From 872504aed582f28ebdab36f83b7c09e6a56e5333 Mon Sep 17 00:00:00 2001
From: Kevin Logan <56395104+kevinlog@users.noreply.github.com>
Date: Fri, 29 Sep 2023 17:34:46 -0400
Subject: [PATCH] [Security Solution] Add mac and enrichment fields advanced
Policy setting for 8.11 (#167536)
## Summary
Adds new advanced policy options for Mac for 8.11 (kernel file access, image load events, image load capture).
Enrichment fields: adds a `document_enrichment.fields` advanced setting for Windows, Mac and Linux.
### Checklist
Delete any items that are not applicable to this PR.
- [x] Any text added follows [EUI's writing
guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses
sentence case text and includes [i18n
support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)
---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Daniel Ferullo <56368752+ferullo@users.noreply.github.com>
---
.../policy/models/advanced_policy_schema.ts | 66 +++++++++++++++++++
1 file changed, 66 insertions(+)
diff --git a/x-pack/plugins/security_solution/public/management/pages/policy/models/advanced_policy_schema.ts b/x-pack/plugins/security_solution/public/management/pages/policy/models/advanced_policy_schema.ts
index 02d856fa4ebd..46882ea876a9 100644
--- a/x-pack/plugins/security_solution/public/management/pages/policy/models/advanced_policy_schema.ts
+++ b/x-pack/plugins/security_solution/public/management/pages/policy/models/advanced_policy_schema.ts
@@ -1362,4 +1362,70 @@ export const AdvancedPolicySchema: AdvancedPolicySchemaType[] = [
}
),
},
+ {
+ key: 'mac.advanced.kernel.fileaccess',
+ first_supported_version: '8.11',
+ documentation: i18n.translate(
+ 'xpack.securitySolution.endpoint.policy.advanced.mac.advanced.kernel.fileaccess',
+ {
+ defaultMessage:
+ 'A value of false overrides other config settings that would enable kernel fileaccess events. Default: true.',
+ }
+ ),
+ },
+ {
+ key: 'mac.advanced.events.image_load',
+ first_supported_version: '8.11',
+ documentation: i18n.translate(
+ 'xpack.securitySolution.endpoint.policy.advanced.mac.advanced.events.image_load',
+ {
+ defaultMessage:
+ 'A value of false overrides other config settings that would enable kernel image load events. Default: true.',
+ }
+ ),
+ },
+ {
+ key: 'mac.advanced.image_load.capture',
+ first_supported_version: '8.11',
+ documentation: i18n.translate(
+ 'xpack.securitySolution.endpoint.policy.advanced.mac.advanced.image_load.collect',
+ {
+ defaultMessage:
+ 'Collect and send image load events to Elasticsearch. Take caution, this can be a very high data volume. Adding an event filter to drop unwanted events is strongly recommended. Default: false',
+ }
+ ),
+ },
+ {
+ key: 'windows.advanced.document_enrichment.fields',
+ first_supported_version: '8.11',
+ documentation: i18n.translate(
+ 'xpack.securitySolution.endpoint.policy.advanced.windows.advanced.document_enrichment.fields',
+ {
+ defaultMessage:
+ 'A comma delimited set of key=value pairs of values to add into all Endpoint documents. Each key must begin with Custom. An example is Custom.key=value1,Custom.key2=value2',
+ }
+ ),
+ },
+ {
+ key: 'mac.advanced.document_enrichment.fields',
+ first_supported_version: '8.11',
+ documentation: i18n.translate(
+ 'xpack.securitySolution.endpoint.policy.advanced.mac.advanced.document_enrichment.fields',
+ {
+ defaultMessage:
+ 'A comma delimited set of key=value pairs of values to add into all Endpoint documents. Each key must begin with Custom. An example is Custom.key=value1,Custom.key2=value2',
+ }
+ ),
+ },
+ {
+ key: 'linux.advanced.document_enrichment.fields',
+ first_supported_version: '8.11',
+ documentation: i18n.translate(
+ 'xpack.securitySolution.endpoint.policy.advanced.linux.advanced.document_enrichment.fields',
+ {
+ defaultMessage:
+ 'A comma delimited set of key=value pairs of values to add into all Endpoint documents. Each key must begin with Custom. An example is Custom.key=value1,Custom.key2=value2',
+ }
+ ),
+ },
];
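Review bot: The i18n id for the `mac.advanced.image_load.capture` entry ends in `image_load.collect` while the setting key ends in `image_load.capture`; every other entry in this hunk uses an id that mirrors its key, so this looks like a leftover from a rename and will leave the translation id out of step with the key. Unless the id is deliberately shared with an existing message, change it to `'xpack.securitySolution.endpoint.policy.advanced.mac.advanced.image_load.capture'`, and for consistency end that entry's message with `Default: false.` like its neighbours. For the three `document_enrichment.fields` entries, the text says each key must begin with `Custom` but not what the Endpoint does with a key that does not (presumably rejected or dropped — worth confirming and stating), nor whether values may themselves contain `,` or `=`, which the comma/equals-delimited format cannot express. Since these values are stamped into every document the Endpoint ships, one confirmed sentence such as `Keys that do not begin with Custom are ignored by the Endpoint; values may not contain commas or equals signs.` would keep operators from silently producing unenriched or mis-parsed documents. The `AdvancedPolicySchema` array this hunk extends starts before the hunk.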