Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

FIX: Ensure operations on records with "*Missing" fields use correct search #8025

Closed
phil1090 opened this issue May 27, 2022 · 1 comment · Fixed by Security-Onion-Solutions/securityonion-soc#243
Closed

FIX: Ensure operations on records with "*Missing" fields use correct search #8025

phil1090 opened this issue May 27, 2022 · 1 comment · Fixed by Security-Onion-Solutions/securityonion-soc#243
Assignees
@coreyogburn
Labels
2.4 Planned for 2.4.X Hunt SOC

Comments

@phil1090
Copy link
Contributor

phil1090 commented May 27, 2022
edited by jertel
Loading

The Hunt pivot on a missing field (from a multi-field aggregation) does not produce a useful search. For example, if the network.protocol field displayed "*Missing", pivots on the field would use the search "network.protocol:"*Missing"". That search should be "-_exists_:network.protocol".

Also applies to Acknowledgments, and any other query that is executed against a search result record.
@phil1090 phil1090 added the SOC label May 27, 2022
@jertel jertel added the Hunt label Oct 28, 2022
@TOoSmOotH TOoSmOotH added the 2.4 Planned for 2.4.X label Dec 1, 2022
@jertel jertel changed the title FIX: Ensure Hunt pivots on "*Missing" fields use correct search FIX: Ensure operations on records with "*Missing" fields use correct search Dec 12, 2022
@defensivedepth defensivedepth mentioned this issue May 24, 2023
Closed
@coreyogburn coreyogburn self-assigned this Jun 28, 2023
@coreyogburn coreyogburn linked a pull request Jun 30, 2023 that will close this issue
Better Behavior around modifying queries with *Missing Security-Onion-Solutions/securityonion-soc#243
Merged
@dougburks
Copy link
Contributor

Tested and verified:
image
image
image

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 25, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@coreyogburn coreyogburn

Labels
2.4 Planned for 2.4.X Hunt SOC
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Better Behavior around modifying queries with *Missing Security-Onion-Solutions/securityonion-soc
5 participants
@dougburks @TOoSmOotH @phil1090 @jertel @coreyogburn