
Deprecation Notice to Cloud Defend Rules #4520

Open
wants to merge 4 commits into base: main

Conversation

shashank-elastic
Contributor

Pull Request

Issue link(s): https://github.com/elastic/security-team/issues/11393

Summary - What I changed

  • Issue Deprecation notice via rule name.

How To Test

  • Unit test should pass.

Checklist

  • Added a label for the type of pr: bug, enhancement, schema, maintenance, Rule: New, Rule: Deprecation, Rule: Tuning, Hunt: New, or Hunt: Tuning so guidelines can be generated
  • Added the meta:rapid-merge label if planning to merge within 24 hours
  • Secret and sensitive material has been managed correctly
  • Automated testing was updated or added to match the most common scenarios
  • Documentation and comments were added for features that require explanation

Contributor checklist


github-actions bot commented Mar 6, 2025

Rule: Deprecation - Guidelines

These guidelines serve as a reminder set of considerations when recommending the deprecation of a rule.

Documentation and Context

  • Description of the reason for deprecation.
  • Include any context or historical data supporting the deprecation decision.

Rule Metadata Checks

  • deprecated = true added to the rule metadata.
  • updated_date should be the date of the PR.

Testing and Validation

  • A prior rule tuning occurred for the rule where Deprecated - is prepended to the rule name, and the rule has already been released.
  • Rule has been moved to the _deprecated directory.
  • Double check gaps potentially or inadvertently introduced.
  • Provide evidence that the rule is no longer needed or has been replaced (e.g., alternative rules, updated detection methods).


@Aegrah Aegrah left a comment


Are we still looking to migrate these over to Elastic Defend prior to deprecation? For the vast majority of these, we can write similar rules using the process.entry_leader.entry_meta.type == "container" to determine whether the process' init stems from a container.

I am fine doing this before I leave for PTO. WDYT? @imays11

@@ -42,7 +42,7 @@ note = """## Triage and analysis
> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Container Workload Protection
### Investigating Deprecated - Container Workload Protection
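Review bot: the only change in this hunk is the "Deprecated - " prefix on the guide heading, which the author explains is needed because the unit test expects the heading to match the renamed rule; taking the suggestion below to keep the original heading would make that test fail again, so the decision is between keeping the prefix here and relaxing the test, not a plain revert. Either way, the deprecation guidelines above ask for the reason for deprecation and any replacement to be recorded, and a sentence to that effect in this note would reach the analysts who actually open the guide.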
Contributor
Suggested change
### Investigating Deprecated - Container Workload Protection
### Investigating Container Workload Protection

Contributor Author

All of the rule name changes in the investigation guides are because of the unit test failure reported here - https://github.com/elastic/detection-rules/actions/runs/13694627124/job/38294173310

@@ -45,7 +45,7 @@ note = """## Triage and analysis
> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating AWS Credentials Searched For Inside A Container
### Investigating Deprecated - AWS Credentials Searched For Inside A Container
Contributor
Suggested change
### Investigating Deprecated - AWS Credentials Searched For Inside A Container
### Investigating AWS Credentials Searched For Inside A Container

@@ -70,7 +70,7 @@ note = """## Triage and analysis
> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Sensitive Files Compression Inside A Container
### Investigating Deprecated - Sensitive Files Compression Inside A Container
Contributor
Suggested change
### Investigating Deprecated - Sensitive Files Compression Inside A Container
### Investigating Sensitive Files Compression Inside A Container

@@ -52,7 +52,7 @@ note = """## Triage and analysis
> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
### Investigating Sensitive Keys Or Passwords Searched For Inside A Container
### Investigating Deprecated - Sensitive Keys Or Passwords Searched For Inside A Container
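Review bot: style point on this guide: the heading follows the quoted disclaimer directly, with no blank line between them, while every other guide touched in this PR separates the two; adding the blank line keeps the guides consistent.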
Contributor
Suggested change
### Investigating Deprecated - Sensitive Keys Or Passwords Searched For Inside A Container
### Investigating Sensitive Keys Or Passwords Searched For Inside A Container

@@ -39,7 +39,7 @@ note = """## Triage and analysis
> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Modification of Dynamic Linker Preload Shared Object Inside A Container
### Investigating Deprecated - Modification of Dynamic Linker Preload Shared Object Inside A Container
Contributor
Suggested change
### Investigating Deprecated - Modification of Dynamic Linker Preload Shared Object Inside A Container
### Investigating Modification of Dynamic Linker Preload Shared Object Inside A Container

@@ -42,7 +42,7 @@ note = """## Triage and analysis
> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating SSH Authorized Keys File Modified Inside a Container
### Investigating Deprecated - SSH Authorized Keys File Modified Inside a Container
Contributor
Suggested change
### Investigating Deprecated - SSH Authorized Keys File Modified Inside a Container
### Investigating SSH Authorized Keys File Modified Inside a Container

@@ -48,7 +48,7 @@ note = """## Triage and analysis
> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating File System Debugger Launched Inside a Privileged Container
### Investigating Deprecated - File System Debugger Launched Inside a Privileged Container
Contributor
Suggested change
### Investigating Deprecated - File System Debugger Launched Inside a Privileged Container
### Investigating File System Debugger Launched Inside a Privileged Container

@@ -46,7 +46,7 @@ note = """## Triage and analysis
> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Mount Launched Inside a Privileged Container
### Investigating Deprecated - Mount Launched Inside a Privileged Container
Contributor
Suggested change
### Investigating Deprecated - Mount Launched Inside a Privileged Container
### Investigating Mount Launched Inside a Privileged Container

@@ -47,7 +47,7 @@ note = """## Triage and analysis
> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Potential Container Escape via Modified notify_on_release File
### Investigating Deprecated - Potential Container Escape via Modified notify_on_release File
Contributor
Suggested change
### Investigating Deprecated - Potential Container Escape via Modified notify_on_release File
### Investigating Potential Container Escape via Modified notify_on_release File

@@ -46,7 +46,7 @@ note = """## Triage and analysis
> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Potential Container Escape via Modified release_agent File
### Investigating Deprecated - Potential Container Escape via Modified release_agent File
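Review bot: this hunk and the previous one rename the guides for the two cgroup container-escape rules (notify_on_release and release_agent); since the guidelines at the top ask to double-check gaps and to provide evidence of replacement, it would help to record in the PR which Elastic Defend rule, if any, covers these escape paths once the Cloud Defend versions are deprecated, or to state that this is deferred to the follow-up tuning the author mentions.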
Contributor
Suggested change
### Investigating Deprecated - Potential Container Escape via Modified release_agent File
### Investigating Potential Container Escape via Modified release_agent File

@w0rk3r
Contributor

w0rk3r commented Mar 6, 2025

We should also provide a reason for the deprecation, either in the setup guide or in the rule description, so it is clear to customers why this is being deprecated. Here is an example we did for the threat match rules.

@Mikaayenson
Contributor

If you search for cloud_defend in our repo, it shows up in a couple places. We may need to make other minor changes.

@shashank-elastic
Contributor Author

Updates

  • We would continue to announce deprecation in this release, and then tune as per @Aegrah as a separate effort after the complete deprecation is announced.
  • For adding additional information on deprecation, I would wait till @imays11 has had a look at this, and then we can add that additional information.

6 participants