
Effective Process Parents, and File/Registry Effective Processes #263

Merged
merged 4 commits into from
Jun 20, 2022

Conversation

gabriellandau
Contributor

Change Summary

These fields contain information about an effective process.
The effective process is the process that requested a specific action without directly performing it.

Effective Parent Processes

Processes can have effective parents that differ from their regular parents.
For example, on Windows, wmic process call create notepad will ask WmiPrvSE.exe to launch notepad.exe.
WmiPrvSE will be notepad's parent, but wmic will be the effective parent.

Effective Processes

Events can have effective processes that differ from their regular processes.
For example, on Windows, reg add \\localhost\HKLM\Software\Foo /v Data /t REG_SZ /d 123
will result in a registry event from the Remote Registry service (svchost.exe).
In this case, the effective process will be reg.exe.

Sample values

See below for an example process creation event for wmic process call create notepad. Note the addition of process.Ext.effective_parent and how it differs from process.parent:

Full event here
{
	"@timestamp": "2022-06-14T19:09:01.3188768Z",
	"agent": {
		"id": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
		"type": "endpoint",
		"version": "8.4.0-SNAPSHOT"
	},
	"data_stream": {
		"dataset": "endpoint.events.process",
		"namespace": "default",
		"type": "logs"
	},
	"ecs": {
		"version": "1.11.0"
	},
	"elastic": {
		"agent": {
			"id": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
		}
	},
	"event": {
		"action": "start",
		"category": [
			"process"
		],
		"created": "2022-06-14T19:09:01.3188768Z",
		"dataset": "endpoint.events.process",
		"id": "MeXQZsaRQxDBzRm5++++++GR",
		"kind": "event",
		"module": "endpoint",
		"sequence": 845,
		"type": [
			"start"
		]
	},
	"host": {
		"architecture": "x86_64",
		"hostname": "DESKTOP-4S6F4KN",
		"id": "dabadaba-0000-0000-0000-000000000000",
		"ip": [
			"192.168.150.129",
			"fe80::f0b9:40c8:abac:9888",
			"169.254.19.88",
			"fe80::bcb5:643b:2ddb:1358",
			"127.0.0.1",
			"::1"
		],
		"mac": [
			"00:0c:29:61:18:2e",
			"18:1d:ea:b0:be:12"
		],
		"name": "DESKTOP-4S6F4KN",
		"os": {
			"Ext": {
				"variant": "Windows 10 Pro"
			},
			"family": "windows",
			"full": "Windows 10 Pro 21H2 (10.0.19044.1706)",
			"kernel": "21H2 (10.0.19044.1706)",
			"name": "Windows",
			"platform": "windows",
			"type": "windows",
			"version": "21H2 (10.0.19044.1706)"
		}
	},
	"message": "Endpoint process event",
	"process": {
		"Ext": {
			"ancestry": [
				"YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTQzMjAtMTMyOTg3NjIxNDMuNTk3ODg3NjAw",
				"YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTkwMC0xMzI5ODc2MjE0MS4xNDQ4OTQzMDA=",
				"YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTc2MC0xMzI5ODc2MjE0MC43ODQ4OTA0MDA=",
				"YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTYxMi0xMzI5ODc2MjE0MC42NDgyODEyMDA="
			],
			"authentication_id": "0x1bfbf",
			"code_signature": [
				{
					"exists": true,
					"status": "trusted",
					"subject_name": "Microsoft Windows",
					"trusted": true
				}
			],
			"effective_parent": {
				"entity_id": "YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTI3MzItMTMyOTk3MDczNDEuMjUyNTI3NDAw",
				"executable": "C:\\Windows\\System32\\wbem\\WMIC.exe",
				"name": "WMIC.exe",
				"pid": 2732
			},
			"token": {
				"elevation_level": "full",
				"integrity_level_name": "high",
				"security_attributes": [
					"TSA://ProcUnique"
				]
			}
		},
		"args": [
			"notepad"
		],
		"args_count": 1,
		"code_signature": {
			"exists": true,
			"status": "trusted",
			"subject_name": "Microsoft Windows",
			"trusted": true
		},
		"command_line": "notepad",
		"entity_id": "YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTcxNjQtMTMyOTk3MDczNDEuMzE4ODc2ODAw",
		"executable": "C:\\Windows\\System32\\notepad.exe",
		"hash": {
			"md5": "bbe80313cf12098d3fc4d8a42e9dbb33",
			"sha1": "5b80bbb07b1a84384e61fb3f9366cad97904ebea",
			"sha256": "371106996a6ff4700c8bfbfbc6d4e6f39cfa5c6691edc15223f680b49e5b0657"
		},
		"name": "notepad.exe",
		"parent": {
			"args": [
				"C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"
			],
			"args_count": 1,
			"command_line": "C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe",
			"entity_id": "YWFhYWFhYWEtYWFhYS1hYWFhLWFhYWEtYWFhYWFhYWFhYWFhLTQzMjAtMTMyOTg3NjIxNDMuNTk3ODg3NjAw",
			"executable": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
			"name": "WmiPrvSE.exe",
			"pid": 4320
		},
		"pe": {
			"original_file_name": "NOTEPAD.EXE"
		},
		"pid": 7164,
		"working_directory": "C:\\WINDOWS\\system32\\"
	},
	"user": {
		"domain": "DESKTOP-4S6F4KN",
		"id": "S-1-5-21-2862132742-1403383571-1346394525-1001",
		"name": "user"
	}
}

Release Target

This is targeting the 8.4.0 release.

Q/A

For mapping changes:

  • I ran make after making the schema changes, and committed any generated files (in schema/, generated/)
  • If these field(s) are "exception"-able, I made a companion PR to Kibana adding it (see Readme)
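As an added example (not code from the PR or the endpoint-package project), the following resolves the requesting process from the process.Ext.effective_parent field described above and flags events where a broker such as WmiPrvSE.exe spawned the process on another process's behalf. The sample event is a constructed, trimmed copy of the wmic/WmiPrvSE/notepad event shown in the PR; the function names are this example's own.

```python
"""Added example: use process.Ext.effective_parent to recover the real
requester of a process start and to flag broker-spawned processes."""
import json

# Constructed sample, trimmed from the PR's wmic -> WmiPrvSE -> notepad event.
SAMPLE_EVENT = json.loads(r'''
{
  "event": {"category": ["process"], "type": ["start"]},
  "process": {
    "name": "notepad.exe",
    "executable": "C:\\Windows\\System32\\notepad.exe",
    "pid": 7164,
    "parent": {"name": "WmiPrvSE.exe",
               "executable": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
               "pid": 4320},
    "Ext": {"effective_parent": {"name": "WMIC.exe",
                                 "executable": "C:\\Windows\\System32\\wbem\\WMIC.exe",
                                 "pid": 2732}}
  }
}
''')


def requesting_parent(event):
    """Return (parent, effective_parent). When the event carries no
    effective_parent, the direct parent is the requester."""
    proc = event.get("process", {})
    parent = proc.get("parent", {})
    effective = proc.get("Ext", {}).get("effective_parent") or parent
    return parent, effective


def parent_is_proxy(event):
    """True when the process was requested by a process other than the one
    that actually created it (e.g. wmic asking WmiPrvSE to start notepad)."""
    parent, effective = requesting_parent(event)
    return bool(parent) and effective.get("pid") != parent.get("pid")


def lineage(event):
    """Names from requester down to the child, for display in a detection
    or triage note; the effective parent is only listed when it differs."""
    parent, effective = requesting_parent(event)
    chain = [parent.get("name"), event.get("process", {}).get("name")]
    if parent_is_proxy(event):
        chain.insert(0, effective.get("name"))
    return chain
```

For the sample event, `lineage` yields WMIC.exe, WmiPrvSE.exe, notepad.exe, which is the chain a detection rule should reason about instead of the bare WmiPrvSE.exe parent.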

@gabriellandau gabriellandau added enhancement New feature or request schema schema changes Team:Integrations Label for the Integrations team v8.4.0 labels Jun 15, 2022
@elasticmachine
Contributor

elasticmachine commented Jun 15, 2022

💚 Build Succeeded


Build stats

  • Start Time: 2022-06-16T16:49:11.699+0000

  • Duration: 7 min 36 sec

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

@gabriellandau
Contributor Author

/test

@Trinity2019
Contributor

I'm curious about when we should make changes in the endpoint-package repo. As members of our team we all add fields/information to events/alerts, so I'm guessing we're all responsible for changing endpoint-package?

@gabriellandau
Contributor Author

I answered @Trinity2019's question elsewhere.

@gabriellandau
Contributor Author

/test

@gabriellandau
Contributor Author

I'm not sure exactly how I got a green build this time, but I at least had to:

rm -rf out
make -B

@gabriellandau
Contributor Author

I confirmed with Protections that this is a reasonable schema, at least to start. We can add more fields later if necessary.

@gabriellandau gabriellandau merged commit 894313f into master Jun 20, 2022
@gabriellandau gabriellandau deleted the improved-impersonation-tracking branch June 20, 2022 14:25