[Security Solution] [Timeline] Endpoint row renderers (1st batch) (#8…

…9810) (#90499)

## [Security Solution] [Timeline] Endpoint row renderers (1st batch)

This PR implements the 1st batch of Endpoint (`event.module: "endpoint"`) row renderers by updating and enhancing some of the existing "Endgame" (`event.module: "endgame"`) row renderers to use the latest [ECS fields](https://www.elastic.co/guide/en/ecs/current/ecs-field-reference.html).

The following Endpoint events will be rendered via row renderers in Timeline:

| event.dataset            | event.action        |
|--------------------------|---------------------|
| endpoint.events.file     | creation            |
| endpoint.events.file     | deletion            |
| endpoint.events.process  | start               |
| endpoint.events.process  | end                 |
| endpoint.events.network  | lookup_requested    |
| endpoint.events.network  | lookup_result       |
| endpoint.events.network  | connection_accepted |
| endpoint.events.network  | disconnect_received |
| endpoint.events.security | log_on              |
| endpoint.events.security | log_off             |

## File (FIM) Creation events

Endpoint File (FIM) Creation events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers:

```
event.dataset: endpoint.events.file and event.action: creation
```

### Sample rendered File (FIM) Creation event

![endpoint_file_creation](https://user-images.githubusercontent.com/4459398/106036793-ff522f80-6092-11eb-9e3b-c24538129bea.png)

Each field with `this formatting` is draggable (to pivot a search) in the row-rendered event:

`SYSTEM` \ `NT AUTHORITY` @ `win2019-endpoint` created a file `WimProvider.dll` in `C:\Windows\TEMP\F590BACBAE94\WimProvider.dll` via `MsMpEng.exe` `(2424)`

### Fields in a File (FIM) Creation event

`user.name` \ `user.domain` @ `host.name` created a file `file.name` in `file.path` via `process.name` `(process.pid)`

## File (FIM) Deletion events

Endpoint File (FIM) Deletion events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers:

```
event.dataset: endpoint.events.file and event.action: deletion
```

### Sample rendered File (FIM) Deletion event

![endpoint_file_deletion](https://user-images.githubusercontent.com/4459398/106037520-088fcc00-6094-11eb-985d-ba8cead9fec9.png)

`SYSTEM` \ `NT AUTHORITY` @ `windows-endpoint-1` deleted a file `AM_Delta_Patch_1.329.2793.0.exe` in `C:\Windows\SoftwareDistribution\Download\Install\AM_Delta_Patch_1.329.2793.0.exe` via `svchost.exe` `(1728)`

### Fields in a File (FIM) Deletion event

`user.name` \ `user.domain` @ `host.name` deleted a file `file.name` in `file.path` via `process.name` `(process.pid)`

## Process Start events

Endpoint Process Start events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers:

```
event.dataset: endpoint.events.process and event.action: start
```

### Sample rendered Process Start event

![creation-event](https://user-images.githubusercontent.com/4459398/106061579-c7f37b00-60b2-11eb-9bc4-224e671baa4a.png)

`SYSTEM` \ `NT AUTHORITY` @ `win2019-endpoint` started process `conhost.exe` (`376`) `C:\Windows\system32\conhost.exe` `0xffffffff` `-ForceV1` via parent process `sshd.exe` (`6460`)

`sha256 697334c236cce7d4c9e223146ee683a1219adced9729d4ae771fd6a1502a6b63`

`sha1 e19da2c35ba1c38adf12d1a472c1fcf1f1a811a7`

`md5 1b0e9b5fcb62de0787235ecca560b610`

### Fields in a Process Start event

The following fields will be used to render a Process Start event:

`user.name` \ `user.domain` @ `host.name` started process `process.name` (`process.pid`) `process.args` via parent process `process.parent.name` (`process.parent.pid`)

`process.hash.sha256`

`process.hash.sha1`

`process.hash.md5`

## Process End events

Endpoint Process End events with the following `event.dataset` and `event.action` will be rendered in  Timeline via row renderers:

```
event.dataset: endpoint.events.process and event.action: end
```

### Sample rendered Process End event

![endpoint_process_end](https://user-images.githubusercontent.com/4459398/106076527-f1b99b80-60cc-11eb-8ff8-2da78a1fcb8f.png)

`SYSTEM` \ `NT AUTHORITY` @ `win2019-endpoint` terminated process `svchost.exe` (`10392`) `C:\Windows\System32\svchost.exe` `-k` `netsvcs` `-p` `-s` `NetSetupSvc` with exit code `0` via parent process `services.exe` `(568)`

`7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4d02020787ab6`

`a1385ce20ad79f55df235effd9780c31442aa234`

`8a0a29438052faed8a2532da50455756`

### Fields in a Process End event

The following fields will be used to render a Process End event:

`user.name` \ `user.domain` @ `host.name` terminated process `process.name` (`process.pid`) with exit code `process.exit_code` via parent process `process.parent.name` (`process.parent.pid`)

`process.hash.sha256`

`process.hash.sha1`

`process.hash.md5`

## Network (DNS) Lookup Requested events

Endpoint Network (DNS) Lookup Requested events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers:

```
event.dataset: endpoint.events.network and event.action: lookup_requested
```

### Runtime matching criteria

All Network Lookup Requested events, including Endpoint and non-Endpoint DNS events matching the following criteria will be rendered:

```
dns.question.type: * and dns.question.name: *
```

### Sample rendered Network Lookup Requested event

![network_lookup_requested](https://user-images.githubusercontent.com/4459398/106191208-cdf76380-6167-11eb-9be7-aaf78e4cfdd3.png)

`SYSTEM` \ `NT AUTHORITY` @ `windows-endpoint-1` asked for `logging.googleapis.com` with question type `A` via `google_osconfig_agent.exe` `(4064)` `dns`

### Fields in a Network Lookup Requested event

The following fields will be used to render a Network Lookup Request event:

`user.name` \ `user.domain`  @ `host.name` asked for `dns.question.name` with question type `dns.question.type` via `process.name` `(process.pid)` `network.protocol`

## Network Lookup Result events

Endpoint Network (DNS) Lookup Result events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers:

```
event.dataset: endpoint.events.network and event.action: lookup_result
```

### Runtime matching criteria

All Network Lookup Result events, including Endpoint and non-Endpoint DNS events matching the following criteria will be rendered:

```
dns.question.type: * and dns.question.name: *
```

### Sample rendered Network Lookup Result event

![network_lookup_result](https://user-images.githubusercontent.com/4459398/106192595-a43f3c00-6169-11eb-95bc-4ebe331f1231.png)

`SYSTEM` \ `NT AUTHORITY` @ `windows-endpoint-1` asked for `logging.googleapis.com` with question type `AAAA` via `GCEWindowsAgent.exe` `(684)` `dns`

### Fields in a Network Lookup Result event

The following fields will be used to render a Network Lookup Result event:

`user.name` \ `user.domain`  @ `host.name` asked for `dns.question.name` with question type `dns.question.type` via `process.name` `(process.pid)` `network.protocol`

## Network Connection Accepted events

Endpoint Network Connection Accepted events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers:

```
event.dataset: endpoint.events.network and event.action: connection_accepted
````

### Sample rendered Network Connection Accepted event

![network_connection_accepted](https://user-images.githubusercontent.com/4459398/106200497-4f54f300-6174-11eb-8879-06b7bfc88edf.png)

Network Connection Accepted events, like the one in the screenshot above, are also rendered by the _Netflow_ row renderer, which displays information that includes the directionality of the connection, protocol, and source / destination details.

`NETWORK SERVICE` \ `NT AUTHORITY` @ `windows-endpoint-1` accepted a connection via `svchost.exe` `(328)` with result `success`

### Fields in a Network Connection Accepted event

`user.name` \ `user.domain` @ `host.name` accepted a connection via `process.name` `(process.pid)` with result `event.outcome`

## Network Disconnect Received events

Endpoint Network Disconnect Received events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers:

```
event.dataset: endpoint.events.network and event.action: disconnect_received
````

### Sample rendered Network Disconnect Received event

![network_disconnect_received](https://user-images.githubusercontent.com/4459398/106205196-56cbca80-617b-11eb-83d3-26aa9670f114.png)

Network Disconnect Received events, like the one in the screenshot above, are also rendered by the _Netflow_ row renderer, which displays information that includes the directionality of the connection, protocol, and source / destination details.

`NETWORK SERVICE` \ `NT AUTHORITY` @ `windows-endpoint-1` disconnected via `svchost.exe` `(328)`

### Fields in a Network Disconnect Received event

`user.name` \ `user.domain` @ `host.name` disconnected via `process.name` `(process.pid)`

## Security Log On events

Endpoint Security Log On events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers:

```
event.dataset: endpoint.events.security and event.action: log_on
```

### `event.outcome: "success"` vs `event.outcome: "failure"`

The row renderer for Security Log On events uses the `event.outcome` field to display different results for events matching:

```
event.dataset: endpoint.events.security and event.action: log_on and event.outcome: success
```

vs events matching:

```
event.dataset: endpoint.events.security and event.action: log_on and event.outcome: failure
```

### Sample rendered Security Log On / `event.outcome: "success"` event

![security_log_on_success](https://user-images.githubusercontent.com/4459398/106210917-fcd00280-6184-11eb-9c1c-564cfb375539.png)

`SYSTEM` \ `NT AUTHORITY` @ `win2019-endpoint` successfully logged in via `C:\Program Files\OpenSSH-Win64\sshd.exe`

### Fields in an Security Log On / `event.outcome: "success"` event

`user.name` \ `user.domain` @ `host.name` successfully logged in via `process.name` (`process.pid`)

### Sample rendered Security Log On / `event.outcome: "failure"` event

![security_log_on_failure](https://user-images.githubusercontent.com/4459398/106211893-b2e81c00-6186-11eb-9c34-43227c15a1f0.png)

`SYSTEM` \ `NT AUTHORITY` @ `win2019-endpoint` failed to log in via `C:\Program Files\OpenSSH-Win64\sshd.exe`

### Fields in an Security Log On / `event.outcome: "failure"` event

`user.name` \ `user.domain` @ `host.name` failed to log in via `process.name` (`process.pid`)

## Security Log Off events

Endpoint Security Log Off events with the following `event.dataset` and `event.action` will be rendered in Timeline via row renderers:

```
event.dataset: endpoint.events.security and event.action: log_off
```

### Sample rendered Security Log Off event

![security_log_off](https://user-images.githubusercontent.com/4459398/106212499-0018bd80-6188-11eb-9e91-971f360ee87a.png)

`SYSTEM` \ `NT AUTHORITY` @ `win2019-endpoint` logged off via `C:\Program Files\OpenSSH-Win64\sshd.exe`

### Fields in a Security Log Off event

`user.name` \ `user.domain` @ `host.name` logged off via `process.name` (`process.pid`)

x-pack/plugins/security_solution/common/ecs/process/index.ts

@@ -7,7 +7,9 @@
 
 export interface ProcessEcs {
   entity_id?: string[];
+  exit_code?: number[];
   hash?: ProcessHashData;
+  parent?: ProcessParentData;
   pid?: number[];
   name?: string[];
   ppid?: number[];
@@ -24,6 +26,10 @@ export interface ProcessHashData {
   sha256?: string[];
 }
 
+export interface ProcessParentData {
+  name?: string[];
+}
+
 export interface Thread {
   id?: number[];
   start?: string[];