Andrew Goldstein e202ceab29
[Security Solution] [Timeline] Endpoint row renderers (1st batch) (#89810)
## [Security Solution] [Timeline] Endpoint row renderers (1st batch)

This PR implements the 1st batch of Endpoint (`event.module: "endpoint"`) row renderers by updating and enhancing some of the existing "Endgame" (`event.module: "endgame"`) row renderers to use the latest [ECS fields](https://www.elastic.co/guide/en/ecs/current/ecs-field-reference.html).

The following Endpoint events will be rendered via row renderers in Timeline:

| event.dataset            | event.action        |
|--------------------------|---------------------|
| endpoint.events.file     | creation            |
| endpoint.events.file     | deletion            |
| endpoint.events.process  | start               |
| endpoint.events.process  | end                 |
| endpoint.events.network  | lookup_requested    |
| endpoint.events.network  | lookup_result       |
| endpoint.events.network  | connection_accepted |
| endpoint.events.network  | disconnect_received |
| endpoint.events.security | log_on              |
| endpoint.events.security | log_off             |

## File (FIM) Creation events

Endpoint File (FIM) Creation events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers:

```
event.dataset: endpoint.events.file and event.action: creation
```

### Sample rendered File (FIM) Creation event

![endpoint_file_creation](https://user-images.githubusercontent.com/4459398/106036793-ff522f80-6092-11eb-9e3b-c24538129bea.png)

Each field with `this formatting` is draggable (to pivot a search) in the row-rendered event:

`SYSTEM` \ `NT AUTHORITY` @ `win2019-endpoint` created a file `WimProvider.dll` in `C:\Windows\TEMP\F590BACBAE94\WimProvider.dll` via `MsMpEng.exe` `(2424)`

### Fields in a File (FIM) Creation event

`user.name` \ `user.domain` @ `host.name` created a file `file.name` in `file.path` via `process.name` `(process.pid)`

## File (FIM) Deletion events

Endpoint File (FIM) Deletion events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers:

```
event.dataset: endpoint.events.file and event.action: deletion
```

### Sample rendered File (FIM) Deletion event

![endpoint_file_deletion](https://user-images.githubusercontent.com/4459398/106037520-088fcc00-6094-11eb-985d-ba8cead9fec9.png)

`SYSTEM` \ `NT AUTHORITY` @ `windows-endpoint-1` deleted a file `AM_Delta_Patch_1.329.2793.0.exe` in `C:\Windows\SoftwareDistribution\Download\Install\AM_Delta_Patch_1.329.2793.0.exe` via `svchost.exe` `(1728)`

### Fields in a File (FIM) Deletion event

`user.name` \ `user.domain` @ `host.name` deleted a file `file.name` in `file.path` via `process.name` `(process.pid)`

## Process Start events

Endpoint Process Start events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers:

```
event.dataset: endpoint.events.process and event.action: start
```

### Sample rendered Process Start event

![creation-event](https://user-images.githubusercontent.com/4459398/106061579-c7f37b00-60b2-11eb-9bc4-224e671baa4a.png)

`SYSTEM` \ `NT AUTHORITY` @ `win2019-endpoint` started process `conhost.exe` (`376`) `C:\Windows\system32\conhost.exe` `0xffffffff` `-ForceV1` via parent process `sshd.exe` (`6460`)

`sha256 697334c236cce7d4c9e223146ee683a1219adced9729d4ae771fd6a1502a6b63`

`sha1 e19da2c35ba1c38adf12d1a472c1fcf1f1a811a7`

`md5 1b0e9b5fcb62de0787235ecca560b610`

### Fields in a Process Start event

The following fields will be used to render a Process Start event:

`user.name` \ `user.domain` @ `host.name` started process `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`)

`process.hash.sha256`

`process.hash.sha1`

`process.hash.md5`

## Process End events

Endpoint Process End events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers:

```
event.dataset: endpoint.events.process and event.action: end
```

### Sample rendered Process End event

![endpoint_process_end](https://user-images.githubusercontent.com/4459398/106076527-f1b99b80-60cc-11eb-8ff8-2da78a1fcb8f.png)

`SYSTEM` \ `NT AUTHORITY` @ `win2019-endpoint` terminated process `svchost.exe` (`10392`) `C:\Windows\System32\svchost.exe` `-k` `netsvcs` `-p` `-s` `NetSetupSvc` with exit code `0` via parent process `services.exe` `(568)`

`7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4d02020787ab6`

`a1385ce20ad79f55df235effd9780c31442aa234`

`8a0a29438052faed8a2532da50455756`

### Fields in a Process End event

The following fields will be used to render a Process End event:

`user.name` \ `user.domain` @ `host.name` terminated process `process.name` (`process.pid`) with exit code `process.exit_code` via parent process `process.parent.name` (`process.parent.pid`)

`process.hash.sha256`

`process.hash.sha1`

`process.hash.md5`

## Network (DNS) Lookup Requested events

Endpoint Network (DNS) Lookup Requested events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers:

```
event.dataset: endpoint.events.network and event.action: lookup_requested
```

### Runtime matching criteria

All Network Lookup Requested events, including Endpoint and non-Endpoint DNS events matching the following criteria, will be rendered:

```
dns.question.type: * and dns.question.name: *
```

### Sample rendered Network Lookup Requested event

![network_lookup_requested](https://user-images.githubusercontent.com/4459398/106191208-cdf76380-6167-11eb-9be7-aaf78e4cfdd3.png)

`SYSTEM` \ `NT AUTHORITY` @ `windows-endpoint-1` asked for `logging.googleapis.com` with question type `A` via `google_osconfig_agent.exe` `(4064)` `dns`

### Fields in a Network Lookup Requested event

The following fields will be used to render a Network Lookup Request event:

`user.name` \ `user.domain` @ `host.name` asked for `dns.question.name` with question type `dns.question.type` via `process.name` `(process.pid)` `network.protocol`

## Network Lookup Result events

Endpoint Network (DNS) Lookup Result events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers:

```
event.dataset: endpoint.events.network and event.action: lookup_result
```

### Runtime matching criteria

All Network Lookup Result events, including Endpoint and non-Endpoint DNS events matching the following criteria, will be rendered:

```
dns.question.type: * and dns.question.name: *
```

### Sample rendered Network Lookup Result event

![network_lookup_result](https://user-images.githubusercontent.com/4459398/106192595-a43f3c00-6169-11eb-95bc-4ebe331f1231.png)

`SYSTEM` \ `NT AUTHORITY` @ `windows-endpoint-1` asked for `logging.googleapis.com` with question type `AAAA` via `GCEWindowsAgent.exe` `(684)` `dns`

### Fields in a Network Lookup Result event

The following fields will be used to render a Network Lookup Result event:

`user.name` \ `user.domain` @ `host.name` asked for `dns.question.name` with question type `dns.question.type` via `process.name` `(process.pid)` `network.protocol`

## Network Connection Accepted events

Endpoint Network Connection Accepted events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers:

```
event.dataset: endpoint.events.network and event.action: connection_accepted
```

### Sample rendered Network Connection Accepted event

![network_connection_accepted](https://user-images.githubusercontent.com/4459398/106200497-4f54f300-6174-11eb-8879-06b7bfc88edf.png)

Network Connection Accepted events, like the one in the screenshot above, are also rendered by the _Netflow_ row renderer, which displays information that includes the directionality of the connection, protocol, and source / destination details.

`NETWORK SERVICE` \ `NT AUTHORITY` @ `windows-endpoint-1` accepted a connection via `svchost.exe` `(328)` with result `success`

### Fields in a Network Connection Accepted event

`user.name` \ `user.domain` @ `host.name` accepted a connection via `process.name` `(process.pid)` with result `event.outcome`

## Network Disconnect Received events

Endpoint Network Disconnect Received events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers:

```
event.dataset: endpoint.events.network and event.action: disconnect_received
```

### Sample rendered Network Disconnect Received event

![network_disconnect_received](https://user-images.githubusercontent.com/4459398/106205196-56cbca80-617b-11eb-83d3-26aa9670f114.png)

Network Disconnect Received events, like the one in the screenshot above, are also rendered by the _Netflow_ row renderer, which displays information that includes the directionality of the connection, protocol, and source / destination details.

`NETWORK SERVICE` \ `NT AUTHORITY` @ `windows-endpoint-1` disconnected via `svchost.exe` `(328)`

### Fields in a Network Disconnect Received event

`user.name` \ `user.domain` @ `host.name` disconnected via `process.name` `(process.pid)`

## Security Log On events

Endpoint Security Log On events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers:

```
event.dataset: endpoint.events.security and event.action: log_on
```

### `event.outcome: "success"` vs `event.outcome: "failure"`

The row renderer for Security Log On events uses the `event.outcome` field to display different results for events matching:

```
event.dataset: endpoint.events.security and event.action: log_on and event.outcome: success
```

vs events matching:

```
event.dataset: endpoint.events.security and event.action: log_on and event.outcome: failure
```

### Sample rendered Security Log On / `event.outcome: "success"` event

![security_log_on_success](https://user-images.githubusercontent.com/4459398/106210917-fcd00280-6184-11eb-9c1c-564cfb375539.png)

`SYSTEM` \ `NT AUTHORITY` @ `win2019-endpoint` successfully logged in via `C:\Program Files\OpenSSH-Win64\sshd.exe`

### Fields in an Security Log On / `event.outcome: "success"` event

`user.name` \ `user.domain` @ `host.name` successfully logged in via `process.name` (`process.pid`)

### Sample rendered Security Log On / `event.outcome: "failure"` event

![security_log_on_failure](https://user-images.githubusercontent.com/4459398/106211893-b2e81c00-6186-11eb-9c34-43227c15a1f0.png)

`SYSTEM` \ `NT AUTHORITY` @ `win2019-endpoint` failed to log in via `C:\Program Files\OpenSSH-Win64\sshd.exe`

### Fields in an Security Log On / `event.outcome: "failure"` event

`user.name` \ `user.domain` @ `host.name` failed to log in via `process.name` (`process.pid`)

## Security Log Off events

Endpoint Security Log Off events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers:

```
event.dataset: endpoint.events.security and event.action: log_off
```

### Sample rendered Security Log Off event

![security_log_off](https://user-images.githubusercontent.com/4459398/106212499-0018bd80-6188-11eb-9e91-971f360ee87a.png)

`SYSTEM` \ `NT AUTHORITY` @ `win2019-endpoint` logged off via `C:\Program Files\OpenSSH-Win64\sshd.exe`

### Fields in a Security Log Off event

`user.name` \ `user.domain` @ `host.name` logged off via `process.name` (`process.pid`)
2021-02-05 12:15:44 -07:00
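The matching this commit message describes, as an added example that is not part of the PR or of Kibana's own code: the `event.dataset` / `event.action` table, the DNS runtime criteria that also admit non-Endpoint events, and the `event.outcome` branch for `log_on`, written as a routing function over constructed sample documents. The field names are the ECS fields the PR names; the function names (`field`, `selectRenderer`, `renderSummary`), the renderer ids and the sample values are this example's own assumptions.

```typescript
// Added example, not Kibana's own code: route an ECS-style Endpoint event to one of
// the row renderers the PR lists and build the summary text that renderer shows.
// Field names are the ECS fields the PR names; function, type and renderer-id
// names are this example's own assumptions.
type EcsEvent = Record<string, unknown>;

// Read a dotted ECS path from a document that is nested ({ user: { name } }) or
// flattened ({ "user.name": ... }); both shapes occur in Elasticsearch _source.
function field(event: EcsEvent, path: string): string | undefined {
  if (path in event) return toText(event[path]);
  let cur: unknown = event;
  for (const part of path.split('.')) {
    if (cur === null || typeof cur !== 'object' || !(part in (cur as object))) return undefined;
    cur = (cur as Record<string, unknown>)[part];
  }
  return toText(cur);
}

function toText(value: unknown): string | undefined {
  if (value === undefined || value === null) return undefined;
  return Array.isArray(value) ? value.map(String).join(' ') : String(value); // process.args is an array
}

// The event.dataset / event.action table from the PR, keyed "dataset|action".
const ENDPOINT_RENDERERS: Record<string, string> = {
  'endpoint.events.file|creation': 'file_creation',
  'endpoint.events.file|deletion': 'file_deletion',
  'endpoint.events.process|start': 'process_start',
  'endpoint.events.process|end': 'process_end',
  'endpoint.events.network|lookup_requested': 'dns',
  'endpoint.events.network|lookup_result': 'dns',
  'endpoint.events.network|connection_accepted': 'connection_accepted',
  'endpoint.events.network|disconnect_received': 'disconnect_received',
  'endpoint.events.security|log_on': 'log_on',
  'endpoint.events.security|log_off': 'log_off',
};

export function selectRenderer(event: EcsEvent): string | null {
  if (field(event, 'event.module') === 'endpoint') {
    const byAction = ENDPOINT_RENDERERS[`${field(event, 'event.dataset')}|${field(event, 'event.action')}`];
    if (byAction) return byAction;
  }
  // Runtime criteria of the DNS renderer (dns.question.type: * and dns.question.name: *),
  // which also admit non-Endpoint DNS events.
  const hasDns = field(event, 'dns.question.type') !== undefined && field(event, 'dns.question.name') !== undefined;
  return hasDns ? 'dns' : null;
}

// "user.name \ user.domain @ host.name" and "process.name (process.pid)", shared by every renderer.
const actor = (e: EcsEvent) => `${field(e, 'user.name')} \\ ${field(e, 'user.domain')} @ ${field(e, 'host.name')}`;
const proc = (e: EcsEvent) => `${field(e, 'process.name')} (${field(e, 'process.pid')})`;

export function renderSummary(event: EcsEvent): string | null {
  const f = (p: string): string => field(event, p) ?? '';
  const parent = `via parent process ${f('process.parent.name')} (${f('process.parent.pid')})`;
  switch (selectRenderer(event)) {
    case 'file_creation':
      return `${actor(event)} created a file ${f('file.name')} in ${f('file.path')} via ${proc(event)}`;
    case 'file_deletion':
      return `${actor(event)} deleted a file ${f('file.name')} in ${f('file.path')} via ${proc(event)}`;
    case 'process_start':
      return `${actor(event)} started process ${proc(event)} ${f('process.args')} ${parent}`;
    case 'process_end':
      return `${actor(event)} terminated process ${proc(event)} with exit code ${f('process.exit_code')} ${parent}`;
    case 'dns':
      return `${actor(event)} asked for ${f('dns.question.name')} with question type ${f('dns.question.type')} via ${proc(event)} ${f('network.protocol')}`;
    case 'connection_accepted':
      return `${actor(event)} accepted a connection via ${proc(event)} with result ${f('event.outcome')}`;
    case 'disconnect_received':
      return `${actor(event)} disconnected via ${proc(event)}`;
    case 'log_on':
      // event.outcome picks the wording; the PR defines only the success and failure variants.
      if (f('event.outcome') === 'success') return `${actor(event)} successfully logged in via ${proc(event)}`;
      if (f('event.outcome') === 'failure') return `${actor(event)} failed to log in via ${proc(event)}`;
      return null;
    case 'log_off':
      return `${actor(event)} logged off via ${proc(event)}`;
    default:
      return null;
  }
}

// Constructed sample documents, shaped after the rendered examples in the PR.
export const SAMPLE_FILE_CREATION: EcsEvent = {
  event: { module: 'endpoint', dataset: 'endpoint.events.file', action: 'creation' },
  user: { name: 'SYSTEM', domain: 'NT AUTHORITY' },
  host: { name: 'win2019-endpoint' },
  file: { name: 'WimProvider.dll', path: 'C:\\Windows\\TEMP\\F590BACBAE94\\WimProvider.dll' },
  process: { name: 'MsMpEng.exe', pid: 2424 },
};
// A flattened, non-Endpoint DNS document (event.module here is a made-up source name).
export const SAMPLE_DNS_FLAT: EcsEvent = {
  'event.module': 'example_dns_source', 'dns.question.name': 'logging.googleapis.com', 'dns.question.type': 'A',
  'user.name': 'SYSTEM', 'user.domain': 'NT AUTHORITY', 'host.name': 'windows-endpoint-1',
  'process.name': 'google_osconfig_agent.exe', 'process.pid': 4064, 'network.protocol': 'dns',
};
```

Two design points carry over from the PR text: the DNS criteria are evaluated on the `dns.question.*` fields alone, so a DNS document from a source other than Endpoint is rendered too, and `log_on` returns nothing for an `event.outcome` other than `success` or `failure`, because the PR defines only those two variants.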

Kibana

Kibana is your window into the Elastic Stack. Specifically, it's a browser-based analytics and search dashboard for Elasticsearch.

Getting Started

If you just want to try Kibana out, check out the Elastic Stack Getting Started Page to give it a whirl.

If you're interested in diving a bit deeper and getting a taste of Kibana's capabilities, head over to the Kibana Getting Started Page.

Using a Kibana Release

If you want to use a Kibana release in production, give it a test run, or just play around:

Building and Running Kibana, and/or Contributing Code

You might want to build Kibana locally to contribute some code, test out the latest features, or try out an open PR:

Documentation

Visit Elastic.co for the full Kibana documentation.

For information about building the documentation, see the README in elastic/docs.

Version Compatibility with Elasticsearch

Ideally, you should be running Elasticsearch and Kibana with matching version numbers. If your Elasticsearch has an older version number or a newer major number than Kibana, then Kibana will fail to run. If Elasticsearch has a newer minor or patch number than Kibana, then the Kibana Server will log a warning.

Note: The version numbers below are only examples, meant to illustrate the relationships between different types of version numbers.

| Situation                 | Example Kibana version | Example ES version | Outcome           |
|---------------------------|------------------------|--------------------|-------------------|
| Versions are the same.    | 5.1.2                  | 5.1.2              | 💚 OK             |
| ES patch number is newer. | 5.1.2                  | 5.1.5              | ⚠️ Logged warning |
| ES minor number is newer. | 5.1.2                  | 5.5.0              | ⚠️ Logged warning |
| ES major number is newer. | 5.1.2                  | 6.0.0              | 🚫 Fatal error    |
| ES patch number is older. | 5.1.2                  | 5.1.0              | ⚠️ Logged warning |
| ES minor number is older. | 5.1.2                  | 5.0.0              | 🚫 Fatal error    |
| ES major number is older. | 5.1.2                  | 4.0.0              | 🚫 Fatal error    |
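The compatibility rule in the table above written out as a function, as an added example that is not Kibana's own startup check; the `checkCompatibility` and `parseVersion` names are this example's assumptions. It follows the table rather than the sentence before it: an older Elasticsearch patch number is only a warning, while an older minor or any major mismatch is fatal, and a prerelease suffix such as `-SNAPSHOT` is ignored when comparing.

```typescript
// Added example, not Kibana's own code: the Elasticsearch / Kibana version
// compatibility rule from the README table, as a function.
export type Compatibility = 'ok' | 'warning' | 'fatal';

// Parse "major.minor.patch" and ignore any prerelease/build suffix (e.g. "-SNAPSHOT").
function parseVersion(version: string): [number, number, number] {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version.trim());
  if (!m) throw new Error(`not a major.minor.patch version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

export function checkCompatibility(kibanaVersion: string, esVersion: string): Compatibility {
  const [kMajor, kMinor, kPatch] = parseVersion(kibanaVersion);
  const [eMajor, eMinor, ePatch] = parseVersion(esVersion);
  if (eMajor !== kMajor) return 'fatal';   // ES major newer or older: Kibana fails to run
  if (eMinor < kMinor) return 'fatal';     // ES minor older: fatal
  if (eMinor > kMinor) return 'warning';   // ES minor newer: logged warning
  if (ePatch !== kPatch) return 'warning'; // ES patch newer or older: logged warning
  return 'ok';                             // identical major.minor.patch
}
```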

Questions? Problems? Suggestions?

  • If you've found a bug or want to request a feature, please create a GitHub Issue. Please check to make sure someone else hasn't already created an issue for the same topic.
  • Need help using Kibana? Ask away on our Kibana Discuss Forum and a fellow community member or Elastic engineer will be glad to help you out.