
[Security Solution] Severity/Risk override does not work with arrays #82384

Closed
FrankHassanabad opened this issue Nov 2, 2020 · 1 comment
Closed
Assignees
Labels
bug Fixes for quality problems that affect the customer experience Feature:Detection Rules Anything related to Security Solution's Detection Rules fixed impact:high Addressing this issue will have a high level of impact on the quality/strength of our product. Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v7.11.0 v8.0.0

Comments

@FrankHassanabad
Contributor

FrankHassanabad commented Nov 2, 2020

Describe the bug:

When the source index you are trying to create detections from has its severity or risk override contained in an array, the overrides will not be correctly detected and the fallbacks of the non-overrides will end up taking effect.

Steps to reproduce:

  1. Add a lightweight mapping and two record sets for this from dev tools:
# Mappings
PUT delme-test-overrides
{
  "mappings": {
    "dynamic": "strict",
    "properties": {
      "@timestamp": {
        "type": "date"
      },
      "severity_override": {
        "type": "keyword"
      },
      "risk_override": {
        "type": "integer"
      }
    }
  }
}
# Single values are going to work
PUT delme-test-overrides/_doc/1
{
 "@timestamp": "2020-11-02T22:24:49.337Z",
 "severity_override": "test_value_1",
 "risk_override": 1
}

# Multiple values in an array will not trigger the overrides
PUT delme-test-overrides/_doc/2
{
 "@timestamp": "2020-11-02T22:24:49.337Z",
 "severity_override": ["test_value_2", "test_value_3"],
 "risk_override": [1]
}
  2. Create a rule that has a very large look back time like so below where it should detect both records and change both of their scores:

[Screenshot: Screen Shot 2020-11-02 at 3 33 30 PM]

  3. After running it, look at detections, put timeline in full screen mode, adjust your columns like I have below and you should see this:

[Screenshot: Screen Shot 2020-11-02 at 3 38 41 PM]

Both those records should have overrides, but only one does, which is the bug. What gets a bit complicated is my second example where I put two override values together in an array. The higher severity version should be chosen and tested for. Also, users sometimes can put duplicates in the array that we should test for and work with.

Current behavior:
Does not do the overrides

Expected behavior:
Should do the overrides

Kibana/Elasticsearch Stack version:
7.9.0

Server OS version:
any

Browser and Browser OS versions:
any

Elastic Endpoint version:
any

Original install method (e.g. download page, yum, from source, etc.):
dev box locally

Functional Area (e.g. Endpoint management, timelines, resolver, etc.):
detection engine

@FrankHassanabad FrankHassanabad added bug Fixes for quality problems that affect the customer experience Feature:Detection Rules Anything related to Security Solution's Detection Rules Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. impact:high Addressing this issue will have a high level of impact on the quality/strength of our product. labels Nov 2, 2020
@FrankHassanabad FrankHassanabad changed the title [Security Solution] Severity/Risk override does not work when there are arrays [Security Solution] Severity/Risk override does not work with arrays Nov 2, 2020
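The resolution logic the report asks for (honour array-valued override fields, pick the highest mapped severity, tolerate duplicates, fall back to the rule default otherwise), as an added illustration in TypeScript that is not Kibana's own code. The mapping shapes, the `resolveSeverity`/`resolveRiskScore` names and the choice of the maximum numeric value for an array-valued risk field are assumptions made for this example; the sample documents mirror the two records from the steps above.

```typescript
// Added example, not the Kibana detection engine's implementation.
type Severity = 'low' | 'medium' | 'high' | 'critical';
const SEVERITY_RANK: Record<Severity, number> = { low: 0, medium: 1, high: 2, critical: 3 };

// Assumed, simplified shapes of a rule's override mappings.
interface SeverityMapping { field: string; value: string; severity: Severity }
interface RiskMapping { field: string }
type Source = Record<string, unknown>;

// Normalise a source field to an array so scalars and arrays are handled alike.
function fieldValues(source: Source, field: string): unknown[] {
  const raw = source[field];
  if (raw === undefined || raw === null) return [];
  return Array.isArray(raw) ? raw : [raw];
}

// Every value in the field is checked against every mapping; the highest mapped
// severity wins. Values are deduplicated with a Set so repeats cannot matter.
function resolveSeverity(source: Source, mappings: SeverityMapping[], fallback: Severity): Severity {
  let best: Severity = fallback;
  let matched = false;
  for (const m of mappings) {
    const values = new Set(fieldValues(source, m.field).map(String));
    if (values.has(m.value) && (!matched || SEVERITY_RANK[m.severity] > SEVERITY_RANK[best])) {
      best = m.severity;
      matched = true;
    }
  }
  return best;
}

// Risk override: assumption for this example is that an array yields its largest
// finite number; non-numeric entries are ignored and the result is clamped to the
// detection engine's 0-100 risk score range. Falls back to the rule default.
function resolveRiskScore(source: Source, mapping: RiskMapping | undefined, fallback: number): number {
  if (!mapping) return fallback;
  const nums = fieldValues(source, mapping.field).filter((v): v is number => typeof v === 'number' && Number.isFinite(v));
  if (nums.length === 0) return fallback;
  return Math.min(100, Math.max(0, Math.max(...nums)));
}

// Constructed sample documents modelled on the issue's two records (doc2 also carries a duplicate).
const doc1: Source = { severity_override: 'test_value_1', risk_override: 1 };
const doc2: Source = { severity_override: ['test_value_2', 'test_value_3', 'test_value_3'], risk_override: [1] };
const severityMappings: SeverityMapping[] = [
  { field: 'severity_override', value: 'test_value_1', severity: 'medium' },
  { field: 'severity_override', value: 'test_value_2', severity: 'high' },
  { field: 'severity_override', value: 'test_value_3', severity: 'critical' },
];
```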
@banderror
Contributor

PRs:

-> 8.0.0 #83723
-> 7.11.0 #84643
