elastic / security-docs

Elastic Security Documentation

Clarify wildcard escaping rules for Endpoint alert exceptions, trusted apps, and event filters #5773

Open ferullo opened 1 month ago

ferullo commented 1 month ago

Description

This existing page documents the rules for escaping \, *, and ? for rule exceptions with this text

Some characters must be escaped with a backslash, such as `\\` for a literal backslash, `\*` for an asterisk, and `\?` for a question mark. Windows paths must be divided with double backslashes (for example, `C:\\Windows\\explorer.exe`), and paths that already include double backslashes might require four backslashes for each divider.

That text is not relevant for Endpoint alert exceptions, trusted apps, and event filters. Those three types of artifacts should not have \, *, or ? escaped.

Ideally we'd close this gap within Kibana. But doing that would be hard and not backwards compatible so at the very least we should document it.

Related links / assets

https://github.com/elastic/security-docs/issues/5766 made a similar request, involving the app's inconsistency between trusted apps and rule exceptions, so I closed that issue in favor of this one for tracking. Here's the original description from that ticket:

There seems to be an inconsistency between the sections of the documentation related to the use of the "matches" operator and the escape characters.

  • Trusted Applications Documentation The documentation states: "matches: Can include wildcards in Value, such as C:\path\*\app.exe. This option is only available for the Path field type. Available wildcards are ? (match one character) and * (match zero or more characters)."

  • Detection Rule Exception Documentation The documentation states: "matches | does not match — Allows you to use wildcards in Value, such as C:\\path\\*\\app.exe. Available wildcards are ? (match one character) and * (match zero or more characters). The selected Field data type must be keyword, text, or wildcard."

The primary inconsistency lies in the use of the escape character. The "Trusted Applications" documentation does not seem to require double backslashes for paths, while the "Detection Rule Exception" documentation does.

Could we please clarify whether the escape character (double backslashes) is necessary in both contexts or if the single backslash is fine? If so, it would be helpful to have the documentation updated for consistency to avoid any confusion.

Which documentation set needs improvement?

ESS and serverless

Software version

This is applicable to all Kibana and Endpoint versions.

Collaborators

PM: @caitlinbetz Developer: @gabriellandau @marshallmain

Timeline / deliverables

This is an enhancement request because this undocumented distinction is confusing to users.

joepeeples commented 1 month ago

For rule exceptions vs. trusted apps and event filters, as noted in https://github.com/elastic/security-docs/issues/5766#issuecomment-2344604851 the docs are basically already accurate, but we could make each component's requirements more explicit since users might not expect the differences. We haven't yet documented the discrepancy of rule exceptions vs. Endpoint exceptions, so we can highlight that too.

@ferullo @caitlinbetz, how far back do we need to backport? The issue template says "This is applicable to all Kibana and Endpoint versions," but the farther back we go the more challenging and burdensome backporting becomes. How about the 3 most recent 8.x versions (8.15, 8.14, 8.13) plus the most recent 7.x (7.17)?

ferullo commented 1 month ago

I think backporting as far as is easily doable is all we need to do. I'd say 8.14 and 8.14 at a minimum.

gabriellandau commented 4 weeks ago

This just came up in an SDH. Customer was double-escaping Endpoint exceptions and Trusted Apps, making them ineffective.
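The escaping difference described in the issue, and the double-escaping failure mentioned in the comment above, as an added illustrative model that is not Kibana's or Endpoint's own matching code: `matches(value, path, artifact=...)` applies the quoted rule-exception rules (backslash escapes the next character) when `artifact` is `"rule_exception"`, and treats every character except `*` and `?` literally for the Endpoint artifact types. The artifact names, the `_compile` helper and the sample paths are constructed for this example.

```python
import re

ENDPOINT_ARTIFACTS = ("trusted_app", "event_filter", "endpoint_exception")


def _compile(pattern: str, escaping: bool) -> re.Pattern:
    """Translate a 'matches' Value into an anchored regex.

    escaping=True models the rule-exception rules quoted in the issue:
    '\\' escapes the next character, so '\\\\' is one literal backslash,
    '\\*' a literal asterisk and '\\?' a literal question mark.
    escaping=False models Endpoint artifacts, where nothing is escaped and
    only '*' (zero or more chars) and '?' (one char) are wildcards.
    Assumption: a simplified model of the documented behaviour, not the
    product's parser.
    """
    parts = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if escaping and ch == "\\" and i + 1 < len(pattern):
            parts.append(re.escape(pattern[i + 1]))  # escaped char is literal
            i += 2
            continue
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
        i += 1
    return re.compile("".join(parts))


def matches(value: str, path: str, *, artifact: str) -> bool:
    """True if the Value would cover `path` for the given artifact type."""
    escaping = artifact == "rule_exception"
    return _compile(value, escaping).fullmatch(path) is not None


def check_exception(value: str, path: str) -> dict:
    """Report, per artifact type, whether a Value actually covers `path`.

    Useful for spotting a Value written in the wrong style, e.g. a
    double-escaped Windows path pasted into a trusted app.
    """
    return {a: matches(value, path, artifact=a)
            for a in ("rule_exception",) + ENDPOINT_ARTIFACTS}


if __name__ == "__main__":
    path = r"C:\Windows\explorer.exe"  # constructed sample path
    print(check_exception(r"C:\\Windows\\explorer.exe", path))  # only rule_exception True
    print(check_exception(r"C:\Windows\explorer.exe", path))    # only Endpoint types True
```

The first call shows the case from the SDH: a double-escaped Value matches as a rule exception but never matches the same path as a trusted app, event filter or Endpoint exception.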