@webmat webmat commented Oct 29, 2019

No description provided.

to the executable, and all arguments.
Some arguments may be filtered to protect sensitive information.
example: "/usr/bin/ssh -l user 10.0.0.16"
Member

When do we use process.command_line vs process.args? They seem a little redundant.

Contributor Author

I totally agree they are redundant.

Having the args as an array is exceptionally powerful (more than I initially realized) when detections are looking for an exact term in a command.

However, especially in the context of endpoint detections, many of them will still have to rely on fuzzier searches, e.g. with wildcards, to detect some attack patterns such as obfuscated commands, base64 decoding, webshells and so on.

So both fields are actually needed, in order to perform each class of detection.

Also unrelated to detections, displaying process.command_line in Kibana will be much nicer :-)

cc @rw-access @randomuserid

Contributor

Yeah exactly.
I think process.args will have more utility for search than process.command_line, but process.command_line gives us full recoverability of the original command line as presented to the OS. For one odd edge case, cmd.exe essentially puts 2 spaces between arg[0] and arg[1], but arg parsing is lossy, so we lose that artifact.

@webmat webmat merged commit 23d9ea9 into elastic:master Nov 18, 2019
@rw-access rw-access mentioned this pull request Nov 26, 2019
dcode pushed a commit to dcode/ecs that referenced this pull request Apr 15, 2020