Open defensivedepth opened 8 months ago
@ferullo Opened the discussion per https://discuss.elastic.co/t/event-filters-wildcards/343295/6
Pinging @elastic/security-defend-workflows (Team:Defend Workflows)
cc @kevinlog @nfritts @roxana-gheorghe @caitlinbetz
@defensivedepth A PR is open to add "matches" support to Event Filters. Given that they already support "is", "is not", "is one of", and "is not one of" I think after that PR is merged the only thing you'd still want to see added is a "does not match" operator. Do you agree or do I misunderstand you?
Currently Elastic Fleet / Defend supports a limited set of Event Filters (docs): Exclusions and limited use of wildcards.
Though this is useful as is, it is quite limited. I would like to see a more robust filtering setup, something akin to what Sysmon can do via its configuration files. Specifically, the ability to specify both **Include** and **Exclude** filters. For example, these are some rough stats for the sysmon config that Florian Roth maintains:
You can see that for the **network connection** dataset, we have both include & exclude filters. Here is that filterset: https://github.com/Neo23x0/sysmon-config/blob/277c594ec506899b985efc238ee0f0d1efc1c9f6/sysmonconfig-export.xml#L267

This allows us to **Include** specific generic events like:

```xml
<Image condition="begin with">C:\ProgramData</Image> <!--Normally, network communications should be sourced from "Program Files" not from ProgramData, something to look at-->
```

But also **exclude** specific high-volume benign events that would have matched the include:

```xml
<Image condition="begin with">C:\ProgramData\Microsoft\Windows Defender\Platform\</Image>
```
The other piece to this is the ability to use wildcards more freely. As you can see from the stats above, **BeginsWith** and **EndsWith** are common wildcard use-cases.

Finally - I recently spoke at BSides Augusta about converting Florian Roth's sysmon config (process filters) to import them into Elastic Fleet. (Video here) Having the additional functionality discussed here would allow us to bring more filters into the platform and allow us to reduce the amount of data we have to ship + ingest + sort through - which is always a win for Defenders.