elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

[Fleet] preconfigured package policy should support integration with extension #142269

Open nchaulet opened 2 years ago

nchaulet commented 2 years ago

Description

Preconfigured package policy should support integration with extension, like endpoint synthetics.

I saw two major issues that need to be solved to fix that:

Note that this issue could impact the work done here too: https://github.com/elastic/kibana/issues/140961

elasticmachine commented 2 years ago

Pinging @elastic/fleet (Team:Fleet)

DefSecSentinel commented 2 years ago

A user should be able to supply something similar to the following to their policy definition within the kibana.yml and pre-configure endpoint package integrations, like you currently can with the System integration:

      - package:
          name: endpoint
        name: endpoint_linux
        id: preconfigured-endpoint
        enabled: true
        inputs:
          - type: endpoint
            enabled: true
            streams: []
            config:
              policy:
                value:
                  windows:
                    - type: events
                      vars:
                        - dll_and_driver_load: true
                        - dns: true
                        - file: true
                        - network: true
                        - process: true
                        - registry: true
                        - security: true
                    - type: malware
                      vars:
                        - mode: prevent
                        - blocklist: true
                    - type: ransomware
                      vars:
                        - mode: prevent
                        - supported: true
                    - type: memory_protection
                      vars:
                        - mode: prevent
                        - supported: true
                    - type: behavior_protection
                      vars:
                        - mode: prevent
                        - supported: true
                    - type: popup
                      vars:
                        malware:
                          - message: ''
                          - enabled: true
                        ransomware:
                          - message: ''
                          - enabled: true
                        memory_protection:
                          - message: ''
                          - enabled: true
                        behavior_protection:
                          - message: ''
                          - enabled: true
                    - type: logging
                      vars:
                        file: info
                    - type: antivirus_registration
                      vars:
                        enabled: false
                    - type: attack_surface_reduction
                      vars:
                        credential_hardening:
                          - enabled: true
                  mac:
                    - type: events
                      vars:
                        - process: true
                        - file: true
                        - network: true
                    - type: malware
                      vars:
                        - mode: prevent
                        - blocklist: true
                    - type: behavior_protection
                      vars:
                        - mode: prevent
                        - supported: true
                    - type: memory_protection
                      vars:
                        - mode: prevent
                        - supported: true
                    - type: popup
                      vars:
                        malware:
                          - message: ''
                          - enabled: true
                        behavior_protection:
                          - message: ''
                          - enabled: true
                        memory_protection:
                          - message: ''
                          - enabled: true
                    - type: logging
                      vars:
                        - file: info
                  linux:
                    - type: events
                      vars:
                        - process: true
                        - file: true
                        - network: true
                        - session_data: false
                    - type: malware
                      vars:
                        - mode: prevent
                        - blocklist: true
                    - type: behavior_protection
                      vars:
                        - mode: prevent
                        - supported: true
                    - type: memory_protection
                      vars:
                        - mode: prevent
                        - supported: true
                    - type: popup
                      vars:
                        malware:
                          - message: ''
                          - enabled: true
                        behavior_protection:
                          - message: ''
                          - enabled: true
                        memory_protection:
                          - message: ''
                          - enabled: true
                    - type: logging
                      vars:
                        - file: info
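The YAML above is a proposal for what the preconfiguration key could look like, so whoever ships it in kibana.yml will want a way to confirm the baked-in policy actually says what they intend (prevention enabled on every OS, no event source silently turned off). The following is an added example written for this thread, not Kibana or Fleet code: it assumes the policy has already been loaded from kibana.yml into plain Python structures (for instance with PyYAML) in the shape proposed above, and it tolerates the two `vars` spellings the proposal mixes (a mapping, or a list of single-key mappings such as `- mode: prevent`). The section and key names are taken from the proposal; the sample policy is constructed here and deliberately weakened in three places so the check has something to report. Event-source findings are informational (the proposal itself leaves `session_data` off on Linux); protection-mode findings are the ones to treat as defects.

```python
"""Baseline check for a preconfigured Elastic Defend (endpoint) package policy.

Added example for the issue thread, not Kibana/Fleet code. Assumes the
preconfigured package policy has been loaded from kibana.yml into Python
structures matching the proposed shape:
  inputs[].config.policy.value.<os>[] -> {"type": ..., "vars": ...}
That shape is the proposal under discussion, not a confirmed Fleet schema.
"""
from typing import Any

# Protection sections the proposal defines per OS (ransomware only on windows).
OS_EXPECTED_PROTECTIONS = {
    "windows": ("malware", "ransomware", "memory_protection", "behavior_protection"),
    "mac": ("malware", "memory_protection", "behavior_protection"),
    "linux": ("malware", "memory_protection", "behavior_protection"),
}


def normalize_vars(vars_field: Any) -> dict:
    """Accept `vars` as a mapping or as a list of single-key mappings."""
    if vars_field is None:
        return {}
    if isinstance(vars_field, dict):
        return dict(vars_field)
    merged: dict = {}
    for item in vars_field:
        if isinstance(item, dict):
            merged.update(item)
    return merged


def sections_by_type(os_config: list) -> dict:
    """Index an OS section list by its `type` key with normalized vars."""
    return {
        s.get("type"): normalize_vars(s.get("vars"))
        for s in os_config
        if isinstance(s, dict)
    }


def check_endpoint_policy(package_policy: dict) -> list:
    """Return human-readable findings; an empty list means the baseline holds."""
    findings = []
    for inp in package_policy.get("inputs", []):
        if inp.get("type") != "endpoint":
            continue
        value = inp.get("config", {}).get("policy", {}).get("value", {})
        for os_name, expected in OS_EXPECTED_PROTECTIONS.items():
            if os_name not in value:
                findings.append(f"{os_name}: no policy section")
                continue
            sections = sections_by_type(value[os_name])
            for prot in expected:
                vars_ = sections.get(prot)
                if vars_ is None:
                    findings.append(f"{os_name}/{prot}: protection missing")
                elif vars_.get("mode") != "prevent":
                    findings.append(
                        f"{os_name}/{prot}: mode is {vars_.get('mode')!r}, expected 'prevent'"
                    )
            # Event sources explicitly set to false are reported so they are a
            # conscious choice rather than an accident in the shipped policy.
            for event, enabled in sections.get("events", {}).items():
                if enabled is False:
                    findings.append(f"{os_name}/events: {event} collection disabled")
    return findings


# Constructed sample in the proposal's shape, weakened in three places:
# windows malware in detect mode, mac without memory_protection,
# linux session_data collection off.
SAMPLE_PACKAGE_POLICY = {
    "package": {"name": "endpoint"},
    "name": "endpoint_linux",
    "id": "preconfigured-endpoint",
    "enabled": True,
    "inputs": [{
        "type": "endpoint",
        "enabled": True,
        "streams": [],
        "config": {"policy": {"value": {
            "windows": [
                {"type": "events", "vars": [{"dns": True}, {"file": True}, {"process": True}]},
                {"type": "malware", "vars": [{"mode": "detect"}, {"blocklist": True}]},
                {"type": "ransomware", "vars": [{"mode": "prevent"}]},
                {"type": "memory_protection", "vars": {"mode": "prevent"}},
                {"type": "behavior_protection", "vars": {"mode": "prevent"}},
            ],
            "mac": [
                {"type": "events", "vars": {"process": True, "file": True, "network": True}},
                {"type": "malware", "vars": {"mode": "prevent"}},
                {"type": "behavior_protection", "vars": {"mode": "prevent"}},
            ],
            "linux": [
                {"type": "events", "vars": [{"process": True}, {"file": True}, {"session_data": False}]},
                {"type": "malware", "vars": {"mode": "prevent"}},
                {"type": "memory_protection", "vars": {"mode": "prevent"}},
                {"type": "behavior_protection", "vars": {"mode": "prevent"}},
            ],
        }}},
    }],
}

if __name__ == "__main__":
    for finding in check_endpoint_policy(SAMPLE_PACKAGE_POLICY):
        print(finding)
```

Run against a real kibana.yml by loading the file, taking the entry under the preconfigured package policies key whose `package.name` is `endpoint`, and passing it to `check_endpoint_policy`; a non-empty result is a reason to fix the policy before Kibana boots with it.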

DefSecSentinel commented 2 years ago

@elastic/fleet I know there are a lot of users out there who would love to have this capability.

DefSecSentinel commented 1 year ago

@elastic/fleet Is there any way we could add allowing the config key in the preconfigured package policy input schema so that people can pre-define their Endpoint agent policies in the Kibana.yml file (example above)? Would be a huge help on so many fronts. Thanks!

jlind23 commented 1 year ago

@kevinlog will someone on your end be able to implement this with our guidance?

kevinlog commented 1 year ago

@jlind23

We have seen similar feature requests for this too, so I agree that we should do it. However, we need to find time on our crowded roadmap. I don't think we'd be able to do this in 8.9, but maybe in a release not too much further out. I will work with product on our side on priority.

cc @caitlinbetz

elasticmachine commented 1 year ago

Pinging @elastic/security-defend-workflows (Team:Defend Workflows)