Description
https://www.elastic.co/guide/en/security/7.17/trusted-apps-ov.html
These changes target the 8.17 release.
We’ve updated the field options for macOS Trusted Apps conditions to include “Signer” alongside “Path” and “Hash.” Previously, only Windows supported all three options. With these changes, Linux remains the only operating system limited to “Hash” and “Path” options.
Background & resources
- PRs: [EDR Workflows] Add Signer option to Mac trusted apps kibana#197821
- Issues/metas: https://github.com/elastic/security-team/issues/9580
- Point of contact: @szwarckonrad
- Test environments: https://p.elstc.co/paste/l5IZvTAl#1Un4u4pkjB7LUg5p2IhzyBL8nfeLfQ4OjlAgcqZ5lY1
Which documentation set does this change impact?
ESS and serverless
ESS release
N/A
Serverless release
The week of Nov 4th
Feature differences
The feature is identical in ESS and Serverless
API docs impact
https://www.elastic.co/docs/api/doc/kibana/operation/operation-createendpointlistitem
These changes address the validation of the entries field as defined in the Elastic API documentation, which, to my knowledge, currently lacks coverage in the docs. Specifically, we modified the validation behavior for os_types=["mac"] to allow entries.field = process.code_signature, aligning it with the Windows pattern that supports “Signer,” “Hash,” and “Path” entries.field values. In contrast, Linux still supports only “Hash” and “Path.” Since this doesn’t appear in the documentation, I don’t believe any doc updates are necessary.
Prerequisites, privileges, feature flags
This change does not affect the existing RBAC or Serverless Tier requirements for Trusted Apps.
This is not gated behind a feature flag.