[Session Viewer Auditbeat] Add support for Event.action Executed

[Omolola-Akinleye]

Summary:
As part of the Session Viewer Auditbeat epic, we need to enable Session Viewer to support Auditbeat events. Currently, Session Viewer only supports event.action: 'fork', 'exec', and 'end' from logs-endpoint index and logs-cloud-defend. Once we completed configured the auditbeats-* index, then we need to update Event Action to support executed

Definition of Done:

• Update Event.Action to include executed
• Under Hosts, event fields event.action: ['fork', 'executed'] should show.
• Allow backward compatibility support between Event.action exec and executed when Auditbeat's replace_fields setting
• Process Details panel should be populated
• Alert details panel should be populated
• Update and write unit tests and E2E where necessary

References

• https://github.com/elastic/security-team/issues/8322
• Auditbeat Docs setup
• Index pattern update

[elasticmachine]

Pinging @elastic/kibana-cloud-security-posture (Team:Cloud Security)

[Omolola-Akinleye]

Testing PR Instructions

Prerequisites:

• Checkout my branch session-view-auditbeat
• Apply Configuration to kibana.dev.yml

Alert View

1. Go to Alerts page
2. Change the date range for the past month
3. Apply query event.action: executed to see Alerts created by Auditbeat Sessions
4. Click Session View Icon and open session. You see should see alerts
5. Click Alerts tab to see Alert Details.

[Omolola-Akinleye]

Currently, there is a bug where Auditbeat index has missing process fields such as process.entry_leader.entity_id. Until bug is fixed, we can filter sessions and events to only query for documents with process.entry_leader.entity_id. @nick-alayil Wdyt? Should bug be fixed 8.14.0 release since today is Feature Freeze?

cc: @mjwolf @kfirpeled

[nick-alayil]

Until bug is fixed, we can filter sessions and events to only query for documents with process.entry_leader.entity_id.

Sounds like a good stop-gap solution to me until the bug is fixed.

Should bug be fixed 8.14.0 release since today is Feature Freeze?

I assume we could fix bugs during BC's or after FF. Isn't it?

[Omolola-Akinleye]

@mjwolf are you able to fix this bug fixed before the next BC ? I looked into filter events on the FE, and it's a bit more complicated and the code belongs to Security Solutions team. Hence, bugs should be fixed I after FF. cc:@nick-alayil

[Omolola-Akinleye]

QA Testing:

1. Install Auditd Manager Integration
2. Under rules Audit Rules

    -a always,exit -F arch=b64 -S execve,execveat -k exec
    -a always,exit -F arch=b64 -S exit_group
    -a always,exit -F arch=b64 -S setsid

3. Under Processors, add session viewer EpbF processor

- add_session_metadata:
        backend: "auto"
        replace_fields: false

4. Save Integration
5. Connect to Ec2 instance or Google Cloud VM
6. Add Elastic agent in your VM

curl -L -O https://staging.elastic.co/8.14.0-a40d088a/downloads/beats/elastic-agent/elastic-agent-8.14.0-linux-x86_64.tar.gz
tar xzvf elastic-agent-8.14.0-linux-x86_64.tar.gz
cd elastic-agent-8.14.0-linux-x86_64
sudo ./elastic-agent install --url={CLOUD_INSTANCE_URL} --enrollment-token={ENROLLMENT_TOKEN}

8. Enter a few commands

ls -la
touch text.txt
rm text.txt

9. In Kibana, Go to Explore -> Host -> Events to Auditbeat events
10. Apply filter event.action: executed
11. Click Session View Icon to open Session View

Click on Process Details Panel and Alert Details Panel.