[Security Solution] [CTI] Indicator Match "field matching" logic ignored when a saved query is used in rule configuration #107986

Closed
peluja1012 opened this issue Aug 10, 2021 · 3 comments · Fixed by #109253
Assignees
Labels
bug Fixes for quality problems that affect the customer experience impact:high Addressing this issue will have a high level of impact on the quality/strength of our product. Team: CTI Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.

Comments

@peluja1012
Contributor

peluja1012 commented Aug 10, 2021

Describe the bug:
When an Indicator Match rule is configured with a saved query (i.e. a saved_id), the field matching logic (i.e. field.x matches field.y) is not taken into account when processing the rule. This leads to unexpected alerts being generated.

Kibana/Elasticsearch Stack version:
7.14

Steps to reproduce:

  1. Create an Indicator Match rule with the following configuration:

    [screenshot: rule configuration]

  2. Using Kibana -> Dev Tools, create test-filebeat and test-indicator-index indices as shown below

    Dev Tools commands
    PUT test-indicator-index
    {
       "mappings" : {
         "properties" : {
           "@timestamp" : {
             "type" : "date"
           },
           "url" : {
             "properties" : {
               "full" : {
                 "type" : "text",
                 "fields" : {
                   "keyword" : {
                     "type" : "keyword",
                     "ignore_above" : 256
                   }
                 }
               }
             }
           }
         }
       }
    }
    
    PUT test-filebeat
    {
      "mappings" : {
        "properties" : {
          "@timestamp" : {
            "type" : "date"
          },
          "url": {
            "properties": {
              "original" : {
                "type" : "keyword",
                "ignore_above" : 1024,
                "fields" : {
                  "text" : {
                    "type" : "text",
                    "norms" : false
                  }
                }
              }
            }
          }
        }
      }
    }
    
  3. Using Kibana -> Dev Tools, index some test documents into the test-filebeat and test-indicator-index indices as shown below

    Dev Tools commands
    POST test-indicator-index/_doc
    {
      "@timestamp": "2021-07-27T08:51:49.337Z",
      "url": {
        "full": "foo.test.com/"
      }
    }

    POST test-filebeat/_doc
    {
      "@timestamp": "2021-07-27T08:51:49.337Z",
      "url": {
        "original": "http://test"
      }
    }
    
  4. Activate the rule. Notice that no alerts are generated as expected.

  5. Edit the rule. Under the Custom query section, click on the saved query icon and then click on Save current query. Finally save the changes to the rule configuration.

    [screenshot: saved query dialog]

  6. Deactivate/Activate the rule to force it to execute again. Notice that an alert is created unexpectedly. The generated alert has no Threat Intel data.

    [screenshot: unexpected alert without Threat Intel data]

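The following is an added example, not code from the issue author or from Kibana, that models the field matching ("threat mapping") check the report says is being skipped and runs it over the two sample documents from the reproduction steps. The threat mapping itself is an assumption, since the rule configuration screenshot is not reproduced here: it maps the event field url.original to the indicator field url.full. The outer list is OR between entry groups and the inner entries list is AND within a group, following the shape of the rule's threat_mapping parameter. A second function models the reported symptom (query-only matching with no field constraint and no threat enrichment) so the two outcomes can be compared side by side.

```python
from typing import Any, Dict, List, Optional

# Constructed sample documents, mirroring the two Dev Tools POSTs in the report.
INDICATORS: List[Dict[str, Any]] = [
    {"@timestamp": "2021-07-27T08:51:49.337Z", "url": {"full": "foo.test.com/"}},
]
EVENTS: List[Dict[str, Any]] = [
    {"@timestamp": "2021-07-27T08:51:49.337Z", "url": {"original": "http://test"}},
]

# Assumed threat mapping (the step 1 screenshot is not available here):
# an event is a match only if event.url.original == indicator.url.full.
THREAT_MAPPING: List[Dict[str, Any]] = [
    {"entries": [{"field": "url.original", "type": "mapping", "value": "url.full"}]},
]


def get_path(doc: Dict[str, Any], dotted: str) -> Optional[Any]:
    """Resolve a dotted field name such as 'url.original' against a nested document."""
    cur: Any = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def entry_group_matches(event: Dict[str, Any], indicator: Dict[str, Any],
                        entries: List[Dict[str, str]]) -> bool:
    """All entries in a group must hold (AND); a missing field never matches."""
    for entry in entries:
        event_value = get_path(event, entry["field"])
        indicator_value = get_path(indicator, entry["value"])
        if event_value is None or indicator_value is None:
            return False
        if event_value != indicator_value:
            return False
    return True


def indicator_match(events: List[Dict[str, Any]], indicators: List[Dict[str, Any]],
                    threat_mapping: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Expected behaviour: alert only when some entry group (OR) matches an indicator,
    and enrich the alert with the matching indicator document."""
    alerts = []
    for event in events:
        for indicator in indicators:
            if any(entry_group_matches(event, indicator, group["entries"])
                   for group in threat_mapping):
                alerts.append({"event": event, "threat": indicator})
                break  # one alert per event is enough for this illustration
    return alerts


def query_only_match(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Model of the reported symptom (a simplification, not Kibana's code): with the
    field mapping ignored, every event selected by the custom query alerts, and
    because no indicator was compared there is no Threat Intel data to attach."""
    return [{"event": event, "threat": None} for event in events]


if __name__ == "__main__":
    print("with field matching:", indicator_match(EVENTS, INDICATORS, THREAT_MAPPING))
    print("field matching ignored:", query_only_match(EVENTS))
```

Running it shows an empty alert list for the correct path (the sample event's url.original "http://test" never equals the indicator's url.full "foo.test.com/") and one unenriched alert for the modelled bug path, which is exactly the difference between steps 4 and 6 of the reproduction. Changing the event's url.original to "foo.test.com/" produces a single alert that carries the indicator document, which is what a healthy Indicator Match rule should emit.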
@peluja1012 peluja1012 added bug Fixes for quality problems that affect the customer experience impact:high Addressing this issue will have a high level of impact on the quality/strength of our product. Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team: CTI labels Aug 10, 2021
@elasticmachine
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@ecezalp
Contributor

ecezalp commented Oct 30, 2021

testing instructions

  • follow the reproduction steps outlined in this bug description, and confirm that the bug is no longer reproducible.
