8000 [System] Add pipeline for AD FS Auditing to security data stream. by jvalente-salemstate · Pull Request #13765 · elastic/integrations · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

[System] Add pipeline for AD FS Auditing to security data stream. #13765

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 17 commits into
base: main
Choose a base branch
from
Open

[System] Add pipeline for AD FS Auditing to security data stream. #13765

wants to merge 17 commits into from

Conversation

jvalente-salemstate
Copy link
Contributor

Proposed commit message

This PR adds support for AD FS Auditing (event.provider: "AD FS Auditing") to system.security. These events have an event.code of 1200-1207. Most of the information in the event logs is found in an XML object stored in winlog.event_data.param2.

Rather than trying to parse the XML, I am using the grok processor to extract most of this information.

Rather than using the script in standard.yml, I chose to place an additional painless script processor for ECS categorization within the ADFS pipeline because it seems that these codes may not be exclusive to ADFS. This avoids setting values when not appropriate.

  • All four ECS categorization fields have been set as completely as possible
  • Additionally, event.action and event.reason are set wherever possible.
  • I've tested with roughly 4900 exported events from our production environment with no pipeline failures. event.code: 1207 has not been tested.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Related issues

Closes #11539

@jvalente-salemstate jvalente-salemstate requested review from a team as code owners May 2, 2025 15:36
@andrewkroh andrewkroh added Integration:system System Team:Security-Windows Platform Security Windows Platform team [elastic/sec-windows-platform] labels May 2, 2025
@elasticmachine
Copy link

Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform)

@andrewkroh andrewkroh added the enhancement New feature or request label Jun 2, 2025
@yannickwellens
Copy link

Any chance this can be pushed through?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
enhancement New feature or request Integration:system System Team:Security-Windows Platform Security Windows Platform team [elastic/sec-windows-platform]
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Support processing of AD FS logs with the system integration
4 participants
@jvalente-salemstate @elasticmachine @yannickwellens @andrewkroh
0