Conversation

@shashank-elastic (Contributor)

Pull Request

Issue link(s): https://github.com/elastic/security-team/issues/11393

Summary - What I changed

  • Issue Deprecation notice via rule name.

How To Test

  • Unit test should pass.

Checklist

  • Added a label for the type of pr: bug, enhancement, schema, maintenance, Rule: New, Rule: Deprecation, Rule: Tuning, Hunt: New, or Hunt: Tuning so guidelines can be generated
  • Added the meta:rapid-merge label if planning to merge within 24 hours
  • Secret and sensitive material has been managed correctly
  • Automated testing was updated or added to match the most common scenarios
  • Documentation and comments were added for features that require explanation

@github-actions (Contributor)

github-actions bot commented Mar 6, 2025

Rule: Deprecation - Guidelines

These guidelines serve as a reminder of the considerations to make when recommending the deprecation of a rule.

Documentation and Context

  • Description of the reason for deprecation.
  • Include any context or historical data supporting the deprecation decision.

Rule Metadata Checks

  • `deprecated = true` added to the rule metadata.
  • `updated_date` should be the date of the PR.

Testing and Validation

  • A prior rule tuning occurred for the rule where Deprecated - is prepended to the rule name, and the rule has already been released.
  • Rule has been moved to the `_deprecated` directory.
  • Double check gaps potentially or inadvertently introduced.
  • Provide evidence that the rule is no longer needed or has been replaced (e.g., alternative rules, updated detection methods).
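As an added example (not the detection-rules repository's own unit tests), the following Python check encodes the metadata and validation points from the guidelines above: the `deprecated` flag, the `updated_date`, the `Deprecated - ` name prefix, the `_deprecated` directory, a guide heading that matches the rule name, and the presence of a deprecation reason. The rule is a constructed in-memory dict standing in for a rule TOML file; the `YYYY/MM/DD` date format and the `rule.note` / `rule.setup` key names are assumptions.

```python
"""Simplified rule-deprecation checks modelled on the PR guidelines.

Added example; not the detection-rules repository's own test code.
The rule below is a constructed dict standing in for a rule TOML file.
"""
from __future__ import annotations

import copy
import re

DEPRECATED_PREFIX = "Deprecated - "
DEPRECATED_DIR = "_deprecated"
HEADING_RE = re.compile(r"^### Investigating (.+)$", re.MULTILINE)

# Constructed sample rule; the metadata/rule key layout and the slash date
# format are assumptions about the repository's TOML structure.
SAMPLE_PATH = "rules/_deprecated/mount_privileged_container.toml"
SAMPLE_RULE = {
    "metadata": {"deprecated": True, "updated_date": "2025/03/06"},
    "rule": {
        "name": "Deprecated - Mount Launched Inside a Privileged Container",
        "description": "Identifies mount being launched inside a privileged container.",
        "setup": "This rule is deprecated; see rules tagged Domain: Container for replacements.",
        "note": (
            "> Investigation guide text.\n\n"
            "### Investigating Deprecated - Mount Launched Inside a Privileged Container\n"
        ),
    },
}


def check_deprecation(rule: dict, rule_path: str, pr_date: str) -> list[str]:
    """Return a list of problems; an empty list means the rule passes every check."""
    problems: list[str] = []
    meta = rule.get("metadata", {})
    body = rule.get("rule", {})
    name = body.get("name", "")

    # Rule metadata checks.
    if meta.get("deprecated") is not True:
        problems.append("metadata.deprecated must be true")
    if meta.get("updated_date") != pr_date:
        problems.append(f"metadata.updated_date should be {pr_date}")

    # The name carries the prefix and the file lives under _deprecated/.
    if not name.startswith(DEPRECATED_PREFIX):
        problems.append(f"rule name should start with {DEPRECATED_PREFIX!r}")
    if f"/{DEPRECATED_DIR}/" not in rule_path:
        problems.append(f"rule file should live under {DEPRECATED_DIR}/")

    # The investigation guide heading must match the (renamed) rule name.
    headings = HEADING_RE.findall(body.get("note", ""))
    if headings and name not in headings:
        problems.append(f"guide heading {headings[0]!r} does not match rule name {name!r}")

    # A reason for the deprecation should be stated in the setup guide or description.
    text = (body.get("setup", "") + " " + body.get("description", "")).lower()
    if "deprecat" not in text:
        problems.append("no deprecation reason found in setup or description")
    return problems


def stale_guide_rule() -> dict:
    """Copy of the sample whose guide heading still lacks the prefix (the failing state)."""
    rule = copy.deepcopy(SAMPLE_RULE)
    rule["rule"]["note"] = rule["rule"]["note"].replace("Investigating Deprecated - ", "Investigating ")
    return rule


if __name__ == "__main__":
    print(check_deprecation(SAMPLE_RULE, SAMPLE_PATH, "2025/03/06"))
    print(check_deprecation(stale_guide_rule(), SAMPLE_PATH, "2025/03/06"))
```

Running it against the sample rule reports no problems, while the copy with the old heading reports the heading mismatch, which is the class of failure a heading-versus-name test catches.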

@Aegrah (Contributor) left a comment

Are we still looking to migrate these over to Elastic Defend prior to deprecation? For the vast majority of these, we can write similar rules using `process.entry_leader.entry_meta.type == "container"` to determine whether the process' init stems from a container.

I am fine doing this before I leave for PTO. WDYT? @imays11
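To illustrate the condition named in the comment above, here is an added Python example (not an Elastic rule or the project's code) that evaluates `process.entry_leader.entry_meta.type == "container"` over a few constructed ECS-style events and flags watched binaries that were launched from a container-origin process tree. The `process.name` field is standard ECS; the watched-binary set is illustrative and the events are constructed, including one with the field missing to show that an absent field simply does not match.

```python
"""Container-origin check over constructed process events.

Added example, not an Elastic detection rule. Events are constructed
ECS-style dicts; only process.entry_leader.entry_meta.type is taken from
the discussion, the watched binaries are illustrative.
"""
from __future__ import annotations

from typing import Any

# Binaries named by the rules being deprecated (mount, the file system debugger);
# which ones to watch is an environment-specific choice.
WATCHED = {"mount", "debugfs"}

# Constructed events: a mount from a container, a mount from the host init tree,
# an ordinary ls from a container, and a debugfs event lacking the field.
SAMPLE_EVENTS = [
    {"process": {"name": "mount",
                 "entry_leader": {"entry_meta": {"type": "container"}}}},
    {"process": {"name": "mount",
                 "entry_leader": {"entry_meta": {"type": "init"}}}},
    {"process": {"name": "ls",
                 "entry_leader": {"entry_meta": {"type": "container"}}}},
    {"process": {"name": "debugfs"}},
]


def get_path(event: dict[str, Any], dotted: str) -> Any:
    """Resolve a dotted ECS field name against a nested dict; None if absent."""
    cur: Any = event
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def entered_via_container(event: dict[str, Any]) -> bool:
    """True when the process' entry leader was started inside a container."""
    return get_path(event, "process.entry_leader.entry_meta.type") == "container"


def matched_names(events: list[dict[str, Any]]) -> list[str]:
    """Names of watched binaries that ran from a container-origin process tree."""
    return [
        get_path(e, "process.name")
        for e in events
        if entered_via_container(e) and get_path(e, "process.name") in WATCHED
    ]


if __name__ == "__main__":
    print(matched_names(SAMPLE_EVENTS))
```

Only the first event matches: the host-side mount is excluded by its `init` entry type, `ls` is not a watched binary, and the event without `entry_leader` resolves to `None` rather than raising.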

> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
### Investigating Container Workload Protection
### Investigating Deprecated - Container Workload Protection
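Review bot: the two headings differ only in the `Deprecated - ` prefix, and the author states further down that the prefix was added because the investigation-guide unit test fails when the heading does not match the renamed rule. Reverting the heading as suggested would therefore bring that failure back; either keep `### Investigating Deprecated - Container Workload Protection` or change the test's expectation, and state the outcome in the PR so the same question does not repeat for the remaining guides.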
Contributor

Suggested change
### Investigating Deprecated - Container Workload Protection
### Investigating Container Workload Protection

Contributor Author

All of the rule name changes in the investigation guides are because of the unit test failure reported here: https://github.com/elastic/detection-rules/actions/runs/13694627124/job/38294173310

Contributor

Strange one

> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
### Investigating AWS Credentials Searched For Inside A Container
### Investigating Deprecated - AWS Credentials Searched For Inside A Container
Contributor

Suggested change
### Investigating Deprecated - AWS Credentials Searched For Inside A Container
### Investigating AWS Credentials Searched For Inside A Container

> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
### Investigating Sensitive Files Compression Inside A Container
### Investigating Deprecated - Sensitive Files Compression Inside A Container
Contributor

Suggested change
### Investigating Deprecated - Sensitive Files Compression Inside A Container
### Investigating Sensitive Files Compression Inside A Container

> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
### Investigating Sensitive Keys Or Passwords Searched For Inside A Container
### Investigating Deprecated - Sensitive Keys Or Passwords Searched For Inside A Container
Contributor

Suggested change
### Investigating Deprecated - Sensitive Keys Or Passwords Searched For Inside A Container
### Investigating Sensitive Keys Or Passwords Searched For Inside A Container

> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
### Investigating Modification of Dynamic Linker Preload Shared Object Inside A Container
### Investigating Deprecated - Modification of Dynamic Linker Preload Shared Object Inside A Container
Contributor

Suggested change
### Investigating Deprecated - Modification of Dynamic Linker Preload Shared Object Inside A Container
### Investigating Modification of Dynamic Linker Preload Shared Object Inside A Container

> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
### Investigating SSH Authorized Keys File Modified Inside a Container
### Investigating Deprecated - SSH Authorized Keys File Modified Inside a Container
Contributor

Suggested change
### Investigating Deprecated - SSH Authorized Keys File Modified Inside a Container
### Investigating SSH Authorized Keys File Modified Inside a Container

> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
### Investigating File System Debugger Launched Inside a Privileged Container
### Investigating Deprecated - File System Debugger Launched Inside a Privileged Container
Contributor

Suggested change
### Investigating Deprecated - File System Debugger Launched Inside a Privileged Container
### Investigating File System Debugger Launched Inside a Privileged Container

> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
### Investigating Mount Launched Inside a Privileged Container
### Investigating Deprecated - Mount Launched Inside a Privileged Container
Contributor

Suggested change
### Investigating Deprecated - Mount Launched Inside a Privileged Container
### Investigating Mount Launched Inside a Privileged Container

> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
### Investigating Potential Container Escape via Modified notify_on_release File
### Investigating Deprecated - Potential Container Escape via Modified notify_on_release File
Contributor

Suggested change
### Investigating Deprecated - Potential Container Escape via Modified notify_on_release File
### Investigating Potential Container Escape via Modified notify_on_release File

> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
### Investigating Potential Container Escape via Modified release_agent File
### Investigating Deprecated - Potential Container Escape via Modified release_agent File
Contributor

Suggested change
### Investigating Deprecated - Potential Container Escape via Modified release_agent File
### Investigating Potential Container Escape via Modified release_agent File

@w0rk3r (Contributor)

w0rk3r commented Mar 6, 2025

We should also provide a reason for the deprecation, either in the setup guide or in the rule description, so it is clear to customers why this is being deprecated. Here is an example we did for the threat match rules.

@Mikaayenson (Contributor)

If you search for `cloud_defend` in our repo, it shows up in a couple places. We may need to make other minor changes.

@shashank-elastic (Contributor Author)

Updates

  • We would continue to announce the deprecation in this release, and then tune as per @Aegrah as a separate effort after the complete deprecation is announced.
  • For adding additional information on the deprecation, I would wait until @imays11 has looked at this, and then we can add that additional information.

@imays11 (Contributor)

imays11 commented Mar 6, 2025

@shashank-elastic I've added a setup guide with the additional deprecation context as suggested @w0rk3r

@Aegrah for any duplicated rules you create can you be sure to add the tag "Domain: Container" as this is what I'm directing users to look for within the Linux ruleset as a replacement for these rules.

@imays11 imays11 merged commit e28512a into main Mar 7, 2025
9 checks passed
@imays11 imays11 deleted the deprecate_notice_cloud_defend branch March 7, 2025 05:20
@Mikaayenson (Contributor)

> @shashank-elastic I've added a setup guide with the additional deprecation context as suggested @w0rk3r

Thanks for doing this @imays11. Just missed this, but we may have wanted to include in the note that they are already deprecated on serverless.


8 participants