ECS fields and ML jobs for modules loaded by process

hukel · April 25, 2021, 12:40pm

We want to run ML jobs for rare module loads in processes. From what I have seen, this is not in the ECS today, though I think it would be similar to process.args.

Before we start creating custom fields and ML jobs, is this in the roadmap for ECS and SIEM?

At least in Windows processes, I would want to differentiate between modules:

Linked to the EXE (from DLL file)
Imported at runtime via reflection (from memory)

Possible example below:

    "command_line": "C:\\Windows\\system32\\cmd.exe /c C:\\PROGRA~1\\INFORM~1\\apps\\Common_Integration_Components\\12.0.2.1\\.lcm\\status-wrapper.bat",
    "parent": {
      "name": "java.exe"
    },
    "modules": {
      "linked": [
        [
          "\\Windows\\System32\\ntdll.dll"
        ],
        [
          "\\Windows\\System32\\KernelBase.dll"
        ],
        [
          "\\Windows\\System32\\kernel32.dll"
        ],
        [
          "\\PROGRA~1\\INFORM~1\\apps\\jdk\\1.8.0_275_SA\\jre\\bin\\java.dll"
        ],
        [
          "HEAP:4482:RWX-:UNKNOWN::0x267e000"
        ]
      ]
    },

system · May 23, 2021, 12:41pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Enable Elastic Security prebuilt ML jobs [2] Elasticsearch elastic-stack-machine-learning	1	339	December 1, 2021
Out of the Box ML jobs for Security Elasticsearch elastic-stack-machine-learning	4	548	July 1, 2022
Siem integrated ml jobs and multi tenancy Elastic Security	3	204	February 1, 2024
Machine learning jobs et saved objects Discussions en français	7	503	October 3, 2022
Unusual Process For a Windows Host (rare_process_by_host_windows_ecs) SIEM elastic-stack-machine-learning	5	519	July 29, 2021

ECS fields and ML jobs for modules loaded by process

Related topics