
Add Effective_process fields to malware events#751

Open
matthewh-elastic wants to merge 1 commit into main from matthew/vuln_driver

Conversation

@matthewh-elastic

Contributor

Change Summary

Add the following pre-existing fields to malware events:

  • Effective_process.entity_id
  • Effective_process.executable
  • Effective_process.name
  • Effective_process.pid

Sample document:

```json
{"@timestamp": "2026-06-24T17:37:12.014Z", "Effective_process": {"entity_id": "!BsbYzMR11p0y/54kQN3cIA", "executable": "C:\\pixi\\envs\\python\\python.exe", "name": "python.exe", "pid": 6948}, "Endpoint": {"policy": {"applied": {"artifacts": {"global": {"channel": "default", "identifiers": [{"name": "diagnostic-configuration-v1", "sha256": "b133c06e4283b5b22853a6cc2b21e72328409a047ccbeac23a1a71913c006809"}, {"name": "diagnostic-endpointpe-v4-blocklist", "sha256": "338eb3e0d0c2b7efcd291ca270a0a6188d3632a25c7a8dc5d020fdb44293e12f"}, {"name": "diagnostic-endpointpe-v4-exceptionlist", "sha256": "6e887b8d76b164e567f732af3a8e91c69a2545037d83cf682835edb3e4c04b8e"}, {"name": "diagnostic-endpointpe-v4-model", "sha256": "1e309b560540f76503f0b7bb4cedc4889e8516f103f6bece662c4cdfa4e83083"}, {"name": "diagnostic-malware-signature-v1-windows", "sha256": "760013f99851a0970084b131c557ae84eec0cc82b756e2406ea23956ee3c8af9"}, {"name": "diagnostic-ransomware-v1-windows", "sha256": "9636fb1bda16d4dc236d40d2aeb379f30d81276028e9b3048002e3ca6a83dfb5"}, {"name": "diagnostic-rules-windows-v1", "sha256": "ca3b3a84f09d4d091d3578d929cd5416e1a20e305fcf5807d23ff99340c27095"}, {"name": "endpointpe-v4-blocklist", "sha256": "36835c7031be9856f1b14660beaa9251c7972018f07aa8213c8b156533e98344"}, {"name": "endpointpe-v4-exceptionlist", "sha256": "7985447896617a30b4643247a5cd7e2c003a2a3e1b4d57e27cc615f255e042ac"}, {"name": "endpointpe-v4-model", "sha256": "6452b718ae142b74b02d1caa7f3546d35b52540eb268067f405ba946b18be712"}, {"name": "global-configuration-v1", "sha256": "52872a09380cceb9e4ae171b47a34703940372fb648e3f9afafd0d6866106681"}, {"name": "global-eventfilterlist-windows-v1", "sha256": "2a30e0a996468b99cf2bd71629713d866ba7c51c24aa54c57c467122c8d55ab4"}, {"name": "global-exceptionlist-windows", "sha256": "49a68499beb6f48b1703a7211557d9cf8fb96c1e0f2c123f72cd288b036a4b97"}, {"name": "global-trustlist-windows-v1", "sha256": "aaeab218a20828574c347e88ecb4eb411ffca9e8496c484327b2213f49e1dc9e"}, {"name": "production-malware-signature-v1-windows", "sha256": "501d50a3b8ead382a744566daace438514ebda9177743a5d6aed454888865443"}, {"name": "production-ransomware-v1-windows", "sha256": "e3efc40c7e3fc0a590a074011abf990ab120f9f182b3dbca7b32ee58d0e5c3aa"}, {"name": "production-rules-windows-v1", "sha256": "13dc031d9fc08f37d794488672621b15fbc7d27a82e6654cec8b44e56b8da3b4"}, {"name": "tamper-protection-config-v1", "sha256": "6fd383db741c2dbbd6f1a0d455c8461e9f78356cbb441c48c6c92e3429415a44"}], "manifest_type": "stable", "snapshot": "latest", "update_age": 0, "version": "X8KCGU1EUO"}, "user": {"identifiers": [{"name": "endpoint-blocklist-windows-v1", "sha256": "30ea237edf5678fc30adbcdd85c23bae501150e9c6a64a6b8cc7980cd606ed3a"}, {"name": "endpoint-eventfilterlist-windows-v1", "sha256": "6122af1927f4ab869c8281cb52079c956f49978fea62299af51778cec6441ec9"}, {"name": "endpoint-exceptionlist-windows-v1", "sha256": "d12789f634623786e0e72c13a22710afc4dc722f142003008a719b71b9b2164c"}, {"name": "endpoint-hostisolationexceptionlist-windows-v1", "sha256": "93c69c537542708e8e1e6eeaad63a818f1b64fb6e84fd06e07d142cb926457a4"}, {"name": "endpoint-trusteddevicelist-windows-v1", "sha256": "ca1f73fe84ce93d962dadc64d9c2c80e73b0f511dc2a741c40d781cc66b68419"}, {"name": "endpoint-trustlist-windows-v1", "sha256": "0c10a80c47b133248c1517fb0d517b8a387e61fdc392fb022ad069d3d09b926b"}], "version": "1.0.0"}}, "endpoint_policy_version": "eaf-policy-version", "id": "9a4bfc8d-4ea4-4c67-863e-cb19185db508", "name": "eaf-default-policy", "version": "YIR6ZV8O5B"}}}, "agent": {"build": {"original": "version: 9.5.0-SNAPSHOT, compiled: Wed Jun 24 15:00:00 2026, branch: HEAD, commit: 159d2c77ca30f197000f86e37b437b4fb3283267"}, "id": "20260624_165406_999857_bk-agent-prod-gcp-1782319371360201744_019efa85-6bd7-428e-a2e5-7ba1d2734f72", "type": "endpoint", "version": "9.5.0-SNAPSHOT"}, "data_stream": {"dataset": "endpoint.alerts", "namespace": "default", "type": "logs"}, "ecs": {"version": "8.10.0"}, "elastic": {"agent": {"id": "20260624_165406_999857_bk-agent-prod-gcp-1782319371360201744_019efa85-6bd7-428e-a2e5-7ba1d2734f72"}}, "event": {"action": "load", "category": ["malware", "intrusion_detection", "driver"], "code": "malicious_file", "created": "2026-06-24T17:37:12.014Z", "dataset": "endpoint.alerts", "id": "OXkJc5p0K7v23xTm+++++906", "kind": "alert", "module": "endpoint", "outcome": "success", "risk_score": 99, "sequence": 2915, "severity": 99, "type": ["info", "allowed"]}, "file": {"Ext": {"code_signature": [{"exists": true, "status": "trusted", "subject_name": "Microsoft Windows Hardware Compatibility Publisher", "trusted": true}], "malware_classification": {"identifier": "endpointpe-v4-model", "score": 0.0009017530828714371, "threshold": 0.58, "version": "4.0.68000"}, "malware_signature": {"all_names": "Windows.VulnDriver.ProcExp", "identifier": "production-malware-signature-v1-windows", "primary": {"matches": ["TwByAGkAZwBpAG4AYQBsAEYAaQBsAGUAbgBhAG0AZQAAAHAAcgBvAGMAZQB4AHAALgBTAHkAcwAAAA==", "VgBTAF8AVgBFAFIAUwBJAE8ATgBfAEkATgBGAE8AAAAAAFx4YmQEXHhlZlx4ZmUAAAEAIAAQAAAAAAA="], "signature": {"hash": {"sha256": "b06d9e07aebfe4acadb717f7a8534feb6863b0649cd10fbbf9b53587a855ea01"}, "id": "aeb4e5c0-5ed5-4ecf-95a5-a741c105f02f", "name": "Windows.VulnDriver.ProcExp"}}, "secondary": [], "version": "1.0.68"}, "temp_file_path": ""}, "accessed": "2026-06-24T17:36:58.849Z", "code_signature": {"exists": true, "status": "trusted", "subject_name": "Microsoft Windows Hardware Compatibility Publisher", "trusted": true}, "created": "2026-06-24T17:36:58.849Z", "directory": "C:\\_\\Python", "drive_letter": "C", "extension": "sys", "hash": {"sha256": "cdfbe62ef515546f1728189260d0bdf77167063b6dbb77f1db6ed8b61145a2bc"}, "mtime": "2026-06-24T17:36:58.849Z", "name": "kph.sys", "owner": "Administrators", "path": "C:\\_\\Python\\kph.sys", "pe": {"architecture": "x64", "company": "Sysinternals - www.sysinternals.com", "description": "Process Explorer", "file_version": "16.32", "original_file_name": "procexp.Sys", "product": "Process Explorer"}, "size": 36200}, "host": {"architecture": "x86_64", "hostname": "bk-agent-prod-gcp-1782319371360201744", "id": "dabadaba-0000-0000-0000-000000000000", "ip": ["10.75.0.218", "fe80::a5da:e7e8:5ebf:aeae", "127.0.0.1", "::1"], "mac": ["42-01-0a-4b-00-da"], "name": "bk-agent-prod-gcp-1782319371360201744", "os": {"Ext": {"variant": "Windows 11 Enterprise"}, "family": "windows", "full": "Windows 11 Enterprise 24H2 (10.0.26100.7840)", "kernel": "24H2 (10.0.26100.7840)", "name": "Windows", "platform": "windows", "type": "windows", "version": "24H2 (10.0.26100.7840)"}}, "message": "Malware Detection Alert: Windows.VulnDriver.ProcExp", "process": {"Ext": {"ancestry": ["!fCmrro3m7LpL9hAsxcuR1A"], "architecture": "x86_64", "protection": "PsProtectedSignerWinSystem", "token": {"domain": "NT AUTHORITY", "elevation": true, "elevation_type": "default", "integrity_level_name": "system", "sid": "S-1-5-18", "user": "SYSTEM"}, "user": "SYSTEM"}, "command_line": "", "entity_id": "xhk0n1y71xpH1jTsCB8GPQ", "executable": "", "name": "System", "parent": {"Ext": {"architecture": "unknown", "protection": "", "user": ""}, "command_line": "", "entity_id": "!fCmrro3m7LpL9hAsxcuR1A", "executable": "", "name": "System Idle Process", "pid": 0, "ppid": 0, "start": "2026-06-24T16:43:57.255Z", "uptime": 3195}, "pe": {}, "pid": 4, "start": "2026-06-24T16:43:57.255Z", "uptime": 3195}, "rule": {"id": "aeb4e5c0-5ed5-4ecf-95a5-a741c105f02f", "name": "Windows.VulnDriver.ProcExp", "ruleset": "production"}, "user": {"domain": "NT AUTHORITY", "name": "SYSTEM"}}
```
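In the sample document above the acting `process` is System (pid 4), because the kernel performs the driver load, while the user-mode requester is only visible in the new `Effective_process` fields. The following added example (not code from this PR or from Elastic) shows how a triage step would attribute such an alert to the requester when those fields are present and fall back to `process` when they are not; the sample alert is constructed from a trimmed subset of the document's values.

```python
"""Attribute an Elastic Endpoint driver-load alert to the process that
requested the load. Added example, not code from the PR or from Elastic."""
from typing import Any, Dict, Optional

# Constructed sample alert: a trimmed subset of the PR's sample document,
# keeping only the fields this example reads.
SAMPLE_ALERT: Dict[str, Any] = {
    "event": {"action": "load", "type": ["info", "allowed"]},
    "Effective_process": {
        "entity_id": "!BsbYzMR11p0y/54kQN3cIA",
        "executable": "C:\\pixi\\envs\\python\\python.exe",
        "name": "python.exe",
        "pid": 6948,
    },
    "process": {"entity_id": "xhk0n1y71xpH1jTsCB8GPQ", "name": "System", "pid": 4},
    "file": {
        "path": "C:\\_\\Python\\kph.sys",
        "Ext": {"malware_signature": {"all_names": "Windows.VulnDriver.ProcExp"}},
    },
}


def responsible_process(alert: Dict[str, Any]) -> Dict[str, Any]:
    """Pick the process to attribute the alert to and record why.

    Effective_process (the requester) wins when it is populated and is a
    different process from the actor; otherwise fall back to `process`.
    """
    eff: Optional[Dict[str, Any]] = alert.get("Effective_process")
    actor: Dict[str, Any] = alert.get("process", {})
    if eff and eff.get("entity_id") and eff["entity_id"] != actor.get("entity_id"):
        return {"source": "Effective_process", **eff}
    return {"source": "process", **actor}


def triage_summary(alert: Dict[str, Any]) -> Dict[str, Any]:
    """Build a compact triage record for a driver-load malware alert."""
    who = responsible_process(alert)
    event = alert.get("event", {})
    sig = alert.get("file", {}).get("Ext", {}).get("malware_signature", {})
    return {
        "requester_name": who.get("name"),
        "requester_pid": who.get("pid"),
        "attribution_source": who["source"],
        "driver_path": alert.get("file", {}).get("path"),
        "signature": sig.get("all_names"),
        # ECS event.type "allowed" on a "load" action means the driver was
        # actually loaded, i.e. the alert was detection-only, not prevention.
        "load_completed": event.get("action") == "load"
        and "allowed" in event.get("type", []),
    }
```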

@matthewh-elastic matthewh-elastic requested review from a team as code owners July 2, 2026 10:02

@tomsonpl tomsonpl left a comment


LGTM 👍

```yaml
group: 2
description: 'These fields contain information about an effective process.

The effective process is the process that requested the a specific action, without directly performing it.
```

Contributor


typo: requested the/a specific

Contributor Author


Thanks for the review @tomsonpl!

This is a pre-existing issue:

The effective process is the process that requested the a specific action, without directly performing it.

Should we update the string in this PR and rebuild everything, or leave it as-is?

@matthewh-elastic matthewh-elastic enabled auto-merge (squash) July 2, 2026 11:54