From c20b6d966e1986684bcae9ab48a523fab56b0d9c Mon Sep 17 00:00:00 2001 From: Asuka Nakajima Date: Tue, 22 Apr 2025 22:12:42 -0400 Subject: [PATCH 1/2] add origin_url and origin_referrer_url fields --- .../library/windows/windows_library_load.md | 2 ++ .../windows/windows_process_already_running.md | 2 ++ .../windows/windows_process_create_and_exit.md | 2 ++ .../library/windows/windows_library_load.yaml | 2 ++ .../windows/windows_process_already_running.yaml | 2 ++ .../windows/windows_process_create_and_exit.yaml | 2 ++ custom_schemas/custom_dll.yml | 16 ++++++++++++++++ custom_schemas/custom_process.yml | 16 ++++++++++++++++ .../elastic_endpoint/library/library.yaml | 2 ++ .../elastic_endpoint/process/process.yaml | 2 ++ .../data_stream/library/sample_event.json | 2 ++ .../data_stream/process/sample_event.json | 2 ++ 12 files changed, 52 insertions(+) diff --git a/custom_documentation/doc/endpoint/library/windows/windows_library_load.md b/custom_documentation/doc/endpoint/library/windows/windows_library_load.md index d034c030d..3dbd5d362 100644 --- a/custom_documentation/doc/endpoint/library/windows/windows_library_load.md +++ b/custom_documentation/doc/endpoint/library/windows/windows_library_load.md @@ -34,6 +34,8 @@ This event is generated when a DLL or driver is loaded. | dll.hash.sha1 | | dll.hash.sha256 | | dll.name | +| dll.origin_referrer_url | +| dll.origin_url | | dll.path | | dll.pe.file_version | | dll.pe.imphash | diff --git a/custom_documentation/doc/endpoint/process/windows/windows_process_already_running.md b/custom_documentation/doc/endpoint/process/windows/windows_process_already_running.md index 4fae85807..56096851f 100644 --- a/custom_documentation/doc/endpoint/process/windows/windows_process_already_running.md +++ b/custom_documentation/doc/endpoint/process/windows/windows_process_already_running.md 
@@ -77,6 +77,8 @@ This event is generated for a process that was already running before Endpoint's | process.hash.sha1 | | process.hash.sha256 | | process.name | +| process.origin_referrer_url | +| process.origin_url | | process.parent.Ext.code_signature.exists | | process.parent.Ext.code_signature.status | | process.parent.Ext.code_signature.subject_name | diff --git a/custom_documentation/doc/endpoint/process/windows/windows_process_create_and_exit.md b/custom_documentation/doc/endpoint/process/windows/windows_process_create_and_exit.md index 30ec17c88..fd1295480 100644 --- a/custom_documentation/doc/endpoint/process/windows/windows_process_create_and_exit.md +++ b/custom_documentation/doc/endpoint/process/windows/windows_process_create_and_exit.md @@ -94,6 +94,8 @@ This event is generated when a process is created or exits. | process.hash.sha1 | | process.hash.sha256 | | process.name | +| process.origin_referrer_url | +| process.origin_url | | process.parent.Ext.code_signature.exists | | process.parent.Ext.code_signature.status | | process.parent.Ext.code_signature.subject_name | diff --git a/custom_documentation/src/endpoint/data_stream/library/windows/windows_library_load.yaml b/custom_documentation/src/endpoint/data_stream/library/windows/windows_library_load.yaml index fff9d21f8..743130e30 100644 --- a/custom_documentation/src/endpoint/data_stream/library/windows/windows_library_load.yaml +++ b/custom_documentation/src/endpoint/data_stream/library/windows/windows_library_load.yaml @@ -39,6 +39,8 @@ fields: - dll.hash.sha1 - dll.hash.sha256 - dll.name + - dll.origin_referrer_url + - dll.origin_url - dll.path - dll.pe.file_version - dll.pe.imphash diff --git a/custom_documentation/src/endpoint/data_stream/process/windows/windows_process_already_running.yaml b/custom_documentation/src/endpoint/data_stream/process/windows/windows_process_already_running.yaml index 8a14ca96f..679f2dfc8 100644 
--- a/custom_documentation/src/endpoint/data_stream/process/windows/windows_process_already_running.yaml +++ b/custom_documentation/src/endpoint/data_stream/process/windows/windows_process_already_running.yaml @@ -83,6 +83,8 @@ fields: - process.hash.sha1 - process.hash.sha256 - process.name + - process.origin_referrer_url + - process.origin_url - process.parent.Ext.code_signature.exists - process.parent.Ext.code_signature.status - process.parent.Ext.code_signature.subject_name diff --git a/custom_documentation/src/endpoint/data_stream/process/windows/windows_process_create_and_exit.yaml b/custom_documentation/src/endpoint/data_stream/process/windows/windows_process_create_and_exit.yaml index ba473459c..067add3ce 100644 --- a/custom_documentation/src/endpoint/data_stream/process/windows/windows_process_create_and_exit.yaml +++ b/custom_documentation/src/endpoint/data_stream/process/windows/windows_process_create_and_exit.yaml @@ -101,6 +101,8 @@ fields: - process.hash.sha1 - process.hash.sha256 - process.name + - process.origin_referrer_url + - process.origin_url - process.parent.Ext.code_signature.exists - process.parent.Ext.code_signature.status - process.parent.Ext.code_signature.subject_name diff --git a/custom_schemas/custom_dll.yml b/custom_schemas/custom_dll.yml index 72a947a0b..5ee86dc93 100644 --- a/custom_schemas/custom_dll.yml +++ b/custom_schemas/custom_dll.yml @@ -277,3 +277,19 @@ This is used to identify the team or vendor of a software product. The field is relevant to Apple *OS only.' example: EQHXZ8M8AV + + - name: origin_referrer_url + level: extended + type: keyword + ignore_above: 8192 + description: > + The URL of the webpage that linked to the dll file. + example: http://example.com/article1.html + + - name: origin_url + level: extended + type: keyword + ignore_above: 8192 + description: > + The URL where the dll file is hosted. + example: http://example.com/files/example.dll 
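Review bot: The `description` of the two new `- name:` entries at the end of the `custom_schemas/custom_dll.yml` hunk says what the URL is but not where the endpoint reads it from or how far it can be trusted, which is exactly what a rule author needs before keying a detection on it. These values are presumably carried in the file's download metadata (on Windows the `Zone.Identifier` alternate data stream's `HostUrl`/`ReferrerUrl`) — confirm the source — and such metadata is written by the downloading application, can be stripped or forged, and may be absent for files extracted by tools that do not propagate it, so a missing value must not be read as "not downloaded". I would extend each description along the lines of `The URL where the dll file is hosted, as recorded in the file's download metadata at load time. Supplied by the downloading application and not authenticated; may be absent, stripped or attacker-controlled, so treat it as a hint rather than proof of origin.` Separately, `ignore_above: 8192` means a value longer than 8192 characters is kept in `_source` but not indexed, so a query on this field will not match a file whose download URL was padded past that length; note the limit in the description, or index a truncated copy if rules will filter on it.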
diff --git a/custom_schemas/custom_process.yml b/custom_schemas/custom_process.yml index f6f362367..bff1d5975 100644 --- a/custom_schemas/custom_process.yml +++ b/custom_schemas/custom_process.yml @@ -55,6 +55,22 @@ description: Parent process' pid. example: 4241 + - name: origin_referrer_url + level: extended + type: keyword + ignore_above: 8192 + description: > + The URL of the webpage that linked to the process's executable file. + example: http://example.com/article1.html + + - name: origin_url + level: extended + type: keyword + ignore_above: 8192 + description: > + The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + - name: parent.thread level: custom type: object diff --git a/custom_subsets/elastic_endpoint/library/library.yaml b/custom_subsets/elastic_endpoint/library/library.yaml index 6d517e1da..19b148bc0 100644 --- a/custom_subsets/elastic_endpoint/library/library.yaml +++ b/custom_subsets/elastic_endpoint/library/library.yaml @@ -204,6 +204,8 @@ fields: imphash: {} original_file_name: {} product: {} + origin_referrer_url: {} + origin_url: {} Ext: fields: code_signature: diff --git a/custom_subsets/elastic_endpoint/process/process.yaml b/custom_subsets/elastic_endpoint/process/process.yaml index e131c51e3..64db164cc 100644 --- a/custom_subsets/elastic_endpoint/process/process.yaml +++ b/custom_subsets/elastic_endpoint/process/process.yaml @@ -151,6 +151,8 @@ fields: title: {} uptime: {} working_directory: {} + origin_referrer_url: {} + origin_url: {} Ext: fields: ancestry: {} diff --git a/package/endpoint/data_stream/library/sample_event.json b/package/endpoint/data_stream/library/sample_event.json index 5f64e4b11..8e090a7a0 100644 --- a/package/endpoint/data_stream/library/sample_event.json +++ b/package/endpoint/data_stream/library/sample_event.json 
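Review bot: The two new entries in `custom_schemas/custom_process.yml` are inserted between the `parent.pid` definition (`example: 4241`) and `- name: parent.thread`, splitting the file's run of `parent.*` definitions; placing them before the first `parent.*` entry keeps that grouping intact, and the `custom_dll.yml` hunk in this patch appends its fields at the end, so the two schema files already disagree on placement. The descriptions also leave implicit which file the URL belongs to and when it is read — `process.executable` is the obvious candidate and the value is presumably captured at process start, so a later rename or replacement of the binary is not reflected; confirm both — so I would write `The URL where the file at process.executable is hosted, as recorded in the file's download metadata when the process started. Absent when no such metadata exists; the value is supplied by the downloading application and is not authenticated.` That wording also makes clear to a rule author that an empty field does not mean the binary was not downloaded.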
@@ -81,6 +81,8 @@ "original_file_name": "MSXML3.dll" }, "name": "msxml3.dll", + "origin_referrer_url": "http://example.com/article1.html", + "origin_url": "http://example.com/files/example.dll", "hash": { "sha1": "02488fb2dbf679a3282338178b451da635b79b54", "sha256": "a9698adcf789d9e30f37dd5e6c9be0441bc37662ba7402e85071ccec2135d36c", diff --git a/package/endpoint/data_stream/process/sample_event.json b/package/endpoint/data_stream/process/sample_event.json index 30d05268f..0e2b4a481 100644 --- a/package/endpoint/data_stream/process/sample_event.json +++ b/package/endpoint/data_stream/process/sample_event.json @@ -169,6 +169,8 @@ "original_file_name": "svchost.exe" }, "name": "svchost.exe", + "origin_referrer_url": "http://example.com/article1.html", + "origin_url": "http://example.com/files/example.exe", "args_count": 3, "command_line": "C:\\Windows\\System32\\svchost.exe -k WerSvcGroup", "hash": { From 831c0d46633f78438ab1374546ae66f5f38187ed Mon Sep 17 00:00:00 2001 From: Asuka Nakajima Date: Wed, 23 Apr 2025 02:34:39 +0000 Subject: [PATCH 2/2] add generated files --- .../data_stream/library/fields/fields.yml | 14 ++++++++++++ .../data_stream/process/fields/fields.yml | 14 ++++++++++++ package/endpoint/docs/README.md | 4 ++++ schemas/v1/library/library.yaml | 22 +++++++++++++++++++ schemas/v1/process/process.yaml | 22 +++++++++++++++++++ 5 files changed, 76 insertions(+) diff --git a/package/endpoint/data_stream/library/fields/fields.yml b/package/endpoint/data_stream/library/fields/fields.yml index 95da0cfe4..7937174c6 100644 --- a/package/endpoint/data_stream/library/fields/fields.yml +++ b/package/endpoint/data_stream/library/fields/fields.yml 
@@ -446,6 +446,20 @@ This generally maps to the name of the file on disk.' example: kernel32.dll default_field: false + - name: origin_referrer_url + level: extended + type: keyword + ignore_above: 8192 + description: The URL of the webpage that linked to the dll file. + example: http://example.com/article1.html + default_field: false + - name: origin_url + level: extended + type: keyword + ignore_above: 8192 + description: The URL where the dll file is hosted. + example: http://example.com/files/example.dll + default_field: false - name: path level: extended type: keyword diff --git a/package/endpoint/data_stream/process/fields/fields.yml b/package/endpoint/data_stream/process/fields/fields.yml index 630bac801..9fca4751b 100644 --- a/package/endpoint/data_stream/process/fields/fields.yml +++ b/package/endpoint/data_stream/process/fields/fields.yml @@ -1891,6 +1891,20 @@ Sometimes called program name or similar.' example: ssh + - name: origin_referrer_url + level: extended + type: keyword + ignore_above: 8192 + description: The URL of the webpage that linked to the process's executable file. + example: http://example.com/article1.html + default_field: false + - name: origin_url + level: extended + type: keyword + ignore_above: 8192 + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + default_field: false - name: parent.Ext level: custom type: object diff --git a/package/endpoint/docs/README.md b/package/endpoint/docs/README.md index 90258f661..d0cd7e3f0 100644 --- a/package/endpoint/docs/README.md +++ b/package/endpoint/docs/README.md 
@@ -1793,6 +1793,8 @@ sent by the endpoint. | dll.hash.sha256 | SHA256 hash. | keyword | | dll.hash.sha512 | SHA512 hash. | keyword | | dll.name | Name of the library. This generally maps to the name of the file on disk. | keyword | +| dll.origin_referrer_url | The URL of the webpage that linked to the dll file. | keyword | +| dll.origin_url | The URL where the dll file is hosted. | keyword | | dll.path | Full file path of the library. | keyword | | dll.pe.company | Internal company name of the file, provided at compile-time. | keyword | | dll.pe.description | Internal description of the file, provided at compile-time. | keyword | @@ -2344,6 +2346,8 @@ sent by the endpoint. | process.io.total_bytes_captured | The total number of bytes captured in this event. | long | | process.io.total_bytes_skipped | The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. Implementors should strive to ensure this value is always zero | long | | process.name | Process name. Sometimes called program name or similar. | keyword | +| process.origin_referrer_url | The URL of the webpage that linked to the process's executable file. | keyword | +| process.origin_url | The URL where the process's executable file is hosted. | keyword | | process.parent.Ext | Object for all custom defined fields to live in. | object | | process.parent.Ext.architecture | Process architecture. It can differ from host architecture. | keyword | | process.parent.Ext.code_signature | Nested version of ECS code_signature fieldset. | nested | diff --git a/schemas/v1/library/library.yaml b/schemas/v1/library/library.yaml index ff8c94022..304e53d16 100644 --- a/schemas/v1/library/library.yaml +++ b/schemas/v1/library/library.yaml 
@@ -669,6 +669,28 @@ dll.name: normalize: [] short: Name of the library. type: keyword +dll.origin_referrer_url: + dashed_name: dll-origin-referrer-url + description: The URL of the webpage that linked to the dll file. + example: http://example.com/article1.html + flat_name: dll.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + short: The URL of the webpage that linked to the dll file. + type: keyword +dll.origin_url: + dashed_name: dll-origin-url + description: The URL where the dll file is hosted. + example: http://example.com/files/example.dll + flat_name: dll.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + short: The URL where the dll file is hosted. + type: keyword dll.path: dashed_name: dll-path description: Full file path of the library. diff --git a/schemas/v1/process/process.yaml b/schemas/v1/process/process.yaml index d3443ccdd..320e102a6 100644 --- a/schemas/v1/process/process.yaml +++ b/schemas/v1/process/process.yaml 
@@ -2279,6 +2279,28 @@ process.name: normalize: [] short: Process name. type: keyword +process.origin_referrer_url: + dashed_name: process-origin-referrer-url + description: The URL of the webpage that linked to the process's executable file. + example: http://example.com/article1.html + flat_name: process.origin_referrer_url + ignore_above: 8192 + level: extended + name: origin_referrer_url + normalize: [] + short: The URL of the webpage that linked to the process's executable file. + type: keyword +process.origin_url: + dashed_name: process-origin-url + description: The URL where the process's executable file is hosted. + example: http://example.com/files/example.exe + flat_name: process.origin_url + ignore_above: 8192 + level: extended + name: origin_url + normalize: [] + short: The URL where the process's executable file is hosted. + type: keyword process.parent.Ext: dashed_name: process-parent-Ext description: Object for all custom defined fields to live in.