[Security Solution] [Timeline] Endpoint row renderers (2nd batch) #91446

andrew-goldstein · 2021-02-15T22:14:45Z

[Security Solution] [Timeline] Endpoint row renderers (2nd batch)

This PR implements the 2nd batch of Endpoint row renderers, including the new Ransomware alerts, by adding new row renderers for the following Endpoint alerts and events:

event.dataset	event.type	event.category	event.action
endpoint.alerts	denied	file	creation
endpoint.alerts	allowed	file	creation
endpoint.alerts	denied	file	files-encrypted
endpoint.alerts	allowed	file	files-encrypted
endpoint.alerts	denied	file	modification
endpoint.alerts	allowed	file	modification
endpoint.alerts	denied	file	rename
endpoint.alerts	allowed	file	rename
endpoint.alerts	denied	process	execution
endpoint.alerts	allowed	process	execution
endpoint.events.file	change	file	modification
endpoint.events.file	change	file	overwrite
endpoint.events.file	change	file	rename
endpoint.events.registry	change	registry	modification
endpoint.events.library	start	library	load
endpoint.events.network	protocol	network	http_request
endpoint.events.process	start	process	exec
endpoint.events.process	start	process	fork

Other updates:

All row renders will now only display the file.hash.sha256 and process.hash.sha256. (The sha1 and md5 hashes will no longer be displayed)

Malware File Creation Prevented alert

Malware File Creation Prevented alerts with the following event.dataset, event.type, event.category, and event.action will be rendered in Timeline via row renderers:

event.dataset: endpoint.alerts and event.type: denied and event.category: file and event.action: creation

Sample Malware File Creation Prevented alert

win2019-endpoint-1 was prevented from creating a malicious file 6a5eabd6-1c79-4962-b411-a5e7d9e967d4.tmp in C:\Users\sean\Downloads\6a5eabd6-1c79-4962-b411-a5e7d9e967d4.tmp via chrome.exe (8944) C:\Program Files\Google\Chrome\Application\chrome.exe via parent process explorer.exe (1008) with result success

7cc42618e580f233fee47e82312cc5c3476cb5de9219ba3f9eb7f99ac0659c30

Fields in a Malware File Creation Prevented alert

user.name \ user.domain @ host.name was prevented from creating a malicious file file.name in file.path via process.name (process.pid) process.args via parent process process.parent.name (process.parent.pid) with result event.outcome

file.hash.sha256

Malware File Creation Detected alert

Malware File Creation Detected alerts with the following event.dataset, event.type, event.category, and event.action will be rendered in Timeline via row renderers:

event.dataset: endpoint.alerts and event.type: allowed and event.category: file and event.action: creation

Sample Malware File Creation Detected alert

DESKTOP-1 was detected creating a malicious file mimikatz_write.exe in C:\temp\mimikatz_write.exe via python.exe (4400) C:\Python27\python.exe main.py -a execute -p c:\temp via parent process pythonservice.exe (2936) with result success

263f09eeee80e03aa27a2d19530e2451978e18bf733c5f1c64ff2389c5dc17b0

Fields in a Malware File Creation Detected alert

user.name \ user.domain @ host.name was detected creating a malicious file file.name in file.path via process.name (process.pid) process.args via parent process process.parent.name (process.parent.pid) with result event.outcome

file.hash.sha256

Ransomware Files Encrypted Prevented alert

Ransomware Files Encrypted Prevented alerts with the following event.dataset, event.type, event.category, and event.action will be rendered in Timeline via row renderers:

event.dataset: endpoint.alerts and event.type: denied and event.category: file and event.action: files-encrypted

Sample Ransomware Files Encrypted Prevented alert

DESKTOP-1 ransomware was prevented from encrypting files via powershell.exe (6056) powershell.exe -file mock_ransomware_v3.ps1 via parent process cmd.exe (10680) with result success

e9fa973eb5ad446e0be31c7b8ae02d48281319e7f492e1ddaadddfbdd5b480c7

Fields in a Ransomware Files Encrypted Prevented alert

user.name \ user.domain @ host.name ransomware was prevented from encrypting files via process.name (process.pid) process.args via parent process process.parent.name (process.parent.pid) with result event.outcome

process.hash.sha256

Ransomware Files Encrypted Detected alert

Ransomware Files Encrypted Detected alerts with the following event.dataset, event.type, event.category, and event.action will be rendered in Timeline via row renderers:

event.dataset: endpoint.alerts and event.type: allowed and event.category: file and event.action: files-encrypted

Sample Ransomware Files Encrypted Detected alert

DESKTOP-1 ransomware was detected encrypting files via powershell.exe (4684) powershell.exe -file mock_ransomware_v3.ps1 via parent process cmd.exe (8616) with result success

e9fa973eb5ad446e0be31c7b8ae02d48281319e7f492e1ddaadddfbdd5b480c7

Fields in a Ransomware Files Encrypted Detected alert

user.name \ user.domain @ host.name ransomware was detected encrypting files via process.name (process.pid) process.args via parent process process.parent.name (process.parent.pid) with result event.outcome

process.hash.sha256

Malware File Modification Prevented alert

Malware File Modification Prevented alerts with the following event.dataset, event.type, event.category, and event.action will be rendered in Timeline via row renderers:

event.dataset: endpoint.alerts and event.type: denied and event.category: file and event.action: modification

Sample Malware File Modification Prevented alert

win2019-endpoint-1 was prevented from modifying a malicious file mimikatz - Copy.exe in C:\Users\sean\Downloads\mimikatz_trunk (1)\x64\mimikatz - Copy.exe via explorer.exe (1008) C:\Windows\Explorer.EXE via parent process C:\Windows\System32\userinit.exe (356) with result success

31eb1de7e840a342fd468e558e5ab627bcb4c542a8fe01aec4d5ba01d539a0fc

Fields in a Malware File Modification Prevented alert

user.name \ user.domain @ host.name was prevented from modifying a malicious file file.name in file.path via process.name (process.pid) process.args via parent process process.parent.name (process.parent.pid) with result event.outcome

file.hash.sha256

Malware File Modification Detected alert

Malware File Modification Detected alerts with the following event.dataset, event.type, event.category, and event.action will be rendered in Timeline via row renderers:

event.dataset: endpoint.alerts and event.type: allowed and event.category: file and event.action: modification

Sample Malware File Modification Detected alert

mac-1.local was detected modifying a malicious file aircrack in /private/var/root/write_malware/modules/write_malware/aircrack via Python (5995) /usr/local/Cellar/python/2.7.14/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python main.py -a modify via parent process Python (97) with result success

f0954d9673878b2223b00b7ec770c7b438d876a9bb44ec78457e5c618f31f52b

Fields in a Malware File Modification Detected alert

user.name \ user.domain @ host.name was detected modifying a malicious file file.name in file.path via process.name (process.pid) process.args via parent process process.parent.name (process.parent.pid) with result event.outcome

file.hash.sha256

Malware File Rename Prevented alert

Malware File Rename Prevented alerts with the following event.dataset, event.type, event.category, and event.action will be rendered in Timeline via row renderers:

event.dataset: endpoint.alerts and event.type: denied and event.category: file and event.action: rename

Sample Malware File Rename Prevented alert

win2019-endpoint-1 was prevented from renaming a malicious file 23361f8f413dd9258545030e42056a352fe35f66bac376d49954551c9b4bcf97.exe in C:\Users\sean\Downloads\23361f8f413dd9258545030e42056a352fe35f66bac376d49954551c9b4bcf97.exe via explorer.exe (1008) C:\Windows\Explorer.EXE via parent process C:\Windows\System32\userinit.exe (356) with result success

23361f8f413dd9258545030e42056a352fe35f66bac376d49954551c9b4bcf97

Fields in a Malware File Rename Prevented alert

user.name \ user.domain @ host.name was prevented from renaming a malicious file file.name in file.path via process.name (process.pid) process.args via parent process process.parent.name (process.parent.pid) with result event.outcome

file.hash.sha256

Malware File Rename Detected alert

Malware File Rename Detected alerts with the following event.dataset, event.type, event.category, and event.action will be rendered in Timeline via row renderers:

event.dataset: endpoint.alerts and event.type: allowed and event.category: file and event.action: rename

Sample Malware File Rename Detected alert

win2019-endpoint-1 was detected renaming a malicious file 23361f8f413dd9258545030e42056a352fe35f66bac376d49954551c9b4bcf97.exe in C:\Users\sean\Downloads\23361f8f413dd9258545030e42056a352fe35f66bac376d49954551c9b4bcf97.exe via explorer.exe (1008) C:\Windows\Explorer.EXE via parent process C:\Windows\System32\userinit.exe (356) with result success

23361f8f413dd9258545030e42056a352fe35f66bac376d49954551c9b4bcf97

Fields in a Malware File Rename Detected alert

user.name \ user.domain @ host.name was detected renaming a malicious file file.name in file.path via process.name (process.pid) process.args via parent process process.parent.name (process.parent.pid) with result event.outcome

file.hash.sha256

Malware Process Execution Prevented alert

Malware Process Execution Prevented alerts with the following event.dataset, event.type, event.category, and event.action will be rendered in Timeline via row renderers:

event.dataset: endpoint.alerts and event.type: denied and event.category: process and event.action: execution

Sample Malware Process Execution Prevented alert

win2019-endpoint-1 was prevented from executing a malicious process C:\Users\sean\Downloads\3be13acde2f4dcded4fd8d518a513bfc9882407a6e384ffb17d12710db7d76fb.exe (6920) C:\Users\sean\Downloads\3be13acde2f4dcded4fd8d518a513bfc9882407a6e384ffb17d12710db7d76fb.exe via parent process explorer.exe (1008) with result success

3be13acde2f4dcded4fd8d518a513bfc9882407a6e384ffb17d12710db7d76fb

Fields in a Sample Malware Process Execution Prevented alert

host.name was prevented from executing a malicious process process.name (process.pid) process.args via parent process process.parent.name (process.parent.pid) with result event.outcome

process.hash.sha256

Malware Process Execution Detected alert

Malware Process Execution Detected alerts with the following event.dataset, event.type, event.category, and event.action will be rendered in Timeline via row renderers:

event.dataset: endpoint.alerts and event.type: allowed and event.category: process and event.action: execution

Sample Malware Process Execution Detected alert

DESKTOP-1 was detected executing a malicious process mimikatz_write.exe (8668) c:\temp\mimikatz_write.exe via parent process python.exe (4400) with result success

263f09eeee80e03aa27a2d19530e2451978e18bf733c5f1c64ff2389c5dc17b0

Fields in a Sample Malware Process Execution Detected alert

host.name was detected executing a malicious process process.name (process.pid) process.args via parent process process.parent.name (process.parent.pid) with result event.outcome

process.hash.sha256

File (FIM) Modification events

Endpoint File (FIM) Modification events with the following event.dataset and event.action will be rendered in Timeline via row renderers:

event.dataset: endpoint.events.file and event.action: modification

Sample rendered File (FIM) Modification event

Each field with this formatting is draggable (to pivot a search) in the row-rendered event:

admin @ test-Mac.local modified a file .dat.nosync01a5.6hoWv1 in /Users/admin/Library/Application Support/CrashReporter/.dat.nosync01a5.6hoWv1 via diagnostics_agent (421)

Fields in a File (FIM) Modification event

user.name \ user.domain @ host.name modified a file file.name in file.path via process.name (process.pid)

File (FIM) Overwrite events

Endpoint File (FIM) Overwrite events with the following event.dataset and event.action will be rendered in Timeline via row renderers:

event.dataset: endpoint.events.file and event.action: overwrite

Sample rendered File (FIM) Overwrite event

LOCAL SERVICE \ NT AUTHORITY @ windows-endpoint-1 overwrote a file lastalive0.dat in C:\Windows\ServiceState\EventLog\Data\lastalive0.dat via svchost.exe (1228)

Fields in a File (FIM) Overwrite event

user.name \ user.domain @ host.name overwrote a file file.name in file.path via process.name (process.pid)

File (FIM) Rename events

Endpoint File (FIM) Rename events with the following event.dataset and event.action will be rendered in Timeline via row renderers:

event.dataset: endpoint.events.file and event.action: rename

Sample rendered File (FIM) Rename event

LOCAL SERVICE \ NT AUTHORITY @ windows-endpoint-1 renamed a file SRU.log in C:\Windows\System32\sru\SRU.log from its original path C:\Windows\System32\sru\SRUtmp.log via svchost.exe (1204)

Fields in a File (FIM) Rename event

user.name \ user.domain @ host.name renamed a file file.name in file.path from its original path file.Ext.original.path via process.name (process.pid)

Registry Modification events

Registry Modification events with the following event.dataset and event.action will be rendered in Timeline via row renderers:

event.dataset: endpoint.events.registry and event.action: modification

Sample Registry Modification event

SYSTEM \ NT AUTHORITY @ win2019-endpoint-1 modified registry key SOFTWARE\WOW6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState with new value HKLM\SOFTWARE\WOW6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState\StateValue via GoogleUpdate.exe (7408)

Fields in a Registry Modification event

user.name \ user.domain @ host.name modified registry key registry.key with new value registry.path via process.name (process.pid)

Library Load events

Library Load events with the following event.dataset and event.action will be rendered in Timeline via row renderers:

event.dataset: endpoint.events.library and event.action: load

Sample Library Load event

SYSTEM \ NT AUTHORITY @ win2019-endpoint-1 loaded library bcrypt.dll in C:\Windows\System32\bcrypt.dll via sshd.exe (9644)
e70f5d8f87aab14e3160227d38387889befbe37fa4f8f5adc59eff52804b35fd
2c4ba5c1482987d50a182bad915f52cd6611ee63
00439016776de367bad087d739a03797

Fields in a Library Load event

user.name \ user.domain @ host.name loaded library file.name in file.path via process.name (process.pid)
file.hash.sha256
file.hash.sha1
file.hash.md5

HTTP Request events

HTTP Request events with the following event.dataset and event.action will be rendered in Timeline via row renderers:

event.dataset: endpoint.events.network and event.action: http_request

Sample HTTP Request event

Network HTTP Request events, like the one in the screenshot above, are also rendered by the Netflow row renderer, which displays information that includes the directionality of the connection, protocol, and source / destination details.

NETWORK SERVICE \ NT AUTHORITY @ win2019-endpoint-1 made a http request via svchost.exe (2232)

Fields in a HTTP Request event

user.name \ user.domain @ host.name made a http request via process.name (process.pid)

Process Exec events

Endpoint Process Exec events with the following event.dataset and event.action will be rendered in Timeline via row renderers:

event.dataset: endpoint.events.process and event.action: exec

Sample rendered Process Exec event

admin @ test-mac.local executed process mdworker_shared (4454) /System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker_shared -s mdworker -c MDSImporterWorker -m com.apple.mdworker.shared via parent process launchd (1)

4bc018ac461706496302d1faab0a8bb39aad974eb432758665103165f3a2dd2b

Fields in a Process Exec event

The following fields will be used to render a Process Exec event:

user.name @ host.name executed process process.name (process.pid) process.args via parent process process.parent.name (process.parent.pid)

process.hash.sha256

Process Fork events

Endpoint Process Fork events with the following event.dataset and event.action will be rendered in Timeline via row renderers:

event.dataset: endpoint.events.process and event.action: fork

Sample rendered Process Fork event

admin @ test-mac.local forked process zoom.us (4042) /Applications/zoom.us.app/Contents/MacOS/zoom.us via parent process zoom.us (3961)

cbf3d059cc9f9c0adff5ef15bf331b95ab381837fa0adecd965a41b5846f4bd4

Fields in a Process Fork event

The following fields will be used to render a Process Exec event:

user.name @ host.name forked process process.name (process.pid) process.args via parent process process.parent.name (process.parent.pid)

process.hash.sha256

This PR implements the 2nd batch of Endpoint row renderers, **including the new Ransomware alerts**, by adding new row renderers for the following Endpoint alerts and events: | event.dataset | event.type | event.category | event.action | |--------------------------|------------|----------------|-----------------| | endpoint.alerts | denied | file | creation | | endpoint.alerts | allowed | file | creation | | endpoint.alerts | denied | file | files-encrypted | | endpoint.alerts | allowed | file | files-encrypted | | endpoint.alerts | denied | file | modification | | endpoint.alerts | allowed | file | modification | | endpoint.alerts | denied | file | rename | | endpoint.alerts | allowed | file | rename | | endpoint.alerts | denied | process | execution | | endpoint.alerts | allowed | process | execution | | endpoint.events.file | change | file | modification | | endpoint.events.file | change | file | overwrite | | endpoint.events.file | change | file | rename | | endpoint.events.registry | change | registry | modification | | endpoint.events.library | start | library | load | | endpoint.events.network | protocol | network | http_request | | endpoint.events.process | start | process | exec | | endpoint.events.process | start | process | fork | Other updates: - All row renders will now only display the `file.hash.sha256` and `process.hash.sha256`. (The `sha1` and `md5` hashes will no longer be displayed) ## Malware File Creation Prevented alert Malware File Creation Prevented alerts with the following `event.dataset`, `event.type`, `event.category`, and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.alerts and event.type: denied and event.category: file and event.action: creation ``` ### Sample Malware File Creation Prevented alert ![malware_file_creation_prevented](https://user-images.githubusercontent.com/4459398/107970084-e4762b00-6f6d-11eb-88c8-c9fd474d2de4.png) `win2019-endpoint-1` was prevented from creating a malicious file `6a5eabd6-1c79-4962-b411-a5e7d9e967d4.tmp` in `C:\Users\sean\Downloads\6a5eabd6-1c79-4962-b411-a5e7d9e967d4.tmp` via `chrome.exe` (`8944`) `C:\Program Files\Google\Chrome\Application\chrome.exe` via parent process `explorer.exe` (`1008`) with result `success` `7cc42618e580f233fee47e82312cc5c3476cb5de9219ba3f9eb7f99ac0659c30` ### Fields in a Malware File Creation Prevented alert `user.name` \ `user.domain` @ `host.name` was prevented from creating a malicious file `file.name` in `file.path` via `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`) with result `event.outcome` `file.hash.sha256` ## Malware File Creation Detected alert Malware File Creation Detected alerts with the following `event.dataset`, `event.type`, `event.category`, and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.alerts and event.type: allowed and event.category: file and event.action: creation ``` ### Sample Malware File Creation Detected alert ![malware_file_creation_detected](https://user-images.githubusercontent.com/4459398/107970897-f7d5c600-6f6e-11eb-83a8-7324e34506c1.png) `DESKTOP-1` was detected creating a malicious file `mimikatz_write.exe` in `C:\temp\mimikatz_write.exe` via `python.exe` (`4400`) `C:\Python27\python.exe` `main.py` `-a` `execute` `-p` `c:\temp` via parent process `pythonservice.exe` (`2936`) with result `success` `263f09eeee80e03aa27a2d19530e2451978e18bf733c5f1c64ff2389c5dc17b0` ### Fields in a Malware File Creation Detected alert `user.name` \ `user.domain` @ `host.name` was detected creating a malicious file `file.name` in `file.path` via `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`) with result `event.outcome` `file.hash.sha256` ## Ransomware Files Encrypted Prevented alert Ransomware Files Encrypted Prevented alerts with the following `event.dataset`, `event.type`, `event.category`, and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.alerts and event.type: denied and event.category: file and event.action: files-encrypted ``` ### Sample Ransomware Files Encrypted Prevented alert ![ransomware_files-encrypted_prevented](https://user-images.githubusercontent.com/4459398/107973327-56e90a00-6f72-11eb-8337-8bb15bd24ad2.png) `DESKTOP-1` ransomware was prevented from encrypting files via `powershell.exe` (`6056`) `powershell.exe` `-file` `mock_ransomware_v3.ps1` via parent process `cmd.exe` (`10680`) with result `success` `e9fa973eb5ad446e0be31c7b8ae02d48281319e7f492e1ddaadddfbdd5b480c7` ### Fields in a Ransomware Files Encrypted Prevented alert `user.name` \ `user.domain` @ `host.name` ransomware was prevented from encrypting files via `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`) with result `event.outcome` `process.hash.sha256` ## Ransomware Files Encrypted Detected alert Ransomware Files Encrypted Detected alerts with the following `event.dataset`, `event.type`, `event.category`, and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.alerts and event.type: allowed and event.category: file and event.action: files-encrypted ``` ### Sample Ransomware Files Encrypted Detected alert ![ransomware_files-encrypted_detected](https://user-images.githubusercontent.com/4459398/107976086-42a70c00-6f76-11eb-8977-74ad47191d71.png) `DESKTOP-1` ransomware was detected encrypting files via `powershell.exe` (`4684`) `powershell.exe` `-file` `mock_ransomware_v3.ps1` via parent process `cmd.exe` (`8616`) with result `success` `e9fa973eb5ad446e0be31c7b8ae02d48281319e7f492e1ddaadddfbdd5b480c7` ### Fields in a Ransomware Files Encrypted Detected alert `user.name` \ `user.domain` @ `host.name` ransomware was detected encrypting files via `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`) with result `event.outcome` `process.hash.sha256` ## Malware File Modification Prevented alert Malware File Modification Prevented alerts with the following `event.dataset`, `event.type`, `event.category`, and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.alerts and event.type: denied and event.category: file and event.action: modification ``` ### Sample Malware File Modification Prevented alert ![malware_file_modification_prevented](https://user-images.githubusercontent.com/4459398/107979686-3a51cf80-6f7c-11eb-92ff-f164536f6c70.png) `win2019-endpoint-1` was prevented from modifying a malicious file `mimikatz - Copy.exe` in `C:\Users\sean\Downloads\mimikatz_trunk (1)\x64\mimikatz - Copy.exe` via `explorer.exe` (`1008`) `C:\Windows\Explorer.EXE` via parent process `C:\Windows\System32\userinit.exe` (`356`) with result `success` `31eb1de7e840a342fd468e558e5ab627bcb4c542a8fe01aec4d5ba01d539a0fc` ### Fields in a Malware File Modification Prevented alert `user.name` \ `user.domain` @ `host.name` was prevented from modifying a malicious file `file.name` in `file.path` via `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`) with result `event.outcome` `file.hash.sha256` ## Malware File Modification Detected alert Malware File Modification Detected alerts with the following `event.dataset`, `event.type`, `event.category`, and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.alerts and event.type: allowed and event.category: file and event.action: modification ``` ### Sample Malware File Modification Detected alert ![malware_file_modification_detected](https://user-images.githubusercontent.com/4459398/107980920-55bdda00-6f7e-11eb-9d08-2aa02253a958.png) `mac-1.local` was detected modifying a malicious file `aircrack` in `/private/var/root/write_malware/modules/write_malware/aircrack` via `Python` (`5995`) `/usr/local/Cellar/python/2.7.14/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python` `main.py` `-a` `modify` via parent process `Python` (`97`) with result `success` `f0954d9673878b2223b00b7ec770c7b438d876a9bb44ec78457e5c618f31f52b` ### Fields in a Malware File Modification Detected alert `user.name` \ `user.domain` @ `host.name` was detected modifying a malicious file `file.name` in `file.path` via `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`) with result `event.outcome` `file.hash.sha256` ## Malware File Rename Prevented alert Malware File Rename Prevented alerts with the following `event.dataset`, `event.type`, `event.category`, and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.alerts and event.type: denied and event.category: file and event.action: rename ``` ### Sample Malware File Rename Prevented alert ![malware_file_rename_prevented](https://user-images.githubusercontent.com/4459398/107981991-6e2ef400-6f80-11eb-8d48-3c9aa48c5d72.png) `win2019-endpoint-1` was prevented from renaming a malicious file `23361f8f413dd9258545030e42056a352fe35f66bac376d49954551c9b4bcf97.exe` in `C:\Users\sean\Downloads\23361f8f413dd9258545030e42056a352fe35f66bac376d49954551c9b4bcf97.exe` via `explorer.exe` (`1008`) `C:\Windows\Explorer.EXE` via parent process `C:\Windows\System32\userinit.exe` (`356`) with result `success` `23361f8f413dd9258545030e42056a352fe35f66bac376d49954551c9b4bcf97` ### Fields in a Malware File Rename Prevented alert `user.name` \ `user.domain` @ `host.name` was prevented from renaming a malicious file `file.name` in `file.path` via `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`) with result `event.outcome` `file.hash.sha256` ## Malware File Rename Detected alert Malware File Rename Detected alerts with the following `event.dataset`, `event.type`, `event.category`, and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.alerts and event.type: allowed and event.category: file and event.action: rename ``` ### Sample Malware File Rename Detected alert ![malware_file_rename_detected](https://user-images.githubusercontent.com/4459398/107983209-ab948100-6f82-11eb-893f-359fa0bd3a19.png) `win2019-endpoint-1` was detected renaming a malicious file `23361f8f413dd9258545030e42056a352fe35f66bac376d49954551c9b4bcf97.exe` in `C:\Users\sean\Downloads\23361f8f413dd9258545030e42056a352fe35f66bac376d49954551c9b4bcf97.exe` via `explorer.exe` (`1008`) `C:\Windows\Explorer.EXE` via parent process `C:\Windows\System32\userinit.exe` (`356`) with result `success` `23361f8f413dd9258545030e42056a352fe35f66bac376d49954551c9b4bcf97` ### Fields in a Malware File Rename Detected alert `user.name` \ `user.domain` @ `host.name` was detected renaming a malicious file `file.name` in `file.path` via `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`) with result `event.outcome` `file.hash.sha256` ## Malware Process Execution Prevented alert Malware Process Execution Prevented alerts with the following `event.dataset`, `event.type`, `event.category`, and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.alerts and event.type: denied and event.category: process and event.action: execution ``` ### Sample Malware Process Execution Prevented alert ![malware_process_execution_prevented](https://user-images.githubusercontent.com/4459398/107986073-8b67c080-6f88-11eb-89a5-95434639631e.png) `win2019-endpoint-1` was prevented from executing a malicious process `C:\Users\sean\Downloads\3be13acde2f4dcded4fd8d518a513bfc9882407a6e384ffb17d12710db7d76fb.exe` (`6920`) `C:\Users\sean\Downloads\3be13acde2f4dcded4fd8d518a513bfc9882407a6e384ffb17d12710db7d76fb.exe` via parent process `explorer.exe` (`1008`) with result `success` `3be13acde2f4dcded4fd8d518a513bfc9882407a6e384ffb17d12710db7d76fb` ### Fields in a Sample Malware Process Execution Prevented alert `host.name` was prevented from executing a malicious process `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`) with result `event.outcome` `process.hash.sha256` ## Malware Process Execution Detected alert Malware Process Execution Detected alerts with the following `event.dataset`, `event.type`, `event.category`, and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.alerts and event.type: allowed and event.category: process and event.action: execution ``` ### Sample Malware Process Execution Detected alert ![malware_process_execution_detected](https://user-images.githubusercontent.com/4459398/107986475-590a9300-6f89-11eb-9dbc-373efe005c85.png) `DESKTOP-1` was detected executing a malicious process `mimikatz_write.exe` (`8668`) `c:\temp\mimikatz_write.exe` via parent process `python.exe` (`4400`) with result `success` `263f09eeee80e03aa27a2d19530e2451978e18bf733c5f1c64ff2389c5dc17b0` ### Fields in a Sample Malware Process Execution Detected alert `host.name` was detected executing a malicious process `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`) with result `event.outcome` `process.hash.sha256` ## File (FIM) Modification events Endpoint File (FIM) Modification events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.file and event.action: modification ``` ### Sample rendered File (FIM) Modification event Each field with `this formatting` is draggable (to pivot a search) in the row-rendered event: ![file_modification](https://user-images.githubusercontent.com/4459398/106680191-641df600-657b-11eb-974e-e2afbc7698a3.png) `admin` @ `test-Mac.local` modified a file `.dat.nosync01a5.6hoWv1` in `/Users/admin/Library/Application Support/CrashReporter/.dat.nosync01a5.6hoWv1` via `diagnostics_agent` `(421)` ### Fields in a File (FIM) Modification event `user.name` \ `user.domain` @ `host.name` modified a file `file.name` in `file.path` via `process.name` `(process.pid)` ## File (FIM) Overwrite events Endpoint File (FIM) Overwrite events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.file and event.action: overwrite ``` ### Sample rendered File (FIM) Overwrite event ![file_overwrite](https://user-images.githubusercontent.com/4459398/106675692-c9b9b480-6572-11eb-9f78-fb0b4bf0b05d.png) `LOCAL SERVICE` \ `NT AUTHORITY` @ `windows-endpoint-1` overwrote a file `lastalive0.dat` in `C:\Windows\ServiceState\EventLog\Data\lastalive0.dat` via `svchost.exe` `(1228)` ### Fields in a File (FIM) Overwrite event `user.name` \ `user.domain` @ `host.name` overwrote a file `file.name` in `file.path` via `process.name` `(process.pid)` ## File (FIM) Rename events Endpoint File (FIM) Rename events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.file and event.action: rename ``` ### Sample rendered File (FIM) Rename event ![file_rename](https://user-images.githubusercontent.com/4459398/106534633-c4e0fc00-64b1-11eb-8213-494b51e8cdf9.png) `LOCAL SERVICE` \ `NT AUTHORITY` @ `windows-endpoint-1` renamed a file `SRU.log` in `C:\Windows\System32\sru\SRU.log` from its original path `C:\Windows\System32\sru\SRUtmp.log` via `svchost.exe` `(1204)` ### Fields in a File (FIM) Rename event `user.name` \ `user.domain` @ `host.name` renamed a file `file.name` in `file.path` from its original path `file.Ext.original.path` via `process.name` `(process.pid)` ## Registry Modification events Registry Modification events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.registry and event.action: modification ``` ### Sample Registry Modification event ![registry_modification](https://user-images.githubusercontent.com/4459398/107091637-56f14900-67bf-11eb-9c8b-7f748e848bac.png) `SYSTEM` \ `NT AUTHORITY` @ `win2019-endpoint-1` modified registry key `SOFTWARE\WOW6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState` with new value `HKLM\SOFTWARE\WOW6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState\StateValue` via `GoogleUpdate.exe` `(7408)` ### Fields in a Registry Modification event `user.name` \ `user.domain` @ `host.name` modified registry key `registry.key` with new value `registry.path` via `process.name` `(process.pid)` ## Library Load events Library Load events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.library and event.action: load ``` ### Sample Library Load event ![library_load](https://user-images.githubusercontent.com/4459398/107261734-ea638d80-69fc-11eb-8b2c-0a4f453b3f95.png) `SYSTEM` \ `NT AUTHORITY` @ `win2019-endpoint-1` loaded library `bcrypt.dll` in `C:\Windows\System32\bcrypt.dll` via `sshd.exe` `(9644)` `e70f5d8f87aab14e3160227d38387889befbe37fa4f8f5adc59eff52804b35fd` `2c4ba5c1482987d50a182bad915f52cd6611ee63` `00439016776de367bad087d739a03797` ### Fields in a Library Load event `user.name` \ `user.domain` @ `host.name` loaded library `file.name` in `file.path` via `process.name` `(process.pid)` `file.hash.sha256` `file.hash.sha1` `file.hash.md5` ## HTTP Request events HTTP Request events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.network and event.action: http_request ``` ### Sample HTTP Request event ![http_request](https://user-images.githubusercontent.com/4459398/107546591-c5505580-6b89-11eb-8081-fe492312cc12.png) Network HTTP Request events, like the one in the screenshot above, are also rendered by the Netflow row renderer, which displays information that includes the directionality of the connection, protocol, and source / destination details. `NETWORK SERVICE` \ `NT AUTHORITY` @ `win2019-endpoint-1` made a http request via `svchost.exe` `(2232)` ### Fields in a HTTP Request event `user.name` \ `user.domain` @ `host.name` made a http request via `process.name` `(process.pid)` ## Process Exec events Endpoint Process Exec events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.process and event.action: exec ``` ### Sample rendered Process Exec event ![process_exec](https://user-images.githubusercontent.com/4459398/107989163-de447680-6f8e-11eb-88e9-d8c72d77bc2d.png) `admin` @ `test-mac.local` executed process `mdworker_shared` (`4454`) `/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker_shared` `-s` `mdworker` `-c` `MDSImporterWorker` `-m` `com.apple.mdworker.shared` via parent process `launchd` (`1`) `4bc018ac461706496302d1faab0a8bb39aad974eb432758665103165f3a2dd2b` ### Fields in a Process Exec event The following fields will be used to render a Process Exec event: `user.name` @ `host.name` executed process `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`) `process.hash.sha256` ## Process Fork events Endpoint Process Fork events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.process and event.action: fork ``` ### Sample rendered Process Fork event ![process_fork](https://user-images.githubusercontent.com/4459398/107990678-29ac5400-6f92-11eb-893f-59bafa79cd53.png) `admin` @ `test-mac.local` forked process `zoom.us` (`4042`) `/Applications/zoom.us.app/Contents/MacOS/zoom.us` via parent process `zoom.us` (`3961`) `cbf3d059cc9f9c0adff5ef15bf331b95ab381837fa0adecd965a41b5846f4bd4` ### Fields in a Process Fork event The following fields will be used to render a Process Exec event: `user.name` @ `host.name` forked process `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`) `process.hash.sha256`

elasticmachine · 2021-02-15T22:14:48Z

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

andrew-goldstein · 2021-02-16T01:35:20Z

@elasticmachine merge upstream

.../plugins/security_solution/public/timelines/components/timeline/body/renderers/file_hash.tsx

...ugins/security_solution/public/timelines/components/timeline/body/renderers/process_hash.tsx

…renderers_batch_2_v2

kibanamachine · 2021-02-17T03:49:32Z

💚 Build Succeeded

continuous-integration/kibana-ci/pull-request
Commit: 62fd1e6

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

id	before	after	diff
`securitySolution`	2190	2197	+7

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id	before	after	diff
`securitySolution`	7.6MB	7.6MB	+45.5KB

History

💛 Build #106712 was flaky d6bee7f6c91dd2db35ceeae6e12f9f0e0b3a7910
💛 Build #106705 was flaky d2d08f7

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

…astic#91446) ## [Security Solution] [Timeline] Endpoint row renderers (2nd batch) This PR implements the 2nd batch of Endpoint row renderers, **including the new Ransomware alerts**, by adding new row renderers for the following Endpoint alerts and events: | event.dataset | event.type | event.category | event.action | |--------------------------|------------|----------------|-----------------| | endpoint.alerts | denied | file | creation | | endpoint.alerts | allowed | file | creation | | endpoint.alerts | denied | file | files-encrypted | | endpoint.alerts | allowed | file | files-encrypted | | endpoint.alerts | denied | file | modification | | endpoint.alerts | allowed | file | modification | | endpoint.alerts | denied | file | rename | | endpoint.alerts | allowed | file | rename | | endpoint.alerts | denied | process | execution | | endpoint.alerts | allowed | process | execution | | endpoint.events.file | change | file | modification | | endpoint.events.file | change | file | overwrite | | endpoint.events.file | change | file | rename | | endpoint.events.registry | change | registry | modification | | endpoint.events.library | start | library | load | | endpoint.events.network | protocol | network | http_request | | endpoint.events.process | start | process | exec | | endpoint.events.process | start | process | fork | Other updates: - All row renders will now only display the `file.hash.sha256` and `process.hash.sha256`. (The `sha1` and `md5` hashes will no longer be displayed) ## Malware File Creation Prevented alert Malware File Creation Prevented alerts with the following `event.dataset`, `event.type`, `event.category`, and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.alerts and event.type: denied and event.category: file and event.action: creation ``` ### Sample Malware File Creation Prevented alert ![malware_file_creation_prevented](https://user-images.githubusercontent.com/4459398/107970084-e4762b00-6f6d-11eb-88c8-c9fd474d2de4.png) `win2019-endpoint-1` was prevented from creating a malicious file `6a5eabd6-1c79-4962-b411-a5e7d9e967d4.tmp` in `C:\Users\sean\Downloads\6a5eabd6-1c79-4962-b411-a5e7d9e967d4.tmp` via `chrome.exe` (`8944`) `C:\Program Files\Google\Chrome\Application\chrome.exe` via parent process `explorer.exe` (`1008`) with result `success` `7cc42618e580f233fee47e82312cc5c3476cb5de9219ba3f9eb7f99ac0659c30` ### Fields in a Malware File Creation Prevented alert `user.name` \ `user.domain` @ `host.name` was prevented from creating a malicious file `file.name` in `file.path` via `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`) with result `event.outcome` `file.hash.sha256` ## Malware File Creation Detected alert Malware File Creation Detected alerts with the following `event.dataset`, `event.type`, `event.category`, and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.alerts and event.type: allowed and event.category: file and event.action: creation ``` ### Sample Malware File Creation Detected alert ![malware_file_creation_detected](https://user-images.githubusercontent.com/4459398/107970897-f7d5c600-6f6e-11eb-83a8-7324e34506c1.png) `DESKTOP-1` was detected creating a malicious file `mimikatz_write.exe` in `C:\temp\mimikatz_write.exe` via `python.exe` (`4400`) `C:\Python27\python.exe` `main.py` `-a` `execute` `-p` `c:\temp` via parent process `pythonservice.exe` (`2936`) with result `success` `263f09eeee80e03aa27a2d19530e2451978e18bf733c5f1c64ff2389c5dc17b0` ### Fields in a Malware File Creation Detected alert `user.name` \ `user.domain` @ `host.name` was detected creating a malicious file `file.name` in `file.path` via `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`) with result `event.outcome` `file.hash.sha256` ## Ransomware Files Encrypted Prevented alert Ransomware Files Encrypted Prevented alerts with the following `event.dataset`, `event.type`, `event.category`, and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.alerts and event.type: denied and event.category: file and event.action: files-encrypted ``` ### Sample Ransomware Files Encrypted Prevented alert ![ransomware_files-encrypted_prevented](https://user-images.githubusercontent.com/4459398/107973327-56e90a00-6f72-11eb-8337-8bb15bd24ad2.png) `DESKTOP-1` ransomware was prevented from encrypting files via `powershell.exe` (`6056`) `powershell.exe` `-file` `mock_ransomware_v3.ps1` via parent process `cmd.exe` (`10680`) with result `success` `e9fa973eb5ad446e0be31c7b8ae02d48281319e7f492e1ddaadddfbdd5b480c7` ### Fields in a Ransomware Files Encrypted Prevented alert `user.name` \ `user.domain` @ `host.name` ransomware was prevented from encrypting files via `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`) with result `event.outcome` `process.hash.sha256` ## Ransomware Files Encrypted Detected alert Ransomware Files Encrypted Detected alerts with the following `event.dataset`, `event.type`, `event.category`, and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.alerts and event.type: allowed and event.category: file and event.action: files-encrypted ``` ### Sample Ransomware Files Encrypted Detected alert ![ransomware_files-encrypted_detected](https://user-images.githubusercontent.com/4459398/107976086-42a70c00-6f76-11eb-8977-74ad47191d71.png) `DESKTOP-1` ransomware was detected encrypting files via `powershell.exe` (`4684`) `powershell.exe` `-file` `mock_ransomware_v3.ps1` via parent process `cmd.exe` (`8616`) with result `success` `e9fa973eb5ad446e0be31c7b8ae02d48281319e7f492e1ddaadddfbdd5b480c7` ### Fields in a Ransomware Files Encrypted Detected alert `user.name` \ `user.domain` @ `host.name` ransomware was detected encrypting files via `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`) with result `event.outcome` `process.hash.sha256` ## Malware File Modification Prevented alert Malware File Modification Prevented alerts with the following `event.dataset`, `event.type`, `event.category`, and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.alerts and event.type: denied and event.category: file and event.action: modification ``` ### Sample Malware File Modification Prevented alert ![malware_file_modification_prevented](https://user-images.githubusercontent.com/4459398/107979686-3a51cf80-6f7c-11eb-92ff-f164536f6c70.png) `win2019-endpoint-1` was prevented from modifying a malicious file `mimikatz - Copy.exe` in `C:\Users\sean\Downloads\mimikatz_trunk (1)\x64\mimikatz - Copy.exe` via `explorer.exe` (`1008`) `C:\Windows\Explorer.EXE` via parent process `C:\Windows\System32\userinit.exe` (`356`) with result `success` `31eb1de7e840a342fd468e558e5ab627bcb4c542a8fe01aec4d5ba01d539a0fc` ### Fields in a Malware File Modification Prevented alert `user.name` \ `user.domain` @ `host.name` was prevented from modifying a malicious file `file.name` in `file.path` via `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`) with result `event.outcome` `file.hash.sha256` ## Malware File Modification Detected alert Malware File Modification Detected alerts with the following `event.dataset`, `event.type`, `event.category`, and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.alerts and event.type: allowed and event.category: file and event.action: modification ``` ### Sample Malware File Modification Detected alert ![malware_file_modification_detected](https://user-images.githubusercontent.com/4459398/107980920-55bdda00-6f7e-11eb-9d08-2aa02253a958.png) `mac-1.local` was detected modifying a malicious file `aircrack` in `/private/var/root/write_malware/modules/write_malware/aircrack` via `Python` (`5995`) `/usr/local/Cellar/python/2.7.14/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python` `main.py` `-a` `modify` via parent process `Python` (`97`) with result `success` `f0954d9673878b2223b00b7ec770c7b438d876a9bb44ec78457e5c618f31f52b` ### Fields in a Malware File Modification Detected alert `user.name` \ `user.domain` @ `host.name` was detected modifying a malicious file `file.name` in `file.path` via `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`) with result `event.outcome` `file.hash.sha256` ## Malware File Rename Prevented alert Malware File Rename Prevented alerts with the following `event.dataset`, `event.type`, `event.category`, and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.alerts and event.type: denied and event.category: file and event.action: rename ``` ### Sample Malware File Rename Prevented alert ![malware_file_rename_prevented](https://user-images.githubusercontent.com/4459398/107981991-6e2ef400-6f80-11eb-8d48-3c9aa48c5d72.png) `win2019-endpoint-1` was prevented from renaming a malicious file `23361f8f413dd9258545030e42056a352fe35f66bac376d49954551c9b4bcf97.exe` in `C:\Users\sean\Downloads\23361f8f413dd9258545030e42056a352fe35f66bac376d49954551c9b4bcf97.exe` via `explorer.exe` (`1008`) `C:\Windows\Explorer.EXE` via parent process `C:\Windows\System32\userinit.exe` (`356`) with result `success` `23361f8f413dd9258545030e42056a352fe35f66bac376d49954551c9b4bcf97` ### Fields in a Malware File Rename Prevented alert `user.name` \ `user.domain` @ `host.name` was prevented from renaming a malicious file `file.name` in `file.path` via `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`) with result `event.outcome` `file.hash.sha256` ## Malware File Rename Detected alert Malware File Rename Detected alerts with the following `event.dataset`, `event.type`, `event.category`, and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.alerts and event.type: allowed and event.category: file and event.action: rename ``` ### Sample Malware File Rename Detected alert ![malware_file_rename_detected](https://user-images.githubusercontent.com/4459398/107983209-ab948100-6f82-11eb-893f-359fa0bd3a19.png) `win2019-endpoint-1` was detected renaming a malicious file `23361f8f413dd9258545030e42056a352fe35f66bac376d49954551c9b4bcf97.exe` in `C:\Users\sean\Downloads\23361f8f413dd9258545030e42056a352fe35f66bac376d49954551c9b4bcf97.exe` via `explorer.exe` (`1008`) `C:\Windows\Explorer.EXE` via parent process `C:\Windows\System32\userinit.exe` (`356`) with result `success` `23361f8f413dd9258545030e42056a352fe35f66bac376d49954551c9b4bcf97` ### Fields in a Malware File Rename Detected alert `user.name` \ `user.domain` @ `host.name` was detected renaming a malicious file `file.name` in `file.path` via `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`) with result `event.outcome` `file.hash.sha256` ## Malware Process Execution Prevented alert Malware Process Execution Prevented alerts with the following `event.dataset`, `event.type`, `event.category`, and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.alerts and event.type: denied and event.category: process and event.action: execution ``` ### Sample Malware Process Execution Prevented alert ![malware_process_execution_prevented](https://user-images.githubusercontent.com/4459398/107986073-8b67c080-6f88-11eb-89a5-95434639631e.png) `win2019-endpoint-1` was prevented from executing a malicious process `C:\Users\sean\Downloads\3be13acde2f4dcded4fd8d518a513bfc9882407a6e384ffb17d12710db7d76fb.exe` (`6920`) `C:\Users\sean\Downloads\3be13acde2f4dcded4fd8d518a513bfc9882407a6e384ffb17d12710db7d76fb.exe` via parent process `explorer.exe` (`1008`) with result `success` `3be13acde2f4dcded4fd8d518a513bfc9882407a6e384ffb17d12710db7d76fb` ### Fields in a Sample Malware Process Execution Prevented alert `host.name` was prevented from executing a malicious process `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`) with result `event.outcome` `process.hash.sha256` ## Malware Process Execution Detected alert Malware Process Execution Detected alerts with the following `event.dataset`, `event.type`, `event.category`, and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.alerts and event.type: allowed and event.category: process and event.action: execution ``` ### Sample Malware Process Execution Detected alert ![malware_process_execution_detected](https://user-images.githubusercontent.com/4459398/107986475-590a9300-6f89-11eb-9dbc-373efe005c85.png) `DESKTOP-1` was detected executing a malicious process `mimikatz_write.exe` (`8668`) `c:\temp\mimikatz_write.exe` via parent process `python.exe` (`4400`) with result `success` `263f09eeee80e03aa27a2d19530e2451978e18bf733c5f1c64ff2389c5dc17b0` ### Fields in a Sample Malware Process Execution Detected alert `host.name` was detected executing a malicious process `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`) with result `event.outcome` `process.hash.sha256` ## File (FIM) Modification events Endpoint File (FIM) Modification events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.file and event.action: modification ``` ### Sample rendered File (FIM) Modification event Each field with `this formatting` is draggable (to pivot a search) in the row-rendered event: ![file_modification](https://user-images.githubusercontent.com/4459398/106680191-641df600-657b-11eb-974e-e2afbc7698a3.png) `admin` @ `test-Mac.local` modified a file `.dat.nosync01a5.6hoWv1` in `/Users/admin/Library/Application Support/CrashReporter/.dat.nosync01a5.6hoWv1` via `diagnostics_agent` `(421)` ### Fields in a File (FIM) Modification event `user.name` \ `user.domain` @ `host.name` modified a file `file.name` in `file.path` via `process.name` `(process.pid)` ## File (FIM) Overwrite events Endpoint File (FIM) Overwrite events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.file and event.action: overwrite ``` ### Sample rendered File (FIM) Overwrite event ![file_overwrite](https://user-images.githubusercontent.com/4459398/106675692-c9b9b480-6572-11eb-9f78-fb0b4bf0b05d.png) `LOCAL SERVICE` \ `NT AUTHORITY` @ `windows-endpoint-1` overwrote a file `lastalive0.dat` in `C:\Windows\ServiceState\EventLog\Data\lastalive0.dat` via `svchost.exe` `(1228)` ### Fields in a File (FIM) Overwrite event `user.name` \ `user.domain` @ `host.name` overwrote a file `file.name` in `file.path` via `process.name` `(process.pid)` ## File (FIM) Rename events Endpoint File (FIM) Rename events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.file and event.action: rename ``` ### Sample rendered File (FIM) Rename event ![file_rename](https://user-images.githubusercontent.com/4459398/106534633-c4e0fc00-64b1-11eb-8213-494b51e8cdf9.png) `LOCAL SERVICE` \ `NT AUTHORITY` @ `windows-endpoint-1` renamed a file `SRU.log` in `C:\Windows\System32\sru\SRU.log` from its original path `C:\Windows\System32\sru\SRUtmp.log` via `svchost.exe` `(1204)` ### Fields in a File (FIM) Rename event `user.name` \ `user.domain` @ `host.name` renamed a file `file.name` in `file.path` from its original path `file.Ext.original.path` via `process.name` `(process.pid)` ## Registry Modification events Registry Modification events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.registry and event.action: modification ``` ### Sample Registry Modification event ![registry_modification](https://user-images.githubusercontent.com/4459398/107091637-56f14900-67bf-11eb-9c8b-7f748e848bac.png) `SYSTEM` \ `NT AUTHORITY` @ `win2019-endpoint-1` modified registry key `SOFTWARE\WOW6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState` with new value `HKLM\SOFTWARE\WOW6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState\StateValue` via `GoogleUpdate.exe` `(7408)` ### Fields in a Registry Modification event `user.name` \ `user.domain` @ `host.name` modified registry key `registry.key` with new value `registry.path` via `process.name` `(process.pid)` ## Library Load events Library Load events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.library and event.action: load ``` ### Sample Library Load event ![library_load](https://user-images.githubusercontent.com/4459398/107261734-ea638d80-69fc-11eb-8b2c-0a4f453b3f95.png) `SYSTEM` \ `NT AUTHORITY` @ `win2019-endpoint-1` loaded library `bcrypt.dll` in `C:\Windows\System32\bcrypt.dll` via `sshd.exe` `(9644)` `e70f5d8f87aab14e3160227d38387889befbe37fa4f8f5adc59eff52804b35fd` `2c4ba5c1482987d50a182bad915f52cd6611ee63` `00439016776de367bad087d739a03797` ### Fields in a Library Load event `user.name` \ `user.domain` @ `host.name` loaded library `file.name` in `file.path` via `process.name` `(process.pid)` `file.hash.sha256` `file.hash.sha1` `file.hash.md5` ## HTTP Request events HTTP Request events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.network and event.action: http_request ``` ### Sample HTTP Request event ![http_request](https://user-images.githubusercontent.com/4459398/107546591-c5505580-6b89-11eb-8081-fe492312cc12.png) Network HTTP Request events, like the one in the screenshot above, are also rendered by the Netflow row renderer, which displays information that includes the directionality of the connection, protocol, and source / destination details. `NETWORK SERVICE` \ `NT AUTHORITY` @ `win2019-endpoint-1` made a http request via `svchost.exe` `(2232)` ### Fields in a HTTP Request event `user.name` \ `user.domain` @ `host.name` made a http request via `process.name` `(process.pid)` ## Process Exec events Endpoint Process Exec events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.process and event.action: exec ``` ### Sample rendered Process Exec event ![process_exec](https://user-images.githubusercontent.com/4459398/107989163-de447680-6f8e-11eb-88e9-d8c72d77bc2d.png) `admin` @ `test-mac.local` executed process `mdworker_shared` (`4454`) `/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker_shared` `-s` `mdworker` `-c` `MDSImporterWorker` `-m` `com.apple.mdworker.shared` via parent process `launchd` (`1`) `4bc018ac461706496302d1faab0a8bb39aad974eb432758665103165f3a2dd2b` ### Fields in a Process Exec event The following fields will be used to render a Process Exec event: `user.name` @ `host.name` executed process `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`) `process.hash.sha256` ## Process Fork events Endpoint Process Fork events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.process and event.action: fork ``` ### Sample rendered Process Fork event ![process_fork](https://user-images.githubusercontent.com/4459398/107990678-29ac5400-6f92-11eb-893f-59bafa79cd53.png) `admin` @ `test-mac.local` forked process `zoom.us` (`4042`) `/Applications/zoom.us.app/Contents/MacOS/zoom.us` via parent process `zoom.us` (`3961`) `cbf3d059cc9f9c0adff5ef15bf331b95ab381837fa0adecd965a41b5846f4bd4` ### Fields in a Process Fork event The following fields will be used to render a Process Exec event: `user.name` @ `host.name` forked process `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`) `process.hash.sha256`

…1446) (#91601) ## [Security Solution] [Timeline] Endpoint row renderers (2nd batch) This PR implements the 2nd batch of Endpoint row renderers, **including the new Ransomware alerts**, by adding new row renderers for the following Endpoint alerts and events: | event.dataset | event.type | event.category | event.action | |--------------------------|------------|----------------|-----------------| | endpoint.alerts | denied | file | creation | | endpoint.alerts | allowed | file | creation | | endpoint.alerts | denied | file | files-encrypted | | endpoint.alerts | allowed | file | files-encrypted | | endpoint.alerts | denied | file | modification | | endpoint.alerts | allowed | file | modification | | endpoint.alerts | denied | file | rename | | endpoint.alerts | allowed | file | rename | | endpoint.alerts | denied | process | execution | | endpoint.alerts | allowed | process | execution | | endpoint.events.file | change | file | modification | | endpoint.events.file | change | file | overwrite | | endpoint.events.file | change | file | rename | | endpoint.events.registry | change | registry | modification | | endpoint.events.library | start | library | load | | endpoint.events.network | protocol | network | http_request | | endpoint.events.process | start | process | exec | | endpoint.events.process | start | process | fork | Other updates: - All row renders will now only display the `file.hash.sha256` and `process.hash.sha256`. (The `sha1` and `md5` hashes will no longer be displayed) ## Malware File Creation Prevented alert Malware File Creation Prevented alerts with the following `event.dataset`, `event.type`, `event.category`, and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.alerts and event.type: denied and event.category: file and event.action: creation ``` ### Sample Malware File Creation Prevented alert ![malware_file_creation_prevented](https://user-images.githubusercontent.com/4459398/107970084-e4762b00-6f6d-11eb-88c8-c9fd474d2de4.png) `win2019-endpoint-1` was prevented from creating a malicious file `6a5eabd6-1c79-4962-b411-a5e7d9e967d4.tmp` in `C:\Users\sean\Downloads\6a5eabd6-1c79-4962-b411-a5e7d9e967d4.tmp` via `chrome.exe` (`8944`) `C:\Program Files\Google\Chrome\Application\chrome.exe` via parent process `explorer.exe` (`1008`) with result `success` `7cc42618e580f233fee47e82312cc5c3476cb5de9219ba3f9eb7f99ac0659c30` ### Fields in a Malware File Creation Prevented alert `user.name` \ `user.domain` @ `host.name` was prevented from creating a malicious file `file.name` in `file.path` via `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`) with result `event.outcome` `file.hash.sha256` ## Malware File Creation Detected alert Malware File Creation Detected alerts with the following `event.dataset`, `event.type`, `event.category`, and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.alerts and event.type: allowed and event.category: file and event.action: creation ``` ### Sample Malware File Creation Detected alert ![malware_file_creation_detected](https://user-images.githubusercontent.com/4459398/107970897-f7d5c600-6f6e-11eb-83a8-7324e34506c1.png) `DESKTOP-1` was detected creating a malicious file `mimikatz_write.exe` in `C:\temp\mimikatz_write.exe` via `python.exe` (`4400`) `C:\Python27\python.exe` `main.py` `-a` `execute` `-p` `c:\temp` via parent process `pythonservice.exe` (`2936`) with result `success` `263f09eeee80e03aa27a2d19530e2451978e18bf733c5f1c64ff2389c5dc17b0` ### Fields in a Malware File Creation Detected alert `user.name` \ `user.domain` @ `host.name` was detected creating a malicious file `file.name` in `file.path` via `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`) with result `event.outcome` `file.hash.sha256` ## Ransomware Files Encrypted Prevented alert Ransomware Files Encrypted Prevented alerts with the following `event.dataset`, `event.type`, `event.category`, and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.alerts and event.type: denied and event.category: file and event.action: files-encrypted ``` ### Sample Ransomware Files Encrypted Prevented alert ![ransomware_files-encrypted_prevented](https://user-images.githubusercontent.com/4459398/107973327-56e90a00-6f72-11eb-8337-8bb15bd24ad2.png) `DESKTOP-1` ransomware was prevented from encrypting files via `powershell.exe` (`6056`) `powershell.exe` `-file` `mock_ransomware_v3.ps1` via parent process `cmd.exe` (`10680`) with result `success` `e9fa973eb5ad446e0be31c7b8ae02d48281319e7f492e1ddaadddfbdd5b480c7` ### Fields in a Ransomware Files Encrypted Prevented alert `user.name` \ `user.domain` @ `host.name` ransomware was prevented from encrypting files via `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`) with result `event.outcome` `process.hash.sha256` ## Ransomware Files Encrypted Detected alert Ransomware Files Encrypted Detected alerts with the following `event.dataset`, `event.type`, `event.category`, and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.alerts and event.type: allowed and event.category: file and event.action: files-encrypted ``` ### Sample Ransomware Files Encrypted Detected alert ![ransomware_files-encrypted_detected](https://user-images.githubusercontent.com/4459398/107976086-42a70c00-6f76-11eb-8977-74ad47191d71.png) `DESKTOP-1` ransomware was detected encrypting files via `powershell.exe` (`4684`) `powershell.exe` `-file` `mock_ransomware_v3.ps1` via parent process `cmd.exe` (`8616`) with result `success` `e9fa973eb5ad446e0be31c7b8ae02d48281319e7f492e1ddaadddfbdd5b480c7` ### Fields in a Ransomware Files Encrypted Detected alert `user.name` \ `user.domain` @ `host.name` ransomware was detected encrypting files via `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`) with result `event.outcome` `process.hash.sha256` ## Malware File Modification Prevented alert Malware File Modification Prevented alerts with the following `event.dataset`, `event.type`, `event.category`, and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.alerts and event.type: denied and event.category: file and event.action: modification ``` ### Sample Malware File Modification Prevented alert ![malware_file_modification_prevented](https://user-images.githubusercontent.com/4459398/107979686-3a51cf80-6f7c-11eb-92ff-f164536f6c70.png) `win2019-endpoint-1` was prevented from modifying a malicious file `mimikatz - Copy.exe` in `C:\Users\sean\Downloads\mimikatz_trunk (1)\x64\mimikatz - Copy.exe` via `explorer.exe` (`1008`) `C:\Windows\Explorer.EXE` via parent process `C:\Windows\System32\userinit.exe` (`356`) with result `success` `31eb1de7e840a342fd468e558e5ab627bcb4c542a8fe01aec4d5ba01d539a0fc` ### Fields in a Malware File Modification Prevented alert `user.name` \ `user.domain` @ `host.name` was prevented from modifying a malicious file `file.name` in `file.path` via `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`) with result `event.outcome` `file.hash.sha256` ## Malware File Modification Detected alert Malware File Modification Detected alerts with the following `event.dataset`, `event.type`, `event.category`, and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.alerts and event.type: allowed and event.category: file and event.action: modification ``` ### Sample Malware File Modification Detected alert ![malware_file_modification_detected](https://user-images.githubusercontent.com/4459398/107980920-55bdda00-6f7e-11eb-9d08-2aa02253a958.png) `mac-1.local` was detected modifying a malicious file `aircrack` in `/private/var/root/write_malware/modules/write_malware/aircrack` via `Python` (`5995`) `/usr/local/Cellar/python/2.7.14/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python` `main.py` `-a` `modify` via parent process `Python` (`97`) with result `success` `f0954d9673878b2223b00b7ec770c7b438d876a9bb44ec78457e5c618f31f52b` ### Fields in a Malware File Modification Detected alert `user.name` \ `user.domain` @ `host.name` was detected modifying a malicious file `file.name` in `file.path` via `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`) with result `event.outcome` `file.hash.sha256` ## Malware File Rename Prevented alert Malware File Rename Prevented alerts with the following `event.dataset`, `event.type`, `event.category`, and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.alerts and event.type: denied and event.category: file and event.action: rename ``` ### Sample Malware File Rename Prevented alert ![malware_file_rename_prevented](https://user-images.githubusercontent.com/4459398/107981991-6e2ef400-6f80-11eb-8d48-3c9aa48c5d72.png) `win2019-endpoint-1` was prevented from renaming a malicious file `23361f8f413dd9258545030e42056a352fe35f66bac376d49954551c9b4bcf97.exe` in `C:\Users\sean\Downloads\23361f8f413dd9258545030e42056a352fe35f66bac376d49954551c9b4bcf97.exe` via `explorer.exe` (`1008`) `C:\Windows\Explorer.EXE` via parent process `C:\Windows\System32\userinit.exe` (`356`) with result `success` `23361f8f413dd9258545030e42056a352fe35f66bac376d49954551c9b4bcf97` ### Fields in a Malware File Rename Prevented alert `user.name` \ `user.domain` @ `host.name` was prevented from renaming a malicious file `file.name` in `file.path` via `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`) with result `event.outcome` `file.hash.sha256` ## Malware File Rename Detected alert Malware File Rename Detected alerts with the following `event.dataset`, `event.type`, `event.category`, and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.alerts and event.type: allowed and event.category: file and event.action: rename ``` ### Sample Malware File Rename Detected alert ![malware_file_rename_detected](https://user-images.githubusercontent.com/4459398/107983209-ab948100-6f82-11eb-893f-359fa0bd3a19.png) `win2019-endpoint-1` was detected renaming a malicious file `23361f8f413dd9258545030e42056a352fe35f66bac376d49954551c9b4bcf97.exe` in `C:\Users\sean\Downloads\23361f8f413dd9258545030e42056a352fe35f66bac376d49954551c9b4bcf97.exe` via `explorer.exe` (`1008`) `C:\Windows\Explorer.EXE` via parent process `C:\Windows\System32\userinit.exe` (`356`) with result `success` `23361f8f413dd9258545030e42056a352fe35f66bac376d49954551c9b4bcf97` ### Fields in a Malware File Rename Detected alert `user.name` \ `user.domain` @ `host.name` was detected renaming a malicious file `file.name` in `file.path` via `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`) with result `event.outcome` `file.hash.sha256` ## Malware Process Execution Prevented alert Malware Process Execution Prevented alerts with the following `event.dataset`, `event.type`, `event.category`, and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.alerts and event.type: denied and event.category: process and event.action: execution ``` ### Sample Malware Process Execution Prevented alert ![malware_process_execution_prevented](https://user-images.githubusercontent.com/4459398/107986073-8b67c080-6f88-11eb-89a5-95434639631e.png) `win2019-endpoint-1` was prevented from executing a malicious process `C:\Users\sean\Downloads\3be13acde2f4dcded4fd8d518a513bfc9882407a6e384ffb17d12710db7d76fb.exe` (`6920`) `C:\Users\sean\Downloads\3be13acde2f4dcded4fd8d518a513bfc9882407a6e384ffb17d12710db7d76fb.exe` via parent process `explorer.exe` (`1008`) with result `success` `3be13acde2f4dcded4fd8d518a513bfc9882407a6e384ffb17d12710db7d76fb` ### Fields in a Sample Malware Process Execution Prevented alert `host.name` was prevented from executing a malicious process `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`) with result `event.outcome` `process.hash.sha256` ## Malware Process Execution Detected alert Malware Process Execution Detected alerts with the following `event.dataset`, `event.type`, `event.category`, and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.alerts and event.type: allowed and event.category: process and event.action: execution ``` ### Sample Malware Process Execution Detected alert ![malware_process_execution_detected](https://user-images.githubusercontent.com/4459398/107986475-590a9300-6f89-11eb-9dbc-373efe005c85.png) `DESKTOP-1` was detected executing a malicious process `mimikatz_write.exe` (`8668`) `c:\temp\mimikatz_write.exe` via parent process `python.exe` (`4400`) with result `success` `263f09eeee80e03aa27a2d19530e2451978e18bf733c5f1c64ff2389c5dc17b0` ### Fields in a Sample Malware Process Execution Detected alert `host.name` was detected executing a malicious process `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`) with result `event.outcome` `process.hash.sha256` ## File (FIM) Modification events Endpoint File (FIM) Modification events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.file and event.action: modification ``` ### Sample rendered File (FIM) Modification event Each field with `this formatting` is draggable (to pivot a search) in the row-rendered event: ![file_modification](https://user-images.githubusercontent.com/4459398/106680191-641df600-657b-11eb-974e-e2afbc7698a3.png) `admin` @ `test-Mac.local` modified a file `.dat.nosync01a5.6hoWv1` in `/Users/admin/Library/Application Support/CrashReporter/.dat.nosync01a5.6hoWv1` via `diagnostics_agent` `(421)` ### Fields in a File (FIM) Modification event `user.name` \ `user.domain` @ `host.name` modified a file `file.name` in `file.path` via `process.name` `(process.pid)` ## File (FIM) Overwrite events Endpoint File (FIM) Overwrite events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.file and event.action: overwrite ``` ### Sample rendered File (FIM) Overwrite event ![file_overwrite](https://user-images.githubusercontent.com/4459398/106675692-c9b9b480-6572-11eb-9f78-fb0b4bf0b05d.png) `LOCAL SERVICE` \ `NT AUTHORITY` @ `windows-endpoint-1` overwrote a file `lastalive0.dat` in `C:\Windows\ServiceState\EventLog\Data\lastalive0.dat` via `svchost.exe` `(1228)` ### Fields in a File (FIM) Overwrite event `user.name` \ `user.domain` @ `host.name` overwrote a file `file.name` in `file.path` via `process.name` `(process.pid)` ## File (FIM) Rename events Endpoint File (FIM) Rename events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.file and event.action: rename ``` ### Sample rendered File (FIM) Rename event ![file_rename](https://user-images.githubusercontent.com/4459398/106534633-c4e0fc00-64b1-11eb-8213-494b51e8cdf9.png) `LOCAL SERVICE` \ `NT AUTHORITY` @ `windows-endpoint-1` renamed a file `SRU.log` in `C:\Windows\System32\sru\SRU.log` from its original path `C:\Windows\System32\sru\SRUtmp.log` via `svchost.exe` `(1204)` ### Fields in a File (FIM) Rename event `user.name` \ `user.domain` @ `host.name` renamed a file `file.name` in `file.path` from its original path `file.Ext.original.path` via `process.name` `(process.pid)` ## Registry Modification events Registry Modification events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.registry and event.action: modification ``` ### Sample Registry Modification event ![registry_modification](https://user-images.githubusercontent.com/4459398/107091637-56f14900-67bf-11eb-9c8b-7f748e848bac.png) `SYSTEM` \ `NT AUTHORITY` @ `win2019-endpoint-1` modified registry key `SOFTWARE\WOW6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState` with new value `HKLM\SOFTWARE\WOW6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}\CurrentState\StateValue` via `GoogleUpdate.exe` `(7408)` ### Fields in a Registry Modification event `user.name` \ `user.domain` @ `host.name` modified registry key `registry.key` with new value `registry.path` via `process.name` `(process.pid)` ## Library Load events Library Load events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.library and event.action: load ``` ### Sample Library Load event ![library_load](https://user-images.githubusercontent.com/4459398/107261734-ea638d80-69fc-11eb-8b2c-0a4f453b3f95.png) `SYSTEM` \ `NT AUTHORITY` @ `win2019-endpoint-1` loaded library `bcrypt.dll` in `C:\Windows\System32\bcrypt.dll` via `sshd.exe` `(9644)` `e70f5d8f87aab14e3160227d38387889befbe37fa4f8f5adc59eff52804b35fd` `2c4ba5c1482987d50a182bad915f52cd6611ee63` `00439016776de367bad087d739a03797` ### Fields in a Library Load event `user.name` \ `user.domain` @ `host.name` loaded library `file.name` in `file.path` via `process.name` `(process.pid)` `file.hash.sha256` `file.hash.sha1` `file.hash.md5` ## HTTP Request events HTTP Request events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.network and event.action: http_request ``` ### Sample HTTP Request event ![http_request](https://user-images.githubusercontent.com/4459398/107546591-c5505580-6b89-11eb-8081-fe492312cc12.png) Network HTTP Request events, like the one in the screenshot above, are also rendered by the Netflow row renderer, which displays information that includes the directionality of the connection, protocol, and source / destination details. `NETWORK SERVICE` \ `NT AUTHORITY` @ `win2019-endpoint-1` made a http request via `svchost.exe` `(2232)` ### Fields in a HTTP Request event `user.name` \ `user.domain` @ `host.name` made a http request via `process.name` `(process.pid)` ## Process Exec events Endpoint Process Exec events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.process and event.action: exec ``` ### Sample rendered Process Exec event ![process_exec](https://user-images.githubusercontent.com/4459398/107989163-de447680-6f8e-11eb-88e9-d8c72d77bc2d.png) `admin` @ `test-mac.local` executed process `mdworker_shared` (`4454`) `/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker_shared` `-s` `mdworker` `-c` `MDSImporterWorker` `-m` `com.apple.mdworker.shared` via parent process `launchd` (`1`) `4bc018ac461706496302d1faab0a8bb39aad974eb432758665103165f3a2dd2b` ### Fields in a Process Exec event The following fields will be used to render a Process Exec event: `user.name` @ `host.name` executed process `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`) `process.hash.sha256` ## Process Fork events Endpoint Process Fork events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers: ``` event.dataset: endpoint.events.process and event.action: fork ``` ### Sample rendered Process Fork event ![process_fork](https://user-images.githubusercontent.com/4459398/107990678-29ac5400-6f92-11eb-893f-59bafa79cd53.png) `admin` @ `test-mac.local` forked process `zoom.us` (`4042`) `/Applications/zoom.us.app/Contents/MacOS/zoom.us` via parent process `zoom.us` (`3961`) `cbf3d059cc9f9c0adff5ef15bf331b95ab381837fa0adecd965a41b5846f4bd4` ### Fields in a Process Fork event The following fields will be used to render a Process Exec event: `user.name` @ `host.name` forked process `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`) `process.hash.sha256`

* master: (157 commits) [DOCS] Adds machine learning to the security section of alerting (elastic#91501) [Uptime] Ping list step screenshot caption formatting (elastic#91403) [Vislib] Use timestamp on brush event instead of iso dates (elastic#91483) [Application Usage] Remove deprecated & unused legacy.appChanged API (elastic#91464) Migrate logstash, monitoring, url_drilldowns, xpack_legacy to ts projects (elastic#91194) [APM] Wrap Elasticsearch client errors (elastic#91125) [APM] Fix optimize-tsconfig script (elastic#91487) [Discover][docs] Add searchFieldsFromSource description (elastic#90980) Adds support for 'ip' data type (elastic#85087) [Detection Rules] Add updates from 7.11.2 rules (elastic#91553) [SECURITY SOLUTION] Eql in timeline (elastic#90816) [APM] Correlations Beta (elastic#86477) (elastic#89952) [Security Solutions][Detection Engine] Adds a warning banner when the alerts data has not been migrated yet. (elastic#90258) [Security Solution] [Timeline] Endpoint row renderers (2nd batch) (elastic#91446) skip flaky suite (elastic#91450) skip flaky suite (elastic#91592) [Security Solution][Endpoint][Admin] Endpoint Details UX Enhancements (elastic#90870) [ML] Add better UI support for runtime fields Transforms (elastic#90363) [Security Solution] [Detections] Replace 'partial failure' with 'warning' for rule statuses (elastic#91167) [Security Solution][Detections] Adds Indicator path config for indicator match rules (elastic#91260) ...

andrew-goldstein added release_note:enhancement v8.0.0 v7.12.0 Team:Threat Hunting Security Solution Threat Hunting Team Feature:Timeline Security Solution Timeline feature release_note:feature Makes this part of the condensed release notes labels Feb 15, 2021

andrew-goldstein requested a review from XavierM February 15, 2021 22:14

andrew-goldstein requested a review from a team as a code owner February 15, 2021 22:14

andrew-goldstein self-assigned this Feb 15, 2021

XavierM reviewed Feb 16, 2021

View reviewed changes

.../plugins/security_solution/public/timelines/components/timeline/body/renderers/file_hash.tsx Outdated Show resolved Hide resolved

XavierM reviewed Feb 16, 2021

View reviewed changes

...ugins/security_solution/public/timelines/components/timeline/body/renderers/process_hash.tsx Outdated Show resolved Hide resolved

XavierM approved these changes Feb 16, 2021

View reviewed changes

andrew-goldstein added 2 commits February 16, 2021 17:56

Merge branch 'master' of github.com:elastic/kibana into endpoint_row_…

da97f16

…renderers_batch_2_v2

- pr feedback

62fd1e6

andrew-goldstein force-pushed the endpoint_row_renderers_batch_2_v2 branch from d6bee7f to 62fd1e6 Compare February 17, 2021 01:38

andrew-goldstein merged commit adc50dd into elastic:master Feb 17, 2021

andrew-goldstein deleted the endpoint_row_renderers_batch_2_v2 branch February 17, 2021 03:51

andrew-goldstein mentioned this pull request Feb 17, 2021

[7.x] [Security Solution] [Timeline] Endpoint row renderers (2nd batch) (#91446) #91601

Merged

cyrille-leclerc mentioned this pull request Mar 11, 2021

Observability alerts should expose a "reason" #94456

Closed

graphaelli mentioned this pull request Mar 26, 2021

SIEM APM Trace Row Renderer #95595

Closed

andrew-goldstein mentioned this pull request Apr 13, 2022

[Security Solution] No arguments displayed for Memory Alert under rendered view #109794

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Security Solution] [Timeline] Endpoint row renderers (2nd batch) #91446

[Security Solution] [Timeline] Endpoint row renderers (2nd batch) #91446

andrew-goldstein commented Feb 15, 2021

elasticmachine commented Feb 15, 2021

andrew-goldstein commented Feb 16, 2021

kibanamachine commented Feb 17, 2021

[Security Solution] [Timeline] Endpoint row renderers (2nd batch) #91446

[Security Solution] [Timeline] Endpoint row renderers (2nd batch) #91446

Conversation

andrew-goldstein commented Feb 15, 2021