custom_subsets/elastic_endpoint/alerts/malware_event.yaml (1,140 lines of code) (raw):
---
name: malware_event
fields:
base:
fields:
"@timestamp": {}
"message": {}
data_stream:
fields: "*"
agent:
fields:
ephemeral_id: {}
id: {}
name: {}
type: {}
version: {}
# these fields are needed in the mapping so the maps page of the security app does not throw a bunch of errors
source:
fields:
geo:
fields: "*"
ip: {}
destination:
fields:
geo:
fields: "*"
ip: {}
dll:
fields:
name: {}
path: {}
hash:
fields:
md5: {}
sha1: {}
sha256: {}
sha512: {}
pe:
fields:
company: {}
description: {}
file_version: {}
imphash: {}
original_file_name: {}
product: {}
code_signature:
fields:
exists: {}
signing_id: {}
status: {}
subject_name: {}
team_id: {}
trusted: {}
valid: {}
Ext:
fields:
mapped_address: {}
mapped_size: {}
compile_time: {}
code_signature:
fields:
exists: {}
status: {}
subject_name: {}
trusted: {}
valid: {}
malware_classification:
fields:
score: {}
threshold: {}
identifier: {}
version: {}
upx_packed: {}
features:
enabled: false
fields:
data:
fields:
buffer: {}
decompressed_size: {}
encoding: {}
ecs:
fields:
version: {}
event:
fields:
action: {}
category: {}
created: {}
code: {}
dataset: {}
hash: {}
id: {}
ingested: {}
kind: {}
module: {}
outcome: {}
provider: {}
risk_score: {}
sequence: {}
severity: {}
type: {}
Endpoint:
fields:
policy:
fields:
applied:
fields:
id: {}
status: {}
version: {}
name: {}
artifacts:
fields: "*"
elastic:
fields:
agent:
fields:
id: {}
rule:
fields:
author: {}
category: {}
description: {}
id: {}
license: {}
name: {}
reference: {}
ruleset: {}
uuid: {}
version: {}
threat:
fields:
enrichments:
fields:
indicator:
fields:
file:
fields:
code_signature:
fields:
exists: {}
signing_id: {}
status: {}
subject_name: {}
team_id: {}
trusted: {}
valid: {}
accessed: {}
attributes: {}
created: {}
ctime: {}
device: {}
directory: {}
drive_letter: {}
elf:
fields: "*"
extension: {}
gid: {}
group: {}
hash:
fields:
md5: {}
sha1: {}
sha256: {}
sha512: {}
ssdeep: {}
inode: {}
mime_type: {}
mode: {}
mtime: {}
name: {}
owner: {}
path: {}
pe:
fields:
architecture: {}
company: {}
description: {}
file_version: {}
imphash: {}
original_file_name: {}
product: {}
size: {}
target_path: {}
type: {}
uid: {}
Ext:
fields:
code_signature:
fields:
exists: {}
status: {}
subject_name: {}
trusted: {}
valid: {}
device:
fields:
bus_type: {}
dos_name: {}
nt_name: {}
product_id: {}
serial_number: {}
vendor_id: {}
file_system_type: {}
volume_device_type: {}
entropy: {}
entry_modified: {}
header_bytes: {}
header_data: {}
malware_classification:
fields:
features:
fields:
data:
fields:
buffer: {}
decompressed_size: {}
encoding: {}
identifier: {}
score: {}
threshold: {}
upx_packed: {}
version: {}
malware_signature:
fields:
all_names: {}
identifier: {}
primary:
fields:
matches: {}
signature:
fields:
hash:
fields:
sha256: {}
id: {}
name: {}
secondary: {}
version: {}
monotonic_id: {}
original:
fields:
gid: {}
group: {}
mode: {}
name: {}
owner: {}
path: {}
uid: {}
quarantine_message: {}
quarantine_path: {}
quarantine_result: {}
temp_file_path: {}
windows:
fields:
zone_identifier: {}
first_seen: {}
last_seen: {}
geo:
fields:
city_name: {}
continent_code: {}
continent_name: {}
country_iso_code: {}
country_name: {}
location: {}
name: {}
postal_code: {}
region_iso_code: {}
region_name: {}
timezone: {}
ip: {}
marking:
fields:
tlp: {}
modified_at: {}
port: {}
provider: {}
reference: {}
registry:
fields:
data:
fields:
bytes: {}
strings: {}
type: {}
hive: {}
key: {}
path: {}
value: {}
scanner_stats: {}
sightings: {}
type: {}
url:
fields:
domain: {}
extension: {}
fragment: {}
full: {}
original: {}
password: {}
path: {}
port: {}
query: {}
registered_domain: {}
scheme: {}
subdomain: {}
top_level_domain: {}
username: {}
x509:
fields: "*"
matched:
fields:
atomic: {}
field: {}
id: {}
index: {}
type: {}
framework: {}
group:
fields: "*"
indicator:
fields:
as:
fields:
number: {}
organization:
fields:
name: {}
confidence: {}
description: {}
email:
fields:
address: {}
file:
fields:
Ext:
fields:
code_signature:
fields:
exists: {}
status: {}
subject_name: {}
trusted: {}
valid: {}
device:
fields:
bus_type: {}
dos_name: {}
nt_name: {}
product_id: {}
serial_number: {}
vendor_id: {}
file_system_type: {}
volume_device_type: {}
entropy: {}
entry_modified: {}
header_bytes: {}
header_data: {}
malware_classification:
fields:
features:
fields:
data:
fields:
buffer: {}
decompressed_size: {}
encoding: {}
identifier: {}
score: {}
threshold: {}
upx_packed: {}
version: {}
malware_signature:
fields:
all_names: {}
identifier: {}
primary:
fields:
matches: {}
signature:
fields:
hash:
fields:
sha256: {}
id: {}
name: {}
secondary: {}
version: {}
monotonic_id: {}
original:
fields:
gid: {}
group: {}
mode: {}
name: {}
owner: {}
path: {}
uid: {}
quarantine_message: {}
quarantine_path: {}
quarantine_result: {}
temp_file_path: {}
windows:
fields:
zone_identifier: {}
accessed: {}
attributes: {}
code_signature:
fields:
exists: {}
signing_id: {}
status: {}
subject_name: {}
team_id: {}
trusted: {}
valid: {}
created: {}
ctime: {}
device: {}
directory: {}
drive_letter: {}
elf:
fields: "*"
extension: {}
gid: {}
group: {}
hash:
fields:
md5: {}
sha1: {}
sha256: {}
sha512: {}
ssdeep: {}
inode: {}
mime_type: {}
mode: {}
mtime: {}
name: {}
owner: {}
path: {}
pe:
fields:
architecture: {}
company: {}
description: {}
file_version: {}
imphash: {}
original_file_name: {}
product: {}
size: {}
target_path: {}
type: {}
uid: {}
first_seen: {}
geo:
fields: "*"
ip: {}
last_seen: {}
marking:
fields:
tlp: {}
modified_at: {}
port: {}
provider: {}
reference: {}
registry:
fields: "*"
scanner_stats: {}
sightings: {}
type: {}
url:
fields:
domain: {}
extension: {}
fragment: {}
full: {}
original: {}
password: {}
path: {}
port: {}
query: {}
registered_domain: {}
scheme: {}
subdomain: {}
top_level_domain: {}
username: {}
x509:
fields: "*"
software:
fields:
id: {}
name: {}
platforms: {}
reference: {}
type: {}
tactic:
fields: "*"
technique:
fields: "*"
host:
fields:
architecture: {}
domain: {}
hostname: {}
id: {}
ip: {}
mac: {}
name: {}
type: {}
uptime: {}
geo:
fields: "*"
os:
fields:
family: {}
full: {}
kernel: {}
name: {}
platform: {}
version: {}
type: {}
Ext:
fields:
variant: {}
user:
fields:
domain: {}
email: {}
full_name: {}
hash: {}
id: {}
name: {}
Ext:
fields:
real:
fields:
id: {}
name: {}
group:
fields:
Ext:
fields:
real:
fields:
id: {}
name: {}
domain: {}
id: {}
name: {}
file:
fields:
accessed: {}
attributes: {}
code_signature:
fields:
exists: {}
signing_id: {}
status: {}
subject_name: {}
team_id: {}
trusted: {}
valid: {}
created: {}
ctime: {}
device: {}
directory: {}
drive_letter: {}
extension: {}
gid: {}
group: {}
hash:
fields:
md5: {}
sha1: {}
sha256: {}
sha512: {}
inode: {}
mime_type: {}
mode: {}
mtime: {}
name: {}
owner: {}
path: {}
pe:
fields:
company: {}
description: {}
file_version: {}
imphash: {}
original_file_name: {}
product: {}
Ext:
fields:
dotnet: {}
sections:
fields:
name: {}
hash:
fields:
md5: {}
sha256: {}
streams:
fields:
name: {}
hash:
fields:
md5: {}
sha256: {}
size: {}
target_path: {}
type: {}
uid: {}
Ext:
fields:
entry_modified: {}
temp_file_path: {}
quarantine_result: {}
quarantine_path: {}
quarantine_message: {}
windows:
fields:
zone_identifier: {}
original:
fields:
name: {}
path: {}
mode: {}
uid: {}
owner: {}
gid: {}
group: {}
code_signature:
fields:
exists: {}
status: {}
subject_name: {}
trusted: {}
valid: {}
malware_classification:
fields:
score: {}
threshold: {}
identifier: {}
version: {}
upx_packed: {}
features:
enabled: false
fields:
data:
fields:
buffer: {}
decompressed_size: {}
encoding: {}
macro:
fields:
errors:
fields:
count: {}
error_type: {}
collection:
fields:
hash:
fields:
md5: {}
sha1: {}
sha256: {}
sha512: {}
project_file:
fields:
hash:
fields:
md5: {}
sha1: {}
sha256: {}
sha512: {}
stream:
fields:
name: {}
raw_code: {}
raw_code_size: {}
hash:
fields:
md5: {}
sha1: {}
sha256: {}
sha512: {}
code_page: {}
file_extension: {}
group:
fields:
domain: {}
id: {}
name: {}
Ext:
fields:
real:
fields:
id: {}
name: {}
process:
fields:
args: {}
args_count: {}
command_line: {}
entity_id: {}
executable: {}
exit_code: {}
hash:
fields:
md5: {}
sha1: {}
sha256: {}
sha512: {}
name: {}
code_signature:
fields:
exists: {}
signing_id: {}
status: {}
subject_name: {}
team_id: {}
trusted: {}
valid: {}
pe:
fields:
company: {}
description: {}
file_version: {}
imphash: {}
original_file_name: {}
product: {}
pgid: {}
pid: {}
ppid: {}
start: {}
thread:
fields:
id: {}
name: {}
Ext:
fields:
call_stack:
enabled: false
fields:
module_path: {}
instruction_pointer: {}
memory_section:
fields:
memory_address: {}
memory_size: {}
protection: {}
symbol_info: {}
rva: {}
start: {}
start_address: {}
start_address_module: {}
service: {}
token:
fields:
domain: {}
elevation: {}
elevation_type: {}
impersonation_level: {}
integrity_level: {}
integrity_level_name: {}
is_appcontainer: {}
privileges:
fields:
name: {}
enabled: {}
description: {}
sid: {}
type: {}
user: {}
uptime: {}
title: {}
uptime: {}
working_directory: {}
Ext:
fields:
ancestry: {}
authentication_id: {}
services: {}
session: {}
user: {}
code_signature:
fields:
exists: {}
status: {}
subject_name: {}
trusted: {}
valid: {}
malware_classification:
fields:
score: {}
threshold: {}
identifier: {}
version: {}
upx_packed: {}
features:
enabled: false
fields:
data:
fields:
buffer: {}
decompressed_size: {}
encoding: {}
protection: {}
token:
fields:
domain: {}
elevation: {}
elevation_type: {}
impersonation_level: {}
integrity_level: {}
integrity_level_name: {}
is_appcontainer: {}
privileges:
fields:
name: {}
enabled: {}
description: {}
sid: {}
type: {}
user: {}
parent:
fields:
args: {}
args_count: {}
command_line: {}
entity_id: {}
executable: {}
exit_code: {}
hash:
fields:
md5: {}
sha1: {}
sha256: {}
sha512: {}
name: {}
code_signature:
fields:
exists: {}
signing_id: {}
status: {}
subject_name: {}
team_id: {}
trusted: {}
valid: {}
pgid: {}
pid: {}
ppid: {}
start: {}
thread:
fields:
id: {}
name: {}
title: {}
uptime: {}
working_directory: {}
Ext:
fields:
real:
fields:
pid: {}
code_signature:
fields:
exists: {}
status: {}
subject_name: {}
trusted: {}
valid: {}
protection: {}
Target:
fields:
dll:
fields:
name: {}
path: {}
hash:
fields:
md5: {}
sha1: {}
sha256: {}
sha512: {}
pe:
fields:
company: {}
description: {}
file_version: {}
imphash: {}
original_file_name: {}
product: {}
code_signature:
fields:
exists: {}
signing_id: {}
status: {}
subject_name: {}
team_id: {}
trusted: {}
valid: {}
Ext:
fields:
mapped_address: {}
mapped_size: {}
code_signature:
fields:
exists: {}
status: {}
subject_name: {}
trusted: {}
valid: {}
compile_time: {}
malware_classification:
fields:
score: {}
threshold: {}
identifier: {}
version: {}
upx_packed: {}
features:
enabled: false
fields:
data:
fields:
buffer: {}
decompressed_size: {}
encoding: {}
process:
fields:
args: {}
args_count: {}
command_line: {}
entity_id: {}
executable: {}
exit_code: {}
hash:
fields:
md5: {}
sha1: {}
sha256: {}
sha512: {}
name: {}
code_signature:
fields:
exists: {}
signing_id: {}
status: {}
subject_name: {}
team_id: {}
trusted: {}
valid: {}
pe:
fields:
company: {}
description: {}
file_version: {}
imphash: {}
original_file_name: {}
product: {}
pgid: {}
pid: {}
ppid: {}
start: {}
thread:
fields:
id: {}
name: {}
Ext:
fields:
call_stack:
enabled: false
fields:
module_path: {}
instruction_pointer: {}
memory_section:
fields:
memory_address: {}
memory_size: {}
protection: {}
symbol_info: {}
rva: {}
start: {}
start_address: {}
start_address_module: {}
service: {}
token:
fields:
domain: {}
elevation: {}
elevation_type: {}
impersonation_level: {}
integrity_level: {}
integrity_level_name: {}
is_appcontainer: {}
privileges:
fields:
name: {}
enabled: {}
description: {}
sid: {}
type: {}
user: {}
uptime: {}
title: {}
uptime: {}
working_directory: {}
Ext:
fields:
ancestry: {}
authentication_id: {}
services: {}
session: {}
user: {}
code_signature:
fields:
exists: {}
status: {}
subject_name: {}
trusted: {}
valid: {}
malware_classification:
fields:
score: {}
threshold: {}
identifier: {}
version: {}
upx_packed: {}
features:
enabled: false
fields:
data:
fields:
buffer: {}
decompressed_size: {}
encoding: {}
token:
fields:
domain: {}
elevation: {}
elevation_type: {}
impersonation_level: {}
integrity_level: {}
integrity_level_name: {}
is_appcontainer: {}
privileges:
fields:
name: {}
enabled: {}
description: {}
sid: {}
type: {}
user: {}
parent:
fields:
args: {}
args_count: {}
command_line: {}
entity_id: {}
executable: {}
exit_code: {}
hash:
fields:
md5: {}
sha1: {}
sha256: {}
sha512: {}
name: {}
code_signature:
fields:
exists: {}
signing_id: {}
status: {}
subject_name: {}
team_id: {}
trusted: {}
valid: {}
pgid: {}
pid: {}
ppid: {}
start: {}
thread:
fields:
id: {}
name: {}
title: {}
uptime: {}
working_directory: {}
Ext:
fields:
real:
fields:
pid: {}
code_signature:
fields:
exists: {}
status: {}
subject_name: {}
trusted: {}
valid: {}
user:
fields:
domain: {}
email: {}
full_name: {}
hash: {}
id: {}
name: {}
group:
fields:
domain: {}
id: {}
name: {}
Ext:
fields:
real:
fields:
id: {}
name: {}
Ext:
fields:
real:
fields:
id: {}
name: {}
dns:
fields:
question:
fields:
name: {}
type: {}
registry:
fields:
path: {}
value: {}
data:
fields:
strings: {}