[Security Solution] User can make Exceptions for Memory protection alerts #102196
Conversation
add tests for the memory exception default fields
academo
added
v7.15.0
Team:Defend Workflows
|
Pinging @elastic/security-onboarding-and-lifecycle-mgt (Team:Onboarding and Lifecycle Mgt) |
academo
added
the
release_note:feature
| */ | ||
| export interface MemoryProtection { | ||
| cross_session?: boolean; | ||
| // should this be a enum with 'signature' and ' shellcode_thread' ? are there more options? |
There was a problem hiding this comment.
im not sure if this is more a question for the pr or leftover comments, but we'll wanna remove it before merge. Idk much about the context for the field itself
There was a problem hiding this comment.
leftover comment. Thanks for pointing it.
| "Memory_protection.feature", | ||
| "Memory_protection.self_injection" |
There was a problem hiding this comment.
Just double checking, get @gogochan or someone from the endpoint team to sign off on these fields being accessed by users, I don't know enough about them to say they'd be prone to unknowingly making super permissive exceptions
There was a problem hiding this comment.
They were explicitly mentioned in the acceptance criteria, but I summon @kevinlog to help me confirm.
There was a problem hiding this comment.
These seem to be memory protection plug in feature. @gabriellandau, can you check the fields?
There was a problem hiding this comment.
CC @jdu2600 for user-facing shellcode exception fields
There was a problem hiding this comment.
TL;DR - Memory_protection.feature and Memory_protection.self_injection are required for user exceptions.
Hey folks,
I'm super new - and not familiar with the typical user exception writing process.
And, in particular, how we balance simplicity and flexibility.
These two fields are absolutely necessary for writing user Memory Protection exceptions - however, if used on their own, they will produce super permissive exceptions (i.e. basically the equivalent of disabling the feature). But I assume that this is the case for all other exception types? Or do we typically provide guardrails - e.g. mandatory rule fields/complexity?
My expectation is that users will predominately be writing simple rules based on acting process + Memory_protection.feature + Memory_protection.self_injection [+ optionally target process].
This is broader that the global exception list rules that we write internally - but that's reasonable since the deployment scope for user rules is not global.
TBH - I'm personally not sure that the typical user needs to see the above Target.process.thread.Ext.start_address* fields, but suspect that 'power users' will be more comfortable having them there. If they use them though they'll like write rules that are too specific - and end up having to tune the rules over time...
There was a problem hiding this comment.
@jdu2600 this is how the add exception UI looks in kibana:
Note: this is from a malware alert. just an example.
The user will have pre-filled the value that came with the alert itself. For Memory_protection.feature the value could be shellcode_thread. The user has the option to remove the rule or to put a custom value on the rule.
There was a problem hiding this comment.
If they're required for the Memory exceptions themselves, it shouldn't be a problem. And yeah, technically a user could create an exception for "@timestamp is not 1" which would be pretty permissive. I think the goal is just to make it less likely for users to unknowingly do that by not adding unnecessary fields, but these don't fit in that category so should be all good 👍
academo
changed the title
academo
added
the
auto-backport
| integrity_level_name: string; | ||
| } | ||
|
|
||
| export interface MemoryPe { |
There was a problem hiding this comment.
what does Pe suffix mean? Can we spell it out instead of shorten it up (if possible)? (same for other areas below where this suffix is used)
There was a problem hiding this comment.
I am not sure what it means, maybe "portable executable". Everywhere inside the indexes is mentioned as PE. @kevinlog do you know?
There was a problem hiding this comment.
Yes it's a Portable Executable file that's found in memory.
There was a problem hiding this comment.
@gabriellandau should we change the keys to reflect the fullname?
@paul-tavares perhaps if we use the abbreviation everywhere it might come more confusing if we use the fullname in some place and the short in other. Perhaps better add a comment to explain the full meaning?
There was a problem hiding this comment.
should we change the keys to reflect the fullname?
I don't think it's necessary. pe is an ECS field. I was following that convention with these other field names.
| @@ -63,4 +65,7 @@ export interface Ecs { | |||
| // This should be temporary | |||
| eql?: { parentId: string; sequenceNumber: string }; | |||
| Ransomware?: Ransomware; | |||
| // eslint-disable-next-line @typescript-eslint/naming-convention | |||
There was a problem hiding this comment.
Curious: did this really error? I see keys in other areas here starting with Capital letter and including underscores with no eslint disable rules on them
There was a problem hiding this comment.
Memory_protection fails to match this rule. memory_protection would work, but not with the upper M
There was a problem hiding this comment.
@paul-tavares can you point me to places where there are keys like this without eslint errors?
x-pack/plugins/security_solution/common/endpoint/generate_data.ts
Outdated
Show resolved
Hide resolved
| export interface StartAddressDetails { | ||
| allocation_type?: string; | ||
| allocation_size?: number; | ||
| region_size?: number; | ||
| region_protection?: string; | ||
| memory_pe?: MemoryPe; | ||
| } |
There was a problem hiding this comment.
Do we want the rest of the fields from here too? https://github.com/elastic/endpoint-package/blob/1c983ab3fe1ebaa62171b38cb37c3dc420d9b16b/custom_schemas/custom_memory_region.yml
There was a problem hiding this comment.
@gabriellandau they are not used for the functionality in this PR so I left them out. I can add them.
| "Target.process.thread.Ext.start_address_details.allocation_size", | ||
| "Target.process.thread.Ext.start_address_details.region_size", | ||
| "Target.process.thread.Ext.start_address_details.region_protection", | ||
| "Target.process.thread.Ext.start_address_details.memory_pe.imphash", |
There was a problem hiding this comment.
| "Target.process.thread.Ext.start_address_details.memory_pe.imphash", | |
| "Target.process.thread.Ext.start_address_details.memory_pe.imphash", | |
| "Target.process.thread.Ext.start_address_bytes", | |
| "process.executable", | |
| "process.name", | |
| "Target.process.executable", | |
| "Target.process.name", | |
| "process.Ext.code_signature", /* can we allow nested only? */ |
There was a problem hiding this comment.
@gabriellandau can you clarify what do you mean with /* can we allow nested only? */ ?
There was a problem hiding this comment.
code_signature should be a nested comparison so "trusted": true can be included, keeping users from accidentally trusting untrusted signatures:
"code_signature": [
{
"exists": true,
"status": "trusted",
"subject_name": "Microsoft Windows",
"trusted": true
}
],
Untrusted:
"code_signature": [
{
"exists": true,
"status": "errorCode_80092003",
"subject_name": "LogMeIn, Inc.",
"trusted": false
}
],
| field: 'Memory_protection.feature', | ||
| operator: 'included', | ||
| type: 'match', | ||
| value: alertEcsData.Memory_protection?.feature ?? '', |
There was a problem hiding this comment.
Q: Do we have to add an entry with empty value or should we just skip the entry if we don't have the specific value?
There was a problem hiding this comment.
This should always come with a value.
There was a problem hiding this comment.
Then I'm wondering why this key can be undefined alertEcsData.Memory_protection?.feature ?? ''
That seems .feature can be null and then value will be empty.
If this is ok, forget this comment 🙂
There was a problem hiding this comment.
@dasansol92 there's not really a good reason for this type to allow undefined. But I saw that every single type inside the ECS is marked as possible undefined and I followed that pattern. Based on the real data I got for this kind of alarm, they should not be undefined and the other exception implementations do the same as me here.
It actually makes more sense to conditionally add fields only when they are populated rather than this than this nullish coalescing.
I'll keep it like this to follow the pattern and I'll reevaluate it when I start working in the behaviour protection that should also touch this area.
💚 Build SucceededMetrics [docs]Async chunks
History
To update your PR or re-run it, just comment with: |
💚 Backport successful
This backport PR will be merged automatically after passing CI. |
…-png-pdf-report-type * 'master' of github.com:elastic/kibana: (292 commits) bring back KQL autocomplete in timeline + fix last updated (elastic#105380) [Maps] Change TOC pop-up wording to reflect filter change, not search bar change (elastic#105163) Updating urls to upstream elastic repo (elastic#105250) [Maps] Move new vector layer wizard card down (elastic#104797) Exclude registering the cases feature if not enabled (elastic#105292) [Uptime] Alerts - Monitor status alert - check monitor status by monitor.timespan (elastic#104541) updated UI copy (elastic#105184) Log a warning when documents of unknown types are detected during migration (elastic#105213) [Logs UI] Register log threshold rule as lifecycle rule (elastic#104341) [Ingest pipelines] add network direction processor (elastic#103436) [Console] Autocomplete definitions (manual backport) (elastic#105086) [Security Solution] User can make Exceptions for Memory protection alerts (elastic#102196) [Lens] Formula: add validation for multiple field/metrics (elastic#104092) Removing async from file upload and data visualizer plugins start lifecycle (elastic#105197) Fix error when validating the form with non blocking validations (elastic#103629) [ML] Fix "View by" swim lane with applied filter and sorting by score (elastic#105217) Update dependency @elastic/charts to v32 (elastic#104625) [CTI] shortens large numbers on Dashboard Link Panel (elastic#105269) [Security Solution][Endpoint][Host Isolation] Fixes bug to remove excess host metadata status toasts on non user initiated errors (elastic#105331) [Cases] Fix pushing alerts count on every push to external service (elastic#105030) ... # Conflicts: # x-pack/plugins/reporting/common/types.ts
Summary
Checklist
Delete any items that are not applicable to this PR.