
[carbon_black_cloud]: Process Start events not mapped correctly #11653

Open
mike-flowers-airbnb opened this issue Nov 6, 2024 · 3 comments · May be fixed by #11686
Labels
Integration:carbon_black_cloud VMware Carbon Black Cloud needs:triage Team:Security-Service Integrations Security Service Integrations Team [elastic/security-service-integrations]

Comments

@mike-flowers-airbnb

Integration Name

VMware Carbon Black Cloud [carbon_black_cloud]

Dataset Name

carbon_black_cloud.endpoint_event

Integration Version

2.6.1

Agent Version

8.15.2

Agent Output Type

elasticsearch

Elasticsearch Version

8.15.1

OS Version and Architecture

Elastic Cloud

Software/API Version

No response

Error Message

No response

Event Original

No response

What did you do?

Default configuration for the integration

What did you see?

When reviewing events with event.action: ACTION_CREATE_PROCESS, the resulting process.* and process.parent.* fields do not accurately reflect the process being created and its parent. Instead, the data reflects the parent and grandparent involved in the process creation. See the command line fields below that are available for a sample record:

| field | value |
| --- | --- |
| carbon_black_cloud.endpoint_event.target_cmdline | Google Chrome Helper (Renderer) |
| process.command_line | Google Chrome --restart --restart |
| process.parent.command_line | launchd |

What did you expect to see?

The expectation here is threefold:

  • The "child" event would populate the process.* fields
  • The "process" event would populate the process.parent.* fields
  • The "parent" event would populate some other field such as carbon_black_cloud.endpoint_event.grandparent

To accomplish this the mapping would need to rename the following:

  • process.* -> process.parent.*
  • process.parent.* -> carbon_black_cloud.endpoint_event.grandparent.*
  • carbon_black_cloud.endpoint_event.childproc.guid -> process.entity_id
  • carbon_black_cloud.endpoint_event.childproc.hash.md5 -> process.hash.md5
  • carbon_black_cloud.endpoint_event.childproc.hash.sha256 -> process.hash.sha256
  • carbon_black_cloud.endpoint_event.childproc.name -> process.executable
  • carbon_black_cloud.endpoint_event.childproc.pid -> process.pid
  • carbon_black_cloud.endpoint_event.childproc.username -> process.user.name

Anything else?

cc: @btrieger
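The renames proposed in the issue above, applied to a flattened event, as an added example that is not the integration's own ingest pipeline (which is written as Elasticsearch ingest processors, not Python). The field names are the ones listed in the issue; the three command-line values come from the sample record above, and every other value (pids, GUID, username, executable path) is constructed. `carbon_black_cloud.endpoint_event.target_cmdline` is left where it is because the issue does not name a destination for it.

```python
"""Shift the process hierarchy of a Carbon Black Cloud ACTION_CREATE_PROCESS
event one level so that process.* describes the created child,
process.parent.* the creating process, and
carbon_black_cloud.endpoint_event.grandparent.* the former parent.

Added example illustrating the renames proposed in the issue; it is not the
integration's ingest pipeline. Events are handled in flattened (dotted-key)
form, as they appear in the issue's sample record.
"""

PREFIX = "carbon_black_cloud.endpoint_event."

# Explicit childproc.* -> process.* renames, exactly as listed in the issue.
CHILDPROC_RENAMES = {
    PREFIX + "childproc.guid": "process.entity_id",
    PREFIX + "childproc.hash.md5": "process.hash.md5",
    PREFIX + "childproc.hash.sha256": "process.hash.sha256",
    PREFIX + "childproc.name": "process.executable",
    PREFIX + "childproc.pid": "process.pid",
    PREFIX + "childproc.username": "process.user.name",
}

# Constructed sample event. The three command lines are the values shown in
# the issue; the remaining fields are placeholders, not real CBC data.
SAMPLE_EVENT = {
    "event.action": "ACTION_CREATE_PROCESS",
    PREFIX + "target_cmdline": "Google Chrome Helper (Renderer)",
    "process.command_line": "Google Chrome --restart --restart",
    "process.pid": 4242,                          # constructed
    "process.parent.command_line": "launchd",
    "process.parent.pid": 1,                      # constructed
    PREFIX + "childproc.guid": "EXAMPLE-GUID-0001",                # constructed
    PREFIX + "childproc.name": "/path/to/Google Chrome Helper (Renderer)",  # constructed
    PREFIX + "childproc.pid": 4343,               # constructed
    PREFIX + "childproc.username": "example-user",  # constructed
}


def _move_prefix(event, old, new):
    """Rename every key that starts with `old` so it starts with `new`.

    The key list is snapshotted first so keys created by this call are not
    visited again within the same call.
    """
    for key in [k for k in event if k.startswith(old)]:
        event[new + key[len(old):]] = event.pop(key)


def remap_create_process(event):
    """Return a copy of `event` with the hierarchy shifted one level.

    Only events whose event.action is ACTION_CREATE_PROCESS are changed;
    any other event is returned as an unmodified copy.
    """
    out = dict(event)
    if out.get("event.action") != "ACTION_CREATE_PROCESS":
        return out
    # Order matters: each step moves fields into a prefix that the previous
    # step has just vacated. Running "process.* -> process.parent.*" before
    # the parent has been moved out would overwrite the parent's fields.
    _move_prefix(out, "process.parent.", PREFIX + "grandparent.")
    _move_prefix(out, "process.", "process.parent.")
    for src, dst in CHILDPROC_RENAMES.items():
        if src in out:
            out[dst] = out.pop(src)
    return out


if __name__ == "__main__":
    for key, value in sorted(remap_create_process(SAMPLE_EVENT).items()):
        print(f"{key}: {value}")
```

The two prefix moves must run in the order shown: moving `process.*` into `process.parent.*` first would clobber the parent's fields before they reach the grandparent prefix, which is the same ordering constraint an ingest pipeline built from rename processors has to respect.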

@andrewkroh andrewkroh added Integration:carbon_black_cloud VMware Carbon Black Cloud Team:Security-Service Integrations Security Service Integrations Team [elastic/security-service-integrations] labels Nov 6, 2024
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@efd6 efd6 linked a pull request Nov 11, 2024 that will close this issue
@efd6 efd6 self-assigned this Nov 11, 2024
@efd6
Contributor

efd6 commented Nov 11, 2024

@mike-flowers-airbnb I have prepared #11686. Please take a look to see that it satisfies the requirement. Are you able to point to some documentation for the mapping that CBC uses?

@mike-flowers-airbnb
Author

mike-flowers-airbnb commented Nov 11, 2024

@efd6 Appreciate the quick PR. Left some comments on it. For the documentation, this will be the best reference: https://developer.carbonblack.com/reference/carbon-black-cloud/data-forwarder/schema/latest/endpoint.event-1.1.0/#fields

4 participants