diff --git a/x-pack/plugins/security_solution/cypress/screens/session_view.ts b/x-pack/plugins/security_solution/cypress/screens/session_view.ts
index 132263fd60a97e..8bf92b653ec3a4 100644
--- a/x-pack/plugins/security_solution/cypress/screens/session_view.ts
+++ b/x-pack/plugins/security_solution/cypress/screens/session_view.ts
@@ -23,7 +23,7 @@ export const SESSION_VIEW_CLOSE_BUTTON = '[data-test-subj="session-view-close-bu
 export const PROCESS_TREE = '[data-test-subj="sessionViewProcessTree"]';
 export const PROCESS_TREE_NODE_ALERT = '[data-test-subj="processTreeNodeAlertButton"]';
 export const SEARCH_BAR = '[data-test-subj="sessionViewProcessEventsSearch"]';
-export const SESSION_COMMANDS = '[data-test-subj="processTreeNode"'
+export const SESSION_COMMANDS = '[data-test-subj="processTreeNode"';
 
 // Details panel elements
 export const DETAILS_PANEL = '[data-test-subj="sessionViewDetailPanel"]';
diff --git a/x-pack/plugins/session_view/common/mocks/constants/session_view_process.mock.ts b/x-pack/plugins/session_view/common/mocks/constants/session_view_process.mock.ts
index b3b2757e461c60..ecec86bc6e29bd 100644
--- a/x-pack/plugins/session_view/common/mocks/constants/session_view_process.mock.ts
+++ b/x-pack/plugins/session_view/common/mocks/constants/session_view_process.mock.ts
@@ -43,7 +43,7 @@ const mockEvents = [
         args: [],
         args_count: 0,
         working_directory: '/home/vagrant',
-        start: new Date('2021-11-23T15:25:04.210Z')
+        start: new Date('2021-11-23T15:25:04.210Z'),
       },
       session: {
         pid: 2442,
@@ -59,7 +59,7 @@ const mockEvents = [
         args: [],
         args_count: 0,
         working_directory: '/home/vagrant',
-        start: new Date('2021-11-23T15:25:04.210Z')
+        start: new Date('2021-11-23T15:25:04.210Z'),
       },
       entry: {
         pid: 2442,
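Review bot: The new `SESSION_COMMANDS` line gains its semicolon but still carries an unterminated attribute selector — `'[data-test-subj="processTreeNode"'` has no closing `]`, unlike every neighbouring constant in the hunk (`PROCESS_TREE`, `SEARCH_BAR`, `DETAILS_PANEL`). Unless a caller appends the bracket itself, which is not visible here, a `cy.get()` on this value will raise an invalid-selector error rather than match the process-tree nodes, so any spec built on it cannot pass. Suggested: `export const SESSION_COMMANDS = '[data-test-subj="processTreeNode"]';`.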
@@ -75,13 +75,13 @@ const mockEvents = [
         args: [],
         args_count: 0,
         working_directory: '/home/vagrant',
-        start: new Date('2021-11-23T15:25:04.210Z')
+        start: new Date('2021-11-23T15:25:04.210Z'),
       },
       name: '',
       args_count: 0,
       args: [],
       working_directory: '/home/vagrant',
-      start: new Date('2021-11-23T15:25:04.210Z')
+      start: new Date('2021-11-23T15:25:04.210Z'),
     },
     event: {
       action: EventAction.fork,
@@ -187,7 +187,7 @@ const mockEvents = [
         args: [],
         args_count: 0,
         working_directory: '/home/vagrant',
-        start: new Date('2021-11-23T15:25:05.202Z')
+        start: new Date('2021-11-23T15:25:05.202Z'),
       },
       session: {
         pid: 2442,
@@ -203,7 +203,7 @@ const mockEvents = [
         args: [],
         args_count: 0,
         working_directory: '/home/vagrant',
-        start: new Date('2021-11-23T15:25:05.202Z')
+        start: new Date('2021-11-23T15:25:05.202Z'),
       },
       entry: {
         pid: 2442,
@@ -219,7 +219,7 @@ const mockEvents = [
         args: [],
         args_count: 0,
         working_directory: '/home/vagrant',
-        start: new Date('2021-11-23T15:25:05.202Z')
+        start: new Date('2021-11-23T15:25:05.202Z'),
       },
       start: new Date('2021-11-23T15:25:05.202Z'),
       name: '',
@@ -431,9 +431,9 @@ export const mockAlerts: ProcessEvent[] = [
 export const mockData: ProcessEventsPage[] = [
   {
     events: mockEvents,
-    cursor: '2021-11-23T15:25:04.210Z'
-  }
-]
+    cursor: '2021-11-23T15:25:04.210Z',
+  },
+];
 
 export const processMock: Process = {
   id: '3d0192c6-7c54-5ee6-a110-3539a7cf42bc',
@@ -448,30 +448,30 @@ export const processMock: Process = {
   hasExec: () => false,
   getOutput: () => '',
   getDetails: () =>
-    ({
-      '@timestamp': new Date('2021-11-23T15:25:04.210Z'),
-      event: {
-        kind: EventKind.event,
-        category: 'process',
-        action: EventAction.exec,
-      },
-      process: {
-        args: [],
-        args_count: 0,
-        entity_id: '3d0192c6-7c54-5ee6-a110-3539a7cf42bc',
-        executable: '',
-        interactive: false,
-        name: '',
-        working_directory: '/home/vagrant',
-        start: new Date('2021-11-23T15:25:04.210Z'),
-        pid: 1,
-        pgid: 1,
-        user: {} as User,
-        parent: {} as ProcessFields,
-        session: {} as ProcessFields,
-        entry: {} as ProcessFields,
-      },
-    } as ProcessEvent),
+    ({
+      '@timestamp': new Date('2021-11-23T15:25:04.210Z'),
+      event: {
+        kind: EventKind.event,
+        category: 'process',
+        action: EventAction.exec,
+      },
+      process: {
+        args: [],
+        args_count: 0,
+        entity_id: '3d0192c6-7c54-5ee6-a110-3539a7cf42bc',
+        executable: '',
+        interactive: false,
+        name: '',
+        working_directory: '/home/vagrant',
+        start: new Date('2021-11-23T15:25:04.210Z'),
+        pid: 1,
+        pgid: 1,
+        user: {} as User,
+        parent: {} as ProcessFields,
+        session: {} as ProcessFields,
+        entry: {} as ProcessFields,
+      },
+    } as ProcessEvent),
   isUserEntered: () => false,
   getMaxAlertLevel: () => null,
 };
diff --git a/x-pack/plugins/session_view/common/mocks/responses/session_view_process_events.mock.ts b/x-pack/plugins/session_view/common/mocks/responses/session_view_process_events.mock.ts
index d5062e69636eb1..d6406332366511 100644
--- a/x-pack/plugins/session_view/common/mocks/responses/session_view_process_events.mock.ts
+++ b/x-pack/plugins/session_view/common/mocks/responses/session_view_process_events.mock.ts
@@ -6,1899 +6,1901 @@ */ export const sessionViewProcessEventsMock = { - events: [{ - _index: 'cmd', - _id: 'FMUGTX0BGGlsPv9flMF7', - _score: null, - _source: { - '@timestamp': '2021-11-23T13:40:16.528Z', - process: { - pid: 51744, - pgid: 51744, - user: { name: 'vagrant', id: 1000 }, - executable: '/usr/bin/cat', - interactive: true, - entity_id: 'bb5efe42-54a6-597c-bd0e-33a1a3fc372e', - parent: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - session: { - pid: 51547, - user: { name: 'vagrant', id: 1000 }, - pgid: 51547, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - entry: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - start: '2021-11-23T13:40:07.183Z', - }, - args_count: 2, - args: ['cat', 'EventConverter/src/main.ts'], - working_directory: '/home/vagrant', - }, - event: { action: 'exec', category: 'process', kind: 'event' }, - network: { application: 'ssh' }, - source: { ip: '10.0.2.2' }, - client: { ip: '10.0.2.2' }, - }, - sort: [1637674816528], - }, - { - _index: 'cmd', - _id: 'FsUGTX0BGGlsPv9flMGF', - _score: null, - _source: { - '@timestamp': '2021-11-23T13:40:16.541Z', - process: { - pid: 51744, - pgid: 51744, - user: { name: 'vagrant', id: 1000 }, - executable: '/usr/bin/cat', - interactive: true, - entity_id: 'bb5efe42-54a6-597c-bd0e-33a1a3fc372e', - parent: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - session: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - entry: { - pid: 51547, - 
pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - start: '2021-11-23T13:40:07.183Z', - }, - args_count: 2, - args: ['cat', 'EventConverter/src/main.ts'], - working_directory: '/home/vagrant', - }, - event: { action: 'exit', category: 'process', kind: 'event' }, - network: { application: 'ssh' }, - source: { ip: '10.0.2.2' }, - client: { ip: '10.0.2.2' }, - }, - sort: [1637674816541], - }, - { - _index: 'cmd', - _id: 'H8UGTX0BGGlsPv9fp8F_', - _score: null, - _source: { - '@timestamp': '2021-11-23T13:40:21.392Z', - process: { - pid: 51749, - pgid: 51749, - user: { name: 'vagrant', id: 1000 }, - executable: '/usr/bin/cat', - interactive: true, - entity_id: '628f412a-172c-5cf4-b452-a070e1e9cbeb', - parent: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - session: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - entry: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - start: '2021-11-23T13:40:07.183Z', - }, - args_count: 2, - args: ['cat', 'EventConverter/package.json'], - working_directory: '/home/vagrant', - }, - event: { action: 'exec', category: 'process', kind: 'event' }, - network: { application: 'ssh' }, - source: { ip: '10.0.2.2' }, - client: { ip: '10.0.2.2' }, - }, - sort: [1637674821392], - }, - { - _index: 'cmd', - _id: 'HsUGTX0BGGlsPv9fp8F_', - _score: null, - _source: { - '@timestamp': '2021-11-23T13:40:21.392Z', - process: { - pid: 51749, - pgid: 51547, - user: { name: 'vagrant', id: -1 }, - executable: '/bin/bash', - interactive: false, - entity_id: 
'628f412a-172c-5cf4-b452-a070e1e9cbeb', - parent: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - session: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - entry: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - start: '2021-11-23T13:40:07.183Z', - }, - args_count: 0, - args: [], - working_directory: '/home/vagrant', - }, - event: { action: 'fork', category: 'process', kind: 'event' }, - network: { application: 'ssh' }, - source: { ip: '10.0.2.2' }, - client: { ip: '10.0.2.2' }, - }, - sort: [1637674821392], - }, - { - _index: 'cmd', - _id: 'HcUGTX0BGGlsPv9fp8F_', - _score: null, - _source: { - '@timestamp': '2021-11-23T13:40:21.393Z', - process: { - pid: 51749, - pgid: 51749, - user: { name: 'vagrant', id: 1000 }, - executable: '/usr/bin/cat', - interactive: true, - entity_id: '628f412a-172c-5cf4-b452-a070e1e9cbeb', - parent: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - session: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - entry: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - start: '2021-11-23T13:40:07.183Z', - }, - args_count: 2, - args: ['cat', 'EventConverter/package.json'], - working_directory: '/home/vagrant', - }, - event: { action: 'exit', category: 'process', kind: 'event' }, - network: { 
application: 'ssh' }, - source: { ip: '10.0.2.2' }, - client: { ip: '10.0.2.2' }, - }, - sort: [1637674821393], - }, - { - _index: 'cmd', - _id: 'IsUGTX0BGGlsPv9fsMGs', - _score: null, - _source: { - '@timestamp': '2021-11-23T13:40:23.743Z', - process: { - pid: 51752, - pgid: 51547, - user: { name: 'vagrant', id: -1 }, - executable: '/bin/bash', - interactive: false, - entity_id: 'a459679d-a1d5-56ae-9ebb-23f82edf40aa', - parent: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - session: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - entry: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - start: '2021-11-23T13:40:07.183Z', - }, - args_count: 0, - args: [], - working_directory: '/home/vagrant', - }, - event: { action: 'fork', category: 'process', kind: 'event' }, - network: { application: 'ssh' }, - source: { ip: '10.0.2.2' }, - client: { ip: '10.0.2.2' }, - }, - sort: [1637674823743], - }, - { - _index: 'cmd', - _id: 'IcUGTX0BGGlsPv9fsMGs', - _score: null, - _source: { - '@timestamp': '2021-11-23T13:40:23.744Z', - process: { - pid: 51752, - pgid: 51752, - user: { name: 'vagrant', id: 1000 }, - executable: '/usr/bin/ls', - interactive: true, - entity_id: 'a459679d-a1d5-56ae-9ebb-23f82edf40aa', - parent: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - session: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - entry: { - pid: 51547, - pgid: 
51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - start: '2021-11-23T13:40:07.183Z', - }, - args_count: 3, - args: ['ls', '--color=auto', '-la'], - working_directory: '/home/vagrant', - }, - event: { action: 'exec', category: 'process', kind: 'event' }, - network: { application: 'ssh' }, - source: { ip: '10.0.2.2' }, - client: { ip: '10.0.2.2' }, - }, - sort: [1637674823744], - }, - { - _index: 'cmd', - _id: 'I8UGTX0BGGlsPv9fsMGs', - _score: null, - _source: { - '@timestamp': '2021-11-23T13:40:23.748Z', - process: { - pid: 51752, - pgid: 51752, - user: { name: 'vagrant', id: 1000 }, - executable: '/usr/bin/ls', - interactive: true, - entity_id: 'a459679d-a1d5-56ae-9ebb-23f82edf40aa', - parent: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - session: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - entry: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - start: '2021-11-23T13:40:07.183Z', - }, - args_count: 3, - args: ['ls', '--color=auto', '-la'], - working_directory: '/home/vagrant', + events: [ + { + _index: 'cmd', + _id: 'FMUGTX0BGGlsPv9flMF7', + _score: null, + _source: { + '@timestamp': '2021-11-23T13:40:16.528Z', + process: { + pid: 51744, + pgid: 51744, + user: { name: 'vagrant', id: 1000 }, + executable: '/usr/bin/cat', + interactive: true, + entity_id: 'bb5efe42-54a6-597c-bd0e-33a1a3fc372e', + parent: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + session: 
{ + pid: 51547, + user: { name: 'vagrant', id: 1000 }, + pgid: 51547, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + entry: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + start: '2021-11-23T13:40:07.183Z', + }, + args_count: 2, + args: ['cat', 'EventConverter/src/main.ts'], + working_directory: '/home/vagrant', + }, + event: { action: 'exec', category: 'process', kind: 'event' }, + network: { application: 'ssh' }, + source: { ip: '10.0.2.2' }, + client: { ip: '10.0.2.2' }, }, - event: { action: 'exit', category: 'process', kind: 'event' }, - network: { application: 'ssh' }, - source: { ip: '10.0.2.2' }, - client: { ip: '10.0.2.2' }, + sort: [1637674816528], }, - sort: [1637674823748], - }, - { - _index: 'cmd', - _id: 'JMUGTX0BGGlsPv9ftsGi', - _score: null, - _source: { - '@timestamp': '2021-11-23T13:40:25.270Z', - process: { - pid: 51753, - pgid: 51547, - user: { name: 'vagrant', id: -1 }, - executable: '/bin/bash', - interactive: false, - entity_id: '14f44081-0f50-5a69-a6d2-d1169cdc5bae', - parent: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - session: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - entry: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - start: '2021-11-23T13:40:07.183Z', - }, - args_count: 0, - args: [], - working_directory: '/home/vagrant', + { + _index: 'cmd', + _id: 'FsUGTX0BGGlsPv9flMGF', + _score: null, + _source: { + '@timestamp': '2021-11-23T13:40:16.541Z', + process: { + pid: 
51744, + pgid: 51744, + user: { name: 'vagrant', id: 1000 }, + executable: '/usr/bin/cat', + interactive: true, + entity_id: 'bb5efe42-54a6-597c-bd0e-33a1a3fc372e', + parent: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + session: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + entry: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + start: '2021-11-23T13:40:07.183Z', + }, + args_count: 2, + args: ['cat', 'EventConverter/src/main.ts'], + working_directory: '/home/vagrant', + }, + event: { action: 'exit', category: 'process', kind: 'event' }, + network: { application: 'ssh' }, + source: { ip: '10.0.2.2' }, + client: { ip: '10.0.2.2' }, }, - event: { action: 'fork', category: 'process', kind: 'event' }, - network: { application: 'ssh' }, - source: { ip: '10.0.2.2' }, - client: { ip: '10.0.2.2' }, + sort: [1637674816541], }, - sort: [1637674825270], - }, - { - _index: 'cmd', - _id: 'JcUGTX0BGGlsPv9ftsGi', - _score: null, - _source: { - '@timestamp': '2021-11-23T13:40:25.271Z', - process: { - pid: 51753, - pgid: 51753, - user: { name: 'vagrant', id: 1000 }, - executable: '/usr/bin/ls', - interactive: true, - entity_id: '14f44081-0f50-5a69-a6d2-d1169cdc5bae', - parent: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - session: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - entry: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', 
id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - start: '2021-11-23T13:40:07.183Z', - }, - args_count: 3, - args: ['ls', '--color=auto', '-ll'], - working_directory: '/home/vagrant', + { + _index: 'cmd', + _id: 'H8UGTX0BGGlsPv9fp8F_', + _score: null, + _source: { + '@timestamp': '2021-11-23T13:40:21.392Z', + process: { + pid: 51749, + pgid: 51749, + user: { name: 'vagrant', id: 1000 }, + executable: '/usr/bin/cat', + interactive: true, + entity_id: '628f412a-172c-5cf4-b452-a070e1e9cbeb', + parent: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + session: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + entry: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + start: '2021-11-23T13:40:07.183Z', + }, + args_count: 2, + args: ['cat', 'EventConverter/package.json'], + working_directory: '/home/vagrant', + }, + event: { action: 'exec', category: 'process', kind: 'event' }, + network: { application: 'ssh' }, + source: { ip: '10.0.2.2' }, + client: { ip: '10.0.2.2' }, }, - event: { action: 'exec', category: 'process', kind: 'event' }, - network: { application: 'ssh' }, - source: { ip: '10.0.2.2' }, - client: { ip: '10.0.2.2' }, + sort: [1637674821392], }, - sort: [1637674825271], - }, - { - _index: 'cmd', - _id: 'JsUGTX0BGGlsPv9ftsGi', - _score: null, - _source: { - '@timestamp': '2021-11-23T13:40:25.274Z', - process: { - pid: 51753, - pgid: 51753, - user: { name: 'vagrant', id: 1000 }, - executable: '/usr/bin/ls', - interactive: true, - entity_id: '14f44081-0f50-5a69-a6d2-d1169cdc5bae', - parent: { - pid: 51547, + { + _index: 'cmd', 
+ _id: 'HsUGTX0BGGlsPv9fp8F_', + _score: null, + _source: { + '@timestamp': '2021-11-23T13:40:21.392Z', + process: { + pid: 51749, pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - session: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - entry: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, + user: { name: 'vagrant', id: -1 }, executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - start: '2021-11-23T13:40:07.183Z', - }, - args_count: 3, - args: ['ls', '--color=auto', '-ll'], - working_directory: '/home/vagrant', + interactive: false, + entity_id: '628f412a-172c-5cf4-b452-a070e1e9cbeb', + parent: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + session: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + entry: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + start: '2021-11-23T13:40:07.183Z', + }, + args_count: 0, + args: [], + working_directory: '/home/vagrant', + }, + event: { action: 'fork', category: 'process', kind: 'event' }, + network: { application: 'ssh' }, + source: { ip: '10.0.2.2' }, + client: { ip: '10.0.2.2' }, }, - event: { action: 'exit', category: 'process', kind: 'event' }, - network: { application: 'ssh' }, - source: { ip: '10.0.2.2' }, - client: { ip: '10.0.2.2' }, + sort: [1637674821392], }, - sort: [1637674825274], - }, - { - _index: 'cmd', - _id: 
'e8UTTX0BGGlsPv9fwMFw', - _score: null, - _source: { - '@timestamp': '2021-11-23T13:54:39.889Z', - process: { - pid: 52427, - pgid: 51547, - user: { name: 'vagrant', id: -1 }, - executable: '/bin/bash', - interactive: false, - entity_id: 'd3bbc239-60ee-5eb9-922d-e4bef153a3e2', - parent: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - session: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - entry: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - start: '2021-11-23T13:40:07.183Z', - }, - args_count: 0, - args: [], - working_directory: '/home/vagrant', + { + _index: 'cmd', + _id: 'HcUGTX0BGGlsPv9fp8F_', + _score: null, + _source: { + '@timestamp': '2021-11-23T13:40:21.393Z', + process: { + pid: 51749, + pgid: 51749, + user: { name: 'vagrant', id: 1000 }, + executable: '/usr/bin/cat', + interactive: true, + entity_id: '628f412a-172c-5cf4-b452-a070e1e9cbeb', + parent: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + session: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + entry: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + start: '2021-11-23T13:40:07.183Z', + }, + args_count: 2, + args: ['cat', 'EventConverter/package.json'], + working_directory: '/home/vagrant', + }, + event: { action: 'exit', category: 
'process', kind: 'event' }, + network: { application: 'ssh' }, + source: { ip: '10.0.2.2' }, + client: { ip: '10.0.2.2' }, }, - event: { action: 'fork', category: 'process', kind: 'event' }, - network: { application: 'ssh' }, - source: { ip: '10.0.2.2' }, - client: { ip: '10.0.2.2' }, + sort: [1637674821393], }, - sort: [1637675679889], - }, - { - _index: 'cmd', - _id: 'fsUTTX0BGGlsPv9fwMF2', - _score: null, - _source: { - '@timestamp': '2021-11-23T13:54:39.890Z', - process: { - pid: 52427, - pgid: 52427, - user: { name: 'vagrant', id: 1000 }, - executable: '/usr/bin/clear_console', - interactive: true, - entity_id: 'd3bbc239-60ee-5eb9-922d-e4bef153a3e2', - parent: { - pid: 51547, + { + _index: 'cmd', + _id: 'IsUGTX0BGGlsPv9fsMGs', + _score: null, + _source: { + '@timestamp': '2021-11-23T13:40:23.743Z', + process: { + pid: 51752, pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - session: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - entry: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, + user: { name: 'vagrant', id: -1 }, executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - start: '2021-11-23T13:40:07.183Z', - }, - args_count: 2, - args: ['/usr/bin/clear_console', '-q'], - working_directory: '/home/vagrant', - }, - event: { action: 'exit', category: 'process', kind: 'event' }, - network: { application: 'ssh' }, - source: { ip: '10.0.2.2' }, - client: { ip: '10.0.2.2' }, - }, - sort: [1637675679890], - }, - { - _index: 'cmd', - _id: 'gMUTTX0BGGlsPv9fwMF4', - _score: null, - _source: { - '@timestamp': '2021-11-23T13:54:39.890Z', - process: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - 
entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - parent: { - pid: 51546, - pgid: 51458, - user: { name: 'root', id: -1 }, - executable: '/usr/sbin/sshd', interactive: false, - entity_id: '5ffedee8-3d3f-55fb-9353-7ec6ee5fee85', - }, - session: { - pid: 51458, - pgid: 51458, - user: { name: 'root', id: 0 }, - executable: '/usr/sbin/sshd', - interactive: false, - entity_id: '2bcf9d69-1c8a-5300-94cf-b823cf5a8df0', - }, - entry: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - start: '2021-11-23T13:40:07.183Z', - }, - args_count: 1, - args: ['-bash'], - working_directory: '/home/vagrant', + entity_id: 'a459679d-a1d5-56ae-9ebb-23f82edf40aa', + parent: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + session: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + entry: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + start: '2021-11-23T13:40:07.183Z', + }, + args_count: 0, + args: [], + working_directory: '/home/vagrant', + }, + event: { action: 'fork', category: 'process', kind: 'event' }, + network: { application: 'ssh' }, + source: { ip: '10.0.2.2' }, + client: { ip: '10.0.2.2' }, }, - event: { action: 'exit', category: 'process', kind: 'event' }, - network: { application: 'ssh' }, - source: { ip: '10.0.2.2' }, - client: { ip: '10.0.2.2' }, + sort: [1637674823743], }, - sort: [1637675679890], - }, - { - _index: 'cmd', - _id: 'fMUTTX0BGGlsPv9fwMFz', - _score: null, - _source: { - '@timestamp': '2021-11-23T13:54:39.890Z', - process: { - pid: 52427, - pgid: 52427, - user: { 
name: 'vagrant', id: 1000 }, - executable: '/usr/bin/clear_console', - interactive: true, - entity_id: 'd3bbc239-60ee-5eb9-922d-e4bef153a3e2', - parent: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - session: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - entry: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - start: '2021-11-23T13:40:07.183Z', - }, - args_count: 2, - args: ['/usr/bin/clear_console', '-q'], - working_directory: '/home/vagrant', + { + _index: 'cmd', + _id: 'IcUGTX0BGGlsPv9fsMGs', + _score: null, + _source: { + '@timestamp': '2021-11-23T13:40:23.744Z', + process: { + pid: 51752, + pgid: 51752, + user: { name: 'vagrant', id: 1000 }, + executable: '/usr/bin/ls', + interactive: true, + entity_id: 'a459679d-a1d5-56ae-9ebb-23f82edf40aa', + parent: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + session: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + entry: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + start: '2021-11-23T13:40:07.183Z', + }, + args_count: 3, + args: ['ls', '--color=auto', '-la'], + working_directory: '/home/vagrant', + }, + event: { action: 'exec', category: 'process', kind: 'event' }, + network: { application: 'ssh' }, + source: { ip: '10.0.2.2' }, + client: { ip: '10.0.2.2' }, 
}, - event: { action: 'exec', category: 'process', kind: 'event' }, - network: { application: 'ssh' }, - source: { ip: '10.0.2.2' }, - client: { ip: '10.0.2.2' }, + sort: [1637674823744], }, - sort: [1637675679890], - }, - { - _index: '.internal.alerts-security.alerts-default-000001', - _id: '73e9276f49c4881bed66c644450838980802963c6df0d63a310716521e0c66c6', - _score: null, - _source: { - kibana: { - version: '8.1.0', - alert: { - rule: { - category: 'Custom Query Rule', - consumer: 'siem', - name: 'cmd cat rule', - producer: 'siem', - rule_type_id: 'siem.queryRule', - uuid: 'a9d50a20-4c62-11ec-a972-9179365b52d5', - actions: [], - created_at: '2021-11-23T13:38:39.059Z', - created_by: 'elastic', - enabled: true, - interval: '1m', - tags: [], - updated_at: '2021-11-23T13:38:40.417Z', - updated_by: 'elastic', - description: 'cmd cat rule', - risk_score: 21, - severity: 'low', - license: '', - meta: { from: '1m', kibana_siem_app_url: 'http://localhost:5601/app/security' }, - author: [], - false_positives: [], - from: 'now-120s', - rule_id: '472d9de6-01fd-489f-9783-42773114fe8f', - max_signals: 100, - risk_score_mapping: [], - severity_mapping: [], - threat: [], - to: 'now', - references: [], - version: 1, - exceptions_list: [], - immutable: false, - type: 'query', - language: 'kuery', - index: [ - 'apm-*-transaction*', - 'traces-apm*', - 'auditbeat-*', - 'endgame-*', - 'filebeat-*', - 'logs-*', - 'packetbeat-*', - 'winlogbeat-*', - 'cmd', - ], - query: 'process.executable : "/usr/bin/cat"', - filters: [], - }, - ancestors: [{ id: 'isUGTX0BGGlsPv9fcL-A', type: 'event', index: 'cmd', depth: 0 }], - status: 'active', - workflow_status: 'open', - depth: 1, - reason: 'process event created low alert cmd cat rule.', - original_time: '2021-11-23T13:40:07.304Z', - original_event: { action: 'exec', category: 'process', kind: 'event' }, - uuid: '73e9276f49c4881bed66c644450838980802963c6df0d63a310716521e0c66c6', - }, - space_ids: ['default'], - }, - tags: [ - 
'__internal_rule_id:472d9de6-01fd-489f-9783-42773114fe8f', - '__internal_immutable:false', - ], - '@timestamp': '2021-11-23T13:41:46.759Z', - process: { - pid: 51568, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/usr/bin/cat', - interactive: false, - entity_id: 'a6fb4529-7160-59db-a9b1-f666e3da0b8e', - parent: { - pid: 51564, - pgid: 51547, - user: { name: 'vagrant', id: -1 }, - executable: '/bin/bash', - interactive: false, - entity_id: '1e9975a2-edf6-5920-b26d-f17bc5c3229a', - }, - session: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - entry: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - start: '2021-11-23T13:40:07.183Z', - }, - args_count: 2, - args: ['cat', '/home/vagrant/.nvm/alias/default'], - working_directory: '/home/vagrant', + { + _index: 'cmd', + _id: 'I8UGTX0BGGlsPv9fsMGs', + _score: null, + _source: { + '@timestamp': '2021-11-23T13:40:23.748Z', + process: { + pid: 51752, + pgid: 51752, + user: { name: 'vagrant', id: 1000 }, + executable: '/usr/bin/ls', + interactive: true, + entity_id: 'a459679d-a1d5-56ae-9ebb-23f82edf40aa', + parent: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + session: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + entry: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + start: '2021-11-23T13:40:07.183Z', + }, + args_count: 3, + args: ['ls', '--color=auto', '-la'], + 
working_directory: '/home/vagrant', + }, + event: { action: 'exit', category: 'process', kind: 'event' }, + network: { application: 'ssh' }, + source: { ip: '10.0.2.2' }, + client: { ip: '10.0.2.2' }, }, - network: { application: 'ssh' }, - source: { ip: '10.0.2.2' }, - client: { ip: '10.0.2.2' }, - event: { action: 'exec', category: 'process', kind: 'signal' }, + sort: [1637674823748], }, - sort: [1637674906759], - }, - { - _index: '.internal.alerts-security.alerts-default-000001', - _id: '5c24c8d79b3066b3ed249d90a0957e442e4631d413ca7ca38631566fee6cf1d4', - _score: null, - _source: { - kibana: { - version: '8.1.0', - alert: { - rule: { - category: 'Custom Query Rule', - consumer: 'siem', - name: 'cmd cat rule', - producer: 'siem', - rule_type_id: 'siem.queryRule', - uuid: 'a9d50a20-4c62-11ec-a972-9179365b52d5', - actions: [], - created_at: '2021-11-23T13:38:39.059Z', - created_by: 'elastic', - enabled: true, - interval: '1m', - tags: [], - updated_at: '2021-11-23T13:38:40.417Z', - updated_by: 'elastic', - description: 'cmd cat rule', - risk_score: 21, - severity: 'low', - license: '', - meta: { from: '1m', kibana_siem_app_url: 'http://localhost:5601/app/security' }, - author: [], - false_positives: [], - from: 'now-120s', - rule_id: '472d9de6-01fd-489f-9783-42773114fe8f', - max_signals: 100, - risk_score_mapping: [], - severity_mapping: [], - threat: [], - to: 'now', - references: [], - version: 1, - exceptions_list: [], - immutable: false, - type: 'query', - language: 'kuery', - index: [ - 'apm-*-transaction*', - 'traces-apm*', - 'auditbeat-*', - 'endgame-*', - 'filebeat-*', - 'logs-*', - 'packetbeat-*', - 'winlogbeat-*', - 'cmd', - ], - query: 'process.executable : "/usr/bin/cat"', - filters: [], - }, - ancestors: [{ id: 'iMUGTX0BGGlsPv9fcL9_', type: 'event', index: 'cmd', depth: 0 }], - status: 'active', - workflow_status: 'open', - depth: 1, - reason: 'process event created low alert cmd cat rule.', - original_time: '2021-11-23T13:40:07.307Z', - 
original_event: { action: 'exit', category: 'process', kind: 'event' }, - uuid: '5c24c8d79b3066b3ed249d90a0957e442e4631d413ca7ca38631566fee6cf1d4', - }, - space_ids: ['default'], - }, - tags: [ - '__internal_rule_id:472d9de6-01fd-489f-9783-42773114fe8f', - '__internal_immutable:false', - ], - '@timestamp': '2021-11-23T13:41:46.760Z', - process: { - pid: 51568, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/usr/bin/cat', - interactive: false, - entity_id: 'a6fb4529-7160-59db-a9b1-f666e3da0b8e', - parent: { - pid: 51564, + { + _index: 'cmd', + _id: 'JMUGTX0BGGlsPv9ftsGi', + _score: null, + _source: { + '@timestamp': '2021-11-23T13:40:25.270Z', + process: { + pid: 51753, pgid: 51547, user: { name: 'vagrant', id: -1 }, executable: '/bin/bash', interactive: false, - entity_id: '1e9975a2-edf6-5920-b26d-f17bc5c3229a', - }, - session: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - entry: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - start: '2021-11-23T13:40:07.183Z', - }, - args_count: 2, - args: ['cat', '/home/vagrant/.nvm/alias/default'], - working_directory: '/home/vagrant', + entity_id: '14f44081-0f50-5a69-a6d2-d1169cdc5bae', + parent: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + session: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + entry: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + start: 
'2021-11-23T13:40:07.183Z', + }, + args_count: 0, + args: [], + working_directory: '/home/vagrant', + }, + event: { action: 'fork', category: 'process', kind: 'event' }, + network: { application: 'ssh' }, + source: { ip: '10.0.2.2' }, + client: { ip: '10.0.2.2' }, }, - network: { application: 'ssh' }, - source: { ip: '10.0.2.2' }, - client: { ip: '10.0.2.2' }, - event: { action: 'exit', category: 'process', kind: 'signal' }, + sort: [1637674825270], }, - sort: [1637674906760], - }, - { - _index: '.internal.alerts-security.alerts-default-000001', - _id: '54b9ad9a2d60c156335c13ce24ff8192fd9aede92089e56cb0bf697bcf06f68e', - _score: null, - _source: { - kibana: { - version: '8.1.0', - alert: { - rule: { - category: 'Custom Query Rule', - consumer: 'siem', - name: 'cmd cat rule', - producer: 'siem', - rule_type_id: 'siem.queryRule', - uuid: 'a9d50a20-4c62-11ec-a972-9179365b52d5', - actions: [], - created_at: '2021-11-23T13:38:39.059Z', - created_by: 'elastic', - enabled: true, - interval: '1m', - tags: [], - updated_at: '2021-11-23T13:38:40.417Z', - updated_by: 'elastic', - description: 'cmd cat rule', - risk_score: 21, - severity: 'low', - license: '', - meta: { from: '1m', kibana_siem_app_url: 'http://localhost:5601/app/security' }, - author: [], - false_positives: [], - from: 'now-120s', - rule_id: '472d9de6-01fd-489f-9783-42773114fe8f', - max_signals: 100, - risk_score_mapping: [], - severity_mapping: [], - threat: [], - to: 'now', - references: [], - version: 1, - exceptions_list: [], - immutable: false, - type: 'query', - language: 'kuery', - index: [ - 'apm-*-transaction*', - 'traces-apm*', - 'auditbeat-*', - 'endgame-*', - 'filebeat-*', - 'logs-*', - 'packetbeat-*', - 'winlogbeat-*', - 'cmd', - ], - query: 'process.executable : "/usr/bin/cat"', - filters: [], - }, - ancestors: [{ id: '9cUGTX0BGGlsPv9ffMBj', type: 'event', index: 'cmd', depth: 0 }], - status: 'active', - workflow_status: 'open', - depth: 1, - reason: 'process event created low alert cmd cat 
rule.', - original_time: '2021-11-23T13:40:10.355Z', - original_event: { action: 'exec', category: 'process', kind: 'event' }, - uuid: '54b9ad9a2d60c156335c13ce24ff8192fd9aede92089e56cb0bf697bcf06f68e', - }, - space_ids: ['default'], - }, - tags: [ - '__internal_rule_id:472d9de6-01fd-489f-9783-42773114fe8f', - '__internal_immutable:false', - ], - '@timestamp': '2021-11-23T13:41:46.768Z', - process: { - pid: 51731, - pgid: 51731, - user: { name: 'vagrant', id: 1000 }, - executable: '/usr/bin/cat', - interactive: true, - entity_id: '85752b94-1c86-5540-9a61-743429d5a206', - parent: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - session: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - entry: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - start: '2021-11-23T13:40:07.183Z', - }, - args_count: 2, - args: ['cat', 'EventConverter/package.json'], - working_directory: '/home/vagrant', + { + _index: 'cmd', + _id: 'JcUGTX0BGGlsPv9ftsGi', + _score: null, + _source: { + '@timestamp': '2021-11-23T13:40:25.271Z', + process: { + pid: 51753, + pgid: 51753, + user: { name: 'vagrant', id: 1000 }, + executable: '/usr/bin/ls', + interactive: true, + entity_id: '14f44081-0f50-5a69-a6d2-d1169cdc5bae', + parent: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + session: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + entry: { + pid: 51547, + pgid: 51547, + 
user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + start: '2021-11-23T13:40:07.183Z', + }, + args_count: 3, + args: ['ls', '--color=auto', '-ll'], + working_directory: '/home/vagrant', + }, + event: { action: 'exec', category: 'process', kind: 'event' }, + network: { application: 'ssh' }, + source: { ip: '10.0.2.2' }, + client: { ip: '10.0.2.2' }, }, - network: { application: 'ssh' }, - source: { ip: '10.0.2.2' }, - client: { ip: '10.0.2.2' }, - event: { action: 'exec', category: 'process', kind: 'signal' }, + sort: [1637674825271], }, - sort: [1637674906768], - }, - { - _index: '.internal.alerts-security.alerts-default-000001', - _id: 'c0558db6dc8bd7d1acf8ddd2343adcc5a4f757a7b94739e0f61e5dd666b6b692', - _score: null, - _source: { - kibana: { - version: '8.1.0', - alert: { - rule: { - category: 'Custom Query Rule', - consumer: 'siem', - name: 'cmd cat rule', - producer: 'siem', - rule_type_id: 'siem.queryRule', - uuid: 'a9d50a20-4c62-11ec-a972-9179365b52d5', - actions: [], - created_at: '2021-11-23T13:38:39.059Z', - created_by: 'elastic', - enabled: true, - interval: '1m', - tags: [], - updated_at: '2021-11-23T13:38:40.417Z', - updated_by: 'elastic', - description: 'cmd cat rule', - risk_score: 21, - severity: 'low', - license: '', - meta: { from: '1m', kibana_siem_app_url: 'http://localhost:5601/app/security' }, - author: [], - false_positives: [], - from: 'now-120s', - rule_id: '472d9de6-01fd-489f-9783-42773114fe8f', - max_signals: 100, - risk_score_mapping: [], - severity_mapping: [], - threat: [], - to: 'now', - references: [], - version: 1, - exceptions_list: [], - immutable: false, - type: 'query', - language: 'kuery', - index: [ - 'apm-*-transaction*', - 'traces-apm*', - 'auditbeat-*', - 'endgame-*', - 'filebeat-*', - 'logs-*', - 'packetbeat-*', - 'winlogbeat-*', - 'cmd', - ], - query: 'process.executable : "/usr/bin/cat"', - filters: [], - }, - ancestors: [{ id: 
'88UGTX0BGGlsPv9ffMBj', type: 'event', index: 'cmd', depth: 0 }], - status: 'active', - workflow_status: 'open', - depth: 1, - reason: 'process event created low alert cmd cat rule.', - original_time: '2021-11-23T13:40:10.363Z', - original_event: { action: 'exit', category: 'process', kind: 'event' }, - uuid: 'c0558db6dc8bd7d1acf8ddd2343adcc5a4f757a7b94739e0f61e5dd666b6b692', - }, - space_ids: ['default'], + { + _index: 'cmd', + _id: 'JsUGTX0BGGlsPv9ftsGi', + _score: null, + _source: { + '@timestamp': '2021-11-23T13:40:25.274Z', + process: { + pid: 51753, + pgid: 51753, + user: { name: 'vagrant', id: 1000 }, + executable: '/usr/bin/ls', + interactive: true, + entity_id: '14f44081-0f50-5a69-a6d2-d1169cdc5bae', + parent: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + session: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + entry: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + start: '2021-11-23T13:40:07.183Z', + }, + args_count: 3, + args: ['ls', '--color=auto', '-ll'], + working_directory: '/home/vagrant', + }, + event: { action: 'exit', category: 'process', kind: 'event' }, + network: { application: 'ssh' }, + source: { ip: '10.0.2.2' }, + client: { ip: '10.0.2.2' }, }, - tags: [ - '__internal_rule_id:472d9de6-01fd-489f-9783-42773114fe8f', - '__internal_immutable:false', - ], - '@timestamp': '2021-11-23T13:41:46.769Z', - process: { - pid: 51731, - pgid: 51731, - user: { name: 'vagrant', id: 1000 }, - executable: '/usr/bin/cat', - interactive: true, - entity_id: '85752b94-1c86-5540-9a61-743429d5a206', - parent: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - 
executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - session: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - entry: { - pid: 51547, + sort: [1637674825274], + }, + { + _index: 'cmd', + _id: 'e8UTTX0BGGlsPv9fwMFw', + _score: null, + _source: { + '@timestamp': '2021-11-23T13:54:39.889Z', + process: { + pid: 52427, pgid: 51547, - user: { name: 'vagrant', id: 1000 }, + user: { name: 'vagrant', id: -1 }, executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - start: '2021-11-23T13:40:07.183Z', - }, - args_count: 2, - args: ['cat', 'EventConverter/package.json'], - working_directory: '/home/vagrant', + interactive: false, + entity_id: 'd3bbc239-60ee-5eb9-922d-e4bef153a3e2', + parent: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + session: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + entry: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + start: '2021-11-23T13:40:07.183Z', + }, + args_count: 0, + args: [], + working_directory: '/home/vagrant', + }, + event: { action: 'fork', category: 'process', kind: 'event' }, + network: { application: 'ssh' }, + source: { ip: '10.0.2.2' }, + client: { ip: '10.0.2.2' }, }, - network: { application: 'ssh' }, - source: { ip: '10.0.2.2' }, - client: { ip: '10.0.2.2' }, - event: { action: 'exit', category: 'process', kind: 'signal' }, + sort: [1637675679889], }, - sort: [1637674906769], - }, - { - _index: 
'.internal.alerts-security.alerts-default-000001', - _id: 'ff3c18dd02204fcfec1695f8ab8371e657fa508db1298c3be55c3b85254d6668', - _score: null, - _source: { - kibana: { - version: '8.1.0', - alert: { - rule: { - category: 'Custom Query Rule', - consumer: 'siem', - name: 'cmd cat rule', - producer: 'siem', - rule_type_id: 'siem.queryRule', - uuid: 'a9d50a20-4c62-11ec-a972-9179365b52d5', - actions: [], - created_at: '2021-11-23T13:38:39.059Z', - created_by: 'elastic', - enabled: true, - interval: '1m', - tags: [], - updated_at: '2021-11-23T13:38:40.417Z', - updated_by: 'elastic', - description: 'cmd cat rule', - risk_score: 21, - severity: 'low', - license: '', - meta: { from: '1m', kibana_siem_app_url: 'http://localhost:5601/app/security' }, - author: [], - false_positives: [], - from: 'now-120s', - rule_id: '472d9de6-01fd-489f-9783-42773114fe8f', - max_signals: 100, - risk_score_mapping: [], - severity_mapping: [], - threat: [], - to: 'now', - references: [], - version: 1, - exceptions_list: [], - immutable: false, - type: 'query', - language: 'kuery', - index: [ - 'apm-*-transaction*', - 'traces-apm*', - 'auditbeat-*', - 'endgame-*', - 'filebeat-*', - 'logs-*', - 'packetbeat-*', - 'winlogbeat-*', - 'cmd', - ], - query: 'process.executable : "/usr/bin/cat"', - filters: [], - }, - ancestors: [{ id: 'BsUGTX0BGGlsPv9fgMFv', type: 'event', index: 'cmd', depth: 0 }], - status: 'active', - workflow_status: 'open', - depth: 1, - reason: 'process event created low alert cmd cat rule.', - original_time: '2021-11-23T13:40:11.397Z', - original_event: { action: 'exec', category: 'process', kind: 'event' }, - uuid: 'ff3c18dd02204fcfec1695f8ab8371e657fa508db1298c3be55c3b85254d6668', - }, - space_ids: ['default'], + { + _index: 'cmd', + _id: 'fsUTTX0BGGlsPv9fwMF2', + _score: null, + _source: { + '@timestamp': '2021-11-23T13:54:39.890Z', + process: { + pid: 52427, + pgid: 52427, + user: { name: 'vagrant', id: 1000 }, + executable: '/usr/bin/clear_console', + interactive: true, + 
entity_id: 'd3bbc239-60ee-5eb9-922d-e4bef153a3e2', + parent: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + session: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + entry: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + start: '2021-11-23T13:40:07.183Z', + }, + args_count: 2, + args: ['/usr/bin/clear_console', '-q'], + working_directory: '/home/vagrant', + }, + event: { action: 'exit', category: 'process', kind: 'event' }, + network: { application: 'ssh' }, + source: { ip: '10.0.2.2' }, + client: { ip: '10.0.2.2' }, }, - tags: [ - '__internal_rule_id:472d9de6-01fd-489f-9783-42773114fe8f', - '__internal_immutable:false', - ], - '@timestamp': '2021-11-23T13:41:46.770Z', - process: { - pid: 51734, - pgid: 51734, - user: { name: 'vagrant', id: 1000 }, - executable: '/usr/bin/cat', - interactive: true, - entity_id: '3f0bc056-2eb3-52d6-8032-d9ea9c593461', - parent: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - session: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - entry: { + sort: [1637675679890], + }, + { + _index: 'cmd', + _id: 'gMUTTX0BGGlsPv9fwMF4', + _score: null, + _source: { + '@timestamp': '2021-11-23T13:54:39.890Z', + process: { pid: 51547, pgid: 51547, user: { name: 'vagrant', id: 1000 }, executable: '/bin/bash', interactive: true, entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - start: '2021-11-23T13:40:07.183Z', - }, 
- args_count: 2, - args: ['cat', 'EventConverter/package.json'], - working_directory: '/home/vagrant', + parent: { + pid: 51546, + pgid: 51458, + user: { name: 'root', id: -1 }, + executable: '/usr/sbin/sshd', + interactive: false, + entity_id: '5ffedee8-3d3f-55fb-9353-7ec6ee5fee85', + }, + session: { + pid: 51458, + pgid: 51458, + user: { name: 'root', id: 0 }, + executable: '/usr/sbin/sshd', + interactive: false, + entity_id: '2bcf9d69-1c8a-5300-94cf-b823cf5a8df0', + }, + entry: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + start: '2021-11-23T13:40:07.183Z', + }, + args_count: 1, + args: ['-bash'], + working_directory: '/home/vagrant', + }, + event: { action: 'exit', category: 'process', kind: 'event' }, + network: { application: 'ssh' }, + source: { ip: '10.0.2.2' }, + client: { ip: '10.0.2.2' }, }, - network: { application: 'ssh' }, - source: { ip: '10.0.2.2' }, - client: { ip: '10.0.2.2' }, - event: { action: 'exec', category: 'process', kind: 'signal' }, + sort: [1637675679890], }, - sort: [1637674906770], - }, - { - _index: '.internal.alerts-security.alerts-default-000001', - _id: '98aab971c23197b4bacd9b08971af525e47ff9621a4efd5c8ea41c94b00202f3', - _score: null, - _source: { - kibana: { - version: '8.1.0', - alert: { - rule: { - category: 'Custom Query Rule', - consumer: 'siem', - name: 'cmd cat rule', - producer: 'siem', - rule_type_id: 'siem.queryRule', - uuid: 'a9d50a20-4c62-11ec-a972-9179365b52d5', - actions: [], - created_at: '2021-11-23T13:38:39.059Z', - created_by: 'elastic', - enabled: true, - interval: '1m', - tags: [], - updated_at: '2021-11-23T13:38:40.417Z', - updated_by: 'elastic', - description: 'cmd cat rule', - risk_score: 21, - severity: 'low', - license: '', - meta: { from: '1m', kibana_siem_app_url: 'http://localhost:5601/app/security' }, - author: [], - false_positives: [], - from: 'now-120s', - rule_id: 
'472d9de6-01fd-489f-9783-42773114fe8f', - max_signals: 100, - risk_score_mapping: [], - severity_mapping: [], - threat: [], - to: 'now', - references: [], - version: 1, - exceptions_list: [], - immutable: false, - type: 'query', - language: 'kuery', - index: [ - 'apm-*-transaction*', - 'traces-apm*', - 'auditbeat-*', - 'endgame-*', - 'filebeat-*', - 'logs-*', - 'packetbeat-*', - 'winlogbeat-*', - 'cmd', - ], - query: 'process.executable : "/usr/bin/cat"', - filters: [], - }, - ancestors: [{ id: 'B8UGTX0BGGlsPv9fgMFv', type: 'event', index: 'cmd', depth: 0 }], - status: 'active', - workflow_status: 'open', - depth: 1, - reason: 'process event created low alert cmd cat rule.', - original_time: '2021-11-23T13:40:11.398Z', - original_event: { action: 'exit', category: 'process', kind: 'event' }, - uuid: '98aab971c23197b4bacd9b08971af525e47ff9621a4efd5c8ea41c94b00202f3', - }, - space_ids: ['default'], + { + _index: 'cmd', + _id: 'fMUTTX0BGGlsPv9fwMFz', + _score: null, + _source: { + '@timestamp': '2021-11-23T13:54:39.890Z', + process: { + pid: 52427, + pgid: 52427, + user: { name: 'vagrant', id: 1000 }, + executable: '/usr/bin/clear_console', + interactive: true, + entity_id: 'd3bbc239-60ee-5eb9-922d-e4bef153a3e2', + parent: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + session: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + entry: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + start: '2021-11-23T13:40:07.183Z', + }, + args_count: 2, + args: ['/usr/bin/clear_console', '-q'], + working_directory: '/home/vagrant', + }, + event: { action: 'exec', category: 'process', kind: 'event' }, + 
network: { application: 'ssh' }, + source: { ip: '10.0.2.2' }, + client: { ip: '10.0.2.2' }, }, - tags: [ - '__internal_rule_id:472d9de6-01fd-489f-9783-42773114fe8f', - '__internal_immutable:false', - ], - '@timestamp': '2021-11-23T13:41:46.772Z', - process: { - pid: 51734, - pgid: 51734, - user: { name: 'vagrant', id: 1000 }, - executable: '/usr/bin/cat', - interactive: true, - entity_id: '3f0bc056-2eb3-52d6-8032-d9ea9c593461', - parent: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + sort: [1637675679890], + }, + { + _index: '.internal.alerts-security.alerts-default-000001', + _id: '73e9276f49c4881bed66c644450838980802963c6df0d63a310716521e0c66c6', + _score: null, + _source: { + kibana: { + version: '8.1.0', + alert: { + rule: { + category: 'Custom Query Rule', + consumer: 'siem', + name: 'cmd cat rule', + producer: 'siem', + rule_type_id: 'siem.queryRule', + uuid: 'a9d50a20-4c62-11ec-a972-9179365b52d5', + actions: [], + created_at: '2021-11-23T13:38:39.059Z', + created_by: 'elastic', + enabled: true, + interval: '1m', + tags: [], + updated_at: '2021-11-23T13:38:40.417Z', + updated_by: 'elastic', + description: 'cmd cat rule', + risk_score: 21, + severity: 'low', + license: '', + meta: { from: '1m', kibana_siem_app_url: 'http://localhost:5601/app/security' }, + author: [], + false_positives: [], + from: 'now-120s', + rule_id: '472d9de6-01fd-489f-9783-42773114fe8f', + max_signals: 100, + risk_score_mapping: [], + severity_mapping: [], + threat: [], + to: 'now', + references: [], + version: 1, + exceptions_list: [], + immutable: false, + type: 'query', + language: 'kuery', + index: [ + 'apm-*-transaction*', + 'traces-apm*', + 'auditbeat-*', + 'endgame-*', + 'filebeat-*', + 'logs-*', + 'packetbeat-*', + 'winlogbeat-*', + 'cmd', + ], + query: 'process.executable : "/usr/bin/cat"', + filters: [], + }, + ancestors: [{ id: 'isUGTX0BGGlsPv9fcL-A', 
type: 'event', index: 'cmd', depth: 0 }], + status: 'active', + workflow_status: 'open', + depth: 1, + reason: 'process event created low alert cmd cat rule.', + original_time: '2021-11-23T13:40:07.304Z', + original_event: { action: 'exec', category: 'process', kind: 'event' }, + uuid: '73e9276f49c4881bed66c644450838980802963c6df0d63a310716521e0c66c6', + }, + space_ids: ['default'], }, - session: { - pid: 51547, + tags: [ + '__internal_rule_id:472d9de6-01fd-489f-9783-42773114fe8f', + '__internal_immutable:false', + ], + '@timestamp': '2021-11-23T13:41:46.759Z', + process: { + pid: 51568, pgid: 51547, user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + executable: '/usr/bin/cat', + interactive: false, + entity_id: 'a6fb4529-7160-59db-a9b1-f666e3da0b8e', + parent: { + pid: 51564, + pgid: 51547, + user: { name: 'vagrant', id: -1 }, + executable: '/bin/bash', + interactive: false, + entity_id: '1e9975a2-edf6-5920-b26d-f17bc5c3229a', + }, + session: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + entry: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + start: '2021-11-23T13:40:07.183Z', + }, + args_count: 2, + args: ['cat', '/home/vagrant/.nvm/alias/default'], + working_directory: '/home/vagrant', + }, + network: { application: 'ssh' }, + source: { ip: '10.0.2.2' }, + client: { ip: '10.0.2.2' }, + event: { action: 'exec', category: 'process', kind: 'signal' }, + }, + sort: [1637674906759], + }, + { + _index: '.internal.alerts-security.alerts-default-000001', + _id: '5c24c8d79b3066b3ed249d90a0957e442e4631d413ca7ca38631566fee6cf1d4', + _score: null, + _source: { + kibana: { + version: '8.1.0', + alert: { + rule: { + category: 'Custom 
Query Rule', + consumer: 'siem', + name: 'cmd cat rule', + producer: 'siem', + rule_type_id: 'siem.queryRule', + uuid: 'a9d50a20-4c62-11ec-a972-9179365b52d5', + actions: [], + created_at: '2021-11-23T13:38:39.059Z', + created_by: 'elastic', + enabled: true, + interval: '1m', + tags: [], + updated_at: '2021-11-23T13:38:40.417Z', + updated_by: 'elastic', + description: 'cmd cat rule', + risk_score: 21, + severity: 'low', + license: '', + meta: { from: '1m', kibana_siem_app_url: 'http://localhost:5601/app/security' }, + author: [], + false_positives: [], + from: 'now-120s', + rule_id: '472d9de6-01fd-489f-9783-42773114fe8f', + max_signals: 100, + risk_score_mapping: [], + severity_mapping: [], + threat: [], + to: 'now', + references: [], + version: 1, + exceptions_list: [], + immutable: false, + type: 'query', + language: 'kuery', + index: [ + 'apm-*-transaction*', + 'traces-apm*', + 'auditbeat-*', + 'endgame-*', + 'filebeat-*', + 'logs-*', + 'packetbeat-*', + 'winlogbeat-*', + 'cmd', + ], + query: 'process.executable : "/usr/bin/cat"', + filters: [], + }, + ancestors: [{ id: 'iMUGTX0BGGlsPv9fcL9_', type: 'event', index: 'cmd', depth: 0 }], + status: 'active', + workflow_status: 'open', + depth: 1, + reason: 'process event created low alert cmd cat rule.', + original_time: '2021-11-23T13:40:07.307Z', + original_event: { action: 'exit', category: 'process', kind: 'event' }, + uuid: '5c24c8d79b3066b3ed249d90a0957e442e4631d413ca7ca38631566fee6cf1d4', + }, + space_ids: ['default'], }, - entry: { - pid: 51547, + tags: [ + '__internal_rule_id:472d9de6-01fd-489f-9783-42773114fe8f', + '__internal_immutable:false', + ], + '@timestamp': '2021-11-23T13:41:46.760Z', + process: { + pid: 51568, pgid: 51547, user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - start: '2021-11-23T13:40:07.183Z', - }, - args_count: 2, - args: ['cat', 'EventConverter/package.json'], - working_directory: 
'/home/vagrant', + executable: '/usr/bin/cat', + interactive: false, + entity_id: 'a6fb4529-7160-59db-a9b1-f666e3da0b8e', + parent: { + pid: 51564, + pgid: 51547, + user: { name: 'vagrant', id: -1 }, + executable: '/bin/bash', + interactive: false, + entity_id: '1e9975a2-edf6-5920-b26d-f17bc5c3229a', + }, + session: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + entry: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + start: '2021-11-23T13:40:07.183Z', + }, + args_count: 2, + args: ['cat', '/home/vagrant/.nvm/alias/default'], + working_directory: '/home/vagrant', + }, + network: { application: 'ssh' }, + source: { ip: '10.0.2.2' }, + client: { ip: '10.0.2.2' }, + event: { action: 'exit', category: 'process', kind: 'signal' }, }, - network: { application: 'ssh' }, - source: { ip: '10.0.2.2' }, - client: { ip: '10.0.2.2' }, - event: { action: 'exit', category: 'process', kind: 'signal' }, + sort: [1637674906760], }, - sort: [1637674906772], - }, - { - _index: '.internal.alerts-security.alerts-default-000001', - _id: '8ae5e4e634bd7bf02ce45ddb5980689aa5889199806febb75d27987ee55b2217', - _score: null, - _source: { - kibana: { - version: '8.1.0', - alert: { - rule: { - category: 'Custom Query Rule', - consumer: 'siem', - name: 'cmd cat rule', - producer: 'siem', - rule_type_id: 'siem.queryRule', - uuid: 'a9d50a20-4c62-11ec-a972-9179365b52d5', - actions: [], - created_at: '2021-11-23T13:38:39.059Z', - created_by: 'elastic', - enabled: true, - interval: '1m', - tags: [], - updated_at: '2021-11-23T13:38:40.417Z', - updated_by: 'elastic', - description: 'cmd cat rule', - risk_score: 21, - severity: 'low', - license: '', - meta: { from: '1m', kibana_siem_app_url: 'http://localhost:5601/app/security' }, - author: [], - 
false_positives: [], - from: 'now-120s', - rule_id: '472d9de6-01fd-489f-9783-42773114fe8f', - max_signals: 100, - risk_score_mapping: [], - severity_mapping: [], - threat: [], - to: 'now', - references: [], - version: 1, - exceptions_list: [], - immutable: false, - type: 'query', - language: 'kuery', - index: [ - 'apm-*-transaction*', - 'traces-apm*', - 'auditbeat-*', - 'endgame-*', - 'filebeat-*', - 'logs-*', - 'packetbeat-*', - 'winlogbeat-*', - 'cmd', - ], - query: 'process.executable : "/usr/bin/cat"', - filters: [], - }, - ancestors: [{ id: 'FMUGTX0BGGlsPv9flMF7', type: 'event', index: 'cmd', depth: 0 }], - status: 'active', - workflow_status: 'open', - depth: 1, - reason: 'process event created low alert cmd cat rule.', - original_time: '2021-11-23T13:40:16.528Z', - original_event: { action: 'exec', category: 'process', kind: 'event' }, - uuid: '8ae5e4e634bd7bf02ce45ddb5980689aa5889199806febb75d27987ee55b2217', - }, - space_ids: ['default'], + { + _index: '.internal.alerts-security.alerts-default-000001', + _id: '54b9ad9a2d60c156335c13ce24ff8192fd9aede92089e56cb0bf697bcf06f68e', + _score: null, + _source: { + kibana: { + version: '8.1.0', + alert: { + rule: { + category: 'Custom Query Rule', + consumer: 'siem', + name: 'cmd cat rule', + producer: 'siem', + rule_type_id: 'siem.queryRule', + uuid: 'a9d50a20-4c62-11ec-a972-9179365b52d5', + actions: [], + created_at: '2021-11-23T13:38:39.059Z', + created_by: 'elastic', + enabled: true, + interval: '1m', + tags: [], + updated_at: '2021-11-23T13:38:40.417Z', + updated_by: 'elastic', + description: 'cmd cat rule', + risk_score: 21, + severity: 'low', + license: '', + meta: { from: '1m', kibana_siem_app_url: 'http://localhost:5601/app/security' }, + author: [], + false_positives: [], + from: 'now-120s', + rule_id: '472d9de6-01fd-489f-9783-42773114fe8f', + max_signals: 100, + risk_score_mapping: [], + severity_mapping: [], + threat: [], + to: 'now', + references: [], + version: 1, + exceptions_list: [], + immutable: 
false, + type: 'query', + language: 'kuery', + index: [ + 'apm-*-transaction*', + 'traces-apm*', + 'auditbeat-*', + 'endgame-*', + 'filebeat-*', + 'logs-*', + 'packetbeat-*', + 'winlogbeat-*', + 'cmd', + ], + query: 'process.executable : "/usr/bin/cat"', + filters: [], + }, + ancestors: [{ id: '9cUGTX0BGGlsPv9ffMBj', type: 'event', index: 'cmd', depth: 0 }], + status: 'active', + workflow_status: 'open', + depth: 1, + reason: 'process event created low alert cmd cat rule.', + original_time: '2021-11-23T13:40:10.355Z', + original_event: { action: 'exec', category: 'process', kind: 'event' }, + uuid: '54b9ad9a2d60c156335c13ce24ff8192fd9aede92089e56cb0bf697bcf06f68e', + }, + space_ids: ['default'], + }, + tags: [ + '__internal_rule_id:472d9de6-01fd-489f-9783-42773114fe8f', + '__internal_immutable:false', + ], + '@timestamp': '2021-11-23T13:41:46.768Z', + process: { + pid: 51731, + pgid: 51731, + user: { name: 'vagrant', id: 1000 }, + executable: '/usr/bin/cat', + interactive: true, + entity_id: '85752b94-1c86-5540-9a61-743429d5a206', + parent: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + session: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + entry: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + start: '2021-11-23T13:40:07.183Z', + }, + args_count: 2, + args: ['cat', 'EventConverter/package.json'], + working_directory: '/home/vagrant', + }, + network: { application: 'ssh' }, + source: { ip: '10.0.2.2' }, + client: { ip: '10.0.2.2' }, + event: { action: 'exec', category: 'process', kind: 'signal' }, }, - tags: [ - '__internal_rule_id:472d9de6-01fd-489f-9783-42773114fe8f', - 
'__internal_immutable:false', - ], - '@timestamp': '2021-11-23T13:41:46.773Z', - process: { - pid: 51744, - pgid: 51744, - user: { name: 'vagrant', id: 1000 }, - executable: '/usr/bin/cat', - interactive: true, - entity_id: 'bb5efe42-54a6-597c-bd0e-33a1a3fc372e', - parent: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - session: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - entry: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - start: '2021-11-23T13:40:07.183Z', - }, - args_count: 2, - args: ['cat', 'EventConverter/src/main.ts'], - working_directory: '/home/vagrant', + sort: [1637674906768], + }, + { + _index: '.internal.alerts-security.alerts-default-000001', + _id: 'c0558db6dc8bd7d1acf8ddd2343adcc5a4f757a7b94739e0f61e5dd666b6b692', + _score: null, + _source: { + kibana: { + version: '8.1.0', + alert: { + rule: { + category: 'Custom Query Rule', + consumer: 'siem', + name: 'cmd cat rule', + producer: 'siem', + rule_type_id: 'siem.queryRule', + uuid: 'a9d50a20-4c62-11ec-a972-9179365b52d5', + actions: [], + created_at: '2021-11-23T13:38:39.059Z', + created_by: 'elastic', + enabled: true, + interval: '1m', + tags: [], + updated_at: '2021-11-23T13:38:40.417Z', + updated_by: 'elastic', + description: 'cmd cat rule', + risk_score: 21, + severity: 'low', + license: '', + meta: { from: '1m', kibana_siem_app_url: 'http://localhost:5601/app/security' }, + author: [], + false_positives: [], + from: 'now-120s', + rule_id: '472d9de6-01fd-489f-9783-42773114fe8f', + max_signals: 100, + risk_score_mapping: [], + severity_mapping: [], + threat: [], + to: 'now', + references: [], + version: 1, + 
exceptions_list: [], + immutable: false, + type: 'query', + language: 'kuery', + index: [ + 'apm-*-transaction*', + 'traces-apm*', + 'auditbeat-*', + 'endgame-*', + 'filebeat-*', + 'logs-*', + 'packetbeat-*', + 'winlogbeat-*', + 'cmd', + ], + query: 'process.executable : "/usr/bin/cat"', + filters: [], + }, + ancestors: [{ id: '88UGTX0BGGlsPv9ffMBj', type: 'event', index: 'cmd', depth: 0 }], + status: 'active', + workflow_status: 'open', + depth: 1, + reason: 'process event created low alert cmd cat rule.', + original_time: '2021-11-23T13:40:10.363Z', + original_event: { action: 'exit', category: 'process', kind: 'event' }, + uuid: 'c0558db6dc8bd7d1acf8ddd2343adcc5a4f757a7b94739e0f61e5dd666b6b692', + }, + space_ids: ['default'], + }, + tags: [ + '__internal_rule_id:472d9de6-01fd-489f-9783-42773114fe8f', + '__internal_immutable:false', + ], + '@timestamp': '2021-11-23T13:41:46.769Z', + process: { + pid: 51731, + pgid: 51731, + user: { name: 'vagrant', id: 1000 }, + executable: '/usr/bin/cat', + interactive: true, + entity_id: '85752b94-1c86-5540-9a61-743429d5a206', + parent: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + session: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + entry: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + start: '2021-11-23T13:40:07.183Z', + }, + args_count: 2, + args: ['cat', 'EventConverter/package.json'], + working_directory: '/home/vagrant', + }, + network: { application: 'ssh' }, + source: { ip: '10.0.2.2' }, + client: { ip: '10.0.2.2' }, + event: { action: 'exit', category: 'process', kind: 'signal' }, }, - network: { application: 'ssh' }, - source: { ip: 
'10.0.2.2' }, - client: { ip: '10.0.2.2' }, - event: { action: 'exec', category: 'process', kind: 'signal' }, + sort: [1637674906769], }, - sort: [1637674906773], - }, - { - _index: '.internal.alerts-security.alerts-default-000001', - _id: '54a56e2c0ca5865d47e7d7cc9df8af525be1437fd2d93345214b9bcd6a12bc7e', - _score: null, - _source: { - kibana: { - version: '8.1.0', - alert: { - rule: { - category: 'Custom Query Rule', - consumer: 'siem', - name: 'cmd cat rule', - producer: 'siem', - rule_type_id: 'siem.queryRule', - uuid: 'a9d50a20-4c62-11ec-a972-9179365b52d5', - actions: [], - created_at: '2021-11-23T13:38:39.059Z', - created_by: 'elastic', - enabled: true, - interval: '1m', - tags: [], - updated_at: '2021-11-23T13:38:40.417Z', - updated_by: 'elastic', - description: 'cmd cat rule', - risk_score: 21, - severity: 'low', - license: '', - meta: { from: '1m', kibana_siem_app_url: 'http://localhost:5601/app/security' }, - author: [], - false_positives: [], - from: 'now-120s', - rule_id: '472d9de6-01fd-489f-9783-42773114fe8f', - max_signals: 100, - risk_score_mapping: [], - severity_mapping: [], - threat: [], - to: 'now', - references: [], - version: 1, - exceptions_list: [], - immutable: false, - type: 'query', - language: 'kuery', - index: [ - 'apm-*-transaction*', - 'traces-apm*', - 'auditbeat-*', - 'endgame-*', - 'filebeat-*', - 'logs-*', - 'packetbeat-*', - 'winlogbeat-*', - 'cmd', - ], - query: 'process.executable : "/usr/bin/cat"', - filters: [], - }, - ancestors: [{ id: 'FsUGTX0BGGlsPv9flMGF', type: 'event', index: 'cmd', depth: 0 }], - status: 'active', - workflow_status: 'open', - depth: 1, - reason: 'process event created low alert cmd cat rule.', - original_time: '2021-11-23T13:40:16.541Z', - original_event: { action: 'exit', category: 'process', kind: 'event' }, - uuid: '54a56e2c0ca5865d47e7d7cc9df8af525be1437fd2d93345214b9bcd6a12bc7e', - }, - space_ids: ['default'], + { + _index: '.internal.alerts-security.alerts-default-000001', + _id: 
'ff3c18dd02204fcfec1695f8ab8371e657fa508db1298c3be55c3b85254d6668', + _score: null, + _source: { + kibana: { + version: '8.1.0', + alert: { + rule: { + category: 'Custom Query Rule', + consumer: 'siem', + name: 'cmd cat rule', + producer: 'siem', + rule_type_id: 'siem.queryRule', + uuid: 'a9d50a20-4c62-11ec-a972-9179365b52d5', + actions: [], + created_at: '2021-11-23T13:38:39.059Z', + created_by: 'elastic', + enabled: true, + interval: '1m', + tags: [], + updated_at: '2021-11-23T13:38:40.417Z', + updated_by: 'elastic', + description: 'cmd cat rule', + risk_score: 21, + severity: 'low', + license: '', + meta: { from: '1m', kibana_siem_app_url: 'http://localhost:5601/app/security' }, + author: [], + false_positives: [], + from: 'now-120s', + rule_id: '472d9de6-01fd-489f-9783-42773114fe8f', + max_signals: 100, + risk_score_mapping: [], + severity_mapping: [], + threat: [], + to: 'now', + references: [], + version: 1, + exceptions_list: [], + immutable: false, + type: 'query', + language: 'kuery', + index: [ + 'apm-*-transaction*', + 'traces-apm*', + 'auditbeat-*', + 'endgame-*', + 'filebeat-*', + 'logs-*', + 'packetbeat-*', + 'winlogbeat-*', + 'cmd', + ], + query: 'process.executable : "/usr/bin/cat"', + filters: [], + }, + ancestors: [{ id: 'BsUGTX0BGGlsPv9fgMFv', type: 'event', index: 'cmd', depth: 0 }], + status: 'active', + workflow_status: 'open', + depth: 1, + reason: 'process event created low alert cmd cat rule.', + original_time: '2021-11-23T13:40:11.397Z', + original_event: { action: 'exec', category: 'process', kind: 'event' }, + uuid: 'ff3c18dd02204fcfec1695f8ab8371e657fa508db1298c3be55c3b85254d6668', + }, + space_ids: ['default'], + }, + tags: [ + '__internal_rule_id:472d9de6-01fd-489f-9783-42773114fe8f', + '__internal_immutable:false', + ], + '@timestamp': '2021-11-23T13:41:46.770Z', + process: { + pid: 51734, + pgid: 51734, + user: { name: 'vagrant', id: 1000 }, + executable: '/usr/bin/cat', + interactive: true, + entity_id: 
'3f0bc056-2eb3-52d6-8032-d9ea9c593461', + parent: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + session: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + entry: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + start: '2021-11-23T13:40:07.183Z', + }, + args_count: 2, + args: ['cat', 'EventConverter/package.json'], + working_directory: '/home/vagrant', + }, + network: { application: 'ssh' }, + source: { ip: '10.0.2.2' }, + client: { ip: '10.0.2.2' }, + event: { action: 'exec', category: 'process', kind: 'signal' }, }, - tags: [ - '__internal_rule_id:472d9de6-01fd-489f-9783-42773114fe8f', - '__internal_immutable:false', - ], - '@timestamp': '2021-11-23T13:41:46.775Z', - process: { - pid: 51744, - pgid: 51744, - user: { name: 'vagrant', id: 1000 }, - executable: '/usr/bin/cat', - interactive: true, - entity_id: 'bb5efe42-54a6-597c-bd0e-33a1a3fc372e', - parent: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - session: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - entry: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - start: '2021-11-23T13:40:07.183Z', - }, - args_count: 2, - args: ['cat', 'EventConverter/src/main.ts'], - working_directory: '/home/vagrant', + sort: [1637674906770], + }, + { + _index: 
'.internal.alerts-security.alerts-default-000001', + _id: '98aab971c23197b4bacd9b08971af525e47ff9621a4efd5c8ea41c94b00202f3', + _score: null, + _source: { + kibana: { + version: '8.1.0', + alert: { + rule: { + category: 'Custom Query Rule', + consumer: 'siem', + name: 'cmd cat rule', + producer: 'siem', + rule_type_id: 'siem.queryRule', + uuid: 'a9d50a20-4c62-11ec-a972-9179365b52d5', + actions: [], + created_at: '2021-11-23T13:38:39.059Z', + created_by: 'elastic', + enabled: true, + interval: '1m', + tags: [], + updated_at: '2021-11-23T13:38:40.417Z', + updated_by: 'elastic', + description: 'cmd cat rule', + risk_score: 21, + severity: 'low', + license: '', + meta: { from: '1m', kibana_siem_app_url: 'http://localhost:5601/app/security' }, + author: [], + false_positives: [], + from: 'now-120s', + rule_id: '472d9de6-01fd-489f-9783-42773114fe8f', + max_signals: 100, + risk_score_mapping: [], + severity_mapping: [], + threat: [], + to: 'now', + references: [], + version: 1, + exceptions_list: [], + immutable: false, + type: 'query', + language: 'kuery', + index: [ + 'apm-*-transaction*', + 'traces-apm*', + 'auditbeat-*', + 'endgame-*', + 'filebeat-*', + 'logs-*', + 'packetbeat-*', + 'winlogbeat-*', + 'cmd', + ], + query: 'process.executable : "/usr/bin/cat"', + filters: [], + }, + ancestors: [{ id: 'B8UGTX0BGGlsPv9fgMFv', type: 'event', index: 'cmd', depth: 0 }], + status: 'active', + workflow_status: 'open', + depth: 1, + reason: 'process event created low alert cmd cat rule.', + original_time: '2021-11-23T13:40:11.398Z', + original_event: { action: 'exit', category: 'process', kind: 'event' }, + uuid: '98aab971c23197b4bacd9b08971af525e47ff9621a4efd5c8ea41c94b00202f3', + }, + space_ids: ['default'], + }, + tags: [ + '__internal_rule_id:472d9de6-01fd-489f-9783-42773114fe8f', + '__internal_immutable:false', + ], + '@timestamp': '2021-11-23T13:41:46.772Z', + process: { + pid: 51734, + pgid: 51734, + user: { name: 'vagrant', id: 1000 }, + executable: '/usr/bin/cat', + 
interactive: true, + entity_id: '3f0bc056-2eb3-52d6-8032-d9ea9c593461', + parent: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + session: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + entry: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + start: '2021-11-23T13:40:07.183Z', + }, + args_count: 2, + args: ['cat', 'EventConverter/package.json'], + working_directory: '/home/vagrant', + }, + network: { application: 'ssh' }, + source: { ip: '10.0.2.2' }, + client: { ip: '10.0.2.2' }, + event: { action: 'exit', category: 'process', kind: 'signal' }, }, - network: { application: 'ssh' }, - source: { ip: '10.0.2.2' }, - client: { ip: '10.0.2.2' }, - event: { action: 'exit', category: 'process', kind: 'signal' }, + sort: [1637674906772], }, - sort: [1637674906775], - }, - { - _index: '.internal.alerts-security.alerts-default-000001', - _id: 'bcc079ffccbe5d28a4c9889e40a7c8c965b60c7e05b0f337e516599a9c9e4623', - _score: null, - _source: { - kibana: { - version: '8.1.0', - alert: { - rule: { - category: 'Custom Query Rule', - consumer: 'siem', - name: 'cmd cat rule', - producer: 'siem', - rule_type_id: 'siem.queryRule', - uuid: 'a9d50a20-4c62-11ec-a972-9179365b52d5', - actions: [], - created_at: '2021-11-23T13:38:39.059Z', - created_by: 'elastic', - enabled: true, - interval: '1m', - tags: [], - updated_at: '2021-11-23T13:38:40.417Z', - updated_by: 'elastic', - description: 'cmd cat rule', - risk_score: 21, - severity: 'low', - license: '', - meta: { from: '1m', kibana_siem_app_url: 'http://localhost:5601/app/security' }, - author: [], - false_positives: [], - from: 'now-120s', - rule_id: 
'472d9de6-01fd-489f-9783-42773114fe8f', - max_signals: 100, - risk_score_mapping: [], - severity_mapping: [], - threat: [], - to: 'now', - references: [], - version: 1, - exceptions_list: [], - immutable: false, - type: 'query', - language: 'kuery', - index: [ - 'apm-*-transaction*', - 'traces-apm*', - 'auditbeat-*', - 'endgame-*', - 'filebeat-*', - 'logs-*', - 'packetbeat-*', - 'winlogbeat-*', - 'cmd', - ], - query: 'process.executable : "/usr/bin/cat"', - filters: [], - }, - ancestors: [{ id: 'H8UGTX0BGGlsPv9fp8F_', type: 'event', index: 'cmd', depth: 0 }], - status: 'active', - workflow_status: 'open', - depth: 1, - reason: 'process event created low alert cmd cat rule.', - original_time: '2021-11-23T13:40:21.392Z', - original_event: { action: 'exec', category: 'process', kind: 'event' }, - uuid: 'bcc079ffccbe5d28a4c9889e40a7c8c965b60c7e05b0f337e516599a9c9e4623', - }, - space_ids: ['default'], + { + _index: '.internal.alerts-security.alerts-default-000001', + _id: '8ae5e4e634bd7bf02ce45ddb5980689aa5889199806febb75d27987ee55b2217', + _score: null, + _source: { + kibana: { + version: '8.1.0', + alert: { + rule: { + category: 'Custom Query Rule', + consumer: 'siem', + name: 'cmd cat rule', + producer: 'siem', + rule_type_id: 'siem.queryRule', + uuid: 'a9d50a20-4c62-11ec-a972-9179365b52d5', + actions: [], + created_at: '2021-11-23T13:38:39.059Z', + created_by: 'elastic', + enabled: true, + interval: '1m', + tags: [], + updated_at: '2021-11-23T13:38:40.417Z', + updated_by: 'elastic', + description: 'cmd cat rule', + risk_score: 21, + severity: 'low', + license: '', + meta: { from: '1m', kibana_siem_app_url: 'http://localhost:5601/app/security' }, + author: [], + false_positives: [], + from: 'now-120s', + rule_id: '472d9de6-01fd-489f-9783-42773114fe8f', + max_signals: 100, + risk_score_mapping: [], + severity_mapping: [], + threat: [], + to: 'now', + references: [], + version: 1, + exceptions_list: [], + immutable: false, + type: 'query', + language: 'kuery', + index: 
[ + 'apm-*-transaction*', + 'traces-apm*', + 'auditbeat-*', + 'endgame-*', + 'filebeat-*', + 'logs-*', + 'packetbeat-*', + 'winlogbeat-*', + 'cmd', + ], + query: 'process.executable : "/usr/bin/cat"', + filters: [], + }, + ancestors: [{ id: 'FMUGTX0BGGlsPv9flMF7', type: 'event', index: 'cmd', depth: 0 }], + status: 'active', + workflow_status: 'open', + depth: 1, + reason: 'process event created low alert cmd cat rule.', + original_time: '2021-11-23T13:40:16.528Z', + original_event: { action: 'exec', category: 'process', kind: 'event' }, + uuid: '8ae5e4e634bd7bf02ce45ddb5980689aa5889199806febb75d27987ee55b2217', + }, + space_ids: ['default'], + }, + tags: [ + '__internal_rule_id:472d9de6-01fd-489f-9783-42773114fe8f', + '__internal_immutable:false', + ], + '@timestamp': '2021-11-23T13:41:46.773Z', + process: { + pid: 51744, + pgid: 51744, + user: { name: 'vagrant', id: 1000 }, + executable: '/usr/bin/cat', + interactive: true, + entity_id: 'bb5efe42-54a6-597c-bd0e-33a1a3fc372e', + parent: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + session: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + entry: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + start: '2021-11-23T13:40:07.183Z', + }, + args_count: 2, + args: ['cat', 'EventConverter/src/main.ts'], + working_directory: '/home/vagrant', + }, + network: { application: 'ssh' }, + source: { ip: '10.0.2.2' }, + client: { ip: '10.0.2.2' }, + event: { action: 'exec', category: 'process', kind: 'signal' }, }, - tags: [ - '__internal_rule_id:472d9de6-01fd-489f-9783-42773114fe8f', - '__internal_immutable:false', - ], - '@timestamp': 
'2021-11-23T13:41:46.777Z', - process: { - pid: 51749, - pgid: 51749, - user: { name: 'vagrant', id: 1000 }, - executable: '/usr/bin/cat', - interactive: true, - entity_id: '628f412a-172c-5cf4-b452-a070e1e9cbeb', - parent: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - session: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - entry: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - start: '2021-11-23T13:40:07.183Z', - }, - args_count: 2, - args: ['cat', 'EventConverter/package.json'], - working_directory: '/home/vagrant', + sort: [1637674906773], + }, + { + _index: '.internal.alerts-security.alerts-default-000001', + _id: '54a56e2c0ca5865d47e7d7cc9df8af525be1437fd2d93345214b9bcd6a12bc7e', + _score: null, + _source: { + kibana: { + version: '8.1.0', + alert: { + rule: { + category: 'Custom Query Rule', + consumer: 'siem', + name: 'cmd cat rule', + producer: 'siem', + rule_type_id: 'siem.queryRule', + uuid: 'a9d50a20-4c62-11ec-a972-9179365b52d5', + actions: [], + created_at: '2021-11-23T13:38:39.059Z', + created_by: 'elastic', + enabled: true, + interval: '1m', + tags: [], + updated_at: '2021-11-23T13:38:40.417Z', + updated_by: 'elastic', + description: 'cmd cat rule', + risk_score: 21, + severity: 'low', + license: '', + meta: { from: '1m', kibana_siem_app_url: 'http://localhost:5601/app/security' }, + author: [], + false_positives: [], + from: 'now-120s', + rule_id: '472d9de6-01fd-489f-9783-42773114fe8f', + max_signals: 100, + risk_score_mapping: [], + severity_mapping: [], + threat: [], + to: 'now', + references: [], + version: 1, + exceptions_list: [], + immutable: false, + type: 
'query', + language: 'kuery', + index: [ + 'apm-*-transaction*', + 'traces-apm*', + 'auditbeat-*', + 'endgame-*', + 'filebeat-*', + 'logs-*', + 'packetbeat-*', + 'winlogbeat-*', + 'cmd', + ], + query: 'process.executable : "/usr/bin/cat"', + filters: [], + }, + ancestors: [{ id: 'FsUGTX0BGGlsPv9flMGF', type: 'event', index: 'cmd', depth: 0 }], + status: 'active', + workflow_status: 'open', + depth: 1, + reason: 'process event created low alert cmd cat rule.', + original_time: '2021-11-23T13:40:16.541Z', + original_event: { action: 'exit', category: 'process', kind: 'event' }, + uuid: '54a56e2c0ca5865d47e7d7cc9df8af525be1437fd2d93345214b9bcd6a12bc7e', + }, + space_ids: ['default'], + }, + tags: [ + '__internal_rule_id:472d9de6-01fd-489f-9783-42773114fe8f', + '__internal_immutable:false', + ], + '@timestamp': '2021-11-23T13:41:46.775Z', + process: { + pid: 51744, + pgid: 51744, + user: { name: 'vagrant', id: 1000 }, + executable: '/usr/bin/cat', + interactive: true, + entity_id: 'bb5efe42-54a6-597c-bd0e-33a1a3fc372e', + parent: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + session: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + entry: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + start: '2021-11-23T13:40:07.183Z', + }, + args_count: 2, + args: ['cat', 'EventConverter/src/main.ts'], + working_directory: '/home/vagrant', + }, + network: { application: 'ssh' }, + source: { ip: '10.0.2.2' }, + client: { ip: '10.0.2.2' }, + event: { action: 'exit', category: 'process', kind: 'signal' }, }, - network: { application: 'ssh' }, - source: { ip: '10.0.2.2' }, - client: { ip: '10.0.2.2' }, - 
event: { action: 'exec', category: 'process', kind: 'signal' }, + sort: [1637674906775], }, - sort: [1637674906777], - }, - { - _index: '.internal.alerts-security.alerts-default-000001', - _id: 'b078f297327f0552e2461200d0224e605a397dc705fe00565759078088eaebe4', - _score: null, - _source: { - kibana: { - version: '8.1.0', - alert: { - rule: { - category: 'Custom Query Rule', - consumer: 'siem', - name: 'cmd cat rule', - producer: 'siem', - rule_type_id: 'siem.queryRule', - uuid: 'a9d50a20-4c62-11ec-a972-9179365b52d5', - actions: [], - created_at: '2021-11-23T13:38:39.059Z', - created_by: 'elastic', - enabled: true, - interval: '1m', - tags: [], - updated_at: '2021-11-23T13:38:40.417Z', - updated_by: 'elastic', - description: 'cmd cat rule', - risk_score: 21, - severity: 'low', - license: '', - meta: { from: '1m', kibana_siem_app_url: 'http://localhost:5601/app/security' }, - author: [], - false_positives: [], - from: 'now-120s', - rule_id: '472d9de6-01fd-489f-9783-42773114fe8f', - max_signals: 100, - risk_score_mapping: [], - severity_mapping: [], - threat: [], - to: 'now', - references: [], - version: 1, - exceptions_list: [], - immutable: false, - type: 'query', - language: 'kuery', - index: [ - 'apm-*-transaction*', - 'traces-apm*', - 'auditbeat-*', - 'endgame-*', - 'filebeat-*', - 'logs-*', - 'packetbeat-*', - 'winlogbeat-*', - 'cmd', - ], - query: 'process.executable : "/usr/bin/cat"', - filters: [], - }, - ancestors: [{ id: 'HcUGTX0BGGlsPv9fp8F_', type: 'event', index: 'cmd', depth: 0 }], - status: 'active', - workflow_status: 'open', - depth: 1, - reason: 'process event created low alert cmd cat rule.', - original_time: '2021-11-23T13:40:21.393Z', - original_event: { action: 'exit', category: 'process', kind: 'event' }, - uuid: 'b078f297327f0552e2461200d0224e605a397dc705fe00565759078088eaebe4', - }, - space_ids: ['default'], + { + _index: '.internal.alerts-security.alerts-default-000001', + _id: 
'bcc079ffccbe5d28a4c9889e40a7c8c965b60c7e05b0f337e516599a9c9e4623', + _score: null, + _source: { + kibana: { + version: '8.1.0', + alert: { + rule: { + category: 'Custom Query Rule', + consumer: 'siem', + name: 'cmd cat rule', + producer: 'siem', + rule_type_id: 'siem.queryRule', + uuid: 'a9d50a20-4c62-11ec-a972-9179365b52d5', + actions: [], + created_at: '2021-11-23T13:38:39.059Z', + created_by: 'elastic', + enabled: true, + interval: '1m', + tags: [], + updated_at: '2021-11-23T13:38:40.417Z', + updated_by: 'elastic', + description: 'cmd cat rule', + risk_score: 21, + severity: 'low', + license: '', + meta: { from: '1m', kibana_siem_app_url: 'http://localhost:5601/app/security' }, + author: [], + false_positives: [], + from: 'now-120s', + rule_id: '472d9de6-01fd-489f-9783-42773114fe8f', + max_signals: 100, + risk_score_mapping: [], + severity_mapping: [], + threat: [], + to: 'now', + references: [], + version: 1, + exceptions_list: [], + immutable: false, + type: 'query', + language: 'kuery', + index: [ + 'apm-*-transaction*', + 'traces-apm*', + 'auditbeat-*', + 'endgame-*', + 'filebeat-*', + 'logs-*', + 'packetbeat-*', + 'winlogbeat-*', + 'cmd', + ], + query: 'process.executable : "/usr/bin/cat"', + filters: [], + }, + ancestors: [{ id: 'H8UGTX0BGGlsPv9fp8F_', type: 'event', index: 'cmd', depth: 0 }], + status: 'active', + workflow_status: 'open', + depth: 1, + reason: 'process event created low alert cmd cat rule.', + original_time: '2021-11-23T13:40:21.392Z', + original_event: { action: 'exec', category: 'process', kind: 'event' }, + uuid: 'bcc079ffccbe5d28a4c9889e40a7c8c965b60c7e05b0f337e516599a9c9e4623', + }, + space_ids: ['default'], + }, + tags: [ + '__internal_rule_id:472d9de6-01fd-489f-9783-42773114fe8f', + '__internal_immutable:false', + ], + '@timestamp': '2021-11-23T13:41:46.777Z', + process: { + pid: 51749, + pgid: 51749, + user: { name: 'vagrant', id: 1000 }, + executable: '/usr/bin/cat', + interactive: true, + entity_id: 
'628f412a-172c-5cf4-b452-a070e1e9cbeb', + parent: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + session: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + entry: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + start: '2021-11-23T13:40:07.183Z', + }, + args_count: 2, + args: ['cat', 'EventConverter/package.json'], + working_directory: '/home/vagrant', + }, + network: { application: 'ssh' }, + source: { ip: '10.0.2.2' }, + client: { ip: '10.0.2.2' }, + event: { action: 'exec', category: 'process', kind: 'signal' }, }, - tags: [ - '__internal_rule_id:472d9de6-01fd-489f-9783-42773114fe8f', - '__internal_immutable:false', - ], - '@timestamp': '2021-11-23T13:41:46.780Z', - process: { - pid: 51749, - pgid: 51749, - user: { name: 'vagrant', id: 1000 }, - executable: '/usr/bin/cat', - interactive: true, - entity_id: '628f412a-172c-5cf4-b452-a070e1e9cbeb', - parent: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - session: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - entry: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - start: '2021-11-23T13:40:07.183Z', - }, - args_count: 2, - args: ['cat', 'EventConverter/package.json'], - working_directory: '/home/vagrant', + sort: [1637674906777], + }, + { + _index: 
'.internal.alerts-security.alerts-default-000001', + _id: 'b078f297327f0552e2461200d0224e605a397dc705fe00565759078088eaebe4', + _score: null, + _source: { + kibana: { + version: '8.1.0', + alert: { + rule: { + category: 'Custom Query Rule', + consumer: 'siem', + name: 'cmd cat rule', + producer: 'siem', + rule_type_id: 'siem.queryRule', + uuid: 'a9d50a20-4c62-11ec-a972-9179365b52d5', + actions: [], + created_at: '2021-11-23T13:38:39.059Z', + created_by: 'elastic', + enabled: true, + interval: '1m', + tags: [], + updated_at: '2021-11-23T13:38:40.417Z', + updated_by: 'elastic', + description: 'cmd cat rule', + risk_score: 21, + severity: 'low', + license: '', + meta: { from: '1m', kibana_siem_app_url: 'http://localhost:5601/app/security' }, + author: [], + false_positives: [], + from: 'now-120s', + rule_id: '472d9de6-01fd-489f-9783-42773114fe8f', + max_signals: 100, + risk_score_mapping: [], + severity_mapping: [], + threat: [], + to: 'now', + references: [], + version: 1, + exceptions_list: [], + immutable: false, + type: 'query', + language: 'kuery', + index: [ + 'apm-*-transaction*', + 'traces-apm*', + 'auditbeat-*', + 'endgame-*', + 'filebeat-*', + 'logs-*', + 'packetbeat-*', + 'winlogbeat-*', + 'cmd', + ], + query: 'process.executable : "/usr/bin/cat"', + filters: [], + }, + ancestors: [{ id: 'HcUGTX0BGGlsPv9fp8F_', type: 'event', index: 'cmd', depth: 0 }], + status: 'active', + workflow_status: 'open', + depth: 1, + reason: 'process event created low alert cmd cat rule.', + original_time: '2021-11-23T13:40:21.393Z', + original_event: { action: 'exit', category: 'process', kind: 'event' }, + uuid: 'b078f297327f0552e2461200d0224e605a397dc705fe00565759078088eaebe4', + }, + space_ids: ['default'], + }, + tags: [ + '__internal_rule_id:472d9de6-01fd-489f-9783-42773114fe8f', + '__internal_immutable:false', + ], + '@timestamp': '2021-11-23T13:41:46.780Z', + process: { + pid: 51749, + pgid: 51749, + user: { name: 'vagrant', id: 1000 }, + executable: '/usr/bin/cat', + 
interactive: true, + entity_id: '628f412a-172c-5cf4-b452-a070e1e9cbeb', + parent: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + session: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + entry: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + start: '2021-11-23T13:40:07.183Z', + }, + args_count: 2, + args: ['cat', 'EventConverter/package.json'], + working_directory: '/home/vagrant', + }, + network: { application: 'ssh' }, + source: { ip: '10.0.2.2' }, + client: { ip: '10.0.2.2' }, + event: { action: 'exit', category: 'process', kind: 'signal' }, }, - network: { application: 'ssh' }, - source: { ip: '10.0.2.2' }, - client: { ip: '10.0.2.2' }, - event: { action: 'exit', category: 'process', kind: 'signal' }, + sort: [1637674906780], }, - sort: [1637674906780], - }] + ], }; diff --git a/x-pack/plugins/session_view/common/types/process_tree/index.ts b/x-pack/plugins/session_view/common/types/process_tree/index.ts index d22c366a9f87ec..799c95f5a01819 100644 --- a/x-pack/plugins/session_view/common/types/process_tree/index.ts +++ b/x-pack/plugins/session_view/common/types/process_tree/index.ts @@ -114,8 +114,8 @@ export interface ProcessEvent { } export interface ProcessEventsPage { - events: ProcessEvent[], - cursor: string, + events: ProcessEvent[]; + cursor: string; } export interface Process { diff --git a/x-pack/plugins/session_view/common/utils/sort_processes.ts b/x-pack/plugins/session_view/common/utils/sort_processes.ts index fed117ace763ce..881ad63a498846 100644 --- a/x-pack/plugins/session_view/common/utils/sort_processes.ts 
+++ b/x-pack/plugins/session_view/common/utils/sort_processes.ts
@@ -1,3 +1,10 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
 import { Process } from '../types/process_tree';
 
 export const sortProcesses = (a: Process, b: Process) => {
@@ -13,4 +20,4 @@ export const sortProcesses = (a: Process, b: Process) => {
 }
 
 return 0;
-}
+};
diff --git a/x-pack/plugins/session_view/public/components/ProcessTree/helpers.ts b/x-pack/plugins/session_view/public/components/ProcessTree/helpers.ts
index 4ce71096b37517..af670a09285885 100644
--- a/x-pack/plugins/session_view/public/components/ProcessTree/helpers.ts
+++ b/x-pack/plugins/session_view/public/components/ProcessTree/helpers.ts
@@ -139,7 +139,13 @@ export const processNewEvents = (
 }
 
 const updatedProcessMap = updateProcessMap(eventsProcessMap, events);
- const newOrphans = buildProcessTree(updatedProcessMap, events, orphans, sessionEntityId, backwardDirection);
+ const newOrphans = buildProcessTree(
+ updatedProcessMap,
+ events,
+ orphans,
+ sessionEntityId,
+ backwardDirection
+ );
 
 return [autoExpandProcessTree(updatedProcessMap), newOrphans];
 };
diff --git a/x-pack/plugins/session_view/public/components/ProcessTree/hooks.ts b/x-pack/plugins/session_view/public/components/ProcessTree/hooks.ts
index a5139da16cb432..b6eb3f9ad83342 100644
--- a/x-pack/plugins/session_view/public/components/ProcessTree/hooks.ts
+++ b/x-pack/plugins/session_view/public/components/ProcessTree/hooks.ts
@@ -106,11 +106,7 @@ export class ProcessImpl implements Process { } } -export const useProcessTree = ({ - sessionEntityId, - data, - searchQuery, -}: UseProcessTreeDeps) => { +export const useProcessTree = ({ sessionEntityId, data, searchQuery }: UseProcessTreeDeps) => { // initialize map, as well as a placeholder for session leader process // we add a fake session leader event, sourced from wide event data. // this is because we might not always have a session leader event @@ -135,23 +131,21 @@ export const useProcessTree = ({ useEffect(() => { let eventsProcessMap: ProcessMap = processMap; let newOrphans: Process[] = orphans; - let newProcessedPages: ProcessEventsPage[] = []; + const newProcessedPages: ProcessEventsPage[] = []; data.forEach((page, i) => { - const processed = processedPages.find(processed => processed.cursor === page.cursor); + const processed = processedPages.find((p) => p.cursor === page.cursor); if (!processed) { - console.log('processing page of events'); - const backwards = i < processedPages.length; - const result = <[ProcessMap, Process[]]>processNewEvents( + const result = processNewEvents( eventsProcessMap, page.events, orphans, sessionEntityId, backwards - ) + ) as [ProcessMap, Process[]]; eventsProcessMap = result[0]; newOrphans = result[1]; @@ -161,7 +155,7 @@ export const useProcessTree = ({ }); setProcessMap({ ...eventsProcessMap }); - setProcessedPages([...processedPages, ...newProcessedPages]) + setProcessedPages([...processedPages, ...newProcessedPages]); setOrphans(newOrphans); // eslint-disable-next-line react-hooks/exhaustive-deps }, [data]); diff --git a/x-pack/plugins/session_view/public/components/ProcessTree/index.test.tsx b/x-pack/plugins/session_view/public/components/ProcessTree/index.test.tsx index 8ffeb71a91e831..030da5c457a7d0 100644 --- a/x-pack/plugins/session_view/public/components/ProcessTree/index.test.tsx +++ b/x-pack/plugins/session_view/public/components/ProcessTree/index.test.tsx 
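Review bot: The `as [ProcessMap, Process[]]` assertion on the new `const result = processNewEvents(` line in the second hunk only moves the old angle-bracket cast to the other end of the call; the helpers.ts hunk earlier in this commit shows `processNewEvents` ending in `return [autoExpandProcessTree(updatedProcessMap), newOrphans];`, and unless its signature (outside that hunk) already declares a tuple, the compiler infers a plain array and the caller has to assert the shape. Declaring the return type on the helper instead, `): [ProcessMap, Process[]] => {`, lets this call site become `const [updatedMap, newOrphans] = processNewEvents(...)` with no assertion and a real type check. The effect body that this hunk edits continues outside the hunk, and useProcessTree itself opens in the first hunk of this file.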
@@ -30,7 +30,8 @@ describe('ProcessTree component', () => { hasNextPage={false} fetchPreviousPage={() => true} hasPreviousPage={false} - />); + /> + ); expect(renderResult.queryByTestId('sessionViewProcessTree')).toBeTruthy(); expect(renderResult.queryByTestId('processTreeNode')).toBeTruthy(); }); diff --git a/x-pack/plugins/session_view/public/components/ProcessTree/index.tsx b/x-pack/plugins/session_view/public/components/ProcessTree/index.tsx index c031f1ee880a00..1f1d5a91cc30cb 100644 --- a/x-pack/plugins/session_view/public/components/ProcessTree/index.tsx +++ b/x-pack/plugins/session_view/public/components/ProcessTree/index.tsx @@ -124,7 +124,8 @@ export const ProcessTree = ({ if (searchResults.length > 0) { selectProcess(searchResults[0]); } - }, [searchResults]) + // eslint-disable-next-line react-hooks/exhaustive-deps + }, [searchResults]); useEffect(() => { if (jumpToEvent && data.length === 2) { @@ -134,7 +135,8 @@ export const ProcessTree = ({ selectProcess(process); } } - }, [jumpToEvent, processMap]) + // eslint-disable-next-line react-hooks/exhaustive-deps + }, [jumpToEvent, processMap]); function renderLoadMoreButton(text: JSX.Element, func: FetchFunction) { return ( diff --git a/x-pack/plugins/session_view/public/components/ProcessTreeAlerts/index.test.tsx b/x-pack/plugins/session_view/public/components/ProcessTreeAlerts/index.test.tsx index 2b4ac578fcca9b..4ab14abefb9639 100644 --- a/x-pack/plugins/session_view/public/components/ProcessTreeAlerts/index.test.tsx +++ b/x-pack/plugins/session_view/public/components/ProcessTreeAlerts/index.test.tsx @@ -31,6 +31,9 @@ describe('ProcessTreeAlerts component', () => { expect(renderResult.queryByTestId('sessionViewAlertDetails')).toBeTruthy(); mockAlerts.forEach((alert) => { + if (!alert.kibana) { + return; + } const { uuid, rule, original_event: event, workflow_status: status } = alert.kibana.alert; const { name, query, severity } = rule; 
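Review bot: The two `// eslint-disable-next-line react-hooks/exhaustive-deps` lines added in ProcessTree/index.tsx silence the rule without recording why `selectProcess`, which both effects call, is left out of `[searchResults]` and `[jumpToEvent, processMap]`; the `[query.data]` effect in the SessionView/hooks.ts hunk does the same for `jumpToEvent` and `query`. A suppression with no reason attached is exactly the line that hides a stale-closure bug later, so either state the reason on the line, e.g. `// exhaustive-deps: selectProcess intentionally omitted — <reason>`, or memoize the callback and list it as a dependency. Whether selectProcess is stable across renders cannot be judged here because the ProcessTree component starts and ends outside these hunks.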
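Review bot: The `if (!alert.kibana) { return; }` guard added in ProcessTreeAlerts/index.test.tsx narrows the type but makes the loop silently skip any fixture that lacks `kibana`, so a test that asserts nothing for such an alert still passes. In a test a missing field should fail the run rather than be skipped; `if (!alert.kibana) { throw new Error('mock alert is missing kibana.alert'); }` keeps the narrowing and surfaces the bad fixture. The forEach body continues past the end of the hunk.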
diff --git a/x-pack/plugins/session_view/public/components/ProcessTreeNode/index.tsx b/x-pack/plugins/session_view/public/components/ProcessTreeNode/index.tsx
index 77d370c3fe648e..3c050f23cece9e 100644
--- a/x-pack/plugins/session_view/public/components/ProcessTreeNode/index.tsx
+++ b/x-pack/plugins/session_view/public/components/ProcessTreeNode/index.tsx
@@ -90,7 +90,7 @@ export function ProcessTreeNode({
 const renderChildren = () => {
 let { children } = process;
- // we pass an array of orphans to the session leader
+ // we pass an array of orphans to the session leader
 // for lack of a better approach, we just mix the orphans with its children and re-sort by timestamp.
 // we could just add orphans to the children of the session leader in useProcessTree, but
 // it makes it difficult to re-parent them when their parent actually shows up (e.g in the case of reverse pagination)
diff --git a/x-pack/plugins/session_view/public/components/SessionLeaderTable/styles.ts b/x-pack/plugins/session_view/public/components/SessionLeaderTable/styles.ts
index 80c9348c4ab7b5..26fb8edf56c6ff 100644
--- a/x-pack/plugins/session_view/public/components/SessionLeaderTable/styles.ts
+++ b/x-pack/plugins/session_view/public/components/SessionLeaderTable/styles.ts
@@ -6,12 +6,9 @@
 */
 import { useMemo } from 'react';
-import { useEuiTheme } from '@elastic/eui';
 import { CSSObject } from '@emotion/react';
 export const useStyles = () => {
- const { euiTheme } = useEuiTheme();
-
 const cached = useMemo(() => {
 const rowButtonContainer: CSSObject = {
 display: 'flex',
@@ -26,7 +23,7 @@ export const useStyles = () => {
 rowButtonContainer,
 rowCheckbox,
 };
- }, [euiTheme]);
+ }, []);
 return cached;
 };
diff --git a/x-pack/plugins/session_view/public/components/SessionLeaderTablePage/index.tsx b/x-pack/plugins/session_view/public/components/SessionLeaderTablePage/index.tsx
index 2eae0fd7e26835..9e4908b5aa1e3e 100644
--- a/x-pack/plugins/session_view/public/components/SessionLeaderTablePage/index.tsx
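Review bot: With `euiTheme` gone, the `useMemo` in SessionLeaderTable/styles.ts now ends in `}, []);` and has no inputs left, so the hook only memoizes a constant object once per mounted component. If nothing in the omitted middle of the callback reads props, context or other hooks, the `rowButtonContainer` and `rowCheckbox` objects can be built once at module scope and `useStyles` can simply return that constant, which drops the memo and the hook bookkeeping; the middle of the callback lies between the two hunks and is not visible here.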
+++ b/x-pack/plugins/session_view/public/components/SessionLeaderTablePage/index.tsx @@ -45,8 +45,8 @@ export const SessionLeaderTablePage = (props: RouteComponentProps) => { - + - - ) + + ); }; diff --git a/x-pack/plugins/session_view/public/components/SessionView/hooks.ts b/x-pack/plugins/session_view/public/components/SessionView/hooks.ts index 46c90f20058d2e..829c29567551b3 100644 --- a/x-pack/plugins/session_view/public/components/SessionView/hooks.ts +++ b/x-pack/plugins/session_view/public/components/SessionView/hooks.ts @@ -23,7 +23,8 @@ export const useFetchSessionViewProcessEvents = ( const query = useInfiniteQuery( 'sessionViewProcessEvents', async ({ pageParam = {} }) => { - let { cursor, forward } = pageParam; + let { cursor } = pageParam; + const { forward } = pageParam; if (!cursor && jumpToCursor) { cursor = jumpToCursor; @@ -68,6 +69,7 @@ export const useFetchSessionViewProcessEvents = ( if (jumpToEvent && query.data?.pages.length === 1) { query.fetchPreviousPage(); } + // eslint-disable-next-line react-hooks/exhaustive-deps }, [query.data]); return query; diff --git a/x-pack/plugins/session_view/public/components/SessionView/index.test.tsx b/x-pack/plugins/session_view/public/components/SessionView/index.test.tsx index a5e45fa0c0f35a..b1f91fc2c3b8f3 100644 --- a/x-pack/plugins/session_view/public/components/SessionView/index.test.tsx +++ b/x-pack/plugins/session_view/public/components/SessionView/index.test.tsx @@ -30,7 +30,7 @@ describe('SessionView component', () => { describe('And no data exists', () => { beforeEach(async () => { mockedApi.mockResolvedValue({ - events: [] + events: [], }); }); diff --git a/x-pack/plugins/session_view/public/components/SessionViewPage/index.tsx b/x-pack/plugins/session_view/public/components/SessionViewPage/index.tsx index 674f68a2355552..894e36141ec3ce 100644 --- a/x-pack/plugins/session_view/public/components/SessionViewPage/index.tsx 
+++ b/x-pack/plugins/session_view/public/components/SessionViewPage/index.tsx 
@@ -21,97 +21,94 @@ interface RecentSessionResults {
 }
 const jumpToEvent: ProcessEvent = {
- "@timestamp": new Date("2022-01-04T19:18:47.143Z"),
- "event": {
- "kind": EventKind.event,
- "action": EventAction.exec,
- "category": "process",
+ '@timestamp': new Date('2022-01-04T19:18:47.143Z'),
+ event: {
+ kind: EventKind.event,
+ action: EventAction.exec,
+ category: 'process',
 },
- "host": {
- "architecture": "x86_64",
- "hostname": "mock-host-name",
- "id": "48c1b3f1ac5da4e0057fc9f60f4d1d5d",
- "ip": "127.0.0.1",
- "mac": "42:01:0a:84:00:32",
- "name": "mock-host",
- "os": {
- "type": "",
- "family": "centos",
- "full": "CentOS 7.9.2009",
- "kernel": "3.10.0-1160.31.1.el7.x86_64 #1 SMP Thu Jun 10 13:32:12 UTC 2021",
- "name": "Linux",
- "platform": "centos",
- "version": "7.9.2009"
- }
+ host: {
+ architecture: 'x86_64',
+ hostname: 'mock-host-name',
+ id: '48c1b3f1ac5da4e0057fc9f60f4d1d5d',
+ ip: '127.0.0.1',
+ mac: '42:01:0a:84:00:32',
+ name: 'mock-host',
+ os: {
+ type: '',
+ family: 'centos',
+ full: 'CentOS 7.9.2009',
+ kernel: '3.10.0-1160.31.1.el7.x86_64 #1 SMP Thu Jun 10 13:32:12 UTC 2021',
+ name: 'Linux',
+ platform: 'centos',
+ version: '7.9.2009',
+ },
 },
- "process": {
- "start": new Date("2022-01-04T19:18:47.143Z"),
- "pid": 11197,
- "pgid": 6699,
- "user": {
- "name": "kg",
- "id": "1000"
+ process: {
+ start: new Date('2022-01-04T19:18:47.143Z'),
+ pid: 11197,
+ pgid: 6699,
+ user: {
+ name: 'kg',
+ id: '1000',
 },
- "executable": "/bin/echo",
- "interactive": true,
- "entity_id": "9b40fa52-fccf-52fa-9164-13a11903ee4d",
- "parent": {
- "pid": 6699,
- "pgid": 6699,
- "user": {
- "name": "kg",
- "id": "1000"
+ executable: '/bin/echo',
+ interactive: true,
+ entity_id: '9b40fa52-fccf-52fa-9164-13a11903ee4d',
+ parent: {
+ pid: 6699,
+ pgid: 6699,
+ user: {
+ name: 'kg',
+ id: '1000',
 },
- "executable": "/usr/bin/bash",
- "args": ["/usr/bin/bash"],
- "working_directory": "/",
- "name": "bash",
- "args_count": 1,
- "interactive": true,
- "entity_id": "1ba32ad9-1ae1-54e9-899a-d5bd4fa5f6ed",
- "start": new Date("2022-01-04T18:33:23.490Z"),
+ executable: '/usr/bin/bash',
+ args: ['/usr/bin/bash'],
+ working_directory: '/',
+ name: 'bash',
+ args_count: 1,
+ interactive: true,
+ entity_id: '1ba32ad9-1ae1-54e9-899a-d5bd4fa5f6ed',
+ start: new Date('2022-01-04T18:33:23.490Z'),
 },
- "session": {
- "pid": 6379,
- "pgid": 6379,
- "user": {
- "name": "kg",
- "id": "1000"
+ session: {
+ pid: 6379,
+ pgid: 6379,
+ user: {
+ name: 'kg',
+ id: '1000',
 },
- "executable": "/usr/bin/zsh",
- "args": ["/usr/bin/zsh"],
- "working_directory": "/",
- "name": "zsh",
- "args_count": 1,
- "interactive": true,
- "entity_id": "354b317e-4037-50db-a83f-fab4a32a085c",
- "start": new Date("2022-01-04T18:33:23.490Z"),
+ executable: '/usr/bin/zsh',
+ args: ['/usr/bin/zsh'],
+ working_directory: '/',
+ name: 'zsh',
+ args_count: 1,
+ interactive: true,
+ entity_id: '354b317e-4037-50db-a83f-fab4a32a085c',
+ start: new Date('2022-01-04T18:33:23.490Z'),
 },
- "entry": {
- "pid": 6379,
- "pgid": 6379,
- "user": {
- "name": "kg",
- "id": "1000"
+ entry: {
+ pid: 6379,
+ pgid: 6379,
+ user: {
+ name: 'kg',
+ id: '1000',
 },
- "executable": "/usr/bin/zsh",
- "args": ["/usr/bin/zsh"],
- "args_count": 1,
- "working_directory": "/",
- "name": "zsh",
- "interactive": true,
- "entity_id": "354b317e-4037-50db-a83f-fab4a32a085c",
- "start": new Date("2022-01-04T18:33:23.490Z")
+ executable: '/usr/bin/zsh',
+ args: ['/usr/bin/zsh'],
+ args_count: 1,
+ working_directory: '/',
+ name: 'zsh',
+ interactive: true,
+ entity_id: '354b317e-4037-50db-a83f-fab4a32a085c',
+ start: new Date('2022-01-04T18:33:23.490Z'),
 },
- "name": "echo",
- "args_count": 2,
- "args": [
- "/bin/echo",
- "8715"
- ],
- "working_directory": "/"
+ name: 'echo',
+ args_count: 2,
+ args: ['/bin/echo', '8715'],
+ working_directory: '/',
 },
-}
+};
 export const SessionViewPage = (props: RouteComponentProps) => {
 const { chrome, http } = useKibana().services;
@@ -124,17 +121,21 @@ export const SessionViewPage = (props: RouteComponentProps) => { chrome.docTitle.change('Process Tree'); // loads the entity_id of most recent 'interactive' session - const { data } = useQuery(['recent-session', 'recent_session'], () => { - return http.get(RECENT_SESSION_ROUTE, { - query: { - indexes: ['cmd*', '.siem-signals*'], - }, - }) - }, { - refetchOnWindowFocus: false, - refetchOnMount: false, - refetchOnReconnect: false - }); + const { data } = useQuery( + ['recent-session', 'recent_session'], + () => { + return http.get(RECENT_SESSION_ROUTE, { + query: { + indexes: ['cmd*', '.siem-signals*'], + }, + }); + }, + { + refetchOnWindowFocus: false, + refetchOnMount: false, + refetchOnReconnect: false, + } + ); const [sessionEntityId, setSessionEntityId] = useState(''); @@ -158,7 +159,9 @@ export const SessionViewPage = (props: RouteComponentProps) => { description="Session view showing the most recent interactive session." /> - {sessionEntityId && } + {sessionEntityId && ( + + )} diff --git a/x-pack/plugins/session_view/public/components/SessionViewTableProcessTree/index.test.tsx b/x-pack/plugins/session_view/public/components/SessionViewTableProcessTree/index.test.tsx index ad724f7ace9847..c551c2f89794c3 100644 --- a/x-pack/plugins/session_view/public/components/SessionViewTableProcessTree/index.test.tsx +++ b/x-pack/plugins/session_view/public/components/SessionViewTableProcessTree/index.test.tsx @@ -36,11 +36,7 @@ const mockActionProps: ActionProps = { jest.mock('../SessionView/index.tsx', () => { return { SessionView: () => { - return ( -
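Review bot: The reformatted `useQuery` call in SessionViewPage/index.tsx still sends `indexes: ['cmd*', '.siem-signals*']` from the browser, so the client decides which index patterns `RECENT_SESSION_ROUTE` searches; whether the server validates that list against a fixed allowlist is not visible in this commit, and if it does not, the route can be asked to search any index the Kibana user's privileges already allow rather than only the session-view data it was written for. A comment on the `query:` line naming where the server-side check lives, or moving the index list into the route handler so it is not a request parameter at all, would make the trust boundary explicit. The component body continues outside the hunk.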
- Mock -
- ); + return
Mock
; }, }; }); @@ -50,7 +46,8 @@ jest.mock('../SessionLeaderTable/index.tsx', () => { SessionLeaderTable: (props: SessionLeaderTableProps) => { const { onOpenSessionViewer = () => {} } = props; return ( -
onOpenSessionViewer(mockActionProps)} > @@ -93,8 +90,8 @@ describe('SessionViewTableProcessTree component', () => { it('Switches to session view when the user picks a session', async () => { renderResult = mockedContext.render(); - const sessionLeaderTable = renderResult.queryByTestId('SessionLeaderTable'); - sessionLeaderTable && fireEvent.click(sessionLeaderTable); + const sessionLeaderTable = renderResult.getByTestId('SessionLeaderTable'); + fireEvent.click(sessionLeaderTable); await waitForApiCall(); // Now that we fetched the entity id, session view should be visible @@ -104,15 +101,15 @@ describe('SessionViewTableProcessTree component', () => { it('Close button works', async () => { renderResult = mockedContext.render(); - const sessionLeaderTable = renderResult.queryByTestId('SessionLeaderTable'); - sessionLeaderTable && fireEvent.click(sessionLeaderTable); + const sessionLeaderTable = renderResult.getByTestId('SessionLeaderTable'); + fireEvent.click(sessionLeaderTable); await waitForApiCall(); expect(renderResult.queryByTestId('SessionView')).toBeTruthy(); expect(renderResult.queryByTestId('SessionLeaderTable')).toBeNull(); - const closeButton = renderResult.queryByTestId('session-view-close-button'); - closeButton && fireEvent.click(closeButton); + const closeButton = renderResult.getByTestId('session-view-close-button'); + fireEvent.click(closeButton); expect(renderResult.queryByTestId('SessionLeaderTable')).toBeTruthy(); expect(renderResult.queryByTestId('SessionView')).toBeNull(); diff --git a/x-pack/plugins/session_view/server/routes/index.ts b/x-pack/plugins/session_view/server/routes/index.ts index c12841e7d5ef0f..7da631f59512ea 100644 --- a/x-pack/plugins/session_view/server/routes/index.ts +++ b/x-pack/plugins/session_view/server/routes/index.ts 
@@ -4,14 +4,13 @@
 * 2.0; you may not use this file except in compliance with the Elastic License
 * 2.0.
 */
-
+import type { Logger } from 'kibana/server';
 import { IRouter } from '../../../../../src/core/server';
 import { registerTestRoute } from './test_route';
 import { registerTestSavedObjectsRoute } from './test_saved_objects_route';
 import { registerProcessEventsRoute } from './process_events_route';
 import { registerRecentSessionRoute } from './recent_session_route';
 import { sessionEntryLeadersRoute } from './session_entry_leaders_route';
-import type { Logger } from 'kibana/server';
 export const registerRoutes = (router: IRouter, logger: Logger) => {
 registerTestRoute(router);
diff --git a/x-pack/plugins/session_view/server/routes/process_events_route.ts b/x-pack/plugins/session_view/server/routes/process_events_route.ts
index e456f9a024cec9..6871560424a9ae 100644
--- a/x-pack/plugins/session_view/server/routes/process_events_route.ts
+++ b/x-pack/plugins/session_view/server/routes/process_events_route.ts
@@ -5,9 +5,8 @@
 * 2.0.
 */
 import { schema } from '@kbn/config-schema';
-import type { Logger } from 'kibana/server';
+import type { ElasticsearchClient, Logger } from 'kibana/server';
 import { IRouter } from '../../../../../src/core/server';
-import { ElasticsearchClient } from '../../../../../src/core/server/elasticsearch';
 import { PROCESS_EVENTS_ROUTE, PROCESS_EVENTS_PER_PAGE } from '../../common/constants';
 import { expandDottedObject } from '../../common/utils/expand_dotted_object';
diff --git a/x-pack/plugins/session_view/server/routes/session_entry_leaders_route.ts b/x-pack/plugins/session_view/server/routes/session_entry_leaders_route.ts
index 58791926e0c732..68f8facab25e90 100644
--- a/x-pack/plugins/session_view/server/routes/session_entry_leaders_route.ts
+++ b/x-pack/plugins/session_view/server/routes/session_entry_leaders_route.ts
@@ -32,6 +32,6 @@ export const sessionEntryLeadersRoute = (router: IRouter) => {
 session_entry_leader: result?.body?._source,
 },
 });
- },
+ }
 );
 };