
Update to file modification on Linux for MDE #110

Merged: 2 commits, Jan 29, 2025

Conversation

jonade (Contributor) commented Jan 2, 2025

Pull Request Template

Description

Quick update on File Modifications in Linux using MDE

Please provide the below information so we can validate before merging:

  1. Does the proposed EDR feature align with our definition of telemetry? (definition here) - Yes
  2. Could you please provide documentation to support the telemetry you are proposing?
     1. If no documentation is available for all the categories you are proposing, could you provide screenshots or sanitized logs?

There is no ActionType of FileModified for file modification events in Linux; they simply appear as unique 'FileCreated' events.

Using tools such as nano to modify an existing script creates events in the Timeline view of the device, and in the AH table, of ActionType 'FileCreated'.

The example below updated the SCRIPT_VERSION variable in the MDE installation script to a different number, and then back again. We can see unique events for each modification, plus a duplicate SHA hash when it was returned to its original value.

[image attachment]

Type of change

Please delete options that are not relevant.

  • Feature Improvement (non-breaking change which fixes an issue)
  • New feature (adding additional EDR product or proposing new event categories/sub-categories)
  • This change requires a documentation update
  • New tool (suggesting additional tools for improving collection and analysis)

Test Configuration:

  • EDR version: 101.24112.0001
  • Operating System version: Debian 12

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have made corresponding changes to the documentation
  • I have added tests that prove my corrections or additions are accurate
  • I have checked my code and corrected any misspellings

tsale (Owner) commented Jan 29, 2025

Thanks for the PR! After reviewing and testing, we've decided to change this to "Partially" instead of "Yes". The issue is that while file modification events are logged, they are misclassified as FileCreated rather than FileModified. This means that while visibility exists, the event's labeling in the platform provides incorrect context, making it difficult for analysts to accurately distinguish between file creations and modifications.

Since this behavior could lead to incorrect assumptions in an investigation, marking it as Partial better reflects its limitations while still acknowledging that some telemetry is available.
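The behaviour described in the PR description and in the review above (an edit of an existing Linux file surfacing as another FileCreated row on the same path, with the hash repeating when the content is reverted) can be turned into an Advanced Hunting query that recovers the missing "modified" context by grouping the FileCreated rows per path. This is an added example, not code from the PR or from the EDR-Telemetry project; it assumes the standard DeviceFileEvents schema in Defender Advanced Hunting, and the lookback window and the watched directories are placeholders to adjust.

```kql
// Added example, not part of the PR or the EDR-Telemetry project.
// Assumes the standard DeviceFileEvents columns (Timestamp, DeviceName, ActionType,
// FolderPath, FileName, SHA256, InitiatingProcessFileName, InitiatingProcessAccountName).
// The lookback window and the watched directories below are placeholders to adjust.
let lookback = 7d;
DeviceFileEvents
| where Timestamp > ago(lookback)
// On the Linux sensor tested in the PR (101.24112.0001) an edit of an existing file
// is reported as FileCreated, so FileModified is not a usable filter for these hosts.
| where ActionType == "FileCreated"
// Keep POSIX paths in directories where an edit is worth reviewing (placeholders).
| where FolderPath startswith "/etc/"
     or FolderPath startswith "/usr/local/bin/"
     or FolderPath startswith "/opt/"
| summarize
    EventCount     = count(),
    DistinctHashes = dcountif(SHA256, isnotempty(SHA256)),
    Hashes         = make_set_if(SHA256, isnotempty(SHA256), 10),
    Writers        = make_set(InitiatingProcessFileName, 10),
    WriterAccounts = make_set(InitiatingProcessAccountName, 10),
    FirstSeen      = min(Timestamp),
    LastSeen       = max(Timestamp)
    by DeviceName, FolderPath, FileName
// A path "created" more than once inside the window is a create followed by one or
// more edits: this is the modification signal the FileCreated label hides.
| where EventCount > 1
| extend
    // the file's content changed at least once across the events
    ContentChanged = DistinctHashes > 1,
    // one hash appears on more than one event: the PR's revert case, or a rewrite
    // that produced identical bytes
    HashRepeated   = DistinctHashes > 0 and DistinctHashes < EventCount
| project-reorder DeviceName, FolderPath, FileName, EventCount, DistinctHashes,
                  ContentChanged, HashRepeated, Writers, WriterAccounts,
                  FirstSeen, LastSeen, Hashes
| order by LastSeen desc
```

Two limitations follow directly from the misclassification the review describes. A file whose original creation falls outside the lookback window and is then edited once shows EventCount == 1 and is indistinguishable from a genuine creation, so the window must be long enough to contain the baseline event. And the hash comparison can only say whether the bytes changed between events: a repeated hash is consistent with a revert, as in the PR's SCRIPT_VERSION test, but also with a rewrite of identical content, so the Writers and WriterAccounts columns, not the hash alone, are what give an analyst the context to decide.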

@tsale tsale merged commit c98a380 into tsale:main Jan 29, 2025
jonade (Contributor, Author) commented Jan 30, 2025

Yep, that makes sense. Cheers
