[Security Solution][Endpoint] Adds matches wildcard operator for file.path.text field for Event Filters#125202
Conversation
89e3a8a to 75892f2
actually, is it possible to combine duplicated entries into one like this:

We support such filters, here is an example:

Having it this way is a performance improvement as the wildcard is converted to one regex with OR match pattern.

OK, looking again at the example, those two entries have different operators (included vs excluded) so couldn't be combined, but just keep this in mind in general.

This is insightful @intxgo Thanks for pointing this out. I'll make sure I check this as I finish up the PR.
825a266 to 4093521
@intxgo we talked offline and you pointed out that I was chasing down the wrong path. The grouping of values is only needed for ORed entries. Since event filters AND entries, we don't need this improvement in this PR. In short, entries such as

```json
{
  "entries": [
    {
      "type": "simple",
      "entries": [
        {
          "field": "file.path.text",
          "operator": "excluded",
          "type": "wildcard_caseless",
          "value": "c:\\bin*\\group.exe"
        }
      ]
    },
    {
      "type": "simple",
      "entries": [
        {
          "field": "file.path.text",
          "operator": "excluded",
          "type": "wildcard_caseless",
          "value": "d:\\doc*\\another.md"
        }
      ]
    }
  ]
}
```

can be transformed to

```json
{
  "entries": [
    {
      "type": "simple",
      "entries": [
        {
          "field": "file.path.text",
          "operator": "excluded",
          "type": "wildcard_caseless",
          "value": [
            "c:\\bin*\\group.exe",
            "d:\\doc*\\another.md"
          ]
        }
      ]
    }
  ]
}
```

but entries that look like

```json
{
  "type": "simple",
  "entries": [
    {
      "field": "file.path.text",
      "operator": "excluded",
      "type": "wildcard_caseless",
      "value": "c:\\bin*\\group.exe"
    },
    {
      "field": "file.path.text",
      "operator": "excluded",
      "type": "wildcard_caseless",
      "value": "d:\\doc*\\another.md"
    }
  ]
}
```

should not be transformed further to group values yet.
0c27e38 to fb482cb
review changes
review changes
FrankHassanabad
left a comment
LGTM. Appreciate all the work to make these matches work out and all the feedback you changed here. Really awesome.
💚 Build Succeeded

Metrics [docs]: Module Count, Public APIs missing comments, Async chunks, Unknown metric groups, API count, History

To update your PR or re-run it, just comment with:

cc @ashokaditya
Friendly reminder: Looks like this PR hasn't been backported yet.
…wildcard) in wildcard-ed event filter `file.path.text` (#127432)

* update filename regex to include multiple hyphens and periods
  Uses a much simpler pattern that covers a whole gamut of file name patterns.
  fixes elastic/security-team/issues/3294
* remove duplicated code
* add tests for `process.name` entry for filenames with wildcard path
  refs /pull/120349 /pull/125202
* Add file.name optimized entry when wildcard filepath in file.path.text has a filename
  fixes elastic/security-team/issues/3294
* update regex to include unicode chars
  review changes
* add tests for `file.name` and `process.name` entries if it already exists
  This works out of the box and we don't add endpoint related `file.name` or `process.name` entry when it already is added by the user
  refs /pull/127958#discussion_r829086447 elastic/security-team/issues/3199
* fix `file.name` and `file.path.text` entries for linux and mac/linux
  refs /pull/127098
* do not add endpoint optimized entry
  Add `file.name` and `process.name` entry for wildcard path values only when file.name and process.name entries do not already exist. The earlier commit 8a516ae was mistakenly labeled as this worked out of the box. In the same commit we notice that the test data had a wildcard file path that did not add a `file.name` or `process.name` entry. For more see: /pull/127958#discussion_r829086447 elastic/security-team/issues/3199
* update regex to include gamut of unicode characters
  review suggestions
* remove regex altogether
  simplifies the logic to check if path is without wildcard characters. This way it includes all other strings as valid filenames that do not have * or ?
* update artifact creation for `file.path.text` entries
  Similar to when we normalize `file.path.caseless` entries, except that the `type` is `*_cased` for linux and `*_caseless` for non-linux
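The normalization the commit message above describes, written out as an added JavaScript example that is not Kibana's code: it assumes the entry type names `exact_cased`/`exact_caseless` exist alongside the `wildcard_cased`/`wildcard_caseless` types seen in this thread, splits on either path separator, and covers only the `matches` (`included`) case.

```javascript
// Added illustration (not Kibana's implementation): turn one wildcard
// `file.path.text` event-filter value into endpoint artifact entries.
// Function and type names other than those quoted in the thread are assumed.

const WILDCARD_CHARS = /[*?]/;

// Last path segment, splitting on `\` or `/` (assumption: both are accepted).
function filenameOf(path) {
  const segments = path.split(/[\\/]/);
  return segments[segments.length - 1];
}

// A "simple filename" is a non-empty trailing segment with no `*` or `?`,
// so it can be matched with a cheap exact entry instead of only the regex.
function hasSimpleFilename(path) {
  const last = filenameOf(path);
  return last.length > 0 && !WILDCARD_CHARS.test(last);
}

// `os` is 'linux' | 'macos' | 'windows'. Linux paths are case-sensitive,
// hence `*_cased`; macOS and Windows get `*_caseless`.
// `existingFields` lists fields the user already added to the same item, so
// the optimized `file.name` entry is only added when none exists.
function buildFilePathTextEntries(value, os, existingFields = []) {
  const suffix = os === 'linux' ? 'cased' : 'caseless';
  const entries = [
    { field: 'file.path.text', operator: 'included', type: `wildcard_${suffix}`, value },
  ];
  if (hasSimpleFilename(value) && !existingFields.includes('file.name')) {
    entries.push({
      field: 'file.name',
      operator: 'included',
      type: `exact_${suffix}`,
      value: filenameOf(value),
    });
  }
  return entries;
}
```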
Summary

Notable changes

* `matches` and `not match` operators for `file.path.text` fields.
* `process.name` entries for `file.path.text` when there's a simple filename at the end of the wildcard path.
* `packages/kbn-securitysolution-utils`, in order to use in both Trusted Apps and Event Filters input validations.

For creating/updating event filters, this change allows adding wildcard path values when the selected field is `file.path.text` via the `matches` operator.

Screens
Artifact cards vs artifact entries

* Windows: windows artifact entry (screenshot)
* Mac: mac artifact entry (screenshot)
* Linux: linux artifact entry (screenshot)