elastic / integrations

Elastic Integrations
https://www.elastic.co/integrations

[carbon_black_cloud]: Process Start events not mapped correctly #11653

Open mike-flowers-airbnb opened 3 weeks ago

mike-flowers-airbnb commented 3 weeks ago

Integration Name

VMware Carbon Black Cloud [carbon_black_cloud]

Dataset Name

carbon_black_cloud.endpoint_event

Integration Version

2.6.1

Agent Version

8.15.2

Agent Output Type

elasticsearch

Elasticsearch Version

8.15.1

OS Version and Architecture

Elastic Cloud

Software/API Version

No response

Error Message

No response

Event Original

No response

What did you do?

Default configuration for the integration

What did you see?

When reviewing events with event.action: ACTION_CREATE_PROCESS, the resulting process.* + process.parent.* fields do not accurately reflect the process being created and its parent. Instead, the data reflects the parent + grandparent involved in the process creation. See below the command line fields that are available for a sample record:

field                                              value
carbon_black_cloud.endpoint_event.target_cmdline   Google Chrome Helper (Renderer)
process.command_line                               Google Chrome --restart --restart
process.parent.command_line                        launchd

What did you expect to see?

The expectation here is threefold:

To accomplish this the mapping would need to rename the following:

Anything else?

cc: @btrieger
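The shift the report describes, as an added illustration (not the integration's ingest pipeline and not the fix in #11686): for ACTION_CREATE_PROCESS events, the CBC target fields become process.*, the current process.* (the actor) becomes process.parent.*, and any other action is left untouched. The flat dotted keys, the field pairs, the sample event and the OTHER_ACTION value are constructed for the example.

```python
import copy

# Constructed, illustrative field pairs (CBC target field -> ECS field it should fill).
TARGET_TO_PROCESS = {
    "carbon_black_cloud.endpoint_event.target_cmdline": "process.command_line",
}
# ECS fields that currently carry the actor and should instead describe the parent.
PROCESS_TO_PARENT = {
    "process.command_line": "process.parent.command_line",
}


def remap_process_start(event: dict) -> dict:
    """Return a copy of `event` with process fields shifted one level for
    ACTION_CREATE_PROCESS events; every other event.action is returned as-is."""
    if event.get("event.action") != "ACTION_CREATE_PROCESS":
        return copy.deepcopy(event)
    out = copy.deepcopy(event)
    # Reads come from the untouched `event`, so the two steps cannot clobber each other.
    # 1. actor (process.*) -> process.parent.*; the old process.parent.* (grandparent)
    #    is dropped because ECS has no grandparent field (assumption: nothing else needs it).
    for src, dst in PROCESS_TO_PARENT.items():
        if src in event:
            out[dst] = event[src]
        else:
            out.pop(dst, None)
    # 2. created process (CBC target_*) -> process.*; if the target field is absent,
    #    do not leave the actor's value masquerading as the created process.
    for src, dst in TARGET_TO_PROCESS.items():
        if src in event:
            out[dst] = event[src]
        else:
            out.pop(dst, None)
    return out


# Constructed sample event using the field values quoted in the report above.
SAMPLE_EVENT = {
    "event.action": "ACTION_CREATE_PROCESS",
    "carbon_black_cloud.endpoint_event.target_cmdline": "Google Chrome Helper (Renderer)",
    "process.command_line": "Google Chrome --restart --restart",
    "process.parent.command_line": "launchd",
}

if __name__ == "__main__":
    for key, value in remap_process_start(SAMPLE_EVENT).items():
        print(f"{key} = {value}")
```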

elasticmachine commented 3 weeks ago

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

efd6 commented 2 weeks ago

@mike-flowers-airbnb I have prepared #11686. Please take a look to see that it satisfies the requirement. Are you able to point to some documentation for the mapping that CBC uses?

mike-flowers-airbnb commented 2 weeks ago

@efd6 Appreciate the quick PR. Left some comments on it. For the documentation, this will be the best reference: https://developer.carbonblack.com/reference/carbon-black-cloud/data-forwarder/schema/latest/endpoint.event-1.1.0/#fields