From 53c011830dfbe9da04021d3529e5ce94e863236e Mon Sep 17 00:00:00 2001
From: Kevin Logan <56395104+kevinlog@users.noreply.github.com>
Date: Tue, 31 Aug 2021 22:07:00 -0400
Subject: [PATCH] [Security Solution] Correct memory exception field names (#110705)
---
 .../common/ecs/event/index.ts | 2 +-
 .../common/endpoint/generate_data.ts | 2 +-
 .../event_details/alert_summary_view.test.tsx | 4 +-
 .../event_details/alert_summary_view.tsx | 2 +-
 .../exceptionable_endpoint_fields.json | 12 +--
 .../components/exceptions/helpers.test.tsx | 85 +------------------
 .../common/components/exceptions/helpers.tsx | 42 +--------
 7 files changed, 18 insertions(+), 131 deletions(-)
diff --git a/x-pack/plugins/security_solution/common/ecs/event/index.ts b/x-pack/plugins/security_solution/common/ecs/event/index.ts
index 14f38480f90c..9e2ebb059b3b 100644
--- a/x-pack/plugins/security_solution/common/ecs/event/index.ts
+++ b/x-pack/plugins/security_solution/common/ecs/event/index.ts
@@ -53,7 +53,7 @@ export enum EventCode {
 // Memory Protection alert
 MEMORY_SIGNATURE = 'memory_signature',
 // Memory Protection alert
- MALICIOUS_THREAD = 'malicious_thread',
+ SHELLCODE_THREAD = 'shellcode_thread',
 // behavior
 BEHAVIOR = 'behavior',
 }
diff --git a/x-pack/plugins/security_solution/common/endpoint/generate_data.ts b/x-pack/plugins/security_solution/common/endpoint/generate_data.ts
index afe85e1abaa5..8f985db732b6 100644
--- a/x-pack/plugins/security_solution/common/endpoint/generate_data.ts
+++ b/x-pack/plugins/security_solution/common/endpoint/generate_data.ts
@@ -678,7 +678,7 @@ export class EndpointDocGenerator extends BaseDataGenerator {
 action: 'start',
 kind: 'alert',
 category: 'malware',
- code: isShellcode ? 'malicious_thread' : 'memory_signature',
+ code: isShellcode ? 'shellcode_thread' : 'memory_signature',
 id: this.seededUUIDv4(),
 dataset: 'endpoint',
 module: 'endpoint',
diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/alert_summary_view.test.tsx b/x-pack/plugins/security_solution/public/common/components/event_details/alert_summary_view.test.tsx
index db5eb2d882c6..2b399a057117 100644
--- a/x-pack/plugins/security_solution/public/common/components/event_details/alert_summary_view.test.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/event_details/alert_summary_view.test.tsx
@@ -86,8 +86,8 @@ describe('AlertSummaryView', () => {
 return {
 category: 'event',
 field: 'event.code',
- values: ['malicious_thread'],
- originalValue: ['malicious_thread'],
+ values: ['shellcode_thread'],
+ originalValue: ['shellcode_thread'],
 };
 }
 return item;
diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/alert_summary_view.tsx b/x-pack/plugins/security_solution/public/common/components/event_details/alert_summary_view.tsx
index d8c1cc7fbfa6..da6c091ab069 100644
--- a/x-pack/plugins/security_solution/public/common/components/event_details/alert_summary_view.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/event_details/alert_summary_view.tsx
@@ -157,7 +157,7 @@ function getEventFieldsToDisplay({
 }): EventSummaryField[] {
 switch (eventCode) {
 // memory protection fields
- case EventCode.MALICIOUS_THREAD:
+ case EventCode.SHELLCODE_THREAD:
 return memoryShellCodeAlertFields;
 case EventCode.MEMORY_SIGNATURE:
 return memorySignatureAlertFields;
diff --git a/x-pack/plugins/security_solution/public/common/components/exceptions/exceptionable_endpoint_fields.json b/x-pack/plugins/security_solution/public/common/components/exceptions/exceptionable_endpoint_fields.json
index d46b39b90fe5..043ea11a51fd 100644
--- a/x-pack/plugins/security_solution/public/common/components/exceptions/exceptionable_endpoint_fields.json
+++ b/x-pack/plugins/security_solution/public/common/components/exceptions/exceptionable_endpoint_fields.json
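Review bot: Switching the arm in getEventFieldsToDisplay to `case EventCode.SHELLCODE_THREAD:` means an alert already indexed with `event.code: 'malicious_thread'` no longer matches and falls through to whatever the default branch returns; the `case 'shellcode_thread':` arm in defaultEndpointExceptionItems (helpers.tsx, last hunk) has the same exposure. If documents with the old code can still exist in the alerts index, consider matching both values for a transition period, e.g. `case EventCode.MALICIOUS_THREAD: // legacy code, remove once old alerts have aged out` followed by `case EventCode.SHELLCODE_THREAD:`, keeping the old enum member marked `@deprecated`. If the old value was never emitted by a released endpoint, a one-line comment on the enum saying so would make the compatibility decision explicit. getEventFieldsToDisplay starts and ends outside this hunk.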
@@ -19,13 +19,13 @@
 "Target.process.pe.original_file_name",
 "Target.process.pe.product",
 "Target.process.pgid",
- "Target.process.thread.Ext.start_address_details.allocation_type",
+ "Target.process.Ext.memory_region.allocation_type",
 "Target.process.thread.Ext.start_address_bytes_disasm_hash",
 "Target.process.thread.Ext.start_address_allocation_offset",
- "Target.process.thread.Ext.start_address_details.allocation_size",
- "Target.process.thread.Ext.start_address_details.region_size",
- "Target.process.thread.Ext.start_address_details.region_protection",
- "Target.process.thread.Ext.start_address_details.memory_pe.imphash",
+ "Target.process.Ext.memory_region.allocation_size",
+ "Target.process.Ext.memory_region.region_size",
+ "Target.process.Ext.memory_region.region_protection",
+ "Target.process.Ext.memory_region.memory_pe.imphash",
 "Target.process.thread.Ext.start_address_bytes",
 "agent.id",
 "agent.type",
@@ -82,6 +82,8 @@
 "process.Ext.services",
 "process.Ext.user",
 "process.Ext.code_signature",
+ "process.Ext.token.integrity_level_name",
+ "process.Ext.memory_region.malware_signature.all_names",
 "process.executable",
 "process.hash.md5",
 "process.hash.sha1",
diff --git a/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.test.tsx b/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.test.tsx
index 9696604ddf22..209d7d8fa273 100644
--- a/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.test.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.test.tsx
@@ -1031,7 +1031,7 @@ describe('Exception helpers', () => {
 ]);
 });
 
- test('it should return pre-populated memory shellcode items for event code `malicious_thread`', () => {
+ test('it should return pre-populated memory shellcode items for event code `shellcode_thread`', () => {
 const defaultItems = defaultEndpointExceptionItems('list_id', 'my_rule', {
 _id: '123',
 process: {
@@ -1049,7 +1049,7 @@ describe('Exception helpers', () => {
 self_injection: true,
 },
 event: {
- code: 'malicious_thread',
+ code: 'shellcode_thread',
 },
 Target: {
 process: {
@@ -1108,52 +1108,10 @@ describe('Exception helpers', () => {
 value: 'high',
 id: '123',
 },
- {
- field: 'Target.process.thread.Ext.start_address_details',
- type: 'nested',
- entries: [
- {
- field: 'allocation_type',
- operator: 'included',
- type: 'match',
- value: 'PRIVATE',
- id: '123',
- },
- {
- field: 'allocation_size',
- operator: 'included',
- type: 'match',
- value: '4000',
- id: '123',
- },
- {
- field: 'region_size',
- operator: 'included',
- type: 'match',
- value: '4000',
- id: '123',
- },
- {
- field: 'region_protection',
- operator: 'included',
- type: 'match',
- value: 'RWX',
- id: '123',
- },
- {
- field: 'memory_pe.imphash',
- operator: 'included',
- type: 'match',
- value: 'a hash',
- id: '123',
- },
- ],
- id: '123',
- },
 ]);
 });
 
- test('it should return pre-populated memory shellcode items for event code `malicious_thread` and skip empty', () => {
+ test('it should return pre-populated memory shellcode items for event code `shellcode_thread` and skip empty', () => {
 const defaultItems = defaultEndpointExceptionItems('list_id', 'my_rule', {
 _id: '123',
 process: {
@@ -1171,7 +1129,7 @@ describe('Exception helpers', () => {
 self_injection: true,
 },
 event: {
- code: 'malicious_thread',
+ code: 'shellcode_thread',
 },
 Target: {
 process: {
@@ -1217,41 +1175,6 @@ describe('Exception helpers', () => {
 value: 'high',
 id: '123',
 },
- {
- field: 'Target.process.thread.Ext.start_address_details',
- type: 'nested',
- entries: [
- {
- field: 'allocation_size',
- operator: 'included',
- type: 'match',
- value: '4000',
- id: '123',
- },
- {
- field: 'region_size',
- operator: 'included',
- type: 'match',
- value: '4000',
- id: '123',
- },
- {
- field: 'region_protection',
- operator: 'included',
- type: 'match',
- value: 'RWX',
- id: '123',
- },
- {
- field: 'memory_pe.imphash',
- operator: 'included',
- type: 'match',
- value: 'a hash',
- id: '123',
- },
- ],
- id: '123',
- },
 ]);
 });
 });
diff --git a/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx b/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx
index 3d219b90a2fc..58da977fcb8f 100644
--- a/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx
+++ b/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx
@@ -577,7 +577,7 @@ export const getPrepopulatedMemoryShellcodeException = ({
 eventCode: string;
 alertEcsData: Flattened;
 }): ExceptionsBuilderExceptionItem => {
- const { process, Target } = alertEcsData;
+ const { process } = alertEcsData;
 const entries = filterEmptyExceptionEntries([
 {
 field: 'Memory_protection.feature',
@@ -609,44 +609,6 @@ export const getPrepopulatedMemoryShellcodeException = ({
 type: 'match' as const,
 value: process?.Ext?.token?.integrity_level_name ?? '',
 },
- {
- field: 'Target.process.thread.Ext.start_address_details',
- type: 'nested' as const,
- entries: [
- {
- field: 'allocation_type',
- operator: 'included' as const,
- type: 'match' as const,
- value: Target?.process?.thread?.Ext?.start_address_details?.allocation_type ?? '',
- },
- {
- field: 'allocation_size',
- operator: 'included' as const,
- type: 'match' as const,
- value: String(Target?.process?.thread?.Ext?.start_address_details?.allocation_size) ?? '',
- },
- {
- field: 'region_size',
- operator: 'included' as const,
- type: 'match' as const,
- value: String(Target?.process?.thread?.Ext?.start_address_details?.region_size) ?? '',
- },
- {
- field: 'region_protection',
- operator: 'included' as const,
- type: 'match' as const,
- value:
- String(Target?.process?.thread?.Ext?.start_address_details?.region_protection) ?? '',
- },
- {
- field: 'memory_pe.imphash',
- operator: 'included' as const,
- type: 'match' as const,
- value:
- String(Target?.process?.thread?.Ext?.start_address_details?.memory_pe?.imphash) ?? '',
- },
- ],
- },
 ]);
 
 return {
@@ -845,7 +807,7 @@ export const defaultEndpointExceptionItems = (
 alertEcsData,
 }),
 ];
- case 'malicious_thread':
+ case 'shellcode_thread':
 return [
 getPrepopulatedMemoryShellcodeException({
 listId,
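Review bot: The pre-populated shellcode exception now ends at the `process.Ext.token.integrity_level_name` entry; the nested `Target.process.thread.Ext.start_address_details` block is deleted outright rather than moved to the `Target.process.Ext.memory_region.*` paths that exceptionable_endpoint_fields.json now lists, so none of the memory-region criteria are pre-populated even though the UI allows them. If that is deliberate (the values not being useful as exception criteria, for instance), a one-line comment on the entry list such as `// memory_region fields are intentionally not pre-populated; users can add them manually` would stop the next reader from re-adding them. If they should be restored under the new names, note that the removed `String(x) ?? ''` form never yields '' because String(undefined) is the string 'undefined'; `value: Target?.process?.Ext?.memory_region?.allocation_size?.toString() ?? ''` is the shape that lets filterEmptyExceptionEntries drop missing values. getPrepopulatedMemoryShellcodeException starts and ends outside this hunk.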