
[Security Solution] Add supported field to ransomware #100135

Merged
merged 11 commits into from
May 19, 2021

Conversation

kevinlog
Contributor

@kevinlog kevinlog commented May 14, 2021

Summary

This PR adds a supported field to the Ransomware protection.

The supported field indicates to the Endpoint via Policy config if the Ransomware protection is currently supported. Right now, this is controlled by the license level. If the user has Platinum, then Ransomware is supported. If they are below Platinum, Ransomware is unsupported. The Endpoint needs this information in order to properly enable/disable diagnostic Ransomware protections based on user input.

Platinum license:
image

If you downgrade below Platinum, the Policy will update:
image

Checklist

Delete any items that are not applicable to this PR.
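The license-to-`supported` mechanism described above, as an added TypeScript example that is not Kibana's code and not the PR's diff: it models a reduced `PolicyConfig`, derives `windows.ransomware.supported` from the license tier without resetting the user's other settings (the point raised later in the review discussion), shows what a consumer of the policy does with the flag, and adds the field to a document written before it existed, the way a migration would. The type names, the `ProtectionMode` values, the tier set, the `effectiveRansomwareMode` helper and the migration default of `true` are assumptions of this example.

```typescript
// Added example (not Kibana's own code). Models the mechanism in this PR:
// a `supported` flag on the ransomware protection, derived from the license
// tier and written into an existing policy without resetting other fields.
// All type names, field values and defaults here are assumptions.

type LicenseTier = 'basic' | 'gold' | 'platinum' | 'enterprise';
type ProtectionMode = 'off' | 'prevent';

export interface PolicyConfig {
  windows: {
    malware: { mode: ProtectionMode };
    ransomware: { mode: ProtectionMode; supported: boolean };
  };
}

// Shape of a policy stored before the `supported` field existed.
export interface LegacyPolicyConfig {
  windows: {
    malware: { mode: ProtectionMode };
    ransomware: { mode: ProtectionMode; supported?: boolean };
  };
}

// Assumption: Platinum and above unlock ransomware protection, as the PR
// description states for Platinum.
const RANSOMWARE_TIERS: ReadonlySet<LicenseTier> = new Set<LicenseTier>(['platinum', 'enterprise']);

export function isRansomwareSupported(tier: LicenseTier): boolean {
  return RANSOMWARE_TIERS.has(tier);
}

// Defaults for a Platinum license (hypothetical values).
export function policyFactory(): PolicyConfig {
  return {
    windows: {
      malware: { mode: 'prevent' },
      ransomware: { mode: 'prevent', supported: true },
    },
  };
}

// Defaults for Gold and below: the paid feature is off and flagged unsupported.
export function policyFactoryWithoutPaidFeatures(): PolicyConfig {
  return {
    windows: {
      malware: { mode: 'prevent' },
      ransomware: { mode: 'off', supported: false },
    },
  };
}

// On a license change, re-derive only `supported`. The user's other settings
// (malware mode, the configured ransomware mode) are kept, and the input
// object is not mutated.
export function policyWithSupportedFeatures(policy: PolicyConfig, tier: LicenseTier): PolicyConfig {
  const next: PolicyConfig = JSON.parse(JSON.stringify(policy));
  next.windows.ransomware.supported = isRansomwareSupported(tier);
  return next;
}

// Migration of a stored document that predates the field. Assumption: the
// field defaults to true when absent, and the license check above corrects it
// the next time the policy is evaluated; an existing value is left alone.
export function migrateAddRansomwareSupported(doc: LegacyPolicyConfig): PolicyConfig {
  const next: LegacyPolicyConfig = JSON.parse(JSON.stringify(doc));
  if (next.windows.ransomware.supported === undefined) {
    next.windows.ransomware.supported = true;
  }
  return next as PolicyConfig;
}

// What the consumer of the policy (the Endpoint, in the PR's wording) does with
// the flag: an unsupported protection behaves as off whatever mode is stored.
export function effectiveRansomwareMode(policy: PolicyConfig): ProtectionMode {
  const { mode, supported } = policy.windows.ransomware;
  return supported ? mode : 'off';
}
```

The separate `policyWithSupportedFeatures` step is what keeps a downgrade from silently reverting a user's malware or ransomware mode to defaults: only the one flag changes, and the stored mode survives so an upgrade back to Platinum restores the previous behaviour.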

Contributor

@ferullo ferullo left a comment


Thanks!

@kevinlog kevinlog added Team:Defend Workflows “EDR Workflows” sub-team of Security Solution v7.14.0 v8.0.0 release_note:skip Skip the PR/issue when compiling release notes labels May 17, 2021
@kevinlog
Contributor Author

@elasticmachine merge upstream

@kevinlog kevinlog marked this pull request as ready for review May 18, 2021 11:29
@kevinlog kevinlog requested review from a team as code owners May 18, 2021 11:29
@elasticmachine
Contributor

Pinging @elastic/security-onboarding-and-lifecycle-mgt (Team:Onboarding and Lifecycle Mgt)

/**
* Strips paid features from an existing or new `PolicyConfig` for gold and below license
*/
export const policyFactoryWithSupportedFeatures = (
Contributor


is there a reason why you created another function as opposed to just updating the existing policyFactory (policy config with defaults for platinum licenses) and the policyFactoryWithoutPaidFeatures (policy config with defaults for gold and below licenses) windows.ransomware.supported fields?

Contributor Author


I also use this function to correctly set the `supported` field when the license changes. I want to ensure that I'm only changing the fields that I want to. I broke it out to its own function so that I didn't reset everything to the default.

You can see how it's used here: https://github.com/elastic/kibana/pull/100135/files#diff-6a6ff8e750469752a4993b278b7023af4bef43a49ccee59c3933e3d7c68c78f5R26

Also here in a test: https://github.com/elastic/kibana/pull/100135/files#diff-861c70c43696ed0ea535a55a47a316c434a14510046d2eb623d6b228d32e4c8eR211

Contributor


gotcha!

@botelastic botelastic bot added the Team:Fleet Team label for Observability Data Collection Fleet team label May 18, 2021
@elasticmachine
Contributor

Pinging @elastic/fleet (Team:Fleet)

@kevinlog
Contributor Author

@elasticmachine merge upstream

@kibanamachine
Contributor

💚 Build Succeeded

Metrics [docs]

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
securitySolution 6.8MB 6.8MB +624.0B
Unknown metric groups

References to deprecated APIs

id before after diff
canvas 29 25 -4
crossClusterReplication 8 6 -2
fleet 22 20 -2
globalSearch 4 2 -2
indexManagement 12 7 -5
infra 261 149 -112
lens 67 45 -22
licensing 18 15 -3
maps 286 208 -78
ml 121 115 -6
monitoring 109 56 -53
stackAlerts 101 95 -6
total -295

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

Contributor

@paul-tavares paul-tavares left a comment


one minor comment, but other than that LGTM 🚢 🚀

describe('7.14.0 Endpoint Package Policy migration', () => {
const migration = migrateEndpointPackagePolicyToV7140;
it('adds supported option for ransomware on migrations', () => {
const doc = {
Contributor


Any chance you can collapse several of these document mocks into a builder function instead?

Contributor Author


@paul-tavares my next PR is Linux Malware and will build on this migration test, I'll address this there.

@kevinlog kevinlog merged commit 9da1a70 into elastic:master May 19, 2021