[Security Solution] Correct memory exception field names (#110705) (#110742)

Co-authored-by: Kevin Logan <56395104+kevinlog@users.noreply.github.com>

Author: kibanamachine

x-pack/plugins/security_solution/common/ecs/event/index.ts

@@ -53,7 +53,7 @@ export enum EventCode {
   // Memory Protection alert
   MEMORY_SIGNATURE = 'memory_signature',
   // Memory Protection alert
-  MALICIOUS_THREAD = 'malicious_thread',
+  SHELLCODE_THREAD = 'shellcode_thread',
   // behavior
   BEHAVIOR = 'behavior',
 }

x-pack/plugins/security_solution/common/endpoint/generate_data.ts

@@ -678,7 +678,7 @@ export class EndpointDocGenerator extends BaseDataGenerator {
         action: 'start',
         kind: 'alert',
         category: 'malware',
-        code: isShellcode ? 'malicious_thread' : 'memory_signature',
+        code: isShellcode ? 'shellcode_thread' : 'memory_signature',
         id: this.seededUUIDv4(),
         dataset: 'endpoint',
         module: 'endpoint',

x-pack/plugins/security_solution/public/common/components/event_details/alert_summary_view.test.tsx

@@ -86,8 +86,8 @@ describe('AlertSummaryView', () => {
           return {
             category: 'event',
             field: 'event.code',
-            values: ['malicious_thread'],
-            originalValue: ['malicious_thread'],
+            values: ['shellcode_thread'],
+            originalValue: ['shellcode_thread'],
           };
         }
         return item;

x-pack/plugins/security_solution/public/common/components/event_details/alert_summary_view.tsx

@@ -157,7 +157,7 @@ function getEventFieldsToDisplay({
 }): EventSummaryField[] {
   switch (eventCode) {
     // memory protection fields
-    case EventCode.MALICIOUS_THREAD:
+    case EventCode.SHELLCODE_THREAD:
       return memoryShellCodeAlertFields;
     case EventCode.MEMORY_SIGNATURE:
       return memorySignatureAlertFields;

x-pack/plugins/security_solution/public/common/components/exceptions/exceptionable_endpoint_fields.json

@@ -19,13 +19,13 @@
   "Target.process.pe.original_file_name",
   "Target.process.pe.product",
   "Target.process.pgid",
-  "Target.process.thread.Ext.start_address_details.allocation_type",
+  "Target.process.Ext.memory_region.allocation_type",
   "Target.process.thread.Ext.start_address_bytes_disasm_hash",
   "Target.process.thread.Ext.start_address_allocation_offset",
-  "Target.process.thread.Ext.start_address_details.allocation_size",
-  "Target.process.thread.Ext.start_address_details.region_size",
-  "Target.process.thread.Ext.start_address_details.region_protection",
-  "Target.process.thread.Ext.start_address_details.memory_pe.imphash",
+  "Target.process.Ext.memory_region.allocation_size",
+  "Target.process.Ext.memory_region.region_size",
+  "Target.process.Ext.memory_region.region_protection",
+  "Target.process.Ext.memory_region.memory_pe.imphash",
   "Target.process.thread.Ext.start_address_bytes",
   "agent.id",
   "agent.type",
@@ -82,6 +82,8 @@
   "process.Ext.services",
   "process.Ext.user",
   "process.Ext.code_signature",
+  "process.Ext.token.integrity_level_name",
+  "process.Ext.memory_region.malware_signature.all_names",
   "process.executable",
   "process.hash.md5",
   "process.hash.sha1",

x-pack/plugins/security_solution/public/common/components/exceptions/helpers.test.tsx

@@ -1031,7 +1031,7 @@ describe('Exception helpers', () => {
       ]);
     });
 
-    test('it should return pre-populated memory shellcode items for event code `malicious_thread`', () => {
+    test('it should return pre-populated memory shellcode items for event code `shellcode_thread`', () => {
       const defaultItems = defaultEndpointExceptionItems('list_id', 'my_rule', {
         _id: '123',
         process: {
@@ -1049,7 +1049,7 @@ describe('Exception helpers', () => {
           self_injection: true,
         },
         event: {
-          code: 'malicious_thread',
+          code: 'shellcode_thread',
         },
         Target: {
           process: {
@@ -1108,52 +1108,10 @@ describe('Exception helpers', () => {
           value: 'high',
           id: '123',
         },
-        {
-          field: 'Target.process.thread.Ext.start_address_details',
-          type: 'nested',
-          entries: [
-            {
-              field: 'allocation_type',
-              operator: 'included',
-              type: 'match',
-              value: 'PRIVATE',
-              id: '123',
-            },
-            {
-              field: 'allocation_size',
-              operator: 'included',
-              type: 'match',
-              value: '4000',
-              id: '123',
-            },
-            {
-              field: 'region_size',
-              operator: 'included',
-              type: 'match',
-              value: '4000',
-              id: '123',
-            },
-            {
-              field: 'region_protection',
-              operator: 'included',
-              type: 'match',
-              value: 'RWX',
-              id: '123',
-            },
-            {
-              field: 'memory_pe.imphash',
-              operator: 'included',
-              type: 'match',
-              value: 'a hash',
-              id: '123',
-            },
-          ],
-          id: '123',
-        },
       ]);
     });
 
-    test('it should return pre-populated memory shellcode items for event code `malicious_thread` and skip empty', () => {
+    test('it should return pre-populated memory shellcode items for event code `shellcode_thread` and skip empty', () => {
       const defaultItems = defaultEndpointExceptionItems('list_id', 'my_rule', {
         _id: '123',
         process: {
@@ -1171,7 +1129,7 @@ describe('Exception helpers', () => {
           self_injection: true,
         },
         event: {
-          code: 'malicious_thread',
+          code: 'shellcode_thread',
         },
         Target: {
           process: {
@@ -1217,41 +1175,6 @@ describe('Exception helpers', () => {
           value: 'high',
           id: '123',
         },
-        {
-          field: 'Target.process.thread.Ext.start_address_details',
-          type: 'nested',
-          entries: [
-            {
-              field: 'allocation_size',
-              operator: 'included',
-              type: 'match',
-              value: '4000',
-              id: '123',
-            },
-            {
-              field: 'region_size',
-              operator: 'included',
-              type: 'match',
-              value: '4000',
-              id: '123',
-            },
-            {
-              field: 'region_protection',
-              operator: 'included',
-              type: 'match',
-              value: 'RWX',
-              id: '123',
-            },
-            {
-              field: 'memory_pe.imphash',
-              operator: 'included',
-              type: 'match',
-              value: 'a hash',
-              id: '123',
-            },
-          ],
-          id: '123',
-        },
       ]);
     });
   });

x-pack/plugins/security_solution/public/common/components/exceptions/helpers.tsx

@@ -577,7 +577,7 @@ export const getPrepopulatedMemoryShellcodeException = ({
   eventCode: string;
   alertEcsData: Flattened<Ecs>;
 }): ExceptionsBuilderExceptionItem => {
-  const { process, Target } = alertEcsData;
+  const { process } = alertEcsData;
   const entries = filterEmptyExceptionEntries([
     {
       field: 'Memory_protection.feature',
@@ -609,44 +609,6 @@ export const getPrepopulatedMemoryShellcodeException = ({
       type: 'match' as const,
       value: process?.Ext?.token?.integrity_level_name ?? '',
     },
-    {
-      field: 'Target.process.thread.Ext.start_address_details',
-      type: 'nested' as const,
-      entries: [
-        {
-          field: 'allocation_type',
-          operator: 'included' as const,
-          type: 'match' as const,
-          value: Target?.process?.thread?.Ext?.start_address_details?.allocation_type ?? '',
-        },
-        {
-          field: 'allocation_size',
-          operator: 'included' as const,
-          type: 'match' as const,
-          value: String(Target?.process?.thread?.Ext?.start_address_details?.allocation_size) ?? '',
-        },
-        {
-          field: 'region_size',
-          operator: 'included' as const,
-          type: 'match' as const,
-          value: String(Target?.process?.thread?.Ext?.start_address_details?.region_size) ?? '',
-        },
-        {
-          field: 'region_protection',
-          operator: 'included' as const,
-          type: 'match' as const,
-          value:
-            String(Target?.process?.thread?.Ext?.start_address_details?.region_protection) ?? '',
-        },
-        {
-          field: 'memory_pe.imphash',
-          operator: 'included' as const,
-          type: 'match' as const,
-          value:
-            String(Target?.process?.thread?.Ext?.start_address_details?.memory_pe?.imphash) ?? '',
-        },
-      ],
-    },
   ]);
 
   return {
@@ -845,7 +807,7 @@ export const defaultEndpointExceptionItems = (
           alertEcsData,
         }),
       ];
-    case 'malicious_thread':
+    case 'shellcode_thread':
       return [
         getPrepopulatedMemoryShellcodeException({
           listId,