[Security Solution][Event Filters] Warning callout for incomplete code signature entries #193749
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
parkiino
added
release_note:skip
|
Pinging @elastic/security-defend-workflows (Team:Defend Workflows) |
…ana into task/code-signature-warning
Comment on lines
1070
to
1089
| items[0]?.entries.forEach((e) => { | ||
| if (e.type === 'nested' && e.field === 'process.Ext.code_signature') { | ||
| e.entries.forEach((n) => { | ||
| if (n.field === 'subject_name') { | ||
| nestedName = true; | ||
| } else if (n.field === 'trusted') { | ||
| nestedTrusted = true; | ||
| } | ||
| }); | ||
| } else if ( | ||
| e.field === 'process.code_signature.subject_name' || | ||
| (os.includes('macos') && e.field === 'process.code_signature.team_id') | ||
| ) { | ||
| name = true; | ||
| } else if (e.field === 'process.code_signature.trusted') { | ||
| trusted = true; | ||
| } | ||
| }); | ||
| return name !== trusted || nestedName !== nestedTrusted; | ||
| }; |
There was a problem hiding this comment.
I’d recommend simplifying the code to avoid nested iterations. Consider using a single for loop with early returns. Here’s a rough pseudocode example
for (e of entries) {
if (e.type === 'nested' && e.field === 'process.Ext.code_signature) {
const includesNestedName = e.entries.some(entry => entry.field === 'subject_name')
const includesNestedTrusted = e.entries.some(entry => entry.field === 'trusted')
if (includesNestedName !== includesNestedTrusted) {
return true // Mismatch found, no need to continue
} else {
if (e.field === 'process.code_signature.subject_name' ||
(os.includes('macos') && e.field === 'process.code_signature.team_id')
) {
name = true;
} if (e.field === 'process.code_signature.trusted') {
trusted = true;
}
if (name !== trusted) {
return true; // Mismatch found in outer entries
}
return false; // No mismatch
}
There was a problem hiding this comment.
To avoid ? and checks for os you can go with
const { os_types = ['windows'], entries = [] } = items[0] || {};
if items[0] is undefined then it will default to os_types = ['windows'] and empty entries, otherwise it will be overwritten with what items[0].os_types and .entries carries.
There was a problem hiding this comment.
I'm wondering if either code block (including the suggestion) here is going to make sense in 3 months? Can we break it down into smaller chunks of contextual logic? Something like
isNestedTrustedEntry();
isNestedNameEntry();
isNameEntry();
isTrustedEntry();and use that to compose a boolean statement?
If you do decide to break them into chunks, perhaps it would be a good idea to write unit tests for those so that we understand what that logic does.
There was a problem hiding this comment.
Good idea @ashokaditya!
There was a problem hiding this comment.
Hi, I tried to incorporate some of your logic for the single for loop with early returns. I could only do it for the nested condition however because the name and trusted fields need to be checked in all the entries.
| size="s" | ||
| data-test-subj="partialCodeSignatureCallout" | ||
| > | ||
| <p> |
There was a problem hiding this comment.
Nit: I believe you can pass the tagName="p" prop to <FormattedMessage />, and it will render the message inside a
tag.
vitaliidm
reviewed
Sep 25, 2024
| ]) | ||
| ).toBeFalsy(); | ||
| }); | ||
| it('returns true if the entry has code signature subject name but not trusted field or vice versa', () => { |
There was a problem hiding this comment.
I think it would be better to split into 2 tests
| ]) | ||
| ).toBeTruthy(); | ||
| }); | ||
| it('returns false if the entry has both code signature subject, or team id for mac, name and trusted field or vice versa', () => { |
There was a problem hiding this comment.
let's split it into 2 cases for better maintainability and readability
ashokaditya
approved these changes
Oct 1, 2024
Comment on lines
1070
to
1089
| items[0]?.entries.forEach((e) => { | ||
| if (e.type === 'nested' && e.field === 'process.Ext.code_signature') { | ||
| e.entries.forEach((n) => { | ||
| if (n.field === 'subject_name') { | ||
| nestedName = true; | ||
| } else if (n.field === 'trusted') { | ||
| nestedTrusted = true; | ||
| } | ||
| }); | ||
| } else if ( | ||
| e.field === 'process.code_signature.subject_name' || | ||
| (os.includes('macos') && e.field === 'process.code_signature.team_id') | ||
| ) { | ||
| name = true; | ||
| } else if (e.field === 'process.code_signature.trusted') { | ||
| trusted = true; | ||
| } | ||
| }); | ||
| return name !== trusted || nestedName !== nestedTrusted; | ||
| }; |
There was a problem hiding this comment.
I'm wondering if either code block (including the suggestion) here is going to make sense in 3 months? Can we break it down into smaller chunks of contextual logic? Something like
isNestedTrustedEntry();
isNestedNameEntry();
isNameEntry();
isTrustedEntry();and use that to compose a boolean statement?
If you do decide to break them into chunks, perhaps it would be a good idea to write unit tests for those so that we understand what that logic does.
szwarckonrad
approved these changes
Oct 3, 2024
vitaliidm
reviewed
Oct 3, 2024
There was a problem hiding this comment.
Thank you for addressing comments on tests.
One question, I still have is regarding other signature fields - #193749 (review)
Hi @vitaliidm so technically that field is a |
vitaliidm
approved these changes
Oct 3, 2024
💚 Build Succeeded
Metrics [docs]Module Count
Public APIs missing comments
Async chunks
Unknown metric groupsAPI count
History
To update your PR or re-run it, just comment with: |
animehart
added
backport:prev-minor
|
Starting backport for target branches: 8.x https://github.com/elastic/kibana/actions/runs/11211353751 |
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Oct 7, 2024
…e signature entries (elastic#193749) ## Summary Navigate to Security Solution > Manage > Event Filters > Add Event Filter - [x] Warning callout shown when code signature field is incomplete (i.e. `process.code_signature.subject_name` w/o `process.code_signature.trusted` or vice versa) - [x] For mac operating systems, `process.code_signature.team_id` is also accepted as an equivalent to `subject_name` - [x] Warning callout is also shown for nested entries for this code signature field: `process.Ext.code_signature` - [x] Unit Tests # Screenshots   MAC  NESTED  Followup prs: need to address user being allowed to choose the nested field: `process.Ext.code_signature` for a non-nested entry, need to address what happens when a user chooses `false` instead of true for the `trusted` field option --------- Co-authored-by: kibanamachine <[email protected]> (cherry picked from commit 61c9137)
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
kibanamachine
added a commit
that referenced
this pull request
Oct 7, 2024
…te code signature entries (#193749) (#195184) # Backport This will backport the following commits from `main` to `8.x`: - [[Security Solution][Event Filters] Warning callout for incomplete code signature entries (#193749)](#193749) <!--- Backport version: 9.4.3 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Candace Park","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-10-04T06:26:39Z","message":"[Security Solution][Event Filters] Warning callout for incomplete code signature entries (#193749)\n\n## Summary\r\nNavigate to Security Solution > Manage > Event Filters > Add Event\r\nFilter\r\n\r\n- [x] Warning callout shown when code signature field is incomplete\r\n(i.e. `process.code_signature.subject_name` w/o\r\n`process.code_signature.trusted` or vice versa)\r\n- [x] For mac operating systems, `process.code_signature.team_id` is\r\nalso accepted as an equivalent to `subject_name`\r\n- [x] Warning callout is also shown for nested entries for this code\r\nsignature field: `process.Ext.code_signature`\r\n- [x] Unit Tests\r\n\r\n# Screenshots\r\n\r\n\r\n\r\n\r\n\r\nMAC\r\n\r\n\r\n\r\nNESTED\r\n\r\n\r\n\r\nFollowup prs: need to address user being allowed to choose the nested\r\nfield: `process.Ext.code_signature` for a non-nested entry, need to\r\naddress what happens when a user chooses `false` instead of true for the\r\n`trusted` field option\r\n\r\n---------\r\n\r\nCo-authored-by: kibanamachine <[email protected]>","sha":"61c9137a1eeb1548e1878110194abc173fe64724","branchLabelMapping":{"^v9.0.0$":"main","^v8.16.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","v9.0.0","Team:Defend Workflows","backport:prev-minor","v8.16.0"],"title":"[Security Solution][Event Filters] Warning callout for incomplete code signature entries","number":193749,"url":"https://github.com/elastic/kibana/pull/193749","mergeCommit":{"message":"[Security Solution][Event Filters] Warning callout for incomplete code signature entries (#193749)\n\n## Summary\r\nNavigate to Security Solution > Manage > Event Filters > Add Event\r\nFilter\r\n\r\n- [x] Warning callout shown when code signature field is incomplete\r\n(i.e. `process.code_signature.subject_name` w/o\r\n`process.code_signature.trusted` or vice versa)\r\n- [x] For mac operating systems, `process.code_signature.team_id` is\r\nalso accepted as an equivalent to `subject_name`\r\n- [x] Warning callout is also shown for nested entries for this code\r\nsignature field: `process.Ext.code_signature`\r\n- [x] Unit Tests\r\n\r\n# Screenshots\r\n\r\n\r\n\r\n\r\n\r\nMAC\r\n\r\n\r\n\r\nNESTED\r\n\r\n\r\n\r\nFollowup prs: need to address user being allowed to choose the nested\r\nfield: `process.Ext.code_signature` for a non-nested entry, need to\r\naddress what happens when a user chooses `false` instead of true for the\r\n`trusted` field option\r\n\r\n---------\r\n\r\nCo-authored-by: kibanamachine <[email protected]>","sha":"61c9137a1eeb1548e1878110194abc173fe64724"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/193749","number":193749,"mergeCommit":{"message":"[Security Solution][Event Filters] Warning callout for incomplete code signature entries (#193749)\n\n## Summary\r\nNavigate to Security Solution > Manage > Event Filters > Add Event\r\nFilter\r\n\r\n- [x] Warning callout shown when code signature field is incomplete\r\n(i.e. `process.code_signature.subject_name` w/o\r\n`process.code_signature.trusted` or vice versa)\r\n- [x] For mac operating systems, `process.code_signature.team_id` is\r\nalso accepted as an equivalent to `subject_name`\r\n- [x] Warning callout is also shown for nested entries for this code\r\nsignature field: `process.Ext.code_signature`\r\n- [x] Unit Tests\r\n\r\n# Screenshots\r\n\r\n\r\n\r\n\r\n\r\nMAC\r\n\r\n\r\n\r\nNESTED\r\n\r\n\r\n\r\nFollowup prs: need to address user being allowed to choose the nested\r\nfield: `process.Ext.code_signature` for a non-nested entry, need to\r\naddress what happens when a user chooses `false` instead of true for the\r\n`trusted` field option\r\n\r\n---------\r\n\r\nCo-authored-by: kibanamachine <[email protected]>","sha":"61c9137a1eeb1548e1878110194abc173fe64724"}},{"branch":"8.x","label":"v8.16.0","branchLabelMappingKey":"^v8.16.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Candace Park <[email protected]>
tiansivive
pushed a commit
to tiansivive/kibana
that referenced
this pull request
Oct 7, 2024
…e signature entries (elastic#193749) ## Summary Navigate to Security Solution > Manage > Event Filters > Add Event Filter - [x] Warning callout shown when code signature field is incomplete (i.e. `process.code_signature.subject_name` w/o `process.code_signature.trusted` or vice versa) - [x] For mac operating systems, `process.code_signature.team_id` is also accepted as an equivalent to `subject_name` - [x] Warning callout is also shown for nested entries for this code signature field: `process.Ext.code_signature` - [x] Unit Tests # Screenshots   MAC  NESTED  Followup prs: need to address user being allowed to choose the nested field: `process.Ext.code_signature` for a non-nested entry, need to address what happens when a user chooses `false` instead of true for the `trusted` field option --------- Co-authored-by: kibanamachine <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Navigate to Security Solution > Manage > Event Filters > Add Event Filter
process.code_signature.subject_namew/oprocess.code_signature.trustedor vice versa)process.code_signature.team_idis also accepted as an equivalent tosubject_nameprocess.Ext.code_signaturePaired PR for endpoint exceptions: #198245
Screenshots
MAC
NESTED
Followup prs: need to address user being allowed to choose the nested field:
process.Ext.code_signaturefor a non-nested entry, need to address what happens when a user choosesfalseinstead of true for thetrustedfield option