Add new policy fields for diagnostic firewall_anti_tamper plugin (#637)

matthewh-elastic · web-flow · commit 3889c4ca78a1 · 2025-06-13T17:59:55.000+01:00
diff --git a/custom_documentation/doc/endpoint/policy/policy_response.md b/custom_documentation/doc/endpoint/policy/policy_response.md
@@ -52,6 +52,8 @@ This is a state management document that is generated every time Endpoint refres
 | Endpoint.policy.applied.response.configurations.streaming.status |
 | Endpoint.policy.applied.response.diagnostic.behavior_protection.concerned_actions |
 | Endpoint.policy.applied.response.diagnostic.behavior_protection.status |
+| Endpoint.policy.applied.response.diagnostic.firewall_anti_tamper.concerned_actions |
+| Endpoint.policy.applied.response.diagnostic.firewall_anti_tamper.status |
 | Endpoint.policy.applied.response.diagnostic.malware.concerned_actions |
 | Endpoint.policy.applied.response.diagnostic.malware.status |
 | Endpoint.policy.applied.response.diagnostic.memory_protection.concerned_actions |
diff --git a/custom_documentation/src/endpoint/data_stream/policy/policy_response.yaml b/custom_documentation/src/endpoint/data_stream/policy/policy_response.yaml
@@ -60,6 +60,8 @@ fields:
   - Endpoint.policy.applied.response.configurations.streaming.status
   - Endpoint.policy.applied.response.diagnostic.behavior_protection.concerned_actions
   - Endpoint.policy.applied.response.diagnostic.behavior_protection.status
+  - Endpoint.policy.applied.response.diagnostic.firewall_anti_tamper.concerned_actions
+  - Endpoint.policy.applied.response.diagnostic.firewall_anti_tamper.status
   - Endpoint.policy.applied.response.diagnostic.malware.concerned_actions
   - Endpoint.policy.applied.response.diagnostic.malware.status
   - Endpoint.policy.applied.response.diagnostic.memory_protection.concerned_actions
diff --git a/custom_schemas/custom_endpoint.yml b/custom_schemas/custom_endpoint.yml
@@ -247,6 +247,24 @@
       enabled: false
       description: the diagnostic configurations of the applied policy
 
+    - name: policy.applied.response.diagnostic.firewall_anti_tamper
+      level: custom
+      type: object
+      description: overall firewall anti-tamper configuration and status of the applied policy
+
+    - name: policy.applied.response.diagnostic.firewall_anti_tamper.concerned_actions
+      level: custom
+      type: keyword
+      description: all actions that were taken for the diagnostic configuration of firewall anti-tamper
+
+    - name: policy.applied.response.diagnostic.firewall_anti_tamper.status
+      level: custom
+      type: keyword
+      description: >
+        the overall status of the diagnostic configuration of firewall anti-tamper, this is correlated to
+        the status of concerned actions but not a simple sum of the actions
+      short: the overall status of diagnostic firewall anti-tamper
+
     - name: policy.applied.response.diagnostic.ransomware.concerned_actions
       level: custom
       type: keyword
diff --git a/package/endpoint/data_stream/policy/fields/fields.yml b/package/endpoint/data_stream/policy/fields/fields.yml
@@ -367,6 +367,23 @@
       ignore_above: 1024
       description: the overall status of the diagnostic configuration of credential protection, this is correlated to  the status of concerned actions but not a simple sum of the actions
       default_field: false
+    - name: policy.applied.response.diagnostic.firewall_anti_tamper
+      level: custom
+      type: object
+      description: overall firewall anti-tamper configuration and status of the applied policy
+      default_field: false
+    - name: policy.applied.response.diagnostic.firewall_anti_tamper.concerned_actions
+      level: custom
+      type: keyword
+      ignore_above: 1024
+      description: all actions that were taken for the diagnostic configuration of firewall anti-tamper
+      default_field: false
+    - name: policy.applied.response.diagnostic.firewall_anti_tamper.status
+      level: custom
+      type: keyword
+      ignore_above: 1024
+      description: the overall status of the diagnostic configuration of firewall anti-tamper, this is correlated to the status of concerned actions but not a simple sum of the actions
+      default_field: false
     - name: policy.applied.response.diagnostic.malware.concerned_actions
       level: custom
       type: keyword
diff --git a/package/endpoint/data_stream/policy/sample_event.json b/package/endpoint/data_stream/policy/sample_event.json
@@ -243,6 +243,16 @@
                                 "configure_diagnostic_rollback"
                             ],
                             "status": "success"
+                        },
+                        "firewall_anti_tamper": {
+                            "concerned_actions": [
+                                "load_config",
+                                "workflow",
+                                "download_global_artifacts",
+                                "download_user_artifacts",
+                                "configure_diagnostic_firewall_anti_tamper"
+                            ],
+                            "status": "success"
                         }
                     }
                 },
diff --git a/schemas/v1/policy/policy.yaml b/schemas/v1/policy/policy.yaml
