diff --git a/package.json b/package.json
index 4fb34109bec69a..796b89b288b9f9 100644
--- a/package.json
+++ b/package.json
@@ -340,7 +340,7 @@
 "react-moment-proptypes": "^1.7.0",
 "react-monaco-editor": "^0.41.2",
 "react-popper-tooltip": "^2.10.1",
- "react-query": "^3.28.0",
+ "react-query": "^3.34.7",
 "react-redux": "^7.2.0",
 "react-resizable": "^1.7.5",
 "react-resize-detector": "^4.2.0",
@@ -884,4 +884,4 @@
 "yargs": "^15.4.1",
 "zlib": "^1.0.5"
 }
-}
\ No newline at end of file
+}
diff --git a/x-pack/plugins/session_view/common/constants.ts b/x-pack/plugins/session_view/common/constants.ts
index 8388b92673c045..1d789bd5a1d918 100644
--- a/x-pack/plugins/session_view/common/constants.ts
+++ b/x-pack/plugins/session_view/common/constants.ts
@@ -18,4 +18,4 @@ export const RECENT_SESSION_ROUTE = '/internal/session_view/recent_session_route
 export const SESSION_ENTRY_LEADERS_ROUTE = '/internal/session_view/session_entry_leaders_route';
 export const TEST_SAVED_OBJECT = 'session_view_test_saved_object';
-export const PROCESS_EVENTS_PER_PAGE = 2000;
+export const PROCESS_EVENTS_PER_PAGE = 1000;
diff --git a/x-pack/plugins/session_view/common/mocks/constants/session_view_process.mock.ts b/x-pack/plugins/session_view/common/mocks/constants/session_view_process.mock.ts
index 6d127a551cad52..b3b2757e461c60 100644
--- a/x-pack/plugins/session_view/common/mocks/constants/session_view_process.mock.ts
+++ b/x-pack/plugins/session_view/common/mocks/constants/session_view_process.mock.ts
@@ -8,6 +8,7 @@ import {
 Process,
 ProcessEvent,
+ ProcessEventsPage,
 ProcessFields,
 EventAction,
 EventKind,
@@ -15,7 +16,7 @@ import {
 User,
 } from '../../types/process_tree';
-export const mockEvents = [
+const mockEvents = [
 {
 '@timestamp': new Date('2021-11-23T15:25:04.210Z'),
 process: {
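Review bot: The `PROCESS_EVENTS_PER_PAGE` change from 2000 to 1000 in `common/constants.ts` carries no explanation, and the constant has no doc comment, so the next reader cannot tell whether 1000 is a payload/render budget or a backend query limit. Since it is exported from `common/`, it presumably sizes both the client's page request and the server's query, which would make it the bound that keeps a single request from pulling an unbounded event set — worth stating at the declaration. Suggest `/** Max process events returned per page; bounds both the client request and the server query. Lowered from 2000 because <reason — fill in> */` above the export. The package.json hunks are a version bump and a trailing-newline fix and need nothing.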
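Review bot: Removing `export` from `mockEvents` in the `@@ -15,7 +16,7 @@` hunk of session_view_process.mock.ts is a breaking change for any test that imported it directly; nothing in this diff shows such imports being moved to the new `mockData`, so either confirm there are none or keep the export alongside `mockData`. A one-line comment at the declaration, `// Backing events for mockData below; import mockData rather than this array`, would record the intent for the next maintainer. The enclosing array literal continues outside the hunk.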
@@ -38,11 +39,11 @@ export const mockEvents = [
 executable: '/usr/bin/bash',
 interactive: true,
 entity_id: '3d0192c6-7c54-5ee6-a110-3539a7cf42bc',
- command_line: '',
 name: '',
 args: [],
 args_count: 0,
 working_directory: '/home/vagrant',
+ start: new Date('2021-11-23T15:25:04.210Z')
 },
 session: {
 pid: 2442,
@@ -54,11 +55,11 @@ export const mockEvents = [
 executable: '/usr/bin/bash',
 interactive: true,
 entity_id: '3d0192c6-7c54-5ee6-a110-3539a7cf42bc',
- command_line: '',
 name: '',
 args: [],
 args_count: 0,
 working_directory: '/home/vagrant',
+ start: new Date('2021-11-23T15:25:04.210Z')
 },
 entry: {
 pid: 2442,
@@ -70,17 +71,17 @@ export const mockEvents = [
 executable: '/usr/bin/bash',
 interactive: true,
 entity_id: '3d0192c6-7c54-5ee6-a110-3539a7cf42bc',
- command_line: '',
 name: '',
 args: [],
 args_count: 0,
 working_directory: '/home/vagrant',
+ start: new Date('2021-11-23T15:25:04.210Z')
 },
- command_line: '',
 name: '',
 args_count: 0,
 args: [],
 working_directory: '/home/vagrant',
+ start: new Date('2021-11-23T15:25:04.210Z')
 },
 event: {
 action: EventAction.fork,
@@ -110,11 +111,11 @@ export const mockEvents = [
 executable: '/usr/bin/bash',
 interactive: true,
 entity_id: '3d0192c6-7c54-5ee6-a110-3539a7cf42bc',
- command_line: '',
 name: '',
 args: [],
 args_count: 0,
 working_directory: '/home/vagrant',
+ start: new Date('2021-11-23T15:25:04.218Z'),
 },
 session: {
 pid: 2442,
@@ -126,11 +127,11 @@ export const mockEvents = [
 executable: '/usr/bin/bash',
 interactive: true,
 entity_id: '3d0192c6-7c54-5ee6-a110-3539a7cf42bc',
- command_line: '',
 name: '',
 args: [],
 args_count: 0,
 working_directory: '/home/vagrant',
+ start: new Date('2021-11-23T15:25:04.218Z'),
 },
 entry: {
 pid: 2442,
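Review bot: The added `start:` lines are inconsistent about trailing commas: the insertions in `@@ -38`, `@@ -54`, `@@ -70` (both), `@@ -182`, `@@ -198` and the first one in `@@ -214` end with `)` while every other added `start:` line and all surrounding properties end with `,`. The file is otherwise formatted with trailing commas throughout (every `working_directory: '/home/vagrant',` and `},` in these hunks), so a Prettier pass would rewrite them; the same applies to the `mockData` literal in the `@@ -427,6 +428,13 @@` hunk, which lacks trailing commas after `cursor: '…'` and `}` and a semicolon after `]`. Suggest normalizing to `start: new Date('2021-11-23T15:25:04.210Z'),` (and the corresponding timestamps elsewhere) before merge so the next format pass does not produce a noisy follow-up diff.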
@@ -142,17 +143,17 @@ export const mockEvents = [
 executable: '/usr/bin/bash',
 interactive: true,
 entity_id: '3d0192c6-7c54-5ee6-a110-3539a7cf42bc',
- command_line: '',
 name: '',
 args: [],
 args_count: 0,
 working_directory: '/home/vagrant',
+ start: new Date('2021-11-23T15:25:04.218Z'),
 },
- command_line: '',
 name: '',
 args_count: 2,
 args: ['vi', 'cmd/config.ini'],
 working_directory: '/home/vagrant',
+ start: new Date('2021-11-23T15:25:04.218Z'),
 },
 event: {
 action: EventAction.exec,
@@ -182,11 +183,11 @@ export const mockEvents = [
 executable: '/usr/bin/bash',
 interactive: true,
 entity_id: '3d0192c6-7c54-5ee6-a110-3539a7cf42bc',
- command_line: '',
 name: '',
 args: [],
 args_count: 0,
 working_directory: '/home/vagrant',
+ start: new Date('2021-11-23T15:25:05.202Z')
 },
 session: {
 pid: 2442,
@@ -198,11 +199,11 @@ export const mockEvents = [
 executable: '/usr/bin/bash',
 interactive: true,
 entity_id: '3d0192c6-7c54-5ee6-a110-3539a7cf42bc',
- command_line: '',
 name: '',
 args: [],
 args_count: 0,
 working_directory: '/home/vagrant',
+ start: new Date('2021-11-23T15:25:05.202Z')
 },
 entry: {
 pid: 2442,
@@ -214,13 +215,13 @@ export const mockEvents = [
 executable: '/usr/bin/bash',
 interactive: true,
 entity_id: '3d0192c6-7c54-5ee6-a110-3539a7cf42bc',
- command_line: '',
 name: '',
 args: [],
 args_count: 0,
 working_directory: '/home/vagrant',
+ start: new Date('2021-11-23T15:25:05.202Z')
 },
- command_line: '',
+ start: new Date('2021-11-23T15:25:05.202Z'),
 name: '',
 args_count: 2,
 args: ['vi', 'cmd/config.ini'],
@@ -234,7 +235,7 @@ export const mockEvents = [
 },
 ] as ProcessEvent[];
-export const mockAlerts = [
+export const mockAlerts: ProcessEvent[] = [
 {
 kibana: {
 alert: {
@@ -280,11 +281,11 @@ export const mockAlerts = [
 executable: '/usr/bin/bash',
 interactive: true,
 entity_id: '3d0192c6-7c54-5ee6-a110-3539a7cf42bc',
- command_line: '',
 name: '',
 args: [],
 args_count: 0,
 working_directory: '/home/vagrant',
+ start: new Date('2021-11-23T15:26:34.859Z'),
 },
 session: {
 pid: 2442,
@@ -296,11 +297,11 @@ export const mockAlerts = [
 executable: '/usr/bin/bash',
 interactive: true,
 entity_id: '3d0192c6-7c54-5ee6-a110-3539a7cf42bc',
- command_line: '',
 name: '',
 args: [],
 args_count: 0,
 working_directory: '/home/vagrant',
+ start: new Date('2021-11-23T15:26:34.859Z'),
 },
 entry: {
 pid: 2442,
@@ -312,17 +313,17 @@ export const mockAlerts = [
 executable: '/usr/bin/bash',
 interactive: true,
 entity_id: '3d0192c6-7c54-5ee6-a110-3539a7cf42bc',
- command_line: '',
 name: '',
 args: [],
 args_count: 0,
 working_directory: '/home/vagrant',
+ start: new Date('2021-11-23T15:26:34.859Z'),
 },
- command_line: '',
 name: '',
 args_count: 2,
 args: ['vi', 'cmd/config.ini'],
 working_directory: '/home/vagrant',
+ start: new Date('2021-11-23T15:26:34.859Z'),
 },
 event: {
 action: EventAction.exec,
@@ -375,11 +376,11 @@ export const mockAlerts = [
 executable: '/usr/bin/bash',
 interactive: true,
 entity_id: '3d0192c6-7c54-5ee6-a110-3539a7cf42bc',
- command_line: '',
 name: '',
 args_count: 2,
 args: ['vi', 'cmd/config.ini'],
 working_directory: '/home/vagrant',
+ start: new Date('2021-11-23T15:26:34.860Z'),
 },
 session: {
 pid: 2442,
@@ -391,11 +392,11 @@ export const mockAlerts = [
 executable: '/usr/bin/bash',
 interactive: true,
 entity_id: '3d0192c6-7c54-5ee6-a110-3539a7cf42bc',
- command_line: '',
 name: '',
 args_count: 2,
 args: ['vi', 'cmd/config.ini'],
 working_directory: '/home/vagrant',
+ start: new Date('2021-11-23T15:26:34.860Z'),
 },
 entry: {
 pid: 2442,
@@ -407,17 +408,17 @@ export const mockAlerts = [
 executable: '/usr/bin/bash',
 interactive: true,
 entity_id: '3d0192c6-7c54-5ee6-a110-3539a7cf42bc',
- command_line: '',
 name: '',
 args_count: 2,
 args: ['vi', 'cmd/config.ini'],
 working_directory: '/home/vagrant',
+ start: new Date('2021-11-23T15:26:34.860Z'),
 },
- command_line: '',
 name: '',
 args_count: 2,
 args: ['vi', 'cmd/config.ini'],
 working_directory: '/home/vagrant',
+ start: new Date('2021-11-23T15:26:34.860Z'),
 },
 event: {
 action: EventAction.exit,
@@ -427,6 +428,13 @@ export const mockAlerts = [
 },
 ];
+export const mockData: ProcessEventsPage[] = [
+ {
+ events: mockEvents,
+ cursor: '2021-11-23T15:25:04.210Z'
+ }
+]
+
 export const processMock: Process = {
 id: '3d0192c6-7c54-5ee6-a110-3539a7cf42bc',
 events: [],
@@ -440,30 +448,30 @@ export const processMock: Process = {
 hasExec: () => false,
 getOutput: () => '',
 getDetails: () =>
- ({
- '@timestamp': new Date('2021-11-23T15:25:04.210Z'),
- event: {
- kind: EventKind.event,
- category: 'process',
- action: EventAction.exec,
- },
- process: {
- args: [],
- args_count: 0,
- command_line: '',
- entity_id: '3d0192c6-7c54-5ee6-a110-3539a7cf42bc',
- executable: '',
- interactive: false,
- name: '',
- working_directory: '/home/vagrant',
- pid: 1,
- pgid: 1,
- user: {} as User,
- parent: {} as ProcessFields,
- session: {} as ProcessFields,
- entry: {} as ProcessFields,
- },
- } as ProcessEvent),
+ ({
+ '@timestamp': new Date('2021-11-23T15:25:04.210Z'),
+ event: {
+ kind: EventKind.event,
+ category: 'process',
+ action: EventAction.exec,
+ },
+ process: {
+ args: [],
+ args_count: 0,
+ entity_id: '3d0192c6-7c54-5ee6-a110-3539a7cf42bc',
+ executable: '',
+ interactive: false,
+ name: '',
+ working_directory: '/home/vagrant',
+ start: new Date('2021-11-23T15:25:04.210Z'),
+ pid: 1,
+ pgid: 1,
+ user: {} as User,
+ parent: {} as ProcessFields,
+ session: {} as ProcessFields,
+ entry: {} as ProcessFields,
+ },
+ } as ProcessEvent),
 isUserEntered: () => false,
 getMaxAlertLevel: () => null,
 };
diff --git a/x-pack/plugins/session_view/common/mocks/responses/session_view_process_events.mock.ts b/x-pack/plugins/session_view/common/mocks/responses/session_view_process_events.mock.ts
index 7c3330117f338a..d5062e69636eb1 100644
--- a/x-pack/plugins/session_view/common/mocks/responses/session_view_process_events.mock.ts
+++ b/x-pack/plugins/session_view/common/mocks/responses/session_view_process_events.mock.ts
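Review bot: `mockData` hard-codes `cursor: '2021-11-23T15:25:04.210Z'`, which is the same instant as the first `mockEvents` entry's `'@timestamp'`; if the cursor is meant to track that event, deriving it — `cursor: mockEvents[0]['@timestamp'].toISOString(),` assuming `'@timestamp'` is typed as `Date` on `ProcessEvent` — keeps the fixture from drifting when the events are edited. What `cursor` denotes on `ProcessEventsPage` is not visible here, so a short doc comment on the new export, e.g. `/** One page of process events as the events route returns it; cursor is <state its meaning> */`, would help the next reader. The `getDetails` hunk below it is a re-indent plus the `command_line`→`start` swap and needs nothing further.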
@@ -5,1912 +5,1900 @@ * 2.0. */ -export const sessionViewProcessEventsMock = () => ({ - events: { - total: { value: 10, relation: 'eq' }, - max_score: null, - hits: [ - { - _index: 'cmd', - _id: 'FMUGTX0BGGlsPv9flMF7', - _score: null, - _source: { - '@timestamp': '2021-11-23T13:40:16.528Z', - process: { - pid: 51744, - pgid: 51744, - user: { name: 'vagrant', id: 1000 }, - executable: '/usr/bin/cat', - interactive: true, - entity_id: 'bb5efe42-54a6-597c-bd0e-33a1a3fc372e', - parent: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - session: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - entry: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - start: '2021-11-23T13:40:07.183Z', - }, - args_count: 2, - args: ['cat', 'EventConverter/src/main.ts'], - working_directory: '/home/vagrant', - }, - event: { action: 'exec', category: 'process', kind: 'event' }, - network: { application: 'ssh' }, - source: { ip: '10.0.2.2' }, - client: { ip: '10.0.2.2' }, +export const sessionViewProcessEventsMock = { + events: [{ + _index: 'cmd', + _id: 'FMUGTX0BGGlsPv9flMF7', + _score: null, + _source: { + '@timestamp': '2021-11-23T13:40:16.528Z', + process: { + pid: 51744, + pgid: 51744, + user: { name: 'vagrant', id: 1000 }, + executable: '/usr/bin/cat', + interactive: true, + entity_id: 'bb5efe42-54a6-597c-bd0e-33a1a3fc372e', + parent: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + session: { + pid: 51547, + user: { name: 'vagrant', id: 1000 }, + pgid: 51547, + executable: '/bin/bash', 
+ interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', }, - sort: [1637674816528], + entry: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + start: '2021-11-23T13:40:07.183Z', + }, + args_count: 2, + args: ['cat', 'EventConverter/src/main.ts'], + working_directory: '/home/vagrant', }, - { - _index: 'cmd', - _id: 'FsUGTX0BGGlsPv9flMGF', - _score: null, - _source: { - '@timestamp': '2021-11-23T13:40:16.541Z', - process: { - pid: 51744, - pgid: 51744, - user: { name: 'vagrant', id: 1000 }, - executable: '/usr/bin/cat', - interactive: true, - entity_id: 'bb5efe42-54a6-597c-bd0e-33a1a3fc372e', - parent: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - session: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - entry: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - start: '2021-11-23T13:40:07.183Z', - }, - args_count: 2, - args: ['cat', 'EventConverter/src/main.ts'], - working_directory: '/home/vagrant', - }, - event: { action: 'exit', category: 'process', kind: 'event' }, - network: { application: 'ssh' }, - source: { ip: '10.0.2.2' }, - client: { ip: '10.0.2.2' }, + event: { action: 'exec', category: 'process', kind: 'event' }, + network: { application: 'ssh' }, + source: { ip: '10.0.2.2' }, + client: { ip: '10.0.2.2' }, + }, + sort: [1637674816528], + }, + { + _index: 'cmd', + _id: 'FsUGTX0BGGlsPv9flMGF', + _score: null, + _source: { + '@timestamp': '2021-11-23T13:40:16.541Z', + process: { + pid: 51744, + pgid: 51744, + user: { name: 'vagrant', id: 1000 
}, + executable: '/usr/bin/cat', + interactive: true, + entity_id: 'bb5efe42-54a6-597c-bd0e-33a1a3fc372e', + parent: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + session: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', }, - sort: [1637674816541], + entry: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + start: '2021-11-23T13:40:07.183Z', + }, + args_count: 2, + args: ['cat', 'EventConverter/src/main.ts'], + working_directory: '/home/vagrant', }, - { - _index: 'cmd', - _id: 'H8UGTX0BGGlsPv9fp8F_', - _score: null, - _source: { - '@timestamp': '2021-11-23T13:40:21.392Z', - process: { - pid: 51749, - pgid: 51749, - user: { name: 'vagrant', id: 1000 }, - executable: '/usr/bin/cat', - interactive: true, - entity_id: '628f412a-172c-5cf4-b452-a070e1e9cbeb', - parent: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - session: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - entry: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - start: '2021-11-23T13:40:07.183Z', - }, - args_count: 2, - args: ['cat', 'EventConverter/package.json'], - working_directory: '/home/vagrant', - }, - event: { action: 'exec', category: 'process', kind: 'event' }, - network: { application: 'ssh' }, - source: { ip: '10.0.2.2' }, - client: { ip: '10.0.2.2' 
}, + event: { action: 'exit', category: 'process', kind: 'event' }, + network: { application: 'ssh' }, + source: { ip: '10.0.2.2' }, + client: { ip: '10.0.2.2' }, + }, + sort: [1637674816541], + }, + { + _index: 'cmd', + _id: 'H8UGTX0BGGlsPv9fp8F_', + _score: null, + _source: { + '@timestamp': '2021-11-23T13:40:21.392Z', + process: { + pid: 51749, + pgid: 51749, + user: { name: 'vagrant', id: 1000 }, + executable: '/usr/bin/cat', + interactive: true, + entity_id: '628f412a-172c-5cf4-b452-a070e1e9cbeb', + parent: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + session: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', }, - sort: [1637674821392], + entry: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + start: '2021-11-23T13:40:07.183Z', + }, + args_count: 2, + args: ['cat', 'EventConverter/package.json'], + working_directory: '/home/vagrant', }, - { - _index: 'cmd', - _id: 'HsUGTX0BGGlsPv9fp8F_', - _score: null, - _source: { - '@timestamp': '2021-11-23T13:40:21.392Z', - process: { - pid: 51749, - pgid: 51547, - user: { name: 'vagrant', id: -1 }, - executable: '/bin/bash', - interactive: false, - entity_id: '628f412a-172c-5cf4-b452-a070e1e9cbeb', - parent: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - session: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - entry: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - 
executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - start: '2021-11-23T13:40:07.183Z', - }, - args_count: 0, - args: [], - working_directory: '/home/vagrant', - }, - event: { action: 'fork', category: 'process', kind: 'event' }, - network: { application: 'ssh' }, - source: { ip: '10.0.2.2' }, - client: { ip: '10.0.2.2' }, + event: { action: 'exec', category: 'process', kind: 'event' }, + network: { application: 'ssh' }, + source: { ip: '10.0.2.2' }, + client: { ip: '10.0.2.2' }, + }, + sort: [1637674821392], + }, + { + _index: 'cmd', + _id: 'HsUGTX0BGGlsPv9fp8F_', + _score: null, + _source: { + '@timestamp': '2021-11-23T13:40:21.392Z', + process: { + pid: 51749, + pgid: 51547, + user: { name: 'vagrant', id: -1 }, + executable: '/bin/bash', + interactive: false, + entity_id: '628f412a-172c-5cf4-b452-a070e1e9cbeb', + parent: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + session: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + entry: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + start: '2021-11-23T13:40:07.183Z', }, - sort: [1637674821392], + args_count: 0, + args: [], + working_directory: '/home/vagrant', }, - { - _index: 'cmd', - _id: 'HcUGTX0BGGlsPv9fp8F_', - _score: null, - _source: { - '@timestamp': '2021-11-23T13:40:21.393Z', - process: { - pid: 51749, - pgid: 51749, - user: { name: 'vagrant', id: 1000 }, - executable: '/usr/bin/cat', - interactive: true, - entity_id: '628f412a-172c-5cf4-b452-a070e1e9cbeb', - parent: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, 
- entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - session: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - entry: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - start: '2021-11-23T13:40:07.183Z', - }, - args_count: 2, - args: ['cat', 'EventConverter/package.json'], - working_directory: '/home/vagrant', - }, - event: { action: 'exit', category: 'process', kind: 'event' }, - network: { application: 'ssh' }, - source: { ip: '10.0.2.2' }, - client: { ip: '10.0.2.2' }, + event: { action: 'fork', category: 'process', kind: 'event' }, + network: { application: 'ssh' }, + source: { ip: '10.0.2.2' }, + client: { ip: '10.0.2.2' }, + }, + sort: [1637674821392], + }, + { + _index: 'cmd', + _id: 'HcUGTX0BGGlsPv9fp8F_', + _score: null, + _source: { + '@timestamp': '2021-11-23T13:40:21.393Z', + process: { + pid: 51749, + pgid: 51749, + user: { name: 'vagrant', id: 1000 }, + executable: '/usr/bin/cat', + interactive: true, + entity_id: '628f412a-172c-5cf4-b452-a070e1e9cbeb', + parent: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + session: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + entry: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + start: '2021-11-23T13:40:07.183Z', }, - sort: [1637674821393], + args_count: 2, + args: ['cat', 'EventConverter/package.json'], + working_directory: '/home/vagrant', }, - { - _index: 'cmd', - _id: 
'IsUGTX0BGGlsPv9fsMGs', - _score: null, - _source: { - '@timestamp': '2021-11-23T13:40:23.743Z', - process: { - pid: 51752, - pgid: 51547, - user: { name: 'vagrant', id: -1 }, - executable: '/bin/bash', - interactive: false, - entity_id: 'a459679d-a1d5-56ae-9ebb-23f82edf40aa', - parent: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - session: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - entry: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - start: '2021-11-23T13:40:07.183Z', - }, - args_count: 0, - args: [], - working_directory: '/home/vagrant', - }, - event: { action: 'fork', category: 'process', kind: 'event' }, - network: { application: 'ssh' }, - source: { ip: '10.0.2.2' }, - client: { ip: '10.0.2.2' }, + event: { action: 'exit', category: 'process', kind: 'event' }, + network: { application: 'ssh' }, + source: { ip: '10.0.2.2' }, + client: { ip: '10.0.2.2' }, + }, + sort: [1637674821393], + }, + { + _index: 'cmd', + _id: 'IsUGTX0BGGlsPv9fsMGs', + _score: null, + _source: { + '@timestamp': '2021-11-23T13:40:23.743Z', + process: { + pid: 51752, + pgid: 51547, + user: { name: 'vagrant', id: -1 }, + executable: '/bin/bash', + interactive: false, + entity_id: 'a459679d-a1d5-56ae-9ebb-23f82edf40aa', + parent: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + session: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + entry: { + pid: 
51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + start: '2021-11-23T13:40:07.183Z', }, - sort: [1637674823743], + args_count: 0, + args: [], + working_directory: '/home/vagrant', }, - { - _index: 'cmd', - _id: 'IcUGTX0BGGlsPv9fsMGs', - _score: null, - _source: { - '@timestamp': '2021-11-23T13:40:23.744Z', - process: { - pid: 51752, - pgid: 51752, - user: { name: 'vagrant', id: 1000 }, - executable: '/usr/bin/ls', - interactive: true, - entity_id: 'a459679d-a1d5-56ae-9ebb-23f82edf40aa', - parent: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - session: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - entry: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - start: '2021-11-23T13:40:07.183Z', - }, - args_count: 3, - args: ['ls', '--color=auto', '-la'], - working_directory: '/home/vagrant', - }, - event: { action: 'exec', category: 'process', kind: 'event' }, - network: { application: 'ssh' }, - source: { ip: '10.0.2.2' }, - client: { ip: '10.0.2.2' }, + event: { action: 'fork', category: 'process', kind: 'event' }, + network: { application: 'ssh' }, + source: { ip: '10.0.2.2' }, + client: { ip: '10.0.2.2' }, + }, + sort: [1637674823743], + }, + { + _index: 'cmd', + _id: 'IcUGTX0BGGlsPv9fsMGs', + _score: null, + _source: { + '@timestamp': '2021-11-23T13:40:23.744Z', + process: { + pid: 51752, + pgid: 51752, + user: { name: 'vagrant', id: 1000 }, + executable: '/usr/bin/ls', + interactive: true, + entity_id: 'a459679d-a1d5-56ae-9ebb-23f82edf40aa', + parent: { + pid: 51547, + pgid: 
51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + session: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + entry: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + start: '2021-11-23T13:40:07.183Z', }, - sort: [1637674823744], + args_count: 3, + args: ['ls', '--color=auto', '-la'], + working_directory: '/home/vagrant', }, - { - _index: 'cmd', - _id: 'I8UGTX0BGGlsPv9fsMGs', - _score: null, - _source: { - '@timestamp': '2021-11-23T13:40:23.748Z', - process: { - pid: 51752, - pgid: 51752, - user: { name: 'vagrant', id: 1000 }, - executable: '/usr/bin/ls', - interactive: true, - entity_id: 'a459679d-a1d5-56ae-9ebb-23f82edf40aa', - parent: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - session: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - entry: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - start: '2021-11-23T13:40:07.183Z', - }, - args_count: 3, - args: ['ls', '--color=auto', '-la'], - working_directory: '/home/vagrant', - }, - event: { action: 'exit', category: 'process', kind: 'event' }, - network: { application: 'ssh' }, - source: { ip: '10.0.2.2' }, - client: { ip: '10.0.2.2' }, + event: { action: 'exec', category: 'process', kind: 'event' }, + network: { application: 'ssh' }, + source: { ip: '10.0.2.2' }, + client: { ip: 
'10.0.2.2' }, + }, + sort: [1637674823744], + }, + { + _index: 'cmd', + _id: 'I8UGTX0BGGlsPv9fsMGs', + _score: null, + _source: { + '@timestamp': '2021-11-23T13:40:23.748Z', + process: { + pid: 51752, + pgid: 51752, + user: { name: 'vagrant', id: 1000 }, + executable: '/usr/bin/ls', + interactive: true, + entity_id: 'a459679d-a1d5-56ae-9ebb-23f82edf40aa', + parent: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + session: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', }, - sort: [1637674823748], + entry: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + start: '2021-11-23T13:40:07.183Z', + }, + args_count: 3, + args: ['ls', '--color=auto', '-la'], + working_directory: '/home/vagrant', }, - { - _index: 'cmd', - _id: 'JMUGTX0BGGlsPv9ftsGi', - _score: null, - _source: { - '@timestamp': '2021-11-23T13:40:25.270Z', - process: { - pid: 51753, - pgid: 51547, - user: { name: 'vagrant', id: -1 }, - executable: '/bin/bash', - interactive: false, - entity_id: '14f44081-0f50-5a69-a6d2-d1169cdc5bae', - parent: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - session: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - entry: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - start: '2021-11-23T13:40:07.183Z', - }, - args_count: 0, - args: 
[], - working_directory: '/home/vagrant', - }, - event: { action: 'fork', category: 'process', kind: 'event' }, - network: { application: 'ssh' }, - source: { ip: '10.0.2.2' }, - client: { ip: '10.0.2.2' }, + event: { action: 'exit', category: 'process', kind: 'event' }, + network: { application: 'ssh' }, + source: { ip: '10.0.2.2' }, + client: { ip: '10.0.2.2' }, + }, + sort: [1637674823748], + }, + { + _index: 'cmd', + _id: 'JMUGTX0BGGlsPv9ftsGi', + _score: null, + _source: { + '@timestamp': '2021-11-23T13:40:25.270Z', + process: { + pid: 51753, + pgid: 51547, + user: { name: 'vagrant', id: -1 }, + executable: '/bin/bash', + interactive: false, + entity_id: '14f44081-0f50-5a69-a6d2-d1169cdc5bae', + parent: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + session: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', }, - sort: [1637674825270], + entry: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + start: '2021-11-23T13:40:07.183Z', + }, + args_count: 0, + args: [], + working_directory: '/home/vagrant', }, - { - _index: 'cmd', - _id: 'JcUGTX0BGGlsPv9ftsGi', - _score: null, - _source: { - '@timestamp': '2021-11-23T13:40:25.271Z', - process: { - pid: 51753, - pgid: 51753, - user: { name: 'vagrant', id: 1000 }, - executable: '/usr/bin/ls', - interactive: true, - entity_id: '14f44081-0f50-5a69-a6d2-d1169cdc5bae', - parent: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - session: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', 
- interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - entry: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - start: '2021-11-23T13:40:07.183Z', - }, - args_count: 3, - args: ['ls', '--color=auto', '-ll'], - working_directory: '/home/vagrant', - }, - event: { action: 'exec', category: 'process', kind: 'event' }, - network: { application: 'ssh' }, - source: { ip: '10.0.2.2' }, - client: { ip: '10.0.2.2' }, + event: { action: 'fork', category: 'process', kind: 'event' }, + network: { application: 'ssh' }, + source: { ip: '10.0.2.2' }, + client: { ip: '10.0.2.2' }, + }, + sort: [1637674825270], + }, + { + _index: 'cmd', + _id: 'JcUGTX0BGGlsPv9ftsGi', + _score: null, + _source: { + '@timestamp': '2021-11-23T13:40:25.271Z', + process: { + pid: 51753, + pgid: 51753, + user: { name: 'vagrant', id: 1000 }, + executable: '/usr/bin/ls', + interactive: true, + entity_id: '14f44081-0f50-5a69-a6d2-d1169cdc5bae', + parent: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + session: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', }, - sort: [1637674825271], + entry: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + start: '2021-11-23T13:40:07.183Z', + }, + args_count: 3, + args: ['ls', '--color=auto', '-ll'], + working_directory: '/home/vagrant', }, - { - _index: 'cmd', - _id: 'JsUGTX0BGGlsPv9ftsGi', - _score: null, - _source: { - '@timestamp': '2021-11-23T13:40:25.274Z', - process: { - pid: 51753, - pgid: 51753, - user: { name: 'vagrant', id: 1000 }, - executable: 
'/usr/bin/ls', - interactive: true, - entity_id: '14f44081-0f50-5a69-a6d2-d1169cdc5bae', - parent: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - session: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - entry: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - start: '2021-11-23T13:40:07.183Z', - }, - args_count: 3, - args: ['ls', '--color=auto', '-ll'], - working_directory: '/home/vagrant', - }, - event: { action: 'exit', category: 'process', kind: 'event' }, - network: { application: 'ssh' }, - source: { ip: '10.0.2.2' }, - client: { ip: '10.0.2.2' }, + event: { action: 'exec', category: 'process', kind: 'event' }, + network: { application: 'ssh' }, + source: { ip: '10.0.2.2' }, + client: { ip: '10.0.2.2' }, + }, + sort: [1637674825271], + }, + { + _index: 'cmd', + _id: 'JsUGTX0BGGlsPv9ftsGi', + _score: null, + _source: { + '@timestamp': '2021-11-23T13:40:25.274Z', + process: { + pid: 51753, + pgid: 51753, + user: { name: 'vagrant', id: 1000 }, + executable: '/usr/bin/ls', + interactive: true, + entity_id: '14f44081-0f50-5a69-a6d2-d1169cdc5bae', + parent: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + session: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', }, - sort: [1637674825274], + entry: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 
'ae06c110-ad2d-5830-b47c-08ad62f1734c', + start: '2021-11-23T13:40:07.183Z', + }, + args_count: 3, + args: ['ls', '--color=auto', '-ll'], + working_directory: '/home/vagrant', }, - { - _index: 'cmd', - _id: 'e8UTTX0BGGlsPv9fwMFw', - _score: null, - _source: { - '@timestamp': '2021-11-23T13:54:39.889Z', - process: { - pid: 52427, - pgid: 51547, - user: { name: 'vagrant', id: -1 }, - executable: '/bin/bash', - interactive: false, - entity_id: 'd3bbc239-60ee-5eb9-922d-e4bef153a3e2', - parent: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - session: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - entry: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - start: '2021-11-23T13:40:07.183Z', - }, - args_count: 0, - args: [], - working_directory: '/home/vagrant', - }, - event: { action: 'fork', category: 'process', kind: 'event' }, - network: { application: 'ssh' }, - source: { ip: '10.0.2.2' }, - client: { ip: '10.0.2.2' }, + event: { action: 'exit', category: 'process', kind: 'event' }, + network: { application: 'ssh' }, + source: { ip: '10.0.2.2' }, + client: { ip: '10.0.2.2' }, + }, + sort: [1637674825274], + }, + { + _index: 'cmd', + _id: 'e8UTTX0BGGlsPv9fwMFw', + _score: null, + _source: { + '@timestamp': '2021-11-23T13:54:39.889Z', + process: { + pid: 52427, + pgid: 51547, + user: { name: 'vagrant', id: -1 }, + executable: '/bin/bash', + interactive: false, + entity_id: 'd3bbc239-60ee-5eb9-922d-e4bef153a3e2', + parent: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', }, - 
sort: [1637675679889], + session: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + entry: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + start: '2021-11-23T13:40:07.183Z', + }, + args_count: 0, + args: [], + working_directory: '/home/vagrant', }, - { - _index: 'cmd', - _id: 'fsUTTX0BGGlsPv9fwMF2', - _score: null, - _source: { - '@timestamp': '2021-11-23T13:54:39.890Z', - process: { - pid: 52427, - pgid: 52427, - user: { name: 'vagrant', id: 1000 }, - executable: '/usr/bin/clear_console', - interactive: true, - entity_id: 'd3bbc239-60ee-5eb9-922d-e4bef153a3e2', - parent: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - session: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - entry: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - start: '2021-11-23T13:40:07.183Z', - }, - args_count: 2, - args: ['/usr/bin/clear_console', '-q'], - working_directory: '/home/vagrant', - }, - event: { action: 'exit', category: 'process', kind: 'event' }, - network: { application: 'ssh' }, - source: { ip: '10.0.2.2' }, - client: { ip: '10.0.2.2' }, + event: { action: 'fork', category: 'process', kind: 'event' }, + network: { application: 'ssh' }, + source: { ip: '10.0.2.2' }, + client: { ip: '10.0.2.2' }, + }, + sort: [1637675679889], + }, + { + _index: 'cmd', + _id: 'fsUTTX0BGGlsPv9fwMF2', + _score: null, + _source: { + '@timestamp': '2021-11-23T13:54:39.890Z', 
+ process: { + pid: 52427, + pgid: 52427, + user: { name: 'vagrant', id: 1000 }, + executable: '/usr/bin/clear_console', + interactive: true, + entity_id: 'd3bbc239-60ee-5eb9-922d-e4bef153a3e2', + parent: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', }, - sort: [1637675679890], + session: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + entry: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + start: '2021-11-23T13:40:07.183Z', + }, + args_count: 2, + args: ['/usr/bin/clear_console', '-q'], + working_directory: '/home/vagrant', }, - { - _index: 'cmd', - _id: 'gMUTTX0BGGlsPv9fwMF4', - _score: null, - _source: { - '@timestamp': '2021-11-23T13:54:39.890Z', - process: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - parent: { - pid: 51546, - pgid: 51458, - user: { name: 'root', id: -1 }, - executable: '/usr/sbin/sshd', - interactive: false, - entity_id: '5ffedee8-3d3f-55fb-9353-7ec6ee5fee85', - }, - session: { - pid: 51458, - pgid: 51458, - user: { name: 'root', id: 0 }, - executable: '/usr/sbin/sshd', - interactive: false, - entity_id: '2bcf9d69-1c8a-5300-94cf-b823cf5a8df0', - }, - entry: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - start: '2021-11-23T13:40:07.183Z', - }, - args_count: 1, - args: ['-bash'], - working_directory: '/home/vagrant', - }, - event: { action: 'exit', category: 'process', kind: 'event' }, - network: { application: 'ssh' }, - 
source: { ip: '10.0.2.2' }, - client: { ip: '10.0.2.2' }, + event: { action: 'exit', category: 'process', kind: 'event' }, + network: { application: 'ssh' }, + source: { ip: '10.0.2.2' }, + client: { ip: '10.0.2.2' }, + }, + sort: [1637675679890], + }, + { + _index: 'cmd', + _id: 'gMUTTX0BGGlsPv9fwMF4', + _score: null, + _source: { + '@timestamp': '2021-11-23T13:54:39.890Z', + process: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + parent: { + pid: 51546, + pgid: 51458, + user: { name: 'root', id: -1 }, + executable: '/usr/sbin/sshd', + interactive: false, + entity_id: '5ffedee8-3d3f-55fb-9353-7ec6ee5fee85', }, - sort: [1637675679890], + session: { + pid: 51458, + pgid: 51458, + user: { name: 'root', id: 0 }, + executable: '/usr/sbin/sshd', + interactive: false, + entity_id: '2bcf9d69-1c8a-5300-94cf-b823cf5a8df0', + }, + entry: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + start: '2021-11-23T13:40:07.183Z', + }, + args_count: 1, + args: ['-bash'], + working_directory: '/home/vagrant', }, - { - _index: 'cmd', - _id: 'fMUTTX0BGGlsPv9fwMFz', - _score: null, - _source: { - '@timestamp': '2021-11-23T13:54:39.890Z', - process: { - pid: 52427, - pgid: 52427, - user: { name: 'vagrant', id: 1000 }, - executable: '/usr/bin/clear_console', - interactive: true, - entity_id: 'd3bbc239-60ee-5eb9-922d-e4bef153a3e2', - parent: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - session: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - entry: { - pid: 51547, - pgid: 51547, - user: { 
name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - start: '2021-11-23T13:40:07.183Z', - }, - args_count: 2, - args: ['/usr/bin/clear_console', '-q'], - working_directory: '/home/vagrant', - }, - event: { action: 'exec', category: 'process', kind: 'event' }, - network: { application: 'ssh' }, - source: { ip: '10.0.2.2' }, - client: { ip: '10.0.2.2' }, + event: { action: 'exit', category: 'process', kind: 'event' }, + network: { application: 'ssh' }, + source: { ip: '10.0.2.2' }, + client: { ip: '10.0.2.2' }, + }, + sort: [1637675679890], + }, + { + _index: 'cmd', + _id: 'fMUTTX0BGGlsPv9fwMFz', + _score: null, + _source: { + '@timestamp': '2021-11-23T13:54:39.890Z', + process: { + pid: 52427, + pgid: 52427, + user: { name: 'vagrant', id: 1000 }, + executable: '/usr/bin/clear_console', + interactive: true, + entity_id: 'd3bbc239-60ee-5eb9-922d-e4bef153a3e2', + parent: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', }, - sort: [1637675679890], + session: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + entry: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + start: '2021-11-23T13:40:07.183Z', + }, + args_count: 2, + args: ['/usr/bin/clear_console', '-q'], + working_directory: '/home/vagrant', }, - ], + event: { action: 'exec', category: 'process', kind: 'event' }, + network: { application: 'ssh' }, + source: { ip: '10.0.2.2' }, + client: { ip: '10.0.2.2' }, + }, + sort: [1637675679890], }, - alerts: { - total: { value: 40, relation: 'eq' }, - max_score: null, - hits: [ - { - _index: 
'.internal.alerts-security.alerts-default-000001', - _id: '73e9276f49c4881bed66c644450838980802963c6df0d63a310716521e0c66c6', - _score: null, - _source: { - kibana: { - version: '8.1.0', - alert: { - rule: { - category: 'Custom Query Rule', - consumer: 'siem', - name: 'cmd cat rule', - producer: 'siem', - rule_type_id: 'siem.queryRule', - uuid: 'a9d50a20-4c62-11ec-a972-9179365b52d5', - actions: [], - created_at: '2021-11-23T13:38:39.059Z', - created_by: 'elastic', - enabled: true, - interval: '1m', - tags: [], - updated_at: '2021-11-23T13:38:40.417Z', - updated_by: 'elastic', - description: 'cmd cat rule', - risk_score: 21, - severity: 'low', - license: '', - meta: { from: '1m', kibana_siem_app_url: 'http://localhost:5601/app/security' }, - author: [], - false_positives: [], - from: 'now-120s', - rule_id: '472d9de6-01fd-489f-9783-42773114fe8f', - max_signals: 100, - risk_score_mapping: [], - severity_mapping: [], - threat: [], - to: 'now', - references: [], - version: 1, - exceptions_list: [], - immutable: false, - type: 'query', - language: 'kuery', - index: [ - 'apm-*-transaction*', - 'traces-apm*', - 'auditbeat-*', - 'endgame-*', - 'filebeat-*', - 'logs-*', - 'packetbeat-*', - 'winlogbeat-*', - 'cmd', - ], - query: 'process.executable : "/usr/bin/cat"', - filters: [], - }, - ancestors: [{ id: 'isUGTX0BGGlsPv9fcL-A', type: 'event', index: 'cmd', depth: 0 }], - status: 'active', - workflow_status: 'open', - depth: 1, - reason: 'process event created low alert cmd cat rule.', - original_time: '2021-11-23T13:40:07.304Z', - original_event: { action: 'exec', category: 'process', kind: 'event' }, - uuid: '73e9276f49c4881bed66c644450838980802963c6df0d63a310716521e0c66c6', - }, - space_ids: ['default'], - }, - tags: [ - '__internal_rule_id:472d9de6-01fd-489f-9783-42773114fe8f', - '__internal_immutable:false', - ], - '@timestamp': '2021-11-23T13:41:46.759Z', - process: { - pid: 51568, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/usr/bin/cat', - 
interactive: false, - entity_id: 'a6fb4529-7160-59db-a9b1-f666e3da0b8e', - parent: { - pid: 51564, - pgid: 51547, - user: { name: 'vagrant', id: -1 }, - executable: '/bin/bash', - interactive: false, - entity_id: '1e9975a2-edf6-5920-b26d-f17bc5c3229a', - }, - session: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - entry: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - start: '2021-11-23T13:40:07.183Z', - }, - args_count: 2, - args: ['cat', '/home/vagrant/.nvm/alias/default'], - working_directory: '/home/vagrant', + { + _index: '.internal.alerts-security.alerts-default-000001', + _id: '73e9276f49c4881bed66c644450838980802963c6df0d63a310716521e0c66c6', + _score: null, + _source: { + kibana: { + version: '8.1.0', + alert: { + rule: { + category: 'Custom Query Rule', + consumer: 'siem', + name: 'cmd cat rule', + producer: 'siem', + rule_type_id: 'siem.queryRule', + uuid: 'a9d50a20-4c62-11ec-a972-9179365b52d5', + actions: [], + created_at: '2021-11-23T13:38:39.059Z', + created_by: 'elastic', + enabled: true, + interval: '1m', + tags: [], + updated_at: '2021-11-23T13:38:40.417Z', + updated_by: 'elastic', + description: 'cmd cat rule', + risk_score: 21, + severity: 'low', + license: '', + meta: { from: '1m', kibana_siem_app_url: 'http://localhost:5601/app/security' }, + author: [], + false_positives: [], + from: 'now-120s', + rule_id: '472d9de6-01fd-489f-9783-42773114fe8f', + max_signals: 100, + risk_score_mapping: [], + severity_mapping: [], + threat: [], + to: 'now', + references: [], + version: 1, + exceptions_list: [], + immutable: false, + type: 'query', + language: 'kuery', + index: [ + 'apm-*-transaction*', + 'traces-apm*', + 'auditbeat-*', + 'endgame-*', + 'filebeat-*', + 'logs-*', + 'packetbeat-*', + 
'winlogbeat-*', + 'cmd', + ], + query: 'process.executable : "/usr/bin/cat"', + filters: [], }, - network: { application: 'ssh' }, - source: { ip: '10.0.2.2' }, - client: { ip: '10.0.2.2' }, - event: { action: 'exec', category: 'process', kind: 'signal' }, + ancestors: [{ id: 'isUGTX0BGGlsPv9fcL-A', type: 'event', index: 'cmd', depth: 0 }], + status: 'active', + workflow_status: 'open', + depth: 1, + reason: 'process event created low alert cmd cat rule.', + original_time: '2021-11-23T13:40:07.304Z', + original_event: { action: 'exec', category: 'process', kind: 'event' }, + uuid: '73e9276f49c4881bed66c644450838980802963c6df0d63a310716521e0c66c6', }, - sort: [1637674906759], + space_ids: ['default'], }, - { - _index: '.internal.alerts-security.alerts-default-000001', - _id: '5c24c8d79b3066b3ed249d90a0957e442e4631d413ca7ca38631566fee6cf1d4', - _score: null, - _source: { - kibana: { - version: '8.1.0', - alert: { - rule: { - category: 'Custom Query Rule', - consumer: 'siem', - name: 'cmd cat rule', - producer: 'siem', - rule_type_id: 'siem.queryRule', - uuid: 'a9d50a20-4c62-11ec-a972-9179365b52d5', - actions: [], - created_at: '2021-11-23T13:38:39.059Z', - created_by: 'elastic', - enabled: true, - interval: '1m', - tags: [], - updated_at: '2021-11-23T13:38:40.417Z', - updated_by: 'elastic', - description: 'cmd cat rule', - risk_score: 21, - severity: 'low', - license: '', - meta: { from: '1m', kibana_siem_app_url: 'http://localhost:5601/app/security' }, - author: [], - false_positives: [], - from: 'now-120s', - rule_id: '472d9de6-01fd-489f-9783-42773114fe8f', - max_signals: 100, - risk_score_mapping: [], - severity_mapping: [], - threat: [], - to: 'now', - references: [], - version: 1, - exceptions_list: [], - immutable: false, - type: 'query', - language: 'kuery', - index: [ - 'apm-*-transaction*', - 'traces-apm*', - 'auditbeat-*', - 'endgame-*', - 'filebeat-*', - 'logs-*', - 'packetbeat-*', - 'winlogbeat-*', - 'cmd', - ], - query: 'process.executable : 
"/usr/bin/cat"', - filters: [], - }, - ancestors: [{ id: 'iMUGTX0BGGlsPv9fcL9_', type: 'event', index: 'cmd', depth: 0 }], - status: 'active', - workflow_status: 'open', - depth: 1, - reason: 'process event created low alert cmd cat rule.', - original_time: '2021-11-23T13:40:07.307Z', - original_event: { action: 'exit', category: 'process', kind: 'event' }, - uuid: '5c24c8d79b3066b3ed249d90a0957e442e4631d413ca7ca38631566fee6cf1d4', - }, - space_ids: ['default'], - }, - tags: [ - '__internal_rule_id:472d9de6-01fd-489f-9783-42773114fe8f', - '__internal_immutable:false', - ], - '@timestamp': '2021-11-23T13:41:46.760Z', - process: { - pid: 51568, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/usr/bin/cat', - interactive: false, - entity_id: 'a6fb4529-7160-59db-a9b1-f666e3da0b8e', - parent: { - pid: 51564, - pgid: 51547, - user: { name: 'vagrant', id: -1 }, - executable: '/bin/bash', - interactive: false, - entity_id: '1e9975a2-edf6-5920-b26d-f17bc5c3229a', - }, - session: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - entry: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - start: '2021-11-23T13:40:07.183Z', - }, - args_count: 2, - args: ['cat', '/home/vagrant/.nvm/alias/default'], - working_directory: '/home/vagrant', - }, - network: { application: 'ssh' }, - source: { ip: '10.0.2.2' }, - client: { ip: '10.0.2.2' }, - event: { action: 'exit', category: 'process', kind: 'signal' }, + tags: [ + '__internal_rule_id:472d9de6-01fd-489f-9783-42773114fe8f', + '__internal_immutable:false', + ], + '@timestamp': '2021-11-23T13:41:46.759Z', + process: { + pid: 51568, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/usr/bin/cat', + interactive: false, + entity_id: 
'a6fb4529-7160-59db-a9b1-f666e3da0b8e', + parent: { + pid: 51564, + pgid: 51547, + user: { name: 'vagrant', id: -1 }, + executable: '/bin/bash', + interactive: false, + entity_id: '1e9975a2-edf6-5920-b26d-f17bc5c3229a', + }, + session: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + entry: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + start: '2021-11-23T13:40:07.183Z', }, - sort: [1637674906760], + args_count: 2, + args: ['cat', '/home/vagrant/.nvm/alias/default'], + working_directory: '/home/vagrant', }, - { - _index: '.internal.alerts-security.alerts-default-000001', - _id: '54b9ad9a2d60c156335c13ce24ff8192fd9aede92089e56cb0bf697bcf06f68e', - _score: null, - _source: { - kibana: { - version: '8.1.0', - alert: { - rule: { - category: 'Custom Query Rule', - consumer: 'siem', - name: 'cmd cat rule', - producer: 'siem', - rule_type_id: 'siem.queryRule', - uuid: 'a9d50a20-4c62-11ec-a972-9179365b52d5', - actions: [], - created_at: '2021-11-23T13:38:39.059Z', - created_by: 'elastic', - enabled: true, - interval: '1m', - tags: [], - updated_at: '2021-11-23T13:38:40.417Z', - updated_by: 'elastic', - description: 'cmd cat rule', - risk_score: 21, - severity: 'low', - license: '', - meta: { from: '1m', kibana_siem_app_url: 'http://localhost:5601/app/security' }, - author: [], - false_positives: [], - from: 'now-120s', - rule_id: '472d9de6-01fd-489f-9783-42773114fe8f', - max_signals: 100, - risk_score_mapping: [], - severity_mapping: [], - threat: [], - to: 'now', - references: [], - version: 1, - exceptions_list: [], - immutable: false, - type: 'query', - language: 'kuery', - index: [ - 'apm-*-transaction*', - 'traces-apm*', - 'auditbeat-*', - 'endgame-*', - 'filebeat-*', - 'logs-*', - 'packetbeat-*', - 'winlogbeat-*', - 
'cmd', - ], - query: 'process.executable : "/usr/bin/cat"', - filters: [], - }, - ancestors: [{ id: '9cUGTX0BGGlsPv9ffMBj', type: 'event', index: 'cmd', depth: 0 }], - status: 'active', - workflow_status: 'open', - depth: 1, - reason: 'process event created low alert cmd cat rule.', - original_time: '2021-11-23T13:40:10.355Z', - original_event: { action: 'exec', category: 'process', kind: 'event' }, - uuid: '54b9ad9a2d60c156335c13ce24ff8192fd9aede92089e56cb0bf697bcf06f68e', - }, - space_ids: ['default'], - }, - tags: [ - '__internal_rule_id:472d9de6-01fd-489f-9783-42773114fe8f', - '__internal_immutable:false', - ], - '@timestamp': '2021-11-23T13:41:46.768Z', - process: { - pid: 51731, - pgid: 51731, - user: { name: 'vagrant', id: 1000 }, - executable: '/usr/bin/cat', - interactive: true, - entity_id: '85752b94-1c86-5540-9a61-743429d5a206', - parent: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - session: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - entry: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - start: '2021-11-23T13:40:07.183Z', - }, - args_count: 2, - args: ['cat', 'EventConverter/package.json'], - working_directory: '/home/vagrant', + network: { application: 'ssh' }, + source: { ip: '10.0.2.2' }, + client: { ip: '10.0.2.2' }, + event: { action: 'exec', category: 'process', kind: 'signal' }, + }, + sort: [1637674906759], + }, + { + _index: '.internal.alerts-security.alerts-default-000001', + _id: '5c24c8d79b3066b3ed249d90a0957e442e4631d413ca7ca38631566fee6cf1d4', + _score: null, + _source: { + kibana: { + version: '8.1.0', + alert: { + rule: { + category: 'Custom Query 
Rule', + consumer: 'siem', + name: 'cmd cat rule', + producer: 'siem', + rule_type_id: 'siem.queryRule', + uuid: 'a9d50a20-4c62-11ec-a972-9179365b52d5', + actions: [], + created_at: '2021-11-23T13:38:39.059Z', + created_by: 'elastic', + enabled: true, + interval: '1m', + tags: [], + updated_at: '2021-11-23T13:38:40.417Z', + updated_by: 'elastic', + description: 'cmd cat rule', + risk_score: 21, + severity: 'low', + license: '', + meta: { from: '1m', kibana_siem_app_url: 'http://localhost:5601/app/security' }, + author: [], + false_positives: [], + from: 'now-120s', + rule_id: '472d9de6-01fd-489f-9783-42773114fe8f', + max_signals: 100, + risk_score_mapping: [], + severity_mapping: [], + threat: [], + to: 'now', + references: [], + version: 1, + exceptions_list: [], + immutable: false, + type: 'query', + language: 'kuery', + index: [ + 'apm-*-transaction*', + 'traces-apm*', + 'auditbeat-*', + 'endgame-*', + 'filebeat-*', + 'logs-*', + 'packetbeat-*', + 'winlogbeat-*', + 'cmd', + ], + query: 'process.executable : "/usr/bin/cat"', + filters: [], }, - network: { application: 'ssh' }, - source: { ip: '10.0.2.2' }, - client: { ip: '10.0.2.2' }, - event: { action: 'exec', category: 'process', kind: 'signal' }, + ancestors: [{ id: 'iMUGTX0BGGlsPv9fcL9_', type: 'event', index: 'cmd', depth: 0 }], + status: 'active', + workflow_status: 'open', + depth: 1, + reason: 'process event created low alert cmd cat rule.', + original_time: '2021-11-23T13:40:07.307Z', + original_event: { action: 'exit', category: 'process', kind: 'event' }, + uuid: '5c24c8d79b3066b3ed249d90a0957e442e4631d413ca7ca38631566fee6cf1d4', }, - sort: [1637674906768], + space_ids: ['default'], }, - { - _index: '.internal.alerts-security.alerts-default-000001', - _id: 'c0558db6dc8bd7d1acf8ddd2343adcc5a4f757a7b94739e0f61e5dd666b6b692', - _score: null, - _source: { - kibana: { - version: '8.1.0', - alert: { - rule: { - category: 'Custom Query Rule', - consumer: 'siem', - name: 'cmd cat rule', - producer: 'siem', - 
rule_type_id: 'siem.queryRule', - uuid: 'a9d50a20-4c62-11ec-a972-9179365b52d5', - actions: [], - created_at: '2021-11-23T13:38:39.059Z', - created_by: 'elastic', - enabled: true, - interval: '1m', - tags: [], - updated_at: '2021-11-23T13:38:40.417Z', - updated_by: 'elastic', - description: 'cmd cat rule', - risk_score: 21, - severity: 'low', - license: '', - meta: { from: '1m', kibana_siem_app_url: 'http://localhost:5601/app/security' }, - author: [], - false_positives: [], - from: 'now-120s', - rule_id: '472d9de6-01fd-489f-9783-42773114fe8f', - max_signals: 100, - risk_score_mapping: [], - severity_mapping: [], - threat: [], - to: 'now', - references: [], - version: 1, - exceptions_list: [], - immutable: false, - type: 'query', - language: 'kuery', - index: [ - 'apm-*-transaction*', - 'traces-apm*', - 'auditbeat-*', - 'endgame-*', - 'filebeat-*', - 'logs-*', - 'packetbeat-*', - 'winlogbeat-*', - 'cmd', - ], - query: 'process.executable : "/usr/bin/cat"', - filters: [], - }, - ancestors: [{ id: '88UGTX0BGGlsPv9ffMBj', type: 'event', index: 'cmd', depth: 0 }], - status: 'active', - workflow_status: 'open', - depth: 1, - reason: 'process event created low alert cmd cat rule.', - original_time: '2021-11-23T13:40:10.363Z', - original_event: { action: 'exit', category: 'process', kind: 'event' }, - uuid: 'c0558db6dc8bd7d1acf8ddd2343adcc5a4f757a7b94739e0f61e5dd666b6b692', - }, - space_ids: ['default'], - }, - tags: [ - '__internal_rule_id:472d9de6-01fd-489f-9783-42773114fe8f', - '__internal_immutable:false', - ], - '@timestamp': '2021-11-23T13:41:46.769Z', - process: { - pid: 51731, - pgid: 51731, - user: { name: 'vagrant', id: 1000 }, - executable: '/usr/bin/cat', - interactive: true, - entity_id: '85752b94-1c86-5540-9a61-743429d5a206', - parent: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - session: { - pid: 51547, - pgid: 51547, - user: { 
name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - entry: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - start: '2021-11-23T13:40:07.183Z', - }, - args_count: 2, - args: ['cat', 'EventConverter/package.json'], - working_directory: '/home/vagrant', - }, - network: { application: 'ssh' }, - source: { ip: '10.0.2.2' }, - client: { ip: '10.0.2.2' }, - event: { action: 'exit', category: 'process', kind: 'signal' }, + tags: [ + '__internal_rule_id:472d9de6-01fd-489f-9783-42773114fe8f', + '__internal_immutable:false', + ], + '@timestamp': '2021-11-23T13:41:46.760Z', + process: { + pid: 51568, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/usr/bin/cat', + interactive: false, + entity_id: 'a6fb4529-7160-59db-a9b1-f666e3da0b8e', + parent: { + pid: 51564, + pgid: 51547, + user: { name: 'vagrant', id: -1 }, + executable: '/bin/bash', + interactive: false, + entity_id: '1e9975a2-edf6-5920-b26d-f17bc5c3229a', }, - sort: [1637674906769], + session: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + entry: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + start: '2021-11-23T13:40:07.183Z', + }, + args_count: 2, + args: ['cat', '/home/vagrant/.nvm/alias/default'], + working_directory: '/home/vagrant', }, - { - _index: '.internal.alerts-security.alerts-default-000001', - _id: 'ff3c18dd02204fcfec1695f8ab8371e657fa508db1298c3be55c3b85254d6668', - _score: null, - _source: { - kibana: { - version: '8.1.0', - alert: { - rule: { - category: 'Custom Query Rule', - consumer: 'siem', - name: 'cmd cat rule', - 
producer: 'siem', - rule_type_id: 'siem.queryRule', - uuid: 'a9d50a20-4c62-11ec-a972-9179365b52d5', - actions: [], - created_at: '2021-11-23T13:38:39.059Z', - created_by: 'elastic', - enabled: true, - interval: '1m', - tags: [], - updated_at: '2021-11-23T13:38:40.417Z', - updated_by: 'elastic', - description: 'cmd cat rule', - risk_score: 21, - severity: 'low', - license: '', - meta: { from: '1m', kibana_siem_app_url: 'http://localhost:5601/app/security' }, - author: [], - false_positives: [], - from: 'now-120s', - rule_id: '472d9de6-01fd-489f-9783-42773114fe8f', - max_signals: 100, - risk_score_mapping: [], - severity_mapping: [], - threat: [], - to: 'now', - references: [], - version: 1, - exceptions_list: [], - immutable: false, - type: 'query', - language: 'kuery', - index: [ - 'apm-*-transaction*', - 'traces-apm*', - 'auditbeat-*', - 'endgame-*', - 'filebeat-*', - 'logs-*', - 'packetbeat-*', - 'winlogbeat-*', - 'cmd', - ], - query: 'process.executable : "/usr/bin/cat"', - filters: [], - }, - ancestors: [{ id: 'BsUGTX0BGGlsPv9fgMFv', type: 'event', index: 'cmd', depth: 0 }], - status: 'active', - workflow_status: 'open', - depth: 1, - reason: 'process event created low alert cmd cat rule.', - original_time: '2021-11-23T13:40:11.397Z', - original_event: { action: 'exec', category: 'process', kind: 'event' }, - uuid: 'ff3c18dd02204fcfec1695f8ab8371e657fa508db1298c3be55c3b85254d6668', - }, - space_ids: ['default'], - }, - tags: [ - '__internal_rule_id:472d9de6-01fd-489f-9783-42773114fe8f', - '__internal_immutable:false', - ], - '@timestamp': '2021-11-23T13:41:46.770Z', - process: { - pid: 51734, - pgid: 51734, - user: { name: 'vagrant', id: 1000 }, - executable: '/usr/bin/cat', - interactive: true, - entity_id: '3f0bc056-2eb3-52d6-8032-d9ea9c593461', - parent: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - session: { - pid: 51547, - 
pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - entry: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - start: '2021-11-23T13:40:07.183Z', - }, - args_count: 2, - args: ['cat', 'EventConverter/package.json'], - working_directory: '/home/vagrant', + network: { application: 'ssh' }, + source: { ip: '10.0.2.2' }, + client: { ip: '10.0.2.2' }, + event: { action: 'exit', category: 'process', kind: 'signal' }, + }, + sort: [1637674906760], + }, + { + _index: '.internal.alerts-security.alerts-default-000001', + _id: '54b9ad9a2d60c156335c13ce24ff8192fd9aede92089e56cb0bf697bcf06f68e', + _score: null, + _source: { + kibana: { + version: '8.1.0', + alert: { + rule: { + category: 'Custom Query Rule', + consumer: 'siem', + name: 'cmd cat rule', + producer: 'siem', + rule_type_id: 'siem.queryRule', + uuid: 'a9d50a20-4c62-11ec-a972-9179365b52d5', + actions: [], + created_at: '2021-11-23T13:38:39.059Z', + created_by: 'elastic', + enabled: true, + interval: '1m', + tags: [], + updated_at: '2021-11-23T13:38:40.417Z', + updated_by: 'elastic', + description: 'cmd cat rule', + risk_score: 21, + severity: 'low', + license: '', + meta: { from: '1m', kibana_siem_app_url: 'http://localhost:5601/app/security' }, + author: [], + false_positives: [], + from: 'now-120s', + rule_id: '472d9de6-01fd-489f-9783-42773114fe8f', + max_signals: 100, + risk_score_mapping: [], + severity_mapping: [], + threat: [], + to: 'now', + references: [], + version: 1, + exceptions_list: [], + immutable: false, + type: 'query', + language: 'kuery', + index: [ + 'apm-*-transaction*', + 'traces-apm*', + 'auditbeat-*', + 'endgame-*', + 'filebeat-*', + 'logs-*', + 'packetbeat-*', + 'winlogbeat-*', + 'cmd', + ], + query: 'process.executable : "/usr/bin/cat"', + filters: [], }, - network: 
{ application: 'ssh' }, - source: { ip: '10.0.2.2' }, - client: { ip: '10.0.2.2' }, - event: { action: 'exec', category: 'process', kind: 'signal' }, + ancestors: [{ id: '9cUGTX0BGGlsPv9ffMBj', type: 'event', index: 'cmd', depth: 0 }], + status: 'active', + workflow_status: 'open', + depth: 1, + reason: 'process event created low alert cmd cat rule.', + original_time: '2021-11-23T13:40:10.355Z', + original_event: { action: 'exec', category: 'process', kind: 'event' }, + uuid: '54b9ad9a2d60c156335c13ce24ff8192fd9aede92089e56cb0bf697bcf06f68e', }, - sort: [1637674906770], + space_ids: ['default'], }, - { - _index: '.internal.alerts-security.alerts-default-000001', - _id: '98aab971c23197b4bacd9b08971af525e47ff9621a4efd5c8ea41c94b00202f3', - _score: null, - _source: { - kibana: { - version: '8.1.0', - alert: { - rule: { - category: 'Custom Query Rule', - consumer: 'siem', - name: 'cmd cat rule', - producer: 'siem', - rule_type_id: 'siem.queryRule', - uuid: 'a9d50a20-4c62-11ec-a972-9179365b52d5', - actions: [], - created_at: '2021-11-23T13:38:39.059Z', - created_by: 'elastic', - enabled: true, - interval: '1m', - tags: [], - updated_at: '2021-11-23T13:38:40.417Z', - updated_by: 'elastic', - description: 'cmd cat rule', - risk_score: 21, - severity: 'low', - license: '', - meta: { from: '1m', kibana_siem_app_url: 'http://localhost:5601/app/security' }, - author: [], - false_positives: [], - from: 'now-120s', - rule_id: '472d9de6-01fd-489f-9783-42773114fe8f', - max_signals: 100, - risk_score_mapping: [], - severity_mapping: [], - threat: [], - to: 'now', - references: [], - version: 1, - exceptions_list: [], - immutable: false, - type: 'query', - language: 'kuery', - index: [ - 'apm-*-transaction*', - 'traces-apm*', - 'auditbeat-*', - 'endgame-*', - 'filebeat-*', - 'logs-*', - 'packetbeat-*', - 'winlogbeat-*', - 'cmd', - ], - query: 'process.executable : "/usr/bin/cat"', - filters: [], - }, - ancestors: [{ id: 'B8UGTX0BGGlsPv9fgMFv', type: 'event', index: 'cmd', depth: 0 
}], - status: 'active', - workflow_status: 'open', - depth: 1, - reason: 'process event created low alert cmd cat rule.', - original_time: '2021-11-23T13:40:11.398Z', - original_event: { action: 'exit', category: 'process', kind: 'event' }, - uuid: '98aab971c23197b4bacd9b08971af525e47ff9621a4efd5c8ea41c94b00202f3', - }, - space_ids: ['default'], - }, - tags: [ - '__internal_rule_id:472d9de6-01fd-489f-9783-42773114fe8f', - '__internal_immutable:false', - ], - '@timestamp': '2021-11-23T13:41:46.772Z', - process: { - pid: 51734, - pgid: 51734, - user: { name: 'vagrant', id: 1000 }, - executable: '/usr/bin/cat', - interactive: true, - entity_id: '3f0bc056-2eb3-52d6-8032-d9ea9c593461', - parent: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - session: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - entry: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - start: '2021-11-23T13:40:07.183Z', - }, - args_count: 2, - args: ['cat', 'EventConverter/package.json'], - working_directory: '/home/vagrant', - }, - network: { application: 'ssh' }, - source: { ip: '10.0.2.2' }, - client: { ip: '10.0.2.2' }, - event: { action: 'exit', category: 'process', kind: 'signal' }, + tags: [ + '__internal_rule_id:472d9de6-01fd-489f-9783-42773114fe8f', + '__internal_immutable:false', + ], + '@timestamp': '2021-11-23T13:41:46.768Z', + process: { + pid: 51731, + pgid: 51731, + user: { name: 'vagrant', id: 1000 }, + executable: '/usr/bin/cat', + interactive: true, + entity_id: '85752b94-1c86-5540-9a61-743429d5a206', + parent: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + 
interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + session: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', }, - sort: [1637674906772], + entry: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + start: '2021-11-23T13:40:07.183Z', + }, + args_count: 2, + args: ['cat', 'EventConverter/package.json'], + working_directory: '/home/vagrant', }, - { - _index: '.internal.alerts-security.alerts-default-000001', - _id: '8ae5e4e634bd7bf02ce45ddb5980689aa5889199806febb75d27987ee55b2217', - _score: null, - _source: { - kibana: { - version: '8.1.0', - alert: { - rule: { - category: 'Custom Query Rule', - consumer: 'siem', - name: 'cmd cat rule', - producer: 'siem', - rule_type_id: 'siem.queryRule', - uuid: 'a9d50a20-4c62-11ec-a972-9179365b52d5', - actions: [], - created_at: '2021-11-23T13:38:39.059Z', - created_by: 'elastic', - enabled: true, - interval: '1m', - tags: [], - updated_at: '2021-11-23T13:38:40.417Z', - updated_by: 'elastic', - description: 'cmd cat rule', - risk_score: 21, - severity: 'low', - license: '', - meta: { from: '1m', kibana_siem_app_url: 'http://localhost:5601/app/security' }, - author: [], - false_positives: [], - from: 'now-120s', - rule_id: '472d9de6-01fd-489f-9783-42773114fe8f', - max_signals: 100, - risk_score_mapping: [], - severity_mapping: [], - threat: [], - to: 'now', - references: [], - version: 1, - exceptions_list: [], - immutable: false, - type: 'query', - language: 'kuery', - index: [ - 'apm-*-transaction*', - 'traces-apm*', - 'auditbeat-*', - 'endgame-*', - 'filebeat-*', - 'logs-*', - 'packetbeat-*', - 'winlogbeat-*', - 'cmd', - ], - query: 'process.executable : "/usr/bin/cat"', - filters: [], - }, - ancestors: [{ id: 'FMUGTX0BGGlsPv9flMF7', type: 'event', index: 'cmd', 
depth: 0 }], - status: 'active', - workflow_status: 'open', - depth: 1, - reason: 'process event created low alert cmd cat rule.', - original_time: '2021-11-23T13:40:16.528Z', - original_event: { action: 'exec', category: 'process', kind: 'event' }, - uuid: '8ae5e4e634bd7bf02ce45ddb5980689aa5889199806febb75d27987ee55b2217', - }, - space_ids: ['default'], - }, - tags: [ - '__internal_rule_id:472d9de6-01fd-489f-9783-42773114fe8f', - '__internal_immutable:false', - ], - '@timestamp': '2021-11-23T13:41:46.773Z', - process: { - pid: 51744, - pgid: 51744, - user: { name: 'vagrant', id: 1000 }, - executable: '/usr/bin/cat', - interactive: true, - entity_id: 'bb5efe42-54a6-597c-bd0e-33a1a3fc372e', - parent: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - session: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - entry: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - start: '2021-11-23T13:40:07.183Z', - }, - args_count: 2, - args: ['cat', 'EventConverter/src/main.ts'], - working_directory: '/home/vagrant', + network: { application: 'ssh' }, + source: { ip: '10.0.2.2' }, + client: { ip: '10.0.2.2' }, + event: { action: 'exec', category: 'process', kind: 'signal' }, + }, + sort: [1637674906768], + }, + { + _index: '.internal.alerts-security.alerts-default-000001', + _id: 'c0558db6dc8bd7d1acf8ddd2343adcc5a4f757a7b94739e0f61e5dd666b6b692', + _score: null, + _source: { + kibana: { + version: '8.1.0', + alert: { + rule: { + category: 'Custom Query Rule', + consumer: 'siem', + name: 'cmd cat rule', + producer: 'siem', + rule_type_id: 'siem.queryRule', + uuid: 'a9d50a20-4c62-11ec-a972-9179365b52d5', + 
actions: [], + created_at: '2021-11-23T13:38:39.059Z', + created_by: 'elastic', + enabled: true, + interval: '1m', + tags: [], + updated_at: '2021-11-23T13:38:40.417Z', + updated_by: 'elastic', + description: 'cmd cat rule', + risk_score: 21, + severity: 'low', + license: '', + meta: { from: '1m', kibana_siem_app_url: 'http://localhost:5601/app/security' }, + author: [], + false_positives: [], + from: 'now-120s', + rule_id: '472d9de6-01fd-489f-9783-42773114fe8f', + max_signals: 100, + risk_score_mapping: [], + severity_mapping: [], + threat: [], + to: 'now', + references: [], + version: 1, + exceptions_list: [], + immutable: false, + type: 'query', + language: 'kuery', + index: [ + 'apm-*-transaction*', + 'traces-apm*', + 'auditbeat-*', + 'endgame-*', + 'filebeat-*', + 'logs-*', + 'packetbeat-*', + 'winlogbeat-*', + 'cmd', + ], + query: 'process.executable : "/usr/bin/cat"', + filters: [], }, - network: { application: 'ssh' }, - source: { ip: '10.0.2.2' }, - client: { ip: '10.0.2.2' }, - event: { action: 'exec', category: 'process', kind: 'signal' }, + ancestors: [{ id: '88UGTX0BGGlsPv9ffMBj', type: 'event', index: 'cmd', depth: 0 }], + status: 'active', + workflow_status: 'open', + depth: 1, + reason: 'process event created low alert cmd cat rule.', + original_time: '2021-11-23T13:40:10.363Z', + original_event: { action: 'exit', category: 'process', kind: 'event' }, + uuid: 'c0558db6dc8bd7d1acf8ddd2343adcc5a4f757a7b94739e0f61e5dd666b6b692', }, - sort: [1637674906773], + space_ids: ['default'], }, - { - _index: '.internal.alerts-security.alerts-default-000001', - _id: '54a56e2c0ca5865d47e7d7cc9df8af525be1437fd2d93345214b9bcd6a12bc7e', - _score: null, - _source: { - kibana: { - version: '8.1.0', - alert: { - rule: { - category: 'Custom Query Rule', - consumer: 'siem', - name: 'cmd cat rule', - producer: 'siem', - rule_type_id: 'siem.queryRule', - uuid: 'a9d50a20-4c62-11ec-a972-9179365b52d5', - actions: [], - created_at: '2021-11-23T13:38:39.059Z', - created_by: 
'elastic', - enabled: true, - interval: '1m', - tags: [], - updated_at: '2021-11-23T13:38:40.417Z', - updated_by: 'elastic', - description: 'cmd cat rule', - risk_score: 21, - severity: 'low', - license: '', - meta: { from: '1m', kibana_siem_app_url: 'http://localhost:5601/app/security' }, - author: [], - false_positives: [], - from: 'now-120s', - rule_id: '472d9de6-01fd-489f-9783-42773114fe8f', - max_signals: 100, - risk_score_mapping: [], - severity_mapping: [], - threat: [], - to: 'now', - references: [], - version: 1, - exceptions_list: [], - immutable: false, - type: 'query', - language: 'kuery', - index: [ - 'apm-*-transaction*', - 'traces-apm*', - 'auditbeat-*', - 'endgame-*', - 'filebeat-*', - 'logs-*', - 'packetbeat-*', - 'winlogbeat-*', - 'cmd', - ], - query: 'process.executable : "/usr/bin/cat"', - filters: [], - }, - ancestors: [{ id: 'FsUGTX0BGGlsPv9flMGF', type: 'event', index: 'cmd', depth: 0 }], - status: 'active', - workflow_status: 'open', - depth: 1, - reason: 'process event created low alert cmd cat rule.', - original_time: '2021-11-23T13:40:16.541Z', - original_event: { action: 'exit', category: 'process', kind: 'event' }, - uuid: '54a56e2c0ca5865d47e7d7cc9df8af525be1437fd2d93345214b9bcd6a12bc7e', - }, - space_ids: ['default'], - }, - tags: [ - '__internal_rule_id:472d9de6-01fd-489f-9783-42773114fe8f', - '__internal_immutable:false', - ], - '@timestamp': '2021-11-23T13:41:46.775Z', - process: { - pid: 51744, - pgid: 51744, - user: { name: 'vagrant', id: 1000 }, - executable: '/usr/bin/cat', - interactive: true, - entity_id: 'bb5efe42-54a6-597c-bd0e-33a1a3fc372e', - parent: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - session: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - entry: { - 
pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - start: '2021-11-23T13:40:07.183Z', - }, - args_count: 2, - args: ['cat', 'EventConverter/src/main.ts'], - working_directory: '/home/vagrant', + tags: [ + '__internal_rule_id:472d9de6-01fd-489f-9783-42773114fe8f', + '__internal_immutable:false', + ], + '@timestamp': '2021-11-23T13:41:46.769Z', + process: { + pid: 51731, + pgid: 51731, + user: { name: 'vagrant', id: 1000 }, + executable: '/usr/bin/cat', + interactive: true, + entity_id: '85752b94-1c86-5540-9a61-743429d5a206', + parent: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + session: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + entry: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + start: '2021-11-23T13:40:07.183Z', + }, + args_count: 2, + args: ['cat', 'EventConverter/package.json'], + working_directory: '/home/vagrant', + }, + network: { application: 'ssh' }, + source: { ip: '10.0.2.2' }, + client: { ip: '10.0.2.2' }, + event: { action: 'exit', category: 'process', kind: 'signal' }, + }, + sort: [1637674906769], + }, + { + _index: '.internal.alerts-security.alerts-default-000001', + _id: 'ff3c18dd02204fcfec1695f8ab8371e657fa508db1298c3be55c3b85254d6668', + _score: null, + _source: { + kibana: { + version: '8.1.0', + alert: { + rule: { + category: 'Custom Query Rule', + consumer: 'siem', + name: 'cmd cat rule', + producer: 'siem', + rule_type_id: 'siem.queryRule', + uuid: 'a9d50a20-4c62-11ec-a972-9179365b52d5', + actions: [], + created_at: 
'2021-11-23T13:38:39.059Z', + created_by: 'elastic', + enabled: true, + interval: '1m', + tags: [], + updated_at: '2021-11-23T13:38:40.417Z', + updated_by: 'elastic', + description: 'cmd cat rule', + risk_score: 21, + severity: 'low', + license: '', + meta: { from: '1m', kibana_siem_app_url: 'http://localhost:5601/app/security' }, + author: [], + false_positives: [], + from: 'now-120s', + rule_id: '472d9de6-01fd-489f-9783-42773114fe8f', + max_signals: 100, + risk_score_mapping: [], + severity_mapping: [], + threat: [], + to: 'now', + references: [], + version: 1, + exceptions_list: [], + immutable: false, + type: 'query', + language: 'kuery', + index: [ + 'apm-*-transaction*', + 'traces-apm*', + 'auditbeat-*', + 'endgame-*', + 'filebeat-*', + 'logs-*', + 'packetbeat-*', + 'winlogbeat-*', + 'cmd', + ], + query: 'process.executable : "/usr/bin/cat"', + filters: [], }, - network: { application: 'ssh' }, - source: { ip: '10.0.2.2' }, - client: { ip: '10.0.2.2' }, - event: { action: 'exit', category: 'process', kind: 'signal' }, + ancestors: [{ id: 'BsUGTX0BGGlsPv9fgMFv', type: 'event', index: 'cmd', depth: 0 }], + status: 'active', + workflow_status: 'open', + depth: 1, + reason: 'process event created low alert cmd cat rule.', + original_time: '2021-11-23T13:40:11.397Z', + original_event: { action: 'exec', category: 'process', kind: 'event' }, + uuid: 'ff3c18dd02204fcfec1695f8ab8371e657fa508db1298c3be55c3b85254d6668', }, - sort: [1637674906775], + space_ids: ['default'], }, - { - _index: '.internal.alerts-security.alerts-default-000001', - _id: 'bcc079ffccbe5d28a4c9889e40a7c8c965b60c7e05b0f337e516599a9c9e4623', - _score: null, - _source: { - kibana: { - version: '8.1.0', - alert: { - rule: { - category: 'Custom Query Rule', - consumer: 'siem', - name: 'cmd cat rule', - producer: 'siem', - rule_type_id: 'siem.queryRule', - uuid: 'a9d50a20-4c62-11ec-a972-9179365b52d5', - actions: [], - created_at: '2021-11-23T13:38:39.059Z', - created_by: 'elastic', - enabled: true, - 
interval: '1m', - tags: [], - updated_at: '2021-11-23T13:38:40.417Z', - updated_by: 'elastic', - description: 'cmd cat rule', - risk_score: 21, - severity: 'low', - license: '', - meta: { from: '1m', kibana_siem_app_url: 'http://localhost:5601/app/security' }, - author: [], - false_positives: [], - from: 'now-120s', - rule_id: '472d9de6-01fd-489f-9783-42773114fe8f', - max_signals: 100, - risk_score_mapping: [], - severity_mapping: [], - threat: [], - to: 'now', - references: [], - version: 1, - exceptions_list: [], - immutable: false, - type: 'query', - language: 'kuery', - index: [ - 'apm-*-transaction*', - 'traces-apm*', - 'auditbeat-*', - 'endgame-*', - 'filebeat-*', - 'logs-*', - 'packetbeat-*', - 'winlogbeat-*', - 'cmd', - ], - query: 'process.executable : "/usr/bin/cat"', - filters: [], - }, - ancestors: [{ id: 'H8UGTX0BGGlsPv9fp8F_', type: 'event', index: 'cmd', depth: 0 }], - status: 'active', - workflow_status: 'open', - depth: 1, - reason: 'process event created low alert cmd cat rule.', - original_time: '2021-11-23T13:40:21.392Z', - original_event: { action: 'exec', category: 'process', kind: 'event' }, - uuid: 'bcc079ffccbe5d28a4c9889e40a7c8c965b60c7e05b0f337e516599a9c9e4623', - }, - space_ids: ['default'], + tags: [ + '__internal_rule_id:472d9de6-01fd-489f-9783-42773114fe8f', + '__internal_immutable:false', + ], + '@timestamp': '2021-11-23T13:41:46.770Z', + process: { + pid: 51734, + pgid: 51734, + user: { name: 'vagrant', id: 1000 }, + executable: '/usr/bin/cat', + interactive: true, + entity_id: '3f0bc056-2eb3-52d6-8032-d9ea9c593461', + parent: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + session: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + entry: { + pid: 51547, + pgid: 51547, + user: { 
name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + start: '2021-11-23T13:40:07.183Z', + }, + args_count: 2, + args: ['cat', 'EventConverter/package.json'], + working_directory: '/home/vagrant', + }, + network: { application: 'ssh' }, + source: { ip: '10.0.2.2' }, + client: { ip: '10.0.2.2' }, + event: { action: 'exec', category: 'process', kind: 'signal' }, + }, + sort: [1637674906770], + }, + { + _index: '.internal.alerts-security.alerts-default-000001', + _id: '98aab971c23197b4bacd9b08971af525e47ff9621a4efd5c8ea41c94b00202f3', + _score: null, + _source: { + kibana: { + version: '8.1.0', + alert: { + rule: { + category: 'Custom Query Rule', + consumer: 'siem', + name: 'cmd cat rule', + producer: 'siem', + rule_type_id: 'siem.queryRule', + uuid: 'a9d50a20-4c62-11ec-a972-9179365b52d5', + actions: [], + created_at: '2021-11-23T13:38:39.059Z', + created_by: 'elastic', + enabled: true, + interval: '1m', + tags: [], + updated_at: '2021-11-23T13:38:40.417Z', + updated_by: 'elastic', + description: 'cmd cat rule', + risk_score: 21, + severity: 'low', + license: '', + meta: { from: '1m', kibana_siem_app_url: 'http://localhost:5601/app/security' }, + author: [], + false_positives: [], + from: 'now-120s', + rule_id: '472d9de6-01fd-489f-9783-42773114fe8f', + max_signals: 100, + risk_score_mapping: [], + severity_mapping: [], + threat: [], + to: 'now', + references: [], + version: 1, + exceptions_list: [], + immutable: false, + type: 'query', + language: 'kuery', + index: [ + 'apm-*-transaction*', + 'traces-apm*', + 'auditbeat-*', + 'endgame-*', + 'filebeat-*', + 'logs-*', + 'packetbeat-*', + 'winlogbeat-*', + 'cmd', + ], + query: 'process.executable : "/usr/bin/cat"', + filters: [], }, - tags: [ - '__internal_rule_id:472d9de6-01fd-489f-9783-42773114fe8f', - '__internal_immutable:false', - ], - '@timestamp': '2021-11-23T13:41:46.777Z', - process: { - pid: 51749, - pgid: 51749, - user: { name: 
'vagrant', id: 1000 }, - executable: '/usr/bin/cat', - interactive: true, - entity_id: '628f412a-172c-5cf4-b452-a070e1e9cbeb', - parent: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - session: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - entry: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - start: '2021-11-23T13:40:07.183Z', - }, - args_count: 2, - args: ['cat', 'EventConverter/package.json'], - working_directory: '/home/vagrant', + ancestors: [{ id: 'B8UGTX0BGGlsPv9fgMFv', type: 'event', index: 'cmd', depth: 0 }], + status: 'active', + workflow_status: 'open', + depth: 1, + reason: 'process event created low alert cmd cat rule.', + original_time: '2021-11-23T13:40:11.398Z', + original_event: { action: 'exit', category: 'process', kind: 'event' }, + uuid: '98aab971c23197b4bacd9b08971af525e47ff9621a4efd5c8ea41c94b00202f3', + }, + space_ids: ['default'], + }, + tags: [ + '__internal_rule_id:472d9de6-01fd-489f-9783-42773114fe8f', + '__internal_immutable:false', + ], + '@timestamp': '2021-11-23T13:41:46.772Z', + process: { + pid: 51734, + pgid: 51734, + user: { name: 'vagrant', id: 1000 }, + executable: '/usr/bin/cat', + interactive: true, + entity_id: '3f0bc056-2eb3-52d6-8032-d9ea9c593461', + parent: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + session: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + entry: { + pid: 51547, + 
pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + start: '2021-11-23T13:40:07.183Z', + }, + args_count: 2, + args: ['cat', 'EventConverter/package.json'], + working_directory: '/home/vagrant', + }, + network: { application: 'ssh' }, + source: { ip: '10.0.2.2' }, + client: { ip: '10.0.2.2' }, + event: { action: 'exit', category: 'process', kind: 'signal' }, + }, + sort: [1637674906772], + }, + { + _index: '.internal.alerts-security.alerts-default-000001', + _id: '8ae5e4e634bd7bf02ce45ddb5980689aa5889199806febb75d27987ee55b2217', + _score: null, + _source: { + kibana: { + version: '8.1.0', + alert: { + rule: { + category: 'Custom Query Rule', + consumer: 'siem', + name: 'cmd cat rule', + producer: 'siem', + rule_type_id: 'siem.queryRule', + uuid: 'a9d50a20-4c62-11ec-a972-9179365b52d5', + actions: [], + created_at: '2021-11-23T13:38:39.059Z', + created_by: 'elastic', + enabled: true, + interval: '1m', + tags: [], + updated_at: '2021-11-23T13:38:40.417Z', + updated_by: 'elastic', + description: 'cmd cat rule', + risk_score: 21, + severity: 'low', + license: '', + meta: { from: '1m', kibana_siem_app_url: 'http://localhost:5601/app/security' }, + author: [], + false_positives: [], + from: 'now-120s', + rule_id: '472d9de6-01fd-489f-9783-42773114fe8f', + max_signals: 100, + risk_score_mapping: [], + severity_mapping: [], + threat: [], + to: 'now', + references: [], + version: 1, + exceptions_list: [], + immutable: false, + type: 'query', + language: 'kuery', + index: [ + 'apm-*-transaction*', + 'traces-apm*', + 'auditbeat-*', + 'endgame-*', + 'filebeat-*', + 'logs-*', + 'packetbeat-*', + 'winlogbeat-*', + 'cmd', + ], + query: 'process.executable : "/usr/bin/cat"', + filters: [], }, - network: { application: 'ssh' }, - source: { ip: '10.0.2.2' }, - client: { ip: '10.0.2.2' }, - event: { action: 'exec', category: 'process', kind: 'signal' }, + ancestors: [{ id: 
'FMUGTX0BGGlsPv9flMF7', type: 'event', index: 'cmd', depth: 0 }], + status: 'active', + workflow_status: 'open', + depth: 1, + reason: 'process event created low alert cmd cat rule.', + original_time: '2021-11-23T13:40:16.528Z', + original_event: { action: 'exec', category: 'process', kind: 'event' }, + uuid: '8ae5e4e634bd7bf02ce45ddb5980689aa5889199806febb75d27987ee55b2217', }, - sort: [1637674906777], + space_ids: ['default'], }, - { - _index: '.internal.alerts-security.alerts-default-000001', - _id: 'b078f297327f0552e2461200d0224e605a397dc705fe00565759078088eaebe4', - _score: null, - _source: { - kibana: { - version: '8.1.0', - alert: { - rule: { - category: 'Custom Query Rule', - consumer: 'siem', - name: 'cmd cat rule', - producer: 'siem', - rule_type_id: 'siem.queryRule', - uuid: 'a9d50a20-4c62-11ec-a972-9179365b52d5', - actions: [], - created_at: '2021-11-23T13:38:39.059Z', - created_by: 'elastic', - enabled: true, - interval: '1m', - tags: [], - updated_at: '2021-11-23T13:38:40.417Z', - updated_by: 'elastic', - description: 'cmd cat rule', - risk_score: 21, - severity: 'low', - license: '', - meta: { from: '1m', kibana_siem_app_url: 'http://localhost:5601/app/security' }, - author: [], - false_positives: [], - from: 'now-120s', - rule_id: '472d9de6-01fd-489f-9783-42773114fe8f', - max_signals: 100, - risk_score_mapping: [], - severity_mapping: [], - threat: [], - to: 'now', - references: [], - version: 1, - exceptions_list: [], - immutable: false, - type: 'query', - language: 'kuery', - index: [ - 'apm-*-transaction*', - 'traces-apm*', - 'auditbeat-*', - 'endgame-*', - 'filebeat-*', - 'logs-*', - 'packetbeat-*', - 'winlogbeat-*', - 'cmd', - ], - query: 'process.executable : "/usr/bin/cat"', - filters: [], - }, - ancestors: [{ id: 'HcUGTX0BGGlsPv9fp8F_', type: 'event', index: 'cmd', depth: 0 }], - status: 'active', - workflow_status: 'open', - depth: 1, - reason: 'process event created low alert cmd cat rule.', - original_time: '2021-11-23T13:40:21.393Z', - 
original_event: { action: 'exit', category: 'process', kind: 'event' }, - uuid: 'b078f297327f0552e2461200d0224e605a397dc705fe00565759078088eaebe4', - }, - space_ids: ['default'], + tags: [ + '__internal_rule_id:472d9de6-01fd-489f-9783-42773114fe8f', + '__internal_immutable:false', + ], + '@timestamp': '2021-11-23T13:41:46.773Z', + process: { + pid: 51744, + pgid: 51744, + user: { name: 'vagrant', id: 1000 }, + executable: '/usr/bin/cat', + interactive: true, + entity_id: 'bb5efe42-54a6-597c-bd0e-33a1a3fc372e', + parent: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + session: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + entry: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + start: '2021-11-23T13:40:07.183Z', + }, + args_count: 2, + args: ['cat', 'EventConverter/src/main.ts'], + working_directory: '/home/vagrant', + }, + network: { application: 'ssh' }, + source: { ip: '10.0.2.2' }, + client: { ip: '10.0.2.2' }, + event: { action: 'exec', category: 'process', kind: 'signal' }, + }, + sort: [1637674906773], + }, + { + _index: '.internal.alerts-security.alerts-default-000001', + _id: '54a56e2c0ca5865d47e7d7cc9df8af525be1437fd2d93345214b9bcd6a12bc7e', + _score: null, + _source: { + kibana: { + version: '8.1.0', + alert: { + rule: { + category: 'Custom Query Rule', + consumer: 'siem', + name: 'cmd cat rule', + producer: 'siem', + rule_type_id: 'siem.queryRule', + uuid: 'a9d50a20-4c62-11ec-a972-9179365b52d5', + actions: [], + created_at: '2021-11-23T13:38:39.059Z', + created_by: 'elastic', + enabled: true, + interval: '1m', + tags: [], + updated_at: '2021-11-23T13:38:40.417Z', + updated_by: 
'elastic', + description: 'cmd cat rule', + risk_score: 21, + severity: 'low', + license: '', + meta: { from: '1m', kibana_siem_app_url: 'http://localhost:5601/app/security' }, + author: [], + false_positives: [], + from: 'now-120s', + rule_id: '472d9de6-01fd-489f-9783-42773114fe8f', + max_signals: 100, + risk_score_mapping: [], + severity_mapping: [], + threat: [], + to: 'now', + references: [], + version: 1, + exceptions_list: [], + immutable: false, + type: 'query', + language: 'kuery', + index: [ + 'apm-*-transaction*', + 'traces-apm*', + 'auditbeat-*', + 'endgame-*', + 'filebeat-*', + 'logs-*', + 'packetbeat-*', + 'winlogbeat-*', + 'cmd', + ], + query: 'process.executable : "/usr/bin/cat"', + filters: [], }, - tags: [ - '__internal_rule_id:472d9de6-01fd-489f-9783-42773114fe8f', - '__internal_immutable:false', - ], - '@timestamp': '2021-11-23T13:41:46.780Z', - process: { - pid: 51749, - pgid: 51749, - user: { name: 'vagrant', id: 1000 }, - executable: '/usr/bin/cat', - interactive: true, - entity_id: '628f412a-172c-5cf4-b452-a070e1e9cbeb', - parent: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - session: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - }, - entry: { - pid: 51547, - pgid: 51547, - user: { name: 'vagrant', id: 1000 }, - executable: '/bin/bash', - interactive: true, - entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', - start: '2021-11-23T13:40:07.183Z', - }, - args_count: 2, - args: ['cat', 'EventConverter/package.json'], - working_directory: '/home/vagrant', + ancestors: [{ id: 'FsUGTX0BGGlsPv9flMGF', type: 'event', index: 'cmd', depth: 0 }], + status: 'active', + workflow_status: 'open', + depth: 1, + reason: 'process event created low alert cmd cat rule.', + original_time: 
'2021-11-23T13:40:16.541Z', + original_event: { action: 'exit', category: 'process', kind: 'event' }, + uuid: '54a56e2c0ca5865d47e7d7cc9df8af525be1437fd2d93345214b9bcd6a12bc7e', + }, + space_ids: ['default'], + }, + tags: [ + '__internal_rule_id:472d9de6-01fd-489f-9783-42773114fe8f', + '__internal_immutable:false', + ], + '@timestamp': '2021-11-23T13:41:46.775Z', + process: { + pid: 51744, + pgid: 51744, + user: { name: 'vagrant', id: 1000 }, + executable: '/usr/bin/cat', + interactive: true, + entity_id: 'bb5efe42-54a6-597c-bd0e-33a1a3fc372e', + parent: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + session: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + entry: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + start: '2021-11-23T13:40:07.183Z', + }, + args_count: 2, + args: ['cat', 'EventConverter/src/main.ts'], + working_directory: '/home/vagrant', + }, + network: { application: 'ssh' }, + source: { ip: '10.0.2.2' }, + client: { ip: '10.0.2.2' }, + event: { action: 'exit', category: 'process', kind: 'signal' }, + }, + sort: [1637674906775], + }, + { + _index: '.internal.alerts-security.alerts-default-000001', + _id: 'bcc079ffccbe5d28a4c9889e40a7c8c965b60c7e05b0f337e516599a9c9e4623', + _score: null, + _source: { + kibana: { + version: '8.1.0', + alert: { + rule: { + category: 'Custom Query Rule', + consumer: 'siem', + name: 'cmd cat rule', + producer: 'siem', + rule_type_id: 'siem.queryRule', + uuid: 'a9d50a20-4c62-11ec-a972-9179365b52d5', + actions: [], + created_at: '2021-11-23T13:38:39.059Z', + created_by: 'elastic', + enabled: true, + interval: '1m', + tags: [], + updated_at: 
'2021-11-23T13:38:40.417Z', + updated_by: 'elastic', + description: 'cmd cat rule', + risk_score: 21, + severity: 'low', + license: '', + meta: { from: '1m', kibana_siem_app_url: 'http://localhost:5601/app/security' }, + author: [], + false_positives: [], + from: 'now-120s', + rule_id: '472d9de6-01fd-489f-9783-42773114fe8f', + max_signals: 100, + risk_score_mapping: [], + severity_mapping: [], + threat: [], + to: 'now', + references: [], + version: 1, + exceptions_list: [], + immutable: false, + type: 'query', + language: 'kuery', + index: [ + 'apm-*-transaction*', + 'traces-apm*', + 'auditbeat-*', + 'endgame-*', + 'filebeat-*', + 'logs-*', + 'packetbeat-*', + 'winlogbeat-*', + 'cmd', + ], + query: 'process.executable : "/usr/bin/cat"', + filters: [], }, - network: { application: 'ssh' }, - source: { ip: '10.0.2.2' }, - client: { ip: '10.0.2.2' }, - event: { action: 'exit', category: 'process', kind: 'signal' }, + ancestors: [{ id: 'H8UGTX0BGGlsPv9fp8F_', type: 'event', index: 'cmd', depth: 0 }], + status: 'active', + workflow_status: 'open', + depth: 1, + reason: 'process event created low alert cmd cat rule.', + original_time: '2021-11-23T13:40:21.392Z', + original_event: { action: 'exec', category: 'process', kind: 'event' }, + uuid: 'bcc079ffccbe5d28a4c9889e40a7c8c965b60c7e05b0f337e516599a9c9e4623', + }, + space_ids: ['default'], + }, + tags: [ + '__internal_rule_id:472d9de6-01fd-489f-9783-42773114fe8f', + '__internal_immutable:false', + ], + '@timestamp': '2021-11-23T13:41:46.777Z', + process: { + pid: 51749, + pgid: 51749, + user: { name: 'vagrant', id: 1000 }, + executable: '/usr/bin/cat', + interactive: true, + entity_id: '628f412a-172c-5cf4-b452-a070e1e9cbeb', + parent: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + session: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + 
interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + entry: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + start: '2021-11-23T13:40:07.183Z', }, - sort: [1637674906780], + args_count: 2, + args: ['cat', 'EventConverter/package.json'], + working_directory: '/home/vagrant', }, - ], + network: { application: 'ssh' }, + source: { ip: '10.0.2.2' }, + client: { ip: '10.0.2.2' }, + event: { action: 'exec', category: 'process', kind: 'signal' }, + }, + sort: [1637674906777], }, -}); + { + _index: '.internal.alerts-security.alerts-default-000001', + _id: 'b078f297327f0552e2461200d0224e605a397dc705fe00565759078088eaebe4', + _score: null, + _source: { + kibana: { + version: '8.1.0', + alert: { + rule: { + category: 'Custom Query Rule', + consumer: 'siem', + name: 'cmd cat rule', + producer: 'siem', + rule_type_id: 'siem.queryRule', + uuid: 'a9d50a20-4c62-11ec-a972-9179365b52d5', + actions: [], + created_at: '2021-11-23T13:38:39.059Z', + created_by: 'elastic', + enabled: true, + interval: '1m', + tags: [], + updated_at: '2021-11-23T13:38:40.417Z', + updated_by: 'elastic', + description: 'cmd cat rule', + risk_score: 21, + severity: 'low', + license: '', + meta: { from: '1m', kibana_siem_app_url: 'http://localhost:5601/app/security' }, + author: [], + false_positives: [], + from: 'now-120s', + rule_id: '472d9de6-01fd-489f-9783-42773114fe8f', + max_signals: 100, + risk_score_mapping: [], + severity_mapping: [], + threat: [], + to: 'now', + references: [], + version: 1, + exceptions_list: [], + immutable: false, + type: 'query', + language: 'kuery', + index: [ + 'apm-*-transaction*', + 'traces-apm*', + 'auditbeat-*', + 'endgame-*', + 'filebeat-*', + 'logs-*', + 'packetbeat-*', + 'winlogbeat-*', + 'cmd', + ], + query: 'process.executable : "/usr/bin/cat"', + filters: [], + }, + ancestors: [{ id: 'HcUGTX0BGGlsPv9fp8F_', type: 
'event', index: 'cmd', depth: 0 }], + status: 'active', + workflow_status: 'open', + depth: 1, + reason: 'process event created low alert cmd cat rule.', + original_time: '2021-11-23T13:40:21.393Z', + original_event: { action: 'exit', category: 'process', kind: 'event' }, + uuid: 'b078f297327f0552e2461200d0224e605a397dc705fe00565759078088eaebe4', + }, + space_ids: ['default'], + }, + tags: [ + '__internal_rule_id:472d9de6-01fd-489f-9783-42773114fe8f', + '__internal_immutable:false', + ], + '@timestamp': '2021-11-23T13:41:46.780Z', + process: { + pid: 51749, + pgid: 51749, + user: { name: 'vagrant', id: 1000 }, + executable: '/usr/bin/cat', + interactive: true, + entity_id: '628f412a-172c-5cf4-b452-a070e1e9cbeb', + parent: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + session: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + }, + entry: { + pid: 51547, + pgid: 51547, + user: { name: 'vagrant', id: 1000 }, + executable: '/bin/bash', + interactive: true, + entity_id: 'ae06c110-ad2d-5830-b47c-08ad62f1734c', + start: '2021-11-23T13:40:07.183Z', + }, + args_count: 2, + args: ['cat', 'EventConverter/package.json'], + working_directory: '/home/vagrant', + }, + network: { application: 'ssh' }, + source: { ip: '10.0.2.2' }, + client: { ip: '10.0.2.2' }, + event: { action: 'exit', category: 'process', kind: 'signal' }, + }, + sort: [1637674906780], + }] +}; diff --git a/x-pack/plugins/session_view/common/types/process_tree/index.ts b/x-pack/plugins/session_view/common/types/process_tree/index.ts index 0189751a49c2fb..d22c366a9f87ec 100644 --- a/x-pack/plugins/session_view/common/types/process_tree/index.ts +++ b/x-pack/plugins/session_view/common/types/process_tree/index.ts 
@@ -29,20 +29,13 @@ export interface User { name: string; } -export interface EventResultBody { - hits: any[]; - total: number; -} - export interface ProcessEventResults { - events: EventResultBody; - alerts: EventResultBody; + events: any[]; } export interface ProcessFields { args: string[]; args_count: number; - command_line: string; entity_id: string; executable: string; interactive: boolean; @@ -51,7 +44,8 @@ export interface ProcessFields { pid: number; pgid: number; user: User; - end?: string; + start: Date; + end?: Date; exit_code?: number; } @@ -119,6 +113,11 @@ export interface ProcessEvent { }; } +export interface ProcessEventsPage { + events: ProcessEvent[], + cursor: string, +} + export interface Process { id: string; // the process entity_id events: ProcessEvent[]; diff --git a/x-pack/plugins/session_view/common/utils/sort_processes.ts b/x-pack/plugins/session_view/common/utils/sort_processes.ts new file mode 100644 index 00000000000000..fed117ace763ce --- /dev/null +++ b/x-pack/plugins/session_view/common/utils/sort_processes.ts @@ -0,0 +1,16 @@ +import { Process } from '../types/process_tree'; + +export const sortProcesses = (a: Process, b: Process) => { + const eventA = a.getDetails(); + const eventB = b.getDetails(); + + if (eventA.process.start < eventB.process.start) { + return -1; + } + + if (eventA.process.start > eventB.process.start) { + return 1; + } + + return 0; +} diff --git a/x-pack/plugins/session_view/public/components/ProcessTree/helpers.test.ts b/x-pack/plugins/session_view/public/components/ProcessTree/helpers.test.ts index 20929bc9adb017..9092009a7d291c 100644 --- a/x-pack/plugins/session_view/public/components/ProcessTree/helpers.test.ts +++ b/x-pack/plugins/session_view/public/components/ProcessTree/helpers.test.ts @@ -5,7 +5,7 @@ * 2.0. */ import { - mockEvents, + mockData, mockProcessMap, } from '../../../common/mocks/constants/session_view_process.mock'; import { Process, ProcessMap } from '../../../common/types/process_tree'; 
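Review bot: `ProcessEventResults.events` widens from the typed `EventResultBody` to `any[]`, so the `event._source as ProcessEvent` map in `SessionView/hooks.ts` is no longer checked against anything; since the hits are raw search documents, a narrower shape such as `events: Array<{ _source: unknown }>;` forces the consumer to narrow instead of trusting the wire format. The dropped `alerts` field suggests alerts now arrive in the same list; if so, a one-line comment on the interface saying that is worth adding for readers of the hook.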
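Review bot: The new `sort_processes.ts` has no Elastic License header, which every other source file in this diff carries, and the exported comparator has no declared return type; `export const sortProcesses = (a: Process, b: Process): number => {` pins the contract (and the closing `}` is missing the trailing `;` used elsewhere). The `<`/`>` comparison assumes `process.start` is a `Date` as the type says, but values that arrive through the `_source` cast in the fetch hook are presumably still ISO strings at runtime; those compare fine among themselves but not against a real `Date` such as the `jumpToEvent` one, so either normalise with `.valueOf()`-style conversion at the parse site or add a TSDoc note stating the assumed runtime type.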
@@ -20,6 +20,8 @@ const SESSION_ENTITY_ID = '3d0192c6-7c54-5ee6-a110-3539a7cf42bc'; const SEARCH_QUERY = 'vi'; const SEARCH_RESULT_PROCESS_ID = '8e4daeb2-4a4e-56c4-980e-f0dcfdbc3727'; +const mockEvents = mockData[0].events; + describe('process tree hook helpers tests', () => { let processMap: ProcessMap; @@ -37,18 +39,18 @@ describe('process tree hook helpers tests', () => { }); it('buildProcessTree works', () => { - processMap = mockProcessMap; - const orphans: Process[] = []; - processMap = buildProcessTree(processMap, mockEvents, orphans, SESSION_ENTITY_ID); + const newOrphans = buildProcessTree(mockProcessMap, mockEvents, [], SESSION_ENTITY_ID); const sessionLeaderChildrenIds = new Set( - processMap[SESSION_ENTITY_ID].children.map((child) => child.id) + mockProcessMap[SESSION_ENTITY_ID].children.map((child: Process) => child.id) ); // processes are added under their parent's childrean array in processMap mockEvents.forEach((event) => { expect(sessionLeaderChildrenIds.has(event.process.entity_id)); }); + + expect(newOrphans.length).toBe(0); }); it('searchProcessTree works', () => { diff --git a/x-pack/plugins/session_view/public/components/ProcessTree/helpers.ts b/x-pack/plugins/session_view/public/components/ProcessTree/helpers.ts index b591d4a7c2d20f..4ce71096b37517 100644 --- a/x-pack/plugins/session_view/public/components/ProcessTree/helpers.ts +++ b/x-pack/plugins/session_view/public/components/ProcessTree/helpers.ts 
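Review bot: The loop assertion on the unchanged line, `expect(sessionLeaderChildrenIds.has(event.process.entity_id));`, has no matcher and can never fail; since this test is being rewritten anyway, `expect(sessionLeaderChildrenIds.has(event.process.entity_id)).toBe(true);`. `buildProcessTree` now runs directly against the imported `mockProcessMap` and pushes children onto its entries, so unless the `beforeEach` above the hunk rebuilds it, state accumulates into later `it` blocks; passing a fresh copy here keeps the tests independent.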
@@ -30,27 +30,53 @@ export const buildProcessTree = ( sessionEntityId: string, backwardDirection: boolean = false ) => { + if (backwardDirection) { + events = events.slice().reverse(); + } + events.forEach((event) => { const process = processMap[event.process.entity_id]; const parentProcess = processMap[event.process.parent?.entity_id]; + // if session leader, or process already has a parent, return + if (process.id === sessionEntityId || process.parent) { + return; + } + if (parentProcess) { process.parent = parentProcess; // handy for recursive operations (like auto expand) - if (!parentProcess.children.includes(process) && parentProcess.id !== process.id) { - if (backwardDirection) { - parentProcess.children.unshift(process); - } else { - parentProcess.children.push(process); - } + if (backwardDirection) { + parentProcess.children.unshift(process); + } else { + parentProcess.children.push(process); } - } else if (process.id !== sessionEntityId && !orphans.includes(process)) { + } else if (!orphans?.includes(process)) { // if no parent process, process is probably orphaned - orphans.push(process); + if (backwardDirection) { + orphans?.unshift(process); + } else { + orphans?.push(process); + } } }); - return processMap; + const newOrphans: Process[] = []; + + // with this new page of events processed, lets try re-parent any orphans + orphans?.forEach((process) => { + const parentProcess = processMap[process.getDetails().process.parent.entity_id]; + + if (parentProcess) { + process.parent = parentProcess; // handy for recursive operations (like auto expand) + + parentProcess.children.push(process); + } else { + newOrphans.push(process); + } + }); + + return newOrphans; }; export const searchProcessTree = (processMap: ProcessMap, searchQuery: string | undefined) => { 
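Review bot: The re-parenting pass reads `process.getDetails().process.parent.entity_id` without optional chaining, while the loop above uses `event.process.parent?.entity_id`; an orphan whose event has no `parent` throws here instead of staying in `newOrphans`, so `const parentProcess = processMap[process.getDetails().process.parent?.entity_id];` keeps the two paths consistent. Re-parented orphans are always `push`ed regardless of `backwardDirection`, unlike the first loop, which looks like an oversight. Reassigning the `events` parameter (`events = events.slice().reverse();`) works but a `const ordered = backwardDirection ? events.slice().reverse() : events;` reads more clearly. `buildProcessTree`'s signature starts above the hunk.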
@@ -113,12 +139,7 @@ export const processNewEvents = ( } const updatedProcessMap = updateProcessMap(eventsProcessMap, events); - const builtProcessMap = buildProcessTree( - updatedProcessMap, - events, - orphans, - sessionEntityId, - backwardDirection - ); - return autoExpandProcessTree(builtProcessMap); + const newOrphans = buildProcessTree(updatedProcessMap, events, orphans, sessionEntityId, backwardDirection); + + return [autoExpandProcessTree(updatedProcessMap), newOrphans]; }; diff --git a/x-pack/plugins/session_view/public/components/ProcessTree/hooks.ts b/x-pack/plugins/session_view/public/components/ProcessTree/hooks.ts index 7627a2ea02467e..a5139da16cb432 100644 --- a/x-pack/plugins/session_view/public/components/ProcessTree/hooks.ts +++ b/x-pack/plugins/session_view/public/components/ProcessTree/hooks.ts @@ -13,13 +13,13 @@ import { Process, ProcessEvent, ProcessMap, + ProcessEventsPage, } from '../../../common/types/process_tree'; import { processNewEvents, searchProcessTree, autoExpandProcessTree } from './helpers'; interface UseProcessTreeDeps { sessionEntityId: string; - forward: ProcessEvent[]; - backward?: ProcessEvent[]; + data: ProcessEventsPage[]; searchQuery?: string; } @@ -108,15 +108,14 @@ export class ProcessImpl implements Process { export const useProcessTree = ({ sessionEntityId, - forward, - backward, + data, searchQuery, }: UseProcessTreeDeps) => { // initialize map, as well as a placeholder for session leader process // we add a fake session leader event, sourced from wide event data. // this is because we might not always have a session leader event // especially if we are paging in reverse from deep within a large session - const fakeLeaderEvent = forward.find((event) => event.event.kind === EventKind.event); + const fakeLeaderEvent = data[0].events.find((event) => event.event.kind === EventKind.event); const sessionLeaderProcess = new ProcessImpl(sessionEntityId); if (fakeLeaderEvent) { 
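Review bot: `return [autoExpandProcessTree(updatedProcessMap), newOrphans];` is inferred as `(ProcessMap | Process[])[]`, which is why the caller in `ProcessTree/hooks.ts` needs a `<[ProcessMap, Process[]]>` assertion; declaring the return type as `: [ProcessMap, Process[]]` on `processNewEvents` (or `as const` on the array) makes it a tuple and the cast can go. The single-line `buildProcessTree(...)` call is longer than the wrapped form it replaces and the surrounding style. `processNewEvents`'s signature starts above the hunk.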
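Review bot: `data[0].events.find(...)` throws when `data` is empty, whereas the replaced `forward.find` could only yield undefined; `SessionView` happens to guard with `hasData` before rendering, but the hook should not rely on that, so `const fakeLeaderEvent = data[0]?.events.find((event) => event.event.kind === EventKind.event);` keeps it safe (and is what `noUncheckedIndexedAccess` would require). The comment above says the leader is sourced from "wide event data"; it now comes from the first page only, which is worth stating since that page is the cursor page when `jumpToEvent` is set.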
@@ -129,36 +128,43 @@ export const useProcessTree = ({ }; const [processMap, setProcessMap] = useState(initializedProcessMap); - const [forwardIndex, setForwardIndex] = useState(0); - const [backwardIndex, setBackwardIndex] = useState(0); + const [processedPages, setProcessedPages] = useState([]); const [searchResults, setSearchResults] = useState([]); const [orphans, setOrphans] = useState([]); useEffect(() => { let eventsProcessMap: ProcessMap = processMap; - if (backward) { - eventsProcessMap = processNewEvents( - eventsProcessMap, - backward.slice(0, backward.length - backwardIndex), - orphans, - sessionEntityId, - true - ); - setBackwardIndex(backward.length); - } + let newOrphans: Process[] = orphans; + let newProcessedPages: ProcessEventsPage[] = []; - eventsProcessMap = processNewEvents( - eventsProcessMap, - forward.slice(forwardIndex), - orphans, - sessionEntityId - ); - setForwardIndex(forward.length); + data.forEach((page, i) => { + const processed = processedPages.find(processed => processed.cursor === page.cursor); + + if (!processed) { + console.log('processing page of events'); + + const backwards = i < processedPages.length; + + const result = <[ProcessMap, Process[]]>processNewEvents( + eventsProcessMap, + page.events, + orphans, + sessionEntityId, + backwards + ) + + eventsProcessMap = result[0]; + newOrphans = result[1]; + + newProcessedPages.push(page); + } + }); setProcessMap({ ...eventsProcessMap }); - setOrphans([...orphans]); + setProcessedPages([...processedPages, ...newProcessedPages]) + setOrphans(newOrphans); // eslint-disable-next-line react-hooks/exhaustive-deps - }, [forward, backward]); + }, [data]); useEffect(() => { setSearchResults(searchProcessTree(processMap, searchQuery)); 
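Review bot: Inside `data.forEach`, every unprocessed page is passed the original `orphans` array while the result is stored in `newOrphans`, so when two or more new pages arrive in one effect run the second call sees a stale orphan list and orphans already re-parented by the first page can be re-added; pass `newOrphans` into `processNewEvents` instead of `orphans`. `console.log('processing page of events');` should not ship (the lines this diff removes elsewhere carried an eslint-disable for exactly this). `const backwards = i < processedPages.length;` infers direction from array position and deserves a comment on why that holds. `newProcessedPages` is never reassigned and can be `const`, and `useState([])` may infer `never[]` under strict settings, so `useState<ProcessEventsPage[]>([])` is safer.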
@@ -167,5 +173,5 @@ export const useProcessTree = ({ }, [searchQuery]); // return the root session leader process, and a list of orphans - return { sessionLeader: processMap[sessionEntityId], orphans, searchResults }; + return { sessionLeader: processMap[sessionEntityId], processMap, orphans, searchResults }; }; diff --git a/x-pack/plugins/session_view/public/components/ProcessTree/index.test.tsx b/x-pack/plugins/session_view/public/components/ProcessTree/index.test.tsx index 5b711ade92cfa2..8ffeb71a91e831 100644 --- a/x-pack/plugins/session_view/public/components/ProcessTree/index.test.tsx +++ b/x-pack/plugins/session_view/public/components/ProcessTree/index.test.tsx @@ -6,7 +6,7 @@ */ import React from 'react'; -import { mockEvents } from '../../../common/mocks/constants/session_view_process.mock'; +import { mockData } from '../../../common/mocks/constants/session_view_process.mock'; import { AppContextTestRender, createAppRootMockRenderer } from '../../test'; import { ProcessTree } from './index'; 
@@ -21,43 +21,53 @@ describe('ProcessTree component', () => { describe('When ProcessTree is mounted', () => { it('should render given a valid sessionEntityId and Forward data', () => { - renderResult = mockedContext.render(); + renderResult = mockedContext.render( + true} + hasNextPage={false} + fetchPreviousPage={() => true} + hasPreviousPage={false} + />); expect(renderResult.queryByTestId('sessionViewProcessTree')).toBeTruthy(); expect(renderResult.queryByTestId('processTreeNode')).toBeTruthy(); }); describe('Orphaned childrens', () => { + const mockEvents = mockData[0].events; + const orphanedProcess = { ...mockEvents[0], process: { ...mockEvents[0].process, + entity_id: 'orphaned-id', + args: ['orphaned'], + executable: 'orphaned', + working_directory: 'orphaned', parent: { ...mockEvents[0].process.parent, - entity_id: 'orphaned-id', + entity_id: 'orphaned-parent-id', }, }, } as unknown as typeof mockEvents[0]; - it('should render orphaned childrens if hideOrphans set to false', () => { - renderResult = mockedContext.render( - - ); + it('should render orphaned children under the session leader', () => { + mockEvents.push(orphanedProcess); - expect(renderResult.queryByText(/orphaned/i)).toBeTruthy(); - }); - it('should not render orphaned childrens if hideOrphans set to true', () => { renderResult = mockedContext.render( true} + hasNextPage={false} + fetchPreviousPage={() => true} + hasPreviousPage={false} /> ); - expect(renderResult.queryByText(/orphaned/i)).toBeFalsy(); + expect(renderResult.queryByText('orphaned')).toBeTruthy(); }); }); }); diff --git a/x-pack/plugins/session_view/public/components/ProcessTree/index.tsx b/x-pack/plugins/session_view/public/components/ProcessTree/index.tsx index cca73e0fd26b3c..c031f1ee880a00 100644 --- a/x-pack/plugins/session_view/public/components/ProcessTree/index.tsx +++ b/x-pack/plugins/session_view/public/components/ProcessTree/index.tsx 
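Review bot: `mockEvents.push(orphanedProcess);` mutates `mockData[0].events`, the shared module-level fixture, so every later test importing the mock (including the first `it` in this file if the order changes) sees the extra orphan; build the page from a copy, e.g. `const events = [...mockEvents, orphanedProcess];`, and pass that as the page's `events` (the `data` prop passed to `ProcessTree` is not visible in this rendering). The asserted text `'orphaned'` now matches `executable`, `args` and `working_directory` at once, so the test cannot tell which field rendered; a distinct value per field would make the assertion meaningful.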
@@ -4,22 +4,29 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ -import React, { useRef, useLayoutEffect, useCallback } from 'react'; +import React, { useRef, useEffect, useLayoutEffect, useCallback } from 'react'; +import { EuiButton } from '@elastic/eui'; +import { FormattedMessage } from '@kbn/i18n-react'; import { ProcessTreeNode } from '../ProcessTreeNode'; import { useProcessTree } from './hooks'; -import { ProcessEvent, Process } from '../../../common/types/process_tree'; +import { Process, ProcessEventsPage, ProcessEvent } from '../../../common/types/process_tree'; import { useScroll } from '../../hooks/use_scroll'; import { useStyles } from './styles'; +type FetchFunction = () => void; + interface ProcessTreeDeps { // process.entity_id to act as root node (typically a session (or entry session) leader). sessionEntityId: string; - // bi-directional paging support. allows us to load - // processes before and after a particular process.entity_id - // implementation in-complete. see hooks.js - forward: ProcessEvent[]; // load next - backward?: ProcessEvent[]; // load previous + data: ProcessEventsPage[]; + + jumpToEvent?: ProcessEvent; + isFetching: boolean; + hasNextPage: boolean | undefined; + hasPreviousPage: boolean | undefined; + fetchNextPage: FetchFunction; + fetchPreviousPage: FetchFunction; // plain text search query (only searches "process.working_directory process.args.join(' ')" searchQuery?: string; 
@@ -27,24 +34,26 @@ interface ProcessTreeDeps { // currently selected process selectedProcess?: Process | null; onProcessSelected?: (process: Process) => void; - hideOrphans?: boolean; } export const ProcessTree = ({ sessionEntityId, - forward, - backward, + data, + jumpToEvent, + isFetching, + hasNextPage, + hasPreviousPage, + fetchNextPage, + fetchPreviousPage, searchQuery, selectedProcess, onProcessSelected, - hideOrphans = true, }: ProcessTreeDeps) => { const styles = useStyles(); - const { sessionLeader, orphans, searchResults } = useProcessTree({ + const { sessionLeader, processMap, orphans, searchResults } = useProcessTree({ sessionEntityId, - forward, - backward, + data, searchQuery, }); @@ -54,14 +63,9 @@ export const ProcessTree = ({ useScroll({ div: scrollerRef.current, handler: (pos: number, endReached: boolean) => { - if (endReached) { - // eslint-disable-next-line no-console - console.log('end reached'); - // TODO: call load more + if (!isFetching && endReached) { + fetchNextPage(); } - - // eslint-disable-next-line no-console - console.log(pos); }, }); @@ -97,19 +101,15 @@ export const ProcessTree = ({ if (processEl) { processEl.prepend(selectionAreaEl); - const container = processEl.parentElement; + const cTop = scrollerRef.current.scrollTop; + const cBottom = cTop + scrollerRef.current.clientHeight; - if (container) { - const cTop = container.scrollTop; - const cBottom = cTop + container.clientHeight; + const eTop = processEl.offsetTop; + const eBottom = eTop + processEl.clientHeight; + const isVisible = eTop >= cTop && eBottom <= cBottom; - const eTop = processEl.offsetTop; - const eBottom = eTop + processEl.clientHeight; - const isVisible = eTop >= cTop && eBottom <= cBottom; - - if (!isVisible) { - processEl.scrollIntoView(); - } + if (!isVisible) { + processEl.scrollIntoView({ block: 'center' }); } } }, []); 
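Review bot: `scrollerRef.current.scrollTop` and `scrollerRef.current.clientHeight` replace the previous `if (container)` guard with an unguarded dereference; unless something above the hunk already narrows `scrollerRef.current`, a null ref during an early layout pass throws, so `const scroller = scrollerRef.current; if (!scroller) return;` before the arithmetic keeps the earlier behaviour. `scrollIntoView({ block: 'center' })` changes the scroll position compared with the plain `scrollIntoView()` it replaces; a short comment on why centring is wanted would help. The enclosing callback starts above the hunk.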
@@ -120,37 +120,51 @@ export const ProcessTree = ({ } }, [selectedProcess, selectProcess]); - // TODO: bubble the results up to parent component session_view, and show results navigation - // navigating should - // eslint-disable-next-line no-console - console.log(searchResults); - - const renderOrphans = () => { - if (!hideOrphans) { - return orphans.map((process) => { - return ( - - ); - }); + useEffect(() => { + if (searchResults.length > 0) { + selectProcess(searchResults[0]); } - }; + }, [searchResults]) + + useEffect(() => { + if (jumpToEvent && data.length === 2) { + const process = processMap[jumpToEvent.process.entity_id]; + + if (process) { + selectProcess(process); + } + } + }, [jumpToEvent, processMap]) + + function renderLoadMoreButton(text: JSX.Element, func: FetchFunction) { + return ( + func()} isLoading={isFetching}> + {text} + + ); + } return (
+ {hasPreviousPage && + renderLoadMoreButton( + , + fetchPreviousPage + )} {sessionLeader && ( )} - {renderOrphans()}
+ {hasNextPage && + renderLoadMoreButton( + , + fetchNextPage + )}
); }; diff --git a/x-pack/plugins/session_view/public/components/ProcessTree/styles.ts b/x-pack/plugins/session_view/public/components/ProcessTree/styles.ts index d706a80a95eb77..4c6e4ebab5edeb 100644 --- a/x-pack/plugins/session_view/public/components/ProcessTree/styles.ts +++ b/x-pack/plugins/session_view/public/components/ProcessTree/styles.ts @@ -20,8 +20,6 @@ export const useStyles = () => { overflow: 'auto', height: '100%', backgroundColor: euiTheme.colors.lightestShade, - display: 'flex', - flexDirection: 'column', }; const selectionArea: CSSObject = { diff --git a/x-pack/plugins/session_view/public/components/ProcessTreeNode/index.tsx b/x-pack/plugins/session_view/public/components/ProcessTreeNode/index.tsx index 10fce07d2709c0..77d370c3fe648e 100644 --- a/x-pack/plugins/session_view/public/components/ProcessTreeNode/index.tsx +++ b/x-pack/plugins/session_view/public/components/ProcessTreeNode/index.tsx @@ -15,12 +15,14 @@ import React, { useMemo, useRef, useLayoutEffect, useState, useEffect, MouseEven import { EuiButton, EuiIcon } from '@elastic/eui'; import { FormattedMessage } from '@kbn/i18n-react'; import { Process } from '../../../common/types/process_tree'; +import { sortProcesses } from '../../../common/utils/sort_processes'; import { useStyles, ButtonType } from './styles'; import { ProcessTreeAlerts } from '../ProcessTreeAlerts'; interface ProcessDeps { process: Process; isSessionLeader?: boolean; + orphans?: Process[]; isOrphan?: boolean; depth?: number; onProcessSelected?: (process: Process) => void; @@ -33,6 +35,7 @@ interface ProcessDeps { export function ProcessTreeNode({ process, isSessionLeader = false, + orphans, isOrphan, depth = 0, onProcessSelected, 
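Review bot: `if (jumpToEvent && data.length === 2)` hard-codes the page count produced by the fetch hook's automatic `fetchPreviousPage`, coupling this component to the internals of `useFetchSessionViewProcessEvents`; at minimum a comment explaining the `2` (cursor page plus the auto-fetched previous page), and more robustly a one-shot flag that selects `processMap[jumpToEvent.process.entity_id]` the first time it exists. Both new effects omit `selectProcess` from their dependency arrays without the `eslint-disable-next-line react-hooks/exhaustive-deps` the file uses elsewhere. `onClick={() => func()}` can simply be `onClick={func}`. The JSX in this hunk is mangled in the rendering, so the element structure was not reviewed.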
@@ -85,7 +88,15 @@ export function ProcessTreeNode({ const { interactive } = processDetails.process; const renderChildren = () => { - const { children } = process; + let { children } = process; + + // we pass an array of orphans to the session leader + // for lack of a better approach, we just mix the orphans with its children and re-sort by timestamp. + // we could just add orphans to the children of the session leader in useProcessTree, but + // it makes it difficult to re-parent them when their parent actually shows up (e.g in the case of reverse pagination) + if (orphans) { + children = [...children, ...orphans].sort(sortProcesses); + } if (!childrenExpanded || !children || children.length === 0) { return; diff --git a/x-pack/plugins/session_view/public/components/SessionView/hooks.ts b/x-pack/plugins/session_view/public/components/SessionView/hooks.ts index de748ed0fdc202..46c90f20058d2e 100644 --- a/x-pack/plugins/session_view/public/components/SessionView/hooks.ts +++ b/x-pack/plugins/session_view/public/components/SessionView/hooks.ts 
@@ -5,53 +5,72 @@ * 2.0. */ import { useEffect, useState } from 'react'; -import { useQuery } from 'react-query'; +import { useInfiniteQuery } from 'react-query'; import { EuiSearchBarOnChangeArgs } from '@elastic/eui'; import { CoreStart } from 'kibana/public'; import { useKibana } from '../../../../../../src/plugins/kibana_react/public'; import { ProcessEvent, ProcessEventResults } from '../../../common/types/process_tree'; -import { PROCESS_EVENTS_ROUTE } from '../../../common/constants'; +import { PROCESS_EVENTS_ROUTE, PROCESS_EVENTS_PER_PAGE } from '../../../common/constants'; -export const useFetchSessionViewProcessEvents = (sessionEntityId: string) => { +export const useFetchSessionViewProcessEvents = ( + sessionEntityId: string, + jumpToEvent: ProcessEvent | undefined +) => { const { http } = useKibana().services; - return useQuery(['sessionViewProcessEvents', sessionEntityId], () => - http.get(PROCESS_EVENTS_ROUTE, { - query: { - sessionEntityId, - }, - }) - ); -}; + const jumpToCursor = jumpToEvent && jumpToEvent['@timestamp'].toISOString(); -export const useParseSessionViewProcessEvents = (getData: ProcessEventResults | undefined) => { - const [data, setData] = useState([]); - const { events, alerts } = getData || {}; + const query = useInfiniteQuery( + 'sessionViewProcessEvents', + async ({ pageParam = {} }) => { + let { cursor, forward } = pageParam; - const sortEvents = (a: ProcessEvent, b: ProcessEvent) => { - if (a['@timestamp'].valueOf() < b['@timestamp'].valueOf()) { - return -1; - } else if (a['@timestamp'].valueOf() > b['@timestamp'].valueOf()) { - return 1; - } + if (!cursor && jumpToCursor) { + cursor = jumpToCursor; + } - return 0; - }; + const res = await http.get(PROCESS_EVENTS_ROUTE, { + query: { + sessionEntityId, + cursor, + forward, + }, + }); + + const events = res.events.map((event: any) => event._source as ProcessEvent); + + return { events, cursor }; + }, + { + getNextPageParam: (lastPage, pages) => { + if (lastPage.events.length 
=== PROCESS_EVENTS_PER_PAGE) { + return { + cursor: lastPage.events[lastPage.events.length - 1]['@timestamp'], + forward: true, + }; + } + }, + getPreviousPageParam: (firstPage, pages) => { + if (jumpToEvent && firstPage.events.length === PROCESS_EVENTS_PER_PAGE) { + return { + cursor: firstPage.events[0]['@timestamp'], + forward: false, + }; + } + }, + refetchOnWindowFocus: false, + refetchOnMount: false, + refetchOnReconnect: false, + } + ); useEffect(() => { - const eventsSource: ProcessEvent[] = (events?.hits || []).map( - (event: any) => event._source as ProcessEvent - ); - const alertsSource: ProcessEvent[] = (alerts?.hits || []).map((event: any) => { - return event._source as ProcessEvent; - }); - const all: ProcessEvent[] = eventsSource.concat(alertsSource).sort(sortEvents); - setData(all); - }, [events, alerts]); + if (jumpToEvent && query.data?.pages.length === 1) { + query.fetchPreviousPage(); + } + }, [query.data]); - return { - data, - }; + return query; }; export const useSearchQuery = () => { diff --git a/x-pack/plugins/session_view/public/components/SessionView/index.test.tsx b/x-pack/plugins/session_view/public/components/SessionView/index.test.tsx index e6d450c3ec43af..a5e45fa0c0f35a 100644 --- a/x-pack/plugins/session_view/public/components/SessionView/index.test.tsx +++ b/x-pack/plugins/session_view/public/components/SessionView/index.test.tsx @@ -30,14 +30,7 @@ describe('SessionView component', () => { describe('And no data exists', () => { beforeEach(async () => { mockedApi.mockResolvedValue({ - events: { - hits: [], - total: 0, - }, - alerts: { - hits: [], - total: 0, - }, + events: [] }); }); @@ -87,7 +80,7 @@ describe('SessionView component', () => { render(); await waitForApiCall(); - expect(renderResult.getByTestId('processTreeNode')).toBeTruthy(); + expect(renderResult.getAllByTestId('processTreeNode')).toBeTruthy(); }); }); }); 
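Review bot: The infinite query is keyed on the bare string `'sessionViewProcessEvents'`, whereas the replaced `useQuery` keyed on `['sessionViewProcessEvents', sessionEntityId]`; combined with `refetchOnMount: false`, remounting for a different `sessionEntityId` (or a different `jumpToEvent`) serves the previously viewed session's cached pages under the new id. Use `['sessionViewProcessEvents', sessionEntityId, jumpToCursor]` as the key so each session and cursor gets its own cache entry. `res.events.map((event: any) => event._source as ProcessEvent)` trusts the wire shape entirely, and the `'@timestamp'` it passes through is presumably the JSON string rather than the `Date` the type promises (note `jumpToCursor` must call `.toISOString()` while the cursors in `getNextPageParam`/`getPreviousPageParam` do not); a parse step or at least a comment there prevents a Date/string mix downstream. The `pages` parameter of both page-param callbacks is unused. The effect calling `query.fetchPreviousPage()` lists only `query.data`; add `jumpToEvent` or the eslint-disable used in `ProcessTree/hooks.ts`.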
diff --git a/x-pack/plugins/session_view/public/components/SessionView/index.tsx b/x-pack/plugins/session_view/public/components/SessionView/index.tsx index aea67e214bec4b..0d61c45ebffc9d 100644 --- a/x-pack/plugins/session_view/public/components/SessionView/index.tsx +++ b/x-pack/plugins/session_view/public/components/SessionView/index.tsx @@ -16,30 +16,22 @@ import { import { FormattedMessage } from '@kbn/i18n-react'; import { SectionLoading } from '../../shared_imports'; import { ProcessTree } from '../ProcessTree'; -import { Process } from '../../../common/types/process_tree'; +import { Process, ProcessEvent } from '../../../common/types/process_tree'; import { SessionViewDetailPanel } from '../SessionViewDetailPanel'; import { useStyles } from './styles'; -import { - useSearchQuery, - useFetchSessionViewProcessEvents, - useParseSessionViewProcessEvents, -} from './hooks'; +import { useSearchQuery, useFetchSessionViewProcessEvents } from './hooks'; interface SessionViewDeps { // the root node of the process tree to render. e.g process.entry.entity_id or process.session.entity_id sessionEntityId: string; height?: number; + jumpToEvent?: ProcessEvent; } /** * The main wrapper component for the session view. - * TODO: - * - Details panel - * - Fullscreen toggle - * - Search results navigation - * - Settings menu (needs design) */ -export const SessionView = ({ sessionEntityId, height }: SessionViewDeps) => { +export const SessionView = ({ sessionEntityId, height, jumpToEvent }: SessionViewDeps) => { const [isDetailOpen, setIsDetailOpen] = useState(false); const [isDetailMounted, setIsDetailMounted] = useState(false); const [selectedProcess, setSelectedProcess] = useState(null); 
@@ -53,9 +45,18 @@ export const SessionView = ({ sessionEntityId, height }: SessionViewDeps) => { }; const { onSearch, searchQuery } = useSearchQuery(); - const { isLoading, isError, data: getData } = useFetchSessionViewProcessEvents(sessionEntityId); - const { data } = useParseSessionViewProcessEvents(getData); + const { + data, + error, + fetchNextPage, + hasNextPage, + isFetching, + fetchPreviousPage, + hasPreviousPage, + } = useFetchSessionViewProcessEvents(sessionEntityId, jumpToEvent); + + const hasData = data && data.pages.length > 0 && data.pages[0].events.length > 0; const renderNoData = () => { return ( { }; const renderProcessTree = () => { - if (isLoading) { + // we only show this loader on initial load + // otherwise as more pages are loaded it renders to full component + if (isFetching && !data) { return ( { ); } - if (isError) { + if (error) { return ( { /> ); } - if (data) { + if (hasData) { return (
); @@ -110,7 +119,6 @@ export const SessionView = ({ sessionEntityId, height }: SessionViewDeps) => { height={height} selectedProcess={selectedProcess} setIsDetailOpen={setIsDetailOpen} - session={data?.[0]?.process.session} /> ); } @@ -123,7 +131,7 @@ export const SessionView = ({ sessionEntityId, height }: SessionViewDeps) => { } }; - if (!(isLoading || isError || data.length)) { + if (!isFetching && !hasData) { return renderNoData(); } diff --git a/x-pack/plugins/session_view/public/components/SessionViewPage/index.tsx b/x-pack/plugins/session_view/public/components/SessionViewPage/index.tsx index eae4ffc20c3907..674f68a2355552 100644 --- a/x-pack/plugins/session_view/public/components/SessionViewPage/index.tsx +++ b/x-pack/plugins/session_view/public/components/SessionViewPage/index.tsx 
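Review bot: The early return `if (!isFetching && !hasData) { return renderNoData(); }` no longer excludes the error case the old `isError` guard did, so when the request fails with no cached pages the component shows "no data" and the `if (error)` branch in `renderProcessTree` is unreachable; `if (!isFetching && !error && !hasData) {` restores it. `renderProcessTree` is defined above the hunk.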
@@ -14,12 +14,105 @@ import { CoreStart } from '../../../../../../src/core/public'; import { RECENT_SESSION_ROUTE, BASE_PATH } from '../../../common/constants'; import { SessionView } from '../SessionView'; -import { ProcessEvent } from '../../../common/types/process_tree'; +import { ProcessEvent, EventKind, EventAction } from '../../../common/types/process_tree'; interface RecentSessionResults { hits: any[]; } +const jumpToEvent: ProcessEvent = { + "@timestamp": new Date("2022-01-04T19:18:47.143Z"), + "event": { + "kind": EventKind.event, + "action": EventAction.exec, + "category": "process", + }, + "host": { + "architecture": "x86_64", + "hostname": "mock-host-name", + "id": "48c1b3f1ac5da4e0057fc9f60f4d1d5d", + "ip": "127.0.0.1", + "mac": "42:01:0a:84:00:32", + "name": "mock-host", + "os": { + "type": "", + "family": "centos", + "full": "CentOS 7.9.2009", + "kernel": "3.10.0-1160.31.1.el7.x86_64 #1 SMP Thu Jun 10 13:32:12 UTC 2021", + "name": "Linux", + "platform": "centos", + "version": "7.9.2009" + } + }, + "process": { + "start": new Date("2022-01-04T19:18:47.143Z"), + "pid": 11197, + "pgid": 6699, + "user": { + "name": "kg", + "id": "1000" + }, + "executable": "/bin/echo", + "interactive": true, + "entity_id": "9b40fa52-fccf-52fa-9164-13a11903ee4d", + "parent": { + "pid": 6699, + "pgid": 6699, + "user": { + "name": "kg", + "id": "1000" + }, + "executable": "/usr/bin/bash", + "args": ["/usr/bin/bash"], + "working_directory": "/", + "name": "bash", + "args_count": 1, + "interactive": true, + "entity_id": "1ba32ad9-1ae1-54e9-899a-d5bd4fa5f6ed", + "start": new Date("2022-01-04T18:33:23.490Z"), + }, + "session": { + "pid": 6379, + "pgid": 6379, + "user": { + "name": "kg", + "id": "1000" + }, + "executable": "/usr/bin/zsh", + "args": ["/usr/bin/zsh"], + "working_directory": "/", + "name": "zsh", + "args_count": 1, + "interactive": true, + "entity_id": "354b317e-4037-50db-a83f-fab4a32a085c", + "start": new Date("2022-01-04T18:33:23.490Z"), + }, + "entry": { + 
"pid": 6379, + "pgid": 6379, + "user": { + "name": "kg", + "id": "1000" + }, + "executable": "/usr/bin/zsh", + "args": ["/usr/bin/zsh"], + "args_count": 1, + "working_directory": "/", + "name": "zsh", + "interactive": true, + "entity_id": "354b317e-4037-50db-a83f-fab4a32a085c", + "start": new Date("2022-01-04T18:33:23.490Z") + }, + "name": "echo", + "args_count": 2, + "args": [ + "/bin/echo", + "8715" + ], + "working_directory": "/" + }, +} + export const SessionViewPage = (props: RouteComponentProps) => { const { chrome, http } = useKibana().services; chrome.setBreadcrumbs([ @@ -31,13 +124,17 @@ export const SessionViewPage = (props: RouteComponentProps) => { chrome.docTitle.change('Process Tree'); // loads the entity_id of most recent 'interactive' session - const { data } = useQuery(['recent-session', 'recent_session'], () => - http.get(RECENT_SESSION_ROUTE, { + const { data } = useQuery(['recent-session', 'recent_session'], () => { + return http.get(RECENT_SESSION_ROUTE, { query: { indexes: ['cmd*', '.siem-signals*'], }, }) - ); + }, { + refetchOnWindowFocus: false, + refetchOnMount: false, + refetchOnReconnect: false + }); const [sessionEntityId, setSessionEntityId] = useState(''); @@ -61,7 +158,7 @@ export const SessionViewPage = (props: RouteComponentProps) => { description="Session view showing the most recent interactive session." /> - {sessionEntityId && } + {sessionEntityId && } diff --git a/x-pack/plugins/session_view/server/plugin.ts b/x-pack/plugins/session_view/server/plugin.ts index 794cf293020e11..cdaf3c284f1288 100644 --- a/x-pack/plugins/session_view/server/plugin.ts +++ b/x-pack/plugins/session_view/server/plugin.ts @@ -33,7 +33,7 @@ export class SessionViewPlugin implements Plugin { const router = core.http.createRouter(); // Register server routes - registerRoutes(router); + registerRoutes(router, this.logger); // Register saved objects savedObjects.registerType(getTestSavedObject()); 
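Review bot: `jumpToEvent` is a hard-coded fixture (host `mock-host-name`, fixed `entity_id` values) declared in the page component and, per the later hunk in this file, handed to `SessionView` together with whichever `sessionEntityId` the recent-session query returns, so the cursor will in general not belong to the session actually shown. If this is demo scaffolding it belongs with the existing mocks under `common/mocks`, or should at least carry a comment such as `// TEMP: demo fixture for jump-to-event; replace with the event chosen by the caller`. The literal also uses quoted keys and double quotes, unlike the surrounding file; running Prettier over it would align the style.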
diff --git a/x-pack/plugins/session_view/server/routes/index.ts b/x-pack/plugins/session_view/server/routes/index.ts index 3a777ccf61c7cc..c12841e7d5ef0f 100644 --- a/x-pack/plugins/session_view/server/routes/index.ts +++ b/x-pack/plugins/session_view/server/routes/index.ts @@ -11,11 +11,12 @@ import { registerTestSavedObjectsRoute } from './test_saved_objects_route'; import { registerProcessEventsRoute } from './process_events_route'; import { registerRecentSessionRoute } from './recent_session_route'; import { sessionEntryLeadersRoute } from './session_entry_leaders_route'; +import type { Logger } from 'kibana/server'; -export const registerRoutes = (router: IRouter) => { +export const registerRoutes = (router: IRouter, logger: Logger) => { registerTestRoute(router); registerTestSavedObjectsRoute(router); - registerProcessEventsRoute(router); + registerProcessEventsRoute(router, logger); registerRecentSessionRoute(router); sessionEntryLeadersRoute(router); }; diff --git a/x-pack/plugins/session_view/server/routes/process_events_route.ts b/x-pack/plugins/session_view/server/routes/process_events_route.ts index 10c0954f6ad076..e456f9a024cec9 100644 --- a/x-pack/plugins/session_view/server/routes/process_events_route.ts +++ b/x-pack/plugins/session_view/server/routes/process_events_route.ts 
@@ -5,68 +5,91 @@ * 2.0. */ import { schema } from '@kbn/config-schema'; +import type { Logger } from 'kibana/server'; import { IRouter } from '../../../../../src/core/server'; +import { ElasticsearchClient } from '../../../../../src/core/server/elasticsearch'; import { PROCESS_EVENTS_ROUTE, PROCESS_EVENTS_PER_PAGE } from '../../common/constants'; import { expandDottedObject } from '../../common/utils/expand_dotted_object'; -export const registerProcessEventsRoute = (router: IRouter) => { +export const registerProcessEventsRoute = (router: IRouter, logger: Logger) => { router.get( { path: PROCESS_EVENTS_ROUTE, validate: { query: schema.object({ - sessionEntityId: schema.maybe(schema.string()), + sessionEntityId: schema.string(), + cursor: schema.maybe(schema.string()), + forward: schema.maybe(schema.boolean()), }), }, }, async (context, request, response) => { const client = context.core.elasticsearch.client.asCurrentUser; + const { sessionEntityId, cursor, forward = true } = request.query; + const body = await doSearch(client, sessionEntityId, cursor, forward); - // TODO: would be good to figure out how to add securitySolution as a dep - // and make use of this way of getting the siem-signals index, instead of - // hardcoding it. - // const siemClient = context.securitySolution.getAppClient(); - // const alertsIndex = siemClient.getSignalsIndex(), + return response.ok({ body }); + } + ); +}; - const { sessionEntityId } = request.query; +const doSearch = async ( + client: ElasticsearchClient, + sessionEntityId: string, + cursor: string | undefined, + forward = true +) => { + // Temporary hack. Updates .siem-signals-default index to include a mapping for process.entry.entity_id + // TODO: find out how to do proper index mapping migrations... 
+ let siemSignalsExists = true; - const search = await client.search({ - index: ['cmd'], - body: { - query: { - match: { - 'process.entry.entity_id': sessionEntityId, - }, + try { + await client.indices.putMapping({ + index: '.siem-signals-default', + body: { + properties: { + 'process.entry.entity_id': { + type: 'keyword', }, - size: PROCESS_EVENTS_PER_PAGE, - sort: [{ '@timestamp': 'asc' }], }, - }); + }, + }); + } catch (err) { + siemSignalsExists = false; + } + + const indices = ['cmd']; + + if (siemSignalsExists) { + indices.push('.siem-signals-default'); + } - // temporary approach. ideally we'd pull from both these indexes above, but unfortunately - // our new fields like process.entry.entity_id won't have a mapping in the .siem-signals index - // this should hopefully change once we update ECS or endpoint-package.. - // for demo purpose we just load all alerts, and stich it together on the frontend. - const alerts = await client.search({ - index: ['.siem-signals-default'], - body: { - size: PROCESS_EVENTS_PER_PAGE, - sort: [{ '@timestamp': 'asc' }], + const search = await client.search({ + index: indices, + body: { + query: { + match: { + 'process.entry.entity_id': sessionEntityId, }, - }); + }, + size: PROCESS_EVENTS_PER_PAGE, + sort: [{ '@timestamp': forward ? 'asc' : 'desc' }], + search_after: cursor ? [cursor] : undefined, + }, + }); - alerts.body.hits.hits = alerts.body.hits.hits.map((hit: any) => { - hit._source = expandDottedObject(hit._source); + const events = search.body.hits.hits.map((hit: any) => { + // the .siem-signals-default index flattens many properties. this util unflattens them. + hit._source = expandDottedObject(hit._source); - return hit; - }); + return hit; + }); - return response.ok({ - body: { - events: search.body.hits, - alerts: alerts.body.hits, - }, - }); - } - ); + if (!forward) { + events.reverse(); + } + + return { + events, + }; }; diff --git a/yarn.lock b/yarn.lock index 55a18910fb13cd..7bdca2c7572133 100644 --- a/yarn.lock 
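Review bot: The `catch (err)` around `client.indices.putMapping` swallows every failure and the newly added `logger` parameter is never used, so a missing index, a mapping conflict and an authorization failure are indistinguishable and all silently drop `.siem-signals-default` from the search; at minimum log it, `logger.warn('putMapping on .siem-signals-default failed; alerts index skipped', err);`, and ideally only treat an index-not-found error as "index absent". This is also a GET handler that mutates an index mapping on every request with the caller's credentials, which is a write side effect on a read route and needs `manage` privileges the caller may not have — the comment already calls it a temporary hack, so consider doing it once at plugin setup instead. `cursor` is user-supplied and passed straight through as the `search_after` value for the `@timestamp` sort, so an unparsable value surfaces as an Elasticsearch error (a 500) rather than a 400; validating it as a date string in the route schema would be tighter. As a style point, the `hit: any` callback parameter could be typed from the search response instead of `any`.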
+++ b/yarn.lock @@ -23581,10 +23581,10 @@ react-popper@^2.2.4: react-fast-compare "^3.0.1" warning "^4.0.2" -react-query@^3.28.0: - version "3.28.0" - resolved "https://registry.yarnpkg.com/react-query/-/react-query-3.28.0.tgz#1bfe12944860b2b773680054de37f19438f59d1d" - integrity sha512-OeX+nRqs7Zi0MvvtaKxKWE4N966UGtqSVuedOsz8cJh9eW195fgtYZ9nW3hZjIPPmeDY1PkArLUiV4wZvNRDPw== +react-query@^3.34.7: + version "3.34.7" + resolved "https://registry.yarnpkg.com/react-query/-/react-query-3.34.7.tgz#e3d71318f510ea354794cd188b351bb57f577cb9" + integrity sha512-Q8+H2DgpoZdGUpwW2Z9WAbSrIE+yOdZiCUokHjlniOOmlcsfqNLgvHF5i7rtuCmlw3hv5OAhtpS7e97/DvgpWw== dependencies: "@babel/runtime" "^7.5.5" broadcast-channel "^3.4.1"