
[EDR Workflows][Process descendants filter] Transform event filter entry for filtering process descendant #187141

@gergoabraham gergoabraham commented Jun 28, 2024

Summary

This PR adds logic to the server-side artifact logic, in order to transform Event Filter entries to the expected format if process descendant filtering is enabled.

Conditions:

  • feature flag is enabled: xpack.securitySolution.enableExperimental.filterProcessDescendantsForEventFiltersEnabled
  • amongst the tags, there is the filter_process_descendants tag

Output: the output contains a new operator called descendent_of, with all the original entries listed as the operator's values, plus one additional entry: event.category is process.

Example input entry (only relevant fields):

{
  "entries": [
    {
      "field": "process.args",
      "operator": "included",
      "type": "match",
      "value": "IGNOREMYCHILDREN"
    }
  ],
  "tags": [
    "filter_process_descendants"
  ]
}

Example output entry (note: the operator is spelled descendEnt_of to harmonise with the endpoint implementation):

{
  "entries": [
    {
      "type": "simple",
      "entries": [
        {
          "operator": "included",
          "type": "descendent_of",
          "value": {
            "entries": [
              {
                "type": "simple",
                "entries": [
                  {
                    "field": "process.args",
                    "operator": "included",
                    "type": "exact_cased",
                    "value": "IGNOREMYCHILDREN"
                  },
                  {
                    "field": "event.category",
                    "operator": "included",
                    "type": "exact_cased",
                    "value": "process"
                  }
                ]
              }
            ]
          }
        }
      ]
    }
  ]
}
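The transform described above, written out as a stand-alone TypeScript function. This is an added example, not Kibana's own code: the type names, the featureFlagEnabled parameter, and the assumption that "match" becoming "exact_cased" is the only type translation needed are all illustrative.

```typescript
// Added example, not Kibana's code: builds the descendent_of form the PR describes.
// Type names and the featureFlagEnabled argument are assumptions for illustration.
type Entry = { field: string; operator: 'included' | 'excluded'; type: string; value: string };
type SimpleEntry = { type: 'simple'; entries: Entry[] };
type DescendantEntry = { operator: 'included'; type: 'descendent_of'; value: { entries: SimpleEntry[] } };
type Item = { entries: Entry[]; tags?: string[] };
type TranslatedItem = { entries: Array<Entry | { type: 'simple'; entries: DescendantEntry[] }> };

const PROCESS_DESCENDANT_TAG = 'filter_process_descendants';

// The page only shows 'match' becoming 'exact_cased'; other types pass through (assumption).
function translateType(type: string): string {
  return type === 'match' ? 'exact_cased' : type;
}

function translateEntries(entries: Entry[]): Entry[] {
  return entries.map((e) => ({ ...e, type: translateType(e.type) }));
}

// Wrap the original entries in a descendent_of operator and add event.category: process,
// but only when the feature flag is on AND the item carries the descendant tag.
function transformItem(item: Item, featureFlagEnabled: boolean): TranslatedItem {
  const hasTag = (item.tags || []).indexOf(PROCESS_DESCENDANT_TAG) !== -1;
  if (!featureFlagEnabled || !hasTag) {
    return { entries: translateEntries(item.entries) };
  }
  const descendant: DescendantEntry = {
    operator: 'included',
    type: 'descendent_of',
    value: {
      entries: [{
        type: 'simple',
        entries: [
          ...translateEntries(item.entries),
          { field: 'event.category', operator: 'included', type: 'exact_cased', value: 'process' },
        ],
      }],
    },
  };
  return { entries: [{ type: 'simple', entries: [descendant] }] };
}

// Constructed sample mirroring the PR's example input.
const sampleItem: Item = {
  entries: [{ field: 'process.args', operator: 'included', type: 'match', value: 'IGNOREMYCHILDREN' }],
  tags: [PROCESS_DESCENDANT_TAG],
};
```

Calling transformItem(sampleItem, true) yields the nested output shown above, while a missing tag or a disabled flag leaves the entries flat.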

e2e testing

  • spin up Kibana with the FF enabled
  • spin up a v15-snapshot Agent with Endpoint integration on VM, enroll it
  • create an Event Filter with the following setup, where 'Process descendants' is selected and process.args is IGNOREMYCHILDREN:
  • create a test.sh on your VM with the following content:
#!/bin/sh
# $1: remaining recursion depth; $2: marker that ends up in process.args of every process
echo "Creating file test_file_$1.tmp"
touch "test_file_$1.tmp"

# recursively call the original script
if [ "$1" -ge 1 ]
then
	sh test.sh $(( $1 - 1 )) "$2"
fi

(alternatively you can use the python script from the endpoint tests, https://github.com/elastic/endpoint-dev/blob/790c611325998c6ef8578144844d9260b8f73044/Python/endpoint/test/test_event_filtering.py#L439-L450)

  • run the script sh test.sh 6 DO_NOT_IGNOREMYCHILDREN
  • go to Security -> Explore -> Hosts to see the reported events
  • I added some filters to easily see the events
  • you should see that all events are there
  • now try with sh test.sh 9 IGNOREMYCHILDREN
  • now only the events of the top process are visible, the events from descendants are not


@gergoabraham gergoabraham added labels release_note:skip (Skip the PR/issue when compiling release notes), backport:skip (This commit does not require backporting), Team:Defend Workflows (“EDR Workflows” sub-team of Security Solution) on Jun 28, 2024
@gergoabraham gergoabraham self-assigned this Jun 28, 2024
@gergoabraham

/ci

@gergoabraham gergoabraham changed the title [EDR Workflows][Process descendants filter] Transform manifests for process descendant event filter [EDR Workflows][Process descendants filter] Transform event filter entry for filtering process descendant Jun 28, 2024
@gergoabraham gergoabraham marked this pull request as ready for review June 28, 2024 15:19
@gergoabraham gergoabraham requested a review from a team as a code owner June 28, 2024 15:19
@elasticmachine

Pinging @elastic/security-defend-workflows (Team:Defend Workflows)

@gergoabraham

@elasticmachine merge upstream


@tomsonpl tomsonpl left a comment


lgtm 👍


@ashokaditya ashokaditya left a comment


Checked it out and works as advertised. I verified the artifact entry and that the events were generated and reported correctly.

Screenshots (2024-07-01): simple event filter, artifact, event details, nested filter, nested artifact.

): TranslatedExceptionListItem[] {
const entrySet = new Set();
const entriesFiltered: TranslatedExceptionListItem[] = [];
const deduplicatedItems: TranslatedExceptionListItem[] = [];
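Review bot: entrySet on the second line of this snippet is created with new Set() and no element type, so it is inferred as Set<unknown> and will silently accept any key type in add/has; give it an explicit type parameter matching the key that is later added to it so a mismatched key fails at compile time rather than quietly defeating the deduplication.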

nit: naming

Suggested change
const deduplicatedItems: TranslatedExceptionListItem[] = [];
const uniqueItems: TranslatedExceptionListItem[] = [];


): TranslatedExceptionListItem[] {
const entrySet = new Set();
const entriesFiltered: TranslatedExceptionListItem[] = [];
const deduplicatedItems: TranslatedExceptionListItem[] = [];
const storeDeduplicatedItem = (item: TranslatedExceptionListItem) => {

nit: naming

Suggested change
const storeDeduplicatedItem = (item: TranslatedExceptionListItem) => {
const storeUniqueItem = (item: TranslatedExceptionListItem) => {


@gergoabraham gergoabraham enabled auto-merge (squash) July 1, 2024 20:43
@gergoabraham gergoabraham merged commit c209f34 into elastic:main Jul 1, 2024
38 checks passed
@kibana-ci

💛 Build succeeded, but was flaky

Metrics [docs]

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id                before    after     diff
securitySolution  15.6MB    15.5MB    -4.6KB


Labels
8.15 candidate, backport:skip (This commit does not require backporting), release_note:skip (Skip the PR/issue when compiling release notes), Team:Defend Workflows (“EDR Workflows” sub-team of Security Solution), v8.15.0