[Security Solution][Endpoint] Split blocklist entry in multiple entries when different hash types (#164599)
Fixes: https://github.com/elastic/kibana/issues/164374 ## Summary During Fleet artifact generation, we split each blocklist entry that contains multiple hash types, so the resulting artifact contains a separate entry for each hash type. This is done for every blocklist entry that contains multiple hash types. It also updates the FTR test to ensure the resulting artifact is generated correctly. For a blocklist containing these hashes: ``` ['741462ab431a22233c787baab9b653c7', 'aedb279e378bed6c2db3c9dc9e12ba635e0b391c', 'a4370c0cf81686c0b696fa6261c9d3e0d810ae704ab8301839dffd5d5112f476'] ``` The artifact generated is: ``` { entries: [ { type: 'simple', entries: [ { field: 'file.hash.md5', operator: 'included', type: 'exact_cased_any', value: ['741462ab431a22233c787baab9b653c7'], }, ], }, { type: 'simple', entries: [ { field: 'file.hash.sha1', operator: 'included', type: 'exact_cased_any', value: ['aedb279e378bed6c2db3c9dc9e12ba635e0b391c'], }, ], }, { type: 'simple', entries: [ { field: 'file.hash.sha256', operator: 'included', type: 'exact_cased_any', value: ['a4370c0cf81686c0b696fa6261c9d3e0d810ae704ab8301839dffd5d5112f476'], }, ], }, ] } ``` Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
This commit is contained in:
parent
37efbf350d
commit
6659376838
2 changed files with 75 additions and 20 deletions
|
@ -14,14 +14,15 @@ import type {
|
|||
FoundExceptionListItemSchema,
|
||||
} from '@kbn/securitysolution-io-ts-list-types';
|
||||
import type { OperatingSystem } from '@kbn/securitysolution-utils';
|
||||
import { hasSimpleExecutableName } from '@kbn/securitysolution-utils';
|
||||
import { EntryFieldType, hasSimpleExecutableName } from '@kbn/securitysolution-utils';
|
||||
|
||||
import type {
|
||||
ENDPOINT_BLOCKLISTS_LIST_ID,
|
||||
ENDPOINT_EVENT_FILTERS_LIST_ID,
|
||||
ENDPOINT_HOST_ISOLATION_EXCEPTIONS_LIST_ID,
|
||||
ENDPOINT_LIST_ID,
|
||||
ENDPOINT_TRUSTED_APPS_LIST_ID,
|
||||
import {
|
||||
ENDPOINT_ARTIFACT_LISTS,
|
||||
type ENDPOINT_BLOCKLISTS_LIST_ID,
|
||||
type ENDPOINT_EVENT_FILTERS_LIST_ID,
|
||||
type ENDPOINT_HOST_ISOLATION_EXCEPTIONS_LIST_ID,
|
||||
type ENDPOINT_LIST_ID,
|
||||
type ENDPOINT_TRUSTED_APPS_LIST_ID,
|
||||
} from '@kbn/securitysolution-list-constants';
|
||||
import type { ExceptionListClient } from '@kbn/lists-plugin/server';
|
||||
import { validate } from '@kbn/securitysolution-io-ts-utils';
|
||||
|
@ -159,13 +160,36 @@ export function translateToEndpointExceptions(
|
|||
const entriesFiltered: TranslatedExceptionListItem[] = [];
|
||||
if (schemaVersion === 'v1') {
|
||||
exceptions.forEach((entry) => {
|
||||
const translatedItem = translateItem(schemaVersion, entry);
|
||||
const entryHash = createHash('sha256').update(JSON.stringify(translatedItem)).digest('hex');
|
||||
if (!entrySet.has(entryHash)) {
|
||||
entriesFiltered.push(translatedItem);
|
||||
entrySet.add(entryHash);
|
||||
// For Blocklist, we create a single entry for each blocklist entry item
|
||||
// if there is an entry with more than one hash type.
|
||||
if (
|
||||
entry.list_id === ENDPOINT_ARTIFACT_LISTS.blocklists.id &&
|
||||
entry.entries.length > 1 &&
|
||||
!!entry.entries[0].field.match(EntryFieldType.HASH)
|
||||
) {
|
||||
entry.entries.forEach((blocklistSingleEntry) => {
|
||||
const translatedItem = translateItem(schemaVersion, {
|
||||
...entry,
|
||||
entries: [blocklistSingleEntry],
|
||||
});
|
||||
const entryHash = createHash('sha256')
|
||||
.update(JSON.stringify(translatedItem))
|
||||
.digest('hex');
|
||||
if (!entrySet.has(entryHash)) {
|
||||
entriesFiltered.push(translatedItem);
|
||||
entrySet.add(entryHash);
|
||||
}
|
||||
});
|
||||
} else {
|
||||
const translatedItem = translateItem(schemaVersion, entry);
|
||||
const entryHash = createHash('sha256').update(JSON.stringify(translatedItem)).digest('hex');
|
||||
if (!entrySet.has(entryHash)) {
|
||||
entriesFiltered.push(translatedItem);
|
||||
entrySet.add(entryHash);
|
||||
}
|
||||
}
|
||||
});
|
||||
|
||||
return entriesFiltered;
|
||||
} else {
|
||||
throw new Error('unsupported schemaVersion');
|
||||
|
|
|
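Review bot: The hash-and-dedupe sequence (`createHash('sha256')…digest('hex')`, `entrySet.has`, push, `entrySet.add`) is now written twice in the v1 branch of translateToEndpointExceptions, once inside the per-hash `forEach` and once in the `else`; hoisting it into one local closure keeps the two paths from drifting apart. The split guard also inspects only `entry.entries[0].field`, while the comment above it promises a split whenever an item has more than one hash type: an item whose first entry is a hash followed by a non-hash entry would be split into one artifact entry per condition (turning an AND into an OR), and an item whose first entry is not a hash is never split. If the blocklist schema guarantees every entry of an item is a hash field this is harmless, but `entry.entries.every((e) => !!e.field.match(EntryFieldType.HASH))` states that assumption in code at no cost. `translateToEndpointExceptions` begins before this hunk and the `else` that throws `unsupported schemaVersion` continues past it.
```typescript
    // Emit a translated item only once, keyed by the sha256 of its JSON form.
    const pushIfNew = (translatedItem: TranslatedExceptionListItem) => {
      const entryHash = createHash('sha256').update(JSON.stringify(translatedItem)).digest('hex');
      if (!entrySet.has(entryHash)) {
        entriesFiltered.push(translatedItem);
        entrySet.add(entryHash);
      }
    };
    exceptions.forEach((entry) => {
      // Blocklist items carrying several hash types become one artifact entry per hash.
      if (
        entry.list_id === ENDPOINT_ARTIFACT_LISTS.blocklists.id &&
        entry.entries.length > 1 &&
        entry.entries.every((e) => !!e.field.match(EntryFieldType.HASH))
      ) {
        entry.entries.forEach((blocklistSingleEntry) => {
          pushIfNew(translateItem(schemaVersion, { ...entry, entries: [blocklistSingleEntry] }));
        });
      } else {
        pushIfNew(translateItem(schemaVersion, entry));
      }
    });
    // … unchanged: return entriesFiltered …
```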
@ -374,7 +374,8 @@ export const getArtifactsListTestsData = () => [
|
|||
{
|
||||
type: 'input',
|
||||
selector: 'blocklist-form-values-input',
|
||||
value: 'A4370C0CF81686C0B696FA6261c9d3e0d810ae704ab8301839dffd5d5112f476',
|
||||
value:
|
||||
'A4370C0CF81686C0B696FA6261c9d3e0d810ae704ab8301839dffd5d5112f476,aedb279e378BED6C2DB3C9DC9e12ba635e0b391c,741462ab431a22233C787BAAB9B653C7',
|
||||
},
|
||||
{
|
||||
type: 'click',
|
||||
|
@ -385,7 +386,7 @@ export const getArtifactsListTestsData = () => [
|
|||
{
|
||||
selector: 'blocklistPage-card-criteriaConditions',
|
||||
value:
|
||||
'OSIS Windows\nAND file.hash.*IS ONE OF\na4370c0cf81686c0b696fa6261c9d3e0d810ae704ab8301839dffd5d5112f476',
|
||||
'OSIS Windows\nAND file.hash.*IS ONE OF\n741462ab431a22233c787baab9b653c7\naedb279e378bed6c2db3c9dc9e12ba635e0b391c\na4370c0cf81686c0b696fa6261c9d3e0d810ae704ab8301839dffd5d5112f476',
|
||||
},
|
||||
],
|
||||
},
|
||||
|
@ -414,6 +415,14 @@ export const getArtifactsListTestsData = () => [
|
|||
selector:
|
||||
'blocklist-form-values-input-a4370c0cf81686c0b696fa6261c9d3e0d810ae704ab8301839dffd5d5112f476',
|
||||
},
|
||||
{
|
||||
type: 'clear',
|
||||
selector: 'blocklist-form-values-input-741462ab431a22233c787baab9b653c7',
|
||||
},
|
||||
{
|
||||
type: 'clear',
|
||||
selector: 'blocklist-form-values-input-aedb279e378bed6c2db3c9dc9e12ba635e0b391c',
|
||||
},
|
||||
{
|
||||
type: 'input',
|
||||
selector: 'blocklist-form-values-input',
|
||||
|
@ -455,19 +464,41 @@ export const getArtifactsListTestsData = () => [
|
|||
type: 'blocklist',
|
||||
identifier: 'endpoint-blocklist-windows-v1',
|
||||
relative_url:
|
||||
'/api/fleet/artifacts/endpoint-blocklist-windows-v1/730aee3fea0a4d119285ecec500343262fb9f710915536a901a7b1cec8dff714',
|
||||
body: 'eJxVzM0KgzAQBOB32XORxJ81+ipSZM1uMJCqmFgq0ndvCr2Uuc03zAWypN1LhH64IJ2bQA/RP7YgcPsz5yVwRueDFDPFuYgzlQ3m2brJTmnds/rFhoOFc/s7kxfZNFqKwiMtZ4YnhSPLAFRXrbLKOqPRoFUTdugIS9S240oUG61IWlXTZCqlTdWxc9xwo3Xp6hbh/v7mA+fuPhA=',
|
||||
'/api/fleet/artifacts/endpoint-blocklist-windows-v1/637f1e8795406904980ae2ab4a69cea967756571507f6bd7fc94cde0add20df2',
|
||||
body: 'eJylzsFqwzAMgOF38bkU27Jlu69SQpEtmQTSNCTpWCl595qyy45bj9IvxPdUMm3LIKs6nZ9qe8yiTmodrvMo6vCr1UFGbrEOoxx7WvvjlX27uc2y0HZbWhqmMt5ZuG1/Psk3le1SaBW+0PRo4YvGeytnFZxxaCk7MGStBSghhkyUU0bfBtXt3X74q2ntyXyAIuFsQxIIMQtjsZyhJC5JjM2E4EVnSKb8G2c9fsJzEHTRpUaDEYvOmLASWjQNCaI5Gk0StKMcQZsIiWtlz94YW13AN7vbX9OOoO0=',
|
||||
encryption_algorithm: 'none',
|
||||
package_name: 'endpoint',
|
||||
encoded_size: 155,
|
||||
encoded_sha256: 'caa472e57d793539061e438337b519367303f4a75adf5a883c4104b88c30ee08',
|
||||
decoded_size: 196,
|
||||
decoded_sha256: '730aee3fea0a4d119285ecec500343262fb9f710915536a901a7b1cec8dff714',
|
||||
encoded_size: 218,
|
||||
encoded_sha256: '751aacf865573055bef82795d23d99b7ab695eb5fb2a36f1231f02f52da8adc0',
|
||||
decoded_size: 501,
|
||||
decoded_sha256: '637f1e8795406904980ae2ab4a69cea967756571507f6bd7fc94cde0add20df2',
|
||||
compression_algorithm: 'zlib',
|
||||
created: '2000-01-01T00:00:00.000Z',
|
||||
}),
|
||||
getExpectedUpdatedArtifactBodyWhenCreate: (): ArtifactBodyType => ({
|
||||
entries: [
|
||||
{
|
||||
type: 'simple',
|
||||
entries: [
|
||||
{
|
||||
field: 'file.hash.md5',
|
||||
operator: 'included',
|
||||
type: 'exact_cased_any',
|
||||
value: ['741462ab431a22233c787baab9b653c7'],
|
||||
},
|
||||
],
|
||||
},
|
||||
{
|
||||
type: 'simple',
|
||||
entries: [
|
||||
{
|
||||
field: 'file.hash.sha1',
|
||||
operator: 'included',
|
||||
type: 'exact_cased_any',
|
||||
value: ['aedb279e378bed6c2db3c9dc9e12ba635e0b391c'],
|
||||
},
|
||||
],
|
||||
},
|
||||
{
|
||||
type: 'simple',
|
||||
entries: [
|
||||
|
|