sentinel_one_cloud_funnel: improve detection rules support #9120
Conversation
efd6
added
enhancement
efd6
force-pushed
the
9086-sentinelone_cloud_funnel
branch
2 times, most recently
from
72e0edf
to
4d9ffde
Compare
🚀 Benchmarks reportTo see the full report comment with |
efd6
force-pushed
the
9086-sentinelone_cloud_funnel
branch
4 times, most recently
from
5fe3280
to
1e0b467
Compare
|
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations) |
| field: process.code_signature.trusted | ||
| value: false | ||
| override: false | ||
| if: ctx.process?.code_signature?.exists == true |
There was a problem hiding this comment.
I am not sure if I understood this one, this will set process.code_signature.trusted to false whenever the signature exists? Or only if the ctx.sentinel_one_cloud_funnel?.event?.src?.process?.verified_status?.contains('verified') == true returns false?
There was a problem hiding this comment.
So the previous set sets the process.code_signature.trusted value to true if sentinel_one_cloud_funnel.event.src.process.verified_status contains "verified". This one sets it to false if a signature exists but process.code_signature.trusted is not already set (override: false). So if the previous set has not fired, and we have a signature then we have not verified it, so set to false.
| copy_from: sentinel_one_cloud_funnel.event.registry.key.path | ||
| ignore_empty_value: true | ||
| description: Implements Windows-like SplitCommandLine |
There was a problem hiding this comment.
Should we change this description?
There was a problem hiding this comment.
Yep, that is copy/paste error.
| @@ -6,7 +6,16 @@ processors: | |||
| value: [process] | |||
| - set: | |||
| field: event.type | |||
| value: [info] | |||
| value: [start] | |||
| @@ -229,6 +240,10 @@ processors: | |||
| field: json.src.process.image.path | |||
| target_field: sentinel_one_cloud_funnel.event.src.process.image.path | |||
| ignore_missing: true | |||
| - set: | |||
There was a problem hiding this comment.
I am wondering if this should be set from tgt instead of src in pipeline-process.yml, where I think we overwrite the 'hierarchy'
- set:
field: process.executable
copy_from: sentinel_one_cloud_funnel.event.tgt.process.image.path
ignore_empty_value: true
There was a problem hiding this comment.
The choice of src here was purely because of the local context; I have no expertise in the semantics of sentinel one fields, so if we have some expertise in this, that would be helpful.
| @@ -2,6 +2,9 @@ | |||
| "expected": [ | |||
| { | |||
| "@timestamp": "2022-10-03T15:32:29.475Z", | |||
| "destination": { | |||
| "address": "www.asdf.com" | |||
There was a problem hiding this comment.
Should we also capture into destination.domain?
packages/sentinel_one_cloud_funnel/data_stream/event/elasticsearch/ingest_pipeline/default.yml
Show resolved
Hide resolved
efd6
force-pushed
the
9086-sentinelone_cloud_funnel
branch
from
47ac63c
to
1e79d02
Compare
💚 Build Succeeded
History
cc @efd6 |
|
86.5% Coverage on New Code
0.0% Duplication on New Code
|
Package sentinel_one_cloud_funnel - 0.12.0 containing this change is available at https://epr.elastic.co/search?package=sentinel_one_cloud_funnel |
1 similar comment
|
Package sentinel_one_cloud_funnel - 0.12.0 containing this change is available at https://epr.elastic.co/search?package=sentinel_one_cloud_funnel |
Also lower required kibana version.
Proposed commit message
See title.
Checklist
changelog.ymlfile.Author's Checklist
process.executable.caselessandprocess.name.caseless. These are not ECS fields, so are not added. They are multi-fields defined in some contexts.How to test this PR locally
First
(
gsedis GNUsedso if on macos you will need to install that, if on linuxs/gsed/sed/in the command above)then test with
elastic-packageas normal.Related issues
Screenshots