[carbon_black_cloud]: Process Start events not mapped correctly #11653
Description
Integration Name
VMware Carbon Black Cloud [carbon_black_cloud]
Dataset Name
carbon_black_cloud.endpoint_event
Integration Version
2.6.1
Agent Version
8.15.2
Agent Output Type
elasticsearch
Elasticsearch Version
8.15.1
OS Version and Architecture
Elastic Cloud
Software/API Version
No response
Error Message
No response
Event Original
No response
What did you do?
Default configuration for the integration
What did you see?
When reviewing events with event.action: ACTION_CREATE_PROCESS, the resulting process.*+process.parent.* do not accurately reflect the process being created and it's parent. Instead, the data reflects the parent + grandparent involved in the process creation. See below command line fields that are available for a sample record:
| field | value |
|---|---|
| carbon_black_cloud.endpoint_event.target_cmdline | Google Chrome Helper (Renderer) |
| process.command_line | Google Chrome --restart --restart |
| process.parent.command_line | launchd |
What did you expect to see?
The expectation here is threefold:
- The "child" event would populate the
process.*fields - The "process" event would populate the
process.parent.*fields - The "parent" event would populate some other field such as
carbon_black_cloud.endpoint_event.grandparent
To accomplish this the mapping would need to rename the following:
process.*->process.parent.*process.parent.*->carbon_black_cloud.endpoint_event.grandparent.*carbon_black_cloud.endpoint_event.childproc.guid->process.entity_idcarbon_black_cloud.endpoint_event.childproc.hash.md5->process.hash.md5carbon_black_cloud.endpoint_event.childproc.hash.sha256->process.hash.sha256carbon_black_cloud.endpoint_event.childproc.name->process.executablecarbon_black_cloud.endpoint_event.childproc.pid->process.pidcarbon_black_cloud.endpoint_event.childproc.username->process.user.name
Anything else?
cc: @btrieger