
[Security Solution] Threshold rules incorrectly populate kibana.alert.original_time when the rule groups by @timestamp, affecting Timeline investigations #144467

Open
Tracked by #165878
andrew-goldstein opened this issue Nov 2, 2022 · 3 comments
Labels
bug Fixes for quality problems that affect the customer experience consider-next Feature:Threshold Rule Security Solution Threshold rule type impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. sdh-linked Team:Detection Engine Security Solution Detection Engine Area Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.

Comments

@andrew-goldstein
Contributor

Threshold rules incorrectly populate kibana.alert.original_time when the rule groups by @timestamp. As a result, the to part of the date range is invalid when a user investigates a Threshold rule in timeline. @marshallmain provided the following detailed explanation:

The kibana.alert.original_time value of alert document is wrong because we don't handle it correctly when the threshold rule groups by @timestamp. On these two lines we set the @timestamp value of a synthetic source doc to the maximum value of the timestamp override field across all docs in the bucket. The second line there adds the field-value pairs that the docs were grouped by - in this case, also @timestamp, so it overwrites the @timestamp set by the first line with a different (in this case smaller) value.

The end result of the above is that kibana.alert.original_time gets created incorrectly and we use it as the to time for the timeline, resulting in an invalid range of dates.

Kibana/Elasticsearch Stack version:

8.5.0
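To make the ordering problem in the explanation above concrete, here is an added illustration that is not Kibana's code: the bucket shape, the function names, the timeline `from` value and the sample timestamps are all constructed for this example. It shows the group-by spread overwriting the max timestamp-override value when the rule groups by @timestamp, the reversed order that avoids it, and the effect on the Timeline range.

```typescript
// Added illustration of the ordering bug described in the issue. This is not
// Kibana's code; names and the sample bucket are constructed for this example.

// One threshold bucket after aggregation: the field/value pairs the rule
// grouped on, and the max of the timestamp-override field over its docs.
interface ThresholdBucket {
  groupBy: Record<string, string>;
  maxTimestampOverride: string;
}

type SyntheticDoc = Record<string, string>;

// Buggy order: @timestamp is set to the max override first, then the group-by
// pairs are spread in. If the rule groups by @timestamp, the (smaller) group
// key overwrites it.
function buildSyntheticDocBuggy(bucket: ThresholdBucket): SyntheticDoc {
  return { '@timestamp': bucket.maxTimestampOverride, ...bucket.groupBy };
}

// Corrected order: spread the group-by pairs first, then set @timestamp, so
// the max override always wins even when @timestamp is a group-by field.
function buildSyntheticDocFixed(bucket: ThresholdBucket): SyntheticDoc {
  return { ...bucket.groupBy, '@timestamp': bucket.maxTimestampOverride };
}

// original_time is taken from the synthetic doc's @timestamp and becomes the
// `to` end of the Timeline range; a `to` earlier than `from` is invalid.
function timelineRange(from: string, doc: SyntheticDoc) {
  const to = doc['@timestamp'];
  return { from, to, valid: Date.parse(from) <= Date.parse(to) };
}

// Constructed scenario: the docs' timestamp-override values fall inside the
// rule's search window, but their @timestamp predates it, so grouping by
// @timestamp hands Timeline a `to` that precedes the (assumed) window `from`.
const SAMPLE_BUCKET: ThresholdBucket = {
  groupBy: { '@timestamp': '2022-11-01T09:55:00.000Z' },
  maxTimestampOverride: '2022-11-01T10:03:00.000Z',
};
const WINDOW_FROM = '2022-11-01T10:00:00.000Z';

const buggy = timelineRange(WINDOW_FROM, buildSyntheticDocBuggy(SAMPLE_BUCKET));
const fixed = timelineRange(WINDOW_FROM, buildSyntheticDocFixed(SAMPLE_BUCKET));
console.log('buggy:', buggy); // to 09:55 < from 10:00 -> valid: false
console.log('fixed:', fixed); // to 10:03 -> valid: true
```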

@andrew-goldstein andrew-goldstein added bug Fixes for quality problems that affect the customer experience triage_needed Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. sdh-linked labels Nov 2, 2022
@elasticmachine
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@andrew-goldstein
Contributor Author

Related issue: #144473

@MadameSheema MadameSheema added the Team:Detection Alerts Security Detection Alerts Area Team label Nov 4, 2022
@marshallmain marshallmain added v8.6.0 impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. and removed triage_needed labels Nov 4, 2022
@peluja1012 peluja1012 added the Feature:Threshold Rule Security Solution Threshold rule type label Feb 10, 2023
@yctercero yctercero added Team:Detection Engine Security Solution Detection Engine Area and removed Team:Detection Alerts Security Detection Alerts Area Team labels May 13, 2023