diff --git a/client/rest-high-level/src/test/java/org/elasticsearch/client/EqlIT.java b/client/rest-high-level/src/test/java/org/elasticsearch/client/EqlIT.java index c887e5459bc80..8dff2b3fabd41 100644 --- a/client/rest-high-level/src/test/java/org/elasticsearch/client/EqlIT.java +++ b/client/rest-high-level/src/test/java/org/elasticsearch/client/EqlIT.java @@ -40,9 +40,9 @@ public void testBasicSearch() throws Exception { assertNotNull(response); assertFalse(response.isTimeout()); assertNotNull(response.hits()); - assertNull(response.hits().events()); + assertNull(response.hits().sequences()); assertNull(response.hits().counts()); - assertNotNull(response.hits().sequences()); - assertThat(response.hits().sequences().size(), equalTo(2)); + assertNotNull(response.hits().events()); + assertThat(response.hits().events().size(), equalTo(1)); } } diff --git a/x-pack/plugin/eql/build.gradle b/x-pack/plugin/eql/build.gradle index 541c22fe52dd1..528139f34cf2a 100644 --- a/x-pack/plugin/eql/build.gradle +++ b/x-pack/plugin/eql/build.gradle @@ -17,6 +17,18 @@ ext { archivesBaseName = 'x-pack-eql' +// All integration tests live in qa modules +integTest.enabled = false + +// Instead we create a separate task to run the tests based on ESIntegTestCase +task internalClusterTest(type: Test) { + mustRunAfter test + include '**/*IT.class' + systemProperty 'es.set.netty.runtime.available.processors', 'false' +} + +check.dependsOn internalClusterTest + dependencies { compileOnly project(path: xpackModule('core'), configuration: 'default') compileOnly(project(':modules:lang-painless')) { 
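Review bot: The new assertions in testBasicSearch (`assertNotNull(response.hits().events())` and `events().size()` equal to 1) pin the single hard-coded hit that TransportEqlSearchAction.createResponse returns in this same commit, not any property of the query, so the test will need rewriting the moment the executor is wired in. A one-line comment above the assertions would make that coupling visible to the next person who touches either side: `// expectations mirror the stubbed response in TransportEqlSearchAction.createResponse`. testBasicSearch starts before the hunk.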
@@ -31,21 +43,17 @@ dependencies { testCompile project(path: ':modules:reindex', configuration: 'runtime') testCompile project(path: ':modules:parent-join', configuration: 'runtime') testCompile project(path: ':modules:analysis-common', configuration: 'runtime') -} -integTest.enabled = false -testingConventions.enabled = false + // TOML parser for EqlActionIT tests + testCompile 'io.ous:jtoml:2.0.0' -// Instead we create a separate task to run the tests based on ESIntegTestCase -task internalClusterTest(type: Test) { - description = '🌈🌈🌈🦄 Welcome to fantasy integration tests land! 🦄🌈🌈🌈' - mustRunAfter test + // JSON parser for tests input data + testCompile "com.fasterxml.jackson.core:jackson-core:${versions.jackson}" + testCompile "com.fasterxml.jackson.core:jackson-annotations:${versions.jackson}" + testCompile "com.fasterxml.jackson.core:jackson-databind:${versions.jackson}" - include '**/*IT.class' - systemProperty 'es.set.netty.runtime.available.processors', 'false' } -check.dependsOn internalClusterTest /**************************************************************** * Enable QA/rest integration tests for snapshot builds only * diff --git a/x-pack/plugin/eql/qa/rest/src/test/resources/rest-api-spec/test/eql/10_basic.yml b/x-pack/plugin/eql/qa/rest/src/test/resources/rest-api-spec/test/eql/10_basic.yml index fc7d93697ee15..a6f4dac4e5c0e 100644 --- a/x-pack/plugin/eql/qa/rest/src/test/resources/rest-api-spec/test/eql/10_basic.yml +++ b/x-pack/plugin/eql/qa/rest/src/test/resources/rest-api-spec/test/eql/10_basic.yml @@ -23,5 +23,5 @@ setup: - match: {timed_out: false} - match: {took: 0} - - match: {hits.total.value: 0} + - match: {hits.total.value: 1} diff --git a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchRequestBuilder.java b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchRequestBuilder.java new file mode 100644 index 0000000000000..2e808501ae9f8 --- /dev/null 
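Review bot: `testCompile 'io.ous:jtoml:2.0.0'` pins the version inline while the Jackson lines directly below it resolve through `${versions.jackson}`; putting jtoml into the same shared versions map (a new `jtoml` entry, constructed name) keeps dependency bumps in one place like the rest of the build. This hunk also drops `testingConventions.enabled = false` without the first hunk re-adding it, so the conventions check presumably now runs against the new `*IT` classes executed by `internalClusterTest`; confirm it recognizes that task, or add a short comment stating why the opt-out is no longer needed.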
+++ b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchRequestBuilder.java @@ -0,0 +1,58 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +package org.elasticsearch.xpack.eql.action; + +import org.elasticsearch.action.ActionRequestBuilder; +import org.elasticsearch.client.ElasticsearchClient; +import org.elasticsearch.index.query.QueryBuilder; + +public class EqlSearchRequestBuilder extends ActionRequestBuilder { + public EqlSearchRequestBuilder(ElasticsearchClient client, EqlSearchAction action) { + super(client, action, new EqlSearchRequest()); + } + + public EqlSearchRequestBuilder indices(String... indices) { + request.indices(indices); + return this; + } + + public EqlSearchRequestBuilder query(QueryBuilder query) { + request.query(query); + return this; + } + + public EqlSearchRequestBuilder timestampField(String timestampField) { + request.timestampField(timestampField); + return this; + } + + public EqlSearchRequestBuilder eventTypeField(String eventTypeField) { + request.eventTypeField(eventTypeField); + return this; + } + + public EqlSearchRequestBuilder implicitJoinKeyField(String implicitJoinKeyField) { + request.implicitJoinKeyField(implicitJoinKeyField); + return this; + } + + public EqlSearchRequestBuilder fetchSize(int size) { + request.fetchSize(size); + return this; + } + + public EqlSearchRequestBuilder searchAfter(Object[] values) { + request.searchAfter(values); + return this; + } + + public EqlSearchRequestBuilder rule(String rule) { + request.rule(rule); + return this; + } + +} diff --git a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchResponse.java b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchResponse.java index 0ffcab4ca93b5..e88e6d6b8f40e 100644 
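Review bot: EqlSearchRequestBuilder is a new public class with no Javadoc on the type or on any of its fluent setters, and `searchAfter(Object[] values)` takes an explicit array while its sibling `indices(String... indices)` uses varargs. `public EqlSearchRequestBuilder searchAfter(Object... values)` is source-compatible for callers that already pass an array and reads better at call sites. A class comment such as `/** Fluent builder for an EqlSearchRequest; each setter forwards to the wrapped request and returns this builder. */` would cover the rest, since every method visible here does exactly that.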
--- a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchResponse.java +++ b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchResponse.java 
@@ -27,50 +27,6 @@ import java.util.List; import java.util.Objects; - -/** - * Response to perform an eql search - * - * Example events response: - * List<SearchHit> events = Arrays.asList( - * new SearchHit(1, "111", null), - * new SearchHit(2, "222", null) - * ); - * EqlSearchResponse.Hits hits = new EqlSearchResponse.Hits(Arrays.asList( - * new EqlSearchResponse.Sequence(Collections.singletonList("4021"), events), - * new EqlSearchResponse.Sequence(Collections.singletonList("2343"), events) - * ), null, null, new TotalHits(0, TotalHits.Relation.EQUAL_TO)); - * EqlSearchResponse response = new EqlSearchResponse(hits, 5, false); - * - * - * Example sequence response: - * List<SearchHit> events1 = Arrays.asList( - * new SearchHit(1, "111", null), - * new SearchHit(2, "222", null) - * ); - * List<SearchHit> events2 = Arrays.asList( - * new SearchHit(1, "333", null), - * new SearchHit(2, "444", null) - * ); - * List<Sequence> sequences = Arrays.asList( - * new EqlSearchResponse.Sequence(new String[]{"4021"}, events1), - * new EqlSearchResponse.Sequence(new String[]{"2343"}, events2) - * ); - * - * EqlSearchResponse.Hits hits = new EqlSearchResponse.Hits(null, sequences, null, new TotalHits(100, TotalHits.Relation.EQUAL_TO)); - * EqlSearchResponse response = new EqlSearchResponse(hits, 5, false); - * - * - * Example count response: - * TotalHits totals = new TotalHits(100, TotalHits.Relation.EQUAL_TO); - * List<Count> counts = Arrays.asList( - * new EqlSearchResponse.Count(40, new String[]{"foo", "bar"}, .42233f), - * new EqlSearchResponse.Count(15, new String[]{"foo", "bar"}, .170275f) - * ); - * - * EqlSearchResponse.Hits hits = new EqlSearchResponse.Hits(null, null, counts, totals); - * EqlSearchResponse response = new EqlSearchResponse(hits, 5, false); - */ public class EqlSearchResponse extends ActionResponse implements ToXContentObject { private final Hits hits; 
@@ -399,7 +355,7 @@ public Hits(StreamInput in) throws IOException { } else { totalHits = null; } - events = in.readBoolean() ? in.readList(SearchHit::new) : null; + events = in.readBoolean() ? in.readList(SearchHit::new) : null; sequences = in.readBoolean() ? in.readList(Sequence::new) : null; counts = in.readBoolean() ? in.readList(Count::new) : null; } diff --git a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/plugin/EqlPlugin.java b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/plugin/EqlPlugin.java index 19396f2230263..c6f86b5105e0f 100644 --- a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/plugin/EqlPlugin.java +++ b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/plugin/EqlPlugin.java @@ -22,6 +22,7 @@ import org.elasticsearch.common.xcontent.NamedXContentRegistry; import org.elasticsearch.env.Environment; import org.elasticsearch.env.NodeEnvironment; +import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.plugins.ActionPlugin; import org.elasticsearch.plugins.Plugin; import org.elasticsearch.rest.RestController; @@ -45,6 +46,8 @@ public class EqlPlugin extends Plugin implements ActionPlugin { + private final boolean enabled; + private static final boolean EQL_FEATURE_FLAG_REGISTERED; static { 
@@ -69,16 +72,20 @@ public class EqlPlugin extends Plugin implements ActionPlugin { Setting.Property.NodeScope ); + public EqlPlugin(final Settings settings) { + this.enabled = EQL_ENABLED_SETTING.get(settings); + } + @Override public Collection createComponents(Client client, ClusterService clusterService, ThreadPool threadPool, ResourceWatcherService resourceWatcherService, ScriptService scriptService, NamedXContentRegistry xContentRegistry, Environment environment, NodeEnvironment nodeEnvironment, NamedWriteableRegistry namedWriteableRegistry, IndexNameExpressionResolver expressionResolver) { - return createComponents(client, clusterService.getClusterName().value(), namedWriteableRegistry); } - private Collection createComponents(Client client, String clusterName, NamedWriteableRegistry namedWriteableRegistry) { + private Collection createComponents(Client client, String clusterName, + NamedWriteableRegistry namedWriteableRegistry) { IndexResolver indexResolver = new IndexResolver(client, clusterName, DefaultDataTypeRegistry.INSTANCE); PlanExecutor planExecutor = new PlanExecutor(client, indexResolver, namedWriteableRegistry); return Arrays.asList(planExecutor); @@ -91,14 +98,6 @@ public Collection createGuiceModules() { return modules; } - @Override - public List> getActions() { - return Arrays.asList( - new ActionHandler<>(EqlSearchAction.INSTANCE, TransportEqlSearchAction.class), - new ActionHandler<>(EqlStatsAction.INSTANCE, TransportEqlStatsAction.class) - ); - } - /** * The settings defined by EQL plugin. * @@ -113,6 +112,17 @@ public List> getSettings() { } } + @Override + public List> getActions() { + if (enabled) { + return Arrays.asList( + new ActionHandler<>(EqlSearchAction.INSTANCE, TransportEqlSearchAction.class), + new ActionHandler<>(EqlStatsAction.INSTANCE, TransportEqlStatsAction.class) + ); + } + return Collections.emptyList(); + } + boolean isSnapshot() { return Build.CURRENT.isSnapshot(); } 
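Review bot: The new constructor evaluates `EQL_ENABLED_SETTING.get(settings)` directly, whereas the `getRestHandlers` code removed in the last hunk of this file went through `isEnabled(settings)`; if that helper also folded in the snapshot/feature-flag gate that `EQL_FEATURE_FLAG_REGISTERED` hints at, both `getActions` and `getRestHandlers` now bypass it — `isEnabled` itself is not visible in this diff, so please confirm. Separately, `getActions` and `getRestHandlers` are now conditional on `enabled`, but `createComponents` still builds IndexResolver and PlanExecutor unconditionally; either gate it the same way or say so on the constructor: `/** Reads EQL_ENABLED_SETTING once; actions and REST handlers are registered only when it is true, components are always created. */`.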
@@ -131,9 +141,14 @@ public List getRestHandlers(Settings settings,
 IndexNameExpressionResolver indexNameExpressionResolver,
 Supplier nodesInCluster) {
- if (isEnabled(settings) == false) {
- return Collections.emptyList();
+ if (enabled) {
+ return Arrays.asList(new RestEqlSearchAction(), new RestEqlStatsAction());
 }
- return Arrays.asList(new RestEqlSearchAction(), new RestEqlStatsAction());
+ return Collections.emptyList();
+ }
+
+ // overridable by tests
+ protected XPackLicenseState getLicenseState() {
+ return XPackPlugin.getSharedLicenseState();
 }
 }
\ No newline at end of file
diff --git a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/plugin/TransportEqlSearchAction.java b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/plugin/TransportEqlSearchAction.java
index 75e1478cdf032..f9c3746250b96 100644
--- a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/plugin/TransportEqlSearchAction.java
+++ b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/plugin/TransportEqlSearchAction.java
@@ -31,7 +31,6 @@
 import java.time.ZoneId;
 import java.util.Arrays;
-import java.util.Collections;
 import java.util.List;
 public class TransportEqlSearchAction extends HandledTransportAction {
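Review bot: `getLicenseState()` is added as a protected hook documented only by `// overridable by tests`, and nothing on the new side of this file calls it, so the plugin still performs no license check anywhere in this diff; a reader who spots `XPackPlugin.getSharedLicenseState()` may assume EQL is license-gated. Make the contract explicit, e.g. `/** License state for future feature checks; not consulted yet. Overridden by LocalStateEqlXPackPlugin in tests. */`, or wire the check into getActions/getRestHandlers in the same change. `XPackPlugin` is not among the imports this diff adds, so presumably it was already imported — worth a quick check. The file also keeps its missing trailing newline (`\ No newline at end of file`) while TransportEqlSearchAction fixes the same thing below.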
@@ -41,7 +40,7 @@ public class TransportEqlSearchAction extends HandledTransportAction listener) { + String clusterName, ActionListener listener) { // TODO: these should be sent by the client ZoneId zoneId = DateUtils.of("Z"); QueryBuilder filter = request.query(); TimeValue timeout = TimeValue.timeValueSeconds(30); boolean includeFrozen = request.indicesOptions().ignoreThrottled() == false; String clientId = null; - + ParserParams params = new ParserParams() - .fieldEventType(request.eventTypeField()) - .fieldTimestamp(request.timestampField()) - .implicitJoinKey(request.implicitJoinKeyField()); - + .fieldEventType(request.eventTypeField()) + .fieldTimestamp(request.timestampField()) + .implicitJoinKey(request.implicitJoinKeyField()); + Configuration cfg = new Configuration(request.indices(), zoneId, username, clusterName, filter, timeout, includeFrozen, clientId); //planExecutor.eql(cfg, request.rule(), params, wrap(r -> listener.onResponse(createResponse(r)), listener::onFailure)); listener.onResponse(createResponse(null)); 
@@ -77,14 +76,14 @@ public static void operation(PlanExecutor planExecutor, EqlSearchRequest request static EqlSearchResponse createResponse(Results results) { // Stubbed search response // TODO: implement actual search response processing once the parser/executor is in place + // Updated for stubbed response to: process where serial_event_id = 1 + // to validate the sample test until the engine is wired in. List events = Arrays.asList( - new SearchHit(1, "111", null, null), - new SearchHit(2, "222", null, null) + new SearchHit(1, "111", null, null) ); - EqlSearchResponse.Hits hits = new EqlSearchResponse.Hits(null, Arrays.asList( - new EqlSearchResponse.Sequence(Collections.singletonList("4021"), events), - new EqlSearchResponse.Sequence(Collections.singletonList("2343"), events) - ), null, new TotalHits(0, TotalHits.Relation.EQUAL_TO)); + EqlSearchResponse.Hits hits = new EqlSearchResponse.Hits(events, null, + null, new TotalHits(1, TotalHits.Relation.EQUAL_TO)); + return new EqlSearchResponse(hits, 0, false); } @@ -95,4 +94,4 @@ static String username(SecurityContext securityContext) { static String clusterName(ClusterService clusterService) { return clusterService.getClusterName().value(); } -} \ No newline at end of file +} diff --git a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/EqlTestUtils.java b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/EqlTestUtils.java index dba73070690db..52545a5c672c5 100644 --- a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/EqlTestUtils.java +++ b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/EqlTestUtils.java 
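Review bot: `createResponse(Results results)` still ignores its `results` argument and now returns one fixed `SearchHit(1, "111", ...)` with `TotalHits(1, ...)`, whose only purpose is to satisfy EqlActionIT and EqlIT; the new comment describes the query it imitates but not that two tests depend on these exact values. Rephrase it so all three places move together: `// Stub: keep in sync with EqlActionIT and EqlIT expectations until PlanExecutor.eql is wired in (see commented call in operation()).` The unused parameter is fine for a stub, but naming it in the comment avoids an "unused parameter" cleanup that would break the intended signature.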
@@ -16,19 +16,20 @@ public final class EqlTestUtils { - private EqlTestUtils() {} + private EqlTestUtils() { + } - public static final Configuration TEST_CFG = new Configuration(new String[] { "none" }, org.elasticsearch.xpack.ql.util.DateUtils.UTC, - "nobody", "cluster", null, TimeValue.timeValueSeconds(30), false, ""); + public static final Configuration TEST_CFG = new Configuration(new String[]{"none"}, org.elasticsearch.xpack.ql.util.DateUtils.UTC, + "nobody", "cluster", null, TimeValue.timeValueSeconds(30), false, ""); public static Configuration randomConfiguration() { - return new Configuration(new String[] {randomAlphaOfLength(16)}, - randomZone(), - randomAlphaOfLength(16), - randomAlphaOfLength(16), - null, - new TimeValue(randomNonNegativeLong()), - randomBoolean(), - randomAlphaOfLength(16)); + return new Configuration(new String[]{randomAlphaOfLength(16)}, + randomZone(), + randomAlphaOfLength(16), + randomAlphaOfLength(16), + null, + new TimeValue(randomNonNegativeLong()), + randomBoolean(), + randomAlphaOfLength(16)); } } diff --git a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/AbstractEqlIntegTestCase.java b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/AbstractEqlIntegTestCase.java new file mode 100644 index 0000000000000..a7f1cf5099766 --- /dev/null +++ b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/AbstractEqlIntegTestCase.java 
@@ -0,0 +1,41 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.xpack.eql.action;
+
+import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.license.LicenseService;
+import org.elasticsearch.plugins.Plugin;
+import org.elasticsearch.test.ESIntegTestCase;
+import org.elasticsearch.xpack.core.XPackSettings;
+import org.elasticsearch.xpack.eql.plugin.EqlPlugin;
+
+import java.util.Collection;
+import java.util.Collections;
+
+import static org.elasticsearch.test.ESIntegTestCase.Scope.SUITE;
+
+@ESIntegTestCase.ClusterScope(scope = SUITE, numDataNodes = 0, numClientNodes = 0, maxNumDataNodes = 0)
+public abstract class AbstractEqlIntegTestCase extends ESIntegTestCase {
+
+ @Override
+ protected Settings nodeSettings(int nodeOrdinal) {
+ Settings.Builder settings = Settings.builder().put(super.nodeSettings(nodeOrdinal));
+ settings.put(XPackSettings.SECURITY_ENABLED.getKey(), false);
+ settings.put(XPackSettings.MONITORING_ENABLED.getKey(), false);
+ settings.put(XPackSettings.WATCHER_ENABLED.getKey(), false);
+ settings.put(XPackSettings.GRAPH_ENABLED.getKey(), false);
+ settings.put(XPackSettings.MACHINE_LEARNING_ENABLED.getKey(), false);
+ settings.put(EqlPlugin.EQL_ENABLED_SETTING.getKey(), true);
+ settings.put(LicenseService.SELF_GENERATED_LICENSE_TYPE.getKey(), "trial");
+ return settings.build();
+ }
+
+ @Override
+ protected Collection> nodePlugins() {
+ return Collections.singletonList(LocalStateEqlXPackPlugin.class);
+ }
+}
+
diff --git a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlActionIT.java b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlActionIT.java
new file mode 100644
index 0000000000000..9fe49106015a3
--- /dev/null
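Review bot: `@ClusterScope(scope = SUITE, numDataNodes = 0, numClientNodes = 0, maxNumDataNodes = 0)` declares a cluster with no nodes, so the subclasses appear to rely on the test cluster starting a node lazily on the first `client()` call; if that is the intent it deserves a comment on the annotation, because a reader will otherwise expect the cluster to be empty. `nodeSettings` also switches off security, monitoring, watcher, graph and ML, forces `EQL_ENABLED_SETTING` on and self-generates a `trial` license, none of which is explained; a class Javadoc such as `/** Base class for EQL integration tests: other x-pack features disabled, trial license, EqlPlugin enabled through LocalStateEqlXPackPlugin. */` would spare every subclass author a trip through the settings list.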
+++ b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlActionIT.java 
@@ -0,0 +1,113 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +package org.elasticsearch.xpack.eql.action; + +import com.carrotsearch.randomizedtesting.annotations.ParametersFactory; +import com.fasterxml.jackson.databind.JsonNode; +import com.fasterxml.jackson.databind.ObjectMapper; +import org.elasticsearch.Build; +import org.elasticsearch.action.bulk.BulkRequestBuilder; +import org.elasticsearch.action.bulk.BulkResponse; +import org.elasticsearch.action.index.IndexRequest; +import org.elasticsearch.action.support.WriteRequest; +import org.elasticsearch.common.xcontent.XContentType; +import org.elasticsearch.search.SearchHit; +import org.junit.After; +import org.junit.Before; +import org.junit.BeforeClass; + +import java.util.ArrayList; +import java.util.Iterator; +import java.util.List; + +import static org.hamcrest.Matchers.equalTo; + +public class EqlActionIT extends AbstractEqlIntegTestCase { + + static final String indexPrefix = "endgame"; + static final String testIndexName = indexPrefix + "-1.4.0"; + protected static final String PARAM_FORMATTING = "%1$s.test"; + + + @BeforeClass + public static void checkForSnapshot() { + assumeTrue("Only works on snapshot builds for now", Build.CURRENT.isSnapshot()); + } + + @Before + public void setUpData() throws Exception { + // Insert test data + ObjectMapper mapper = new ObjectMapper(); + BulkRequestBuilder bulkBuilder = client().prepareBulk(); + JsonNode rootNode = mapper.readTree(EqlActionIT.class.getResourceAsStream("/test_data.json")); + Iterator entries = rootNode.elements(); + while (entries.hasNext()) { + JsonNode entry = entries.next(); + bulkBuilder.add(new IndexRequest(testIndexName).source(entry.toString(), XContentType.JSON)); + } + BulkResponse bulkResponse = 
bulkBuilder.setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).get(); + assertThat(bulkResponse.hasFailures() ? bulkResponse.buildFailureMessage() : "", bulkResponse.hasFailures(), equalTo(false)); + + ensureYellow(testIndexName); + } + + @After + public void tearDownData() { + client().admin().indices().prepareDelete(testIndexName).get(); + } + + @ParametersFactory(shuffle = false, argumentFormatting = PARAM_FORMATTING) + public static List readTestSpecs() throws Exception { + List testSpecs = new ArrayList<>(); + + // Load EQL validation specs + List specs = EqlSpecLoader.load("/test_queries.toml", true); + List unsupportedSpecs = EqlSpecLoader.load("/test_queries_unsupported.toml", false); + + // Validate only currently supported specs + int num = 1; // Seq number of the test + for (EqlSpec spec : specs) { + boolean supported = true; + // Check if spec is supported, simple iteration, cause the list is short. + for (EqlSpec unSpec : unsupportedSpecs) { + if (spec.query() != null && spec.query().equals(unSpec.query())) { + supported = false; + break; + } + } + + if (supported) { + testSpecs.add(new Object[]{num++, spec}); + } + } + return testSpecs; + } + + private final int num; + private final EqlSpec spec; + + public EqlActionIT(int num, EqlSpec spec) { + this.num = num; + this.spec = spec; + } + + public final void test() { + EqlSearchResponse response = new EqlSearchRequestBuilder(client(), EqlSearchAction.INSTANCE) + .indices(testIndexName).rule(spec.query()).get(); + + List events = response.hits().events(); + assertNotNull(events); + + final int len = events.size(); + final long ids[] = new long[len]; + for (int i = 0; i < events.size(); i++) { + ids[i] = events.get(i).docId(); + } + final String msg = "unexpected result for spec: [" + spec.toString() + "]"; + assertArrayEquals(msg, spec.expectedEventIds(), ids); + } +} 
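Review bot: `test()` compares `events.get(i).docId()` with `spec.expectedEventIds()`, but if `SearchHit.docId()` is the Lucene-internal document id it bears no relation to the `serial_event_id` values the TOML specs are written against; it lines up today only because the stubbed response hands back `new SearchHit(1, ...)`, so once the engine is wired in the assertion should read the id from the hit source instead. Two smaller points in the same method: `final long ids[] = new long[len];` uses C-style array syntax, and the loop bounds on `events.size()` although `len` was computed for exactly that — `final long[] ids = new long[len]; for (int i = 0; i < len; i++) {`. The `static final` constants `indexPrefix` and `testIndexName` would conventionally be UPPER_SNAKE_CASE, and the O(n·m) scan in `readTestSpecs` is fine given the comment, but a `Set` of unsupported queries would remove the need for the comment at all.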
diff --git a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlSpec.java b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlSpec.java new file mode 100644 index 0000000000000..1db8269656f6e --- /dev/null +++ b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlSpec.java 
@@ -0,0 +1,86 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +package org.elasticsearch.xpack.eql.action; + +import org.elasticsearch.common.Strings; + +import java.util.Arrays; + +public class EqlSpec { + private String description; + private String note; + private String[] tags; + private String query; + private long[] expectedEventIds; + + public String description() { + return description; + } + + public void description(String description) { + this.description = description; + } + + public String note() { + return note; + } + + public void note(String note) { + this.note = note; + } + + public String[] tags() { + return tags; + } + + public void tags(String[] tags) { + this.tags = tags; + } + + public String query() { + return query; + } + + public void query(String query) { + this.query = query; + } + + public long[] expectedEventIds() { + return expectedEventIds; + } + + public void expectedEventIds(long[] expectedEventIds) { + this.expectedEventIds = expectedEventIds; + } + + @Override + public String toString() { + String str = ""; + str = appendWithComma(str, "query", query); + str = appendWithComma(str, "description", description); + str = appendWithComma(str, "note", note); + + if (tags != null) { + str = appendWithComma(str, "tags", Arrays.toString(tags)); + } + + if (expectedEventIds != null) { + str = appendWithComma(str, "expected_event_ids", Arrays.toString(expectedEventIds)); + } + return str; + } + + private static String appendWithComma(String str, String name, String append) { + if (!Strings.isNullOrEmpty(append)) { + if (!Strings.isNullOrEmpty(str)) { + str += ", "; + } + str += name + ": " + append; + } + return str; + } +} 
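Review bot: `appendWithComma` negates with `!Strings.isNullOrEmpty(...)` twice, while the Elasticsearch style seen elsewhere in this very diff (`isEnabled(settings) == false` in EqlPlugin) spells negation as `== false`; `if (Strings.isNullOrEmpty(append) == false) {` and `if (Strings.isNullOrEmpty(str) == false) {` would match the codebase. `tags()` and `expectedEventIds()` hand out the stored arrays directly, which is acceptable for a test-only holder, but every field is null until its setter runs and only `toString` guards for that, so a one-line class comment (`/** Mutable holder for one TOML test case; all fields are null until set by EqlSpecLoader. */`) would help readers of EqlActionIT.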
diff --git a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlSpecLoader.java b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlSpecLoader.java new file mode 100644 index 0000000000000..f5fe4f93c315d --- /dev/null +++ b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlSpecLoader.java 
@@ -0,0 +1,82 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +package org.elasticsearch.xpack.eql.action; + +import io.ous.jtoml.JToml; +import io.ous.jtoml.Toml; +import io.ous.jtoml.TomlTable; +import org.elasticsearch.common.Strings; + +import java.io.InputStream; +import java.util.ArrayList; +import java.util.List; + +public class EqlSpecLoader { + public static List load(String path, boolean supported) throws Exception { + try (InputStream is = EqlSpecLoader.class.getResourceAsStream(path)) { + return readFromStream(is, supported); + } + } + + private static void validateAndAddSpec(List specs, EqlSpec spec, boolean supported) throws Exception { + if (Strings.isNullOrEmpty(spec.query())) { + throw new IllegalArgumentException("Read a test without a query value"); + } + + if (supported && spec.expectedEventIds() == null) { + throw new IllegalArgumentException("Read a test without a expected_event_ids value"); + } + + specs.add(spec); + } + + private static String getTrimmedString(TomlTable table, String key) { + String s = table.getString(key); + if (s != null) { + return s.trim(); + } + return null; + } + + private static List readFromStream(InputStream is, boolean supported) throws Exception { + List testSpecs = new ArrayList<>(); + + EqlSpec spec; + Toml toml = JToml.parse(is); + + List queries = toml.getArrayTable("queries"); + for (TomlTable table : queries) { + spec = new EqlSpec(); + spec.query(getTrimmedString(table, "query")); + spec.note(getTrimmedString(table, "note")); + spec.description(getTrimmedString(table, "description")); + + List arr = table.getList("tags"); + if (arr != null) { + String tags[] = new String[arr.size()]; + int i = 0; + for (Object obj : arr) { + tags[i] = (String) obj; + } + spec.tags(tags); + } + + arr = 
table.getList("expected_event_ids"); + if (arr != null) { + long expectedEventIds[] = new long[arr.size()]; + int i = 0; + for (Object obj : arr) { + expectedEventIds[i++] = (Long) obj; + } + spec.expectedEventIds(expectedEventIds); + } + validateAndAddSpec(testSpecs, spec, supported); + } + + return testSpecs; + } +} diff --git a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/LocalStateEqlXPackPlugin.java b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/LocalStateEqlXPackPlugin.java new file mode 100644 index 0000000000000..7a6cd355a6ffa --- /dev/null +++ b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/LocalStateEqlXPackPlugin.java @@ -0,0 +1,28 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +package org.elasticsearch.xpack.eql.action; + +import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.license.XPackLicenseState; +import org.elasticsearch.xpack.core.LocalStateCompositeXPackPlugin; +import org.elasticsearch.xpack.eql.plugin.EqlPlugin; + +import java.nio.file.Path; + +public class LocalStateEqlXPackPlugin extends LocalStateCompositeXPackPlugin { + + public LocalStateEqlXPackPlugin(final Settings settings, final Path configPath) throws Exception { + super(settings, configPath); + LocalStateEqlXPackPlugin thisVar = this; + plugins.add(new EqlPlugin(settings) { + @Override + protected XPackLicenseState getLicenseState() { + return thisVar.getLicenseState(); + } + }); + } +} diff --git a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/plugin/EqlPluginTests.java b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/plugin/EqlPluginTests.java index 02c429a339665..03f14247d77f1 100644 
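Review bot: In `readFromStream` the loop that copies `tags` never advances `i` (`tags[i] = (String) obj;`), so every tag lands in index 0 and the remaining slots stay null, unlike the `expectedEventIds` loop directly below it which uses `expectedEventIds[i++]`. Either `tags[i++] = (String) obj;` or drop the loop for `spec.tags(arr.toArray(new String[0]));`. `load` also passes a null stream straight into `JToml.parse` when the resource path is wrong, which fails with a bare NPE; `Objects.requireNonNull(is, "missing test resource " + path)` (with `java.util.Objects` imported) would name the file in the failure.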
--- a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/plugin/EqlPluginTests.java
+++ b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/plugin/EqlPluginTests.java
@@ -6,6 +6,7 @@
 package org.elasticsearch.xpack.eql.plugin;
+import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.test.ESTestCase;
 import static org.hamcrest.Matchers.hasItem;
@@ -13,7 +14,7 @@ public class EqlPluginTests extends ESTestCase {
 public void testEnabledSettingRegisteredInSnapshotBuilds() {
- final EqlPlugin plugin = new EqlPlugin() {
+ final EqlPlugin plugin = new EqlPlugin(Settings.EMPTY) {
 @Override
 protected boolean isSnapshot() {
@@ -25,7 +26,7 @@ protected boolean isSnapshot() {
 }
 public void testEnabledSettingNotRegisteredInNonSnapshotBuilds() {
- final EqlPlugin plugin = new EqlPlugin() {
+ final EqlPlugin plugin = new EqlPlugin(Settings.EMPTY) {
 @Override
 protected boolean isSnapshot() {
diff --git a/x-pack/plugin/eql/src/test/resources/test_data.json b/x-pack/plugin/eql/src/test/resources/test_data.json
new file mode 100644
index 0000000000000..4a08e7f7a5542
--- /dev/null
+++ b/x-pack/plugin/eql/src/test/resources/test_data.json
@@ -0,0 +1,2080 @@ +[ + { + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "opcode": 3, + "pid": 0, + "process_name": "System Idle Process", + "serial_event_id": 1, + "subtype": "create", + "timestamp": 116444736000000000, + "unique_pid": 1 + }, + { + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "opcode": 3, + "parent_process_name": "System Idle Process", + "pid": 4, + "process_name": "System", + "serial_event_id": 2, + "subtype": "create", + "timestamp": 131485996510000000, + "unique_pid": 2, + "unique_ppid": 1, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "\\SystemRoot\\System32\\smss.exe", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "63d3c30b497347495b8ea78a38188969", + "opcode": 3, + "parent_process_name": "System", + "pid": 284, + "ppid": 4, + "process_name": "smss.exe", + "process_path": "C:\\Windows\\System32\\smss.exe", + "serial_event_id": 3, + "subtype": "create", + "timestamp": 131485996510000000, + "unique_pid": 3, + "unique_ppid": 2, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "60c2862b4bf0fd9f582ef344c2b1ec72", + "opcode": 3, + "pid": 372, + "ppid": 364, + "process_name": "csrss.exe", + "process_path": "C:\\Windows\\System32\\csrss.exe", + "serial_event_id": 4, + "subtype": "create", + "timestamp": 131485996510000000, + "unique_pid": 4, + "unique_ppid": 0, + "user_domain": 
"NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "wininit.exe", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "94355c28c1970635a31b3fe52eb7ceba", + "opcode": 3, + "pid": 424, + "ppid": 364, + "process_name": "wininit.exe", + "process_path": "C:\\Windows\\System32\\wininit.exe", + "serial_event_id": 5, + "subtype": "create", + "timestamp": 131485996510000000, + "unique_pid": 5, + "unique_ppid": 0, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "60c2862b4bf0fd9f582ef344c2b1ec72", + "opcode": 3, + "pid": 436, + "ppid": 416, + "process_name": "csrss.exe", + "process_path": "C:\\Windows\\System32\\csrss.exe", + "serial_event_id": 6, + "subtype": "create", + "timestamp": 131485996510000000, + "unique_pid": 6, + "unique_ppid": 0, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "winlogon.exe", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "1151b1baa6f350b1db6598e0fea7c457", + "opcode": 3, + "pid": 472, + "ppid": 416, + "process_name": "winlogon.exe", + "process_path": "C:\\Windows\\System32\\winlogon.exe", + "serial_event_id": 7, + "subtype": "create", + "timestamp": 131485996510000000, + "unique_pid": 7, + "unique_ppid": 0, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "C:\\Windows\\system32\\services.exe", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": 
"process_event", + "md5": "24acb7e5be595468e3b9aa488b9b4fcb", + "opcode": 3, + "parent_process_name": "wininit.exe", + "parent_process_path": "C:\\Windows\\System32\\wininit.exe", + "pid": 524, + "ppid": 424, + "process_name": "services.exe", + "process_path": "C:\\Windows\\System32\\services.exe", + "serial_event_id": 8, + "subtype": "create", + "timestamp": 131485996520000000, + "unique_pid": 8, + "unique_ppid": 5, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "C:\\Windows\\system32\\lsass.exe", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "7554a1b82b4a222fd4cc292abd38a558", + "opcode": 3, + "parent_process_name": "wininit.exe", + "parent_process_path": "C:\\Windows\\System32\\wininit.exe", + "pid": 536, + "ppid": 424, + "process_name": "lsass.exe", + "process_path": "C:\\Windows\\System32\\lsass.exe", + "serial_event_id": 9, + "subtype": "create", + "timestamp": 131485996520000000, + "unique_pid": 9, + "unique_ppid": 5, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "C:\\Windows\\system32\\lsm.exe", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "9662ee182644511439f1c53745dc1c88", + "opcode": 3, + "parent_process_name": "wininit.exe", + "parent_process_path": "C:\\Windows\\System32\\wininit.exe", + "pid": 544, + "ppid": 424, + "process_name": "lsm.exe", + "process_path": "C:\\Windows\\System32\\lsm.exe", + "serial_event_id": 10, + "subtype": "create", + "timestamp": 131485996520000000, + "unique_pid": 10, + "unique_ppid": 5, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "c78655bc80301d76ed4fef1c1ea40a7d", + "opcode": 3, + "parent_process_name": 
"services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 648, + "ppid": 524, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 11, + "subtype": "create", + "timestamp": 131485996520000000, + "unique_pid": 11, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "\"C:\\Program Files\\VMware\\VMware Tools\\vmacthlp.exe\"", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "3c4d41c4f8cdd2ca945e91a61e6cfbaf", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 708, + "ppid": 524, + "process_name": "vmacthlp.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmacthlp.exe", + "serial_event_id": 12, + "subtype": "create", + "timestamp": 131485996520000000, + "unique_pid": 12, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "C:\\Windows\\system32\\svchost.exe -k RPCSS", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "c78655bc80301d76ed4fef1c1ea40a7d", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 752, + "ppid": 524, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 13, + "subtype": "create", + "timestamp": 131485996520000000, + "unique_pid": 13, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "NETWORK SERVICE" + }, + { + "command_line": "\"LogonUI.exe\" /flags:0x0", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "715f03b4c7223349768013ea95d9e5b7", + "opcode": 3, + "parent_process_name": "winlogon.exe", + 
"parent_process_path": "C:\\Windows\\System32\\winlogon.exe", + "pid": 828, + "ppid": 472, + "process_name": "LogonUI.exe", + "process_path": "C:\\Windows\\System32\\LogonUI.exe", + "serial_event_id": 14, + "subtype": "create", + "timestamp": 131485996520000000, + "unique_pid": 14, + "unique_ppid": 7, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "c78655bc80301d76ed4fef1c1ea40a7d", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 848, + "ppid": 524, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 15, + "subtype": "create", + "timestamp": 131485996520000000, + "unique_pid": 15, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "LOCAL SERVICE" + }, + { + "command_line": "C:\\Windows\\System32\\svchost.exe -k LocalSystemNetworkRestricted", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "c78655bc80301d76ed4fef1c1ea40a7d", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 896, + "ppid": 524, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 16, + "subtype": "create", + "timestamp": 131485996520000000, + "unique_pid": 16, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "C:\\Windows\\system32\\svchost.exe -k netsvcs", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "c78655bc80301d76ed4fef1c1ea40a7d", + "opcode": 3, + "parent_process_name": "services.exe", + 
"parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 924, + "ppid": 524, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 17, + "subtype": "create", + "timestamp": 131485996520000000, + "unique_pid": 17, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "C:\\Windows\\system32\\svchost.exe -k LocalService", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "c78655bc80301d76ed4fef1c1ea40a7d", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 264, + "ppid": 524, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 18, + "subtype": "create", + "timestamp": 131485996530000000, + "unique_pid": 18, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "LOCAL SERVICE" + }, + { + "command_line": "C:\\Windows\\system32\\svchost.exe -k NetworkService", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "c78655bc80301d76ed4fef1c1ea40a7d", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 968, + "ppid": 524, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 19, + "subtype": "create", + "timestamp": 131485996530000000, + "unique_pid": 19, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "NETWORK SERVICE" + }, + { + "command_line": "C:\\Windows\\System32\\spoolsv.exe", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "b96c17b5dc1424d56eea3a99e97428cd", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": 
"C:\\Windows\\System32\\services.exe", + "pid": 1108, + "ppid": 524, + "process_name": "spoolsv.exe", + "process_path": "C:\\Windows\\System32\\spoolsv.exe", + "serial_event_id": 20, + "subtype": "create", + "timestamp": 131485996530000000, + "unique_pid": 20, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "C:\\Windows\\system32\\svchost.exe -k LocalServiceNoNetwork", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "c78655bc80301d76ed4fef1c1ea40a7d", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 1136, + "ppid": 524, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 21, + "subtype": "create", + "timestamp": 131485996530000000, + "unique_pid": 21, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "LOCAL SERVICE" + }, + { + "command_line": "\"C:\\Program Files\\VMware\\VMware Tools\\VMware VGAuth\\VGAuthService.exe\"", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "ccd745aa6425c7637a34ff12ed8a1c18", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 1320, + "ppid": 524, + "process_name": "VGAuthService.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\VMware VGAuth\\VGAuthService.exe", + "serial_event_id": 22, + "subtype": "create", + "timestamp": 131485996530000000, + "unique_pid": 22, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\"", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "404202d6f0628331aaade8c8f9ef6feb", + "opcode": 3, + 
"parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 1344, + "ppid": 524, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "serial_event_id": 23, + "subtype": "create", + "timestamp": 131485996530000000, + "unique_pid": 23, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "\"C:\\Program Files\\VMware\\VMware Tools\\VMware CAF\\pme\\bin\\ManagementAgentHost.exe\"", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "3f61b1a4fe078bb7705b508cfcbb987e", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 1376, + "ppid": 524, + "process_name": "ManagementAgentHost.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\VMware CAF\\pme\\bin\\ManagementAgentHost.exe", + "serial_event_id": 24, + "subtype": "create", + "timestamp": 131485996530000000, + "unique_pid": 24, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "C:\\Windows\\system32\\svchost.exe -k NetworkServiceNetworkRestricted", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "c78655bc80301d76ed4fef1c1ea40a7d", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 1692, + "ppid": 524, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 25, + "subtype": "create", + "timestamp": 131485996540000000, + "unique_pid": 25, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "NETWORK SERVICE" + }, + { + "command_line": "C:\\Windows\\system32\\wbem\\wmiprvse.exe", + "event_subtype_full": "already_running", + "event_type": 
"process", + "event_type_full": "process_event", + "md5": "8f4ecbbfe943030acfd9e892b2513ec1", + "opcode": 3, + "parent_process_name": "svchost.exe", + "parent_process_path": "C:\\Windows\\System32\\svchost.exe", + "pid": 1840, + "ppid": 648, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "serial_event_id": 26, + "subtype": "create", + "timestamp": 131485996540000000, + "unique_pid": 26, + "unique_ppid": 11, + "user_domain": "NT AUTHORITY", + "user_name": "NETWORK SERVICE" + }, + { + "command_line": "C:\\Windows\\System32\\msdtc.exe", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "de0ece52236cfa3ed2dbfc03f28253a8", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 960, + "ppid": 524, + "process_name": "msdtc.exe", + "process_path": "C:\\Windows\\System32\\msdtc.exe", + "serial_event_id": 27, + "subtype": "create", + "timestamp": 131485996550000000, + "unique_pid": 27, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "NETWORK SERVICE" + }, + { + "command_line": "%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "60c2862b4bf0fd9f582ef344c2b1ec72", + "opcode": 3, + "pid": 3048, + "ppid": 3040, + "process_name": "csrss.exe", + "process_path": "C:\\Windows\\System32\\csrss.exe", + "serial_event_id": 28, + "subtype": "create", + "timestamp": 131485996790000000, + "unique_pid": 28, + "unique_ppid": 0, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "winlogon.exe", 
+ "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "1151b1baa6f350b1db6598e0fea7c457", + "opcode": 3, + "pid": 2108, + "ppid": 3040, + "process_name": "winlogon.exe", + "process_path": "C:\\Windows\\System32\\winlogon.exe", + "serial_event_id": 29, + "subtype": "create", + "timestamp": 131485996790000000, + "unique_pid": 29, + "unique_ppid": 0, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "rdpclip", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "25d284eb2f12254c001afe9a82575a81", + "opcode": 3, + "parent_process_name": "svchost.exe", + "parent_process_path": "C:\\Windows\\System32\\svchost.exe", + "pid": 2704, + "ppid": 968, + "process_name": "rdpclip.exe", + "process_path": "C:\\Windows\\System32\\rdpclip.exe", + "serial_event_id": 30, + "subtype": "create", + "timestamp": 131485996810000000, + "unique_pid": 30, + "unique_ppid": 19, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "\"taskhost.exe\"", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "517110bd83835338c037269e603db55d", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 2776, + "ppid": 524, + "process_name": "taskhost.exe", + "process_path": "C:\\Windows\\System32\\taskhost.exe", + "serial_event_id": 31, + "subtype": "create", + "timestamp": 131485996810000000, + "unique_pid": 31, + "unique_ppid": 8, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "C:\\Windows\\system32\\sppsvc.exe", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "e17e0188bb90fae42d83e98707efa59c", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": 
"C:\\Windows\\System32\\services.exe", + "pid": 2804, + "ppid": 524, + "process_name": "sppsvc.exe", + "process_path": "C:\\Windows\\System32\\sppsvc.exe", + "serial_event_id": 32, + "subtype": "create", + "timestamp": 131485996810000000, + "unique_pid": 32, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "NETWORK SERVICE" + }, + { + "command_line": "\"C:\\Windows\\system32\\Dwm.exe\"", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "f162d5f5e845b9dc352dd1bad8cef1bc", + "opcode": 3, + "parent_process_name": "svchost.exe", + "parent_process_path": "C:\\Windows\\System32\\svchost.exe", + "pid": 2464, + "ppid": 896, + "process_name": "dwm.exe", + "process_path": "C:\\Windows\\System32\\dwm.exe", + "serial_event_id": 33, + "subtype": "create", + "timestamp": 131485997150000000, + "unique_pid": 33, + "unique_ppid": 16, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "C:\\Windows\\Explorer.EXE", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "ac4c51eb24aa95b77f705ab159189e24", + "opcode": 3, + "pid": 2460, + "ppid": 3052, + "process_name": "explorer.exe", + "process_path": "C:\\Windows\\explorer.exe", + "serial_event_id": 34, + "subtype": "create", + "timestamp": 131485997150000000, + "unique_pid": 34, + "unique_ppid": 0, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "404202d6f0628331aaade8c8f9ef6feb", + "opcode": 3, + "parent_process_name": "explorer.exe", + "parent_process_path": "C:\\Windows\\explorer.exe", + "pid": 2604, + "ppid": 2460, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + 
"serial_event_id": 35, + "subtype": "create", + "timestamp": 131485997150000000, + "unique_pid": 35, + "unique_ppid": 34, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "C:\\Windows\\system32\\SearchIndexer.exe /Embedding", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "ad31942bdf3d594c404874613bc2fe4d", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 1620, + "ppid": 524, + "process_name": "SearchIndexer.exe", + "process_path": "C:\\Windows\\System32\\SearchIndexer.exe", + "serial_event_id": 36, + "subtype": "create", + "timestamp": 131485997210000000, + "unique_pid": 36, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "C:\\Windows\\system32\\svchost.exe -k LocalServiceAndNoImpersonation", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "c78655bc80301d76ed4fef1c1ea40a7d", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 3684, + "ppid": 524, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 37, + "subtype": "create", + "timestamp": 131485997750000000, + "unique_pid": 37, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "LOCAL SERVICE" + }, + { + "command_line": "C:\\Windows\\System32\\svchost.exe -k secsvcs", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "c78655bc80301d76ed4fef1c1ea40a7d", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 3712, + "ppid": 524, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + 
"serial_event_id": 38, + "subtype": "create", + "timestamp": 131485997750000000, + "unique_pid": 38, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "\"C:\\Windows\\system32\\cmd.exe\" ", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "5746bd7e255dd6a8afa06f7c42c1ba41", + "opcode": 3, + "parent_process_name": "explorer.exe", + "parent_process_path": "C:\\Windows\\explorer.exe", + "pid": 2864, + "ppid": 2460, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "serial_event_id": 39, + "subtype": "create", + "timestamp": 131491838190000000, + "unique_pid": 39, + "unique_ppid": 34, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "\\??\\C:\\Windows\\system32\\conhost.exe", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "bd51024fb014064bc9fe8c715c18392f", + "opcode": 3, + "parent_process_name": "csrss.exe", + "parent_process_path": "C:\\Windows\\System32\\csrss.exe", + "pid": 2228, + "ppid": 3048, + "process_name": "conhost.exe", + "process_path": "C:\\Windows\\System32\\conhost.exe", + "serial_event_id": 40, + "subtype": "create", + "timestamp": 131491838190000000, + "unique_pid": 40, + "unique_ppid": 28, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "C:\\Windows\\system32\\svchost.exe -k SDRSVC", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "c78655bc80301d76ed4fef1c1ea40a7d", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 3820, + "ppid": 524, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 41, + "subtype": "create", + "timestamp": 131491940310000000, + "unique_pid": 
41, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "C:\\Windows\\servicing\\TrustedInstaller.exe", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "773212b2aaa24c1e31f10246b15b276c", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 3384, + "ppid": 524, + "process_name": "TrustedInstaller.exe", + "process_path": "C:\\Windows\\servicing\\TrustedInstaller.exe", + "serial_event_id": 42, + "subtype": "create", + "timestamp": 131509366130000000, + "unique_pid": 42, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "C:\\Windows\\system32\\wbem\\wmiprvse.exe", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "8f4ecbbfe943030acfd9e892b2513ec1", + "opcode": 3, + "parent_process_name": "svchost.exe", + "parent_process_path": "C:\\Windows\\System32\\svchost.exe", + "pid": 1860, + "ppid": 648, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "serial_event_id": 43, + "subtype": "create", + "timestamp": 131509366230000000, + "unique_pid": 43, + "unique_ppid": 11, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "taskeng.exe {6108575A-1CC2-4917-BB5D-5929CDC39B9C}", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "65ea57712340c09b1b0c427b4848ae05", + "opcode": 3, + "parent_process_name": "svchost.exe", + "parent_process_path": "C:\\Windows\\System32\\svchost.exe", + "pid": 660, + "ppid": 924, + "process_name": "taskeng.exe", + "process_path": "C:\\Windows\\System32\\taskeng.exe", + "serial_event_id": 44, + "subtype": "create", + "timestamp": 131509371900000000, + "unique_pid": 44, + "unique_ppid": 17, + 
"user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "C:\\Windows\\system32\\msiexec.exe /V", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "a190da6546501cb4146bbcc0b6a3f48b", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 760, + "ppid": 524, + "process_name": "msiexec.exe", + "process_path": "C:\\Windows\\System32\\msiexec.exe", + "serial_event_id": 45, + "subtype": "create", + "timestamp": 131509372370000000, + "unique_pid": 45, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "C:\\Windows\\system32\\wsmprovhost.exe -Embedding", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "3e5cfefdda537ddbed9f5c6c7e926cdd", + "opcode": 3, + "parent_process_name": "svchost.exe", + "parent_process_path": "C:\\Windows\\System32\\svchost.exe", + "pid": 2824, + "ppid": 648, + "process_name": "wsmprovhost.exe", + "process_path": "C:\\Windows\\System32\\wsmprovhost.exe", + "serial_event_id": 46, + "subtype": "create", + "timestamp": 131509373980000000, + "unique_pid": 46, + "unique_ppid": 11, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "C:\\Windows\\system32\\wsmprovhost.exe -Embedding", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "3e5cfefdda537ddbed9f5c6c7e926cdd", + "opcode": 3, + "parent_process_name": "svchost.exe", + "parent_process_path": "C:\\Windows\\System32\\svchost.exe", + "pid": 3408, + "ppid": 648, + "process_name": "wsmprovhost.exe", + "process_path": "C:\\Windows\\System32\\wsmprovhost.exe", + "serial_event_id": 47, + "subtype": "create", + "timestamp": 131509374020000000, + "unique_pid": 47, + "unique_ppid": 11, + "user_domain": "vagrant", + "user_name": "vagrant" 
+ }, + { + "command_line": "\"C:\\Python27\\python.exe\" worker.py --target c:\\workspace\\red_ttp\\process_name_masquerade.py", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "21f73cd55626f0ec9fbce53eafbef128", + "opcode": 3, + "parent_process_name": "wsmprovhost.exe", + "parent_process_path": "C:\\Windows\\System32\\wsmprovhost.exe", + "pid": 420, + "ppid": 3408, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 48, + "subtype": "create", + "timestamp": 131509374020000000, + "unique_pid": 48, + "unique_ppid": 47, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "\\??\\C:\\Windows\\system32\\conhost.exe", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "bd51024fb014064bc9fe8c715c18392f", + "opcode": 3, + "parent_process_name": "csrss.exe", + "parent_process_path": "C:\\Windows\\System32\\csrss.exe", + "pid": 3080, + "ppid": 372, + "process_name": "conhost.exe", + "process_path": "C:\\Windows\\System32\\conhost.exe", + "serial_event_id": 49, + "subtype": "create", + "timestamp": 131509374020000000, + "unique_pid": 49, + "unique_ppid": 4, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "C:\\Python27\\python.exe myappserver.py --log-file C:\\workspace\\dev\\myapp.out --update-server-port 8446 --sout C:\\workspace\\Libraries\\myapp\\myapp\\python\\myapp\\hunt_out.json", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "21f73cd55626f0ec9fbce53eafbef128", + "opcode": 3, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 1688, + "ppid": 420, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 50, + "subtype": "create", + "timestamp": 131509374100000000, + 
"unique_pid": 50, + "unique_ppid": 48, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "C:\\Python27\\python.exe C:\\workspace\\dev\\Simple_Https_Server\\simple_https_server.py", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "21f73cd55626f0ec9fbce53eafbef128", + "opcode": 3, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 1720, + "ppid": 420, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 51, + "subtype": "create", + "timestamp": 131509374100000000, + "unique_pid": 51, + "unique_ppid": 48, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "C:\\Windows\\System32\\LauncherProcess.exe", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "6a8649f3205b311e208ac35a04e99700", + "opcode": 3, + "parent_process_name": "svchost.exe", + "parent_process_path": "C:\\Windows\\System32\\svchost.exe", + "pid": 2164, + "ppid": 648, + "process_name": "LauncherProcess.exe", + "process_path": "C:\\Windows\\System32\\LauncherProcess.exe", + "serial_event_id": 52, + "subtype": "create", + "timestamp": 131509374150000000, + "unique_pid": 52, + "unique_ppid": 11, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "C:\\Windows\\system32\\cmd.exe /c \"c:\\workspace\\red_ttp\\process_name_masquerade.py\"", + "event_subtype_full": "creation_event", + "event_type": "process", + "event_type_full": "process_event", + "md5": "5746bd7e255dd6a8afa06f7c42c1ba41", + "opcode": 1, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 1788, + "ppid": 420, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "serial_event_id": 53, + "subtype": "create", + "timestamp": 131509374294209140, + 
"unique_pid": 53, + "unique_ppid": 48, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "\"C:\\Python27\\python.exe\" \"C:\\workspace\\red_ttp\\process_name_masquerade.py\" ", + "event_subtype_full": "creation_event", + "event_type": "process", + "event_type_full": "process_event", + "md5": "21f73cd55626f0ec9fbce53eafbef128", + "opcode": 1, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 2256, + "ppid": 1788, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 54, + "subtype": "create", + "timestamp": 131509374294365140, + "unique_pid": 54, + "unique_ppid": 53, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "svchost.exe", + "file_path": "C:\\workspace\\red_ttp\\svchost.exe", + "opcode": 0, + "pid": 2256, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 55, + "subtype": "create", + "timestamp": 131509374295457140, + "unique_pid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "svchost.exe", + "event_subtype_full": "creation_event", + "event_type": "process", + "event_type_full": "process_event", + "md5": "f49c54c4997a0401db0f6640a6111c52", + "opcode": 1, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 2760, + "ppid": 2256, + "process_name": "svchost.exe", + "process_path": "C:\\workspace\\red_ttp\\svchost.exe", + "serial_event_id": 56, + "subtype": "create", + "timestamp": 131509374295613140, + "unique_pid": 56, + "unique_ppid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "bytes_written_count": 20, + "bytes_written_string_list": [ + "en-US", + "en" + ], + "event_subtype_full": "registry_modify_event", + "event_type": "registry", + 
"event_type_full": "registry_event", + "key_path": "\\REGISTRY\\USER\\S-1-5-21-3942132181-2402070379-3970972291-1001_CLASSES\\Local Settings\\MuiCache\\1B\\52C64B7E\\LanguageList", + "key_type": "multiSz", + "opcode": 1, + "pid": 2460, + "process_name": "explorer.exe", + "process_path": "C:\\Windows\\explorer.exe", + "registry_key": "\\REGISTRY\\USER\\S-1-5-21-3942132181-2402070379-3970972291-1001_CLASSES\\Local Settings\\MuiCache\\1B\\52C64B7E", + "registry_path": "\\REGISTRY\\USER\\S-1-5-21-3942132181-2402070379-3970972291-1001_CLASSES\\Local Settings\\MuiCache\\1B\\52C64B7E\\LanguageList", + "registry_type": "multi_string", + "registry_value": "LanguageList", + "serial_event_id": 57, + "timestamp": 131509374306065200, + "unique_pid": 34, + "user_name": "vagrant" + }, + { + "event_subtype_full": "termination_event", + "event_type": "process", + "event_type_full": "process_event", + "exit_code": 0, + "md5": "f49c54c4997a0401db0f6640a6111c52", + "opcode": 2, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 2760, + "ppid": 2256, + "process_name": "svchost.exe", + "process_path": "C:\\workspace\\red_ttp\\svchost.exe", + "serial_event_id": 58, + "subtype": "terminate", + "timestamp": 131509374345689460, + "unique_pid": 56, + "unique_ppid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_delete_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "svchost.exe", + "file_path": "C:\\workspace\\red_ttp\\svchost.exe", + "opcode": 2, + "pid": 2256, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 59, + "subtype": "modify", + "timestamp": 131509374345689460, + "unique_pid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "SVCHOST.EXE-CB1B3AA2.pf", + "file_path": 
"C:\\Windows\\Prefetch\\SVCHOST.EXE-CB1B3AA2.pf", + "opcode": 0, + "pid": 896, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 60, + "subtype": "create", + "timestamp": 131509374345689460, + "unique_pid": 16, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "event_subtype_full": "file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "lsass.exe", + "file_path": "C:\\workspace\\red_ttp\\lsass.exe", + "opcode": 0, + "pid": 2256, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 61, + "subtype": "create", + "timestamp": 131509374345689460, + "unique_pid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "lsass.exe", + "event_subtype_full": "creation_event", + "event_type": "process", + "event_type_full": "process_event", + "md5": "f49c54c4997a0401db0f6640a6111c52", + "opcode": 1, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 3696, + "ppid": 2256, + "process_name": "lsass.exe", + "process_path": "C:\\workspace\\red_ttp\\lsass.exe", + "serial_event_id": 62, + "subtype": "create", + "timestamp": 131509374345689460, + "unique_pid": 62, + "unique_ppid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "request_event", + "event_type": "dns", + "event_type_full": "dns_event", + "opcode": 3008, + "pid": 924, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "query_name": "teredo.ipv6.microsoft.com.", + "serial_event_id": 63, + "timestamp": 131509374350369490, + "unique_pid": 17, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "event_subtype_full": "termination_event", + "event_type": "process", + "event_type_full": "process_event", + "exit_code": 0, + "md5": "f49c54c4997a0401db0f6640a6111c52", + "opcode": 2, + 
"parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 3696, + "ppid": 2256, + "process_name": "lsass.exe", + "process_path": "C:\\workspace\\red_ttp\\lsass.exe", + "serial_event_id": 64, + "subtype": "terminate", + "timestamp": 131509374395921780, + "unique_pid": 62, + "unique_ppid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_delete_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "lsass.exe", + "file_path": "C:\\workspace\\red_ttp\\lsass.exe", + "opcode": 2, + "pid": 2256, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 65, + "subtype": "modify", + "timestamp": 131509374395921780, + "unique_pid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "LSASS.EXE-02265BD5.pf", + "file_path": "C:\\Windows\\Prefetch\\LSASS.EXE-02265BD5.pf", + "opcode": 0, + "pid": 896, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 66, + "subtype": "create", + "timestamp": 131509374395921780, + "unique_pid": 16, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "event_subtype_full": "file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "services.exe", + "file_path": "C:\\workspace\\red_ttp\\services.exe", + "opcode": 0, + "pid": 2256, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 67, + "subtype": "create", + "timestamp": 131509374395921780, + "unique_pid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "services.exe", + "event_subtype_full": "creation_event", + "event_type": "process", + "event_type_full": "process_event", + "md5": "f49c54c4997a0401db0f6640a6111c52", + 
"opcode": 1, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 1832, + "ppid": 2256, + "process_name": "services.exe", + "process_path": "C:\\workspace\\red_ttp\\services.exe", + "serial_event_id": 68, + "subtype": "create", + "timestamp": 131509374395921780, + "unique_pid": 68, + "unique_ppid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "termination_event", + "event_type": "process", + "event_type_full": "process_event", + "exit_code": 0, + "md5": "f49c54c4997a0401db0f6640a6111c52", + "opcode": 2, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 1832, + "ppid": 2256, + "process_name": "services.exe", + "process_path": "C:\\workspace\\red_ttp\\services.exe", + "serial_event_id": 69, + "subtype": "terminate", + "timestamp": 131509374446778110, + "unique_pid": 68, + "unique_ppid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_delete_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "services.exe", + "file_path": "C:\\workspace\\red_ttp\\services.exe", + "opcode": 2, + "pid": 2256, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 70, + "subtype": "modify", + "timestamp": 131509374446778110, + "unique_pid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "SERVICES.EXE-01D9177B.pf", + "file_path": "C:\\Windows\\Prefetch\\SERVICES.EXE-01D9177B.pf", + "opcode": 0, + "pid": 896, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 71, + "subtype": "create", + "timestamp": 131509374446778110, + "unique_pid": 16, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "event_subtype_full": 
"file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "csrss.exe", + "file_path": "C:\\workspace\\red_ttp\\csrss.exe", + "opcode": 0, + "pid": 2256, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 72, + "subtype": "create", + "timestamp": 131509374446778110, + "unique_pid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "csrss.exe", + "event_subtype_full": "creation_event", + "event_type": "process", + "event_type_full": "process_event", + "md5": "f49c54c4997a0401db0f6640a6111c52", + "opcode": 1, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 3948, + "ppid": 2256, + "process_name": "csrss.exe", + "process_path": "C:\\workspace\\red_ttp\\csrss.exe", + "serial_event_id": 73, + "subtype": "create", + "timestamp": 131509374446778110, + "unique_pid": 73, + "unique_ppid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "termination_event", + "event_type": "process", + "event_type_full": "process_event", + "exit_code": 0, + "md5": "f49c54c4997a0401db0f6640a6111c52", + "opcode": 2, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 3948, + "ppid": 2256, + "process_name": "csrss.exe", + "process_path": "C:\\workspace\\red_ttp\\csrss.exe", + "serial_event_id": 74, + "subtype": "terminate", + "timestamp": 131509374497010430, + "unique_pid": 73, + "unique_ppid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_delete_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "csrss.exe", + "file_path": "C:\\workspace\\red_ttp\\csrss.exe", + "opcode": 2, + "pid": 2256, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 75, + "subtype": "modify", + "timestamp": 131509374497010430, + 
"unique_pid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "smss.exe", + "file_path": "C:\\workspace\\red_ttp\\smss.exe", + "opcode": 0, + "pid": 2256, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 76, + "subtype": "create", + "timestamp": 131509374497010430, + "unique_pid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "CSRSS.EXE-006B4E4D.pf", + "file_path": "C:\\Windows\\Prefetch\\CSRSS.EXE-006B4E4D.pf", + "opcode": 0, + "pid": 896, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 77, + "subtype": "create", + "timestamp": 131509374497010430, + "unique_pid": 16, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "smss.exe", + "event_subtype_full": "creation_event", + "event_type": "process", + "event_type_full": "process_event", + "md5": "f49c54c4997a0401db0f6640a6111c52", + "opcode": 1, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 3720, + "ppid": 2256, + "process_name": "smss.exe", + "process_path": "C:\\workspace\\red_ttp\\smss.exe", + "serial_event_id": 78, + "subtype": "create", + "timestamp": 131509374497010430, + "unique_pid": 78, + "unique_ppid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "bytes_written_count": 80, + "event_subtype_full": "registry_modify_event", + "event_type": "registry", + "event_type_full": "registry_event", + "key_path": "\\REGISTRY\\MACHINE\\SAM\\SAM\\DOMAINS\\Account\\Users\\000003E9\\F", + "key_type": "binary", + "opcode": 1, + "pid": 536, + "process_name": "lsass.exe", + "process_path": "C:\\Windows\\System32\\lsass.exe", + 
"registry_key": "\\REGISTRY\\MACHINE\\SAM\\SAM\\DOMAINS\\Account\\Users\\000003E9", + "registry_path": "\\REGISTRY\\MACHINE\\SAM\\SAM\\DOMAINS\\Account\\Users\\000003E9\\F", + "registry_type": "binary", + "registry_value": "F", + "serial_event_id": 79, + "timestamp": 131509374520566580, + "unique_pid": 9, + "user_name": "SYSTEM" + }, + { + "event_subtype_full": "termination_event", + "event_type": "process", + "event_type_full": "process_event", + "exit_code": 0, + "md5": "f49c54c4997a0401db0f6640a6111c52", + "opcode": 2, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 3720, + "ppid": 2256, + "process_name": "smss.exe", + "process_path": "C:\\workspace\\red_ttp\\smss.exe", + "serial_event_id": 80, + "subtype": "terminate", + "timestamp": 131509374547086750, + "unique_pid": 78, + "unique_ppid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_delete_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "smss.exe", + "file_path": "C:\\workspace\\red_ttp\\smss.exe", + "opcode": 2, + "pid": 2256, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 81, + "subtype": "modify", + "timestamp": 131509374547086750, + "unique_pid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "SMSS.EXE-8C66D82D.pf", + "file_path": "C:\\Windows\\Prefetch\\SMSS.EXE-8C66D82D.pf", + "opcode": 0, + "pid": 896, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 82, + "subtype": "create", + "timestamp": 131509374547086750, + "unique_pid": 16, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "event_subtype_full": "file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": 
"wininit.exe", + "file_path": "C:\\workspace\\red_ttp\\wininit.exe", + "opcode": 0, + "pid": 2256, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 83, + "subtype": "create", + "timestamp": 131509374547086750, + "unique_pid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "wininit.exe", + "event_subtype_full": "creation_event", + "event_type": "process", + "event_type_full": "process_event", + "md5": "f49c54c4997a0401db0f6640a6111c52", + "opcode": 1, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 1680, + "ppid": 2256, + "process_name": "wininit.exe", + "process_path": "C:\\workspace\\red_ttp\\wininit.exe", + "serial_event_id": 84, + "subtype": "create", + "timestamp": 131509374547086750, + "unique_pid": 84, + "unique_ppid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "termination_event", + "event_type": "process", + "event_type_full": "process_event", + "exit_code": 0, + "md5": "f49c54c4997a0401db0f6640a6111c52", + "opcode": 2, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 1680, + "ppid": 2256, + "process_name": "wininit.exe", + "process_path": "C:\\workspace\\red_ttp\\wininit.exe", + "serial_event_id": 85, + "subtype": "terminate", + "timestamp": 131509374597163070, + "unique_pid": 84, + "unique_ppid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_delete_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "wininit.exe", + "file_path": "C:\\workspace\\red_ttp\\wininit.exe", + "opcode": 2, + "pid": 2256, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 86, + "subtype": "modify", + "timestamp": 131509374597163070, + "unique_pid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + 
"event_subtype_full": "file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "WININIT.EXE-F4D46129.pf", + "file_path": "C:\\Windows\\Prefetch\\WININIT.EXE-F4D46129.pf", + "opcode": 0, + "pid": 896, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 87, + "subtype": "create", + "timestamp": 131509374597163070, + "unique_pid": 16, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "event_subtype_full": "file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "explorer.exe", + "file_path": "C:\\workspace\\red_ttp\\explorer.exe", + "opcode": 0, + "pid": 2256, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 88, + "subtype": "create", + "timestamp": 131509374597163070, + "unique_pid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "explorer.exe", + "event_subtype_full": "creation_event", + "event_type": "process", + "event_type_full": "process_event", + "md5": "f49c54c4997a0401db0f6640a6111c52", + "opcode": 1, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 4080, + "ppid": 2256, + "process_name": "explorer.exe", + "process_path": "C:\\workspace\\red_ttp\\explorer.exe", + "serial_event_id": 89, + "subtype": "create", + "timestamp": 131509374597163070, + "unique_pid": 89, + "unique_ppid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "termination_event", + "event_type": "process", + "event_type_full": "process_event", + "exit_code": 0, + "md5": "f49c54c4997a0401db0f6640a6111c52", + "opcode": 2, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 4080, + "ppid": 2256, + "process_name": "explorer.exe", + "process_path": "C:\\workspace\\red_ttp\\explorer.exe", + "serial_event_id": 90, + 
"subtype": "terminate", + "timestamp": 131509374647239400, + "unique_pid": 89, + "unique_ppid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_delete_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "explorer.exe", + "file_path": "C:\\workspace\\red_ttp\\explorer.exe", + "opcode": 2, + "pid": 2256, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 91, + "subtype": "modify", + "timestamp": 131509374647239400, + "unique_pid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "EXPLORER.EXE-854AF04C.pf", + "file_path": "C:\\Windows\\Prefetch\\EXPLORER.EXE-854AF04C.pf", + "opcode": 0, + "pid": 896, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 92, + "subtype": "create", + "timestamp": 131509374647239400, + "unique_pid": 16, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "event_subtype_full": "termination_event", + "event_type": "process", + "event_type_full": "process_event", + "exit_code": 0, + "md5": "21f73cd55626f0ec9fbce53eafbef128", + "opcode": 2, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 2256, + "ppid": 1788, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 93, + "subtype": "terminate", + "timestamp": 131509374647239400, + "unique_pid": 54, + "unique_ppid": 53, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "termination_event", + "event_type": "process", + "event_type_full": "process_event", + "exit_code": 0, + "md5": "5746bd7e255dd6a8afa06f7c42c1ba41", + "opcode": 2, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 
1788, + "ppid": 420, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "serial_event_id": 94, + "subtype": "terminate", + "timestamp": 131509374647239400, + "unique_pid": 53, + "unique_ppid": 48, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "something.json", + "file_path": "C:\\workspace\\dev\\TestLogs\\something.json", + "opcode": 0, + "pid": 420, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 95, + "subtype": "create", + "timestamp": 131509374647239400, + "unique_pid": 48, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "something.json", + "file_path": "C:\\workspace\\Libraries\\myapp\\myapp\\python\\myapp\\something.json", + "opcode": 0, + "pid": 420, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 96, + "subtype": "create", + "timestamp": 131509374647239400, + "unique_pid": 48, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "authentication_id": 854482244, + "command_line": "net localgroup administrators findme2", + "event_subtype_full": "creation_event", + "event_type": "process", + "event_type_full": "process_event", + "md5": "63dd6fbaabf881385899fd39df13dce3", + "opcode": 1, + "original_file_name": "NET.exe", + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 3608, + "ppid": 392, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "serial_event_id": 97, + "subtype": "create", + "timestamp": 131605904083494370, + "unique_pid": 750058, + "unique_ppid": 707545, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "authentication_id": 854482244, + 
"command_line": "C:\\Windows\\system32\\net1 localgroup administrators findme2", + "event_subtype_full": "creation_event", + "event_type": "process", + "event_type_full": "process_event", + "md5": "3b6928bc39e5530cead1e99269e7b1ee", + "opcode": 1, + "original_file_name": "net1.exe", + "parent_process_name": "net.exe", + "parent_process_path": "C:\\Windows\\System32\\net.exe", + "pid": 1348, + "ppid": 3608, + "process_name": "net1.exe", + "process_path": "C:\\Windows\\System32\\net1.exe", + "serial_event_id": 98, + "subtype": "create", + "timestamp": 131605904083806370, + "unique_pid": 750059, + "unique_ppid": 750058, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "authentication_id": 13728872, + "command_line": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\msbuild.exe tmp-file.csproj", + "event_subtype_full": "creation_event", + "event_type": "process", + "event_type_full": "process_event", + "md5": "4b736b85e5de65e572f28a91e31b99bf", + "opcode": 1, + "original_file_name": "MSBuild.exe", + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 860, + "ppid": 1196, + "process_name": "MSBuild.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe", + "serial_event_id": 75273, + "subtype": "create", + "timestamp": 131762381484502110, + "unique_pid": 75273, + "unique_ppid": 75248, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "termination_event", + "event_type": "process", + "event_type_full": "process_event", + "exit_code": 0, + "md5": "4b736b85e5de65e572f28a91e31b99bf", + "opcode": 2, + "original_file_name": "MSBuild.exe", + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 860, + "ppid": 1196, + "process_name": "MSBuild.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe", + "serial_event_id": 75303, + "subtype": "terminate", + "timestamp": 
131762381493483680, + "unique_pid": 75273, + "unique_ppid": 75248, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "destination_address": "10.6.48.157", + "destination_port": 8000, + "event_subtype_full": "ipv4_connection_attempt_event", + "event_type": "network", + "event_type_full": "network_event", + "opcode": 12, + "pid": 860, + "process_name": "MSBuild.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe", + "protocol": "tcp", + "serial_event_id": 75304, + "source_address": "10.6.48.157", + "source_port": 52178, + "subtype": "outgoing", + "timestamp": 131762381493039760, + "unique_pid": 75273, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "destination_address": "10.6.48.157", + "destination_port": 8000, + "event_subtype_full": "ipv4_connection_attempt_event", + "event_type": "network", + "event_type_full": "network_event", + "mysterious_field": { + "num": 100, + "outer_cross_match": "s3-c-x-y", + "subarray": [ + { + "a": "s0-a", + "b": [ + "s0-b" + ], + "c": [ + { + "x": { + "y": "s0-c-x-y" + }, + "z": "s0-c0-x-z" + }, + { + "x": { + "y": "s0-c-x-y" + }, + "z": "s0-c1-x-z" + } + ], + "cross_match": "s0-c1-x-z" + }, + { + "a": "s1-a", + "b": [ + "s1-b" + ], + "c": [] + }, + { + "a": "s2-a", + "b": [ + "s2-b" + ], + "c": [] + }, + { + "a": "s3-a", + "b": [ + "s3-b" + ], + "c": [ + { + "x": { + "y": "s3-c-x-y" + }, + "z": "s3-c-x-z" + } + ] + } + ], + "this_is_for_testing_nested_data": "true" + }, + "opcode": 12, + "pid": 10000, + "process_name": "MSBuild.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe", + "protocol": "tcp", + "serial_event_id": 75305, + "source_address": "10.6.48.157", + "source_port": 52178, + "subtype": "outgoing", + "timestamp": 131762381493039760, + "unique_pid": 99999, + "user_domain": "vagrant", + "user_name": "vagrant" + } +] 
diff --git a/x-pack/plugin/eql/src/test/resources/test_queries.toml b/x-pack/plugin/eql/src/test/resources/test_queries.toml
new file mode 100644
index 0000000000000..e2ee95c12e268
--- /dev/null
+++ b/x-pack/plugin/eql/src/test/resources/test_queries.toml
@@ -0,0 +1,1298 @@ +[[queries]] +query = 'process where serial_event_id = 1' +expected_event_ids = [1] + +[[queries]] +query = 'process where serial_event_id < 4' +expected_event_ids = [1, 2, 3] + +[[queries]] +query = 'process where true | head 6' +expected_event_ids = [1, 2, 3, 4, 5, 6] + +[[queries]] +query = 'process where false' +expected_event_ids = [] + +[[queries]] +expected_event_ids = [] +query = 'process where missing_field != null' + +[[queries]] +expected_event_ids = [1, 2, 3, 4, 5] +query = 'process where bad_field == null | head 5' + +[[queries]] +query = ''' + process where process_name == "impossible name" or (serial_event_id < 4.5 and serial_event_id >= 3.1) +''' +expected_event_ids = [4] + +[[queries]] +tags = ["comparisons", "pipes"] +query = ''' +process where serial_event_id <= 8 and serial_event_id > 7 +| filter serial_event_id == 8''' +expected_event_ids = [8] + +[[queries]] +query = ''' +process where true +| filter serial_event_id <= 10 +| filter serial_event_id > 6''' +expected_event_ids = [7, 8, 9, 10] + +[[queries]] +query = ''' +process where true +| filter serial_event_id <= 10 +| filter serial_event_id > 6 +| head 2''' +expected_event_ids = [7, 8] + +[[queries]] +query = ''' +process where true +| head 1000 +| filter serial_event_id <= 10 +| filter serial_event_id > 6 +| tail 2 +''' +expected_event_ids = [9, 10] + +[[queries]] +query = ''' +process where serial_event_id<=8 and serial_event_id > 7 +''' +expected_event_ids = [8] + +[[queries]] +note = "check that comparisons against null values return false" +expected_event_ids = [58, 64, 69, 74, 80, 85, 90, 93, 94, 75303] +query = 'process where exit_code >= 0' + +[[queries]] +note = "check that comparisons against null values return false" +expected_event_ids = [58, 64, 69, 74, 80, 85, 90, 93, 94, 75303] +query = 'process where 0 <= exit_code' + +[[queries]] +note = "check that comparisons against null values return false" +expected_event_ids = [58, 64, 69, 74, 80, 85, 90, 93, 94, 
75303] +query = 'process where exit_code <= 0' + +[[queries]] +note = "check that comparisons against null values return false" +expected_event_ids = [58, 64, 69, 74, 80, 85, 90, 93, 94, 75303] +query = 'process where exit_code < 1' + +[[queries]] +note = "check that comparisons against null values return false" +expected_event_ids = [58, 64, 69, 74, 80, 85, 90, 93, 94, 75303] +query = 'process where exit_code > -1' + +[[queries]] +note = "check that comparisons against null values return false" +expected_event_ids = [58, 64, 69, 74, 80, 85, 90, 93, 94, 75303] +query = 'process where -1 < exit_code' + +[[queries]] +note = "check that comparisons against null values return false" +expected_event_ids = [] +query = ''' +process where not (exit_code > -1) + and serial_event_id in (58, 64, 69, 74, 80, 85, 90, 93, 94) +| head 10 +''' + +[[queries]] +note = "check that comparisons against null values return false" +expected_event_ids = [1, 2, 3, 4, 5, 6, 7] +query = 'process where not (exit_code > -1) | head 7' + +[[queries]] +note = "check that comparisons against null values return false" +expected_event_ids = [1, 2, 3, 4, 5, 6, 7] +query = 'process where not (-1 < exit_code) | head 7' + +[[queries]] +query = 'process where exit_code > 0' +expected_event_ids = [] + +[[queries]] +query = 'process where exit_code < 0' +expected_event_ids = [] + +[[queries]] +query = 'process where 0 < exit_code' +expected_event_ids = [] + +[[queries]] +query = 'process where 0 > exit_code' +expected_event_ids = [] + +[[queries]] +query = 'process where (serial_event_id<=8 and serial_event_id > 7) and (opcode=3 and opcode>2)' +expected_event_ids = [8] + +[[queries]] +query = 'process where (serial_event_id<9 and serial_event_id >= 7) or (opcode == pid)' +expected_event_ids = [7, 8] + +[[queries]] +query = 'process where process_name == "VMACTHLP.exe" and unique_pid == 12 | filter true' +expected_event_ids = [12] + +[[queries]] +query = ''' +process where process_name in ("python.exe", 
"SMSS.exe", "explorer.exe") +| unique process_name''' +expected_event_ids = [3, 34, 48] + +[[queries]] +query = ''' +process where process_name in ("python.exe", "smss.exe", "Explorer.exe") +| unique length(process_name)''' +expected_event_ids = [3, 34, 48] + +[[queries]] +query = ''' +process where process_name in ("python.exe", "smss.exe", "explorer.exe") +| unique length(process_name) == length("python.exe")''' +expected_event_ids = [3, 48] + +[[queries]] +query = ''' +process where process_name in ("Python.exe", "smss.exe", "explorer.exe") +| unique process_name != "python.exe"''' +expected_event_ids = [3, 48] + +[[queries]] +query = ''' +process where process_name in ("python.exe", "smss.exe", "explorer.exe") +| unique process_name +| head 2 +| tail 1''' +expected_event_ids = [34] + +[[queries]] +query = ''' +process where process_name in ("python.exe", "smss.exe", "explorer.exe") +| unique process_name +| tail 2 +| head 1''' +expected_event_ids = [34] + +[[queries]] +query = ''' +process where process_name in ("python.exe", "smss.exe") +| unique process_name parent_process_name''' +expected_event_ids = [3, 48, 50, 54, 78] + +[[queries]] +query = ''' +process where process_name in ("python.exe", "smss.exe") +| unique process_name, parent_process_name''' +expected_event_ids = [3, 48, 50, 54, 78] + +[[queries]] +query = ''' +process where process_name in ("python.exe", "smss.exe") +| head 5 +| unique process_name parent_process_name''' +expected_event_ids = [3, 48, 50, 54] + +[[queries]] +expected_event_ids = [57] +query = ''' +registry where length(bytes_written_string_list) == 2 and bytes_written_string_list[1] == "EN"''' + +[[queries]] +query = ''' +registry where key_path == "*\\MACHINE\\SAM\\SAM\\*\\Account\\Us*ers\\00*03E9\\F"''' +expected_event_ids = [79] + +[[queries]] +query = ''' +process where process_path == "*\\red_ttp\\wininit.*" and opcode in (0,1,2,3,4)''' +expected_event_ids = [84, 85] + +[[queries]] +query = ''' +file where file_name == 
"csrss.exe" and opcode=0 + and descendant of [process where opcode in (1,3) and process_name="cmd.exe"] +''' +expected_event_ids = [72] + +[[queries]] +query = ''' +process where opcode=1 and process_name == "csrss.exe" + and descendant of [file where file_name == "csrss.exe" and opcode=0] +''' +expected_event_ids = [73] + +[[queries]] +query = ''' +process where opcode=1 and process_name == "smss.exe" + and descendant of [ + file where file_name == "csrss.exe" and opcode=0 + and descendant of [ + process where opcode in(1,3) and process_name="cmd.exe" + ] + ] +''' +expected_event_ids = [78] + +[[queries]] +query = ''' +file where file_path="*\\red_ttp\\winin*.*" + and opcode in (0,1,2) and user_name="vagrant" +''' +expected_event_ids = [83, 86] + +[[queries]] +query = ''' +file where file_path="*\\red_ttp\\winin*.*" + and opcode not in (0,1,2) and user_name="vagrant" +''' +expected_event_ids = [] + +[[queries]] +query = ''' +file where file_path="*\\red_ttp\\winin*.*" + and opcode not in (3, 4, 5, 6 ,7) and user_name="vagrant" +''' +expected_event_ids = [83, 86] + + +[[queries]] +query = ''' +file where file_name in ("wininit.exe", "lsass.exe") and opcode == 2 +''' +expected_event_ids = [65, 86] + +[[queries]] +query = ''' +file where true +| tail 3''' +expected_event_ids = [92, 95, 96] + +[[queries]] +query = ''' +process where opcode in (1,3) and process_name in (parent_process_name, "SYSTEM") +''' +expected_event_ids = [2, 50, 51] + +[[queries]] +expected_event_ids = [92, 95, 96, 91] +query = ''' +file where true +| tail 4 +| sort file_path''' + +[[queries]] +expected_event_ids = [2, 1, 4, 3, 5] +query = ''' +process where true +| head 5 +| sort md5 event_subtype_full process_name''' + +[[queries]] +expected_event_ids = [2, 1, 4, 3, 5] +query = ''' +process where true +| head 5 +| sort md5 event_subtype_full null_field process_name''' + +[[queries]] +expected_event_ids = [2, 1, 4, 3, 5] +query = ''' +process where true +| head 5 +| sort md5, event_subtype_full, 
null_field, process_name''' + +[[queries]] +expected_event_ids = [2, 1] +query = ''' +process where true +| head 5 +| sort md5 event_subtype_full null_field process_name +| head 2''' + +[[queries]] +expected_event_ids = [1, 2, 3, 4, 5] +query = ''' +process where true +| head 5 +| sort md5 event_subtype_full null_field process_name +| sort serial_event_id''' + +[[queries]] +query = ''' +sequence + [process where serial_event_id = 1] + [process where serial_event_id = 2] +''' +expected_event_ids = [1, 2] + +[[queries]] +query = ''' +sequence + [process where serial_event_id < 5] + [process where serial_event_id = 5] +''' +expected_event_ids = [4, 5] + +[[queries]] +query = ''' +sequence + [process where serial_event_id=1] by unique_pid + [process where true] by unique_ppid''' +expected_event_ids = [1, 2] + +[[queries]] +query = ''' +sequence + [process where serial_event_id<3] by unique_pid + [process where true] by unique_ppid +''' +expected_event_ids = [1, 2, 2, 3] + +[[queries]] +query = ''' +sequence + [process where serial_event_id<3] by unique_pid * 2 + [process where true] by unique_ppid * 2 +''' +expected_event_ids = [1, 2, 2, 3] + + +[[queries]] +query = ''' +sequence + [process where serial_event_id<3] by unique_pid * 2, length(unique_pid), string(unique_pid) + [process where true] by unique_ppid * 2, length(unique_ppid), string(unique_ppid) +''' +expected_event_ids = [1, 2, 2, 3] + + +[[queries]] +query = ''' +sequence + [file where event_subtype_full == "file_create_event"] by file_path + [process where opcode == 1] by process_path + [process where opcode == 2] by process_path + [file where event_subtype_full == "file_delete_event"] by file_path +| head 4 +| tail 2''' +expected_event_ids = [67, 68, 69, 70, 72, 73, 74, 75] + +[[queries]] +query = ''' +sequence with maxspan=1d + [file where event_subtype_full == "file_create_event"] by file_path + [process where opcode == 1] by process_path + [process where opcode == 2] by process_path + [file where 
event_subtype_full == "file_delete_event"] by file_path +| head 4 +| tail 2''' +expected_event_ids = [67, 68, 69, 70, 72, 73, 74, 75] + +[[queries]] +query = ''' +sequence with maxspan=1h + [file where event_subtype_full == "file_create_event"] by file_path + [process where opcode == 1] by process_path + [process where opcode == 2] by process_path + [file where event_subtype_full == "file_delete_event"] by file_path +| head 4 +| tail 2''' +expected_event_ids = [67, 68, 69, 70, 72, 73, 74, 75] + +[[queries]] +query = ''' +sequence with maxspan=1m + [file where event_subtype_full == "file_create_event"] by file_path + [process where opcode == 1] by process_path + [process where opcode == 2] by process_path + [file where event_subtype_full == "file_delete_event"] by file_path +| head 4 +| tail 2''' +expected_event_ids = [67, 68, 69, 70, 72, 73, 74, 75] + +[[queries]] +query = ''' +sequence with maxspan=10s + [file where event_subtype_full == "file_create_event"] by file_path + [process where opcode == 1] by process_path + [process where opcode == 2] by process_path + [file where event_subtype_full == "file_delete_event"] by file_path +| head 4 +| tail 2''' +expected_event_ids = [67, 68, 69, 70, 72, 73, 74, 75] + +[[queries]] +query = ''' +sequence with maxspan=0.5s + [file where event_subtype_full == "file_create_event"] by file_path + [process where opcode == 1] by process_path + [process where opcode == 2] by process_path + [file where event_subtype_full == "file_delete_event"] by file_path +| head 4 +| tail 2''' +expected_event_ids = [] + +[[queries]] +query = ''' +sequence + [process where serial_event_id < 5] + [process where serial_event_id < 5] +''' +expected_event_ids = [1, 2, 2, 3, 3, 4] + +[[queries]] +query = ''' +sequence + [file where opcode=0 and file_name="svchost.exe"] by unique_pid + [process where opcode == 1] by unique_ppid +''' +expected_event_ids = [55, 56] + +[[queries]] +query = ''' +sequence + [file where opcode=0] by unique_pid + [file where 
opcode=0] by unique_pid +| head 1''' +expected_event_ids = [55, 61] + +[[queries]] +query = ''' +sequence + [file where opcode=0] by unique_pid + [file where opcode=0] by unique_pid +| filter events[1].serial_event_id == 92''' +expected_event_ids = [87, 92] + +[[queries]] +query = ''' +sequence + [file where opcode=0 and file_name="*.exe"] by unique_pid + [file where opcode=0 and file_name="*.exe"] by unique_pid +until [process where opcode=5000] by unique_ppid +| head 1''' +expected_event_ids = [55, 61] + +[[queries]] +query = ''' +sequence + [file where opcode=0 and file_name="*.exe"] by unique_pid + [file where opcode=0 and file_name="*.exe"] by unique_pid +until [process where opcode=1] by unique_ppid +| head 1''' +expected_event_ids = [] + +[[queries]] +query = ''' +join + [file where opcode=0 and file_name="*.exe"] by unique_pid + [file where opcode=2 and file_name="*.exe"] by unique_pid +until [process where opcode=1] by unique_ppid +| head 1''' +expected_event_ids = [61, 59] + +[[queries]] +query = ''' +join by user_name + [process where opcode in (1,3) and process_name="smss.exe"] + [process where opcode in (1,3) and process_name == "python.exe"] +''' +expected_event_ids = [78, 48] + +[[queries]] +query = ''' +join by unique_pid + [process where opcode=1] + [file where opcode=0 and file_name="svchost.exe"] + [file where opcode == 0 and file_name == "lsass.exe"]''' +expected_event_ids = [54, 55, 61] + +[[queries]] +query = ''' +join by string(unique_pid) + [process where opcode=1] + [file where opcode=0 and file_name="svchost.exe"] + [file where opcode == 0 and file_name == "lsass.exe"]''' +expected_event_ids = [54, 55, 61] + +[[queries]] +query = ''' +join by unique_pid + [process where opcode=1] + [file where opcode=0 and file_name="svchost.exe"] + [file where opcode == 0 and file_name == "lsass.exe"] +until [file where opcode == 2]''' +expected_event_ids = [] + +[[queries]] +query = ''' +join by string(unique_pid), unique_pid, unique_pid * 2 + [process 
where opcode=1] + [file where opcode=0 and file_name="svchost.exe"] + [file where opcode == 0 and file_name == "lsass.exe"] +until [file where opcode == 2]''' +expected_event_ids = [] + +[[queries]] +query = ''' +join + [file where opcode=0 and file_name="svchost.exe"] by unique_pid + [process where opcode == 1] by unique_ppid +''' +expected_event_ids = [55, 56] + +[[queries]] +query = ''' +join by unique_pid + [process where opcode in (1,3) and process_name="python.exe"] + [file where file_name == "*.exe"]''' +expected_event_ids = [54, 55] + +[[queries]] +query = ''' +join by user_name + [process where opcode in (1,3) and process_name="python.exe"] + [process where opcode in (1,3) and process_name == "smss.exe"] +''' +expected_event_ids = [48, 78] + +[[queries]] +query = ''' +join + [process where opcode in (1,3) and process_name="python.exe"] + [process where opcode in (1,3) and process_name == "smss.exe"] +''' +expected_event_ids = [48, 3, 50, 78] + +[[queries]] +expected_event_ids = [] +query = ''' +process where fake_field == "*"''' + +[[queries]] +expected_event_ids = [1, 2, 3, 4] +query = ''' +process where fake_field != "*" +| head 4''' + +[[queries]] +expected_event_ids = [1, 2, 3, 4] +query = ''' +process where not (fake_field == "*") +| head 4''' + +[[queries]] +expected_event_ids = [] +query = ''' +registry where invalid_field_name != null''' + +[[queries]] +expected_event_ids = [] +query = ''' +registry where length(bad_field) > 0 +''' + +[[queries]] +query = ''' +process where opcode == 1 + and process_name in ("net.exe", "net1.exe") + and not (parent_process_name == "net.exe" + and process_name == "net1.exe") + and command_line == "*group *admin*" and command_line != "* /add*"''' +expected_event_ids = [97] + +[[queries]] +expected_event_ids = [1, 55, 57, 63, 75304] +query = ''' +any where true +| unique event_type_full''' + +[[queries]] +query = ''' +process where opcode=1 and process_name in ("services.exe", "smss.exe", "lsass.exe") + and descendant 
of [process where process_name == "cmd.exe" ]''' +expected_event_ids = [62, 68, 78] + +[[queries]] +query = ''' +process where process_name in ("services.exe", "smss.exe", "lsass.exe") + and descendant of [process where process_name == "cmd.exe" ]''' +expected_event_ids = [62, 64, 68, 69, 78, 80] + +[[queries]] +query = ''' +process where opcode=2 and process_name in ("services.exe", "smss.exe", "lsass.exe") + and descendant of [process where process_name == "cmd.exe" ]''' +expected_event_ids = [64, 69, 80] + +[[queries]] +query = ''' +process where process_name="svchost.exe" + and child of [file where file_name="svchost.exe" and opcode=0]''' +expected_event_ids = [56, 58] + +[[queries]] +query = ''' +process where process_name="svchost.exe" + and not child of [file where file_name="svchost.exe" and opcode=0] +| head 3''' +expected_event_ids = [11, 13, 15] + +[[queries]] +query = ''' +process where process_name="lsass.exe" + and child of [ + process where process_name="python.exe" + and child of [process where process_name="cmd.exe"] + ] +''' +expected_event_ids = [62, 64] + +[[queries]] +query = ''' +file where child of [ + process where child of [ + process where child of [process where process_name="*wsmprovhost.exe"] + ] +] +| tail 1''' +expected_event_ids = [91] + +[[queries]] +query = ''' +file where process_name = "python.exe" +| unique unique_pid''' +expected_event_ids = [55, 95] + +[[queries]] +query = ''' +file where event of [process where process_name = "python.exe" ] +| unique unique_pid''' +expected_event_ids = [55, 95] + +[[queries]] +query = ''' +process where process_name = "python.exe"''' +expected_event_ids = [48, 50, 51, 54, 93] + +[[queries]] +query = 'process where event of [process where process_name = "python.exe" ]' +expected_event_ids = [48, 50, 51, 54, 93] + +[[queries]] +query = ''' +sequence + [file where file_name="lsass.exe"] by file_path,process_path + [process where true] by process_path,parent_process_path +''' +expected_event_ids 
= [61, 62] + +[[queries]] +query = ''' +sequence by user_name + [file where file_name="lsass.exe"] by file_path, process_path + [process where true] by process_path, parent_process_path +''' +expected_event_ids = [61, 62] + +[[queries]] +query = ''' +sequence by pid + [file where file_name="lsass.exe"] by file_path,process_path + [process where true] by process_path,parent_process_path +''' +expected_event_ids = [] + +[[queries]] +query = ''' +sequence by user_name + [file where opcode=0] by file_path + [process where opcode=1] by process_path + [process where opcode=2] by process_path + [file where opcode=2] by file_path +| tail 1''' +expected_event_ids = [88, 89, 90, 91] + +[[queries]] +query = ''' +sequence by user_name + [file where opcode=0] by pid,file_path + [file where opcode=2] by pid,file_path +until [process where opcode=2] by ppid,process_path +''' +expected_event_ids = [] + +[[queries]] +query = ''' +sequence by user_name + [file where opcode=0] by pid,file_path + [file where opcode=2] by pid,file_path +until [process where opcode=5] by ppid,process_path +| head 2''' +expected_event_ids = [55, 59, 61, 65] + +[[queries]] +query = ''' +sequence by pid + [file where opcode=0] by file_path + [process where opcode=1] by process_path + [process where opcode=2] by process_path + [file where opcode=2] by file_path +| tail 1''' +expected_event_ids = [] + +[[queries]] +query = ''' +join by user_name + [file where true] by pid,file_path + [process where true] by ppid,process_path +| head 2''' +expected_event_ids = [55, 56, 59, 58] + +[[queries]] +query = ''' +sequence + [process where true] by unique_pid + [file where true] fork=true by unique_pid + [process where true] by unique_ppid +| head 4''' +expected_event_ids = [54, 55, 56, 54, 61, 62, 54, 67, 68, 54, 72, 73] + +[[queries]] +query = ''' +process where command_line == "*%*" ''' +expected_event_ids = [4, 6, 28] + +[[queries]] +query = ''' +process where command_line == "*%*%*" ''' +expected_event_ids = [4, 
6, 28] + +[[queries]] +query = ''' +process where command_line == "%*%*" ''' +expected_event_ids = [4, 6, 28] + +[[queries]] +expected_event_ids = [11, 60, 63] +query = ''' +any where process_name == "svchost.exe" +| unique_count event_type_full process_name''' + +[[queries]] +expected_event_ids = [63, 60, 11] +query = ''' +any where process_name == "svchost.exe" +| sort event_type_full serial_event_id +| unique_count event_type_full process_name''' + +[[queries]] +expected_event_ids = [60] +query = ''' +any where process_name == "svchost.exe" +| unique_count event_type_full opcode +| filter count == 7''' + +[[queries]] +expected_event_ids = [11] +query = ''' +any where process_name == "svchost.exe" +| unique_count event_type_full opcode +| filter percent >= .5 +''' + +[[queries]] +expected_event_ids = [57] +query = ''' +registry where arrayContains(bytes_written_string_list, 'En-uS')''' + +[[queries]] +expected_event_ids = [57] +query = ''' +registry where arrayContains(bytes_written_string_list, 'En')''' + +[[queries]] +expected_event_ids = [57] +query = ''' +registry where length(bytes_written_string_list) > 0 and bytes_written_string_list[0] == 'EN-us' +''' + +[[queries]] +expected_event_ids = [57] +query = ''' +registry where bytes_written_string_list[0] == 'EN-us' +''' + +[[queries]] +expected_event_ids = [57] +query = ''' +registry where bytes_written_string_list[1] == 'EN' +''' + +[[queries]] +query = ''' +process where matchLite(?'.*?net1\s+localgroup\s+.*?', command_line) +''' +expected_event_ids = [98] + +[[queries]] +query = ''' +process where matchLite(?'.*?net1\s+\w+\s+.*?', command_line) +''' +expected_event_ids = [98] + +[[queries]] +query = ''' +process where matchLite(?'.*?net1\s+\w{4,15}\s+.*?', command_line) +''' +expected_event_ids = [98] + +[[queries]] +expected_event_ids = [98] +query = ''' +process where match(?'.*?net1\s+\w{4,15}\s+.*?', command_line) +''' + +[[queries]] +query = ''' +process where 
matchLite(?'.*?net1\s+[localgrup]{4,15}\s+.*?', command_line) +''' +expected_event_ids = [98] + +[[queries]] +query = ''' +process where 'net.EXE' == original_file_name +| filter process_name="net*.exe" +''' +expected_event_ids = [97] +note = "check that case insensitive comparisons are performed even for lhs strings." + +[[queries]] +query = ''' +process where process_name == original_file_name +| filter process_name='net*.exe' +''' +expected_event_ids = [97, 98] +note = "check that case insensitive comparisons are performed for fields." + +[[queries]] +query = ''' +process where original_file_name == process_name +| filter length(original_file_name) > 0 +''' +expected_event_ids = [97, 98, 75273, 75303] +description = "check that case insensitive comparisons are performed for fields." + +[[queries]] +query = ''' +file where opcode=0 and startsWith(file_name, 'exploRER.') +''' +expected_event_ids = [88, 92] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and startsWith(file_name, 'expLORER.exe') +''' +expected_event_ids = [88, 92] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and endsWith(file_name, 'loREr.exe')''' +expected_event_ids = [88] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and startsWith(file_name, 'explORER.EXE')''' +expected_event_ids = [88, 92] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and startsWith('explorer.exeaaaaaaaa', file_name)''' +expected_event_ids = [88] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and serial_event_id = 88 and startsWith('explorer.exeaAAAA', 'EXPLORER.exe')''' +expected_event_ids = [88] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and stringContains('ABCDEFGHIexplorer.exeJKLMNOP', file_name) +''' 
+expected_event_ids = [88] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and indexOf(file_name, 'plore') == 2 and not indexOf(file_name, '.pf') +''' +expected_event_ids = [88] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and indexOf(file_name, 'explorer.') and indexOf(file_name, 'plore', 100) +''' +expected_event_ids = [] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and indexOf(file_name, 'plorer.', 0) == 2''' +expected_event_ids = [88, 92] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and indexOf(file_name, 'plorer.', 2)''' +expected_event_ids = [88, 92] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and indexOf(file_name, 'plorer.', 4)''' +expected_event_ids = [] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and indexOf(file_name, 'thing that never happened')''' +expected_event_ids = [] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and indexOf(file_name, 'plorer.', 2) == 2''' +expected_event_ids = [88, 92] +description = "check substring ranges" + +[[queries]] +query = ''' +file where opcode=0 and indexOf(file_name, 'explorer.', 0) == 0''' +expected_event_ids = [88, 92] +description = "check substring ranges" + +[[queries]] +query = ''' +file where serial_event_id=88 and substring(file_name, 0, 4) == 'expl' +''' +expected_event_ids = [88] +description = "check substring ranges" + +[[queries]] +query = ''' +file where serial_event_id=88 and substring(file_name, 1, 3) == 'xp' +''' +expected_event_ids = [88] +description = "chaeck substring ranges" + +[[queries]] +query = ''' +file where serial_event_id=88 and substring(file_name, -4) == '.exe' +''' +expected_event_ids = [88] +description = "check substring 
ranges" + +[[queries]] +query = ''' +file where serial_event_id=88 and substring(file_name, -4, -1) == '.ex' +''' +expected_event_ids = [88] +description = "check substring ranges" + +[[queries]] +query = ''' +process where add(serial_event_id, 0) == 1 and add(0, 1) == serial_event_id''' +expected_event_ids = [1] +description = "test built-in math functions" + +[[queries]] +query = ''' +process where subtract(serial_event_id, -5) == 6''' +expected_event_ids = [1] +description = "test built-in math functions" + +[[queries]] +query = ''' +process where multiply(6, serial_event_id) == 30 and divide(30, 4.0) == 7.5''' +expected_event_ids = [5] +description = "test built-in math functions" + +[[queries]] +query = ''' +process where modulo(11, add(serial_event_id, 1)) == serial_event_id''' +expected_event_ids = [1, 2, 3, 5, 11] +description = "test built-in math functions" + +[[queries]] +query = ''' +process where serial_event_id == number('5')''' +expected_event_ids = [5] +description = "test string/number conversions" + +[[queries]] +expected_event_ids = [50] +description = "test string/number conversions" +query = ''' +process where serial_event_id == number('0x32', 16)''' + +[[queries]] +expected_event_ids = [50] +description = "test string/number conversions" +query = ''' +process where serial_event_id == number('32', 16)''' + +[[queries]] +query = ''' +process where number(serial_event_id) == number(5)''' +expected_event_ids = [5] +description = "test string/number conversions" + +[[queries]] +query = ''' +process where concat(serial_event_id, ':', process_name, opcode) == '5:winINIT.exe3' +''' +expected_event_ids = [5] +description = "test string concatenation" + +[[queries]] +query = ''' +process where process_name != original_file_name +| filter length(original_file_name) > 0''' +expected_event_ids = [] +description = "check that case insensitive comparisons are performed for fields." 
+ +[[queries]] +query = ''' +sequence by unique_pid [process where opcode=1 and process_name == 'msbuild.exe'] [network where true]''' +expected_event_ids = [75273, 75304] +description = "test that process sequences are working correctly" + +[[queries]] +expected_event_ids = [57] +description = "test arraySearch functionality for lists of strings, and lists of objects" +query = ''' +registry where arraySearch(bytes_written_string_list, a, a == 'en-us')''' + +[[queries]] +expected_event_ids = [57] +description = "test arraySearch functionality for lists of strings, and lists of objects" +query = ''' +registry where arraySearch(bytes_written_string_list, a, endsWith(a, '-us'))''' + +[[queries]] +expected_event_ids = [75305] +description = "test arraySearch - true" +query = ''' +network where mysterious_field + and arraySearch(mysterious_field.subarray, s, true) +''' + +[[queries]] +expected_event_ids = [] +description = "test arraySearch - false" +query = ''' +network where mysterious_field and arraySearch(mysterious_field.subarray, s, false) +''' + +[[queries]] +expected_event_ids = [75305] +description = "test arraySearch - conditional" +query = ''' +network where mysterious_field and arraySearch(mysterious_field.subarray, s, s.a == 's0-*') +''' + +[[queries]] +expected_event_ids = [75305] +description = "test arraySearch - conditional" +query = ''' +network where mysterious_field and arraySearch(mysterious_field.subarray, s, s.a != 's0-*') +''' + +[[queries]] +expected_event_ids = [75305] +description = "test arraySearch - nested" +query = ''' +network where mysterious_field + and arraySearch(mysterious_field.subarray, sub1, + arraySearch(sub1.c, nested, nested.x.y == '*')) +''' + +[[queries]] +expected_event_ids = [75305] +description = "test arraySearch - nested with cross-check pass" +query = ''' +network where mysterious_field + and arraySearch(mysterious_field.subarray, sub1, + sub1.a == 's0-a' and arraySearch(sub1.c, nested, nested.z == 's0-c1-x-z')) +''' + 
+[[queries]] +expected_event_ids = [75305] +description = "test arraySearch - nested with cross-check pass" +query = ''' +network where mysterious_field + and arraySearch(mysterious_field.subarray, sub1, + sub1.a == 's0-a' and arraySearch(sub1.c, nested, nested.z == sub1.cross_match)) +''' + +[[queries]] +expected_event_ids = [75305] +description = "test arraySearch - nested with cross-check pass" +query = ''' +network where mysterious_field + and arraySearch(mysterious_field.subarray, sub1, + arraySearch(sub1.c, nested, nested.x.y == mysterious_field.outer_cross_match)) +''' + +[[queries]] +expected_event_ids = [] +description = "test 'safe()' wrapper for exception handling" +query = ''' +network where safe(divide(process_name, process_name)) +''' + +[[queries]] +query = ''' +file where serial_event_id == 82 and (true == (process_name in ('svchost.EXE', 'bad.exe', 'bad2.exe'))) +''' +expected_event_ids = [82] +description = "nested set comparisons" + +[[queries]] +expected_event_ids = [57] +query = ''' +registry where arrayCount(bytes_written_string_list, s, s == '*-us') == 1 +''' + +[[queries]] +expected_event_ids = [57] +query = ''' +registry where arrayCount(bytes_written_string_list, s, s == '*en*') == 2 +''' + +[[queries]] +expected_event_ids = [57] +query = ''' +registry where arrayContains(bytes_written_string_list, "missing", "en-US") +''' + +[[queries]] +expected_event_ids = [82] +query = "file where serial_event_id - 1 == 81" + +[[queries]] +expected_event_ids = [82] +query = "file where serial_event_id + 1 == 83" + +[[queries]] +expected_event_ids = [82] +query = "file where serial_event_id * 2 == 164" + +[[queries]] +expected_event_ids = [82] +query = "file where serial_event_id / 2 == 41" + +[[queries]] +expected_event_ids = [82] +query = "file where serial_event_id % 40 == 2" + +[[queries]] +expected_event_ids = [1, 2] +query = ''' +process where between(process_name, "s", "e") == "yst" +''' + +[[queries]] +expected_event_ids = [1, 2] +query = ''' 
+process where between(process_name, "s", "e", false) == "yst" +''' + +[[queries]] +expected_event_ids = [] +query = ''' +process where between(process_name, "s", "e", false, true) == "yst" +''' + +[[queries]] +expected_event_ids = [1, 2, 42] +query = ''' +process where between(process_name, "s", "e", false, true) == "t" +''' + +[[queries]] +expected_event_ids = [1, 2] +query = ''' +process where between(process_name, "S", "e", false, true) == "yst" +''' + +[[queries]] +expected_event_ids = [1] +query = ''' +process where between(process_name, "s", "e", true) == "ystem Idle Proc" +''' + +[[queries]] +expected_event_ids = [95] +query = ''' +file where between(file_path, "dev", ".json", false) == "\\testlogs\\something" +''' + +[[queries]] +expected_event_ids = [95] +query = ''' +file where between(file_path, "dev", ".json", true) == "\\testlogs\\something" +''' + +[[queries]] +expected_event_ids = [75304, 75305] +query = ''' +network where cidrMatch(source_address, "10.6.48.157/8") +''' + +[[queries]] +expected_event_ids = [] +query = ''' +network where cidrMatch(source_address, "192.168.0.0/16") +''' + +[[queries]] +expected_event_ids = [75304, 75305] +query = ''' +network where cidrMatch(source_address, "192.168.0.0/16", "10.6.48.157/8") + +''' +[[queries]] +expected_event_ids = [75304, 75305] +query = ''' +network where cidrMatch(source_address, "0.0.0.0/0") +''' + +[[queries]] +expected_event_ids = [7, 14, 22, 29, 44] +query = ''' +process where length(between(process_name, 'g', 'e')) > 0 +''' + +[[queries]] +expected_event_ids = [] +query = ''' +process where length(between(process_name, 'g', 'z')) > 0 +''' diff --git a/x-pack/plugin/eql/src/test/resources/test_queries_unsupported.toml b/x-pack/plugin/eql/src/test/resources/test_queries_unsupported.toml new file mode 100644 index 0000000000000..f8a96eaef12aa --- /dev/null +++ b/x-pack/plugin/eql/src/test/resources/test_queries_unsupported.toml 
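Review bot: The per-query annotation key is used inconsistently in this file: the null-comparison group and the first case-insensitivity entries use `note = "..."`, while the string-function, math and arraySearch entries use `description = "..."` for the same purpose, and one entry carries the typo `description = "chaeck substring ranges"`. Whichever key the TOML harness actually reads (the reader is not in this hunk), the entries written with the other key lose their explanation in failure output, so picking one key, e.g. `description`, and using it throughout would make failures self-explaining. The entry `network where cidrMatch(source_address, "192.168.0.0/16", "10.6.48.157/8")` also has a blank line inside its `'''` string and no blank line before the following `[[queries]]`, so its query text ends in an extra newline unlike every other entry; unless the harness strips it, it should be normalised to match the rest. The order of `query` and `expected_event_ids` alternates from entry to entry as well, and a fixed order would make this 1298-line fixture easier to scan.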
@@ -0,0 +1,1309 @@
+# This file is populated with currently unsupported queries.
+# Serves as a blacklist, until our implementation starts supporting a specific query
+# This file is expected to become empty once the feature parity is reached with the
+# official EQL implementation
+
+# The query below is the first query from the test_queries.toml
+# and is currently "emulated" as supported with the hardcoded response
+# in order to allow at least one round-trip test with the test harness.
+# This will be removed once the EQL implementation is wired and actually supports this query.
+
+# [[queries]]
+# query = 'process where serial_event_id = 1'
+# expected_event_ids = [1]
+
+[[queries]]
+query = 'process where serial_event_id < 4'
+expected_event_ids = [1, 2, 3]
+
+[[queries]]
+query = 'process where true | head 6'
+expected_event_ids = [1, 2, 3, 4, 5, 6]
+
+[[queries]]
+query = 'process where false'
+expected_event_ids = []
+
+[[queries]]
+expected_event_ids = []
+query = 'process where missing_field != null'
+
+[[queries]]
+expected_event_ids = [1, 2, 3, 4, 5]
+query = 'process where bad_field == null | head 5'
+
+[[queries]]
+query = '''
+ process where process_name == "impossible name" or (serial_event_id < 4.5 and serial_event_id >= 3.1)
+'''
+expected_event_ids = [4]
+
+[[queries]]
+tags = ["comparisons", "pipes"]
+query = '''
+process where serial_event_id <= 8 and serial_event_id > 7
+| filter serial_event_id == 8'''
+expected_event_ids = [8]
+
+[[queries]]
+query = '''
+process where true
+| filter serial_event_id <= 10
+| filter serial_event_id > 6'''
+expected_event_ids = [7, 8, 9, 10]
+
+[[queries]]
+query = '''
+process where true
+| filter serial_event_id <= 10
+| filter serial_event_id > 6
+| head 2'''
+expected_event_ids = [7, 8]
+
+[[queries]]
+query = '''
+process where true
+| head 1000
+| filter serial_event_id <= 10
+| filter serial_event_id > 6
+| tail 2
+'''
+expected_event_ids = [9, 10]
+
+[[queries]]
+query = '''
+process where 
 serial_event_id<=8 and serial_event_id > 7
+'''
+expected_event_ids = [8]
+
+[[queries]]
+note = "check that comparisons against null values return false"
+expected_event_ids = [58, 64, 69, 74, 80, 85, 90, 93, 94, 75303]
+query = 'process where exit_code >= 0'
+
+[[queries]]
+note = "check that comparisons against null values return false"
+expected_event_ids = [58, 64, 69, 74, 80, 85, 90, 93, 94, 75303]
+query = 'process where 0 <= exit_code'
+
+[[queries]]
+note = "check that comparisons against null values return false"
+expected_event_ids = [58, 64, 69, 74, 80, 85, 90, 93, 94, 75303]
+query = 'process where exit_code <= 0'
+
+[[queries]]
+note = "check that comparisons against null values return false"
+expected_event_ids = [58, 64, 69, 74, 80, 85, 90, 93, 94, 75303]
+query = 'process where exit_code < 1'
+
+[[queries]]
+note = "check that comparisons against null values return false"
+expected_event_ids = [58, 64, 69, 74, 80, 85, 90, 93, 94, 75303]
+query = 'process where exit_code > -1'
+
+[[queries]]
+note = "check that comparisons against null values return false"
+expected_event_ids = [58, 64, 69, 74, 80, 85, 90, 93, 94, 75303]
+query = 'process where -1 < exit_code'
+
+[[queries]]
+note = "check that comparisons against null values return false"
+expected_event_ids = []
+query = '''
+process where not (exit_code > -1)
+ and serial_event_id in (58, 64, 69, 74, 80, 85, 90, 93, 94)
+| head 10
+'''
+
+[[queries]]
+note = "check that comparisons against null values return false"
+expected_event_ids = [1, 2, 3, 4, 5, 6, 7]
+query = 'process where not (exit_code > -1) | head 7'
+
+[[queries]]
+note = "check that comparisons against null values return false"
+expected_event_ids = [1, 2, 3, 4, 5, 6, 7]
+query = 'process where not (-1 < exit_code) | head 7'
+
+[[queries]]
+query = 'process where exit_code > 0'
+expected_event_ids = []
+
+[[queries]]
+query = 'process where exit_code < 0'
+expected_event_ids = []
+
+[[queries]]
+query = 'process where 0 < exit_code'
+expected_event_ids = []
+
+[[queries]]
+query = 'process where 0 > exit_code'
+expected_event_ids = []
+
+[[queries]]
+query = 'process where (serial_event_id<=8 and serial_event_id > 7) and (opcode=3 and opcode>2)'
+expected_event_ids = [8]
+
+[[queries]]
+query = 'process where (serial_event_id<9 and serial_event_id >= 7) or (opcode == pid)'
+expected_event_ids = [7, 8]
+
+[[queries]]
+query = 'process where process_name == "VMACTHLP.exe" and unique_pid == 12 | filter true'
+expected_event_ids = [12]
+
+[[queries]]
+query = '''
+process where process_name in ("python.exe", "SMSS.exe", "explorer.exe")
+| unique process_name'''
+expected_event_ids = [3, 34, 48]
+
+[[queries]]
+query = '''
+process where process_name in ("python.exe", "smss.exe", "Explorer.exe")
+| unique length(process_name)'''
+expected_event_ids = [3, 34, 48]
+
+[[queries]]
+query = '''
+process where process_name in ("python.exe", "smss.exe", "explorer.exe")
+| unique length(process_name) == length("python.exe")'''
+expected_event_ids = [3, 48]
+
+[[queries]]
+query = '''
+process where process_name in ("Python.exe", "smss.exe", "explorer.exe")
+| unique process_name != "python.exe"'''
+expected_event_ids = [3, 48]
+
+[[queries]]
+query = '''
+process where process_name in ("python.exe", "smss.exe", "explorer.exe")
+| unique process_name
+| head 2
+| tail 1'''
+expected_event_ids = [34]
+
+[[queries]]
+query = '''
+process where process_name in ("python.exe", "smss.exe", "explorer.exe")
+| unique process_name
+| tail 2
+| head 1'''
+expected_event_ids = [34]
+
+[[queries]]
+query = '''
+process where process_name in ("python.exe", "smss.exe")
+| unique process_name parent_process_name'''
+expected_event_ids = [3, 48, 50, 54, 78]
+
+[[queries]]
+query = '''
+process where process_name in ("python.exe", "smss.exe")
+| unique process_name, parent_process_name'''
+expected_event_ids = [3, 48, 50, 54, 78]
+
+[[queries]]
+query = '''
+process where process_name in ("python.exe", "smss.exe")
+| head 5
+| unique process_name parent_process_name'''
+expected_event_ids = [3, 48, 50, 54]
+
+[[queries]]
+expected_event_ids = [57]
+query = '''
+registry where length(bytes_written_string_list) == 2 and bytes_written_string_list[1] == "EN"'''
+
+[[queries]]
+query = '''
+registry where key_path == "*\\MACHINE\\SAM\\SAM\\*\\Account\\Us*ers\\00*03E9\\F"'''
+expected_event_ids = [79]
+
+[[queries]]
+query = '''
+process where process_path == "*\\red_ttp\\wininit.*" and opcode in (0,1,2,3,4)'''
+expected_event_ids = [84, 85]
+
+[[queries]]
+query = '''
+file where file_name == "csrss.exe" and opcode=0
+ and descendant of [process where opcode in (1,3) and process_name="cmd.exe"]
+'''
+expected_event_ids = [72]
+
+[[queries]]
+query = '''
+process where opcode=1 and process_name == "csrss.exe"
+ and descendant of [file where file_name == "csrss.exe" and opcode=0]
+'''
+expected_event_ids = [73]
+
+[[queries]]
+query = '''
+process where opcode=1 and process_name == "smss.exe"
+ and descendant of [
+ file where file_name == "csrss.exe" and opcode=0
+ and descendant of [
+ process where opcode in(1,3) and process_name="cmd.exe"
+ ]
+ ]
+'''
+expected_event_ids = [78]
+
+[[queries]]
+query = '''
+file where file_path="*\\red_ttp\\winin*.*"
+ and opcode in (0,1,2) and user_name="vagrant"
+'''
+expected_event_ids = [83, 86]
+
+[[queries]]
+query = '''
+file where file_path="*\\red_ttp\\winin*.*"
+ and opcode not in (0,1,2) and user_name="vagrant"
+'''
+expected_event_ids = []
+
+[[queries]]
+query = '''
+file where file_path="*\\red_ttp\\winin*.*"
+ and opcode not in (3, 4, 5, 6 ,7) and user_name="vagrant"
+'''
+expected_event_ids = [83, 86]
+
+
+[[queries]]
+query = '''
+file where file_name in ("wininit.exe", "lsass.exe") and opcode == 2
+'''
+expected_event_ids = [65, 86]
+
+[[queries]]
+query = '''
+file where true
+| tail 3'''
+expected_event_ids = [92, 95, 96]
+
+[[queries]]
+query = '''
+process where opcode in (1,3) and process_name in (parent_process_name, "SYSTEM")
+'''
+expected_event_ids = [2, 50, 51]
+
+[[queries]]
+expected_event_ids = [92, 95, 96, 91]
+query = '''
+file where true
+| tail 4
+| sort file_path'''
+
+[[queries]]
+expected_event_ids = [2, 1, 4, 3, 5]
+query = '''
+process where true
+| head 5
+| sort md5 event_subtype_full process_name'''
+
+[[queries]]
+expected_event_ids = [2, 1, 4, 3, 5]
+query = '''
+process where true
+| head 5
+| sort md5 event_subtype_full null_field process_name'''
+
+[[queries]]
+expected_event_ids = [2, 1, 4, 3, 5]
+query = '''
+process where true
+| head 5
+| sort md5, event_subtype_full, null_field, process_name'''
+
+[[queries]]
+expected_event_ids = [2, 1]
+query = '''
+process where true
+| head 5
+| sort md5 event_subtype_full null_field process_name
+| head 2'''
+
+[[queries]]
+expected_event_ids = [1, 2, 3, 4, 5]
+query = '''
+process where true
+| head 5
+| sort md5 event_subtype_full null_field process_name
+| sort serial_event_id'''
+
+[[queries]]
+query = '''
+sequence
+ [process where serial_event_id = 1]
+ [process where serial_event_id = 2]
+'''
+expected_event_ids = [1, 2]
+
+[[queries]]
+query = '''
+sequence
+ [process where serial_event_id < 5]
+ [process where serial_event_id = 5]
+'''
+expected_event_ids = [4, 5]
+
+[[queries]]
+query = '''
+sequence
+ [process where serial_event_id=1] by unique_pid
+ [process where true] by unique_ppid'''
+expected_event_ids = [1, 2]
+
+[[queries]]
+query = '''
+sequence
+ [process where serial_event_id<3] by unique_pid
+ [process where true] by unique_ppid
+'''
+expected_event_ids = [1, 2, 2, 3]
+
+[[queries]]
+query = '''
+sequence
+ [process where serial_event_id<3] by unique_pid * 2
+ [process where true] by unique_ppid * 2
+'''
+expected_event_ids = [1, 2, 2, 3]
+
+
+[[queries]]
+query = '''
+sequence
+ [process where serial_event_id<3] by unique_pid * 2, length(unique_pid), string(unique_pid)
+ [process where true] by unique_ppid * 2, length(unique_ppid), string(unique_ppid)
+'''
+expected_event_ids = [1, 2, 2, 3]
+
+
+[[queries]]
+query = '''
+sequence
+ [file where event_subtype_full == "file_create_event"] by file_path
+ [process where opcode == 1] by process_path
+ [process where opcode == 2] by process_path
+ [file where event_subtype_full == "file_delete_event"] by file_path
+| head 4
+| tail 2'''
+expected_event_ids = [67, 68, 69, 70, 72, 73, 74, 75]
+
+[[queries]]
+query = '''
+sequence with maxspan=1d
+ [file where event_subtype_full == "file_create_event"] by file_path
+ [process where opcode == 1] by process_path
+ [process where opcode == 2] by process_path
+ [file where event_subtype_full == "file_delete_event"] by file_path
+| head 4
+| tail 2'''
+expected_event_ids = [67, 68, 69, 70, 72, 73, 74, 75]
+
+[[queries]]
+query = '''
+sequence with maxspan=1h
+ [file where event_subtype_full == "file_create_event"] by file_path
+ [process where opcode == 1] by process_path
+ [process where opcode == 2] by process_path
+ [file where event_subtype_full == "file_delete_event"] by file_path
+| head 4
+| tail 2'''
+expected_event_ids = [67, 68, 69, 70, 72, 73, 74, 75]
+
+[[queries]]
+query = '''
+sequence with maxspan=1m
+ [file where event_subtype_full == "file_create_event"] by file_path
+ [process where opcode == 1] by process_path
+ [process where opcode == 2] by process_path
+ [file where event_subtype_full == "file_delete_event"] by file_path
+| head 4
+| tail 2'''
+expected_event_ids = [67, 68, 69, 70, 72, 73, 74, 75]
+
+[[queries]]
+query = '''
+sequence with maxspan=10s
+ [file where event_subtype_full == "file_create_event"] by file_path
+ [process where opcode == 1] by process_path
+ [process where opcode == 2] by process_path
+ [file where event_subtype_full == "file_delete_event"] by file_path
+| head 4
+| tail 2'''
+expected_event_ids = [67, 68, 69, 70, 72, 73, 74, 75]
+
+[[queries]]
+query = '''
+sequence with maxspan=0.5s
+ [file where event_subtype_full == "file_create_event"] by file_path
+ [process where opcode == 1] by process_path
+ [process where opcode 
== 2] by process_path
+ [file where event_subtype_full == "file_delete_event"] by file_path
+| head 4
+| tail 2'''
+expected_event_ids = []
+
+[[queries]]
+query = '''
+sequence
+ [process where serial_event_id < 5]
+ [process where serial_event_id < 5]
+'''
+expected_event_ids = [1, 2, 2, 3, 3, 4]
+
+[[queries]]
+query = '''
+sequence
+ [file where opcode=0 and file_name="svchost.exe"] by unique_pid
+ [process where opcode == 1] by unique_ppid
+'''
+expected_event_ids = [55, 56]
+
+[[queries]]
+query = '''
+sequence
+ [file where opcode=0] by unique_pid
+ [file where opcode=0] by unique_pid
+| head 1'''
+expected_event_ids = [55, 61]
+
+[[queries]]
+query = '''
+sequence
+ [file where opcode=0] by unique_pid
+ [file where opcode=0] by unique_pid
+| filter events[1].serial_event_id == 92'''
+expected_event_ids = [87, 92]
+
+[[queries]]
+query = '''
+sequence
+ [file where opcode=0 and file_name="*.exe"] by unique_pid
+ [file where opcode=0 and file_name="*.exe"] by unique_pid
+until [process where opcode=5000] by unique_ppid
+| head 1'''
+expected_event_ids = [55, 61]
+
+[[queries]]
+query = '''
+sequence
+ [file where opcode=0 and file_name="*.exe"] by unique_pid
+ [file where opcode=0 and file_name="*.exe"] by unique_pid
+until [process where opcode=1] by unique_ppid
+| head 1'''
+expected_event_ids = []
+
+[[queries]]
+query = '''
+join
+ [file where opcode=0 and file_name="*.exe"] by unique_pid
+ [file where opcode=2 and file_name="*.exe"] by unique_pid
+until [process where opcode=1] by unique_ppid
+| head 1'''
+expected_event_ids = [61, 59]
+
+[[queries]]
+query = '''
+join by user_name
+ [process where opcode in (1,3) and process_name="smss.exe"]
+ [process where opcode in (1,3) and process_name == "python.exe"]
+'''
+expected_event_ids = [78, 48]
+
+[[queries]]
+query = '''
+join by unique_pid
+ [process where opcode=1]
+ [file where opcode=0 and file_name="svchost.exe"]
+ [file where opcode == 0 and file_name == "lsass.exe"]'''
+expected_event_ids = [54, 
55, 61]
+
+[[queries]]
+query = '''
+join by string(unique_pid)
+ [process where opcode=1]
+ [file where opcode=0 and file_name="svchost.exe"]
+ [file where opcode == 0 and file_name == "lsass.exe"]'''
+expected_event_ids = [54, 55, 61]
+
+[[queries]]
+query = '''
+join by unique_pid
+ [process where opcode=1]
+ [file where opcode=0 and file_name="svchost.exe"]
+ [file where opcode == 0 and file_name == "lsass.exe"]
+until [file where opcode == 2]'''
+expected_event_ids = []
+
+[[queries]]
+query = '''
+join by string(unique_pid), unique_pid, unique_pid * 2
+ [process where opcode=1]
+ [file where opcode=0 and file_name="svchost.exe"]
+ [file where opcode == 0 and file_name == "lsass.exe"]
+until [file where opcode == 2]'''
+expected_event_ids = []
+
+[[queries]]
+query = '''
+join
+ [file where opcode=0 and file_name="svchost.exe"] by unique_pid
+ [process where opcode == 1] by unique_ppid
+'''
+expected_event_ids = [55, 56]
+
+[[queries]]
+query = '''
+join by unique_pid
+ [process where opcode in (1,3) and process_name="python.exe"]
+ [file where file_name == "*.exe"]'''
+expected_event_ids = [54, 55]
+
+[[queries]]
+query = '''
+join by user_name
+ [process where opcode in (1,3) and process_name="python.exe"]
+ [process where opcode in (1,3) and process_name == "smss.exe"]
+'''
+expected_event_ids = [48, 78]
+
+[[queries]]
+query = '''
+join
+ [process where opcode in (1,3) and process_name="python.exe"]
+ [process where opcode in (1,3) and process_name == "smss.exe"]
+'''
+expected_event_ids = [48, 3, 50, 78]
+
+[[queries]]
+expected_event_ids = []
+query = '''
+process where fake_field == "*"'''
+
+[[queries]]
+expected_event_ids = [1, 2, 3, 4]
+query = '''
+process where fake_field != "*"
+| head 4'''
+
+[[queries]]
+expected_event_ids = [1, 2, 3, 4]
+query = '''
+process where not (fake_field == "*")
+| head 4'''
+
+[[queries]]
+expected_event_ids = []
+query = '''
+registry where invalid_field_name != null'''
+
+[[queries]]
+expected_event_ids = []
+query 
= '''
+registry where length(bad_field) > 0
+'''
+
+[[queries]]
+query = '''
+process where opcode == 1
+ and process_name in ("net.exe", "net1.exe")
+ and not (parent_process_name == "net.exe"
+ and process_name == "net1.exe")
+ and command_line == "*group *admin*" and command_line != "* /add*"'''
+expected_event_ids = [97]
+
+[[queries]]
+expected_event_ids = [1, 55, 57, 63, 75304]
+query = '''
+any where true
+| unique event_type_full'''
+
+[[queries]]
+query = '''
+process where opcode=1 and process_name in ("services.exe", "smss.exe", "lsass.exe")
+ and descendant of [process where process_name == "cmd.exe" ]'''
+expected_event_ids = [62, 68, 78]
+
+[[queries]]
+query = '''
+process where process_name in ("services.exe", "smss.exe", "lsass.exe")
+ and descendant of [process where process_name == "cmd.exe" ]'''
+expected_event_ids = [62, 64, 68, 69, 78, 80]
+
+[[queries]]
+query = '''
+process where opcode=2 and process_name in ("services.exe", "smss.exe", "lsass.exe")
+ and descendant of [process where process_name == "cmd.exe" ]'''
+expected_event_ids = [64, 69, 80]
+
+[[queries]]
+query = '''
+process where process_name="svchost.exe"
+ and child of [file where file_name="svchost.exe" and opcode=0]'''
+expected_event_ids = [56, 58]
+
+[[queries]]
+query = '''
+process where process_name="svchost.exe"
+ and not child of [file where file_name="svchost.exe" and opcode=0]
+| head 3'''
+expected_event_ids = [11, 13, 15]
+
+[[queries]]
+query = '''
+process where process_name="lsass.exe"
+ and child of [
+ process where process_name="python.exe"
+ and child of [process where process_name="cmd.exe"]
+ ]
+'''
+expected_event_ids = [62, 64]
+
+[[queries]]
+query = '''
+file where child of [
+ process where child of [
+ process where child of [process where process_name="*wsmprovhost.exe"]
+ ]
+]
+| tail 1'''
+expected_event_ids = [91]
+
+[[queries]]
+query = '''
+file where process_name = "python.exe"
+| unique unique_pid'''
+expected_event_ids = [55, 95]
+
+[[queries]]
+query = '''
+file where event of [process where process_name = "python.exe" ]
+| unique unique_pid'''
+expected_event_ids = [55, 95]
+
+[[queries]]
+query = '''
+process where process_name = "python.exe"'''
+expected_event_ids = [48, 50, 51, 54, 93]
+
+[[queries]]
+query = 'process where event of [process where process_name = "python.exe" ]'
+expected_event_ids = [48, 50, 51, 54, 93]
+
+[[queries]]
+query = '''
+sequence
+ [file where file_name="lsass.exe"] by file_path,process_path
+ [process where true] by process_path,parent_process_path
+'''
+expected_event_ids = [61, 62]
+
+[[queries]]
+query = '''
+sequence by user_name
+ [file where file_name="lsass.exe"] by file_path, process_path
+ [process where true] by process_path, parent_process_path
+'''
+expected_event_ids = [61, 62]
+
+[[queries]]
+query = '''
+sequence by pid
+ [file where file_name="lsass.exe"] by file_path,process_path
+ [process where true] by process_path,parent_process_path
+'''
+expected_event_ids = []
+
+[[queries]]
+query = '''
+sequence by user_name
+ [file where opcode=0] by file_path
+ [process where opcode=1] by process_path
+ [process where opcode=2] by process_path
+ [file where opcode=2] by file_path
+| tail 1'''
+expected_event_ids = [88, 89, 90, 91]
+
+[[queries]]
+query = '''
+sequence by user_name
+ [file where opcode=0] by pid,file_path
+ [file where opcode=2] by pid,file_path
+until [process where opcode=2] by ppid,process_path
+'''
+expected_event_ids = []
+
+[[queries]]
+query = '''
+sequence by user_name
+ [file where opcode=0] by pid,file_path
+ [file where opcode=2] by pid,file_path
+until [process where opcode=5] by ppid,process_path
+| head 2'''
+expected_event_ids = [55, 59, 61, 65]
+
+[[queries]]
+query = '''
+sequence by pid
+ [file where opcode=0] by file_path
+ [process where opcode=1] by process_path
+ [process where opcode=2] by process_path
+ [file where opcode=2] by file_path
+| tail 1'''
+expected_event_ids = []
+
+[[queries]]
+query = '''
+join 
by user_name
+ [file where true] by pid,file_path
+ [process where true] by ppid,process_path
+| head 2'''
+expected_event_ids = [55, 56, 59, 58]
+
+[[queries]]
+query = '''
+sequence
+ [process where true] by unique_pid
+ [file where true] fork=true by unique_pid
+ [process where true] by unique_ppid
+| head 4'''
+expected_event_ids = [54, 55, 56, 54, 61, 62, 54, 67, 68, 54, 72, 73]
+
+[[queries]]
+query = '''
+process where command_line == "*%*" '''
+expected_event_ids = [4, 6, 28]
+
+[[queries]]
+query = '''
+process where command_line == "*%*%*" '''
+expected_event_ids = [4, 6, 28]
+
+[[queries]]
+query = '''
+process where command_line == "%*%*" '''
+expected_event_ids = [4, 6, 28]
+
+[[queries]]
+expected_event_ids = [11, 60, 63]
+query = '''
+any where process_name == "svchost.exe"
+| unique_count event_type_full process_name'''
+
+[[queries]]
+expected_event_ids = [63, 60, 11]
+query = '''
+any where process_name == "svchost.exe"
+| sort event_type_full serial_event_id
+| unique_count event_type_full process_name'''
+
+[[queries]]
+expected_event_ids = [60]
+query = '''
+any where process_name == "svchost.exe"
+| unique_count event_type_full opcode
+| filter count == 7'''
+
+[[queries]]
+expected_event_ids = [11]
+query = '''
+any where process_name == "svchost.exe"
+| unique_count event_type_full opcode
+| filter percent >= .5
+'''
+
+[[queries]]
+expected_event_ids = [57]
+query = '''
+registry where arrayContains(bytes_written_string_list, 'En-uS')'''
+
+[[queries]]
+expected_event_ids = [57]
+query = '''
+registry where arrayContains(bytes_written_string_list, 'En')'''
+
+[[queries]]
+expected_event_ids = [57]
+query = '''
+registry where length(bytes_written_string_list) > 0 and bytes_written_string_list[0] == 'EN-us'
+'''
+
+[[queries]]
+expected_event_ids = [57]
+query = '''
+registry where bytes_written_string_list[0] == 'EN-us'
+'''
+
+[[queries]]
+expected_event_ids = [57]
+query = '''
+registry where bytes_written_string_list[1] == 'EN'
+'''
+
+[[queries]]
+query = '''
+process where matchLite(?'.*?net1\s+localgroup\s+.*?', command_line)
+'''
+expected_event_ids = [98]
+
+[[queries]]
+query = '''
+process where matchLite(?'.*?net1\s+\w+\s+.*?', command_line)
+'''
+expected_event_ids = [98]
+
+[[queries]]
+query = '''
+process where matchLite(?'.*?net1\s+\w{4,15}\s+.*?', command_line)
+'''
+expected_event_ids = [98]
+
+[[queries]]
+expected_event_ids = [98]
+query = '''
+process where match(?'.*?net1\s+\w{4,15}\s+.*?', command_line)
+'''
+
+[[queries]]
+query = '''
+process where matchLite(?'.*?net1\s+[localgrup]{4,15}\s+.*?', command_line)
+'''
+expected_event_ids = [98]
+
+[[queries]]
+query = '''
+process where 'net.EXE' == original_file_name
+| filter process_name="net*.exe"
+'''
+expected_event_ids = [97]
+note = "check that case insensitive comparisons are performed even for lhs strings."
+
+[[queries]]
+query = '''
+process where process_name == original_file_name
+| filter process_name='net*.exe'
+'''
+expected_event_ids = [97, 98]
+note = "check that case insensitive comparisons are performed for fields."
+
+[[queries]]
+query = '''
+process where original_file_name == process_name
+| filter length(original_file_name) > 0
+'''
+expected_event_ids = [97, 98, 75273, 75303]
+description = "check that case insensitive comparisons are performed for fields."
+
+[[queries]]
+query = '''
+file where opcode=0 and startsWith(file_name, 'exploRER.')
+'''
+expected_event_ids = [88, 92]
+description = "check built-in string functions"
+
+[[queries]]
+query = '''
+file where opcode=0 and startsWith(file_name, 'expLORER.exe')
+'''
+expected_event_ids = [88, 92]
+description = "check built-in string functions"
+
+[[queries]]
+query = '''
+file where opcode=0 and endsWith(file_name, 'loREr.exe')'''
+expected_event_ids = [88]
+description = "check built-in string functions"
+
+[[queries]]
+query = '''
+file where opcode=0 and startsWith(file_name, 'explORER.EXE')'''
+expected_event_ids = [88, 92]
+description = "check built-in string functions"
+
+[[queries]]
+query = '''
+file where opcode=0 and startsWith('explorer.exeaaaaaaaa', file_name)'''
+expected_event_ids = [88]
+description = "check built-in string functions"
+
+[[queries]]
+query = '''
+file where opcode=0 and serial_event_id = 88 and startsWith('explorer.exeaAAAA', 'EXPLORER.exe')'''
+expected_event_ids = [88]
+description = "check built-in string functions"
+
+[[queries]]
+query = '''
+file where opcode=0 and stringContains('ABCDEFGHIexplorer.exeJKLMNOP', file_name)
+'''
+expected_event_ids = [88]
+description = "check built-in string functions"
+
+[[queries]]
+query = '''
+file where opcode=0 and indexOf(file_name, 'plore') == 2 and not indexOf(file_name, '.pf')
+'''
+expected_event_ids = [88]
+description = "check built-in string functions"
+
+[[queries]]
+query = '''
+file where opcode=0 and indexOf(file_name, 'explorer.') and indexOf(file_name, 'plore', 100)
+'''
+expected_event_ids = []
+description = "check built-in string functions"
+
+[[queries]]
+query = '''
+file where opcode=0 and indexOf(file_name, 'plorer.', 0) == 2'''
+expected_event_ids = [88, 92]
+description = "check built-in string functions"
+
+[[queries]]
+query = '''
+file where opcode=0 and indexOf(file_name, 'plorer.', 2)'''
+expected_event_ids = [88, 92]
+description = "check built-in string 
functions"
+
+[[queries]]
+query = '''
+file where opcode=0 and indexOf(file_name, 'plorer.', 4)'''
+expected_event_ids = []
+description = "check built-in string functions"
+
+[[queries]]
+query = '''
+file where opcode=0 and indexOf(file_name, 'thing that never happened')'''
+expected_event_ids = []
+description = "check built-in string functions"
+
+[[queries]]
+query = '''
+file where opcode=0 and indexOf(file_name, 'plorer.', 2) == 2'''
+expected_event_ids = [88, 92]
+description = "check substring ranges"
+
+[[queries]]
+query = '''
+file where opcode=0 and indexOf(file_name, 'explorer.', 0) == 0'''
+expected_event_ids = [88, 92]
+description = "check substring ranges"
+
+[[queries]]
+query = '''
+file where serial_event_id=88 and substring(file_name, 0, 4) == 'expl'
+'''
+expected_event_ids = [88]
+description = "check substring ranges"
+
+[[queries]]
+query = '''
+file where serial_event_id=88 and substring(file_name, 1, 3) == 'xp'
+'''
+expected_event_ids = [88]
+description = "chaeck substring ranges"
+
+[[queries]]
+query = '''
+file where serial_event_id=88 and substring(file_name, -4) == '.exe'
+'''
+expected_event_ids = [88]
+description = "check substring ranges"
+
+[[queries]]
+query = '''
+file where serial_event_id=88 and substring(file_name, -4, -1) == '.ex'
+'''
+expected_event_ids = [88]
+description = "check substring ranges"
+
+[[queries]]
+query = '''
+process where add(serial_event_id, 0) == 1 and add(0, 1) == serial_event_id'''
+expected_event_ids = [1]
+description = "test built-in math functions"
+
+[[queries]]
+query = '''
+process where subtract(serial_event_id, -5) == 6'''
+expected_event_ids = [1]
+description = "test built-in math functions"
+
+[[queries]]
+query = '''
+process where multiply(6, serial_event_id) == 30 and divide(30, 4.0) == 7.5'''
+expected_event_ids = [5]
+description = "test built-in math functions"
+
+[[queries]]
+query = '''
+process where modulo(11, add(serial_event_id, 1)) == serial_event_id'''
+expected_event_ids = [1, 2, 3, 5, 11]
+description = "test built-in math functions"
+
+[[queries]]
+query = '''
+process where serial_event_id == number('5')'''
+expected_event_ids = [5]
+description = "test string/number conversions"
+
+[[queries]]
+expected_event_ids = [50]
+description = "test string/number conversions"
+query = '''
+process where serial_event_id == number('0x32', 16)'''
+
+[[queries]]
+expected_event_ids = [50]
+description = "test string/number conversions"
+query = '''
+process where serial_event_id == number('32', 16)'''
+
+[[queries]]
+query = '''
+process where number(serial_event_id) == number(5)'''
+expected_event_ids = [5]
+description = "test string/number conversions"
+
+[[queries]]
+query = '''
+process where concat(serial_event_id, ':', process_name, opcode) == '5:winINIT.exe3'
+'''
+expected_event_ids = [5]
+description = "test string concatenation"
+
+[[queries]]
+query = '''
+process where process_name != original_file_name
+| filter length(original_file_name) > 0'''
+expected_event_ids = []
+description = "check that case insensitive comparisons are performed for fields."
+
+[[queries]]
+query = '''
+sequence by unique_pid [process where opcode=1 and process_name == 'msbuild.exe'] [network where true]'''
+expected_event_ids = [75273, 75304]
+description = "test that process sequences are working correctly"
+
+[[queries]]
+expected_event_ids = [57]
+description = "test arraySearch functionality for lists of strings, and lists of objects"
+query = '''
+registry where arraySearch(bytes_written_string_list, a, a == 'en-us')'''
+
+[[queries]]
+expected_event_ids = [57]
+description = "test arraySearch functionality for lists of strings, and lists of objects"
+query = '''
+registry where arraySearch(bytes_written_string_list, a, endsWith(a, '-us'))'''
+
+[[queries]]
+expected_event_ids = [75305]
+description = "test arraySearch - true"
+query = '''
+network where mysterious_field
+ and arraySearch(mysterious_field.subarray, s, true)
+'''
+
+[[queries]]
+expected_event_ids = []
+description = "test arraySearch - false"
+query = '''
+network where mysterious_field and arraySearch(mysterious_field.subarray, s, false)
+'''
+
+[[queries]]
+expected_event_ids = [75305]
+description = "test arraySearch - conditional"
+query = '''
+network where mysterious_field and arraySearch(mysterious_field.subarray, s, s.a == 's0-*')
+'''
+
+[[queries]]
+expected_event_ids = [75305]
+description = "test arraySearch - conditional"
+query = '''
+network where mysterious_field and arraySearch(mysterious_field.subarray, s, s.a != 's0-*')
+'''
+
+[[queries]]
+expected_event_ids = [75305]
+description = "test arraySearch - nested"
+query = '''
+network where mysterious_field
+ and arraySearch(mysterious_field.subarray, sub1,
+ arraySearch(sub1.c, nested, nested.x.y == '*'))
+'''
+
+[[queries]]
+expected_event_ids = [75305]
+description = "test arraySearch - nested with cross-check pass"
+query = '''
+network where mysterious_field
+ and arraySearch(mysterious_field.subarray, sub1,
+ sub1.a == 's0-a' and arraySearch(sub1.c, nested, nested.z == 's0-c1-x-z'))
+'''
+
+[[queries]]
+expected_event_ids = [75305]
+description = "test arraySearch - nested with cross-check pass"
+query = '''
+network where mysterious_field
+ and arraySearch(mysterious_field.subarray, sub1,
+ sub1.a == 's0-a' and arraySearch(sub1.c, nested, nested.z == sub1.cross_match))
+'''
+
+[[queries]]
+expected_event_ids = [75305]
+description = "test arraySearch - nested with cross-check pass"
+query = '''
+network where mysterious_field
+ and arraySearch(mysterious_field.subarray, sub1,
+ arraySearch(sub1.c, nested, nested.x.y == mysterious_field.outer_cross_match))
+'''
+
+[[queries]]
+expected_event_ids = []
+description = "test 'safe()' wrapper for exception handling"
+query = '''
+network where safe(divide(process_name, process_name))
+'''
+
+[[queries]]
+query = '''
+file where serial_event_id == 82 and (true == (process_name in ('svchost.EXE', 'bad.exe', 'bad2.exe')))
+'''
+expected_event_ids = [82]
+description = "nested set comparisons"
+
+[[queries]]
+expected_event_ids = [57]
+query = '''
+registry where arrayCount(bytes_written_string_list, s, s == '*-us') == 1
+'''
+
+[[queries]]
+expected_event_ids = [57]
+query = '''
+registry where arrayCount(bytes_written_string_list, s, s == '*en*') == 2
+'''
+
+[[queries]]
+expected_event_ids = [57]
+query = '''
+registry where arrayContains(bytes_written_string_list, "missing", "en-US")
+'''
+
+[[queries]]
+expected_event_ids = [82]
+query = "file where serial_event_id - 1 == 81"
+
+[[queries]]
+expected_event_ids = [82]
+query = "file where serial_event_id + 1 == 83"
+
+[[queries]]
+expected_event_ids = [82]
+query = "file where serial_event_id * 2 == 164"
+
+[[queries]]
+expected_event_ids = [82]
+query = "file where serial_event_id / 2 == 41"
+
+[[queries]]
+expected_event_ids = [82]
+query = "file where serial_event_id % 40 == 2"
+
+[[queries]]
+expected_event_ids = [1, 2]
+query = '''
+process where between(process_name, "s", "e") == "yst"
+'''
+
+[[queries]]
+expected_event_ids = [1, 2]
+query = '''
+process where between(process_name, "s", "e", false) == "yst"
+'''
+
+[[queries]]
+expected_event_ids = []
+query = '''
+process where between(process_name, "s", "e", false, true) == "yst"
+'''
+
+[[queries]]
+expected_event_ids = [1, 2, 42]
+query = '''
+process where between(process_name, "s", "e", false, true) == "t"
+'''
+
+[[queries]]
+expected_event_ids = [1, 2]
+query = '''
+process where between(process_name, "S", "e", false, true) == "yst"
+'''
+
+[[queries]]
+expected_event_ids = [1]
+query = '''
+process where between(process_name, "s", "e", true) == "ystem Idle Proc"
+'''
+
+[[queries]]
+expected_event_ids = [95]
+query = '''
+file where between(file_path, "dev", ".json", false) == "\\testlogs\\something"
+'''
+
+[[queries]]
+expected_event_ids = [95]
+query = '''
+file where between(file_path, "dev", ".json", true) == "\\testlogs\\something"
+'''
+
+[[queries]]
+expected_event_ids = [75304, 75305]
+query = '''
+network where cidrMatch(source_address, "10.6.48.157/8")
+'''
+
+[[queries]]
+expected_event_ids = []
+query = '''
+network where cidrMatch(source_address, "192.168.0.0/16")
+'''
+
+[[queries]]
+expected_event_ids = [75304, 75305]
+query = '''
+network where cidrMatch(source_address, "192.168.0.0/16", "10.6.48.157/8")
+
+'''
+[[queries]]
+expected_event_ids = [75304, 75305]
+query = '''
+network where cidrMatch(source_address, "0.0.0.0/0")
+'''
+
+[[queries]]
+expected_event_ids = [7, 14, 22, 29, 44]
+query = '''
+process where length(between(process_name, 'g', 'e')) > 0
+'''
+
+[[queries]]
+expected_event_ids = []
+query = '''
+process where length(between(process_name, 'g', 'z')) > 0
+'''
+
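Review bot: The new test_queries_unsupported.toml mixes two keys for the same purpose: the null-comparison and case-insensitivity entries use `note = "..."`, while the string-function, substring, math and arraySearch entries use `description = "..."`; if the TOML-backed harness maps only one of these into the test case, the other is dropped without any error, so the file should settle on one key (`description` is the majority) and I'd confirm which one the loader actually reads. Two smaller data-quality points in the same hunk: the `substring(file_name, 1, 3) == 'xp'` entry carries a typo, `description = "chaeck substring ranges"`, and three consecutive nested-arraySearch entries share the identical `description = "test arraySearch - nested with cross-check pass"` although they exercise a literal, `sub1.cross_match` and `mysterious_field.outer_cross_match` respectively, which makes a failing case hard to identify from the reported name. The same text appears to be duplicated verbatim in the test_queries.toml hunk above (whose start is outside this view), so any fix should be applied to both files.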