
[Security Solution][Detections] Indicator match rule mappings are not validated during creation #93589

Open
MadameSheema opened this issue Mar 4, 2021 · 3 comments
Labels
bug Fixes for quality problems that affect the customer experience documentation Feature:Indicator Match Rule Security Solution Indicator Match Rule feature Feature:Rule Creation Security Solution Detection Rule Creation impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. Team:Detection Engine Security Solution Detection Engine Area Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.

Comments

@MadameSheema
Member

Describe the bug:

  • In the threatintel module, the domain indicator is mapped as keyword. However, some of the values represented are IPs. If you want to match your ingested data that contains IPs with the domain indicator, the execution of the rule will fail.

Kibana/Elasticsearch Stack version:

  • 7.12.0

Preconditions:

  • To have the threatintel module activated
  • To have ingested in a doc an IP that matches one of the listed indicator domains:
    • Mapping
      {
        "properties": {
          "@timestamp": {
            "type": "date"
          },
          "destination": {
            "properties": {
              "ip": {
                "type": "ip"
              }
            }
          }
        }
      }
    • Data
      {
        "@timestamp": "2021-02-22T21:00:49.337Z",
        "destination": {
          "ip": "117.242.211.13"
        }
      }

Steps to reproduce:

  1. Create an indicator match rule with the following details:
  • Index patterns: the name of the index where you created the example doc
  • Custom query: *:*
  • Indicator index patterns: file*
  • Indicator mapping: destination.ip MATCHES threatintel.indicator.domain
  • Indicator index query: *:*
  • Runs every: 10s
  • Additional look-back time: 300000h
  2. Wait for the rule to be executed

Current behavior:

(Screenshot 2021-03-04 at 13:48:45; image not included)

Expected behavior:

  • No error is displayed
  • Alerts are generated
@MadameSheema MadameSheema added bug Fixes for quality problems that affect the customer experience Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. labels Mar 4, 2021
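The failure the report describes is a type mismatch between the two sides of an indicator mapping entry: the source field destination.ip is an Elasticsearch `ip` field, while threatintel.indicator.domain is a `keyword` field whose values include both hostnames and bare IPs, so the query the rule builds from the indicator documents fails at execution time rather than at creation. The following is an added example, not Kibana's or Elastic's code, of the kind of pre-creation check the issue title asks for. It reuses the issue's source mapping and sample IP; the indicator index mapping, the sample indicator documents, the set of string-typed fields that tolerate any value, and the decision to model only `ip` strictly are all assumptions made for the example.

```python
"""Added example (not Kibana's own code): a pre-creation compatibility check
for indicator match rule entries, modelled on the mappings in the issue."""
import ipaddress
from typing import Any, Optional

# Constructed mapping for the source index, copied from the issue's example.
SOURCE_MAPPING = {
    "properties": {
        "@timestamp": {"type": "date"},
        "destination": {"properties": {"ip": {"type": "ip"}}},
    }
}

# Assumed shape of the threatintel indicator index: `domain` is keyword
# (as the issue states) and `ip` is an ip field. Constructed, not fetched.
INDICATOR_MAPPING = {
    "properties": {
        "threatintel": {"properties": {"indicator": {"properties": {
            "domain": {"type": "keyword"},
            "ip": {"type": "ip"},
        }}}}
    }
}

# Constructed indicator documents: the domain field mixes a bare IP with a
# hostname, which is the situation the issue reports.
INDICATOR_DOCS = [
    {"threatintel": {"indicator": {"domain": "117.242.211.13"}}},
    {"threatintel": {"indicator": {"domain": "malicious.example"}}},
]

# Assumption: source field types that accept any string in a term query.
STRING_TYPES = {"keyword", "text", "wildcard"}


def field_type(mapping: dict, path: str) -> Optional[str]:
    """Walk a dotted path through nested `properties` and return the leaf type."""
    node = mapping
    for part in path.split("."):
        props = node.get("properties", {})
        if part not in props:
            return None
        node = props[part]
    return node.get("type")


def get_value(doc: dict, path: str) -> Any:
    """Fetch a dotted path from a document, or None if any segment is missing."""
    node: Any = doc
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def value_fits(es_type: str, value: Any) -> bool:
    """Would a term query against a field of es_type accept `value`?
    Only `ip` is modelled strictly here; other types are assumed permissive."""
    if es_type == "ip":
        try:
            ipaddress.ip_address(str(value))
            return True
        except ValueError:
            return False
    return True


def types_compatible(source_type: str, indicator_type: str) -> bool:
    """Same type is fine; string-typed source fields tolerate any indicator type."""
    return source_type == indicator_type or source_type in STRING_TYPES


def validate_rule(entries, source_mapping, indicator_mapping, indicator_docs):
    """Return human-readable problems for the given (source, indicator) field pairs.
    An empty list means the entries pass these checks."""
    issues = []
    for source_field, indicator_field in entries:
        s_type = field_type(source_mapping, source_field)
        i_type = field_type(indicator_mapping, indicator_field)
        if s_type is None:
            issues.append(f"{source_field}: not present in source index mapping")
            continue
        if i_type is None:
            issues.append(f"{indicator_field}: not present in indicator index mapping")
            continue
        if not types_compatible(s_type, i_type):
            issues.append(f"{source_field} is `{s_type}` but {indicator_field} is `{i_type}`; "
                          "the generated query will fail on values that do not parse")
        # Report the concrete indicator values that would break the generated query.
        for doc in indicator_docs:
            value = get_value(doc, indicator_field)
            if value is not None and not value_fits(s_type, value):
                issues.append(f"{indicator_field} value {value!r} is not a valid {s_type}")
    return issues


if __name__ == "__main__":
    for problem in validate_rule([("destination.ip", "threatintel.indicator.domain")],
                                 SOURCE_MAPPING, INDICATOR_MAPPING, INDICATOR_DOCS):
        print("PROBLEM:", problem)
```

Run against the issue's entry (destination.ip MATCHES threatintel.indicator.domain) the check reports both the type mismatch and the specific hostname value that an `ip` field cannot be queried with, while destination.ip MATCHES threatintel.indicator.ip passes. Running this at rule creation time, against the live mappings, is what would turn the runtime error in the screenshot into a validation message the rule author sees before saving.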
@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@elasticmachine
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@MadameSheema
Member Author

Found during 7.12.0 BC3 testing: #93589

@rylnd rylnd changed the title [Security Solution][Detections] Threat Indicator rule matches can be confusing [Security Solution][Detections] Indicator match rule mappings are not validated during creation Mar 5, 2021
@MadameSheema MadameSheema added impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. and removed triage_needed labels Mar 17, 2021
@peluja1012 peluja1012 added Team: CTI Feature:Indicator Match Rule Security Solution Indicator Match Rule feature labels Mar 18, 2022
@peluja1012 peluja1012 added Team:Security Solution Platform Security Solution Platform Team and removed Team: CTI labels Aug 3, 2022
@yctercero yctercero added Team:Detection Engine Security Solution Detection Engine Area and removed Team:Security Solution Platform Security Solution Platform Team labels May 14, 2023
@yctercero yctercero added the Feature:Rule Creation Security Solution Detection Rule Creation label Jun 5, 2024
4 participants