[Security Solution][Detections] Change from sha1 to sha256 (#73741)

Author: dplumlee

x-pack/plugins/security_solution/public/common/components/exceptions/add_exception_modal/index.tsx

@@ -40,6 +40,7 @@ import { AddExceptionComments } from '../add_exception_comments';
 import {
   enrichNewExceptionItemsWithComments,
   enrichExceptionItemsWithOS,
+  lowercaseHashValues,
   defaultEndpointExceptionItems,
   entryHasListType,
   entryHasNonEcsType,
@@ -256,7 +257,7 @@ export const AddExceptionModal = memo(function AddExceptionModal({
         : exceptionItemsToAdd;
     if (exceptionListType === 'endpoint') {
       const osTypes = retrieveAlertOsTypes();
-      enriched = enrichExceptionItemsWithOS(enriched, osTypes);
+      enriched = lowercaseHashValues(enrichExceptionItemsWithOS(enriched, osTypes));
     }
     return enriched;
   }, [comment, exceptionItemsToAdd, exceptionListType, retrieveAlertOsTypes]);

x-pack/plugins/security_solution/public/common/components/exceptions/edit_exception_modal/index.tsx

@@ -40,6 +40,7 @@ import {
   getOperatingSystems,
   entryHasListType,
   entryHasNonEcsType,
+  lowercaseHashValues,
 } from '../helpers';
 import { Loader } from '../../loader';
 
@@ -195,7 +196,7 @@ export const EditExceptionModal = memo(function EditExceptionModal({
     ];
     if (exceptionListType === 'endpoint') {
       const osTypes = exceptionItem._tags ? getOperatingSystems(exceptionItem._tags) : [];
-      enriched = enrichExceptionItemsWithOS(enriched, osTypes);
+      enriched = lowercaseHashValues(enrichExceptionItemsWithOS(enriched, osTypes));
     }
     return enriched;
   }, [exceptionItemsToAdd, exceptionItem, comment, exceptionListType]);

x-pack/plugins/security_solution/public/common/components/exceptions/exceptionable_fields.json

@@ -6,40 +6,32 @@
   "Target.process.Ext.code_signature.valid",
   "Target.process.Ext.services",
   "Target.process.Ext.user",
-  "Target.process.command_line",
   "Target.process.command_line.text",
-  "Target.process.executable",
   "Target.process.executable.text",
   "Target.process.hash.md5",
   "Target.process.hash.sha1",
   "Target.process.hash.sha256",
   "Target.process.hash.sha512",
-  "Target.process.name",
   "Target.process.name.text",
   "Target.process.parent.Ext.code_signature.status",
   "Target.process.parent.Ext.code_signature.subject_name",
   "Target.process.parent.Ext.code_signature.trusted",
   "Target.process.parent.Ext.code_signature.valid",
-  "Target.process.parent.command_line",
   "Target.process.parent.command_line.text",
-  "Target.process.parent.executable",
   "Target.process.parent.executable.text",
   "Target.process.parent.hash.md5",
   "Target.process.parent.hash.sha1",
   "Target.process.parent.hash.sha256",
   "Target.process.parent.hash.sha512",
-  "Target.process.parent.name",
   "Target.process.parent.name.text",
   "Target.process.parent.pgid",
-  "Target.process.parent.working_directory",
   "Target.process.parent.working_directory.text",
   "Target.process.pe.company",
   "Target.process.pe.description",
   "Target.process.pe.file_version",
   "Target.process.pe.original_file_name",
   "Target.process.pe.product",
   "Target.process.pgid",
-  "Target.process.working_directory",
   "Target.process.working_directory.text",
   "agent.id",
   "agent.type",
@@ -74,15 +66,13 @@
   "file.mode",
   "file.name",
   "file.owner",
-  "file.path",
   "file.path.text",
   "file.pe.company",
   "file.pe.description",
   "file.pe.file_version",
   "file.pe.original_file_name",
   "file.pe.product",
   "file.size",
-  "file.target_path",
   "file.target_path.text",
   "file.type",
   "file.uid",
@@ -94,10 +84,8 @@
   "host.id",
   "host.os.Ext.variant",
   "host.os.family",
-  "host.os.full",
   "host.os.full.text",
   "host.os.kernel",
-  "host.os.name",
   "host.os.name.text",
   "host.os.platform",
   "host.os.version",
@@ -108,40 +96,36 @@
   "process.Ext.code_signature.valid",
   "process.Ext.services",
   "process.Ext.user",
-  "process.command_line",
   "process.command_line.text",
-  "process.executable",
   "process.executable.text",
   "process.hash.md5",
   "process.hash.sha1",
   "process.hash.sha256",
   "process.hash.sha512",
-  "process.name",
   "process.name.text",
   "process.parent.Ext.code_signature.status",
   "process.parent.Ext.code_signature.subject_name",
   "process.parent.Ext.code_signature.trusted",
   "process.parent.Ext.code_signature.valid",
-  "process.parent.command_line",
   "process.parent.command_line.text",
-  "process.parent.executable",
   "process.parent.executable.text",
   "process.parent.hash.md5",
   "process.parent.hash.sha1",
   "process.parent.hash.sha256",
   "process.parent.hash.sha512",
-  "process.parent.name",
   "process.parent.name.text",
   "process.parent.pgid",
-  "process.parent.working_directory",
   "process.parent.working_directory.text",
   "process.pe.company",
   "process.pe.description",
   "process.pe.file_version",
   "process.pe.original_file_name",
   "process.pe.product",
   "process.pgid",
-  "process.working_directory",
   "process.working_directory.text",
-  "rule.uuid"
+  "rule.uuid",
+  "user.domain",
+  "user.email",
+  "user.hash",
+  "user.id"
 ]

x-pack/plugins/security_solution/public/common/components/exceptions/helpers.test.tsx

@@ -24,6 +24,7 @@ import {
   entryHasListType,
   entryHasNonEcsType,
   prepareExceptionItemsForBulkClose,
+  lowercaseHashValues,
 } from './helpers';
 import { EmptyEntry } from './types';
 import {
@@ -663,4 +664,48 @@ describe('Exception helpers', () => {
       expect(result).toEqual(expected);
     });
   });
+
+  describe('#lowercaseHashValues', () => {
+    test('it should return an empty array with an empty array', () => {
+      const payload: ExceptionListItemSchema[] = [];
+      const result = lowercaseHashValues(payload);
+      expect(result).toEqual([]);
+    });
+
+    test('it should return all list items with entry hashes lowercased', () => {
+      const payload = [
+        {
+          ...getExceptionListItemSchemaMock(),
+          entries: [{ field: 'user.hash', type: 'match', value: 'DDDFFF' }] as EntriesArray,
+        },
+        {
+          ...getExceptionListItemSchemaMock(),
+          entries: [{ field: 'user.hash', type: 'match', value: 'aaabbb' }] as EntriesArray,
+        },
+        {
+          ...getExceptionListItemSchemaMock(),
+          entries: [
+            { field: 'user.hash', type: 'match_any', value: ['aaabbb', 'DDDFFF'] },
+          ] as EntriesArray,
+        },
+      ];
+      const result = lowercaseHashValues(payload);
+      expect(result).toEqual([
+        {
+          ...getExceptionListItemSchemaMock(),
+          entries: [{ field: 'user.hash', type: 'match', value: 'dddfff' }] as EntriesArray,
+        },
+        {
+          ...getExceptionListItemSchemaMock(),
+          entries: [{ field: 'user.hash', type: 'match', value: 'aaabbb' }] as EntriesArray,
+        },
+        {
+          ...getExceptionListItemSchemaMock(),
+          entries: [
+            { field: 'user.hash', type: 'match_any', value: ['aaabbb', 'dddfff'] },
+          ] as EntriesArray,
+        },
+      ]);
+    });
+  });
 });

x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx

@@ -335,6 +335,36 @@ export const enrichExceptionItemsWithOS = (
   });
 };
 
+/**
+ * Returns given exceptionItems with all hash-related entries lowercased
+ */
+export const lowercaseHashValues = (
+  exceptionItems: Array<ExceptionListItemSchema | CreateExceptionListItemSchema>
+): Array<ExceptionListItemSchema | CreateExceptionListItemSchema> => {
+  return exceptionItems.map((item) => {
+    const newEntries = item.entries.map((itemEntry) => {
+      if (itemEntry.field.includes('.hash')) {
+        if (itemEntry.type === 'match') {
+          return {
+            ...itemEntry,
+            value: itemEntry.value.toLowerCase(),
+          };
+        } else if (itemEntry.type === 'match_any') {
+          return {
+            ...itemEntry,
+            value: itemEntry.value.map((val) => val.toLowerCase()),
+          };
+        }
+      }
+      return itemEntry;
+    });
+    return {
+      ...item,
+      entries: newEntries,
+    };
+  });
+};
+
 /**
  * Returns the value for the given fieldname within TimelineNonEcsData if it exists
  */
@@ -413,7 +443,7 @@ export const defaultEndpointExceptionItems = (
     data: alertData,
     fieldName: 'file.Ext.code_signature.trusted',
   });
-  const [sha1Hash] = getMappedNonEcsValue({ data: alertData, fieldName: 'file.hash.sha1' });
+  const [sha256Hash] = getMappedNonEcsValue({ data: alertData, fieldName: 'file.hash.sha256' });
   const [eventCode] = getMappedNonEcsValue({ data: alertData, fieldName: 'event.code' });
   const namespaceType = 'agnostic';
 
@@ -446,10 +476,10 @@ export const defaultEndpointExceptionItems = (
           value: filePath ?? '',
         },
         {
-          field: 'file.hash.sha1',
+          field: 'file.hash.sha256',
           operator: 'included',
           type: 'match',
-          value: sha1Hash ?? '',
+          value: sha256Hash ?? '',
         },
         {
           field: 'event.code',

x-pack/plugins/security_solution/public/detections/components/alerts_table/default_config.tsx

@@ -202,7 +202,7 @@ export const requiredFieldsForActions = [
   'file.path',
   'file.Ext.code_signature.subject_name',
   'file.Ext.code_signature.trusted',
-  'file.hash.sha1',
+  'file.hash.sha256',
   'host.os.family',
   'event.code',
 ];