Agent windows integration have the following values:

  • event.module : windows
  • agent.type : filebeat

Visual events analyzer works for sysmon events ingested with winlogbeat but does not work for the same events ingested with Elastic Agent.

@kowalczyk-p kowalczyk-p added bug Fixes for quality problems that affect the customer experience Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. triage_needed labels Dec 23, 2022
@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@kqualters-elastic
Contributor

@kowalczyk-p are you sure these events are coming from winlogbeat + sysmon? The sample fields are from a filebeat event, which won't have the requisite process and parent process information needed to build the visual event analyzer; it's just file info. Do you have a full sample event?

@kowalczyk-p
Author

@kqualters-elastic events are from sysmon but I am currently in the process of migrating from Windows Event Forwarding + winlogbeat to Elastic Agent. Currently every event generated by sysmon is ingested into my Elasticsearch twice:

  • once by winlogbeat from the event collector - those events have event.module = sysmon and agent.type = winlogbeat
  • second by Elastic Agent directly from the workstation - those have event.module = windows and agent.type = filebeat.

From what I read this is the way Elastic Agent works - https://discuss.elastic.co/t/does-the-elastic-agent-contain-winlogbeat/282043.
I can paste a full sample event next week.

@MadameSheema MadameSheema added Team:Threat Hunting Security Solution Threat Hunting Team Team:Threat Hunting:Investigations Security Solution Investigations Team labels Jan 9, 2023
@elasticmachine
Contributor

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

@michaelolo24 michaelolo24 added enhancement New value added to drive a business result impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. and removed triage_needed labels Jan 9, 2023
@michaelolo24
Contributor

Thanks for opening this issue @kowalczyk-p! Currently, we explicitly check for a given agent.type & event.module to enable the analyzer. The code for that is here: https://github.com/elastic/kibana/blob/main/x-pack/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/investigate_in_resolver.tsx. With that being said, the use case you've mentioned here is a feasible use case, but we'd need to investigate further to make sure it doesn't enable the analyzer in situations where it may not work as expected.

@kowalczyk-p
Author

Thanks, I hope you will find it easy to solve as the event source (Sysmon) is the same and only the way of indexing it into Elasticsearch has changed (winlogbeat vs Elastic Agent).

@kqualters-elastic
Contributor

kqualters-elastic commented Mar 1, 2023

@kowalczyk-p that linked PR should fix this issue. Sorry that happened, and even more sorry for the delay in getting it fixed; your issue + the mentions on discuss were the first time we became aware of it, as it was a breaking change on the agent side. The reason that we have to be so restrictive in trying to render the analyzer in the first place, and not just any time an event has a process.entity_id, is because some places in agent use entity_id as a unique id for the process that is shipping the data, and not as a unique id for the underlying observed processes creating data. I wish this were not the case, but the ECS docs even mention that the exact meaning of the field is dependent on the data source: https://www.elastic.co/guide/en/ecs/current/ecs-process.html#field-process-entity-id. This can result in a basically useless set of information, with all events having the same id, and we want to be sure that we are dealing with a dataset that is using entity_id as expected. Thanks for filing the issue!
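The two maintainer comments above describe how the analyzer decides whether to offer itself for an event: an explicit allow-list on agent.type and event.module, rather than the mere presence of process.entity_id, because some shippers write their own id into that field and then every event shares one value. The TypeScript below is an added example and not Kibana's code from investigate_in_resolver.tsx: it models that allow-list over constructed ECS-like documents (the documented endpoint and winlogbeat + sysmon cases, plus the agent.type=filebeat / event.module=windows combination reported in this issue) and adds a batch sanity check for the degenerate all-same-entity_id case. The function names, the requirement that process.entity_id be non-empty, and the sample documents are assumptions made for the example.

```typescript
// Added example, not Kibana's own code. Models the analyzer's source
// allow-list from the thread and a sanity check for the entity_id
// failure mode described above. Function names, the entity_id
// requirement and the sample data are assumptions of this example.

type EcsLike = Record<string, unknown>;

// Read a dotted ECS field such as "agent.type" from a document that is
// either flat ({"agent.type": "x"}) or nested ({agent: {type: "x"}}).
// Alert documents often carry values as one-element arrays, so unwrap
// the first element when an array is found. Empty strings count as absent.
function getField(doc: EcsLike, path: string): string | undefined {
  let value: unknown = doc[path];
  if (value === undefined) {
    value = path.split('.').reduce<unknown>(
      (acc, key) => (acc !== null && typeof acc === 'object' ? (acc as EcsLike)[key] : undefined),
      doc
    );
  }
  if (Array.isArray(value)) {
    value = value[0];
  }
  return typeof value === 'string' && value.length > 0 ? value : undefined;
}

// Source allow-list: the documented endpoint and winlogbeat + sysmon cases,
// plus the Elastic Agent windows integration (agent.type=filebeat,
// event.module=windows) reported in this issue. Requiring a non-empty
// process.entity_id is an assumption of this example.
function isAnalyzerEnabled(doc: EcsLike): boolean {
  if (getField(doc, 'process.entity_id') === undefined) {
    return false; // nothing to hang a process tree on
  }
  const agentType = getField(doc, 'agent.type');
  const eventModule = getField(doc, 'event.module');
  const fromEndpoint = agentType === 'endpoint';
  const sysmonViaWinlogbeat = agentType === 'winlogbeat' && eventModule === 'sysmon';
  const sysmonViaAgent = agentType === 'filebeat' && eventModule === 'windows';
  return fromEndpoint || sysmonViaWinlogbeat || sysmonViaAgent;
}

// The failure mode kqualters-elastic describes: a shipper that writes its
// own id into process.entity_id yields a batch where every event shares one
// value, so no tree can be built. Returns true only when the sampled events
// carry at least two distinct entity ids.
function entityIdsLookUsable(docs: EcsLike[]): boolean {
  const ids = new Set<string>();
  for (const doc of docs) {
    const id = getField(doc, 'process.entity_id');
    if (id !== undefined) {
      ids.add(id);
    }
  }
  return ids.size >= 2;
}

// Constructed sample events (not captured data): one per allow-list branch,
// one non-sysmon filebeat event, and one event lacking process.entity_id.
const sampleEvents: EcsLike[] = [
  { 'agent.type': 'winlogbeat', 'event.module': 'sysmon', 'process.entity_id': '{sample-guid-1}' },
  { agent: { type: ['filebeat'] }, event: { module: ['windows'] }, process: { entity_id: ['{sample-guid-2}'] } },
  { 'agent.type': 'endpoint', 'process.entity_id': 'sample-endpoint-3' },
  { 'agent.type': 'filebeat', 'event.module': 'system', 'process.entity_id': 'sample-shipper' },
  { 'agent.type': 'filebeat', 'event.module': 'windows' },
];

// Constructed batch where a shipper stamped its own id onto every event:
// each event passes the allow-list, yet the batch as a whole is unusable.
const degenerateBatch: EcsLike[] = [
  { 'agent.type': 'filebeat', 'event.module': 'windows', 'process.entity_id': 'sample-shipper' },
  { 'agent.type': 'filebeat', 'event.module': 'windows', 'process.entity_id': 'sample-shipper' },
  { 'agent.type': 'filebeat', 'event.module': 'windows', 'process.entity_id': 'sample-shipper' },
];

function evaluateBatch(docs: EcsLike[]): { enabled: boolean[]; usableIds: boolean } {
  return { enabled: docs.map(isAnalyzerEnabled), usableIds: entityIdsLookUsable(docs) };
}

console.log(evaluateBatch(sampleEvents));
console.log(evaluateBatch(degenerateBatch));
```

The per-event check and the batch check answer different questions: the first says whether a single document comes from a source whose entity_id is known to identify the observed process, the second says whether a sample of documents actually behaves that way, which is the property the maintainer says the allow-list exists to protect.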

kqualters-elastic added a commit that referenced this issue Mar 1, 2023
## Summary

Related issue: #148043

With the switch from beats to Elastic Agent, analyzer broke for sysmon data ingested via Elastic Agent, as some fields the code expects to exist became slightly different. This PR updates the frontend and server side API of analyzer to work with both old winlogbeat-style sysmon ingestion and new Elastic Agent + filebeat shipping sysmon-generated data.

https://user-images.githubusercontent.com/56408403/222063497-64b2853e-5d09-4178-b336-1007886c396b.mov

Video with 8.6 agent/fleet + latest main kibana/es + windows 10 w/sysmon vm

### Checklist

- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
kibanamachine pushed a commit to kibanamachine/kibana that referenced this issue Mar 1, 2023
(cherry picked from commit a9313ee)
kibanamachine referenced this issue Mar 1, 2023
…#152492)

# Backport

This will backport the following commits from `main` to `8.7`:
- [[Security Solution] Analyzer with sysmon via filebeat (#152418)](#152418)


### Questions?
Please refer to the [Backport tool documentation](https://github.com/sqren/backport)


Co-authored-by: Kevin Qualters <56408403+kqualters-elastic@users.noreply.github.com>
@kowalczyk-p
Author

@kqualters-elastic Thank you! I'm looking forward to version 8.7.

sloanelybutsurely pushed a commit to sloanelybutsurely/kibana that referenced this issue Mar 8, 2023
bmorelli25 pushed a commit to bmorelli25/kibana that referenced this issue Mar 10, 2023
nkhristinin pushed a commit that referenced this issue Mar 22, 2023
@michaelolo24
Contributor

@kowalczyk-p - Just wanted to check in. If you've had a chance to upgrade to 8.7, can you confirm your issue was resolved? Thanks!

@kowalczyk-p
Author

@michaelolo24 not yet, we have some delay in upgrading our cluster. Currently we are on 8.5 so it will take us some time to reach 8.7.

@PhilippeOberti
Contributor

In an effort to triage/clean up old tickets, I'm just checking here @kowalczyk-p if the upgrade was done and you were able to check if this was correctly fixed for you?

@kowalczyk-p
Author

@PhilippeOberti we are halfway there. I expect to be updated to 8.7 in two weeks.

@michaelolo24
Contributor

Hey @kowalczyk-p - Just checking back in on this 😄, how did the upgrade go?

@kowalczyk-p
Author

Upgrade completed today and analyzer is working :) Thank you very much!
