[Security] Add telemetry for new protection types and arrays of objects #97624
rw-access merged 8 commits into elastic:master from rw-access:telemetry-new-protections
Conversation
| return { | ||
| ...newEvent, | ||
| // cast to object[] to be a valid SearchTypes variant | ||
| [allowKey]: (eventValue as object[]).map((v) => |
It seems like this cast isn't safe because even if eventValue is an array, it might be an array of strings, boolean, or any other object, according to SearchTypes.
Fair point. Yeah, I think this assumes that you'll never find something inconsistent with the schema.
| return { | ||
| ...newEvent, | ||
| // cast to object[] to be a valid SearchTypes variant | ||
| [allowKey]: (eventValue as object[]).map((v) => | ||
| copyAllowlistedFields(allowValue, v as TelemetryEvent) | ||
| ), | ||
| }; |
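Review bot: the cast on the `[allowKey]: (eventValue as object[]).map(...)` line is a compile-time assertion only; per SearchTypes the array may contain strings, booleans or numbers, and each element is then handed to copyAllowlistedFields as a TelemetryEvent. Filter the elements with a runtime check such as `typeof v === 'object' && v !== null` before the map, so a document that does not match the schema cannot pass a primitive or null into the recursive call.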
| return { | |
| ...newEvent, | |
| // cast to object[] to be a valid SearchTypes variant | |
| [allowKey]: (eventValue as object[]).map((v) => | |
| copyAllowlistedFields(allowValue, v as TelemetryEvent) | |
| ), | |
| }; | |
| const allowedFields = []; | |
| for (const v of eventValue) { | |
| if (typeof v === 'object') { | |
| // casting this as AllowlistFields is a recursive structure, any object values it has are also AllowlistFields | |
| const sub: AllowlistFields = v as AllowlistFields; | |
| allowedFields.push(copyAllowlistedFields(allowValue, sub)); | |
| } | |
| } | |
| return { | |
| ...newEvent, | |
| [allowKey]: allowedFields, | |
| }; |
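Review bot: the `typeof v === 'object'` guard in the suggested loop still admits null (typeof null is 'object' in JavaScript) and nested arrays, so a null element of eventValue would be cast and passed to copyAllowlistedFields; tighten it to `typeof v === 'object' && v !== null && !Array.isArray(v)`. The suggestion also changes the element's cast from TelemetryEvent to AllowlistFields, but the array element is a fragment of the event being filtered, and the recursive-structure argument in the comment applies to the allowlist, not to the event, so the original `v as TelemetryEvent` type is the right one to keep.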
This approach would check that the value is an object before casting it to an AllowlistFields.
Also, I thought for loops were basically despised for being non-idiomatic.
Does this work? Basically did what you have, but with filter+map.
bbcaec1
Also had to split out BaseSearchTypes from SearchTypes, for TypeScript to not barf.
…ts (elastic#97624)
* Add telemetry for new protection types and arrays of objects
* Add malware_signature to process.Ext + dll.Ext
* Fix comments for base fields
* Move naming convention disable to a line
* Fix unit test for rule.version
💚 Backport successful
This backport PR will be merged automatically after passing CI.
💛 Build succeeded, but was flaky
Test Failures
Kibana Pipeline / general / X-Pack Search Sessions Integration.x-pack/test/search_sessions_integration/tests/apps/dashboard/async_search/sessions_in_space·ts.Dashboard dashboard in space Disabled storing search sessions "before all" hook for "Doesn't allow to store a session"
Kibana Pipeline / general / X-Pack Search Sessions Integration.x-pack/test/search_sessions_integration/tests/apps/dashboard/async_search/sessions_in_space·ts.Dashboard dashboard in space Disabled storing search sessions "after all" hook for "Doesn't allow to store a session"
Kibana Pipeline / general / X-Pack Search Sessions Integration.x-pack/test/search_sessions_integration/tests/apps/dashboard/async_search.Dashboard "after all" hook in "Dashboard"
Metrics [docs]
Unknown metric groups
API count
API count missing comments
Non-exported public API item count
History
To update your PR or re-run it, just comment with:
…ts (#97624) (#97703)
* Add telemetry for new protection types and arrays of objects
* Add malware_signature to process.Ext + dll.Ext
* Fix comments for base fields
* Move naming convention disable to a line
* Fix unit test for rule.version
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Summary
Added additional telemetry fields for new protection types.
The behavior protection contains events: [...] where some events (file, registry, network, process, etc.) are nested inside the document. I slightly restructured the code for better reuse. Also, I added support to traverse arrays of objects, which the existing allowlist checking code didn't do.
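The allowlist traversal the summary describes (recursing into nested objects and into arrays of objects, with the runtime element check raised in the review), as an added example that is not Kibana's own code. The AllowlistFields and TelemetryEvent type shapes, the isPlainObject guard and the sample document are assumptions constructed here.

```typescript
// Added example (not Kibana's implementation): copy only allowlisted fields from a
// telemetry event, recursing into nested objects and into arrays of objects.
// AllowlistFields (assumed shape) is recursive: a key maps to true (copy as-is) or to a nested allowlist.
type AllowlistFields = { [key: string]: boolean | AllowlistFields };
// A telemetry event is an arbitrary JSON-like document (assumed shape).
type JsonValue = string | number | boolean | null | JsonValue[] | { [key: string]: JsonValue };
type TelemetryEvent = { [key: string]: JsonValue };

// Runtime guard: typeof null === 'object' and arrays are objects too, so exclude both.
function isPlainObject(v: unknown): v is TelemetryEvent {
  return typeof v === 'object' && v !== null && !Array.isArray(v);
}

function copyAllowlistedFields(allowlist: AllowlistFields, event: TelemetryEvent): TelemetryEvent {
  const out: TelemetryEvent = {};
  for (const [key, allowValue] of Object.entries(allowlist)) {
    if (!(key in event)) continue;
    const eventValue = event[key];
    if (allowValue === true) {
      out[key] = eventValue; // leaf field: copy verbatim
    } else if (typeof allowValue === 'object') {
      if (isPlainObject(eventValue)) {
        out[key] = copyAllowlistedFields(allowValue, eventValue);
      } else if (Array.isArray(eventValue)) {
        // Array of objects: keep only real objects, then recurse with the same
        // allowlist; primitives and nulls in the array are dropped, not cast.
        out[key] = eventValue.filter(isPlainObject).map((v) => copyAllowlistedFields(allowValue, v));
      }
      // Any other value type under a nested allowlist is not copied.
    }
  }
  return out;
}

// Constructed sample (not real telemetry): a behavior-protection style document
// whose nested events array also contains schema-inconsistent entries.
const sampleEvent: TelemetryEvent = {
  '@timestamp': '2021-04-20T00:00:00Z',
  host: { hostname: 'lab-host', ip: '10.0.0.5' },
  events: [
    { event: { category: 'process' }, process: { name: 'x.exe', command_line: 'x.exe --flag' } },
    'not-an-object',
    null,
    { event: { category: 'file' }, file: { path: 'C:\\tmp\\a.txt', hash: 'deadbeef' } },
  ],
};
const sampleAllowlist: AllowlistFields = {
  '@timestamp': true,
  host: { hostname: true },
  events: { event: { category: true }, process: { name: true }, file: { hash: true } },
};
```

Running copyAllowlistedFields(sampleAllowlist, sampleEvent) keeps only hostname under host, drops command_line and path from the nested events, and silently discards the string and null entries of the events array instead of casting them.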