Rename session -> session_info and restore legacy keyword field
gabriellandau committed Nov 27, 2022
1 parent 689de66 commit 08e4fc0
Showing 13 changed files with 145 additions and 51 deletions.
20 changes: 13 additions & 7 deletions custom_schemas/custom_process.yml
Expand Up @@ -281,6 +281,12 @@
description: >
Process authentication ID
- name: Ext.session
level: custom
type: keyword
description: >
Session information for the current process
- name: Ext.code_signature
level: custom
type: nested
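Review bot: the restored `- name: Ext.session` keyword entry in this hunk is described only as "Session information for the current process", and nothing in the definition marks it as the legacy field the commit message says it is, so a rule author reading the schema will expect it to hold the structured data that now lives under Ext.session_info. Suggest a description along the lines of "Legacy field retained for mapping compatibility; structured session data is in Ext.session_info.*", so the field's status is visible where it is defined.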
Expand Down Expand Up @@ -377,43 +383,43 @@
Indicates the protection level of this process. Uses the same syntax as Process Explorer.
Examples include PsProtectedSignerWinTcb, PsProtectedSignerWinTcb-Light, and PsProtectedSignerWindows-Light.
- name: Ext.session.logon_type
- name: Ext.session_info.logon_type
level: custom
type: keyword
description: >
Session logon type. Examples include Interactive, Network, and Service.
- name: Ext.session.client_address
- name: Ext.session_info.client_address
level: custom
type: keyword
description: >
Client's IPv4 or IPv6 address as a string, if available.
- name: Ext.session.id
- name: Ext.session_info.id
level: custom
type: unsigned_long
description: >
Session ID
- name: Ext.session.authentication_package
- name: Ext.session_info.authentication_package
level: custom
type: keyword
description: >
Name of authentication package used to log on, such as NTLM, Kerberos, or CloudAP
- name: Ext.session.relative_logon_time
- name: Ext.session_info.relative_logon_time
level: custom
type: double
description: >
Process creation time, relative to logon time, in seconds.
- name: Ext.session.relative_password_age
- name: Ext.session_info.relative_password_age
level: custom
type: double
description: >
Process creation time, relative to the last time the password was changed, in seconds.
- name: Ext.session.user_flags
- name: Ext.session_info.user_flags
level: custom
type: keyword
description: >
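Review bot: `Ext.session_info.id` is described only as "Session ID", which is ambiguous next to `Ext.authentication_id` ("Process authentication ID") defined earlier in this file, since both could be read as the logon session identifier. The sample event in this commit carries `"id": 1` alongside `"logon_type": "Interactive"`, which looks like a Windows session number rather than a logon LUID; if that is what it is, say so in the description and state that it is distinct from Ext.authentication_id, so the two are not conflated in detection logic.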
2 changes: 2 additions & 0 deletions custom_subsets/elastic_endpoint/alerts/malware_event.yaml
Expand Up @@ -779,6 +779,7 @@ fields:
ancestry: {}
authentication_id: {}
services: {}
session: {}
user: {}
code_signature:
fields:
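Review bot: this subset gains only the legacy `session: {}` keyword; the `session_info` object added to custom_subsets/elastic_endpoint/process/process.yaml in the same commit is not listed here, so malware alerts will carry the unstructured legacy field but none of the session_info.* fields (logon_type, client_address, authentication_package and so on). If that is intentional, a YAML comment on this line saying the structured session fields are process-event only would stop the next reader from "fixing" it; if not, `session_info:` with its `fields:` block belongs here as well.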
Expand Down Expand Up @@ -1008,6 +1009,7 @@ fields:
ancestry: {}
authentication_id: {}
services: {}
session: {}
user: {}
code_signature:
fields:
Original file line number Diff line number Diff line change
Expand Up @@ -648,6 +648,7 @@ fields:
dll:
fields: *dll-fields
services: {}
session: {}
user: {}
code_signature:
fields:
Original file line number Diff line number Diff line change
Expand Up @@ -622,6 +622,7 @@ fields:
ancestry: {}
authentication_id: {}
services: {}
session: {}
user: {}
code_signature:
fields:
3 changes: 2 additions & 1 deletion custom_subsets/elastic_endpoint/process/process.yaml
Expand Up @@ -179,7 +179,8 @@ fields:
protection: {}
relative_file_creation_time: {}
relative_file_name_modify_time: {}
session:
session: {}
session_info:
fields:
logon_type: {}
client_address: {}
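Review bot: only `logon_type: {}` and `client_address: {}` of the new `session_info` block are visible in this hunk, while the schema in this commit defines seven subfields (authentication_package, client_address, id, logon_type, relative_logon_time, relative_password_age, user_flags), and any subfield omitted from this subset silently drops out of the generated process data stream mapping. Worth confirming that the collapsed lines below list the remaining five before merging.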
12 changes: 12 additions & 0 deletions package/endpoint/data_stream/alerts/fields/fields.yml
Expand Up @@ -1293,6 +1293,12 @@
ignore_above: 1024
description: Services running in this process.
default_field: false
- name: process.Ext.session
level: custom
type: keyword
ignore_above: 1024
description: Session information for the current process
default_field: false
- name: process.Ext.token.domain
level: custom
type: keyword
Expand Down Expand Up @@ -4975,6 +4981,12 @@
ignore_above: 1024
description: Services running in this process.
default_field: false
- name: Ext.session
level: custom
type: keyword
ignore_above: 1024
description: Session information for the current process
default_field: false
- name: Ext.token.domain
level: custom
type: keyword
20 changes: 13 additions & 7 deletions package/endpoint/data_stream/process/fields/fields.yml
Expand Up @@ -891,40 +891,46 @@
type: double
description: Number of seconds since the process's name was modified. This information can come from the NTFS MFT. This number may be negative if the file's timestamp is in the future.
default_field: false
- name: Ext.session.authentication_package
- name: Ext.session
level: custom
type: keyword
ignore_above: 1024
description: Session information for the current process
default_field: false
- name: Ext.session_info.authentication_package
level: custom
type: keyword
ignore_above: 1024
description: Name of authentication package used to log on, such as NTLM, Kerberos, or CloudAP
default_field: false
- name: Ext.session.client_address
- name: Ext.session_info.client_address
level: custom
type: keyword
ignore_above: 1024
description: Client's IPv4 or IPv6 address as a string, if available.
default_field: false
- name: Ext.session.id
- name: Ext.session_info.id
level: custom
type: unsigned_long
description: Session ID
default_field: false
- name: Ext.session.logon_type
- name: Ext.session_info.logon_type
level: custom
type: keyword
ignore_above: 1024
description: Session logon type. Examples include Interactive, Network, and Service.
default_field: false
- name: Ext.session.relative_logon_time
- name: Ext.session_info.relative_logon_time
level: custom
type: double
description: Process creation time, relative to logon time, in seconds.
default_field: false
- name: Ext.session.relative_password_age
- name: Ext.session_info.relative_password_age
level: custom
type: double
description: Process creation time, relative to the last time the password was changed, in seconds.
default_field: false
- name: Ext.session.user_flags
- name: Ext.session_info.user_flags
level: custom
type: keyword
ignore_above: 1024
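Review bot: `Ext.session_info.client_address` is mapped as `keyword` although its description says it holds an IPv4 or IPv6 address. With `keyword`, CIDR and range queries against the field are unavailable and "::1" and "0:0:0:0:0:0:0:1" do not match each other, which matters for exactly the lateral-movement detections this logon data supports (logon_type Network with a remote client_address). Consider type `ip`; if the endpoint can also emit non-address strings in this field, say so in the description so the keyword mapping is understood to be deliberate rather than an oversight.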
2 changes: 1 addition & 1 deletion package/endpoint/data_stream/process/sample_event.json
Expand Up @@ -91,7 +91,7 @@
},
"relative_file_creation_time": 48628704.4029488,
"relative_file_name_modify_time": 48628704.4029488,
"session": {
"session_info": {
"logon_type": "Interactive",
"client_address": "127.0.0.1",
"id": 1,
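Review bot: the sample event is only renamed here (one addition and one deletion per the file summary, "session" becoming "session_info"), so it never shows the legacy `Ext.session` keyword that this commit restores to the mapping. If the endpoint still emits that string, add it to the sample so the example matches real events; if it no longer does, that is worth stating in the legacy field's description, because the sample as committed suggests only session_info is ever populated.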
17 changes: 10 additions & 7 deletions package/endpoint/docs/README.md
Expand Up @@ -194,6 +194,7 @@ sent by the endpoint.
| Target.process.Ext.memory_region.strings | Array of strings found within the memory region. | keyword |
| Target.process.Ext.protection | Indicates the protection level of this process. Uses the same syntax as Process Explorer. Examples include PsProtectedSignerWinTcb, PsProtectedSignerWinTcb-Light, and PsProtectedSignerWindows-Light. | keyword |
| Target.process.Ext.services | Services running in this process. | keyword |
| Target.process.Ext.session | Session information for the current process | keyword |
| Target.process.Ext.token.domain | Domain of token user. | keyword |
| Target.process.Ext.token.elevation | Whether the token is elevated or not | boolean |
| Target.process.Ext.token.elevation_type | What level of elevation the token has | keyword |
Expand Down Expand Up @@ -681,6 +682,7 @@ sent by the endpoint.
| process.Ext.memory_region.strings | Array of strings found within the memory region. | keyword |
| process.Ext.protection | Indicates the protection level of this process. Uses the same syntax as Process Explorer. Examples include PsProtectedSignerWinTcb, PsProtectedSignerWinTcb-Light, and PsProtectedSignerWindows-Light. | keyword |
| process.Ext.services | Services running in this process. | keyword |
| process.Ext.session | Session information for the current process | keyword |
| process.Ext.token.domain | Domain of token user. | keyword |
| process.Ext.token.elevation | Whether the token is elevated or not | boolean |
| process.Ext.token.elevation_type | What level of elevation the token has | keyword |
Expand Down Expand Up @@ -2096,13 +2098,14 @@ sent by the endpoint.
| process.Ext.protection | Indicates the protection level of this process. Uses the same syntax as Process Explorer. Examples include PsProtectedSignerWinTcb, PsProtectedSignerWinTcb-Light, and PsProtectedSignerWindows-Light. | keyword |
| process.Ext.relative_file_creation_time | Number of seconds since the process's file was created. This number may be negative if the file's timestamp is in the future. | double |
| process.Ext.relative_file_name_modify_time | Number of seconds since the process's name was modified. This information can come from the NTFS MFT. This number may be negative if the file's timestamp is in the future. | double |
| process.Ext.session.authentication_package | Name of authentication package used to log on, such as NTLM, Kerberos, or CloudAP | keyword |
| process.Ext.session.client_address | Client's IPv4 or IPv6 address as a string, if available. | keyword |
| process.Ext.session.id | Session ID | unsigned_long |
| process.Ext.session.logon_type | Session logon type. Examples include Interactive, Network, and Service. | keyword |
| process.Ext.session.relative_logon_time | Process creation time, relative to logon time, in seconds. | double |
| process.Ext.session.relative_password_age | Process creation time, relative to the last time the password was changed, in seconds. | double |
| process.Ext.session.user_flags | List of user flags associated with this logon session. Examples include LOGON_NTLMV2_ENABLED and LOGON_WINLOGON. | keyword |
| process.Ext.session | Session information for the current process | keyword |
| process.Ext.session_info.authentication_package | Name of authentication package used to log on, such as NTLM, Kerberos, or CloudAP | keyword |
| process.Ext.session_info.client_address | Client's IPv4 or IPv6 address as a string, if available. | keyword |
| process.Ext.session_info.id | Session ID | unsigned_long |
| process.Ext.session_info.logon_type | Session logon type. Examples include Interactive, Network, and Service. | keyword |
| process.Ext.session_info.relative_logon_time | Process creation time, relative to logon time, in seconds. | double |
| process.Ext.session_info.relative_password_age | Process creation time, relative to the last time the password was changed, in seconds. | double |
| process.Ext.session_info.user_flags | List of user flags associated with this logon session. Examples include LOGON_NTLMV2_ENABLED and LOGON_WINLOGON. | keyword |
| process.Ext.token.elevation | Whether the token is elevated or not | boolean |
| process.Ext.token.elevation_level | What level of elevation the token has | keyword |
| process.Ext.token.elevation_type | What level of elevation the token has | keyword |
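Review bot: the new `process.Ext.session` row sorts correctly ahead of the session_info.* rows, but its description column repeats the "Session information for the current process" wording from the field definition without saying the field is legacy; this table is what detection authors read, so whatever wording the schema adopts for the legacy field should land here too. As a side note from the unchanged context rows, `process.Ext.token.elevation_level` and `process.Ext.token.elevation_type` carry the identical description "What level of elevation the token has", which a follow-up could disambiguate.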
21 changes: 21 additions & 0 deletions schemas/v1/alerts/malware_event.yaml

21 changes: 21 additions & 0 deletions schemas/v1/alerts/memory_protection_event.yaml

10 changes: 10 additions & 0 deletions schemas/v1/alerts/ransomware_event.yaml