The Defend Rule "Malicious Behavior Prevention Alert: Persistence via Extensible Firmware Modification" gets triggered in our environment. The behavior is explainable and unproblematic, so we wanted to create an endpoint exception.
The problem is: the command line creating this event is C:\WINDOWS\system32\svchost.exe -k GPSvcGroup, which alone is too broad for an exception. What was detected was the file SiPolicy.p7b that we roll out via GPO. The command line in combination with this file name would be specific enough for me.
The problem is that I cannot use the file name in the exception: the alert has this name listed in the attribute "Events.file.name" and "Events.file.path" - in Endpoint Exceptions I can only use "file.name" and "file.path", without the "Events" field on top.
If I look in the json of the alert, I see both
    "Events.file.name": [
        "SiPolicy.p7b"
    ],
and
    "file": {
        [...]
        "name": "SiPolicy.p7b"
    }
I think the file name is a crucial part of this alert, and without it a suitable exception is not possible. Is this expected / wanted behavior, a bug, or am I just not seeing the correct way to create an exception that would fit my needs?
This is a limitation of the Kibana UI. Although Endpoint Alert Exceptions are processed on the Endpoint host, only fields that are mapped in Elasticsearch are selectable in Endpoint Alert Exceptions. Endpoint itself supports any fields included in the alert document before it is written to Elasticsearch (i.e. pipeline enrichment fields won't functionally work in Endpoint Alert Exceptions even if they're mapped, since the field didn't exist when Endpoint processed the exception).
So, if you go add a custom mapping for Events.file.name you'll see it start to appear as an option in Endpoint Alert Exceptions.
I've gone through this workflow in the past and did it by adding the mapping to the logs-endpoint.alerts@custom component template. After I forced a rollover of the logs-endpoint.alerts-* index and also generated a new alert into that index, I then saw the new field I wanted for an Endpoint Alert Exception. I'll be honest that I'm not sure if I needed to force an index rollover and/or generate an alert. Perhaps waiting a bit of time would have been enough. But that's what I did and it worked for me.
I'm not sure but you also might be able to use Endpoint.file.name without adding a mapping if you use the API rather than Kibana UI. If you're already an API user you might prefer to try that out first.
I hope this helps. Please follow up if you need more guidance or have trouble getting it to work.
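Worked example of the mapping-plus-rollover workflow the answer describes, driven through the Elasticsearch REST API. This is added example code, not from the thread or from Elastic. It assumes ES_URL and ES_API_KEY are set in the environment (the key needs template and index management privileges), that the Fleet-created component template logs-endpoint.alerts@custom is the right place for the mapping (as the answer used), and that keyword is an appropriate type for Events.file.name (the alert shows it as an array of strings, which keyword stores fine). Because PUT on a component template replaces the whole body, the script merges the new field into whatever the template already contains rather than overwriting it, then verifies the field on each data stream's new write index.

```python
"""Make Events.file.name selectable in Endpoint Alert Exceptions by mapping it
in logs-endpoint.alerts@custom and rolling the data streams over.

Added example; assumes ES_URL and ES_API_KEY in the environment and that
keyword is the right type for the field (assumption, not from the thread).
"""
import json
import os
import urllib.request

COMPONENT_TEMPLATE = "logs-endpoint.alerts@custom"
DATA_STREAM_PATTERN = "logs-endpoint.alerts-*"
FIELD = "Events.file.name"  # the field the question needs in the exception


def nested_mapping(field, field_type="keyword"):
    """Expand a dotted path into the nested `properties` tree Elasticsearch
    expects: Events.file.name -> {"Events": {"properties": {"file": ...}}}."""
    node = {"type": field_type}
    for part in reversed(field.split(".")):
        node = {"properties": {part: node}}
    return node["properties"]


def merge_properties(existing, new):
    """Recursive merge so the PUT (which replaces the whole component template
    body) keeps any custom mappings the template already carried."""
    merged = dict(existing)
    for key, val in new.items():
        if isinstance(merged.get(key), dict) and isinstance(val, dict):
            merged[key] = merge_properties(merged[key], val)
        else:
            merged[key] = val
    return merged


def build_component_template(existing, field, field_type="keyword"):
    """Body for PUT _component_template/<name> with `field` added.
    `existing` is the "component_template" object from the GET response."""
    template = dict(existing.get("template", {}))
    mappings = dict(template.get("mappings", {}))
    mappings["properties"] = merge_properties(
        mappings.get("properties", {}), nested_mapping(field, field_type))
    template["mappings"] = mappings
    body = {k: existing[k] for k in ("version", "_meta") if k in existing}
    body["template"] = template
    return body


def field_is_mapped(properties, field):
    """Walk a mapping `properties` tree; True only when the full dotted path
    ends at a typed leaf. Per the answer, this is what decides whether the
    Kibana exception editor offers the field at all."""
    node = {"properties": properties}
    for part in field.split("."):
        node = node.get("properties", {}).get(part)
        if not isinstance(node, dict):
            return False
    return "type" in node


def es_request(method, path, body=None):
    """Minimal JSON call against Elasticsearch authenticated with an API key."""
    req = urllib.request.Request(
        os.environ["ES_URL"].rstrip("/") + path,
        data=json.dumps(body).encode() if body is not None else None,
        headers={"Content-Type": "application/json",
                 "Authorization": "ApiKey " + os.environ["ES_API_KEY"]},
        method=method)
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read() or b"{}")


def main():
    got = es_request("GET", f"/_component_template/{COMPONENT_TEMPLATE}")
    existing = got["component_templates"][0]["component_template"]
    es_request("PUT", f"/_component_template/{COMPONENT_TEMPLATE}",
               build_component_template(existing, FIELD))
    # The changed template only affects backing indices created afterwards,
    # so roll each matching data stream over (as the answer did).
    streams = es_request("GET", f"/_data_stream/{DATA_STREAM_PATTERN}")["data_streams"]
    for ds in streams:
        es_request("POST", f"/{ds['name']}/_rollover")
    # Verify on the new write index: the last entry in a data stream's index list.
    for ds in es_request("GET", f"/_data_stream/{DATA_STREAM_PATTERN}")["data_streams"]:
        write_index = ds["indices"][-1]["index_name"]
        mapping = es_request("GET", f"/{write_index}/_mapping")
        props = mapping[write_index]["mappings"].get("properties", {})
        print(write_index, FIELD, "mapped" if field_is_mapped(props, FIELD) else "NOT mapped")


if __name__ == "__main__":
    main()
```

Once the field shows up in the exception editor, the exception can combine process.command_line (the svchost.exe -k GPSvcGroup line) with Events.file.name, which is the narrow match the question asks for. Note the answer's caveat still applies: this only works because Events.file.name is already present in the alert document Endpoint emits; a field added by an ingest pipeline would be selectable after mapping but would never match on the host.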