[Security Solution] Rule incorrectly reports gap when modifying interval while disabled and then re-enabling #155671

Open
Tracked by #165878
spong opened this issue Apr 24, 2023 · 2 comments
Assignees
Labels
8.15 candidate bug Fixes for quality problems that affect the customer experience Feature:Gap Detection/Remediation Security Solution Gap Detection/Remediation impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. Team:Detection Engine Security Solution Detection Engine Area Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.

spong commented Apr 24, 2023

First identified in 8.8/main (in testing #155384), but based on the issue this probably has existed since the initial implementation of the Detection Engine/Gap Detection logic. This is very low impact based on the reproduction steps, but logging for future iterations of our gap detection/remediation logic.

Summary

If a previously executed disabled rule's interval is modified to be less than the previous interval, when it is re-enabled a gap will be reported even though it is just being re-enabled.

Reproduction steps

  • Create rule with a 10min interval and let it run once, then disable.
  • Edit rule to have a 10sec interval
  • Wait a few minutes
  • Enable rule and observe false gap warning (with duration being since its last execution)

@spong spong added bug Fixes for quality problems that affect the customer experience triage_needed impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Detection Alerts Security Detection Alerts Area Team Feature:Gap Detection/Remediation Security Solution Gap Detection/Remediation labels Apr 24, 2023
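The reproduction steps above can be modelled in a few lines. This is an added example, not Kibana's code and not part of the original issue: it assumes a simplified gap check (time since the previous run minus the current interval and a look-back tolerance), and the function names, the `enabledAt` field, the 1m look-back and the timestamps are all hypothetical or constructed.

```javascript
// Simplified model (assumption): a gap is the time since the previous run
// started, minus what the current schedule and look-back were expected to cover.
const UNIT_MS = { s: 1000, m: 60000, h: 3600000 };

function parseIntervalMs(text) {
  const m = /^(\d+)([smh])$/.exec(text);
  if (!m) throw new Error(`unsupported interval: ${text}`);
  return Number(m[1]) * UNIT_MS[m[2]];
}

// Naive check: looks only at the last execution time and the *current*
// interval, so time spent disabled counts as missed coverage.
function naiveGapMs({ previousStartedAt, startedAt, interval, lookback }) {
  const elapsed = startedAt - previousStartedAt;
  return Math.max(0, elapsed - parseIntervalMs(interval) - parseIntervalMs(lookback));
}

// Hypothetical variant: measure from the later of the last run and the last
// enablement, so a re-enable does not look like a missed schedule.
function enableAwareGapMs(run) {
  const baseline = Math.max(run.previousStartedAt, run.enabledAt ?? 0);
  return naiveGapMs({ ...run, previousStartedAt: baseline });
}

// Constructed timeline following the reproduction steps: the rule ran once,
// was disabled, edited, and re-enabled three minutes after its last run.
function reproduce() {
  const lastRun = Date.UTC(2023, 3, 24, 12, 0, 0);
  const reEnabled = lastRun + 3 * 60000;
  const run = { previousStartedAt: lastRun, startedAt: reEnabled, lookback: '1m' };
  return {
    // Interval left at 10m: elapsed time is inside the schedule, no gap.
    unchanged: naiveGapMs({ ...run, interval: '10m' }),
    // Interval shortened to 10s while disabled: false gap appears.
    shortened: naiveGapMs({ ...run, interval: '10s' }),
    // Same run, measured from the re-enable time instead.
    enableAware: enableAwareGapMs({ ...run, interval: '10s', enabledAt: reEnabled }),
  };
}

console.log(reproduce()); // gap values in milliseconds
```

In this model the false gap only shows up when the new interval is shorter than the time the rule spent disabled, which matches the condition in the summary.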
@elasticmachine
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)
