[Security Solution] Correct memory exception field names (#110705)

Kevin Logan 2021-08-31 22:07:00 -04:00 committed by GitHub
parent 3e15695d06
commit 53c011830d
7 changed files with 18 additions and 131 deletions


@ -53,7 +53,7 @@ export enum EventCode {
// Memory Protection alert
MEMORY_SIGNATURE = 'memory_signature',
// Memory Protection alert
MALICIOUS_THREAD = 'malicious_thread',
SHELLCODE_THREAD = 'shellcode_thread',
// behavior
BEHAVIOR = 'behavior',
}


@ -678,7 +678,7 @@ export class EndpointDocGenerator extends BaseDataGenerator {
action: 'start',
kind: 'alert',
category: 'malware',
code: isShellcode ? 'malicious_thread' : 'memory_signature',
code: isShellcode ? 'shellcode_thread' : 'memory_signature',
id: this.seededUUIDv4(),
dataset: 'endpoint',
module: 'endpoint',
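Review bot: `code: isShellcode ? 'shellcode_thread' : 'memory_signature'` on the changed line repeats the event-code strings as bare literals instead of referencing `EventCode.SHELLCODE_THREAD` / `EventCode.MEMORY_SIGNATURE` from the enum this same commit renames, which is exactly how the stale `malicious_thread` value survived in the generator until now. If `EventCode` is importable here without introducing a dependency cycle, switch both literals to the enum members so the next rename becomes a compile error rather than a grep. The enclosing generator method starts and ends outside the hunk.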


@ -86,8 +86,8 @@ describe('AlertSummaryView', () => {
return {
category: 'event',
field: 'event.code',
values: ['malicious_thread'],
originalValue: ['malicious_thread'],
values: ['shellcode_thread'],
originalValue: ['shellcode_thread'],
};
}
return item;


@ -157,7 +157,7 @@ function getEventFieldsToDisplay({
}): EventSummaryField[] {
switch (eventCode) {
// memory protection fields
case EventCode.MALICIOUS_THREAD:
case EventCode.SHELLCODE_THREAD:
return memoryShellCodeAlertFields;
case EventCode.MEMORY_SIGNATURE:
return memorySignatureAlertFields;


@ -19,13 +19,13 @@
"Target.process.pe.original_file_name",
"Target.process.pe.product",
"Target.process.pgid",
"Target.process.thread.Ext.start_address_details.allocation_type",
"Target.process.Ext.memory_region.allocation_type",
"Target.process.thread.Ext.start_address_bytes_disasm_hash",
"Target.process.thread.Ext.start_address_allocation_offset",
"Target.process.thread.Ext.start_address_details.allocation_size",
"Target.process.thread.Ext.start_address_details.region_size",
"Target.process.thread.Ext.start_address_details.region_protection",
"Target.process.thread.Ext.start_address_details.memory_pe.imphash",
"Target.process.Ext.memory_region.allocation_size",
"Target.process.Ext.memory_region.region_size",
"Target.process.Ext.memory_region.region_protection",
"Target.process.Ext.memory_region.memory_pe.imphash",
"Target.process.thread.Ext.start_address_bytes",
"agent.id",
"agent.type",
@ -82,6 +82,8 @@
"process.Ext.services",
"process.Ext.user",
"process.Ext.code_signature",
"process.Ext.token.integrity_level_name",
"process.Ext.memory_region.malware_signature.all_names",
"process.executable",
"process.hash.md5",
"process.hash.sha1",


@ -1031,7 +1031,7 @@ describe('Exception helpers', () => {
]);
});
test('it should return pre-populated memory shellcode items for event code `malicious_thread`', () => {
test('it should return pre-populated memory shellcode items for event code `shellcode_thread`', () => {
const defaultItems = defaultEndpointExceptionItems('list_id', 'my_rule', {
_id: '123',
process: {
@ -1049,7 +1049,7 @@ describe('Exception helpers', () => {
self_injection: true,
},
event: {
code: 'malicious_thread',
code: 'shellcode_thread',
},
Target: {
process: {
@ -1108,52 +1108,10 @@ describe('Exception helpers', () => {
value: 'high',
id: '123',
},
{
field: 'Target.process.thread.Ext.start_address_details',
type: 'nested',
entries: [
{
field: 'allocation_type',
operator: 'included',
type: 'match',
value: 'PRIVATE',
id: '123',
},
{
field: 'allocation_size',
operator: 'included',
type: 'match',
value: '4000',
id: '123',
},
{
field: 'region_size',
operator: 'included',
type: 'match',
value: '4000',
id: '123',
},
{
field: 'region_protection',
operator: 'included',
type: 'match',
value: 'RWX',
id: '123',
},
{
field: 'memory_pe.imphash',
operator: 'included',
type: 'match',
value: 'a hash',
id: '123',
},
],
id: '123',
},
]);
});
test('it should return pre-populated memory shellcode items for event code `malicious_thread` and skip empty', () => {
test('it should return pre-populated memory shellcode items for event code `shellcode_thread` and skip empty', () => {
const defaultItems = defaultEndpointExceptionItems('list_id', 'my_rule', {
_id: '123',
process: {
@ -1171,7 +1129,7 @@ describe('Exception helpers', () => {
self_injection: true,
},
event: {
code: 'malicious_thread',
code: 'shellcode_thread',
},
Target: {
process: {
@ -1217,41 +1175,6 @@ describe('Exception helpers', () => {
value: 'high',
id: '123',
},
{
field: 'Target.process.thread.Ext.start_address_details',
type: 'nested',
entries: [
{
field: 'allocation_size',
operator: 'included',
type: 'match',
value: '4000',
id: '123',
},
{
field: 'region_size',
operator: 'included',
type: 'match',
value: '4000',
id: '123',
},
{
field: 'region_protection',
operator: 'included',
type: 'match',
value: 'RWX',
id: '123',
},
{
field: 'memory_pe.imphash',
operator: 'included',
type: 'match',
value: 'a hash',
id: '123',
},
],
id: '123',
},
]);
});
});
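Review bot: With the expected `Target.process.thread.Ext.start_address_details` group deleted, the two `shellcode_thread` tests no longer assert anything about memory-region fields, even though the fixture still hands the helper a `Target` block (its contents sit outside the hunk). If leaving those fields out of the prepopulated exception is intentional, pin the omission explicitly so it is not incidental, e.g. something like `expect(defaultItems[0].entries.map((e) => e.field)).not.toContain('Target.process.Ext.memory_region');` (adjust to the actual item shape); if it is not intentional, the expected arrays should instead gain a `Target.process.Ext.memory_region` nested entry mirroring the renamed fields in this commit's event-filter list. Either way the "and skip empty" case should keep exercising a nested group, since that was the only coverage of nested-entry filtering. The `describe('Exception helpers')` block starts before the hunk.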


@ -577,7 +577,7 @@ export const getPrepopulatedMemoryShellcodeException = ({
eventCode: string;
alertEcsData: Flattened<Ecs>;
}): ExceptionsBuilderExceptionItem => {
const { process, Target } = alertEcsData;
const { process } = alertEcsData;
const entries = filterEmptyExceptionEntries([
{
field: 'Memory_protection.feature',
@ -609,44 +609,6 @@ export const getPrepopulatedMemoryShellcodeException = ({
type: 'match' as const,
value: process?.Ext?.token?.integrity_level_name ?? '',
},
{
field: 'Target.process.thread.Ext.start_address_details',
type: 'nested' as const,
entries: [
{
field: 'allocation_type',
operator: 'included' as const,
type: 'match' as const,
value: Target?.process?.thread?.Ext?.start_address_details?.allocation_type ?? '',
},
{
field: 'allocation_size',
operator: 'included' as const,
type: 'match' as const,
value: String(Target?.process?.thread?.Ext?.start_address_details?.allocation_size) ?? '',
},
{
field: 'region_size',
operator: 'included' as const,
type: 'match' as const,
value: String(Target?.process?.thread?.Ext?.start_address_details?.region_size) ?? '',
},
{
field: 'region_protection',
operator: 'included' as const,
type: 'match' as const,
value:
String(Target?.process?.thread?.Ext?.start_address_details?.region_protection) ?? '',
},
{
field: 'memory_pe.imphash',
operator: 'included' as const,
type: 'match' as const,
value:
String(Target?.process?.thread?.Ext?.start_address_details?.memory_pe?.imphash) ?? '',
},
],
},
]);
return {
@ -845,7 +807,7 @@ export const defaultEndpointExceptionItems = (
alertEcsData,
}),
];
case 'malicious_thread':
case 'shellcode_thread':
return [
getPrepopulatedMemoryShellcodeException({
listId,
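Review bot: Dropping the `Target.process.thread.Ext.start_address_details` nested group from `getPrepopulatedMemoryShellcodeException` widens the auto-generated exception rather than correcting its field names — the surviving entries (`Memory_protection.feature`, the `process.*` fields, `integrity_level_name`) no longer pin allocation type/size, region protection or the PE imphash, so an exception created from one `shellcode_thread` alert will suppress a broader set of future alerts than it did before. The event-filter list in this same commit renames those fields to `Target.process.Ext.memory_region.*`, so if that path exists on the alert document at exception time the nested entry should be re-added under that field (rewritten below; the `Flattened<Ecs>` type may need the new path), converting numbers with a null-guard rather than `String(x) ?? ''`, which yields the literal string `'undefined'` and is never dropped by `filterEmptyExceptionEntries`. If the removal is deliberate because those fields are unavailable on the alert, a one-line comment above the `filterEmptyExceptionEntries` call saying so would stop the next reader from re-adding them. Separately, `case 'shellcode_thread':` in `defaultEndpointExceptionItems` is a raw literal where `getEventFieldsToDisplay` uses `EventCode.SHELLCODE_THREAD`; using the enum here too would make the next rename a compile error. The start of `defaultEndpointExceptionItems` is outside the hunk.
```typescript
  const { process, Target } = alertEcsData;
  const region = Target?.process?.Ext?.memory_region;
  // Stringify only when present so filterEmptyExceptionEntries can drop absent values.
  const str = (v: unknown): string => (v == null ? '' : String(v));
  const entries = filterEmptyExceptionEntries([
    // … unchanged: Memory_protection.feature … process.Ext.token.integrity_level_name entries …
    {
      field: 'Target.process.Ext.memory_region',
      type: 'nested' as const,
      entries: [
        { field: 'allocation_type', operator: 'included' as const, type: 'match' as const, value: region?.allocation_type ?? '' },
        { field: 'allocation_size', operator: 'included' as const, type: 'match' as const, value: str(region?.allocation_size) },
        { field: 'region_size', operator: 'included' as const, type: 'match' as const, value: str(region?.region_size) },
        { field: 'region_protection', operator: 'included' as const, type: 'match' as const, value: str(region?.region_protection) },
        { field: 'memory_pe.imphash', operator: 'included' as const, type: 'match' as const, value: str(region?.memory_pe?.imphash) },
      ],
    },
  ]);
```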