
SIEM Rules fail silently with erroneous exemption list entries [Bug] #179619

Open
DanielBrown2023 opened this issue Mar 26, 2024 · 5 comments
Labels
bug Fixes for quality problems that affect the customer experience Feature:Rule Exceptions Security Solution Rule Exceptions feature impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. Team:Detection Engine Security Solution Detection Engine Area Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.

Comments

@DanielBrown2023

Describe the bug
SIEM rules do not produce alerts, warnings, or errors when erroneous exemption lists are created.

To Reproduce
In SIEM rules, rule editing UI:
1.) add a rule exemption
2.) name the exemption
3.) in the conditions section:
3.a) select an IP-mapped field
3.b) choose the "is one of" operator
3.c) add values that do not meet the specifications of an IP address
4.) save the exception rule

Expected behavior
Once the SIEM rule has the exemption list with erroneous values (e.g. IP entries like 1.1.1., 123097808, .1.1.1)

Screenshots
[screenshot]

Desktop (please complete the following information):

  • OS: Elasticsearch Service
  • Version: 8.12.0

Additional context
The fields in the target index used by the exclusion condition are correctly mapped as IP addresses.

Requested an FR to add additional data validations when creating exclusion list entries.
Rule Exemption Data validation [FR] elastic/kibana#179711

@DanielBrown2023 DanielBrown2023 added the bug Fixes for quality problems that affect the customer experience label Mar 26, 2024
@vgomez-el

vgomez-el commented Mar 28, 2024

Confirmed it is happening in versions 8.12 and 8.13 too.

[screenshot]

I will move it to the kibana public repo and assign it to the proper team. I will also mark it as impact:low, since rule execution is stopped and an error message is displayed on the rule details page because of the bad IP format:
[screenshot]
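The values quoted in the report (1.1.1., 123097808, .1.1.1) are not parseable as addresses, which is why the rule's query fails and execution halts with the error shown above. Until the UI validates entries, a pre-flight check before creating exception items through the API catches them earlier. The following is an added example, not Kibana or Elastic code: it assumes Elasticsearch `ip` field semantics (each value must be a single IPv4/IPv6 address or a CIDR block), builds an entry in the `match_any` shape used by the exception list item API for the "is one of" operator, and uses a hypothetical field name `source.ip`. The sample values are constructed for the demonstration.

```python
"""
Pre-flight validation of "is one of" exception entries for an ip-mapped field.

Added example, not Kibana or Elastic code. Assumption: Elasticsearch `ip`
semantics, i.e. a value is a bare IPv4/IPv6 address or a CIDR block.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample: the malformed values from the bug report plus valid ones.
SAMPLE_VALUES = [
    "1.1.1.",            # trailing dot, three octets
    "123097808",         # bare integer, not dotted-quad
    ".1.1.1",            # leading dot
    "10.0.0.7",          # valid IPv4
    "2001:db8::1",       # valid IPv6
    "192.168.0.0/16",    # valid CIDR (assumed acceptable for an ip field)
]


def is_valid_ip_value(value: str) -> bool:
    """Return True if `value` is an IPv4/IPv6 address or a CIDR block.

    Strings are passed to ipaddress as-is, so "123097808" is rejected
    (ipaddress only treats *integers*, not numeric strings, as packed addresses).
    """
    value = value.strip()
    if not value:
        return False
    try:
        if "/" in value:
            # strict=False tolerates host bits set in the network part;
            # tighten to strict=True if you want "10.0.0.7/24" flagged too.
            ipaddress.ip_network(value, strict=False)
        else:
            ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def partition_ip_values(values: List[str]) -> Tuple[List[str], List[str]]:
    """Split a candidate list into (valid, invalid), preserving order."""
    valid = [v for v in values if is_valid_ip_value(v)]
    invalid = [v for v in values if not is_valid_ip_value(v)]
    return valid, invalid


def build_match_any_entry(field: str, values: List[str]) -> Dict:
    """Build an exception item entry for the "is one of" operator (type match_any).

    Raises ValueError listing every malformed value so the problem surfaces
    at creation time instead of as a rule execution error later.
    """
    valid, invalid = partition_ip_values(values)
    if invalid:
        raise ValueError(f"malformed IP values for field {field!r}: {invalid}")
    if not valid:
        raise ValueError(f"no values supplied for field {field!r}")
    return {
        "field": field,
        "operator": "included",
        "type": "match_any",
        "value": valid,
    }


if __name__ == "__main__":
    good, bad = partition_ip_values(SAMPLE_VALUES)
    print("valid:  ", good)
    print("invalid:", bad)
    try:
        build_match_any_entry("source.ip", SAMPLE_VALUES)
    except ValueError as exc:
        print("rejected before API call:", exc)
    print(build_match_any_entry("source.ip", good))
```

Run the validator over the `value` lists of each entry before POSTing the exception item; anything it rejects would otherwise only surface once the rule's next execution fails.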

@vgomez-el vgomez-el transferred this issue from elastic/detection-rules Mar 28, 2024
@vgomez-el vgomez-el added Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Detection Engine Security Solution Detection Engine Area labels Mar 28, 2024
@elasticmachine

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@elasticmachine

Pinging @elastic/security-solution (Team: SecuritySolution)

@elasticmachine

Pinging @elastic/security-detection-engine (Team:Detection Engine)

@vgomez-el vgomez-el added triage_needed impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. labels Mar 28, 2024
@yctercero

Thanks for opening this @DanielBrown2023 - I've added it to a ticket we have going for some planned enhancements to value lists.

@yctercero yctercero added the Feature:Rule Exceptions Security Solution Rule Exceptions feature label May 8, 2024