[Security Solution][Exceptions] - Fixes bug for prepopulated endpoint exceptions (#94025)

### Summary

Addresses #93559

In a previous PR that added `id` to exception entries, the case where exceptions are prepopulated for endpoint alerts was missed.
This commit is contained in:
Yara Tercero 2021-03-09 17:43:26 -08:00 committed by GitHub
parent 89b23c06da
commit 37c9c5cc24
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 120 additions and 28 deletions


@ -723,15 +723,16 @@ describe('Exception helpers', () => {
expect(prepopulatedItem.entries).toEqual([
{
entries: [
{ field: 'subject_name', operator: 'included', type: 'match', value: '' },
{ field: 'trusted', operator: 'included', type: 'match', value: '' },
{ id: '123', field: 'subject_name', operator: 'included', type: 'match', value: '' },
{ id: '123', field: 'trusted', operator: 'included', type: 'match', value: '' },
],
field: 'file.Ext.code_signature',
type: 'nested',
id: '123',
},
{ field: 'file.path.caseless', operator: 'included', type: 'match', value: '' },
{ field: 'file.hash.sha256', operator: 'included', type: 'match', value: '' },
{ field: 'event.code', operator: 'included', type: 'match', value: '' },
{ id: '123', field: 'file.path.caseless', operator: 'included', type: 'match', value: '' },
{ id: '123', field: 'file.hash.sha256', operator: 'included', type: 'match', value: '' },
{ id: '123', field: 'event.code', operator: 'included', type: 'match', value: '' },
]);
});
@ -748,24 +749,39 @@ describe('Exception helpers', () => {
{
entries: [
{
id: '123',
field: 'subject_name',
operator: 'included',
type: 'match',
value: 'someSubjectName',
},
{ field: 'trusted', operator: 'included', type: 'match', value: 'false' },
{ id: '123', field: 'trusted', operator: 'included', type: 'match', value: 'false' },
],
field: 'file.Ext.code_signature',
type: 'nested',
id: '123',
},
{
id: '123',
field: 'file.path.caseless',
operator: 'included',
type: 'match',
value: 'some-file-path',
},
{ field: 'file.hash.sha256', operator: 'included', type: 'match', value: 'some-hash' },
{ field: 'event.code', operator: 'included', type: 'match', value: 'some-event-code' },
{
id: '123',
field: 'file.hash.sha256',
operator: 'included',
type: 'match',
value: 'some-hash',
},
{
id: '123',
field: 'event.code',
operator: 'included',
type: 'match',
value: 'some-event-code',
},
]);
});
});
@ -943,47 +959,77 @@ describe('Exception helpers', () => {
{
entries: [
{
id: '123',
field: 'subject_name',
operator: 'included',
type: 'match',
value: 'some_subject',
},
{ field: 'trusted', operator: 'included', type: 'match', value: 'false' },
{ id: '123', field: 'trusted', operator: 'included', type: 'match', value: 'false' },
],
field: 'file.Ext.code_signature',
type: 'nested',
id: '123',
},
{
id: '123',
field: 'file.path.caseless',
operator: 'included',
type: 'match',
value: 'some file path',
},
{ field: 'file.hash.sha256', operator: 'included', type: 'match', value: 'some hash' },
{ field: 'event.code', operator: 'included', type: 'match', value: 'some event code' },
{
id: '123',
field: 'file.hash.sha256',
operator: 'included',
type: 'match',
value: 'some hash',
},
{
id: '123',
field: 'event.code',
operator: 'included',
type: 'match',
value: 'some event code',
},
]);
expect(defaultItems[1].entries).toEqual([
{
entries: [
{
id: '123',
field: 'subject_name',
operator: 'included',
type: 'match',
value: 'some_subject_2',
},
{ field: 'trusted', operator: 'included', type: 'match', value: 'true' },
{ id: '123', field: 'trusted', operator: 'included', type: 'match', value: 'true' },
],
field: 'file.Ext.code_signature',
type: 'nested',
id: '123',
},
{
id: '123',
field: 'file.path.caseless',
operator: 'included',
type: 'match',
value: 'some file path',
},
{ field: 'file.hash.sha256', operator: 'included', type: 'match', value: 'some hash' },
{ field: 'event.code', operator: 'included', type: 'match', value: 'some event code' },
{
id: '123',
field: 'file.hash.sha256',
operator: 'included',
type: 'match',
value: 'some hash',
},
{
id: '123',
field: 'event.code',
operator: 'included',
type: 'match',
value: 'some event code',
},
]);
});
@ -1014,59 +1060,91 @@ describe('Exception helpers', () => {
{
entries: [
{
id: '123',
field: 'subject_name',
operator: 'included',
type: 'match',
value: 'some_subject',
},
{ field: 'trusted', operator: 'included', type: 'match', value: 'false' },
{ id: '123', field: 'trusted', operator: 'included', type: 'match', value: 'false' },
],
field: 'process.Ext.code_signature',
type: 'nested',
id: '123',
},
{
id: '123',
field: 'process.executable',
operator: 'included',
type: 'match',
value: 'some file path',
},
{ field: 'process.hash.sha256', operator: 'included', type: 'match', value: 'some hash' },
{
id: '123',
field: 'process.hash.sha256',
operator: 'included',
type: 'match',
value: 'some hash',
},
{
id: '123',
field: 'Ransomware.feature',
operator: 'included',
type: 'match',
value: 'some ransomware feature',
},
{ field: 'event.code', operator: 'included', type: 'match', value: 'ransomware' },
{
id: '123',
field: 'event.code',
operator: 'included',
type: 'match',
value: 'ransomware',
},
]);
expect(defaultItems[1].entries).toEqual([
{
entries: [
{
id: '123',
field: 'subject_name',
operator: 'included',
type: 'match',
value: 'some_subject_2',
},
{ field: 'trusted', operator: 'included', type: 'match', value: 'true' },
{ id: '123', field: 'trusted', operator: 'included', type: 'match', value: 'true' },
],
field: 'process.Ext.code_signature',
type: 'nested',
id: '123',
},
{
id: '123',
field: 'process.executable',
operator: 'included',
type: 'match',
value: 'some file path',
},
{ field: 'process.hash.sha256', operator: 'included', type: 'match', value: 'some hash' },
{
id: '123',
field: 'process.hash.sha256',
operator: 'included',
type: 'match',
value: 'some hash',
},
{
id: '123',
field: 'Ransomware.feature',
operator: 'included',
type: 'match',
value: 'some ransomware feature',
},
{ field: 'event.code', operator: 'included', type: 'match', value: 'ransomware' },
{
id: '123',
field: 'event.code',
operator: 'included',
type: 'match',
value: 'ransomware',
},
]);
});
});
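Review bot: Every entry in the expected output, nested children included, carries the same `id: '123'`, which is presumably a mocked id generator returning a constant; with that fixture the assertions in all four hunks cannot tell a single shared id from a distinct id per entry, so a regression that reuses one id for the whole array would still pass. A mock that returns an incrementing value, or one extra assertion such as `expect(new Set(entries.map((e) => e.id)).size).toBe(entries.length)` on the flattened entries, would pin the per-entry behaviour the commit is fixing. The `describe('Exception helpers')` block enclosing these hunks starts and ends outside the section.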


@ -38,6 +38,7 @@ import {
UpdateExceptionListItemSchema,
EntryNested,
OsTypeArray,
EntriesArray,
} from '../../../shared_imports';
import { IIndexPattern } from '../../../../../../../src/plugins/data/common';
import { validate } from '../../../../common/validate';
@ -46,6 +47,19 @@ import { CodeSignature } from '../../../../common/ecs/file';
import { WithCopyToClipboard } from '../../lib/clipboard/with_copy_to_clipboard';
import { addIdToItem, removeIdFromItem } from '../../../../common';
export const addIdToEntries = (entries: EntriesArray): EntriesArray => {
return entries.map((singleEntry) => {
if (singleEntry.type === 'nested') {
return addIdToItem({
...singleEntry,
entries: singleEntry.entries.map((nestedEntry) => addIdToItem(nestedEntry)),
});
} else {
return addIdToItem(singleEntry);
}
});
};
/**
* Returns the operator type, may not need this if using io-ts types
*
@ -150,14 +164,14 @@ export const getNewExceptionItem = ({
return {
comments: [],
description: `${ruleName} - exception list item`,
entries: [
addIdToItem({
entries: addIdToEntries([
{
field: '',
operator: 'included',
type: 'match',
value: '',
}),
],
},
]),
item_id: undefined,
list_id: listId,
meta: {
@ -464,7 +478,7 @@ export const getPrepopulatedEndpointException = ({
const sha256Hash = file?.hash?.sha256 ?? '';
return {
...getNewExceptionItem({ listId, namespaceType: listNamespace, ruleName }),
entries: [
entries: addIdToEntries([
{
field: 'file.Ext.code_signature',
type: 'nested',
@ -501,7 +515,7 @@ export const getPrepopulatedEndpointException = ({
type: 'match',
value: eventCode ?? '',
},
],
]),
};
};
@ -529,7 +543,7 @@ export const getPrepopulatedRansomwareException = ({
const ransomwareFeature = Ransomware?.feature ?? '';
return {
...getNewExceptionItem({ listId, namespaceType: listNamespace, ruleName }),
entries: [
entries: addIdToEntries([
{
field: 'process.Ext.code_signature',
type: 'nested',
@ -572,7 +586,7 @@ export const getPrepopulatedRansomwareException = ({
type: 'match',
value: eventCode ?? '',
},
],
]),
};
};
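Review bot: `addIdToEntries` now attaches an `id` to nested child entries as well as top-level ones, but nothing in this commit touches the reverse path; whether `removeIdFromItem` (imported on the line above the new helper) also recurses into `entries` of a nested entry is not visible here, and if it does not, the child ids would survive into the item sent to the API. The new exported helper also has no doc comment while the neighbouring helpers use `/** ... */` blocks; a one-liner such as `/** Adds an id to every entry; for a nested entry, each child entry is given an id as well. */` above `export const addIdToEntries` would match the file's style. Minor: `getPrepopulatedEndpointException` and `getPrepopulatedRansomwareException` spread `getNewExceptionItem(...)` and then override `entries`, so the `addIdToEntries` call inside `getNewExceptionItem` is wasted work on those paths.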