
[Security Solution] Customized Prebuilt Rule Retains “Modified” Status After Bypassing Review via Bulk Update #213503

@pborgonovi

Description

When a customized prebuilt rule with an available update is bulk updated without reviewing (by accepting the confirmation modal), the rule updates to Elastic’s version, replacing the previous customizations. However, the rule still retains the “Modified” status in the UI, and the is_customized flag remains true, despite no customizations remaining.

Rule before modification
{
    "id": "33c42206-5c0d-42a6-b3fe-d18f5862c388",
    "updated_at": "2025-03-06T23:29:14.890Z",
    "updated_by": "admin",
    "created_at": "2025-03-06T23:29:14.890Z",
    "created_by": "admin",
    "name": "Potential Cookies Theft via Browser Debugging",
    "tags": [
        "Elastic",
        "Host",
        "Linux",
        "Windows",
        "macOS",
        "Threat Detection",
        "Credential Access"
    ],
    "interval": "5m",
    "enabled": false,
    "revision": 0,
    "description": "Identifies the execution of a Chromium based browser with the debugging process argument, which may indicate an attempt to steal authentication cookies. An adversary may steal web application or service session cookies and use them to gain access web applications or Internet services as an authenticated user without needing credentials.",
    "risk_score": 47,
    "severity": "medium",
    "note": "",
    "license": "Elastic License v2",
    "output_index": "",
    "timestamp_override": "event.ingested",
    "author": [
        "Elastic"
    ],
    "false_positives": [
        "Developers performing browsers plugin or extension debugging."
    ],
    "from": "now-9m",
    "rule_id": "027ff9ea-85e7-42e3-99d2-bbb7069e02eb",
    "max_signals": 33,
    "risk_score_mapping": [],
    "severity_mapping": [],
    "threat": [
        {
            "framework": "MITRE ATT&CK",
            "tactic": {
                "id": "TA0006",
                "name": "Credential Access",
                "reference": "https://attack.mitre.org/tactics/TA0006/"
            },
            "technique": [
                {
                    "id": "T1539",
                    "name": "Steal Web Session Cookie",
                    "reference": "https://attack.mitre.org/techniques/T1539/"
                }
            ]
        }
    ],
    "to": "now",
    "references": [
        "https://github.com/defaultnamehere/cookie_crimes",
        "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/",
        "https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/post/multi/gather/chrome_cookies.md",
        "https://posts.specterops.io/hands-in-the-cookie-jar-dumping-cookies-with-chromiums-remote-debugger-port-34c4f468844e"
    ],
    "version": 101,
    "exceptions_list": [],
    "immutable": true,
    "rule_source": {
        "type": "external",
        "is_customized": false
    },
    "related_integrations": [
        {
            "package": "endpoint",
            "version": "^8.2.0"
        },
        {
            "package": "windows",
            "version": "^1.5.0"
        }
    ],
    "required_fields": [
        {
            "name": "event.type",
            "type": "keyword",
            "ecs": true
        },
        {
            "name": "process.args",
            "type": "keyword",
            "ecs": true
        },
        {
            "name": "process.name",
            "type": "keyword",
            "ecs": true
        }
    ],
    "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
    "type": "eql",
    "language": "eql",
    "index": [
        "auditbeat-*",
        "winlogbeat-*",
        "logs-endpoint.events.*",
        "logs-windows.*"
    ],
    "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n  process.name in (\n             \"Microsoft Edge\",\n             \"chrome.exe\",\n             \"Google Chrome\",\n             \"google-chrome-stable\",\n             \"google-chrome-beta\",\n             \"google-chrome\",\n             \"msedge.exe\") and\n   process.args : (\"--remote-debugging-port=*\",\n                   \"--remote-debugging-targets=*\",\n                   \"--remote-debugging-pipe=*\") and\n   process.args : \"--user-data-dir=*\" and not process.args:\"--remote-debugging-port=0\"\n",
    "actions": []
}
Rule after modification
{
    "id": "33c42206-5c0d-42a6-b3fe-d18f5862c388",
    "updated_at": "2025-03-06T23:59:53.196Z",
    "updated_by": "admin",
    "created_at": "2025-03-06T23:29:14.890Z",
    "created_by": "admin",
    "name": "Potential Cookies Theft via Browser Debugging IS CUSTOMIZED",
    "tags": [
        "Elastic",
        "Host",
        "Linux",
        "Windows",
        "macOS",
        "Threat Detection",
        "Credential Access"
    ],
    "interval": "1m",
    "enabled": false,
    "revision": 1,
    "description": "Identifies the execution of a Chromium based browser with the debugging process argument, which may indicate an attempt to steal authentication cookies. An adversary may steal web application or service session cookies and use them to gain access web applications or Internet services as an authenticated user without needing credentials.",
    "risk_score": 47,
    "severity": "medium",
    "license": "Elastic License v2",
    "output_index": "",
    "meta": {
        "kibana_siem_app_url": ""
    },
    "timestamp_override": "event.ingested",
    "timestamp_override_fallback_disabled": false,
    "author": [
        "Elastic"
    ],
    "false_positives": [
        "Developers performing browsers plugin or extension debugging."
    ],
    "from": "now-41m",
    "rule_id": "027ff9ea-85e7-42e3-99d2-bbb7069e02eb",
    "max_signals": 33,
    "risk_score_mapping": [],
    "severity_mapping": [],
    "threat": [
        {
            "framework": "MITRE ATT&CK",
            "tactic": {
                "id": "TA0006",
                "name": "Credential Access",
                "reference": "https://attack.mitre.org/tactics/TA0006/"
            },
            "technique": [
                {
                    "id": "T1539",
                    "name": "Steal Web Session Cookie",
                    "reference": "https://attack.mitre.org/techniques/T1539/"
                }
            ]
        }
    ],
    "to": "now",
    "references": [
        "https://github.com/defaultnamehere/cookie_crimes",
        "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/",
        "https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/post/multi/gather/chrome_cookies.md",
        "https://posts.specterops.io/hands-in-the-cookie-jar-dumping-cookies-with-chromiums-remote-debugger-port-34c4f468844e"
    ],
    "version": 101,
    "exceptions_list": [],
    "immutable": true,
    "rule_source": {
        "type": "external",
        "is_customized": true
    },
    "related_integrations": [
        {
            "package": "endpoint",
            "version": "^8.2.0"
        },
        {
            "package": "windows",
            "version": "^1.5.0"
        }
    ],
    "required_fields": [
        {
            "name": "event.type",
            "type": "keyword",
            "ecs": true
        },
        {
            "name": "process.args",
            "type": "keyword",
            "ecs": true
        },
        {
            "name": "process.name",
            "type": "keyword",
            "ecs": true
        }
    ],
    "setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
    "type": "eql",
    "language": "eql",
    "index": [
        "auditbeat-*",
        "winlogbeat-*",
        "logs-endpoint.events.*",
        "logs-windows.*",
        "TEST"
    ],
    "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n  process.name in (\n             \"Microsoft Edge\",\n             \"chrome.exe\",\n             \"Google Chrome\",\n             \"google-chrome-stable\",\n             \"google-chrome-beta\",\n             \"google-chrome\",\n             \"msedge.exe\") and\n   process.args : (\"--remote-debugging-port=*\",\n                   \"--remote-debugging-targets=*\",\n                   \"--remote-debugging-pipe=*\") and\n   process.args : \"--user-data-dir=*\" and not process.args:\"--remote-debugging-port=0\"\n",
    "filters": [],
    "actions": []
}
Rule after updating without reviewing changes
{
    "id": "33c42206-5c0d-42a6-b3fe-d18f5862c388",
    "updated_at": "2025-03-07T00:05:49.318Z",
    "updated_by": "admin",
    "created_at": "2025-03-06T23:29:14.890Z",
    "created_by": "admin",
    "name": "Potential Cookies Theft via Browser Debugging",
    "tags": [
        "Elastic",
        "Host",
        "Linux",
        "Windows",
        "macOS",
        "Threat Detection",
        "Credential Access",
        "Domain: Endpoint",
        "OS: Linux",
        "OS: Windows",
        "OS: macOS",
        "Use Case: Threat Detection",
        "Tactic: Credential Access",
        "Data Source: Elastic Defend",
        "Resources: Investigation Guide"
    ],
    "interval": "5m",
    "enabled": false,
    "revision": 2,
    "description": "Identifies the execution of a Chromium based browser with the debugging process argument, which may indicate an attempt to steal authentication cookies. An adversary may steal web application or service session cookies and use them to gain access web applications or Internet services as an authenticated user without needing credentials.",
    "risk_score": 47,
    "severity": "medium",
    "note": "## Triage and analysis\n\n> **Disclaimer**:\n> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.\n\n### Investigating Potential Cookies Theft via Browser Debugging\n\nChromium-based browsers support debugging features that allow developers to inspect and modify web applications. Adversaries can exploit these features to access session cookies, enabling unauthorized access to web services. The detection rule identifies suspicious browser processes using debugging arguments, which may indicate cookie theft attempts, by monitoring specific process names and arguments across different operating systems.\n\n### Possible investigation steps\n\n- Review the process details to confirm the presence of suspicious debugging arguments such as \"--remote-debugging-port=*\", \"--remote-debugging-targets=*\", or \"--remote-debugging-pipe=*\". Check if these arguments were used in conjunction with \"--user-data-dir=*\" and ensure \"--remote-debugging-port=0\" is not present.\n- Identify the user account associated with the suspicious browser process to determine if it aligns with expected behavior or if it might be compromised.\n- Investigate the source IP address and network activity associated with the process to identify any unusual or unauthorized access patterns.\n- Check for any recent changes or anomalies in the user's account activity, such as unexpected logins or access to sensitive applications.\n- Correlate the event with other security alerts or logs to identify if this activity is part of a broader attack pattern or campaign.\n- If possible, capture and analyze the network traffic associated with the process to detect any data exfiltration attempts or communication with known malicious IP addresses.\n\n### False positive analysis\n\n- Development and testing activities may trigger the rule when developers use debugging features for legitimate purposes. To manage this, create exceptions for known developer machines or user accounts frequently involved in web application development.\n- Automated testing frameworks that utilize browser debugging for testing web applications can also cause false positives. Identify and exclude processes initiated by these frameworks by specifying their unique process names or user accounts.\n- Browser extensions or tools that rely on debugging ports for functionality might be flagged. Review and whitelist these extensions or tools if they are verified as safe and necessary for business operations.\n- Remote support or troubleshooting sessions using debugging features can be mistaken for suspicious activity. Implement a policy to log and review such sessions, allowing exceptions for recognized support tools or personnel.\n- Continuous integration/continuous deployment (CI/CD) pipelines that involve browser automation may inadvertently match the rule criteria. Exclude these processes by identifying and filtering based on the CI/CD system's user accounts or process identifiers.\n\n### Response and remediation\n\n- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.\n- Terminate any suspicious browser processes identified with debugging arguments to stop potential cookie theft in progress.\n- Conduct a thorough review of access logs for the affected web applications or services to identify any unauthorized access attempts using stolen cookies.\n- Invalidate all active sessions for the affected user accounts and force a re-authentication to ensure that any stolen session cookies are rendered useless.\n- Implement stricter browser security policies, such as disabling remote debugging features in production environments, to prevent similar exploitation in the future.\n- Escalate the incident to the security operations team for further investigation and to determine if additional systems or data have been compromised.\n- Enhance monitoring and alerting for similar suspicious browser activities by refining detection rules and incorporating additional threat intelligence.",
    "license": "Elastic License v2",
    "output_index": "",
    "meta": {
        "kibana_siem_app_url": ""
    },
    "timestamp_override": "event.ingested",
    "timestamp_override_fallback_disabled": false,
    "author": [
        "Elastic"
    ],
    "false_positives": [
        "Developers performing browsers plugin or extension debugging."
    ],
    "from": "now-9m",
    "rule_id": "027ff9ea-85e7-42e3-99d2-bbb7069e02eb",
    "max_signals": 33,
    "risk_score_mapping": [],
    "severity_mapping": [],
    "threat": [
        {
            "framework": "MITRE ATT&CK",
            "tactic": {
                "id": "TA0006",
                "name": "Credential Access",
                "reference": "https://attack.mitre.org/tactics/TA0006/"
            },
            "technique": [
                {
                    "id": "T1539",
                    "name": "Steal Web Session Cookie",
                    "reference": "https://attack.mitre.org/techniques/T1539/"
                }
            ]
        }
    ],
    "to": "now",
    "references": [
        "https://github.com/defaultnamehere/cookie_crimes",
        "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/",
        "https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/post/multi/gather/chrome_cookies.md",
        "https://posts.specterops.io/hands-in-the-cookie-jar-dumping-cookies-with-chromiums-remote-debugger-port-34c4f468844e"
    ],
    "version": 208,
    "exceptions_list": [],
    "immutable": true,
    "rule_source": {
        "type": "external",
        "is_customized": true
    },
    "related_integrations": [
        {
            "package": "endpoint",
            "version": "^8.2.0"
        },
        {
            "package": "windows",
            "version": "^2.0.0"
        }
    ],
    "required_fields": [
        {
            "name": "event.type",
            "type": "keyword",
            "ecs": true
        },
        {
            "name": "process.args",
            "type": "keyword",
            "ecs": true
        },
        {
            "name": "process.name",
            "type": "keyword",
            "ecs": true
        }
    ],
    "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,\nevents will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.\nHence for this rule to work effectively, users will need to add a custom ingest pipeline to populate\n`event.ingested` to @timestamp.\nFor more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html\n",
    "type": "eql",
    "language": "eql",
    "index": [
        "auditbeat-*",
        "winlogbeat-*",
        "logs-endpoint.events.*",
        "logs-windows.*"
    ],
    "query": "process where event.type in (\"start\", \"process_started\", \"info\") and\n  process.name in (\n             \"Microsoft Edge\",\n             \"chrome.exe\",\n             \"Google Chrome\",\n             \"google-chrome-stable\",\n             \"google-chrome-beta\",\n             \"google-chrome\",\n             \"msedge.exe\") and\n   process.args : (\"--remote-debugging-port=*\",\n                   \"--remote-debugging-targets=*\",\n                   \"--remote-debugging-pipe=*\") and\n   process.args : \"--user-data-dir=*\" and not process.args:\"--remote-debugging-port=0\"",
    "filters": [],
    "actions": []
}

Kibana/Elasticsearch Stack version:

VERSION: 9.1.0
BUILD: 84372
COMMIT: 636c06bcd35c4b563ba1742bee01b38636e61570

Functional Area (e.g. Endpoint management, timelines, resolver, etc.):

Prebuilt Rules Update

Prerequisites:

  1. prebuiltRulesCustomizationEnabled flag is enabled
  2. Prebuilt rules are available
  3. Customized prebuilt rules are available
  4. The customized prebuilt rule has an available update

Steps to reproduce:

  1. Navigate to the Rule Updates table.
  2. Select the customized prebuilt rule and initiate a bulk update.
  3. A confirmation modal appears, asking if the user wants to update the rule without reviewing.
  4. Accept and proceed with the update without reviewing.
    • During the update process, the customized fields are overwritten with Elastic’s version, causing the rule to lose its customizations.
  5. After the update, navigate to the Rules Management table and search for the rule.

Test Data Details:

  • Old package version: 8.4.2
  • New package version: 8.17.6
  • Rule modified: "Potential Cookies Theft Via Browser Debugging"
  • Modified fields:
    • schedule: updated to 40min/ lookback: 4min
    • data source: added test index pattern
    • name: added "IS CUSTOMIZED" as suffix

Current behavior:

  • The rule has no remaining customizations (fields were reverted to Elastic’s version).
  • However, the rule is still marked as “Modified” in the UI.
  • The rule’s is_customized flag remains true, even though no actual customizations exist.

Expected behavior:

If the customized rule is updated and its customizations are lost, it should no longer be marked as “Modified”, and is_customized should be false.

Screencast:

Screen.Recording.2025-03-06.at.4.05.18.PM.mov
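The expected behaviour described in the report is that `rule_source.is_customized` follows the actual diff between the installed rule and Elastic's version, rather than being carried over from the previous revision. The following is an added example in Python illustrating that, not Kibana's code: `CUSTOMIZABLE_FIELDS` is an assumed representative subset of the fields a user may customize (Kibana's real list is longer), and the rule documents are trimmed, constructed versions of the three dumps above. `upgrade_without_review` models the bulk "update without reviewing" path both ways: recomputing the flag from the result, and carrying the old flag over as the report observes.

```python
"""Derive `rule_source.is_customized` from a field diff instead of carrying the
old flag across a prebuilt-rule upgrade.

Added example, not Kibana's code. CUSTOMIZABLE_FIELDS is an assumed
representative subset of the fields a user may customize on a prebuilt rule
(the real list in Kibana is longer), and the rule documents below are trimmed
versions of the three dumps in the report, constructed here for illustration.
"""
import copy
from typing import Any

Rule = dict[str, Any]

# Assumption: subset of customizable fields; these are the ones the report touches.
CUSTOMIZABLE_FIELDS = ("name", "tags", "interval", "from", "to", "index", "query", "setup")

# Constructed from the report: Elastic's base version 101 of the rule.
BASE_TAGS = ["Elastic", "Host", "Linux", "Windows", "macOS", "Threat Detection", "Credential Access"]
BASE_INDEX = ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
QUERY = 'process where event.type in ("start", "process_started", "info") and ...'  # stand-in, truncated

BASE_V101: Rule = {
    "rule_id": "027ff9ea-85e7-42e3-99d2-bbb7069e02eb",
    "version": 101,
    "name": "Potential Cookies Theft via Browser Debugging",
    "tags": BASE_TAGS,
    "interval": "5m",
    "from": "now-9m",
    "to": "now",
    "index": BASE_INDEX,
    "query": QUERY,
    "setup": "If enabling an EQL rule on a non-elastic-agent index ...",  # stand-in, truncated
}

# Installed copy, unmodified ("Rule before modification").
INSTALLED_V101: Rule = {
    **copy.deepcopy(BASE_V101),
    "revision": 0,
    "rule_source": {"type": "external", "is_customized": False},
}

# The user's edits from the report: name suffix, schedule, extra index pattern.
CUSTOMIZED: Rule = {
    **copy.deepcopy(INSTALLED_V101),
    "name": BASE_V101["name"] + " IS CUSTOMIZED",
    "interval": "1m",
    "from": "now-41m",
    "index": BASE_INDEX + ["TEST"],
    "revision": 1,
    "rule_source": {"type": "external", "is_customized": True},
}

# Elastic's version 208 from the newer package: new tags and setup, same schedule and index.
TARGET_V208: Rule = {
    **copy.deepcopy(BASE_V101),
    "version": 208,
    "tags": BASE_TAGS + ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS",
                         "Use Case: Threat Detection", "Tactic: Credential Access",
                         "Data Source: Elastic Defend", "Resources: Investigation Guide"],
    "setup": "## Setup\n\nIf enabling an EQL rule on a non-elastic-agent index ...",  # stand-in, truncated
}


def customized_fields(rule: Rule, base: Rule) -> list[str]:
    """Customizable fields whose value in `rule` differs from Elastic's `base`."""
    return [f for f in CUSTOMIZABLE_FIELDS if rule.get(f) != base.get(f)]


def compute_is_customized(rule: Rule, base: Rule) -> bool:
    """`is_customized` as a pure function of the diff, never of the previous flag."""
    return bool(customized_fields(rule, base))


def upgrade_without_review(rule: Rule, target: Rule, recompute: bool = True) -> Rule:
    """Bulk 'update without reviewing': every customizable field takes the target's value.

    recompute=True derives is_customized from the result (expected behaviour).
    recompute=False carries the previous flag over (the behaviour the report describes).
    """
    upgraded = copy.deepcopy(rule)
    for field in CUSTOMIZABLE_FIELDS:
        if field in target:
            upgraded[field] = copy.deepcopy(target[field])
        else:
            upgraded.pop(field, None)
    upgraded["version"] = target["version"]
    upgraded["revision"] = rule["revision"] + 1
    flag = compute_is_customized(upgraded, target) if recompute else rule["rule_source"]["is_customized"]
    upgraded["rule_source"] = {"type": "external", "is_customized": flag}
    return upgraded


if __name__ == "__main__":
    print("before modification, diff vs v101:", customized_fields(INSTALLED_V101, BASE_V101))
    print("after modification, diff vs v101: ", customized_fields(CUSTOMIZED, BASE_V101))
    fixed = upgrade_without_review(CUSTOMIZED, TARGET_V208)
    buggy = upgrade_without_review(CUSTOMIZED, TARGET_V208, recompute=False)
    print("after upgrade, diff vs v208:", customized_fields(fixed, TARGET_V208))
    print("recomputed is_customized:  ", fixed["rule_source"]["is_customized"])
    print("carried-over is_customized:", buggy["rule_source"]["is_customized"])
```

The point of the diff-based check is that the flag cannot drift from the rule's contents: once the upgrade has replaced every customizable field with the v208 value, `customized_fields(upgraded, TARGET_V208)` is empty and the flag must be false, which is exactly the state the report's third dump violates. Comparing against the new target (not the old base) also matters, since fields that Elastic itself changed between 101 and 208, such as `tags` and `setup`, would otherwise be misreported as user customizations.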

Labels

  • 8.18 candidate
  • Feature:Prebuilt Detection Rules (Security Solution Prebuilt Detection Rules area)
  • Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.)
  • Team:Detection Rule Management (Security Detection Rule Management Team)
  • Team:Detections and Resp (Security Detection Response Team)
  • bug (Fixes for quality problems that affect the customer experience)
  • impact:high (Addressing this issue will have a high level of impact on the quality/strength of our product.)
  • v8.18.0