From ea3dfcff1289220b37f44f1c39ff22185f2e652d Mon Sep 17 00:00:00 2001 From: Marc Guasch Date: Wed, 19 Aug 2020 16:40:45 +0200 Subject: [PATCH] [Winlogbeat][Sysmon] Remove top level hash property from sysmon events (#20653) * Remove top level hash property from sysmon events * Add CHANGELOG entry --- CHANGELOG.next.asciidoc | 1 + .../module/sysmon/config/winlogbeat-sysmon.js | 3 --- .../testdata/sysmon-11-filedelete.evtx.golden.json | 10 ---------- .../sysmon/test/testdata/sysmon-9.01.evtx.golden.json | 9 --------- 4 files changed, 1 insertion(+), 22 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 2112a664a64d..e94b224985bf 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -97,6 +97,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add Powershell module. Support for event ID's: `400`, `403`, `600`, `800`, `4103`, `4014`, `4105`, `4106`. {issue}16262[16262] {pull}18526[18526] - Fix Powershell processing of downgraded engine events. {pull}18966[18966] - Fix unprefixed fields in `fields.yml` for Powershell module {issue}18984[18984] +- Remove top level `hash` property from sysmon events {pull}20653[20653] *Functionbeat* diff --git a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js index a491a1e67be5..5fcedb9e40e5 100644 --- a/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js +++ b/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js @@ -424,9 +424,6 @@ var sysmon = (function () { evt.Put(path, value); evt.AppendTo("related.hash", value); - - // TODO: remove in 8.0, see (https://github.com/elastic/beats/issues/18364). - evt.Put("hash." + key, value); }); }; diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx.golden.json index 7e393e6c7ef8..b9c6e245940a 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-11-filedelete.evtx.golden.json @@ -19,10 +19,6 @@ "name": "test.test.exe", "path": "C:\\Users\\vagrant\\AppData\\Local\\Temp\\1\\go-build583768550\\b001\\test.test.exe" }, - "hash": { - "imphash": "d90d8c7812aec8da0fa173afa1293ab2", - "md5": "199e1cf5b2250bd515ecccf4ca686301" - }, "host": { "name": "vagrant-2012-r2" }, @@ -104,9 +100,6 @@ "name": "lastalive0.dat", "path": "C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\lastalive0.dat" }, - "hash": { - "sha1": "115106f5b338c87ae6836d50dd890de3da296367" - }, "host": { "name": "vagrant-2012-r2" }, @@ -181,9 +174,6 @@ "name": "8b34f644-f627-47e7-98e0-957ba1c5eb6d", "path": "C:\\Windows\\System32\\LogFiles\\Scm\\8b34f644-f627-47e7-98e0-957ba1c5eb6d" }, - "hash": { - "md5": "5a9bddf83be530b481f0fd24db28a6ff" - }, "host": { "name": "vagrant-2012-r2" }, diff --git a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json index feb8d830da74..0ba347499a8a 100644 --- a/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json +++ b/x-pack/winlogbeat/module/sysmon/test/testdata/sysmon-9.01.evtx.golden.json @@ -99,9 +99,6 @@ "process_start" ] }, - "hash": { - "sha1": "ac93c3b38e57a2715572933dbcb2a1c2892dbc5e" - }, "host": { "name": "vagrant-2012-r2" }, @@ -188,9 +185,6 @@ "process_start" ] }, - "hash": { - "sha1": "6df8163a6320b80b60733f9d62e2f39b4b16b678" - }, "host": { "name": "vagrant-2012-r2" }, @@ -380,9 +374,6 @@ "process_start" ] }, - "hash": { - "sha1": "5a4c0e82ff95c9fb762d46a696ef9f1b68001c21" - }, "host": { "name": "vagrant-2012-r2" },