Skip to content

Commit

Permalink
[Security Solution] [Timeline] Endpoint row renderers (2nd batch) (el…
Browse files Browse the repository at this point in the history
…astic#91446) (elastic#91601)

## [Security Solution] [Timeline] Endpoint row renderers (2nd batch)

This PR implements the 2nd batch of Endpoint row renderers, **including the new Ransomware alerts**, by adding new row renderers for the following Endpoint alerts and events:

| event.dataset            | event.type | event.category | event.action    |
|--------------------------|------------|----------------|-----------------|
| endpoint.alerts          | denied     | file           | creation        |
| endpoint.alerts          | allowed    | file           | creation        |
| endpoint.alerts          | denied     | file           | files-encrypted |
| endpoint.alerts          | allowed    | file           | files-encrypted |
| endpoint.alerts          | denied     | file           | modification    |
| endpoint.alerts          | allowed    | file           | modification    |
| endpoint.alerts          | denied     | file           | rename          |
| endpoint.alerts          | allowed    | file           | rename          |
| endpoint.alerts          | denied     | process        | execution       |
| endpoint.alerts          | allowed    | process        | execution       |
| endpoint.events.file     | change     | file           | modification    |
| endpoint.events.file     | change     | file           | overwrite       |
| endpoint.events.file     | change     | file           | rename          |
| endpoint.events.registry | change     | registry       | modification    |
| endpoint.events.library  | start      | library        | load            |
| endpoint.events.network  | protocol   | network        | http_request    |
| endpoint.events.process  | start      | process        | exec            |
| endpoint.events.process  | start      | process        | fork            |

Other updates:

- All row renders will now only display the `file.hash.sha256` and `process.hash.sha256`. (The `sha1` and `md5` hashes will no longer be displayed)

## Malware File Creation Prevented alert

Malware File Creation Prevented alerts with the following `event.dataset`, `event.type`, `event.category`, and `event.action` will be rendered in Timeline via row renderers:

```
event.dataset: endpoint.alerts and event.type: denied and event.category: file and event.action: creation
```

### Sample Malware File Creation Prevented alert

![malware_file_creation_prevented](https://user-images.githubusercontent.com/4459398/107970084-e4762b00-6f6d-11eb-88c8-c9fd474d2de4.png)

`win2019-endpoint-1` was prevented from creating a malicious file `6a5eabd6-1c79-4962-b411-a5e7d9e967d4.tmp` in `C:\Users\sean\Downloads\6a5eabd6-1c79-4962-b411-a5e7d9e967d4.tmp` via `chrome.exe` (`8944`) `C:\Program Files\Google\Chrome\Application\chrome.exe` via parent process `explorer.exe` (`1008`) with result `success`

`7cc42618e580f233fee47e82312cc5c3476cb5de9219ba3f9eb7f99ac0659c30`

### Fields in a Malware File Creation Prevented alert

`user.name` \ `user.domain` @ `host.name` was prevented from creating a malicious file `file.name` in `file.path` via `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`) with result `event.outcome`

`file.hash.sha256`

## Malware File Creation Detected alert

Malware File Creation Detected alerts with the following `event.dataset`, `event.type`, `event.category`, and `event.action` will be rendered in Timeline via row renderers:

```
event.dataset: endpoint.alerts and event.type: allowed and event.category: file and event.action: creation
```

### Sample Malware File Creation Detected alert

![malware_file_creation_detected](https://user-images.githubusercontent.com/4459398/107970897-f7d5c600-6f6e-11eb-83a8-7324e34506c1.png)

`DESKTOP-1` was detected creating a malicious file `mimikatz_write.exe` in `C:\temp\mimikatz_write.exe` via `python.exe` (`4400`) `C:\Python27\python.exe` `main.py` `-a` `execute` `-p` `c:\temp` via parent process `pythonservice.exe` (`2936`) with result `success`

`263f09eeee80e03aa27a2d19530e2451978e18bf733c5f1c64ff2389c5dc17b0`

### Fields in a Malware File Creation Detected alert

`user.name` \ `user.domain` @ `host.name` was detected creating a malicious file `file.name` in `file.path` via `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`) with result `event.outcome`

`file.hash.sha256`

## Ransomware Files Encrypted Prevented alert

Ransomware Files Encrypted Prevented alerts with the following `event.dataset`, `event.type`, `event.category`, and `event.action` will be rendered in Timeline via row renderers:

```
event.dataset: endpoint.alerts and event.type: denied and event.category: file and event.action: files-encrypted
```

### Sample Ransomware Files Encrypted Prevented alert

![ransomware_files-encrypted_prevented](https://user-images.githubusercontent.com/4459398/107973327-56e90a00-6f72-11eb-8337-8bb15bd24ad2.png)

`DESKTOP-1` ransomware was prevented from encrypting files via `powershell.exe` (`6056`) `powershell.exe` `-file` `mock_ransomware_v3.ps1` via parent process `cmd.exe` (`10680`) with result `success`

`e9fa973eb5ad446e0be31c7b8ae02d48281319e7f492e1ddaadddfbdd5b480c7`

### Fields in a Ransomware Files Encrypted Prevented alert

`user.name` \ `user.domain` @ `host.name` ransomware was prevented from encrypting files via `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`) with result `event.outcome`

`process.hash.sha256`

## Ransomware Files Encrypted Detected alert

Ransomware Files Encrypted Detected alerts with the following `event.dataset`, `event.type`, `event.category`, and `event.action` will be rendered in Timeline via row renderers:

```
event.dataset: endpoint.alerts and event.type: allowed and event.category: file and event.action: files-encrypted
```

### Sample Ransomware Files Encrypted Detected alert

![ransomware_files-encrypted_detected](https://user-images.githubusercontent.com/4459398/107976086-42a70c00-6f76-11eb-8977-74ad47191d71.png)

`DESKTOP-1` ransomware was detected encrypting files via `powershell.exe` (`4684`) `powershell.exe` `-file` `mock_ransomware_v3.ps1` via parent process `cmd.exe` (`8616`) with result `success`

`e9fa973eb5ad446e0be31c7b8ae02d48281319e7f492e1ddaadddfbdd5b480c7`

### Fields in a Ransomware Files Encrypted Detected alert

`user.name` \ `user.domain` @ `host.name` ransomware was detected encrypting files via `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`) with result `event.outcome`

`process.hash.sha256`

## Malware File Modification Prevented alert

Malware File Modification Prevented alerts with the following `event.dataset`, `event.type`, `event.category`, and `event.action` will be rendered in Timeline via row renderers:

```
event.dataset: endpoint.alerts and event.type: denied and event.category: file and event.action: modification
```

### Sample Malware File Modification Prevented alert

![malware_file_modification_prevented](https://user-images.githubusercontent.com/4459398/107979686-3a51cf80-6f7c-11eb-92ff-f164536f6c70.png)

`win2019-endpoint-1` was prevented from modifying a malicious file `mimikatz - Copy.exe` in `C:\Users\sean\Downloads\mimikatz_trunk (1)\x64\mimikatz - Copy.exe` via `explorer.exe` (`1008`) `C:\Windows\Explorer.EXE` via parent process `C:\Windows\System32\userinit.exe` (`356`) with result `success`

`31eb1de7e840a342fd468e558e5ab627bcb4c542a8fe01aec4d5ba01d539a0fc`

### Fields in a Malware File Modification Prevented alert

`user.name` \ `user.domain` @ `host.name` was prevented from modifying a malicious file `file.name` in `file.path` via `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`) with result `event.outcome`

`file.hash.sha256`

## Malware File Modification Detected alert

Malware File Modification Detected alerts with the following `event.dataset`, `event.type`, `event.category`, and `event.action` will be rendered in Timeline via row renderers:

```
event.dataset: endpoint.alerts and event.type: allowed and event.category: file and event.action: modification
```

### Sample Malware File Modification Detected alert

![malware_file_modification_detected](https://user-images.githubusercontent.com/4459398/107980920-55bdda00-6f7e-11eb-9d08-2aa02253a958.png)

`mac-1.local` was detected modifying a malicious file `aircrack` in `/private/var/root/write_malware/modules/write_malware/aircrack` via `Python` (`5995`) `/usr/local/Cellar/python/2.7.14/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python` `main.py` `-a` `modify` via parent process `Python` (`97`) with result `success`

`f0954d9673878b2223b00b7ec770c7b438d876a9bb44ec78457e5c618f31f52b`

### Fields in a Malware File Modification Detected alert

`user.name` \ `user.domain` @ `host.name` was detected modifying a malicious file `file.name` in `file.path` via `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`) with result `event.outcome`

`file.hash.sha256`

## Malware File Rename Prevented alert

Malware File Rename Prevented alerts with the following `event.dataset`, `event.type`, `event.category`, and `event.action` will be rendered in Timeline via row renderers:

```
event.dataset: endpoint.alerts and event.type: denied and event.category: file and event.action: rename
```

### Sample Malware File Rename Prevented alert

![malware_file_rename_prevented](https://user-images.githubusercontent.com/4459398/107981991-6e2ef400-6f80-11eb-8d48-3c9aa48c5d72.png)

`win2019-endpoint-1` was prevented from renaming a malicious file `23361f8f413dd9258545030e42056a352fe35f66bac376d49954551c9b4bcf97.exe` in `C:\Users\sean\Downloads\23361f8f413dd9258545030e42056a352fe35f66bac376d49954551c9b4bcf97.exe` via `explorer.exe` (`1008`) `C:\Windows\Explorer.EXE` via parent process `C:\Windows\System32\userinit.exe` (`356`) with result `success`

`23361f8f413dd9258545030e42056a352fe35f66bac376d49954551c9b4bcf97`

### Fields in a Malware File Rename Prevented alert

`user.name` \ `user.domain` @ `host.name` was prevented from renaming a malicious file `file.name` in `file.path` via `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`) with result `event.outcome`

`file.hash.sha256`

## Malware File Rename Detected alert

Malware File Rename Detected alerts with the following `event.dataset`, `event.type`, `event.category`, and `event.action` will be rendered in Timeline via row renderers:

```
event.dataset: endpoint.alerts and event.type: allowed and event.category: file and event.action: rename
```

### Sample Malware File Rename Detected alert

![malware_file_rename_detected](https://user-images.githubusercontent.com/4459398/107983209-ab948100-6f82-11eb-893f-359fa0bd3a19.png)

`win2019-endpoint-1` was detected renaming a malicious file `23361f8f413dd9258545030e42056a352fe35f66bac376d49954551c9b4bcf97.exe` in `C:\Users\sean\Downloads\23361f8f413dd9258545030e42056a352fe35f66bac376d49954551c9b4bcf97.exe` via `explorer.exe` (`1008`) `C:\Windows\Explorer.EXE` via parent process `C:\Windows\System32\userinit.exe` (`356`) with result `success`

`23361f8f413dd9258545030e42056a352fe35f66bac376d49954551c9b4bcf97`

### Fields in a Malware File Rename Detected alert

`user.name` \ `user.domain` @ `host.name` was detected renaming a malicious file `file.name` in `file.path` via `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`) with result `event.outcome`

`file.hash.sha256`

## Malware Process Execution Prevented alert

Malware Process Execution Prevented alerts with the following `event.dataset`, `event.type`, `event.category`, and `event.action` will be rendered in Timeline via row renderers:

```
event.dataset: endpoint.alerts and event.type: denied and event.category: process and event.action: execution
```

### Sample Malware Process Execution Prevented alert

![malware_process_execution_prevented](https://user-images.githubusercontent.com/4459398/107986073-8b67c080-6f88-11eb-89a5-95434639631e.png)

`win2019-endpoint-1` was prevented from executing a malicious process `C:\Users\sean\Downloads\3be13acde2f4dcded4fd8d518a513bfc9882407a6e384ffb17d12710db7d76fb.exe` (`6920`) `C:\Users\sean\Downloads\3be13acde2f4dcded4fd8d518a513bfc9882407a6e384ffb17d12710db7d76fb.exe` via parent process `explorer.exe` (`1008`) with result `success`

`3be13acde2f4dcded4fd8d518a513bfc9882407a6e384ffb17d12710db7d76fb`

### Fields in a Sample Malware Process Execution Prevented alert

`host.name` was prevented from executing a malicious process `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`) with result `event.outcome`

`process.hash.sha256`

## Malware Process Execution Detected alert

Malware Process Execution Detected alerts with the following `event.dataset`, `event.type`, `event.category`, and `event.action` will be rendered in Timeline via row renderers:

```
event.dataset: endpoint.alerts and event.type: allowed and event.category: process and event.action: execution
```

### Sample Malware Process Execution Detected alert

![malware_process_execution_detected](https://user-images.githubusercontent.com/4459398/107986475-590a9300-6f89-11eb-9dbc-373efe005c85.png)

`DESKTOP-1` was detected executing a malicious process `mimikatz_write.exe` (`8668`) `c:\temp\mimikatz_write.exe` via parent process `python.exe` (`4400`) with result `success`

`263f09eeee80e03aa27a2d19530e2451978e18bf733c5f1c64ff2389c5dc17b0`

### Fields in a Sample Malware Process Execution Detected alert

`host.name` was detected executing a malicious process `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`) with result `event.outcome`

`process.hash.sha256`

## File (FIM) Modification events

Endpoint File (FIM) Modification events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers:

```
event.dataset: endpoint.events.file and event.action: modification
```

### Sample rendered File (FIM) Modification event

Each field with `this formatting` is draggable (to pivot a search) in the row-rendered event:

![file_modification](https://user-images.githubusercontent.com/4459398/106680191-641df600-657b-11eb-974e-e2afbc7698a3.png)

`admin` @ `test-Mac.local` modified a file `.dat.nosync01a5.6hoWv1` in `/Users/admin/Library/Application Support/CrashReporter/.dat.nosync01a5.6hoWv1` via `diagnostics_agent` `(421)`

### Fields in a File (FIM) Modification event

`user.name` \ `user.domain` @ `host.name` modified a file `file.name` in `file.path` via `process.name` `(process.pid)`

## File (FIM) Overwrite events

Endpoint File (FIM) Overwrite events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers:

```
event.dataset: endpoint.events.file and event.action: overwrite
```

### Sample rendered File (FIM) Overwrite event

![file_overwrite](https://user-images.githubusercontent.com/4459398/106675692-c9b9b480-6572-11eb-9f78-fb0b4bf0b05d.png)

`LOCAL SERVICE` \ `NT AUTHORITY` @ `windows-endpoint-1` overwrote a file `lastalive0.dat` in `C:\Windows\ServiceState\EventLog\Data\lastalive0.dat` via `svchost.exe` `(1228)`

### Fields in a File (FIM) Overwrite event

`user.name` \ `user.domain` @ `host.name` overwrote a file `file.name` in `file.path` via `process.name` `(process.pid)`

## File (FIM) Rename events

Endpoint File (FIM) Rename events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers:

```
event.dataset: endpoint.events.file and event.action: rename
```

### Sample rendered File (FIM) Rename event

![file_rename](https://user-images.githubusercontent.com/4459398/106534633-c4e0fc00-64b1-11eb-8213-494b51e8cdf9.png)

`LOCAL SERVICE` \ `NT AUTHORITY` @ `windows-endpoint-1` renamed a file `SRU.log` in `C:\Windows\System32\sru\SRU.log` from its original path `C:\Windows\System32\sru\SRUtmp.log` via `svchost.exe` `(1204)`

### Fields in a File (FIM) Rename event

`user.name` \ `user.domain` @ `host.name` renamed a file `file.name` in `file.path` from its original path `file.Ext.original.path` via `process.name` `(process.pid)`

## Registry Modification events

Registry Modification events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers:

```
event.dataset: endpoint.events.registry and event.action: modification
```

### Sample Registry Modification event

![registry_modification](https://user-images.githubusercontent.com/4459398/107091637-56f14900-67bf-11eb-9c8b-7f748e848bac.png)

`SYSTEM` \ `NT AUTHORITY` @ `win2019-endpoint-1` modified registry key `SOFTWARE\WOW6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState` with new value `HKLM\SOFTWARE\WOW6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState\StateValue` via `GoogleUpdate.exe` `(7408)`

### Fields in a Registry Modification event

`user.name` \ `user.domain` @ `host.name` modified registry key `registry.key` with new value `registry.path` via `process.name` `(process.pid)`

## Library Load events

Library Load events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers:

```
event.dataset: endpoint.events.library and event.action: load
```

### Sample Library Load event

![library_load](https://user-images.githubusercontent.com/4459398/107261734-ea638d80-69fc-11eb-8b2c-0a4f453b3f95.png)

`SYSTEM` \ `NT AUTHORITY` @ `win2019-endpoint-1` loaded library `bcrypt.dll` in `C:\Windows\System32\bcrypt.dll` via `sshd.exe` `(9644)`
`e70f5d8f87aab14e3160227d38387889befbe37fa4f8f5adc59eff52804b35fd`
`2c4ba5c1482987d50a182bad915f52cd6611ee63`
`00439016776de367bad087d739a03797`

### Fields in a Library Load event

`user.name` \ `user.domain` @ `host.name` loaded library `file.name` in `file.path` via `process.name` `(process.pid)`
`file.hash.sha256`
`file.hash.sha1`
`file.hash.md5`

## HTTP Request events

HTTP Request events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers:

```
event.dataset: endpoint.events.network and event.action: http_request
```

### Sample HTTP Request event

![http_request](https://user-images.githubusercontent.com/4459398/107546591-c5505580-6b89-11eb-8081-fe492312cc12.png)

Network HTTP Request events, like the one in the screenshot above, are also rendered by the Netflow row renderer, which displays information that includes the directionality of the connection, protocol, and source / destination details.

`NETWORK SERVICE` \ `NT AUTHORITY` @ `win2019-endpoint-1` made a http request via `svchost.exe` `(2232)`

### Fields in a HTTP Request event

`user.name` \ `user.domain` @ `host.name` made a http request via `process.name` `(process.pid)`

## Process Exec events

Endpoint Process Exec events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers:

```
event.dataset: endpoint.events.process and event.action: exec
```

### Sample rendered Process Exec event

![process_exec](https://user-images.githubusercontent.com/4459398/107989163-de447680-6f8e-11eb-88e9-d8c72d77bc2d.png)

`admin` @ `test-mac.local` executed process `mdworker_shared` (`4454`) `/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker_shared` `-s` `mdworker` `-c` `MDSImporterWorker` `-m` `com.apple.mdworker.shared` via parent process `launchd` (`1`)

`4bc018ac461706496302d1faab0a8bb39aad974eb432758665103165f3a2dd2b`

### Fields in a Process Exec event

The following fields will be used to render a Process Exec event:

`user.name` @ `host.name` executed process `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`)

`process.hash.sha256`

## Process Fork events

Endpoint Process Fork events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers:

```
event.dataset: endpoint.events.process and event.action: fork
```

### Sample rendered Process Fork event

![process_fork](https://user-images.githubusercontent.com/4459398/107990678-29ac5400-6f92-11eb-893f-59bafa79cd53.png)

`admin` @ `test-mac.local` forked process `zoom.us` (`4042`) `/Applications/zoom.us.app/Contents/MacOS/zoom.us` via parent process `zoom.us` (`3961`)

`cbf3d059cc9f9c0adff5ef15bf331b95ab381837fa0adecd965a41b5846f4bd4`

### Fields in a Process Fork event

The following fields will be used to render a Process Exec event:

`user.name` @ `host.name` forked process `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`)

`process.hash.sha256`
  • Loading branch information
andrew-goldstein authored Feb 17, 2021
1 parent 3aa4b06 commit f44a70f
Show file tree
Hide file tree
Showing 38 changed files with 2,905 additions and 290 deletions.
10 changes: 9 additions & 1 deletion x-pack/plugins/security_solution/common/ecs/file/index.ts
Original file line number Diff line number Diff line change
Expand Up @@ -5,14 +5,22 @@
* 2.0.
*/

interface Original {
name?: string[];
path?: string[];
}

export interface CodeSignature {
subject_name: string[];
trusted: string[];
}
export interface Ext {
code_signature: CodeSignature[] | CodeSignature;
code_signature?: CodeSignature[] | CodeSignature;
original?: Original;
}
export interface Hash {
md5?: string[];
sha1?: string[];
sha256: string[];
}

Expand Down
2 changes: 2 additions & 0 deletions x-pack/plugins/security_solution/common/ecs/index.ts
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ import { FileEcs } from './file';
import { GeoEcs } from './geo';
import { HostEcs } from './host';
import { NetworkEcs } from './network';
import { RegistryEcs } from './registry';
import { RuleEcs } from './rule';
import { SignalEcs } from './signal';
import { SourceEcs } from './source';
Expand All @@ -40,6 +41,7 @@ export interface Ecs {
geo?: GeoEcs;
host?: HostEcs;
network?: NetworkEcs;
registry?: RegistryEcs;
rule?: RuleEcs;
signal?: SignalEcs;
source?: SourceEcs;
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@ export interface ProcessHashData {

export interface ProcessParentData {
name?: string[];
pid?: number[];
}

export interface Thread {
Expand Down
13 changes: 13 additions & 0 deletions x-pack/plugins/security_solution/common/ecs/registry/index.ts
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/

export interface RegistryEcs {
hive?: string[];
key?: string[];
path?: string[];
value?: string[];
}
Original file line number Diff line number Diff line change
Expand Up @@ -180,10 +180,13 @@ export type TimelineStatusLiteralWithNull = runtimeTypes.TypeOf<
>;

export enum RowRendererId {
alerts = 'alerts',
auditd = 'auditd',
auditd_file = 'auditd_file',
library = 'library',
netflow = 'netflow',
plain = 'plain',
registry = 'registry',
suricata = 'suricata',
system = 'system',
system_dns = 'system_dns',
Expand Down
Loading

0 comments on commit f44a70f

Please sign in to comment.