elastic · marc-gr · Apr 25, 2025 · Apr 16, 2025
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.8.1"
+ changes:
+ - description: Handle events without event_data
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/13571
 - version: "1.8.0"
  changes:
  - description: Add 9.0.0 constraint and update to ECS 8.17.0

@@ -5,11 +5,12 @@ processors:
 
  - set:
  field: ecs.version
- value: '8.17.0' 
+ value: '8.17.0'
  - script:
  description: Remove all empty values from event_data.
  lang: painless
- source: ctx.winlog?.event_data?.entrySet()?.removeIf(entry -> [null, "", "-", "{00000000-0000-0000-0000-000000000000}"].contains(entry.getValue()))
+ source: ctx.winlog?.event_data?.entrySet().removeIf(entry -> [null, "", "-", "{00000000-0000-0000-0000-000000000000}"].contains(entry.getValue()))
+ if: ctx.winlog?.event_data != null
  - rename:
  field: winlog.level
  target_field: log.level

@@ -1,6 +1,6 @@
 name: sysmon_linux
 title: Sysmon for Linux
-version: "1.8.0"
+version: "1.8.1"
 description: Collect Sysmon Linux logs with Elastic Agent.
 type: integration
 categories:

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.68.2"
+ changes:
+ - description: Handle events without event_data
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/13571
 - version: "1.68.1"
  changes:
  - description: Change security pipeline to be defensive against different data types.

@@ -57,4 +57,4 @@
  }
  }
  ]
-}
+}
@@ -78,4 +78,4 @@
  }
  }
  ]
-}
+}
@@ -57,4 +57,4 @@
  }
  }
  ]
-}
+}
@@ -62,4 +62,4 @@
  }
  }
  ]
-}
+}
@@ -75,4 +75,4 @@
  }
  }
  ]
-}
+}
@@ -87,4 +87,4 @@
  }
  }
  ]
-}
+}
@@ -60,7 +60,6 @@
  "NewSdDacl0": "Local system :Access Allowed ([Generic All])",
  "NewSdDacl1": "OW :Access Allowed ([Read Permissions])",
  "NewSdDacl2": "S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628 :Access Allowed ([Generic All])",
- "ObjectName": "-",
  "ObjectServer": "Security",
  "ObjectType": "Token",
  "OldSd": "D:(A;;GA;;;SY)(A;;GA;;;NS)",
@@ -94,4 +93,4 @@
  }
  }
  ]
-}
+}
@@ -65,9 +65,7 @@
  "ADS_RIGHT_ACCESS_SYSTEM_SECURITY"
  ],
  "HandleId": "0x0",
- "ObjectName": "-",
  "ObjectServer": "LSA",
- "ObjectType": "-",
  "PrivilegeList": [
  "SeSecurityPrivilege"
  ],

@@ -86,4 +86,4 @@
  }
  }
  ]
-}
+}
@@ -78,4 +78,4 @@
  }
  }
  ]
-}
+}
@@ -78,4 +78,4 @@
  }
  }
  ]
-}
+}
@@ -49,9 +49,7 @@
  "channel": "Security",
  "computer_name": "WIN-BVM4LI1L1Q6.TEST.local",
  "event_data": {
- "DomainName": "-",
  "DomainSid": "S-1-0-0",
- "SidFilteringEnabled": "-",
  "SubjectDomainName": "TEST",
  "SubjectLogonId": "0x6a868",
  "SubjectUserName": "Administrator",
@@ -86,4 +84,4 @@
  }
  }
  ]
-}
+}
@@ -81,4 +81,4 @@
  }
  }
  ]
-}
+}
@@ -81,4 +81,4 @@
  }
  }
  ]
-}
+}
@@ -88,4 +88,4 @@
  }
  }
  ]
-}
+}
@@ -89,4 +89,4 @@
  }
  }
  ]
-}
+}
@@ -46,33 +46,14 @@
  "channel": "Security",
  "computer_name": "DC_TEST2k12",
  "event_data": {
- "AccountExpires": "-",
- "AllowedToDelegateTo": "-",
- "DisplayName": "-",
- "Dummy": "-",
- "HomeDirectory": "-",
- "HomePath": "-",
- "LogonHours": "-",
- "NewUacValue": "-",
- "OldUacValue": "-",
- "PasswordLastSet": "-",
- "PrimaryGroupId": "-",
- "PrivilegeList": "-",
- "ProfilePath": "-",
- "SamAccountName": "-",
- "ScriptPath": "-",
- "SidHistory": "-",
  "SubjectDomainName": "TEST",
  "SubjectLogonId": "0x5e2887",
  "SubjectUserName": "at_adm",
  "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794",
  "TargetDomainName": "TEST",
  "TargetSid": "S-1-5-21-1717121054-434620538-60925301-8884",
  "TargetUserName": "anatest1",
- "UserAccountControl": "-",
- "UserParameters": "-",
- "UserPrincipalName": "anatest12@TEST",
- "UserWorkstations": "-"
+ "UserPrincipalName": "anatest12@TEST"
  },
  "event_id": "4738",
  "keywords": [
@@ -98,4 +79,4 @@
  }
  }
  ]
-}
+}
@@ -48,15 +48,9 @@
  "channel": "Security",
  "computer_name": "WIN-BVM4LI1L1Q6.TEST.local",
  "event_data": {
- "DomainBehaviorVersion": "-",
  "DomainName": "TEST",
  "DomainPolicyChanged": "Password Policy",
  "DomainSid": "S-1-5-21-2024912787-2692429404-2351956786",
- "MachineAccountQuota": "-",
- "MixedDomainMode": "-",
- "OemInformation": "-",
- "PasswordHistoryLength": "-",
- "PrivilegeList": "-",
  "SubjectDomainName": "TEST",
  "SubjectLogonId": "0x3e7",
  "SubjectUserName": "WIN-BVM4LI1L1Q6$",
@@ -85,4 +79,4 @@
  }
  }
  ]
-}
+}
@@ -45,37 +45,14 @@
  },
  "computer_name": "DC_TEST2k12.TEST.",
  "event_data": {
- "AccountExpires": "-",
- "AllowedToDelegateTo": "-",
- "ComputerAccountChange": "-",
- "DisplayName": "-",
- "DnsHostName": "-",
- "HomeDirectory": "-",
- "HomePath": "-",
- "LogonHours": "-",
- "NewUacValue": "-",
- "OldUacValue": "-",
  "PasswordLastSet": "01/08/2022 10:56:47",
- "PrimaryGroupId": "-",
- "PrivilegeList": [
- "-"
- ],
- "ProfilePath": "-",
- "SamAccountName": "-",
- "ScriptPath": "-",
- "ServicePrincipalNames": "-",
- "SidHistory": "-",
  "SubjectDomainName": "NT AUTHORITY",
  "SubjectLogonId": "0x3e6",
  "SubjectUserName": "ANONYMOUS LOGON",
  "SubjectUserSid": "S-1-5-7",
  "TargetDomainName": "TEST",
  "TargetSid": "S-1-5-21-1717121054-434620538-60925301-11556",
- "TargetUserName": "TEST4642$",
- "UserAccountControl": "-",
- "UserParameters": "-",
- "UserPrincipalName": "-",
- "UserWorkstations": "-"
+ "TargetUserName": "TEST4642$"
  },
  "event_id": "4742",
  "keywords": [
@@ -101,4 +78,4 @@
  }
  }
  ]
-}
+}
@@ -54,9 +54,6 @@
  },
  "computer_name": "DC_TEST2k12.TEST.SAAS",
  "event_data": {
- "PrivilegeList": [
- "-"
- ],
  "SubjectDomainName": "TEST",
  "SubjectLogonId": "0x2e67800",
  "SubjectUserName": "at_adm",
@@ -88,4 +85,4 @@
  }
  }
  ]
-}
+}
@@ -54,9 +54,7 @@
  "channel": "Security",
  "computer_name": "DC_TEST2k12.TEST.SAAS",
  "event_data": {
- "PrivilegeList": "-",
  "SamAccountName": "testdistlocal",
- "SidHistory": "-",
  "SubjectDomainName": "TEST",
  "SubjectLogonId": "0x2e67800",
  "SubjectUserName": "at_adm",
@@ -88,4 +86,4 @@
  }
  }
  ]
-}
+}
@@ -54,9 +54,7 @@
  "channel": "Security",
  "computer_name": "DC_TEST2k12.TEST.SAAS",
  "event_data": {
- "PrivilegeList": "-",
  "SamAccountName": "testdistlocal1",
- "SidHistory": "-",
  "SubjectDomainName": "TEST",
  "SubjectLogonId": "0x2e67800",
  "SubjectUserName": "at_adm",
@@ -88,4 +86,4 @@
  }
  }
  ]
-}
+}
@@ -66,7 +66,6 @@
  "event_data": {
  "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS",
  "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500",
- "PrivilegeList": "-",
  "SubjectDomainName": "TEST",
  "SubjectLogonId": "0x2e67800",
  "SubjectUserName": "at_adm",
@@ -98,4 +97,4 @@
  }
  }
  ]
-}
+}
@@ -66,7 +66,6 @@
  "event_data": {
  "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS",
  "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500",
- "PrivilegeList": "-",
  "SubjectDomainName": "TEST",
  "SubjectLogonId": "0x2e67800",
  "SubjectUserName": "at_adm",
@@ -98,4 +97,4 @@
  }
  }
  ]
-}
+}
@@ -54,7 +54,6 @@
  "channel": "Security",
  "computer_name": "DC_TEST2k12.TEST.SAAS",
  "event_data": {
- "PrivilegeList": "-",
  "SubjectDomainName": "TEST",
  "SubjectLogonId": "0x2e67800",
  "SubjectUserName": "at_adm",
@@ -86,4 +85,4 @@
  }
  }
  ]
-}
+}
@@ -54,9 +54,7 @@
  "channel": "Security",
  "computer_name": "DC_TEST2k12.TEST.SAAS",
  "event_data": {
- "PrivilegeList": "-",
  "SamAccountName": "testglobal",
- "SidHistory": "-",
  "SubjectDomainName": "TEST",
  "SubjectLogonId": "0x2e67800",
  "SubjectUserName": "at_adm",
@@ -88,4 +86,4 @@
  }
  }
  ]
-}
+}
-Original file line number
+Diff line change
@@ Expand Up / @@ -57,4 +57,4 @@ @@
   }
   }
   ]
- }
+ }