Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[EDR Workflows] Workflow Insights - migrate to Signature field #205323

Draft
wants to merge 5 commits into
base: main
Choose a base branch
from
Draft

[EDR Workflows] Workflow Insights - migrate to Signature field #205323

wants to merge 5 commits into from
+199 −132

Conversation

szwarckonrad
Copy link
Contributor

@szwarckonrad szwarckonrad commented Dec 31, 2024
edited
Loading

This PR adds checks to verify whether the signer_id is present in file events stored in the ES, which serve as the foundation for generating endpoint insights. Previously, we relied solely on the executable path, which caused issues when a single AV generated multiple paths.

With these changes:

  • If the signer_id exists in the file event, it will be used for generating insights.
  • For cases where the signer_id is unavailable (e.g., Linux, which lacks signers), the executable path will still be used as a fallback.
Screen.Recording.2024-12-31.at.15.31.24.mov

@elasticmachine
Copy link
Contributor

elasticmachine commented Dec 31, 2024
edited
Loading

🤖 Jobs for this PR can be triggered through checkboxes. 🚧

ℹ️ To trigger the CI, please tick the checkbox below 👇

  • Click to trigger kibana-pull-request for this PR!
  • Click to trigger kibana-deploy-project-from-pr for this PR!

@szwarckonrad szwarckonrad mentioned this pull request Jan 2, 2025
Draft
@szwarckonrad szwarckonrad self-assigned this Jan 2, 2025
@szwarckonrad szwarckonrad added release_note:skip Skip the PR/issue when compiling release notes v9.0.0 Team:Defend Workflows “EDR Workflows” sub-team of Security Solution backport:prev-minor Backport to (8.x) the previous minor version (i.e. one version back from main) v8.18.0 labels Jan 2, 2025
tomsonpl
tomsonpl approved these changes Jan 7, 2025
View reviewed changes
Copy link
Contributor

@tomsonpl tomsonpl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Left a question, but approving anyway 👍

...nagement/pages/endpoint_hosts/view/details/components/insights/workflow_insights_results.tsx
@@ -122,7 +122,9 @@ export const WorkflowInsightsResults = ({
{insight.message}
</EuiText>
<EuiText size={'xs'} color={'subdued'}>
{item.entries[0].type === 'match' && item.entries[0].value}
{item.entries[0].type === 'match' &&
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just to make sure: we add more checks, so all of them have to be met in order to be valid?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tomsonpl tomsonpl tomsonpl approved these changes

@joeypoon joeypoon Awaiting requested review from joeypoon

At least 1 approving review is required to merge this pull request.

Assignees

@szwarckonrad szwarckonrad

Labels
backport:prev-minor Backport to (8.x) the previous minor version (i.e. one version back from main) release_note:skip Skip the PR/issue when compiling release notes Team:Defend Workflows “EDR Workflows” sub-team of Security Solution v8.18.0 v9.0.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@szwarckonrad @elasticmachine @tomsonpl