
[Security Solution][Detections] Change from sha1 to sha256 #73741

Merged (4 commits) on Jul 30, 2020

Conversation

dplumlee
@dplumlee dplumlee commented Jul 29, 2020

Summary

Changes the pre-populated endpoint field to sha256 and changes endpoint exceptionable fields to .text fields. Also lowercases hash fields in endpoint exceptions.

(Screenshot attached to the PR description, taken 2020-07-29 at 5:04 PM)

@dplumlee dplumlee added the labels Feature:Detection Rules, Team:SIEM, v7.10.0, v7.9.0 and v8.0.0 on Jul 29, 2020
@dplumlee dplumlee marked this pull request as ready for review on July 29, 2020 at 21:17
@dplumlee dplumlee requested review from a team as code owners on July 29, 2020 at 21:17
@elasticmachine
Pinging @elastic/siem (Team:SIEM)

@dplumlee dplumlee added the release_note:skip label on Jul 29, 2020
@madirey
madirey commented Jul 29, 2020

Can we lowercase the hash just before sending? In case a user enters something manually?

@dplumlee
@madirey are we lowercasing values for all hash fields?

@madirey
madirey commented Jul 29, 2020

@dplumlee That was my understanding... @peluja1012 can you confirm? Or @gabriellandau / @crowens ?

@gabriellandau
If we're sending exact_cased hashes, we should ensure they're lowercase.

Review comment on the following lines of the diff:

```ts
): Array<ExceptionListItemSchema | CreateExceptionListItemSchema> => {
  return exceptionItems.map((item) => {
    const newEntries = item.entries.map((itemEntry) => {
      if (itemEntry.field.includes('.hash')) {
```

This LGTM for merging, but you could be a little more specific here and check for '.hash.'. Can implement later if you think it's worth doing. Thanks for doing this!

ECS has user.hash with no subfields, unlike the other hash fields, so we may want to stick with '.hash'.

Okies. As long as we don't have any other collisions here...
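The thread above is about two things: lowercasing hash values client-side so that a manually typed upper-case hash still matches the lowercased `.text` field, and how narrowly to recognise a hash field, given that ECS has both `<object>.hash.<algorithm>` fields (such as `file.hash.sha256`) and the bare `user.hash` with no sub-fields. The following is an added example, not Kibana's own code: it uses simplified stand-in types instead of `ExceptionListItemSchema` / `CreateExceptionListItemSchema`, and a field matcher that accepts both shapes while rejecting other fields that merely contain the substring `.hash`. The sample exception item and its digests are constructed placeholders.

```typescript
// Added example (not Kibana's code). Normalises hash values in exception-list
// entries before they are sent to the API, so a hash a user typed in upper
// case still matches the lowercased value indexed in the .text field.
// The types below are simplified stand-ins for Kibana's exception schemas.

interface ExceptionEntry {
  field: string;
  operator: 'included' | 'excluded';
  type: 'match' | 'match_any';
  value: string | string[];
}

interface ExceptionItem {
  name: string;
  entries: ExceptionEntry[];
}

// ECS hash fields come in two shapes: `<object>.hash.<algorithm>`
// (file.hash.sha256, process.hash.md5, ...) and the bare `user.hash`,
// which has no sub-fields. Matching only '.hash.' would miss user.hash,
// while includes('.hash') would also catch any unrelated field whose
// name happens to contain that substring.
function isHashField(field: string): boolean {
  return field.includes('.hash.') || field.endsWith('.hash');
}

// Entry values are either a single string (match) or a list (match_any).
function lowercaseValue(value: string | string[]): string | string[] {
  return Array.isArray(value) ? value.map((v) => v.toLowerCase()) : value.toLowerCase();
}

// Returns new items; the input is not mutated, so the form state stays intact.
function lowercaseHashValues(items: ExceptionItem[]): ExceptionItem[] {
  return items.map((item) => ({
    ...item,
    entries: item.entries.map((entry) =>
      isHashField(entry.field) ? { ...entry, value: lowercaseValue(entry.value) } : entry
    ),
  }));
}

// Constructed sample input. The digests are placeholders, not real file hashes.
const sampleItems: ExceptionItem[] = [
  {
    name: 'constructed endpoint exception',
    entries: [
      {
        field: 'file.hash.sha256',
        operator: 'included',
        type: 'match',
        value: 'ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789',
      },
      {
        field: 'process.hash.md5',
        operator: 'included',
        type: 'match_any',
        value: ['0123ABCD0123ABCD0123ABCD0123ABCD', 'FFFF0000FFFF0000FFFF0000FFFF0000'],
      },
      { field: 'user.hash', operator: 'included', type: 'match', value: 'User-HASH-Value' },
      // A non-hash field must pass through untouched (file names are case-sensitive).
      { field: 'file.name', operator: 'included', type: 'match', value: 'Setup.EXE' },
    ],
  },
];

const normalised = lowercaseHashValues(sampleItems);
console.log(JSON.stringify(normalised, null, 2));
```

Running the block prints the normalised item: the three hash entries are lowercased, `file.name` is left as typed, and `sampleItems` itself is unchanged. The matcher is deliberately stricter than `includes('.hash')`; whether that strictness is worth it depends on whether any non-hash field names in the index contain that substring, which is the collision question raised in the thread.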

@dplumlee dplumlee force-pushed the exceptionable-field-text branch from 16c0cdd to 9b65057 on July 30, 2020 at 16:56
@kibanamachine
💚 Build Succeeded

Build metrics (async chunks size)

| id | value | diff | baseline |
|---|---|---|---|
| securitySolution | 7.3MB | +270.0B | 7.3MB |

History

  • 💔 Build #65581 failed 16c0cdd99b37c1862fa7846fae57d0b7dd015ec3
  • 💔 Build #65568 failed b56c399b345c6159430ff11feabb9871cfa6859f
  • 💚 Build #65404 succeeded d59a07c414ee497577ed7f0fc50faa13de1508d3
  • 💚 Build #65387 succeeded 1b2ae149e1ba14f3979e32e8bc7f9d7f2ca5daec

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

dplumlee added a commit to dplumlee/kibana that referenced this pull request Jul 30, 2020
gmmorris added a commit to gmmorris/kibana that referenced this pull request Jul 31, 2020
* master: (54 commits)
  [ML] Migrate to React BrowserRouter and Kibana provided History. (elastic#71941)
  [Discover] Improve  saveSearch functional test handling (elastic#73626)
  [Metrics UI] Fix all threshold alert conditions disappearing due to alert prefill (elastic#73708)
  [Metrics UI] Fix alert previews of ungrouped alerts (elastic#73735)
  [SIEM] Fixes "include building block button" to operate (elastic#73900)
  [Metrics UI] Fix alert management to open without refresh (elastic#73739)
  [Security Solution][Lists] - Tests cleanup and remove unnecessary import (elastic#73865)
  [Ingest Management] main branch uses epr-snapshot. Others production (elastic#73555)
  [Canvas][tech-debt] Fix SVG not shrinking vertically properly (elastic#73867)
  [Maps] upgrade turf (elastic#73816)
  [Security Solution][Telemetry] Concurrent telemetry requests (elastic#73558)
  [Security Solution][Exceptions] - Update how nested entries are displayed in exceptions viewer (elastic#73745)
  [Security Solution][Exceptions] Adds autocomplete workaround for .text fields (elastic#73761)
  [Metrics UI] Fix previewing of No Data results (elastic#73753)
  Closes elastic#72914 by hiding anomaly detection settings links when the ml plugin is disabled. (elastic#73638)
  [Ingest Manager] Fix config selection in enrollment flyout from config list page (elastic#73833)
  [DOCS] Fixes typo in Alerting actions (elastic#73756)
  [APM] fixes linking errors to ML and Discover (elastic#73758)
  Handle promise rejections when building artifacts (elastic#73831)
  [Security Solution][Detections] Change from sha1 to sha256 (elastic#73741)
  ...
@MindyRS MindyRS added the Team: SecuritySolution label on Sep 23, 2021
@elasticmachine
Pinging @elastic/security-solution (Team: SecuritySolution)
