custom_subsets/elastic_endpoint/alerts/memory_protection_event.yaml (829 lines of code) (raw):

--- name: memory_protection_event fields: # these fields are needed in the mapping so the maps page of the security app does not throw a bunch of errors source: fields: geo: fields: "*" destination: fields: geo: fields: "*" base: fields: "@timestamp": {} "message": {} data_stream: fields: "*" agent: fields: ephemeral_id: {} id: {} name: {} type: {} version: {} dll: fields: &dll-fields name: {} path: {} hash: fields: md5: {} sha1: {} sha256: {} sha512: {} pe: fields: &pe-fields company: {} description: {} file_version: {} imphash: {} original_file_name: {} product: {} code_signature: fields: exists: {} signing_id: {} status: {} subject_name: {} team_id: {} trusted: {} valid: {} Ext: fields: mapped_address: {} mapped_size: {} compile_time: {} code_signature: fields: exists: {} status: {} subject_name: {} trusted: {} valid: {} ecs: fields: version: {} event: fields: action: {} category: {} created: {} code: {} dataset: {} hash: {} id: {} ingested: {} kind: {} module: {} outcome: {} provider: {} sequence: {} severity: {} type: {} Endpoint: fields: policy: fields: applied: fields: id: {} status: {} version: {} name: {} artifacts: fields: "*" elastic: fields: agent: fields: id: {} rule: fields: author: {} category: {} description: {} id: {} license: {} name: {} reference: {} ruleset: {} uuid: {} version: {} threat: fields: enrichments: fields: indicator: fields: file: fields: code_signature: fields: exists: {} signing_id: {} status: {} subject_name: {} team_id: {} trusted: {} valid: {} accessed: {} attributes: {} created: {} ctime: {} device: {} directory: {} drive_letter: {} elf: fields: "*" extension: {} gid: {} group: {} hash: fields: md5: {} sha1: {} sha256: {} sha512: {} ssdeep: {} inode: {} mime_type: {} mode: {} mtime: {} name: {} owner: {} path: {} pe: fields: architecture: {} company: {} description: {} file_version: {} imphash: {} original_file_name: {} product: {} size: {} target_path: {} type: {} uid: {} Ext: fields: code_signature: fields: exists: {} status: {} subject_name: {} trusted: {} valid: {} device: fields: bus_type: {} dos_name: {} nt_name: {} product_id: {} serial_number: {} vendor_id: {} entropy: {} entry_modified: {} header_bytes: {} header_data: {} malware_classification: fields: features: fields: data: fields: buffer: {} decompressed_size: {} encoding: {} identifier: {} score: {} threshold: {} upx_packed: {} version: {} malware_signature: fields: all_names: {} identifier: {} primary: fields: matches: {} signature: fields: hash: fields: sha256: {} id: {} name: {} secondary: {} version: {} monotonic_id: {} original: fields: gid: {} group: {} mode: {} name: {} owner: {} path: {} uid: {} quarantine_message: {} quarantine_path: {} quarantine_result: {} temp_file_path: {} windows: fields: zone_identifier: {} first_seen: {} last_seen: {} geo: fields: city_name: {} continent_code: {} continent_name: {} country_iso_code: {} country_name: {} location: {} name: {} postal_code: {} region_iso_code: {} region_name: {} timezone: {} ip: {} marking: fields: tlp: {} modified_at: {} port: {} provider: {} reference: {} registry: fields: data: fields: bytes: {} strings: {} type: {} hive: {} key: {} path: {} value: {} scanner_stats: {} sightings: {} type: {} url: fields: domain: {} extension: {} fragment: {} full: {} original: {} password: {} path: {} port: {} query: {} registered_domain: {} scheme: {} subdomain: {} top_level_domain: {} username: {} x509: fields: "*" matched: fields: atomic: {} field: {} id: {} index: {} type: {} framework: {} group: fields: "*" indicator: fields: as: fields: number: {} organization: fields: name: {} confidence: {} description: {} email: fields: address: {} file: fields: Ext: fields: code_signature: fields: exists: {} status: {} subject_name: {} trusted: {} valid: {} device: fields: bus_type: {} dos_name: {} nt_name: {} product_id: {} serial_number: {} vendor_id: {} entropy: {} entry_modified: {} header_bytes: {} header_data: {} malware_classification: fields: features: fields: data: fields: buffer: {} decompressed_size: {} encoding: {} identifier: {} score: {} threshold: {} upx_packed: {} version: {} malware_signature: fields: all_names: {} identifier: {} primary: fields: matches: {} signature: fields: hash: fields: sha256: {} id: {} name: {} secondary: {} version: {} monotonic_id: {} original: fields: gid: {} group: {} mode: {} name: {} owner: {} path: {} uid: {} quarantine_message: {} quarantine_path: {} quarantine_result: {} temp_file_path: {} windows: fields: zone_identifier: {} accessed: {} attributes: {} code_signature: fields: exists: {} signing_id: {} status: {} subject_name: {} team_id: {} trusted: {} valid: {} created: {} ctime: {} device: {} directory: {} drive_letter: {} elf: fields: "*" extension: {} gid: {} group: {} hash: fields: md5: {} sha1: {} sha256: {} sha512: {} ssdeep: {} inode: {} mime_type: {} mode: {} mtime: {} name: {} owner: {} path: {} pe: fields: architecture: {} company: {} description: {} file_version: {} imphash: {} original_file_name: {} product: {} size: {} target_path: {} type: {} uid: {} first_seen: {} geo: fields: "*" ip: {} last_seen: {} marking: fields: tlp: {} modified_at: {} port: {} provider: {} reference: {} registry: fields: "*" scanner_stats: {} sightings: {} type: {} url: fields: domain: {} extension: {} fragment: {} full: {} original: {} password: {} path: {} port: {} query: {} registered_domain: {} scheme: {} subdomain: {} top_level_domain: {} username: {} x509: fields: "*" software: fields: id: {} name: {} platforms: {} reference: {} type: {} tactic: fields: "*" technique: fields: "*" host: fields: architecture: {} domain: {} hostname: {} id: {} ip: {} mac: {} name: {} type: {} uptime: {} geo: fields: "*" os: fields: family: {} full: {} kernel: {} name: {} platform: {} version: {} type: {} Ext: fields: variant: {} user: fields: domain: {} email: {} full_name: {} hash: {} id: {} name: {} Ext: fields: real: fields: id: {} name: {} group: fields: Ext: fields: real: fields: id: {} name: {} domain: {} id: {} name: {} group: fields: domain: {} id: {} name: {} Ext: fields: real: fields: id: {} name: {} process: fields: &process-fields args: {} args_count: {} command_line: {} entity_id: {} executable: {} exit_code: {} hash: fields: md5: {} sha1: {} sha256: {} sha512: {} name: {} pe: fields: company: {} description: {} file_version: {} imphash: {} original_file_name: {} product: {} pgid: {} pid: {} ppid: {} start: {} thread: fields: id: {} name: {} Ext: fields: call_stack: enabled: false fields: module_path: {} module_name: {} instruction_pointer: {} memory_section: fields: memory_address: {} memory_size: {} protection: {} symbol_info: {} rva: {} call_stack_summary: {} call_stack_final_user_module: fields: name: {} path: {} code_signature: fields: exists: {} status: {} subject_name: {} trusted: {} valid: {} hash: fields: sha256: {} hardware_breakpoint_set: {} parameter: {} parameter_bytes_compressed: {} parameter_bytes_compressed_present: {} start: {} start_address: {} start_address_module: {} start_address_allocation_offset: {} start_address_bytes: {} start_address_bytes_disasm: {} start_address_bytes_disasm_hash: {} original_start_address: {} original_start_address_module: {} original_start_address_allocation_offset: {} original_start_address_bytes: {} original_start_address_bytes_disasm: {} original_start_address_bytes_disasm_hash: {} service: {} token: fields: domain: {} elevation: {} elevation_type: {} impersonation_level: {} integrity_level: {} integrity_level_name: {} is_appcontainer: {} privileges: fields: name: {} enabled: {} description: {} sid: {} type: {} user: {} uptime: {} title: {} uptime: {} working_directory: {} code_signature: fields: exists: {} signing_id: {} status: {} subject_name: {} team_id: {} trusted: {} valid: {} Ext: fields: ancestry: {} architecture: {} authentication_id: {} dll: fields: *dll-fields services: {} session: {} user: {} code_signature: fields: exists: {} status: {} subject_name: {} trusted: {} valid: {} protection: {} token: fields: domain: {} elevation: {} elevation_type: {} impersonation_level: {} integrity_level: {} integrity_level_name: {} is_appcontainer: {} privileges: fields: name: {} enabled: {} description: {} sid: {} type: {} user: {} memory_region: fields: allocation_base: {} allocation_protection: {} allocation_size: {} allocation_type: {} bytes_address: {} bytes_allocation_offset: {} bytes_compressed: {} bytes_compressed_present: {} malware_signature: fields: all_names: {} identifier: {} primary: fields: signature: fields: id: {} name: {} hash: fields: sha256: {} matches: {} version: {} mapped_path: {} mapped_pe: fields: *pe-fields mapped_pe_detected: {} memory_pe: fields: *pe-fields memory_pe_detected: {} region_base: {} region_protection: {} region_size: {} region_start_bytes: {} region_state: {} strings: {} parent: fields: args: {} args_count: {} command_line: {} entity_id: {} executable: {} exit_code: {} hash: fields: md5: {} sha1: {} sha256: {} sha512: {} name: {} pe: fields: company: {} description: {} file_version: {} imphash: {} original_file_name: {} product: {} pgid: {} pid: {} ppid: {} start: {} thread: fields: id: {} name: {} title: {} uptime: {} working_directory: {} code_signature: fields: exists: {} signing_id: {} status: {} subject_name: {} team_id: {} trusted: {} valid: {} Ext: fields: architecture: {} real: fields: pid: {} code_signature: fields: exists: {} status: {} subject_name: {} trusted: {} valid: {} dll: fields: *dll-fields protection: {} token: fields: domain: {} elevation: {} elevation_type: {} impersonation_level: {} integrity_level: {} integrity_level_name: {} is_appcontainer: {} privileges: fields: name: {} enabled: {} description: {} sid: {} type: {} user: {} user: {} user: fields: domain: {} email: {} full_name: {} hash: {} id: {} name: {} group: fields: domain: {} id: {} name: {} Ext: fields: real: fields: id: {} name: {} Ext: fields: real: fields: id: {} name: {} Target: fields: process: fields: *process-fields Memory_protection: fields: "*"