From a1d87a11ae0dd1b2520dc4c2348c42193ccfb421 Mon Sep 17 00:00:00 2001
From: Matthew H
Date: Thu, 12 Jun 2025 09:54:59 +0100
Subject: [PATCH 1/3] add firewall_anti_tamper fields
---
 .../doc/endpoint/policy/policy_response.md | 2 ++
 .../data_stream/policy/policy_response.yaml | 2 ++
 custom_schemas/custom_endpoint.yml | 18 +++++++++++
 .../data_stream/policy/fields/fields.yml | 17 ++++++++++
 schemas/v1/policy/policy.yaml | 31 +++++++++++++++++++
 5 files changed, 70 insertions(+)
diff --git a/custom_documentation/doc/endpoint/policy/policy_response.md b/custom_documentation/doc/endpoint/policy/policy_response.md
index 3436d9cf9..b40fb768d 100644
--- a/custom_documentation/doc/endpoint/policy/policy_response.md
+++ b/custom_documentation/doc/endpoint/policy/policy_response.md
@@ -36,6 +36,8 @@ This is a state management document that is generated every time Endpoint refres | Endpoint.policy.applied.response.configurations.behavior_protection.status | | Endpoint.policy.applied.response.configurations.events.concerned_actions | | Endpoint.policy.applied.response.configurations.events.status | +| Endpoint.policy.applied.response.configurations.firewall_anti_tamper.concerned_actions | +| Endpoint.policy.applied.response.configurations.firewall_anti_tamper.status | | Endpoint.policy.applied.response.configurations.host_isolation.concerned_actions | | Endpoint.policy.applied.response.configurations.host_isolation.status | | Endpoint.policy.applied.response.configurations.logging.concerned_actions |
diff --git a/custom_documentation/src/endpoint/data_stream/policy/policy_response.yaml b/custom_documentation/src/endpoint/data_stream/policy/policy_response.yaml
index e059c5b7e..f60ec5b60 100644
--- a/custom_documentation/src/endpoint/data_stream/policy/policy_response.yaml
+++ b/custom_documentation/src/endpoint/data_stream/policy/policy_response.yaml
@@ -44,6 +44,8 @@ fields: - Endpoint.policy.applied.response.configurations.behavior_protection.status - Endpoint.policy.applied.response.configurations.events.concerned_actions - Endpoint.policy.applied.response.configurations.events.status + - Endpoint.policy.applied.response.configurations.firewall_anti_tamper.concerned_actions + - Endpoint.policy.applied.response.configurations.firewall_anti_tamper.status - Endpoint.policy.applied.response.configurations.host_isolation.concerned_actions - Endpoint.policy.applied.response.configurations.host_isolation.status - Endpoint.policy.applied.response.configurations.logging.concerned_actions
diff --git a/custom_schemas/custom_endpoint.yml b/custom_schemas/custom_endpoint.yml
index 85ce2b97b..25db7efb8 100644
--- a/custom_schemas/custom_endpoint.yml
+++ b/custom_schemas/custom_endpoint.yml
@@ -171,6 +171,24 @@ but not a simple sum of the actions short: the overall status of memory_protection + - name: policy.applied.response.configurations.firewall_anti_tamper + level: custom + type: object + description: overall firewall_anti_tamper configuration and status of the applied policy + + - name: policy.applied.response.configurations.firewall_anti_tamper.concerned_actions + level: custom + type: keyword + description: all actions that were taken for firewall_anti_tamper + + - name: policy.applied.response.configurations.firewall_anti_tamper.status + level: custom + type: keyword + description: > + the overall status of firewall_anti_tamper, this is correlated to the status of concerned actions + but not a simple sum of the actions + short: the overall status of firewall_anti_tamper + - name: policy.applied.response.configurations.streaming level: custom type: object
diff --git a/package/endpoint/data_stream/policy/fields/fields.yml b/package/endpoint/data_stream/policy/fields/fields.yml
index 1f20fb300..b6b0a014a 100644
--- a/package/endpoint/data_stream/policy/fields/fields.yml
+++ b/package/endpoint/data_stream/policy/fields/fields.yml
@@ -245,6 +245,23 @@ ignore_above: 1024 description: the overall status of event collection, this is correlated to the status of concerned actions but not a simple sum of the actions default_field: false + - name: policy.applied.response.configurations.firewall_anti_tamper + level: custom + type: object + description: overall firewall_anti_tamper configuration and status of the applied policy + default_field: false + - name: policy.applied.response.configurations.firewall_anti_tamper.concerned_actions + level: custom + type: keyword + ignore_above: 1024 + description: all actions that were taken for firewall_anti_tamper + default_field: false + - name: policy.applied.response.configurations.firewall_anti_tamper.status + level: custom + type: keyword + ignore_above: 1024 + description: the overall status of firewall_anti_tamper, this is correlated to the status of concerned actions but not a simple sum of the actions + default_field: false - name: policy.applied.response.configurations.host_isolation.concerned_actions level: custom type: keyword
diff --git a/schemas/v1/policy/policy.yaml b/schemas/v1/policy/policy.yaml
index f3f94a2fd..ecb7b943f 100644
--- a/schemas/v1/policy/policy.yaml
+++ b/schemas/v1/policy/policy.yaml
@@ -395,6 +395,37 @@ Endpoint.policy.applied.response.configurations.events.status: normalize: [] short: the overall status of event collection type: keyword +Endpoint.policy.applied.response.configurations.firewall_anti_tamper: + dashed_name: Endpoint-policy-applied-response-configurations-firewall-anti-tamper + description: overall firewall_anti_tamper configuration and status of the applied + policy + flat_name: Endpoint.policy.applied.response.configurations.firewall_anti_tamper + level: custom + name: policy.applied.response.configurations.firewall_anti_tamper + normalize: [] + short: overall firewall_anti_tamper configuration and status of the applied policy + type: object +Endpoint.policy.applied.response.configurations.firewall_anti_tamper.concerned_actions: + dashed_name: Endpoint-policy-applied-response-configurations-firewall-anti-tamper-concerned-actions + description: all actions that were taken for firewall_anti_tamper + flat_name: Endpoint.policy.applied.response.configurations.firewall_anti_tamper.concerned_actions + ignore_above: 1024 + level: custom + name: policy.applied.response.configurations.firewall_anti_tamper.concerned_actions + normalize: [] + short: all actions that were taken for firewall_anti_tamper + type: keyword +Endpoint.policy.applied.response.configurations.firewall_anti_tamper.status: + dashed_name: Endpoint-policy-applied-response-configurations-firewall-anti-tamper-status + description: the overall status of firewall_anti_tamper, this is correlated to the + status of concerned actions but not a simple sum of the actions + flat_name: Endpoint.policy.applied.response.configurations.firewall_anti_tamper.status + ignore_above: 1024 + level: custom + name: policy.applied.response.configurations.firewall_anti_tamper.status + normalize: [] + short: the overall status of firewall_anti_tamper + type: keyword Endpoint.policy.applied.response.configurations.host_isolation.concerned_actions: dashed_name: 
Endpoint-policy-applied-response-configurations-host-isolation-concerned-actions description: all actions that were taken for host isolation
From f9f8baa8795bffce38833e8084b6eedda3bb120d Mon Sep 17 00:00:00 2001
From: Matthew H
Date: Thu, 12 Jun 2025 13:50:18 +0100
Subject: [PATCH 2/3] add firewall_anti_tamper fields
---
 custom_schemas/custom_endpoint.yml | 8 ++++----
 .../endpoint/data_stream/policy/fields/fields.yml | 6 +++---
 schemas/v1/policy/policy.yaml | 12 ++++++------
 3 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/custom_schemas/custom_endpoint.yml b/custom_schemas/custom_endpoint.yml
index 25db7efb8..5a7d95e97 100644
--- a/custom_schemas/custom_endpoint.yml
+++ b/custom_schemas/custom_endpoint.yml
@@ -174,20 +174,20 @@ - name: policy.applied.response.configurations.firewall_anti_tamper level: custom type: object - description: overall firewall_anti_tamper configuration and status of the applied policy + description: overall firewall anti-tamper configuration and status of the applied policy - name: policy.applied.response.configurations.firewall_anti_tamper.concerned_actions level: custom type: keyword - description: all actions that were taken for firewall_anti_tamper + description: all actions that were taken for firewall anti-tamper - name: policy.applied.response.configurations.firewall_anti_tamper.status level: custom type: keyword description: > - the overall status of firewall_anti_tamper, this is correlated to the status of concerned actions + the overall status of firewall anti-tamper, this is correlated to the status of concerned actions but not a simple sum of the actions - short: the overall status of firewall_anti_tamper + short: the overall status of firewall anti-tamper - name: policy.applied.response.configurations.streaming level: custom
diff --git a/package/endpoint/data_stream/policy/fields/fields.yml b/package/endpoint/data_stream/policy/fields/fields.yml
index b6b0a014a..d10338103 100644
--- a/package/endpoint/data_stream/policy/fields/fields.yml
+++ b/package/endpoint/data_stream/policy/fields/fields.yml
@@ -248,19 +248,19 @@ - name: policy.applied.response.configurations.firewall_anti_tamper level: custom type: object - description: overall firewall_anti_tamper configuration and status of the applied policy + description: overall firewall anti-tamper configuration and status of the applied policy default_field: false - name: policy.applied.response.configurations.firewall_anti_tamper.concerned_actions level: custom type: keyword ignore_above: 1024 - description: all actions that were taken for firewall_anti_tamper + description: all actions that were taken for firewall anti-tamper default_field: false - name: policy.applied.response.configurations.firewall_anti_tamper.status level: custom type: keyword ignore_above: 1024 - description: the overall status of firewall_anti_tamper, this is correlated to the status of concerned actions but not a simple sum of the actions + description: the overall status of firewall anti-tamper, this is correlated to the status of concerned actions but not a simple sum of the actions default_field: false - name: policy.applied.response.configurations.host_isolation.concerned_actions level: custom
diff --git a/schemas/v1/policy/policy.yaml b/schemas/v1/policy/policy.yaml
index ecb7b943f..710b57037 100644
--- a/schemas/v1/policy/policy.yaml
+++ b/schemas/v1/policy/policy.yaml
@@ -397,34 +397,34 @@ Endpoint.policy.applied.response.configurations.events.status: type: keyword Endpoint.policy.applied.response.configurations.firewall_anti_tamper: dashed_name: Endpoint-policy-applied-response-configurations-firewall-anti-tamper - description: overall firewall_anti_tamper configuration and status of the applied + description: overall firewall anti-tamper configuration and status of the applied policy flat_name: Endpoint.policy.applied.response.configurations.firewall_anti_tamper level: custom name: policy.applied.response.configurations.firewall_anti_tamper normalize: [] - short: overall firewall_anti_tamper configuration and status of the applied policy + short: overall firewall anti-tamper configuration and status of the applied policy type: object Endpoint.policy.applied.response.configurations.firewall_anti_tamper.concerned_actions: dashed_name: Endpoint-policy-applied-response-configurations-firewall-anti-tamper-concerned-actions - description: all actions that were taken for firewall_anti_tamper + description: all actions that were taken for firewall anti-tamper flat_name: Endpoint.policy.applied.response.configurations.firewall_anti_tamper.concerned_actions ignore_above: 1024 level: custom name: policy.applied.response.configurations.firewall_anti_tamper.concerned_actions normalize: [] - short: all actions that were taken for firewall_anti_tamper + short: all actions that were taken for firewall anti-tamper type: keyword Endpoint.policy.applied.response.configurations.firewall_anti_tamper.status: dashed_name: Endpoint-policy-applied-response-configurations-firewall-anti-tamper-status - description: the overall status of firewall_anti_tamper, this is correlated to the + description: the overall status of firewall anti-tamper, this is correlated to the status of concerned actions but not a simple sum of the actions flat_name: Endpoint.policy.applied.response.configurations.firewall_anti_tamper.status ignore_above: 1024 level: custom name: 
policy.applied.response.configurations.firewall_anti_tamper.status normalize: [] - short: the overall status of firewall_anti_tamper + short: the overall status of firewall anti-tamper type: keyword Endpoint.policy.applied.response.configurations.host_isolation.concerned_actions: dashed_name: Endpoint-policy-applied-response-configurations-host-isolation-concerned-actions
From 2b310eaa719b933c00563b2b8f0859f8cbe23f70 Mon Sep 17 00:00:00 2001
From: Matthew H
Date: Fri, 13 Jun 2025 11:46:35 +0100
Subject: [PATCH 3/3] convert to diagnostic, add sample field
---
 .../doc/endpoint/policy/policy_response.md | 4 +-
 .../data_stream/policy/policy_response.yaml | 4 +-
 custom_schemas/custom_endpoint.yml | 36 +++++-----
 .../data_stream/policy/fields/fields.yml | 34 +++++-----
 .../data_stream/policy/sample_event.json | 10 +++
 schemas/v1/policy/policy.yaml | 65 ++++++++++---------
 6 files changed, 83 insertions(+), 70 deletions(-)
diff --git a/custom_documentation/doc/endpoint/policy/policy_response.md b/custom_documentation/doc/endpoint/policy/policy_response.md
index b40fb768d..f032fe84a 100644
--- a/custom_documentation/doc/endpoint/policy/policy_response.md
+++ b/custom_documentation/doc/endpoint/policy/policy_response.md
@@ -36,8 +36,6 @@ This is a state management document that is generated every time Endpoint refres | Endpoint.policy.applied.response.configurations.behavior_protection.status | | Endpoint.policy.applied.response.configurations.events.concerned_actions | | Endpoint.policy.applied.response.configurations.events.status | -| Endpoint.policy.applied.response.configurations.firewall_anti_tamper.concerned_actions | -| Endpoint.policy.applied.response.configurations.firewall_anti_tamper.status | | Endpoint.policy.applied.response.configurations.host_isolation.concerned_actions | | Endpoint.policy.applied.response.configurations.host_isolation.status | | Endpoint.policy.applied.response.configurations.logging.concerned_actions |
@@ -54,6 +52,8 @@ This is a state management document that is generated every time Endpoint refres | Endpoint.policy.applied.response.configurations.streaming.status | | Endpoint.policy.applied.response.diagnostic.behavior_protection.concerned_actions | | Endpoint.policy.applied.response.diagnostic.behavior_protection.status | +| Endpoint.policy.applied.response.diagnostic.firewall_anti_tamper.concerned_actions | +| Endpoint.policy.applied.response.diagnostic.firewall_anti_tamper.status | | Endpoint.policy.applied.response.diagnostic.malware.concerned_actions | | Endpoint.policy.applied.response.diagnostic.malware.status | | Endpoint.policy.applied.response.diagnostic.memory_protection.concerned_actions |
diff --git a/custom_documentation/src/endpoint/data_stream/policy/policy_response.yaml b/custom_documentation/src/endpoint/data_stream/policy/policy_response.yaml
index f60ec5b60..ecb7224ec 100644
--- a/custom_documentation/src/endpoint/data_stream/policy/policy_response.yaml
+++ b/custom_documentation/src/endpoint/data_stream/policy/policy_response.yaml
@@ -44,8 +44,6 @@ fields: - Endpoint.policy.applied.response.configurations.behavior_protection.status - Endpoint.policy.applied.response.configurations.events.concerned_actions - Endpoint.policy.applied.response.configurations.events.status - - Endpoint.policy.applied.response.configurations.firewall_anti_tamper.concerned_actions - - Endpoint.policy.applied.response.configurations.firewall_anti_tamper.status - Endpoint.policy.applied.response.configurations.host_isolation.concerned_actions - Endpoint.policy.applied.response.configurations.host_isolation.status - Endpoint.policy.applied.response.configurations.logging.concerned_actions
@@ -62,6 +60,8 @@ fields: - Endpoint.policy.applied.response.configurations.streaming.status - Endpoint.policy.applied.response.diagnostic.behavior_protection.concerned_actions - Endpoint.policy.applied.response.diagnostic.behavior_protection.status + - Endpoint.policy.applied.response.diagnostic.firewall_anti_tamper.concerned_actions + - Endpoint.policy.applied.response.diagnostic.firewall_anti_tamper.status - Endpoint.policy.applied.response.diagnostic.malware.concerned_actions - Endpoint.policy.applied.response.diagnostic.malware.status - Endpoint.policy.applied.response.diagnostic.memory_protection.concerned_actions
diff --git a/custom_schemas/custom_endpoint.yml b/custom_schemas/custom_endpoint.yml
index 5a7d95e97..51d436315 100644
--- a/custom_schemas/custom_endpoint.yml
+++ b/custom_schemas/custom_endpoint.yml
@@ -171,24 +171,6 @@ but not a simple sum of the actions short: the overall status of memory_protection - - name: policy.applied.response.configurations.firewall_anti_tamper - level: custom - type: object - description: overall firewall anti-tamper configuration and status of the applied policy - - - name: policy.applied.response.configurations.firewall_anti_tamper.concerned_actions - level: custom - type: keyword - description: all actions that were taken for firewall anti-tamper - - - name: policy.applied.response.configurations.firewall_anti_tamper.status - level: custom - type: keyword - description: > - the overall status of firewall anti-tamper, this is correlated to the status of concerned actions - but not a simple sum of the actions - short: the overall status of firewall anti-tamper - - name: policy.applied.response.configurations.streaming level: custom type: object
@@ -265,6 +247,24 @@ enabled: false description: the diagnostic configurations of the applied policy + - name: policy.applied.response.diagnostic.firewall_anti_tamper + level: custom + type: object + description: overall firewall anti-tamper configuration and status of the applied policy + + - name: policy.applied.response.diagnostic.firewall_anti_tamper.concerned_actions + level: custom + type: keyword + description: all actions that were taken for the diagnostic configuration of firewall anti-tamper + + - name: policy.applied.response.diagnostic.firewall_anti_tamper.status + level: custom + type: keyword + description: > + the overall status of the diagnostic configuration of firewall anti-tamper, this is correlated to + the status of concerned actions but not a simple sum of the actions + short: the overall status of diagnostic firewall anti-tamper + - name: policy.applied.response.diagnostic.ransomware.concerned_actions level: custom type: keyword
diff --git a/package/endpoint/data_stream/policy/fields/fields.yml b/package/endpoint/data_stream/policy/fields/fields.yml
index d10338103..3a896c14e 100644
--- a/package/endpoint/data_stream/policy/fields/fields.yml
+++ b/package/endpoint/data_stream/policy/fields/fields.yml
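Review bot: The object-level `description` for `policy.applied.response.diagnostic.firewall_anti_tamper` (`overall firewall anti-tamper configuration and status of the applied policy`) does not say that this is the diagnostic variant, while the two child fields added in the same hunk do (`the diagnostic configuration of firewall anti-tamper`); the text appears to have been carried over unchanged from the `configurations` entry this commit removes, so it now reads as if it described the production field. Suggest `description: overall diagnostic firewall anti-tamper configuration and status of the applied policy`. The identical wording is reproduced for the generated copies in package/endpoint/data_stream/policy/fields/fields.yml (`description`) and schemas/v1/policy/policy.yaml (`description` and `short`) in this commit, so those need regenerating once the source schema is corrected rather than a separate hand edit.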
@@ -245,23 +245,6 @@ ignore_above: 1024 description: the overall status of event collection, this is correlated to the status of concerned actions but not a simple sum of the actions default_field: false - - name: policy.applied.response.configurations.firewall_anti_tamper - level: custom - type: object - description: overall firewall anti-tamper configuration and status of the applied policy - default_field: false - - name: policy.applied.response.configurations.firewall_anti_tamper.concerned_actions - level: custom - type: keyword - ignore_above: 1024 - description: all actions that were taken for firewall anti-tamper - default_field: false - - name: policy.applied.response.configurations.firewall_anti_tamper.status - level: custom - type: keyword - ignore_above: 1024 - description: the overall status of firewall anti-tamper, this is correlated to the status of concerned actions but not a simple sum of the actions - default_field: false - name: policy.applied.response.configurations.host_isolation.concerned_actions level: custom type: keyword 
@@ -384,6 +367,23 @@ ignore_above: 1024 description: the overall status of the diagnostic configuration of credential protection, this is correlated to the status of concerned actions but not a simple sum of the actions default_field: false + - name: policy.applied.response.diagnostic.firewall_anti_tamper + level: custom + type: object + description: overall firewall anti-tamper configuration and status of the applied policy + default_field: false + - name: policy.applied.response.diagnostic.firewall_anti_tamper.concerned_actions + level: custom + type: keyword + ignore_above: 1024 + description: all actions that were taken for the diagnostic configuration of firewall anti-tamper + default_field: false + - name: policy.applied.response.diagnostic.firewall_anti_tamper.status + level: custom + type: keyword + ignore_above: 1024 + description: the overall status of the diagnostic configuration of firewall anti-tamper, this is correlated to the status of concerned actions but not a simple sum of the actions + default_field: false - name: policy.applied.response.diagnostic.malware.concerned_actions level: custom type: keyword
diff --git a/package/endpoint/data_stream/policy/sample_event.json b/package/endpoint/data_stream/policy/sample_event.json
index e169c7a2d..c6e4f01b5 100644
--- a/package/endpoint/data_stream/policy/sample_event.json
+++ b/package/endpoint/data_stream/policy/sample_event.json
@@ -243,6 +243,16 @@ "configure_diagnostic_rollback" ], "status": "success" + }, + "firewall_anti_tamper": { + "concerned_actions": [ + "load_config", + "workflow", + "download_global_artifacts", + "download_user_artifacts", + "configure_diagnostic_firewall_anti_tamper" + ], + "status": "success" } } },
diff --git a/schemas/v1/policy/policy.yaml b/schemas/v1/policy/policy.yaml
index 710b57037..4b1303e93 100644
--- a/schemas/v1/policy/policy.yaml
+++ b/schemas/v1/policy/policy.yaml
@@ -395,37 +395,6 @@ Endpoint.policy.applied.response.configurations.events.status: normalize: [] short: the overall status of event collection type: keyword -Endpoint.policy.applied.response.configurations.firewall_anti_tamper: - dashed_name: Endpoint-policy-applied-response-configurations-firewall-anti-tamper - description: overall firewall anti-tamper configuration and status of the applied - policy - flat_name: Endpoint.policy.applied.response.configurations.firewall_anti_tamper - level: custom - name: policy.applied.response.configurations.firewall_anti_tamper - normalize: [] - short: overall firewall anti-tamper configuration and status of the applied policy - type: object -Endpoint.policy.applied.response.configurations.firewall_anti_tamper.concerned_actions: - dashed_name: Endpoint-policy-applied-response-configurations-firewall-anti-tamper-concerned-actions - description: all actions that were taken for firewall anti-tamper - flat_name: Endpoint.policy.applied.response.configurations.firewall_anti_tamper.concerned_actions - ignore_above: 1024 - level: custom - name: policy.applied.response.configurations.firewall_anti_tamper.concerned_actions - normalize: [] - short: all actions that were taken for firewall anti-tamper - type: keyword -Endpoint.policy.applied.response.configurations.firewall_anti_tamper.status: - dashed_name: Endpoint-policy-applied-response-configurations-firewall-anti-tamper-status - description: the overall status of firewall anti-tamper, this is correlated to the - status of concerned actions but not a simple sum of the actions - flat_name: Endpoint.policy.applied.response.configurations.firewall_anti_tamper.status - ignore_above: 1024 - level: custom - name: policy.applied.response.configurations.firewall_anti_tamper.status - normalize: [] - short: the overall status of firewall anti-tamper - type: keyword Endpoint.policy.applied.response.configurations.host_isolation.concerned_actions: dashed_name: 
Endpoint-policy-applied-response-configurations-host-isolation-concerned-actions description: all actions that were taken for host isolation 
@@ -646,6 +615,40 @@ Endpoint.policy.applied.response.diagnostic.credential_protection.status: normalize: [] short: overall status of diagnostic behavior protection type: keyword +Endpoint.policy.applied.response.diagnostic.firewall_anti_tamper: + dashed_name: Endpoint-policy-applied-response-diagnostic-firewall-anti-tamper + description: overall firewall anti-tamper configuration and status of the applied + policy + flat_name: Endpoint.policy.applied.response.diagnostic.firewall_anti_tamper + level: custom + name: policy.applied.response.diagnostic.firewall_anti_tamper + normalize: [] + short: overall firewall anti-tamper configuration and status of the applied policy + type: object +Endpoint.policy.applied.response.diagnostic.firewall_anti_tamper.concerned_actions: + dashed_name: Endpoint-policy-applied-response-diagnostic-firewall-anti-tamper-concerned-actions + description: all actions that were taken for the diagnostic configuration of firewall + anti-tamper + flat_name: Endpoint.policy.applied.response.diagnostic.firewall_anti_tamper.concerned_actions + ignore_above: 1024 + level: custom + name: policy.applied.response.diagnostic.firewall_anti_tamper.concerned_actions + normalize: [] + short: all actions that were taken for the diagnostic configuration of firewall + anti-tamper + type: keyword +Endpoint.policy.applied.response.diagnostic.firewall_anti_tamper.status: + dashed_name: Endpoint-policy-applied-response-diagnostic-firewall-anti-tamper-status + description: the overall status of the diagnostic configuration of firewall anti-tamper, + this is correlated to the status of concerned actions but not a simple sum of + the actions + flat_name: Endpoint.policy.applied.response.diagnostic.firewall_anti_tamper.status + ignore_above: 1024 + level: custom + name: policy.applied.response.diagnostic.firewall_anti_tamper.status + normalize: [] + short: the overall status of diagnostic firewall anti-tamper + type: keyword 
Endpoint.policy.applied.response.diagnostic.malware.concerned_actions: dashed_name: Endpoint-policy-applied-response-diagnostic-malware-concerned-actions description: all actions that were taken for the diagnostic configuration of malware
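Review bot: The new `Endpoint.policy.applied.response.diagnostic.firewall_anti_tamper.status` field is a plain `keyword` whose `description` explains how the value is derived from the concerned actions but not which values it can take; the only value visible anywhere in this series is `success` in the sample event added to package/endpoint/data_stream/policy/sample_event.json. If the vocabulary is the same one the neighbouring diagnostic `status` fields use (not verifiable from this hunk), stating it in the field text — for example `short: the overall status (e.g. success) of diagnostic firewall anti-tamper` — gives anyone building a dashboard or alert on a non-success anti-tamper state something to match against instead of guessing. As this file is generated, the wording should be changed in custom_schemas/custom_endpoint.yml and regenerated here.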