Fix Kerberos ticket StatusDescription case-sensitivity in Security pipelines #19919
Open
brian-mckinney wants to merge 3 commits into
Conversation
… `winlog.event_data.Status` is matched case-sensitively against a lookup table whose hex keys are all upper case (e.g. `0x1B`), so a lower-case value like `0x1b` silently fails to resolve `StatusDescription`. Normalize the lookup with `toUpperCase()` in both the `system` and `windows` packages, mirroring how `TicketEncryptionType` is already normalized nearby. Reported in elastic/sdh-beats#7310
✅ Elastic Docs Style Checker (Vale): No issues found on modified lines! The Vale linter checks documentation changes against the Elastic Docs style guide. To use Vale locally or report issues, refer to Elastic style guide for Vale.
leehinman approved these changes (Jul 1, 2026)
Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform)
The previous fix uppercased the entire Status string, turning "0x1b" into "0X1B" and "0x0" into "0X0" -- neither matches the params table, whose keys use a lowercase "0x" prefix. Preserve the prefix and uppercase only the hex digits after it.
✅ All changelog entries have the correct PR link.
🚀 Benchmarks report

| Data stream | Previous EPS | New EPS | Diff (%) | Result |
|---|---|---|---|---|
| powershell_operational | 2475.25 | 1278.77 | -1196.48 (-48.34%) | 💔 |
| applocker_packaged_app_execution | 11627.91 | 9708.74 | -1919.17 (-16.5%) | 💔 |
| sysmon_operational | 2155.17 | 1751.31 | -403.86 (-18.74%) | 💔 |

To see the full report comment with `/test benchmark fullreport`
💚 Build Succeeded
Summary
- `winlog.event_data.Status` is matched case-sensitively against the Kerberos status code lookup table in both the `system` and `windows` (forwarded) Security ingest pipelines. Every key with a hex letter is upper case (e.g. `0x1B`), so a lower-case value like `0x1b` fails to match and `StatusDescription` is left null.
- Normalize the lookup with `.toUpperCase()`, mirroring how the neighboring `TicketEncryptionType` processor already normalizes case.
- Bump `system` to 2.20.1 and `windows` to 3.8.4 with changelog entries.

Reported by a customer in https://github.com/elastic/sdh-beats/issues/7310. The same processor logic is also duplicated in elastic/beats (winlogbeat); a companion fix is up at https://github.com/brian-mckinney/beats/tree/fix/kerberos-status-code-case-sensitivity.

Test plan

- `Status` is `0x1b` (lower case): now populates `StatusDescription` as `KDC_ERR_MUST_USE_USER2USER`.
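As an added illustration of the three behaviours the PR description and the follow-up commit message describe (the case-sensitive miss, whole-string uppercasing that turns `0x1b` into `0X1B` and breaks the `0x` prefix, and the prefix-preserving normalization), here is a small JavaScript model of the lookup. It is example code written for this page, not the integration's Painless script. The lookup table is a constructed subset: only the `0x1B` to `KDC_ERR_MUST_USE_USER2USER` entry comes from the PR, the other entries are RFC 4120 error codes. The function names are assumed, and accepting an upper-case `0X` prefix is a generalization the PR does not state.

```javascript
// Added example: a minimal model of the Kerberos StatusDescription lookup
// done by the Security ingest pipelines. Not the project's own code.

// Constructed subset of the status code table. The pipeline's real table
// uses a lowercase "0x" prefix with upper-case hex digits, as the PR states.
// 0x1B comes from the PR test plan; the rest are RFC 4120 error codes.
const KERBEROS_STATUS_CODES = {
  "0x0": "KDC_ERR_NONE",
  "0x6": "KDC_ERR_C_PRINCIPAL_UNKNOWN",
  "0x12": "KDC_ERR_CLIENT_REVOKED",
  "0x17": "KDC_ERR_KEY_EXPIRED",
  "0x18": "KDC_ERR_PREAUTH_FAILED",
  "0x1B": "KDC_ERR_MUST_USE_USER2USER",
  "0x25": "KRB_AP_ERR_SKEW",
};

// Original behaviour: exact, case-sensitive match. A forwarder that emits
// "0x1b" never resolves, and StatusDescription silently stays null.
function describeStatusExact(status) {
  return KERBEROS_STATUS_CODES[status] ?? null;
}

// First attempt described in the follow-up commit: uppercase the whole
// value. "0x1b" becomes "0X1B" and "0x0" becomes "0X0"; neither matches a
// key with the lowercase "0x" prefix, so every lookup now misses, including
// the ones that worked before.
function describeStatusUpperAll(status) {
  return KERBEROS_STATUS_CODES[status.toUpperCase()] ?? null;
}

// Normalization the commit settles on: keep the prefix, uppercase only the
// hex digits after it. Accepting an upper-case "0X" prefix on input is an
// assumed generalization, not something the PR states. Anything that is not
// a hex status code yields null rather than a bogus key.
function normalizeStatus(status) {
  if (typeof status !== "string") return null;
  const s = status.trim();
  if (!/^0[xX][0-9a-fA-F]+$/.test(s)) return null;
  return "0x" + s.slice(2).toUpperCase();
}

function describeStatusFixed(status) {
  const key = normalizeStatus(status);
  return key === null ? null : (KERBEROS_STATUS_CODES[key] ?? null);
}

// Constructed sample of winlog.event_data.Status values in the mixed casing
// the PR describes, plus an unknown code and an empty value.
const SAMPLE_STATUS_VALUES = ["0x0", "0x1b", "0x1B", "0x18", "0X12", "0x1ff", ""];

// Run one lookup variant over the sample and return value -> description.
function describeAll(values, lookup) {
  return Object.fromEntries(values.map((v) => [v, lookup(v)]));
}

// Side-by-side view of the three variants for the reader.
console.log("exact     ", describeAll(SAMPLE_STATUS_VALUES, describeStatusExact));
console.log("upper-all ", describeAll(SAMPLE_STATUS_VALUES, describeStatusUpperAll));
console.log("fixed     ", describeAll(SAMPLE_STATUS_VALUES, describeStatusFixed));
```

Painless string methods are Java-like, so the same split into prefix and uppercased digits carries over directly into the pipeline script. From a detection standpoint the silent null is the part that matters: any rule or dashboard keyed on `StatusDescription` (pre-authentication failures, revoked clients, clock skew) quietly loses every event whose forwarder emitted lower-case hex, which is why the test plan checks the lower-case form end to end rather than only the upper-case keys already in the table.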