[Security Solution] No arguments displayed for Memory Alert under rendered view #109794

Closed
muskangulati-qasource opened this issue Aug 24, 2021 · 11 comments
Assignees
Labels
enhancement New value added to drive a business result QA:Validated Issue has been validated by QA Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Threat Hunting:Investigations Security Solution Investigations Team Team:Threat Hunting Security Solution Threat Hunting Team

Comments

@muskangulati-qasource

Description:
No arguments displayed for Memory Alert under rendered view

Build Details:

VERSION: 7.15.0 BC1
BUILD: 43636
COMMIT: d791226d9385122f33f4a5ca38fa5369012fbec3
ARTIFACT: https://staging.elastic.co/7.15.0-d9929120/summary-7.15.0.html

Browser Details:
All

Preconditions:

  1. Kibana user should be logged in.
  2. Memory Alerts should be triggered

Steps to Reproduce:

  1. Navigate to the Alerts tab.
  2. Select the rendered view option
  3. Observe the arguments that do not show up for the Memory Alert

Impacted Test case:
N/A

Actual Result:
No arguments displayed for Memory Alert under rendered view

Expected Result:
Expected arguments should be displayed for Memory Alert under rendered view

What's working:
N/A

What's not working:
N/A

Screenshot: RenderViewForMemoryAlert (image not included in this export)

Logs:
N/A

@muskangulati-qasource muskangulati-qasource added bug Fixes for quality problems that affect the customer experience impact:high Addressing this issue will have a high level of impact on the quality/strength of our product. Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Defend Workflows “EDR Workflows” sub-team of Security Solution v7.15.0 labels Aug 24, 2021
@elasticmachine
Contributor

Pinging @elastic/security-onboarding-and-lifecycle-mgt (Team:Onboarding and Lifecycle Mgt)

@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@muskangulati-qasource
Author

@manishgupta-qasource please review!!

@manishgupta-qasource

manishgupta-qasource commented Aug 24, 2021

Reviewed & assigned to @paul-tavares

CC: @kevinlog

@paul-tavares
Contributor

Probably should be assigned to someone on the Detections and Response team 😃

@MadameSheema MadameSheema added the Team:Detections and Resp Security Detection Response Team label Aug 25, 2021
@elasticmachine
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@MadameSheema MadameSheema removed their assignment Aug 25, 2021
@peluja1012 peluja1012 added Team:Threat Hunting Security Solution Threat Hunting Team Team:Threat Hunting:Investigations Security Solution Investigations Team and removed Team:Detections and Resp Security Detection Response Team Team:Defend Workflows “EDR Workflows” sub-team of Security Solution labels Mar 21, 2022
@elasticmachine
Contributor

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

@andrew-goldstein
Contributor

@muskangulati-qasource would you be willing to attach the JSON from some sample events?

@muskangulati-qasource
Author

Hi @andrew-goldstein,

Please find below the JSON files for the memory alerts:

Please let us know if anything else is required from our end.

Thanks!!

@andrew-goldstein
Contributor

Thanks for providing the sample alerts @muskangulati-qasource!

@paulewing , @michaelolo24 I'm going to re-tag this issue as an enhancement, because the sample alerts have field values that don't match the existing criteria for displaying Endpoint row renderers, as documented in the two PRs below:

Next steps

  • @paulewing these new detections look like they would work with the existing process row-renderers as-is. Would you be willing to confirm that based on the sample data in this issue? For example, the Malware Process Execution Detected alert below might be a good candidate for re-use:

Malware Process Execution Detected alert

Malware Process Execution Detected alerts with the following event.dataset, event.type, event.category, and event.action will be rendered in Timeline via row renderers:

event.dataset: endpoint.alerts and event.type: allowed and event.category: process and event.action: execution

Sample Malware Process Execution Detected alert

malware_process_execution_detected

DESKTOP-1 was detected executing a malicious process mimikatz_write.exe (8668) c:\temp\mimikatz_write.exe via parent process python.exe (4400) with result success

263f09eeee80e03aa27a2d19530e2451978e18bf733c5f1c64ff2389c5dc17b0

Fields in a Sample Malware Process Execution Detected alert

host.name was detected executing a malicious process process.name (process.pid) process.args via parent process process.parent.name (process.parent.pid) with result event.outcome

process.hash.sha256

  • If @paulewing confirms (for example) the above renderer can be re-used, it's a simple update to the code such that these new alerts are displayed when the event.dataset, event.type, event.category, and / or event.action criteria matches.
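As an added illustration (not Kibana's code) of the matching described in the comment above: a row renderer becomes eligible only when all four event.* criteria match exactly, after which the quoted template is filled from the alert's fields. The malware sample reuses the values quoted in the issue; the memory alert's event.category and event.action are hypothetical placeholders, since the real values are not on the page.

```typescript
// Added illustration, not Kibana's code: row-renderer criteria plus description template.
type FlatEvent = Record<string, string | undefined>;

// Criteria quoted in the issue for the Malware Process Execution Detected renderer.
export const MALWARE_PROCESS_EXECUTION_CRITERIA: FlatEvent = {
  'event.dataset': 'endpoint.alerts',
  'event.type': 'allowed',
  'event.category': 'process',
  'event.action': 'execution',
};

// A renderer is eligible only when every criterion field matches exactly.
export function matchesCriteria(event: FlatEvent, criteria: FlatEvent): boolean {
  return Object.entries(criteria).every(([field, value]) => event[field] === value);
}

// The template quoted in the issue; null means "no rendered row", i.e. the plain view.
export function renderMalwareProcessExecution(event: FlatEvent): string | null {
  if (!matchesCriteria(event, MALWARE_PROCESS_EXECUTION_CRITERIA)) return null;
  const f = (field: string): string => event[field] ?? '(unknown)';
  return (
    `${f('host.name')} was detected executing a malicious process ${f('process.name')} ` +
    `(${f('process.pid')}) ${f('process.args')} via parent process ` +
    `${f('process.parent.name')} (${f('process.parent.pid')}) with result ${f('event.outcome')}`
  );
}

// Constructed sample, built only from the field values quoted in the issue.
export const SAMPLE_MALWARE_ALERT: FlatEvent = {
  ...MALWARE_PROCESS_EXECUTION_CRITERIA,
  'host.name': 'DESKTOP-1',
  'process.name': 'mimikatz_write.exe',
  'process.pid': '8668',
  'process.args': 'c:\\temp\\mimikatz_write.exe',
  'process.parent.name': 'python.exe',
  'process.parent.pid': '4400',
  'event.outcome': 'success',
};

// Constructed placeholder for a memory alert: the real field values are not on the
// page, so event.category / event.action are hypothetical. It shares dataset and
// type with the malware sample but fails the other two criteria, so nothing renders.
export const SAMPLE_MEMORY_ALERT: FlatEvent = {
  'event.dataset': 'endpoint.alerts',
  'event.type': 'allowed',
  'event.category': 'hypothetical-category',
  'event.action': 'hypothetical-memory-action',
};
```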

@andrew-goldstein andrew-goldstein added enhancement New value added to drive a business result and removed bug Fixes for quality problems that affect the customer experience labels Apr 13, 2022
@michaelolo24 michaelolo24 removed the impact:high Addressing this issue will have a high level of impact on the quality/strength of our product. label Apr 14, 2022
@muskangulati-qasource
Author

Hi @andrew-goldstein,

We have validated this issue on 8.14.0-BC1 and found that the issue is now fixed 🟢

Please find below the testing details:

Build details:

VERSION: 8.14.0
BUILD: 73520
COMMIT: c1513cd7e5a00eab209ba02d30cafd6945d75470

Screenshot: two images (not included in this export)

Hence, closing this issue and marking it as "Validated".

Thanks!

@muskangulati-qasource muskangulati-qasource added the QA:Validated Issue has been validated by QA label Apr 22, 2024