
[Security Solution][Artifacts] Artifact creation for Endpoint Event Filtering #96499

Merged

Conversation

@paul-tavares paul-tavares (Contributor) commented Apr 7, 2021

Summary

  • Add the creation of Endpoint Event Filtering artifacts and associated Policy manifest entries (NOTE: this functionality is only executed if the eventFilteringEnabled config setting is set)
  • Adds new methods to the Lists Plugin ExceptionsListClient to create the Endpoint Event Filtering list (called currently only from the Manifest Management code)

Testing

Click here to view the different tests that were manually done

With feature flag turned off

  • Event Filter artifacts are not created and entries are not included in manifest
  • The endpoint event filters list is not created

With feature flag turned on

  • the endpoint event filters list (via Lists Plugin) is created (during the first time we query for entries):
{
  "exception-list-agnostic" : {
    "created_at" : "2021-04-07T19:25:16.566Z",
    "created_by" : "kibana",
    "description" : "Endpoint Security Event Filters List",
    "immutable" : false,
    "list_id" : "endpoint_event_filters",
    "list_type" : "list",
    "name" : "Endpoint Security Event Filters List",
    "os_types" : [ ],
    "tags" : [ ],
    "tie_breaker_id" : "f4770601-e69b-4668-82bb-e70c0bc8445e",
    "type" : "endpoint",
    "updated_by" : "kibana",
    "version" : 1
  },
  "type" : "exception-list-agnostic",
  "references" : [ ],
  "migrationVersion" : {
    "exception-list-agnostic" : "7.12.0"
  },
  "coreMigrationVersion" : "8.0.0",
  "updated_at" : "2021-04-07T19:25:16.566Z"
}
  • changes to event filters triggered new artifacts to be generated and new version of manifest to be created:
server    log   [16:17:57.314] [info][plugins][securitySolution] Committed manifest 1.0.3
server    log   [16:17:59.374] [info][plugins][securitySolution] Cleaned up artifact endpoint-eventfilterlist-macos-v1-d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
server    log   [16:17:59.391] [info][plugins][securitySolution] Cleaned up artifact endpoint-eventfilterlist-windows-v1-d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658
server    log   [16:17:59.408] [info][plugins][securitySolution] Cleaned up artifact endpoint-eventfilterlist-linux-v1-d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658

  • entries for event filters are included in the policy manifest
{
    "manifest_version" : "1.0.0",
    "schema_version" : "v1",
    "artifacts" : {
      //...
      "endpoint-eventfilterlist-macos-v1" : {
        "encryption_algorithm" : "none",
        "decoded_sha256" : "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
        "decoded_size" : 14,
        "encoded_sha256" : "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
        "encoded_size" : 22,
        "relative_url" : "/api/endpoint/artifacts/download/endpoint-eventfilterlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
        "compression_algorithm" : "zlib"
      },
      "endpoint-eventfilterlist-windows-v1" : {
        "encryption_algorithm" : "none",
        "decoded_sha256" : "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
        "decoded_size" : 14,
        "encoded_sha256" : "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
        "encoded_size" : 22,
        "relative_url" : "/api/endpoint/artifacts/download/endpoint-eventfilterlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
        "compression_algorithm" : "zlib"
      },
      "endpoint-eventfilterlist-linux-v1" : {
        "encryption_algorithm" : "none",
        "decoded_sha256" : "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
        "decoded_size" : 14,
        "encoded_sha256" : "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
        "encoded_size" : 22,
        "relative_url" : "/api/endpoint/artifacts/download/endpoint-eventfilterlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
        "compression_algorithm" : "zlib"
      }
    }
}
  • event filters artifact content
-------------------------------------------------------------------
Policy:   tic-tac-toe
Manifest: 1.0.2 | v1
Artifact: endpoint-eventfilterlist-windows-v1
          Relative URL:   /api/endpoint/artifacts/download/endpoint-eventfilterlist-windows-v1/1a8295e6ccb93022c6f5ceb8997b29f2912389b3b38f52a8f5a2ff7b0154b1bc
          Encoded SHA256: c3dec543df1177561ab2aa74a37997ea3c1d748d532a597884f5a5c16670d56c
          Decoded SHA256: 1a8295e6ccb93022c6f5ceb8997b29f2912389b3b38f52a8f5a2ff7b0154b1bc
-------------------------------------------------------------------

{
  "entries": [
    {
      "type": "simple",
      "entries": [
        {
          "entries": [
            {
              "field": "nested.field",
              "operator": "included",
              "type": "exact_cased",
              "value": "some value"
            }
          ],
          "field": "some.parentField",
          "type": "nested"
        },
        {
          "field": "some.not.nested.field",
          "operator": "included",
          "type": "exact_cased",
          "value": "some value"
        }
      ]
    }
  ]
}

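The manifest entries, the download URLs and the "Cleaned up artifact" log lines quoted above all follow one pattern: the plain list body is hashed and sized, zlib-compressed, hashed and sized again, and published under a URL keyed by the decoded hash; a change in the decoded hash is what forces new artifacts and a new manifest version. The following is an added example in TypeScript written for this page, not Kibana's ManifestManager or ExceptionsListClient code. It assumes the list body is serialized as `JSON.stringify({ entries })` with no whitespace (for an empty list that is the 14-byte `{"entries":[]}`, which matches the `decoded_size` of 14 above), that artifact ids take the form `endpoint-eventfilterlist-<os>-v1` for macos, windows and linux, and that the stored-artifact id is `<artifactId>-<decoded_sha256>`; all function names are hypothetical.

```typescript
import { createHash } from 'crypto';
import { deflateSync, inflateSync } from 'zlib';

// Shape of one artifact entry in the policy manifest (fields as shown in the PR description).
export interface ManifestArtifactEntry {
  encryption_algorithm: 'none';
  decoded_sha256: string;
  decoded_size: number;
  encoded_sha256: string;
  encoded_size: number;
  relative_url: string;
  compression_algorithm: 'zlib';
}

export type PolicyManifestArtifacts = Record<string, ManifestArtifactEntry>;

// ASSUMPTION: one artifact per OS, as in the manifest quoted above.
const OS_TYPES = ['macos', 'windows', 'linux'] as const;

function sha256Hex(data: Buffer): string {
  return createHash('sha256').update(data).digest('hex');
}

// Build the manifest entry for one artifact from its decoded (plain JSON) body:
// hash and size of the plain body, zlib-compress it, hash and size of the compressed
// body, and a download URL keyed by the decoded hash (hypothetical helper).
export function buildArtifactEntry(artifactId: string, decoded: Buffer): ManifestArtifactEntry {
  const encoded = deflateSync(decoded);
  const decodedSha256 = sha256Hex(decoded);
  return {
    encryption_algorithm: 'none',
    decoded_sha256: decodedSha256,
    decoded_size: decoded.length,
    encoded_sha256: sha256Hex(encoded),
    encoded_size: encoded.length,
    relative_url: `/api/endpoint/artifacts/download/${artifactId}/${decodedSha256}`,
    compression_algorithm: 'zlib',
  };
}

// ASSUMPTION: the list body is JSON.stringify({ entries }) with no whitespace.
// For an empty list that is `{"entries":[]}`, 14 bytes, matching decoded_size 14 above.
export function serializeEventFilterList(entries: unknown[]): Buffer {
  return Buffer.from(JSON.stringify({ entries }), 'utf8');
}

// Produce the three endpoint-eventfilterlist-<os>-v1 entries for one list body.
export function buildEventFilterArtifacts(entries: unknown[]): PolicyManifestArtifacts {
  const body = serializeEventFilterList(entries);
  const artifacts: PolicyManifestArtifacts = {};
  for (const os of OS_TYPES) {
    const artifactId = `endpoint-eventfilterlist-${os}-v1`;
    artifacts[artifactId] = buildArtifactEntry(artifactId, body);
  }
  return artifacts;
}

// Consumer-side check on a downloaded artifact: the compressed bytes must match
// encoded_size/encoded_sha256 and, after inflating, the plain bytes must match
// decoded_size/decoded_sha256. Truncation, tampering or a bad zlib stream is rejected.
export function verifyDownloadedArtifact(entry: ManifestArtifactEntry, downloaded: Buffer): boolean {
  if (downloaded.length !== entry.encoded_size) return false;
  if (sha256Hex(downloaded) !== entry.encoded_sha256) return false;
  let decoded: Buffer;
  try {
    decoded = inflateSync(downloaded);
  } catch {
    return false;
  }
  return decoded.length === entry.decoded_size && sha256Hex(decoded) === entry.decoded_sha256;
}

// ASSUMPTION: stored-artifact id as in the "Cleaned up artifact ..." log lines: <artifactId>-<decoded_sha256>.
export function artifactDocId(artifactId: string, entry: ManifestArtifactEntry): string {
  return `${artifactId}-${entry.decoded_sha256}`;
}

// Artifact ids whose decoded hash differs between two manifests. A non-empty result is
// what requires a new manifest version and lets the superseded artifacts be cleaned up.
export function changedArtifacts(prev: PolicyManifestArtifacts, next: PolicyManifestArtifacts): string[] {
  const ids = Object.keys(prev)
    .concat(Object.keys(next))
    .filter((id, i, all) => all.indexOf(id) === i);
  return ids.filter((id) => prev[id]?.decoded_sha256 !== next[id]?.decoded_sha256).sort();
}
```

`verifyDownloadedArtifact` checks the encoded hash before inflating so that a corrupt or oversized download is rejected without being decompressed, and the decoded hash afterwards so that a valid zlib stream carrying different content is still refused.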
@paul-tavares paul-tavares added v8.0.0 release_note:skip Skip the PR/issue when compiling release notes Team:Defend Workflows “EDR Workflows” sub-team of Security Solution v7.13.0 labels Apr 7, 2021
@paul-tavares paul-tavares self-assigned this Apr 7, 2021
@paul-tavares paul-tavares marked this pull request as ready for review April 7, 2021 21:06
@paul-tavares paul-tavares requested review from a team as code owners April 7, 2021 21:06
@elasticmachine (Contributor)

Pinging @elastic/security-onboarding-and-lifecycle-mgt (Team:Onboarding and Lifecycle Mgt)

@parkiino parkiino (Contributor) left a comment

👀 lgtm

@pzl pzl (Member) left a comment

👌

@paul-tavares (Contributor, Author)

@elasticmachine merge upstream

@paul-tavares paul-tavares added the auto-backport Deprecated - use backport:version if exact versions are needed label Apr 12, 2021
@kibanamachine (Contributor)

💚 Build Succeeded

Metrics [docs]

✅ unchanged

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @paul-tavares

@madirey madirey (Contributor) left a comment

Looks great!!!

@paul-tavares (Contributor, Author)

Thanks @madirey

FYI: I might open up an issue to do some refactoring to manifest manager so that we don't have so much code duplication whenever we want to add a new artifact that is based upon the Exceptions lists. We should be able to just define the new type (ex. array of artifacts) and then have it use the same logic to loop through them.

@paul-tavares paul-tavares merged commit b33022f into elastic:master Apr 12, 2021
@paul-tavares paul-tavares deleted the task/olm-953-event-filter-artifacts branch April 12, 2021 15:58
kibanamachine pushed a commit to kibanamachine/kibana that referenced this pull request Apr 12, 2021
…iltering (elastic#96499)

* generate endpoint event filters artifacts
* Add ExperimentalFeature object to the initialization params of ManifestManager
* create event filters artifacts if feature flag is on
* change artifact migration to be less chatty in the logs (also: don't reference Fleet)
@kibanamachine (Contributor)

💚 Backport successful

Status Branch Result
7.x

This backport PR will be merged automatically after passing CI.

kibanamachine added a commit that referenced this pull request Apr 12, 2021
…iltering (#96499) (#96811)

* generate endpoint event filters artifacts
* Add ExperimentalFeature object to the initialization params of ManifestManager
* create event filters artifacts if feature flag is on
* change artifact migration to be less chatty in the logs (also: don't reference Fleet)

Co-authored-by: Paul Tavares <56442535+paul-tavares@users.noreply.github.com>