
[Security Solution][Endpoint Exceptions] Warning callout for incomplete code signature for endpoint exceptions#198245

Merged
parkiino merged 11 commits into elastic:main from parkiino:task/exceptions-warning
Nov 12, 2024

Conversation

@parkiino
Contributor

@parkiino parkiino commented Oct 30, 2024

Summary

Navigate to Security Solution > Manage > Rules > Add Endpoint Exception

  • Warning callout shown in endpoint exceptions when code signature field is incomplete (i.e. process.code_signature.subject_name w/o process.code_signature.trusted or vice versa)
  • For mac operating systems, process.code_signature.team_id is also accepted as an equivalent to subject_name
  • Warning callout is also shown for nested entries for this code signature field: process.Ext.code_signature
  • Unit Tests

Screenshots

Subject name only -- warning is present
image

Trusted field only -- warning is present
image

Both subject name and trusted fields -- no warning is present
image
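As an added example (editor's illustration, not Kibana's code and not from the PR author), the following standalone TypeScript check reproduces the rule described in the summary: flag a code-signature group as incomplete when it has an identity field (process.code_signature.subject_name, or process.code_signature.team_id on macOS) without process.code_signature.trusted, or trusted without an identity field, and apply the same rule to nested process.Ext.code_signature entries. The entry shape (field/type/value, with nested entries carrying sub-entries), the type names and the function name are assumptions made for this illustration; the sample entries are constructed. The reason the warning matters: subject_name is a string read from the binary's signature, while trusted records whether that signature's certificate chain actually validated, so an exception keyed on subject_name alone can be satisfied by a binary carrying an invalid or self-signed signature with that subject name, and one keyed on trusted alone matches any validly signed process.

```typescript
// Added example (not Kibana's own code): detect an "incomplete" code-signature
// condition in an endpoint exception. Entry shapes are simplified assumptions
// modelled on exception-list entries; sample data below is constructed.

type OsType = 'windows' | 'macos' | 'linux';

interface MatchEntry {
  field: string;
  type: 'match';
  value: string;
}

interface NestedEntry {
  field: string;      // e.g. 'process.Ext.code_signature'
  type: 'nested';
  entries: MatchEntry[]; // sub-entries whose `field` is the leaf, e.g. 'subject_name'
}

type ExceptionEntry = MatchEntry | NestedEntry;

// Both the flat field and the nested Endpoint extension field are code-signature groups.
const CODE_SIGNATURE_PREFIXES = ['process.code_signature', 'process.Ext.code_signature'];

/** Split a code-signature field into its group prefix and leaf; null if it is not one. */
function codeSignatureLeaf(field: string): { prefix: string; leaf: string } | null {
  for (const prefix of CODE_SIGNATURE_PREFIXES) {
    if (field.startsWith(prefix + '.')) {
      return { prefix, leaf: field.slice(prefix.length + 1) };
    }
  }
  return null;
}

/**
 * True when some code-signature group names an identity field (subject_name,
 * or team_id on macOS) without `trusted`, or `trusted` without an identity
 * field. Nested entries are flattened to `<prefix>.<leaf>` before the check.
 */
function hasPartialCodeSignature(entries: ExceptionEntry[], os: OsType): boolean {
  const groups = new Map<string, Set<string>>(); // prefix -> leaves referenced

  const record = (field: string): void => {
    const parsed = codeSignatureLeaf(field);
    if (!parsed) return; // not a code-signature field, ignore
    if (!groups.has(parsed.prefix)) groups.set(parsed.prefix, new Set());
    groups.get(parsed.prefix)!.add(parsed.leaf);
  };

  for (const entry of entries) {
    if (entry.type === 'nested') {
      for (const sub of entry.entries) record(`${entry.field}.${sub.field}`);
    } else {
      record(entry.field);
    }
  }

  // team_id only counts as an identity field on macOS, as the PR summary states.
  const identityLeaves = os === 'macos' ? ['subject_name', 'team_id'] : ['subject_name'];

  for (const leaves of groups.values()) {
    const hasIdentity = identityLeaves.some((leaf) => leaves.has(leaf));
    const hasTrusted = leaves.has('trusted');
    if (hasIdentity !== hasTrusted) return true; // one half present without the other
  }
  return false;
}

// Constructed sample entries (not captured from a real exception list).
const SUBJECT_ONLY: ExceptionEntry[] = [
  { field: 'process.code_signature.subject_name', type: 'match', value: 'Example Corp' },
];
const TRUSTED_ONLY: ExceptionEntry[] = [
  { field: 'process.code_signature.trusted', type: 'match', value: 'true' },
];
const COMPLETE: ExceptionEntry[] = [
  { field: 'process.code_signature.subject_name', type: 'match', value: 'Example Corp' },
  { field: 'process.code_signature.trusted', type: 'match', value: 'true' },
];
const TEAM_ID_TRUSTED: ExceptionEntry[] = [
  { field: 'process.code_signature.team_id', type: 'match', value: 'ABCDE12345' },
  { field: 'process.code_signature.trusted', type: 'match', value: 'true' },
];
const NESTED_SUBJECT_ONLY: ExceptionEntry[] = [
  { field: 'process.executable', type: 'match', value: 'C:\\tools\\app.exe' },
  {
    field: 'process.Ext.code_signature',
    type: 'nested',
    entries: [{ field: 'subject_name', type: 'match', value: 'Example Corp' }],
  },
];

for (const [name, entries, os] of [
  ['subject_name only', SUBJECT_ONLY, 'windows'],
  ['trusted only', TRUSTED_ONLY, 'windows'],
  ['subject_name + trusted', COMPLETE, 'windows'],
  ['team_id + trusted (macos)', TEAM_ID_TRUSTED, 'macos'],
  ['nested subject_name only', NESTED_SUBJECT_ONLY, 'windows'],
] as const) {
  console.log(`${name}: warn=${hasPartialCodeSignature([...entries], os)}`);
}
```

Running the block prints one line per constructed case; the two single-field cases and the nested case warn, the two complete pairs do not. The same team_id + trusted pair evaluated with os set to windows warns, because team_id is only treated as an identity field on macOS.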

@parkiino parkiino added labels release_note:skip (Skip the PR/issue when compiling release notes), backport:skip (This PR does not require backporting), Team:Defend Workflows (“EDR Workflows” sub-team of Security Solution), v8.17.0 on Oct 30, 2024
@parkiino parkiino marked this pull request as ready for review October 30, 2024 21:39
@parkiino parkiino requested a review from a team as a code owner October 30, 2024 21:39
@parkiino parkiino requested a review from rylnd October 30, 2024 21:39
@elasticmachine
Contributor

Pinging @elastic/security-defend-workflows (Team:Defend Workflows)

@parkiino parkiino requested review from a team, paul-tavares and tomsonpl and removed request for a team October 31, 2024 14:48
Contributor

@paul-tavares paul-tavares left a comment


Left a suggestion re: tests for the reducer files changed, but am 👍

wildcardWarningExists: warningExists,
};
}
case 'setPartialCodeSignature': {
Contributor


I suggest you add some tests for the reducer files you changed as well.

Contributor

@tomsonpl tomsonpl left a comment


🚀

@parkiino parkiino enabled auto-merge (squash) November 12, 2024 05:24
@elasticmachine
Contributor

💚 Build Succeeded

Metrics [docs]

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
securitySolution 13.4MB 13.4MB +717.0B


Contributor

@rylnd rylnd left a comment


Changes LGTM, thanks!

@parkiino parkiino merged commit ce481f1 into elastic:main Nov 12, 2024
@parkiino parkiino deleted the task/exceptions-warning branch November 12, 2024 19:31
CAWilson94 pushed a commit to CAWilson94/kibana that referenced this pull request Nov 18, 2024
…te code signature for endpoint exceptions (elastic#198245)

## Summary

Navigate to Security Solution > Manage > Rules > Add Endpoint Exception

- [x] Warning callout shown in endpoint exceptions when code signature
field is incomplete (i.e. process.code_signature.subject_name w/o
process.code_signature.trusted or vice versa)
- [x] For mac operating systems, process.code_signature.team_id is also
accepted as an equivalent to subject_name
- [ ] Warning callout is also shown for nested entries for this code
signature field: process.Ext.code_signature
- [x] Unit Tests

# Screenshots
Subject name only -- warning is present

![image](https://github.com/user-attachments/assets/eccf4d49-a4b1-47fc-8c51-bddf4fd6664f)

Trusted field only -- warning is present

![image](https://github.com/user-attachments/assets/d3ba6716-e7d1-4709-a5b1-1e472964b6e3)


Both subject name and trusted fields -- no warning is present

![image](https://github.com/user-attachments/assets/11b179ff-278e-4ec6-a749-638f428215aa)

Labels

backport:skip (This PR does not require backporting), release_note:skip (Skip the PR/issue when compiling release notes), Team:Defend Workflows (“EDR Workflows” sub-team of Security Solution), v8.17.0, v9.0.0


6 participants