From 79903ec27afab3b7542973e61f333f69b1c8d04f Mon Sep 17 00:00:00 2001 From: Candace Park <56409205+parkiino@users.noreply.github.com> Date: Fri, 4 Oct 2024 02:26:39 -0400 Subject: [PATCH] [Security Solution][Event Filters] Warning callout for incomplete code signature entries (#193749) ## Summary Navigate to Security Solution > Manage > Event Filters > Add Event Filter - [x] Warning callout shown when code signature field is incomplete (i.e. `process.code_signature.subject_name` w/o `process.code_signature.trusted` or vice versa) - [x] For mac operating systems, `process.code_signature.team_id` is also accepted as an equivalent to `subject_name` - [x] Warning callout is also shown for nested entries for this code signature field: `process.Ext.code_signature` - [x] Unit Tests # Screenshots ![image](https://github.com/user-attachments/assets/e77cffa7-8b60-4441-9319-aa9964224bb9) ![image](https://github.com/user-attachments/assets/6ec7c6a1-28e8-4f8e-a6aa-3e65b1e0ba1b) MAC ![image](https://github.com/user-attachments/assets/86354b92-d7e3-44f1-8719-d9791dcaf9cd) NESTED ![image](https://github.com/user-attachments/assets/1392d7b2-0b63-40b8-95be-8a5bfa2e0af1) Followup prs: need to address user being allowed to choose the nested field: `process.Ext.code_signature` for a non-nested entry, need to address what happens when a user chooses `false` instead of true for the `trusted` field option --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com> --- .../index.ts | 1 + .../partial_code_signature_callout/index.tsx | 34 ++++++ .../src/helpers/index.test.ts | 115 +++++++++++++++++- .../src/helpers/index.ts | 35 ++++++ .../event_filters/view/components/form.tsx | 11 +- 5 files changed, 194 insertions(+), 2 deletions(-) create mode 100644 packages/kbn-securitysolution-exception-list-components/src/partial_code_signature_callout/index.tsx diff --git a/packages/kbn-securitysolution-exception-list-components/index.ts b/packages/kbn-securitysolution-exception-list-components/index.ts index 5811612d8a3a4..0e11a4694384d 100644 --- a/packages/kbn-securitysolution-exception-list-components/index.ts +++ b/packages/kbn-securitysolution-exception-list-components/index.ts @@ -19,3 +19,4 @@ export * from './src/list_header'; export * from './src/header_menu'; export * from './src/generate_linked_rules_menu_item'; export * from './src/wildcard_with_wrong_operator_callout'; +export * from './src/partial_code_signature_callout'; diff --git a/packages/kbn-securitysolution-exception-list-components/src/partial_code_signature_callout/index.tsx b/packages/kbn-securitysolution-exception-list-components/src/partial_code_signature_callout/index.tsx new file mode 100644 index 0000000000000..72836fc78fb55 --- /dev/null +++ b/packages/kbn-securitysolution-exception-list-components/src/partial_code_signature_callout/index.tsx @@ -0,0 +1,34 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the "Elastic License + * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side + * Public License v 1"; you may not use this file except in compliance with, at + * your election, the "Elastic License 2.0", the "GNU Affero General Public + * License v3.0 only", or the "Server Side Public License, v 1". + */ + +import React from 'react'; +import { FormattedMessage } from '@kbn/i18n-react'; +import { i18n } from '@kbn/i18n'; + +import { EuiCallOut } from '@elastic/eui'; + +export const PartialCodeSignatureCallout = () => { + return ( + + + + ); +}; diff --git a/packages/kbn-securitysolution-list-utils/src/helpers/index.test.ts b/packages/kbn-securitysolution-list-utils/src/helpers/index.test.ts index 087b27f136591..fffcabbf41575 100644 --- a/packages/kbn-securitysolution-list-utils/src/helpers/index.test.ts +++ b/packages/kbn-securitysolution-list-utils/src/helpers/index.test.ts @@ -7,7 +7,12 @@ * License v3.0 only", or the "Server Side Public License, v 1". */ -import { getMappingConflictsInfo, fieldSupportsMatches, hasWrongOperatorWithWildcard } from '.'; +import { + getMappingConflictsInfo, + fieldSupportsMatches, + hasWrongOperatorWithWildcard, + hasPartialCodeSignatureEntry, +} from '.'; describe('Helpers', () => { describe('getMappingConflictsInfo', () => { @@ -261,4 +266,112 @@ describe('Helpers', () => { ).toBeTruthy(); }); }); + + describe('hasPartialCodeSignatureEntry', () => { + it('returns false if the entry has neither code signature subject name nor trusted field', () => { + expect( + hasPartialCodeSignatureEntry([ + { + description: '', + name: '', + type: 'simple', + os_types: ['windows'], + entries: [{ type: 'match', value: 'asdf', field: 'someField', operator: 'excluded' }], + }, + ]) + ).toBeFalsy(); + }); + it('returns true if the entry has code signature subject name but not trusted field', () => { + expect( + hasPartialCodeSignatureEntry([ + { + description: '', + name: '', + type: 'simple', + os_types: ['windows'], + entries: [ + { + type: 'match', + value: 'asdf', + field: 'process.code_signature.subject_name', + operator: 'excluded', + }, + ], + }, + ]) + ).toBeTruthy(); + }); + it('returns true if the entry has code signature trusted but not the subject name field', () => { + expect( + hasPartialCodeSignatureEntry([ + { + description: '', + name: '', + type: 'simple', + os_types: ['windows'], + entries: [ + { + type: 'match', + value: 'asdf', + field: 'process.code_signature.trusted', + operator: 'excluded', + }, + ], + }, + ]) + ).toBeTruthy(); + }); + it('returns false if the entry has both code signature subject name and trusted field', () => { + expect( + hasPartialCodeSignatureEntry([ + { + description: '', + name: '', + type: 'simple', + os_types: ['windows'], + entries: [ + { + type: 'match', + value: 'asdf', + field: 'process.code_signature.subject_name', + operator: 'excluded', + }, + { + type: 'match', + value: 'true', + field: 'process.code_signature.trusted', + operator: 'excluded', + }, + ], + }, + ]) + ).toBeFalsy(); + }); + it('returns false if the entry has both code signature team_id and trusted fields for mac os', () => { + expect( + hasPartialCodeSignatureEntry([ + { + description: '', + name: '', + type: 'simple', + os_types: ['macos'], + entries: [ + { + type: 'match', + value: 'asdf', + field: 'process.code_signature.team_id', + operator: 'excluded', + }, + { + type: 'match', + value: 'true', + field: 'process.code_signature.trusted', + operator: 'excluded', + }, + ], + }, + ]) + ).toBeFalsy(); + }); + }); }); diff --git a/packages/kbn-securitysolution-list-utils/src/helpers/index.ts b/packages/kbn-securitysolution-list-utils/src/helpers/index.ts index a625d694961ab..8031cfba14f2d 100644 --- a/packages/kbn-securitysolution-list-utils/src/helpers/index.ts +++ b/packages/kbn-securitysolution-list-utils/src/helpers/index.ts @@ -1052,3 +1052,38 @@ export const hasWrongOperatorWithWildcard = ( } }); }; + +/** + * Event filters helper where given an exceptions list, + * determine if both 'subject_name' and 'trusted' are + * included in an entry with 'code_signature' + */ +export const hasPartialCodeSignatureEntry = ( + items: ExceptionsBuilderReturnExceptionItem[] +): boolean => { + const { os_types: os = ['windows'], entries = [] } = items[0] || {}; + let name = false; + let trusted = false; + + for (const e of entries) { + if (e.type === 'nested' && e.field === 'process.Ext.code_signature') { + const includesNestedName = e.entries.some( + (nestedEntry) => nestedEntry.field === 'subject_name' + ); + const includesNestedTrusted = e.entries.some( + (nestedEntry) => nestedEntry.field === 'trusted' + ); + if (includesNestedName !== includesNestedTrusted) { + return true; + } + } else if ( + e.field === 'process.code_signature.subject_name' || + (os.includes('macos') && e.field === 'process.code_signature.team_id') + ) { + name = true; + } else if (e.field === 'process.code_signature.trusted') { + trusted = true; + } + } + return name !== trusted; +}; diff --git a/x-pack/plugins/security_solution/public/management/pages/event_filters/view/components/form.tsx b/x-pack/plugins/security_solution/public/management/pages/event_filters/view/components/form.tsx index 173645eae203e..783fda9a806b2 100644 --- a/x-pack/plugins/security_solution/public/management/pages/event_filters/view/components/form.tsx +++ b/x-pack/plugins/security_solution/public/management/pages/event_filters/view/components/form.tsx @@ -30,8 +30,12 @@ import type { ExceptionListItemSchema } from '@kbn/securitysolution-io-ts-list-t import { EVENT_FILTERS_OPERATORS, hasWrongOperatorWithWildcard, + hasPartialCodeSignatureEntry, } from '@kbn/securitysolution-list-utils'; -import { WildCardWithWrongOperatorCallout } from '@kbn/securitysolution-exception-list-components'; +import { + WildCardWithWrongOperatorCallout, + PartialCodeSignatureCallout, +} from '@kbn/securitysolution-exception-list-components'; import { OperatingSystem } from '@kbn/securitysolution-utils'; import { getExceptionBuilderComponentLazy } from '@kbn/lists-plugin/public'; @@ -171,6 +175,9 @@ export const EventFiltersForm: React.FC(false); + // This value has to be memoized to avoid infinite useEffect loop on useFetchIndex const indexNames = useMemo(() => [eventsIndexPattern], []); const [isIndexPatternLoading, { indexPatterns }] = useFetchIndex( @@ -563,6 +570,7 @@ export const EventFiltersForm: React.FC = arg.exceptionItems[0] !== undefined @@ -725,6 +733,7 @@ export const EventFiltersForm: React.FC {criteriaSection} {hasWildcardWithWrongOperator && } + {hasPartialCodeSignatureWarning && } {hasDuplicateFields && ( <>