Merge pull request #1401 from SEKOIA-IO/bug/HarfangLab

HarfangLab: fix on process field
SEKOIA-IO · Dec 18, 2024 · 99cbd38 · 99cbd38
2 parents 42b9dfe + 3a478f3
commit 99cbd38
Show file tree

Hide file tree

Showing 6 changed files with 0 additions and 22 deletions.
diff --git a/HarfangLab/harfanglab/_meta/fields.yml b/HarfangLab/harfanglab/_meta/fields.yml
@@ -998,11 +998,6 @@ harfanglab.grandparent.process.ancestors:
   name: harfanglab.grandparent.process.ancestors
   type: keyword
 
-harfanglab.grandparent.process.command_line:
-  description: Command line that started the grandparent process
-  name: harfanglab.grandparent.process.command_line
-  type: keyword
-
 harfanglab.grandparent.process.executable:
   description: Absolute path to the grandparent process executable
   name: harfanglab.grandparent.process.executable

diff --git a/HarfangLab/harfanglab/ingest/parser.yml b/HarfangLab/harfanglab/ingest/parser.yml
@@ -207,7 +207,6 @@ stages:
           process.working_directory: "{{json_event.message.current_directory}}"
           process.pe.imphash: "{{json_event.message.pe_imphash}}"
           harfanglab.grandparent.process.executable: "{{json_event.message.grandparent_image}}"
-          harfanglab.grandparent.process.command_line: "{{json_event.message.parent_commandline}}"
           harfanglab.grandparent.process.ancestors: "{{json_event.message.ancestors.split('|')}}"
 
           user.name: >

diff --git a/HarfangLab/harfanglab/tests/process-event.json b/HarfangLab/harfanglab/tests/process-event.json
@@ -28,7 +28,6 @@
     "harfanglab": {
       "grandparent": {
         "process": {
-          "command_line": "C:\\ProgramData\\CentraStage\\AEMAgent\\AEMAge.exe",
           "executable": "C:\\Program Files (x86)\\Centra\\CagServ.exe"
         }
       },

diff --git a/HarfangLab/harfanglab/tests/process.json b/HarfangLab/harfanglab/tests/process.json
@@ -25,13 +25,6 @@
         "sha256": "100af46c952e58105dbc51eb92510f6990377a3ffc57e82074a8bfb64c56c529"
       }
     },
-    "harfanglab": {
-      "grandparent": {
-        "process": {
-          "command_line": "E:\\Program Files\\Microsoft\\Exchange Server\\V15\\Bin\\Microsoft.Exchange.Diagnostics.Service.exe"
-        }
-      }
-    },
     "host": {
       "domain": "NIVURA",
       "hostname": "EXCHANGE",

diff --git a/HarfangLab/harfanglab/tests/process3.json b/HarfangLab/harfanglab/tests/process3.json
@@ -25,13 +25,6 @@
         "sha256": "b5c78bef3883e3099f7ef844da1446db29107e5c0223b97f29e7fafab5527f15"
       }
     },
-    "harfanglab": {
-      "grandparent": {
-        "process": {
-          "command_line": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p"
-        }
-      }
-    },
     "host": {
       "domain": "WORKGROUP",
       "hostname": "REDACTED",

diff --git a/HarfangLab/harfanglab/tests/process4.json b/HarfangLab/harfanglab/tests/process4.json
@@ -34,7 +34,6 @@
             "C:\\Windows\\test2.exe",
             "C:\\Windows\\test3.exe"
           ],
-          "command_line": "test.exe -p -e test_script.py | find test",
           "executable": "C:\\Windows\\grandparent_image.exe"
         }
       },