diff --git a/packages/eset_protect/changelog.yml b/packages/eset_protect/changelog.yml
index 457a1987535..89a68de150a 100644
--- a/packages/eset_protect/changelog.yml
+++ b/packages/eset_protect/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.6.1"
+ changes:
+ - description: Add missing field support.
+ type: bugfix
+ link: https://github.com/elastic/integrations/pull/12934
 - version: "1.6.0"
 changes:
 - description: Update Kibana constraint to support 9.0.0.
diff --git a/packages/eset_protect/data_stream/event/_dev/test/pipeline/test-event.log b/packages/eset_protect/data_stream/event/_dev/test/pipeline/test-event.log
index 68ed05019f7..3a748d5bc28 100644
--- a/packages/eset_protect/data_stream/event/_dev/test/pipeline/test-event.log
+++ b/packages/eset_protect/data_stream/event/_dev/test/pipeline/test-event.log
@@ -22,3 +22,4 @@
 {"event_type":"FirewallAggregated_Event","ipv4":"1.128.0.5","hostname":"machine4","source_uuid":"c539dbdf-2063-477b-81d7-8081a6f7a080","occured":"12-Mar-2024 11:00:26","severity":"Fatal","event":"Web threat","source_address":"192.168.30.32","source_address_type":"IPv4","source_port":37966,"target_address":"1.128.0.5","target_address_type":"IPv4","target_port":49677,"protocol":"TCP","account":"NT AUTHORITY\\SYSTEM","process_name":"C:\\Windows\\System32\\lsass.exe","inbound":true,"threat_name":"RPC/Exploit.CVE-2020-1472","aggregate_count":1}
 {"event_type":"Threat_Event","ipv4":"192.168.30.31","hostname":"machine5","source_uuid":"f193d96b-cbd8-4402-94fc-6993efc30b11","occured":"11-Mar-2024 05:56:58","severity":"Warning","threat_type":"Trojan","threat_name":"LNK/Agent.BZ","scanner_id":"Real-time file system protection","scan_id":"virlog.dat","engine_version":"28873 (20240310)","object_type":"File","object_uri":"file:///E:/Removable Drive (1GB).lnk","action_taken":"Cleaned by deleting","threat_handled":true,"need_restart":false,"username":"machine5\\Administrator","processname":"C:\\Windows\\explorer.exe","circumstances":"Event occurred during an attempt to access the file.","firstseen":"28-Jul-2021 07:20:55","hash":"1A45EBA0F9EF909E6F3C87B0D5CEDAD27BDB6CF2"}
 {"event_type":"Threat_Event","ipv4":"192.168.112.128","ipv6":"","hostname":"kate-ebademo","source_uuid":"16b429cb-c064-4a31-98ba-62fff54f0c96","os_name":"Microsoft Windows 11 Pro","occured":"27-Mar-2024 09:54:20","group_name":"All","group_description":"","severity":"Warning","threat_type":"Trojan","threat_name":"VBS\/TrojanDownloader.Agent.YUI","threat_flags":"","scanner_id":"Script scanner","scan_id":"virlog.dat","engine_version":"28962 (20240327)","object_type":"File","object_uri":"script","action_taken":"Blocked","action_error":"","threat_handled":"true","need_restart":"false","username":"KATE-EBADEMO\\Kate","processname":"PowerShell_C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe_10.0.22621.1","circumstances":"","firstseen":"","hash":"22B9B35A804A7A3739CBD007E00959075AECF0FC"}
+{"event_type":"ESET Inspect Alert","ipv4":"10.0.0.47","ipv6":"","hostname":"wsu-pf3r12l5","source_uuid":"08764ed7-7480-482a-8eaa-da8e2084fe22","os_name":"Microsoft Windows 11 Business","occured":"25-Feb-2025 13:57:46","group_name":"All","group_description":"","severity":"Information","processname":"%SYSTEM%\\taskkill.exe","username":"nt authority\\local service","rulename":"Processes killing from command line [B0401]","count":"1","eiconsolelink":"https://inspect.eset.com:443/console/detection/993374","resolved":"","hash":"912DC85EAFCE7FC20247715ADC5ACB4C43555BC8","computer_severity_score":"20","severity_score":"34","trigger_event":"%SYSTEM%\\cmd.exe","command_line":"/PID 21288 /F","detection_uuid":"3f3f5a5a-87de-49f2-adaf-e2158d8666a7"}
diff --git a/packages/eset_protect/data_stream/event/_dev/test/pipeline/test-event.log-expected.json b/packages/eset_protect/data_stream/event/_dev/test/pipeline/test-event.log-expected.json
index 5f00d7d9a89..71339468c12 100644
--- a/packages/eset_protect/data_stream/event/_dev/test/pipeline/test-event.log-expected.json
+++ b/packages/eset_protect/data_stream/event/_dev/test/pipeline/test-event.log-expected.json
@@ -2272,6 +2272,88 @@
 "domain": "KATE-EBADEMO",
 "name": "Kate"
 }
+ },
+ {
+ "@timestamp": "2025-02-25T13:57:46.000Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "eset_protect": {
+ "event": {
+ "command_line": "/PID 21288 /F",
+ "computer_severity_score": 20,
+ "count": 1,
+ "detection_uuid": "3f3f5a5a-87de-49f2-adaf-e2158d8666a7",
+ "eiconsolelink": "https://inspect.eset.com:443/console/detection/993374",
+ "group_name": "All",
+ "hash": "912DC85EAFCE7FC20247715ADC5ACB4C43555BC8",
+ "hostname": "wsu-pf3r12l5",
+ "ipv4": "10.0.0.47",
+ "is_handled": false,
+ "occured": "2025-02-25T13:57:46.000Z",
+ "os_name": "Microsoft Windows 11 Business",
+ "processname": "%SYSTEM%\\taskkill.exe",
+ "rulename": "Processes killing from command line [B0401]",
+ "severity": "Information",
+ "severity_score": 34,
+ "source_uuid": "08764ed7-7480-482a-8eaa-da8e2084fe22",
+ "trigger_event": "%SYSTEM%\\cmd.exe",
+ "type": "ESET Inspect Alert",
+ "username": "nt authority\\local service"
+ }
+ },
+ "event": {
+ "kind": "alert",
+ "original": "{\"event_type\":\"ESET Inspect Alert\",\"ipv4\":\"10.0.0.47\",\"ipv6\":\"\",\"hostname\":\"wsu-pf3r12l5\",\"source_uuid\":\"08764ed7-7480-482a-8eaa-da8e2084fe22\",\"os_name\":\"Microsoft Windows 11 Business\",\"occured\":\"25-Feb-2025 13:57:46\",\"group_name\":\"All\",\"group_description\":\"\",\"severity\":\"Information\",\"processname\":\"%SYSTEM%\\\\taskkill.exe\",\"username\":\"nt authority\\\\local service\",\"rulename\":\"Processes killing from command line [B0401]\",\"count\":\"1\",\"eiconsolelink\":\"https://inspect.eset.com:443/console/detection/993374\",\"resolved\":\"\",\"hash\":\"912DC85EAFCE7FC20247715ADC5ACB4C43555BC8\",\"computer_severity_score\":\"20\",\"severity_score\":\"34\",\"trigger_event\":\"%SYSTEM%\\\\cmd.exe\",\"command_line\":\"/PID 21288 /F\",\"detection_uuid\":\"3f3f5a5a-87de-49f2-adaf-e2158d8666a7\"}",
+ "reference": "https://inspect.eset.com:443/console/detection/993374",
+ "severity": 34,
+ "type": [
+ "info"
+ ]
+ },
+ "group": {
+ "name": "All"
+ },
+ "host": {
+ "hostname": "wsu-pf3r12l5",
+ "id": "08764ed7-7480-482a-8eaa-da8e2084fe22",
+ "ip": [
+ "10.0.0.47"
+ ],
+ "name": "wsu-pf3r12l5",
+ "os": {
+ "name": "Microsoft Windows 11 Business"
+ }
+ },
+ "process": {
+ "executable": "%SYSTEM%\\taskkill.exe",
+ "name": "taskkill.exe"
+ },
+ "related": {
+ "hash": [
+ "912dc85eafce7fc20247715adc5acb4c43555bc8"
+ ],
+ "hosts": [
+ "wsu-pf3r12l5",
+ "08764ed7-7480-482a-8eaa-da8e2084fe22"
+ ],
+ "ip": [
+ "10.0.0.47"
+ ],
+ "user": [
+ "nt authority\\local service"
+ ]
+ },
+ "rule": {
+ "name": "Processes killing from command line [B0401]"
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ],
+ "user": {
+ "name": "nt authority\\local service"
+ }
 }
 ]
-}
\ No newline at end of file
+}
diff --git a/packages/eset_protect/data_stream/event/elasticsearch/ingest_pipeline/default.yml b/packages/eset_protect/data_stream/event/elasticsearch/ingest_pipeline/default.yml
index de5122c0f4c..0346b656675 100644
--- a/packages/eset_protect/data_stream/event/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/eset_protect/data_stream/event/elasticsearch/ingest_pipeline/default.yml
@@ -385,6 +385,16 @@ processors:
 tag: rename_event
 target_field: eset_protect.event.name
 ignore_missing: true
+ - rename:
+ field: json.trigger_event
+ tag: rename_trigger_event
+ target_field: eset_protect.event.trigger_event
+ ignore_missing: true
+ - rename:
+ field: json.detection_uuid
+ tag: rename_detection_uuid
+ target_field: eset_protect.event.detection_uuid
+ ignore_missing: true
 - set:
 field: message
 tag: set_message_from_event_name
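Review bot: The new ESET Inspect Alert document keeps the argument string only under `eset_protect.event.command_line`; its `process` object carries `executable` and `name` but no `process.command_line` or `process.args`, so the value cannot be searched alongside process data from other sources. The same gap is in the `@@ -527,6 +537,11 @@` hunk of default.yml, where `rename_command_line` is added right after `set_process_executable_from_event_processname` without a matching `set` into the ECS `process` namespace; a `set` with `copy_from: eset_protect.event.command_line` and `ignore_empty_value: true`, mirroring the executable processor, would close it. The sample value `/PID 21288 /F` appears to hold the arguments without the executable, so whether `process.args` or `process.command_line` is the right target should be confirmed against ESET's export format before this is wired up.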
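Review bot: `rename_detection_uuid` lands the detection identifier only in `eset_protect.event.detection_uuid`, and the expected document for the new sample has no `event.id`, so analysts cannot dedupe or pivot on the ECS identifier for Inspect alerts. If nothing else in the pipeline already populates `event.id` for this event type (the rest of the processor list is outside the hunk), a `set` with `field: event.id`, `copy_from: eset_protect.event.detection_uuid` and `ignore_empty_value: true` placed after this rename would give the ECS field the same value. `rename_trigger_event` is consistent with the surrounding rename processors.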
@@ -527,6 +537,11 @@ processors:
 tag: set_process_executable_from_event_processname
 copy_from: eset_protect.event.processname
 ignore_empty_value: true
+ - rename:
+ field: json.command_line
+ tag: rename_command_line
+ target_field: eset_protect.event.command_line
+ ignore_missing: true
 - grok:
 field: eset_protect.event.processname
 tag: grok_processname
diff --git a/packages/eset_protect/data_stream/event/fields/fields.yml b/packages/eset_protect/data_stream/event/fields/fields.yml
index ddd7ea147cc..2d18712c5e7 100644
--- a/packages/eset_protect/data_stream/event/fields/fields.yml
+++ b/packages/eset_protect/data_stream/event/fields/fields.yml
@@ -30,6 +30,9 @@
 - name: computer_severity_score
 type: long
 description: Computer severity score associated with the event.
+ - name: command_line
+ type: keyword
+ description: Command line of process which triggered detection.
 - name: count
 type: long
 description: Number of alerts of this type generated since last alarm.
@@ -39,6 +42,9 @@
 - name: detail
 type: keyword
 description: Detailed description of the action.
+ - name: detection_uuid
+ type: keyword
+ description: A detection's unique identifier can be used to query details via ESET CONNECT API.
 - name: domain
 type: keyword
 description: Audit log domain.
@@ -165,6 +171,9 @@
 - name: threat_type
 type: keyword
 description: Type of detection.
+ - name: trigger_event
+ type: keyword
+ description: Description of event which triggered detection.
 - name: type
 type: keyword
 description: Type of exported events.
diff --git a/packages/eset_protect/docs/README.md b/packages/eset_protect/docs/README.md
index 8b19005369b..fad72ef8890 100644
--- a/packages/eset_protect/docs/README.md
+++ b/packages/eset_protect/docs/README.md
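Review bot: The `command_line` description in the `@@ -30,6 +30,9 @@` hunk of fields.yml says `Command line of process which triggered detection.`, but the only fixture sample (`/PID 21288 /F`) carries the arguments without the executable, and `trigger_event` in the `@@ -165,6 +171,9 @@` hunk is described as `Description of event which triggered detection.` while its sample value is a process path (`%SYSTEM%\cmd.exe`). If ESET's export confirms those shapes, wording such as `Arguments of the command line of the process which triggered the detection.` and `Process or event which triggered the detection.` would describe the fields more accurately. The `detection_uuid` description in the `@@ -39,6 +42,9 @@` hunk reads as a fragment; `Unique identifier of the detection; can be used to query details via the ESET Connect API.` reads more cleanly. The README rows in the docs hunk repeat these descriptions verbatim and would need the same wording.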
@@ -570,10 +570,12 @@ An example event for `event` looks as following:
 | eset_protect.event.application | Application name associated with the event. | keyword |
 | eset_protect.event.cause | | keyword |
 | eset_protect.event.circumstances | Short description of what caused the event. | keyword |
+| eset_protect.event.command_line | Command line of process which triggered detection. | keyword |
 | eset_protect.event.computer_severity_score | Computer severity score associated with the event. | long |
 | eset_protect.event.count | Number of alerts of this type generated since last alarm. | long |
 | eset_protect.event.description | Description of the blocked file. | keyword |
 | eset_protect.event.detail | Detailed description of the action. | keyword |
+| eset_protect.event.detection_uuid | A detection's unique identifier can be used to query details via ESET CONNECT API. | keyword |
 | eset_protect.event.domain | Audit log domain. | keyword |
 | eset_protect.event.eialarmid | ID sub-part of the alarm link ($1 in ^http.\*/alarm/([0-9]+)$). | keyword |
 | eset_protect.event.eiconsolelink | Link to the alarm in ESET Inspect console. | keyword |
@@ -616,6 +618,7 @@ An example event for `event` looks as following:
 | eset_protect.event.threat_handled | Indicates whether or not the detection was handled. | boolean |
 | eset_protect.event.threat_name | Name of the detection. | keyword |
 | eset_protect.event.threat_type | Type of detection. | keyword |
+| eset_protect.event.trigger_event | Description of event which triggered detection. | keyword |
 | eset_protect.event.type | Type of exported events. | keyword |
 | eset_protect.event.username | Name of the user account associated with the event. | keyword |
 | event.dataset | Event dataset. | constant_keyword |
diff --git a/packages/eset_protect/manifest.yml b/packages/eset_protect/manifest.yml
index a503d85f361..25ccbf9ab12 100644
--- a/packages/eset_protect/manifest.yml
+++ b/packages/eset_protect/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.0.3
 name: eset_protect
 title: ESET PROTECT
-version: "1.6.0"
+version: "1.6.1"
 description: Collect logs from ESET PROTECT with Elastic Agent.
 type: integration
 categories: