diff --git a/custom_documentation/doc/endpoint/policy/policy_response.md b/custom_documentation/doc/endpoint/policy/policy_response.md
index 3436d9cf9..f032fe84a 100644
--- a/custom_documentation/doc/endpoint/policy/policy_response.md
+++ b/custom_documentation/doc/endpoint/policy/policy_response.md
@@ -52,6 +52,8 @@ This is a state management document that is generated every time Endpoint refres
 | Endpoint.policy.applied.response.configurations.streaming.status |
 | Endpoint.policy.applied.response.diagnostic.behavior_protection.concerned_actions |
 | Endpoint.policy.applied.response.diagnostic.behavior_protection.status |
+| Endpoint.policy.applied.response.diagnostic.firewall_anti_tamper.concerned_actions |
+| Endpoint.policy.applied.response.diagnostic.firewall_anti_tamper.status |
 | Endpoint.policy.applied.response.diagnostic.malware.concerned_actions |
 | Endpoint.policy.applied.response.diagnostic.malware.status |
 | Endpoint.policy.applied.response.diagnostic.memory_protection.concerned_actions |
diff --git a/custom_documentation/src/endpoint/data_stream/policy/policy_response.yaml b/custom_documentation/src/endpoint/data_stream/policy/policy_response.yaml
index e059c5b7e..ecb7224ec 100644
--- a/custom_documentation/src/endpoint/data_stream/policy/policy_response.yaml
+++ b/custom_documentation/src/endpoint/data_stream/policy/policy_response.yaml
@@ -60,6 +60,8 @@ fields:
   - Endpoint.policy.applied.response.configurations.streaming.status
   - Endpoint.policy.applied.response.diagnostic.behavior_protection.concerned_actions
   - Endpoint.policy.applied.response.diagnostic.behavior_protection.status
+  - Endpoint.policy.applied.response.diagnostic.firewall_anti_tamper.concerned_actions
+  - Endpoint.policy.applied.response.diagnostic.firewall_anti_tamper.status
   - Endpoint.policy.applied.response.diagnostic.malware.concerned_actions
   - Endpoint.policy.applied.response.diagnostic.malware.status
   - Endpoint.policy.applied.response.diagnostic.memory_protection.concerned_actions
diff --git a/custom_schemas/custom_endpoint.yml b/custom_schemas/custom_endpoint.yml
index 85ce2b97b..51d436315 100644
--- a/custom_schemas/custom_endpoint.yml
+++ b/custom_schemas/custom_endpoint.yml
@@ -247,6 +247,24 @@
     enabled: false
     description: the diagnostic configurations of the applied policy
 
+  - name: policy.applied.response.diagnostic.firewall_anti_tamper
+    level: custom
+    type: object
+    description: overall firewall anti-tamper configuration and status of the applied policy
+
+  - name: policy.applied.response.diagnostic.firewall_anti_tamper.concerned_actions
+    level: custom
+    type: keyword
+    description: all actions that were taken for the diagnostic configuration of firewall anti-tamper
+
+  - name: policy.applied.response.diagnostic.firewall_anti_tamper.status
+    level: custom
+    type: keyword
+    description: >
+      the overall status of the diagnostic configuration of firewall anti-tamper, this is correlated to
+      the status of concerned actions but not a simple sum of the actions
+    short: the overall status of diagnostic firewall anti-tamper
+
   - name: policy.applied.response.diagnostic.ransomware.concerned_actions
     level: custom
     type: keyword
diff --git a/package/endpoint/data_stream/policy/fields/fields.yml b/package/endpoint/data_stream/policy/fields/fields.yml
index 1f20fb300..3a896c14e 100644
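Review bot: The new `policy.applied.response.diagnostic.firewall_anti_tamper.status` entry in custom_endpoint.yml does not say which values the keyword can carry; the sample event in this diff shows only `"success"`, so a consumer who wants to alert when anti-tamper enforcement did not apply cannot tell from the schema what a non-success value looks like. Consider closing the `description: >` block with a sentence that names the status values Endpoint actually emits for this field (confirmed against the Endpoint side rather than guessed), so a detection rule can key on them. The same wording is repeated in `package/endpoint/data_stream/policy/fields/fields.yml` and `schemas/v1/policy/policy.yaml` in this diff; if those are regenerated from this file the change carries over, otherwise they need the same edit. Placement is also inconsistent: fields.yml and policy.yaml insert the three entries in alphabetical position (after credential_protection, before malware), whereas here they sit directly after the parent `diagnostic` object and ahead of `ransomware`, which is worth aligning if this file is otherwise kept sorted.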
--- a/package/endpoint/data_stream/policy/fields/fields.yml
+++ b/package/endpoint/data_stream/policy/fields/fields.yml
@@ -367,6 +367,23 @@
   ignore_above: 1024
   description: the overall status of the diagnostic configuration of credential protection, this is correlated to the status of concerned actions but not a simple sum of the actions
   default_field: false
+- name: policy.applied.response.diagnostic.firewall_anti_tamper
+  level: custom
+  type: object
+  description: overall firewall anti-tamper configuration and status of the applied policy
+  default_field: false
+- name: policy.applied.response.diagnostic.firewall_anti_tamper.concerned_actions
+  level: custom
+  type: keyword
+  ignore_above: 1024
+  description: all actions that were taken for the diagnostic configuration of firewall anti-tamper
+  default_field: false
+- name: policy.applied.response.diagnostic.firewall_anti_tamper.status
+  level: custom
+  type: keyword
+  ignore_above: 1024
+  description: the overall status of the diagnostic configuration of firewall anti-tamper, this is correlated to the status of concerned actions but not a simple sum of the actions
+  default_field: false
 - name: policy.applied.response.diagnostic.malware.concerned_actions
   level: custom
   type: keyword
diff --git a/package/endpoint/data_stream/policy/sample_event.json b/package/endpoint/data_stream/policy/sample_event.json
index e169c7a2d..c6e4f01b5 100644
--- a/package/endpoint/data_stream/policy/sample_event.json
+++ b/package/endpoint/data_stream/policy/sample_event.json
@@ -243,6 +243,16 @@
                 "configure_diagnostic_rollback"
               ],
               "status": "success"
+            },
+            "firewall_anti_tamper": {
+              "concerned_actions": [
+                "load_config",
+                "workflow",
+                "download_global_artifacts",
+                "download_user_artifacts",
+                "configure_diagnostic_firewall_anti_tamper"
+              ],
+              "status": "success"
             }
           }
         },
diff --git a/schemas/v1/policy/policy.yaml b/schemas/v1/policy/policy.yaml
index f3f94a2fd..4b1303e93 100644
--- a/schemas/v1/policy/policy.yaml
+++ b/schemas/v1/policy/policy.yaml 
@@ -615,6 +615,40 @@ Endpoint.policy.applied.response.diagnostic.credential_protection.status:
   normalize: []
   short: overall status of diagnostic behavior protection
   type: keyword
+Endpoint.policy.applied.response.diagnostic.firewall_anti_tamper:
+  dashed_name: Endpoint-policy-applied-response-diagnostic-firewall-anti-tamper
+  description: overall firewall anti-tamper configuration and status of the applied
+    policy
+  flat_name: Endpoint.policy.applied.response.diagnostic.firewall_anti_tamper
+  level: custom
+  name: policy.applied.response.diagnostic.firewall_anti_tamper
+  normalize: []
+  short: overall firewall anti-tamper configuration and status of the applied policy
+  type: object
+Endpoint.policy.applied.response.diagnostic.firewall_anti_tamper.concerned_actions:
+  dashed_name: Endpoint-policy-applied-response-diagnostic-firewall-anti-tamper-concerned-actions
+  description: all actions that were taken for the diagnostic configuration of firewall
+    anti-tamper
+  flat_name: Endpoint.policy.applied.response.diagnostic.firewall_anti_tamper.concerned_actions
+  ignore_above: 1024
+  level: custom
+  name: policy.applied.response.diagnostic.firewall_anti_tamper.concerned_actions
+  normalize: []
+  short: all actions that were taken for the diagnostic configuration of firewall
+    anti-tamper
+  type: keyword
+Endpoint.policy.applied.response.diagnostic.firewall_anti_tamper.status:
+  dashed_name: Endpoint-policy-applied-response-diagnostic-firewall-anti-tamper-status
+  description: the overall status of the diagnostic configuration of firewall anti-tamper,
+    this is correlated to the status of concerned actions but not a simple sum of
+    the actions
+  flat_name: Endpoint.policy.applied.response.diagnostic.firewall_anti_tamper.status
+  ignore_above: 1024
+  level: custom
+  name: policy.applied.response.diagnostic.firewall_anti_tamper.status
+  normalize: []
+  short: the overall status of diagnostic firewall anti-tamper
+  type: keyword
 Endpoint.policy.applied.response.diagnostic.malware.concerned_actions:
   dashed_name: Endpoint-policy-applied-response-diagnostic-malware-concerned-actions
   description: all actions that were taken for the diagnostic configuration of malware