[Security Solution][Admin][Policy] Add credential access to endpoint policy windows eventing (#149553)

## Summary

- [x] Adds a `Credential Access` option to the Endpoint policy Windows events (Windows only); the default is `true` for new policies
- [x] Migration for old policies, with the default set to `false`


# Screenshots

![image](https://user-images.githubusercontent.com/56409205/214680325-56f0ba9a-45b7-4b3e-afaf-c5fd8e367440.png)
This commit is contained in:
Candace Park 2023-02-02 17:17:56 -05:00 committed by GitHub
parent 5909ca5b76
commit 89b89abf20
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
10 changed files with 182 additions and 1 deletions


@ -104,7 +104,7 @@ describe('checking migration metadata changes on all registered SO types', () =>
"ingest-agent-policies": "54d586fdafae83ba326e47d1a3727b0d9c910a12",
"ingest-download-sources": "1e69dabd6db5e320fe08c5bda8f35f29bafc6b54",
"ingest-outputs": "29181ecfdc7723f544325ecef7266bccbc691a54",
"ingest-package-policies": "d93048bf153f9043946e8965065a88014f7ccb41",
"ingest-package-policies": "0335a28af793ce25b4969d2156cfaf1dae2ef812",
"ingest_manager_settings": "6f36714825cc15ea8d7cda06fde7851611a532b4",
"inventory-view": "bc2bd1e7ec7c186159447ab228d269f22bd39056",
"kql-telemetry": "29544cd7d3b767c5399878efae6bd724d24c03fd",


@ -53,6 +53,7 @@ import {
migrateInstallationToV860,
migratePackagePolicyToV860,
} from './migrations/to_v8_6_0';
import { migratePackagePolicyToV870 } from './migrations/security_solution';
/*
* Saved object types and mappings
@ -240,6 +241,7 @@ const getSavedObjectTypes = (
'8.4.0': migratePackagePolicyToV840,
'8.5.0': migratePackagePolicyToV850,
'8.6.0': migratePackagePolicyToV860,
'8.7.0': migratePackagePolicyToV870,
},
},
[PACKAGES_SAVED_OBJECT_TYPE]: {


@ -16,3 +16,4 @@ export { migratePackagePolicyToV830 } from './to_v8_3_0';
export { migratePackagePolicyToV840 } from './to_v8_4_0';
export { migratePackagePolicyToV850 } from './to_v8_5_0';
export { migratePackagePolicyToV860 } from './to_v8_6_0';
export { migratePackagePolicyToV870 } from './to_v8_7_0';


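--- /dev/null
+++ b/[dir not shown]/migrations/security_solution/[test file name not shown]
@@ -0,0 +1,134 @@
+/*
+* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+* or more contributor license agreements. Licensed under the Elastic License
+* 2.0; you may not use this file except in compliance with the Elastic License
+* 2.0.
+*/
+import type { SavedObjectMigrationContext, SavedObjectUnsanitizedDoc } from '@kbn/core/server';
+import type { PackagePolicy } from '../../../../common';
+import { migratePackagePolicyToV870 as migration } from './to_v8_7_0';
+describe('8.7.0 Endpoint Package Policy migration', () => {
+const policyDoc = ({ windowsEvents = {} }) => {
+return {
+id: 'mock-saved-object-id',
+attributes: {
+name: 'Some Policy Name',
+package: {
+name: 'endpoint',
+title: '',
+version: '',
+},
+id: 'endpoint',
+policy_id: '',
+enabled: true,
+namespace: '',
+revision: 0,
+updated_at: '',
+updated_by: '',
+created_at: '',
+created_by: '',
+inputs: [
+{
+type: 'endpoint',
+enabled: true,
+streams: [],
+config: {
+policy: {
+value: {
+windows: {
+...windowsEvents,
+},
+mac: {},
+linux: {},
+},
+},
+},
+},
+],
+},
+type: ' nested',
+};
+};
+it('adds credential access to windows events, defaulted to false', () => {
+const initialDoc = policyDoc({
+windowsEvents: { events: { process: true, file: true, network: true } },
+});
+const migratedDoc = policyDoc({
+windowsEvents: {
+events: { process: true, file: true, network: true, credential_access: false },
+},
+});
+expect(migration(initialDoc, {} as SavedObjectMigrationContext)).toEqual(migratedDoc);
+});
+it('does not modify non-endpoint package policies', () => {
+const doc: SavedObjectUnsanitizedDoc<PackagePolicy> = {
+id: 'mock-saved-object-id',
+attributes: {
+name: 'Some Policy Name',
+package: {
+name: 'notEndpoint',
+title: '',
+version: '',
+},
+id: 'notEndpoint',
+policy_id: '',
+enabled: true,
+namespace: '',
+revision: 0,
+updated_at: '',
+updated_by: '',
+created_at: '',
+created_by: '',
+inputs: [
+{
+type: 'notEndpoint',
+enabled: true,
+streams: [],
+config: {},
+},
+],
+},
+type: ' nested',
+};
+expect(
+migration(doc, {} as SavedObjectMigrationContext) as SavedObjectUnsanitizedDoc<PackagePolicy>
+).toEqual({
+attributes: {
+name: 'Some Policy Name',
+package: {
+name: 'notEndpoint',
+title: '',
+version: '',
+},
+id: 'notEndpoint',
+policy_id: '',
+enabled: true,
+namespace: '',
+revision: 0,
+updated_at: '',
+updated_by: '',
+created_at: '',
+created_by: '',
+inputs: [
+{
+type: 'notEndpoint',
+enabled: true,
+streams: [],
+config: {},
+},
+],
+},
+type: ' nested',
+id: 'mock-saved-object-id',
+});
+});
+});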
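Review bot: The suite exercises only the happy path for endpoint policies — `adds credential access to windows events, defaulted to false` builds a document whose `inputs[0].config.policy.value.windows.events` already exists — and has no case for an endpoint policy whose first input lacks `config`, `policy.value` or `windows.events`, which is where the migration function dereferences without a guard. A test that passes `policyDoc({})` (no `events` object) or an input with `config: {}` and asserts the document comes back unchanged would pin that behaviour before it reaches a real migration run. Note also that `type: ' nested'` carries a leading space on three lines; it is only compared against itself, so the assertions still pass, but it reads as a typo for `'nested'`.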


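--- /dev/null
+++ b/[dir not shown]/migrations/security_solution/to_v8_7_0.ts
@@ -0,0 +1,30 @@
+/*
+* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+* or more contributor license agreements. Licensed under the Elastic License
+* 2.0; you may not use this file except in compliance with the Elastic License
+* 2.0.
+*/
+import type { SavedObjectMigrationFn, SavedObjectUnsanitizedDoc } from '@kbn/core/server';
+import type { PackagePolicy } from '../../../../common';
+export const migratePackagePolicyToV870: SavedObjectMigrationFn<PackagePolicy, PackagePolicy> = (
+packagePolicyDoc
+) => {
+if (packagePolicyDoc.attributes.package?.name !== 'endpoint') {
+return packagePolicyDoc;
+}
+const updatedPackagePolicyDoc: SavedObjectUnsanitizedDoc<PackagePolicy> = packagePolicyDoc;
+const input = updatedPackagePolicyDoc.attributes.inputs[0];
+if (input && input.config) {
+const policy = input.config.policy.value;
+policy.windows.events.credential_access = false;
+}
+return updatedPackagePolicyDoc;
+};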
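Review bot: `const policy = input.config.policy.value;` and the following `policy.windows.events.credential_access = false;` dereference `policy`, `value`, `windows` and `events` with no guard beyond `input && input.config`, so an endpoint package-policy document whose first input has a `config` but not that nested structure would throw and abort the whole saved-object migration. Narrowing the check to the leaf, `const events = input?.config?.policy?.value?.windows?.events; if (events) { events.credential_access = false; }`, has the same effect on well-formed documents and skips malformed ones instead of failing the migration. The document is also updated in place — `updatedPackagePolicyDoc` is the same object as `packagePolicyDoc`, not a copy — which is presumably acceptable for a migration function, but the name suggests a copy is made. Since `policyFactory` sets `credential_access: true` for new policies while this migration forces `false` on existing ones, a comment such as `// Existing policies keep credential access off so the migration does not change what the endpoint already collects; new policies default to true in policyFactory.` would record that intent for the next reader.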


@ -15,6 +15,7 @@ export const policyFactory = (): PolicyConfig => {
return {
windows: {
events: {
credential_access: true,
dll_and_driver_load: true,
dns: true,
file: true,


@ -73,6 +73,7 @@ describe('Policy Config helpers', () => {
const defaultPolicy: PolicyConfig = policyFactory();
const windowsEvents: typeof defaultPolicy.windows.events = {
credential_access: false,
dll_and_driver_load: false,
dns: false,
file: false,
@ -120,6 +121,7 @@ describe('Policy Config helpers', () => {
export const eventsOnlyPolicy: PolicyConfig = {
windows: {
events: {
credential_access: true,
dll_and_driver_load: true,
dns: true,
file: true,


@ -933,6 +933,7 @@ export interface PolicyConfig {
};
};
events: {
credential_access: boolean;
dll_and_driver_load: boolean;
dns: boolean;
file: boolean;


@ -271,6 +271,7 @@ describe('policy details: ', () => {
value: {
windows: {
events: {
credential_access: true,
dll_and_driver_load: true,
dns: false,
file: true,


@ -16,6 +16,15 @@ import type { EventFormOption } from '../../components/events_form';
import { EventsForm } from '../../components/events_form';
const OPTIONS: ReadonlyArray<EventFormOption<OperatingSystem.WINDOWS>> = [
{
name: i18n.translate(
'xpack.securitySolution.endpoint.policyDetailsConfig.windows.events.credentialAccess',
{
defaultMessage: 'Credential Access',
}
),
protectionField: 'credential_access',
},
{
name: i18n.translate(
'xpack.securitySolution.endpoint.policyDetailsConfig.windows.events.dllDriverLoad',