[Security Solution][Exceptions] Add lowercase normalized fields for case-insensitive matching #79

Merged
merged 13 commits into from
Oct 1, 2020
2 changes: 1 addition & 1 deletion Makefile
@@ -149,7 +149,7 @@ $(ROOT_DIR)/out:
build-package: $(ROOT_DIR)/out
rm -rf $(PACKAGES_DIR)
mkdir -p $(PACKAGES_DIR)/endpoint/$(PACKAGE_VERSION)
cp -r $(ROOT_DIR)/package/endpoint/ $(PACKAGES_DIR)/endpoint/$(PACKAGE_VERSION)
cp -r $(ROOT_DIR)/package/endpoint/* $(PACKAGES_DIR)/endpoint/$(PACKAGE_VERSION)
Collaborator

👍


# Use this target to run the package registry with your modifications to the endpoint package
.PHONY: run-registry
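Review bot: the new `cp -r $(ROOT_DIR)/package/endpoint/* ...` line relies on shell globbing, and `*` does not match dotfiles, so any hidden file under package/endpoint/ is silently left out of the built package; with an empty source directory the unexpanded glob also makes cp fail. `cp -r $(ROOT_DIR)/package/endpoint/. $(PACKAGES_DIR)/endpoint/$(PACKAGE_VERSION)` copies the directory contents, dotfiles included, and still avoids the extra `endpoint/` nesting that the old line produced when the destination already existed.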
16 changes: 16 additions & 0 deletions custom_schemas/custom_file.yml
@@ -11,6 +11,22 @@
File fields provide details about the affected file associated with the event or metric.
type: group
fields:
- name: path
multi_fields:
- name: caseless
type: keyword
normalizer: lowercase
- name: text
Collaborator

@jonathan-buttner jonathan-buttner Sep 21, 2020


@madirey since ECS already defines the path.text as type text, if you remove that from here does it still get outputted or does it get removed?

Basically I'm wondering if we can avoid having to define the -name: text fields in these files.

Collaborator

Looks like ECS doesn't support merging custom and core multi_fields. I'll open an issue in the ECS repo.

type: text

- name: target_path
multi_fields:
- name: caseless
type: keyword
normalizer: lowercase
- name: text
type: text

- name: Ext
level: custom
type: object
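Review bot: `normalizer: lowercase` is referenced by name only; unless the Elasticsearch version this package targets ships a built-in normalizer of that name, it has to be declared in the index settings or the mapping is rejected, and nothing in this diff declares it, so it is worth confirming which case applies. Also, per the thread above, the `- name: text` / `type: text` entries duplicate the ECS core definition only because ECS does not merge custom and core multi_fields; a one-line comment above them pointing at the ECS issue would keep a later cleanup from dropping them and losing the text subfield.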
16 changes: 16 additions & 0 deletions custom_schemas/custom_os.yml
@@ -11,6 +11,22 @@
expected:
- host
fields:
- name: full
multi_fields:
- name: caseless
type: keyword
normalizer: lowercase
- name: text
type: text

- name: name
multi_fields:
- name: caseless
type: keyword
normalizer: lowercase
- name: text
type: text

- name: Ext
level: custom
type: object
32 changes: 32 additions & 0 deletions custom_schemas/custom_process.yml
@@ -16,6 +16,38 @@
- { at: Target.process, as: parent }
type: group
fields:
- name: command_line
multi_fields:
- name: caseless
type: keyword
normalizer: lowercase
- name: text
type: text

- name: executable
multi_fields:
- name: caseless
type: keyword
normalizer: lowercase
- name: text
type: text

- name: name
multi_fields:
- name: caseless
type: keyword
normalizer: lowercase
- name: text
type: text

- name: working_directory
multi_fields:
- name: caseless
type: keyword
normalizer: lowercase
- name: text
type: text

- name: Ext
level: custom
type: object
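Review bot: the `caseless` subfield stores the lowercased value, so it should only ever be queried, never read back for display or for an exact-case comparison; the parent keyword field remains the one for that, which is fine as long as exception matching is the only consumer of `.caseless`. For executable and working_directory also note that lowercasing addresses case only: a path written with a different separator or a trailing separator still will not match, so exception entries need to be normalized on that axis as well before being compared against `.caseless`.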
100 changes: 100 additions & 0 deletions generated/alerts/ecs/ecs_flat.yml
@@ -968,6 +968,11 @@ Target.process.command_line:
ignore_above: 1024
level: extended
multi_fields:
- flat_name: Target.process.command_line.caseless
ignore_above: 1024
name: caseless
normalizer: lowercase
type: keyword
- flat_name: Target.process.command_line.text
name: text
norms: false
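Review bot: `ignore_above: 1024` carried onto the `caseless` subfield means a command_line longer than 1024 characters is not indexed there at all, so an exception written against a long command line will silently never match on the caseless field even though the value is present in the document. If long command lines are in scope for exceptions, either raise the limit on the subfield or document the cutoff; the same applies to every other caseless entry in this file.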
@@ -1005,6 +1010,11 @@ Target.process.executable:
ignore_above: 1024
level: extended
multi_fields:
- flat_name: Target.process.executable.caseless
ignore_above: 1024
name: caseless
normalizer: lowercase
type: keyword
- flat_name: Target.process.executable.text
name: text
norms: false
@@ -1082,6 +1092,11 @@ Target.process.name:
ignore_above: 1024
level: extended
multi_fields:
- flat_name: Target.process.name.caseless
ignore_above: 1024
name: caseless
normalizer: lowercase
type: keyword
- flat_name: Target.process.name.text
name: text
norms: false
@@ -1248,6 +1263,11 @@ Target.process.parent.command_line:
ignore_above: 1024
level: extended
multi_fields:
- flat_name: Target.process.parent.command_line.caseless
ignore_above: 1024
name: caseless
normalizer: lowercase
type: keyword
- flat_name: Target.process.parent.command_line.text
name: text
norms: false
@@ -1285,6 +1305,11 @@ Target.process.parent.executable:
ignore_above: 1024
level: extended
multi_fields:
- flat_name: Target.process.parent.executable.caseless
ignore_above: 1024
name: caseless
normalizer: lowercase
type: keyword
- flat_name: Target.process.parent.executable.text
name: text
norms: false
@@ -1362,6 +1387,11 @@ Target.process.parent.name:
ignore_above: 1024
level: extended
multi_fields:
- flat_name: Target.process.parent.name.caseless
ignore_above: 1024
name: caseless
normalizer: lowercase
type: keyword
- flat_name: Target.process.parent.name.text
name: text
norms: false
@@ -1479,6 +1509,11 @@ Target.process.parent.working_directory:
ignore_above: 1024
level: extended
multi_fields:
- flat_name: Target.process.parent.working_directory.caseless
ignore_above: 1024
name: caseless
normalizer: lowercase
type: keyword
- flat_name: Target.process.parent.working_directory.text
name: text
norms: false
@@ -1967,6 +2002,11 @@ Target.process.working_directory:
ignore_above: 1024
level: extended
multi_fields:
- flat_name: Target.process.working_directory.caseless
ignore_above: 1024
name: caseless
normalizer: lowercase
type: keyword
- flat_name: Target.process.working_directory.text
name: text
norms: false
@@ -3835,6 +3875,11 @@ file.path:
ignore_above: 1024
level: extended
multi_fields:
- flat_name: file.path.caseless
ignore_above: 1024
name: caseless
normalizer: lowercase
type: keyword
- flat_name: file.path.text
name: text
norms: false
@@ -3922,6 +3967,11 @@ file.target_path:
ignore_above: 1024
level: extended
multi_fields:
- flat_name: file.target_path.caseless
ignore_above: 1024
name: caseless
normalizer: lowercase
type: keyword
- flat_name: file.target_path.text
name: text
norms: false
@@ -4253,6 +4303,11 @@ host.os.full:
ignore_above: 1024
level: extended
multi_fields:
- flat_name: host.os.full.caseless
ignore_above: 1024
name: caseless
normalizer: lowercase
type: keyword
- flat_name: host.os.full.text
name: text
norms: false
@@ -4282,6 +4337,11 @@ host.os.name:
ignore_above: 1024
level: extended
multi_fields:
- flat_name: host.os.name.caseless
ignore_above: 1024
name: caseless
normalizer: lowercase
type: keyword
- flat_name: host.os.name.text
name: text
norms: false
@@ -4983,6 +5043,11 @@ process.command_line:
ignore_above: 1024
level: extended
multi_fields:
- flat_name: process.command_line.caseless
ignore_above: 1024
name: caseless
normalizer: lowercase
type: keyword
- flat_name: process.command_line.text
name: text
norms: false
@@ -5018,6 +5083,11 @@ process.executable:
ignore_above: 1024
level: extended
multi_fields:
- flat_name: process.executable.caseless
ignore_above: 1024
name: caseless
normalizer: lowercase
type: keyword
- flat_name: process.executable.text
name: text
norms: false
@@ -5093,6 +5163,11 @@ process.name:
ignore_above: 1024
level: extended
multi_fields:
- flat_name: process.name.caseless
ignore_above: 1024
name: caseless
normalizer: lowercase
type: keyword
- flat_name: process.name.text
name: text
norms: false
@@ -5258,6 +5333,11 @@ process.parent.command_line:
ignore_above: 1024
level: extended
multi_fields:
- flat_name: process.parent.command_line.caseless
ignore_above: 1024
name: caseless
normalizer: lowercase
type: keyword
- flat_name: process.parent.command_line.text
name: text
norms: false
@@ -5295,6 +5375,11 @@ process.parent.executable:
ignore_above: 1024
level: extended
multi_fields:
- flat_name: process.parent.executable.caseless
ignore_above: 1024
name: caseless
normalizer: lowercase
type: keyword
- flat_name: process.parent.executable.text
name: text
norms: false
@@ -5372,6 +5457,11 @@ process.parent.name:
ignore_above: 1024
level: extended
multi_fields:
- flat_name: process.parent.name.caseless
ignore_above: 1024
name: caseless
normalizer: lowercase
type: keyword
- flat_name: process.parent.name.text
name: text
norms: false
@@ -5489,6 +5579,11 @@ process.parent.working_directory:
ignore_above: 1024
level: extended
multi_fields:
- flat_name: process.parent.working_directory.caseless
ignore_above: 1024
name: caseless
normalizer: lowercase
type: keyword
- flat_name: process.parent.working_directory.text
name: text
norms: false
@@ -5963,6 +6058,11 @@ process.working_directory:
ignore_above: 1024
level: extended
multi_fields:
- flat_name: process.working_directory.caseless
ignore_above: 1024
name: caseless
normalizer: lowercase
type: keyword
- flat_name: process.working_directory.text
name: text
norms: false