-
Notifications
You must be signed in to change notification settings - Fork 8.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Security Solution] [Timeline] Endpoint row renderers (1st batch) #89810
[Security Solution] [Timeline] Endpoint row renderers (1st batch) #89810
Conversation
This PR implements the 1st batch of Endpoint (`event.module: "endpoint"`) row renderers by updating and enhancing some of the existing "Endgame" (`event.module: "endgame"`) row renderers to use the latest [ECS fields](https://www.elastic.co/guide/en/ecs/current/ecs-field-reference.html). The following Endpoint events will be rendered via row renderers in Timeline: | event.dataset | event.action | |--------------------------|---------------------| | endpoint.events.file | creation | | endpoint.events.file | deletion | | endpoint.events.process | start | | endpoint.events.process | end | | endpoint.events.network | lookup_requested | | endpoint.events.network | lookup_result | | endpoint.events.network | connection_accepted | | endpoint.events.network | disconnect_received | | endpoint.events.security | log_on | | endpoint.events.security | log_off | ## File (FIM) Creation events Endpoint File (FIM) Creation events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.file and event.action: creation ``` ### Sample rendered File (FIM) Creation event ![endpoint_file_creation](https://user-images.githubusercontent.com/4459398/106036793-ff522f80-6092-11eb-9e3b-c24538129bea.png) Each field with `this formatting` is draggable (to pivot a search) in the row-rendered event: `SYSTEM` \ `NT AUTHORITY` @ `win2019-endpoint` created a file `WimProvider.dll` in `C:\Windows\TEMP\F590BACBAE94\WimProvider.dll` via `MsMpEng.exe` `(2424)` ### Fields in a File (FIM) Creation event `user.name` \ `user.domain` @ `host.name` created a file `file.name` in `file.path` via `process.name` `(process.pid)` ## File (FIM) Deletion events Endpoint File (FIM) Deletion events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.file and event.action: deletion ``` ### Sample rendered File (FIM) Deletion event ![endpoint_file_deletion](https://user-images.githubusercontent.com/4459398/106037520-088fcc00-6094-11eb-985d-ba8cead9fec9.png) `SYSTEM` \ `NT AUTHORITY` @ `windows-endpoint-1` deleted a file `AM_Delta_Patch_1.329.2793.0.exe` in `C:\Windows\SoftwareDistribution\Download\Install\AM_Delta_Patch_1.329.2793.0.exe` via `svchost.exe` `(1728)` ### Fields in a File (FIM) Deletion event `user.name` \ `user.domain` @ `host.name` deleted a file `file.name` in `file.path` via `process.name` `(process.pid)` ## Process Start events Endpoint Process Start events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.process and event.action: start ``` ### Sample rendered Process Start event ![creation-event](https://user-images.githubusercontent.com/4459398/106061579-c7f37b00-60b2-11eb-9bc4-224e671baa4a.png) `SYSTEM` \ `NT AUTHORITY` @ `win2019-endpoint` started process `conhost.exe` (`376`) `C:\Windows\system32\conhost.exe` `0xffffffff` `-ForceV1` via parent process `sshd.exe` (`6460`) `sha256 697334c236cce7d4c9e223146ee683a1219adced9729d4ae771fd6a1502a6b63` `sha1 e19da2c35ba1c38adf12d1a472c1fcf1f1a811a7` `md5 1b0e9b5fcb62de0787235ecca560b610` ### Fields in a Process Start event The following fields will be used to render a Process Start event: `user.name` \ `user.domain` @ `host.name` started process `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`) `process.hash.sha256` `process.hash.sha1` `process.hash.md5` ## Process End events Endpoint Process End events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.process and event.action: end ``` ### Sample rendered Process End event ![endpoint_process_end](https://user-images.githubusercontent.com/4459398/106076527-f1b99b80-60cc-11eb-8ff8-2da78a1fcb8f.png) `SYSTEM` \ `NT AUTHORITY` @ `win2019-endpoint` terminated process `svchost.exe` (`10392`) `C:\Windows\System32\svchost.exe` `-k` `netsvcs` `-p` `-s` `NetSetupSvc` with exit code `0` via parent process `services.exe` `(568)` `7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4d02020787ab6` `a1385ce20ad79f55df235effd9780c31442aa234` `8a0a29438052faed8a2532da50455756` ### Fields in a Process End event The following fields will be used to render a Process End event: `user.name` \ `user.domain` @ `host.name` terminated process `process.name` (`process.pid`) with exit code `process.exit_code` via parent process `process.parent.name` (`process.parent.pid`) `process.hash.sha256` `process.hash.sha1` `process.hash.md5` ## Network (DNS) Lookup Requested events Endpoint Network (DNS) Lookup Requested events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.network and event.action: lookup_requested ``` ### Runtime matching criteria All Network Lookup Requested events, including Endpoint and non-Endpoint DNS events matching the following criteria will be rendered: ``` dns.question.type: * and dns.question.name: * ``` ### Sample rendered Network Lookup Requested event ![network_lookup_requested](https://user-images.githubusercontent.com/4459398/106191208-cdf76380-6167-11eb-9be7-aaf78e4cfdd3.png) `SYSTEM` \ `NT AUTHORITY` @ `windows-endpoint-1` asked for `logging.googleapis.com` with question type `A` via `google_osconfig_agent.exe` `(4064)` `dns` ### Fields in a Network Lookup Requested event The following fields will be used to render a Network Lookup Request event: `user.name` \ `user.domain` @ `host.name` asked for `dns.question.name` with question type `dns.question.type` via `process.name` `(process.pid)` `network.protocol` ## Network Lookup Result events Endpoint Network (DNS) Lookup Result events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.network and event.action: lookup_result ``` ### Runtime matching criteria All Network Lookup Result events, including Endpoint and non-Endpoint DNS events matching the following criteria will be rendered: ``` dns.question.type: * and dns.question.name: * ``` ### Sample rendered Network Lookup Result event ![network_lookup_result](https://user-images.githubusercontent.com/4459398/106192595-a43f3c00-6169-11eb-95bc-4ebe331f1231.png) `SYSTEM` \ `NT AUTHORITY` @ `windows-endpoint-1` asked for `logging.googleapis.com` with question type `AAAA` via `GCEWindowsAgent.exe` `(684)` `dns` ### Fields in a Network Lookup Result event The following fields will be used to render a Network Lookup Result event: `user.name` \ `user.domain` @ `host.name` asked for `dns.question.name` with question type `dns.question.type` via `process.name` `(process.pid)` `network.protocol` ## Network Connection Accepted events Endpoint Network Connection Accepted events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.network and event.action: connection_accepted ```` ### Sample rendered Network Connection Accepted event ![network_connection_accepted](https://user-images.githubusercontent.com/4459398/106200497-4f54f300-6174-11eb-8879-06b7bfc88edf.png) Network Connection Accepted events, like the one in the screenshot above, are also rendered by the _Netflow_ row renderer, which displays information that includes the directionality of the connection, protocol, and source / destination details. `NETWORK SERVICE` \ `NT AUTHORITY` @ `windows-endpoint-1` accepted a connection via `svchost.exe` `(328)` with result `success` ### Fields in a Network Connection Accepted event `user.name` \ `user.domain` @ `host.name` accepted a connection via `process.name` `(process.pid)` with result `event.outcome` ## Network Disconnect Received events Endpoint Network Disconnect Received events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.network and event.action: disconnect_received ```` ### Sample rendered Network Disconnect Received event ![network_disconnect_received](https://user-images.githubusercontent.com/4459398/106205196-56cbca80-617b-11eb-83d3-26aa9670f114.png) Network Disconnect Received events, like the one in the screenshot above, are also rendered by the _Netflow_ row renderer, which displays information that includes the directionality of the connection, protocol, and source / destination details. `NETWORK SERVICE` \ `NT AUTHORITY` @ `windows-endpoint-1` disconnected via `svchost.exe` `(328)` ### Fields in a Network Disconnect Received event `user.name` \ `user.domain` @ `host.name` disconnected via `process.name` `(process.pid)` ## Security Log On events Endpoint Security Log On events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.security and event.action: log_on ``` ### `event.outcome: "success"` vs `event.outcome: "failure"` The row renderer for Security Log On events uses the `event.outcome` field to display different results for events matching: ``` event.dataset: endpoint.events.security and event.action: log_on and event.outcome: success ``` vs events matching: ``` event.dataset: endpoint.events.security and event.action: log_on and event.outcome: failure ``` ### Sample rendered Security Log On / `event.outcome: "success"` event ![security_log_on_success](https://user-images.githubusercontent.com/4459398/106210917-fcd00280-6184-11eb-9c1c-564cfb375539.png) `SYSTEM` \ `NT AUTHORITY` @ `win2019-endpoint` successfully logged in via `C:\Program Files\OpenSSH-Win64\sshd.exe` ### Fields in an Security Log On / `event.outcome: "success"` event `user.name` \ `user.domain` @ `host.name` successfully logged in via `process.name` (`process.pid`) ### Sample rendered Security Log On / `event.outcome: "failure"` event ![security_log_on_failure](https://user-images.githubusercontent.com/4459398/106211893-b2e81c00-6186-11eb-9c34-43227c15a1f0.png) `SYSTEM` \ `NT AUTHORITY` @ `win2019-endpoint` failed to log in via `C:\Program Files\OpenSSH-Win64\sshd.exe` ### Fields in an Security Log On / `event.outcome: "failure"` event `user.name` \ `user.domain` @ `host.name` failed to log in via `process.name` (`process.pid`) ################################################# ## Security Log Off events Endpoint Security Log Off events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.security and event.action: log_off ``` ### Sample rendered Security Log Off event ![security_log_off](https://user-images.githubusercontent.com/4459398/106212499-0018bd80-6188-11eb-9e91-971f360ee87a.png) `SYSTEM` \ `NT AUTHORITY` @ `win2019-endpoint` logged off via `C:\Program Files\OpenSSH-Win64\sshd.exe` ### Fields in a Security Log Off event `user.name` \ `user.domain` @ `host.name` logged off via `process.name` (`process.pid`)
Pinging @elastic/security-threat-hunting (Team:Threat Hunting) |
@elasticmachine merge upstream |
💚 Build SucceededMetrics [docs]Async chunks
History
To update your PR or re-run it, just comment with: |
...ty_solution/public/timelines/components/timeline/body/renderers/parent_process_draggable.tsx
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, I follow all of your instructions and everything work as described. it is a really clean PR.
Thanks a lot for that!
…9810) (#90499) ## [Security Solution] [Timeline] Endpoint row renderers (1st batch) This PR implements the 1st batch of Endpoint (`event.module: "endpoint"`) row renderers by updating and enhancing some of the existing "Endgame" (`event.module: "endgame"`) row renderers to use the latest [ECS fields](https://www.elastic.co/guide/en/ecs/current/ecs-field-reference.html). The following Endpoint events will be rendered via row renderers in Timeline: | event.dataset | event.action | |--------------------------|---------------------| | endpoint.events.file | creation | | endpoint.events.file | deletion | | endpoint.events.process | start | | endpoint.events.process | end | | endpoint.events.network | lookup_requested | | endpoint.events.network | lookup_result | | endpoint.events.network | connection_accepted | | endpoint.events.network | disconnect_received | | endpoint.events.security | log_on | | endpoint.events.security | log_off | ## File (FIM) Creation events Endpoint File (FIM) Creation events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.file and event.action: creation ``` ### Sample rendered File (FIM) Creation event ![endpoint_file_creation](https://user-images.githubusercontent.com/4459398/106036793-ff522f80-6092-11eb-9e3b-c24538129bea.png) Each field with `this formatting` is draggable (to pivot a search) in the row-rendered event: `SYSTEM` \ `NT AUTHORITY` @ `win2019-endpoint` created a file `WimProvider.dll` in `C:\Windows\TEMP\F590BACBAE94\WimProvider.dll` via `MsMpEng.exe` `(2424)` ### Fields in a File (FIM) Creation event `user.name` \ `user.domain` @ `host.name` created a file `file.name` in `file.path` via `process.name` `(process.pid)` ## File (FIM) Deletion events Endpoint File (FIM) Deletion events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.file and event.action: deletion ``` ### Sample rendered File (FIM) Deletion event ![endpoint_file_deletion](https://user-images.githubusercontent.com/4459398/106037520-088fcc00-6094-11eb-985d-ba8cead9fec9.png) `SYSTEM` \ `NT AUTHORITY` @ `windows-endpoint-1` deleted a file `AM_Delta_Patch_1.329.2793.0.exe` in `C:\Windows\SoftwareDistribution\Download\Install\AM_Delta_Patch_1.329.2793.0.exe` via `svchost.exe` `(1728)` ### Fields in a File (FIM) Deletion event `user.name` \ `user.domain` @ `host.name` deleted a file `file.name` in `file.path` via `process.name` `(process.pid)` ## Process Start events Endpoint Process Start events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.process and event.action: start ``` ### Sample rendered Process Start event ![creation-event](https://user-images.githubusercontent.com/4459398/106061579-c7f37b00-60b2-11eb-9bc4-224e671baa4a.png) `SYSTEM` \ `NT AUTHORITY` @ `win2019-endpoint` started process `conhost.exe` (`376`) `C:\Windows\system32\conhost.exe` `0xffffffff` `-ForceV1` via parent process `sshd.exe` (`6460`) `sha256 697334c236cce7d4c9e223146ee683a1219adced9729d4ae771fd6a1502a6b63` `sha1 e19da2c35ba1c38adf12d1a472c1fcf1f1a811a7` `md5 1b0e9b5fcb62de0787235ecca560b610` ### Fields in a Process Start event The following fields will be used to render a Process Start event: `user.name` \ `user.domain` @ `host.name` started process `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`) `process.hash.sha256` `process.hash.sha1` `process.hash.md5` ## Process End events Endpoint Process End events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.process and event.action: end ``` ### Sample rendered Process End event ![endpoint_process_end](https://user-images.githubusercontent.com/4459398/106076527-f1b99b80-60cc-11eb-8ff8-2da78a1fcb8f.png) `SYSTEM` \ `NT AUTHORITY` @ `win2019-endpoint` terminated process `svchost.exe` (`10392`) `C:\Windows\System32\svchost.exe` `-k` `netsvcs` `-p` `-s` `NetSetupSvc` with exit code `0` via parent process `services.exe` `(568)` `7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4d02020787ab6` `a1385ce20ad79f55df235effd9780c31442aa234` `8a0a29438052faed8a2532da50455756` ### Fields in a Process End event The following fields will be used to render a Process End event: `user.name` \ `user.domain` @ `host.name` terminated process `process.name` (`process.pid`) with exit code `process.exit_code` via parent process `process.parent.name` (`process.parent.pid`) `process.hash.sha256` `process.hash.sha1` `process.hash.md5` ## Network (DNS) Lookup Requested events Endpoint Network (DNS) Lookup Requested events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.network and event.action: lookup_requested ``` ### Runtime matching criteria All Network Lookup Requested events, including Endpoint and non-Endpoint DNS events matching the following criteria will be rendered: ``` dns.question.type: * and dns.question.name: * ``` ### Sample rendered Network Lookup Requested event ![network_lookup_requested](https://user-images.githubusercontent.com/4459398/106191208-cdf76380-6167-11eb-9be7-aaf78e4cfdd3.png) `SYSTEM` \ `NT AUTHORITY` @ `windows-endpoint-1` asked for `logging.googleapis.com` with question type `A` via `google_osconfig_agent.exe` `(4064)` `dns` ### Fields in a Network Lookup Requested event The following fields will be used to render a Network Lookup Request event: `user.name` \ `user.domain` @ `host.name` asked for `dns.question.name` with question type `dns.question.type` via `process.name` `(process.pid)` `network.protocol` ## Network Lookup Result events Endpoint Network (DNS) Lookup Result events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.network and event.action: lookup_result ``` ### Runtime matching criteria All Network Lookup Result events, including Endpoint and non-Endpoint DNS events matching the following criteria will be rendered: ``` dns.question.type: * and dns.question.name: * ``` ### Sample rendered Network Lookup Result event ![network_lookup_result](https://user-images.githubusercontent.com/4459398/106192595-a43f3c00-6169-11eb-95bc-4ebe331f1231.png) `SYSTEM` \ `NT AUTHORITY` @ `windows-endpoint-1` asked for `logging.googleapis.com` with question type `AAAA` via `GCEWindowsAgent.exe` `(684)` `dns` ### Fields in a Network Lookup Result event The following fields will be used to render a Network Lookup Result event: `user.name` \ `user.domain` @ `host.name` asked for `dns.question.name` with question type `dns.question.type` via `process.name` `(process.pid)` `network.protocol` ## Network Connection Accepted events Endpoint Network Connection Accepted events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.network and event.action: connection_accepted ```` ### Sample rendered Network Connection Accepted event ![network_connection_accepted](https://user-images.githubusercontent.com/4459398/106200497-4f54f300-6174-11eb-8879-06b7bfc88edf.png) Network Connection Accepted events, like the one in the screenshot above, are also rendered by the _Netflow_ row renderer, which displays information that includes the directionality of the connection, protocol, and source / destination details. `NETWORK SERVICE` \ `NT AUTHORITY` @ `windows-endpoint-1` accepted a connection via `svchost.exe` `(328)` with result `success` ### Fields in a Network Connection Accepted event `user.name` \ `user.domain` @ `host.name` accepted a connection via `process.name` `(process.pid)` with result `event.outcome` ## Network Disconnect Received events Endpoint Network Disconnect Received events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.network and event.action: disconnect_received ```` ### Sample rendered Network Disconnect Received event ![network_disconnect_received](https://user-images.githubusercontent.com/4459398/106205196-56cbca80-617b-11eb-83d3-26aa9670f114.png) Network Disconnect Received events, like the one in the screenshot above, are also rendered by the _Netflow_ row renderer, which displays information that includes the directionality of the connection, protocol, and source / destination details. `NETWORK SERVICE` \ `NT AUTHORITY` @ `windows-endpoint-1` disconnected via `svchost.exe` `(328)` ### Fields in a Network Disconnect Received event `user.name` \ `user.domain` @ `host.name` disconnected via `process.name` `(process.pid)` ## Security Log On events Endpoint Security Log On events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.security and event.action: log_on ``` ### `event.outcome: "success"` vs `event.outcome: "failure"` The row renderer for Security Log On events uses the `event.outcome` field to display different results for events matching: ``` event.dataset: endpoint.events.security and event.action: log_on and event.outcome: success ``` vs events matching: ``` event.dataset: endpoint.events.security and event.action: log_on and event.outcome: failure ``` ### Sample rendered Security Log On / `event.outcome: "success"` event ![security_log_on_success](https://user-images.githubusercontent.com/4459398/106210917-fcd00280-6184-11eb-9c1c-564cfb375539.png) `SYSTEM` \ `NT AUTHORITY` @ `win2019-endpoint` successfully logged in via `C:\Program Files\OpenSSH-Win64\sshd.exe` ### Fields in an Security Log On / `event.outcome: "success"` event `user.name` \ `user.domain` @ `host.name` successfully logged in via `process.name` (`process.pid`) ### Sample rendered Security Log On / `event.outcome: "failure"` event ![security_log_on_failure](https://user-images.githubusercontent.com/4459398/106211893-b2e81c00-6186-11eb-9c34-43227c15a1f0.png) `SYSTEM` \ `NT AUTHORITY` @ `win2019-endpoint` failed to log in via `C:\Program Files\OpenSSH-Win64\sshd.exe` ### Fields in an Security Log On / `event.outcome: "failure"` event `user.name` \ `user.domain` @ `host.name` failed to log in via `process.name` (`process.pid`) ## Security Log Off events Endpoint Security Log Off events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.security and event.action: log_off ``` ### Sample rendered Security Log Off event ![security_log_off](https://user-images.githubusercontent.com/4459398/106212499-0018bd80-6188-11eb-9e91-971f360ee87a.png) `SYSTEM` \ `NT AUTHORITY` @ `win2019-endpoint` logged off via `C:\Program Files\OpenSSH-Win64\sshd.exe` ### Fields in a Security Log Off event `user.name` \ `user.domain` @ `host.name` logged off via `process.name` (`process.pid`)
[Security Solution] [Timeline] Endpoint row renderers (1st batch)
This PR implements the 1st batch of Endpoint (
event.module: "endpoint"
) row renderers by updating and enhancing some of the existing "Endgame" (event.module: "endgame"
) row renderers to use the latest ECS fields.The following Endpoint events will be rendered via row renderers in Timeline:
File (FIM) Creation events
Endpoint File (FIM) Creation events with the following
event.dataset
andevent.action
will be rendered in Timeline via row renderers:Sample rendered File (FIM) Creation event
Each field with
this formatting
is draggable (to pivot a search) in the row-rendered event:SYSTEM
\NT AUTHORITY
@win2019-endpoint
created a fileWimProvider.dll
inC:\Windows\TEMP\F590BACBAE94\WimProvider.dll
viaMsMpEng.exe
(2424)
Fields in a File (FIM) Creation event
user.name
\user.domain
@host.name
created a filefile.name
infile.path
viaprocess.name
(process.pid)
File (FIM) Deletion events
Endpoint File (FIM) Deletion events with the following
event.dataset
andevent.action
will be rendered in Timeline via row renderers:Sample rendered File (FIM) Deletion event
SYSTEM
\NT AUTHORITY
@windows-endpoint-1
deleted a fileAM_Delta_Patch_1.329.2793.0.exe
inC:\Windows\SoftwareDistribution\Download\Install\AM_Delta_Patch_1.329.2793.0.exe
viasvchost.exe
(1728)
Fields in a File (FIM) Deletion event
user.name
\user.domain
@host.name
deleted a filefile.name
infile.path
viaprocess.name
(process.pid)
Process Start events
Endpoint Process Start events with the following
event.dataset
andevent.action
will be rendered in Timeline via row renderers:Sample rendered Process Start event
SYSTEM
\NT AUTHORITY
@win2019-endpoint
started processconhost.exe
(376
)C:\Windows\system32\conhost.exe
0xffffffff
-ForceV1
via parent processsshd.exe
(6460
)sha256 697334c236cce7d4c9e223146ee683a1219adced9729d4ae771fd6a1502a6b63
sha1 e19da2c35ba1c38adf12d1a472c1fcf1f1a811a7
md5 1b0e9b5fcb62de0787235ecca560b610
Fields in a Process Start event
The following fields will be used to render a Process Start event:
user.name
\user.domain
@host.name
started processprocess.name
(process.pid
)process.args
via parent processprocess.parent.name
(process.parent.pid
)process.hash.sha256
process.hash.sha1
process.hash.md5
Process End events
Endpoint Process End events with the following
event.dataset
andevent.action
will be rendered in Timeline via row renderers:Sample rendered Process End event
SYSTEM
\NT AUTHORITY
@win2019-endpoint
terminated processsvchost.exe
(10392
)C:\Windows\System32\svchost.exe
-k
netsvcs
-p
-s
NetSetupSvc
with exit code0
via parent processservices.exe
(568)
7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4d02020787ab6
a1385ce20ad79f55df235effd9780c31442aa234
8a0a29438052faed8a2532da50455756
Fields in a Process End event
The following fields will be used to render a Process End event:
user.name
\user.domain
@host.name
terminated processprocess.name
(process.pid
) with exit codeprocess.exit_code
via parent processprocess.parent.name
(process.parent.pid
)process.hash.sha256
process.hash.sha1
process.hash.md5
Network (DNS) Lookup Requested events
Endpoint Network (DNS) Lookup Requested events with the following
event.dataset
andevent.action
will be rendered in Timeline via row renderers:Runtime matching criteria
All Network Lookup Requested events, including Endpoint and non-Endpoint DNS events matching the following criteria will be rendered:
Sample rendered Network Lookup Requested event
SYSTEM
\NT AUTHORITY
@windows-endpoint-1
asked forlogging.googleapis.com
with question typeA
viagoogle_osconfig_agent.exe
(4064)
dns
Fields in a Network Lookup Requested event
The following fields will be used to render a Network Lookup Request event:
user.name
\user.domain
@host.name
asked fordns.question.name
with question typedns.question.type
viaprocess.name
(process.pid)
network.protocol
Network Lookup Result events
Endpoint Network (DNS) Lookup Result events with the following
event.dataset
andevent.action
will be rendered in Timeline via row renderers:Runtime matching criteria
All Network Lookup Result events, including Endpoint and non-Endpoint DNS events matching the following criteria will be rendered:
Sample rendered Network Lookup Result event
SYSTEM
\NT AUTHORITY
@windows-endpoint-1
asked forlogging.googleapis.com
with question typeAAAA
viaGCEWindowsAgent.exe
(684)
dns
Fields in a Network Lookup Result event
The following fields will be used to render a Network Lookup Result event:
user.name
\user.domain
@host.name
asked fordns.question.name
with question typedns.question.type
viaprocess.name
(process.pid)
network.protocol
Network Connection Accepted events
Endpoint Network Connection Accepted events with the following
event.dataset
andevent.action
will be rendered in Timeline via row renderers:Sample rendered Network Connection Accepted event
Network Connection Accepted events, like the one in the screenshot above, are also rendered by the Netflow row renderer, which displays information that includes the directionality of the connection, protocol, and source / destination details.
NETWORK SERVICE
\NT AUTHORITY
@windows-endpoint-1
accepted a connection viasvchost.exe
(328)
with resultsuccess
Fields in a Network Connection Accepted event
user.name
\user.domain
@host.name
accepted a connection viaprocess.name
(process.pid)
with resultevent.outcome
Network Disconnect Received events
Endpoint Network Disconnect Received events with the following
event.dataset
andevent.action
will be rendered in Timeline via row renderers:Sample rendered Network Disconnect Received event
Network Disconnect Received events, like the one in the screenshot above, are also rendered by the Netflow row renderer, which displays information that includes the directionality of the connection, protocol, and source / destination details.
NETWORK SERVICE
\NT AUTHORITY
@windows-endpoint-1
disconnected viasvchost.exe
(328)
Fields in a Network Disconnect Received event
user.name
\user.domain
@host.name
disconnected viaprocess.name
(process.pid)
Security Log On events
Endpoint Security Log On events with the following
event.dataset
andevent.action
will be rendered in Timeline via row renderers:event.outcome: "success"
vsevent.outcome: "failure"
The row renderer for Security Log On events uses the
event.outcome
field to display different results for events matching:vs events matching:
Sample rendered Security Log On /
event.outcome: "success"
eventSYSTEM
\NT AUTHORITY
@win2019-endpoint
successfully logged in viaC:\Program Files\OpenSSH-Win64\sshd.exe
Fields in an Security Log On /
event.outcome: "success"
eventuser.name
\user.domain
@host.name
successfully logged in viaprocess.name
(process.pid
)Sample rendered Security Log On /
event.outcome: "failure"
eventSYSTEM
\NT AUTHORITY
@win2019-endpoint
failed to log in viaC:\Program Files\OpenSSH-Win64\sshd.exe
Fields in an Security Log On /
event.outcome: "failure"
eventuser.name
\user.domain
@host.name
failed to log in viaprocess.name
(process.pid
)Security Log Off events
Endpoint Security Log Off events with the following
event.dataset
andevent.action
will be rendered in Timeline via row renderers:Sample rendered Security Log Off event
SYSTEM
\NT AUTHORITY
@win2019-endpoint
logged off viaC:\Program Files\OpenSSH-Win64\sshd.exe
Fields in a Security Log Off event
user.name
\user.domain
@host.name
logged off viaprocess.name
(process.pid
)