Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

11957 hardware breakpoint set #333

Merged
merged 8 commits into from
Feb 1, 2023
Merged

11957 hardware breakpoint set #333

merged 8 commits into from
Feb 1, 2023

Conversation

AsuNa-jp
Copy link
Contributor

@AsuNa-jp AsuNa-jp commented Jan 25, 2023
edited
Loading

Change Summary

This PR adds a new field which indicates whether a hardware breakpoint is set for a thread.

Protections team is interested in this information because, for example, hardware breakpoints are used for patch-less hooking to bypass security products/features such as AMSI.

Sample values

see package/endpoint/data_stream/alerts/sample_event.json

Release Target

8.8.0

Q/A

For mapping changes:

  • I ran make after making the schema changes, and committed all changes
  • If these field(s) are "exception"-able, I made a companion PR to Kibana adding it (see Readme)
  • If this is a metadata change, I also updated both transform destination schemas to match

For Transform changes:

  • The new transform successfully starts in Kibana
  • The corresponding transform destination schema was updated if necessary

@AsuNa-jp AsuNa-jp changed the title Asuka 11957 hardware breakpoint set [DO NOT MERGE]Asuka 11957 hardware breakpoint set Jan 25, 2023
@elasticmachine
Copy link
Contributor

elasticmachine commented Jan 25, 2023
edited
Loading

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview preview

Expand to view the summary

Build stats

  • Start Time: 2023-01-30T19:19:09.510+0000

  • Duration: 7 min 16 sec

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

@AsuNa-jp AsuNa-jp changed the title [DO NOT MERGE]Asuka 11957 hardware breakpoint set [DO NOT MERGE] 11957 hardware breakpoint set Jan 25, 2023
@AsuNa-jp AsuNa-jp self-assigned this Jan 25, 2023
jdu2600
jdu2600 reviewed Jan 30, 2023
View reviewed changes
custom_schemas/custom_process.yml Outdated
Comment on lines 194 to 197
description: >
Check whether a hardware breakpoint is set for the thread.
Include this field, only if the hardware breakpoint is setted.
example: "true"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This generates a non-fatal warning - "Short descriptions must be single line, and under 120 characters"
You can explicitly set a short description with short:

Suggested change
description: >
Check whether a hardware breakpoint is set for the thread.
Include this field, only if the hardware breakpoint is setted.
example: "true"
short: Whether a hardware breakpoint was set for the thread.
description: >
Whether a hardware breakpoint was set for the thread.
This field is omitted if false.
example: "true"

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! Fixed as suggested!

@AsuNa-jp AsuNa-jp marked this pull request as ready for review January 30, 2023 11:10
@AsuNa-jp AsuNa-jp requested a review from a team as a code owner January 30, 2023 11:10
@AsuNa-jp
Copy link
Contributor Author

/test

@gabriellandau gabriellandau force-pushed the asuka_11957-hardware_breakpoint_set branch from c2f2616 to 7e136fe Compare January 30, 2023 19:18
gabriellandau
gabriellandau approved these changes Jan 30, 2023
View reviewed changes
Copy link
Contributor

@gabriellandau gabriellandau left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@gabriellandau
Copy link
Contributor

Green build

@AsuNa-jp
Copy link
Contributor Author

AsuNa-jp commented Jan 31, 2023
edited
Loading

LGTM

Thank you very much of fixing this issue, Gabe!

@AsuNa-jp AsuNa-jp changed the title [DO NOT MERGE] 11957 hardware breakpoint set 11957 hardware breakpoint set Jan 31, 2023
@AsuNa-jp
Copy link
Contributor Author

Hi @pzl @gergoabraham ! Could you take a look when you get a chance?

pzl
pzl approved these changes Jan 31, 2023
View reviewed changes
Copy link
Member

@pzl pzl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good!

Sorry for the wait, but thanks for the bump, this is good to merge

@AsuNa-jp AsuNa-jp merged commit 7e0c01b into main Feb 1, 2023
@AsuNa-jp AsuNa-jp deleted the asuka_11957-hardware_breakpoint_set branch February 1, 2023 05:25
@AsuNa-jp
Copy link
Contributor Author

AsuNa-jp commented Feb 1, 2023

@pzl Thanks for reviewing!

@elasticmachine
Copy link
Contributor

Package endpoint - 8.7.0 containing this change is available at https://epr.elastic.co/search?package=endpoint

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jdu2600 jdu2600 jdu2600 left review comments

@pzl pzl pzl approved these changes

@gabriellandau gabriellandau gabriellandau approved these changes

@gergoabraham gergoabraham Awaiting requested review from gergoabraham gergoabraham was automatically assigned from elastic/security-onboarding-and-lifecycle-mgt

Assignees

@AsuNa-jp AsuNa-jp

Labels
v8.7.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@AsuNa-jp @elasticmachine @gabriellandau @pzl @jdu2600