From 4fde17f20c1899396c6db68cdefa39f4c88b68ea Mon Sep 17 00:00:00 2001
From: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Date: Tue, 20 Jun 2023 09:20:27 -0400
Subject: [PATCH] [8.8] [Security Solution] Adds several new fields to allowed Exceptions for Endpoint (#159835) (#159924)
# Backport
This will backport the following commits from `main` to `8.8`:
- [[Security Solution] Adds several new fields to allowed Exceptions for Endpoint (#159835)](https://github.com/elastic/kibana/pull/159835)
### Questions ?
Please refer to the [Backport tool documentation](https://github.com/sqren/backport)
Co-authored-by: Kevin Logan <56395104+kevinlog@users.noreply.github.com>
---
 .../utils/exceptionable_endpoint_fields.json | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_exceptions/utils/exceptionable_endpoint_fields.json b/x-pack/plugins/security_solution/public/detection_engine/rule_exceptions/utils/exceptionable_endpoint_fields.json
index faa73b290f3cb..93a35fdcdc6cc 100644
--- a/x-pack/plugins/security_solution/public/detection_engine/rule_exceptions/utils/exceptionable_endpoint_fields.json
+++ b/x-pack/plugins/security_solution/public/detection_engine/rule_exceptions/utils/exceptionable_endpoint_fields.json
@@ -30,6 +30,10 @@
 "agent.id",
 "agent.type",
 "agent.version",
+ "Effective_process.entity_id",
+ "Effective_process.executable",
+ "Effective_process.name",
+ "Effective_process.pid",
 "elastic.agent.id",
 "event.action",
 "event.category",
@@ -59,6 +63,12 @@
 "file.path",
 "file.pe.company",
 "file.pe.description",
+ "file.pe.Ext.dotnet",
+ "file.pe.Ext.streams.hash.md5",
+ "file.pe.Ext.streams.hash.sha256",
+ "file.pe.Ext.streams.name",
+ "file.pe.Ext.sections.hash.md5",
+ "file.pe.Ext.sections.hash.sha256",
 "file.pe.file_version",
 "file.pe.original_file_name",
 "file.pe.product",
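Review bot: The two MD5 entries added in the second hunk, `file.pe.Ext.streams.hash.md5` and `file.pe.Ext.sections.hash.md5`, let an Endpoint exception be keyed on a hash that is not collision resistant, so a match on them is weaker evidence of file identity than the `file.pe.Ext.*.hash.sha256` entries added beside them. If they are kept for parity with existing MD5 fields (such as `process.parent.hash.md5` in the last hunk's context), that preference should be written down where the list is documented, since strict JSON cannot hold a comment: `Prefer the sha256 variants for exceptions; md5 fields are listed for compatibility only.` As a style point, the `sections` entries are added after the `streams` entries although the visible context looks roughly alphabetical; moving the two `file.pe.Ext.sections.hash.*` lines above `file.pe.Ext.streams.hash.md5` would keep later diffs easier to read.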
@@ -79,6 +89,7 @@
 "host.os.platform",
 "host.os.version",
 "host.type",
+ "process.args",
 "process.command_line",
 "process.code_signature.subject_name",
 "process.Ext.services",
@@ -92,6 +103,7 @@
 "process.hash.sha256",
 "process.hash.sha512",
 "process.name",
+ "process.parent.args",
 "process.parent.executable",
 "process.parent.hash.md5",
 "process.parent.hash.sha1",
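Review bot: `process.args` in this hunk and `process.parent.args` in the following hunk hold values set by whoever launches the process, so an exception that matches on them alone does not identify which binary is running and can suppress alerts more broadly than intended. `process.command_line` is already in the list, so this is not a new class of field, but the addition is a good point to document that argument-based exceptions should be combined with an identity field such as `process.code_signature.subject_name` or `process.hash.sha256`, both visible in the context lines. Because the file is strict JSON, the guidance belongs in the PR description or the exceptions documentation, for example `Exceptions on process.args / process.parent.args should also constrain a signer or hash field.` The patch changes only this JSON file, so whether a test pins the allowed-field list cannot be seen from here.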