[Security Solution] Correct linux OS lookup for Endpoint Exceptions (e…
kevinlog authored and kibanamachine committed Jun 25, 2021
1 parent 00c2047 commit 4a802a8
Showing 4 changed files with 76 additions and 72 deletions.
@@ -1,19 +1,11 @@
[
"Endpoint.policy.applied.id",
"Target.process.Ext.code_signature.status",
"Target.process.Ext.code_signature.subject_name",
"Target.process.Ext.code_signature.trusted",
"Target.process.Ext.code_signature.valid",
"Target.process.Ext.services",
"Target.process.Ext.user",
"Target.process.hash.md5",
"Target.process.hash.sha1",
"Target.process.hash.sha256",
"Target.process.hash.sha512",
"Target.process.parent.Ext.code_signature.status",
"Target.process.parent.Ext.code_signature.subject_name",
"Target.process.parent.Ext.code_signature.trusted",
"Target.process.parent.Ext.code_signature.valid",
"Target.process.parent.hash.md5",
"Target.process.parent.hash.sha1",
"Target.process.parent.hash.sha256",
Expand All @@ -38,10 +30,6 @@
"event.outcome",
"event.provider",
"event.type",
"file.Ext.code_signature.status",
"file.Ext.code_signature.subject_name",
"file.Ext.code_signature.trusted",
"file.Ext.code_signature.valid",
"file.attributes",
"file.device",
"file.directory",
Expand Down Expand Up @@ -78,20 +66,12 @@
"host.os.platform",
"host.os.version",
"host.type",
"process.Ext.code_signature.status",
"process.Ext.code_signature.subject_name",
"process.Ext.code_signature.trusted",
"process.Ext.code_signature.valid",
"process.Ext.services",
"process.Ext.user",
"process.hash.md5",
"process.hash.sha1",
"process.hash.sha256",
"process.hash.sha512",
"process.parent.Ext.code_signature.status",
"process.parent.Ext.code_signature.subject_name",
"process.parent.Ext.code_signature.trusted",
"process.parent.Ext.code_signature.valid",
"process.parent.hash.md5",
"process.parent.hash.sha1",
"process.parent.hash.sha256",
Expand Up @@ -18,5 +18,21 @@
"process.parent.executable.caseless",
"process.parent.name.caseless",
"process.parent.working_directory.caseless",
"process.working_directory.caseless"
"process.working_directory.caseless",
"Target.process.Ext.code_signature.status",
"Target.process.Ext.code_signature.subject_name",
"Target.process.Ext.code_signature.trusted",
"Target.process.Ext.code_signature.valid",
"Target.process.parent.Ext.code_signature.status",
"Target.process.parent.Ext.code_signature.subject_name",
"Target.process.parent.Ext.code_signature.trusted",
"Target.process.parent.Ext.code_signature.valid",
"file.Ext.code_signature.status",
"file.Ext.code_signature.subject_name",
"file.Ext.code_signature.trusted",
"file.Ext.code_signature.valid",
"process.parent.Ext.code_signature.status",
"process.parent.Ext.code_signature.subject_name",
"process.parent.Ext.code_signature.trusted",
"process.parent.Ext.code_signature.valid"
]
Expand Up @@ -87,17 +87,6 @@ const mockLinuxEndpointFields = [
aggregatable: false,
readFromDocValues: false,
},
{
name: 'file.Ext.code_signature.status',
type: 'string',
esTypes: ['text'],
count: 0,
scripted: false,
searchable: true,
aggregatable: false,
readFromDocValues: false,
subType: { nested: { path: 'file.Ext.code_signature' } },
},
];

export const getEndpointField = (name: string) =>
Expand Up @@ -236,7 +236,10 @@ export const enrichExceptionItemsWithOS = (
export const retrieveAlertOsTypes = (alertData?: AlertData): OsTypeArray => {
const osDefaults: OsTypeArray = ['windows', 'macos'];
if (alertData != null) {
const os = alertData.host && alertData.host.os && alertData.host.os.family;
const os =
alertData?.agent?.type === 'endpoint'
? alertData.host?.os?.name?.toLowerCase()
: alertData.host?.os?.family;
if (os != null) {
return osType.is(os) ? [os] : osDefaults;
}
Expand Down Expand Up @@ -361,48 +364,64 @@ export const getPrepopulatedEndpointException = ({
const { file, host } = alertEcsData;
const filePath = file?.path ?? '';
const sha256Hash = file?.hash?.sha256 ?? '';
const filePathDefault = host?.os?.family === 'linux' ? 'file.path' : 'file.path.caseless';
const isLinux = host?.os?.name === 'Linux';

const commonFields: Array<{
field: string;
operator: 'excluded' | 'included';
type: 'match';
value: string;
}> = [
{
field: isLinux ? 'file.path' : 'file.path.caseless',
operator: 'included',
type: 'match',
value: filePath ?? '',
},
{
field: 'file.hash.sha256',
operator: 'included',
type: 'match',
value: sha256Hash ?? '',
},
{
field: 'event.code',
operator: 'included',
type: 'match',
value: eventCode ?? '',
},
];
const entriesToAdd = () => {
if (isLinux) {
return addIdToEntries(commonFields);
} else {
return addIdToEntries([
{
field: 'file.Ext.code_signature',
type: 'nested',
entries: [
{
field: 'subject_name',
operator: 'included',
type: 'match',
value: codeSignature != null ? codeSignature.subjectName : '',
},
{
field: 'trusted',
operator: 'included',
type: 'match',
value: codeSignature != null ? codeSignature.trusted : '',
},
],
},
...commonFields,
]);
}
};

return {
...getNewExceptionItem({ listId, namespaceType: listNamespace, ruleName }),
entries: addIdToEntries([
{
field: 'file.Ext.code_signature',
type: 'nested',
entries: [
{
field: 'subject_name',
operator: 'included',
type: 'match',
value: codeSignature != null ? codeSignature.subjectName : '',
},
{
field: 'trusted',
operator: 'included',
type: 'match',
value: codeSignature != null ? codeSignature.trusted : '',
},
],
},
{
field: filePathDefault,
operator: 'included',
type: 'match',
value: filePath ?? '',
},
{
field: 'file.hash.sha256',
operator: 'included',
type: 'match',
value: sha256Hash ?? '',
},
{
field: 'event.code',
operator: 'included',
type: 'match',
value: eventCode ?? '',
},
]),
entries: entriesToAdd(),
};
};

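Review bot: In the second hunk `isLinux` compares `host?.os?.name` case-sensitively against the literal `'Linux'`, while `retrieveAlertOsTypes` in the first hunk lowercases the same field before comparing it for endpoint alerts, so the two lookups this commit introduces disagree on normalisation. A Linux endpoint whose `host.os.name` is not spelled exactly `Linux` would take the non-Linux branch and receive a `file.path.caseless` entry plus the nested `file.Ext.code_signature` entries, the field the third file removes from `mockLinuxEndpointFields`; whether such spellings actually occur is not visible here, so this may be purely defensive. Keeping both lookups in step is a one-line change: `const isLinux = host?.os?.name?.toLowerCase() === 'linux';`. Separately, `value: filePath ?? ''` and `value: sha256Hash ?? ''` inside `commonFields` are redundant because both locals are already defaulted to `''` at the top of the hunk. `getPrepopulatedEndpointException` begins before this hunk.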
