Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] GUID not taken into consideration when creating a new detection rule using YAML #1126

Closed
pr3l14t0r opened this issue Sep 3, 2024 · 2 comments
Closed

[BUG] GUID not taken into consideration when creating a new detection rule using YAML #1126

pr3l14t0r opened this issue Sep 3, 2024 · 2 comments
Labels
bug Something isn't working

Comments

@pr3l14t0r
Copy link

What is the bug?
When i create a new detection rule using a yaml template, the id does not get transferred and saved. This is a deal-breaker for automation approaches where i want to collect my rules in a github repository and POST or PUT them via API commands.

I was not able to create a rule using yaml, where the id would actually be kept.

How can one reproduce the bug?
Steps to reproduce the behavior:

  1. Go to Detection Rules (/_dashboards/app/opensearch_security_analytics_dashboards#/rules)
  2. Click on 'Create detection rule'
  3. Choose the YAML Editor instead of the Visual Editor
  4. Insert the following example yaml syntax for a rule:
id: 80b4b6da-23f1-43b9-b578-0111fd6cb1d2
date: 2024/08/30
modified: 2024/08/30
logsource:
  product: gworkspace
title: GWorkspace Login Email Forwarding Out Of Domain
description: >-
  This event indicates that a user has enabled to forward incoming emails to an address that is outside of the domain. This could indicate a potential data exfiltration.
tags:
  - attack.exfiltration
  - attack.t1567
falsepositives:
  - A legit configuration done by a user.
level: high
status: test
references:
  - >-
    https://developers.google.com/admin-sdk/reports/v1/appendix/activity/login#email_forwarding_out_of_domain
author: pr3l14t0r
detection:
  selection:
    google_workspace.event.name: email_forwarding_out_of_domain
    applicationName: login
  condition: selection
  1. Go back to Detection Rules (/_dashboards/app/opensearch_security_analytics_dashboards#/rules)
  2. Search for the rule you have just created by its name: GWorkspace Login Email Forwarding Out Of Domain
  3. Click on the rule - the configuration of that rule opens
  4. Click on YAML instead of the Visual
  5. NOTICE that the field id does not show a proper GUID, but instead a string that looks like a document-id from OpenSearch
  6. Proceed and click on "Action" -> "Edit"
  7. Select YAML Editor
  8. NOTICE that the value for id displayed here has changed again. In my case, another GUID is shown which differs from the one that i have set in my yaml file.
  9. Notice that in general, some fields have been removed:
field status
id changed
date removed
modified removed

What is the expected behavior?
The GUID that has been set in yaml should be kept for the rule when it gets imported. This is the only field that should never change and thus qualifies the most for automation tasks. If i would take the field title for example, i would not be able to find already existing rule via API when i change the title in my yaml files.

Furthermore, when displaying a rules configuration, i would expect to see the GUID as id and not a document-id.

Additionally, it would be way more easy to reference a rule by its GUID in API requests, instead if the document-id.

What is your host/environment?

  • OS: AWS Managed OpenSearch
  • Version: v 2.13.0

Do you have any screenshots?

This screenshot shows the rules' yaml syntax in VSCode.

Screenshot 2024-09-03 114132

After you have created the rule in OpenSearch, click on it to check its configuration. This screenshot shows what is described in step 10, where you see a document-id (or whatever) instead of the GUID.

Screenshot 2024-09-03 114233

And finally, if you proceed from the previous step by clicking on "Action" -> "Edit Rule" and open the YAML Editor, you will see that the GUID got exchanged.

Screenshot 2024-09-03 114248

Do you have any additional context?
No.
@pr3l14t0r pr3l14t0r added bug Something isn't working untriaged labels Sep 3, 2024
@pr3l14t0r
Copy link
Author

Need to add a small addendum here.
The GUID value in id field is actually the same for each rule that i have created. In fact, all of my custom rules seem to have the GUID 25b9c01c-350d-4b95-bed1-836d04a4f324 .

The Creating Detection Rules section of the OpenSearch documentation does not mention the term GUID anywhere, which means that it is not clear how this is handled.
On the other hand, the Rule Creation Guide of Sigma is referred there, which definitely states that you need to set a GUID yourself, see here.

title: a short capitalised title with less than 50 characters
id: generate one here https://www.uuidgenerator.net/version4
status: experimental
[...]

May someone elaborate about this? Why are GUIDs ignored when specified manually?

@eirsep eirsep removed the untriaged label Sep 17, 2024
@eirsep
Copy link
Member

eirsep commented Sep 17, 2024

There is an issue opened in security analytics backend plugin to fix this
opensearch-project/security-analytics#1301

@eirsep eirsep closed this as completed Sep 17, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@eirsep @pr3l14t0r