
[Security Solution][Detections] Apply wildcards in value lists to exceptions #86560

Open
andrew-goldstein opened this issue Dec 18, 2020 · 4 comments · Fixed by #136147
Labels
enhancement New value added to drive a business result Feature:Detection Rules Anything related to Security Solution's Detection Rules Feature:Rule Exceptions Security Solution Rule Exceptions feature Feature:Rule Value Lists Security Solution Detection Rule Value Lists sdh-linked Team:Detection Engine Security Solution Detection Engine Area Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Theme: alert_triage Security Solution Alert Triage Theme Theme: correlation Security Solution Advanced Correlation Theme

Comments

@andrew-goldstein (Contributor)

The detection engine does not expand wildcards (for example *.googleapis.com) in value lists when processing exceptions.

For example, a Keyword value list containing the following entry:

*.googleapis.com

when applied as an exception to a rule with the following query:

dns.question.name : *

will today, as of version 7.10, not prevent alerts from being generated for the example rule above, even if a sample event contained the following value for the dns.question.name field:

logging.googleapis.com

Kibana/Elasticsearch Stack version:

7.10

Functional Area (e.g. Endpoint management, timelines, resolver, etc.):

Detection Rules

Steps to reproduce:

  1. Upload a Keyword value list containing the following value:
*.googleapis.com

per the screenshot below:

[screenshot: keyword-value-list-with-wildcards]

  2. Create a rule with the following query:
dns.question.name : *

as shown in the screenshot below:

[screenshot: rule]

  3. Create an exception for the rule that uses the value list, per the screenshot below:

[screenshot: rule-exceptions]

Current behavior:

Alerts are still generated for events where the value of the dns.question.name field, for example:

logging.googleapis.com

would be covered by the expanded wildcard in the exception:

*.googleapis.com

as shown in the screenshot below:

[screenshot: alerts]

Expected behavior:

An alert is not generated, because the wildcard in the exception's value list expands to match the value of the field in the source document.

@andrew-goldstein andrew-goldstein added enhancement New value added to drive a business result Feature:Detection Rules Anything related to Security Solution's Detection Rules Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. labels Dec 18, 2020
@andrew-goldstein (Contributor, Author)

A user is describing a scenario where they would apply wildcards in an exception list in this discuss post.

@peluja1012 peluja1012 added the Feature:Rule Exceptions Security Solution Rule Exceptions feature label Jul 28, 2021
@peluja1012 peluja1012 added Team:Detection Alerts Security Detection Alerts Area Team Feature:Rule Value Lists Security Solution Detection Rule Value Lists sdh-linked labels Sep 15, 2021
@peluja1012 peluja1012 added Theme: alert_triage Security Solution Alert Triage Theme Theme: correlation Security Solution Advanced Correlation Theme labels Oct 26, 2021
@ayedem commented Dec 20, 2021

Any update on this? This is functionality that is desperately needed.

@rdrgporto

Hi,

This feature would be very useful 👍 😃 .

Regards

@ruant commented Apr 22, 2022

Just want to chime in my wish for this request as well.
Worth noting that I hope this also adds support for the other operators, like "IS", and not just from the value list.
E.g. "file.directory" IS "C:\Some*\Wildcard\Path"

@yctercero yctercero added Team:Detection Engine Security Solution Detection Engine Area and removed Team:Detection Alerts Security Detection Alerts Area Team labels May 13, 2023
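The following is an added example, not Kibana code and not anything from this issue's fix: it shows the difference between the literal comparison the issue reports (the value-list entry *.googleapis.com never equals logging.googleapis.com) and a wildcard-aware comparison that expands * before matching. It covers both the value-list case from the issue body and the single-value "IS" case with a Windows path that ruant asks for. The exception-entry shape, the events and the exception items are all constructed here for illustration; they are deliberately simplified and are not Kibana's exception-item schema. Note that the glob is anchored at both ends, so *.googleapis.com does not except googleapis.com.attacker.net, which an unanchored substring match would silently let through.

```typescript
// Added example (not Kibana code): glob-style wildcard matching for
// exception entries, applied to a constructed set of candidate alerts.

// Simplified, hypothetical entry shape (not Kibana's schema): either a single
// value ("is") or a value list of keywords.
type ExceptionEntry =
  | { field: string; type: 'match'; value: string }
  | { field: string; type: 'list'; values: string[] };

type SecEvent = Record<string, string | undefined>;
type Matcher = (value: string, entryValue: string) => boolean;

// Escape regex metacharacters, then turn the glob '*' into '.*'.
// Anchored at both ends so "*.googleapis.com" cannot match
// "googleapis.com.attacker.net". Only '*' is special; a literal '*' in the
// entry value is not supported here.
function globToRegExp(pattern: string): RegExp {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
  return new RegExp('^' + escaped.replace(/\*/g, '.*') + '$');
}

// The behaviour reported in the issue: the entry must equal the field value.
function literalMatch(value: string, entryValue: string): boolean {
  return value === entryValue;
}

// The expected behaviour: entries containing '*' are expanded as globs;
// entries without '*' still compare literally (keyword fields are case-sensitive).
function wildcardMatch(value: string, entryValue: string): boolean {
  return entryValue.includes('*') ? globToRegExp(entryValue).test(value) : value === entryValue;
}

// Does one entry match the event? A missing field never matches.
function entryMatches(event: SecEvent, entry: ExceptionEntry, match: Matcher): boolean {
  const value = event[entry.field];
  if (value === undefined) return false;
  const candidates = entry.type === 'list' ? entry.values : [entry.value];
  return candidates.some((c) => match(value, c));
}

// An exception item is a conjunction of entries; the event is excepted
// if any item matches in full.
function isExcepted(event: SecEvent, items: ExceptionEntry[][], match: Matcher): boolean {
  return items.some((item) => item.every((entry) => entryMatches(event, entry, match)));
}

// Events the rule matched that survive the exceptions and would become alerts.
function remainingAlerts(events: SecEvent[], items: ExceptionEntry[][], match: Matcher): SecEvent[] {
  return events.filter((e) => !isExcepted(e, items, match));
}

// Constructed sample data (not real events). With the rule query
// "dns.question.name : *" every DNS event below is a candidate alert.
const candidateAlerts: SecEvent[] = [
  { 'dns.question.name': 'logging.googleapis.com' },      // covered by *.googleapis.com
  { 'dns.question.name': 'googleapis.com.attacker.net' }, // must NOT be excepted
  { 'dns.question.name': 'c2.example.net' },              // unrelated, still alerts
  { 'file.directory': 'C:\\Something\\Wildcard\\Path' },  // covered by the "is" glob
];

const exceptionItems: ExceptionEntry[][] = [
  [{ field: 'dns.question.name', type: 'list', values: ['*.googleapis.com'] }],
  [{ field: 'file.directory', type: 'match', value: 'C:\\Some*\\Wildcard\\Path' }],
];

// Names of the events that would still alert under a given matcher.
function alertNames(match: Matcher): string[] {
  return remainingAlerts(candidateAlerts, exceptionItems, match)
    .map((e) => e['dns.question.name'] ?? e['file.directory'] ?? '');
}

console.log('literal :', alertNames(literalMatch));   // all four still alert
console.log('wildcard:', alertNames(wildcardMatch));  // only the two uncovered ones
```

The anchoring in globToRegExp is the security-relevant detail: an exception is an allowlist, so a wildcard that matches too loosely (for example by substring) would suppress alerts for attacker-controlled names that merely contain a trusted domain.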
6 participants