if (ctx?.winlog?.event_data?.ServiceType != null) {
    ArrayList list = new ArrayList();
    long serviceType = 0L;
    // Combine every token of ServiceType into a single bitmask (access-mask semantics).
    // split() is the helper the other security.yml lookup scripts use to tokenize the field.
    for (elem in split(ctx.winlog.event_data.ServiceType)) {
        if (elem.length() == 0) {
            continue;
        }
        list.add(elem);
        def code = elem.replace("%%", "").trim();
        serviceType |= Long.decode(code).longValue();
    }
    if (list.size() > 0) {
        ctx.winlog.event_data.put("ServiceType", list);
    }
    // Expand each set bit into its description from params.ServiceTypeDescriptions.
    ArrayList desc = new ArrayList();
    for (long b = 0; b < 32; b++) {
        long flag = 1L << b;
        if ((serviceType & flag) == flag) {
            def fDesc = params.ServiceTypeDescriptions[String.format("0x%08X", flag)];
            if (fDesc != null) {
                desc.add(fDesc);
            }
        }
    }
    if (desc.size() > 0) {
        ctx.winlog.event_data.put("ServiceTypeDescription", desc);
    }
}
It feels odd that these are being inserted into service.*, since the definition of that isn't quite this. The bulk of this feels better placed in file.* and process.*. As such, I'm having ServiceTypeDescription stamped back into the winlog.event_data as a new value similar to how other various lookup tables / access masks are handled.
service.type, as populated by x-pack/winlogbeat/module/security/ingest/security.yml, is doing a lookup table versus being treated as an access mask.
https://learn.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-createservicea
https://learn.microsoft.com/en-us/windows/win32/api/winsvc/ns-winsvc-service_status
https://learn.microsoft.com/en-us/windows/win32/api/winsvc/nf-winsvc-enumservicesstatusexa
https://learn.microsoft.com/en-us/windows/application-management/per-user-services-in-windows
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4697
https://docs.rs/windows-sys/latest/windows_sys/Win32/System/Services/index.html
https://helgeklein.com/blog/per-user-services-in-windows-info-and-configuration/
I'm not comfortable submitting a PR directly, but have mocked up the bulk of the (untested) code to make this easier to accept.
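As an added example (not code from the issue author or from Beats), the same decoding in Python: it ORs the ServiceType tokens into one mask and expands every set bit, beside the exact-value lookup that a plain lookup table gives, so the difference shows on combined values. The SERVICE_* flag values are assumed from the winsvc.h constants the links above document, and the sample strings are constructed.

```python
# Added example, not from the issue or from Beats: decode the Windows
# ServiceType field as a bitmask (access-mask semantics) versus a lookup table.

# Flag values assumed from the SERVICE_* constants in winsvc.h.
SERVICE_TYPE_FLAGS = {
    0x00000001: "SERVICE_KERNEL_DRIVER",
    0x00000002: "SERVICE_FILE_SYSTEM_DRIVER",
    0x00000004: "SERVICE_ADAPTER",
    0x00000008: "SERVICE_RECOGNIZER_DRIVER",
    0x00000010: "SERVICE_WIN32_OWN_PROCESS",
    0x00000020: "SERVICE_WIN32_SHARE_PROCESS",
    0x00000040: "SERVICE_USER_SERVICE",
    0x00000080: "SERVICE_USERSERVICE_INSTANCE",
    0x00000100: "SERVICE_INTERACTIVE_PROCESS",
    0x00000200: "SERVICE_PKG_SERVICE",
}


def parse_service_type(raw):
    """Combine the tokens of an event_data.ServiceType value into one mask.

    Mirrors the Painless loop: split on whitespace, drop empty tokens, strip a
    "%%" prefix, and OR the numeric values together. Returns (tokens, mask).
    """
    tokens = []
    mask = 0
    for elem in raw.split():
        code = elem.replace("%%", "").strip()
        if not code:
            continue
        tokens.append(elem)
        mask |= int(code, 0)  # base 0 honours the 0x prefix, like Long.decode
    return tokens, mask


def describe_service_type(mask):
    """Expand a mask into the name of every set bit (access-mask semantics)."""
    names = []
    for bit in range(32):
        flag = 1 << bit
        if (mask & flag) == flag:
            name = SERVICE_TYPE_FLAGS.get(flag)
            if name is not None:
                names.append(name)
    return names


def lookup_service_type(mask):
    """Exact-value lookup: what a plain lookup table yields (None for combinations)."""
    return SERVICE_TYPE_FLAGS.get(mask)


if __name__ == "__main__":
    # Constructed sample values in the shape of event_data.ServiceType.
    for raw in ("0x10", "0x110", "%%0x20", "0x40 0x10"):
        tokens, mask = parse_service_type(raw)
        print(raw, hex(mask), lookup_service_type(mask), describe_service_type(mask))
```

On `0x110` (own process plus interactive) the exact-value lookup returns nothing while the bitmask expansion returns both names, which is the behaviour the mock-up above is after.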