-
Notifications
You must be signed in to change notification settings - Fork 8.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Security Solution] User can make Exceptions for Memory protection alerts #102196
[Security Solution] User can make Exceptions for Memory protection alerts #102196
Conversation
add tests for the memory exception default fields
Pinging @elastic/security-onboarding-and-lifecycle-mgt (Team:Onboarding and Lifecycle Mgt) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me besides a couple comments, thanks for refactoring some of this to make it easier adding more exception types in the future!
*/ | ||
export interface MemoryProtection { | ||
cross_session?: boolean; | ||
// should this be a enum with 'signature' and ' shellcode_thread' ? are there more options? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
im not sure if this is more a question for the pr or leftover comments, but we'll wanna remove it before merge. Idk much about the context for the field itself
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
leftover comment. Thanks for pointing it.
"Memory_protection.feature", | ||
"Memory_protection.self_injection" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just double checking, get @gogochan or someone from the endpoint team to sign off on these fields being accessed by users, I don't know enough about them to say they'd be prone to unknowingly making super permissive exceptions
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
They were explicitly mentioned in the acceptance criteria, but I summon @kevinlog to help me confirm.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These seem to be memory protection plug in feature. @gabriellandau, can you check the fields?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
CC @jdu2600 for user-facing shellcode exception fields
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
TL;DR - Memory_protection.feature
and Memory_protection.self_injection
are required for user exceptions.
Hey folks,
I'm super new - and not familiar with the typical user exception writing process.
And, in particular, how we balance simplicity and flexibility.
These two fields are absolutely necessary for writing user Memory Protection exceptions - however, if used on their own, they will produce super permissive exceptions (i.e. basically the equivalent of disabling the feature). But I assume that this is the case for all other exception types? Or do we typically provide guardrails - e.g. mandatory rule fields/complexity?
My expectation is that users will predominately be writing simple rules based on acting process + Memory_protection.feature + Memory_protection.self_injection [+ optionally target process].
This is broader that the global exception list rules that we write internally - but that's reasonable since the deployment scope for user rules is not global.
TBH - I'm personally not sure that the typical user needs to see the above Target.process.thread.Ext.start_address* fields, but suspect that 'power users' will be more comfortable having them there. If they use them though they'll like write rules that are too specific - and end up having to tune the rules over time...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@jdu2600 this is how the add exception UI looks in kibana:
Note: this is from a malware alert. just an example.
The user will have pre-filled the value that came with the alert itself. For Memory_protection.feature
the value could be shellcode_thread
. The user has the option to remove the rule or to put a custom value on the rule.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If they're required for the Memory exceptions themselves, it shouldn't be a problem. And yeah, technically a user could create an exception for "@timestamp
is not 1" which would be pretty permissive. I think the goal is just to make it less likely for users to unknowingly do that by not adding unnecessary fields, but these don't fit in that category so should be all good 👍
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
left a few comments. Let me know if you have any questions
integrity_level_name: string; | ||
} | ||
|
||
export interface MemoryPe { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
what does Pe
suffix mean? Can we spell it out instead of shorten it up (if possible)? (same for other areas below where this suffix is used)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am not sure what it means, maybe "portable executable". Everywhere inside the indexes is mentioned as PE. @kevinlog do you know?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes it's a Portable Executable file that's found in memory.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@gabriellandau should we change the keys to reflect the fullname?
@paul-tavares perhaps if we use the abbreviation everywhere it might come more confusing if we use the fullname in some place and the short in other. Perhaps better add a comment to explain the full meaning?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
should we change the keys to reflect the fullname?
I don't think it's necessary. pe
is an ECS field. I was following that convention with these other field names.
@@ -63,4 +65,7 @@ export interface Ecs { | |||
// This should be temporary | |||
eql?: { parentId: string; sequenceNumber: string }; | |||
Ransomware?: Ransomware; | |||
// eslint-disable-next-line @typescript-eslint/naming-convention |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Curious: did this really error? I see keys in other areas here starting with Capital letter and including underscores with no eslint disable rules on them
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Memory_protection
fails to match this rule. memory_protection
would work, but not with the upper M
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@paul-tavares can you point me to places where there are keys like this without eslint errors?
x-pack/plugins/security_solution/common/endpoint/generate_data.ts
Outdated
Show resolved
Hide resolved
export interface StartAddressDetails { | ||
allocation_type?: string; | ||
allocation_size?: number; | ||
region_size?: number; | ||
region_protection?: string; | ||
memory_pe?: MemoryPe; | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we want the rest of the fields from here too? https://github.com/elastic/endpoint-package/blob/1c983ab3fe1ebaa62171b38cb37c3dc420d9b16b/custom_schemas/custom_memory_region.yml
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@gabriellandau they are not used for the functionality in this PR so I left them out. I can add them.
"Target.process.thread.Ext.start_address_details.allocation_size", | ||
"Target.process.thread.Ext.start_address_details.region_size", | ||
"Target.process.thread.Ext.start_address_details.region_protection", | ||
"Target.process.thread.Ext.start_address_details.memory_pe.imphash", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"Target.process.thread.Ext.start_address_details.memory_pe.imphash", | |
"Target.process.thread.Ext.start_address_details.memory_pe.imphash", | |
"Target.process.thread.Ext.start_address_bytes", | |
"process.executable", | |
"process.name", | |
"Target.process.executable", | |
"Target.process.name", | |
"process.Ext.code_signature", /* can we allow nested only? */ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@gabriellandau can you clarify what do you mean with /* can we allow nested only? */
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
code_signature should be a nested
comparison so "trusted": true can be included, keeping users from accidentally trusting untrusted signatures:
"code_signature": [
{
"exists": true,
"status": "trusted",
"subject_name": "Microsoft Windows",
"trusted": true
}
],
Untrusted:
"code_signature": [
{
"exists": true,
"status": "errorCode_80092003",
"subject_name": "LogMeIn, Inc.",
"trusted": false
}
],
field: 'Memory_protection.feature', | ||
operator: 'included', | ||
type: 'match', | ||
value: alertEcsData.Memory_protection?.feature ?? '', |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Q: Do we have to add an entry with empty value or should we just skip the entry if we don't have the specific value?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should always come with a value.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Then I'm wondering why this key can be undefined alertEcsData.Memory_protection?.feature ?? ''
That seems .feature
can be null and then value will be empty.
If this is ok, forget this comment 🙂
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@dasansol92 there's not really a good reason for this type to allow undefined. But I saw that every single type inside the ECS is marked as possible undefined and I followed that pattern. Based on the real data I got for this kind of alarm, they should not be undefined and the other exception implementations do the same as me here.
It actually makes more sense to conditionally add fields only when they are populated rather than this than this nullish coalescing.
I'll keep it like this to follow the pattern and I'll reevaluate it when I start working in the behaviour protection that should also touch this area.
💚 Build SucceededMetrics [docs]Async chunks
History
To update your PR or re-run it, just comment with: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM!
💚 Backport successful
This backport PR will be merged automatically after passing CI. |
…-png-pdf-report-type * 'master' of github.com:elastic/kibana: (292 commits) bring back KQL autocomplete in timeline + fix last updated (elastic#105380) [Maps] Change TOC pop-up wording to reflect filter change, not search bar change (elastic#105163) Updating urls to upstream elastic repo (elastic#105250) [Maps] Move new vector layer wizard card down (elastic#104797) Exclude registering the cases feature if not enabled (elastic#105292) [Uptime] Alerts - Monitor status alert - check monitor status by monitor.timespan (elastic#104541) updated UI copy (elastic#105184) Log a warning when documents of unknown types are detected during migration (elastic#105213) [Logs UI] Register log threshold rule as lifecycle rule (elastic#104341) [Ingest pipelines] add network direction processor (elastic#103436) [Console] Autocomplete definitions (manual backport) (elastic#105086) [Security Solution] User can make Exceptions for Memory protection alerts (elastic#102196) [Lens] Formula: add validation for multiple field/metrics (elastic#104092) Removing async from file upload and data visualizer plugins start lifecycle (elastic#105197) Fix error when validating the form with non blocking validations (elastic#103629) [ML] Fix "View by" swim lane with applied filter and sorting by score (elastic#105217) Update dependency @elastic/charts to v32 (elastic#104625) [CTI] shortens large numbers on Dashboard Link Panel (elastic#105269) [Security Solution][Endpoint][Host Isolation] Fixes bug to remove excess host metadata status toasts on non user initiated errors (elastic#105331) [Cases] Fix pushing alerts count on every push to external service (elastic#105030) ... # Conflicts: # x-pack/plugins/reporting/common/types.ts
Summary
Checklist
Delete any items that are not applicable to this PR.