From 1537f132dbf942f87388dc93ea767832f570993a Mon Sep 17 00:00:00 2001
From: quebim
Date: Fri, 6 Dec 2024 11:40:46 -0300
Subject: [PATCH 1/2] Add tty char_device.major field to processes mapping
Update event generator to implement tty fields
---
.../event-generator/event_generator.py | 5 +++++
ecs/states-inventory-processes/fields/subset.yml | 5 +++++
2 files changed, 10 insertions(+)
diff --git a/ecs/states-inventory-processes/event-generator/event_generator.py b/ecs/states-inventory-processes/event-generator/event_generator.py
index 3da0e29cd07a2..0cf1939a37018 100644
--- a/ecs/states-inventory-processes/event-generator/event_generator.py
+++ b/ecs/states-inventory-processes/event-generator/event_generator.py
@@ -152,6 +152,11 @@ def generate_random_process():
 },
 'user': {
 'id': f'userid{random.randint(0, 9999)}'
+ },
+ 'tty': {
+ 'char_device': {
+ 'major': random.randint(0, 5)
+ }
 }
 }
 return process
diff --git a/ecs/states-inventory-processes/fields/subset.yml b/ecs/states-inventory-processes/fields/subset.yml
index 16ccccb2dfb9a..6a391603f2b6f 100644
--- a/ecs/states-inventory-processes/fields/subset.yml
+++ b/ecs/states-inventory-processes/fields/subset.yml
@@ -45,3 +45,8 @@ fields:
 thread:
 fields:
 id: ""
+ tty:
+ fields:
+ char_device:
+ fields:
+ major: ""
From f925e912f302103f782c6e0518a3819a294a72cc Mon Sep 17 00:00:00 2001
From: quebim
Date: Fri, 6 Dec 2024 12:51:11 -0300
Subject: [PATCH 2/2] Update processes ecs documentation
---
ecs/docs/inventory-processes.md | 42 ++++++++++++++++++---------------
1 file changed, 23 insertions(+), 19 deletions(-)
diff --git a/ecs/docs/inventory-processes.md b/ecs/docs/inventory-processes.md
index fd6494786a8b5..4f3451746aaed 100644
--- a/ecs/docs/inventory-processes.md
+++ b/ecs/docs/inventory-processes.md
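Review bot: `'major': random.randint(0, 5)` in the new `tty` block produces values 0–3 that no terminal device on Linux carries, where tty majors are 4 (`/dev/ttyN`), 5 (`/dev/tty`, `/dev/console`, `/dev/ptmx`) and 136–143 (`/dev/pts/*`); synthetic events that never resemble real data make the mapping, and any rule keyed on this field, harder to validate. Drawing from a small set of plausible majors, e.g. `'major': random.choice([4, 5, 136])`, keeps the value an integer while producing realistic events. generate_random_process() starts before the hunk.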
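Review bot: Only `major` is listed under `tty.char_device`, and a major number alone identifies the driver class rather than the terminal: pseudo-terminals under the same major are told apart only by their minor, so the inventory cannot distinguish one interactive session from another. If the goal is to identify the controlling terminal, adding `minor: ""` beside `major: ""` (ECS defines `process.tty.char_device.minor` next to `.major`) would make the pair unique per device; the event generator and the documentation would then need the matching entry.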
@@ -8,24 +8,24 @@ Based on ECS:
 - [Process Fields](https://www.elastic.co/guide/en/ecs/current/ecs-process.html).
-| | Field name | Data type | Description | Examples | Comments |
-| --- | ------------------------ | --------- | ---------------------------------------------------------------------------------------------------- | -------------------------------------------------- | ---------------------------------------------------------- |
-| | `agent.*` | object | All the agent fields. | ` |
-| | `@timestamp` | date | Date/time when the event originated. | `2016-05-23T08:05:34.853Z` | |
-| | `process.args` | keyword | Array of process arguments. | `["/usr/bin/ssh", "-l", "user", "10.0.0.16"]` | |
-| | `process.command_line` | wildcard | process.command_line. | `/usr/bin/ssh -l user 10.0.0.16` | |
-| | `process.name` | keyword | Process name. | `ssh` | |
-| | `process.parent.pid` | long | Parent process ID. | `4242` | |
-| | `process.pid` | long | Process ID. | `4242` | |
-| | `process.real_group.id` | keyword | Unique identifier for the group on the system/platform. | | |
-| | `process.real_user.id` | keyword | Unique identifier of the user. | `S-1-5-21-202424912787-2692429404-2351956786-1000` | |
-| | `process.saved_group.id` | keyword | Unique identifier for the group on the system/platform. | | |
-| | `process.saved_user.id` | keyword | Unique identifier of the user. | `S-1-5-21-202424912787-2692429404-2351956786-1000` | |
-| | `process.start` | date | The time the process started. | `2016-05-23T08:05:34.853Z` | |
-| | `process.user.id` | keyword | Unique identifier of the user. | `S-1-5-21-202424912787-2692429404-2351956786-1000` | |
-| ! | `process.thread.id` | long | Thread ID. | | `thread.group` is **not part of ECS;** but `thread.id` is. |
-| ! | `process.tty` | object | Information about the controlling TTY device. If set, the process belongs to an interactive session. 
| | Needs clarification |
-| \* | `process.group.id` | keyword | Unique identifier for the effective group on the system/platform. | | |
+| | Field name | Data type | Description | Examples | Comments |
+|----|---------------------------------| --------- | ---------------------------------------------------------------------------------------------------- | -------------------------------------------------- | ---------------------------------------------------------- |
+| | `agent.*` | object | All the agent fields. | ` |
+| | `@timestamp` | date | Date/time when the event originated. | `2016-05-23T08:05:34.853Z` | |
+| | `process.args` | keyword | Array of process arguments. | `["/usr/bin/ssh", "-l", "user", "10.0.0.16"]` | |
+| | `process.command_line` | wildcard | process.command_line. | `/usr/bin/ssh -l user 10.0.0.16` | |
+| | `process.name` | keyword | Process name. | `ssh` | |
+| | `process.parent.pid` | long | Parent process ID. | `4242` | |
+| | `process.pid` | long | Process ID. | `4242` | |
+| | `process.real_group.id` | keyword | Unique identifier for the group on the system/platform. | | |
+| | `process.real_user.id` | keyword | Unique identifier of the user. | `S-1-5-21-202424912787-2692429404-2351956786-1000` | |
+| | `process.saved_group.id` | keyword | Unique identifier for the group on the system/platform. | | |
+| | `process.saved_user.id` | keyword | Unique identifier of the user. | `S-1-5-21-202424912787-2692429404-2351956786-1000` | |
+| | `process.start` | date | The time the process started. | `2016-05-23T08:05:34.853Z` | |
+| | `process.user.id` | keyword | Unique identifier of the user. | `S-1-5-21-202424912787-2692429404-2351956786-1000` | |
+| ! | `process.thread.id` | long | Thread ID. | | `thread.group` is **not part of ECS;** but `thread.id` is. |
+| | `process.tty.char_device.major` | object | Information about the controlling TTY device. If set, the process belongs to an interactive session. 
| | Needs clarification |
+| \* | `process.group.id` | keyword | Unique identifier for the effective group on the system/platform. | | |
 \* Custom field
@@ -50,7 +50,6 @@ Based on ECS:
 | x | session | `process.session` | **No ECS mapping** | Session ID | | **Not part of ECS;** Needs clarification. |
 | x | nlwp | `process.nlwp` | **No ECS mapping** | Number of light-weight processes | | **Not part of ECS;** Needs clarification. |
 | ! | tgid | `process.thread.id` | **No ECS mapping** | Thread ID ID | | `thread.group` is **not part of ECS;** but `thread.id` is. |
-| ! | tty | `process.tty` | object | Information about the controlling TTY device. If set, the process belongs to an interactive session. | | Needs clarification |
 | x | processor | `host.cpu.processor` | **No ECS mapping** | Processor number | | No ECS field refers to the core number of the CPU. |

@@ -106,6 +105,11 @@ fields:
 thread:
 fields:
 id: ""
+ tty:
+ fields:
+ char_device:
+ fields:
+ major: ""
 ```
 ### Index settings