
[Security Solution] [Timeline] Endpoint row renderers (2nd batch) #91446

Commits on Feb 15, 2021

  1. ## [Security Solution] [Timeline] Endpoint row renderers (2nd batch)

    This PR implements the 2nd batch of Endpoint row renderers, **including the new Ransomware alerts**, by adding new row renderers for the following Endpoint alerts and events:
    
    | event.dataset            | event.type | event.category | event.action    |
    |--------------------------|------------|----------------|-----------------|
    | endpoint.alerts          | denied     | file           | creation        |
    | endpoint.alerts          | allowed    | file           | creation        |
    | endpoint.alerts          | denied     | file           | files-encrypted |
    | endpoint.alerts          | allowed    | file           | files-encrypted |
    | endpoint.alerts          | denied     | file           | modification    |
    | endpoint.alerts          | allowed    | file           | modification    |
    | endpoint.alerts          | denied     | file           | rename          |
    | endpoint.alerts          | allowed    | file           | rename          |
    | endpoint.alerts          | denied     | process        | execution       |
    | endpoint.alerts          | allowed    | process        | execution       |
    | endpoint.events.file     | change     | file           | modification    |
    | endpoint.events.file     | change     | file           | overwrite       |
    | endpoint.events.file     | change     | file           | rename          |
    | endpoint.events.registry | change     | registry       | modification    |
    | endpoint.events.library  | start      | library        | load            |
    | endpoint.events.network  | protocol   | network        | http_request    |
    | endpoint.events.process  | start      | process        | exec            |
    | endpoint.events.process  | start      | process        | fork            |
    
    Other updates:
    
    - All row renderers will now only display `file.hash.sha256` and `process.hash.sha256`. (The `sha1` and `md5` hashes will no longer be displayed.)
    
    ## Malware File Creation Prevented alert
    
    Malware File Creation Prevented alerts with the following `event.dataset`, `event.type`, `event.category`, and `event.action` will be rendered in Timeline via row renderers:
    
    ```
    event.dataset: endpoint.alerts and event.type: denied and event.category: file and event.action: creation
    ```
    
    ### Sample Malware File Creation Prevented alert
    
    ![malware_file_creation_prevented](https://user-images.githubusercontent.com/4459398/107970084-e4762b00-6f6d-11eb-88c8-c9fd474d2de4.png)
    
    `win2019-endpoint-1` was prevented from creating a malicious file `6a5eabd6-1c79-4962-b411-a5e7d9e967d4.tmp` in `C:\Users\sean\Downloads\6a5eabd6-1c79-4962-b411-a5e7d9e967d4.tmp` via `chrome.exe` (`8944`) `C:\Program Files\Google\Chrome\Application\chrome.exe` via parent process `explorer.exe` (`1008`) with result `success`
    
    `7cc42618e580f233fee47e82312cc5c3476cb5de9219ba3f9eb7f99ac0659c30`
    
    ### Fields in a Malware File Creation Prevented alert
    
    `user.name` \ `user.domain` @ `host.name` was prevented from creating a malicious file `file.name` in `file.path` via `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`) with result `event.outcome`
    
    `file.hash.sha256`
    
    ## Malware File Creation Detected alert
    
    Malware File Creation Detected alerts with the following `event.dataset`, `event.type`, `event.category`, and `event.action` will be rendered in Timeline via row renderers:
    
    ```
    event.dataset: endpoint.alerts and event.type: allowed and event.category: file and event.action: creation
    ```
    
    ### Sample Malware File Creation Detected alert
    
    ![malware_file_creation_detected](https://user-images.githubusercontent.com/4459398/107970897-f7d5c600-6f6e-11eb-83a8-7324e34506c1.png)
    
    `DESKTOP-1` was detected creating a malicious file `mimikatz_write.exe` in `C:\temp\mimikatz_write.exe` via `python.exe` (`4400`) `C:\Python27\python.exe` `main.py` `-a` `execute` `-p` `c:\temp` via parent process `pythonservice.exe` (`2936`) with result `success`
    
    `263f09eeee80e03aa27a2d19530e2451978e18bf733c5f1c64ff2389c5dc17b0`
    
    ### Fields in a Malware File Creation Detected alert
    
    `user.name` \ `user.domain` @ `host.name` was detected creating a malicious file `file.name` in `file.path` via `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`) with result `event.outcome`
    
    `file.hash.sha256`
    
    ## Ransomware Files Encrypted Prevented alert
    
    Ransomware Files Encrypted Prevented alerts with the following `event.dataset`, `event.type`, `event.category`, and `event.action` will be rendered in Timeline via row renderers:
    
    ```
    event.dataset: endpoint.alerts and event.type: denied and event.category: file and event.action: files-encrypted
    ```
    
    ### Sample Ransomware Files Encrypted Prevented alert
    
    ![ransomware_files-encrypted_prevented](https://user-images.githubusercontent.com/4459398/107973327-56e90a00-6f72-11eb-8337-8bb15bd24ad2.png)
    
    `DESKTOP-1` ransomware was prevented from encrypting files via `powershell.exe` (`6056`) `powershell.exe` `-file` `mock_ransomware_v3.ps1` via parent process `cmd.exe` (`10680`) with result `success`
    
    `e9fa973eb5ad446e0be31c7b8ae02d48281319e7f492e1ddaadddfbdd5b480c7`
    
    ### Fields in a Ransomware Files Encrypted Prevented alert
    
    `user.name` \ `user.domain` @ `host.name` ransomware was prevented from encrypting files via `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`) with result `event.outcome`
    
    `process.hash.sha256`
    
    ## Ransomware Files Encrypted Detected alert
    
    Ransomware Files Encrypted Detected alerts with the following `event.dataset`, `event.type`, `event.category`, and `event.action` will be rendered in Timeline via row renderers:
    
    ```
    event.dataset: endpoint.alerts and event.type: allowed and event.category: file and event.action: files-encrypted
    ```
    
    ### Sample Ransomware Files Encrypted Detected alert
    
    ![ransomware_files-encrypted_detected](https://user-images.githubusercontent.com/4459398/107976086-42a70c00-6f76-11eb-8977-74ad47191d71.png)
    
    `DESKTOP-1` ransomware was detected encrypting files via `powershell.exe` (`4684`) `powershell.exe` `-file` `mock_ransomware_v3.ps1` via parent process `cmd.exe` (`8616`) with result `success`
    
    `e9fa973eb5ad446e0be31c7b8ae02d48281319e7f492e1ddaadddfbdd5b480c7`
    
    ### Fields in a Ransomware Files Encrypted Detected alert
    
    `user.name` \ `user.domain` @ `host.name` ransomware was detected encrypting files via `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`) with result `event.outcome`
    
    `process.hash.sha256`
    
    ## Malware File Modification Prevented alert
    
    Malware File Modification Prevented alerts with the following `event.dataset`, `event.type`, `event.category`, and `event.action` will be rendered in Timeline via row renderers:
    
    ```
    event.dataset: endpoint.alerts and event.type: denied and event.category: file and event.action: modification
    ```
    
    ### Sample Malware File Modification Prevented alert
    
    ![malware_file_modification_prevented](https://user-images.githubusercontent.com/4459398/107979686-3a51cf80-6f7c-11eb-92ff-f164536f6c70.png)
    
    `win2019-endpoint-1` was prevented from modifying a malicious file `mimikatz - Copy.exe` in `C:\Users\sean\Downloads\mimikatz_trunk (1)\x64\mimikatz - Copy.exe` via `explorer.exe` (`1008`) `C:\Windows\Explorer.EXE` via parent process `C:\Windows\System32\userinit.exe` (`356`) with result `success`
    
    `31eb1de7e840a342fd468e558e5ab627bcb4c542a8fe01aec4d5ba01d539a0fc`
    
    ### Fields in a Malware File Modification Prevented alert
    
    `user.name` \ `user.domain` @ `host.name` was prevented from modifying a malicious file `file.name` in `file.path` via `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`) with result `event.outcome`
    
    `file.hash.sha256`
    
    ## Malware File Modification Detected alert
    
    Malware File Modification Detected alerts with the following `event.dataset`, `event.type`, `event.category`, and `event.action` will be rendered in Timeline via row renderers:
    
    ```
    event.dataset: endpoint.alerts and event.type: allowed and event.category: file and event.action: modification
    ```
    
    ### Sample Malware File Modification Detected alert
    
    ![malware_file_modification_detected](https://user-images.githubusercontent.com/4459398/107980920-55bdda00-6f7e-11eb-9d08-2aa02253a958.png)
    
    `mac-1.local` was detected modifying a malicious file `aircrack` in `/private/var/root/write_malware/modules/write_malware/aircrack` via `Python` (`5995`) `/usr/local/Cellar/python/2.7.14/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python` `main.py` `-a` `modify` via parent process `Python` (`97`) with result `success`
    
    `f0954d9673878b2223b00b7ec770c7b438d876a9bb44ec78457e5c618f31f52b`
    
    ### Fields in a Malware File Modification Detected alert
    
    `user.name` \ `user.domain` @ `host.name` was detected modifying a malicious file `file.name` in `file.path` via `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`) with result `event.outcome`
    
    `file.hash.sha256`
    
    ## Malware File Rename Prevented alert
    
    Malware File Rename Prevented alerts with the following `event.dataset`, `event.type`, `event.category`, and `event.action` will be rendered in Timeline via row renderers:
    
    ```
    event.dataset: endpoint.alerts and event.type: denied and event.category: file and event.action: rename
    ```
    
    ### Sample Malware File Rename Prevented alert
    
    ![malware_file_rename_prevented](https://user-images.githubusercontent.com/4459398/107981991-6e2ef400-6f80-11eb-8d48-3c9aa48c5d72.png)
    
    `win2019-endpoint-1` was prevented from renaming a malicious file `23361f8f413dd9258545030e42056a352fe35f66bac376d49954551c9b4bcf97.exe` in `C:\Users\sean\Downloads\23361f8f413dd9258545030e42056a352fe35f66bac376d49954551c9b4bcf97.exe` via `explorer.exe` (`1008`) `C:\Windows\Explorer.EXE` via parent process `C:\Windows\System32\userinit.exe` (`356`) with result `success`
    
    `23361f8f413dd9258545030e42056a352fe35f66bac376d49954551c9b4bcf97`
    
    ### Fields in a Malware File Rename Prevented alert
    
    `user.name` \ `user.domain` @ `host.name` was prevented from renaming a malicious file `file.name` in `file.path` via `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`) with result `event.outcome`
    
    `file.hash.sha256`
    
    ## Malware File Rename Detected alert
    
    Malware File Rename Detected alerts with the following `event.dataset`, `event.type`, `event.category`, and `event.action` will be rendered in Timeline via row renderers:
    
    ```
    event.dataset: endpoint.alerts and event.type: allowed and event.category: file and event.action: rename
    ```
    
    ### Sample Malware File Rename Detected alert
    
    ![malware_file_rename_detected](https://user-images.githubusercontent.com/4459398/107983209-ab948100-6f82-11eb-893f-359fa0bd3a19.png)
    
    `win2019-endpoint-1` was detected renaming a malicious file `23361f8f413dd9258545030e42056a352fe35f66bac376d49954551c9b4bcf97.exe` in `C:\Users\sean\Downloads\23361f8f413dd9258545030e42056a352fe35f66bac376d49954551c9b4bcf97.exe` via `explorer.exe` (`1008`) `C:\Windows\Explorer.EXE` via parent process `C:\Windows\System32\userinit.exe` (`356`) with result `success`
    
    `23361f8f413dd9258545030e42056a352fe35f66bac376d49954551c9b4bcf97`
    
    ### Fields in a Malware File Rename Detected alert
    
    `user.name` \ `user.domain` @ `host.name` was detected renaming a malicious file `file.name` in `file.path` via `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`) with result `event.outcome`
    
    `file.hash.sha256`
    
    ## Malware Process Execution Prevented alert
    
    Malware Process Execution Prevented alerts with the following `event.dataset`, `event.type`, `event.category`, and `event.action` will be rendered in Timeline via row renderers:
    
    ```
    event.dataset: endpoint.alerts and event.type: denied and event.category: process and event.action: execution
    ```
    
    ### Sample Malware Process Execution Prevented alert
    
    ![malware_process_execution_prevented](https://user-images.githubusercontent.com/4459398/107986073-8b67c080-6f88-11eb-89a5-95434639631e.png)
    
    `win2019-endpoint-1` was prevented from executing a malicious process `C:\Users\sean\Downloads\3be13acde2f4dcded4fd8d518a513bfc9882407a6e384ffb17d12710db7d76fb.exe` (`6920`) `C:\Users\sean\Downloads\3be13acde2f4dcded4fd8d518a513bfc9882407a6e384ffb17d12710db7d76fb.exe` via parent process `explorer.exe` (`1008`) with result `success`
    
    `3be13acde2f4dcded4fd8d518a513bfc9882407a6e384ffb17d12710db7d76fb`
    
    ### Fields in a Malware Process Execution Prevented alert
    
    `host.name` was prevented from executing a malicious process `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`) with result `event.outcome`
    
    `process.hash.sha256`
    
    ## Malware Process Execution Detected alert
    
    Malware Process Execution Detected alerts with the following `event.dataset`, `event.type`, `event.category`, and `event.action` will be rendered in Timeline via row renderers:
    
    ```
    event.dataset: endpoint.alerts and event.type: allowed and event.category: process and event.action: execution
    ```
    
    ### Sample Malware Process Execution Detected alert
    
    ![malware_process_execution_detected](https://user-images.githubusercontent.com/4459398/107986475-590a9300-6f89-11eb-9dbc-373efe005c85.png)
    
    `DESKTOP-1` was detected executing a malicious process `mimikatz_write.exe` (`8668`) `c:\temp\mimikatz_write.exe` via parent process `python.exe` (`4400`) with result `success`
    
    `263f09eeee80e03aa27a2d19530e2451978e18bf733c5f1c64ff2389c5dc17b0`
    
    ### Fields in a Malware Process Execution Detected alert
    
    `host.name` was detected executing a malicious process `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`) with result `event.outcome`
    
    `process.hash.sha256`
    
    ## File (FIM) Modification events
    
    Endpoint File (FIM) Modification events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers:
    
    ```
    event.dataset: endpoint.events.file and event.action: modification
    ```
    
    ### Sample rendered File (FIM) Modification event
    
    Each field with `this formatting` is draggable (to pivot a search) in the row-rendered event:
    
    ![file_modification](https://user-images.githubusercontent.com/4459398/106680191-641df600-657b-11eb-974e-e2afbc7698a3.png)
    
    `admin` @ `test-Mac.local` modified a file `.dat.nosync01a5.6hoWv1` in `/Users/admin/Library/Application Support/CrashReporter/.dat.nosync01a5.6hoWv1` via `diagnostics_agent` `(421)`
    
    ### Fields in a File (FIM) Modification event
    
    `user.name` \ `user.domain` @ `host.name` modified a file `file.name` in `file.path` via `process.name` `(process.pid)`
    
    ## File (FIM) Overwrite events
    
    Endpoint File (FIM) Overwrite events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers:
    
    ```
    event.dataset: endpoint.events.file and event.action: overwrite
    ```
    
    ### Sample rendered File (FIM) Overwrite event
    
    ![file_overwrite](https://user-images.githubusercontent.com/4459398/106675692-c9b9b480-6572-11eb-9f78-fb0b4bf0b05d.png)
    
    `LOCAL SERVICE` \ `NT AUTHORITY` @ `windows-endpoint-1` overwrote a file `lastalive0.dat` in `C:\Windows\ServiceState\EventLog\Data\lastalive0.dat` via `svchost.exe` `(1228)`
    
    ### Fields in a File (FIM) Overwrite event
    
    `user.name` \ `user.domain` @ `host.name` overwrote a file `file.name` in `file.path` via `process.name` `(process.pid)`
    
    ## File (FIM) Rename events
    
    Endpoint File (FIM) Rename events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers:
    
    ```
    event.dataset: endpoint.events.file and event.action: rename
    ```
    
    ### Sample rendered File (FIM) Rename event
    
    ![file_rename](https://user-images.githubusercontent.com/4459398/106534633-c4e0fc00-64b1-11eb-8213-494b51e8cdf9.png)
    
    `LOCAL SERVICE` \ `NT AUTHORITY` @ `windows-endpoint-1` renamed a file `SRU.log` in `C:\Windows\System32\sru\SRU.log` from its original path `C:\Windows\System32\sru\SRUtmp.log` via `svchost.exe` `(1204)`
    
    ### Fields in a File (FIM) Rename event
    
    `user.name` \ `user.domain` @ `host.name` renamed a file `file.name` in `file.path` from its original path `file.Ext.original.path` via `process.name` `(process.pid)`
    
    ## Registry Modification events
    
    Registry Modification events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers:
    
    ```
    event.dataset: endpoint.events.registry and event.action: modification
    ```
    
    ### Sample Registry Modification event
    
    ![registry_modification](https://user-images.githubusercontent.com/4459398/107091637-56f14900-67bf-11eb-9c8b-7f748e848bac.png)
    
    `SYSTEM` \ `NT AUTHORITY` @ `win2019-endpoint-1` modified registry key `SOFTWARE\WOW6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState` with new value `HKLM\SOFTWARE\WOW6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState\StateValue` via `GoogleUpdate.exe` `(7408)`
    
    ### Fields in a Registry Modification event
    
    `user.name` \ `user.domain` @ `host.name` modified registry key `registry.key` with new value `registry.path` via `process.name` `(process.pid)`
    
    ## Library Load events
    
    Library Load events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers:
    
    ```
    event.dataset: endpoint.events.library and event.action: load
    ```
    
    ### Sample Library Load event
    
    ![library_load](https://user-images.githubusercontent.com/4459398/107261734-ea638d80-69fc-11eb-8b2c-0a4f453b3f95.png)
    
    `SYSTEM` \ `NT AUTHORITY` @ `win2019-endpoint-1` loaded library `bcrypt.dll` in `C:\Windows\System32\bcrypt.dll` via `sshd.exe` `(9644)`
    
    `e70f5d8f87aab14e3160227d38387889befbe37fa4f8f5adc59eff52804b35fd`
    
    `2c4ba5c1482987d50a182bad915f52cd6611ee63`
    
    `00439016776de367bad087d739a03797`
    
    ### Fields in a Library Load event
    
    `user.name` \ `user.domain` @ `host.name` loaded library `file.name` in `file.path` via `process.name` `(process.pid)`
    
    `file.hash.sha256`
    
    `file.hash.sha1`
    
    `file.hash.md5`
    
    ## HTTP Request events
    
    HTTP Request events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers:
    
    ```
    event.dataset: endpoint.events.network and event.action: http_request
    ```
    
    ### Sample HTTP Request event
    
    ![http_request](https://user-images.githubusercontent.com/4459398/107546591-c5505580-6b89-11eb-8081-fe492312cc12.png)
    
    Network HTTP Request events, like the one in the screenshot above, are also rendered by the Netflow row renderer, which displays information that includes the directionality of the connection, protocol, and source / destination details.
    
    `NETWORK SERVICE` \ `NT AUTHORITY` @ `win2019-endpoint-1` made an http request via `svchost.exe` `(2232)`
    
    ### Fields in an HTTP Request event
    
    `user.name` \ `user.domain` @ `host.name` made an http request via `process.name` `(process.pid)`
    
    ## Process Exec events
    
    Endpoint Process Exec events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers:
    
    ```
    event.dataset: endpoint.events.process and event.action: exec
    ```
    
    ### Sample rendered Process Exec event
    
    ![process_exec](https://user-images.githubusercontent.com/4459398/107989163-de447680-6f8e-11eb-88e9-d8c72d77bc2d.png)
    
    `admin` @ `test-mac.local` executed process `mdworker_shared` (`4454`) `/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker_shared` `-s` `mdworker` `-c` `MDSImporterWorker` `-m` `com.apple.mdworker.shared` via parent process `launchd` (`1`)
    
    `4bc018ac461706496302d1faab0a8bb39aad974eb432758665103165f3a2dd2b`
    
    ### Fields in a Process Exec event
    
    The following fields will be used to render a Process Exec event:
    
    `user.name` @ `host.name` executed process `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`)
    
    `process.hash.sha256`
    
    ## Process Fork events
    
    Endpoint Process Fork events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers:
    
    ```
    event.dataset: endpoint.events.process and event.action: fork
    ```
    
    ### Sample rendered Process Fork event
    
    ![process_fork](https://user-images.githubusercontent.com/4459398/107990678-29ac5400-6f92-11eb-893f-59bafa79cd53.png)
    
    `admin` @ `test-mac.local` forked process `zoom.us` (`4042`) `/Applications/zoom.us.app/Contents/MacOS/zoom.us` via parent process `zoom.us` (`3961`)
    
    `cbf3d059cc9f9c0adff5ef15bf331b95ab381837fa0adecd965a41b5846f4bd4`
    
    ### Fields in a Process Fork event
    
    The following fields will be used to render a Process Fork event:
    
    `user.name` @ `host.name` forked process `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`)
    
    `process.hash.sha256`
    andrew-goldstein committed Feb 15, 2021
    d2d08f7
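As an added example (not code from this PR or from Kibana), the following TypeScript shows how a row renderer can be selected by the `event.dataset` / `event.type` / `event.category` / `event.action` tuple from the table in the commit message, and how the field templates listed for each renderer are filled from an ECS document: the `user.name` \ `user.domain` @ `host.name` prefix drops whatever is absent, `process.args` is joined from an array, and only the sha256 hash is rendered. The template syntax, the helper names and the two sample documents (built from the field values of the Malware File Creation Prevented and File (FIM) Modification samples above, with a placeholder sha1) are assumptions of this example.

```typescript
// Added example (not Kibana's own code): select an Endpoint row renderer by the
// event.dataset / event.type / event.category / event.action tuple from the PR's
// table and fill its field template from an ECS document. The template syntax,
// helper names and the two sample documents are this example's own assumptions.

type Doc = Record<string, unknown>;

// Read a dotted ECS path ("process.parent.pid") from a nested or a flattened doc.
function getField(doc: Doc, path: string): unknown {
  if (path in doc) return doc[path];
  let cur: unknown = doc;
  for (const part of path.split('.')) {
    if (cur === null || typeof cur !== 'object') return undefined;
    cur = (cur as Doc)[part];
  }
  return cur;
}

// Template builders. `{actor}` expands to user.name \ user.domain @ host.name,
// omitting whatever is absent; only the sha256 hash is rendered, as the PR states.
const fileAlert = (verb: string): string =>
  `{actor} ${verb} a malicious file {file.name} in {file.path} via {process.name} ` +
  `({process.pid}) {process.args} via parent process {process.parent.name} ` +
  `({process.parent.pid}) with result {event.outcome}\n{file.hash.sha256}`;
const processAlert = (verb: string): string =>
  `{host.name} ${verb} a malicious process {process.name} ({process.pid}) {process.args} ` +
  `via parent process {process.parent.name} ({process.parent.pid}) with result {event.outcome}\n{process.hash.sha256}`;
const ransomwareAlert = (verb: string): string =>
  `{actor} ransomware ${verb} encrypting files via {process.name} ({process.pid}) {process.args} ` +
  `via parent process {process.parent.name} ({process.parent.pid}) with result {event.outcome}\n{process.hash.sha256}`;
const fimEvent = (verb: string, extra = ''): string =>
  `{actor} ${verb} a file {file.name} in {file.path}${extra} via {process.name} ({process.pid})`;

// Renderer table keyed on dataset|type|category|action, following the PR's table.
const RENDERERS: Record<string, string> = {
  'endpoint.alerts|denied|file|creation': fileAlert('was prevented from creating'),
  'endpoint.alerts|allowed|file|creation': fileAlert('was detected creating'),
  'endpoint.alerts|denied|file|files-encrypted': ransomwareAlert('was prevented from'),
  'endpoint.alerts|allowed|file|files-encrypted': ransomwareAlert('was detected'),
  'endpoint.alerts|denied|file|modification': fileAlert('was prevented from modifying'),
  'endpoint.alerts|allowed|file|modification': fileAlert('was detected modifying'),
  'endpoint.alerts|denied|file|rename': fileAlert('was prevented from renaming'),
  'endpoint.alerts|allowed|file|rename': fileAlert('was detected renaming'),
  'endpoint.alerts|denied|process|execution': processAlert('was prevented from executing'),
  'endpoint.alerts|allowed|process|execution': processAlert('was detected executing'),
  'endpoint.events.file|change|file|modification': fimEvent('modified'),
  'endpoint.events.file|change|file|overwrite': fimEvent('overwrote'),
  'endpoint.events.file|change|file|rename': fimEvent('renamed', ' from its original path {file.Ext.original.path}'),
};

// ECS allows event.type / event.category to be arrays; they are joined here, so a
// multi-valued event only matches when the joined value equals a table key.
function rendererKey(doc: Doc): string {
  return ['event.dataset', 'event.type', 'event.category', 'event.action']
    .map((f) => { const v = getField(doc, f); return Array.isArray(v) ? v.join(',') : String(v ?? ''); })
    .join('|');
}

function actor(doc: Doc): string {
  const user = [getField(doc, 'user.name'), getField(doc, 'user.domain')]
    .filter((v): v is string => typeof v === 'string' && v.length > 0)
    .join(' \\ ');
  const host = getField(doc, 'host.name');
  return [user, typeof host === 'string' ? host : ''].filter((s) => s.length > 0).join(' @ ');
}

// Returns the rendered row, or undefined when no Endpoint renderer matches
// (Timeline would then fall back to its default row).
function renderRow(doc: Doc): string | undefined {
  const template = RENDERERS[rendererKey(doc)];
  if (template === undefined) return undefined;
  const filled = template.replace(/\{([\w.]+)\}/g, (_m: string, path: string): string => {
    if (path === 'actor') return actor(doc);
    const v = getField(doc, path);
    if (Array.isArray(v)) return v.join(' '); // process.args is an array of strings
    return v === undefined || v === null ? '' : String(v);
  });
  // Collapse gaps left by absent fields and drop an empty hash line.
  return filled.split('\n').map((l) => l.replace(/\s+/g, ' ').trim()).filter((l) => l.length > 0).join('\n');
}

// Constructed documents using the field values of two samples shown in the PR.
const MALWARE_FILE_CREATION_PREVENTED: Doc = {
  event: { dataset: 'endpoint.alerts', type: 'denied', category: 'file', action: 'creation', outcome: 'success' },
  host: { name: 'win2019-endpoint-1' },
  file: {
    name: '6a5eabd6-1c79-4962-b411-a5e7d9e967d4.tmp',
    path: 'C:\\Users\\sean\\Downloads\\6a5eabd6-1c79-4962-b411-a5e7d9e967d4.tmp',
    hash: { sha256: '7cc42618e580f233fee47e82312cc5c3476cb5de9219ba3f9eb7f99ac0659c30', sha1: 'SHA1-PLACEHOLDER' },
  },
  process: { name: 'chrome.exe', pid: 8944, args: ['C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe'], parent: { name: 'explorer.exe', pid: 1008 } },
};
const FIM_MODIFICATION: Doc = { // flattened form, to exercise the other ECS document shape
  'event.dataset': 'endpoint.events.file', 'event.type': 'change', 'event.category': 'file', 'event.action': 'modification',
  'user.name': 'admin', 'host.name': 'test-Mac.local', 'file.name': '.dat.nosync01a5.6hoWv1',
  'file.path': '/Users/admin/Library/Application Support/CrashReporter/.dat.nosync01a5.6hoWv1',
  'process.name': 'diagnostics_agent', 'process.pid': 421,
};
```

Calling `renderRow(MALWARE_FILE_CREATION_PREVENTED)` yields the two-line text shown under "Sample Malware File Creation Prevented alert" (host only, since the sample carries no `user.name`), and the constructed sha1 never reaches the output. The table here covers the alert and file-event rows only; the registry, library, network and process rows would follow the same pattern. A production renderer should also match membership in the `event.type` and `event.category` arrays rather than comparing the joined string, as this example does for brevity.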

Commits on Feb 17, 2021

  1. da97f16
  2. - pr feedback

    andrew-goldstein committed Feb 17, 2021
    62fd1e6