
[Security Solution] Host.ip are not formatted correctly. #108662

Closed
ghost opened this issue Aug 16, 2021 · 9 comments
Labels
bug Fixes for quality problems that affect the customer experience impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. QA:Validated Issue has been validated by QA Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Threat Hunting Security Solution Threat Hunting Team Theme: rac label obsolete

Comments

@ghost commented Aug 16, 2021

Describe the bug
Host.ip is not formatted correctly.

Build Details:

Version: 7.15.0 SNAPSHOT
Commit: aa12d107c38c5cda96fc32bcd1f8226df172826a
Build: 43370

Browser Details:
N/A

Preconditions

  1. Kibana users should be logged in.
  2. Endpoint should be installed.
  3. Alerts should be generated, e.g. mimikatz.

Steps to Reproduce

  1. Navigate to the Alerts page.
  2. Click on the "view details" icon of a generated alert.
  3. Click on the Table tab and search for host.ip.
  4. Observe that host.ip is not formatted correctly.

Actual Result
Host.ip is not formatted correctly.

Expected Result
Host.ip should be formatted correctly, either with Enter or with a comma.

What's Working

  • N/A

What's Not Working

  • N/A

Screen-Shot: [image attached]

@ghost ghost added bug Fixes for quality problems that affect the customer experience impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v7.15.0 labels Aug 16, 2021
@elasticmachine (Contributor)

Pinging @elastic/security-solution (Team: SecuritySolution)

@ghost (Author) commented Aug 16, 2021

@manishgupta-qasource Please review!!

@elasticmachine (Contributor)

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

@MadameSheema (Member)

@deepikakeshav-qasource can you please share the JSON data? Thanks :)

@ghost (Author) commented Aug 17, 2021

Hi @MadameSheema,

Please find below the JSON data for the rule.

Build Details:

Version: 8.0.0-SNAPSHOT
Commit: f952643e542a712149883d03f3cc99584d2b17eb

JSON data:

json.txt

Thanks!!

@jonathan-buttner (Contributor)

@deepikakeshav-qasource can you email me the creds for the elastic stack that has the alert on it? Can you also confirm via the Discover app that searching for _id: 58af803e296a36b187910b341c75124af9efeb572f97fd0f3eb0b8e563e69c57 within index: .siem-signals-default-000001 shows that host.ip is a comma delimited string like in the json.txt file you provided? "10.0.6.31,127.0.0.1,::1" If it is a string then we'll want the endpoint to convert it to an array of IPs.

@ghost (Author) commented Aug 24, 2021

Hi @jonathan-buttner,

We have created a new environment for this ticket's required test data and shared the credentials for the same on email.

In the Discover tab the IPs are displayed with commas. Please find below the screenshot for the same:

Screenshot: [image attached]

Please let us know if anything else is required from our end.

Thanks!!

@jonathan-buttner (Contributor)

Looks like it is a valid array in Elasticsearch then, so the flyout is not displaying it correctly. Looks like a valid bug on our side. Thanks for finding it!

@MadameSheema MadameSheema added the Theme: rac label obsolete label Aug 25, 2021
@ghost (Author) commented Nov 18, 2021

Hi Team,

We have validated this ticket on 7.16.0 BC5 and found that the issue is fixed. Please find the complete testing details:

Build Details:

Version: 7.16.0 BC5
Build: 46061
Commit: f13296db8798dd0cd39ab6cc4a61a35a2a2b05cc

Screenshots: [image attached]

Hence, we are closing this ticket and marking it as QA Validated.

Thanks!!

@ghost ghost added the QA:Validated Issue has been validated by QA label Nov 18, 2021
@ghost ghost closed this as completed Nov 18, 2021
This issue was closed.