Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[7.12][Telemetry] Security telemetry allowlist fix. #92850

Merged
merged 2 commits into from
Feb 25, 2021

Conversation

pjhampton
Copy link
Contributor

Summary

There was a bug in the allowlist layout for security telemetry in #91920
We are working on ways to make this easier to extend / manage / test in backref'd protections issue.

Checklist

The allowlist is already covered with tests - see #77200
Additional fields have been vetted for PII compliance by senior managers.

For maintainers

@pjhampton pjhampton added Feature:Telemetry v7.12.0 Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. labels Feb 25, 2021
@pjhampton pjhampton requested review from jeska and Bamieh February 25, 2021 16:58
@pjhampton pjhampton self-assigned this Feb 25, 2021
@pjhampton pjhampton requested a review from a team as a code owner February 25, 2021 16:58
@elasticmachine
Copy link
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@Bamieh
Copy link
Member

Bamieh commented Feb 25, 2021

Does this fix affect the sent data downstream? do we need to reach out to infra about this change?

@Bamieh Bamieh added the release_note:skip Skip the PR/issue when compiling release notes label Feb 25, 2021
@pjhampton pjhampton added release_note:fix and removed release_note:skip Skip the PR/issue when compiling release notes labels Feb 25, 2021
@pjhampton
Copy link
Contributor Author

I have already updated the infra indexers @Bamieh. It was just this piece that is broken

Copy link
Member

@jeska jeska left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚢

Copy link
Contributor

@gabriellandau gabriellandau left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks.

Copy link
Contributor

@gabriellandau gabriellandau left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we also add process.thread?

        "thread": {
            "Ext": {
                "call_stack": [
                    {
                        "instruction_pointer": 140722403727300,
                        "memory_section": {
                            "memory_address": 140722403086336,
                            "memory_size": 1159168,
                            "protection": "R-X"
                        },
                        "module_path": "c:\\windows\\system32\\ntdll.dll",
                        "symbol_info": "c:\\windows\\system32\\ntdll.dll!ZwCreateThreadEx+0x14"
                    },
                    {
                        "instruction_pointer": 140722362113391,
                        "memory_section": {
                            "memory_address": 140722361929728,
                            "memory_size": 1122304,
                            "protection": "R-X"
                        },
                        "module_path": "c:\\windows\\system32\\kernelbase.dll",
                        "symbol_info": "c:\\windows\\system32\\kernelbase.dll!CreateRemoteThreadEx+0x29f"
                    },
                    {
                        "instruction_pointer": 140722391791069,
                        "memory_section": {
                            "memory_address": 140722391683072,
                            "memory_size": 516096,
                            "protection": "R-X"
                        },
                        "module_path": "c:\\windows\\system32\\kernel32.dll",
                        "symbol_info": "c:\\windows\\system32\\kernel32.dll!CreateThread+0x3d"
                    },
                    {
                        "instruction_pointer": 140697069180492,
                        "memory_section": {
                            "memory_address": 140697069096960,
                            "memory_size": 1785856,
                            "protection": "R-X"
                        },
                        "module_path": "c:\\git\\endpoint-dev\\build\\elastic\\windows\\msvc14\\x64\\releasestatic\\memoryprotectiontests.exe",
                        "symbol_info": "c:\\git\\endpoint-dev\\build\\elastic\\windows\\msvc14\\x64\\releasestatic\\memoryprotectiontests.exe!0x7FF696D4564C"
                    }
                ]
            },
            "id": 7680
        },

Copy link
Contributor

@gabriellandau gabriellandau left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@pjhampton pjhampton enabled auto-merge (squash) February 25, 2021 19:29
@kibanamachine
Copy link
Contributor

💚 Build Succeeded

Metrics [docs]

✅ unchanged

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @pjhampton

@pjhampton pjhampton merged commit 9306663 into master Feb 25, 2021
pjhampton added a commit that referenced this pull request Feb 26, 2021
* Security telemetry allowlist fix.

* Also add process.thread.
pjhampton added a commit that referenced this pull request Feb 26, 2021
* Security telemetry allowlist fix.

* Also add process.thread.
@pjhampton pjhampton deleted the pjhampton/fix-allowlist-target branch February 26, 2021 08:46
gmmorris added a commit to gmmorris/kibana that referenced this pull request Feb 26, 2021
…bana into task-manager/docs-monitoring

* 'task-manager/docs-monitoring' of github.com:gmmorris/kibana: (40 commits)
  [Security Solution][Case][Bug] Improve case logging (elastic#91924)
  [Alerts][Doc] Added README documentation for alerts plugin status and framework health checks configuration options. (elastic#92761)
  Add warning for EQL and Threshold rules if exception list contains value list items (elastic#92914)
  [Security Solution][Case] Fix subcases bugs on detections and case view (elastic#91836)
  [APM] Always allow access to Profiling via URL (elastic#92889)
  [Vega] Allow image loading without CORS policy by changing the default to crossOrigin=null (elastic#91991)
  skip flaky suite (elastic#92114)
  [APM] Fix for default fields in correlations view (elastic#91868) (elastic#92090)
  chore(NA): bump bazelisk to v1.7.5 (elastic#92905)
  [Maps] fix selecting EMS basemap does not populate input (elastic#92711)
  API docs (elastic#92827)
  [kbn/test] add import/export support to KbnClient (elastic#92526)
  Test fix management scripted field filter functional test and unskip it  (elastic#92756)
  [App Search] Create Curation view/functionality (elastic#92560)
  [Reporting/Discover] include the document's entire set of fields (elastic#92730)
  [Fleet] Add new index to fleet for artifacts being served out of fleet-server (elastic#92860)
  [Alerts][Doc] Added README documentation for API key invalidation configuration options. (elastic#92757)
  [Discover][docs] Add search for relevance (elastic#90611)
  [Alerts][Docs] Extended README.md and the user docs with the licensing information. (elastic#92564)
  [7.12][Telemetry] Security telemetry allowlist fix. (elastic#92850)
  ...
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Feature:Telemetry release_note:fix Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v7.12.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants