[Security Solution] [Timeline] Endpoint row renderers (1st batch) #89810
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This PR implements the 1st batch of Endpoint (`event.module: "endpoint"`) row renderers by updating and enhancing some of the existing "Endgame" (`event.module: "endgame"`) row renderers to use the latest [ECS fields](https://www.elastic.co/guide/en/ecs/current/ecs-field-reference.html). The following Endpoint events will be rendered via row renderers in Timeline: | event.dataset | event.action | |--------------------------|---------------------| | endpoint.events.file | creation | | endpoint.events.file | deletion | | endpoint.events.process | start | | endpoint.events.process | end | | endpoint.events.network | lookup_requested | | endpoint.events.network | lookup_result | | endpoint.events.network | connection_accepted | | endpoint.events.network | disconnect_received | | endpoint.events.security | log_on | | endpoint.events.security | log_off | ## File (FIM) Creation events Endpoint File (FIM) Creation events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.file and event.action: creation ``` ### Sample rendered File (FIM) Creation event  Each field with `this formatting` is draggable (to pivot a search) in the row-rendered event: `SYSTEM` \ `NT AUTHORITY` @ `win2019-endpoint` created a file `WimProvider.dll` in `C:\Windows\TEMP\F590BACBAE94\WimProvider.dll` via `MsMpEng.exe` `(2424)` ### Fields in a File (FIM) Creation event `user.name` \ `user.domain` @ `host.name` created a file `file.name` in `file.path` via `process.name` `(process.pid)` ## File (FIM) Deletion events Endpoint File (FIM) Deletion events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.file and event.action: deletion ``` ### Sample rendered File (FIM) Deletion event  `SYSTEM` \ `NT AUTHORITY` @ `windows-endpoint-1` deleted a file `AM_Delta_Patch_1.329.2793.0.exe` in `C:\Windows\SoftwareDistribution\Download\Install\AM_Delta_Patch_1.329.2793.0.exe` via `svchost.exe` `(1728)` ### Fields in a File (FIM) Deletion event `user.name` \ `user.domain` @ `host.name` deleted a file `file.name` in `file.path` via `process.name` `(process.pid)` ## Process Start events Endpoint Process Start events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.process and event.action: start ``` ### Sample rendered Process Start event  `SYSTEM` \ `NT AUTHORITY` @ `win2019-endpoint` started process `conhost.exe` (`376`) `C:\Windows\system32\conhost.exe` `0xffffffff` `-ForceV1` via parent process `sshd.exe` (`6460`) `sha256 697334c236cce7d4c9e223146ee683a1219adced9729d4ae771fd6a1502a6b63` `sha1 e19da2c35ba1c38adf12d1a472c1fcf1f1a811a7` `md5 1b0e9b5fcb62de0787235ecca560b610` ### Fields in a Process Start event The following fields will be used to render a Process Start event: `user.name` \ `user.domain` @ `host.name` started process `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`) `process.hash.sha256` `process.hash.sha1` `process.hash.md5` ## Process End events Endpoint Process End events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.process and event.action: end ``` ### Sample rendered Process End event  `SYSTEM` \ `NT AUTHORITY` @ `win2019-endpoint` terminated process `svchost.exe` (`10392`) `C:\Windows\System32\svchost.exe` `-k` `netsvcs` `-p` `-s` `NetSetupSvc` with exit code `0` via parent process `services.exe` `(568)` `7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4d02020787ab6` `a1385ce20ad79f55df235effd9780c31442aa234` `8a0a29438052faed8a2532da50455756` ### Fields in a Process End event The following fields will be used to render a Process End event: `user.name` \ `user.domain` @ `host.name` terminated process `process.name` (`process.pid`) with exit code `process.exit_code` via parent process `process.parent.name` (`process.parent.pid`) `process.hash.sha256` `process.hash.sha1` `process.hash.md5` ## Network (DNS) Lookup Requested events Endpoint Network (DNS) Lookup Requested events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.network and event.action: lookup_requested ``` ### Runtime matching criteria All Network Lookup Requested events, including Endpoint and non-Endpoint DNS events matching the following criteria will be rendered: ``` dns.question.type: * and dns.question.name: * ``` ### Sample rendered Network Lookup Requested event  `SYSTEM` \ `NT AUTHORITY` @ `windows-endpoint-1` asked for `logging.googleapis.com` with question type `A` via `google_osconfig_agent.exe` `(4064)` `dns` ### Fields in a Network Lookup Requested event The following fields will be used to render a Network Lookup Request event: `user.name` \ `user.domain` @ `host.name` asked for `dns.question.name` with question type `dns.question.type` via `process.name` `(process.pid)` `network.protocol` ## Network Lookup Result events Endpoint Network (DNS) Lookup Result events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.network and event.action: lookup_result ``` ### Runtime matching criteria All Network Lookup Result events, including Endpoint and non-Endpoint DNS events matching the following criteria will be rendered: ``` dns.question.type: * and dns.question.name: * ``` ### Sample rendered Network Lookup Result event  `SYSTEM` \ `NT AUTHORITY` @ `windows-endpoint-1` asked for `logging.googleapis.com` with question type `AAAA` via `GCEWindowsAgent.exe` `(684)` `dns` ### Fields in a Network Lookup Result event The following fields will be used to render a Network Lookup Result event: `user.name` \ `user.domain` @ `host.name` asked for `dns.question.name` with question type `dns.question.type` via `process.name` `(process.pid)` `network.protocol` ## Network Connection Accepted events Endpoint Network Connection Accepted events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.network and event.action: connection_accepted ```` ### Sample rendered Network Connection Accepted event  Network Connection Accepted events, like the one in the screenshot above, are also rendered by the _Netflow_ row renderer, which displays information that includes the directionality of the connection, protocol, and source / destination details. `NETWORK SERVICE` \ `NT AUTHORITY` @ `windows-endpoint-1` accepted a connection via `svchost.exe` `(328)` with result `success` ### Fields in a Network Connection Accepted event `user.name` \ `user.domain` @ `host.name` accepted a connection via `process.name` `(process.pid)` with result `event.outcome` ## Network Disconnect Received events Endpoint Network Disconnect Received events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.network and event.action: disconnect_received ```` ### Sample rendered Network Disconnect Received event  Network Disconnect Received events, like the one in the screenshot above, are also rendered by the _Netflow_ row renderer, which displays information that includes the directionality of the connection, protocol, and source / destination details. `NETWORK SERVICE` \ `NT AUTHORITY` @ `windows-endpoint-1` disconnected via `svchost.exe` `(328)` ### Fields in a Network Disconnect Received event `user.name` \ `user.domain` @ `host.name` disconnected via `process.name` `(process.pid)` ## Security Log On events Endpoint Security Log On events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.security and event.action: log_on ``` ### `event.outcome: "success"` vs `event.outcome: "failure"` The row renderer for Security Log On events uses the `event.outcome` field to display different results for events matching: ``` event.dataset: endpoint.events.security and event.action: log_on and event.outcome: success ``` vs events matching: ``` event.dataset: endpoint.events.security and event.action: log_on and event.outcome: failure ``` ### Sample rendered Security Log On / `event.outcome: "success"` event  `SYSTEM` \ `NT AUTHORITY` @ `win2019-endpoint` successfully logged in via `C:\Program Files\OpenSSH-Win64\sshd.exe` ### Fields in an Security Log On / `event.outcome: "success"` event `user.name` \ `user.domain` @ `host.name` successfully logged in via `process.name` (`process.pid`) ### Sample rendered Security Log On / `event.outcome: "failure"` event  `SYSTEM` \ `NT AUTHORITY` @ `win2019-endpoint` failed to log in via `C:\Program Files\OpenSSH-Win64\sshd.exe` ### Fields in an Security Log On / `event.outcome: "failure"` event `user.name` \ `user.domain` @ `host.name` failed to log in via `process.name` (`process.pid`) ################################################# ## Security Log Off events Endpoint Security Log Off events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.security and event.action: log_off ``` ### Sample rendered Security Log Off event  `SYSTEM` \ `NT AUTHORITY` @ `win2019-endpoint` logged off via `C:\Program Files\OpenSSH-Win64\sshd.exe` ### Fields in a Security Log Off event `user.name` \ `user.domain` @ `host.name` logged off via `process.name` (`process.pid`)
andrew-goldstein
added
release_note:enhancement
v8.0.0
v7.12.0
Team:Threat Hunting
|
Pinging @elastic/security-threat-hunting (Team:Threat Hunting) |
andrew-goldstein
added
the
release_note:feature
|
@elasticmachine merge upstream |
💚 Build SucceededMetrics [docs]Async chunks
History
To update your PR or re-run it, just comment with: |
XavierM
reviewed
Feb 5, 2021
...ty_solution/public/timelines/components/timeline/body/renderers/parent_process_draggable.tsx
Show resolved
Hide resolved
XavierM
approved these changes
Feb 5, 2021
andrew-goldstein
added a commit
that referenced
this pull request
Feb 5, 2021
…9810) (#90499) ## [Security Solution] [Timeline] Endpoint row renderers (1st batch) This PR implements the 1st batch of Endpoint (`event.module: "endpoint"`) row renderers by updating and enhancing some of the existing "Endgame" (`event.module: "endgame"`) row renderers to use the latest [ECS fields](https://www.elastic.co/guide/en/ecs/current/ecs-field-reference.html). The following Endpoint events will be rendered via row renderers in Timeline: | event.dataset | event.action | |--------------------------|---------------------| | endpoint.events.file | creation | | endpoint.events.file | deletion | | endpoint.events.process | start | | endpoint.events.process | end | | endpoint.events.network | lookup_requested | | endpoint.events.network | lookup_result | | endpoint.events.network | connection_accepted | | endpoint.events.network | disconnect_received | | endpoint.events.security | log_on | | endpoint.events.security | log_off | ## File (FIM) Creation events Endpoint File (FIM) Creation events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.file and event.action: creation ``` ### Sample rendered File (FIM) Creation event  Each field with `this formatting` is draggable (to pivot a search) in the row-rendered event: `SYSTEM` \ `NT AUTHORITY` @ `win2019-endpoint` created a file `WimProvider.dll` in `C:\Windows\TEMP\F590BACBAE94\WimProvider.dll` via `MsMpEng.exe` `(2424)` ### Fields in a File (FIM) Creation event `user.name` \ `user.domain` @ `host.name` created a file `file.name` in `file.path` via `process.name` `(process.pid)` ## File (FIM) Deletion events Endpoint File (FIM) Deletion events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.file and event.action: deletion ``` ### Sample rendered File (FIM) Deletion event  `SYSTEM` \ `NT AUTHORITY` @ `windows-endpoint-1` deleted a file `AM_Delta_Patch_1.329.2793.0.exe` in `C:\Windows\SoftwareDistribution\Download\Install\AM_Delta_Patch_1.329.2793.0.exe` via `svchost.exe` `(1728)` ### Fields in a File (FIM) Deletion event `user.name` \ `user.domain` @ `host.name` deleted a file `file.name` in `file.path` via `process.name` `(process.pid)` ## Process Start events Endpoint Process Start events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.process and event.action: start ``` ### Sample rendered Process Start event  `SYSTEM` \ `NT AUTHORITY` @ `win2019-endpoint` started process `conhost.exe` (`376`) `C:\Windows\system32\conhost.exe` `0xffffffff` `-ForceV1` via parent process `sshd.exe` (`6460`) `sha256 697334c236cce7d4c9e223146ee683a1219adced9729d4ae771fd6a1502a6b63` `sha1 e19da2c35ba1c38adf12d1a472c1fcf1f1a811a7` `md5 1b0e9b5fcb62de0787235ecca560b610` ### Fields in a Process Start event The following fields will be used to render a Process Start event: `user.name` \ `user.domain` @ `host.name` started process `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`) `process.hash.sha256` `process.hash.sha1` `process.hash.md5` ## Process End events Endpoint Process End events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.process and event.action: end ``` ### Sample rendered Process End event  `SYSTEM` \ `NT AUTHORITY` @ `win2019-endpoint` terminated process `svchost.exe` (`10392`) `C:\Windows\System32\svchost.exe` `-k` `netsvcs` `-p` `-s` `NetSetupSvc` with exit code `0` via parent process `services.exe` `(568)` `7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4d02020787ab6` `a1385ce20ad79f55df235effd9780c31442aa234` `8a0a29438052faed8a2532da50455756` ### Fields in a Process End event The following fields will be used to render a Process End event: `user.name` \ `user.domain` @ `host.name` terminated process `process.name` (`process.pid`) with exit code `process.exit_code` via parent process `process.parent.name` (`process.parent.pid`) `process.hash.sha256` `process.hash.sha1` `process.hash.md5` ## Network (DNS) Lookup Requested events Endpoint Network (DNS) Lookup Requested events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.network and event.action: lookup_requested ``` ### Runtime matching criteria All Network Lookup Requested events, including Endpoint and non-Endpoint DNS events matching the following criteria will be rendered: ``` dns.question.type: * and dns.question.name: * ``` ### Sample rendered Network Lookup Requested event  `SYSTEM` \ `NT AUTHORITY` @ `windows-endpoint-1` asked for `logging.googleapis.com` with question type `A` via `google_osconfig_agent.exe` `(4064)` `dns` ### Fields in a Network Lookup Requested event The following fields will be used to render a Network Lookup Request event: `user.name` \ `user.domain` @ `host.name` asked for `dns.question.name` with question type `dns.question.type` via `process.name` `(process.pid)` `network.protocol` ## Network Lookup Result events Endpoint Network (DNS) Lookup Result events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.network and event.action: lookup_result ``` ### Runtime matching criteria All Network Lookup Result events, including Endpoint and non-Endpoint DNS events matching the following criteria will be rendered: ``` dns.question.type: * and dns.question.name: * ``` ### Sample rendered Network Lookup Result event  `SYSTEM` \ `NT AUTHORITY` @ `windows-endpoint-1` asked for `logging.googleapis.com` with question type `AAAA` via `GCEWindowsAgent.exe` `(684)` `dns` ### Fields in a Network Lookup Result event The following fields will be used to render a Network Lookup Result event: `user.name` \ `user.domain` @ `host.name` asked for `dns.question.name` with question type `dns.question.type` via `process.name` `(process.pid)` `network.protocol` ## Network Connection Accepted events Endpoint Network Connection Accepted events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.network and event.action: connection_accepted ```` ### Sample rendered Network Connection Accepted event  Network Connection Accepted events, like the one in the screenshot above, are also rendered by the _Netflow_ row renderer, which displays information that includes the directionality of the connection, protocol, and source / destination details. `NETWORK SERVICE` \ `NT AUTHORITY` @ `windows-endpoint-1` accepted a connection via `svchost.exe` `(328)` with result `success` ### Fields in a Network Connection Accepted event `user.name` \ `user.domain` @ `host.name` accepted a connection via `process.name` `(process.pid)` with result `event.outcome` ## Network Disconnect Received events Endpoint Network Disconnect Received events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.network and event.action: disconnect_received ```` ### Sample rendered Network Disconnect Received event  Network Disconnect Received events, like the one in the screenshot above, are also rendered by the _Netflow_ row renderer, which displays information that includes the directionality of the connection, protocol, and source / destination details. `NETWORK SERVICE` \ `NT AUTHORITY` @ `windows-endpoint-1` disconnected via `svchost.exe` `(328)` ### Fields in a Network Disconnect Received event `user.name` \ `user.domain` @ `host.name` disconnected via `process.name` `(process.pid)` ## Security Log On events Endpoint Security Log On events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.security and event.action: log_on ``` ### `event.outcome: "success"` vs `event.outcome: "failure"` The row renderer for Security Log On events uses the `event.outcome` field to display different results for events matching: ``` event.dataset: endpoint.events.security and event.action: log_on and event.outcome: success ``` vs events matching: ``` event.dataset: endpoint.events.security and event.action: log_on and event.outcome: failure ``` ### Sample rendered Security Log On / `event.outcome: "success"` event  `SYSTEM` \ `NT AUTHORITY` @ `win2019-endpoint` successfully logged in via `C:\Program Files\OpenSSH-Win64\sshd.exe` ### Fields in an Security Log On / `event.outcome: "success"` event `user.name` \ `user.domain` @ `host.name` successfully logged in via `process.name` (`process.pid`) ### Sample rendered Security Log On / `event.outcome: "failure"` event  `SYSTEM` \ `NT AUTHORITY` @ `win2019-endpoint` failed to log in via `C:\Program Files\OpenSSH-Win64\sshd.exe` ### Fields in an Security Log On / `event.outcome: "failure"` event `user.name` \ `user.domain` @ `host.name` failed to log in via `process.name` (`process.pid`) ## Security Log Off events Endpoint Security Log Off events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.security and event.action: log_off ``` ### Sample rendered Security Log Off event  `SYSTEM` \ `NT AUTHORITY` @ `win2019-endpoint` logged off via `C:\Program Files\OpenSSH-Win64\sshd.exe` ### Fields in a Security Log Off event `user.name` \ `user.domain` @ `host.name` logged off via `process.name` (`process.pid`)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
[Security Solution] [Timeline] Endpoint row renderers (1st batch)
This PR implements the 1st batch of Endpoint (
event.module: "endpoint") row renderers by updating and enhancing some of the existing "Endgame" (event.module: "endgame") row renderers to use the latest ECS fields.The following Endpoint events will be rendered via row renderers in Timeline:
File (FIM) Creation events
Endpoint File (FIM) Creation events with the following
event.datasetandevent.actionwill be rendered in Timeline via row renderers:Sample rendered File (FIM) Creation event
Each field with
this formattingis draggable (to pivot a search) in the row-rendered event:SYSTEM\NT AUTHORITY@win2019-endpointcreated a fileWimProvider.dllinC:\Windows\TEMP\F590BACBAE94\WimProvider.dllviaMsMpEng.exe(2424)Fields in a File (FIM) Creation event
user.name\user.domain@host.namecreated a filefile.nameinfile.pathviaprocess.name(process.pid)File (FIM) Deletion events
Endpoint File (FIM) Deletion events with the following
event.datasetandevent.actionwill be rendered in Timeline via row renderers:Sample rendered File (FIM) Deletion event
SYSTEM\NT AUTHORITY@windows-endpoint-1deleted a fileAM_Delta_Patch_1.329.2793.0.exeinC:\Windows\SoftwareDistribution\Download\Install\AM_Delta_Patch_1.329.2793.0.exeviasvchost.exe(1728)Fields in a File (FIM) Deletion event
user.name\user.domain@host.namedeleted a filefile.nameinfile.pathviaprocess.name(process.pid)Process Start events
Endpoint Process Start events with the following
event.datasetandevent.actionwill be rendered in Timeline via row renderers:Sample rendered Process Start event
SYSTEM\NT AUTHORITY@win2019-endpointstarted processconhost.exe(376)C:\Windows\system32\conhost.exe0xffffffff-ForceV1via parent processsshd.exe(6460)sha256 697334c236cce7d4c9e223146ee683a1219adced9729d4ae771fd6a1502a6b63sha1 e19da2c35ba1c38adf12d1a472c1fcf1f1a811a7md5 1b0e9b5fcb62de0787235ecca560b610Fields in a Process Start event
The following fields will be used to render a Process Start event:
user.name\user.domain@host.namestarted processprocess.name(process.pid)process.argsvia parent processprocess.parent.name(process.parent.pid)process.hash.sha256process.hash.sha1process.hash.md5Process End events
Endpoint Process End events with the following
event.datasetandevent.actionwill be rendered in Timeline via row renderers:Sample rendered Process End event
SYSTEM\NT AUTHORITY@win2019-endpointterminated processsvchost.exe(10392)C:\Windows\System32\svchost.exe-knetsvcs-p-sNetSetupSvcwith exit code0via parent processservices.exe(568)7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4d02020787ab6a1385ce20ad79f55df235effd9780c31442aa2348a0a29438052faed8a2532da50455756Fields in a Process End event
The following fields will be used to render a Process End event:
user.name\user.domain@host.nameterminated processprocess.name(process.pid) with exit codeprocess.exit_codevia parent processprocess.parent.name(process.parent.pid)process.hash.sha256process.hash.sha1process.hash.md5Network (DNS) Lookup Requested events
Endpoint Network (DNS) Lookup Requested events with the following
event.datasetandevent.actionwill be rendered in Timeline via row renderers:Runtime matching criteria
All Network Lookup Requested events, including Endpoint and non-Endpoint DNS events matching the following criteria will be rendered:
Sample rendered Network Lookup Requested event
SYSTEM\NT AUTHORITY@windows-endpoint-1asked forlogging.googleapis.comwith question typeAviagoogle_osconfig_agent.exe(4064)dnsFields in a Network Lookup Requested event
The following fields will be used to render a Network Lookup Request event:
user.name\user.domain@host.nameasked fordns.question.namewith question typedns.question.typeviaprocess.name(process.pid)network.protocolNetwork Lookup Result events
Endpoint Network (DNS) Lookup Result events with the following
event.datasetandevent.actionwill be rendered in Timeline via row renderers:Runtime matching criteria
All Network Lookup Result events, including Endpoint and non-Endpoint DNS events matching the following criteria will be rendered:
Sample rendered Network Lookup Result event
SYSTEM\NT AUTHORITY@windows-endpoint-1asked forlogging.googleapis.comwith question typeAAAAviaGCEWindowsAgent.exe(684)dnsFields in a Network Lookup Result event
The following fields will be used to render a Network Lookup Result event:
user.name\user.domain@host.nameasked fordns.question.namewith question typedns.question.typeviaprocess.name(process.pid)network.protocolNetwork Connection Accepted events
Endpoint Network Connection Accepted events with the following
event.datasetandevent.actionwill be rendered in Timeline via row renderers:Sample rendered Network Connection Accepted event
Network Connection Accepted events, like the one in the screenshot above, are also rendered by the Netflow row renderer, which displays information that includes the directionality of the connection, protocol, and source / destination details.
NETWORK SERVICE\NT AUTHORITY@windows-endpoint-1accepted a connection viasvchost.exe(328)with resultsuccessFields in a Network Connection Accepted event
user.name\user.domain@host.nameaccepted a connection viaprocess.name(process.pid)with resultevent.outcomeNetwork Disconnect Received events
Endpoint Network Disconnect Received events with the following
event.datasetandevent.actionwill be rendered in Timeline via row renderers:Sample rendered Network Disconnect Received event
Network Disconnect Received events, like the one in the screenshot above, are also rendered by the Netflow row renderer, which displays information that includes the directionality of the connection, protocol, and source / destination details.
NETWORK SERVICE\NT AUTHORITY@windows-endpoint-1disconnected viasvchost.exe(328)Fields in a Network Disconnect Received event
user.name\user.domain@host.namedisconnected viaprocess.name(process.pid)Security Log On events
Endpoint Security Log On events with the following
event.datasetandevent.actionwill be rendered in Timeline via row renderers:event.outcome: "success"vsevent.outcome: "failure"The row renderer for Security Log On events uses the
event.outcomefield to display different results for events matching:vs events matching:
Sample rendered Security Log On /
event.outcome: "success"eventSYSTEM\NT AUTHORITY@win2019-endpointsuccessfully logged in viaC:\Program Files\OpenSSH-Win64\sshd.exeFields in an Security Log On /
event.outcome: "success"eventuser.name\user.domain@host.namesuccessfully logged in viaprocess.name(process.pid)Sample rendered Security Log On /
event.outcome: "failure"eventSYSTEM\NT AUTHORITY@win2019-endpointfailed to log in viaC:\Program Files\OpenSSH-Win64\sshd.exeFields in an Security Log On /
event.outcome: "failure"eventuser.name\user.domain@host.namefailed to log in viaprocess.name(process.pid)Security Log Off events
Endpoint Security Log Off events with the following
event.datasetandevent.actionwill be rendered in Timeline via row renderers:Sample rendered Security Log Off event
SYSTEM\NT AUTHORITY@win2019-endpointlogged off viaC:\Program Files\OpenSSH-Win64\sshd.exeFields in a Security Log Off event
user.name\user.domain@host.namelogged off viaprocess.name(process.pid)