5 changes: 5 additions & 0 deletions packages/system/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "2.16.1"
changes:
- description: Fix file.path, file.name, and file.directory population for Windows Security events 5140 and 5145 by normalizing ShareLocalPath before combining with RelativeTargetName.
type: bugfix
link: https://github.com/elastic/integrations/pull/TODO
- version: "2.16.0"
changes:
- description: Extract user.name and source.address from PAM key-value log messages and password change events in the auth data stream.
Expand Up @@ -22,7 +22,7 @@
]
},
"file": {
"directory": "\\??\\C:\\Documents"
"directory": "C:\\Documents"
},
"host": {
"name": "DC01.contoso.local"
Expand Down Expand Up @@ -116,10 +116,10 @@
]
},
"file": {
"directory": "\\??\\C:\\Documents",
"directory": "C:\\Documents",
"extension": "exe",
"name": "Bginfo.exe",
"path": "\\\\??\\\\C:\\\\Documents\\Bginfo.exe",
"path": "C:\\Documents\\Bginfo.exe",
"target_path": "\\\\\\\\\\\\*\\\\Documents\\Bginfo.exe"
},
"host": {
Expand Up @@ -4986,35 +4986,61 @@ processors:
return;
}
ctx.network.put("transport", t)
- set:
field: file.name
copy_from: winlog.event_data.RelativeTargetName
if: |-
ctx.event?.code != null &&
["5140", "5145"].contains(ctx.event.code) &&
ctx.winlog?.event_data?.RelativeTargetName != null &&
ctx.winlog.event_data.RelativeTargetName != ""
- set:
field: file.directory
copy_from: winlog.event_data.ShareLocalPath
- script:
description: Adds file information for file share events.
# Event codes 5140 (network share object accessed) and 5145 (network share object checked to see
# if client can be granted desired access) contain file information in the RelativeTargetName
# and ShareLocalPath fields. They need to be combined and normalized to populate file.path,
# file.name, and file.directory for ECS compliance.
lang: painless
if: |-
ctx.event?.code != null &&
["5140", "5142", "5145"].contains(ctx.event.code) &&
ctx.winlog?.event_data?.ShareLocalPath != null &&
ctx.winlog.event_data.ShareLocalPath != ""
- set:
field: file.path
value: "{{file.directory}}\\{{file.name}}"
if: ctx.file?.name != null && ctx.file?.directory != null
["5140", "5142", "5145"].contains(ctx.event.code)
source: |-
if (ctx.file == null) { ctx.file = new HashMap(); }
String rel = "";
if (ctx.winlog?.event_data?.RelativeTargetName != null) {
rel = ctx.winlog.event_data.RelativeTargetName;
}
String share = "";
if (ctx.winlog?.event_data?.ShareLocalPath != null) {
share = ctx.winlog.event_data.ShareLocalPath;
}
if (share.startsWith("\\??\\")) {
share = share.substring(4);
} else if (share.startsWith("\\?\\")) {
share = share.substring(3);
}
if (share.endsWith("\\")) {
share = share.substring(0, share.length() - 1);
}
if (rel.startsWith("\\")) {
rel = rel.substring(1);
}
if (rel != "") {
String path = share + "\\" + rel;
ctx.file.put("path", path);
int lastSep = path.lastIndexOf('\\');
if (lastSep >= 0) {
ctx.file.put("name", path.substring(lastSep + 1));
ctx.file.put("directory", path.substring(0, lastSep));
} else {
ctx.file.put("directory", share);
}
} else {
ctx.file.put("directory", share);
}

- set:
field: file.target_path
value: "{{winlog.event_data.ShareName}}\\{{file.name}}"
value: "{{winlog.event_data.ShareName}}\\{{winlog.event_data.RelativeTargetName}}"
if: |-
ctx.event?.code != null &&
["5140", "5145"].contains(ctx.event.code) &&
ctx.winlog?.event_data?.ShareName != null &&
ctx.winlog.event_data.ShareName != "" &&
ctx.file?.name != null
ctx.winlog?.event_data?.RelativeTargetName != null &&
ctx.winlog.event_data.RelativeTargetName != ""
- script:
description: Adds file information.
lang: painless
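Review bot: The new script's `if` drops the ShareLocalPath presence check that the replaced `set` had, so a 5140/5142/5145 event without ShareLocalPath (or with it empty) now gets `file.directory` written as `""`, and when RelativeTargetName is present a `file.path` that begins with a lone backslash, because the script body defaults `share` to `""` and never bails out. Either restore the guard in the condition, `ctx.winlog?.event_data?.ShareLocalPath != null && ctx.winlog.event_data.ShareLocalPath != ""`, or return early in the script when `share` is empty (`if (share == "") { return; }`) and only create the `ctx.file` map after that check, so no empty `file` object is left on the event. The `processors:` list this script belongs to continues outside the hunk.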
2 changes: 1 addition & 1 deletion packages/system/manifest.yml
@@ -1,7 +1,7 @@
format_version: 3.4.0
name: system
title: System
version: "2.16.0"
version: "2.16.1"
description: Collect system logs and metrics from your servers with Elastic Agent.
type: integration
categories:
5 changes: 5 additions & 0 deletions packages/windows/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "3.8.1"
changes:
- description: Fix file.path, file.name, and file.directory population for Windows Security events 5140 and 5145 by normalizing ShareLocalPath before combining with RelativeTargetName.
type: bugfix
link: https://github.com/elastic/integrations/pull/TODO
- version: "3.8.0"
changes:
- description: Add process.args_count to forwarded security process events (event 4688).
@@ -0,0 +1,52 @@
{
"events": [
{
"event": {
"code": "5145",
"kind": "event",
"outcome": "success",
"provider": "Microsoft-Windows-Security-Auditing"
},
"host": {
"name": "FS01.contoso.local"
},
"log": {
"level": "information"
},
"winlog": {
"channel": "Security",
"computer_name": "FS01.contoso.local",
"event_data": {
"SubjectUserSid": "S-1-5-21-3457937927-2839227994-823803824-1104",
"SubjectUserName": "dadmin",
"SubjectDomainName": "CONTOSO",
"SubjectLogonId": "0x32004",
"ObjectType": "File",
"IpAddress": "192.168.1.50",
"IpPort": "49152",
"ShareName": "\\\\*\\Documents",
"ShareLocalPath": "C:\\Shares\\Documents",
"RelativeTargetName": "\\reports\\Q1\\summary.docx",
"AccessMask": "0x120089",
"AccessList": "%%1538\n\t\t\t\t%%1541\n\t\t\t\t%%4416\n\t\t\t\t%%4419\n\t\t\t\t%%4423",
"AccessReason": "%%1538:\t%%1801 D:(A;;0x1200a9;;;WD)\n\t\t\t\t%%1541:\t%%1801 D:(A;;0x1200a9;;;WD)\n\t\t\t\t%%4416:\t%%1801 D:(A;;0x1200a9;;;WD)\n\t\t\t\t%%4419:\t%%1801 D:(A;;0x1200a9;;;WD)\n\t\t\t\t%%4423:\t%%1801 D:(A;;0x1200a9;;;WD)"
},
"event_id": "5145",
"keywords": [
"Audit Success"
],
"opcode": "Info",
"process": {
"pid": 4,
"thread": {
"id": 312
}
},
"provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"provider_name": "Microsoft-Windows-Security-Auditing",
"record_id": 887623,
"time_created": "2021-06-10T14:22:35.123456700Z"
}
}
]
}
@@ -0,0 +1,116 @@
{
"expected": [
{
"@timestamp": "2021-06-10T14:22:35.123Z",
"ecs": {
"version": "8.17.0"
},
"event": {
"action": "network-share-object-access-checked",
"category": [
"network",
"file"
],
"code": "5145",
"kind": "event",
"outcome": "success",
"provider": "Microsoft-Windows-Security-Auditing",
"type": [
"info",
"access"
]
},
"file": {
"directory": "C:\\Shares\\Documents\\reports\\Q1",
"extension": "docx",
"name": "summary.docx",
"path": "C:\\Shares\\Documents\\reports\\Q1\\summary.docx",
"target_path": "\\\\\\\\*\\\\Documents\\\\\\reports\\\\Q1\\\\summary.docx"
},
"host": {
"name": "FS01.contoso.local",
"os": {
"family": "windows",
"type": "windows"
}
},
"log": {
"level": "information"
},
"related": {
"ip": [
"192.168.1.50"
],
"user": [
"dadmin"
]
},
"source": {
"ip": "192.168.1.50",
"port": 49152
},
"user": {
"domain": "CONTOSO",
"id": "S-1-5-21-3457937927-2839227994-823803824-1104",
"name": "dadmin"
},
"winlog": {
"channel": "Security",
"computer_name": "FS01.contoso.local",
"event_data": {
"AccessList": [
"1538",
"1541",
"4416",
"4419",
"4423"
],
"AccessListDescription": [
"READ_CONTROL",
"SYNCHRONIZE",
"ReadData (or ListDirectory)",
"ReadEA",
"ReadAttributes"
],
"AccessMask": [
"0x120089"
],
"AccessMaskDescription": [
"Create Child",
"SELF",
"List Object",
"READ_CONTROL",
"SYNCHRONIZE"
],
"AccessReason": "%%1538:\t%%1801 D:(A;;0x1200a9;;;WD)\n\t\t\t\t%%1541:\t%%1801 D:(A;;0x1200a9;;;WD)\n\t\t\t\t%%4416:\t%%1801 D:(A;;0x1200a9;;;WD)\n\t\t\t\t%%4419:\t%%1801 D:(A;;0x1200a9;;;WD)\n\t\t\t\t%%4423:\t%%1801 D:(A;;0x1200a9;;;WD)",
"ObjectType": "File",
"RelativeTargetName": "\\reports\\Q1\\summary.docx",
"ShareLocalPath": "C:\\Shares\\Documents",
"ShareName": "\\\\*\\Documents",
"SubjectDomainName": "CONTOSO",
"SubjectLogonId": "0x32004",
"SubjectUserName": "dadmin",
"SubjectUserSid": "S-1-5-21-3457937927-2839227994-823803824-1104"
},
"event_id": "5145",
"keywords": [
"Audit Success"
],
"logon": {
"id": "0x32004"
},
"opcode": "Info",
"process": {
"pid": 4,
"thread": {
"id": 312
}
},
"provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"provider_name": "Microsoft-Windows-Security-Auditing",
"record_id": "887623",
"time_created": "2021-06-10T14:22:35.123456700Z"
}
}
]
}
Expand Up @@ -4429,43 +4429,62 @@ processors:
}
ctx.network.put("transport", t)

- set:
field: file.name
copy_from: winlog.event_data.RelativeTargetName
if: |-
ctx.event?.code != null &&
["5140", "5145"].contains(ctx.event.code) &&
ctx.winlog?.event_data?.RelativeTargetName != null &&
ctx.winlog.event_data.RelativeTargetName != ""
- set:
field: file.directory
copy_from: winlog.event_data.ShareLocalPath
if: |-
ctx.event?.code != null &&
["5140", "5145"].contains(ctx.event.code) &&
ctx.winlog?.event_data?.ShareLocalPath != null &&
ctx.winlog.event_data.ShareLocalPath != ""
- set:
field: file.path
value: "{{file.directory}}\\{{file.name}}"
if: ctx.file?.name != null && ctx.file?.directory != null
- set:
field: file.directory
copy_from: winlog.event_data.ShareLocalPath
- script:
description: Adds file information for file share events.
# Event codes 5140 (network share object accessed) and 5145 (network share object checked to see
# if client can be granted desired access) contain file information in the RelativeTargetName
# and ShareLocalPath fields. They need to be combined and normalized to populate file.path,
# file.name, and file.directory for ECS compliance.
lang: painless
if: |-
ctx.event?.code != null &&
["5140", "5145"].contains(ctx.event.code) &&
ctx.winlog?.event_data?.ShareLocalPath != null &&
ctx.winlog.event_data.ShareLocalPath != ""
["5140", "5142", "5145"].contains(ctx.event.code)
source: |-
if (ctx.file == null) { ctx.file = new HashMap(); }
String rel = "";
if (ctx.winlog?.event_data?.RelativeTargetName != null) {
rel = ctx.winlog.event_data.RelativeTargetName;
}
String share = "";
if (ctx.winlog?.event_data?.ShareLocalPath != null) {
share = ctx.winlog.event_data.ShareLocalPath;
}
if (share.startsWith("\\??\\")) {
share = share.substring(4);
} else if (share.startsWith("\\?\\")) {
share = share.substring(3);
}
if (share.endsWith("\\")) {
share = share.substring(0, share.length() - 1);
}
if (rel.startsWith("\\")) {
rel = rel.substring(1);
}
if (rel != "") {
String path = share + "\\" + rel;
ctx.file.put("path", path);
int lastSep = path.lastIndexOf('\\');
if (lastSep >= 0) {
ctx.file.put("name", path.substring(lastSep + 1));
ctx.file.put("directory", path.substring(0, lastSep));
} else {
ctx.file.put("directory", share);
}
} else {
ctx.file.put("directory", share);
}

- set:
field: file.target_path
value: "{{winlog.event_data.ShareName}}\\{{file.name}}"
value: "{{winlog.event_data.ShareName}}\\{{winlog.event_data.RelativeTargetName}}"
if: |-
ctx.event?.code != null &&
["5140", "5145"].contains(ctx.event.code) &&
ctx.winlog?.event_data?.ShareName != null &&
ctx.winlog.event_data.ShareName != "" &&
ctx.file?.name != null
ctx.winlog?.event_data?.RelativeTargetName != null &&
ctx.winlog.event_data.RelativeTargetName != ""

- script:
description: Adds file information.
lang: painless
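Review bot: The `file.target_path` value at the final `- set:` in the hunk still assembles the path with `{{ }}` mustache, and the rendered result in this PR's new expected fixture, `\\\\*\\Documents\\\reports\\Q1\\summary.docx`, shows every backslash from ShareName and RelativeTargetName doubled (the unchanged `Bginfo.exe` expectation has the same shape), so the field does not hold a usable UNC path; the template renderer appears to escape backslashes on interpolation. Since the script above already has the normalized `rel`, the cleaner fix is to set target_path there and drop the `set` processor: `if (rel != "" && ctx.winlog?.event_data?.ShareName != null) { ctx.file.put("target_path", ctx.winlog.event_data.ShareName + "\\" + rel); }`. Separately, the script's `if` now includes `"5142"`, which the condition it replaces in this file, the description comment and the changelog entry all omit; either add a comment explaining why 5142 (presumably carrying ShareLocalPath but no RelativeTargetName) belongs here or drop it for consistency. The `processors:` list continues outside the hunk.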