
Conversation

ricardo-estc
Contributor

Add file path to Security events

Change Summary

  • Updates macOS custom documentation for security events
  • Enriches security events schema with a file path. It can be used for various actions, such as gatekeeper override

Sample values

Sample document:

Release Target

Q/A

For mapping changes:

  • I ran make after making the schema changes, and committed all changes
  • If these field(s) are "exception"-able, I made a companion PR to Kibana adding it (see Readme)
  • If this is a metadata change, I also updated both transform destination schemas to match

For Transform changes:

  • The new transform successfully starts in Kibana
  • The corresponding transform destination schema was updated if necessary
Add file path to Security events
@ricardo-estc ricardo-estc requested review from a team as code owners January 29, 2025 08:57
Contributor

@ferullo ferullo left a comment


Is this change needed for 8.18 or 9.0?

Comment on lines 76 to 78
- file.path
- file.code_signature.signing_id
- file.code_signature.team_id
Member


These three fields look out of alphabetical order.

Comment on lines 71 to 73
| file.path |
| file.code_signature.signing_id |
| file.code_signature.team_id |
Member


These file fields look out of alphabetical order.

@ricardo-estc
Contributor Author

@ferullo 9.0

Member

@pzl pzl left a comment


Please update package/endpoint/data_stream/security/sample_event.json with example values for

  • file.path
  • file.code_signature.signing_id
  • file.code_signature.team_id

Other than that, this looks ok to squeeze into 9.0, if we can merge soon

@ricardo-estc
Contributor Author

@ashokaditya reordered the fields in alphabetical order
@pzl updated sample_event.json

@pzl
Member

pzl commented Jan 30, 2025

@ricardo-estc content of PR looks good, I think CI error is just about formatting on that sample event json. I'm guessing the space after the key names and before the :
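The two review asks above (example values for the three new fields in sample_event.json, and the CI failure on the JSON formatting) can both be caught locally before pushing. The script below is an added example written for this page, not code from the endpoint-package repository or its CI: it flattens a sample event to dotted ECS-style field names, checks that `file.path`, `file.code_signature.signing_id` and `file.code_signature.team_id` are present and non-empty, checks that a field list is alphabetical, and flags a file that does not round-trip through Python's `json.dumps(indent=2)` unchanged. That round-trip rule is an assumption standing in for whatever formatter the real CI runs; the sample event values (`gatekeeper_override`, `/Applications/Example.app`, the signing and team ids) are constructed placeholders, and the stray space before a colon in `"event" :` is there on purpose to reproduce the kind of formatting slip the comment describes.

```python
import json
from typing import Any

# Fields the PR adds to the security events schema, listed in the order
# reviewers asked for (alphabetical).
ADDED_FIELDS = [
    "file.code_signature.signing_id",
    "file.code_signature.team_id",
    "file.path",
]

# Constructed sample-event fragment (placeholder values, not the repo's
# sample_event.json). Note the deliberate `"event" :` spacing, which the
# canonical-format check below is meant to catch.
SAMPLE_EVENT_TEXT = """{
  "event" : {"action": "gatekeeper_override", "category": ["security"]},
  "file": {
    "path": "/Applications/Example.app",
    "code_signature": {"signing_id": "com.example.app", "team_id": "EXAMPLE123"}
  }
}
"""


def flatten(doc: dict[str, Any], prefix: str = "") -> dict[str, Any]:
    """Turn nested objects into dotted field names, e.g. file.code_signature.team_id."""
    out: dict[str, Any] = {}
    for key, value in doc.items():
        dotted = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, dotted))
        else:
            out[dotted] = value
    return out


def missing_fields(event_text: str, required: list[str] = ADDED_FIELDS) -> list[str]:
    """Required fields that are absent or have an empty value in the sample event."""
    flat = flatten(json.loads(event_text))
    return [f for f in required if f not in flat or flat[f] in (None, "")]


def out_of_order(fields: list[str]) -> list[tuple[str, str]]:
    """Adjacent pairs that break alphabetical order in a field list."""
    return [(a, b) for a, b in zip(fields, fields[1:]) if a > b]


def canonical_json(text: str) -> str:
    """Assumed canonical form: parse, then re-serialise with 2-space indent."""
    return json.dumps(json.loads(text), indent=2, ensure_ascii=False) + "\n"


def is_canonical(text: str) -> bool:
    """True when the file already matches its canonical re-serialisation."""
    return text == canonical_json(text)


def check_sample_event(text: str, required: list[str] = ADDED_FIELDS) -> list[str]:
    """All problems a reviewer would raise against the sample event, as messages."""
    problems = []
    for f in missing_fields(text, required):
        problems.append(f"missing or empty field: {f}")
    for a, b in out_of_order(required):
        problems.append(f"fields out of alphabetical order: {a} before {b}")
    if not is_canonical(text):
        problems.append("sample_event.json is not canonically formatted (e.g. space before ':')")
    return problems


if __name__ == "__main__":
    for problem in check_sample_event(SAMPLE_EVENT_TEXT):
        print(problem)
    # Rewriting the file with canonical_json() is the fix for the formatting problem.
    print(canonical_json(SAMPLE_EVENT_TEXT))
```

Run against the real sample_event.json by reading the file into `check_sample_event`; an empty list means the three fields have values, the list is sorted, and the file is already in the assumed canonical form. If the project's CI uses a different formatter, swap `canonical_json` for that tool's output and keep the rest.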

@ricardo-estc ricardo-estc merged commit ee8d506 into main Jan 30, 2025
4 checks passed
@ricardo-estc ricardo-estc deleted the ricardo/add_file_security_event branch January 30, 2025 12:53

5 participants