
[SIEM] Authentications table doesn't show 'Last Success/Failed Source' column if only 'source.ip' is present #56716

Closed
spong opened this issue Feb 4, 2020 · 1 comment
Labels
bug Fixes for quality problems that affect the customer experience Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:SIEM Team:Threat Hunting Security Solution Threat Hunting Team

Comments


spong commented Feb 4, 2020

The Authentications Table on the Hosts Page will not show values for Last Success/Failed Source when only a single source field (source.ip) is present.


Looks like we're trying to verify there's a source object before checking for source.ip, so in instances where the document only has source.ip, it'll come back as a single field instead of an object, and this check will fail.

Response resulting in the bug:

{
  "took": 6,
  "timed_out": false,
  "_shards": {
    "total": 10,
    "successful": 10,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "max_score": null,
    "hits": []
  },
  "aggregations": {
    "group_by_users": {
      "doc_count_error_upper_bound": 0,
      "sum_other_doc_count": 0,
      "buckets": [
        {
          "key": "dain",
          "doc_count": 5,
          "failures": {
            "doc_count": 1,
            "lastFailure": {
              "hits": {
                "total": {
                  "value": 1,
                  "relation": "eq"
                },
                "max_score": null,
                "hits": [
                  {
                    "_index": "ecs-custom",
                    "_type": "_doc",
                    "_id": "",
                    "_score": null,
                    "_source": {
                      "syslog.severity": "6",
                      "@timestamp": "2020-02-03T21:31:37.851Z",
                      "message": "",
                      "syslog.facility": "166",
                      "event.category": "authentication",
                      "host.ip": "",
                      "type": "asa",
                      "host.name": "",
                      "event.code": "605004",
                      "user.name": "dain",
                      "host.os.version": "9.12(3)",
                      "timestamp": "Feb 03 2020 16:31:37",
                      "interface.name": "management",
                      "network.application": "ssh",
                      "event.type": "authentication_failure",
                      "source.port": "",
                      "host.os.name": "ASA",
                      "source.ip": "127.0.0.1",
                      "@version": "1"
                    },
                    "sort": [
                      1580765497851
                    ]
                  }
                ]
              }
            }
          },
          "successes": {
            "doc_count": 4,
            "lastSuccess": {
              "hits": {
                "total": {
                  "value": 4,
                  "relation": "eq"
                },
                "max_score": null,
                "hits": [
                  {
                    "_index": "ecs-custom",
                    "_type": "_doc",
                    "_id": "",
                    "_score": null,
                    "_source": {
                      "syslog.severity": "6",
                      "@timestamp": "2020-02-03T20:31:30.719Z",
                      "message": "",
                      "syslog.facility": "166",
                      "event.category": "authentication",
                      "host.ip": "127.0.0.1",
                      "type": "asa",
                      "host.name": "5508x-1",
                      "event.code": "605005",
                      "user.name": "dain",
                      "host.os.version": "9.12(3)",
                      "timestamp": "Feb 03 2020 15:31:30",
                      "interface.name": "management",
                      "network.application": "ssh",
                      "event.type": "authentication_success",
                      "source.port": "60381",
                      "host.os.name": "ASA",
                      "source.ip": "127.0.0.1",
                      "@version": "1"
                    },
                    "sort": [
                      1580761890719
                    ]
                  }
                ]
              }
            }
          }
        }
      ]
    },
    "user_count": {
      "value": 1
    }
  }
}
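An added example (not Kibana's own code) of the lookup problem described in the issue: a check that first requires a `source` object returns nothing for a document that carries only the dotted `source.ip` key, while a lookup that walks the nested path and then falls back to the dotted form resolves both layouts. The two hit shapes are constructed here, the flat one mirroring the `lastFailure` hit in the response above.

```typescript
// Added example, not Kibana's code: read a field from an Elasticsearch
// hit's _source whether it is stored nested ({ source: { ip } }) or as a
// single dotted key ("source.ip"), as in the response in this issue.

type Source = Record<string, unknown>;

// Only the part of a hit this example needs.
interface Hit {
  _source: Source;
}

// The check the issue describes: require a `source` object, then read
// `.ip` from it. A document with only the dotted key yields undefined.
function getSourceIpStrict(hit: Hit): string | undefined {
  const src = hit._source.source;
  if (src && typeof src === 'object') {
    const ip = (src as Source).ip;
    return typeof ip === 'string' ? ip : undefined;
  }
  return undefined;
}

// Tolerant lookup: walk the nested path first; if any step is missing,
// fall back to the dotted-key form so both document layouts resolve.
function getField(src: Source, path: string): unknown {
  let cur: unknown = src;
  for (const part of path.split('.')) {
    if (cur === null || typeof cur !== 'object') {
      cur = undefined;
      break;
    }
    cur = (cur as Source)[part];
  }
  return cur !== undefined ? cur : src[path];
}

function getSourceIpTolerant(hit: Hit): string | undefined {
  const ip = getField(hit._source, 'source.ip');
  return typeof ip === 'string' ? ip : undefined;
}

// Constructed sample hits: flatHit mirrors the lastFailure hit in the
// issue's response; nestedHit is the same data in ECS object layout.
const flatHit: Hit = {
  _source: { 'user.name': 'dain', 'source.ip': '127.0.0.1', 'source.port': '' },
};
const nestedHit: Hit = {
  _source: { user: { name: 'dain' }, source: { ip: '127.0.0.1', port: 60381 } },
};
```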

@spong spong added bug Fixes for quality problems that affect the customer experience Team:SIEM labels Feb 4, 2020
elasticmachine (Contributor) commented:

Pinging @elastic/siem (Team:SIEM)

@patrykkopycinski patrykkopycinski self-assigned this Feb 4, 2020
@patrykkopycinski patrykkopycinski removed their assignment Sep 30, 2020
@MadameSheema MadameSheema added the Team:Threat Hunting Security Solution Threat Hunting Team label Oct 1, 2020
@MindyRS MindyRS added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Oct 27, 2020