sentinel_one_cloud_funnel: improve detection rules support #9120
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)
Awesome work 🧙🏼 🔥 🧙🏼 🔥 🧙🏼 🔥 🧙🏼 🔥
field: process.code_signature.trusted | ||
value: false | ||
override: false | ||
if: ctx.process?.code_signature?.exists == true |
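Review bot: this set only behaves as the thread describes because it runs after the verified_status set and because that earlier set writes true rather than false; with override: false the processor order is load-bearing, yet nothing in this processor records that. Add a description to this set saying it must follow the verified_status set, and reconsider the first set's contains('verified') test: a substring match would also accept any vendor value that merely contains the word (for instance an "unverified"-style value, if the vendor ever emits one, which is an assumption and not shown here), so an equality check against the exact verified value would be safer.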
I am not sure if I understood this one: will this set process.code_signature.trusted to false whenever the signature exists, or only if ctx.sentinel_one_cloud_funnel?.event?.src?.process?.verified_status?.contains('verified') == true returns false?
So the previous set sets the process.code_signature.trusted value to true if sentinel_one_cloud_funnel.event.src.process.verified_status contains "verified". This one sets it to false if a signature exists but process.code_signature.trusted is not already set (override: false). So if the previous set has not fired, and we have a signature, then we have not verified it, so set to false.
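The two set processors discussed above, as an added example that is not part of this PR or of the sentinel_one_cloud_funnel integration: a small Python stand-in for the Elasticsearch ingest set processor (modelling only the if and override options) runs the PR's two steps over constructed events and returns the resulting process.code_signature.trusted. The Painless if: scripts are modelled as Python callables, the sample documents and the "unverified" value are constructed inputs, and the strict equality variant is an alternative of mine, not something the PR does.

```python
# Added example (not from the PR or the integration): a minimal model of
# the Elasticsearch ingest `set` processor, used to show how `override: false`
# combined with an `if:` condition yields trusted = true, false, or absent.
# The Painless conditions are modelled as Python callables; field names follow
# the PR, the sample events below are constructed.
from typing import Any, Callable, Optional


def get_path(doc: dict, path: str) -> Any:
    """Null-safe dotted lookup, equivalent to Painless `ctx.a?.b?.c`."""
    cur: Any = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def set_path(doc: dict, path: str, value: Any) -> None:
    """Create intermediate objects and assign the leaf, as `set` does."""
    parts = path.split(".")
    cur = doc
    for part in parts[:-1]:
        cur = cur.setdefault(part, {})
    cur[parts[-1]] = value


def set_processor(doc: dict, field: str, value: Any, override: bool = True,
                  condition: Optional[Callable[[dict], bool]] = None) -> None:
    """Model of the ingest `set` processor: skip when `if` is false, and when
    override is false leave an already-populated field untouched."""
    if condition is not None and not condition(doc):
        return
    if not override and get_path(doc, field) is not None:
        return
    set_path(doc, field, value)


VERIFIED_STATUS = "sentinel_one_cloud_funnel.event.src.process.verified_status"


def verified_by_contains(doc: dict) -> bool:
    """The PR's first condition: verified_status?.contains('verified') == true."""
    status = get_path(doc, VERIFIED_STATUS)
    return isinstance(status, str) and "verified" in status


def verified_by_equality(doc: dict) -> bool:
    """Stricter alternative (my assumption, not in the PR): exact match."""
    return get_path(doc, VERIFIED_STATUS) == "verified"


def signature_exists(doc: dict) -> bool:
    """The PR's second condition: ctx.process?.code_signature?.exists == true."""
    return get_path(doc, "process.code_signature.exists") is True


def trusted_for(verified_status: Optional[str], exists: Optional[bool],
                strict: bool = False) -> Optional[bool]:
    """Build a constructed event, run the two `set` processors in the PR's
    order, and return the resulting process.code_signature.trusted."""
    doc: dict = {}
    if verified_status is not None:
        set_path(doc, VERIFIED_STATUS, verified_status)
    if exists is not None:
        set_path(doc, "process.code_signature.exists", exists)
    first = verified_by_equality if strict else verified_by_contains
    # Step 1: trusted = true when the vendor reports the signature as verified.
    set_processor(doc, "process.code_signature.trusted", True, condition=first)
    # Step 2: trusted = false when a signature exists but step 1 did not fire;
    # override: false preserves a true written by step 1.
    set_processor(doc, "process.code_signature.trusted", False,
                  override=False, condition=signature_exists)
    return get_path(doc, "process.code_signature.trusted")


if __name__ == "__main__":
    cases = [("verified", True), (None, True), (None, None), ("unverified", True)]
    for status, exists in cases:
        print(status, exists, "->", trusted_for(status, exists),
              "| strict:", trusted_for(status, exists, strict=True))
```

The unsigned case (no exists flag, no status) leaves the field absent rather than false, which is the behaviour the thread describes; the constructed "unverified" input shows why the substring test is worth a second look, since contains('verified') treats it as verified while the equality variant falls through to false.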
copy_from: sentinel_one_cloud_funnel.event.registry.key.path | ||
ignore_empty_value: true | ||
description: Implements Windows-like SplitCommandLine |
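Review bot: the description "Implements Windows-like SplitCommandLine" does not describe a processor whose copy_from is sentinel_one_cloud_funnel.event.registry.key.path; it reads as carried over from the command-line splitting script. Replace it with a description of the registry key copy, or drop it, so the pipeline's self-documentation stays accurate.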
Should we change this description?
Yep, that is a copy/paste error.
Hey, thanks for the good work! I left one question :)
@@ -6,7 +6,16 @@ processors: | |||
value: [process] | |||
- set: | |||
field: event.type | |||
value: [info] | |||
value: [start] |
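Review bot: event.type is now hard-coded to [start] for every document passing through this pipeline, next to event.category [process]. That is the correct ECS pairing for process creation, but if the same data stream also carries process exit or other non-creation process events (this hunk does not show either way), those would be labelled as starts too; if so, derive event.type from the vendor's event kind instead of setting a constant.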
🚀
@@ -229,6 +240,10 @@ processors: | |||
field: json.src.process.image.path | |||
target_field: sentinel_one_cloud_funnel.event.src.process.image.path | |||
ignore_missing: true | |||
- set: |
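Review bot: the set following this rename is truncated here, but per the discussion it copies from sentinel_one_cloud_funnel.event.src.process.image.path, while pipeline-process.yml copies process.executable from the tgt image path. Choose one side (src or tgt) for the ECS process.* fields deliberately and record the choice in the processor's description, otherwise a detection rule matching on process.executable compares different processes depending on which pipeline produced the document.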
I am wondering if this should be set from tgt instead of src, as in pipeline-process.yml, where I think we overwrite the 'hierarchy':
- set:
field: process.executable
copy_from: sentinel_one_cloud_funnel.event.tgt.process.image.path
ignore_empty_value: true
The choice of src here was purely because of the local context; I have no expertise in the semantics of SentinelOne fields, so if we have some expertise in this, that would be helpful.
Few minor suggestions. LGTM 👍🏼
@@ -2,6 +2,9 @@ | |||
"expected": [ | |||
{ | |||
"@timestamp": "2022-10-03T15:32:29.475Z", | |||
"destination": { | |||
"address": "www.asdf.com" |
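Review bot: destination.address is populated with a hostname (www.asdf.com) but no destination.domain appears in the expected output. ECS's convention is for the address field to be mirrored into domain or ip depending on whether the value is a name or an IP address, so rules written against destination.domain would miss this event; add a conditional set (destination.ip when the value parses as an IP, otherwise destination.domain) and extend this expected output to match.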
Should we also capture into destination.domain?
Sounds good to me
No opinion, sorry!
packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/default.yml
💚 Build Succeeded
cc @efd6
LGTM
Package sentinel_one_cloud_funnel - 0.12.0 containing this change is available at https://epr.elastic.co/search?package=sentinel_one_cloud_funnel
Also lower required kibana version.

Proposed commit message
See title.

Checklist
changelog.yml file.

Author's Checklist
process.executable.caseless and process.name.caseless. These are not ECS fields, so are not added. They are multi-fields defined in some contexts.

How to test this PR locally
First

(gsed is GNU sed, so if on macOS you will need to install that; if on Linux, s/gsed/sed/ in the command above), then test with elastic-package as normal.

Related issues

Screenshots