[Filebeat] ETW input - Fix keywords fields representation in output events #43724

chemamartinez · 2025-04-07T08:13:11Z

As has been reported in this thread, the keywords field in events delivered by the ETW input is represented as a large integer instead of an hexadecimal bit mask.

This field is represented as a ULONGLONG by the Microsoft API.

The ETW input maps this keywords field here ,converting the uint64 into a string, using base 10 instead of 16.

The text was updated successfully, but these errors were encountered:

elasticmachine · 2025-04-09T07:31:35Z

Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform)

chemamartinez added Filebeat Filebeat Input:etw Related issues to the Event Tracing for Windows input labels Apr 7, 2025

botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Apr 7, 2025

chemamartinez mentioned this issue Apr 7, 2025

[Microsoft DNS Server] Map keywords output field to human-readable format elastic/integrations#13438

Open

chemamartinez added the Team:Security-Windows Platform Windows Platform Team in Security Solution label Apr 9, 2025

botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Apr 9, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Filebeat] ETW input - Fix keywords fields representation in output events #43724

[Filebeat] ETW input - Fix keywords fields representation in output events #43724

chemamartinez commented Apr 7, 2025

elasticmachine commented Apr 9, 2025

[Filebeat] ETW input - Fix keywords fields representation in output events #43724

[Filebeat] ETW input - Fix keywords fields representation in output events #43724

Comments

chemamartinez commented Apr 7, 2025

elasticmachine commented Apr 9, 2025