Add windows_defender.evidence paths for multiple hits, add anotehr test case, generate new expected and README

Author: nicpenning

packages/windows/data_stream/windows_defender/_dev/test/pipeline/test-events-windows-defender-events.json

@@ -1,5 +1,78 @@
 {
  "events": [
+ {
+ "@timestamp": "2024-06-21T01:21:15.1310609Z",
+ "event": {
+ "code": "1116",
+ "kind": "event",
+ "provider": "Microsoft-Windows-Windows Defender"
+ },
+ "host": {
+ "name": "el33t-b00k-1"
+ },
+ "log": {
+ "level": "Warning"
+ },
+ "message": "Microsoft Defender Antivirus has detected malware or other potentially unwanted software.\r\n For more information please see the following:\r\nhttps://go.microsoft.com/fwlink/?linkid=37020\u0026name=Virus:DOS/EICAR_Test_File\u0026threatid=2147519003\u0026enterprise=0\r\n \tName: Virus:DOS/EICAR_Test_File\r\n \tID: 2147519003\r\n \tSeverity: Severe\r\n \tCategory: Virus\r\n \tPath: file:_C:\\Users\\topsy\\OneDrive\\Desktop\\eat_more_yams.exe\r\n \tDetection Origin: Local machine\r\n \tDetection Type: Concrete\r\n \tDetection Source: Real-Time Protection\r\n \tUser: el33t-b00k-1\\topsy\r\n \tProcess Name: C:\\Users\\topsy\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\r\n \tSecurity intelligence Version: AV: 1.413.419.0, AS: 1.413.419.0, NIS: 1.413.419.0\r\n \tEngine Version: AM: 1.1.24050.5, NIS: 1.1.24050.5",
+ "winlog": {
+ "activity_id": "5f4a9fb7-8bb9-4d46-a5af-b880cefca3c1",
+ "channel": "Microsoft-Windows-Windows Defender/Operational",
+ "computer_name": "el33t-b00k-1",
+ "event_data": {
+ "Detection_User": "NT AUTHORITY\\SYSTEM",
+ "Execution_Name": "Suspended",
+ "Detection_Time": "2024-09-26T16:04:49.772Z",
+ "Error_Description": "The operation completed successfully. ",
+ "Error_Code": "0x00000000",
+ "Action_Name": "Not Applicable",
+ "FWLink": "https://go.microsoft.com/fwlink/?linkid=37020&name=Virus:DOS/EICAR_Test_File&threatid=2147519003&enterprise=1",
+ "Post_Clean_Status": "0",
+ "Category_ID": "42",
+ "Additional_Actions_String": "No additional actions required",
+ "Additional_Actions_ID": "0",
+ "Pre_Execution_Status": "0",
+ "Security_intelligence_Version": "AV: 1.419.183.0, AS: 1.419.183.0, NIS: 1.419.183.0",
+ "Threat_ID": "2147519003",
+ "Detection_ID": "{21A294A2-FE84-4DE0-B1D0-47D6DCD4DA9A}",
+ "Path": "file:_D:\\autorun.inf\\autorun.inf.exe; file:_D:\\autorun.inf\\Protection for Autorun\\Protection for Autorun.exe; file:_D:\\test\\.exe",
+ "Source_Name": "System",
+ "Origin_ID": "1",
+ "Type_Name": "Concrete",
+ "Action_ID": "9",
+ "Source_ID": "2",
+ "Product_Name": "Microsoft Defender Antivirus",
+ "Category_Name": "Virus",
+ "Status_Code": "1",
+ "Threat_Name": "Virus:DOS/EICAR_Test_File",
+ "Origin_Name": "Local machine",
+ "Severity_ID": "5",
+ "State": "1",
+ "Severity_Name": "Severe",
+ "Execution_ID": "1",
+ "Product_Version": "4.18.24080.9",
+ "Engine_Version": "AM: 1.1.24080.9, NIS: 1.1.24080.9",
+ "Type_ID": "0"
+ },
+ "event_id": "1116",
+ "level": "Warning",
+ "opcode": "Info",
+ "process": {
+ "pid": 7676,
+ "thread": {
+ "id": 29468
+ }
+ },
+ "provider_guid": "11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78",
+ "provider_name": "Microsoft-Windows-Windows Defender",
+ "record_id": "5646",
+ "time_created": "2024-06-21T01:21:15.1310609Z",
+ "user": {
+ "identifier": "S-1-5-18",
+ "name": "Topsy"
+ },
+ "version": 0
+ }
+ },
  {
  "@timestamp": "2024-06-21T01:21:15.1310609Z",
  "event": {

packages/windows/data_stream/windows_defender/_dev/test/pipeline/test-events-windows-defender-events.json-expected.json

@@ -1,5 +1,106 @@
 {
  "expected": [
+ {
+ "@timestamp": "2024-06-21T01:21:15.131Z",
+ "ecs": {
+ "version": "8.11.0"
+ },
+ "event": {
+ "action": "malware-detected",
+ "category": [
+ "malware"
+ ],
+ "code": "1116",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Windows Defender",
+ "reference": "https://go.microsoft.com/fwlink/?linkid=37020&name=Virus:DOS/EICAR_Test_File&threatid=2147519003&enterprise=1",
+ "type": [
+ "info"
+ ]
+ },
+ "file": {
+ "extension": "inf.exe",
+ "name": "autorun.inf.exe",
+ "path": "D:\\autorun.inf\\autorun.inf.exe"
+ },
+ "host": {
+ "name": "el33t-b00k-1"
+ },
+ "log": {
+ "level": "Warning"
+ },
+ "message": "Microsoft Defender Antivirus has detected malware or other potentially unwanted software.\r\n For more information please see the following:\r\nhttps://go.microsoft.com/fwlink/?linkid=37020&name=Virus:DOS/EICAR_Test_File&threatid=2147519003&enterprise=0\r\n \tName: Virus:DOS/EICAR_Test_File\r\n \tID: 2147519003\r\n \tSeverity: Severe\r\n \tCategory: Virus\r\n \tPath: file:_C:\\Users\\topsy\\OneDrive\\Desktop\\eat_more_yams.exe\r\n \tDetection Origin: Local machine\r\n \tDetection Type: Concrete\r\n \tDetection Source: Real-Time Protection\r\n \tUser: el33t-b00k-1\\topsy\r\n \tProcess Name: C:\\Users\\topsy\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\r\n \tSecurity intelligence Version: AV: 1.413.419.0, AS: 1.413.419.0, NIS: 1.413.419.0\r\n \tEngine Version: AM: 1.1.24050.5, NIS: 1.1.24050.5",
+ "user": {
+ "domain": "NT AUTHORITY",
+ "name": "SYSTEM"
+ },
+ "windows_defender": {
+ "evidence_paths": [
+ "D:\\autorun.inf\\autorun.inf.exe",
+ "D:\\autorun.inf\\Protection for Autorun\\Protection for Autorun.exe",
+ "D:\\test\\.exe"
+ ]
+ },
+ "winlog": {
+ "activity_id": "5f4a9fb7-8bb9-4d46-a5af-b880cefca3c1",
+ "channel": "Microsoft-Windows-Windows Defender/Operational",
+ "computer_name": "el33t-b00k-1",
+ "event_data": {
+ "Action_ID": "9",
+ "Action_Name": "Not Applicable",
+ "Additional_Actions_ID": "0",
+ "Additional_Actions_String": "No additional actions required",
+ "Category_ID": "42",
+ "Category_Name": "Virus",
+ "Detection_ID": "{21A294A2-FE84-4DE0-B1D0-47D6DCD4DA9A}",
+ "Detection_Time": "2024-09-26T16:04:49.772Z",
+ "Detection_User": "NT AUTHORITY\\SYSTEM",
+ "Engine_Version": "AM: 1.1.24080.9, NIS: 1.1.24080.9",
+ "Error_Code": "0x00000000",
+ "Error_Description": "The operation completed successfully. ",
+ "Execution_ID": "1",
+ "Execution_Name": "Suspended",
+ "FWLink": "https://go.microsoft.com/fwlink/?linkid=37020&name=Virus:DOS/EICAR_Test_File&threatid=2147519003&enterprise=1",
+ "Origin_ID": "1",
+ "Origin_Name": "Local machine",
+ "Path": "file:_D:\\autorun.inf\\autorun.inf.exe; file:_D:\\autorun.inf\\Protection for Autorun\\Protection for Autorun.exe; file:_D:\\test\\.exe",
+ "Post_Clean_Status": "0",
+ "Pre_Execution_Status": "0",
+ "Product_Name": "Microsoft Defender Antivirus",
+ "Product_Version": "4.18.24080.9",
+ "Security_intelligence_Version": "AV: 1.419.183.0, AS: 1.419.183.0, NIS: 1.419.183.0",
+ "Severity_ID": "5",
+ "Severity_Name": "Severe",
+ "Source_ID": "2",
+ "Source_Name": "System",
+ "State": "1",
+ "Status_Code": "1",
+ "Threat_ID": "2147519003",
+ "Threat_Name": "Virus:DOS/EICAR_Test_File",
+ "Type_ID": "0",
+ "Type_Name": "Concrete"
+ },
+ "event_id": "1116",
+ "level": "Warning",
+ "opcode": "Info",
+ "process": {
+ "pid": 7676,
+ "thread": {
+ "id": 29468
+ }
+ },
+ "provider_guid": "11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78",
+ "provider_name": "Microsoft-Windows-Windows Defender",
+ "record_id": "5646",
+ "time_created": "2024-06-21T01:21:15.1310609Z",
+ "user": {
+ "identifier": "S-1-5-18",
+ "name": "Topsy"
+ },
+ "version": 0
+ }
+ },
  {
  "@timestamp": "2024-06-21T01:21:15.131Z",
  "ecs": {
@@ -35,6 +136,11 @@
  "domain": "NT AUTHORITY",
  "name": "SYSTEM"
  },
+ "windows_defender": {
+ "evidence_paths": [
+ "C:\\Users\\Topsy\\Desktop\\eat_more_yams.exe"
+ ]
+ },
  "winlog": {
  "activity_id": "5f4a9fb7-8bb9-4d46-a5af-b880cefca3c1",
  "channel": "Microsoft-Windows-Windows Defender/Operational",
@@ -129,6 +235,12 @@
  "domain": "NT AUTHORITY",
  "name": "SYSTEM"
  },
+ "windows_defender": {
+ "evidence_paths": [
+ "C:\\Users\\Topsy\\Desktop\\eat_more_yams.exe",
+ "pid: 31337"
+ ]
+ },
  "winlog": {
  "activity_id": "5f4a9fb7-8bb9-4d46-a5af-b880cefca3c1",
  "channel": "Microsoft-Windows-Windows Defender/Operational",
@@ -459,6 +571,11 @@
  "domain": "NT AUTHORITY",
  "name": "SYSTEM"
  },
+ "windows_defender": {
+ "evidence_paths": [
+ "C:\\Users\\Topsy\\Desktop\\eat_more_yams.exe"
+ ]
+ },
  "winlog": {
  "activity_id": "",
  "channel": "Microsoft-Windows-Windows Defender/Operational",
@@ -554,6 +671,12 @@
  "domain": "NT AUTHORITY",
  "name": "SYSTEM"
  },
+ "windows_defender": {
+ "evidence_paths": [
+ "C:\\Users\\Topsy\\Desktop\\eat_more_yams.exe",
+ "pid: 1337"
+ ]
+ },
  "winlog": {
  "activity_id": "",
  "channel": "Microsoft-Windows-Windows Defender/Operational",

packages/windows/data_stream/windows_defender/elasticsearch/ingest_pipeline/default.yml

@@ -162,6 +162,28 @@ processors:
  patterns:
  - "file:_(?<file.path>[^;]+)(; process:_pid:%{NUMBER:process.pid})?"
  ignore_missing: true
+ - split:
+ field: winlog.event_data.Path
+ separator: ";"
+ target_field: windows_defender.evidence_paths
+ ignore_missing: true
+ ignore_failure: true
+ - trim:
+ field: windows_defender.evidence_paths
+ ignore_missing: true
+ ignore_failure: true
+ - gsub:
+ field: windows_defender.evidence_paths
+ pattern: "file:_"
+ replacement: ""
+ ignore_missing: true
+ ignore_failure: true
+ - gsub:
+ field: windows_defender.evidence_paths
+ pattern: "process:_"
+ replacement: ""
+ ignore_missing: true
+ ignore_failure: true
  - grok:
  field: winlog.event_data.FileName
  patterns:

packages/windows/data_stream/windows_defender/fields/fields.yml

@@ -0,0 +1,7 @@
+- name: windows_defender
+ type: group
+ description: All custom fields that are specific to a Windows Defender event will be grouped in this field name.
+ fields:
+ - name: evidence_paths
+ type: keyword
+ description: One or more paths found in the event.

packages/windows/data_stream/windows_defender/sample_event.json

@@ -1,24 +1,24 @@
 {
  "@timestamp": "2024-09-25T19:30:20.339Z",
  "agent": {
- "ephemeral_id": "d0fee858-3b2f-4e5d-9fbb-204845903e8a",
- "id": "757d65b4-4801-45c8-ad21-82958af8fd34",
- "name": "elastic-agent-80630",
+ "ephemeral_id": "e9af23ec-c024-4b56-a624-39e242319c16",
+ "id": "4a0bc7fa-6bfd-41c2-9cb6-17a1560abba7",
+ "name": "elastic-agent-41982",
  "type": "filebeat",
- "version": "8.15.3"
+ "version": "8.15.2"
  },
  "data_stream": {
  "dataset": "windows.windows_defender",
- "namespace": "71160",
+ "namespace": "97455",
  "type": "logs"
  },
  "ecs": {
  "version": "8.11.0"
  },
  "elastic_agent": {
- "id": "757d65b4-4801-45c8-ad21-82958af8fd34",
+ "id": "4a0bc7fa-6bfd-41c2-9cb6-17a1560abba7",
  "snapshot": false,
- "version": "8.15.3"
+ "version": "8.15.2"
  },
  "event": {
  "action": "malware-quarantined",
@@ -27,9 +27,9 @@
  "malware"
  ],
  "code": "1117",
- "created": "2024-10-27T18:11:49.634Z",
+ "created": "2024-11-04T23:00:42.213Z",
  "dataset": "windows.windows_defender",
- "ingested": "2024-10-27T18:11:52Z",
+ "ingested": "2024-11-04T23:00:45Z",
  "kind": "event",
  "original": "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Windows Defender' Guid='{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}'/><EventID>1117</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2024-09-25T19:30:20.3397185Z'/><EventRecordID>22399</EventRecordID><Correlation ActivityID='{e8e94442-2856-4bab-a775-454654f7ec59}'/><Execution ProcessID='3168' ThreadID='13904'/><Channel>Microsoft-Windows-Windows Defender/Operational</Channel><Computer>el33t-b00k-1.org.local</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='Product Name'>Microsoft Defender Antivirus</Data><Data Name='Product Version'>4.18.24080.9</Data><Data Name='Detection ID'>{4E4D1D41-19CC-4EE2-BDB0-950A07B81378}</Data><Data Name='Detection Time'>2024-09-25T19:29:38.198Z</Data><Data Name='Unused'></Data><Data Name='Unused2'></Data><Data Name='Threat ID'>2147680291</Data><Data Name='Threat Name'>Trojan:Win32/Detplock</Data><Data Name='Severity ID'>5</Data><Data Name='Severity Name'>Severe</Data><Data Name='Category ID'>8</Data><Data Name='Category Name'>Trojan</Data><Data Name='FWLink'>https://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Detplock&amp;threatid=2147680291&amp;enterprise=1</Data><Data Name='Status Code'>3</Data><Data Name='Status Description'></Data><Data Name='State'>2</Data><Data Name='Source ID'>3</Data><Data Name='Source Name'>Real-Time Protection</Data><Data Name='Process Name'>C:\\Program Files\\Notepad++\\notepad++.exe</Data><Data Name='Detection User'>ORG\\Topsy</Data><Data Name='Unused3'></Data><Data Name='Path'>file:_C:\\Users\\Topsy\\Desktop\\eat_dem_yams.exe</Data><Data Name='Origin ID'>1</Data><Data Name='Origin Name'>Local machine</Data><Data Name='Execution ID'>1</Data><Data Name='Execution Name'>Suspended</Data><Data Name='Type ID'>8</Data><Data Name='Type Name'>FastPath</Data><Data Name='Pre Execution Status'>0</Data><Data Name='Action ID'>2</Data><Data Name='Action Name'>Quarantine</Data><Data Name='Unused4'></Data><Data Name='Error Code'>0x00000000</Data><Data Name='Error Description'>The operation completed successfully. </Data><Data Name='Unused5'></Data><Data Name='Post Clean Status'>0</Data><Data Name='Additional Actions ID'>0</Data><Data Name='Additional Actions String'>No additional actions required</Data><Data Name='Remediation User'>NT AUTHORITY\\SYSTEM</Data><Data Name='Unused6'></Data><Data Name='Security intelligence Version'>AV: 1.419.163.0, AS: 1.419.163.0, NIS: 1.419.163.0</Data><Data Name='Engine Version'>AM: 1.1.24080.9, NIS: 1.1.24080.9</Data></EventData><RenderingInfo Culture='en-US'><Message>Microsoft Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software.&#13;&#10; For more information please see the following:&#13;&#10;https://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Detplock&amp;threatid=2147680291&amp;enterprise=1&#13;&#10; &#9;Name: Trojan:Win32/Detplock&#13;&#10; &#9;ID: 2147680291&#13;&#10; &#9;Severity: Severe&#13;&#10; &#9;Category: Trojan&#13;&#10; &#9;Path: file:_C:\\Users\\Topsy\\Desktop\\eat_dem_yams.exe&#13;&#10; &#9;Detection Origin: Local machine&#13;&#10; &#9;Detection Type: FastPath&#13;&#10; &#9;Detection Source: Real-Time Protection&#13;&#10; &#9;User: NT AUTHORITY\\SYSTEM&#13;&#10; &#9;Process Name: C:\\Program Files\\Notepad++\\notepad++.exe&#13;&#10; &#9;Action: Quarantine&#13;&#10; &#9;Action Status: No additional actions required&#13;&#10; &#9;Error Code: 0x00000000&#13;&#10; &#9;Error description: The operation completed successfully. &#13;&#10; &#9;Security intelligence Version: AV: 1.419.163.0, AS: 1.419.163.0, NIS: 1.419.163.0&#13;&#10; &#9;Engine Version: AM: 1.1.24080.9, NIS: 1.1.24080.9</Message><Level>Information</Level><Opcode>Info</Opcode><Provider>Microsoft-Windows-Windows Defender</Provider></RenderingInfo></Event>",
  "outcome": "success",
@@ -66,6 +66,11 @@
  "domain": "ORG",
  "name": "Topsy"
  },
+ "windows_defender": {
+ "evidence_paths": [
+ "C:\\Users\\Topsy\\Desktop\\eat_dem_yams.exe"
+ ]
+ },
  "winlog": {
  "activity_id": "{e8e94442-2856-4bab-a775-454654f7ec59}",
  "channel": "Microsoft-Windows-Windows Defender/Operational",