From a96de41af575fc9a09d8a42b06b7a20d7238cfa6 Mon Sep 17 00:00:00 2001 From: kevinlog Date: Tue, 22 Jun 2021 22:11:14 -0400 Subject: [PATCH 1/6] Correct linux OS lookup for Endpoint Exceptions --- .../public/common/components/exceptions/helpers.tsx | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx b/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx index 20413a6493661..1a63ab36aa987 100644 --- a/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx +++ b/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx @@ -236,7 +236,14 @@ export const enrichExceptionItemsWithOS = ( export const retrieveAlertOsTypes = (alertData?: AlertData): OsTypeArray => { const osDefaults: OsTypeArray = ['windows', 'macos']; if (alertData != null) { - const os = alertData.host && alertData.host.os && alertData.host.os.family; + const osTypeBasedOnAgentType = (data: AlertData) => { + if (data.agent && data.agent.type === 'endpoint') { + return data.host?.os?.name?.toLowerCase(); + } else { + return data.host?.os?.family; + } + }; + const os = osTypeBasedOnAgentType(alertData); if (os != null) { return osType.is(os) ? [os] : osDefaults; } @@ -361,8 +368,9 @@ export const getPrepopulatedEndpointException = ({ const { file, host } = alertEcsData; const filePath = file?.path ?? ''; const sha256Hash = file?.hash?.sha256 ?? ''; - const filePathDefault = host?.os?.family === 'linux' ? 'file.path' : 'file.path.caseless'; + const filePathDefault = host?.os?.name === 'Linux' ? 'file.path' : 'file.path.caseless'; + // TODO: Fix this return { ...getNewExceptionItem({ listId, namespaceType: listNamespace, ruleName }), entries: addIdToEntries([ From 462d8be903f350022743a58c787fa6bb15b04363 Mon Sep 17 00:00:00 2001 
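Review bot: The new `agent.type === 'endpoint'` branch in `retrieveAlertOsTypes` has no comment saying why Endpoint alerts must be keyed on `host.os.name` while every other agent keeps using `host.os.family`, so the distinction is easy to refactor away later. Suggest a line above `osTypeBasedOnAgentType` such as `// Endpoint alerts appear not to carry an osType value in host.os.family, so derive the OS from host.os.name instead — confirm against real Endpoint documents`. Note also that when the lowercased name is not a recognised `osType` the function still silently returns `osDefaults` (`['windows', 'macos']`), so an Endpoint alert from a Linux host whose `host.os.name` is unexpected would prepopulate an exception scoped to the wrong operating systems; that fallback predates this commit, but now that there are two lookup paths it deserves a unit test pinning both.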
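Review bot: `host?.os?.name === 'Linux'` in `getPrepopulatedEndpointException` is an exact, case-sensitive comparison, whereas `retrieveAlertOsTypes` in the same patch lowercases `host.os.name` before matching, so the two lookups can disagree if Endpoint ever reports the name in a different case; normalising here too, `const filePathDefault = host?.os?.name?.toLowerCase() === 'linux' ? 'file.path' : 'file.path.caseless';`, keeps them consistent (confirm which exact values Endpoint emits). The `// TODO: Fix this` added before the `return` does not say what is wrong; either drop it or state the problem, e.g. `// TODO: code-signature entries below are not valid for Linux alerts`, if that is the intent. The function body continues past the end of the hunk.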
From: kevinlog Date: Wed, 23 Jun 2021 20:55:49 -0400 Subject: [PATCH 2/6] correct default exceptions --- .../exceptionable_endpoint_fields.json | 20 ---- .../exceptionable_windows_mac_fields.json | 18 +++- .../common/components/exceptions/helpers.tsx | 93 +++++++++++-------- 3 files changed, 70 insertions(+), 61 deletions(-) diff --git a/x-pack/plugins/security_solution/public/common/components/exceptions/exceptionable_endpoint_fields.json b/x-pack/plugins/security_solution/public/common/components/exceptions/exceptionable_endpoint_fields.json index d5134945441f5..b5480aac27f67 100644 --- a/x-pack/plugins/security_solution/public/common/components/exceptions/exceptionable_endpoint_fields.json +++ b/x-pack/plugins/security_solution/public/common/components/exceptions/exceptionable_endpoint_fields.json @@ -1,19 +1,11 @@ [ "Endpoint.policy.applied.id", - "Target.process.Ext.code_signature.status", - "Target.process.Ext.code_signature.subject_name", - "Target.process.Ext.code_signature.trusted", - "Target.process.Ext.code_signature.valid", "Target.process.Ext.services", "Target.process.Ext.user", "Target.process.hash.md5", "Target.process.hash.sha1", "Target.process.hash.sha256", "Target.process.hash.sha512", - "Target.process.parent.Ext.code_signature.status", - "Target.process.parent.Ext.code_signature.subject_name", - "Target.process.parent.Ext.code_signature.trusted", - "Target.process.parent.Ext.code_signature.valid", "Target.process.parent.hash.md5", "Target.process.parent.hash.sha1", "Target.process.parent.hash.sha256", @@ -38,10 +30,6 @@ "event.outcome", "event.provider", "event.type", - "file.Ext.code_signature.status", - "file.Ext.code_signature.subject_name", - "file.Ext.code_signature.trusted", - "file.Ext.code_signature.valid", "file.attributes", "file.device", "file.directory", 
@@ -78,20 +66,12 @@ "host.os.platform", "host.os.version", "host.type", - "process.Ext.code_signature.status", - "process.Ext.code_signature.subject_name", - "process.Ext.code_signature.trusted", - "process.Ext.code_signature.valid", "process.Ext.services", "process.Ext.user", "process.hash.md5", "process.hash.sha1", "process.hash.sha256", "process.hash.sha512", - "process.parent.Ext.code_signature.status", - "process.parent.Ext.code_signature.subject_name", - "process.parent.Ext.code_signature.trusted", - "process.parent.Ext.code_signature.valid", "process.parent.hash.md5", "process.parent.hash.sha1", "process.parent.hash.sha256", diff --git a/x-pack/plugins/security_solution/public/common/components/exceptions/exceptionable_windows_mac_fields.json b/x-pack/plugins/security_solution/public/common/components/exceptions/exceptionable_windows_mac_fields.json index 31784bb9c764a..dc21434f96b5a 100644 --- a/x-pack/plugins/security_solution/public/common/components/exceptions/exceptionable_windows_mac_fields.json +++ b/x-pack/plugins/security_solution/public/common/components/exceptions/exceptionable_windows_mac_fields.json 
@@ -18,5 +18,21 @@ "process.parent.executable.caseless", "process.parent.name.caseless", "process.parent.working_directory.caseless", - "process.working_directory.caseless" + "process.working_directory.caseless", + "Target.process.Ext.code_signature.status", + "Target.process.Ext.code_signature.subject_name", + "Target.process.Ext.code_signature.trusted", + "Target.process.Ext.code_signature.valid", + "Target.process.parent.Ext.code_signature.status", + "Target.process.parent.Ext.code_signature.subject_name", + "Target.process.parent.Ext.code_signature.trusted", + "Target.process.parent.Ext.code_signature.valid", + "file.Ext.code_signature.status", + "file.Ext.code_signature.subject_name", + "file.Ext.code_signature.trusted", + "file.Ext.code_signature.valid", + "process.parent.Ext.code_signature.status", + "process.parent.Ext.code_signature.subject_name", + "process.parent.Ext.code_signature.trusted", + "process.parent.Ext.code_signature.valid" ] \ No newline at end of file diff --git a/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx b/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx index 1a63ab36aa987..279f080b1380d 100644 --- a/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx +++ b/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx 
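Review bot: The companion hunk removes all five `*.Ext.code_signature.*` groups from `exceptionable_endpoint_fields.json`, but this file only adds four of them back: `process.Ext.code_signature.status`, `.subject_name`, `.trusted` and `.valid` are in neither list after this patch, so the signing fields of the alerting process itself can no longer be selected on Windows or macOS even though `process.parent.Ext.code_signature.*` and `Target.process.Ext.code_signature.*` can. Unless that omission is deliberate, add the four `process.Ext.code_signature.*` entries alongside the others. The file also still ends without a trailing newline (`\ No newline at end of file`), which is worth fixing while the tail of the array is being edited.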
@@ -368,49 +368,62 @@ export const getPrepopulatedEndpointException = ({ const { file, host } = alertEcsData; const filePath = file?.path ?? ''; const sha256Hash = file?.hash?.sha256 ?? ''; - const filePathDefault = host?.os?.name === 'Linux' ? 'file.path' : 'file.path.caseless'; + const isLinux = host?.os?.name === 'Linux'; + const filePathDefault = isLinux ? 'file.path' : 'file.path.caseless'; + + const codeSignatureFields = [ + { + field: 'file.Ext.code_signature', + type: 'nested', + entries: [ + { + field: 'subject_name', + operator: 'included', + type: 'match', + value: codeSignature != null ? codeSignature.subjectName : '', + }, + { + field: 'trusted', + operator: 'included', + type: 'match', + value: codeSignature != null ? codeSignature.trusted : '', + }, + ], + }, + ]; + + const commonFields = [ + { + field: filePathDefault, + operator: 'included', + type: 'match', + value: filePath ?? '', + }, + { + field: 'file.hash.sha256', + operator: 'included', + type: 'match', + value: sha256Hash ?? '', + }, + { + field: 'event.code', + operator: 'included', + type: 'match', + value: eventCode ?? '', + }, + ]; + + const entriesToAdd = () => { + if (isLinux) { + return commonFields; + } else { + return [...codeSignatureFields, ...commonFields]; + } + }; - // TODO: Fix this return { ...getNewExceptionItem({ listId, namespaceType: listNamespace, ruleName }), - entries: addIdToEntries([ - { - field: 'file.Ext.code_signature', - type: 'nested', - entries: [ - { - field: 'subject_name', - operator: 'included', - type: 'match', - value: codeSignature != null ? codeSignature.subjectName : '', - }, - { - field: 'trusted', - operator: 'included', - type: 'match', - value: codeSignature != null ? codeSignature.trusted : '', - }, - ], - }, - { - field: filePathDefault, - operator: 'included', - type: 'match', - value: filePath ?? '', - }, - { - field: 'file.hash.sha256', - operator: 'included', - type: 'match', - value: sha256Hash ?? 
'', - }, - { - field: 'event.code', - operator: 'included', - type: 'match', - value: eventCode ?? '', - }, - ]), + entries: addIdToEntries(entriesToAdd()), }; }; From 761ff481e52a72b73d52ef638cb242f21c2d249d Mon Sep 17 00:00:00 2001 From: kevinlog Date: Thu, 24 Jun 2021 10:26:03 -0400 Subject: [PATCH 3/6] fix test --- .../common/components/exceptions/helpers.test.tsx | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.test.tsx b/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.test.tsx index 383b177d40c64..0af83e2cff3b5 100644 --- a/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.test.tsx +++ b/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.test.tsx @@ -87,17 +87,6 @@ const mockLinuxEndpointFields = [ aggregatable: false, readFromDocValues: false, }, - { - name: 'file.Ext.code_signature.status', - type: 'string', - esTypes: ['text'], - count: 0, - scripted: false, - searchable: true, - aggregatable: false, - readFromDocValues: false, - subType: { nested: { path: 'file.Ext.code_signature' } }, - }, ]; export const getEndpointField = (name: string) => From aaf285d1b52614bc31067aede46dc81cab14d2e7 Mon Sep 17 00:00:00 2001 From: kevinlog Date: Thu, 24 Jun 2021 12:38:13 -0400 Subject: [PATCH 4/6] fix type error --- .../common/components/exceptions/helpers.tsx | 93 +++++++++++-------- 1 file changed, 53 insertions(+), 40 deletions(-) diff --git a/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx b/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx index 279f080b1380d..371f40f6a9293 100644 --- a/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx +++ b/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx 
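Review bot: `isLinux` is false whenever `host.os.name` is absent, so an alert carrying no OS information silently takes the Windows/macOS branch of `entriesToAdd` and receives the nested `file.Ext.code_signature` entry with `subject_name` and `trusted` both set to `''` when `codeSignature` is null, plus a `file.path.caseless` clause — an exception item that is unlikely to match what the analyst intended. Consider distinguishing "no OS" from "non-Linux", e.g. `const osName = host?.os?.name; const isLinux = osName === 'Linux';` with a comment such as `// an alert without host.os.name is treated as Windows/macOS (caseless path + code-signature entries)` so the fallthrough is at least explicit. The parameter list of `getPrepopulatedEndpointException` and the `getNewExceptionItem` call are outside the hunk.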
@@ -369,61 +369,74 @@ export const getPrepopulatedEndpointException = ({ const filePath = file?.path ?? ''; const sha256Hash = file?.hash?.sha256 ?? ''; const isLinux = host?.os?.name === 'Linux'; - const filePathDefault = isLinux ? 'file.path' : 'file.path.caseless'; - const codeSignatureFields = [ - { - field: 'file.Ext.code_signature', - type: 'nested', - entries: [ + const entriesToAdd = () => { + if (isLinux) { + return addIdToEntries([ { - field: 'subject_name', + field: 'file.path', operator: 'included', type: 'match', - value: codeSignature != null ? codeSignature.subjectName : '', + value: filePath ?? '', }, { - field: 'trusted', + field: 'file.hash.sha256', operator: 'included', type: 'match', - value: codeSignature != null ? codeSignature.trusted : '', + value: sha256Hash ?? '', }, - ], - }, - ]; - - const commonFields = [ - { - field: filePathDefault, - operator: 'included', - type: 'match', - value: filePath ?? '', - }, - { - field: 'file.hash.sha256', - operator: 'included', - type: 'match', - value: sha256Hash ?? '', - }, - { - field: 'event.code', - operator: 'included', - type: 'match', - value: eventCode ?? '', - }, - ]; - - const entriesToAdd = () => { - if (isLinux) { - return commonFields; + { + field: 'event.code', + operator: 'included', + type: 'match', + value: eventCode ?? '', + }, + ]); } else { - return [...codeSignatureFields, ...commonFields]; + return addIdToEntries([ + { + field: 'file.Ext.code_signature', + type: 'nested', + entries: [ + { + field: 'subject_name', + operator: 'included', + type: 'match', + value: codeSignature != null ? codeSignature.subjectName : '', + }, + { + field: 'trusted', + operator: 'included', + type: 'match', + value: codeSignature != null ? codeSignature.trusted : '', + }, + ], + }, + { + field: 'file.path.caseless', + operator: 'included', + type: 'match', + value: filePath ?? '', + }, + { + field: 'file.hash.sha256', + operator: 'included', + type: 'match', + value: sha256Hash ?? 
'', + }, + { + field: 'event.code', + operator: 'included', + type: 'match', + value: eventCode ?? '', + }, + ]); } }; return { ...getNewExceptionItem({ listId, namespaceType: listNamespace, ruleName }), - entries: addIdToEntries(entriesToAdd()), + entries: entriesToAdd(), }; }; From 680c2f1946ed2ab7994939471699703c4ccc1742 Mon Sep 17 00:00:00 2001 From: kevinlog Date: Thu, 24 Jun 2021 17:11:07 -0400 Subject: [PATCH 5/6] consolidate common fields --- .../common/components/exceptions/helpers.tsx | 65 ++++++++----------- 1 file changed, 27 insertions(+), 38 deletions(-) diff --git a/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx b/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx index 371f40f6a9293..d977080c57f5a 100644 --- a/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx +++ b/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx 
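Review bot: `entriesToAdd` is a zero-argument closure that is defined and then invoked exactly once, in `entries: entriesToAdd()`, which adds indirection without any reuse; `const entries = isLinux ? addIdToEntries([...linux entries]) : addIdToEntries([...windows/mac entries]);` followed by `entries,` in the returned object reads more directly and keeps both `addIdToEntries` calls at the same level. A one-line comment at the branch, e.g. `// Linux file events carry no code signature and no caseless path field`, would also record why the Linux list is shorter. The function's parameters and the `file`/`host` destructuring sit above the hunk.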
@@ -370,28 +370,34 @@ export const getPrepopulatedEndpointException = ({ const sha256Hash = file?.hash?.sha256 ?? ''; const isLinux = host?.os?.name === 'Linux'; + const commonFields: Array<{ + field: string; + operator: 'excluded' | 'included'; + type: 'match'; + value: string; + }> = [ + { + field: isLinux ? 'file.path' : 'file.path.caseless', + operator: 'included', + type: 'match', + value: filePath ?? '', + }, + { + field: 'file.hash.sha256', + operator: 'included', + type: 'match', + value: sha256Hash ?? '', + }, + { + field: 'event.code', + operator: 'included', + type: 'match', + value: eventCode ?? '', + }, + ]; const entriesToAdd = () => { if (isLinux) { - return addIdToEntries([ - { - field: 'file.path', - operator: 'included', - type: 'match', - value: filePath ?? '', - }, - { - field: 'file.hash.sha256', - operator: 'included', - type: 'match', - value: sha256Hash ?? '', - }, - { - field: 'event.code', - operator: 'included', - type: 'match', - value: eventCode ?? '', - }, - ]); + return addIdToEntries(commonFields); } else { return addIdToEntries([ { @@ -412,24 +418,7 @@ export const getPrepopulatedEndpointException = ({ }, ], }, - { - field: 'file.path.caseless', - operator: 'included', - type: 'match', - value: filePath ?? '', - }, - { - field: 'file.hash.sha256', - operator: 'included', - type: 'match', - value: sha256Hash ?? '', - }, - { - field: 'event.code', - operator: 'included', - type: 'match', - value: eventCode ?? '', - }, + ...commonFields, ]); } }; From ffe599fbf572afde9c9a45e606c1efb503408ab6 Mon Sep 17 00:00:00 2001 From: kevinlog Date: Thu, 24 Jun 2021 17:51:43 -0400 Subject: [PATCH 6/6] PR comments --- .../public/common/components/exceptions/helpers.tsx | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx b/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx index d977080c57f5a..bfb5c7298f330 100644 
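Review bot: In `commonFields`, `value: filePath ?? ''` and `value: sha256Hash ?? ''` re-apply a default that has already been applied: `filePath` and `sha256Hash` are declared as `file?.path ?? ''` and `file?.hash?.sha256 ?? ''` directly above, so both are plain strings and the second `??` can never fire. `value: filePath,` and `value: sha256Hash,` express the same thing without suggesting the values may be nullish. The explicit element type also declares `operator: 'excluded' | 'included'` although only `'included'` is ever produced; if the wider type exists only to satisfy `addIdToEntries`, a short comment saying so, e.g. `// typed to the entry shape addIdToEntries accepts`, would stop a reader looking for where `'excluded'` comes from. The end of the enclosing function lies outside both hunks.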
--- a/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx +++ b/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx @@ -236,14 +236,10 @@ export const enrichExceptionItemsWithOS = ( export const retrieveAlertOsTypes = (alertData?: AlertData): OsTypeArray => { const osDefaults: OsTypeArray = ['windows', 'macos']; if (alertData != null) { - const osTypeBasedOnAgentType = (data: AlertData) => { - if (data.agent && data.agent.type === 'endpoint') { - return data.host?.os?.name?.toLowerCase(); - } else { - return data.host?.os?.family; - } - }; - const os = osTypeBasedOnAgentType(alertData); + const os = + alertData?.agent?.type === 'endpoint' + ? alertData.host?.os?.name?.toLowerCase() + : alertData.host?.os?.family; if (os != null) { return osType.is(os) ? [os] : osDefaults; }
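Review bot: The inlined ternary reads `alertData?.agent?.type` although `alertData` is already narrowed by the `if (alertData != null)` guard on the preceding line, while the other arm uses `alertData.host?.os?.family` without the `?.` on `alertData`; mixing the two forms on adjacent lines implies the first access is nullable when it is not. Use `alertData.agent?.type === 'endpoint'` so both arms rely on the same narrowing. Since the helper name that hinted at the reason (`osTypeBasedOnAgentType`) is gone, a comment above the ternary such as `// Endpoint alerts are keyed on host.os.name rather than host.os.family — see PR discussion` would preserve that context. `retrieveAlertOsTypes` returns past the end of the hunk.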