[Security Solution] Correct linux OS lookup for Endpoint Exceptions (#103038)

kevinlog · kibanamachine · commit 4a802a8ba111 · 2021-06-25T00:25:50.000Z
diff --git a/x-pack/plugins/security_solution/public/common/components/exceptions/exceptionable_endpoint_fields.json b/x-pack/plugins/security_solution/public/common/components/exceptions/exceptionable_endpoint_fields.json
@@ -1,19 +1,11 @@
 [
   "Endpoint.policy.applied.id",
-  "Target.process.Ext.code_signature.status",
-  "Target.process.Ext.code_signature.subject_name",
-  "Target.process.Ext.code_signature.trusted",
-  "Target.process.Ext.code_signature.valid",
   "Target.process.Ext.services",
   "Target.process.Ext.user",
   "Target.process.hash.md5",
   "Target.process.hash.sha1",
   "Target.process.hash.sha256",
   "Target.process.hash.sha512",
-  "Target.process.parent.Ext.code_signature.status",
-  "Target.process.parent.Ext.code_signature.subject_name",
-  "Target.process.parent.Ext.code_signature.trusted",
-  "Target.process.parent.Ext.code_signature.valid",
   "Target.process.parent.hash.md5",
   "Target.process.parent.hash.sha1",
   "Target.process.parent.hash.sha256",
@@ -38,10 +30,6 @@
   "event.outcome",
   "event.provider",
   "event.type",
-  "file.Ext.code_signature.status",
-  "file.Ext.code_signature.subject_name",
-  "file.Ext.code_signature.trusted",
-  "file.Ext.code_signature.valid",
   "file.attributes",
   "file.device",
   "file.directory",
@@ -78,20 +66,12 @@
   "host.os.platform",
   "host.os.version",
   "host.type",
-  "process.Ext.code_signature.status",
-  "process.Ext.code_signature.subject_name",
-  "process.Ext.code_signature.trusted",
-  "process.Ext.code_signature.valid",
   "process.Ext.services",
   "process.Ext.user",
   "process.hash.md5",
   "process.hash.sha1",
   "process.hash.sha256",
   "process.hash.sha512",
-  "process.parent.Ext.code_signature.status",
-  "process.parent.Ext.code_signature.subject_name",
-  "process.parent.Ext.code_signature.trusted",
-  "process.parent.Ext.code_signature.valid",
   "process.parent.hash.md5",
   "process.parent.hash.sha1",
   "process.parent.hash.sha256",
diff --git a/x-pack/plugins/security_solution/public/common/components/exceptions/exceptionable_windows_mac_fields.json b/x-pack/plugins/security_solution/public/common/components/exceptions/exceptionable_windows_mac_fields.json
@@ -18,5 +18,21 @@
     "process.parent.executable.caseless",
     "process.parent.name.caseless",
     "process.parent.working_directory.caseless",
-    "process.working_directory.caseless"
+    "process.working_directory.caseless",
+    "Target.process.Ext.code_signature.status",
+    "Target.process.Ext.code_signature.subject_name",
+    "Target.process.Ext.code_signature.trusted",
+    "Target.process.Ext.code_signature.valid",
+    "Target.process.parent.Ext.code_signature.status",
+    "Target.process.parent.Ext.code_signature.subject_name",
+    "Target.process.parent.Ext.code_signature.trusted",
+    "Target.process.parent.Ext.code_signature.valid",
+    "file.Ext.code_signature.status",
+    "file.Ext.code_signature.subject_name",
+    "file.Ext.code_signature.trusted",
+    "file.Ext.code_signature.valid",
+    "process.parent.Ext.code_signature.status",
+    "process.parent.Ext.code_signature.subject_name",
+    "process.parent.Ext.code_signature.trusted",
+    "process.parent.Ext.code_signature.valid"
 ]  
diff --git a/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.test.tsx b/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.test.tsx
@@ -87,17 +87,6 @@ const mockLinuxEndpointFields = [
     aggregatable: false,
     readFromDocValues: false,
   },
-  {
-    name: 'file.Ext.code_signature.status',
-    type: 'string',
-    esTypes: ['text'],
-    count: 0,
-    scripted: false,
-    searchable: true,
-    aggregatable: false,
-    readFromDocValues: false,
-    subType: { nested: { path: 'file.Ext.code_signature' } },
-  },
 ];
 
 export const getEndpointField = (name: string) =>
diff --git a/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx b/x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx
@@ -236,7 +236,10 @@ export const enrichExceptionItemsWithOS = (
 export const retrieveAlertOsTypes = (alertData?: AlertData): OsTypeArray => {
   const osDefaults: OsTypeArray = ['windows', 'macos'];
   if (alertData != null) {
-    const os = alertData.host && alertData.host.os && alertData.host.os.family;
+    const os =
+      alertData?.agent?.type === 'endpoint'
+        ? alertData.host?.os?.name?.toLowerCase()
+        : alertData.host?.os?.family;
     if (os != null) {
       return osType.is(os) ? [os] : osDefaults;
     }
@@ -361,48 +364,64 @@ export const getPrepopulatedEndpointException = ({
   const { file, host } = alertEcsData;
   const filePath = file?.path ?? '';
   const sha256Hash = file?.hash?.sha256 ?? '';
-  const filePathDefault = host?.os?.family === 'linux' ? 'file.path' : 'file.path.caseless';
+  const isLinux = host?.os?.name === 'Linux';
+
+  const commonFields: Array<{
+    field: string;
+    operator: 'excluded' | 'included';
+    type: 'match';
+    value: string;
+  }> = [
+    {
+      field: isLinux ? 'file.path' : 'file.path.caseless',
+      operator: 'included',
+      type: 'match',
+      value: filePath ?? '',
+    },
+    {
+      field: 'file.hash.sha256',
+      operator: 'included',
+      type: 'match',
+      value: sha256Hash ?? '',
+    },
+    {
+      field: 'event.code',
+      operator: 'included',
+      type: 'match',
+      value: eventCode ?? '',
+    },
+  ];
+  const entriesToAdd = () => {
+    if (isLinux) {
+      return addIdToEntries(commonFields);
+    } else {
+      return addIdToEntries([
+        {
+          field: 'file.Ext.code_signature',
+          type: 'nested',
+          entries: [
+            {
+              field: 'subject_name',
+              operator: 'included',
+              type: 'match',
+              value: codeSignature != null ? codeSignature.subjectName : '',
+            },
+            {
+              field: 'trusted',
+              operator: 'included',
+              type: 'match',
+              value: codeSignature != null ? codeSignature.trusted : '',
+            },
+          ],
+        },
+        ...commonFields,
+      ]);
+    }
+  };
 
   return {
     ...getNewExceptionItem({ listId, namespaceType: listNamespace, ruleName }),
-    entries: addIdToEntries([
-      {
-        field: 'file.Ext.code_signature',
-        type: 'nested',
-        entries: [
-          {
-            field: 'subject_name',
-            operator: 'included',
-            type: 'match',
-            value: codeSignature != null ? codeSignature.subjectName : '',
-          },
-          {
-            field: 'trusted',
-            operator: 'included',
-            type: 'match',
-            value: codeSignature != null ? codeSignature.trusted : '',
-          },
-        ],
-      },
-      {
-        field: filePathDefault,
-        operator: 'included',
-        type: 'match',
-        value: filePath ?? '',
-      },
-      {
-        field: 'file.hash.sha256',
-        operator: 'included',
-        type: 'match',
-        value: sha256Hash ?? '',
-      },
-      {
-        field: 'event.code',
-        operator: 'included',
-        type: 'match',
-        value: eventCode ?? '',
-      },
-    ]),
+    entries: entriesToAdd(),
   };
 };
 
