[8.6] Add some 8.6 Endpoint telemetry fields (#146459) (#146512)

# Backport

This will backport the following commits from `main` to `8.6`:
- [Add some 8.6 Endpoint telemetry fields
(#146459)](https://github.com/elastic/kibana/pull/146459)

<!--- Backport version: 8.9.7 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Gabriel
Landau","email":"42078554+gabriellandau@users.noreply.github.com"},"sourceCommit":{"committedDate":"2022-11-29T09:54:57Z","message":"Add
some 8.6 Endpoint telemetry fields (#146459)\n\n## Summary\r\n\r\nAdd
some fields to Endpoint telemetry which are mistakenly stripped
by\r\nthe PII filter. These fields enable the Endpoint Protections team
to\r\nbetter triage alerts and create exceptions.\r\n\r\n###
Checklist\r\n\r\nDelete any items that are not applicable to this
PR.\r\n\r\n- [x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common scenarios\r\n\r\n### For
maintainers\r\n\r\n- [ ] This was checked for breaking API changes and
was
[labeled\r\nappropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\r\n\r\nCo-authored-by:
kibanamachine
<42973632+kibanamachine@users.noreply.github.com>","sha":"414ca820604c666af889a472da7e598fdcf5cfee","branchLabelMapping":{"^v8.7.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["Feature:Telemetry","release_note:skip","Team:
SecuritySolution","auto-backport","v8.6.0"],"number":146459,"url":"https://github.com/elastic/kibana/pull/146459","mergeCommit":{"message":"Add
some 8.6 Endpoint telemetry fields (#146459)\n\n## Summary\r\n\r\nAdd
some fields to Endpoint telemetry which are mistakenly stripped
by\r\nthe PII filter. These fields enable the Endpoint Protections team
to\r\nbetter triage alerts and create exceptions.\r\n\r\n###
Checklist\r\n\r\nDelete any items that are not applicable to this
PR.\r\n\r\n- [x] [Unit or
functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\nwere
updated or added to match the most common scenarios\r\n\r\n### For
maintainers\r\n\r\n- [ ] This was checked for breaking API changes and
was
[labeled\r\nappropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)\r\n\r\nCo-authored-by:
kibanamachine
<42973632+kibanamachine@users.noreply.github.com>","sha":"414ca820604c666af889a472da7e598fdcf5cfee"}},"sourceBranch":"main","suggestedTargetBranches":["8.6"],"targetPullRequestStates":[{"branch":"8.6","label":"v8.6.0","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Gabriel Landau <42078554+gabriellandau@users.noreply.github.com>
This commit is contained in:
Kibana Machine 2022-11-29 07:35:46 -05:00 committed by GitHub
parent 10e20e33b8
commit 2e3606842a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 111 additions and 0 deletions


@ -26,9 +26,12 @@ const baseAllowlistFields: AllowlistFields = {
malware_signature: true,
memory_region: true,
protection: true,
session_info: true,
real: {
entity_id: true,
},
relative_file_creation_time: true,
relative_file_name_modify_time: true,
token: {
elevation: true,
elevation_type: true,
@ -50,6 +53,14 @@ const allowlistBaseEventFields: AllowlistFields = {
hash: true,
malware_signature: true,
pe: true,
Ext: {
device: {
volume_device_type: true,
},
load_index: true,
relative_file_creation_time: true,
relative_file_name_modify_time: true,
},
},
dns: true,
event: true,
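Review bot: `session_info: true` in the first hunk of this file admits the entire `session_info` subtree, whereas the neighbouring entries (`real: { entity_id: true }`, `token: { elevation: true, … }`) enumerate exactly which subfields may bypass the PII filter, and the file's `true`-valued entries (`pe`, `dns`, `event`) appear to mean "pass the whole object". The test fixture added by the same commit shows `session_info` carrying `client_address: '127.0.0.1'` next to the logon metadata, so a wholesale allow forwards that address today and silently forwards any subfield Endpoint adds under `session_info` in a future release, with no change needed in this allowlist. Since this list exists precisely to gate what escapes the PII filter, I would enumerate the intended subfields and make `client_address` an explicit decision rather than an implicit pass-through. `baseAllowlistFields` opens before the first hunk of this file.
```typescript
// … unchanged: malware_signature, memory_region, protection …
session_info: {
  logon_type: true,
  id: true,
  authentication_package: true,
  relative_logon_time: true,
  relative_password_age: true,
  user_flags: true,
  // client_address is an IP address — add it here only if the telemetry PII policy permits it
},
// … unchanged: real, relative_file_creation_time, relative_file_name_modify_time, token …
```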


@ -91,6 +91,16 @@ describe('TelemetryEventsSender', () => {
ruleset: 'Z',
version: '100',
},
dll: {
Ext: {
device: {
volume_device_type: 'Disk File System',
},
load_index: 1,
relative_file_creation_time: 48628704.4029488,
relative_file_name_modify_time: 48628704.4029488,
},
},
file: {
extension: '.exe',
size: 3,
@ -99,6 +109,34 @@ describe('TelemetryEventsSender', () => {
test: 'me',
another: 'nope',
pe: {
Ext: {
dotnet: true,
streams: [
{
name: '#~',
hash: {
md5: 'debf08c09d49337fbe7acde4d3749242',
sha256: '90143dfb2e3210f18e1bcc50eb6c3961d11071e3ec024215b8835e468fa63e53',
},
},
{
name: '#Blob',
hash: {
md5: 'debf08c09d49337fbe7acde4d3749242',
sha256: '90143dfb2e3210f18e1bcc50eb6c3961d11071e3ec024215b8835e468fa63e53',
},
},
],
sections: [
{
name: '.reloc',
hash: {
md5: 'debf08c09d49337fbe7acde4d3749242',
sha256: '90143dfb2e3210f18e1bcc50eb6c3961d11071e3ec024215b8835e468fa63e53',
},
},
],
},
original_file_name: 'malware.exe',
},
Ext: {
@ -117,6 +155,8 @@ describe('TelemetryEventsSender', () => {
header_bytes: 'data in here',
quarantine_result: true,
quarantine_message: 'this file is bad',
relative_file_creation_time: 48628704.4029488,
relative_file_name_modify_time: 48628704.4029488,
something_else: 'nope',
},
},
@ -135,6 +175,17 @@ describe('TelemetryEventsSender', () => {
entity_id: 'some_entity_id',
Ext: {
protection: 'PsProtectedSignerAntimalware-Light',
relative_file_creation_time: 48628704.4029488,
relative_file_name_modify_time: 48628704.4029488,
session_info: {
logon_type: 'Interactive',
client_address: '127.0.0.1',
id: 1,
authentication_package: 'NTLM',
relative_logon_time: 0.1,
relative_password_age: 2592000.123,
user_flags: ['LOGON_EXTRA_SIDS', 'LOGON_NTLMV2_ENABLED', 'LOGON_WINLOGON'],
},
},
},
Responses: '{ "result": 0 }', // >= 7.15
@ -220,12 +271,50 @@ describe('TelemetryEventsSender', () => {
ruleset: 'Z',
version: '100',
},
dll: {
Ext: {
device: {
volume_device_type: 'Disk File System',
},
load_index: 1,
relative_file_creation_time: 48628704.4029488,
relative_file_name_modify_time: 48628704.4029488,
},
},
file: {
extension: '.exe',
size: 3,
created: 0,
path: 'X',
pe: {
Ext: {
dotnet: true,
streams: [
{
name: '#~',
hash: {
md5: 'debf08c09d49337fbe7acde4d3749242',
sha256: '90143dfb2e3210f18e1bcc50eb6c3961d11071e3ec024215b8835e468fa63e53',
},
},
{
name: '#Blob',
hash: {
md5: 'debf08c09d49337fbe7acde4d3749242',
sha256: '90143dfb2e3210f18e1bcc50eb6c3961d11071e3ec024215b8835e468fa63e53',
},
},
],
sections: [
{
name: '.reloc',
hash: {
md5: 'debf08c09d49337fbe7acde4d3749242',
sha256: '90143dfb2e3210f18e1bcc50eb6c3961d11071e3ec024215b8835e468fa63e53',
},
},
],
},
original_file_name: 'malware.exe',
},
Ext: {
@ -258,6 +347,17 @@ describe('TelemetryEventsSender', () => {
entity_id: 'some_entity_id',
Ext: {
protection: 'PsProtectedSignerAntimalware-Light',
relative_file_creation_time: 48628704.4029488,
relative_file_name_modify_time: 48628704.4029488,
session_info: {
logon_type: 'Interactive',
client_address: '127.0.0.1',
id: 1,
authentication_package: 'NTLM',
relative_logon_time: 0.1,
relative_password_age: 2592000.123,
user_flags: ['LOGON_EXTRA_SIDS', 'LOGON_NTLMV2_ENABLED', 'LOGON_WINLOGON'],
},
},
},
Responses: '{ "result": 0 }',
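Review bot: The new `dll.Ext` and `session_info` fixtures in the first and fourth hunks of this file only contain allowlisted fields, so the expected object in the later hunks merely echoes the input and nothing proves the filter still drops unknown siblings under the newly allowlisted paths. Elsewhere this file marks such strip-checks with sentinel keys (`another: 'nope'`, `something_else: 'nope'`) present in the input but absent from the expected object; the `dll.Ext` input fixture has none. Adding `something_else: 'nope',` after `load_index: 1,` in the input `dll.Ext` (and leaving it out of the expected `dll.Ext` in the corresponding later hunk) would pin that `dll.Ext` is filtered per subfield rather than passed wholesale. The `describe('TelemetryEventsSender', …)` block and the test case these fixtures appear to belong to begin outside these hunks.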