Open kqualters-elastic opened 2 years ago
Pinging @elastic/security-threat-hunting (Feature:Resolver)
Pinging @elastic/security-solution (Team: SecuritySolution)
@kqualters-elastic can we close this, or is there any pending task to be done? Thanks!
@MadameSheema no, we should keep this open. The pending task is still to do what the ticket describes, ha. They are currently fake and not true to reality, i.e. process trees with Windows process names and lifecycle event types have session data, and events with session data are never of type fork/exec, etc.
Describe the bug: Currently, the event generation script creates trees of events that consist exclusively of process events with event.type of start or end, which is what is found on Windows endpoints, together with some Linux-only fields, for testing. As of now this shouldn't cause any sort of bug; however, for testing behavior around fork/exec event types, the script is lacking.
Kibana/Elasticsearch Stack version: 8.2+
Server OS version: All
Browser and Browser OS versions: All
Elastic Endpoint version: N/A
Functional Area (e.g. Endpoint management, timelines, resolver, etc.): Analyzer
Steps to reproduce:
Current behavior: Windows lifecycle events contain POSIX eventing model fields.
Expected behavior: Trees of events with only Windows lifecycle events should not contain the eventing model fields. Trees with POSIX lifecycle event types should contain only those types of lifecycle events plus the eventing model fields.
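As an added example, not code from this issue, from Kibana or from its Resolver event generator, the following TypeScript checks a generated tree for exactly the mismatch described above: a tree whose lifecycle types are start/end (Windows) must carry no session data, and a tree whose lifecycle types are fork/exec/end (POSIX) must carry it on every event. The issue does not name the "eventing model fields"; this example assumes they are the ECS session-view leader fields process.entry_leader, process.session_leader and process.group_leader, and the sample trees are constructed for illustration.

```typescript
// Added example (not Kibana code). Session field names are assumed to be the
// ECS / Endpoint session-view leaders; the issue does not name them.
interface Leader {
  entity_id: string;
  name: string;
}

interface ProcessEvent {
  '@timestamp': string;
  event: { kind: 'event'; category: string[]; type: string[] };
  process: {
    entity_id: string;
    name: string;
    parent?: { entity_id: string };
    // Linux-only session fields (assumed names); absent on Windows endpoints.
    entry_leader?: Leader;
    session_leader?: Leader;
    group_leader?: Leader;
  };
}

type TreeModel = 'windows' | 'posix' | 'mixed' | 'empty';

const WINDOWS_ONLY_TYPES = ['start'];
const POSIX_ONLY_TYPES = ['fork', 'exec'];
const ALL_LIFECYCLE_TYPES = ['start', 'end', 'fork', 'exec'];
const SESSION_FIELDS = ['entry_leader', 'session_leader', 'group_leader'] as const;

function hasSessionData(e: ProcessEvent): boolean {
  return SESSION_FIELDS.some((f) => e.process[f] !== undefined);
}

// 'end' exists in both models, so the model is decided per tree, not per event.
function treeModel(tree: ProcessEvent[]): TreeModel {
  let win = false;
  let posix = false;
  for (const e of tree) {
    for (const t of e.event.type) {
      if (WINDOWS_ONLY_TYPES.indexOf(t) !== -1) win = true;
      if (POSIX_ONLY_TYPES.indexOf(t) !== -1) posix = true;
    }
  }
  if (win && posix) return 'mixed';
  if (win) return 'windows';
  if (posix) return 'posix';
  return 'empty';
}

// One message per problem; an empty array means the tree is consistent.
function validateTree(tree: ProcessEvent[]): string[] {
  const problems: string[] = [];
  const model = treeModel(tree);
  if (model === 'mixed') problems.push('tree mixes start with fork/exec lifecycle types');
  if (model === 'empty') problems.push('tree has no start, fork or exec event');
  for (const e of tree) {
    const id = e.process.entity_id;
    const unknown = e.event.type.filter((t) => ALL_LIFECYCLE_TYPES.indexOf(t) === -1);
    if (unknown.length > 0) problems.push(`${id}: unknown lifecycle type ${unknown.join(',')}`);
    if (model === 'windows' && hasSessionData(e)) {
      problems.push(`${id}: Windows lifecycle event carries session fields`);
    }
    if (model === 'posix' && !hasSessionData(e)) {
      problems.push(`${id}: POSIX lifecycle event lacks session fields`);
    }
  }
  return problems;
}

function makeEvent(id: string, name: string, type: string[], parent?: string, leader?: Leader): ProcessEvent {
  const e: ProcessEvent = {
    '@timestamp': '2023-01-01T00:00:00.000Z',
    event: { kind: 'event', category: ['process'], type },
    process: { entity_id: id, name },
  };
  if (parent !== undefined) e.process.parent = { entity_id: parent };
  if (leader !== undefined) {
    e.process.entry_leader = leader;
    e.process.session_leader = leader;
    e.process.group_leader = leader;
  }
  return e;
}

// Constructed sample trees. The first mirrors what the issue says the generator
// produces today: Windows names and start/end types with session data attached.
const explorer: Leader = { entity_id: 'w1', name: 'explorer.exe' };
const buggyWindowsTree: ProcessEvent[] = [
  makeEvent('w1', 'explorer.exe', ['start'], undefined, explorer),
  makeEvent('w2', 'cmd.exe', ['start'], 'w1', explorer),
  makeEvent('w2', 'cmd.exe', ['end'], 'w1', explorer),
];
const windowsTree: ProcessEvent[] = [
  makeEvent('w1', 'explorer.exe', ['start']),
  makeEvent('w2', 'cmd.exe', ['start'], 'w1'),
  makeEvent('w2', 'cmd.exe', ['end'], 'w1'),
];
const bash: Leader = { entity_id: 'p1', name: 'bash' };
const posixTree: ProcessEvent[] = [
  makeEvent('p1', 'bash', ['fork'], undefined, bash),
  makeEvent('p1', 'bash', ['exec'], undefined, bash),
  makeEvent('p2', 'curl', ['fork'], 'p1', bash),
  makeEvent('p2', 'curl', ['exec'], 'p1', bash),
  makeEvent('p2', 'curl', ['end'], 'p1', bash),
];

console.log(validateTree(buggyWindowsTree)); // three "carries session fields" problems
```

Running `validateTree` over the output of the generator script, per tree, would flag the current behavior (every event in the Windows-shaped tree carries session data) and pass both the Windows-only and the POSIX-only shapes the expected behavior calls for.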