Fix Kerberos ticket StatusDescription case-sensitivity in Security pipelines#19919

Open
brian-mckinney wants to merge 3 commits into
elastic:mainfrom
brian-mckinney:fix/kerberos-status-code-case-sensitivity
Conversation

@brian-mckinney

Contributor

Summary

  • winlog.event_data.Status is matched case-sensitively against the Kerberos status code lookup table in both the system and windows (forwarded) Security ingest pipelines. Every key with a hex letter is upper case (e.g. 0x1B), so a lower-case value like 0x1b fails to match and StatusDescription is left null.
  • Normalizes the lookup with .toUpperCase(), mirroring how the neighboring TicketEncryptionType processor already normalizes case.
  • Bumps system to 2.20.1 and windows to 3.8.4 with changelog entries.

Reported by a customer in https://github.com/elastic/sdh-beats/issues/7310. The same processor logic is also duplicated in elastic/beats (winlogbeat); a companion fix is up at https://github.com/brian-mckinney/beats/tree/fix/kerberos-status-code-case-sensitivity.

Test plan

  • Verify pipeline simulate with a sample 4769 event where Status is 0x1b (lower case) now populates StatusDescription as KDC_ERR_MUST_USE_USER2USER.
  • Confirm existing pipeline tests still pass for both packages.

…lines

winlog.event_data.Status is matched case-sensitively against a lookup
table whose hex keys are all upper case (e.g. 0x1B), so a lower-case
value like 0x1b silently fails to resolve StatusDescription. Normalize
the lookup with toUpperCase() in both the system and windows packages,
mirroring how TicketEncryptionType is already normalized nearby.

Reported in elastic/sdh-beats#7310
@brian-mckinney brian-mckinney requested review from a team as code owners July 1, 2026 19:42
@github-actions

github-actions Bot commented Jul 1, 2026

Contributor

✅ Elastic Docs Style Checker (Vale)

No issues found on modified lines!

The Vale linter checks documentation changes against the Elastic Docs style guide. To use Vale locally or report issues, refer to Elastic style guide for Vale.

@andrewkroh andrewkroh added Integration:system System Integration:windows Windows Team:Security-Windows Platform Security Windows Platform team [elastic/sec-windows-platform] labels Jul 1, 2026
@infra-vault-gh-plugin-prod


Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform)

The previous fix uppercased the entire Status string, turning "0x1b"
into "0X1B" and "0x0" into "0X0" -- neither matches the params table,
whose keys use a lowercase "0x" prefix. Preserve the prefix and
uppercase only the hex digits after it.
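As an added illustration (not code from this PR, the integrations packages, or winlogbeat), a Python simulation of the processor's lookup covering both the case-sensitivity bug in the summary and the "0X1B" prefix edge case from the follow-up commit. The status table is a constructed subset of RFC 4120 KDC error codes in the pipelines' key style, and the 4769 events are constructed.

```python
import re

# Constructed subset of the Kerberos status lookup table used by the Security
# pipelines: keys keep a lowercase "0x" prefix and upper-case hex digits.
KERBEROS_STATUS = {
    "0x0": "KDC_ERR_NONE",
    "0x6": "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    "0x12": "KDC_ERR_CLIENT_REVOKED",
    "0x18": "KDC_ERR_PREAUTH_FAILED",
    "0x1B": "KDC_ERR_MUST_USE_USER2USER",
}

_HEX_STATUS = re.compile(r"^0x[0-9A-Fa-f]+$")


def normalize_status(status):
    """Final fix: keep the '0x' prefix, upper-case only the hex digits after it.
    Non-hex or missing values pass through so the lookup misses quietly."""
    if not isinstance(status, str) or not _HEX_STATUS.match(status):
        return status
    return "0x" + status[2:].upper()


def describe_original(status):
    """Pre-fix behaviour: exact, case-sensitive lookup ('0x1b' misses)."""
    return KERBEROS_STATUS.get(status)


def describe_first_attempt(status):
    """First commit: upper-cases the whole string ('0x1b' -> '0X1B'), so even
    '0x0' becomes '0X0' and nothing matches the lowercase-'0x' keys."""
    return KERBEROS_STATUS.get(status.upper()) if isinstance(status, str) else None


def describe_fixed(status):
    """Second commit: normalize the digits only, then look up."""
    return KERBEROS_STATUS.get(normalize_status(status))


# Constructed 4769 events; the second carries the lower-case form a customer hit.
SAMPLE_EVENTS = [
    {"winlog": {"event_id": 4769, "event_data": {"Status": "0x1B"}}},
    {"winlog": {"event_id": 4769, "event_data": {"Status": "0x1b"}}},
    {"winlog": {"event_id": 4769, "event_data": {"Status": "0x0"}}},
    {"winlog": {"event_id": 4769, "event_data": {}}},
]


def enrich(events, describe):
    """Simulate the processor over a batch: one StatusDescription (or None) per event."""
    return [describe(ev["winlog"]["event_data"].get("Status")) for ev in events]
```

Running `enrich(SAMPLE_EVENTS, ...)` with each of the three lookup functions shows the original missing only the lower-case event, the first attempt missing every event, and the final fix resolving all three that carry a Status.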
@elastic-vault-github-plugin-prod


✅ All changelog entries have the correct PR link.

@elastic-vault-github-plugin-prod


🚀 Benchmarks report

Package windows 👍(4) 💚(3) 💔(3)

| Data stream | Previous EPS | New EPS | Diff (%) | Result |
| --- | --- | --- | --- | --- |
| powershell_operational | 2475.25 | 1278.77 | -1196.48 (-48.34%) | 💔 |
| applocker_packaged_app_execution | 11627.91 | 9708.74 | -1919.17 (-16.5%) | 💔 |
| sysmon_operational | 2155.17 | 1751.31 | -403.86 (-18.74%) | 💔 |

To see the full report comment with /test benchmark fullreport

@infra-vault-gh-plugin-prod


💚 Build Succeeded
