diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 0a6755f2fe4..35804f44388 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -93,7 +93,7 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
- Fix cache processor expiries infinite growth when large a large TTL is used and recurring keys are cached. {pull}38561[38561]
*Auditbeat*
-
+- Set field types to correctly match ECS in sessionmd processor {issue}38955[38955] {pull}38994[38994]
*Filebeat*
diff --git a/x-pack/auditbeat/processors/sessionmd/_meta/fields.yml b/x-pack/auditbeat/processors/sessionmd/_meta/fields.yml
new file mode 100644
index 00000000000..d2878d450e5
--- /dev/null
+++ b/x-pack/auditbeat/processors/sessionmd/_meta/fields.yml
@@ -0,0 +1,1352 @@
+# process fields from ECS version 8.12.0-dev.
+
+- key: ecs
+ title: ECS
+ description: ECS Fields.
+ fields:
+ - name: process
+ title: Process
+ group: 2
+ description: 'These fields contain information about a process.
+
+ These fields can help you correlate metrics information with a process id/name
+ from a log message. The `process.pid` often stays in the metric itself and
+ is copied to the global field for correlation.'
+ type: group
+ default_field: true
+ fields:
+ - name: entry_leader.args
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Array of process arguments, starting with the absolute path to
+ the executable.
+
+ May be filtered to protect sensitive information.'
+ example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]'
+ default_field: false
+ - name: entry_leader.args_count
+ level: extended
+ type: long
+ description: 'Length of the process.args array.
+
+ This field can be useful for querying or performing bucket analysis on how
+ many arguments were provided to start a process. More arguments may be an
+ indication of suspicious activity.'
+ example: 4
+ default_field: false
+ - name: entry_leader.command_line
+ level: extended
+ type: wildcard
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: 'Full command line that started the process, including the absolute
+ path to the executable, and all arguments.
+
+ Some arguments may be filtered to protect sensitive information.'
+ example: /usr/bin/ssh -l user 10.0.0.16
+ default_field: false
+ - name: entry_leader.entity_id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique identifier for the process.
+
+ The implementation of this is specified by the data source, but some examples
+ of what could be used here are a process-generated UUID, Sysmon Process GUIDs,
+ or a hash of some uniquely identifying components of a process.
+
+ Constructing a globally unique identifier is a common practice to mitigate
+ PID reuse as well as to identify a specific process over time, across multiple
+ monitored hosts.'
+ example: c2c455d9f99375d
+ default_field: false
+ - name: entry_leader.entry_meta.source.ip
+ level: core
+ type: ip
+ description: IP address of the source (IPv4 or IPv6).
+ default_field: false
+ - name: entry_leader.entry_meta.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'The entry type for the entry session leader. Values include: init(e.g
+ systemd), sshd, ssm, kubelet, teleport, terminal, console
+
+ Note: This field is only set on process.session_leader.'
+ default_field: false
+ - name: entry_leader.executable
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: Absolute path to the process executable.
+ example: /usr/bin/ssh
+ default_field: false
+ - name: entry_leader.group.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier for the group on the system/platform.
+ default_field: false
+ - name: entry_leader.group.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the group.
+ default_field: false
+ - name: entry_leader.interactive
+ level: extended
+ type: boolean
+ description: 'Whether the process is connected to an interactive shell.
+
+ Process interactivity is inferred from the processes file descriptors. If
+ the character device for the controlling tty is the same as stdin and stderr
+ for the process, the process is considered interactive.
+
+ Note: A non-interactive process can belong to an interactive session and is
+ simply one that does not have open file descriptors reading the controlling
+ TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A
+ backgrounded process is still considered interactive if stdin and stderr are
+ connected to the controlling TTY.'
+ example: true
+ default_field: false
+ - name: entry_leader.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: 'Process name.
+
+ Sometimes called program name or similar.'
+ example: ssh
+ default_field: false
+ - name: entry_leader.parent.entity_id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique identifier for the process.
+
+ The implementation of this is specified by the data source, but some examples
+ of what could be used here are a process-generated UUID, Sysmon Process GUIDs,
+ or a hash of some uniquely identifying components of a process.
+
+ Constructing a globally unique identifier is a common practice to mitigate
+ PID reuse as well as to identify a specific process over time, across multiple
+ monitored hosts.'
+ example: c2c455d9f99375d
+ default_field: false
+ - name: entry_leader.parent.pid
+ level: core
+ type: long
+ format: string
+ description: Process id.
+ example: 4242
+ default_field: false
+ - name: entry_leader.parent.session_leader.entity_id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique identifier for the process.
+
+ The implementation of this is specified by the data source, but some examples
+ of what could be used here are a process-generated UUID, Sysmon Process GUIDs,
+ or a hash of some uniquely identifying components of a process.
+
+ Constructing a globally unique identifier is a common practice to mitigate
+ PID reuse as well as to identify a specific process over time, across multiple
+ monitored hosts.'
+ example: c2c455d9f99375d
+ default_field: false
+ - name: entry_leader.parent.session_leader.pid
+ level: core
+ type: long
+ format: string
+ description: Process id.
+ example: 4242
+ default_field: false
+ - name: entry_leader.parent.session_leader.start
+ level: extended
+ type: date
+ description: The time the process started.
+ example: '2016-05-23T08:05:34.853Z'
+ default_field: false
+ - name: entry_leader.parent.session_leader.vpid
+ level: core
+ type: long
+ format: string
+ description: 'Virtual process id.
+
+ The process id within a pid namespace. This is not necessarily unique across
+ all processes on the host but it is unique within the process namespace that
+ the process exists within.'
+ example: 4242
+ default_field: false
+ - name: entry_leader.parent.start
+ level: extended
+ type: date
+ description: The time the process started.
+ example: '2016-05-23T08:05:34.853Z'
+ default_field: false
+ - name: entry_leader.parent.vpid
+ level: core
+ type: long
+ format: string
+ description: 'Virtual process id.
+
+ The process id within a pid namespace. This is not necessarily unique across
+ all processes on the host but it is unique within the process namespace that
+ the process exists within.'
+ example: 4242
+ default_field: false
+ - name: entry_leader.pid
+ level: core
+ type: long
+ format: string
+ description: Process id.
+ example: 4242
+ default_field: false
+ - name: previous.args
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Array of process arguments, starting with the absolute path to
+ the executable.
+
+ May be filtered to protect sensitive information.'
+ example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]'
+ default_field: false
+ - name: previous.args_count
+ level: extended
+ type: long
+ description: 'Length of the process.args array.
+
+ This field can be useful for querying or performing bucket analysis on how
+ many arguments were provided to start a process. More arguments may be an
+ indication of suspicious activity.'
+ example: 4
+ default_field: false
+ - name: previous.executable
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: Absolute path to the process executable.
+ example: /usr/bin/ssh
+ default_field: false
+ - name: entry_leader.real_group.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier for the group on the system/platform.
+ default_field: false
+ - name: entry_leader.real_group.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the group.
+ default_field: false
+ - name: entry_leader.real_user.id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier of the user.
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000
+ default_field: false
+ - name: entry_leader.real_user.name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: Short name or login of the user.
+ example: a.einstein
+ default_field: false
+ - name: entry_leader.same_as_process
+ level: extended
+ type: boolean
+ description: 'This boolean is used to identify if a leader process is the same
+ as the top level process.
+
+ For example, if `process.group_leader.same_as_process = true`, it means the
+ process event in question is the leader of its process group. Details under
+ `process.*` like `pid` would be the same under `process.group_leader.*` The
+ same applies for both `process.session_leader` and `process.entry_leader`.
+
+ This field exists to the benefit of EQL and other rule engines since it''s
+ not possible to compare equality between two fields in a single document.
+ e.g `process.entity_id` = `process.group_leader.entity_id` (top level process
+ is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id`
+ (top level process is the entry session leader)
+
+ Instead these rules could be written like: `process.group_leader.same_as_process:
+ true` OR `process.entry_leader.same_as_process: true`
+
+ Note: This field is only set on `process.entry_leader`, `process.session_leader`
+ and `process.group_leader`.'
+ example: true
+ default_field: false
+ - name: entry_leader.saved_group.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier for the group on the system/platform.
+ default_field: false
+ - name: entry_leader.saved_group.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the group.
+ default_field: false
+ - name: entry_leader.saved_user.id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier of the user.
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000
+ default_field: false
+ - name: entry_leader.saved_user.name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: Short name or login of the user.
+ example: a.einstein
+ default_field: false
+ - name: entry_leader.start
+ level: extended
+ type: date
+ description: The time the process started.
+ example: '2016-05-23T08:05:34.853Z'
+ default_field: false
+ - name: entry_leader.supplemental_groups.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier for the group on the system/platform.
+ default_field: false
+ - name: entry_leader.supplemental_groups.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the group.
+ default_field: false
+ - name: entry_leader.tty
+ level: extended
+ type: object
+ description: Information about the controlling TTY device. If set, the process
+ belongs to an interactive session.
+ default_field: false
+ - name: entry_leader.tty.char_device.major
+ level: extended
+ type: long
+ description: The major number identifies the driver associated with the device.
+ The character device's major and minor numbers can be algorithmically combined
+ to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0".
+ For more details, please refer to the Linux kernel documentation.
+ example: 4
+ default_field: false
+ - name: entry_leader.tty.char_device.minor
+ level: extended
+ type: long
+ description: "The minor number is used only by the driver specified by the major\
+ \ number; other parts of the kernel don\u2019t use it, and merely pass it\
+ \ along to the driver. It is common for a driver to control several devices;\
+ \ the minor number provides a way for the driver to differentiate among them."
+ example: 1
+ default_field: false
+ - name: entry_leader.user.id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier of the user.
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000
+ default_field: false
+ - name: entry_leader.user.name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: Short name or login of the user.
+ example: a.einstein
+ default_field: false
+ - name: entry_leader.vpid
+ level: core
+ type: long
+ format: string
+ description: 'Virtual process id.
+
+ The process id within a pid namespace. This is not necessarily unique across
+ all processes on the host but it is unique within the process namespace that
+ the process exists within.'
+ example: 4242
+ default_field: false
+ - name: entry_leader.working_directory
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: The working directory of the process.
+ example: /home/alice
+ default_field: false
+ - name: env_vars
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Array of environment variable bindings. Captured from a snapshot
+ of the environment at the time of execution.
+
+ May be filtered to protect sensitive information.'
+ example: '["PATH=/usr/local/bin:/usr/bin", "USER=ubuntu"]'
+ default_field: false
+ - name: group_leader.args
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Array of process arguments, starting with the absolute path to
+ the executable.
+
+ May be filtered to protect sensitive information.'
+ example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]'
+ default_field: false
+ - name: group_leader.args_count
+ level: extended
+ type: long
+ description: 'Length of the process.args array.
+
+ This field can be useful for querying or performing bucket analysis on how
+ many arguments were provided to start a process. More arguments may be an
+ indication of suspicious activity.'
+ example: 4
+ default_field: false
+ - name: group_leader.command_line
+ level: extended
+ type: wildcard
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: 'Full command line that started the process, including the absolute
+ path to the executable, and all arguments.
+
+ Some arguments may be filtered to protect sensitive information.'
+ example: /usr/bin/ssh -l user 10.0.0.16
+ default_field: false
+ - name: group_leader.entity_id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique identifier for the process.
+
+ The implementation of this is specified by the data source, but some examples
+ of what could be used here are a process-generated UUID, Sysmon Process GUIDs,
+ or a hash of some uniquely identifying components of a process.
+
+ Constructing a globally unique identifier is a common practice to mitigate
+ PID reuse as well as to identify a specific process over time, across multiple
+ monitored hosts.'
+ example: c2c455d9f99375d
+ default_field: false
+ - name: group_leader.executable
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: Absolute path to the process executable.
+ example: /usr/bin/ssh
+ default_field: false
+ - name: group_leader.group.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier for the group on the system/platform.
+ default_field: false
+ - name: group_leader.group.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the group.
+ default_field: false
+ - name: group_leader.interactive
+ level: extended
+ type: boolean
+ description: 'Whether the process is connected to an interactive shell.
+
+ Process interactivity is inferred from the processes file descriptors. If
+ the character device for the controlling tty is the same as stdin and stderr
+ for the process, the process is considered interactive.
+
+ Note: A non-interactive process can belong to an interactive session and is
+ simply one that does not have open file descriptors reading the controlling
+ TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A
+ backgrounded process is still considered interactive if stdin and stderr are
+ connected to the controlling TTY.'
+ example: true
+ default_field: false
+ - name: group_leader.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: 'Process name.
+
+ Sometimes called program name or similar.'
+ example: ssh
+ default_field: false
+ - name: group_leader.pid
+ level: core
+ type: long
+ format: string
+ description: Process id.
+ example: 4242
+ default_field: false
+ - name: group_leader.real_group.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier for the group on the system/platform.
+ default_field: false
+ - name: group_leader.real_group.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the group.
+ default_field: false
+ - name: group_leader.real_user.id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier of the user.
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000
+ default_field: false
+ - name: group_leader.real_user.name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: Short name or login of the user.
+ example: a.einstein
+ default_field: false
+ - name: group_leader.same_as_process
+ level: extended
+ type: boolean
+ description: 'This boolean is used to identify if a leader process is the same
+ as the top level process.
+
+ For example, if `process.group_leader.same_as_process = true`, it means the
+ process event in question is the leader of its process group. Details under
+ `process.*` like `pid` would be the same under `process.group_leader.*` The
+ same applies for both `process.session_leader` and `process.entry_leader`.
+
+ This field exists to the benefit of EQL and other rule engines since it''s
+ not possible to compare equality between two fields in a single document.
+ e.g `process.entity_id` = `process.group_leader.entity_id` (top level process
+ is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id`
+ (top level process is the entry session leader)
+
+ Instead these rules could be written like: `process.group_leader.same_as_process:
+ true` OR `process.entry_leader.same_as_process: true`
+
+ Note: This field is only set on `process.entry_leader`, `process.session_leader`
+ and `process.group_leader`.'
+ example: true
+ default_field: false
+ - name: group_leader.saved_group.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier for the group on the system/platform.
+ default_field: false
+ - name: group_leader.saved_group.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the group.
+ default_field: false
+ - name: group_leader.saved_user.id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier of the user.
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000
+ default_field: false
+ - name: group_leader.saved_user.name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: Short name or login of the user.
+ example: a.einstein
+ default_field: false
+ - name: group_leader.start
+ level: extended
+ type: date
+ description: The time the process started.
+ example: '2016-05-23T08:05:34.853Z'
+ default_field: false
+ - name: group_leader.tty
+ level: extended
+ type: object
+ description: Information about the controlling TTY device. If set, the process
+ belongs to an interactive session.
+ default_field: false
+ - name: group_leader.tty.char_device.major
+ level: extended
+ type: long
+ description: The major number identifies the driver associated with the device.
+ The character device's major and minor numbers can be algorithmically combined
+ to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0".
+ For more details, please refer to the Linux kernel documentation.
+ example: 4
+ default_field: false
+ - name: group_leader.tty.char_device.minor
+ level: extended
+ type: long
+ description: "The minor number is used only by the driver specified by the major\
+ \ number; other parts of the kernel don\u2019t use it, and merely pass it\
+ \ along to the driver. It is common for a driver to control several devices;\
+ \ the minor number provides a way for the driver to differentiate among them."
+ example: 1
+ default_field: false
+ - name: group_leader.user.id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier of the user.
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000
+ default_field: false
+ - name: group_leader.user.name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: Short name or login of the user.
+ example: a.einstein
+ default_field: false
+ - name: group_leader.vpid
+ level: core
+ type: long
+ format: string
+ description: 'Virtual process id.
+
+ The process id within a pid namespace. This is not necessarily unique across
+ all processes on the host but it is unique within the process namespace that
+ the process exists within.'
+ example: 4242
+ default_field: false
+ - name: group_leader.working_directory
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: The working directory of the process.
+ example: /home/alice
+ default_field: false
+ - name: interactive
+ level: extended
+ type: boolean
+ description: 'Whether the process is connected to an interactive shell.
+
+ Process interactivity is inferred from the processes file descriptors. If
+ the character device for the controlling tty is the same as stdin and stderr
+ for the process, the process is considered interactive.
+
+ Note: A non-interactive process can belong to an interactive session and is
+ simply one that does not have open file descriptors reading the controlling
+ TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A
+ backgrounded process is still considered interactive if stdin and stderr are
+ connected to the controlling TTY.'
+ example: true
+ default_field: false
+ - name: parent.group.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier for the group on the system/platform.
+ default_field: false
+ - name: parent.group.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the group.
+ default_field: false
+ - name: parent.group_leader.entity_id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique identifier for the process.
+
+ The implementation of this is specified by the data source, but some examples
+ of what could be used here are a process-generated UUID, Sysmon Process GUIDs,
+ or a hash of some uniquely identifying components of a process.
+
+ Constructing a globally unique identifier is a common practice to mitigate
+ PID reuse as well as to identify a specific process over time, across multiple
+ monitored hosts.'
+ example: c2c455d9f99375d
+ default_field: false
+ - name: parent.group_leader.pid
+ level: core
+ type: long
+ format: string
+ description: Process id.
+ example: 4242
+ default_field: false
+ - name: parent.group_leader.start
+ level: extended
+ type: date
+ description: The time the process started.
+ example: '2016-05-23T08:05:34.853Z'
+ default_field: false
+ - name: parent.group_leader.vpid
+ level: core
+ type: long
+ format: string
+ description: 'Virtual process id.
+
+ The process id within a pid namespace. This is not necessarily unique across
+ all processes on the host but it is unique within the process namespace that
+ the process exists within.'
+ example: 4242
+ default_field: false
+ - name: parent.interactive
+ level: extended
+ type: boolean
+ description: 'Whether the process is connected to an interactive shell.
+
+ Process interactivity is inferred from the processes file descriptors. If
+ the character device for the controlling tty is the same as stdin and stderr
+ for the process, the process is considered interactive.
+
+ Note: A non-interactive process can belong to an interactive session and is
+ simply one that does not have open file descriptors reading the controlling
+ TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A
+ backgrounded process is still considered interactive if stdin and stderr are
+ connected to the controlling TTY.'
+ example: true
+ default_field: false
+ - name: parent.real_group.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier for the group on the system/platform.
+ default_field: false
+ - name: parent.real_group.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the group.
+ default_field: false
+ - name: parent.real_user.id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier of the user.
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000
+ default_field: false
+ - name: parent.real_user.name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: Short name or login of the user.
+ example: a.einstein
+ default_field: false
+ - name: parent.saved_group.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier for the group on the system/platform.
+ default_field: false
+ - name: parent.saved_group.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the group.
+ default_field: false
+ - name: parent.saved_user.id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier of the user.
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000
+ default_field: false
+ - name: parent.saved_user.name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: Short name or login of the user.
+ example: a.einstein
+ default_field: false
+ - name: parent.thread.capabilities.effective
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: This is the set of capabilities used by the kernel to perform permission
+ checks for the thread.
+ example: '["CAP_BPF", "CAP_SYS_ADMIN"]'
+ pattern: ^(CAP_[A-Z_]+|\d+)$
+ default_field: false
+ - name: parent.thread.capabilities.permitted
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: This is a limiting superset for the effective capabilities that
+ the thread may assume.
+ example: '["CAP_BPF", "CAP_SYS_ADMIN"]'
+ pattern: ^(CAP_[A-Z_]+|\d+)$
+ default_field: false
+ - name: parent.tty
+ level: extended
+ type: object
+ description: Information about the controlling TTY device. If set, the process
+ belongs to an interactive session.
+ default_field: false
+ - name: parent.tty.char_device.major
+ level: extended
+ type: long
+ description: The major number identifies the driver associated with the device.
+ The character device's major and minor numbers can be algorithmically combined
+ to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0".
+ For more details, please refer to the Linux kernel documentation.
+ example: 4
+ default_field: false
+ - name: parent.tty.char_device.minor
+ level: extended
+ type: long
+ description: "The minor number is used only by the driver specified by the major\
+ \ number; other parts of the kernel don\u2019t use it, and merely pass it\
+ \ along to the driver. It is common for a driver to control several devices;\
+ \ the minor number provides a way for the driver to differentiate among them."
+ example: 1
+ default_field: false
+ - name: parent.user.id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier of the user.
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000
+ default_field: false
+ - name: parent.user.name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: Short name or login of the user.
+ example: a.einstein
+ default_field: false
+ - name: parent.vpid
+ level: core
+ type: long
+ format: string
+ description: 'Virtual process id.
+
+ The process id within a pid namespace. This is not necessarily unique across
+ all processes on the host but it is unique within the process namespace that
+ the process exists within.'
+ example: 4242
+ default_field: false
+ - name: real_group.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier for the group on the system/platform.
+ default_field: false
+ - name: real_group.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the group.
+ default_field: false
+ - name: real_user.id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier of the user.
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000
+ default_field: false
+ - name: real_user.name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: Short name or login of the user.
+ example: a.einstein
+ default_field: false
+ - name: saved_group.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier for the group on the system/platform.
+ default_field: false
+ - name: saved_group.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the group.
+ default_field: false
+ - name: saved_user.id
+ level: core
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier of the user.
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000
+ default_field: false
+ - name: saved_user.name
+ level: core
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: Short name or login of the user.
+ example: a.einstein
+ default_field: false
+ - name: session_leader.args
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Array of process arguments, starting with the absolute path to
+ the executable.
+
+ May be filtered to protect sensitive information.'
+ example: '["/usr/bin/ssh", "-l", "user", "10.0.0.16"]'
+ default_field: false
+ - name: session_leader.args_count
+ level: extended
+ type: long
+ description: 'Length of the process.args array.
+
+ This field can be useful for querying or performing bucket analysis on how
+ many arguments were provided to start a process. More arguments may be an
+ indication of suspicious activity.'
+ example: 4
+ default_field: false
+ - name: session_leader.command_line
+ level: extended
+ type: wildcard
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: 'Full command line that started the process, including the absolute
+ path to the executable, and all arguments.
+
+ Some arguments may be filtered to protect sensitive information.'
+ example: /usr/bin/ssh -l user 10.0.0.16
+ default_field: false
+ - name: session_leader.entity_id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: 'Unique identifier for the process.
+
+ The implementation of this is specified by the data source, but some examples
+ of what could be used here are a process-generated UUID, Sysmon Process GUIDs,
+ or a hash of some uniquely identifying components of a process.
+
+ Constructing a globally unique identifier is a common practice to mitigate
+ PID reuse as well as to identify a specific process over time, across multiple
+ monitored hosts.'
+ example: c2c455d9f99375d
+ default_field: false
+ - name: session_leader.executable
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ multi_fields:
+ - name: text
+ type: match_only_text
+ description: Absolute path to the process executable.
+ example: /usr/bin/ssh
+ default_field: false
+ - name: session_leader.group.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Unique identifier for the group on the system/platform.
+ default_field: false
+ - name: session_leader.group.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the group.
+ default_field: false + - name: session_leader.interactive + level: extended + type: boolean + description: 'Whether the process is connected to an interactive shell. + + Process interactivity is inferred from the processes file descriptors. If + the character device for the controlling tty is the same as stdin and stderr + for the process, the process is considered interactive. + + Note: A non-interactive process can belong to an interactive session and is + simply one that does not have open file descriptors reading the controlling + TTY on FD 0 (stdin) or writing to the controlling TTY on FD 2 (stderr). A + backgrounded process is still considered interactive if stdin and stderr are + connected to the controlling TTY.' + example: true + default_field: false + - name: session_leader.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: 'Process name. + + Sometimes called program name or similar.' + example: ssh + default_field: false + - name: session_leader.parent.entity_id + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique identifier for the process. + + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + default_field: false + - name: session_leader.parent.pid + level: core + type: long + format: string + description: Process id. + example: 4242 + default_field: false + - name: session_leader.parent.session_leader.entity_id + level: extended + type: keyword + ignore_above: 1024 + description: 'Unique identifier for the process. 
+ + The implementation of this is specified by the data source, but some examples + of what could be used here are a process-generated UUID, Sysmon Process GUIDs, + or a hash of some uniquely identifying components of a process. + + Constructing a globally unique identifier is a common practice to mitigate + PID reuse as well as to identify a specific process over time, across multiple + monitored hosts.' + example: c2c455d9f99375d + default_field: false + - name: session_leader.parent.session_leader.pid + level: core + type: long + format: string + description: Process id. + example: 4242 + default_field: false + - name: session_leader.parent.session_leader.start + level: extended + type: date + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + default_field: false + - name: session_leader.parent.session_leader.vpid + level: core + type: long + format: string + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + default_field: false + - name: session_leader.parent.start + level: extended + type: date + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + default_field: false + - name: session_leader.parent.vpid + level: core + type: long + format: string + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + default_field: false + - name: session_leader.pid + level: core + type: long + format: string + description: Process id. + example: 4242 + default_field: false + - name: session_leader.real_group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. 
+ default_field: false + - name: session_leader.real_group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: session_leader.real_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: session_leader.real_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: session_leader.same_as_process + level: extended + type: boolean + description: 'This boolean is used to identify if a leader process is the same + as the top level process. + + For example, if `process.group_leader.same_as_process = true`, it means the + process event in question is the leader of its process group. Details under + `process.*` like `pid` would be the same under `process.group_leader.*` The + same applies for both `process.session_leader` and `process.entry_leader`. + + This field exists to the benefit of EQL and other rule engines since it''s + not possible to compare equality between two fields in a single document. + e.g `process.entity_id` = `process.group_leader.entity_id` (top level process + is the process group leader) OR `process.entity_id` = `process.entry_leader.entity_id` + (top level process is the entry session leader) + + Instead these rules could be written like: `process.group_leader.same_as_process: + true` OR `process.entry_leader.same_as_process: true` + + Note: This field is only set on `process.entry_leader`, `process.session_leader` + and `process.group_leader`.' + example: true + default_field: false + - name: session_leader.saved_group.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. 
+ default_field: false + - name: session_leader.saved_group.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: session_leader.saved_user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: session_leader.saved_user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: session_leader.start + level: extended + type: date + description: The time the process started. + example: '2016-05-23T08:05:34.853Z' + default_field: false + - name: session_leader.tty + level: extended + type: object + description: Information about the controlling TTY device. If set, the process + belongs to an interactive session. + default_field: false + - name: session_leader.tty.char_device.major + level: extended + type: long + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. + example: 4 + default_field: false + - name: session_leader.tty.char_device.minor + level: extended + type: long + description: "The minor number is used only by the driver specified by the major\ + \ number; other parts of the kernel don\u2019t use it, and merely pass it\ + \ along to the driver. It is common for a driver to control several devices;\ + \ the minor number provides a way for the driver to differentiate among them." + example: 1 + default_field: false + - name: session_leader.user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. 
+ example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: session_leader.user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: session_leader.vpid + level: core + type: long + format: string + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + default_field: false + - name: session_leader.working_directory + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: The working directory of the process. + example: /home/alice + default_field: false + - name: supplemental_groups.id + level: extended + type: keyword + ignore_above: 1024 + description: Unique identifier for the group on the system/platform. + default_field: false + - name: supplemental_groups.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the group. + default_field: false + - name: tty + level: extended + type: object + description: Information about the controlling TTY device. If set, the process + belongs to an interactive session. + default_field: false + - name: tty.char_device.major + level: extended + type: long + description: The major number identifies the driver associated with the device. + The character device's major and minor numbers can be algorithmically combined + to produce the more familiar terminal identifiers such as "ttyS0" and "pts/0". + For more details, please refer to the Linux kernel documentation. 
+ example: 4 + default_field: false + - name: tty.char_device.minor + level: extended + type: long + description: "The minor number is used only by the driver specified by the major\ + \ number; other parts of the kernel don\u2019t use it, and merely pass it\ + \ along to the driver. It is common for a driver to control several devices;\ + \ the minor number provides a way for the driver to differentiate among them." + example: 1 + default_field: false + - name: tty.columns + level: extended + type: long + description: 'The number of character columns per line. e.g terminal width + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 80 + default_field: false + - name: tty.rows + level: extended + type: long + description: 'The number of character rows in the terminal. e.g terminal height + + Terminal sizes can change, so this value reflects the maximum value for a + given IO event. i.e. where event.action = ''text_output''' + example: 24 + default_field: false + - name: user.id + level: core + type: keyword + ignore_above: 1024 + description: Unique identifier of the user. + example: S-1-5-21-202424912787-2692429404-2351956786-1000 + default_field: false + - name: user.name + level: core + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: match_only_text + description: Short name or login of the user. + example: a.einstein + default_field: false + - name: vpid + level: core + type: long + format: string + description: 'Virtual process id. + + The process id within a pid namespace. This is not necessarily unique across + all processes on the host but it is unique within the process namespace that + the process exists within.' + example: 4242 + default_field: false diff --git a/x-pack/auditbeat/processors/sessionmd/fields.go b/x-pack/auditbeat/processors/sessionmd/fields.go new file mode 100644 index 00000000000..b409524b811 --- /dev/null 
+++ b/x-pack/auditbeat/processors/sessionmd/fields.go
@@ -0,0 +1,23 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License;
+// you may not use this file except in compliance with the Elastic License.
+
+// Code generated by beats/dev-tools/cmd/asset/asset.go - DO NOT EDIT.
+
+package sessionmd
+
+import (
+ "github.com/elastic/beats/v7/libbeat/asset"
+)
+
+func init() {
+ if err := asset.SetFields("auditbeat", "fields.yml", asset.BeatFieldsPri, AssetFieldsYml); err != nil {
+ panic(err)
+ }
+}
+
+// AssetFieldsYml returns asset data.
+// This is the base64 encoded zlib format compressed contents of fields.yml.
+func AssetFieldsYml() string {
+ return "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"
+}