[Security-Linux Platform Integrations] Auditbeat missing Session View Process fields
Auditbeat is missing process fields for Session View, which is causing empty rows in the Sessions and Events tables.
I was testing the Session View on FE with auditbeat on my PR. I just noticed some auditbeat events did not have Session View Icon. When I expand the event details, I saw the process.entry_leader.entity_id field was missing.
To test the bug, see Session View Cloud Credentials.
Steps to Reproduce
- Go to Discover
- Choose the auditbeat data view
- Apply the filter: not process.entry_leader.entity_id : * and event.action : "executed"
- Click the arrow icon and expand the document details
- Go to Explore > Hosts > Events or Explore > Hosts > Sessions
Sessions are also missing
Events are also missing
DOD
- For Session View events and sessions, process fields should be populated. Auditbeat index to filter documents that don't have process.entry_leader.entity_id or are missing Session View process fields.
Pinging @elastic/sec-linux-platform (Team:Security-Linux Platform)
From what I've seen in my testing, the processor will fail to enrich a process when the process is missing from the processdb.
I have this branch with some additional logging on the error when enrichment fails; every time I've seen a failure, it's because the process is missing from the processdb.
There could be two potential problems here:
- A timing issue when starting the processor. When starting, the processor will scrape procfs to fill in the process DB. There could be a gap between this scraping and when ebpf takes over, and processes will be missed from the DB. Most of the missed processes happen close to when the processor is started, so I think this is happening.
- I've seen the enrich event run on processes that are not in the processdb, well after the processor is started. It seems like a timing issue where processes from ebpfevents are inserted into the DB after enrich has already been run on them. This could be tricky to fix, as it would need to coordinate with ebpfevents and the processor to wait for processes to be inserted before being enriched (and deal with problems like the process never being inserted).
With https://github.com/elastic/beats/pull/39173, the problem of missing processes in the DB wasn't completely fixed.
I had a theory that the processor was getting the event before the ebpf backend had inserted it into the DB, since auditbeat and ebpf aren't synced. In this branch, when processing an event for a process that isn't in the processdb, the processor would wait for the process to be inserted. Even with a delay to wait for the process to be inserted, it never arrived. So the problem isn't a timing issue where the processor is enriching events before ebpf inserts them.
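The wait-for-insert lookup that the two comments above describe, written out as an added Go sketch; this is not beats code, and ProcessDB, Insert and Lookup are illustrative names standing in for the real processdb. A lookup for a PID the eBPF backend has not inserted yet blocks until Insert wakes it or the timeout fires, and the timeout path is the case reported here: a process that never arrives, leaving the event unenriched.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// ProcessDB maps PID to the entry-leader entity id the processor copies into process.entry_leader.entity_id (illustrative).
type ProcessDB struct {
	mu      sync.Mutex
	procs   map[uint32]string
	updated chan struct{} // closed and replaced on every Insert, so waiters re-check the map
}

func NewProcessDB() *ProcessDB { return &ProcessDB{procs: map[uint32]string{}, updated: make(chan struct{})} }

func (db *ProcessDB) Insert(pid uint32, entryLeaderID string) {
	db.mu.Lock()
	defer db.mu.Unlock()
	db.procs[pid] = entryLeaderID
	close(db.updated) // wake every Lookup that is waiting on the DB
	db.updated = make(chan struct{})
}

// Lookup waits up to timeout for pid to be inserted; ok == false is the failure seen in the thread: the process never arrives.
func (db *ProcessDB) Lookup(pid uint32, timeout time.Duration) (string, bool) {
	deadline := time.After(timeout)
	for {
		db.mu.Lock()
		id, ok := db.procs[pid]
		updated := db.updated
		db.mu.Unlock()
		if ok {
			return id, true
		}
		select {
		case <-updated: // a process was inserted; re-check the map
		case <-deadline:
			return "", false
		}
	}
}

func main() {
	db := NewProcessDB()
	go func() { time.Sleep(50 * time.Millisecond); db.Insert(4242, "host-4242") }()
	fmt.Println(db.Lookup(4242, time.Second))          // host-4242 true: woken by the late Insert
	fmt.Println(db.Lookup(9999, 100*time.Millisecond)) // "" false: never inserted, so it times out
}
```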
One other thing to note about the original query: this includes failed exec calls from auditd (for instance, the new executable file isn't found). Since the exec failed, it shouldn't be in the session viewer. This query should find the processes that should be enriched but weren't: not process.entry_leader.entity_id : * and event.action : "executed" and not auditd.result: "fail"