
[Security Solution][Endpoint] Adds matches wildcard operator for file.path.text field for Event Filters #125202

Conversation

@ashokaditya ashokaditya (Member) commented Feb 10, 2022

Summary

Notable changes

  • added matches and not match operators for file.path.text fields.
  • changed artifact logic to include process.name entries for file.path.text when there's a simple filename at the end of the wildcard path
  • moved path validations for TA into packages/kbn-securitysolution-utils in order to use in both Trusted Apps and Event Filters input validations.
  • added relevant tests for the above changes

For creating/updating event filters, this change allows adding wildcard path values when the selected field is file.path.text via matches operator.

Screens (screenshots, not reproduced here): event filter card, event filter update form, event filter condition entry.


Artifact cards vs artifact entries

Windows

Windows event filter (screenshot not reproduced); the artifact entry it produces:

```json
{
  "entries": [
    {
      "type": "simple",
      "entries": [
        {
          "field": "file.path.text",
          "operator": "included",
          "type": "wildcard_caseless",
          "value": "c:\\fol*\\sample.exe"
        },
        {
          "field": "process.name",
          "operator": "included",
          "type": "exact_caseless",
          "value": "sample.exe"
        },
        {
          "field": "file.path.text",
          "operator": "excluded",
          "type": "wildcard_caseless",
          "value": "a:\\filters\\fi*.exe"
        },
        {
          "field": "file.path.text",
          "operator": "excluded",
          "type": "wildcard_caseless",
          "value": "d:\\exac*\\this.exe"
        },
        {
          "field": "process.name",
          "operator": "excluded",
          "type": "exact_caseless",
          "value": "this.exe"
        },
        {
          "field": "file.path.text",
          "operator": "included",
          "type": "wildcard_caseless",
          "value": "c:\\dam*\\file.*"
        }
      ]
    }
  ]
}
```

Mac

Mac event filter (screenshot not reproduced); the artifact entry it produces:

```json
{
  "entries": [
    {
      "type": "simple",
      "entries": [
        {
          "field": "file.path.text",
          "operator": "included",
          "type": "wildcard_caseless",
          "value": "/usr/l*/exact.app"
        },
        {
          "field": "process.name",
          "operator": "included",
          "type": "exact_caseless",
          "value": "exact.app"
        },
        {
          "field": "file.path.text",
          "operator": "included",
          "type": "wildcard_caseless",
          "value": "/opt/lib/fi*.dmg"
        },
        {
          "field": "file.path.text",
          "operator": "excluded",
          "type": "wildcard_caseless",
          "value": "/sy*/bin/readme.txt"
        },
        {
          "field": "process.name",
          "operator": "excluded",
          "type": "exact_caseless",
          "value": "readme.txt"
        },
        {
          "field": "file.path.text",
          "operator": "excluded",
          "type": "wildcard_caseless",
          "value": "/usr/lib/read*"
        }
      ]
    }
  ]
}
```

Linux

Linux event filter (screenshot not reproduced); the artifact entry it produces:

```json
{
  "entries": [
    {
      "type": "simple",
      "entries": [
        {
          "field": "file.path.text",
          "operator": "included",
          "type": "wildcard_cased",
          "value": "/opt/*in/sys.dmg"
        },
        {
          "field": "process.name",
          "operator": "included",
          "type": "exact_cased",
          "value": "sys.dmg"
        },
        {
          "field": "file.path.text",
          "operator": "included",
          "type": "wildcard_cased",
          "value": " /sy*/file.*"
        },
        {
          "field": "file.path.text",
          "operator": "excluded",
          "type": "wildcard_cased",
          "value": "/usr/li*/readme.md"
        },
        {
          "field": "process.name",
          "operator": "excluded",
          "type": "exact_cased",
          "value": "readme.md"
        },
        {
          "field": "file.path.text",
          "operator": "excluded",
          "type": "wildcard_cased",
          "value": "/usr/bi*/arch*.txt"
        }
      ]
    }
  ]
}
```


@ashokaditya ashokaditya self-assigned this Feb 10, 2022
@ashokaditya ashokaditya added release_note:feature Makes this part of the condensed release notes Team:Defend Workflows “EDR Workflows” sub-team of Security Solution v8.2.0 labels Feb 10, 2022
@ashokaditya ashokaditya force-pushed the task/olm-event_filters_wildacrd_paths-2525 branch 11 times, most recently from 89e3a8a to 75892f2 Compare February 11, 2022 10:58
@intxgo intxgo (Contributor) commented Feb 11, 2022

actually, is it possible to combine duplicated entries into one like this:

```
        {
          "field": "file.path.text",
          "operator": "excluded",
          "type": "wildcard_cased",
          "value": [
             "/usr/li*/readme.md",
             "/opt/*in/sys.dmg"
           ]
        },
        {
          "field": "process.name",
          "operator": "excluded",
          "type": "exact_cased",
          "value": [
             "readme.md",
             "sys.dmg"
           ]
        },
```

We support such filters, here is an example:
https://github.com/elastic/endpoint-dev/blob/ce0d146dfeacd59789a890f5065019871fc4fb23/Libraries/FilterLib/Tests/filter_data/test-wildcard-7/exceptionlist.json

Having it this way is a performance improvement as the wildcard is converted to one regex with OR match pattern.

OK, looking again at the example, those two entries have different operator (included vs excluded) so couldn't be combined, but just keep this in mind in general.

@ashokaditya ashokaditya (Member, author) commented:

> actually, is it possible to combine duplicated entries into one like this:
>
> ```
>         {
>           "field": "file.path.text",
>           "operator": "excluded",
>           "type": "wildcard_cased",
>           "value": [
>              "/usr/li*/readme.md",
>              "/opt/*in/sys.dmg"
>            ]
>         },
>         {
>           "field": "process.name",
>           "operator": "excluded",
>           "type": "exact_cased",
>           "value": [
>              "readme.md",
>              "sys.dmg"
>            ]
>         },
> ```
>
> We support such filters, here is an example: https://github.com/elastic/endpoint-dev/blob/ce0d146dfeacd59789a890f5065019871fc4fb23/Libraries/FilterLib/Tests/filter_data/test-wildcard-7/exceptionlist.json
>
> Having it this way is a performance improvement as the wildcard is converted to one regex with OR match pattern.
>
> OK, looking again at the example, those two entries have different operator (included vs excluded) so couldn't be combined, but just keep this in mind in general.

This is insightful @intxgo Thanks for pointing this out. I'll make sure I check this as I finish up the PR.

@ashokaditya ashokaditya force-pushed the task/olm-event_filters_wildacrd_paths-2525 branch 8 times, most recently from 825a266 to 4093521 Compare February 17, 2022 12:11
@ashokaditya ashokaditya (Member, author) commented Feb 17, 2022


@intxgo we talked offline and you pointed out that I was chasing down the wrong path. The grouping of values is only needed for ORed entries. Since event filters AND entries, we don't need this improvement in this PR.
Although, we probably want to improve TA artifacts for ORed entries in a new PR.

In short, entries such as

```json
{
  "entries": [
    {
      "type": "simple",
      "entries": [
        {
          "field": "file.path.text",
          "operator": "excluded",
          "type": "wildcard_caseless",
          "value": "c:\\bin*\\group.exe"
        }
      ]
    },
    {
      "type": "simple",
      "entries": [
        {
          "field": "file.path.text",
          "operator": "excluded",
          "type": "wildcard_caseless",
          "value": "d:\\doc*\\another.md"
        }
      ]
    }
  ]
}
```

can be transformed to

```json
{
  "entries": [
    {
      "type": "simple",
      "entries": [
        {
          "field": "file.path.text",
          "operator": "excluded",
          "type": "wildcard_caseless",
          "value": [
            "c:\\bin*\\group.exe",
            "d:\\doc*\\another.md"
          ]
        }
      ]
    }
  ]
}
```

but entries that look like

```json
{
  "type": "simple",
  "entries": [
    {
      "field": "file.path.text",
      "operator": "excluded",
      "type": "wildcard_caseless",
      "value": "c:\\bin*\\group.exe"
    },
    {
      "field": "file.path.text",
      "operator": "excluded",
      "type": "wildcard_caseless",
      "value": "d:\\doc*\\another.md"
    }
  ]
}
```

should not be transformed further to group values yet.
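The value grouping discussed in the comment above, as an added worked example that is not part of the thread and not Kibana's or the endpoint's own code. Top-level `simple` groups of an artifact are ORed, so single-entry groups sharing field, operator and type can be folded into one entry whose `value` is an array (which, per @intxgo, the endpoint compiles to a single regex with alternation); entries inside a group are ANDed and must be left alone. The type and function names and the sample artifact are invented for this example.

```typescript
// Added example; not Kibana's own code. Folds ORed single-entry artifact
// groups into one entry with an array value, and leaves ANDed groups intact.
// Type and function names are invented for this example.

type Operator = 'included' | 'excluded';

interface ArtifactEntry {
  field: string;
  operator: Operator;
  type: string;                       // e.g. wildcard_caseless
  value: string | string[];           // array form = OR of the values
}

interface ArtifactGroup {
  type: 'simple';
  entries: ArtifactEntry[];           // ANDed together
}

interface Artifact {
  entries: ArtifactGroup[];           // ORed together
}

// Entries may only be merged when everything except the value is identical.
function mergeKey(e: ArtifactEntry): string {
  return [e.field, e.operator, e.type].join('\u0000');
}

function groupOredValues(artifact: Artifact): Artifact {
  const merged = new Map<string, ArtifactEntry>();
  const out: ArtifactGroup[] = [];

  for (const group of artifact.entries) {
    // A group with several entries is a conjunction; folding one of its
    // entries into another group would change what the filter matches.
    if (group.entries.length !== 1) {
      out.push(group);
      continue;
    }
    const entry = group.entries[0];
    const values = Array.isArray(entry.value) ? entry.value : [entry.value];
    const key = mergeKey(entry);
    const target = merged.get(key);
    if (target === undefined) {
      const copy: ArtifactEntry = { ...entry, value: [...values] };   // never mutate the input
      merged.set(key, copy);
      out.push({ type: 'simple', entries: [copy] });
    } else {
      const list = target.value as string[];
      for (const v of values) {
        if (!list.includes(v)) list.push(v);   // a duplicate adds nothing to an OR
      }
    }
  }

  // Keep the scalar form for entries that ended up with a single value.
  for (const entry of merged.values()) {
    if (Array.isArray(entry.value) && entry.value.length === 1) {
      entry.value = entry.value[0];
    }
  }
  return { entries: out };
}

// Constructed input mirroring the comment: two ORed single-entry groups, one
// ANDed two-entry group, and a single-entry group with a different operator.
const sampleArtifact: Artifact = {
  entries: [
    { type: 'simple', entries: [{ field: 'file.path.text', operator: 'excluded', type: 'wildcard_caseless', value: 'c:\\bin*\\group.exe' }] },
    { type: 'simple', entries: [{ field: 'file.path.text', operator: 'excluded', type: 'wildcard_caseless', value: 'd:\\doc*\\another.md' }] },
    {
      type: 'simple',
      entries: [
        { field: 'file.path.text', operator: 'excluded', type: 'wildcard_caseless', value: 'c:\\bin*\\group.exe' },
        { field: 'file.path.text', operator: 'excluded', type: 'wildcard_caseless', value: 'd:\\doc*\\another.md' },
      ],
    },
    { type: 'simple', entries: [{ field: 'file.path.text', operator: 'included', type: 'wildcard_caseless', value: 'e:\\tools*\\keep.exe' }] },
  ],
};
const groupedArtifact = groupOredValues(sampleArtifact);
```

Running `groupOredValues` on `sampleArtifact` yields three groups: the two excluded single-entry groups folded into one array-valued entry, the ANDed group untouched, and the included entry left as a scalar because it has a different operator and nothing to merge with.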

@ashokaditya ashokaditya force-pushed the task/olm-event_filters_wildacrd_paths-2525 branch 4 times, most recently from 0c27e38 to fb482cb Compare February 21, 2022 09:37

@FrankHassanabad FrankHassanabad left a comment


LGTM. Appreciate all the work to make these matches work out and all the feedback you changed here. Really awesome.

@ashokaditya ashokaditya enabled auto-merge (squash) March 2, 2022 17:12
@kibana-ci (Collaborator) commented:

💚 Build Succeeded

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

| id | before | after | diff |
|---|---|---|---|
| lists | 298 | 300 | +2 |
| securitySolution | 2886 | 2888 | +2 |
| total | | | +4 |

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run `node scripts/build_api_docs --plugin [yourplugin] --stats comments` for more detailed information.

| id | before | after | diff |
|---|---|---|---|
| @kbn/securitysolution-autocomplete | 34 | 35 | +1 |
| @kbn/securitysolution-list-utils | 178 | 183 | +5 |
| @kbn/securitysolution-utils | 4 | 26 | +22 |
| lists | 161 | 162 | +1 |
| total | | | +29 |

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

| id | before | after | diff |
|---|---|---|---|
| lists | 140.8KB | 147.4KB | +6.6KB |
| securitySolution | 4.7MB | 4.7MB | +6.4KB |
| total | | | +13.0KB |

Unknown metric groups

API count

| id | before | after | diff |
|---|---|---|---|
| @kbn/securitysolution-autocomplete | 47 | 50 | +3 |
| @kbn/securitysolution-list-utils | 223 | 231 | +8 |
| @kbn/securitysolution-utils | 6 | 28 | +22 |
| lists | 197 | 198 | +1 |
| total | | | +34 |


@ashokaditya ashokaditya merged commit 9d53810 into elastic:main Mar 2, 2022
@ashokaditya ashokaditya deleted the task/olm-event_filters_wildacrd_paths-2525 branch March 2, 2022 19:18
@kibanamachine (Contributor) commented:

Friendly reminder: Looks like this PR hasn’t been backported yet.
To create backports run node scripts/backport --pr 125202 or prevent reminders by adding the backport:skip label.

@kibanamachine kibanamachine added the backport missing Added to PRs automatically when the are determined to be missing a backport. label Mar 4, 2022
@ashokaditya ashokaditya added backport:skip This commit does not require backporting and removed backport missing Added to PRs automatically when the are determined to be missing a backport. labels Mar 4, 2022
lucasfcosta pushed a commit to lucasfcosta/kibana that referenced this pull request Mar 8, 2022
…ile.path.text` field for Event Filters (elastic#125202)

* labels for wildcard path entries

fixes elastic/security-team/issues/2525

* consistent naming and add missing tests

refs elastic/pull/120679

* add autocompletion for wildcard

fixes elastic/security-team/issues/2525

* ensure event filter artifacts have correct wildcard type for process.name entry

fixes elastic/security-team/issues/2525
fixes elastic/security-team/issues/2723

* set warning for input values

fixes elastic/security-team/issues/2525

* lift path validations to packages

fixes elastic/security-team/issues/2525

* Add more tests

fixes elastic/security-team/issues/2525

* Add wildcards to event filter generator

* fix merge i18n check

* Remove not match/excluded operator for now

review changes

* add mixed entries for wildcard

review changes

* comparison typo

refs 06c868b

* fix vulnerable regex

review changes

* ignore empty space on input

review changes

* update component

review changes

* use const enum

review changes

* update type imports to use ConditionEntryField, OperatingSystem, TrustedAppEntryTypes
ashokaditya added a commit that referenced this pull request Mar 23, 2022
…wildcard) in wildcard-ed event filter `file.path.text` (#127432)

* update filename regex to include multiple hyphens and periods

Uses a much simpler pattern that covers a whole gamut of file name patterns.
fixes elastic/security-team/issues/3294

* remove duplicated code

* add tests for `process.name` entry for filenames with wildcard path

refs
/pull/120349
/pull/125202

* Add file.name optimized entry when wildcard filepath in file.path.text has a filename

fixes elastic/security-team/issues/3294

* update regex to include unicode chars

review changes

* add tests for `file.name` and `process.name` entries if it already exists

This works out of the box and we don't add endpoint related `file.name` or `process.name` entry when it already is added by the user

refs
/pull/127958#discussion_r829086447
elastic/security-team/issues/3199

* fix `file.name` and `file.path.text` entries for linux and mac/linux

refs /pull/127098

* do not add endpoint optimized entry

Add `file.name` and `process.name` entry for wildcard path values only when file.name and process.name entries do not already exist.

The earlier commit 8a516ae was mistakenly labeled as this worked out of the box. In the same commit we notice that the test data had a wildcard file path that did not add a `file.name` or `process.name` entry.

For more see:
/pull/127958#discussion_r829086447
elastic/security-team/issues/3199

* update regex to include gamut of unicode characters

review suggestions

* remove regex altogether

simplifies the logic to check if path is without wildcard characters. This way it includes all other strings as valid filenames that do not have * or ?

* update artifact creation for `file.path.text` entries

Similar to when we normalize `file.path.caseless` entries, except that the `type` is `*_cased` for linux and `*_caseless` for non-linux
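As an added worked example (not Kibana's or the endpoint's own code) covering both the artifact expansion described in the PR summary and the refinements listed in the follow-up commit (#127432) above: a wildcard `file.path.text` condition whose last path segment is a concrete filename gets companion exact `file.name` and `process.name` entries, typed `*_cased` on Linux and `*_caseless` elsewhere, unless the user already supplied that field. The filename check is a plain "no `*` or `?` in the last segment" test, as the follow-up commit describes, rather than a filename regex. The type and function names, the `match`/`wildcard` form representation, the per-field reading of the "only when it does not already exist" rule and the sample conditions are assumptions made for this example.

```typescript
// Added example; not Kibana's own code. Reconstructs the Event Filters
// artifact expansion for wildcard `file.path.text` entries. All names are
// invented for this example.

type OperatingSystem = 'windows' | 'macos' | 'linux';
type Operator = 'included' | 'excluded';
type MatchKind = 'match' | 'wildcard';
type EntryType = 'exact_cased' | 'exact_caseless' | 'wildcard_cased' | 'wildcard_caseless';

interface ConditionEntry {            // what the Event Filters form submits
  field: string;
  operator: Operator;
  match: MatchKind;                   // "is" operator -> match, "matches" -> wildcard
  value: string;
}

interface ArtifactEntry {             // what the endpoint consumes
  field: string;
  operator: Operator;
  type: EntryType;
  value: string;
}

interface Artifact {
  entries: Array<{ type: 'simple'; entries: ArtifactEntry[] }>;
}

// Linux paths are case-sensitive; Windows and macOS artifacts use *_caseless.
function entryType(os: OperatingSystem, match: MatchKind): EntryType {
  const kind = match === 'wildcard' ? 'wildcard' : 'exact';
  const caseness = os === 'linux' ? 'cased' : 'caseless';
  return `${kind}_${caseness}` as EntryType;
}

// The trailing filename of a path, or undefined when that segment is empty or
// itself contains a wildcard character. A character check instead of a
// filename regex: nothing to backtrack catastrophically on attacker-shaped input.
function simpleFilenameOf(path: string, os: OperatingSystem): string | undefined {
  const separator = os === 'windows' ? /[\\/]/ : /\//;
  const segments = path.split(separator);
  const name = segments[segments.length - 1];
  if (name === '' || name.includes('*') || name.includes('?')) return undefined;
  return name;
}

function buildArtifact(os: OperatingSystem, conditions: ConditionEntry[]): Artifact {
  const entries: ArtifactEntry[] = [];
  // Assumption: the "only when it does not already exist" rule is applied per field.
  const userFields = new Set(conditions.map((c) => c.field));

  for (const c of conditions) {
    const value = c.value.trim();     // surrounding whitespace is input noise, not part of the path
    entries.push({ field: c.field, operator: c.operator, type: entryType(os, c.match), value });

    if (c.field !== 'file.path.text' || c.match !== 'wildcard') continue;
    const name = simpleFilenameOf(value, os);
    if (name === undefined) continue;

    // Endpoint-side optimisation: an exact name comparison is cheap and lets
    // the endpoint discard most events before evaluating the wildcard pattern.
    for (const field of ['file.name', 'process.name']) {
      if (!userFields.has(field)) {
        entries.push({ field, operator: c.operator, type: entryType(os, 'match'), value: name });
      }
    }
  }
  return { entries: [{ type: 'simple', entries }] };
}

// Constructed sample mirroring the Windows event filter in the PR description.
const windowsConditions: ConditionEntry[] = [
  { field: 'file.path.text', operator: 'included', match: 'wildcard', value: 'c:\\fol*\\sample.exe' },
  { field: 'file.path.text', operator: 'excluded', match: 'wildcard', value: 'a:\\filters\\fi*.exe' },
  { field: 'file.path.text', operator: 'excluded', match: 'wildcard', value: 'd:\\exac*\\this.exe' },
  { field: 'file.path.text', operator: 'included', match: 'wildcard', value: 'c:\\dam*\\file.*' },
];
const windowsArtifact = buildArtifact('windows', windowsConditions);
```

For the Windows sample this reproduces the PR's artifact ordering, with an extra `file.name` companion next to each `process.name` one because the follow-up commit adds both; `fi*.exe` and `file.*` get no companion since their last segment still contains a wildcard. A Linux condition produces `wildcard_cased`/`exact_cased` types, and a condition list that already carries a user `process.name` entry keeps only that one.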
Labels
backport:skip This commit does not require backporting release_note:feature Makes this part of the condensed release notes Team:Defend Workflows “EDR Workflows” sub-team of Security Solution Team:Detections and Resp Security Detection Response Team v8.2.0

10 participants