[Security Solution][Event Filters] Warning callout for incomplete code signature entries #193749
Conversation
Pinging @elastic/security-defend-workflows (Team:Defend Workflows)
…ana into task/code-signature-warning
```ts
items[0]?.entries.forEach((e) => {
  if (e.type === 'nested' && e.field === 'process.Ext.code_signature') {
    e.entries.forEach((n) => {
      if (n.field === 'subject_name') {
        nestedName = true;
      } else if (n.field === 'trusted') {
        nestedTrusted = true;
      }
    });
  } else if (
    e.field === 'process.code_signature.subject_name' ||
    (os.includes('macos') && e.field === 'process.code_signature.team_id')
  ) {
    name = true;
  } else if (e.field === 'process.code_signature.trusted') {
    trusted = true;
  }
});
return name !== trusted || nestedName !== nestedTrusted;
};
```
I’d recommend simplifying the code to avoid nested iterations. Consider using a single for loop with early returns. Here’s a rough pseudocode example

```js
for (e of entries) {
  if (e.type === 'nested' && e.field === 'process.Ext.code_signature') {
    const includesNestedName = e.entries.some(entry => entry.field === 'subject_name')
    const includesNestedTrusted = e.entries.some(entry => entry.field === 'trusted')
    if (includesNestedName !== includesNestedTrusted) {
      return true // Mismatch found, no need to continue
    }
  } else {
    if (e.field === 'process.code_signature.subject_name' ||
      (os.includes('macos') && e.field === 'process.code_signature.team_id')
    ) {
      name = true;
    }
    if (e.field === 'process.code_signature.trusted') {
      trusted = true;
    }
    if (name !== trusted) {
      return true; // Mismatch found in outer entries
    }
  }
}
return false; // No mismatch
```
To avoid `?` and checks for `os` you can go with

```ts
const { os_types = ['windows'], entries = [] } = items[0] || {};
```

If `items[0]` is undefined then it will default to `os_types = ['windows']` and empty `entries`, otherwise it will be overwritten with what `items[0].os_types` and `.entries` carry.
I'm wondering if either code block (including the suggestion) here is going to make sense in 3 months? Can we break it down into smaller chunks of contextual logic? Something like

```ts
isNestedTrustedEntry();
isNestedNameEntry();
isNameEntry();
isTrustedEntry();
```

and use that to compose a boolean statement?

If you do decide to break them into chunks, perhaps it would be a good idea to write unit tests for those so that we understand what that logic does.
Good idea @ashokaditya!
Hi, I tried to incorporate some of your logic for the single for loop with early returns. I could only do it for the nested condition however, because the `name` and `trusted` fields need to be checked in all the entries.
```tsx
  size="s"
  data-test-subj="partialCodeSignatureCallout"
>
  <p>
```
Nit: I believe you can pass the `tagName="p"` prop to `<FormattedMessage />`, and it will render the message inside a `<p>` tag.
```ts
      ])
    ).toBeFalsy();
  });
  it('returns true if the entry has code signature subject name but not trusted field or vice versa', () => {
```
I think it would be better to split into 2 tests
```ts
      ])
    ).toBeTruthy();
  });
  it('returns false if the entry has both code signature subject, or team id for mac, name and trusted field or vice versa', () => {
```
let's split it into 2 cases for better maintainability and readability
Looks great, thanks for incorporating my suggestions!
Thank you for addressing comments on tests.
One question I still have is regarding other signature fields - #193749 (review)
Hi @vitaliidm so technically that field is a
💚 Build Succeeded
Starting backport for target branches: 8.x
…e signature entries (elastic#193749)

## Summary
Navigate to Security Solution > Manage > Event Filters > Add Event Filter

- [x] Warning callout shown when code signature field is incomplete (i.e. `process.code_signature.subject_name` w/o `process.code_signature.trusted` or vice versa)
- [x] For mac operating systems, `process.code_signature.team_id` is also accepted as an equivalent to `subject_name`
- [x] Warning callout is also shown for nested entries for this code signature field: `process.Ext.code_signature`
- [x] Unit Tests

# Screenshots
![image](https://github.com/user-attachments/assets/e77cffa7-8b60-4441-9319-aa9964224bb9)
![image](https://github.com/user-attachments/assets/6ec7c6a1-28e8-4f8e-a6aa-3e65b1e0ba1b)
MAC
![image](https://github.com/user-attachments/assets/86354b92-d7e3-44f1-8719-d9791dcaf9cd)
NESTED
![image](https://github.com/user-attachments/assets/1392d7b2-0b63-40b8-95be-8a5bfa2e0af1)

Followup prs: need to address user being allowed to choose the nested field: `process.Ext.code_signature` for a non-nested entry, need to address what happens when a user chooses `false` instead of true for the `trusted` field option

---------

Co-authored-by: kibanamachine <[email protected]>
(cherry picked from commit 61c9137)
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions? Please refer to the Backport tool documentation
…te code signature entries (#193749) (#195184)

# Backport
This will backport the following commits from `main` to `8.x`:
- [[Security Solution][Event Filters] Warning callout for incomplete code signature entries (#193749)](#193749)

### Questions ?
Please refer to the [Backport tool documentation](https://github.com/sqren/backport)

(Backport metadata: source commit 61c9137a1eeb1548e1878110194abc173fe64724 on `main`, committed 2024-10-04, author Candace Park; labels release_note:skip, v9.0.0, Team:Defend Workflows, backport:prev-minor, v8.16.0; target branch 8.x for v8.16.0.)

Co-authored-by: Candace Park <[email protected]>
Summary

Navigate to Security Solution > Manage > Event Filters > Add Event Filter

- [x] Warning callout shown when code signature field is incomplete (i.e. `process.code_signature.subject_name` w/o `process.code_signature.trusted` or vice versa)
- [x] For mac operating systems, `process.code_signature.team_id` is also accepted as an equivalent to `subject_name`
- [x] Warning callout is also shown for nested entries for this code signature field: `process.Ext.code_signature`
- [x] Unit Tests

Paired PR for endpoint exceptions: #198245

Screenshots
MAC
NESTED

Followup prs: need to address user being allowed to choose the nested field: `process.Ext.code_signature` for a non-nested entry, need to address what happens when a user chooses `false` instead of `true` for the `trusted` field option
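The rule the summary describes (and the decomposition into small predicates that the review thread asks for), written out as an added example. This is not code from the Kibana PR: the `EventFilterItem`, `Entry`, `MatchEntry` and `NestedEntry` shapes, the sample items and the `trustedValuesNotTrue` helper are this example's own assumptions. The page does not state the motivation, but the reason such a check is worth a warning is that an event filter keyed only on a signer name, without `trusted` alongside it, matches any binary whose signature merely claims that name, whether or not the signature verifies. Two places go beyond the page's logic on purpose: each nested `process.Ext.code_signature` block is judged on its own rather than pooling `subject_name` and `trusted` across all nested blocks, and the follow-up case of `trusted` set to something other than `true` is reported separately instead of being left open.

```typescript
// Added example, not code from the Kibana PR. Entry and item shapes are
// simplified assumptions about exception-list entries.

type OsType = 'windows' | 'macos' | 'linux';

interface MatchEntry {
  type: 'match';
  field: string;
  operator: 'included' | 'excluded';
  value: string;
}

interface NestedEntry {
  type: 'nested';
  field: string;
  entries: MatchEntry[];
}

type Entry = MatchEntry | NestedEntry;

interface EventFilterItem {
  os_types?: OsType[];
  entries?: Entry[];
}

const SUBJECT_NAME = 'process.code_signature.subject_name';
const TEAM_ID = 'process.code_signature.team_id';
const TRUSTED = 'process.code_signature.trusted';
const NESTED_CODE_SIGNATURE = 'process.Ext.code_signature';

// One small predicate per condition, so the composed rule reads as prose.
const isNestedCodeSignatureEntry = (e: Entry): e is NestedEntry =>
  e.type === 'nested' && e.field === NESTED_CODE_SIGNATURE;
const isNestedNameEntry = (e: MatchEntry): boolean => e.field === 'subject_name';
const isNestedTrustedEntry = (e: MatchEntry): boolean => e.field === 'trusted';
// On macOS the team_id is accepted as the signer identity in place of subject_name.
const isNameEntry = (e: Entry, osTypes: OsType[]): e is MatchEntry =>
  e.type === 'match' &&
  (e.field === SUBJECT_NAME || (osTypes.includes('macos') && e.field === TEAM_ID));
const isTrustedEntry = (e: Entry): e is MatchEntry => e.type === 'match' && e.field === TRUSTED;

/** Flat entries: a signer name (or mac team_id) without trusted, or trusted without a name. */
export function hasPartialFlatCodeSignature(entries: Entry[], osTypes: OsType[]): boolean {
  const hasName = entries.some((e) => isNameEntry(e, osTypes));
  const hasTrusted = entries.some(isTrustedEntry);
  return hasName !== hasTrusted;
}

/** Nested blocks: each process.Ext.code_signature block is judged on its own
 *  (stricter than pooling across blocks, since each block is one nested query). */
export function hasPartialNestedCodeSignature(entries: Entry[]): boolean {
  return entries.filter(isNestedCodeSignatureEntry).some((nested) => {
    const hasName = nested.entries.some(isNestedNameEntry);
    const hasTrusted = nested.entries.some(isNestedTrustedEntry);
    return hasName !== hasTrusted;
  });
}

/** The callout condition: true when the item should show the warning. */
export function hasPartialCodeSignatureEntry(item: EventFilterItem | undefined): boolean {
  const { os_types = ['windows'], entries = [] } = item ?? {};
  return hasPartialFlatCodeSignature(entries, os_types) || hasPartialNestedCodeSignature(entries);
}

/** Trusted conditions whose value is not 'true', flat or nested. The PR leaves this
 *  case to a follow-up; reporting it here is this example's own choice. */
export function trustedValuesNotTrue(entries: Entry[]): string[] {
  const found: string[] = [];
  for (const e of entries) {
    if (isNestedCodeSignatureEntry(e)) {
      for (const n of e.entries) {
        if (isNestedTrustedEntry(n) && n.value !== 'true') found.push(`${e.field}.${n.field}`);
      }
    } else if (isTrustedEntry(e) && e.value !== 'true') {
      found.push(e.field);
    }
  }
  return found;
}

// Constructed sample items (not taken from the page).
export const SAMPLE_NAME_ONLY_WINDOWS: EventFilterItem = {
  os_types: ['windows'],
  entries: [{ type: 'match', field: SUBJECT_NAME, operator: 'included', value: 'Example Corp' }],
};
export const SAMPLE_COMPLETE_MAC: EventFilterItem = {
  os_types: ['macos'],
  entries: [
    { type: 'match', field: TEAM_ID, operator: 'included', value: 'ABCDE12345' },
    { type: 'match', field: TRUSTED, operator: 'included', value: 'true' },
  ],
};
// Same entries on Windows: team_id does not count as a name there, so trusted stands alone.
export const SAMPLE_TEAM_ID_ON_WINDOWS: EventFilterItem = {
  os_types: ['windows'],
  entries: SAMPLE_COMPLETE_MAC.entries,
};
export const SAMPLE_NESTED_TRUSTED_FALSE: EventFilterItem = {
  os_types: ['windows'],
  entries: [{
    type: 'nested',
    field: NESTED_CODE_SIGNATURE,
    entries: [
      { type: 'match', field: 'subject_name', operator: 'included', value: 'Example Corp' },
      { type: 'match', field: 'trusted', operator: 'included', value: 'false' },
    ],
  }],
};
```

`hasPartialCodeSignatureEntry` is the only function the callout needs; the two halves are exported separately so each can be unit-tested on its own, which is the point of the decomposition. `SAMPLE_NESTED_TRUSTED_FALSE` is complete by the summary's rule (both fields present) and so does not trigger the warning, which is exactly why the `trusted: false` case needs its own check.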