Add malware_signature for Memory protection alert #155
Changes from 4 commits
@@ -0,0 +1,40 @@ | ||
--- | ||
- name: malware_signature | ||
title: Malware Signature | ||
group: 2 | ||
short: These fields contain the yara malware signature. | ||
description: > | ||
These fields contain the yara malware signature. | ||
reusable: | ||
order: 1 | ||
top_level: false | ||
expected: | ||
- process.Ext | ||
- file.Ext | ||
type: group | ||
fields: | ||
- name: all_names | ||
level: custom | ||
type: keyword | ||
example: "Windows.EICAR.Not-a-virus" | ||
description: A sequence of signature names matched. | ||
|
||
- name: identifier | ||
level: custom | ||
type: keyword | ||
description: The model's unique identifier. | ||
|
||
- name: primary | ||
level: custom | ||
type: object | ||
description: The first matching details. | ||
|
||
- name: secondary | ||
level: custom | ||
type: array | ||
In Elasticsearch there isn't an Could we change this to the structure and type that will be contained within

If we use
description: Additional matching details if available. | ||
|
||
- name: version | ||
level: custom | ||
type: keyword | ||
description: The version of the model used. |
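Review bot: `secondary` is declared `type: array` and `primary` as a bare `type: object`, but Elasticsearch has no array mapping type (any field may hold several values), so the schema should instead declare the concrete type of each element and the sub-fields that `primary` and `secondary` contain, for example by nesting them under a `fields:` list the way the group already does for `all_names`. The descriptions of `identifier` ("The model's unique identifier.") and `version` ("The version of the model used.") also speak of a "model" although this group describes YARA signature matches; wording them in terms of the signature, and writing `yara` as YARA in `short` and `description`, would make the intent clear.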
@@ -315,6 +315,8 @@ fields: | |||||
buffer: {} | ||||||
decompressed_size: {} | ||||||
encoding: {} | ||||||
malware_signature: | ||||||
fields: "*" | ||||||
macro: | ||||||
fields: | ||||||
errors: | ||||||
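Review bot: `fields: "*"` under `malware_signature` pulls the whole group into this subset by wildcard, whereas the neighbouring entries (`buffer`, `decompressed_size`, `encoding`) state what they include with `{}` and the `malware_classification` group in the next hunk lists `score: {}` explicitly; enumerating `all_names`, `identifier`, `primary`, `secondary` and `version` the same way keeps the subset explicit, so that a field added to the group later does not land in the mapping without review.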
@@ -469,6 +471,8 @@ fields: | |||||
exceptionable: true | ||||||
status: | ||||||
exceptionable: true | ||||||
malware_signature: | ||||||
Should this go into memory_protection_event, since Memory Scan is presented to the user as part of Memory Protection? https://github.com/elastic/endpoint-package/blob/c23a052ef81ea39ab2934e2e1ea5b32bff102196/custom_subsets/elastic_endpoint/alerts/memory_protection_event.yaml

This should stay where it is at the very least for malware (FileScore) events. We could duplicate it to another location as well for use by memory alerts, though I'd vote against that.

I take it back. I now see you're commenting on Currently Linux only sends file activity based malware (FileScore) alerts (open, write, etc.), so it wouldn't ever need this location. But Windows and macOS can send process based malware alerts (process start). So I still think this is needed for Windows and macOS signature based FileScore alerts (and wonder why testing has been OK without this so far). But that's only whether or not this update is beneficial to malware alerts. My presumption would be that a standardized key name for yara signature matches regardless of the protection type would be better than it going in different places for different alert types. But I don't feel strongly; if my presumption is wrong I'll stay silent.

Per our discussion, I will remove this line from this PR. We will add it back in 7.15.
fields: "*" | ||||||
Everything else here looks like this:

Suggested change

We should update the docs on

Since we want everything under
malware_classification: | ||||||
fields: | ||||||
score: {} | ||||||
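Review bot: the sibling entries in this block carry `exceptionable: true` (see `status:` just above), while the new `malware_signature` entry carries only `fields: "*"`; the hunk should say explicitly whether these fields are meant to be exceptionable, and, as `malware_classification` directly below does with `score: {}`, list the fields rather than using `"*"`. The thread on this hunk agrees to drop the entry from this PR and add it back in 7.15, so as shown the hunk still needs to be removed before merge.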
Just a heads up, it doesn't look like malware_signature is being placed under file.Ext 🤔 that might be because the file subset file doesn't include it 🤷♂️ is that ok?

I updated the title. All fields added here are for the Memory Protection plugin.