[SIEM] Adds process_started ECS fields to Uncommon Process Table (#45664)
## Summary Adds process_started ECS fields to the uncommon process table for any agents which support it. This removes duplicates from the uncommon process table as well in some cases where we were counting process started and process ended as two different counts. https://github.com/elastic/kibana/issues/45530 Anyone outside of beats implementing this will need these two fields to show up: ```ts event.type: process_start event.category: process, ``` Their ECS record should have this bare minimum: ```ts "event": { "type:": "process_start", "category": "process", }, ``` To show up ### Checklist Use ~~strikethroughs~~ to remove checklist items you don't feel are applicable to this PR. - [ ] This was checked for cross-browser compatibility, [including a check against IE11](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) - [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md) - [ ] [Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials - [x] [Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios - [ ] This was checked for [keyboard-only and screenreader accessibility](https://developer.mozilla.org/en-US/docs/Learn/Tools_and_testing/Cross_browser_testing/Accessibility#Accessibility_testing_checklist) ### For maintainers - [x] This was checked for breaking API changes and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process) - [x] This includes a feature addition or change that requires a release note and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)
This commit is contained in:
Frank Hassanabad
GitHub
parent
5696b67c92
commit
c9a11ee971
|
|
@ -135,6 +135,11 @@ export const buildQuery = ({
|
|||
'event.dataset': 'process',
|
||||
},
|
||||
},
|
||||
{
|
||||
term: {
|
||||
'event.action': 'process_started',
|
||||
},
|
||||
},
|
||||
],
|
||||
},
|
||||
},
|
||||
|
|
@ -170,6 +175,22 @@ export const buildQuery = ({
|
|||
],
|
||||
},
|
||||
},
|
||||
{
|
||||
bool: {
|
||||
filter: [
|
||||
{
|
||||
term: {
|
||||
'event.type': 'process_start',
|
||||
},
|
||||
},
|
||||
{
|
||||
term: {
|
||||
'event.category': 'process',
|
||||
},
|
||||
},
|
||||
],
|
||||
},
|
||||
},
|
||||
],
|
||||
minimum_should_match: 1,
|
||||
filter,
|
||||
|
|
|
|||
|
|
@ -21,7 +21,7 @@ export default function({ getService }: FtrProviderContext) {
|
|||
const TO = new Date('3000-01-01T00:00:00.000Z').valueOf();
|
||||
const expectedResult = {
|
||||
__typename: 'KpiNetworkData',
|
||||
networkEvents: 6157,
|
||||
networkEvents: 6158,
|
||||
uniqueFlowId: 712,
|
||||
uniqueSourcePrivateIps: 8,
|
||||
uniqueSourcePrivateIpsHistogram: [
|
||||
|
|
@ -103,7 +103,7 @@ export default function({ getService }: FtrProviderContext) {
|
|||
const TO = new Date('3000-01-01T00:00:00.000Z').valueOf();
|
||||
const expectedResult = {
|
||||
__typename: 'KpiNetworkData',
|
||||
networkEvents: 6157,
|
||||
networkEvents: 6158,
|
||||
uniqueFlowId: 712,
|
||||
uniqueSourcePrivateIps: 8,
|
||||
uniqueSourcePrivateIpsHistogram: [
|
||||
|
|
|
|||
|
|
@ -27,7 +27,7 @@ export default function({ getService }: FtrProviderContext) {
|
|||
auditbeatProcess: 7,
|
||||
auditbeatUser: 6,
|
||||
filebeatSystemModule: 0,
|
||||
winlogbeat: 0,
|
||||
winlogbeat: 1,
|
||||
__typename: 'OverviewHostData',
|
||||
};
|
||||
|
||||
|
|
|
|||
|
|
@ -30,7 +30,7 @@ export default function({ getService }: FtrProviderContext) {
|
|||
.then(resp => {
|
||||
const sourceStatus = resp.data.source.status;
|
||||
// test data in x-pack/test/functional/es_archives/auditbeat_test_data/data.json.gz
|
||||
expect(sourceStatus.indexFields.length).to.be(349);
|
||||
expect(sourceStatus.indexFields.length).to.be(395);
|
||||
expect(sourceStatus.indicesExist).to.be(true);
|
||||
});
|
||||
});
|
||||
|
|
|
|||
|
|
@ -14,7 +14,7 @@ const FROM = new Date('2000-01-01T00:00:00.000Z').valueOf();
|
|||
const TO = new Date('3000-01-01T00:00:00.000Z').valueOf();
|
||||
|
||||
// typical values that have to change after an update from "scripts/es_archiver"
|
||||
const TOTAL_COUNT = 80;
|
||||
const TOTAL_COUNT = 3;
|
||||
|
||||
export default function({ getService }: FtrProviderContext) {
|
||||
const esArchiver = getService('esArchiver');
|
||||
|
|
@ -78,7 +78,7 @@ export default function({ getService }: FtrProviderContext) {
|
|||
expect(UncommonProcesses.edges.length).to.be(2);
|
||||
});
|
||||
|
||||
it('should return a total count of 6 elements', async () => {
|
||||
it('should return a total count of elements', async () => {
|
||||
const {
|
||||
data: {
|
||||
source: { UncommonProcesses },
|
||||
|
|
@ -130,18 +130,11 @@ export default function({ getService }: FtrProviderContext) {
|
|||
},
|
||||
});
|
||||
const expected: GetUncommonProcessesQuery.Node = {
|
||||
_id: 'Ax5CB2kBR346wHgnUJ1s',
|
||||
_id: 'HCFxB2kBR346wHgnL4ik',
|
||||
instances: 1,
|
||||
process: {
|
||||
args: [
|
||||
'/usr/bin/suricata',
|
||||
'-c',
|
||||
'/etc/suricata/suricata.yaml',
|
||||
'-i',
|
||||
'eth0',
|
||||
'--init-errors-fatal',
|
||||
],
|
||||
name: ['Suricata-Main'],
|
||||
args: [],
|
||||
name: ['kworker/u2:0'],
|
||||
__typename: 'ProcessEcsFields',
|
||||
},
|
||||
user: {
|
||||
|
|
@ -151,7 +144,7 @@ export default function({ getService }: FtrProviderContext) {
|
|||
},
|
||||
hosts: [
|
||||
{
|
||||
name: ['suricata-zeek-sensor-toronto'],
|
||||
name: ['zeek-sensor-san-francisco'],
|
||||
__typename: 'HostEcsFields',
|
||||
},
|
||||
],
|
||||
|
|
|
|||
Binary file not shown.
Loading…
Reference in a new issue