From a7bdb0b4565ef34fefdf6d7c277f00bf95ff2881 Mon Sep 17 00:00:00 2001 
From: Aleksandr Maus Date: Mon, 24 Feb 2020 12:46:59 -0500 Subject: [PATCH] EQL: Add integration tests harness to test EQL feature parity with original implementation (#52248) (#52675) The tests use the original test queries from https://github.com/endgameinc/eql/blob/master/eql/etc/test_queries.toml for EQL implementation correctness validation. The file test_queries_unsupported.toml serves as a "blacklist" for the queries that we do not support. Currently all of the queries are blacklisted. Over the time the expectation is to eventually have an empty "blacklist" when all of the queries are fully supported. The tests use the original test vector from https://raw.githubusercontent.com/endgameinc/eql/master/eql/etc/test_data.json. Only one EQL and the response is stubbed for now to match the expected output from that query. This part would need some tweaking after EQL is fully wired. Related to https://github.com/elastic/elasticsearch/issues/49581 --- .../java/org/elasticsearch/client/EqlIT.java | 6 +- x-pack/plugin/eql/build.gradle | 34 +- .../rest-api-spec/test/eql/10_basic.yml | 2 +- .../eql/action/EqlSearchRequestBuilder.java | 58 + .../xpack/eql/action/EqlSearchResponse.java | 46 +- .../xpack/eql/plugin/EqlPlugin.java | 41 +- .../eql/plugin/TransportEqlSearchAction.java | 29 +- .../elasticsearch/xpack/eql/EqlTestUtils.java | 23 +- .../eql/action/AbstractEqlIntegTestCase.java | 41 + .../xpack/eql/action/EqlActionIT.java | 113 + .../xpack/eql/action/EqlSpec.java | 86 + .../xpack/eql/action/EqlSpecLoader.java | 82 + .../eql/action/LocalStateEqlXPackPlugin.java | 28 + .../xpack/eql/plugin/EqlPluginTests.java | 5 +- .../eql/src/test/resources/test_data.json | 2080 +++++++++++++++++ .../eql/src/test/resources/test_queries.toml | 1298 ++++++++++ .../resources/test_queries_unsupported.toml | 1309 +++++++++++ 17 files changed, 5178 insertions(+), 103 deletions(-) create mode 100644 
x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchRequestBuilder.java create mode 100644 x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/AbstractEqlIntegTestCase.java create mode 100644 x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlActionIT.java create mode 100644 x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlSpec.java create mode 100644 x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlSpecLoader.java create mode 100644 x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/LocalStateEqlXPackPlugin.java create mode 100644 x-pack/plugin/eql/src/test/resources/test_data.json create mode 100644 x-pack/plugin/eql/src/test/resources/test_queries.toml create mode 100644 x-pack/plugin/eql/src/test/resources/test_queries_unsupported.toml diff --git a/client/rest-high-level/src/test/java/org/elasticsearch/client/EqlIT.java b/client/rest-high-level/src/test/java/org/elasticsearch/client/EqlIT.java index c887e5459bc..8dff2b3fabd 100644 --- a/client/rest-high-level/src/test/java/org/elasticsearch/client/EqlIT.java +++ b/client/rest-high-level/src/test/java/org/elasticsearch/client/EqlIT.java @@ -40,9 +40,9 @@ public class EqlIT extends ESRestHighLevelClientTestCase { assertNotNull(response); assertFalse(response.isTimeout()); assertNotNull(response.hits()); - assertNull(response.hits().events()); + assertNull(response.hits().sequences()); assertNull(response.hits().counts()); - assertNotNull(response.hits().sequences()); - assertThat(response.hits().sequences().size(), equalTo(2)); + assertNotNull(response.hits().events()); + assertThat(response.hits().events().size(), equalTo(1)); } } diff --git a/x-pack/plugin/eql/build.gradle b/x-pack/plugin/eql/build.gradle index 541c22fe52d..528139f34cf 100644 --- a/x-pack/plugin/eql/build.gradle +++ b/x-pack/plugin/eql/build.gradle 
@@ -17,6 +17,18 @@ ext { archivesBaseName = 'x-pack-eql' +// All integration tests live in qa modules +integTest.enabled = false + +// Instead we create a separate task to run the tests based on ESIntegTestCase +task internalClusterTest(type: Test) { + mustRunAfter test + include '**/*IT.class' + systemProperty 'es.set.netty.runtime.available.processors', 'false' +} + +check.dependsOn internalClusterTest + dependencies { compileOnly project(path: xpackModule('core'), configuration: 'default') compileOnly(project(':modules:lang-painless')) { @@ -31,21 +43,17 @@ dependencies { testCompile project(path: ':modules:reindex', configuration: 'runtime') testCompile project(path: ':modules:parent-join', configuration: 'runtime') testCompile project(path: ':modules:analysis-common', configuration: 'runtime') + + // TOML parser for EqlActionIT tests + testCompile 'io.ous:jtoml:2.0.0' + + // JSON parser for tests input data + testCompile "com.fasterxml.jackson.core:jackson-core:${versions.jackson}" + testCompile "com.fasterxml.jackson.core:jackson-annotations:${versions.jackson}" + testCompile "com.fasterxml.jackson.core:jackson-databind:${versions.jackson}" + } -integTest.enabled = false -testingConventions.enabled = false - -// Instead we create a separate task to run the tests based on ESIntegTestCase -task internalClusterTest(type: Test) { - description = '🌈🌈🌈🦄 Welcome to fantasy integration tests land! 🦄🌈🌈🌈' - mustRunAfter test - - include '**/*IT.class' - systemProperty 'es.set.netty.runtime.available.processors', 'false' -} - -check.dependsOn internalClusterTest /**************************************************************** * Enable QA/rest integration tests for snapshot builds only * diff --git a/x-pack/plugin/eql/qa/rest/src/test/resources/rest-api-spec/test/eql/10_basic.yml b/x-pack/plugin/eql/qa/rest/src/test/resources/rest-api-spec/test/eql/10_basic.yml index fc7d93697ee..a6f4dac4e5c 100644 
--- a/x-pack/plugin/eql/qa/rest/src/test/resources/rest-api-spec/test/eql/10_basic.yml +++ b/x-pack/plugin/eql/qa/rest/src/test/resources/rest-api-spec/test/eql/10_basic.yml @@ -23,5 +23,5 @@ setup: - match: {timed_out: false} - match: {took: 0} - - match: {hits.total.value: 0} + - match: {hits.total.value: 1} diff --git a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchRequestBuilder.java b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchRequestBuilder.java new file mode 100644 index 00000000000..2e808501ae9 --- /dev/null +++ b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchRequestBuilder.java 
@@ -0,0 +1,58 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +package org.elasticsearch.xpack.eql.action; + +import org.elasticsearch.action.ActionRequestBuilder; +import org.elasticsearch.client.ElasticsearchClient; +import org.elasticsearch.index.query.QueryBuilder; + +public class EqlSearchRequestBuilder extends ActionRequestBuilder { + public EqlSearchRequestBuilder(ElasticsearchClient client, EqlSearchAction action) { + super(client, action, new EqlSearchRequest()); + } + + public EqlSearchRequestBuilder indices(String... indices) { + request.indices(indices); + return this; + } + + public EqlSearchRequestBuilder query(QueryBuilder query) { + request.query(query); + return this; + } + + public EqlSearchRequestBuilder timestampField(String timestampField) { + request.timestampField(timestampField); + return this; + } + + public EqlSearchRequestBuilder eventTypeField(String eventTypeField) { + request.eventTypeField(eventTypeField); + return this; + } + + public EqlSearchRequestBuilder implicitJoinKeyField(String implicitJoinKeyField) { + request.implicitJoinKeyField(implicitJoinKeyField); + return this; + } + + public EqlSearchRequestBuilder fetchSize(int size) { + request.fetchSize(size); + return this; + } + + public EqlSearchRequestBuilder searchAfter(Object[] values) { + request.searchAfter(values); + return this; + } + + public EqlSearchRequestBuilder rule(String rule) { + request.rule(rule); + return this; + } + +} diff --git a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchResponse.java b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchResponse.java index 0ffcab4ca93..e88e6d6b8f4 100644 --- a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchResponse.java 
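Review bot: `EqlSearchRequestBuilder` is a new public class in the plugin's main source set and carries no Javadoc on the class or any of its fluent setters, so a reader has to open `EqlSearchRequest` to learn what `rule`, `implicitJoinKeyField` or `searchAfter` mean. A class-level summary such as `/** Fluent builder for {@link EqlSearchRequest}; every setter delegates to the wrapped request and returns {@code this}. */` would cover the delegation pattern, and a one-line `@param` on the less obvious setters (`rule` is the EQL query text as used by `EqlActionIT`) would finish it. Note that `searchAfter(Object[] values)` hands the caller's array straight to `request.searchAfter(values)`; whether the request copies it is not visible here, so it is worth stating in the Javadoc which side owns the array.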
+++ b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/action/EqlSearchResponse.java 
@@ -27,50 +27,6 @@ import java.util.Collections; import java.util.List; import java.util.Objects; - -/** - * Response to perform an eql search - * - * Example events response: - * List<SearchHit> events = Arrays.asList( - * new SearchHit(1, "111", null), - * new SearchHit(2, "222", null) - * ); - * EqlSearchResponse.Hits hits = new EqlSearchResponse.Hits(Arrays.asList( - * new EqlSearchResponse.Sequence(Collections.singletonList("4021"), events), - * new EqlSearchResponse.Sequence(Collections.singletonList("2343"), events) - * ), null, null, new TotalHits(0, TotalHits.Relation.EQUAL_TO)); - * EqlSearchResponse response = new EqlSearchResponse(hits, 5, false); - * - * - * Example sequence response: - * List<SearchHit> events1 = Arrays.asList( - * new SearchHit(1, "111", null), - * new SearchHit(2, "222", null) - * ); - * List<SearchHit> events2 = Arrays.asList( - * new SearchHit(1, "333", null), - * new SearchHit(2, "444", null) - * ); - * List<Sequence> sequences = Arrays.asList( - * new EqlSearchResponse.Sequence(new String[]{"4021"}, events1), - * new EqlSearchResponse.Sequence(new String[]{"2343"}, events2) - * ); - * - * EqlSearchResponse.Hits hits = new EqlSearchResponse.Hits(null, sequences, null, new TotalHits(100, TotalHits.Relation.EQUAL_TO)); - * EqlSearchResponse response = new EqlSearchResponse(hits, 5, false); - * - * - * Example count response: - * TotalHits totals = new TotalHits(100, TotalHits.Relation.EQUAL_TO); - * List<Count> counts = Arrays.asList( - * new EqlSearchResponse.Count(40, new String[]{"foo", "bar"}, .42233f), - * new EqlSearchResponse.Count(15, new String[]{"foo", "bar"}, .170275f) - * ); - * - * EqlSearchResponse.Hits hits = new EqlSearchResponse.Hits(null, null, counts, totals); - * EqlSearchResponse response = new EqlSearchResponse(hits, 5, false); - */ public class EqlSearchResponse extends ActionResponse implements ToXContentObject { private final Hits hits; 
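Review bot: The whole class-level Javadoc of `EqlSearchResponse` is deleted and nothing replaces it, leaving the public response type undocumented. The removed examples were admittedly inconsistent with each other (one builds a `Sequence` from `Collections.singletonList("4021")`, the next from `new String[]{"4021"}`), which is a fair reason to drop them, but the summary sentence should survive. Suggest keeping a short header above the class: `/** Response to an EQL search; the matched events, sequences or counts are exposed through {@link Hits}. */`.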
@@ -399,7 +355,7 @@ public class EqlSearchResponse extends ActionResponse implements ToXContentObjec } else { totalHits = null; } - events = in.readBoolean() ? in.readList(SearchHit::new) : null; + events = in.readBoolean() ? in.readList(SearchHit::new) : null; sequences = in.readBoolean() ? in.readList(Sequence::new) : null; counts = in.readBoolean() ? in.readList(Count::new) : null; } diff --git a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/plugin/EqlPlugin.java b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/plugin/EqlPlugin.java index 19396f22302..c6f86b5105e 100644 --- a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/plugin/EqlPlugin.java +++ b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/plugin/EqlPlugin.java @@ -22,6 +22,7 @@ import org.elasticsearch.common.settings.SettingsFilter; import org.elasticsearch.common.xcontent.NamedXContentRegistry; import org.elasticsearch.env.Environment; import org.elasticsearch.env.NodeEnvironment; +import org.elasticsearch.license.XPackLicenseState; import org.elasticsearch.plugins.ActionPlugin; import org.elasticsearch.plugins.Plugin; import org.elasticsearch.rest.RestController; @@ -45,6 +46,8 @@ import java.util.function.Supplier; public class EqlPlugin extends Plugin implements ActionPlugin { + private final boolean enabled; + private static final boolean EQL_FEATURE_FLAG_REGISTERED; static { 
@@ -69,16 +72,20 @@ public class EqlPlugin extends Plugin implements ActionPlugin { Setting.Property.NodeScope ); + public EqlPlugin(final Settings settings) { + this.enabled = EQL_ENABLED_SETTING.get(settings); + } + @Override public Collection createComponents(Client client, ClusterService clusterService, ThreadPool threadPool, ResourceWatcherService resourceWatcherService, ScriptService scriptService, NamedXContentRegistry xContentRegistry, Environment environment, NodeEnvironment nodeEnvironment, NamedWriteableRegistry namedWriteableRegistry, IndexNameExpressionResolver expressionResolver) { - return createComponents(client, clusterService.getClusterName().value(), namedWriteableRegistry); } - private Collection createComponents(Client client, String clusterName, NamedWriteableRegistry namedWriteableRegistry) { + private Collection createComponents(Client client, String clusterName, + NamedWriteableRegistry namedWriteableRegistry) { IndexResolver indexResolver = new IndexResolver(client, clusterName, DefaultDataTypeRegistry.INSTANCE); PlanExecutor planExecutor = new PlanExecutor(client, indexResolver, namedWriteableRegistry); return Arrays.asList(planExecutor); @@ -91,14 +98,6 @@ public class EqlPlugin extends Plugin implements ActionPlugin { return modules; } - @Override - public List> getActions() { - return Arrays.asList( - new ActionHandler<>(EqlSearchAction.INSTANCE, TransportEqlSearchAction.class), - new ActionHandler<>(EqlStatsAction.INSTANCE, TransportEqlStatsAction.class) - ); - } - /** * The settings defined by EQL plugin. * 
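Review bot: The new constructor `public EqlPlugin(final Settings settings)` captures `EQL_ENABLED_SETTING.get(settings)` once into `enabled` with no comment, and since the surrounding class registers that setting only when `EQL_FEATURE_FLAG_REGISTERED`/`isSnapshot()` allow it, the relationship between the flag and the field deserves a sentence. Suggest a Javadoc on the constructor along the lines of `/** Reads {@code EQL_ENABLED_SETTING} once at construction; when it is false the plugin registers no actions and no REST handlers. */`, which is what the later hunks in this file implement. The `createComponents` override now loses the blank line before its `return` while the private overload gains a wrapped parameter list; both are fine, but `private final boolean enabled;` is declared ahead of the `static final` field and static initializer, which is the reverse of the usual static-first ordering in this codebase.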
@@ -113,6 +112,17 @@ public class EqlPlugin extends Plugin implements ActionPlugin { } } + @Override + public List> getActions() { + if (enabled) { + return Arrays.asList( + new ActionHandler<>(EqlSearchAction.INSTANCE, TransportEqlSearchAction.class), + new ActionHandler<>(EqlStatsAction.INSTANCE, TransportEqlStatsAction.class) + ); + } + return Collections.emptyList(); + } + boolean isSnapshot() { return Build.CURRENT.isSnapshot(); } @@ -131,9 +141,14 @@ public class EqlPlugin extends Plugin implements ActionPlugin { IndexNameExpressionResolver indexNameExpressionResolver, Supplier nodesInCluster) { - if (isEnabled(settings) == false) { - return Collections.emptyList(); + if (enabled) { + return Arrays.asList(new RestEqlSearchAction(), new RestEqlStatsAction()); } - return Arrays.asList(new RestEqlSearchAction(), new RestEqlStatsAction()); + return Collections.emptyList(); + } + + // overridable by tests + protected XPackLicenseState getLicenseState() { + return XPackPlugin.getSharedLicenseState(); } } \ No newline at end of file diff --git a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/plugin/TransportEqlSearchAction.java b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/plugin/TransportEqlSearchAction.java index 75e1478cdf0..f9c3746250b 100644 --- a/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/plugin/TransportEqlSearchAction.java +++ b/x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/plugin/TransportEqlSearchAction.java @@ -31,7 +31,6 @@ import org.elasticsearch.xpack.eql.session.Results; import java.time.ZoneId; import java.util.Arrays; -import java.util.Collections; import java.util.List; public class TransportEqlSearchAction extends HandledTransportAction { 
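Review bot: `protected XPackLicenseState getLicenseState()` is added (with the new `XPackLicenseState` import) and overridden by the test plugin, but nothing in these hunks calls it: `getActions()` and `getRestHandlers()` gate only on `enabled`, and the `TransportEqlSearchAction` hunks that follow never consult a license state either. As written it is a dead hook that reads as if EQL were license-checked when it is not. Either wire it into the transport action or mark the intent explicitly, e.g. replace `// overridable by tests` with `// Hook for license checks; not yet consulted by any EQL action. Overridden by LocalStateEqlXPackPlugin in tests.` so the gap is visible to the next reader.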
@@ -41,7 +40,7 @@ public class TransportEqlSearchAction extends HandledTransportAction listener) { + String clusterName, ActionListener listener) { // TODO: these should be sent by the client ZoneId zoneId = DateUtils.of("Z"); QueryBuilder filter = request.query(); TimeValue timeout = TimeValue.timeValueSeconds(30); boolean includeFrozen = request.indicesOptions().ignoreThrottled() == false; String clientId = null; - + ParserParams params = new ParserParams() - .fieldEventType(request.eventTypeField()) - .fieldTimestamp(request.timestampField()) - .implicitJoinKey(request.implicitJoinKeyField()); - + .fieldEventType(request.eventTypeField()) + .fieldTimestamp(request.timestampField()) + .implicitJoinKey(request.implicitJoinKeyField()); + Configuration cfg = new Configuration(request.indices(), zoneId, username, clusterName, filter, timeout, includeFrozen, clientId); //planExecutor.eql(cfg, request.rule(), params, wrap(r -> listener.onResponse(createResponse(r)), listener::onFailure)); listener.onResponse(createResponse(null)); @@ -77,14 +76,14 @@ public class TransportEqlSearchAction extends HandledTransportAction events = Arrays.asList( - new SearchHit(1, "111", null, null), - new SearchHit(2, "222", null, null) + new SearchHit(1, "111", null, null) ); - EqlSearchResponse.Hits hits = new EqlSearchResponse.Hits(null, Arrays.asList( - new EqlSearchResponse.Sequence(Collections.singletonList("4021"), events), - new EqlSearchResponse.Sequence(Collections.singletonList("2343"), events) - ), null, new TotalHits(0, TotalHits.Relation.EQUAL_TO)); + EqlSearchResponse.Hits hits = new EqlSearchResponse.Hits(events, null, + null, new TotalHits(1, TotalHits.Relation.EQUAL_TO)); + return new EqlSearchResponse(hits, 0, false); } @@ -95,4 +94,4 @@ public class TransportEqlSearchAction extends HandledTransportAction> nodePlugins() { + return Collections.singletonList(LocalStateEqlXPackPlugin.class); + } +} + 
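Review bot: In the `operation` hunk the `ParserParams` and `Configuration` are built and then discarded, because the real call is left as commented-out code (`//planExecutor.eql(...)`) and `listener.onResponse(createResponse(null))` returns a fixed single `SearchHit(1, "111", null, null)` regardless of `request.rule()`; the enclosing methods begin outside the hunk. The commit message says this is a deliberate stub, but in the code it is only visible as a dead line, so any `EqlActionIT` case that passes today does so without the query ever being parsed. Suggest replacing the commented-out call with `// TODO(eql): execute via planExecutor; until then createResponse(null) returns a fixed one-hit stub and ignores the rule` and giving `createResponse` a Javadoc stating that its `results` argument is currently unused.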
diff --git a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlActionIT.java b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlActionIT.java new file mode 100644 index 00000000000..9fe49106015 --- /dev/null +++ b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlActionIT.java 
@@ -0,0 +1,113 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +package org.elasticsearch.xpack.eql.action; + +import com.carrotsearch.randomizedtesting.annotations.ParametersFactory; +import com.fasterxml.jackson.databind.JsonNode; +import com.fasterxml.jackson.databind.ObjectMapper; +import org.elasticsearch.Build; +import org.elasticsearch.action.bulk.BulkRequestBuilder; +import org.elasticsearch.action.bulk.BulkResponse; +import org.elasticsearch.action.index.IndexRequest; +import org.elasticsearch.action.support.WriteRequest; +import org.elasticsearch.common.xcontent.XContentType; +import org.elasticsearch.search.SearchHit; +import org.junit.After; +import org.junit.Before; +import org.junit.BeforeClass; + +import java.util.ArrayList; +import java.util.Iterator; +import java.util.List; + +import static org.hamcrest.Matchers.equalTo; + +public class EqlActionIT extends AbstractEqlIntegTestCase { + + static final String indexPrefix = "endgame"; + static final String testIndexName = indexPrefix + "-1.4.0"; + protected static final String PARAM_FORMATTING = "%1$s.test"; + + + @BeforeClass + public static void checkForSnapshot() { + assumeTrue("Only works on snapshot builds for now", Build.CURRENT.isSnapshot()); + } + + @Before + public void setUpData() throws Exception { + // Insert test data + ObjectMapper mapper = new ObjectMapper(); + BulkRequestBuilder bulkBuilder = client().prepareBulk(); + JsonNode rootNode = mapper.readTree(EqlActionIT.class.getResourceAsStream("/test_data.json")); + Iterator entries = rootNode.elements(); + while (entries.hasNext()) { + JsonNode entry = entries.next(); + bulkBuilder.add(new IndexRequest(testIndexName).source(entry.toString(), XContentType.JSON)); + } + BulkResponse bulkResponse = 
bulkBuilder.setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).get(); + assertThat(bulkResponse.hasFailures() ? bulkResponse.buildFailureMessage() : "", bulkResponse.hasFailures(), equalTo(false)); + + ensureYellow(testIndexName); + } + + @After + public void tearDownData() { + client().admin().indices().prepareDelete(testIndexName).get(); + } + + @ParametersFactory(shuffle = false, argumentFormatting = PARAM_FORMATTING) + public static List readTestSpecs() throws Exception { + List testSpecs = new ArrayList<>(); + + // Load EQL validation specs + List specs = EqlSpecLoader.load("/test_queries.toml", true); + List unsupportedSpecs = EqlSpecLoader.load("/test_queries_unsupported.toml", false); + + // Validate only currently supported specs + int num = 1; // Seq number of the test + for (EqlSpec spec : specs) { + boolean supported = true; + // Check if spec is supported, simple iteration, cause the list is short. + for (EqlSpec unSpec : unsupportedSpecs) { + if (spec.query() != null && spec.query().equals(unSpec.query())) { + supported = false; + break; + } + } + + if (supported) { + testSpecs.add(new Object[]{num++, spec}); + } + } + return testSpecs; + } + + private final int num; + private final EqlSpec spec; + + public EqlActionIT(int num, EqlSpec spec) { + this.num = num; + this.spec = spec; + } + + public final void test() { + EqlSearchResponse response = new EqlSearchRequestBuilder(client(), EqlSearchAction.INSTANCE) + .indices(testIndexName).rule(spec.query()).get(); + + List events = response.hits().events(); + assertNotNull(events); + + final int len = events.size(); + final long ids[] = new long[len]; + for (int i = 0; i < events.size(); i++) { + ids[i] = events.get(i).docId(); + } + final String msg = "unexpected result for spec: [" + spec.toString() + "]"; + assertArrayEquals(msg, spec.expectedEventIds(), ids); + } +} 
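Review bot: In `test()` the actual ids are taken from `events.get(i).docId()`, which is the Lucene document id of the hit, while `spec.expectedEventIds()` comes from the `expected_event_ids` arrays in the TOML and the indexed documents carry their own `serial_event_id` field; the two only coincide today because the transport action stubs a hit with doc id 1. Once real hits are returned this assertion will compare unrelated numbers, so the id should presumably be read from the hit source, e.g. `ids[i] = ((Number) events.get(i).getSourceAsMap().get("serial_event_id")).longValue();` — worth confirming against the original EQL test harness. Smaller points: `final long ids[]` is C-style array syntax (`final long[] ids`), the `spec.query() != null` guard in `readTestSpecs` is redundant given `EqlSpecLoader` rejects empty queries, and `indexPrefix`/`testIndexName` are constants named in camelCase.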
diff --git a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlSpec.java b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlSpec.java new file mode 100644 index 00000000000..1db8269656f --- /dev/null +++ b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlSpec.java 
@@ -0,0 +1,86 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +package org.elasticsearch.xpack.eql.action; + +import org.elasticsearch.common.Strings; + +import java.util.Arrays; + +public class EqlSpec { + private String description; + private String note; + private String[] tags; + private String query; + private long[] expectedEventIds; + + public String description() { + return description; + } + + public void description(String description) { + this.description = description; + } + + public String note() { + return note; + } + + public void note(String note) { + this.note = note; + } + + public String[] tags() { + return tags; + } + + public void tags(String[] tags) { + this.tags = tags; + } + + public String query() { + return query; + } + + public void query(String query) { + this.query = query; + } + + public long[] expectedEventIds() { + return expectedEventIds; + } + + public void expectedEventIds(long[] expectedEventIds) { + this.expectedEventIds = expectedEventIds; + } + + @Override + public String toString() { + String str = ""; + str = appendWithComma(str, "query", query); + str = appendWithComma(str, "description", description); + str = appendWithComma(str, "note", note); + + if (tags != null) { + str = appendWithComma(str, "tags", Arrays.toString(tags)); + } + + if (expectedEventIds != null) { + str = appendWithComma(str, "expected_event_ids", Arrays.toString(expectedEventIds)); + } + return str; + } + + private static String appendWithComma(String str, String name, String append) { + if (!Strings.isNullOrEmpty(append)) { + if (!Strings.isNullOrEmpty(str)) { + str += ", "; + } + str += name + ": " + append; + } + return str; + } +} 
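Review bot: `appendWithComma` uses `!Strings.isNullOrEmpty(...)` twice, whereas the rest of this patch follows the Elasticsearch convention of spelling negation as `== false` (`isEnabled(settings) == false`, `ignoreThrottled() == false` in the other hunks); suggest `if (Strings.isNullOrEmpty(append) == false) {` and `if (Strings.isNullOrEmpty(str) == false) {`. The accessors `tags()` and `expectedEventIds()` hand out the internal arrays directly, which is acceptable for a test fixture but should be said in a class Javadoc, e.g. `/** Mutable holder for one EQL test case read from the spec TOML; array accessors expose internal state. */`, since the class currently has none.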
diff --git a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlSpecLoader.java b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlSpecLoader.java new file mode 100644 index 00000000000..f5fe4f93c31 --- /dev/null +++ b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/EqlSpecLoader.java 
@@ -0,0 +1,82 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +package org.elasticsearch.xpack.eql.action; + +import io.ous.jtoml.JToml; +import io.ous.jtoml.Toml; +import io.ous.jtoml.TomlTable; +import org.elasticsearch.common.Strings; + +import java.io.InputStream; +import java.util.ArrayList; +import java.util.List; + +public class EqlSpecLoader { + public static List load(String path, boolean supported) throws Exception { + try (InputStream is = EqlSpecLoader.class.getResourceAsStream(path)) { + return readFromStream(is, supported); + } + } + + private static void validateAndAddSpec(List specs, EqlSpec spec, boolean supported) throws Exception { + if (Strings.isNullOrEmpty(spec.query())) { + throw new IllegalArgumentException("Read a test without a query value"); + } + + if (supported && spec.expectedEventIds() == null) { + throw new IllegalArgumentException("Read a test without a expected_event_ids value"); + } + + specs.add(spec); + } + + private static String getTrimmedString(TomlTable table, String key) { + String s = table.getString(key); + if (s != null) { + return s.trim(); + } + return null; + } + + private static List readFromStream(InputStream is, boolean supported) throws Exception { + List testSpecs = new ArrayList<>(); + + EqlSpec spec; + Toml toml = JToml.parse(is); + + List queries = toml.getArrayTable("queries"); + for (TomlTable table : queries) { + spec = new EqlSpec(); + spec.query(getTrimmedString(table, "query")); + spec.note(getTrimmedString(table, "note")); + spec.description(getTrimmedString(table, "description")); + + List arr = table.getList("tags"); + if (arr != null) { + String tags[] = new String[arr.size()]; + int i = 0; + for (Object obj : arr) { + tags[i] = (String) obj; + } + spec.tags(tags); + } + + arr = 
table.getList("expected_event_ids"); + if (arr != null) { + long expectedEventIds[] = new long[arr.size()]; + int i = 0; + for (Object obj : arr) { + expectedEventIds[i++] = (Long) obj; + } + spec.expectedEventIds(expectedEventIds); + } + validateAndAddSpec(testSpecs, spec, supported); + } + + return testSpecs; + } +} diff --git a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/LocalStateEqlXPackPlugin.java b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/LocalStateEqlXPackPlugin.java new file mode 100644 index 00000000000..7a6cd355a6f --- /dev/null +++ b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/action/LocalStateEqlXPackPlugin.java @@ -0,0 +1,28 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License; + * you may not use this file except in compliance with the Elastic License. + */ + +package org.elasticsearch.xpack.eql.action; + +import org.elasticsearch.common.settings.Settings; +import org.elasticsearch.license.XPackLicenseState; +import org.elasticsearch.xpack.core.LocalStateCompositeXPackPlugin; +import org.elasticsearch.xpack.eql.plugin.EqlPlugin; + +import java.nio.file.Path; + +public class LocalStateEqlXPackPlugin extends LocalStateCompositeXPackPlugin { + + public LocalStateEqlXPackPlugin(final Settings settings, final Path configPath) throws Exception { + super(settings, configPath); + LocalStateEqlXPackPlugin thisVar = this; + plugins.add(new EqlPlugin(settings) { + @Override + protected XPackLicenseState getLicenseState() { + return thisVar.getLicenseState(); + } + }); + } +} diff --git a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/plugin/EqlPluginTests.java b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/plugin/EqlPluginTests.java index 02c429a3396..03f14247d77 100644 
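Review bot: In `readFromStream` the tags loop never advances its index — `tags[i] = (String) obj;` writes every element into slot 0 and leaves the rest `null` — while the sibling loop correctly uses `expectedEventIds[i++]`; the fix is `tags[i++] = (String) obj;`. Separately, `load` passes the result of `getResourceAsStream(path)` straight into `JToml.parse(is)`, so a mistyped resource name surfaces as a `NullPointerException` deep in the parser rather than a clear message; a guard such as `if (is == null) throw new IllegalArgumentException("Missing test resource: " + path);` before `readFromStream` would help. The `(Long) obj` cast in the ids loop assumes the TOML library yields boxed `Long` for integer arrays, which looks plausible but is worth a comment since a `ClassCastException` there would be hard to diagnose.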
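Review bot: In `LocalStateEqlXPackPlugin` the alias `LocalStateEqlXPackPlugin thisVar = this;` exists only so the anonymous `EqlPlugin` subclass can reach the outer instance, but Java already provides that with a qualified `this`: `return LocalStateEqlXPackPlugin.this.getLicenseState();`. Dropping the local makes the override read as the delegation it is, and a one-line comment on the anonymous subclass (`// route license lookups through the composite test plugin`) would explain why the override exists at all.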
--- a/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/plugin/EqlPluginTests.java +++ b/x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/plugin/EqlPluginTests.java @@ -6,6 +6,7 @@ package org.elasticsearch.xpack.eql.plugin; +import org.elasticsearch.common.settings.Settings; import org.elasticsearch.test.ESTestCase; import static org.hamcrest.Matchers.hasItem; @@ -13,7 +14,7 @@ import static org.hamcrest.Matchers.not; public class EqlPluginTests extends ESTestCase { public void testEnabledSettingRegisteredInSnapshotBuilds() { - final EqlPlugin plugin = new EqlPlugin() { + final EqlPlugin plugin = new EqlPlugin(Settings.EMPTY) { @Override protected boolean isSnapshot() { @@ -25,7 +26,7 @@ public class EqlPluginTests extends ESTestCase { } public void testEnabledSettingNotRegisteredInNonSnapshotBuilds() { - final EqlPlugin plugin = new EqlPlugin() { + final EqlPlugin plugin = new EqlPlugin(Settings.EMPTY) { @Override protected boolean isSnapshot() { diff --git a/x-pack/plugin/eql/src/test/resources/test_data.json b/x-pack/plugin/eql/src/test/resources/test_data.json new file mode 100644 index 00000000000..4a08e7f7a55 --- /dev/null +++ b/x-pack/plugin/eql/src/test/resources/test_data.json 
@@ -0,0 +1,2080 @@ +[ + { + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "opcode": 3, + "pid": 0, + "process_name": "System Idle Process", + "serial_event_id": 1, + "subtype": "create", + "timestamp": 116444736000000000, + "unique_pid": 1 + }, + { + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "opcode": 3, + "parent_process_name": "System Idle Process", + "pid": 4, + "process_name": "System", + "serial_event_id": 2, + "subtype": "create", + "timestamp": 131485996510000000, + "unique_pid": 2, + "unique_ppid": 1, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "\\SystemRoot\\System32\\smss.exe", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "63d3c30b497347495b8ea78a38188969", + "opcode": 3, + "parent_process_name": "System", + "pid": 284, + "ppid": 4, + "process_name": "smss.exe", + "process_path": "C:\\Windows\\System32\\smss.exe", + "serial_event_id": 3, + "subtype": "create", + "timestamp": 131485996510000000, + "unique_pid": 3, + "unique_ppid": 2, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "60c2862b4bf0fd9f582ef344c2b1ec72", + "opcode": 3, + "pid": 372, + "ppid": 364, + "process_name": "csrss.exe", + "process_path": "C:\\Windows\\System32\\csrss.exe", + "serial_event_id": 4, + "subtype": "create", + "timestamp": 131485996510000000, + "unique_pid": 4, + "unique_ppid": 0, + "user_domain": 
"NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "wininit.exe", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "94355c28c1970635a31b3fe52eb7ceba", + "opcode": 3, + "pid": 424, + "ppid": 364, + "process_name": "wininit.exe", + "process_path": "C:\\Windows\\System32\\wininit.exe", + "serial_event_id": 5, + "subtype": "create", + "timestamp": 131485996510000000, + "unique_pid": 5, + "unique_ppid": 0, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "60c2862b4bf0fd9f582ef344c2b1ec72", + "opcode": 3, + "pid": 436, + "ppid": 416, + "process_name": "csrss.exe", + "process_path": "C:\\Windows\\System32\\csrss.exe", + "serial_event_id": 6, + "subtype": "create", + "timestamp": 131485996510000000, + "unique_pid": 6, + "unique_ppid": 0, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "winlogon.exe", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "1151b1baa6f350b1db6598e0fea7c457", + "opcode": 3, + "pid": 472, + "ppid": 416, + "process_name": "winlogon.exe", + "process_path": "C:\\Windows\\System32\\winlogon.exe", + "serial_event_id": 7, + "subtype": "create", + "timestamp": 131485996510000000, + "unique_pid": 7, + "unique_ppid": 0, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "C:\\Windows\\system32\\services.exe", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": 
"process_event", + "md5": "24acb7e5be595468e3b9aa488b9b4fcb", + "opcode": 3, + "parent_process_name": "wininit.exe", + "parent_process_path": "C:\\Windows\\System32\\wininit.exe", + "pid": 524, + "ppid": 424, + "process_name": "services.exe", + "process_path": "C:\\Windows\\System32\\services.exe", + "serial_event_id": 8, + "subtype": "create", + "timestamp": 131485996520000000, + "unique_pid": 8, + "unique_ppid": 5, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "C:\\Windows\\system32\\lsass.exe", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "7554a1b82b4a222fd4cc292abd38a558", + "opcode": 3, + "parent_process_name": "wininit.exe", + "parent_process_path": "C:\\Windows\\System32\\wininit.exe", + "pid": 536, + "ppid": 424, + "process_name": "lsass.exe", + "process_path": "C:\\Windows\\System32\\lsass.exe", + "serial_event_id": 9, + "subtype": "create", + "timestamp": 131485996520000000, + "unique_pid": 9, + "unique_ppid": 5, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "C:\\Windows\\system32\\lsm.exe", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "9662ee182644511439f1c53745dc1c88", + "opcode": 3, + "parent_process_name": "wininit.exe", + "parent_process_path": "C:\\Windows\\System32\\wininit.exe", + "pid": 544, + "ppid": 424, + "process_name": "lsm.exe", + "process_path": "C:\\Windows\\System32\\lsm.exe", + "serial_event_id": 10, + "subtype": "create", + "timestamp": 131485996520000000, + "unique_pid": 10, + "unique_ppid": 5, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "c78655bc80301d76ed4fef1c1ea40a7d", + "opcode": 3, + "parent_process_name": 
"services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 648, + "ppid": 524, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 11, + "subtype": "create", + "timestamp": 131485996520000000, + "unique_pid": 11, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "\"C:\\Program Files\\VMware\\VMware Tools\\vmacthlp.exe\"", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "3c4d41c4f8cdd2ca945e91a61e6cfbaf", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 708, + "ppid": 524, + "process_name": "vmacthlp.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmacthlp.exe", + "serial_event_id": 12, + "subtype": "create", + "timestamp": 131485996520000000, + "unique_pid": 12, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "C:\\Windows\\system32\\svchost.exe -k RPCSS", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "c78655bc80301d76ed4fef1c1ea40a7d", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 752, + "ppid": 524, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 13, + "subtype": "create", + "timestamp": 131485996520000000, + "unique_pid": 13, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "NETWORK SERVICE" + }, + { + "command_line": "\"LogonUI.exe\" /flags:0x0", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "715f03b4c7223349768013ea95d9e5b7", + "opcode": 3, + "parent_process_name": "winlogon.exe", + 
"parent_process_path": "C:\\Windows\\System32\\winlogon.exe", + "pid": 828, + "ppid": 472, + "process_name": "LogonUI.exe", + "process_path": "C:\\Windows\\System32\\LogonUI.exe", + "serial_event_id": 14, + "subtype": "create", + "timestamp": 131485996520000000, + "unique_pid": 14, + "unique_ppid": 7, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "c78655bc80301d76ed4fef1c1ea40a7d", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 848, + "ppid": 524, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 15, + "subtype": "create", + "timestamp": 131485996520000000, + "unique_pid": 15, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "LOCAL SERVICE" + }, + { + "command_line": "C:\\Windows\\System32\\svchost.exe -k LocalSystemNetworkRestricted", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "c78655bc80301d76ed4fef1c1ea40a7d", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 896, + "ppid": 524, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 16, + "subtype": "create", + "timestamp": 131485996520000000, + "unique_pid": 16, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "C:\\Windows\\system32\\svchost.exe -k netsvcs", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "c78655bc80301d76ed4fef1c1ea40a7d", + "opcode": 3, + "parent_process_name": "services.exe", + 
"parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 924, + "ppid": 524, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 17, + "subtype": "create", + "timestamp": 131485996520000000, + "unique_pid": 17, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "C:\\Windows\\system32\\svchost.exe -k LocalService", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "c78655bc80301d76ed4fef1c1ea40a7d", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 264, + "ppid": 524, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 18, + "subtype": "create", + "timestamp": 131485996530000000, + "unique_pid": 18, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "LOCAL SERVICE" + }, + { + "command_line": "C:\\Windows\\system32\\svchost.exe -k NetworkService", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "c78655bc80301d76ed4fef1c1ea40a7d", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 968, + "ppid": 524, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 19, + "subtype": "create", + "timestamp": 131485996530000000, + "unique_pid": 19, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "NETWORK SERVICE" + }, + { + "command_line": "C:\\Windows\\System32\\spoolsv.exe", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "b96c17b5dc1424d56eea3a99e97428cd", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": 
"C:\\Windows\\System32\\services.exe", + "pid": 1108, + "ppid": 524, + "process_name": "spoolsv.exe", + "process_path": "C:\\Windows\\System32\\spoolsv.exe", + "serial_event_id": 20, + "subtype": "create", + "timestamp": 131485996530000000, + "unique_pid": 20, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "C:\\Windows\\system32\\svchost.exe -k LocalServiceNoNetwork", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "c78655bc80301d76ed4fef1c1ea40a7d", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 1136, + "ppid": 524, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 21, + "subtype": "create", + "timestamp": 131485996530000000, + "unique_pid": 21, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "LOCAL SERVICE" + }, + { + "command_line": "\"C:\\Program Files\\VMware\\VMware Tools\\VMware VGAuth\\VGAuthService.exe\"", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "ccd745aa6425c7637a34ff12ed8a1c18", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 1320, + "ppid": 524, + "process_name": "VGAuthService.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\VMware VGAuth\\VGAuthService.exe", + "serial_event_id": 22, + "subtype": "create", + "timestamp": 131485996530000000, + "unique_pid": 22, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\"", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "404202d6f0628331aaade8c8f9ef6feb", + "opcode": 3, + 
"parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 1344, + "ppid": 524, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + "serial_event_id": 23, + "subtype": "create", + "timestamp": 131485996530000000, + "unique_pid": 23, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "\"C:\\Program Files\\VMware\\VMware Tools\\VMware CAF\\pme\\bin\\ManagementAgentHost.exe\"", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "3f61b1a4fe078bb7705b508cfcbb987e", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 1376, + "ppid": 524, + "process_name": "ManagementAgentHost.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\VMware CAF\\pme\\bin\\ManagementAgentHost.exe", + "serial_event_id": 24, + "subtype": "create", + "timestamp": 131485996530000000, + "unique_pid": 24, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "C:\\Windows\\system32\\svchost.exe -k NetworkServiceNetworkRestricted", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "c78655bc80301d76ed4fef1c1ea40a7d", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 1692, + "ppid": 524, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 25, + "subtype": "create", + "timestamp": 131485996540000000, + "unique_pid": 25, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "NETWORK SERVICE" + }, + { + "command_line": "C:\\Windows\\system32\\wbem\\wmiprvse.exe", + "event_subtype_full": "already_running", + "event_type": 
"process", + "event_type_full": "process_event", + "md5": "8f4ecbbfe943030acfd9e892b2513ec1", + "opcode": 3, + "parent_process_name": "svchost.exe", + "parent_process_path": "C:\\Windows\\System32\\svchost.exe", + "pid": 1840, + "ppid": 648, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "serial_event_id": 26, + "subtype": "create", + "timestamp": 131485996540000000, + "unique_pid": 26, + "unique_ppid": 11, + "user_domain": "NT AUTHORITY", + "user_name": "NETWORK SERVICE" + }, + { + "command_line": "C:\\Windows\\System32\\msdtc.exe", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "de0ece52236cfa3ed2dbfc03f28253a8", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 960, + "ppid": 524, + "process_name": "msdtc.exe", + "process_path": "C:\\Windows\\System32\\msdtc.exe", + "serial_event_id": 27, + "subtype": "create", + "timestamp": 131485996550000000, + "unique_pid": 27, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "NETWORK SERVICE" + }, + { + "command_line": "%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "60c2862b4bf0fd9f582ef344c2b1ec72", + "opcode": 3, + "pid": 3048, + "ppid": 3040, + "process_name": "csrss.exe", + "process_path": "C:\\Windows\\System32\\csrss.exe", + "serial_event_id": 28, + "subtype": "create", + "timestamp": 131485996790000000, + "unique_pid": 28, + "unique_ppid": 0, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "winlogon.exe", 
+ "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "1151b1baa6f350b1db6598e0fea7c457", + "opcode": 3, + "pid": 2108, + "ppid": 3040, + "process_name": "winlogon.exe", + "process_path": "C:\\Windows\\System32\\winlogon.exe", + "serial_event_id": 29, + "subtype": "create", + "timestamp": 131485996790000000, + "unique_pid": 29, + "unique_ppid": 0, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "rdpclip", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "25d284eb2f12254c001afe9a82575a81", + "opcode": 3, + "parent_process_name": "svchost.exe", + "parent_process_path": "C:\\Windows\\System32\\svchost.exe", + "pid": 2704, + "ppid": 968, + "process_name": "rdpclip.exe", + "process_path": "C:\\Windows\\System32\\rdpclip.exe", + "serial_event_id": 30, + "subtype": "create", + "timestamp": 131485996810000000, + "unique_pid": 30, + "unique_ppid": 19, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "\"taskhost.exe\"", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "517110bd83835338c037269e603db55d", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 2776, + "ppid": 524, + "process_name": "taskhost.exe", + "process_path": "C:\\Windows\\System32\\taskhost.exe", + "serial_event_id": 31, + "subtype": "create", + "timestamp": 131485996810000000, + "unique_pid": 31, + "unique_ppid": 8, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "C:\\Windows\\system32\\sppsvc.exe", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "e17e0188bb90fae42d83e98707efa59c", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": 
"C:\\Windows\\System32\\services.exe", + "pid": 2804, + "ppid": 524, + "process_name": "sppsvc.exe", + "process_path": "C:\\Windows\\System32\\sppsvc.exe", + "serial_event_id": 32, + "subtype": "create", + "timestamp": 131485996810000000, + "unique_pid": 32, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "NETWORK SERVICE" + }, + { + "command_line": "\"C:\\Windows\\system32\\Dwm.exe\"", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "f162d5f5e845b9dc352dd1bad8cef1bc", + "opcode": 3, + "parent_process_name": "svchost.exe", + "parent_process_path": "C:\\Windows\\System32\\svchost.exe", + "pid": 2464, + "ppid": 896, + "process_name": "dwm.exe", + "process_path": "C:\\Windows\\System32\\dwm.exe", + "serial_event_id": 33, + "subtype": "create", + "timestamp": 131485997150000000, + "unique_pid": 33, + "unique_ppid": 16, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "C:\\Windows\\Explorer.EXE", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "ac4c51eb24aa95b77f705ab159189e24", + "opcode": 3, + "pid": 2460, + "ppid": 3052, + "process_name": "explorer.exe", + "process_path": "C:\\Windows\\explorer.exe", + "serial_event_id": 34, + "subtype": "create", + "timestamp": 131485997150000000, + "unique_pid": 34, + "unique_ppid": 0, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "404202d6f0628331aaade8c8f9ef6feb", + "opcode": 3, + "parent_process_name": "explorer.exe", + "parent_process_path": "C:\\Windows\\explorer.exe", + "pid": 2604, + "ppid": 2460, + "process_name": "vmtoolsd.exe", + "process_path": "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe", + 
"serial_event_id": 35, + "subtype": "create", + "timestamp": 131485997150000000, + "unique_pid": 35, + "unique_ppid": 34, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "C:\\Windows\\system32\\SearchIndexer.exe /Embedding", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "ad31942bdf3d594c404874613bc2fe4d", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 1620, + "ppid": 524, + "process_name": "SearchIndexer.exe", + "process_path": "C:\\Windows\\System32\\SearchIndexer.exe", + "serial_event_id": 36, + "subtype": "create", + "timestamp": 131485997210000000, + "unique_pid": 36, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "C:\\Windows\\system32\\svchost.exe -k LocalServiceAndNoImpersonation", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "c78655bc80301d76ed4fef1c1ea40a7d", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 3684, + "ppid": 524, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 37, + "subtype": "create", + "timestamp": 131485997750000000, + "unique_pid": 37, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "LOCAL SERVICE" + }, + { + "command_line": "C:\\Windows\\System32\\svchost.exe -k secsvcs", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "c78655bc80301d76ed4fef1c1ea40a7d", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 3712, + "ppid": 524, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + 
"serial_event_id": 38, + "subtype": "create", + "timestamp": 131485997750000000, + "unique_pid": 38, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "\"C:\\Windows\\system32\\cmd.exe\" ", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "5746bd7e255dd6a8afa06f7c42c1ba41", + "opcode": 3, + "parent_process_name": "explorer.exe", + "parent_process_path": "C:\\Windows\\explorer.exe", + "pid": 2864, + "ppid": 2460, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "serial_event_id": 39, + "subtype": "create", + "timestamp": 131491838190000000, + "unique_pid": 39, + "unique_ppid": 34, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "\\??\\C:\\Windows\\system32\\conhost.exe", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "bd51024fb014064bc9fe8c715c18392f", + "opcode": 3, + "parent_process_name": "csrss.exe", + "parent_process_path": "C:\\Windows\\System32\\csrss.exe", + "pid": 2228, + "ppid": 3048, + "process_name": "conhost.exe", + "process_path": "C:\\Windows\\System32\\conhost.exe", + "serial_event_id": 40, + "subtype": "create", + "timestamp": 131491838190000000, + "unique_pid": 40, + "unique_ppid": 28, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "C:\\Windows\\system32\\svchost.exe -k SDRSVC", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "c78655bc80301d76ed4fef1c1ea40a7d", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 3820, + "ppid": 524, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 41, + "subtype": "create", + "timestamp": 131491940310000000, + "unique_pid": 
41, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "C:\\Windows\\servicing\\TrustedInstaller.exe", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "773212b2aaa24c1e31f10246b15b276c", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 3384, + "ppid": 524, + "process_name": "TrustedInstaller.exe", + "process_path": "C:\\Windows\\servicing\\TrustedInstaller.exe", + "serial_event_id": 42, + "subtype": "create", + "timestamp": 131509366130000000, + "unique_pid": 42, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "C:\\Windows\\system32\\wbem\\wmiprvse.exe", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "8f4ecbbfe943030acfd9e892b2513ec1", + "opcode": 3, + "parent_process_name": "svchost.exe", + "parent_process_path": "C:\\Windows\\System32\\svchost.exe", + "pid": 1860, + "ppid": 648, + "process_name": "WmiPrvSE.exe", + "process_path": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", + "serial_event_id": 43, + "subtype": "create", + "timestamp": 131509366230000000, + "unique_pid": 43, + "unique_ppid": 11, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "taskeng.exe {6108575A-1CC2-4917-BB5D-5929CDC39B9C}", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "65ea57712340c09b1b0c427b4848ae05", + "opcode": 3, + "parent_process_name": "svchost.exe", + "parent_process_path": "C:\\Windows\\System32\\svchost.exe", + "pid": 660, + "ppid": 924, + "process_name": "taskeng.exe", + "process_path": "C:\\Windows\\System32\\taskeng.exe", + "serial_event_id": 44, + "subtype": "create", + "timestamp": 131509371900000000, + "unique_pid": 44, + "unique_ppid": 17, + 
"user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "C:\\Windows\\system32\\msiexec.exe /V", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "a190da6546501cb4146bbcc0b6a3f48b", + "opcode": 3, + "parent_process_name": "services.exe", + "parent_process_path": "C:\\Windows\\System32\\services.exe", + "pid": 760, + "ppid": 524, + "process_name": "msiexec.exe", + "process_path": "C:\\Windows\\System32\\msiexec.exe", + "serial_event_id": 45, + "subtype": "create", + "timestamp": 131509372370000000, + "unique_pid": 45, + "unique_ppid": 8, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "C:\\Windows\\system32\\wsmprovhost.exe -Embedding", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "3e5cfefdda537ddbed9f5c6c7e926cdd", + "opcode": 3, + "parent_process_name": "svchost.exe", + "parent_process_path": "C:\\Windows\\System32\\svchost.exe", + "pid": 2824, + "ppid": 648, + "process_name": "wsmprovhost.exe", + "process_path": "C:\\Windows\\System32\\wsmprovhost.exe", + "serial_event_id": 46, + "subtype": "create", + "timestamp": 131509373980000000, + "unique_pid": 46, + "unique_ppid": 11, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "C:\\Windows\\system32\\wsmprovhost.exe -Embedding", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "3e5cfefdda537ddbed9f5c6c7e926cdd", + "opcode": 3, + "parent_process_name": "svchost.exe", + "parent_process_path": "C:\\Windows\\System32\\svchost.exe", + "pid": 3408, + "ppid": 648, + "process_name": "wsmprovhost.exe", + "process_path": "C:\\Windows\\System32\\wsmprovhost.exe", + "serial_event_id": 47, + "subtype": "create", + "timestamp": 131509374020000000, + "unique_pid": 47, + "unique_ppid": 11, + "user_domain": "vagrant", + "user_name": "vagrant" 
+ }, + { + "command_line": "\"C:\\Python27\\python.exe\" worker.py --target c:\\workspace\\red_ttp\\process_name_masquerade.py", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "21f73cd55626f0ec9fbce53eafbef128", + "opcode": 3, + "parent_process_name": "wsmprovhost.exe", + "parent_process_path": "C:\\Windows\\System32\\wsmprovhost.exe", + "pid": 420, + "ppid": 3408, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 48, + "subtype": "create", + "timestamp": 131509374020000000, + "unique_pid": 48, + "unique_ppid": 47, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "\\??\\C:\\Windows\\system32\\conhost.exe", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "bd51024fb014064bc9fe8c715c18392f", + "opcode": 3, + "parent_process_name": "csrss.exe", + "parent_process_path": "C:\\Windows\\System32\\csrss.exe", + "pid": 3080, + "ppid": 372, + "process_name": "conhost.exe", + "process_path": "C:\\Windows\\System32\\conhost.exe", + "serial_event_id": 49, + "subtype": "create", + "timestamp": 131509374020000000, + "unique_pid": 49, + "unique_ppid": 4, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "C:\\Python27\\python.exe myappserver.py --log-file C:\\workspace\\dev\\myapp.out --update-server-port 8446 --sout C:\\workspace\\Libraries\\myapp\\myapp\\python\\myapp\\hunt_out.json", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "21f73cd55626f0ec9fbce53eafbef128", + "opcode": 3, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 1688, + "ppid": 420, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 50, + "subtype": "create", + "timestamp": 131509374100000000, + 
"unique_pid": 50, + "unique_ppid": 48, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "C:\\Python27\\python.exe C:\\workspace\\dev\\Simple_Https_Server\\simple_https_server.py", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "21f73cd55626f0ec9fbce53eafbef128", + "opcode": 3, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 1720, + "ppid": 420, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 51, + "subtype": "create", + "timestamp": 131509374100000000, + "unique_pid": 51, + "unique_ppid": 48, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "C:\\Windows\\System32\\LauncherProcess.exe", + "event_subtype_full": "already_running", + "event_type": "process", + "event_type_full": "process_event", + "md5": "6a8649f3205b311e208ac35a04e99700", + "opcode": 3, + "parent_process_name": "svchost.exe", + "parent_process_path": "C:\\Windows\\System32\\svchost.exe", + "pid": 2164, + "ppid": 648, + "process_name": "LauncherProcess.exe", + "process_path": "C:\\Windows\\System32\\LauncherProcess.exe", + "serial_event_id": 52, + "subtype": "create", + "timestamp": 131509374150000000, + "unique_pid": 52, + "unique_ppid": 11, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "C:\\Windows\\system32\\cmd.exe /c \"c:\\workspace\\red_ttp\\process_name_masquerade.py\"", + "event_subtype_full": "creation_event", + "event_type": "process", + "event_type_full": "process_event", + "md5": "5746bd7e255dd6a8afa06f7c42c1ba41", + "opcode": 1, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 1788, + "ppid": 420, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "serial_event_id": 53, + "subtype": "create", + "timestamp": 131509374294209140, + 
"unique_pid": 53, + "unique_ppid": 48, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "\"C:\\Python27\\python.exe\" \"C:\\workspace\\red_ttp\\process_name_masquerade.py\" ", + "event_subtype_full": "creation_event", + "event_type": "process", + "event_type_full": "process_event", + "md5": "21f73cd55626f0ec9fbce53eafbef128", + "opcode": 1, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 2256, + "ppid": 1788, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 54, + "subtype": "create", + "timestamp": 131509374294365140, + "unique_pid": 54, + "unique_ppid": 53, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "svchost.exe", + "file_path": "C:\\workspace\\red_ttp\\svchost.exe", + "opcode": 0, + "pid": 2256, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 55, + "subtype": "create", + "timestamp": 131509374295457140, + "unique_pid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "svchost.exe", + "event_subtype_full": "creation_event", + "event_type": "process", + "event_type_full": "process_event", + "md5": "f49c54c4997a0401db0f6640a6111c52", + "opcode": 1, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 2760, + "ppid": 2256, + "process_name": "svchost.exe", + "process_path": "C:\\workspace\\red_ttp\\svchost.exe", + "serial_event_id": 56, + "subtype": "create", + "timestamp": 131509374295613140, + "unique_pid": 56, + "unique_ppid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "bytes_written_count": 20, + "bytes_written_string_list": [ + "en-US", + "en" + ], + "event_subtype_full": "registry_modify_event", + "event_type": "registry", + 
"event_type_full": "registry_event", + "key_path": "\\REGISTRY\\USER\\S-1-5-21-3942132181-2402070379-3970972291-1001_CLASSES\\Local Settings\\MuiCache\\1B\\52C64B7E\\LanguageList", + "key_type": "multiSz", + "opcode": 1, + "pid": 2460, + "process_name": "explorer.exe", + "process_path": "C:\\Windows\\explorer.exe", + "registry_key": "\\REGISTRY\\USER\\S-1-5-21-3942132181-2402070379-3970972291-1001_CLASSES\\Local Settings\\MuiCache\\1B\\52C64B7E", + "registry_path": "\\REGISTRY\\USER\\S-1-5-21-3942132181-2402070379-3970972291-1001_CLASSES\\Local Settings\\MuiCache\\1B\\52C64B7E\\LanguageList", + "registry_type": "multi_string", + "registry_value": "LanguageList", + "serial_event_id": 57, + "timestamp": 131509374306065200, + "unique_pid": 34, + "user_name": "vagrant" + }, + { + "event_subtype_full": "termination_event", + "event_type": "process", + "event_type_full": "process_event", + "exit_code": 0, + "md5": "f49c54c4997a0401db0f6640a6111c52", + "opcode": 2, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 2760, + "ppid": 2256, + "process_name": "svchost.exe", + "process_path": "C:\\workspace\\red_ttp\\svchost.exe", + "serial_event_id": 58, + "subtype": "terminate", + "timestamp": 131509374345689460, + "unique_pid": 56, + "unique_ppid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_delete_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "svchost.exe", + "file_path": "C:\\workspace\\red_ttp\\svchost.exe", + "opcode": 2, + "pid": 2256, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 59, + "subtype": "modify", + "timestamp": 131509374345689460, + "unique_pid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "SVCHOST.EXE-CB1B3AA2.pf", + "file_path": 
"C:\\Windows\\Prefetch\\SVCHOST.EXE-CB1B3AA2.pf", + "opcode": 0, + "pid": 896, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 60, + "subtype": "create", + "timestamp": 131509374345689460, + "unique_pid": 16, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "event_subtype_full": "file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "lsass.exe", + "file_path": "C:\\workspace\\red_ttp\\lsass.exe", + "opcode": 0, + "pid": 2256, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 61, + "subtype": "create", + "timestamp": 131509374345689460, + "unique_pid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "lsass.exe", + "event_subtype_full": "creation_event", + "event_type": "process", + "event_type_full": "process_event", + "md5": "f49c54c4997a0401db0f6640a6111c52", + "opcode": 1, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 3696, + "ppid": 2256, + "process_name": "lsass.exe", + "process_path": "C:\\workspace\\red_ttp\\lsass.exe", + "serial_event_id": 62, + "subtype": "create", + "timestamp": 131509374345689460, + "unique_pid": 62, + "unique_ppid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "request_event", + "event_type": "dns", + "event_type_full": "dns_event", + "opcode": 3008, + "pid": 924, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "query_name": "teredo.ipv6.microsoft.com.", + "serial_event_id": 63, + "timestamp": 131509374350369490, + "unique_pid": 17, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "event_subtype_full": "termination_event", + "event_type": "process", + "event_type_full": "process_event", + "exit_code": 0, + "md5": "f49c54c4997a0401db0f6640a6111c52", + "opcode": 2, + 
"parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 3696, + "ppid": 2256, + "process_name": "lsass.exe", + "process_path": "C:\\workspace\\red_ttp\\lsass.exe", + "serial_event_id": 64, + "subtype": "terminate", + "timestamp": 131509374395921780, + "unique_pid": 62, + "unique_ppid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_delete_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "lsass.exe", + "file_path": "C:\\workspace\\red_ttp\\lsass.exe", + "opcode": 2, + "pid": 2256, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 65, + "subtype": "modify", + "timestamp": 131509374395921780, + "unique_pid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "LSASS.EXE-02265BD5.pf", + "file_path": "C:\\Windows\\Prefetch\\LSASS.EXE-02265BD5.pf", + "opcode": 0, + "pid": 896, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 66, + "subtype": "create", + "timestamp": 131509374395921780, + "unique_pid": 16, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "event_subtype_full": "file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "services.exe", + "file_path": "C:\\workspace\\red_ttp\\services.exe", + "opcode": 0, + "pid": 2256, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 67, + "subtype": "create", + "timestamp": 131509374395921780, + "unique_pid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "services.exe", + "event_subtype_full": "creation_event", + "event_type": "process", + "event_type_full": "process_event", + "md5": "f49c54c4997a0401db0f6640a6111c52", + 
"opcode": 1, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 1832, + "ppid": 2256, + "process_name": "services.exe", + "process_path": "C:\\workspace\\red_ttp\\services.exe", + "serial_event_id": 68, + "subtype": "create", + "timestamp": 131509374395921780, + "unique_pid": 68, + "unique_ppid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "termination_event", + "event_type": "process", + "event_type_full": "process_event", + "exit_code": 0, + "md5": "f49c54c4997a0401db0f6640a6111c52", + "opcode": 2, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 1832, + "ppid": 2256, + "process_name": "services.exe", + "process_path": "C:\\workspace\\red_ttp\\services.exe", + "serial_event_id": 69, + "subtype": "terminate", + "timestamp": 131509374446778110, + "unique_pid": 68, + "unique_ppid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_delete_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "services.exe", + "file_path": "C:\\workspace\\red_ttp\\services.exe", + "opcode": 2, + "pid": 2256, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 70, + "subtype": "modify", + "timestamp": 131509374446778110, + "unique_pid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "SERVICES.EXE-01D9177B.pf", + "file_path": "C:\\Windows\\Prefetch\\SERVICES.EXE-01D9177B.pf", + "opcode": 0, + "pid": 896, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 71, + "subtype": "create", + "timestamp": 131509374446778110, + "unique_pid": 16, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "event_subtype_full": 
"file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "csrss.exe", + "file_path": "C:\\workspace\\red_ttp\\csrss.exe", + "opcode": 0, + "pid": 2256, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 72, + "subtype": "create", + "timestamp": 131509374446778110, + "unique_pid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "csrss.exe", + "event_subtype_full": "creation_event", + "event_type": "process", + "event_type_full": "process_event", + "md5": "f49c54c4997a0401db0f6640a6111c52", + "opcode": 1, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 3948, + "ppid": 2256, + "process_name": "csrss.exe", + "process_path": "C:\\workspace\\red_ttp\\csrss.exe", + "serial_event_id": 73, + "subtype": "create", + "timestamp": 131509374446778110, + "unique_pid": 73, + "unique_ppid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "termination_event", + "event_type": "process", + "event_type_full": "process_event", + "exit_code": 0, + "md5": "f49c54c4997a0401db0f6640a6111c52", + "opcode": 2, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 3948, + "ppid": 2256, + "process_name": "csrss.exe", + "process_path": "C:\\workspace\\red_ttp\\csrss.exe", + "serial_event_id": 74, + "subtype": "terminate", + "timestamp": 131509374497010430, + "unique_pid": 73, + "unique_ppid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_delete_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "csrss.exe", + "file_path": "C:\\workspace\\red_ttp\\csrss.exe", + "opcode": 2, + "pid": 2256, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 75, + "subtype": "modify", + "timestamp": 131509374497010430, + 
"unique_pid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "smss.exe", + "file_path": "C:\\workspace\\red_ttp\\smss.exe", + "opcode": 0, + "pid": 2256, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 76, + "subtype": "create", + "timestamp": 131509374497010430, + "unique_pid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "CSRSS.EXE-006B4E4D.pf", + "file_path": "C:\\Windows\\Prefetch\\CSRSS.EXE-006B4E4D.pf", + "opcode": 0, + "pid": 896, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 77, + "subtype": "create", + "timestamp": 131509374497010430, + "unique_pid": 16, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "command_line": "smss.exe", + "event_subtype_full": "creation_event", + "event_type": "process", + "event_type_full": "process_event", + "md5": "f49c54c4997a0401db0f6640a6111c52", + "opcode": 1, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 3720, + "ppid": 2256, + "process_name": "smss.exe", + "process_path": "C:\\workspace\\red_ttp\\smss.exe", + "serial_event_id": 78, + "subtype": "create", + "timestamp": 131509374497010430, + "unique_pid": 78, + "unique_ppid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "bytes_written_count": 80, + "event_subtype_full": "registry_modify_event", + "event_type": "registry", + "event_type_full": "registry_event", + "key_path": "\\REGISTRY\\MACHINE\\SAM\\SAM\\DOMAINS\\Account\\Users\\000003E9\\F", + "key_type": "binary", + "opcode": 1, + "pid": 536, + "process_name": "lsass.exe", + "process_path": "C:\\Windows\\System32\\lsass.exe", + 
"registry_key": "\\REGISTRY\\MACHINE\\SAM\\SAM\\DOMAINS\\Account\\Users\\000003E9", + "registry_path": "\\REGISTRY\\MACHINE\\SAM\\SAM\\DOMAINS\\Account\\Users\\000003E9\\F", + "registry_type": "binary", + "registry_value": "F", + "serial_event_id": 79, + "timestamp": 131509374520566580, + "unique_pid": 9, + "user_name": "SYSTEM" + }, + { + "event_subtype_full": "termination_event", + "event_type": "process", + "event_type_full": "process_event", + "exit_code": 0, + "md5": "f49c54c4997a0401db0f6640a6111c52", + "opcode": 2, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 3720, + "ppid": 2256, + "process_name": "smss.exe", + "process_path": "C:\\workspace\\red_ttp\\smss.exe", + "serial_event_id": 80, + "subtype": "terminate", + "timestamp": 131509374547086750, + "unique_pid": 78, + "unique_ppid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_delete_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "smss.exe", + "file_path": "C:\\workspace\\red_ttp\\smss.exe", + "opcode": 2, + "pid": 2256, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 81, + "subtype": "modify", + "timestamp": 131509374547086750, + "unique_pid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "SMSS.EXE-8C66D82D.pf", + "file_path": "C:\\Windows\\Prefetch\\SMSS.EXE-8C66D82D.pf", + "opcode": 0, + "pid": 896, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 82, + "subtype": "create", + "timestamp": 131509374547086750, + "unique_pid": 16, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "event_subtype_full": "file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": 
"wininit.exe", + "file_path": "C:\\workspace\\red_ttp\\wininit.exe", + "opcode": 0, + "pid": 2256, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 83, + "subtype": "create", + "timestamp": 131509374547086750, + "unique_pid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "wininit.exe", + "event_subtype_full": "creation_event", + "event_type": "process", + "event_type_full": "process_event", + "md5": "f49c54c4997a0401db0f6640a6111c52", + "opcode": 1, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 1680, + "ppid": 2256, + "process_name": "wininit.exe", + "process_path": "C:\\workspace\\red_ttp\\wininit.exe", + "serial_event_id": 84, + "subtype": "create", + "timestamp": 131509374547086750, + "unique_pid": 84, + "unique_ppid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "termination_event", + "event_type": "process", + "event_type_full": "process_event", + "exit_code": 0, + "md5": "f49c54c4997a0401db0f6640a6111c52", + "opcode": 2, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 1680, + "ppid": 2256, + "process_name": "wininit.exe", + "process_path": "C:\\workspace\\red_ttp\\wininit.exe", + "serial_event_id": 85, + "subtype": "terminate", + "timestamp": 131509374597163070, + "unique_pid": 84, + "unique_ppid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_delete_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "wininit.exe", + "file_path": "C:\\workspace\\red_ttp\\wininit.exe", + "opcode": 2, + "pid": 2256, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 86, + "subtype": "modify", + "timestamp": 131509374597163070, + "unique_pid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + 
"event_subtype_full": "file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "WININIT.EXE-F4D46129.pf", + "file_path": "C:\\Windows\\Prefetch\\WININIT.EXE-F4D46129.pf", + "opcode": 0, + "pid": 896, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 87, + "subtype": "create", + "timestamp": 131509374597163070, + "unique_pid": 16, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "event_subtype_full": "file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "explorer.exe", + "file_path": "C:\\workspace\\red_ttp\\explorer.exe", + "opcode": 0, + "pid": 2256, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 88, + "subtype": "create", + "timestamp": 131509374597163070, + "unique_pid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "command_line": "explorer.exe", + "event_subtype_full": "creation_event", + "event_type": "process", + "event_type_full": "process_event", + "md5": "f49c54c4997a0401db0f6640a6111c52", + "opcode": 1, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 4080, + "ppid": 2256, + "process_name": "explorer.exe", + "process_path": "C:\\workspace\\red_ttp\\explorer.exe", + "serial_event_id": 89, + "subtype": "create", + "timestamp": 131509374597163070, + "unique_pid": 89, + "unique_ppid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "termination_event", + "event_type": "process", + "event_type_full": "process_event", + "exit_code": 0, + "md5": "f49c54c4997a0401db0f6640a6111c52", + "opcode": 2, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 4080, + "ppid": 2256, + "process_name": "explorer.exe", + "process_path": "C:\\workspace\\red_ttp\\explorer.exe", + "serial_event_id": 90, + 
"subtype": "terminate", + "timestamp": 131509374647239400, + "unique_pid": 89, + "unique_ppid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_delete_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "explorer.exe", + "file_path": "C:\\workspace\\red_ttp\\explorer.exe", + "opcode": 2, + "pid": 2256, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 91, + "subtype": "modify", + "timestamp": 131509374647239400, + "unique_pid": 54, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "EXPLORER.EXE-854AF04C.pf", + "file_path": "C:\\Windows\\Prefetch\\EXPLORER.EXE-854AF04C.pf", + "opcode": 0, + "pid": 896, + "process_name": "svchost.exe", + "process_path": "C:\\Windows\\System32\\svchost.exe", + "serial_event_id": 92, + "subtype": "create", + "timestamp": 131509374647239400, + "unique_pid": 16, + "user_domain": "NT AUTHORITY", + "user_name": "SYSTEM" + }, + { + "event_subtype_full": "termination_event", + "event_type": "process", + "event_type_full": "process_event", + "exit_code": 0, + "md5": "21f73cd55626f0ec9fbce53eafbef128", + "opcode": 2, + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 2256, + "ppid": 1788, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 93, + "subtype": "terminate", + "timestamp": 131509374647239400, + "unique_pid": 54, + "unique_ppid": 53, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "termination_event", + "event_type": "process", + "event_type_full": "process_event", + "exit_code": 0, + "md5": "5746bd7e255dd6a8afa06f7c42c1ba41", + "opcode": 2, + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 
1788, + "ppid": 420, + "process_name": "cmd.exe", + "process_path": "C:\\Windows\\System32\\cmd.exe", + "serial_event_id": 94, + "subtype": "terminate", + "timestamp": 131509374647239400, + "unique_pid": 53, + "unique_ppid": 48, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "something.json", + "file_path": "C:\\workspace\\dev\\TestLogs\\something.json", + "opcode": 0, + "pid": 420, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 95, + "subtype": "create", + "timestamp": 131509374647239400, + "unique_pid": 48, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "file_create_event", + "event_type": "file", + "event_type_full": "file_event", + "file_name": "something.json", + "file_path": "C:\\workspace\\Libraries\\myapp\\myapp\\python\\myapp\\something.json", + "opcode": 0, + "pid": 420, + "process_name": "python.exe", + "process_path": "C:\\Python27\\python.exe", + "serial_event_id": 96, + "subtype": "create", + "timestamp": 131509374647239400, + "unique_pid": 48, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "authentication_id": 854482244, + "command_line": "net localgroup administrators findme2", + "event_subtype_full": "creation_event", + "event_type": "process", + "event_type_full": "process_event", + "md5": "63dd6fbaabf881385899fd39df13dce3", + "opcode": 1, + "original_file_name": "NET.exe", + "parent_process_name": "cmd.exe", + "parent_process_path": "C:\\Windows\\System32\\cmd.exe", + "pid": 3608, + "ppid": 392, + "process_name": "net.exe", + "process_path": "C:\\Windows\\System32\\net.exe", + "serial_event_id": 97, + "subtype": "create", + "timestamp": 131605904083494370, + "unique_pid": 750058, + "unique_ppid": 707545, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "authentication_id": 854482244, + 
"command_line": "C:\\Windows\\system32\\net1 localgroup administrators findme2", + "event_subtype_full": "creation_event", + "event_type": "process", + "event_type_full": "process_event", + "md5": "3b6928bc39e5530cead1e99269e7b1ee", + "opcode": 1, + "original_file_name": "net1.exe", + "parent_process_name": "net.exe", + "parent_process_path": "C:\\Windows\\System32\\net.exe", + "pid": 1348, + "ppid": 3608, + "process_name": "net1.exe", + "process_path": "C:\\Windows\\System32\\net1.exe", + "serial_event_id": 98, + "subtype": "create", + "timestamp": 131605904083806370, + "unique_pid": 750059, + "unique_ppid": 750058, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "authentication_id": 13728872, + "command_line": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\msbuild.exe tmp-file.csproj", + "event_subtype_full": "creation_event", + "event_type": "process", + "event_type_full": "process_event", + "md5": "4b736b85e5de65e572f28a91e31b99bf", + "opcode": 1, + "original_file_name": "MSBuild.exe", + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 860, + "ppid": 1196, + "process_name": "MSBuild.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe", + "serial_event_id": 75273, + "subtype": "create", + "timestamp": 131762381484502110, + "unique_pid": 75273, + "unique_ppid": 75248, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "event_subtype_full": "termination_event", + "event_type": "process", + "event_type_full": "process_event", + "exit_code": 0, + "md5": "4b736b85e5de65e572f28a91e31b99bf", + "opcode": 2, + "original_file_name": "MSBuild.exe", + "parent_process_name": "python.exe", + "parent_process_path": "C:\\Python27\\python.exe", + "pid": 860, + "ppid": 1196, + "process_name": "MSBuild.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe", + "serial_event_id": 75303, + "subtype": "terminate", + "timestamp": 
131762381493483680, + "unique_pid": 75273, + "unique_ppid": 75248, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "destination_address": "10.6.48.157", + "destination_port": 8000, + "event_subtype_full": "ipv4_connection_attempt_event", + "event_type": "network", + "event_type_full": "network_event", + "opcode": 12, + "pid": 860, + "process_name": "MSBuild.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe", + "protocol": "tcp", + "serial_event_id": 75304, + "source_address": "10.6.48.157", + "source_port": 52178, + "subtype": "outgoing", + "timestamp": 131762381493039760, + "unique_pid": 75273, + "user_domain": "vagrant", + "user_name": "vagrant" + }, + { + "destination_address": "10.6.48.157", + "destination_port": 8000, + "event_subtype_full": "ipv4_connection_attempt_event", + "event_type": "network", + "event_type_full": "network_event", + "mysterious_field": { + "num": 100, + "outer_cross_match": "s3-c-x-y", + "subarray": [ + { + "a": "s0-a", + "b": [ + "s0-b" + ], + "c": [ + { + "x": { + "y": "s0-c-x-y" + }, + "z": "s0-c0-x-z" + }, + { + "x": { + "y": "s0-c-x-y" + }, + "z": "s0-c1-x-z" + } + ], + "cross_match": "s0-c1-x-z" + }, + { + "a": "s1-a", + "b": [ + "s1-b" + ], + "c": [] + }, + { + "a": "s2-a", + "b": [ + "s2-b" + ], + "c": [] + }, + { + "a": "s3-a", + "b": [ + "s3-b" + ], + "c": [ + { + "x": { + "y": "s3-c-x-y" + }, + "z": "s3-c-x-z" + } + ] + } + ], + "this_is_for_testing_nested_data": "true" + }, + "opcode": 12, + "pid": 10000, + "process_name": "MSBuild.exe", + "process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe", + "protocol": "tcp", + "serial_event_id": 75305, + "source_address": "10.6.48.157", + "source_port": 52178, + "subtype": "outgoing", + "timestamp": 131762381493039760, + "unique_pid": 99999, + "user_domain": "vagrant", + "user_name": "vagrant" + } +] 
diff --git a/x-pack/plugin/eql/src/test/resources/test_queries.toml b/x-pack/plugin/eql/src/test/resources/test_queries.toml
new file mode 100644
index 00000000000..e2ee95c12e2
--- /dev/null
+++ b/x-pack/plugin/eql/src/test/resources/test_queries.toml
@@ -0,0 +1,1298 @@ +[[queries]] +query = 'process where serial_event_id = 1' +expected_event_ids = [1] + +[[queries]] +query = 'process where serial_event_id < 4' +expected_event_ids = [1, 2, 3] + +[[queries]] +query = 'process where true | head 6' +expected_event_ids = [1, 2, 3, 4, 5, 6] + +[[queries]] +query = 'process where false' +expected_event_ids = [] + +[[queries]] +expected_event_ids = [] +query = 'process where missing_field != null' + +[[queries]] +expected_event_ids = [1, 2, 3, 4, 5] +query = 'process where bad_field == null | head 5' + +[[queries]] +query = ''' + process where process_name == "impossible name" or (serial_event_id < 4.5 and serial_event_id >= 3.1) +''' +expected_event_ids = [4] + +[[queries]] +tags = ["comparisons", "pipes"] +query = ''' +process where serial_event_id <= 8 and serial_event_id > 7 +| filter serial_event_id == 8''' +expected_event_ids = [8] + +[[queries]] +query = ''' +process where true +| filter serial_event_id <= 10 +| filter serial_event_id > 6''' +expected_event_ids = [7, 8, 9, 10] + +[[queries]] +query = ''' +process where true +| filter serial_event_id <= 10 +| filter serial_event_id > 6 +| head 2''' +expected_event_ids = [7, 8] + +[[queries]] +query = ''' +process where true +| head 1000 +| filter serial_event_id <= 10 +| filter serial_event_id > 6 +| tail 2 +''' +expected_event_ids = [9, 10] + +[[queries]] +query = ''' +process where serial_event_id<=8 and serial_event_id > 7 +''' +expected_event_ids = [8] + +[[queries]] +note = "check that comparisons against null values return false" +expected_event_ids = [58, 64, 69, 74, 80, 85, 90, 93, 94, 75303] +query = 'process where exit_code >= 0' + +[[queries]] +note = "check that comparisons against null values return false" +expected_event_ids = [58, 64, 69, 74, 80, 85, 90, 93, 94, 75303] +query = 'process where 0 <= exit_code' + +[[queries]] +note = "check that comparisons against null values return false" +expected_event_ids = [58, 64, 69, 74, 80, 85, 90, 93, 94, 
75303] +query = 'process where exit_code <= 0' + +[[queries]] +note = "check that comparisons against null values return false" +expected_event_ids = [58, 64, 69, 74, 80, 85, 90, 93, 94, 75303] +query = 'process where exit_code < 1' + +[[queries]] +note = "check that comparisons against null values return false" +expected_event_ids = [58, 64, 69, 74, 80, 85, 90, 93, 94, 75303] +query = 'process where exit_code > -1' + +[[queries]] +note = "check that comparisons against null values return false" +expected_event_ids = [58, 64, 69, 74, 80, 85, 90, 93, 94, 75303] +query = 'process where -1 < exit_code' + +[[queries]] +note = "check that comparisons against null values return false" +expected_event_ids = [] +query = ''' +process where not (exit_code > -1) + and serial_event_id in (58, 64, 69, 74, 80, 85, 90, 93, 94) +| head 10 +''' + +[[queries]] +note = "check that comparisons against null values return false" +expected_event_ids = [1, 2, 3, 4, 5, 6, 7] +query = 'process where not (exit_code > -1) | head 7' + +[[queries]] +note = "check that comparisons against null values return false" +expected_event_ids = [1, 2, 3, 4, 5, 6, 7] +query = 'process where not (-1 < exit_code) | head 7' + +[[queries]] +query = 'process where exit_code > 0' +expected_event_ids = [] + +[[queries]] +query = 'process where exit_code < 0' +expected_event_ids = [] + +[[queries]] +query = 'process where 0 < exit_code' +expected_event_ids = [] + +[[queries]] +query = 'process where 0 > exit_code' +expected_event_ids = [] + +[[queries]] +query = 'process where (serial_event_id<=8 and serial_event_id > 7) and (opcode=3 and opcode>2)' +expected_event_ids = [8] + +[[queries]] +query = 'process where (serial_event_id<9 and serial_event_id >= 7) or (opcode == pid)' +expected_event_ids = [7, 8] + +[[queries]] +query = 'process where process_name == "VMACTHLP.exe" and unique_pid == 12 | filter true' +expected_event_ids = [12] + +[[queries]] +query = ''' +process where process_name in ("python.exe", 
"SMSS.exe", "explorer.exe") +| unique process_name''' +expected_event_ids = [3, 34, 48] + +[[queries]] +query = ''' +process where process_name in ("python.exe", "smss.exe", "Explorer.exe") +| unique length(process_name)''' +expected_event_ids = [3, 34, 48] + +[[queries]] +query = ''' +process where process_name in ("python.exe", "smss.exe", "explorer.exe") +| unique length(process_name) == length("python.exe")''' +expected_event_ids = [3, 48] + +[[queries]] +query = ''' +process where process_name in ("Python.exe", "smss.exe", "explorer.exe") +| unique process_name != "python.exe"''' +expected_event_ids = [3, 48] + +[[queries]] +query = ''' +process where process_name in ("python.exe", "smss.exe", "explorer.exe") +| unique process_name +| head 2 +| tail 1''' +expected_event_ids = [34] + +[[queries]] +query = ''' +process where process_name in ("python.exe", "smss.exe", "explorer.exe") +| unique process_name +| tail 2 +| head 1''' +expected_event_ids = [34] + +[[queries]] +query = ''' +process where process_name in ("python.exe", "smss.exe") +| unique process_name parent_process_name''' +expected_event_ids = [3, 48, 50, 54, 78] + +[[queries]] +query = ''' +process where process_name in ("python.exe", "smss.exe") +| unique process_name, parent_process_name''' +expected_event_ids = [3, 48, 50, 54, 78] + +[[queries]] +query = ''' +process where process_name in ("python.exe", "smss.exe") +| head 5 +| unique process_name parent_process_name''' +expected_event_ids = [3, 48, 50, 54] + +[[queries]] +expected_event_ids = [57] +query = ''' +registry where length(bytes_written_string_list) == 2 and bytes_written_string_list[1] == "EN"''' + +[[queries]] +query = ''' +registry where key_path == "*\\MACHINE\\SAM\\SAM\\*\\Account\\Us*ers\\00*03E9\\F"''' +expected_event_ids = [79] + +[[queries]] +query = ''' +process where process_path == "*\\red_ttp\\wininit.*" and opcode in (0,1,2,3,4)''' +expected_event_ids = [84, 85] + +[[queries]] +query = ''' +file where file_name == 
"csrss.exe" and opcode=0 + and descendant of [process where opcode in (1,3) and process_name="cmd.exe"] +''' +expected_event_ids = [72] + +[[queries]] +query = ''' +process where opcode=1 and process_name == "csrss.exe" + and descendant of [file where file_name == "csrss.exe" and opcode=0] +''' +expected_event_ids = [73] + +[[queries]] +query = ''' +process where opcode=1 and process_name == "smss.exe" + and descendant of [ + file where file_name == "csrss.exe" and opcode=0 + and descendant of [ + process where opcode in(1,3) and process_name="cmd.exe" + ] + ] +''' +expected_event_ids = [78] + +[[queries]] +query = ''' +file where file_path="*\\red_ttp\\winin*.*" + and opcode in (0,1,2) and user_name="vagrant" +''' +expected_event_ids = [83, 86] + +[[queries]] +query = ''' +file where file_path="*\\red_ttp\\winin*.*" + and opcode not in (0,1,2) and user_name="vagrant" +''' +expected_event_ids = [] + +[[queries]] +query = ''' +file where file_path="*\\red_ttp\\winin*.*" + and opcode not in (3, 4, 5, 6 ,7) and user_name="vagrant" +''' +expected_event_ids = [83, 86] + + +[[queries]] +query = ''' +file where file_name in ("wininit.exe", "lsass.exe") and opcode == 2 +''' +expected_event_ids = [65, 86] + +[[queries]] +query = ''' +file where true +| tail 3''' +expected_event_ids = [92, 95, 96] + +[[queries]] +query = ''' +process where opcode in (1,3) and process_name in (parent_process_name, "SYSTEM") +''' +expected_event_ids = [2, 50, 51] + +[[queries]] +expected_event_ids = [92, 95, 96, 91] +query = ''' +file where true +| tail 4 +| sort file_path''' + +[[queries]] +expected_event_ids = [2, 1, 4, 3, 5] +query = ''' +process where true +| head 5 +| sort md5 event_subtype_full process_name''' + +[[queries]] +expected_event_ids = [2, 1, 4, 3, 5] +query = ''' +process where true +| head 5 +| sort md5 event_subtype_full null_field process_name''' + +[[queries]] +expected_event_ids = [2, 1, 4, 3, 5] +query = ''' +process where true +| head 5 +| sort md5, event_subtype_full, 
null_field, process_name''' + +[[queries]] +expected_event_ids = [2, 1] +query = ''' +process where true +| head 5 +| sort md5 event_subtype_full null_field process_name +| head 2''' + +[[queries]] +expected_event_ids = [1, 2, 3, 4, 5] +query = ''' +process where true +| head 5 +| sort md5 event_subtype_full null_field process_name +| sort serial_event_id''' + +[[queries]] +query = ''' +sequence + [process where serial_event_id = 1] + [process where serial_event_id = 2] +''' +expected_event_ids = [1, 2] + +[[queries]] +query = ''' +sequence + [process where serial_event_id < 5] + [process where serial_event_id = 5] +''' +expected_event_ids = [4, 5] + +[[queries]] +query = ''' +sequence + [process where serial_event_id=1] by unique_pid + [process where true] by unique_ppid''' +expected_event_ids = [1, 2] + +[[queries]] +query = ''' +sequence + [process where serial_event_id<3] by unique_pid + [process where true] by unique_ppid +''' +expected_event_ids = [1, 2, 2, 3] + +[[queries]] +query = ''' +sequence + [process where serial_event_id<3] by unique_pid * 2 + [process where true] by unique_ppid * 2 +''' +expected_event_ids = [1, 2, 2, 3] + + +[[queries]] +query = ''' +sequence + [process where serial_event_id<3] by unique_pid * 2, length(unique_pid), string(unique_pid) + [process where true] by unique_ppid * 2, length(unique_ppid), string(unique_ppid) +''' +expected_event_ids = [1, 2, 2, 3] + + +[[queries]] +query = ''' +sequence + [file where event_subtype_full == "file_create_event"] by file_path + [process where opcode == 1] by process_path + [process where opcode == 2] by process_path + [file where event_subtype_full == "file_delete_event"] by file_path +| head 4 +| tail 2''' +expected_event_ids = [67, 68, 69, 70, 72, 73, 74, 75] + +[[queries]] +query = ''' +sequence with maxspan=1d + [file where event_subtype_full == "file_create_event"] by file_path + [process where opcode == 1] by process_path + [process where opcode == 2] by process_path + [file where 
event_subtype_full == "file_delete_event"] by file_path +| head 4 +| tail 2''' +expected_event_ids = [67, 68, 69, 70, 72, 73, 74, 75] + +[[queries]] +query = ''' +sequence with maxspan=1h + [file where event_subtype_full == "file_create_event"] by file_path + [process where opcode == 1] by process_path + [process where opcode == 2] by process_path + [file where event_subtype_full == "file_delete_event"] by file_path +| head 4 +| tail 2''' +expected_event_ids = [67, 68, 69, 70, 72, 73, 74, 75] + +[[queries]] +query = ''' +sequence with maxspan=1m + [file where event_subtype_full == "file_create_event"] by file_path + [process where opcode == 1] by process_path + [process where opcode == 2] by process_path + [file where event_subtype_full == "file_delete_event"] by file_path +| head 4 +| tail 2''' +expected_event_ids = [67, 68, 69, 70, 72, 73, 74, 75] + +[[queries]] +query = ''' +sequence with maxspan=10s + [file where event_subtype_full == "file_create_event"] by file_path + [process where opcode == 1] by process_path + [process where opcode == 2] by process_path + [file where event_subtype_full == "file_delete_event"] by file_path +| head 4 +| tail 2''' +expected_event_ids = [67, 68, 69, 70, 72, 73, 74, 75] + +[[queries]] +query = ''' +sequence with maxspan=0.5s + [file where event_subtype_full == "file_create_event"] by file_path + [process where opcode == 1] by process_path + [process where opcode == 2] by process_path + [file where event_subtype_full == "file_delete_event"] by file_path +| head 4 +| tail 2''' +expected_event_ids = [] + +[[queries]] +query = ''' +sequence + [process where serial_event_id < 5] + [process where serial_event_id < 5] +''' +expected_event_ids = [1, 2, 2, 3, 3, 4] + +[[queries]] +query = ''' +sequence + [file where opcode=0 and file_name="svchost.exe"] by unique_pid + [process where opcode == 1] by unique_ppid +''' +expected_event_ids = [55, 56] + +[[queries]] +query = ''' +sequence + [file where opcode=0] by unique_pid + [file where 
opcode=0] by unique_pid +| head 1''' +expected_event_ids = [55, 61] + +[[queries]] +query = ''' +sequence + [file where opcode=0] by unique_pid + [file where opcode=0] by unique_pid +| filter events[1].serial_event_id == 92''' +expected_event_ids = [87, 92] + +[[queries]] +query = ''' +sequence + [file where opcode=0 and file_name="*.exe"] by unique_pid + [file where opcode=0 and file_name="*.exe"] by unique_pid +until [process where opcode=5000] by unique_ppid +| head 1''' +expected_event_ids = [55, 61] + +[[queries]] +query = ''' +sequence + [file where opcode=0 and file_name="*.exe"] by unique_pid + [file where opcode=0 and file_name="*.exe"] by unique_pid +until [process where opcode=1] by unique_ppid +| head 1''' +expected_event_ids = [] + +[[queries]] +query = ''' +join + [file where opcode=0 and file_name="*.exe"] by unique_pid + [file where opcode=2 and file_name="*.exe"] by unique_pid +until [process where opcode=1] by unique_ppid +| head 1''' +expected_event_ids = [61, 59] + +[[queries]] +query = ''' +join by user_name + [process where opcode in (1,3) and process_name="smss.exe"] + [process where opcode in (1,3) and process_name == "python.exe"] +''' +expected_event_ids = [78, 48] + +[[queries]] +query = ''' +join by unique_pid + [process where opcode=1] + [file where opcode=0 and file_name="svchost.exe"] + [file where opcode == 0 and file_name == "lsass.exe"]''' +expected_event_ids = [54, 55, 61] + +[[queries]] +query = ''' +join by string(unique_pid) + [process where opcode=1] + [file where opcode=0 and file_name="svchost.exe"] + [file where opcode == 0 and file_name == "lsass.exe"]''' +expected_event_ids = [54, 55, 61] + +[[queries]] +query = ''' +join by unique_pid + [process where opcode=1] + [file where opcode=0 and file_name="svchost.exe"] + [file where opcode == 0 and file_name == "lsass.exe"] +until [file where opcode == 2]''' +expected_event_ids = [] + +[[queries]] +query = ''' +join by string(unique_pid), unique_pid, unique_pid * 2 + [process 
where opcode=1] + [file where opcode=0 and file_name="svchost.exe"] + [file where opcode == 0 and file_name == "lsass.exe"] +until [file where opcode == 2]''' +expected_event_ids = [] + +[[queries]] +query = ''' +join + [file where opcode=0 and file_name="svchost.exe"] by unique_pid + [process where opcode == 1] by unique_ppid +''' +expected_event_ids = [55, 56] + +[[queries]] +query = ''' +join by unique_pid + [process where opcode in (1,3) and process_name="python.exe"] + [file where file_name == "*.exe"]''' +expected_event_ids = [54, 55] + +[[queries]] +query = ''' +join by user_name + [process where opcode in (1,3) and process_name="python.exe"] + [process where opcode in (1,3) and process_name == "smss.exe"] +''' +expected_event_ids = [48, 78] + +[[queries]] +query = ''' +join + [process where opcode in (1,3) and process_name="python.exe"] + [process where opcode in (1,3) and process_name == "smss.exe"] +''' +expected_event_ids = [48, 3, 50, 78] + +[[queries]] +expected_event_ids = [] +query = ''' +process where fake_field == "*"''' + +[[queries]] +expected_event_ids = [1, 2, 3, 4] +query = ''' +process where fake_field != "*" +| head 4''' + +[[queries]] +expected_event_ids = [1, 2, 3, 4] +query = ''' +process where not (fake_field == "*") +| head 4''' + +[[queries]] +expected_event_ids = [] +query = ''' +registry where invalid_field_name != null''' + +[[queries]] +expected_event_ids = [] +query = ''' +registry where length(bad_field) > 0 +''' + +[[queries]] +query = ''' +process where opcode == 1 + and process_name in ("net.exe", "net1.exe") + and not (parent_process_name == "net.exe" + and process_name == "net1.exe") + and command_line == "*group *admin*" and command_line != "* /add*"''' +expected_event_ids = [97] + +[[queries]] +expected_event_ids = [1, 55, 57, 63, 75304] +query = ''' +any where true +| unique event_type_full''' + +[[queries]] +query = ''' +process where opcode=1 and process_name in ("services.exe", "smss.exe", "lsass.exe") + and descendant 
of [process where process_name == "cmd.exe" ]''' +expected_event_ids = [62, 68, 78] + +[[queries]] +query = ''' +process where process_name in ("services.exe", "smss.exe", "lsass.exe") + and descendant of [process where process_name == "cmd.exe" ]''' +expected_event_ids = [62, 64, 68, 69, 78, 80] + +[[queries]] +query = ''' +process where opcode=2 and process_name in ("services.exe", "smss.exe", "lsass.exe") + and descendant of [process where process_name == "cmd.exe" ]''' +expected_event_ids = [64, 69, 80] + +[[queries]] +query = ''' +process where process_name="svchost.exe" + and child of [file where file_name="svchost.exe" and opcode=0]''' +expected_event_ids = [56, 58] + +[[queries]] +query = ''' +process where process_name="svchost.exe" + and not child of [file where file_name="svchost.exe" and opcode=0] +| head 3''' +expected_event_ids = [11, 13, 15] + +[[queries]] +query = ''' +process where process_name="lsass.exe" + and child of [ + process where process_name="python.exe" + and child of [process where process_name="cmd.exe"] + ] +''' +expected_event_ids = [62, 64] + +[[queries]] +query = ''' +file where child of [ + process where child of [ + process where child of [process where process_name="*wsmprovhost.exe"] + ] +] +| tail 1''' +expected_event_ids = [91] + +[[queries]] +query = ''' +file where process_name = "python.exe" +| unique unique_pid''' +expected_event_ids = [55, 95] + +[[queries]] +query = ''' +file where event of [process where process_name = "python.exe" ] +| unique unique_pid''' +expected_event_ids = [55, 95] + +[[queries]] +query = ''' +process where process_name = "python.exe"''' +expected_event_ids = [48, 50, 51, 54, 93] + +[[queries]] +query = 'process where event of [process where process_name = "python.exe" ]' +expected_event_ids = [48, 50, 51, 54, 93] + +[[queries]] +query = ''' +sequence + [file where file_name="lsass.exe"] by file_path,process_path + [process where true] by process_path,parent_process_path +''' +expected_event_ids 
= [61, 62] + +[[queries]] +query = ''' +sequence by user_name + [file where file_name="lsass.exe"] by file_path, process_path + [process where true] by process_path, parent_process_path +''' +expected_event_ids = [61, 62] + +[[queries]] +query = ''' +sequence by pid + [file where file_name="lsass.exe"] by file_path,process_path + [process where true] by process_path,parent_process_path +''' +expected_event_ids = [] + +[[queries]] +query = ''' +sequence by user_name + [file where opcode=0] by file_path + [process where opcode=1] by process_path + [process where opcode=2] by process_path + [file where opcode=2] by file_path +| tail 1''' +expected_event_ids = [88, 89, 90, 91] + +[[queries]] +query = ''' +sequence by user_name + [file where opcode=0] by pid,file_path + [file where opcode=2] by pid,file_path +until [process where opcode=2] by ppid,process_path +''' +expected_event_ids = [] + +[[queries]] +query = ''' +sequence by user_name + [file where opcode=0] by pid,file_path + [file where opcode=2] by pid,file_path +until [process where opcode=5] by ppid,process_path +| head 2''' +expected_event_ids = [55, 59, 61, 65] + +[[queries]] +query = ''' +sequence by pid + [file where opcode=0] by file_path + [process where opcode=1] by process_path + [process where opcode=2] by process_path + [file where opcode=2] by file_path +| tail 1''' +expected_event_ids = [] + +[[queries]] +query = ''' +join by user_name + [file where true] by pid,file_path + [process where true] by ppid,process_path +| head 2''' +expected_event_ids = [55, 56, 59, 58] + +[[queries]] +query = ''' +sequence + [process where true] by unique_pid + [file where true] fork=true by unique_pid + [process where true] by unique_ppid +| head 4''' +expected_event_ids = [54, 55, 56, 54, 61, 62, 54, 67, 68, 54, 72, 73] + +[[queries]] +query = ''' +process where command_line == "*%*" ''' +expected_event_ids = [4, 6, 28] + +[[queries]] +query = ''' +process where command_line == "*%*%*" ''' +expected_event_ids = [4, 
6, 28] + +[[queries]] +query = ''' +process where command_line == "%*%*" ''' +expected_event_ids = [4, 6, 28] + +[[queries]] +expected_event_ids = [11, 60, 63] +query = ''' +any where process_name == "svchost.exe" +| unique_count event_type_full process_name''' + +[[queries]] +expected_event_ids = [63, 60, 11] +query = ''' +any where process_name == "svchost.exe" +| sort event_type_full serial_event_id +| unique_count event_type_full process_name''' + +[[queries]] +expected_event_ids = [60] +query = ''' +any where process_name == "svchost.exe" +| unique_count event_type_full opcode +| filter count == 7''' + +[[queries]] +expected_event_ids = [11] +query = ''' +any where process_name == "svchost.exe" +| unique_count event_type_full opcode +| filter percent >= .5 +''' + +[[queries]] +expected_event_ids = [57] +query = ''' +registry where arrayContains(bytes_written_string_list, 'En-uS')''' + +[[queries]] +expected_event_ids = [57] +query = ''' +registry where arrayContains(bytes_written_string_list, 'En')''' + +[[queries]] +expected_event_ids = [57] +query = ''' +registry where length(bytes_written_string_list) > 0 and bytes_written_string_list[0] == 'EN-us' +''' + +[[queries]] +expected_event_ids = [57] +query = ''' +registry where bytes_written_string_list[0] == 'EN-us' +''' + +[[queries]] +expected_event_ids = [57] +query = ''' +registry where bytes_written_string_list[1] == 'EN' +''' + +[[queries]] +query = ''' +process where matchLite(?'.*?net1\s+localgroup\s+.*?', command_line) +''' +expected_event_ids = [98] + +[[queries]] +query = ''' +process where matchLite(?'.*?net1\s+\w+\s+.*?', command_line) +''' +expected_event_ids = [98] + +[[queries]] +query = ''' +process where matchLite(?'.*?net1\s+\w{4,15}\s+.*?', command_line) +''' +expected_event_ids = [98] + +[[queries]] +expected_event_ids = [98] +query = ''' +process where match(?'.*?net1\s+\w{4,15}\s+.*?', command_line) +''' + +[[queries]] +query = ''' +process where 
matchLite(?'.*?net1\s+[localgrup]{4,15}\s+.*?', command_line) +''' +expected_event_ids = [98] + +[[queries]] +query = ''' +process where 'net.EXE' == original_file_name +| filter process_name="net*.exe" +''' +expected_event_ids = [97] +note = "check that case insensitive comparisons are performed even for lhs strings." + +[[queries]] +query = ''' +process where process_name == original_file_name +| filter process_name='net*.exe' +''' +expected_event_ids = [97, 98] +note = "check that case insensitive comparisons are performed for fields." + +[[queries]] +query = ''' +process where original_file_name == process_name +| filter length(original_file_name) > 0 +''' +expected_event_ids = [97, 98, 75273, 75303] +description = "check that case insensitive comparisons are performed for fields." + +[[queries]] +query = ''' +file where opcode=0 and startsWith(file_name, 'exploRER.') +''' +expected_event_ids = [88, 92] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and startsWith(file_name, 'expLORER.exe') +''' +expected_event_ids = [88, 92] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and endsWith(file_name, 'loREr.exe')''' +expected_event_ids = [88] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and startsWith(file_name, 'explORER.EXE')''' +expected_event_ids = [88, 92] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and startsWith('explorer.exeaaaaaaaa', file_name)''' +expected_event_ids = [88] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and serial_event_id = 88 and startsWith('explorer.exeaAAAA', 'EXPLORER.exe')''' +expected_event_ids = [88] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and stringContains('ABCDEFGHIexplorer.exeJKLMNOP', file_name) +''' 
+expected_event_ids = [88] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and indexOf(file_name, 'plore') == 2 and not indexOf(file_name, '.pf') +''' +expected_event_ids = [88] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and indexOf(file_name, 'explorer.') and indexOf(file_name, 'plore', 100) +''' +expected_event_ids = [] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and indexOf(file_name, 'plorer.', 0) == 2''' +expected_event_ids = [88, 92] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and indexOf(file_name, 'plorer.', 2)''' +expected_event_ids = [88, 92] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and indexOf(file_name, 'plorer.', 4)''' +expected_event_ids = [] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and indexOf(file_name, 'thing that never happened')''' +expected_event_ids = [] +description = "check built-in string functions" + +[[queries]] +query = ''' +file where opcode=0 and indexOf(file_name, 'plorer.', 2) == 2''' +expected_event_ids = [88, 92] +description = "check substring ranges" + +[[queries]] +query = ''' +file where opcode=0 and indexOf(file_name, 'explorer.', 0) == 0''' +expected_event_ids = [88, 92] +description = "check substring ranges" + +[[queries]] +query = ''' +file where serial_event_id=88 and substring(file_name, 0, 4) == 'expl' +''' +expected_event_ids = [88] +description = "check substring ranges" + +[[queries]] +query = ''' +file where serial_event_id=88 and substring(file_name, 1, 3) == 'xp' +''' +expected_event_ids = [88] +description = "chaeck substring ranges" + +[[queries]] +query = ''' +file where serial_event_id=88 and substring(file_name, -4) == '.exe' +''' +expected_event_ids = [88] +description = "check substring 
ranges" + +[[queries]] +query = ''' +file where serial_event_id=88 and substring(file_name, -4, -1) == '.ex' +''' +expected_event_ids = [88] +description = "check substring ranges" + +[[queries]] +query = ''' +process where add(serial_event_id, 0) == 1 and add(0, 1) == serial_event_id''' +expected_event_ids = [1] +description = "test built-in math functions" + +[[queries]] +query = ''' +process where subtract(serial_event_id, -5) == 6''' +expected_event_ids = [1] +description = "test built-in math functions" + +[[queries]] +query = ''' +process where multiply(6, serial_event_id) == 30 and divide(30, 4.0) == 7.5''' +expected_event_ids = [5] +description = "test built-in math functions" + +[[queries]] +query = ''' +process where modulo(11, add(serial_event_id, 1)) == serial_event_id''' +expected_event_ids = [1, 2, 3, 5, 11] +description = "test built-in math functions" + +[[queries]] +query = ''' +process where serial_event_id == number('5')''' +expected_event_ids = [5] +description = "test string/number conversions" + +[[queries]] +expected_event_ids = [50] +description = "test string/number conversions" +query = ''' +process where serial_event_id == number('0x32', 16)''' + +[[queries]] +expected_event_ids = [50] +description = "test string/number conversions" +query = ''' +process where serial_event_id == number('32', 16)''' + +[[queries]] +query = ''' +process where number(serial_event_id) == number(5)''' +expected_event_ids = [5] +description = "test string/number conversions" + +[[queries]] +query = ''' +process where concat(serial_event_id, ':', process_name, opcode) == '5:winINIT.exe3' +''' +expected_event_ids = [5] +description = "test string concatenation" + +[[queries]] +query = ''' +process where process_name != original_file_name +| filter length(original_file_name) > 0''' +expected_event_ids = [] +description = "check that case insensitive comparisons are performed for fields." 
+ +[[queries]] +query = ''' +sequence by unique_pid [process where opcode=1 and process_name == 'msbuild.exe'] [network where true]''' +expected_event_ids = [75273, 75304] +description = "test that process sequences are working correctly" + +[[queries]] +expected_event_ids = [57] +description = "test arraySearch functionality for lists of strings, and lists of objects" +query = ''' +registry where arraySearch(bytes_written_string_list, a, a == 'en-us')''' + +[[queries]] +expected_event_ids = [57] +description = "test arraySearch functionality for lists of strings, and lists of objects" +query = ''' +registry where arraySearch(bytes_written_string_list, a, endsWith(a, '-us'))''' + +[[queries]] +expected_event_ids = [75305] +description = "test arraySearch - true" +query = ''' +network where mysterious_field + and arraySearch(mysterious_field.subarray, s, true) +''' + +[[queries]] +expected_event_ids = [] +description = "test arraySearch - false" +query = ''' +network where mysterious_field and arraySearch(mysterious_field.subarray, s, false) +''' + +[[queries]] +expected_event_ids = [75305] +description = "test arraySearch - conditional" +query = ''' +network where mysterious_field and arraySearch(mysterious_field.subarray, s, s.a == 's0-*') +''' + +[[queries]] +expected_event_ids = [75305] +description = "test arraySearch - conditional" +query = ''' +network where mysterious_field and arraySearch(mysterious_field.subarray, s, s.a != 's0-*') +''' + +[[queries]] +expected_event_ids = [75305] +description = "test arraySearch - nested" +query = ''' +network where mysterious_field + and arraySearch(mysterious_field.subarray, sub1, + arraySearch(sub1.c, nested, nested.x.y == '*')) +''' + +[[queries]] +expected_event_ids = [75305] +description = "test arraySearch - nested with cross-check pass" +query = ''' +network where mysterious_field + and arraySearch(mysterious_field.subarray, sub1, + sub1.a == 's0-a' and arraySearch(sub1.c, nested, nested.z == 's0-c1-x-z')) +''' + 
+[[queries]] +expected_event_ids = [75305] +description = "test arraySearch - nested with cross-check pass" +query = ''' +network where mysterious_field + and arraySearch(mysterious_field.subarray, sub1, + sub1.a == 's0-a' and arraySearch(sub1.c, nested, nested.z == sub1.cross_match)) +''' + +[[queries]] +expected_event_ids = [75305] +description = "test arraySearch - nested with cross-check pass" +query = ''' +network where mysterious_field + and arraySearch(mysterious_field.subarray, sub1, + arraySearch(sub1.c, nested, nested.x.y == mysterious_field.outer_cross_match)) +''' + +[[queries]] +expected_event_ids = [] +description = "test 'safe()' wrapper for exception handling" +query = ''' +network where safe(divide(process_name, process_name)) +''' + +[[queries]] +query = ''' +file where serial_event_id == 82 and (true == (process_name in ('svchost.EXE', 'bad.exe', 'bad2.exe'))) +''' +expected_event_ids = [82] +description = "nested set comparisons" + +[[queries]] +expected_event_ids = [57] +query = ''' +registry where arrayCount(bytes_written_string_list, s, s == '*-us') == 1 +''' + +[[queries]] +expected_event_ids = [57] +query = ''' +registry where arrayCount(bytes_written_string_list, s, s == '*en*') == 2 +''' + +[[queries]] +expected_event_ids = [57] +query = ''' +registry where arrayContains(bytes_written_string_list, "missing", "en-US") +''' + +[[queries]] +expected_event_ids = [82] +query = "file where serial_event_id - 1 == 81" + +[[queries]] +expected_event_ids = [82] +query = "file where serial_event_id + 1 == 83" + +[[queries]] +expected_event_ids = [82] +query = "file where serial_event_id * 2 == 164" + +[[queries]] +expected_event_ids = [82] +query = "file where serial_event_id / 2 == 41" + +[[queries]] +expected_event_ids = [82] +query = "file where serial_event_id % 40 == 2" + +[[queries]] +expected_event_ids = [1, 2] +query = ''' +process where between(process_name, "s", "e") == "yst" +''' + +[[queries]] +expected_event_ids = [1, 2] +query = ''' 
+process where between(process_name, "s", "e", false) == "yst" +''' + +[[queries]] +expected_event_ids = [] +query = ''' +process where between(process_name, "s", "e", false, true) == "yst" +''' + +[[queries]] +expected_event_ids = [1, 2, 42] +query = ''' +process where between(process_name, "s", "e", false, true) == "t" +''' + +[[queries]] +expected_event_ids = [1, 2] +query = ''' +process where between(process_name, "S", "e", false, true) == "yst" +''' + +[[queries]] +expected_event_ids = [1] +query = ''' +process where between(process_name, "s", "e", true) == "ystem Idle Proc" +''' + +[[queries]] +expected_event_ids = [95] +query = ''' +file where between(file_path, "dev", ".json", false) == "\\testlogs\\something" +''' + +[[queries]] +expected_event_ids = [95] +query = ''' +file where between(file_path, "dev", ".json", true) == "\\testlogs\\something" +''' + +[[queries]] +expected_event_ids = [75304, 75305] +query = ''' +network where cidrMatch(source_address, "10.6.48.157/8") +''' + +[[queries]] +expected_event_ids = [] +query = ''' +network where cidrMatch(source_address, "192.168.0.0/16") +''' + +[[queries]] +expected_event_ids = [75304, 75305] +query = ''' +network where cidrMatch(source_address, "192.168.0.0/16", "10.6.48.157/8") + +''' +[[queries]] +expected_event_ids = [75304, 75305] +query = ''' +network where cidrMatch(source_address, "0.0.0.0/0") +''' + +[[queries]] +expected_event_ids = [7, 14, 22, 29, 44] +query = ''' +process where length(between(process_name, 'g', 'e')) > 0 +''' + +[[queries]] +expected_event_ids = [] +query = ''' +process where length(between(process_name, 'g', 'z')) > 0 +''' diff --git a/x-pack/plugin/eql/src/test/resources/test_queries_unsupported.toml b/x-pack/plugin/eql/src/test/resources/test_queries_unsupported.toml new file mode 100644 index 00000000000..f8a96eaef12 --- /dev/null +++ b/x-pack/plugin/eql/src/test/resources/test_queries_unsupported.toml 
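Review bot: Every entry of this file is duplicated verbatim into test_queries_unsupported.toml in the next hunk, and if the harness matches blacklist entries by query text (inferred; EqlSpecLoader is not in this hunk) then any edit to one copy — for example fixing the typo in `description = "chaeck substring ranges"` or adding the blank line missing before the `[[queries]]` that follows `cidrMatch(source_address, "192.168.0.0/16", "10.6.48.157/8")` — silently changes which queries are treated as unsupported. A header comment such as `# Verbatim copy of the upstream EQL test_queries.toml (revision PLACEHOLDER); do not hand-edit, re-sync from upstream instead` would tell the next maintainer that this file is a reference vector rather than a place to fix wording. It would also help if the loader failed the run when a blacklist entry matches no query in this file, so drift between the two copies shows up as a test failure rather than as silently reduced coverage.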
@@ -0,0 +1,1309 @@
+# This file is populated with currently unsupported queries.
+# Serves as a blacklist, until our implementation starts supporting a specific query
+# This file is expected to become empty once the feature parity is reached with the
+# official EQL implementation
+
+# The query below is the first query from the test_queries.toml
+# and is currently "emulated" as supported with the hardcoded response
+# in order to allow at least one round-trip test with the test harness.
+# This will be removed once the EQL implementation is wired and actually supports this query.
+
+# [[queries]]
+# query = 'process where serial_event_id = 1'
+# expected_event_ids = [1]
+
+[[queries]]
+query = 'process where serial_event_id < 4'
+expected_event_ids = [1, 2, 3]
+
+[[queries]]
+query = 'process where true | head 6'
+expected_event_ids = [1, 2, 3, 4, 5, 6]
+
+[[queries]]
+query = 'process where false'
+expected_event_ids = []
+
+[[queries]]
+expected_event_ids = []
+query = 'process where missing_field != null'
+
+[[queries]]
+expected_event_ids = [1, 2, 3, 4, 5]
+query = 'process where bad_field == null | head 5'
+
+[[queries]]
+query = '''
+ process where process_name == "impossible name" or (serial_event_id < 4.5 and serial_event_id >= 3.1)
+'''
+expected_event_ids = [4]
+
+[[queries]]
+tags = ["comparisons", "pipes"]
+query = '''
+process where serial_event_id <= 8 and serial_event_id > 7
+| filter serial_event_id == 8'''
+expected_event_ids = [8]
+
+[[queries]]
+query = '''
+process where true
+| filter serial_event_id <= 10
+| filter serial_event_id > 6'''
+expected_event_ids = [7, 8, 9, 10]
+
+[[queries]]
+query = '''
+process where true
+| filter serial_event_id <= 10
+| filter serial_event_id > 6
+| head 2'''
+expected_event_ids = [7, 8]
+
+[[queries]]
+query = '''
+process where true
+| head 1000
+| filter serial_event_id <= 10
+| filter serial_event_id > 6
+| tail 2
+'''
+expected_event_ids = [9, 10]
+
+[[queries]]
+query = '''
+process where
serial_event_id<=8 and serial_event_id > 7
+'''
+expected_event_ids = [8]
+
+[[queries]]
+note = "check that comparisons against null values return false"
+expected_event_ids = [58, 64, 69, 74, 80, 85, 90, 93, 94, 75303]
+query = 'process where exit_code >= 0'
+
+[[queries]]
+note = "check that comparisons against null values return false"
+expected_event_ids = [58, 64, 69, 74, 80, 85, 90, 93, 94, 75303]
+query = 'process where 0 <= exit_code'
+
+[[queries]]
+note = "check that comparisons against null values return false"
+expected_event_ids = [58, 64, 69, 74, 80, 85, 90, 93, 94, 75303]
+query = 'process where exit_code <= 0'
+
+[[queries]]
+note = "check that comparisons against null values return false"
+expected_event_ids = [58, 64, 69, 74, 80, 85, 90, 93, 94, 75303]
+query = 'process where exit_code < 1'
+
+[[queries]]
+note = "check that comparisons against null values return false"
+expected_event_ids = [58, 64, 69, 74, 80, 85, 90, 93, 94, 75303]
+query = 'process where exit_code > -1'
+
+[[queries]]
+note = "check that comparisons against null values return false"
+expected_event_ids = [58, 64, 69, 74, 80, 85, 90, 93, 94, 75303]
+query = 'process where -1 < exit_code'
+
+[[queries]]
+note = "check that comparisons against null values return false"
+expected_event_ids = []
+query = '''
+process where not (exit_code > -1)
+ and serial_event_id in (58, 64, 69, 74, 80, 85, 90, 93, 94)
+| head 10
+'''
+
+[[queries]]
+note = "check that comparisons against null values return false"
+expected_event_ids = [1, 2, 3, 4, 5, 6, 7]
+query = 'process where not (exit_code > -1) | head 7'
+
+[[queries]]
+note = "check that comparisons against null values return false"
+expected_event_ids = [1, 2, 3, 4, 5, 6, 7]
+query = 'process where not (-1 < exit_code) | head 7'
+
+[[queries]]
+query = 'process where exit_code > 0'
+expected_event_ids = []
+
+[[queries]]
+query = 'process where exit_code < 0'
+expected_event_ids = []
+
+[[queries]]
+query = 'process where 0 < exit_code'
+expected_event_ids = []
+
+[[queries]]
+query = 'process where 0 > exit_code'
+expected_event_ids = []
+
+[[queries]]
+query = 'process where (serial_event_id<=8 and serial_event_id > 7) and (opcode=3 and opcode>2)'
+expected_event_ids = [8]
+
+[[queries]]
+query = 'process where (serial_event_id<9 and serial_event_id >= 7) or (opcode == pid)'
+expected_event_ids = [7, 8]
+
+[[queries]]
+query = 'process where process_name == "VMACTHLP.exe" and unique_pid == 12 | filter true'
+expected_event_ids = [12]
+
+[[queries]]
+query = '''
+process where process_name in ("python.exe", "SMSS.exe", "explorer.exe")
+| unique process_name'''
+expected_event_ids = [3, 34, 48]
+
+[[queries]]
+query = '''
+process where process_name in ("python.exe", "smss.exe", "Explorer.exe")
+| unique length(process_name)'''
+expected_event_ids = [3, 34, 48]
+
+[[queries]]
+query = '''
+process where process_name in ("python.exe", "smss.exe", "explorer.exe")
+| unique length(process_name) == length("python.exe")'''
+expected_event_ids = [3, 48]
+
+[[queries]]
+query = '''
+process where process_name in ("Python.exe", "smss.exe", "explorer.exe")
+| unique process_name != "python.exe"'''
+expected_event_ids = [3, 48]
+
+[[queries]]
+query = '''
+process where process_name in ("python.exe", "smss.exe", "explorer.exe")
+| unique process_name
+| head 2
+| tail 1'''
+expected_event_ids = [34]
+
+[[queries]]
+query = '''
+process where process_name in ("python.exe", "smss.exe", "explorer.exe")
+| unique process_name
+| tail 2
+| head 1'''
+expected_event_ids = [34]
+
+[[queries]]
+query = '''
+process where process_name in ("python.exe", "smss.exe")
+| unique process_name parent_process_name'''
+expected_event_ids = [3, 48, 50, 54, 78]
+
+[[queries]]
+query = '''
+process where process_name in ("python.exe", "smss.exe")
+| unique process_name, parent_process_name'''
+expected_event_ids = [3, 48, 50, 54, 78]
+
+[[queries]]
+query = '''
+process where process_name in ("python.exe", "smss.exe")
+| head 5
+| unique process_name parent_process_name'''
+expected_event_ids = [3, 48, 50, 54]
+
+[[queries]]
+expected_event_ids = [57]
+query = '''
+registry where length(bytes_written_string_list) == 2 and bytes_written_string_list[1] == "EN"'''
+
+[[queries]]
+query = '''
+registry where key_path == "*\\MACHINE\\SAM\\SAM\\*\\Account\\Us*ers\\00*03E9\\F"'''
+expected_event_ids = [79]
+
+[[queries]]
+query = '''
+process where process_path == "*\\red_ttp\\wininit.*" and opcode in (0,1,2,3,4)'''
+expected_event_ids = [84, 85]
+
+[[queries]]
+query = '''
+file where file_name == "csrss.exe" and opcode=0
+ and descendant of [process where opcode in (1,3) and process_name="cmd.exe"]
+'''
+expected_event_ids = [72]
+
+[[queries]]
+query = '''
+process where opcode=1 and process_name == "csrss.exe"
+ and descendant of [file where file_name == "csrss.exe" and opcode=0]
+'''
+expected_event_ids = [73]
+
+[[queries]]
+query = '''
+process where opcode=1 and process_name == "smss.exe"
+ and descendant of [
+ file where file_name == "csrss.exe" and opcode=0
+ and descendant of [
+ process where opcode in(1,3) and process_name="cmd.exe"
+ ]
+ ]
+'''
+expected_event_ids = [78]
+
+[[queries]]
+query = '''
+file where file_path="*\\red_ttp\\winin*.*"
+ and opcode in (0,1,2) and user_name="vagrant"
+'''
+expected_event_ids = [83, 86]
+
+[[queries]]
+query = '''
+file where file_path="*\\red_ttp\\winin*.*"
+ and opcode not in (0,1,2) and user_name="vagrant"
+'''
+expected_event_ids = []
+
+[[queries]]
+query = '''
+file where file_path="*\\red_ttp\\winin*.*"
+ and opcode not in (3, 4, 5, 6 ,7) and user_name="vagrant"
+'''
+expected_event_ids = [83, 86]
+
+
+[[queries]]
+query = '''
+file where file_name in ("wininit.exe", "lsass.exe") and opcode == 2
+'''
+expected_event_ids = [65, 86]
+
+[[queries]]
+query = '''
+file where true
+| tail 3'''
+expected_event_ids = [92, 95, 96]
+
+[[queries]]
+query = '''
+process where opcode in (1,3) and process_name in (parent_process_name, "SYSTEM")
+'''
+expected_event_ids = [2, 50, 51]
+
+[[queries]]
+expected_event_ids = [92, 95, 96, 91]
+query = '''
+file where true
+| tail 4
+| sort file_path'''
+
+[[queries]]
+expected_event_ids = [2, 1, 4, 3, 5]
+query = '''
+process where true
+| head 5
+| sort md5 event_subtype_full process_name'''
+
+[[queries]]
+expected_event_ids = [2, 1, 4, 3, 5]
+query = '''
+process where true
+| head 5
+| sort md5 event_subtype_full null_field process_name'''
+
+[[queries]]
+expected_event_ids = [2, 1, 4, 3, 5]
+query = '''
+process where true
+| head 5
+| sort md5, event_subtype_full, null_field, process_name'''
+
+[[queries]]
+expected_event_ids = [2, 1]
+query = '''
+process where true
+| head 5
+| sort md5 event_subtype_full null_field process_name
+| head 2'''
+
+[[queries]]
+expected_event_ids = [1, 2, 3, 4, 5]
+query = '''
+process where true
+| head 5
+| sort md5 event_subtype_full null_field process_name
+| sort serial_event_id'''
+
+[[queries]]
+query = '''
+sequence
+ [process where serial_event_id = 1]
+ [process where serial_event_id = 2]
+'''
+expected_event_ids = [1, 2]
+
+[[queries]]
+query = '''
+sequence
+ [process where serial_event_id < 5]
+ [process where serial_event_id = 5]
+'''
+expected_event_ids = [4, 5]
+
+[[queries]]
+query = '''
+sequence
+ [process where serial_event_id=1] by unique_pid
+ [process where true] by unique_ppid'''
+expected_event_ids = [1, 2]
+
+[[queries]]
+query = '''
+sequence
+ [process where serial_event_id<3] by unique_pid
+ [process where true] by unique_ppid
+'''
+expected_event_ids = [1, 2, 2, 3]
+
+[[queries]]
+query = '''
+sequence
+ [process where serial_event_id<3] by unique_pid * 2
+ [process where true] by unique_ppid * 2
+'''
+expected_event_ids = [1, 2, 2, 3]
+
+
+[[queries]]
+query = '''
+sequence
+ [process where serial_event_id<3] by unique_pid * 2, length(unique_pid), string(unique_pid)
+ [process where true] by unique_ppid * 2, length(unique_ppid), string(unique_ppid)
+'''
+expected_event_ids = [1, 2, 2, 3]
+
+
+[[queries]]
+query = '''
+sequence
+ [file where event_subtype_full == "file_create_event"] by file_path
+ [process where opcode == 1] by process_path
+ [process where opcode == 2] by process_path
+ [file where event_subtype_full == "file_delete_event"] by file_path
+| head 4
+| tail 2'''
+expected_event_ids = [67, 68, 69, 70, 72, 73, 74, 75]
+
+[[queries]]
+query = '''
+sequence with maxspan=1d
+ [file where event_subtype_full == "file_create_event"] by file_path
+ [process where opcode == 1] by process_path
+ [process where opcode == 2] by process_path
+ [file where event_subtype_full == "file_delete_event"] by file_path
+| head 4
+| tail 2'''
+expected_event_ids = [67, 68, 69, 70, 72, 73, 74, 75]
+
+[[queries]]
+query = '''
+sequence with maxspan=1h
+ [file where event_subtype_full == "file_create_event"] by file_path
+ [process where opcode == 1] by process_path
+ [process where opcode == 2] by process_path
+ [file where event_subtype_full == "file_delete_event"] by file_path
+| head 4
+| tail 2'''
+expected_event_ids = [67, 68, 69, 70, 72, 73, 74, 75]
+
+[[queries]]
+query = '''
+sequence with maxspan=1m
+ [file where event_subtype_full == "file_create_event"] by file_path
+ [process where opcode == 1] by process_path
+ [process where opcode == 2] by process_path
+ [file where event_subtype_full == "file_delete_event"] by file_path
+| head 4
+| tail 2'''
+expected_event_ids = [67, 68, 69, 70, 72, 73, 74, 75]
+
+[[queries]]
+query = '''
+sequence with maxspan=10s
+ [file where event_subtype_full == "file_create_event"] by file_path
+ [process where opcode == 1] by process_path
+ [process where opcode == 2] by process_path
+ [file where event_subtype_full == "file_delete_event"] by file_path
+| head 4
+| tail 2'''
+expected_event_ids = [67, 68, 69, 70, 72, 73, 74, 75]
+
+[[queries]]
+query = '''
+sequence with maxspan=0.5s
+ [file where event_subtype_full == "file_create_event"] by file_path
+ [process where opcode == 1] by process_path
+ [process where opcode
== 2] by process_path
+ [file where event_subtype_full == "file_delete_event"] by file_path
+| head 4
+| tail 2'''
+expected_event_ids = []
+
+[[queries]]
+query = '''
+sequence
+ [process where serial_event_id < 5]
+ [process where serial_event_id < 5]
+'''
+expected_event_ids = [1, 2, 2, 3, 3, 4]
+
+[[queries]]
+query = '''
+sequence
+ [file where opcode=0 and file_name="svchost.exe"] by unique_pid
+ [process where opcode == 1] by unique_ppid
+'''
+expected_event_ids = [55, 56]
+
+[[queries]]
+query = '''
+sequence
+ [file where opcode=0] by unique_pid
+ [file where opcode=0] by unique_pid
+| head 1'''
+expected_event_ids = [55, 61]
+
+[[queries]]
+query = '''
+sequence
+ [file where opcode=0] by unique_pid
+ [file where opcode=0] by unique_pid
+| filter events[1].serial_event_id == 92'''
+expected_event_ids = [87, 92]
+
+[[queries]]
+query = '''
+sequence
+ [file where opcode=0 and file_name="*.exe"] by unique_pid
+ [file where opcode=0 and file_name="*.exe"] by unique_pid
+until [process where opcode=5000] by unique_ppid
+| head 1'''
+expected_event_ids = [55, 61]
+
+[[queries]]
+query = '''
+sequence
+ [file where opcode=0 and file_name="*.exe"] by unique_pid
+ [file where opcode=0 and file_name="*.exe"] by unique_pid
+until [process where opcode=1] by unique_ppid
+| head 1'''
+expected_event_ids = []
+
+[[queries]]
+query = '''
+join
+ [file where opcode=0 and file_name="*.exe"] by unique_pid
+ [file where opcode=2 and file_name="*.exe"] by unique_pid
+until [process where opcode=1] by unique_ppid
+| head 1'''
+expected_event_ids = [61, 59]
+
+[[queries]]
+query = '''
+join by user_name
+ [process where opcode in (1,3) and process_name="smss.exe"]
+ [process where opcode in (1,3) and process_name == "python.exe"]
+'''
+expected_event_ids = [78, 48]
+
+[[queries]]
+query = '''
+join by unique_pid
+ [process where opcode=1]
+ [file where opcode=0 and file_name="svchost.exe"]
+ [file where opcode == 0 and file_name == "lsass.exe"]'''
+expected_event_ids = [54,
55, 61]
+
+[[queries]]
+query = '''
+join by string(unique_pid)
+ [process where opcode=1]
+ [file where opcode=0 and file_name="svchost.exe"]
+ [file where opcode == 0 and file_name == "lsass.exe"]'''
+expected_event_ids = [54, 55, 61]
+
+[[queries]]
+query = '''
+join by unique_pid
+ [process where opcode=1]
+ [file where opcode=0 and file_name="svchost.exe"]
+ [file where opcode == 0 and file_name == "lsass.exe"]
+until [file where opcode == 2]'''
+expected_event_ids = []
+
+[[queries]]
+query = '''
+join by string(unique_pid), unique_pid, unique_pid * 2
+ [process where opcode=1]
+ [file where opcode=0 and file_name="svchost.exe"]
+ [file where opcode == 0 and file_name == "lsass.exe"]
+until [file where opcode == 2]'''
+expected_event_ids = []
+
+[[queries]]
+query = '''
+join
+ [file where opcode=0 and file_name="svchost.exe"] by unique_pid
+ [process where opcode == 1] by unique_ppid
+'''
+expected_event_ids = [55, 56]
+
+[[queries]]
+query = '''
+join by unique_pid
+ [process where opcode in (1,3) and process_name="python.exe"]
+ [file where file_name == "*.exe"]'''
+expected_event_ids = [54, 55]
+
+[[queries]]
+query = '''
+join by user_name
+ [process where opcode in (1,3) and process_name="python.exe"]
+ [process where opcode in (1,3) and process_name == "smss.exe"]
+'''
+expected_event_ids = [48, 78]
+
+[[queries]]
+query = '''
+join
+ [process where opcode in (1,3) and process_name="python.exe"]
+ [process where opcode in (1,3) and process_name == "smss.exe"]
+'''
+expected_event_ids = [48, 3, 50, 78]
+
+[[queries]]
+expected_event_ids = []
+query = '''
+process where fake_field == "*"'''
+
+[[queries]]
+expected_event_ids = [1, 2, 3, 4]
+query = '''
+process where fake_field != "*"
+| head 4'''
+
+[[queries]]
+expected_event_ids = [1, 2, 3, 4]
+query = '''
+process where not (fake_field == "*")
+| head 4'''
+
+[[queries]]
+expected_event_ids = []
+query = '''
+registry where invalid_field_name != null'''
+
+[[queries]]
+expected_event_ids = []
+query
= '''
+registry where length(bad_field) > 0
+'''
+
+[[queries]]
+query = '''
+process where opcode == 1
+ and process_name in ("net.exe", "net1.exe")
+ and not (parent_process_name == "net.exe"
+ and process_name == "net1.exe")
+ and command_line == "*group *admin*" and command_line != "* /add*"'''
+expected_event_ids = [97]
+
+[[queries]]
+expected_event_ids = [1, 55, 57, 63, 75304]
+query = '''
+any where true
+| unique event_type_full'''
+
+[[queries]]
+query = '''
+process where opcode=1 and process_name in ("services.exe", "smss.exe", "lsass.exe")
+ and descendant of [process where process_name == "cmd.exe" ]'''
+expected_event_ids = [62, 68, 78]
+
+[[queries]]
+query = '''
+process where process_name in ("services.exe", "smss.exe", "lsass.exe")
+ and descendant of [process where process_name == "cmd.exe" ]'''
+expected_event_ids = [62, 64, 68, 69, 78, 80]
+
+[[queries]]
+query = '''
+process where opcode=2 and process_name in ("services.exe", "smss.exe", "lsass.exe")
+ and descendant of [process where process_name == "cmd.exe" ]'''
+expected_event_ids = [64, 69, 80]
+
+[[queries]]
+query = '''
+process where process_name="svchost.exe"
+ and child of [file where file_name="svchost.exe" and opcode=0]'''
+expected_event_ids = [56, 58]
+
+[[queries]]
+query = '''
+process where process_name="svchost.exe"
+ and not child of [file where file_name="svchost.exe" and opcode=0]
+| head 3'''
+expected_event_ids = [11, 13, 15]
+
+[[queries]]
+query = '''
+process where process_name="lsass.exe"
+ and child of [
+ process where process_name="python.exe"
+ and child of [process where process_name="cmd.exe"]
+ ]
+'''
+expected_event_ids = [62, 64]
+
+[[queries]]
+query = '''
+file where child of [
+ process where child of [
+ process where child of [process where process_name="*wsmprovhost.exe"]
+ ]
+]
+| tail 1'''
+expected_event_ids = [91]
+
+[[queries]]
+query = '''
+file where process_name = "python.exe"
+| unique unique_pid'''
+expected_event_ids = [55, 95]
+
+[[queries]]
+query = '''
+file where event of [process where process_name = "python.exe" ]
+| unique unique_pid'''
+expected_event_ids = [55, 95]
+
+[[queries]]
+query = '''
+process where process_name = "python.exe"'''
+expected_event_ids = [48, 50, 51, 54, 93]
+
+[[queries]]
+query = 'process where event of [process where process_name = "python.exe" ]'
+expected_event_ids = [48, 50, 51, 54, 93]
+
+[[queries]]
+query = '''
+sequence
+ [file where file_name="lsass.exe"] by file_path,process_path
+ [process where true] by process_path,parent_process_path
+'''
+expected_event_ids = [61, 62]
+
+[[queries]]
+query = '''
+sequence by user_name
+ [file where file_name="lsass.exe"] by file_path, process_path
+ [process where true] by process_path, parent_process_path
+'''
+expected_event_ids = [61, 62]
+
+[[queries]]
+query = '''
+sequence by pid
+ [file where file_name="lsass.exe"] by file_path,process_path
+ [process where true] by process_path,parent_process_path
+'''
+expected_event_ids = []
+
+[[queries]]
+query = '''
+sequence by user_name
+ [file where opcode=0] by file_path
+ [process where opcode=1] by process_path
+ [process where opcode=2] by process_path
+ [file where opcode=2] by file_path
+| tail 1'''
+expected_event_ids = [88, 89, 90, 91]
+
+[[queries]]
+query = '''
+sequence by user_name
+ [file where opcode=0] by pid,file_path
+ [file where opcode=2] by pid,file_path
+until [process where opcode=2] by ppid,process_path
+'''
+expected_event_ids = []
+
+[[queries]]
+query = '''
+sequence by user_name
+ [file where opcode=0] by pid,file_path
+ [file where opcode=2] by pid,file_path
+until [process where opcode=5] by ppid,process_path
+| head 2'''
+expected_event_ids = [55, 59, 61, 65]
+
+[[queries]]
+query = '''
+sequence by pid
+ [file where opcode=0] by file_path
+ [process where opcode=1] by process_path
+ [process where opcode=2] by process_path
+ [file where opcode=2] by file_path
+| tail 1'''
+expected_event_ids = []
+
+[[queries]]
+query = '''
+join
by user_name
+ [file where true] by pid,file_path
+ [process where true] by ppid,process_path
+| head 2'''
+expected_event_ids = [55, 56, 59, 58]
+
+[[queries]]
+query = '''
+sequence
+ [process where true] by unique_pid
+ [file where true] fork=true by unique_pid
+ [process where true] by unique_ppid
+| head 4'''
+expected_event_ids = [54, 55, 56, 54, 61, 62, 54, 67, 68, 54, 72, 73]
+
+[[queries]]
+query = '''
+process where command_line == "*%*" '''
+expected_event_ids = [4, 6, 28]
+
+[[queries]]
+query = '''
+process where command_line == "*%*%*" '''
+expected_event_ids = [4, 6, 28]
+
+[[queries]]
+query = '''
+process where command_line == "%*%*" '''
+expected_event_ids = [4, 6, 28]
+
+[[queries]]
+expected_event_ids = [11, 60, 63]
+query = '''
+any where process_name == "svchost.exe"
+| unique_count event_type_full process_name'''
+
+[[queries]]
+expected_event_ids = [63, 60, 11]
+query = '''
+any where process_name == "svchost.exe"
+| sort event_type_full serial_event_id
+| unique_count event_type_full process_name'''
+
+[[queries]]
+expected_event_ids = [60]
+query = '''
+any where process_name == "svchost.exe"
+| unique_count event_type_full opcode
+| filter count == 7'''
+
+[[queries]]
+expected_event_ids = [11]
+query = '''
+any where process_name == "svchost.exe"
+| unique_count event_type_full opcode
+| filter percent >= .5
+'''
+
+[[queries]]
+expected_event_ids = [57]
+query = '''
+registry where arrayContains(bytes_written_string_list, 'En-uS')'''
+
+[[queries]]
+expected_event_ids = [57]
+query = '''
+registry where arrayContains(bytes_written_string_list, 'En')'''
+
+[[queries]]
+expected_event_ids = [57]
+query = '''
+registry where length(bytes_written_string_list) > 0 and bytes_written_string_list[0] == 'EN-us'
+'''
+
+[[queries]]
+expected_event_ids = [57]
+query = '''
+registry where bytes_written_string_list[0] == 'EN-us'
+'''
+
+[[queries]]
+expected_event_ids = [57]
+query = '''
+registry where bytes_written_string_list[1] == 'EN'
+'''
+
+[[queries]]
+query = '''
+process where matchLite(?'.*?net1\s+localgroup\s+.*?', command_line)
+'''
+expected_event_ids = [98]
+
+[[queries]]
+query = '''
+process where matchLite(?'.*?net1\s+\w+\s+.*?', command_line)
+'''
+expected_event_ids = [98]
+
+[[queries]]
+query = '''
+process where matchLite(?'.*?net1\s+\w{4,15}\s+.*?', command_line)
+'''
+expected_event_ids = [98]
+
+[[queries]]
+expected_event_ids = [98]
+query = '''
+process where match(?'.*?net1\s+\w{4,15}\s+.*?', command_line)
+'''
+
+[[queries]]
+query = '''
+process where matchLite(?'.*?net1\s+[localgrup]{4,15}\s+.*?', command_line)
+'''
+expected_event_ids = [98]
+
+[[queries]]
+query = '''
+process where 'net.EXE' == original_file_name
+| filter process_name="net*.exe"
+'''
+expected_event_ids = [97]
+note = "check that case insensitive comparisons are performed even for lhs strings."
+
+[[queries]]
+query = '''
+process where process_name == original_file_name
+| filter process_name='net*.exe'
+'''
+expected_event_ids = [97, 98]
+note = "check that case insensitive comparisons are performed for fields."
+
+[[queries]]
+query = '''
+process where original_file_name == process_name
+| filter length(original_file_name) > 0
+'''
+expected_event_ids = [97, 98, 75273, 75303]
+description = "check that case insensitive comparisons are performed for fields."
+
+[[queries]]
+query = '''
+file where opcode=0 and startsWith(file_name, 'exploRER.')
+'''
+expected_event_ids = [88, 92]
+description = "check built-in string functions"
+
+[[queries]]
+query = '''
+file where opcode=0 and startsWith(file_name, 'expLORER.exe')
+'''
+expected_event_ids = [88, 92]
+description = "check built-in string functions"
+
+[[queries]]
+query = '''
+file where opcode=0 and endsWith(file_name, 'loREr.exe')'''
+expected_event_ids = [88]
+description = "check built-in string functions"
+
+[[queries]]
+query = '''
+file where opcode=0 and startsWith(file_name, 'explORER.EXE')'''
+expected_event_ids = [88, 92]
+description = "check built-in string functions"
+
+[[queries]]
+query = '''
+file where opcode=0 and startsWith('explorer.exeaaaaaaaa', file_name)'''
+expected_event_ids = [88]
+description = "check built-in string functions"
+
+[[queries]]
+query = '''
+file where opcode=0 and serial_event_id = 88 and startsWith('explorer.exeaAAAA', 'EXPLORER.exe')'''
+expected_event_ids = [88]
+description = "check built-in string functions"
+
+[[queries]]
+query = '''
+file where opcode=0 and stringContains('ABCDEFGHIexplorer.exeJKLMNOP', file_name)
+'''
+expected_event_ids = [88]
+description = "check built-in string functions"
+
+[[queries]]
+query = '''
+file where opcode=0 and indexOf(file_name, 'plore') == 2 and not indexOf(file_name, '.pf')
+'''
+expected_event_ids = [88]
+description = "check built-in string functions"
+
+[[queries]]
+query = '''
+file where opcode=0 and indexOf(file_name, 'explorer.') and indexOf(file_name, 'plore', 100)
+'''
+expected_event_ids = []
+description = "check built-in string functions"
+
+[[queries]]
+query = '''
+file where opcode=0 and indexOf(file_name, 'plorer.', 0) == 2'''
+expected_event_ids = [88, 92]
+description = "check built-in string functions"
+
+[[queries]]
+query = '''
+file where opcode=0 and indexOf(file_name, 'plorer.', 2)'''
+expected_event_ids = [88, 92]
+description = "check built-in string
functions"
+
+[[queries]]
+query = '''
+file where opcode=0 and indexOf(file_name, 'plorer.', 4)'''
+expected_event_ids = []
+description = "check built-in string functions"
+
+[[queries]]
+query = '''
+file where opcode=0 and indexOf(file_name, 'thing that never happened')'''
+expected_event_ids = []
+description = "check built-in string functions"
+
+[[queries]]
+query = '''
+file where opcode=0 and indexOf(file_name, 'plorer.', 2) == 2'''
+expected_event_ids = [88, 92]
+description = "check substring ranges"
+
+[[queries]]
+query = '''
+file where opcode=0 and indexOf(file_name, 'explorer.', 0) == 0'''
+expected_event_ids = [88, 92]
+description = "check substring ranges"
+
+[[queries]]
+query = '''
+file where serial_event_id=88 and substring(file_name, 0, 4) == 'expl'
+'''
+expected_event_ids = [88]
+description = "check substring ranges"
+
+[[queries]]
+query = '''
+file where serial_event_id=88 and substring(file_name, 1, 3) == 'xp'
+'''
+expected_event_ids = [88]
+description = "chaeck substring ranges"
+
+[[queries]]
+query = '''
+file where serial_event_id=88 and substring(file_name, -4) == '.exe'
+'''
+expected_event_ids = [88]
+description = "check substring ranges"
+
+[[queries]]
+query = '''
+file where serial_event_id=88 and substring(file_name, -4, -1) == '.ex'
+'''
+expected_event_ids = [88]
+description = "check substring ranges"
+
+[[queries]]
+query = '''
+process where add(serial_event_id, 0) == 1 and add(0, 1) == serial_event_id'''
+expected_event_ids = [1]
+description = "test built-in math functions"
+
+[[queries]]
+query = '''
+process where subtract(serial_event_id, -5) == 6'''
+expected_event_ids = [1]
+description = "test built-in math functions"
+
+[[queries]]
+query = '''
+process where multiply(6, serial_event_id) == 30 and divide(30, 4.0) == 7.5'''
+expected_event_ids = [5]
+description = "test built-in math functions"
+
+[[queries]]
+query = '''
+process where modulo(11, add(serial_event_id, 1)) == serial_event_id'''
+expected_event_ids = [1, 2, 3, 5, 11]
+description = "test built-in math functions"
+
+[[queries]]
+query = '''
+process where serial_event_id == number('5')'''
+expected_event_ids = [5]
+description = "test string/number conversions"
+
+[[queries]]
+expected_event_ids = [50]
+description = "test string/number conversions"
+query = '''
+process where serial_event_id == number('0x32', 16)'''
+
+[[queries]]
+expected_event_ids = [50]
+description = "test string/number conversions"
+query = '''
+process where serial_event_id == number('32', 16)'''
+
+[[queries]]
+query = '''
+process where number(serial_event_id) == number(5)'''
+expected_event_ids = [5]
+description = "test string/number conversions"
+
+[[queries]]
+query = '''
+process where concat(serial_event_id, ':', process_name, opcode) == '5:winINIT.exe3'
+'''
+expected_event_ids = [5]
+description = "test string concatenation"
+
+[[queries]]
+query = '''
+process where process_name != original_file_name
+| filter length(original_file_name) > 0'''
+expected_event_ids = []
+description = "check that case insensitive comparisons are performed for fields."
+
+[[queries]]
+query = '''
+sequence by unique_pid [process where opcode=1 and process_name == 'msbuild.exe'] [network where true]'''
+expected_event_ids = [75273, 75304]
+description = "test that process sequences are working correctly"
+
+[[queries]]
+expected_event_ids = [57]
+description = "test arraySearch functionality for lists of strings, and lists of objects"
+query = '''
+registry where arraySearch(bytes_written_string_list, a, a == 'en-us')'''
+
+[[queries]]
+expected_event_ids = [57]
+description = "test arraySearch functionality for lists of strings, and lists of objects"
+query = '''
+registry where arraySearch(bytes_written_string_list, a, endsWith(a, '-us'))'''
+
+[[queries]]
+expected_event_ids = [75305]
+description = "test arraySearch - true"
+query = '''
+network where mysterious_field
+ and arraySearch(mysterious_field.subarray, s, true)
+'''
+
+[[queries]]
+expected_event_ids = []
+description = "test arraySearch - false"
+query = '''
+network where mysterious_field and arraySearch(mysterious_field.subarray, s, false)
+'''
+
+[[queries]]
+expected_event_ids = [75305]
+description = "test arraySearch - conditional"
+query = '''
+network where mysterious_field and arraySearch(mysterious_field.subarray, s, s.a == 's0-*')
+'''
+
+[[queries]]
+expected_event_ids = [75305]
+description = "test arraySearch - conditional"
+query = '''
+network where mysterious_field and arraySearch(mysterious_field.subarray, s, s.a != 's0-*')
+'''
+
+[[queries]]
+expected_event_ids = [75305]
+description = "test arraySearch - nested"
+query = '''
+network where mysterious_field
+ and arraySearch(mysterious_field.subarray, sub1,
+ arraySearch(sub1.c, nested, nested.x.y == '*'))
+'''
+
+[[queries]]
+expected_event_ids = [75305]
+description = "test arraySearch - nested with cross-check pass"
+query = '''
+network where mysterious_field
+ and arraySearch(mysterious_field.subarray, sub1,
+ sub1.a == 's0-a' and arraySearch(sub1.c, nested, nested.z == 's0-c1-x-z'))
+'''
+
+[[queries]]
+expected_event_ids = [75305]
+description = "test arraySearch - nested with cross-check pass"
+query = '''
+network where mysterious_field
+ and arraySearch(mysterious_field.subarray, sub1,
+ sub1.a == 's0-a' and arraySearch(sub1.c, nested, nested.z == sub1.cross_match))
+'''
+
+[[queries]]
+expected_event_ids = [75305]
+description = "test arraySearch - nested with cross-check pass"
+query = '''
+network where mysterious_field
+ and arraySearch(mysterious_field.subarray, sub1,
+ arraySearch(sub1.c, nested, nested.x.y == mysterious_field.outer_cross_match))
+'''
+
+[[queries]]
+expected_event_ids = []
+description = "test 'safe()' wrapper for exception handling"
+query = '''
+network where safe(divide(process_name, process_name))
+'''
+
+[[queries]]
+query = '''
+file where serial_event_id == 82 and (true == (process_name in ('svchost.EXE', 'bad.exe', 'bad2.exe')))
+'''
+expected_event_ids = [82]
+description = "nested set comparisons"
+
+[[queries]]
+expected_event_ids = [57]
+query = '''
+registry where arrayCount(bytes_written_string_list, s, s == '*-us') == 1
+'''
+
+[[queries]]
+expected_event_ids = [57]
+query = '''
+registry where arrayCount(bytes_written_string_list, s, s == '*en*') == 2
+'''
+
+[[queries]]
+expected_event_ids = [57]
+query = '''
+registry where arrayContains(bytes_written_string_list, "missing", "en-US")
+'''
+
+[[queries]]
+expected_event_ids = [82]
+query = "file where serial_event_id - 1 == 81"
+
+[[queries]]
+expected_event_ids = [82]
+query = "file where serial_event_id + 1 == 83"
+
+[[queries]]
+expected_event_ids = [82]
+query = "file where serial_event_id * 2 == 164"
+
+[[queries]]
+expected_event_ids = [82]
+query = "file where serial_event_id / 2 == 41"
+
+[[queries]]
+expected_event_ids = [82]
+query = "file where serial_event_id % 40 == 2"
+
+[[queries]]
+expected_event_ids = [1, 2]
+query = '''
+process where between(process_name, "s", "e") == "yst"
+'''
+
+[[queries]]
+expected_event_ids = [1, 2]
+query = '''
+process where between(process_name, "s", "e", false) == "yst"
+'''
+
+[[queries]]
+expected_event_ids = []
+query = '''
+process where between(process_name, "s", "e", false, true) == "yst"
+'''
+
+[[queries]]
+expected_event_ids = [1, 2, 42]
+query = '''
+process where between(process_name, "s", "e", false, true) == "t"
+'''
+
+[[queries]]
+expected_event_ids = [1, 2]
+query = '''
+process where between(process_name, "S", "e", false, true) == "yst"
+'''
+
+[[queries]]
+expected_event_ids = [1]
+query = '''
+process where between(process_name, "s", "e", true) == "ystem Idle Proc"
+'''
+
+[[queries]]
+expected_event_ids = [95]
+query = '''
+file where between(file_path, "dev", ".json", false) == "\\testlogs\\something"
+'''
+
+[[queries]]
+expected_event_ids = [95]
+query = '''
+file where between(file_path, "dev", ".json", true) == "\\testlogs\\something"
+'''
+
+[[queries]]
+expected_event_ids = [75304, 75305]
+query = '''
+network where cidrMatch(source_address, "10.6.48.157/8")
+'''
+
+[[queries]]
+expected_event_ids = []
+query = '''
+network where cidrMatch(source_address, "192.168.0.0/16")
+'''
+
+[[queries]]
+expected_event_ids = [75304, 75305]
+query = '''
+network where cidrMatch(source_address, "192.168.0.0/16", "10.6.48.157/8")
+
+'''
+[[queries]]
+expected_event_ids = [75304, 75305]
+query = '''
+network where cidrMatch(source_address, "0.0.0.0/0")
+'''
+
+[[queries]]
+expected_event_ids = [7, 14, 22, 29, 44]
+query = '''
+process where length(between(process_name, 'g', 'e')) > 0
+'''
+
+[[queries]]
+expected_event_ids = []
+query = '''
+process where length(between(process_name, 'g', 'z')) > 0
+'''
+
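Review bot: The header comment at the top of this file never says how an entry here is matched to its counterpart in test_queries.toml, and because the two files are near-verbatim copies the match is presumably by query text; that makes the blacklist fragile, since any whitespace or quoting drift between the copies (or an upstream refresh of test_queries.toml) silently unmasks a query that is still unsupported or leaves a stale entry that masks nothing. Suggest stating the contract in the header, e.g. `# Entries are matched to test_queries.toml by query text; keep the query string byte-identical to the upstream file or the entry silently stops masking its test.`, and having the loader (EqlSpecLoader, outside this hunk) fail the run when an entry here matches nothing in test_queries.toml, so the list can only shrink as queries become supported. Note also that several expected_event_ids in this file are order-sensitive (`[92, 95, 96, 91]` after `sort file_path`, `[2, 1, 4, 3, 5]` after `sort md5 ...`, `[61, 59]` for the join), so whichever comparison EqlActionIT performs needs to be an ordered-list check rather than a set check, otherwise the sort/tail pipes are never actually exercised once they leave this blacklist.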