Add thread callstacks to process, file, registry, and image/library load events #360
Conversation
💚 Build Succeeded
Expand to view the summary
Build stats
🤖 GitHub commentsExpand to view the GitHub comments
To re-run your PR in the CI, just comment with:
|
@dasansol92 and/or @gergoabraham it looks like you were chosen by the GitHub lottery. Can you take a look at this PR? |
|
@gabriellandau apologies - David and Gergo have been on PTO. I checked it out and reviewed it. There are only mapping additions here which are safer changes to make. The new package installs after correcting the type from this commit: 1a5d4bf I'm able to stream the new sample process doc with the new value LGTM! |
|
Thanks @kevinlog! |
|
Package endpoint - 8.8.0 containing this change is available at https://epr.elastic.co/search?package=endpoint |
Change Summary
This PR adds thread callstacks to process, file, registry, and image/library load events. Callstacks for process events are attributed to the parent at
process.parent.thread.Ext.call_stack. For the other listed events, they're attributed to the acting process atprocess.thread.Ext.call_stack.Callstacks will not be sent to ES in events by default. Rather, they will be sent to Endpoint's behavioral protection engine (aka rules engine). When a rule fires and generates an alert, the alert includes a list of events which triggered the rule. Callstacks will be included in such events.
For users who want all the data all the time, there will be a new advanced policy option to allow users to get callstacks in supported regular events.
Sample values
See included sample docs.
Release Target
8.8.0
Q/A
For mapping changes:
makeafter making the schema changes, and committed all changes