elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

Feature Request: Additional Filtering Options for Elastic Defend #168478

Open defensivedepth opened 8 months ago

defensivedepth commented 8 months ago

Currently Elastic Fleet / Defend supports a limited set of Event Filters (docs): Exclusions and limited use of wildcards.

Though this is useful as is, it is quite limited. I would like to see a more robust filtering setup, something akin to what Sysmon can do via its configuration files. Specifically, the ability to specify both Include and Exclude filters.

For example, these are some rough stats for the sysmon config that Florian Roth maintains:


You can see that for the network connection dataset, we have both include & exclude filters. Here is that filterset: https://github.com/Neo23x0/sysmon-config/blob/277c594ec506899b985efc238ee0f0d1efc1c9f6/sysmonconfig-export.xml#L267

This allows us to Include specific generic events like:

<Image condition="begin with">C:\ProgramData</Image> <!--Normally, network communications should be sourced from "Program Files" not from ProgramData, something to look at-->

But also exclude specific high-volume benign events that would have matched the include:

<Image condition="begin with">C:\ProgramData\Microsoft\Windows Defender\Platform\</Image>

The other piece to this is the ability to use wildcards more freely. As you can see from the stats above, BeginsWith and EndsWith are common wildcard use-cases.

Finally - I recently spoke at BSides Augusta about converting Florian Roth's sysmon config (process filters) to import them into Elastic Fleet. (Video here) Having the additional functionality discussed here would allow us to bring more filters into the platform and allow us to reduce the amount of data we have to ship + ingest + sort through - which is always a win for Defenders.
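A worked model of the include/exclude semantics discussed in this issue, added here as an example; it is not code from the issue, from Sysmon, or from Elastic Defend. It parses a constructed Sysmon-style rule fragment (the paths and the port are made up for illustration) and evaluates constructed network-connection events against it. The condition set and the evaluation order (an exclude match drops the event even when an include matched, as Sysmon documents) are a simplification: groupRelation and compound Rule elements are not modelled. The exclude_only function shows what an exclusion-only filter, which is what the issue says Elastic Defend offers today, would let through on the same events.

```python
"""Sysmon-style include/exclude filtering, simplified model (hypothetical example)."""
import xml.etree.ElementTree as ET

# Constructed Sysmon-shaped rule fragment: a generic "include" for anything that
# connects out from ProgramData, plus an "exclude" for one known-benign subtree.
RULES_XML = r"""
<Sysmon schemaversion="4.50">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="include">
        <Image condition="begin with">C:\ProgramData</Image>
        <Image condition="end with">powershell.exe</Image>
        <DestinationPort condition="is">4444</DestinationPort>
      </NetworkConnect>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="exclude">
        <Image condition="begin with">C:\ProgramData\Microsoft\Windows Defender\Platform\</Image>
      </NetworkConnect>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
"""

# Constructed sample events (not real telemetry).
EVENTS = [
    {"Image": r"C:\ProgramData\Updater\svc.exe", "DestinationPort": 443},
    {"Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe",
     "DestinationPort": 443},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "DestinationPort": 443},
    {"Image": r"C:\Program Files\Vendor\app.exe", "DestinationPort": 4444},
    {"Image": r"C:\Program Files\Vendor\app.exe", "DestinationPort": 443},
]


def condition_matches(cond, expected, actual):
    """Subset of Sysmon conditions; Sysmon string matching is case-insensitive."""
    a, e = str(actual).lower(), expected.lower()
    if cond == "is":
        return a == e
    if cond == "is not":
        return a != e
    if cond == "contains":
        return e in a
    if cond == "begin with":
        return a.startswith(e)
    if cond == "end with":
        return a.endswith(e)
    raise ValueError(f"unsupported condition: {cond}")


def load_rules(xml_text, event_type):
    """Return (include_rules, exclude_rules) as (field, condition, value) triples."""
    root = ET.fromstring(xml_text.strip())
    include, exclude = [], []
    for block in root.iter(event_type):
        target = include if block.get("onmatch") == "include" else exclude
        for field in block:
            # Sysmon's default condition when none is given is "is".
            target.append((field.tag, field.get("condition", "is"), field.text.strip()))
    return include, exclude


def _any_match(event, rules):
    return any(f in event and condition_matches(c, v, event[f]) for f, c, v in rules)


def should_log(event, include, exclude):
    """Exclude wins over include; with includes present, an event must hit one to be kept."""
    if _any_match(event, exclude):
        return False
    return _any_match(event, include)


def filter_events(events, xml_text=RULES_XML, event_type="NetworkConnect"):
    include, exclude = load_rules(xml_text, event_type)
    return [e for e in events if should_log(e, include, exclude)]


def exclude_only(events, xml_text=RULES_XML, event_type="NetworkConnect"):
    """What an exclusion-only filter keeps: everything that does not hit an exclude rule."""
    _, exclude = load_rules(xml_text, event_type)
    return [e for e in events if not _any_match(e, exclude)]


if __name__ == "__main__":
    for e in filter_events(EVENTS):
        print("logged:", e["Image"], e["DestinationPort"])
    print(len(exclude_only(EVENTS)), "events kept with exclusions only")
```

Run as a script, it keeps the generic ProgramData binary, the powershell.exe connection and the port-4444 connection, and drops the Defender platform binary despite it matching the ProgramData include; the exclusion-only pass keeps four of the five events, which is the volume difference the issue is about.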

defensivedepth commented 8 months ago

@ferullo Opened the discussion per https://discuss.elastic.co/t/event-filters-wildcards/343295/6

elasticmachine commented 8 months ago

Pinging @elastic/security-defend-workflows (Team:Defend Workflows)

ferullo commented 8 months ago

cc @kevinlog @nfritts @roxana-gheorghe @caitlinbetz

ferullo commented 7 months ago

@defensivedepth A PR is open to add "matches" support to Event Filters. Given that they already support "is", "is not", "is one of", and "is not one of" I think after that PR is merged the only thing you'd still want to see added is a "does not match" operator. Do you agree or do I misunderstand you?