
Update endpoint event and alert types #69292

Merged
merged 12 commits into from
Jun 18, 2020
Expand Up @@ -47,7 +47,7 @@ describe('data generator', () => {
const metadata = generator.generateHostMetadata(timestamp);
expect(metadata['@timestamp']).toEqual(timestamp);
expect(metadata.event.created).toEqual(timestamp);
expect(metadata.endpoint).not.toBeNull();
expect(metadata.Endpoint).not.toBeNull();
expect(metadata.agent).not.toBeNull();
expect(metadata.host).not.toBeNull();
});
Expand All @@ -57,18 +57,18 @@ describe('data generator', () => {
const hostPolicyResponse = generator.generatePolicyResponse(timestamp);
expect(hostPolicyResponse['@timestamp']).toEqual(timestamp);
expect(hostPolicyResponse.event.created).toEqual(timestamp);
expect(hostPolicyResponse.endpoint).not.toBeNull();
expect(hostPolicyResponse.Endpoint).not.toBeNull();
expect(hostPolicyResponse.agent).not.toBeNull();
expect(hostPolicyResponse.host).not.toBeNull();
expect(hostPolicyResponse.endpoint.policy.applied).not.toBeNull();
expect(hostPolicyResponse.Endpoint.policy.applied).not.toBeNull();
});

it('creates alert event documents', () => {
const timestamp = new Date().getTime();
const alert = generator.generateAlert(timestamp);
expect(alert['@timestamp']).toEqual(timestamp);
expect(alert.event.action).not.toBeNull();
expect(alert.endpoint).not.toBeNull();
expect(alert.Endpoint).not.toBeNull();
expect(alert.agent).not.toBeNull();
expect(alert.host).not.toBeNull();
expect(alert.process.entity_id).not.toBeNull();
Expand Down Expand Up @@ -364,7 +364,9 @@ describe('data generator', () => {
it('creates full resolver tree', () => {
const alertAncestors = 3;
const generations = 2;
const events = [...generator.fullResolverTreeGenerator(alertAncestors, generations)];
const events = [
...generator.fullResolverTreeGenerator({ ancestors: alertAncestors, generations }),
];
const rootNode = buildResolverTree(events);
const visitedEvents = countResolverEvents(rootNode, alertAncestors + generations);
expect(visitedEvents).toEqual(events.length);
189 changes: 90 additions & 99 deletions x-pack/plugins/security_solution/common/endpoint/generate_data.ts
Expand Up @@ -10,7 +10,7 @@ import {
EndpointEvent,
Host,
HostMetadata,
HostOS,
OSFields,
HostPolicyResponse,
HostPolicyResponseActionStatus,
PolicyData,
Expand All @@ -28,38 +28,46 @@ interface EventOptions {
processName?: string;
}

const Windows: HostOS[] = [
const Windows: OSFields[] = [
{
name: 'windows 10.0',
full: 'Windows 10',
version: '10.0',
variant: 'Windows Pro',
Ext: {
variant: 'Windows Pro',
},
},
{
name: 'windows 10.0',
full: 'Windows Server 2016',
version: '10.0',
variant: 'Windows Server',
Ext: {
variant: 'Windows Server',
},
},
{
name: 'windows 6.2',
full: 'Windows Server 2012',
version: '6.2',
variant: 'Windows Server',
Ext: {
variant: 'Windows Server',
},
},
{
name: 'windows 6.3',
full: 'Windows Server 2012R2',
version: '6.3',
variant: 'Windows Server Release 2',
Ext: {
variant: 'Windows Server Release 2',
},
},
];

const Linux: HostOS[] = [];
const Linux: OSFields[] = [];

const Mac: HostOS[] = [];
const Mac: OSFields[] = [];

const OS: HostOS[] = [...Windows, ...Mac, ...Linux];
const OS: OSFields[] = [...Windows, ...Mac, ...Linux];

const APPLIED_POLICIES: Array<{
name: string;
Expand Down Expand Up @@ -186,7 +194,7 @@ interface HostInfo {
type: string;
};
host: Host;
endpoint: {
Endpoint: {
policy: {
applied: {
id: string;
Expand Down Expand Up @@ -283,8 +291,8 @@ export class EndpointDocGenerator {
* Creates new random policy id for the host to simulate new policy application
*/
public updatePolicyId() {
this.commonInfo.endpoint.policy.applied.id = this.randomChoice(APPLIED_POLICIES).id;
this.commonInfo.endpoint.policy.applied.status = this.randomChoice([
this.commonInfo.Endpoint.policy.applied = this.randomChoice(APPLIED_POLICIES);
this.commonInfo.Endpoint.policy.applied.status = this.randomChoice([
HostPolicyResponseActionStatus.success,
HostPolicyResponseActionStatus.failure,
HostPolicyResponseActionStatus.warning,
Expand All @@ -310,7 +318,7 @@ export class EndpointDocGenerator {
mac: this.randomArray(3, () => this.randomMac()),
os: this.randomChoice(OS),
},
endpoint: {
Endpoint: {
policy: {
applied: this.randomChoice(APPLIED_POLICIES),
},
Expand Down Expand Up @@ -371,77 +379,88 @@ export class EndpointDocGenerator {
sha1: 'fake file sha1',
sha256: 'fake file sha256',
},
code_signature: {
trusted: false,
subject_name: 'bad signer',
},
malware_classification: {
identifier: 'endpointpe',
score: 1,
threshold: 0.66,
version: '3.0.33',
Ext: {
code_signature: [
{
trusted: false,
subject_name: 'bad signer',
},
],
malware_classification: {
identifier: 'endpointpe',
score: 1,
threshold: 0.66,
version: '3.0.33',
},
temp_file_path: 'C:/temp/fake_malware.exe',
},
temp_file_path: 'C:/temp/fake_malware.exe',
},
process: {
pid: 2,
name: 'malware writer',
start: ts,
uptime: 0,
user: 'SYSTEM',
entity_id: entityID,
executable: 'C:/malware.exe',
parent: parentEntityID ? { entity_id: parentEntityID, pid: 1 } : undefined,
token: {
domain: 'NT AUTHORITY',
integrity_level: 16384,
integrity_level_name: 'system',
privileges: [
{
description: 'Replace a process level token',
enabled: false,
name: 'SeAssignPrimaryTokenPrivilege',
},
],
sid: 'S-1-5-18',
type: 'tokenPrimary',
user: 'SYSTEM',
},
code_signature: {
trusted: false,
subject_name: 'bad signer',
},
hash: {
md5: 'fake md5',
sha1: 'fake sha1',
sha256: 'fake sha256',
},
Ext: {
code_signature: [
{
trusted: false,
subject_name: 'bad signer',
},
],
user: 'SYSTEM',
token: {
domain: 'NT AUTHORITY',
integrity_level: 16384,
integrity_level_name: 'system',
privileges: [
{
description: 'Replace a process level token',
enabled: false,
name: 'SeAssignPrimaryTokenPrivilege',
},
],
sid: 'S-1-5-18',
type: 'tokenPrimary',
user: 'SYSTEM',
},
},
},
dll: [
{
pe: {
architecture: 'x64',
imphash: 'c30d230b81c734e82e86e2e2fe01cd01',
},
code_signature: {
subject_name: 'Cybereason Inc',
trusted: true,
},
compile_time: 1534424710,

hash: {
md5: '1f2d082566b0fc5f2c238a5180db7451',
sha1: 'ca85243c0af6a6471bdaa560685c51eefd6dbc0d',
sha256: '8ad40c90a611d36eb8f9eb24fa04f7dbca713db383ff55a03aa0f382e92061a2',
},
malware_classification: {
identifier: 'Whitelisted',
score: 0,
threshold: 0,
version: '3.0.0',
},
mapped_address: 5362483200,
mapped_size: 0,

path: 'C:\\Program Files\\Cybereason ActiveProbe\\AmSvc.exe',
Ext: {
compile_time: 1534424710,
mapped_address: 5362483200,
mapped_size: 0,
malware_classification: {
identifier: 'Whitelisted',
score: 0,
threshold: 0,
version: '3.0.0',
},
},
},
],
};
Expand Down Expand Up @@ -561,28 +580,9 @@ export class EndpointDocGenerator {
* @param percentTerminated - percent of nodes which will have process termination events
* @param alwaysGenMaxChildrenPerNode - flag to always return the max children per node instead of it being a random number of children
*/
public *alertsGenerator(
numAlerts: number,
alertAncestors?: number,
childGenerations?: number,
maxChildrenPerNode?: number,
relatedEventsPerNode?: number,
relatedAlertsPerNode?: number,
percentNodesWithRelated?: number,
percentTerminated?: number,
alwaysGenMaxChildrenPerNode?: boolean
) {
public *alertsGenerator(numAlerts: number, options: TreeOptions = {}) {
for (let i = 0; i < numAlerts; i++) {
yield* this.fullResolverTreeGenerator(
alertAncestors,
childGenerations,
maxChildrenPerNode,
relatedEventsPerNode,
relatedAlertsPerNode,
percentNodesWithRelated,
percentTerminated,
alwaysGenMaxChildrenPerNode
);
yield* this.fullResolverTreeGenerator(options);
}
}

Expand All @@ -600,35 +600,26 @@ export class EndpointDocGenerator {
* @param percentTerminated - percent of nodes which will have process termination events
* @param alwaysGenMaxChildrenPerNode - flag to always return the max children per node instead of it being a random number of children
*/
public *fullResolverTreeGenerator(
alertAncestors?: number,
childGenerations?: number,
maxChildrenPerNode?: number,
relatedEventsPerNode?: RelatedEventInfo[] | number,
relatedAlertsPerNode?: number,
percentNodesWithRelated?: number,
percentTerminated?: number,
alwaysGenMaxChildrenPerNode?: boolean
) {
public *fullResolverTreeGenerator(options: TreeOptions = {}) {
const ancestry = this.createAlertEventAncestry(
alertAncestors,
relatedEventsPerNode,
percentNodesWithRelated,
percentTerminated
options.ancestors,
options.relatedEvents,
options.percentWithRelated,
options.percentTerminated
);
for (let i = 0; i < ancestry.length; i++) {
yield ancestry[i];
}
// ancestry will always have at least 2 elements, and the last element will be the alert
yield* this.descendantsTreeGenerator(
ancestry[ancestry.length - 1],
childGenerations,
maxChildrenPerNode,
relatedEventsPerNode,
relatedAlertsPerNode,
percentNodesWithRelated,
percentTerminated,
alwaysGenMaxChildrenPerNode
options.generations,
options.children,
options.relatedEvents,
options.relatedAlerts,
options.percentWithRelated,
options.percentTerminated,
options.alwaysGenMaxChildrenPerNode
);
}

Expand Down Expand Up @@ -940,7 +931,7 @@ export class EndpointDocGenerator {
host: {
id: this.commonInfo.host.id,
},
endpoint: {
Endpoint: {
policy: {
applied: {
actions: [
Expand Down Expand Up @@ -1045,7 +1036,7 @@ export class EndpointDocGenerator {
status: HostPolicyResponseActionStatus.success,
},
],
id: this.commonInfo.endpoint.policy.applied.id,
id: this.commonInfo.Endpoint.policy.applied.id,
response: {
configurations: {
events: {
Expand Down Expand Up @@ -1086,9 +1077,9 @@ export class EndpointDocGenerator {
],
},
},
status: this.commonInfo.endpoint.policy.applied.status,
status: this.commonInfo.Endpoint.policy.applied.status,
version: policyVersion,
name: this.commonInfo.endpoint.policy.applied.name,
name: this.commonInfo.Endpoint.policy.applied.name,
},
},
},
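Review bot: In updatePolicyId (hunk @@ -283,8 +291,8 @@), the new first line stores the object returned by `this.randomChoice(APPLIED_POLICIES)` directly into `commonInfo.Endpoint.policy.applied`, and the following line then writes `.status` on it, so the write lands on the shared module-level APPLIED_POLICIES entry rather than on a per-host copy; every later `randomChoice(APPLIED_POLICIES)` (for example the `applied:` initialiser in the -310,7 hunk) then hands out an entry whose status has already been overwritten, and generator instances in the same process can presumably observe each other's status changes. The previous code had the same aliasing through the `applied:` initialiser, but the rewrite now assigns the whole object, so this is the natural place to copy: `this.commonInfo.Endpoint.policy.applied = { ...this.randomChoice(APPLIED_POLICIES) };`. updatePolicyId continues past the end of the hunk. Separately, the JSDoc above alertsGenerator and fullResolverTreeGenerator still documents the removed positional parameters (`@param percentTerminated`, `@param alwaysGenMaxChildrenPerNode`), which should now be described as fields of the `options` object (TreeOptions).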