
ZeArioch (Contributor) commented Feb 1, 2023

Hello 👋 this is just in case you are open to supporting third-party commercial tools.

FireEye's endpoint security HX product records process creation events and can make them available in data acquisition packages as XML structured data (see sample below). This is easily parsed into pandas DataFrames, and provides all required information for a process_tree schema.

I successfully tested this in a notebook; I could provide a sample acquisition package if needed.

<eventItem sequence_num="4257223597" uid="379727734">
    <timestamp>2023-01-11T06:21:59.774Z</timestamp>
    <eventType>processEvent</eventType>
    <details>
     <detail>
      <name>eventType</name>
      <value>start</value>
     </detail>
     <detail>
      <name>pid</name>
      <value>11604</value>
     </detail>
     <detail>
      <name>processPath</name>
      <value>C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe</value>
     </detail>
     <detail>
      <name>process</name>
      <value>msedge.exe</value>
     </detail>
     <detail>
      <name>parentPid</name>
      <value>17936</value>
     </detail>
     <detail>
      <name>parentProcessPath</name>
      <value>C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe</value>
     </detail>
     <detail>
      <name>parentProcess</name>
      <value>msedge.exe</value>
     </detail>
     <detail>
      <name>username</name>
      <value>SNIP_DOMAIN\SNIP_USER</value>
     </detail>
     <detail>
      <name>startTime</name>
      <value>2023-01-11T06:21:59.774Z</value>
     </detail>
     <detail>
      <name>md5</name>
      <value>0fd9e9bd708f1f69c9bb987cfc1f9a4c</value>
     </detail>
     <detail>
      <name>processCmdLine</name>
      <value>"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" SNIP_CMDLINE</value>
     </detail>
    </details>
</eventItem>

Note: the hostname comes from another source inside the HX acquisition package and is added to the dataframe on the side.
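An added example (not code from this PR or from msticpy) of the flattening step the description refers to: each `<detail>` name/value pair becomes a column, only `start` events are kept, pid fields are cast to int, and the hostname that lives elsewhere in the package is attached from the side. The sample events, the host name and the output column names are constructed assumptions.

```python
"""Flatten FireEye HX processEvent XML into process-tree rows (stdlib only)."""
import xml.etree.ElementTree as ET
from typing import Dict, List
from xml.sax.saxutils import escape

def _event(seq: int, ts: str, **details: str) -> str:
    """Build one constructed <eventItem> in the HX layout from name/value pairs."""
    body = "".join(f"<detail><name>{k}</name><value>{escape(v)}</value></detail>"
                   for k, v in details.items())
    return (f'<eventItem sequence_num="{seq}" uid="{seq}"><timestamp>{ts}</timestamp>'
            f"<eventType>processEvent</eventType><details>{body}</details></eventItem>")

# Constructed sample: two process starts and one stop; pids, user and times are made up.
SAMPLE_XML = "<itemList>" + _event(
    1, "2023-01-11T06:21:58.000Z", eventType="start", pid="17936", process="msedge.exe",
    parentPid="4120", parentProcess="explorer.exe", username=r"EXAMPLE\alice",
) + _event(
    2, "2023-01-11T06:21:59.774Z", eventType="start", pid="11604", process="msedge.exe",
    parentPid="17936", parentProcess="msedge.exe", username=r"EXAMPLE\alice",
) + _event(3, "2023-01-11T06:22:10.000Z", eventType="stop", pid="11604") + "</itemList>"

def parse_hx_process_starts(xml_text: str, hostname: str) -> List[Dict[str, object]]:
    """One flat row per processEvent 'start' item, ready for pd.DataFrame(rows).

    Each <detail> name/value pair becomes a column, pid columns are cast to int,
    and the hostname (kept elsewhere in the HX package) is added as 'host'.
    """
    rows: List[Dict[str, object]] = []
    for item in ET.fromstring(xml_text).iter("eventItem"):
        if item.findtext("eventType") != "processEvent":
            continue
        row: Dict[str, object] = {"host": hostname, "time_stamp": item.findtext("timestamp"),
                                  "sequence_num": int(item.get("sequence_num", "0"))}
        for detail in item.iter("detail"):
            row[detail.findtext("name", "")] = detail.findtext("value")
        if row.get("eventType") != "start":
            continue  # stop events carry no parent fields; only creations build the tree
        for col in ("pid", "parentPid"):
            row[col] = int(row[col]) if row.get(col) else None
        rows.append(row)
    return rows

def find_root_pids(rows: List[Dict[str, object]]) -> List[int]:
    """Pids whose parent never started inside the acquisition window (tree roots).
    Windows reuses pids, so a production key should combine host, pid and startTime."""
    started = {r["pid"] for r in rows}
    return sorted(r["pid"] for r in rows if r["parentPid"] not in started)
```

`pd.DataFrame(parse_hx_process_starts(xml_text, host))` gives the frame the schema mapping would be applied to; processes whose parent started before the acquisition window show up as roots rather than as children.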

ianhelle (Contributor) left a comment

Nice - thanks for the submission!
Definitely open to supporting whatever schemas people want to add.

ianhelle (Contributor) commented Feb 1, 2023

/azpipelines run

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

ZeArioch (Contributor, Author) commented Feb 2, 2023

@microsoft-github-policy-service agree

ianhelle (Contributor)

/azpipelines run

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

ianhelle (Contributor) commented Mar 8, 2023

/azpipelines run

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

@ianhelle ianhelle merged commit 85fd101 into microsoft:main Mar 8, 2023
@ZeArioch ZeArioch deleted the hx_proc_tree branch March 18, 2023 11:10