[Security-Linux Platform Integrations] Auditbeat missing Session View Process fields #38955

Closed
Omolola-Akinleye opened this issue Apr 15, 2024 · 3 comments · Fixed by #38994, #39173 or #39243
Labels: bug, Team:Security-Linux Platform (Linux Platform Team in Security Solution)

Comments

Omolola-Akinleye commented Apr 15, 2024

Auditbeat is missing process fields for Session View, which is causing empty rows in the Sessions and Events tables.

I was testing the Session View on the FE with auditbeat on my PR. I just noticed some auditbeat events did not have the Session View icon. When I expanded the event details, I saw that the process.entry_leader.entity_id field was missing.

To test the bug, see Session View Cloud Credentials.

Steps to Reproduce

  1. Go to Discover
  2. Choose the auditbeat data view
  3. Apply the filter not process.entry_leader.entity_id : * and event.action : "executed"
  4. Click the arrow icon and expand the document details
  5. Go to Explore > Hosts > Events or Explore > Hosts > Sessions

Sessions are also missing (screenshot).
Events are also missing (screenshot).

DOD

  • For Session View events and sessions, process fields should be populated. Auditbeat index: filter documents that don't have process.entry_leader.entity_id or are missing Session View process fields.
Omolola-Akinleye added the Team:Security-Linux Platform label Apr 15, 2024
elasticmachine (Collaborator)

Pinging @elastic/sec-linux-platform (Team:Security-Linux Platform)

mjwolf (Contributor) commented Apr 22, 2024

From what I've seen in my testing, the processor will fail to enrich a process when the process is missing from the processdb.

I have this branch with some additional logging on the error when enrichment fails; every time I've seen a failure, it's because the process is missing from the processdb.

There could be two potential problems here:

  1. A timing issue when starting the processor. When starting, the processor will scrape procfs to fill in the process DB. There could be a gap between this scraping and when ebpf takes over, and processes will be missed from the DB. Most of the missed processes happen close to when the processor is started, so I think this is happening.
  2. I've seen the enrich event run on processes that are not in the processdb, well after the processor is started. It seems like a timing issue where processes from ebpfevents are inserted into the DB after enrich has already been run on them. This could be tricky to fix, as it would need to coordinate with ebpfevents and the processor to wait for processes to be inserted before being enriched (and deal with problems like the process never being inserted).

mjwolf (Contributor) commented Apr 25, 2024

With #39173, the problem of missing processes in the DB wasn't completely fixed.

I had a theory that the processor was getting the event before the ebpf backend had inserted it into the DB, since auditbeat and ebpf aren't synced. In this branch, when processing an event for a process that isn't in the processdb, the processor would wait for the process to be inserted. Even with a delay to wait for the process to be inserted, it never arrived. So the problem isn't a timing issue where the processor is enriching events before ebpf inserts them.

One other thing to note about the original query: it includes failed exec calls from auditd (for instance, when the new executable file isn't found). Since the exec failed, it shouldn't be in the session viewer. This query should find the processes that should be enriched but weren't: not process.entry_leader.entity_id : * and event.action : "executed" and not auditd.result: "fail"
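The two comments above describe the same mechanism: a processdb seeded by a procfs scrape and then fed by ebpf, an enrichment step that fails when the PID is absent, and a trial fix that waits for a late insert. The following is an added Go sketch of that wait-for-insert pattern with the failed-exec exclusion from the refined query; it is not Auditbeat's code, and ProcessDB, Process and Enrich are hypothetical names standing in for the real processor.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Process holds the processdb state an exec event is enriched from.
type Process struct {
	PID           uint32
	EntryLeaderID string // emitted as process.entry_leader.entity_id
}

// ProcessDB is a toy stand-in for Auditbeat's processdb (hypothetical): seeded by procfs, then fed by ebpf.
type ProcessDB struct {
	mu      sync.Mutex
	procs   map[uint32]Process
	changed chan struct{} // closed and replaced on every Insert, waking waiters
}

func NewProcessDB() *ProcessDB { return &ProcessDB{procs: map[uint32]Process{}, changed: make(chan struct{})} }

// Insert stores a process and wakes every enrichment currently waiting for one.
func (db *ProcessDB) Insert(p Process) {
	db.mu.Lock()
	defer db.mu.Unlock()
	db.procs[p.PID] = p
	close(db.changed)
	db.changed = make(chan struct{})
}

// Enrich returns process.entry_leader.entity_id for an exec event, waiting up to timeout for a late insert.
func Enrich(db *ProcessDB, pid uint32, action, result string, timeout time.Duration) (string, error) {
	if action != "executed" || result == "fail" {
		return "", nil // failed execs never become session processes, so there is nothing to enrich
	}
	deadline := time.After(timeout)
	for {
		db.mu.Lock()
		p, ok := db.procs[pid]
		changed := db.changed // captured under the lock, so an Insert cannot slip between lookup and wait
		db.mu.Unlock()
		if ok {
			return p.EntryLeaderID, nil
		}
		select {
		case <-changed: // processdb changed since the lookup: re-check for our PID
		case <-deadline:
			return "", fmt.Errorf("pid %d: process not in processdb", pid)
		}
	}
}
```

A PID that is never inserted still surfaces as an error after the timeout, which is the case the thread found remained after the wait was added; counting those errors is the quickest way to see how many events will lack the Session View fields.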
