Sysmon Ingest Pipeline Issue with ProcessId #1918

El-Reno · 2020-11-13T18:29:45Z

El-Reno
Nov 13, 2020

I've noticed that Sysmon event logs are not properly renaming Process IDs from winlog.event_data.ProcessId. Looking at the Elasticsearch ingest file for Sysmon, the ingest does not correctly identify the true Sysmon field. The ingest pipeline is looking for ProcessID and processID. The correct Sysmon field should be ProcessId. Adding the following line after the last ProcessID line in sysmon ingest corrects the issue:
{ "rename": { "field": "winlog.event_data.ProcessId", "target_field": "process.pid", "ignore_missing": true } }

Answered by defensivedepth

Nov 17, 2020

Just merged in this fix, thanks for pointing this out!

#1954

View full answer

weslambert · 2020-11-17T13:57:07Z

weslambert
Nov 17, 2020

We'll take a look at this - thanks!

0 replies

defensivedepth · 2020-11-17T14:05:18Z

defensivedepth
Nov 17, 2020
Maintainer

Just merged in this fix, thanks for pointing this out!

#1954

1 reply

El-Reno Nov 18, 2020
Author

No problem! Thank you guys for making an awesome product!

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Sysmon Ingest Pipeline Issue with ProcessId #1918

Uh oh!

{{title}}

Uh oh!

Replies: 2 comments 1 reply

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Sysmon Ingest Pipeline Issue with ProcessId #1918

Uh oh!

El-Reno Nov 13, 2020

Replies: 2 comments · 1 reply

Uh oh!

weslambert Nov 17, 2020

Uh oh!

defensivedepth Nov 17, 2020 Maintainer

Uh oh!

El-Reno Nov 18, 2020 Author

El-Reno
Nov 13, 2020

Replies: 2 comments 1 reply

weslambert
Nov 17, 2020

defensivedepth
Nov 17, 2020
Maintainer

El-Reno Nov 18, 2020
Author