Open nchaulet opened 2 years ago
Pinging @elastic/fleet (Team:Fleet)
A user should be able to supply something similar to the following in their policy definition within kibana.yml, and pre-configure Endpoint package integrations like you currently can with the System integration:
```yaml
# under xpack.fleet.agentPolicies[].package_policies in kibana.yml
- package:
    name: endpoint
  name: endpoint_linux
  id: preconfigured-endpoint
  enabled: true
  inputs:
    - type: endpoint
      enabled: true
      streams: []
      config:
        policy:
          value:
            windows:
              - type: events
                vars:
                  - dll_and_driver_load: true
                  - dns: true
                  - file: true
                  - network: true
                  - process: true
                  - registry: true
                  - security: true
              - type: malware
                vars:
                  - mode: prevent
                  - blocklist: true
              - type: ransomware
                vars:
                  - mode: prevent
                  - supported: true
              - type: memory_protection
                vars:
                  - mode: prevent
                  - supported: true
              - type: behavior_protection
                vars:
                  - mode: prevent
                  - supported: true
              - type: popup
                vars:
                  malware:
                    - message: ''
                    - enabled: true
                  ransomware:
                    - message: ''
                    - enabled: true
                  memory_protection:
                    - message: ''
                    - enabled: true
                  behavior_protection:
                    - message: ''
                    - enabled: true
              - type: logging
                vars:
                  file: info
              - type: antivirus_registration
                vars:
                  enabled: false
              - type: attack_surface_reduction
                vars:
                  credential_hardening:
                    - enabled: true
            mac:
              - type: events
                vars:
                  - process: true
                  - file: true
                  - network: true
              - type: malware
                vars:
                  - mode: prevent
                  - blocklist: true
              - type: behavior_protection
                vars:
                  - mode: prevent
                  - supported: true
              - type: memory_protection
                vars:
                  - mode: prevent
                  - supported: true
              - type: popup
                vars:
                  malware:
                    - message: ''
                    - enabled: true
                  behavior_protection:
                    - message: ''
                    - enabled: true
                  memory_protection:
                    - message: ''
                    - enabled: true
              - type: logging
                vars:
                  - file: info
            linux:
              - type: events
                vars:
                  - process: true
                  - file: true
                  - network: true
                  - session_data: false
              - type: malware
                vars:
                  - mode: prevent
                  - blocklist: true
              - type: behavior_protection
                vars:
                  - mode: prevent
                  - supported: true
              - type: memory_protection
                vars:
                  - mode: prevent
                  - supported: true
              - type: popup
                vars:
                  malware:
                    - message: ''
                    - enabled: true
                  behavior_protection:
                    - message: ''
                    - enabled: true
                  memory_protection:
                    - message: ''
                    - enabled: true
              - type: logging
                vars:
                  - file: info
```
@elastic/fleet I know there are a lot of users out there who would love to have this capability.
@elastic/fleet Is there any way we could allow the config key in the preconfigured package policy input schema so that people can pre-define their Endpoint agent policies in the kibana.yml file (example above)? It would be a huge help on so many fronts. Thanks!
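As an added example (not code from this issue or from Kibana), a small audit of a preconfigured Elastic Defend package policy in the shape sketched in the YAML above: it walks each OS section, tolerates the two `vars` shapes the fragment mixes (a list of single-key maps and a plain map), and reports any protection not in `prevent` mode or any event source switched off. The sample policy, including its deliberately weakened Linux settings, is constructed for this example.

```python
PROTECTIONS = ("malware", "ransomware", "memory_protection", "behavior_protection")

# Constructed sample: the parsed form of a kibana.yml package policy in the shape the
# YAML above uses; only the parts the audit inspects are kept, two Linux settings weakened.
PRECONFIGURED_POLICY = {
    "package": {"name": "endpoint"},
    "name": "endpoint_linux",
    "inputs": [{
        "type": "endpoint",
        "enabled": True,
        "config": {"policy": {"value": {
            "windows": [
                {"type": "events", "vars": [{"dll_and_driver_load": True}, {"dns": True}, {"process": True}]},
                {"type": "malware", "vars": [{"mode": "prevent"}, {"blocklist": True}]},
                {"type": "ransomware", "vars": [{"mode": "prevent"}, {"supported": True}]},
                {"type": "logging", "vars": {"file": "info"}},
            ],
            "linux": [
                {"type": "events", "vars": [{"process": True}, {"file": True}, {"network": False}]},
                {"type": "malware", "vars": [{"mode": "detect"}, {"blocklist": True}]},
                {"type": "memory_protection", "vars": [{"mode": "prevent"}]},
            ],
        }}},
    }],
}

def flatten_vars(vars_):
    """Normalise vars: the YAML mixes a list of single-key maps with a plain map."""
    if isinstance(vars_, dict):
        return dict(vars_)
    merged = {}
    for item in vars_ or []:
        merged.update(item)
    return merged

def audit_endpoint_policy(policy):
    """List protections not in prevent mode and disabled event sources, per OS."""
    findings = []
    for inp in policy.get("inputs", []):
        if inp.get("type") != "endpoint" or not inp.get("enabled", False):
            continue  # only enabled Elastic Defend inputs carry a policy to check
        per_os = inp.get("config", {}).get("policy", {}).get("value", {})
        for os_name, sections in per_os.items():
            for section in sections:
                kind, vars_ = section.get("type"), flatten_vars(section.get("vars"))
                if kind in PROTECTIONS and vars_.get("mode") != "prevent":
                    findings.append(f"{os_name}.{kind}: mode={vars_.get('mode')!r}, expected 'prevent'")
                elif kind == "events":
                    findings += [f"{os_name}.events.{src}: disabled" for src, on in vars_.items() if not on]
    return findings
```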
@kevinlog will someone on your end be able to implement this with our guidance?
@jlind23
We have seen similar feature requests for this too, so I agree that we should do it. However, we need to find time on our crowded roadmap. I don't think we'd be able to do this in 8.9, but maybe in a release not too much further out. I will work with product on our side on priority.
cc @caitlinbetz
Pinging @elastic/security-defend-workflows (Team:Defend Workflows)
Description
Preconfigured package policies should support integrations with extensions, like endpoint or synthetics.
I saw two major issues that need to be solved to fix that:
- Currently, when we create a package policy from preconfiguration, we do not run external callbacks like it's done in the package policy handler. Fixed by https://github.com/elastic/kibana/pull/149272
- `config` key for an input. Note that this issue could impact the work done here too: https://github.com/elastic/kibana/issues/140961