[Security Solution] Correct memory exception field names (#110705)
This commit is contained in:
parent
3e15695d06
commit
53c011830d
|
@ -53,7 +53,7 @@ export enum EventCode {
|
|||
// Memory Protection alert
|
||||
MEMORY_SIGNATURE = 'memory_signature',
|
||||
// Memory Protection alert
|
||||
MALICIOUS_THREAD = 'malicious_thread',
|
||||
SHELLCODE_THREAD = 'shellcode_thread',
|
||||
// behavior
|
||||
BEHAVIOR = 'behavior',
|
||||
}
|
||||
|
|
|
@ -678,7 +678,7 @@ export class EndpointDocGenerator extends BaseDataGenerator {
|
|||
action: 'start',
|
||||
kind: 'alert',
|
||||
category: 'malware',
|
||||
code: isShellcode ? 'malicious_thread' : 'memory_signature',
|
||||
code: isShellcode ? 'shellcode_thread' : 'memory_signature',
|
||||
id: this.seededUUIDv4(),
|
||||
dataset: 'endpoint',
|
||||
module: 'endpoint',
|
||||
|
|
|
@ -86,8 +86,8 @@ describe('AlertSummaryView', () => {
|
|||
return {
|
||||
category: 'event',
|
||||
field: 'event.code',
|
||||
values: ['malicious_thread'],
|
||||
originalValue: ['malicious_thread'],
|
||||
values: ['shellcode_thread'],
|
||||
originalValue: ['shellcode_thread'],
|
||||
};
|
||||
}
|
||||
return item;
|
||||
|
|
|
@ -157,7 +157,7 @@ function getEventFieldsToDisplay({
|
|||
}): EventSummaryField[] {
|
||||
switch (eventCode) {
|
||||
// memory protection fields
|
||||
case EventCode.MALICIOUS_THREAD:
|
||||
case EventCode.SHELLCODE_THREAD:
|
||||
return memoryShellCodeAlertFields;
|
||||
case EventCode.MEMORY_SIGNATURE:
|
||||
return memorySignatureAlertFields;
|
||||
|
|
|
@ -19,13 +19,13 @@
|
|||
"Target.process.pe.original_file_name",
|
||||
"Target.process.pe.product",
|
||||
"Target.process.pgid",
|
||||
"Target.process.thread.Ext.start_address_details.allocation_type",
|
||||
"Target.process.Ext.memory_region.allocation_type",
|
||||
"Target.process.thread.Ext.start_address_bytes_disasm_hash",
|
||||
"Target.process.thread.Ext.start_address_allocation_offset",
|
||||
"Target.process.thread.Ext.start_address_details.allocation_size",
|
||||
"Target.process.thread.Ext.start_address_details.region_size",
|
||||
"Target.process.thread.Ext.start_address_details.region_protection",
|
||||
"Target.process.thread.Ext.start_address_details.memory_pe.imphash",
|
||||
"Target.process.Ext.memory_region.allocation_size",
|
||||
"Target.process.Ext.memory_region.region_size",
|
||||
"Target.process.Ext.memory_region.region_protection",
|
||||
"Target.process.Ext.memory_region.memory_pe.imphash",
|
||||
"Target.process.thread.Ext.start_address_bytes",
|
||||
"agent.id",
|
||||
"agent.type",
|
||||
|
@ -82,6 +82,8 @@
|
|||
"process.Ext.services",
|
||||
"process.Ext.user",
|
||||
"process.Ext.code_signature",
|
||||
"process.Ext.token.integrity_level_name",
|
||||
"process.Ext.memory_region.malware_signature.all_names",
|
||||
"process.executable",
|
||||
"process.hash.md5",
|
||||
"process.hash.sha1",
|
||||
|
|
|
@ -1031,7 +1031,7 @@ describe('Exception helpers', () => {
|
|||
]);
|
||||
});
|
||||
|
||||
test('it should return pre-populated memory shellcode items for event code `malicious_thread`', () => {
|
||||
test('it should return pre-populated memory shellcode items for event code `shellcode_thread`', () => {
|
||||
const defaultItems = defaultEndpointExceptionItems('list_id', 'my_rule', {
|
||||
_id: '123',
|
||||
process: {
|
||||
|
@ -1049,7 +1049,7 @@ describe('Exception helpers', () => {
|
|||
self_injection: true,
|
||||
},
|
||||
event: {
|
||||
code: 'malicious_thread',
|
||||
code: 'shellcode_thread',
|
||||
},
|
||||
Target: {
|
||||
process: {
|
||||
|
@ -1108,52 +1108,10 @@ describe('Exception helpers', () => {
|
|||
value: 'high',
|
||||
id: '123',
|
||||
},
|
||||
{
|
||||
field: 'Target.process.thread.Ext.start_address_details',
|
||||
type: 'nested',
|
||||
entries: [
|
||||
{
|
||||
field: 'allocation_type',
|
||||
operator: 'included',
|
||||
type: 'match',
|
||||
value: 'PRIVATE',
|
||||
id: '123',
|
||||
},
|
||||
{
|
||||
field: 'allocation_size',
|
||||
operator: 'included',
|
||||
type: 'match',
|
||||
value: '4000',
|
||||
id: '123',
|
||||
},
|
||||
{
|
||||
field: 'region_size',
|
||||
operator: 'included',
|
||||
type: 'match',
|
||||
value: '4000',
|
||||
id: '123',
|
||||
},
|
||||
{
|
||||
field: 'region_protection',
|
||||
operator: 'included',
|
||||
type: 'match',
|
||||
value: 'RWX',
|
||||
id: '123',
|
||||
},
|
||||
{
|
||||
field: 'memory_pe.imphash',
|
||||
operator: 'included',
|
||||
type: 'match',
|
||||
value: 'a hash',
|
||||
id: '123',
|
||||
},
|
||||
],
|
||||
id: '123',
|
||||
},
|
||||
]);
|
||||
});
|
||||
|
||||
test('it should return pre-populated memory shellcode items for event code `malicious_thread` and skip empty', () => {
|
||||
test('it should return pre-populated memory shellcode items for event code `shellcode_thread` and skip empty', () => {
|
||||
const defaultItems = defaultEndpointExceptionItems('list_id', 'my_rule', {
|
||||
_id: '123',
|
||||
process: {
|
||||
|
@ -1171,7 +1129,7 @@ describe('Exception helpers', () => {
|
|||
self_injection: true,
|
||||
},
|
||||
event: {
|
||||
code: 'malicious_thread',
|
||||
code: 'shellcode_thread',
|
||||
},
|
||||
Target: {
|
||||
process: {
|
||||
|
@ -1217,41 +1175,6 @@ describe('Exception helpers', () => {
|
|||
value: 'high',
|
||||
id: '123',
|
||||
},
|
||||
{
|
||||
field: 'Target.process.thread.Ext.start_address_details',
|
||||
type: 'nested',
|
||||
entries: [
|
||||
{
|
||||
field: 'allocation_size',
|
||||
operator: 'included',
|
||||
type: 'match',
|
||||
value: '4000',
|
||||
id: '123',
|
||||
},
|
||||
{
|
||||
field: 'region_size',
|
||||
operator: 'included',
|
||||
type: 'match',
|
||||
value: '4000',
|
||||
id: '123',
|
||||
},
|
||||
{
|
||||
field: 'region_protection',
|
||||
operator: 'included',
|
||||
type: 'match',
|
||||
value: 'RWX',
|
||||
id: '123',
|
||||
},
|
||||
{
|
||||
field: 'memory_pe.imphash',
|
||||
operator: 'included',
|
||||
type: 'match',
|
||||
value: 'a hash',
|
||||
id: '123',
|
||||
},
|
||||
],
|
||||
id: '123',
|
||||
},
|
||||
]);
|
||||
});
|
||||
});
|
||||
|
|
|
@ -577,7 +577,7 @@ export const getPrepopulatedMemoryShellcodeException = ({
|
|||
eventCode: string;
|
||||
alertEcsData: Flattened<Ecs>;
|
||||
}): ExceptionsBuilderExceptionItem => {
|
||||
const { process, Target } = alertEcsData;
|
||||
const { process } = alertEcsData;
|
||||
const entries = filterEmptyExceptionEntries([
|
||||
{
|
||||
field: 'Memory_protection.feature',
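Review bot: The memory-region fields this commit introduces in the alert field list (`Target.process.Ext.memory_region.allocation_type`, `allocation_size`, `region_size`, `region_protection`, `memory_pe.imphash`) are dropped from the pre-populated exception rather than renamed: `Target` is no longer destructured here, and the nested `Target.process.thread.Ext.start_address_details` entry is removed outright in the following hunk (@ -609,44) with nothing taking its place. As far as is visible, the generated exception then keys only on `Memory_protection.feature` and `process.*` fields, so it will match a broader set of shellcode alerts than an exception that also pins the memory-region attributes; the updated tests in the `Exception helpers` hunks assert this narrower entry set, so they would not catch the omission. If the omission is deliberate, a one-line comment on the destructuring, `// Memory-region attributes are intentionally not part of the pre-populated exception (see <tracking issue placeholder>)`, would save the next reader from re-deriving it; if not, a nested entry on `Target.process.Ext.memory_region` with the same five field names would bring this helper in line with the field list. The body of getPrepopulatedMemoryShellcodeException starts and ends outside this hunk.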
|
||||
|
@ -609,44 +609,6 @@ export const getPrepopulatedMemoryShellcodeException = ({
|
|||
type: 'match' as const,
|
||||
value: process?.Ext?.token?.integrity_level_name ?? '',
|
||||
},
|
||||
{
|
||||
field: 'Target.process.thread.Ext.start_address_details',
|
||||
type: 'nested' as const,
|
||||
entries: [
|
||||
{
|
||||
field: 'allocation_type',
|
||||
operator: 'included' as const,
|
||||
type: 'match' as const,
|
||||
value: Target?.process?.thread?.Ext?.start_address_details?.allocation_type ?? '',
|
||||
},
|
||||
{
|
||||
field: 'allocation_size',
|
||||
operator: 'included' as const,
|
||||
type: 'match' as const,
|
||||
value: String(Target?.process?.thread?.Ext?.start_address_details?.allocation_size) ?? '',
|
||||
},
|
||||
{
|
||||
field: 'region_size',
|
||||
operator: 'included' as const,
|
||||
type: 'match' as const,
|
||||
value: String(Target?.process?.thread?.Ext?.start_address_details?.region_size) ?? '',
|
||||
},
|
||||
{
|
||||
field: 'region_protection',
|
||||
operator: 'included' as const,
|
||||
type: 'match' as const,
|
||||
value:
|
||||
String(Target?.process?.thread?.Ext?.start_address_details?.region_protection) ?? '',
|
||||
},
|
||||
{
|
||||
field: 'memory_pe.imphash',
|
||||
operator: 'included' as const,
|
||||
type: 'match' as const,
|
||||
value:
|
||||
String(Target?.process?.thread?.Ext?.start_address_details?.memory_pe?.imphash) ?? '',
|
||||
},
|
||||
],
|
||||
},
|
||||
]);
|
||||
|
||||
return {
|
||||
|
@ -845,7 +807,7 @@ export const defaultEndpointExceptionItems = (
|
|||
alertEcsData,
|
||||
}),
|
||||
];
|
||||
case 'malicious_thread':
|
||||
case 'shellcode_thread':
|
||||
return [
|
||||
getPrepopulatedMemoryShellcodeException({
|
||||
listId,
|
||||
|
|