
Commit bea876f

authored
carbon_black_cloud: fix mapping for process lineage (#15772)
1 parent d9f7ac6 commit bea876f

9 files changed

+483
-319
lines changed


packages/carbon_black_cloud/changelog.yml

Lines changed: 10 additions & 0 deletions
@@ -1,4 +1,14 @@
11
# newer versions go on top
2+
- version: "4.0.0"
3+
changes:
4+
- description: Fix handling mapping of process lineage for `endpoint.event.procstart` events.
5+
type: bugfix
6+
link: https://github.com/elastic/integrations/pull/15772
7+
- description: >-
8+
Process identity fields are changed for `endpoint.event.procstart` events, with the lineage
9+
shifted to be process, parent and grand parent, instead of child, process and parent.
10+
type: breaking-change
11+
link: https://github.com/elastic/integrations/pull/15772
212
- version: "3.2.1"
313
changes:
414
- description: Add temporary processor to remove the fields added by the Agentless policy.
Lines changed: 2 additions & 0 deletions
@@ -1,3 +1,5 @@
11
fields:
22
tags:
33
- preserve_original_event
4+
numeric_keyword_fields:
5+
- carbon_black_cloud.endpoint_event.process.grandparent.pid
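Review bot: Listing `carbon_black_cloud.endpoint_event.process.grandparent.pid` under `numeric_keyword_fields` tells the pipeline test harness that the field is mapped as keyword while the pipeline emits it as a number (`"pid": 640` in the expected output); the field definition itself is not in view, so this is inferred from the test config alone. If that reading is right, the grandparent pid is typed differently from `process.pid` and `process.parent.pid`, which blocks range queries and numeric correlation across the three lineage levels. Either map the new field as `long` and drop this entry, or add a one-line comment above it such as `# grandparent.pid is mapped as keyword: <reason>` so the type mismatch reads as deliberate rather than as an oversight.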

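--- a/packages/carbon_black_cloud/data_stream/endpoint_event/_dev/test/pipeline/test-endpoint-event.log-expected.json
+++ b/packages/carbon_black_cloud/data_stream/endpoint_event/_dev/test/pipeline/test-endpoint-event.log-expected.json
@@ -734,29 +734,6 @@
 "backend": {
 "timestamp": "2022-02-10 11:52:50 +0000 UTC"
 },
-"childproc": {
-"guid": "XXXXXXXX-003d902d-00001244-00000000-1d81e748f8b0d13",
-"hash": {
-"md5": "2445dece99deedbd701dc6dfe10e648e",
-"sha256": "5a780d6630639ffb7fd3d295c182eaa2a7cad2c70248c5ba8f334bb3803353ca"
-},
-"name": "c:\\windows\\system32\\netstat.exe",
-"pid": 4676,
-"publisher": [
-{
-"name": "Microsoft Windows",
-"state": [
-"FILE_SIGNATURE_STATE_SIGNED",
-"FILE_SIGNATURE_STATE_VERIFIED",
-"FILE_SIGNATURE_STATE_TRUSTED",
-"FILE_SIGNATURE_STATE_OS",
-"FILE_SIGNATURE_STATE_CATALOG_SIGNED"
-]
-}
-],
-"reputation": "REP_RESOLVING",
-"username": "NT AUTHORITY\\SYSTEM"
-},
 "device": {
 "external_ip": "67.43.156.13",
 "os": "WINDOWS",
@@ -765,22 +742,45 @@
 "event_origin": "EDR",
 "organization_key": "XXXXXXXX",
 "process": {
-"parent": {
+"grandparent": {
+"command_line": "C:\\windows\\system32\\services.exe",
+"entity_id": "XXXXXXXX-003d902d-00000280-00000000-1d74d6bb1e536c7",
+"executable": "c:\\windows\\system32\\services.exe",
+"hash": {
+"md5": "fae441a6ec7fd8f55a404797a25c8910",
+"sha256": "70d7571253e091f646f78a4dd078ce7fe8d796625bfa3c0a466df03971175fb4"
+},
+"pid": 640,
 "reputation": "REP_RESOLVING"
 },
+"parent": {
+"publisher": [
+{
+"name": "Microsoft Corporation",
+"state": [
+"FILE_SIGNATURE_STATE_SIGNED",
+"FILE_SIGNATURE_STATE_VERIFIED",
+"FILE_SIGNATURE_STATE_TRUSTED"
+]
+}
+],
+"reputation": "REP_RESOLVING",
+"terminated": false,
+"username": "NT AUTHORITY\\SYSTEM"
+},
 "publisher": [
 {
-"name": "Microsoft Corporation",
+"name": "Microsoft Windows",
 "state": [
 "FILE_SIGNATURE_STATE_SIGNED",
 "FILE_SIGNATURE_STATE_VERIFIED",
-"FILE_SIGNATURE_STATE_TRUSTED"
+"FILE_SIGNATURE_STATE_TRUSTED",
+"FILE_SIGNATURE_STATE_OS",
+"FILE_SIGNATURE_STATE_CATALOG_SIGNED"
 ]
 }
 ],
-"reputation": "REP_RESOLVING",
-"terminated": false,
-"username": "NT AUTHORITY\\SYSTEM"
+"reputation": "REP_RESOLVING"
 },
 "schema": 1,
 "sensor_action": "ACTION_ALLOW",
@@ -813,24 +813,26 @@
 }
 },
 "process": {
-"command_line": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1010_2021-05-11_233023\\GuestAgent\\WindowsAzureGuestAgent.exe",
-"entity_id": "XXXXXXXX-003d902d-00000694-00000000-1d7540221dedd62",
-"executable": "c:\\windowsazure\\guestagent_2.7.41491.1010_2021-05-11_233023\\guestagent\\windowsazureguestagent.exe",
+"entity_id": "XXXXXXXX-003d902d-00001244-00000000-1d81e748f8b0d13",
+"executable": "c:\\windows\\system32\\netstat.exe",
 "hash": {
-"md5": "03dd698da2671383c9b4f868c9931879",
-"sha256": "44a1975b2197484bb22a0eb673e67e7ee9ec20265e9f6347f5e06b6447ac82c5"
+"md5": "2445dece99deedbd701dc6dfe10e648e",
+"sha256": "5a780d6630639ffb7fd3d295c182eaa2a7cad2c70248c5ba8f334bb3803353ca"
 },
 "parent": {
-"command_line": "C:\\windows\\system32\\services.exe",
-"entity_id": "XXXXXXXX-003d902d-00000280-00000000-1d74d6bb1e536c7",
-"executable": "c:\\windows\\system32\\services.exe",
+"command_line": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1010_2021-05-11_233023\\GuestAgent\\WindowsAzureGuestAgent.exe",
+"entity_id": "XXXXXXXX-003d902d-00000694-00000000-1d7540221dedd62",
+"executable": "c:\\windowsazure\\guestagent_2.7.41491.1010_2021-05-11_233023\\guestagent\\windowsazureguestagent.exe",
 "hash": {
-"md5": "fae441a6ec7fd8f55a404797a25c8910",
-"sha256": "70d7571253e091f646f78a4dd078ce7fe8d796625bfa3c0a466df03971175fb4"
+"md5": "03dd698da2671383c9b4f868c9931879",
+"sha256": "44a1975b2197484bb22a0eb673e67e7ee9ec20265e9f6347f5e06b6447ac82c5"
 },
-"pid": 640
+"pid": 1684
 },
-"pid": 1684
+"pid": 4676,
+"user": {
+"name": "NT AUTHORITY\\SYSTEM"
+}
 },
 "related": {
 "hash": [
@@ -862,29 +864,6 @@
 "backend": {
 "timestamp": "2022-02-10 11:52:50 +0000 UTC"
 },
-"childproc": {
-"guid": "XXXXXXXX-003d902d-0000030c-00000000-1d81e748e552c86",
-"hash": {
-"md5": "70cc03d968b1e7446d30af1037c228bf",
-"sha256": "28aba00ae4f5f93b6b60ffcd9037167880eff26ff8116086342a22841d69fd6b"
-},
-"name": "c:\\windows\\system32\\arp.exe",
-"pid": 780,
-"publisher": [
-{
-"name": "Microsoft Windows",
-"state": [
-"FILE_SIGNATURE_STATE_SIGNED",
-"FILE_SIGNATURE_STATE_VERIFIED",
-"FILE_SIGNATURE_STATE_TRUSTED",
-"FILE_SIGNATURE_STATE_OS",
-"FILE_SIGNATURE_STATE_CATALOG_SIGNED"
-]
-}
-],
-"reputation": "REP_RESOLVING",
-"username": "NT AUTHORITY\\SYSTEM"
-},
 "device": {
 "external_ip": "67.43.156.13",
 "os": "WINDOWS",
@@ -893,22 +872,45 @@
 "event_origin": "EDR",
 "organization_key": "XXXXXXXX",
 "process": {
-"parent": {
+"grandparent": {
+"command_line": "C:\\windows\\system32\\services.exe",
+"entity_id": "XXXXXXXX-003d902d-00000280-00000000-1d74d6bb1e536c7",
+"executable": "c:\\windows\\system32\\services.exe",
+"hash": {
+"md5": "fae441a6ec7fd8f55a404797a25c8910",
+"sha256": "70d7571253e091f646f78a4dd078ce7fe8d796625bfa3c0a466df03971175fb4"
+},
+"pid": 640,
 "reputation": "REP_RESOLVING"
 },
+"parent": {
+"publisher": [
+{
+"name": "Microsoft Corporation",
+"state": [
+"FILE_SIGNATURE_STATE_SIGNED",
+"FILE_SIGNATURE_STATE_VERIFIED",
+"FILE_SIGNATURE_STATE_TRUSTED"
+]
+}
+],
+"reputation": "REP_RESOLVING",
+"terminated": false,
+"username": "NT AUTHORITY\\SYSTEM"
+},
 "publisher": [
 {
-"name": "Microsoft Corporation",
+"name": "Microsoft Windows",
 "state": [
 "FILE_SIGNATURE_STATE_SIGNED",
 "FILE_SIGNATURE_STATE_VERIFIED",
-"FILE_SIGNATURE_STATE_TRUSTED"
+"FILE_SIGNATURE_STATE_TRUSTED",
+"FILE_SIGNATURE_STATE_OS",
+"FILE_SIGNATURE_STATE_CATALOG_SIGNED"
 ]
 }
 ],
-"reputation": "REP_RESOLVING",
-"terminated": false,
-"username": "NT AUTHORITY\\SYSTEM"
+"reputation": "REP_RESOLVING"
 },
 "schema": 1,
 "sensor_action": "ACTION_ALLOW",
@@ -941,24 +943,26 @@
 }
 },
 "process": {
-"command_line": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1010_2021-05-11_233023\\GuestAgent\\WindowsAzureGuestAgent.exe",
-"entity_id": "XXXXXXXX-003d902d-00000694-00000000-1d7540221dedd62",
-"executable": "c:\\windowsazure\\guestagent_2.7.41491.1010_2021-05-11_233023\\guestagent\\windowsazureguestagent.exe",
+"entity_id": "XXXXXXXX-003d902d-0000030c-00000000-1d81e748e552c86",
+"executable": "c:\\windows\\system32\\arp.exe",
 "hash": {
-"md5": "03dd698da2671383c9b4f868c9931879",
-"sha256": "44a1975b2197484bb22a0eb673e67e7ee9ec20265e9f6347f5e06b6447ac82c5"
+"md5": "70cc03d968b1e7446d30af1037c228bf",
+"sha256": "28aba00ae4f5f93b6b60ffcd9037167880eff26ff8116086342a22841d69fd6b"
 },
 "parent": {
-"command_line": "C:\\windows\\system32\\services.exe",
-"entity_id": "XXXXXXXX-003d902d-00000280-00000000-1d74d6bb1e536c7",
-"executable": "c:\\windows\\system32\\services.exe",
+"command_line": "C:\\WindowsAzure\\GuestAgent_2.7.41491.1010_2021-05-11_233023\\GuestAgent\\WindowsAzureGuestAgent.exe",
+"entity_id": "XXXXXXXX-003d902d-00000694-00000000-1d7540221dedd62",
+"executable": "c:\\windowsazure\\guestagent_2.7.41491.1010_2021-05-11_233023\\guestagent\\windowsazureguestagent.exe",
 "hash": {
-"md5": "fae441a6ec7fd8f55a404797a25c8910",
-"sha256": "70d7571253e091f646f78a4dd078ce7fe8d796625bfa3c0a466df03971175fb4"
+"md5": "03dd698da2671383c9b4f868c9931879",
+"sha256": "44a1975b2197484bb22a0eb673e67e7ee9ec20265e9f6347f5e06b6447ac82c5"
 },
-"pid": 640
+"pid": 1684
 },
-"pid": 1684
+"pid": 780,
+"user": {
+"name": "NT AUTHORITY\\SYSTEM"
+}
 },
 "related": {
 "hash": [
@@ -2587,4 +2591,4 @@
 ]
 }
 ]
-}
+}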
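Review bot: The rebuilt ECS `process` object in the third hunk (new-side lines 815–836) carries `entity_id`, `executable`, `hash`, `parent`, `pid` and `user` but no `process.name`, and `process.parent` likewise has `executable` and `command_line` without `name`; the expected output lists keys alphabetically, so a populated `name` would sit between `hash` and `parent`. `process.name` is the field most endpoint detection rules and dashboards key on, so procstart events that only populate `executable` will not match them even though the lineage is now correct. The pipeline that produces this output is not in view, but it should derive `process.name` and `process.parent.name` from the last path segment of the corresponding `executable` (`netstat.exe`, `windowsazureguestagent.exe`), and the sixth hunk (`arp.exe`) has the same gap. The lineage shift itself reads correctly: the former `childproc` values now populate `process`, and the former `process`/`parent` values move to `process.parent` and `carbon_black_cloud.endpoint_event.process.grandparent`.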
