
[Security Solutions][Detection Engine] Critical bug where value lists were not operational #80368

Merged
merged 5 commits into from
Oct 14, 2020

Conversation


@FrankHassanabad FrankHassanabad commented Oct 13, 2020

Summary

Fixes bugs to allow users to use value based lists manually. This isn't a first class citizen of the UI at the moment but you can manually add them to the existing UI as long as it's a single index and does not mix ECS threat lists with item lists.

An example is to upload a list from the file `hosts.txt` with a type of `keyword`:

Screen Shot 2020-10-13 at 9 50 58 AM

Then add it as a threat mapping using:

  • Index of `.items-${space_id}` such as `.items-default`
  • Use the mapping field of `keyword`
  • Use the query of `list_id: ${file_name}` such as `list_id : "hosts.txt"`

Screen Shot 2020-10-13 at 9 50 58 AM

Screen Shot 2020-10-13 at 11 08 40 AM

Checklist

Delete any items that are not applicable to this PR.

@FrankHassanabad FrankHassanabad changed the title Make value lists work [Security Solutions][Detection Engine] Critical bug where value lists were not working Oct 13, 2020
@FrankHassanabad FrankHassanabad self-assigned this Oct 13, 2020
@FrankHassanabad FrankHassanabad added release_note:skip Skip the PR/issue when compiling release notes v8.0.0 v7.11.0 v7.10.0 bug Fixes for quality problems that affect the customer experience Feature:Detection Rules Security Solution rules and Detection Engine Team:Detections and Resp Security Detection Response Team labels Oct 13, 2020
@FrankHassanabad FrankHassanabad changed the title [Security Solutions][Detection Engine] Critical bug where value lists were not working [Security Solutions][Detection Engine] Critical bug where value lists were not operational Oct 13, 2020
@FrankHassanabad FrankHassanabad marked this pull request as ready for review October 13, 2020 17:18
@FrankHassanabad FrankHassanabad requested review from a team as code owners October 13, 2020 17:18
@elasticmachine

Pinging @elastic/siem (Team:SIEM)

@kibanamachine

💚 Build Succeeded

Metrics [docs]

✅ unchanged



@rylnd rylnd left a comment


I had one question about documentation, but this looks great! I created a rule as described on master, and saw the mapping error:

Detections_-_Kibana

I then checked out this branch and the rule's next run succeeded 👍

```ts
}: GetSortWithTieBreakerOptions): SortWithTieBreaker[] => {
  const ascOrDesc = sortOrder ?? 'asc';
  if (sortField != null) {
    return [{ [sortField]: ascOrDesc, '@timestamp': 'asc' }];
```

```ts
if (index.length === 1 && index[0] === listItemIndex) {
```

I initially created a rule against a threat index like .items-*, which does not satisfy this condition and thus still suffers from this issue. This is mentioned in the description as "single index" but I wanted to call it out again since it's easy to miss.

@FrankHassanabad do we want to add a note about this in the threat match rule documentation, or is too much of a "power user" scenario?


@FrankHassanabad FrankHassanabad Oct 14, 2020


I think it's a bit of a "power user" scenario and a bit of a trick. We can support it nicely in the UI because we can query for the index list item name and populate it like it is here, and then disallow additional indexes: if you choose to use a plain list, that's all you can choose, since value based lists aren't ECS standard.

For API users, they will have to know their space names ahead of time and kind of fill in the API, so we might want to update at least the API docs before release time to show an example of how to do it, or we might need to add a better API for when they have a mapping and want to refer to a value based list.
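The recipe from the PR description (threat index `.items-${space_id}`, mapping field `keyword`, query `list_id : "hosts.txt"`) together with the single-index condition `index.length === 1 && index[0] === listItemIndex` quoted in the review, as an added TypeScript example. This is not Kibana's own code: the helper names are hypothetical, the `.items-<space_id>` naming is taken from the PR, and the assumption that list types other than `keyword` store their value in a field named after the type is mine.

```typescript
// Added example, not Kibana's code. Builds the threat-match configuration for a
// manually uploaded value list and checks it the way the PR's single-index
// condition does, so that misconfigurations (wildcards, mixed ECS indices) are
// reported instead of silently falling back to the non-list path.

// Per-space index holding value-list items; ".items-default" for the default space
// (naming pattern from the PR description).
const valueListItemIndex = (spaceId: string): string => `.items-${spaceId}`;

interface ThreatMappingEntry {
  field: string; // event field to compare, e.g. "host.name"
  type: 'mapping';
  value: string; // field in the threat index holding the list value
}

interface ValueListThreatConfig {
  threat_index: string[];
  threat_query: string;
  threat_mapping: Array<{ entries: ThreatMappingEntry[] }>;
}

// Escape a list id for use inside a KQL double-quoted string.
const kqlQuote = (value: string): string =>
  `"${value.replace(/\\/g, '\\\\').replace(/"/g, '\\"')}"`;

// Assumption (mine): each list type stores its value in a field named after the type,
// so a "keyword" list is matched on the "keyword" field, as the PR shows.
type ListType = 'keyword' | 'ip';

function buildValueListThreatConfig(opts: {
  spaceId: string;
  listId: string; // the uploaded file name, e.g. "hosts.txt"
  sourceField: string;
  listType?: ListType;
}): ValueListThreatConfig {
  const listType: ListType = opts.listType ?? 'keyword';
  return {
    threat_index: [valueListItemIndex(opts.spaceId)],
    threat_query: `list_id : ${kqlQuote(opts.listId)}`,
    threat_mapping: [{ entries: [{ field: opts.sourceField, type: 'mapping', value: listType }] }],
  };
}

// Mirrors the condition quoted from the diff: value-list handling applies only when
// the rule targets exactly one threat index and it is this space's items index.
const isSingleValueListIndex = (index: string[], spaceId: string): boolean =>
  index.length === 1 && index[0] === valueListItemIndex(spaceId);

// Explains why a threat_index setting fails the check above. Covers the reviewer's
// ".items-*" case and the "do not mix ECS threat lists with item lists" caveat.
function explainThreatIndexProblems(index: string[], spaceId: string): string[] {
  const wanted = valueListItemIndex(spaceId);
  const problems: string[] = [];
  if (index.length !== 1) {
    problems.push(`expected exactly one threat index, got ${index.length}`);
  }
  for (const name of index) {
    if (name.includes('*')) {
      problems.push(`wildcard "${name}" never equals "${wanted}"; use the concrete index name`);
    } else if (name.startsWith('.items-') && name !== wanted) {
      problems.push(`"${name}" is another space's items index, not "${wanted}"`);
    } else if (!name.startsWith('.items-')) {
      problems.push(`"${name}" looks like an ECS threat index; do not mix it with a value list`);
    }
  }
  return problems;
}

// Usage: build the exact configuration from the PR and confirm it passes the check.
const example = buildValueListThreatConfig({
  spaceId: 'default',
  listId: 'hosts.txt',
  sourceField: 'host.name',
});
console.log(JSON.stringify(example, null, 2));
console.log(isSingleValueListIndex(example.threat_index, 'default')); // true
console.log(explainThreatIndexProblems(['.items-*'], 'default'));
```

Running it prints the three fields a rule needs (`threat_index`, `threat_query`, `threat_mapping`) in the shape the PR describes, and shows that `.items-*` produces a problem message rather than passing the single-index check.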

@FrankHassanabad FrankHassanabad merged commit cb93434 into elastic:master Oct 14, 2020
@FrankHassanabad FrankHassanabad deleted the make-value-lists-work branch October 14, 2020 21:34
FrankHassanabad added a commit to FrankHassanabad/kibana that referenced this pull request Oct 14, 2020
… were not operational (elastic#80368)

## Summary

Fixes bugs to allow users to use value based lists manually. This isn't a first class citizen of the UI at the moment but you can manually add them to the existing UI as long as it's a single index and does not mix ECS threat lists with item lists.

Example is upload a list in the file `hosts.txt` and a type of `keyword`:

<img width="808" alt="Screen Shot 2020-10-13 at 9 50 58 AM" src="https://user-images.githubusercontent.com/1151048/95893319-0a33bf00-0d45-11eb-9c67-81fe9495d802.png">

Then add it as a threat mapping using:
* Index of `.items-${space_id}` such as `.items-default`
* Use the mapping field of "keyword"
* Use the query of `list_id: ${file_name}` such as `list_id : "hosts.txt"` 

<img width="808" alt="Screen Shot 2020-10-13 at 9 50 58 AM" src="https://user-images.githubusercontent.com/1151048/95893884-8af2bb00-0d45-11eb-9a38-97aef6e1a754.png">

<img width="1065" alt="Screen Shot 2020-10-13 at 11 08 40 AM" src="https://user-images.githubusercontent.com/1151048/95893902-92b25f80-0d45-11eb-84a0-5cf60e8ba0bf.png">


### Checklist

Delete any items that are not applicable to this PR.

- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
FrankHassanabad added a commit that referenced this pull request Oct 14, 2020
… were not operational (#80368) (#80595)
FrankHassanabad added a commit that referenced this pull request Oct 14, 2020
… were not operational (#80368) (#80593)
gmmorris added a commit to gmmorris/kibana that referenced this pull request Oct 15, 2020
* master: (102 commits)
  [Resolver] Fix flaky test (elastic#80576)
  Update Security Solution Bug Report Template (elastic#80668)
  [Observability] Kibana home page Observability link pointing to `/landing` (elastic#80636)
  [APM] Update User Experience app callout code to reflect new name (elastic#80641)
  [APM] Add missing ML privileges (elastic#80553)
  [DOCS] Adds intro line to the ML plugin readme file (elastic#80631)
  [ML] Functional tests - fix and re-enable validation API tests (elastic#80617)
  remove non-existing dependency from uptime plugin (elastic#80623)
  [ML] Fix job selection flyout overflow (elastic#80621)
  Move dashboard code in codeowner files to canvas team (elastic#80345)
  [Security Solution][Detections] Update signals template if outdated and rollover indices (elastic#80019)
  Sort service list by TPM if health is not shown (elastic#80447)
  Add in cluster version for sec telemetry sender. (elastic#80545)
  [Usage Collection] Usage collection add saved objects client to collector fetch context (elastic#80554)
  Change tag from experimental to beta (elastic#80443)
  [Metrics UI] Inventory view cleanup (elastic#79881)
  [Security Solutions][Detection Engine] Critical bug where value lists were not operational (elastic#80368)
  [Security Solution] Fix networkTopNFlow search strategy response (elastic#80362)
  [build] Retry docker pull (elastic#80432)
  add template for Security Solution bugs (elastic#80574)
  ...
@MindyRS MindyRS added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Sep 22, 2021
@elasticmachine

Pinging @elastic/security-solution (Team: SecuritySolution)

5 participants