[bug] View alerts in SIEM uses a different query than overview #76625

Open
SHolzhauer opened this issue Sep 3, 2020 · 1 comment
Labels
Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:SIEM triage_needed

Comments

@SHolzhauer

Kibana version:
7.9
Elasticsearch version:
7.9
Server OS version:
Linux hostname 3.10.0-1127.18.2.el7.x86_64 #1 SMP Mon Jul 20 22:32:16 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
Browser version:
Google Chrome Version 85.0.4183.83 (Official Build) (64-bit)
Browser OS version:

Original install method (e.g. download page, yum, from source, etc.):
yum
Describe the bug:
The overview page for Security displays external alerts correctly, but the host->external alerts tab does not display the alerts.
It appears as if different queries are used.

Steps to reproduce:

  1. Have external alerts
  2. Open the overview tab; you should see them displayed in the visualization
  3. Click on "View alerts"
  4. No results:

Expected behavior:
See the external alerts in the "view alerts" pane.

Screenshots (if relevant):
Provide logs and/or server output (if relevant):

Query used by overview

{
  "aggregations": {
    "alertsGroup": {
      "terms": {
        "field": "event.module",
        "missing": "All others",
        "order": {
          "_count": "desc"
        },
        "size": 10
      },
      "aggs": {
        "alerts": {
          "date_histogram": {
            "field": "@timestamp",
            "fixed_interval": "112500ms",
            "min_doc_count": 0,
            "extended_bounds": {
              "min": 1599127445720,
              "max": 1599131045720
            }
          }
        }
      }
    }
  },
  "query": {
    "bool": {
      "filter": [
        {
          "bool": {
            "must": [],
            "filter": [
              {
                "match_all": {}
              }
            ],
            "should": [],
            "must_not": []
          }
        },
        {
          "bool": {
            "filter": [
              {
                "bool": {
                  "should": [
                    {
                      "match": {
                        "event.kind": "alert"
                      }
                    }
                  ],
                  "minimum_should_match": 1
                }
              }
            ]
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": "2020-09-03T10:04:05.720Z",
              "lte": "2020-09-03T11:04:05.720Z",
              "format": "strict_date_optional_time"
            }
          }
        }
      ]
    }
  },
  "size": 0,
  "track_total_hits": true
}

Query used by host tab
This one adds the host.name filter

{
  "aggregations": {
    "alertsGroup": {
      "terms": {
        "field": "event.module",
        "missing": "All others",
        "order": {
          "_count": "desc"
        },
        "size": 10
      },
      "aggs": {
        "alerts": {
          "date_histogram": {
            "field": "@timestamp",
            "fixed_interval": "112500ms",
            "min_doc_count": 0,
            "extended_bounds": {
              "min": 1599119254818,
              "max": 1599122854818
            }
          }
        }
      }
    }
  },
  "query": {
    "bool": {
      "filter": [
        {
          "bool": {
            "must": [],
            "filter": [
              {
                "match_all": {}
              },
              {
                "bool": {
                  "filter": [
                    {
                      "bool": {
                        "should": [
                          {
                            "exists": {
                              "field": "host.name"
                            }
                          }
                        ],
                        "minimum_should_match": 1
                      }
                    }
                  ]
                }
              }
            ],
            "should": [],
            "must_not": []
          }
        },
        {
          "bool": {
            "filter": [
              {
                "bool": {
                  "should": [
                    {
                      "match": {
                        "event.kind": "alert"
                      }
                    }
                  ],
                  "minimum_should_match": 1
                }
              }
            ]
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": "2020-09-03T07:47:34.818Z",
              "lte": "2020-09-03T08:47:34.818Z",
              "format": "strict_date_optional_time"
            }
          }
        }
      ]
    }
  },
  "size": 0,
  "track_total_hits": true
}

Any additional context:
These external alerts are incidents in an external system and do not have a host.name field.
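Added illustration, not code from the issue or from Kibana: a small evaluator for the clause types the two requests use (bool, match, exists, range, match_all), run over constructed alert documents. The queries are abridged to the same leaf clauses with flatter nesting; the host.name-less "ticketing" document stands in for the external incidents described above.

```python
from datetime import datetime

def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))  # "Z" suffix -> UTC offset

def matches(clause, doc):
    """Evaluate one clause (bool/match/exists/range/match_all) against a flat document."""
    (kind, body), = clause.items()
    if kind == "match_all":
        return True
    if kind == "match":
        field, value = next(iter(body.items()))
        return doc.get(field) == value
    if kind == "exists":
        return doc.get(body["field"]) is not None
    if kind == "range":
        field, bounds = next(iter(body.items()))
        return parse_ts(bounds["gte"]) <= parse_ts(doc[field]) <= parse_ts(bounds["lte"])
    if kind == "bool":
        required = body.get("must", []) + body.get("filter", [])
        if not all(matches(c, doc) for c in required):
            return False
        if any(matches(c, doc) for c in body.get("must_not", [])):
            return False
        should = body.get("should", [])
        # ES default: a should clause is optional next to must/filter, otherwise one must match
        msm = body.get("minimum_should_match", 1 if should and not required else 0)
        return sum(matches(c, doc) for c in should) >= msm
    raise ValueError(f"unsupported clause: {kind}")

# Abridged (constructed) forms of the two queries above: same leaf clauses, flatter nesting.
WINDOW = {"range": {"@timestamp": {"gte": "2020-09-03T10:04:05.720Z", "lte": "2020-09-03T11:04:05.720Z"}}}
IS_ALERT = {"bool": {"should": [{"match": {"event.kind": "alert"}}], "minimum_should_match": 1}}
HAS_HOST = {"bool": {"should": [{"exists": {"field": "host.name"}}], "minimum_should_match": 1}}
OVERVIEW_QUERY = {"bool": {"filter": [{"match_all": {}}, IS_ALERT, WINDOW]}}
HOST_TAB_QUERY = {"bool": {"filter": [{"match_all": {}}, HAS_HOST, IS_ALERT, WINDOW]}}

# Constructed sample docs: endpoint alert, external incident without host.name, out-of-window alert, non-alert.
DOCS = [
    {"@timestamp": "2020-09-03T10:30:00Z", "event.kind": "alert", "event.module": "endpoint", "host.name": "web-01"},
    {"@timestamp": "2020-09-03T10:31:00Z", "event.kind": "alert", "event.module": "ticketing"},
    {"@timestamp": "2020-09-03T09:00:00Z", "event.kind": "alert", "event.module": "endpoint", "host.name": "web-02"},
    {"@timestamp": "2020-09-03T10:32:00Z", "event.kind": "event", "host.name": "web-01"},
]

def hits(query, docs=DOCS):
    """event.module of each matching doc, i.e. what the alertsGroup terms aggregation would bucket."""
    return [d.get("event.module", "All others") for d in docs if matches(query, d)]

def hidden_by_host_filter(docs=DOCS):
    return [d["event.module"] for d in docs if matches(OVERVIEW_QUERY, d) and not matches(HOST_TAB_QUERY, d)]
```

Running `hits` with both queries shows the overview bucketing two alerts while the host tab sees only the one carrying host.name.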

@elasticmachine

Pinging @elastic/siem (Team:SIEM)

@MindyRS MindyRS added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Oct 27, 2020