
[Security Solution][Detections] Rule fails when timestamp override field is not mapped #91594

Closed
spong opened this issue Feb 17, 2021 · 2 comments · Fixed by #91597
Labels
bug Fixes for quality problems that affect the customer experience Feature:Detection Rules Anything related to Security Solution's Detection Rules Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.

Comments

@spong (Member) commented Feb 17, 2021

In 7.11 support was added (#86368) for querying multiple timestamps and falling back to @timestamp if the timestampOverride field did not exist in the source index. If this fallback occurred, the rule would write a partial failure informing the user of the missing field, but still write any alerts from the fallback query using @timestamp. In testing #91553, a permutation was found that resulted in a full rule failure instead of a partial, and would prevent alerts from being written for the fallback query using @timestamp.

This can be recreated using any of the Elastic Endgame detection rules as the endgame-* index does not include a mapping for event.ingested, and the resulting ES error from this request is in a different format than what is currently expected.

  1. Modify an Elastic Endgame rule to use event.ingested as the timestamp override field, and enable the rule. Note: since this field doesn't exist and there is client side validation, you must duplicate, then export the rule, modify the ndjson, and re-import. Or just use this rule here... 🙂

event_ingested_failure_rule.ndjson.zip

  2. Once enabled, you should see the rule fail with the below error:

```json
{
  "error": {
    "root_cause": [
      {
        "type": "query_shard_exception",
        "reason": "No mapping found for [event.ingested] in order to sort on",
        "index_uuid": "vU38GWfHQZGG3nbn1xQk3w",
        "index": "endgame-00001"
      }
    ],
    "type": "search_phase_execution_exception",
    "reason": "all shards failed",
    "phase": "query",
    "grouped": true,
    "failed_shards": [
      {
        "shard": 0,
        "index": "endgame-00001",
        "node": "UmFIfD_iQfepBl6sUyEk2g",
        "reason": {
          "type": "query_shard_exception",
          "reason": "No mapping found for [event.ingested] in order to sort on",
          "index_uuid": "vU38GWfHQZGG3nbn1xQk3w",
          "index": "endgame-00001"
        }
      }
    ]
  },
  "status": 400
}
```

This is the result of a different ES error response format, and the following line:

```ts
: timestampFieldCapsResponse.body.fields[timestampField].unmapped.indices
```

Kibana version: 7.11.x

@spong spong added bug Fixes for quality problems that affect the customer experience Feature:Detection Rules Anything related to Security Solution's Detection Rules Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. labels Feb 17, 2021
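The failure described above comes from the rule executor not recognising the `query_shard_exception` response shape as "timestamp override field is unmapped". The following is an added example, not Kibana's own code: a small classifier that walks `root_cause` and `failed_shards` of an Elasticsearch error body, collects the fields ES reports as unmapped for sorting, and tells the caller whether to fall back to `@timestamp` (partial failure) or surface a full failure. The `EsErrorBody` types and the sample error are assumptions modelled on the response quoted in the issue.

```typescript
// Added example (not Kibana code): classify an ES search error so a rule run can
// fall back to @timestamp when the timestamp override field has no mapping in
// some index, instead of failing the whole rule. Shapes are assumed from the
// query_shard_exception response quoted in this issue.
interface EsShardError { type: string; reason: string; index?: string; index_uuid?: string; }
interface EsErrorBody {
  error: {
    type: string;
    reason: string;
    root_cause?: EsShardError[];
    failed_shards?: Array<{ shard: number; index: string; node: string; reason: EsShardError }>;
  };
  status: number;
}

// Reason string ES emits when a sort targets a field with no mapping.
const UNMAPPED_SORT_RE = /^No mapping found for \[([^\]]+)\] in order to sort on$/;

// Map of unmapped sort field -> indices that lack the mapping. An empty map means
// the error is something else and must still be treated as a full failure.
function findUnmappedSortFields(body: EsErrorBody): Map<string, Set<string>> {
  const result = new Map<string, Set<string>>();
  const causes: EsShardError[] = [
    ...(body.error.root_cause ?? []),
    ...(body.error.failed_shards ?? []).map((s) => s.reason),
  ];
  for (const cause of causes) {
    if (cause.type !== 'query_shard_exception') continue;
    const m = UNMAPPED_SORT_RE.exec(cause.reason);
    const field = m?.[1];
    if (!field) continue;
    const indices = result.get(field) ?? new Set<string>();
    if (cause.index) indices.add(cause.index);
    result.set(field, indices);
  }
  return result;
}

// 'fallback': retry with @timestamp and record a partial failure; 'fail': full failure.
function classifyTimestampError(body: EsErrorBody, timestampOverride: string): 'fallback' | 'fail' {
  return findUnmappedSortFields(body).has(timestampOverride) ? 'fallback' : 'fail';
}

// Constructed sample modelled on the error quoted in the issue (node id is made up).
const SAMPLE_ERROR: EsErrorBody = {
  error: {
    type: 'search_phase_execution_exception', reason: 'all shards failed',
    root_cause: [{ type: 'query_shard_exception', reason: 'No mapping found for [event.ingested] in order to sort on', index: 'endgame-00001' }],
    failed_shards: [{ shard: 0, index: 'endgame-00001', node: 'node-1', reason: { type: 'query_shard_exception', reason: 'No mapping found for [event.ingested] in order to sort on', index: 'endgame-00001' } }],
  },
  status: 400,
};
```

The executor would call `classifyTimestampError(err.body, rule.timestampOverride)` in its catch path and only rethrow on `'fail'`.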
@elasticmachine (Contributor) commented:

Pinging @elastic/security-solution (Team: SecuritySolution)

@elasticmachine (Contributor) commented:

Pinging @elastic/security-detections-response (Team:Detections and Resp)
