SIEM Rules fail silently with erroneous exemption list entries [Bug] #179619
Labels
bug
Fixes for quality problems that affect the customer experience
Feature:Rule Exceptions
Security Solution Rule Exceptions feature
impact:low
Addressing this issue will have a low level of impact on the quality/strength of our product.
Team:Detection Engine
Security Solution Detection Engine Area
Team:Detections and Resp
Security Detection Response Team
Team: SecuritySolution
Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.
Describe the bug
SIEM rules do not produce alerts, warnings, or errors when erroneous exemption lists are created.
To Reproduce
In SIEM rules, rule editing UI
1.) add rule exemption
2.) name the exemption
3.) In the conditions section.
3.a) select an IP mapped field
3.b) choose the "is one of" operator
3.c) add values that do not meet the specifications of an IP address
4.) save the exception rule
Expected behavior
Once the SIEM rule has the exemption list with erroneous values (i.e. IP entries like (1.1.1., 123097808, .1.1.1))
Screenshots
Desktop (please complete the following information):
Additional context
The target index of the exclusions condition is mapped correctly as IP addresses.
Requested an FR to add additional data validations when creating exclusion list entries.
Rule Exemption Data validation [FR] elastic/kibana#179711
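The kind of pre-save check the linked feature request asks for, as an added example that is not part of the original issue and is not Kibana code. It assumes an IP-mapped field accepts IPv4, IPv6 and CIDR values; the names `checkIpEntry` and `rejectedIpEntries` are hypothetical.

```typescript
// Added example (hypothetical helper names): flag exception-list values that
// are not valid for an IP-mapped field before the exception is saved.
type EntryCheck = { value: string; valid: boolean; reason?: string };

function isIPv4(s: string): boolean {
  const parts = s.split(".");
  // Exactly four decimal octets, 0-255, no empty parts or leading zeros.
  return parts.length === 4 &&
    parts.every((p) => /^(0|[1-9]\d{0,2})$/.test(p) && Number(p) <= 255);
}

function isIPv6(s: string): boolean {
  const halves = s.split("::"); // at most one "::" compression is allowed
  if (halves.length > 2) return false;
  let groups: string[] = [];
  for (const h of halves) if (h !== "") groups = groups.concat(h.split(":"));
  let count = groups.length;
  const last = groups[groups.length - 1];
  if (last !== undefined && last.indexOf(".") !== -1) {
    if (!isIPv4(last)) return false; // embedded IPv4 tail, e.g. ::ffff:192.0.2.1
    groups = groups.slice(0, -1);
    count += 1; // the IPv4 tail occupies two 16-bit groups
  }
  if (!groups.every((g) => /^[0-9a-fA-F]{1,4}$/.test(g))) return false;
  return halves.length === 2 ? count <= 7 : count === 8;
}

function checkIpEntry(value: string): EntryCheck {
  const v = value.trim();
  const slash = v.indexOf("/");
  const addr = slash === -1 ? v : v.slice(0, slash);
  const v4 = isIPv4(addr);
  if (!v4 && !isIPv6(addr)) return { value, valid: false, reason: "not an IPv4 or IPv6 address" };
  if (slash !== -1) {
    const prefix = v.slice(slash + 1);
    if (!/^\d{1,3}$/.test(prefix) || Number(prefix) > (v4 ? 32 : 128))
      return { value, valid: false, reason: "CIDR prefix out of range" };
  }
  return { value, valid: true };
}

// Returns only the entries that should block the save and be shown to the user.
function rejectedIpEntries(values: string[]): EntryCheck[] {
  return values.map(checkIpEntry).filter((r) => !r.valid);
}

// First three values are from the report; the rest are constructed valid entries.
const SAMPLE = ["1.1.1.", "123097808", ".1.1.1", "192.0.2.10", "10.0.0.0/8", "2001:db8::1"];
console.log(rejectedIpEntries(SAMPLE));
```

Surfacing the rejected entries at save time turns the silent rule failure described above into an error the rule author sees immediately.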