We want to run ML jobs for rare module loads in processes. From what I have seen, this is not in ECS today, though I think it would be similar to process.args.
Before we start creating custom fields and ML jobs, is this in the roadmap for ECS and SIEM?
At least in Windows processes, I would want to differentiate between modules:
- Linked to the EXE (from a DLL file)
- Imported at runtime via reflection (from memory)
Possible example below:
{
  "command_line": "C:\\Windows\\system32\\cmd.exe /c C:\\PROGRA~1\\INFORM~1\\apps\\Common_Integration_Components\\12.0.2.1\\.lcm\\status-wrapper.bat",
  "parent": {
    "name": "java.exe"
  },
  "modules": {
    "linked": [
      "\\Windows\\System32\\ntdll.dll",
      "\\Windows\\System32\\KernelBase.dll",
      "\\Windows\\System32\\kernel32.dll",
      "\\PROGRA~1\\INFORM~1\\apps\\jdk\\1.8.0_275_SA\\jre\\bin\\java.dll",
      "HEAP:4482:RWX-:UNKNOWN::0x267e000"
    ]
  }
}
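The distinction the post asks for (file-backed DLLs versus modules that exist only in memory) and the "rare module" idea can both be prototyped before any ECS field or ML job exists. The following is an added example, not code from the original post, from ECS or from the SIEM; it works on the module list shape shown above and assumes that memory-backed entries are colon-separated descriptors whose first field is the region kind and whose third field is an RWX protection string (the layout of `HEAP:4482:RWX-:UNKNOWN::0x267e000` is not defined in the post, so that reading is an assumption). The sample events are constructed, not real telemetry.

```python
"""Classify per-process module loads and rank them by rarity across events.

Added example, not code from the original post or from Elastic/ECS. It uses the
module list shape the post shows: file-backed ("linked") modules appear as
Windows paths; memory-backed modules appear as colon-separated descriptors such
as "HEAP:4482:RWX-:UNKNOWN::0x267e000". The meaning of the descriptor fields
(region kind, then a numeric field, then an RWX protection string) is an
assumption made here for illustration; only the kind and protection are used.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List

# Assumed descriptor layout: KIND:<number>:<prot>:...  with prot like "RWX-"
_MEMORY_RE = re.compile(r"^(?P<kind>[A-Z]+):(?P<num>\d*):(?P<prot>[RWX-]{3,4}):")


@dataclass(frozen=True)
class Module:
    raw: str
    file_backed: bool          # linked from a file on disk (DLL path)
    writable_executable: bool  # W+X memory region: typical of reflective loading
    key: str                   # normalised identity used when counting rarity


def classify(entry: str) -> Module:
    """Split one module entry into file-backed vs memory-backed."""
    m = _MEMORY_RE.match(entry)
    if m:
        prot = m.group("prot")
        return Module(
            raw=entry,
            file_backed=False,
            writable_executable="W" in prot and "X" in prot,
            # Addresses and sizes differ per process, so key only on kind+protection.
            key=f"memory:{m.group('kind')}:{prot}",
        )
    # NTFS paths are case-insensitive by default, so lowercase for counting.
    # 8.3 short names (PROGRA~1) cannot be expanded without the filesystem; left as-is.
    return Module(raw=entry, file_backed=True, writable_executable=False,
                  key=entry.lower())


def module_rarity(events: Iterable[dict]) -> Counter:
    """Number of distinct process events in which each module key appears."""
    counts: Counter = Counter()
    for ev in events:
        counts.update({classify(e).key for e in ev["process"]["modules"]["linked"]})
    return counts


def suspicious_modules(event: dict, counts: Counter, total_events: int,
                       max_share: float = 0.2) -> List[str]:
    """Raw entries that are W+X memory regions or appear in <= max_share of events."""
    hits = []
    for entry in event["process"]["modules"]["linked"]:
        mod = classify(entry)
        share = counts[mod.key] / total_events
        if mod.writable_executable or share <= max_share:
            hits.append(entry)
    return hits


# Constructed sample events (not real telemetry). The first mirrors the post's example.
SYSTEM_DLLS = [
    "\\Windows\\System32\\ntdll.dll",
    "\\Windows\\System32\\KernelBase.dll",
    "\\Windows\\System32\\kernel32.dll",
]
EVENTS = [
    {"process": {"name": "cmd.exe", "parent": {"name": "java.exe"},
                 "modules": {"linked": SYSTEM_DLLS + [
                     "\\PROGRA~1\\INFORM~1\\apps\\jdk\\1.8.0_275_SA\\jre\\bin\\java.dll",
                     "HEAP:4482:RWX-:UNKNOWN::0x267e000"]}}},
] + [
    {"process": {"name": name, "parent": {"name": "explorer.exe"},
                 "modules": {"linked": SYSTEM_DLLS + extra}}}
    for name, extra in [
        ("notepad.exe", ["\\Windows\\System32\\user32.dll"]),
        ("cmd.exe", ["\\Windows\\System32\\user32.dll"]),
        ("svchost.exe", []),
        ("svchost.exe", ["\\windows\\system32\\USER32.DLL"]),  # same DLL, different case
    ]
]


def run() -> List[str]:
    """Flag modules of the first sample event against the whole sample population."""
    counts = module_rarity(EVENTS)
    return suspicious_modules(EVENTS[0], counts, len(EVENTS))


if __name__ == "__main__":
    for entry in run():
        print("rare or memory-backed module:", entry)
```

Keying memory regions on kind plus protection rather than on the address is deliberate: heap addresses differ in every process, so counting them verbatim would make every region look unique and drown the genuinely rare ones. The same reasoning applies to the ECS question in the post, whichever field the memory descriptor eventually lands in, it needs a stable component for the ML job to count on.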