
[Security Solution][Endpoint Exceptions] Warning callout for incomplete code signature for endpoint exceptions #198245

Merged
merged 11 commits into from
Nov 12, 2024

Conversation

parkiino

@parkiino parkiino commented Oct 30, 2024

Summary

Navigate to Security Solution > Manage > Rules > Add Endpoint Exception

  • Warning callout shown in endpoint exceptions when code signature field is incomplete (i.e. process.code_signature.subject_name w/o process.code_signature.trusted or vice versa)
  • For mac operating systems, process.code_signature.team_id is also accepted as an equivalent to subject_name
  • Warning callout is also shown for nested entries for this code signature field: process.Ext.code_signature
  • Unit Tests

Screenshots

Subject name only -- warning is present
image

Trusted field only -- warning is present
image

Both subject name and trusted fields -- no warning is present
image
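The rule described in the summary (subject name or, on macOS, team ID must be paired with `trusted`, and nested `process.Ext.code_signature` entries are checked too), written out as an added example that is not Kibana's own code; the entry shape is a simplified assumption of the exception-list entry format, not the real type.

```typescript
// Added example, not part of the PR: finds incomplete code-signature conditions in
// an endpoint exception item. Entry shapes are a simplified assumption of the real format.
type MatchEntry = { field: string; type: 'match'; value: string };
type NestedEntry = { field: string; type: 'nested'; entries: MatchEntry[] };
type Entry = MatchEntry | NestedEntry;
type OsType = 'windows' | 'macos' | 'linux';

// The top-level and nested (Ext) code-signature field prefixes mentioned in the PR.
const CODE_SIGNATURE_PREFIXES = ['process.code_signature', 'process.Ext.code_signature'];

// Collects the leaf names (subject_name, trusted, team_id) present under one prefix,
// flattening nested entries to dotted paths so both entry shapes are handled alike.
function codeSignatureLeaves(entries: Entry[], prefix: string): Set<string> {
  const leaves = new Set<string>();
  for (const e of entries) {
    const paths = e.type === 'nested' ? e.entries.map((n) => `${e.field}.${n.field}`) : [e.field];
    for (const p of paths) {
      if (p.startsWith(`${prefix}.`)) leaves.add(p.slice(prefix.length + 1));
    }
  }
  return leaves;
}

// Returns the prefixes whose condition is partial: an identity (subject_name, or team_id
// on macOS only) without `trusted`, or `trusted` without an identity. A signer identity
// alone or a trusted flag alone is a weaker match than the pair, hence the warning.
function findPartialCodeSignatures(entries: Entry[], os: OsType): string[] {
  const partial: string[] = [];
  for (const prefix of CODE_SIGNATURE_PREFIXES) {
    const leaves = codeSignatureLeaves(entries, prefix);
    if (leaves.size === 0) continue; // no code-signature condition at all: nothing to flag
    const hasIdentity = leaves.has('subject_name') || (os === 'macos' && leaves.has('team_id'));
    const hasTrusted = leaves.has('trusted');
    if (hasIdentity !== hasTrusted) partial.push(prefix);
  }
  return partial;
}

// Constructed sample: subject name without `trusted` on Windows triggers the warning.
const sampleEntries: Entry[] = [
  { field: 'process.code_signature.subject_name', type: 'match', value: 'Example Corp' },
];
console.log(findPartialCodeSignatures(sampleEntries, 'windows')); // ['process.code_signature']
```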

@parkiino parkiino added release_note:skip Skip the PR/issue when compiling release notes backport:skip This commit does not require backporting Team:Defend Workflows “EDR Workflows” sub-team of Security Solution v8.17.0 labels Oct 30, 2024
@parkiino parkiino marked this pull request as ready for review October 30, 2024 21:39
@parkiino parkiino requested a review from a team as a code owner October 30, 2024 21:39
@parkiino parkiino requested a review from rylnd October 30, 2024 21:39
@elasticmachine

Pinging @elastic/security-defend-workflows (Team:Defend Workflows)

@parkiino parkiino requested review from a team, tomsonpl and paul-tavares and removed request for a team October 31, 2024 14:48

@paul-tavares paul-tavares left a comment


Left a suggestion re: tests for the reducer files changed, but am 👍

@@ -184,6 +190,13 @@ export const createExceptionItemsReducer =
wildcardWarningExists: warningExists,
};
}
case 'setPartialCodeSignature': {
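Review bot: the hunk header (`-184,6 +190,13`) shows seven lines added to `createExceptionItemsReducer`, but only the opening `case 'setPartialCodeSignature': {` is visible here, so the new branch's return value cannot be checked from this snippet. It should follow the branch just above it, which returns a copy of state with `wildcardWarningExists: warningExists,` set, rather than mutating `state`, and since nothing in the diff exercises it, a reducer unit test that dispatches the action for both the partial and the complete code-signature case would document the expected state transition.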

I suggest you add some tests for the reducer files you changed as well.


@tomsonpl tomsonpl left a comment


🚀

@parkiino parkiino enabled auto-merge (squash) November 12, 2024 05:24
@elasticmachine

💚 Build Succeeded

Metrics

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
securitySolution 13.4MB 13.4MB +717.0B



@rylnd rylnd left a comment


Changes LGTM, thanks!

@parkiino parkiino merged commit ce481f1 into elastic:main Nov 12, 2024
43 checks passed
@parkiino parkiino deleted the task/exceptions-warning branch November 12, 2024 19:31
tkajtoch pushed a commit to tkajtoch/kibana that referenced this pull request Nov 12, 2024
…te code signature for endpoint exceptions (elastic#198245)

## Summary

Navigate to Security Solution > Manage > Rules > Add Endpoint Exception

- [x] Warning callout shown in endpoint exceptions when code signature
field is incomplete (i.e. process.code_signature.subject_name w/o
process.code_signature.trusted or vice versa)
- [x] For mac operating systems, process.code_signature.team_id is also
accepted as an equivalent to subject_name
- [ ] Warning callout is also shown for nested entries for this code
signature field: process.Ext.code_signature
- [x] Unit Tests

# Screenshots
Subject name only -- warning is present

![image](https://github.com/user-attachments/assets/eccf4d49-a4b1-47fc-8c51-bddf4fd6664f)

Trusted field only -- warning is present

![image](https://github.com/user-attachments/assets/d3ba6716-e7d1-4709-a5b1-1e472964b6e3)


Both subject name and trusted fields -- no warning is present

![image](https://github.com/user-attachments/assets/11b179ff-278e-4ec6-a749-638f428215aa)
CAWilson94 pushed a commit to CAWilson94/kibana that referenced this pull request Nov 18, 2024
Labels
backport:skip This commit does not require backporting release_note:skip Skip the PR/issue when compiling release notes Team:Defend Workflows “EDR Workflows” sub-team of Security Solution v8.17.0 v9.0.0