[Security Solution] User can make Exceptions for Behavior Protection …

…alerts (#106853)

x-pack/plugins/security_solution/common/ecs/dll/index.ts

@@ -0,0 +1,15 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { CodeSignature } from '../file';
+import { ProcessPe } from '../process';
+
+export interface DllEcs {
+  path?: string;
+  code_signature?: CodeSignature;
+  pe?: ProcessPe;
+}

x-pack/plugins/security_solution/common/ecs/index.ts

@@ -9,6 +9,7 @@ import { AgentEcs } from './agent';
 import { AuditdEcs } from './auditd';
 import { DestinationEcs } from './destination';
 import { DnsEcs } from './dns';
+import { DllEcs } from './dll';
 import { EndgameEcs } from './endgame';
 import { EventEcs } from './event';
 import { FileEcs } from './file';
@@ -68,4 +69,5 @@ export interface Ecs {
   // eslint-disable-next-line @typescript-eslint/naming-convention
   Memory_protection?: MemoryProtection;
   Target?: Target;
+  dll?: DllEcs;
 }

x-pack/plugins/security_solution/common/ecs/process/index.ts

@@ -5,14 +5,16 @@
  * 2.0.
  */
 
-import { Ext } from '../file';
+import { CodeSignature, Ext } from '../file';
 
 export interface ProcessEcs {
   Ext?: Ext;
+  command_line?: string[];
   entity_id?: string[];
   exit_code?: number[];
   hash?: ProcessHashData;
   parent?: ProcessParentData;
+  code_signature?: CodeSignature;
   pid?: number[];
   name?: string[];
   ppid?: number[];
@@ -32,10 +34,17 @@ export interface ProcessHashData {
 export interface ProcessParentData {
   name?: string[];
   pid?: number[];
+  executable?: string[];
 }
 
 export interface Thread {
   id?: number[];
   start?: string[];
   Ext?: Ext;
 }
+export interface ProcessPe {
+  original_file_name?: string;
+  company?: string;
+  description?: string;
+  file_version?: string;
+}

x-pack/plugins/security_solution/common/ecs/registry/index.ts

@@ -10,4 +10,9 @@ export interface RegistryEcs {
   key?: string[];
   path?: string[];
   value?: string[];
+  data?: RegistryEcsData;
+}
+
+export interface RegistryEcsData {
+  strings?: string[];
 }

x-pack/plugins/security_solution/common/endpoint/generate_data.ts

@@ -392,6 +392,7 @@ enum AlertTypes {
   MALWARE = 'MALWARE',
   MEMORY_SIGNATURE = 'MEMORY_SIGNATURE',
   MEMORY_SHELLCODE = 'MEMORY_SHELLCODE',
+  BEHAVIOR = 'BEHAVIOR',
 }
 
 const alertsDefaultDataStream = {
@@ -778,11 +779,117 @@ export class EndpointDocGenerator extends BaseDataGenerator {
           alertsDataStream,
           alertType,
         });
+      case AlertTypes.BEHAVIOR:
+        return this.generateBehaviorAlert({
+          ts,
+          entityID,
+          parentEntityID,
+          ancestry,
+          alertsDataStream,
+        });
       default:
         return assertNever(alertType);
     }
   }
 
+  /**
+   * Creates a memory alert from the simulated host represented by this EndpointDocGenerator
+   * @param ts - Timestamp to put in the event
+   * @param entityID - entityID of the originating process
+   * @param parentEntityID - optional entityID of the parent process, if it exists
+   * @param ancestry - an array of ancestors for the generated alert
+   * @param alertsDataStream the values to populate the data_stream fields when generating alert documents
+   */
+  public generateBehaviorAlert({
+    ts = new Date().getTime(),
+    entityID = this.randomString(10),
+    parentEntityID,
+    ancestry = [],
+    alertsDataStream = alertsDefaultDataStream,
+  }: {
+    ts?: number;
+    entityID?: string;
+    parentEntityID?: string;
+    ancestry?: string[];
+    alertsDataStream?: DataStream;
+  } = {}): AlertEvent {
+    const processName = this.randomProcessName();
+    const newAlert: AlertEvent = {
+      ...this.commonInfo,
+      data_stream: alertsDataStream,
+      '@timestamp': ts,
+      ecs: {
+        version: '1.6.0',
+      },
+      rule: {
+        id: this.randomUUID(),
+      },
+      event: {
+        action: 'rule_detection',
+        kind: 'alert',
+        category: 'behavior',
+        code: 'behavior',
+        id: this.seededUUIDv4(),
+        dataset: 'endpoint.diagnostic.collection',
+        module: 'endpoint',
+        type: 'info',
+        sequence: this.sequence++,
+      },
+      file: {
+        name: 'fake_behavior.exe',
+        path: 'C:/fake_behavior.exe',
+      },
+      destination: {
+        port: 443,
+        ip: this.randomIP(),
+      },
+      source: {
+        port: 59406,
+        ip: this.randomIP(),
+      },
+      network: {
+        transport: 'tcp',
+        type: 'ipv4',
+        direction: 'outgoing',
+      },
+      registry: {
+        path:
+          'HKEY_USERS\\S-1-5-21-2460036010-3910878774-3458087990-1001\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\chrome',
+        value: processName,
+        data: {
+          strings: `C:/fake_behavior/${processName}`,
+        },
+      },
+      process: {
+        pid: 2,
+        name: processName,
+        entity_id: entityID,
+        executable: `C:/fake_behavior/${processName}`,
+        parent: parentEntityID
+          ? {
+              entity_id: parentEntityID,
+              pid: 1,
+            }
+          : undefined,
+        Ext: {
+          ancestry,
+          code_signature: [
+            {
+              trusted: false,
+              subject_name: 'bad signer',
+            },
+          ],
+          user: 'SYSTEM',
+          token: {
+            integrity_level_name: 'high',
+            elevation_level: 'full',
+          },
+        },
+      },
+      dll: this.getAlertsDefaultDll(),
+    };
+    return newAlert;
+  }
   /**
    * Returns the default DLLs used in alerts
    */

x-pack/plugins/security_solution/common/endpoint/types/index.ts

@@ -301,6 +301,21 @@ export type AlertEvent = Partial<{
     feature: ECSField<string>;
     self_injection: ECSField<boolean>;
   }>;
+  destination: Partial<{
+    port: ECSField<number>;
+    ip: ECSField<string>;
+  }>;
+  source: Partial<{
+    port: ECSField<number>;
+    ip: ECSField<string>;
+  }>;
+  registry: Partial<{
+    path: ECSField<string>;
+    value: ECSField<string>;
+    data: Partial<{
+      strings: ECSField<string>;
+    }>;
+  }>;
   Target: Partial<{
     process: Partial<{
       thread: Partial<{
@@ -359,6 +374,9 @@ export type AlertEvent = Partial<{
       }>;
     }>;
   }>;
+  rule: Partial<{
+    id: ECSField<string>;
+  }>;
   file: Partial<{
     owner: ECSField<string>;
     name: ECSField<string>;
@@ -677,6 +695,8 @@ export type SafeEndpointEvent = Partial<{
     }>;
   }>;
   network: Partial<{
+    transport: ECSField<string>;
+    type: ECSField<string>;
     direction: ECSField<string>;
     forwarded_ip: ECSField<string>;
   }>;

x-pack/plugins/security_solution/public/common/components/exceptions/exceptionable_endpoint_fields.json

@@ -56,6 +56,7 @@
   "file.mode",
   "file.name",
   "file.owner",
+  "file.path",
   "file.pe.company",
   "file.pe.description",
   "file.pe.file_version",
@@ -76,6 +77,7 @@
   "host.os.platform",
   "host.os.version",
   "host.type",
+  "process.command_line",
   "process.Ext.services",
   "process.Ext.user",
   "process.Ext.code_signature",
@@ -85,6 +87,7 @@
   "process.hash.sha256",
   "process.hash.sha512",
   "process.name",
+  "process.parent.executable",
   "process.parent.hash.md5",
   "process.parent.hash.sha1",
   "process.parent.hash.sha256",
@@ -97,11 +100,24 @@
   "process.pe.product",
   "process.pgid",
   "rule.uuid",
+  "rule.id",
+  "source.ip",
+  "source.port",
+  "destination.ip",
+  "destination.port",
+  "registry.path",
+  "registry.value",
+  "registry.data.strings",
   "user.domain",
   "user.email",
   "user.hash",
   "user.id",
   "Ransomware.feature",
   "Memory_protection.feature",
-  "Memory_protection.self_injection"
+  "Memory_protection.self_injection",
+  "dll.path",
+  "dll.code_signature.subject_name",
+  "dll.pe.original_file_name",
+  "dns.question.name",
+  "dns.question.type"
 ]