[Security Solution][Detections] Change from sha1 to sha256 (#73741)
dplumlee committed Jul 30, 2020
1 parent 04a91c6 commit 3a70d48
Showing 6 changed files with 88 additions and 27 deletions.
Expand Up @@ -40,6 +40,7 @@ import { AddExceptionComments } from '../add_exception_comments';
import {
enrichNewExceptionItemsWithComments,
enrichExceptionItemsWithOS,
lowercaseHashValues,
defaultEndpointExceptionItems,
entryHasListType,
entryHasNonEcsType,
Expand Down Expand Up @@ -256,7 +257,7 @@ export const AddExceptionModal = memo(function AddExceptionModal({
: exceptionItemsToAdd;
if (exceptionListType === 'endpoint') {
const osTypes = retrieveAlertOsTypes();
enriched = enrichExceptionItemsWithOS(enriched, osTypes);
enriched = lowercaseHashValues(enrichExceptionItemsWithOS(enriched, osTypes));
}
return enriched;
}, [comment, exceptionItemsToAdd, exceptionListType, retrieveAlertOsTypes]);
Expand Up @@ -40,6 +40,7 @@ import {
getOperatingSystems,
entryHasListType,
entryHasNonEcsType,
lowercaseHashValues,
} from '../helpers';
import { Loader } from '../../loader';

Expand Down Expand Up @@ -195,7 +196,7 @@ export const EditExceptionModal = memo(function EditExceptionModal({
];
if (exceptionListType === 'endpoint') {
const osTypes = exceptionItem._tags ? getOperatingSystems(exceptionItem._tags) : [];
enriched = enrichExceptionItemsWithOS(enriched, osTypes);
enriched = lowercaseHashValues(enrichExceptionItemsWithOS(enriched, osTypes));
}
return enriched;
}, [exceptionItemsToAdd, exceptionItem, comment, exceptionListType]);
Expand Up @@ -6,40 +6,32 @@
"Target.process.Ext.code_signature.valid",
"Target.process.Ext.services",
"Target.process.Ext.user",
"Target.process.command_line",
"Target.process.command_line.text",
"Target.process.executable",
"Target.process.executable.text",
"Target.process.hash.md5",
"Target.process.hash.sha1",
"Target.process.hash.sha256",
"Target.process.hash.sha512",
"Target.process.name",
"Target.process.name.text",
"Target.process.parent.Ext.code_signature.status",
"Target.process.parent.Ext.code_signature.subject_name",
"Target.process.parent.Ext.code_signature.trusted",
"Target.process.parent.Ext.code_signature.valid",
"Target.process.parent.command_line",
"Target.process.parent.command_line.text",
"Target.process.parent.executable",
"Target.process.parent.executable.text",
"Target.process.parent.hash.md5",
"Target.process.parent.hash.sha1",
"Target.process.parent.hash.sha256",
"Target.process.parent.hash.sha512",
"Target.process.parent.name",
"Target.process.parent.name.text",
"Target.process.parent.pgid",
"Target.process.parent.working_directory",
"Target.process.parent.working_directory.text",
"Target.process.pe.company",
"Target.process.pe.description",
"Target.process.pe.file_version",
"Target.process.pe.original_file_name",
"Target.process.pe.product",
"Target.process.pgid",
"Target.process.working_directory",
"Target.process.working_directory.text",
"agent.id",
"agent.type",
Expand Down Expand Up @@ -74,15 +66,13 @@
"file.mode",
"file.name",
"file.owner",
"file.path",
"file.path.text",
"file.pe.company",
"file.pe.description",
"file.pe.file_version",
"file.pe.original_file_name",
"file.pe.product",
"file.size",
"file.target_path",
"file.target_path.text",
"file.type",
"file.uid",
Expand All @@ -94,10 +84,8 @@
"host.id",
"host.os.Ext.variant",
"host.os.family",
"host.os.full",
"host.os.full.text",
"host.os.kernel",
"host.os.name",
"host.os.name.text",
"host.os.platform",
"host.os.version",
Expand All @@ -108,40 +96,36 @@
"process.Ext.code_signature.valid",
"process.Ext.services",
"process.Ext.user",
"process.command_line",
"process.command_line.text",
"process.executable",
"process.executable.text",
"process.hash.md5",
"process.hash.sha1",
"process.hash.sha256",
"process.hash.sha512",
"process.name",
"process.name.text",
"process.parent.Ext.code_signature.status",
"process.parent.Ext.code_signature.subject_name",
"process.parent.Ext.code_signature.trusted",
"process.parent.Ext.code_signature.valid",
"process.parent.command_line",
"process.parent.command_line.text",
"process.parent.executable",
"process.parent.executable.text",
"process.parent.hash.md5",
"process.parent.hash.sha1",
"process.parent.hash.sha256",
"process.parent.hash.sha512",
"process.parent.name",
"process.parent.name.text",
"process.parent.pgid",
"process.parent.working_directory",
"process.parent.working_directory.text",
"process.pe.company",
"process.pe.description",
"process.pe.file_version",
"process.pe.original_file_name",
"process.pe.product",
"process.pgid",
"process.working_directory",
"process.working_directory.text",
"rule.uuid"
"rule.uuid",
"user.domain",
"user.email",
"user.hash",
"user.id"
]
Expand Up @@ -24,6 +24,7 @@ import {
entryHasListType,
entryHasNonEcsType,
prepareExceptionItemsForBulkClose,
lowercaseHashValues,
} from './helpers';
import { EmptyEntry } from './types';
import {
Expand Down Expand Up @@ -663,4 +664,48 @@ describe('Exception helpers', () => {
expect(result).toEqual(expected);
});
});

describe('#lowercaseHashValues', () => {
test('it should return an empty array with an empty array', () => {
const payload: ExceptionListItemSchema[] = [];
const result = lowercaseHashValues(payload);
expect(result).toEqual([]);
});

test('it should return all list items with entry hashes lowercased', () => {
const payload = [
{
...getExceptionListItemSchemaMock(),
entries: [{ field: 'user.hash', type: 'match', value: 'DDDFFF' }] as EntriesArray,
},
{
...getExceptionListItemSchemaMock(),
entries: [{ field: 'user.hash', type: 'match', value: 'aaabbb' }] as EntriesArray,
},
{
...getExceptionListItemSchemaMock(),
entries: [
{ field: 'user.hash', type: 'match_any', value: ['aaabbb', 'DDDFFF'] },
] as EntriesArray,
},
];
const result = lowercaseHashValues(payload);
expect(result).toEqual([
{
...getExceptionListItemSchemaMock(),
entries: [{ field: 'user.hash', type: 'match', value: 'dddfff' }] as EntriesArray,
},
{
...getExceptionListItemSchemaMock(),
entries: [{ field: 'user.hash', type: 'match', value: 'aaabbb' }] as EntriesArray,
},
{
...getExceptionListItemSchemaMock(),
entries: [
{ field: 'user.hash', type: 'match_any', value: ['aaabbb', 'dddfff'] },
] as EntriesArray,
},
]);
});
});
});
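Review bot: The new `#lowercaseHashValues` tests only exercise `user.hash` entries, so neither the `file.hash.sha256` field that defaultEndpointExceptionItems now emits nor the pass-through of non-hash entries and of other entry types is covered. Add a case pairing `{ field: 'file.path', type: 'match', value: 'C:\\Temp\\A.EXE' }` with a `file.hash.sha256` entry and assert that the path keeps its case while the hash is lowercased; that pins the field-selection behaviour rather than only the string mapping. The enclosing `describe('Exception helpers', …)` block starts outside the hunk.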
Expand Up @@ -335,6 +335,36 @@ export const enrichExceptionItemsWithOS = (
});
};

/**
* Returns given exceptionItems with all hash-related entries lowercased
*/
export const lowercaseHashValues = (
exceptionItems: Array<ExceptionListItemSchema | CreateExceptionListItemSchema>
): Array<ExceptionListItemSchema | CreateExceptionListItemSchema> => {
return exceptionItems.map((item) => {
const newEntries = item.entries.map((itemEntry) => {
if (itemEntry.field.includes('.hash')) {
if (itemEntry.type === 'match') {
return {
...itemEntry,
value: itemEntry.value.toLowerCase(),
};
} else if (itemEntry.type === 'match_any') {
return {
...itemEntry,
value: itemEntry.value.map((val) => val.toLowerCase()),
};
}
}
return itemEntry;
});
return {
...item,
entries: newEntries,
};
});
};

/**
* Returns the value for the given fieldname within TimelineNonEcsData if it exists
*/
Expand Down Expand Up @@ -413,7 +443,7 @@ export const defaultEndpointExceptionItems = (
data: alertData,
fieldName: 'file.Ext.code_signature.trusted',
});
const [sha1Hash] = getMappedNonEcsValue({ data: alertData, fieldName: 'file.hash.sha1' });
const [sha256Hash] = getMappedNonEcsValue({ data: alertData, fieldName: 'file.hash.sha256' });
const [eventCode] = getMappedNonEcsValue({ data: alertData, fieldName: 'event.code' });
const namespaceType = 'agnostic';

Expand Down Expand Up @@ -446,10 +476,10 @@ export const defaultEndpointExceptionItems = (
value: filePath ?? '',
},
{
field: 'file.hash.sha1',
field: 'file.hash.sha256',
operator: 'included',
type: 'match',
value: sha1Hash ?? '',
value: sha256Hash ?? '',
},
{
field: 'event.code',
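Review bot: The `itemEntry.field.includes('.hash')` check in lowercaseHashValues matches any field name containing `.hash` as a substring, not only the hash fields the callers feed it (`file.hash.sha256`, `user.hash`), so a constructed field such as `file.hashing_policy` would also have its value lowercased. A boundary-aware test keeps the intent explicit: `const isHashField = /(^|\.)hash(\.|$)/.test(itemEntry.field);` followed by `if (isHashField) {`. The doc comment should also say why the values are lowercased — presumably because the indexed hash values are lowercase hex and `match`/`match_any` entries compare exactly, which should be confirmed — e.g. `* Hash entries are exact matches, so user-entered values are normalized to lowercase to agree with the indexed form.` defaultEndpointExceptionItems and the rest of the file continue outside the hunks shown.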
Expand Up @@ -202,7 +202,7 @@ export const requiredFieldsForActions = [
'file.path',
'file.Ext.code_signature.subject_name',
'file.Ext.code_signature.trusted',
'file.hash.sha1',
'file.hash.sha256',
'host.os.family',
'event.code',
];