
[Security Solution]Additional Field data not showing under preview rule alert table #129286

Closed
ghost opened this issue Apr 4, 2022 · 11 comments
Assignees
Labels
bug Fixes for quality problems that affect the customer experience Feature:Detection Rule Preview Security Solution Rule Preview fixed impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. QA:Validated Issue has been validated by QA Team:Detection Alerts Security Detection Alerts Area Team Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Threat Hunting:Investigations Security Solution Investigations Team Team:Threat Hunting Security Solution Threat Hunting Team v8.2.0

Comments

@ghost

ghost commented Apr 4, 2022

Describe the bug
Additional Field data not showing under preview rule alert table

Build Details

Version: 8.2.0-BC1
Commit: d18a093a2cf03991b93ea3de6a1054d580d3e82f
Build: 51685

Steps

  • Log in to Kibana
  • Create a rule and generate some alerts
  • Click on Edit rule and scroll down to the rule preview
  • Click on Field, search for process.pid and add this field to the table
  • Observe that the field gets added but the data inside it does not show up

Screen-Cast

image

Additional observation

process.pid data is present in the alert table for the same rule

image

@ghost ghost added bug Fixes for quality problems that affect the customer experience triage_needed Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. labels Apr 4, 2022
@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@ghost ghost added the impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. label Apr 4, 2022
@MadameSheema
Member

@karanbirsingh-qasource can you please provide the JSON of the alert? Thanks :)

@ghost
Author

ghost commented Apr 4, 2022

@MadameSheema Please find the required details

Screen-Cast:

Rules.-.Kibana.Mozilla.Firefox.2022-04-04.13-17-56.mp4

JSON:

{
  "_index": ".internal.preview.alerts-security.alerts-default-000001",
  "_id": "8b7d303d535bc4e94ac36bd696a64a7335aca9646d3f597760a8faffcf857355",
  "_score": 0,
  "_source": {
    "kibana.version": "8.2.0",
    "kibana.alert.rule.category": "Custom Query Rule",
    "kibana.alert.rule.consumer": "siem",
    "kibana.alert.rule.execution.uuid": "9d6b2ef8-56f0-4f3d-93f5-b715543d5ab3",
    "kibana.alert.rule.name": "Preview Rule",
    "kibana.alert.rule.producer": "preview-producer",
    "kibana.alert.rule.rule_type_id": "siem.queryRule",
    "kibana.alert.rule.uuid": "f0aaa677-8e90-4a8e-9439-058d89646ca1",
    "kibana.space_ids": [
      "default"
    ],
    "kibana.alert.rule.tags": [],
    "@timestamp": "2022-04-04T07:48:01.336Z",
    "process": {
      "parent": {
        "pid": 6368
      },
      "hash": {
        "sha1": "f1efb0fddc156e4c61c5f78a54700e4e7984d55d"
      },
      "executable": "C:\\Windows\\System32\\cmd.exe",
      "start": "2022-04-04T06:32:21.860Z",
      "args": [
        "C:\\WINDOWS\\system32\\cmd.exe"
      ],
      "working_directory": "C:\\Users\\zeus",
      "entity_id": "6SXmhMDPSBA1Tdbm",
      "name": "cmd.exe",
      "pid": 4132
    },
    "message": "Process cmd.exe (PID: 4132) by user WINDOWS-MACHINE\\zeus STARTED",
    "ecs": {
      "version": "8.0.0"
    },
    "host": {
      "architecture": "x86_64",
      "os": {
        "name": "Windows 10 Pro",
        "kernel": "10.0.19041.1586 (WinBuild.160101.0800)",
        "build": "19043.1586",
        "type": "windows",
        "platform": "windows",
        "version": "10.0",
        "family": "windows"
      },
      "id": "4143c277-074e-47a9-b37d-37f94b508705",
      "ip": [
        "10.0.7.214"
      ],
      "mac": [
        "00:50:56:b1:36:99"
      ],
      "hostname": "windows-machine",
      "name": "windows-machine"
    },
    "agent": {
      "id": "55b514f8-e37e-4155-a23c-3ce145b74742",
      "name": "windows-machine",
      "type": "auditbeat",
      "version": "8.2.0",
      "ephemeral_id": "d1237962-6fdc-4f30-b223-d95898f2df55",
      "hostname": "windows-machine"
    },
    "user": {
      "id": "S-1-5-21-4215045029-3277270250-148079304-1004",
      "group": {
        "id": "S-1-5-21-4215045029-3277270250-148079304-513",
        "name": "None"
      },
      "name": "WINDOWS-MACHINE\\zeus"
    },
    "service": {
      "type": "system"
    },
    "event.module": "system",
    "event.dataset": "process",
    "event.kind": "signal",
    "event.category": [
      "process"
    ],
    "event.type": [
      "start"
    ],
    "event.action": "process_started",
    "kibana.alert.original_time": "2022-04-04T06:32:22.800Z",
    "kibana.alert.ancestors": [
      {
        "id": "2H9G838BUUAtpnyTSvMk",
        "type": "event",
        "index": ".ds-auditbeat-8.2.0-2022.04.04-000001",
        "depth": 0
      }
    ],
    "kibana.alert.status": "active",
    "kibana.alert.workflow_status": "open",
    "kibana.alert.depth": 1,
    "kibana.alert.reason": "process event with process cmd.exe, by WINDOWS-MACHINE\\zeus on windows-machine created low alert Preview Rule.",
    "kibana.alert.severity": "low",
    "kibana.alert.risk_score": 21,
    "kibana.alert.rule.parameters": {
      "description": "Preview Rule",
      "risk_score": 21,
      "severity": "low",
      "license": "",
      "meta": {
        "from": "now-25h",
        "kibana_siem_app_url": ""
      },
      "author": [],
      "false_positives": [],
      "from": "now-25h",
      "rule_id": "257a79c5-4d9d-4d39-af0d-609370c57b26",
      "max_signals": 100,
      "risk_score_mapping": [],
      "severity_mapping": [],
      "threat": [],
      "to": "now",
      "references": [],
      "version": 1,
      "exceptions_list": [],
      "immutable": false,
      "type": "query",
      "language": "kuery",
      "index": [
        "apm-*-transaction*",
        "traces-apm*",
        "auditbeat-*",
        "endgame-*",
        "filebeat-*",
        "logs-*",
        "packetbeat-*",
        "winlogbeat-*"
      ],
      "query": "process.name : \"cmd.exe\"",
      "filters": []
    },
    "kibana.alert.rule.actions": [],
    "kibana.alert.rule.author": [],
    "kibana.alert.rule.created_at": "2022-04-04T07:48:00.214Z",
    "kibana.alert.rule.created_by": "elastic",
    "kibana.alert.rule.description": "Preview Rule",
    "kibana.alert.rule.enabled": true,
    "kibana.alert.rule.exceptions_list": [],
    "kibana.alert.rule.false_positives": [],
    "kibana.alert.rule.from": "now-25h",
    "kibana.alert.rule.immutable": false,
    "kibana.alert.rule.interval": "1d",
    "kibana.alert.rule.license": "",
    "kibana.alert.rule.max_signals": 100,
    "kibana.alert.rule.references": [],
    "kibana.alert.rule.risk_score_mapping": [],
    "kibana.alert.rule.rule_id": "257a79c5-4d9d-4d39-af0d-609370c57b26",
    "kibana.alert.rule.severity_mapping": [],
    "kibana.alert.rule.threat": [],
    "kibana.alert.rule.to": "now",
    "kibana.alert.rule.type": "query",
    "kibana.alert.rule.updated_at": "2022-04-04T07:48:00.214Z",
    "kibana.alert.rule.updated_by": "elastic",
    "kibana.alert.rule.version": 1,
    "kibana.alert.rule.meta.from": "now-25h",
    "kibana.alert.rule.meta.kibana_siem_app_url": "",
    "kibana.alert.rule.risk_score": 21,
    "kibana.alert.rule.severity": "low",
    "kibana.alert.original_event.module": "system",
    "kibana.alert.original_event.dataset": "process",
    "kibana.alert.original_event.kind": "event",
    "kibana.alert.original_event.category": [
      "process"
    ],
    "kibana.alert.original_event.type": [
      "start"
    ],
    "kibana.alert.original_event.action": "process_started",
    "kibana.alert.uuid": "8b7d303d535bc4e94ac36bd696a64a7335aca9646d3f597760a8faffcf857355"
  },
  "fields": {
    "kibana.alert.severity": [
      "low"
    ],
    "kibana.alert.rule.updated_by": [
      "elastic"
    ],
    "signal.ancestors.depth": [
      0
    ],
    "event.category": [
      "process"
    ],
    "process.parent.pid": [
      6368
    ],
    "host.hostname": [
      "windows-machine"
    ],
    "host.mac": [
      "00:50:56:b1:36:99"
    ],
    "service.type": [
      "system"
    ],
    "signal.rule.enabled": [
      "true"
    ],
    "kibana.alert.ancestors.depth": [
      0
    ],
    "host.os.version": [
      "10.0"
    ],
    "signal.rule.max_signals": [
      100
    ],
    "kibana.alert.risk_score": [
      21
    ],
    "signal.rule.updated_at": [
      "2022-04-04T07:48:00.214Z"
    ],
    "user.group.name": [
      "None"
    ],
    "agent.name": [
      "windows-machine"
    ],
    "user.id": [
      "S-1-5-21-4215045029-3277270250-148079304-1004"
    ],
    "host.os.type": [
      "windows"
    ],
    "kibana.alert.original_event.module": [
      "system"
    ],
    "kibana.alert.rule.interval": [
      "1d"
    ],
    "kibana.alert.rule.type": [
      "query"
    ],
    "agent.hostname": [
      "windows-machine"
    ],
    "host.architecture": [
      "x86_64"
    ],
    "kibana.alert.rule.immutable": [
      "false"
    ],
    "kibana.alert.original_event.type": [
      "start"
    ],
    "agent.id": [
      "55b514f8-e37e-4155-a23c-3ce145b74742"
    ],
    "signal.original_event.module": [
      "system"
    ],
    "signal.rule.from": [
      "now-25h"
    ],
    "kibana.alert.rule.enabled": [
      "true"
    ],
    "kibana.alert.rule.version": [
      "1"
    ],
    "kibana.alert.ancestors.type": [
      "event"
    ],
    "user.name": [
      "WINDOWS-MACHINE\\zeus"
    ],
    "signal.ancestors.index": [
      ".ds-auditbeat-8.2.0-2022.04.04-000001"
    ],
    "process.working_directory": [
      "C:\\Users\\zeus"
    ],
    "process.entity_id": [
      "6SXmhMDPSBA1Tdbm"
    ],
    "host.ip": [
      "10.0.7.214"
    ],
    "agent.type": [
      "auditbeat"
    ],
    "signal.original_event.category": [
      "process"
    ],
    "host.id": [
      "4143c277-074e-47a9-b37d-37f94b508705"
    ],
    "signal.original_event.type": [
      "start"
    ],
    "kibana.alert.rule.max_signals": [
      100
    ],
    "kibana.alert.rule.risk_score": [
      21
    ],
    "signal.original_event.dataset": [
      "process"
    ],
    "kibana.alert.rule.consumer": [
      "siem"
    ],
    "kibana.alert.rule.category": [
      "Custom Query Rule"
    ],
    "event.action": [
      "process_started"
    ],
    "@timestamp": [
      "2022-04-04T07:48:01.336Z"
    ],
    "kibana.alert.original_event.action": [
      "process_started"
    ],
    "signal.rule.updated_by": [
      "elastic"
    ],
    "host.os.platform": [
      "windows"
    ],
    "kibana.alert.rule.severity": [
      "low"
    ],
    "agent.ephemeral_id": [
      "d1237962-6fdc-4f30-b223-d95898f2df55"
    ],
    "kibana.alert.uuid": [
      "8b7d303d535bc4e94ac36bd696a64a7335aca9646d3f597760a8faffcf857355"
    ],
    "kibana.alert.rule.execution.uuid": [
      "9d6b2ef8-56f0-4f3d-93f5-b715543d5ab3"
    ],
    "kibana.alert.rule.meta.kibana_siem_app_url": [
      ""
    ],
    "kibana.version": [
      "8.2.0"
    ],
    "process.hash.sha1": [
      "f1efb0fddc156e4c61c5f78a54700e4e7984d55d"
    ],
    "signal.rule.license": [
      ""
    ],
    "signal.ancestors.type": [
      "event"
    ],
    "kibana.alert.rule.rule_id": [
      "257a79c5-4d9d-4d39-af0d-609370c57b26"
    ],
    "signal.rule.type": [
      "query"
    ],
    "kibana.alert.ancestors.id": [
      "2H9G838BUUAtpnyTSvMk"
    ],
    "kibana.alert.rule.description": [
      "Preview Rule"
    ],
    "process.pid": [
      4132
    ],
    "kibana.alert.rule.producer": [
      "preview-producer"
    ],
    "signal.rule.created_by": [
      "elastic"
    ],
    "kibana.alert.rule.to": [
      "now"
    ],
    "signal.rule.interval": [
      "1d"
    ],
    "kibana.alert.rule.created_by": [
      "elastic"
    ],
    "signal.rule.id": [
      "f0aaa677-8e90-4a8e-9439-058d89646ca1"
    ],
    "signal.rule.risk_score": [
      21
    ],
    "signal.reason": [
      "process event with process cmd.exe, by WINDOWS-MACHINE\\zeus on windows-machine created low alert Preview Rule."
    ],
    "host.os.name": [
      "Windows 10 Pro"
    ],
    "kibana.alert.rule.name": [
      "Preview Rule"
    ],
    "host.name": [
      "windows-machine"
    ],
    "signal.status": [
      "open"
    ],
    "event.kind": [
      "signal"
    ],
    "signal.rule.created_at": [
      "2022-04-04T07:48:00.214Z"
    ],
    "kibana.alert.workflow_status": [
      "open"
    ],
    "kibana.alert.rule.uuid": [
      "f0aaa677-8e90-4a8e-9439-058d89646ca1"
    ],
    "kibana.alert.original_event.category": [
      "process"
    ],
    "kibana.alert.reason": [
      "process event with process cmd.exe, by WINDOWS-MACHINE\\zeus on windows-machine created low alert Preview Rule."
    ],
    "signal.ancestors.id": [
      "2H9G838BUUAtpnyTSvMk"
    ],
    "signal.original_time": [
      "2022-04-04T06:32:22.800Z"
    ],
    "process.name": [
      "cmd.exe"
    ],
    "signal.rule.severity": [
      "low"
    ],
    "ecs.version": [
      "8.0.0"
    ],
    "kibana.alert.ancestors.index": [
      ".ds-auditbeat-8.2.0-2022.04.04-000001"
    ],
    "agent.version": [
      "8.2.0"
    ],
    "user.group.id": [
      "S-1-5-21-4215045029-3277270250-148079304-513"
    ],
    "kibana.alert.depth": [
      1
    ],
    "host.os.family": [
      "windows"
    ],
    "kibana.alert.rule.from": [
      "now-25h"
    ],
    "kibana.alert.rule.parameters": [
      {
        "severity": "low",
        "max_signals": 100,
        "severity_mapping": [],
        "references": [],
        "risk_score": 21,
        "risk_score_mapping": [],
        "author": [],
        "query": "process.name : \"cmd.exe\"",
        "description": "Preview Rule",
        "index": [
          "apm-*-transaction*",
          "traces-apm*",
          "auditbeat-*",
          "endgame-*",
          "filebeat-*",
          "logs-*",
          "packetbeat-*",
          "winlogbeat-*"
        ],
        "language": "kuery",
        "filters": [],
        "type": "query",
        "version": 1,
        "rule_id": "257a79c5-4d9d-4d39-af0d-609370c57b26",
        "license": "",
        "immutable": false,
        "exceptions_list": [],
        "meta": {
          "from": "now-25h",
          "kibana_siem_app_url": ""
        },
        "from": "now-25h",
        "false_positives": [],
        "threat": [],
        "to": "now"
      }
    ],
    "process.start": [
      "2022-04-04T06:32:21.860Z"
    ],
    "signal.rule.version": [
      "1"
    ],
    "signal.original_event.kind": [
      "event"
    ],
    "kibana.alert.status": [
      "active"
    ],
    "signal.depth": [
      1
    ],
    "kibana.alert.original_event.dataset": [
      "process"
    ],
    "signal.rule.immutable": [
      "false"
    ],
    "host.os.build": [
      "19043.1586"
    ],
    "kibana.alert.rule.rule_type_id": [
      "siem.queryRule"
    ],
    "signal.rule.name": [
      "Preview Rule"
    ],
    "event.module": [
      "system"
    ],
    "signal.rule.rule_id": [
      "257a79c5-4d9d-4d39-af0d-609370c57b26"
    ],
    "host.os.kernel": [
      "10.0.19041.1586 (WinBuild.160101.0800)"
    ],
    "kibana.alert.rule.license": [
      ""
    ],
    "kibana.alert.original_event.kind": [
      "event"
    ],
    "process.executable": [
      "C:\\Windows\\System32\\cmd.exe"
    ],
    "kibana.alert.rule.updated_at": [
      "2022-04-04T07:48:00.214Z"
    ],
    "signal.rule.description": [
      "Preview Rule"
    ],
    "process.args": [
      "C:\\WINDOWS\\system32\\cmd.exe"
    ],
    "message": [
      "Process cmd.exe (PID: 4132) by user WINDOWS-MACHINE\\zeus STARTED"
    ],
    "signal.original_event.action": [
      "process_started"
    ],
    "signal.rule.to": [
      "now"
    ],
    "kibana.alert.rule.created_at": [
      "2022-04-04T07:48:00.214Z"
    ],
    "event.type": [
      "start"
    ],
    "kibana.space_ids": [
      "default"
    ],
    "kibana.alert.rule.meta.from": [
      "now-25h"
    ],
    "event.dataset": [
      "process"
    ],
    "kibana.alert.original_time": [
      "2022-04-04T06:32:22.800Z"
    ]
  }
}
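The alert JSON above carries process.pid twice: nested under `process` in `_source` and as a flattened array in `fields`, so the value does reach the client and an empty preview column points at how the column reads the hit rather than at missing data. As an added example (not Kibana's own code), the resolver below reads a dotted field name from either view, handling both nested objects and pre-dotted keys such as `kibana.alert.rule.name`, and reports which view holds the value; `SAMPLE_HIT` is a constructed, trimmed copy of the posted document.

```javascript
// Constructed sample: a trimmed copy of the preview alert posted in the issue.
// `_source` mixes nested objects (process.pid) with pre-dotted keys
// (kibana.alert.rule.name); `fields` is flattened and every value is an array.
const SAMPLE_HIT = {
  _index: '.internal.preview.alerts-security.alerts-default-000001',
  _source: {
    'kibana.alert.rule.name': 'Preview Rule',
    process: { parent: { pid: 6368 }, name: 'cmd.exe', pid: 4132 },
    host: { name: 'windows-machine' },
  },
  fields: {
    'process.pid': [4132],
    'process.name': ['cmd.exe'],
    'kibana.alert.rule.name': ['Preview Rule'],
  },
};

// Walk `_source` for a dotted path. At each level try the longest literal
// dotted key first, then shorter prefixes as nested-object steps, so both
// layouts resolve. Returns undefined when the path is absent.
function getFromSource(obj, parts) {
  if (parts.length === 0) return obj;
  if (obj === null || typeof obj !== 'object') return undefined;
  for (let i = parts.length; i >= 1; i--) {
    const key = parts.slice(0, i).join('.');
    if (Object.prototype.hasOwnProperty.call(obj, key)) {
      const found = getFromSource(obj[key], parts.slice(i));
      if (found !== undefined) return found;
    }
  }
  return undefined;
}

// Column lookup: prefer the flattened `fields` view, fall back to `_source`.
// Always returns an array so callers can tell "absent" ([]) from a value.
function getFieldValues(hit, fieldName) {
  const fromFields = hit.fields && hit.fields[fieldName];
  if (Array.isArray(fromFields)) return fromFields;
  const fromSource = getFromSource(hit._source || {}, fieldName.split('.'));
  if (fromSource === undefined) return [];
  return Array.isArray(fromSource) ? fromSource : [fromSource];
}

// Triage helper for a report like this one: if the document carries the value
// in either view, an empty column is a rendering defect, not a data gap.
function diagnoseColumn(hit, fieldName) {
  const inFields = Array.isArray(hit.fields && hit.fields[fieldName]);
  const inSource = getFromSource(hit._source || {}, fieldName.split('.')) !== undefined;
  if (!inFields && !inSource) return 'absent';
  if (inFields && inSource) return 'present-in-both';
  return inFields ? 'fields-only' : 'source-only';
}
```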

@manishgupta-qasource

Reviewed & assigned to @MadameSheema

@MadameSheema MadameSheema added the Team:Threat Hunting Security Solution Threat Hunting Team label Apr 4, 2022
@elasticmachine
Contributor

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

@MadameSheema MadameSheema removed the Team:Threat Hunting Security Solution Threat Hunting Team label Apr 4, 2022
@MadameSheema
Member

@karanbirsingh-qasource can you please create a rule that generates that alert, and check if the value is displayed or not on the alerts table? Thanks ^^

@ghost
Author

ghost commented Apr 4, 2022

Yes, Glo information of process.pid is present on the Alert Table on the Alert Page

image

image

image

@MadameSheema MadameSheema added Team:Detections and Resp Security Detection Response Team Team:Threat Hunting Security Solution Threat Hunting Team Team:Detection Alerts Security Detection Alerts Area Team Team:Threat Hunting:Investigations Security Solution Investigations Team labels Apr 6, 2022
@elasticmachine
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@peluja1012 peluja1012 changed the title [Security Solution]Additional Field date not showing under preview rule alert table [Security Solution]Additional Field data not showing under preview rule alert table Apr 6, 2022
@MadameSheema
Member

@karanbirsingh-qasource can you please validate this issue on latest 8.2.0 snapshot and the next 8.2.0BC? Thanks!!

@ghost
Author

ghost commented Apr 19, 2022

Hi @MadameSheema

Please find the observation for the latest 8.2.0-SNAPSHOT. The issue is fixed ✔️

Build Details:

Version: 8.2.0-SNAPSHOT
Commit: 44f2776a5ece1844358845994c9f4a2dfec4c4a4
Build: 51972

Snapshots:

  • New Rule

image

  • Editing existing rule

image

We will check the issue again once BC4 is available.

thanks!!

@ghost
Author

ghost commented Apr 21, 2022

Hi @MadameSheema

We have validated this issue on 8.2.0 BC4 and found it fixed ✔️.

Build Details:

Version: 8.2.0
Commit: 9a5003d8cf0062bf24ef64d6712b44823888cc03
Build: 52005

Snapshots:

image

image

@ghost ghost closed this as completed Apr 21, 2022
@ghost ghost added the QA:Validated Issue has been validated by QA label Apr 21, 2022