From 81dfe6109976ab99161f6bb592afd19828e0ff80 Mon Sep 17 00:00:00 2001 From: Lee Hinman <57081003+leehinman@users.noreply.github.com> Date: Wed, 29 Apr 2020 16:35:27 -0500 Subject: [PATCH] [Filebeat] Improve ECS field mappings in santa module (#17982) * Improve ECS field mappings in santa module - move certificate.common_name to santa.certificate.common_name (breaking change) - move certificate.sha256 to santa.certificate.sha256 (breaking change) - move hash.sha256 to process.hash.sha256 (breaking change) - event.action - event.category - event.kind - event.type - event.outcome - log.level - add full path to executable to process.args - related.hash - related.user - Add new default file path Closes #16180 --- CHANGELOG.next.asciidoc | 1 + filebeat/docs/fields.asciidoc | 4 +- filebeat/module/santa/_meta/fields.yml | 12 +- filebeat/module/santa/fields.go | 2 +- .../module/santa/log/ingest/pipeline.json | 71 ------ filebeat/module/santa/log/ingest/pipeline.yml | 91 ++++++++ filebeat/module/santa/log/manifest.yml | 3 +- .../santa/log/test/santa.log-expected.json | 216 ++++++++++++++++-- 8 files changed, 294 insertions(+), 106 deletions(-) delete mode 100644 filebeat/module/santa/log/ingest/pipeline.json create mode 100644 filebeat/module/santa/log/ingest/pipeline.yml diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 5d81c48f7e1..6080145eb21 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -22,6 +22,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d *Filebeat* - Improve ECS field mappings in panw module. event.outcome now only contains success/failure per ECS specification. {issue}16025[16025] {pull}17910[17910] - Improve ECS categorization field mappings for nginx module. http.request.referrer is now lowercase & http.request.referrer only populated when nginx sets a value {issue}16174[16174] {pull}17844[17844] +- Improve ECS field mappings in santa module. move hash.sha256 to process.hash.sha256 & move certificate fields to santa.certificate . {issue}16180[16180] {pull}17982[17982] *Heartbeat* diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index 488cab967ff..05f4677f138 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -28708,7 +28708,7 @@ The disk volume path. -- -*`certificate.common_name`*:: +*`santa.certificate.common_name`*:: + -- Common name from code signing certificate. @@ -28717,7 +28717,7 @@ type: keyword -- -*`certificate.sha256`*:: +*`santa.certificate.sha256`*:: + -- SHA256 hash of code signing certificate. diff --git a/filebeat/module/santa/_meta/fields.yml b/filebeat/module/santa/_meta/fields.yml index fea0b03a78c..57255dd76c8 100644 --- a/filebeat/module/santa/_meta/fields.yml +++ b/filebeat/module/santa/_meta/fields.yml @@ -56,10 +56,10 @@ - name: mount description: The disk volume path. - - name: certificate.common_name - type: keyword - description: Common name from code signing certificate. + - name: certificate.common_name + type: keyword + description: Common name from code signing certificate. - - name: certificate.sha256 - type: keyword - description: SHA256 hash of code signing certificate. + - name: certificate.sha256 + type: keyword + description: SHA256 hash of code signing certificate. diff --git a/filebeat/module/santa/fields.go b/filebeat/module/santa/fields.go index 06b53e41d84..cd3f44d3647 100644 --- a/filebeat/module/santa/fields.go +++ b/filebeat/module/santa/fields.go @@ -32,5 +32,5 @@ func init() { // AssetSanta returns asset data. // This is the base64 encoded gzipped contents of module/santa. func AssetSanta() string { - return "eJyUk82O2jAQgO88xWhP7WFRl4o95FAphfRHBS0iK7W3yhtPiJXEE9lOW96+spMFk8QtcCJj+/s8npl7KPEYgWbSsBmAEabCCO4+Ex0qhNSG72YAHHWmRGMEyQg+zACgW4Mt8bbCGUAusOI6ckv3IFmNZ6r9mWODERwUtU0fmWCeMf3nmcUyu/EUfgWWePxNintx/MPqxiaR/EhWXvxCF3e0kYVjJvSNnnizefoeEq17IJiCme5BOBiicj6WK2T6NvUq2T+HzHtHg5wUmAJtZtrdZEJcE8dbtNuQ86lBxYyQB4cEyrsumVByocuR0u+OEfuT6wyXz/pr+i3e7ZJ437eFnnun/E4can9R1dZ4sTTQPBfY73JHvKv7nJdW/w9iM7T7oFFkKKMqgNKoBKuuonVbQbb1C6rQzTS3fwa8U+ks50G/v0r3MV3/6w1siYf3Pg/FbrdJIE3XkG7fLR8Wm6uMDhnQ5cMXP7lYM1qbxvd1LYXk8CYXFeqjNli77nsbzLKV5hZ6w0zRs14ZGSojcpExg/OM6prkT69GU+N2YVi5I44FuaIaMjtcWhyknTQfHtbqgi2Wj9ca0y/xYvkIBdOFHeKw728AAAD//5mnu+4=" + return "eJyUk82O2jAQgO88xWhP7WFRl4o9cKiUQvqjghaRldpb5Y0nxErsiWynLW9f2UkhJPGWcCJj+/tm7Jl7KPC0AsOUZTMAK2yJK7j7THQsERIXvpsBcDSpFpUVpFbwYQYAzRrsiNclzgAygSU3K790D4pJvFDdz54qXMFRU121kRHmBdN+XlgsdRvP4X/AAk+/SfNOHP8wWbki4h/xuhO/0kUNbWDhmAoz0RNtt0/fQ6JNCwSbM9tcCAdLVMyHco3MTFOv48NzyHzwNMhIg83RVWZ8JiNiSRynaHch51OFmlmhjh4JlDVdMqLkwhQDZbc7BuxPvjN8PZuvybdov4+jQ9sWZt451e3EvvYXlbXEq6We5jnHdpc/0km9y3mpzf8grkK3DypNllIqAyiDWrDyJlqzFVQtX1CHMjPc/enxzk/nOA/m/U26j8nmtTtwT9zP+zIU+/02hiTZQLJ7t3xYbG8yemRAl/Vv/Oxi1WBtHN++ayEUhzeZKNGcjEXpu+9tsMpa2Sn0itl8pOFT1FZkImUW5ylJSepn751CY3dlW/ujngmZJgmpGzQjjspNXVfyegomZ4vl41R78iVaLB8hZyZ3wx12/w0AAP//xDi+7g==" } diff --git a/filebeat/module/santa/log/ingest/pipeline.json b/filebeat/module/santa/log/ingest/pipeline.json deleted file mode 100644 index 4eaddc753a6..00000000000 --- a/filebeat/module/santa/log/ingest/pipeline.json +++ /dev/null @@ -1,71 +0,0 @@ -{ - "description": "Pipeline for parsing Google Santa logs.", - "processors": [ - { - "grok": { - "field": "message", - "patterns": [ - "\\[%{TIMESTAMP_ISO8601:process.start}\\] I santad: action=%{NOT_SEPARATOR:santa.action}\\|decision=%{NOT_SEPARATOR:santa.decision}\\|reason=%{NOT_SEPARATOR:santa.reason}\\|sha256=%{NOT_SEPARATOR:hash.sha256}\\|path=%{NOT_SEPARATOR:process.executable}(\\|args=%{NOT_SEPARATOR:process.args})?(\\|cert_sha256=%{NOT_SEPARATOR:certificate.sha256})?(\\|cert_cn=%{NOT_SEPARATOR:certificate.common_name})?\\|pid=%{NUMBER:process.pid:long}\\|ppid=%{NUMBER:process.ppid:long}\\|uid=%{NUMBER:user.id}\\|user=%{NOT_SEPARATOR:user.name}\\|gid=%{NUMBER:group.id}\\|group=%{NOT_SEPARATOR:group.name}\\|mode=%{WORD:santa.mode}", - "\\[%{TIMESTAMP_ISO8601:timestamp}\\] I santad: action=%{NOT_SEPARATOR:santa.action}\\|mount=%{NOT_SEPARATOR:santa.disk.mount}\\|volume=%{NOT_SEPARATOR:santa.disk.volume}\\|bsdname=%{NOT_SEPARATOR:santa.disk.bsdname}\\|fs=%{NOT_SEPARATOR:santa.disk.fs}\\|model=%{NOT_SEPARATOR:santa.disk.model}\\|serial=%{NOT_SEPARATOR:santa.disk.serial}\\|bus=%{NOT_SEPARATOR:santa.disk.bus}\\|dmgpath=%{NOT_SEPARATOR:santa.disk.dmgpath}?" - ], - "pattern_definitions": { - "NOT_SEPARATOR": "[^\\|]+" - } - } - }, - { - "rename": { - "field": "message", - "target_field": "log.original" - } - }, - { - "date": { - "field": "process.start", - "target_field": "process.start", - "formats": [ - "ISO8601" - ], - "ignore_failure": true - } - }, - { - "set": { - "field": "@timestamp", - "value": "{{ process.start }}", - "ignore_failure": true - } - }, - { - "split": { - "field": "process.args", - "separator": " ", - "ignore_failure": true - } - }, - { - "date": { - "field": "timestamp", - "target_field": "@timestamp", - "formats": [ - "ISO8601" - ], - "ignore_failure": true - } - }, - { - "remove": { - "field": "timestamp", - "ignore_missing": true - } - } - ], - "on_failure": [ - { - "set": { - "field": "error.message", - "value": "{{ _ingest.on_failure_message }}" - } - } - ] -} diff --git a/filebeat/module/santa/log/ingest/pipeline.yml b/filebeat/module/santa/log/ingest/pipeline.yml new file mode 100644 index 00000000000..11ad4cead6c --- /dev/null +++ b/filebeat/module/santa/log/ingest/pipeline.yml @@ -0,0 +1,91 @@ +description: Pipeline for parsing Google Santa logs. +processors: +- grok: + field: message + patterns: + - '\[%{TIMESTAMP_ISO8601:process.start}\] %{NOT_SEPARATOR:log.level} santad: action=%{NOT_SEPARATOR:santa.action}\|decision=%{NOT_SEPARATOR:santa.decision}\|reason=%{NOT_SEPARATOR:santa.reason}\|sha256=%{NOT_SEPARATOR:process.hash.sha256}\|path=%{NOT_SEPARATOR:process.executable}(\|args=%{NOT_SEPARATOR:santa.args})?(\|cert_sha256=%{NOT_SEPARATOR:santa.certificate.sha256})?(\|cert_cn=%{NOT_SEPARATOR:santa.certificate.common_name})?\|pid=%{NUMBER:process.pid:long}\|ppid=%{NUMBER:process.ppid:long}\|uid=%{NUMBER:user.id}\|user=%{NOT_SEPARATOR:user.name}\|gid=%{NUMBER:group.id}\|group=%{NOT_SEPARATOR:group.name}\|mode=%{WORD:santa.mode}' + - '\[%{TIMESTAMP_ISO8601:timestamp}\] %{NOT_SEPARATOR:log.level} santad: action=%{NOT_SEPARATOR:santa.action}\|mount=%{NOT_SEPARATOR:santa.disk.mount}\|volume=%{NOT_SEPARATOR:santa.disk.volume}\|bsdname=%{NOT_SEPARATOR:santa.disk.bsdname}\|fs=%{NOT_SEPARATOR:santa.disk.fs}\|model=%{NOT_SEPARATOR:santa.disk.model}\|serial=%{NOT_SEPARATOR:santa.disk.serial}\|bus=%{NOT_SEPARATOR:santa.disk.bus}\|dmgpath=%{NOT_SEPARATOR:santa.disk.dmgpath}?' + pattern_definitions: + NOT_SEPARATOR: '[^\|]+' +- rename: + field: message + target_field: log.original +- date: + field: process.start + target_field: process.start + formats: + - ISO8601 + ignore_failure: true +- set: + field: '@timestamp' + value: '{{ process.start }}' + ignore_failure: true +- split: + field: santa.args + separator: ' ' + ignore_failure: true +- date: + field: timestamp + target_field: '@timestamp' + formats: + - ISO8601 + ignore_failure: true +- remove: + field: timestamp + ignore_missing: true +- append: + field: process.args + value: "{{process.executable}}" + if: "ctx?.process?.executable != null" +- foreach: + field: santa.args + processor: + append: + field: process.args + value: "{{_ingest._value}}" + ignore_missing: true +- remove: + field: santa.args + ignore_missing: true +- set: + field: event.kind + value: event +- append: + field: event.category + value: process + if: "ctx?.santa?.action == 'EXEC'" +- append: + field: event.type + value: start + if: "ctx?.santa?.action == 'EXEC'" +- set: + field: event.outcome + value: success + if: "ctx?.santa?.decision == 'ALLOW'" +- set: + field: event.outcome + value: failure + if: "ctx?.santa?.decision == 'DENY'" +- set: + field: event.action + value: "{{santa.action}}" + if: "ctx?.santa?.action != null" +- lowercase: + field: event.action + ignore_missing: true +- append: + field: related.user + value: "{{user.name}}" + if: "ctx?.user?.name != null" +- append: + field: related.hash + value: "{{santa.certificate.sha256}}" + if: "ctx?.santa?.certificate?.sha256 != null" +- append: + field: related.hash + value: "{{process.hash.sha256}}" + if: "ctx?.process?.hash != null" +on_failure: +- set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/filebeat/module/santa/log/manifest.yml b/filebeat/module/santa/log/manifest.yml index d0369930490..43cad6e1934 100644 --- a/filebeat/module/santa/log/manifest.yml +++ b/filebeat/module/santa/log/manifest.yml @@ -4,8 +4,9 @@ var: - name: paths default: - /var/log/santa.log + - /var/db/santa/santa.log - name: input default: file -ingest_pipeline: ingest/pipeline.json +ingest_pipeline: ingest/pipeline.yml input: config/{{.input}}.yml diff --git a/filebeat/module/santa/log/test/santa.log-expected.json b/filebeat/module/santa/log/test/santa.log-expected.json index ab94261c13a..6c1fbe81184 100644 --- a/filebeat/module/santa/log/test/santa.log-expected.json +++ b/filebeat/module/santa/log/test/santa.log-expected.json @@ -1,25 +1,43 @@ [ { "@timestamp": "2018-12-10T06:45:16.802Z", - "certificate.common_name": "Software Signing", - "certificate.sha256": "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32", + "event.action": "exec", + "event.category": [ + "process" + ], "event.dataset": "santa.log", + "event.kind": "event", "event.module": "santa", + "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "group.id": "0", "group.name": "wheel", - "hash.sha256": "c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4", "input.type": "log", + "log.level": "I", "log.offset": 0, "log.original": "[2018-12-10T06:45:16.802Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4|path=/usr/libexec/xpcproxy|args=/usr/sbin/newsyslog|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=29678|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M", "process.args": [ + "/usr/libexec/xpcproxy", "/usr/sbin/newsyslog" ], "process.executable": "/usr/libexec/xpcproxy", + "process.hash.sha256": "c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4", "process.pid": 29678, "process.ppid": 1, "process.start": "2018-12-10T06:45:16.802Z", + "related.hash": [ + "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32", + "c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4" + ], + "related.user": [ + "root" + ], "santa.action": "EXEC", + "santa.certificate.common_name": "Software Signing", + "santa.certificate.sha256": "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32", "santa.decision": "ALLOW", "santa.mode": "M", "santa.reason": "CERT", @@ -29,26 +47,44 @@ }, { "@timestamp": "2018-12-10T06:45:16.802Z", - "certificate.common_name": "Software Signing", - "certificate.sha256": "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32", + "event.action": "exec", + "event.category": [ + "process" + ], "event.dataset": "santa.log", + "event.kind": "event", "event.module": "santa", + "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "group.id": "0", "group.name": "wheel", - "hash.sha256": "c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4", "input.type": "log", + "log.level": "I", "log.offset": 360, "log.original": "[2018-12-10T06:45:16.802Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4|path=/usr/libexec/xpcproxy|args=xpcproxy com.apple.systemstats.daily|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=29679|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M", "process.args": [ + "/usr/libexec/xpcproxy", "xpcproxy", "com.apple.systemstats.daily" ], "process.executable": "/usr/libexec/xpcproxy", + "process.hash.sha256": "c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4", "process.pid": 29679, "process.ppid": 1, "process.start": "2018-12-10T06:45:16.802Z", + "related.hash": [ + "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32", + "c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4" + ], + "related.user": [ + "root" + ], "santa.action": "EXEC", + "santa.certificate.common_name": "Software Signing", + "santa.certificate.sha256": "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32", "santa.decision": "ALLOW", "santa.mode": "M", "santa.reason": "CERT", @@ -58,25 +94,43 @@ }, { "@timestamp": "2018-12-10T06:45:16.851Z", - "certificate.common_name": "Software Signing", - "certificate.sha256": "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32", + "event.action": "exec", + "event.category": [ + "process" + ], "event.dataset": "santa.log", + "event.kind": "event", "event.module": "santa", + "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "group.id": "0", "group.name": "wheel", - "hash.sha256": "746f0dbafb7e675d5ce67131e5544772ee612b894e8ab51d3ce2d21f7cb7332d", "input.type": "log", + "log.level": "I", "log.offset": 737, "log.original": "[2018-12-10T06:45:16.851Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=746f0dbafb7e675d5ce67131e5544772ee612b894e8ab51d3ce2d21f7cb7332d|path=/usr/sbin/newsyslog|args=/usr/sbin/newsyslog|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=29678|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M", "process.args": [ + "/usr/sbin/newsyslog", "/usr/sbin/newsyslog" ], "process.executable": "/usr/sbin/newsyslog", + "process.hash.sha256": "746f0dbafb7e675d5ce67131e5544772ee612b894e8ab51d3ce2d21f7cb7332d", "process.pid": 29678, "process.ppid": 1, "process.start": "2018-12-10T06:45:16.851Z", + "related.hash": [ + "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32", + "746f0dbafb7e675d5ce67131e5544772ee612b894e8ab51d3ce2d21f7cb7332d" + ], + "related.user": [ + "root" + ], "santa.action": "EXEC", + "santa.certificate.common_name": "Software Signing", + "santa.certificate.sha256": "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32", "santa.decision": "ALLOW", "santa.mode": "M", "santa.reason": "CERT", @@ -86,26 +140,44 @@ }, { "@timestamp": "2018-12-10T06:45:16.859Z", - "certificate.common_name": "Software Signing", - "certificate.sha256": "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32", + "event.action": "exec", + "event.category": [ + "process" + ], "event.dataset": "santa.log", + "event.kind": "event", "event.module": "santa", + "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "group.id": "0", "group.name": "wheel", - "hash.sha256": "d6be9bfbd777ac5dcd30488014acc787a2df5ce840f1fe4d5742d323ee00392f", "input.type": "log", + "log.level": "I", "log.offset": 1095, "log.original": "[2018-12-10T06:45:16.859Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=d6be9bfbd777ac5dcd30488014acc787a2df5ce840f1fe4d5742d323ee00392f|path=/usr/sbin/systemstats|args=/usr/sbin/systemstats --daily|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=29679|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M", "process.args": [ + "/usr/sbin/systemstats", "/usr/sbin/systemstats", "--daily" ], "process.executable": "/usr/sbin/systemstats", + "process.hash.sha256": "d6be9bfbd777ac5dcd30488014acc787a2df5ce840f1fe4d5742d323ee00392f", "process.pid": 29679, "process.ppid": 1, "process.start": "2018-12-10T06:45:16.859Z", + "related.hash": [ + "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32", + "d6be9bfbd777ac5dcd30488014acc787a2df5ce840f1fe4d5742d323ee00392f" + ], + "related.user": [ + "root" + ], "santa.action": "EXEC", + "santa.certificate.common_name": "Software Signing", + "santa.certificate.sha256": "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32", "santa.decision": "ALLOW", "santa.mode": "M", "santa.reason": "CERT", @@ -115,25 +187,43 @@ }, { "@timestamp": "2018-12-10T08:45:27.810Z", - "certificate.common_name": "Software Signing", - "certificate.sha256": "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32", + "event.action": "exec", + "event.category": [ + "process" + ], "event.dataset": "santa.log", + "event.kind": "event", "event.module": "santa", + "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "group.id": "0", "group.name": "wheel", - "hash.sha256": "c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4", "input.type": "log", + "log.level": "I", "log.offset": 1465, "log.original": "[2018-12-10T08:45:27.810Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4|path=/usr/libexec/xpcproxy|args=/usr/sbin/newsyslog|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=29681|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M", "process.args": [ + "/usr/libexec/xpcproxy", "/usr/sbin/newsyslog" ], "process.executable": "/usr/libexec/xpcproxy", + "process.hash.sha256": "c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4", "process.pid": 29681, "process.ppid": 1, "process.start": "2018-12-10T08:45:27.810Z", + "related.hash": [ + "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32", + "c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4" + ], + "related.user": [ + "root" + ], "santa.action": "EXEC", + "santa.certificate.common_name": "Software Signing", + "santa.certificate.sha256": "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32", "santa.decision": "ALLOW", "santa.mode": "M", "santa.reason": "CERT", @@ -143,26 +233,44 @@ }, { "@timestamp": "2018-12-10T08:45:27.810Z", - "certificate.common_name": "Software Signing", - "certificate.sha256": "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32", + "event.action": "exec", + "event.category": [ + "process" + ], "event.dataset": "santa.log", + "event.kind": "event", "event.module": "santa", + "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "group.id": "0", "group.name": "wheel", - "hash.sha256": "c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4", "input.type": "log", + "log.level": "I", "log.offset": 1825, "log.original": "[2018-12-10T08:45:27.810Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4|path=/usr/libexec/xpcproxy|args=xpcproxy com.adobe.AAM.Scheduler-1.0|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=29680|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M", "process.args": [ + "/usr/libexec/xpcproxy", "xpcproxy", "com.adobe.AAM.Scheduler-1.0" ], "process.executable": "/usr/libexec/xpcproxy", + "process.hash.sha256": "c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4", "process.pid": 29680, "process.ppid": 1, "process.start": "2018-12-10T08:45:27.810Z", + "related.hash": [ + "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32", + "c4bc09fd2f248534552f517acf3edb9a635aba2b02e46f49df683ea9b778e5b4" + ], + "related.user": [ + "root" + ], "santa.action": "EXEC", + "santa.certificate.common_name": "Software Signing", + "santa.certificate.sha256": "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32", "santa.decision": "ALLOW", "santa.mode": "M", "santa.reason": "CERT", @@ -172,24 +280,41 @@ }, { "@timestamp": "2018-12-10T21:37:27.247Z", + "event.action": "exec", + "event.category": [ + "process" + ], "event.dataset": "santa.log", + "event.kind": "event", "event.module": "santa", + "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "group.id": "0", "group.name": "wheel", - "hash.sha256": "08bd61582657cd6d78c9e071d34d79a32bb59e7210077a44919d2c5477e988a1", "input.type": "log", + "log.level": "I", "log.offset": 2202, "log.original": "[2018-12-10T21:37:27.247Z] I santad: action=EXEC|decision=ALLOW|reason=UNKNOWN|sha256=08bd61582657cd6d78c9e071d34d79a32bb59e7210077a44919d2c5477e988a1|path=/usr/local/Cellar/osquery/3.3.0_1/bin/osqueryd|args=/usr/local/bin/osqueryd --flagfile=/private/var/osquery/osquery.flags --logger_min_stderr=1|pid=45084|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M", "process.args": [ + "/usr/local/Cellar/osquery/3.3.0_1/bin/osqueryd", "/usr/local/bin/osqueryd", "--flagfile=/private/var/osquery/osquery.flags", "--logger_min_stderr=1" ], "process.executable": "/usr/local/Cellar/osquery/3.3.0_1/bin/osqueryd", + "process.hash.sha256": "08bd61582657cd6d78c9e071d34d79a32bb59e7210077a44919d2c5477e988a1", "process.pid": 45084, "process.ppid": 1, "process.start": "2018-12-10T21:37:27.247Z", + "related.hash": [ + "08bd61582657cd6d78c9e071d34d79a32bb59e7210077a44919d2c5477e988a1" + ], + "related.user": [ + "root" + ], "santa.action": "EXEC", "santa.decision": "ALLOW", "santa.mode": "M", @@ -200,22 +325,42 @@ }, { "@timestamp": "2018-12-10T16:24:43.992Z", - "certificate.common_name": "Software Signing", - "certificate.sha256": "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32", + "event.action": "exec", + "event.category": [ + "process" + ], "event.dataset": "santa.log", + "event.kind": "event", "event.module": "santa", + "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "group.id": "20", "group.name": "staff", - "hash.sha256": "63b6a54848d7b4adf726d68f11409a4ac05b43926cb0f2792f7d41dc0221c106", "input.type": "log", + "log.level": "I", "log.offset": 2560, "log.original": "[2018-12-10T16:24:43.992Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=63b6a54848d7b4adf726d68f11409a4ac05b43926cb0f2792f7d41dc0221c106|path=/usr/bin/basename|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=40757|ppid=40756|uid=501|user=akroh|gid=20|group=staff|mode=M", + "process.args": [ + "/usr/bin/basename" + ], "process.executable": "/usr/bin/basename", + "process.hash.sha256": "63b6a54848d7b4adf726d68f11409a4ac05b43926cb0f2792f7d41dc0221c106", "process.pid": 40757, "process.ppid": 40756, "process.start": "2018-12-10T16:24:43.992Z", + "related.hash": [ + "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32", + "63b6a54848d7b4adf726d68f11409a4ac05b43926cb0f2792f7d41dc0221c106" + ], + "related.user": [ + "akroh" + ], "santa.action": "EXEC", + "santa.certificate.common_name": "Software Signing", + "santa.certificate.sha256": "2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32", "santa.decision": "ALLOW", "santa.mode": "M", "santa.reason": "CERT", @@ -225,18 +370,26 @@ }, { "@timestamp": "2018-12-14T05:35:38.313Z", - "certificate.common_name": "Developer ID Application: Google, Inc. (EQHXZ8M8AV)", - "certificate.sha256": "345a8e098bd04794aaeefda8c9ef56a0bf3d3706d67d35bc0e23f11bb3bffce5", + "event.action": "exec", + "event.category": [ + "process" + ], "event.dataset": "santa.log", + "event.kind": "event", "event.module": "santa", + "event.outcome": "success", + "event.type": [ + "start" + ], "fileset.name": "log", "group.id": "20", "group.name": "staff", - "hash.sha256": "a8defc1b24c45f6dabeb8298af5f8e1daf39e1504e16f878345f15ac94ae96d7", "input.type": "log", + "log.level": "I", "log.offset": 2899, "log.original": "[2018-12-14T05:35:38.313Z] I santad: action=EXEC|decision=ALLOW|reason=UNKNOWN|sha256=a8defc1b24c45f6dabeb8298af5f8e1daf39e1504e16f878345f15ac94ae96d7|path=/Applications/Google Chrome.app/Contents/Versions/70.0.3538.110/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper|args=/Applications/Google Chrome.app/Contents/Versions/70.0.3538.110/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper --type=utility --field-trial-handle=120122713615061869,9401617251746517350,131072 --lang=en-US --service-sandbox-type=utility --service-request-channel-token=10458143409865682077 --seatbelt-client=262|cert_sha256=345a8e098bd04794aaeefda8c9ef56a0bf3d3706d67d35bc0e23f11bb3bffce5|cert_cn=Developer ID Application: Google, Inc. (EQHXZ8M8AV)|pid=89238|ppid=704|uid=501|user=akroh|gid=20|group=staff|mode=M", "process.args": [ + "/Applications/Google Chrome.app/Contents/Versions/70.0.3538.110/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper", "/Applications/Google", "Chrome.app/Contents/Versions/70.0.3538.110/Google", "Chrome", @@ -251,10 +404,20 @@ "--seatbelt-client=262" ], "process.executable": "/Applications/Google Chrome.app/Contents/Versions/70.0.3538.110/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper", + "process.hash.sha256": "a8defc1b24c45f6dabeb8298af5f8e1daf39e1504e16f878345f15ac94ae96d7", "process.pid": 89238, "process.ppid": 704, "process.start": "2018-12-14T05:35:38.313Z", + "related.hash": [ + "345a8e098bd04794aaeefda8c9ef56a0bf3d3706d67d35bc0e23f11bb3bffce5", + "a8defc1b24c45f6dabeb8298af5f8e1daf39e1504e16f878345f15ac94ae96d7" + ], + "related.user": [ + "akroh" + ], "santa.action": "EXEC", + "santa.certificate.common_name": "Developer ID Application: Google, Inc. (EQHXZ8M8AV)", + "santa.certificate.sha256": "345a8e098bd04794aaeefda8c9ef56a0bf3d3706d67d35bc0e23f11bb3bffce5", "santa.decision": "ALLOW", "santa.mode": "M", "santa.reason": "UNKNOWN", @@ -264,10 +427,13 @@ }, { "@timestamp": "2018-12-17T03:03:52.337Z", + "event.action": "diskappear", "event.dataset": "santa.log", + "event.kind": "event", "event.module": "santa", "fileset.name": "log", "input.type": "log", + "log.level": "I", "log.offset": 3712, "log.original": "[2018-12-17T03:03:52.337Z] I santad: action=DISKAPPEAR|mount=/Volumes/Recovery|volume=Recovery|bsdname=disk1s3|fs=apfs|model=APPLE SSD SM0512L|serial=C026495006UHCHH1Q|bus=PCI-Express|dmgpath=", "santa.action": "DISKAPPEAR",