[Security Solution] Severity/Risk override does not work with arrays #82384
Labels:
bug: Fixes for quality problems that affect the customer experience
Feature:Detection Rules: Anything related to Security Solution's Detection Rules
fixed
impact:high: Addressing this issue will have a high level of impact on the quality/strength of our product.
Team:Detections and Resp: Security Detection Response Team
Team: SecuritySolution: Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.
v7.11.0
v8.0.0
Describe the bug:
When the source index you are creating detections from stores its severity or risk override value in an array, the override is not detected and the non-override fallback values take effect instead.
Steps to reproduce:
Both of those records should have overrides, but only one does, which is the bug. What gets a bit complicated is my second example, where I put two override values together in an array. The higher severity version should be chosen and tested for. Also, users can sometimes put duplicates in the array, which we should test for and handle.
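The resolution behaviour the issue asks for, written here as an added example rather than Kibana's own detection-engine code: every element of an array-valued field is checked against the override mappings, the highest matching severity (or the highest numeric risk score, an assumption that mirrors "higher wins") is chosen, duplicates are collapsed, and only a complete miss falls back to the rule default. The mapping shapes and the constructed sample documents are hypothetical.

```typescript
type Severity = 'low' | 'medium' | 'high' | 'critical';
const SEVERITY_RANK: Record<Severity, number> = { low: 0, medium: 1, high: 2, critical: 3 };

// Hypothetical mapping shapes, modelled loosely on a rule's severity/risk-score overrides.
interface SeverityMapping { field: string; value: string; severity: Severity; }
interface RiskScoreMapping { field: string; }

// Read a dotted field path and normalise the result to a de-duplicated array, so a
// scalar, an array, and an array containing repeated values are all handled alike.
function getFieldValues(doc: Record<string, unknown>, path: string): unknown[] {
  let cur: unknown = doc;
  for (const key of path.split('.')) {
    if (cur === null || typeof cur !== 'object') return [];
    cur = (cur as Record<string, unknown>)[key];
  }
  if (cur === undefined || cur === null) return [];
  const list: unknown[] = Array.isArray(cur) ? (cur as unknown[]) : [cur];
  return list.filter((v, i) => list.indexOf(v) === i);
}

// Every array element is tested against every mapping; when several elements match,
// the highest-ranked severity wins. No match at all returns the rule's default severity.
function resolveSeverity(doc: Record<string, unknown>, mappings: SeverityMapping[], fallback: Severity): Severity {
  let best: Severity | undefined;
  for (const m of mappings) {
    for (const v of getFieldValues(doc, m.field)) {
      if (String(v) === m.value && (best === undefined || SEVERITY_RANK[m.severity] > SEVERITY_RANK[best])) {
        best = m.severity;
      }
    }
  }
  return best !== undefined ? best : fallback;
}

// Risk score override: take the highest numeric value in the field (assumption: "higher
// wins", as for severity), ignoring entries that are not numbers in the 0-100 range.
function resolveRiskScore(doc: Record<string, unknown>, mapping: RiskScoreMapping | undefined, fallback: number): number {
  if (!mapping) return fallback;
  const nums = getFieldValues(doc, mapping.field)
    .map((v) => Number(v))
    .filter((n) => isFinite(n) && n >= 0 && n <= 100);
  return nums.length > 0 ? Math.max(...nums) : fallback;
}

// Constructed sample data: one document with scalar overrides, one whose overrides are
// arrays holding two distinct values plus a duplicate, as described in the report.
const SAMPLE_MAPPINGS: SeverityMapping[] = [
  { field: 'event.severity_override', value: 'medium', severity: 'medium' },
  { field: 'event.severity_override', value: 'high', severity: 'high' },
];
const DOC_SCALAR = { event: { severity_override: 'medium', risk_override: 47 } };
const DOC_ARRAY = { event: { severity_override: ['medium', 'high', 'high'], risk_override: [47, 73, 73] } };
```

With these inputs the scalar document resolves to `medium`/47 and the array document to `high`/73, while a document without the field keeps the rule defaults.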
Current behavior:
Does not do the overrides
Expected behavior:
Should do the overrides
Kibana/Elasticsearch Stack version:
7.9.0
Server OS version:
any
Browser and Browser OS versions:
any
Elastic Endpoint version:
any
Original install method (e.g. download page, yum, from source, etc.):
dev box locally
Functional Area (e.g. Endpoint management, timelines, resolver, etc.):
detection engine