[8.19] [Security Solution][Endpoint Exceptions] Fixes bug where behavior alerts do not show nested code signatures with subject name and trusted field (#212325)#220553
Merged
kibanamachine merged 3 commits intoelastic:8.19from May 19, 2025
Conversation
…rts do not show nested code signatures with subject name and trusted field (elastic#212325) ## Summary When navigating to the endpoint exceptions form from an alert, we pre-populate certain exceptions fields based on the type of alert. There was a bug for behavior alerts where we did not use the proper nested `code_signature` field for windows and mac endpoints. Instead of showing the nested `code_signature` field that has the `subject_name` and `trusted` sub-fields, we only showed non-nested `code_signature subject field. This PR also refactors the code to account for the following behaviors that we want: - [x] If `field.Ext.code_signature` is present, we want to use the nested `code_signature` subject field with the `subject_name` and `trusted` sub-fields for - [x] If `field.Ext.code_signature` is not present, we will default to the non-nested `field.code_signature.subject_name` and `field.code_signature.trusted` field pair. - [x] We will only show non-empty pre-populated values and also only code signature values with the `trusted` field set to `true` - [x] Pre-populated code signature fields are only present in windows and mac OSes. - [x] Behavior, ransomware and default alerts had the code_signature adjustments - [x] Previously the code duplicated a set of the pre-populated fields PER code signature. Now, each pre-populated field is only shown once, followed by all valid code_signatures. - [x] Does not allow duplicate code signatures # SCREENSHOTS Behavior alert w/ nested `process.Ext.code_signature` and non-nested `dll.code_signature` fields  Malware alert w/ nested `file.Ext.code_signature` <img width="1281" alt="image" src="https://github.com/user-attachments/assets/4845c6e5-5567-49df-b66a-1b9a2e6410db" /> --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com> (cherry picked from commit 76e256c)
7 tasks
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
Contributor
💔 Build Failed
Failed CI StepsTest Failures
Metrics [docs]Public APIs missing comments
Async chunks
Historycc @parkiino |
Contributor
|
@elasticmachine merge upstream |
Contributor
|
@elasticmachine merge upstream |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Backport
This will backport the following commits from
mainto8.19:Questions ?
Please refer to the Backport tool documentation