redcanaryco / mac-monitor

Red Canary Mac Monitor is an advanced, stand-alone system monitoring tool tailor-made for macOS security research. Beginning with Endpoint Security (ES), it collects and enriches system events, displaying them graphically, with an expansive feature set designed to reduce noise.

Artifact Filtering -> ES events filtering issues #4

Open theevilbit opened 1 year ago

theevilbit commented 1 year ago

Describe the bug
When I remove an event from the Artifact Filtering -> ES events to see it in the view, I can't add it back. I need to fully disable filtering and re-enable it to be able to filter out the event.

Expected behavior
When I click "remove", there should be a button to "add".

To Reproduce
Steps to reproduce the behavior:

  1. Enable artifact filtering
  2. remove an item

Platform specifics (please complete the following information):

Brandon7CC commented 1 year ago

Also correct!

@theevilbit Along a similar line... would you like a right click "focus related events" button? This would remove all but the related events (by initiating process / target process for exec/fork)? This should also be an easier ask 😄

Brandon7CC commented 1 year ago

@theevilbit after thinking more on this... this was the intended behavior. The original idea for the "event mask" would be that it takes a "snapshot" of the events the user is subscribed to and then they have the ability to selectively remove from view. Adding them back would be taken care of by disabling and re-enabling the mask like you said.

I'm going to switch this from "bug" to "feature request". This will be a UI/UX change / feature addition.