[Security Solutions][Detection Engine] Critical bug where value lists were not operational #80368
Conversation
Pinging @elastic/siem (Team:SIEM)
💚 Build Succeeded
```ts
}: GetSortWithTieBreakerOptions): SortWithTieBreaker[] => {
  const ascOrDesc = sortOrder ?? 'asc';
  if (sortField != null) {
    return [{ [sortField]: ascOrDesc, '@timestamp': 'asc' }];
```
```ts
if (index.length === 1 && index[0] === listItemIndex) {
```
I initially created a rule against a threat index like `.items-*`, which does not satisfy this condition and thus still suffers from this issue. This is mentioned in the description as "single index" but I wanted to call it out again since it's easy to miss.
@FrankHassanabad do we want to add a note about this in the threat match rule documentation, or is too much of a "power user" scenario?
I think it's a bit of a "power user" scenario and a bit of a trick. We can support it nicely in the UI because we can query for the index list item name and populate it like it is here, and then disallow additional indexes, as if you choose to use a plain list, that's all you can choose since value based lists aren't ECS standards.
For API users, they will have to know their space names ahead of time and kind of fill in the API, so we might want to update at least the API docs before release time to show an example of how to do it, or we might need to add a better API for when they have a mapping and want to refer to a value based list.
… were not operational (elastic#80368)

## Summary

Fixes bugs to allow users to use value based lists manually. This isn't a first class citizen of the UI at the moment but you can manually add them to the existing UI as long as it's a single index and does not mix ECS threat lists with item lists.

Example is upload a list in the file `hosts.txt` and a type of `keyword`:

<img width="808" alt="Screen Shot 2020-10-13 at 9 50 58 AM" src="https://user-images.githubusercontent.com/1151048/95893319-0a33bf00-0d45-11eb-9c67-81fe9495d802.png">

Then add it as a threat mapping using:

* Index of `.items-${space_id}` such as `.items-default`
* Use the mapping field of "keyword"
* Use the query of `list_id: ${file_name}` such as `list_id : "hosts.txt"`

<img width="808" alt="Screen Shot 2020-10-13 at 9 50 58 AM" src="https://user-images.githubusercontent.com/1151048/95893884-8af2bb00-0d45-11eb-9a38-97aef6e1a754.png">
<img width="1065" alt="Screen Shot 2020-10-13 at 11 08 40 AM" src="https://user-images.githubusercontent.com/1151048/95893902-92b25f80-0d45-11eb-84a0-5cf60e8ba0bf.png">

### Checklist

Delete any items that are not applicable to this PR.

- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
* master: (102 commits)
  [Resolver] Fix flaky test (elastic#80576)
  Update Security Solution Bug Report Template (elastic#80668)
  [Observability] Kibana home page Observability link pointing to `/landing` (elastic#80636)
  [APM] Update User Experience app callout code to reflect new name (elastic#80641)
  [APM] Add missing ML privileges (elastic#80553)
  [DOCS] Adds intro line to the ML plugin readme file (elastic#80631)
  [ML] Functional tests - fix and re-enable validation API tests (elastic#80617)
  remove non-existing dependency from uptime plugin (elastic#80623)
  [ML] Fix job selection flyout overflow (elastic#80621)
  Move dashboard code in codeowner files to canvas team (elastic#80345)
  [Security Solution][Detections] Update signals template if outdated and rollover indices (elastic#80019)
  Sort service list by TPM if health is not shown (elastic#80447)
  Add in cluster version for sec telemetry sender. (elastic#80545)
  [Usage Collection] Usage collection add saved objects client to collector fetch context (elastic#80554)
  Change tag from experimental to beta (elastic#80443)
  [Metrics UI] Inventory view cleanup (elastic#79881)
  [Security Solutions][Detection Engine] Critical bug where value lists were not operational (elastic#80368)
  [Security Solution] Fix networkTopNFlow search strategy response (elastic#80362)
  [build] Retry docker pull (elastic#80432)
  add template for Security Solution bugs (elastic#80574)
  ...
Pinging @elastic/security-solution (Team: SecuritySolution)
Summary

Fixes bugs to allow users to use value based lists manually. This isn't a first class citizen of the UI at the moment but you can manually add them to the existing UI as long as it's a single index and does not mix ECS threat lists with item lists.

Example is upload a list in the file `hosts.txt` and a type of `keyword`. Then add it as a threat mapping using:

* Index of `.items-${space_id}` such as `.items-default`
* Use the mapping field of "keyword"
* Use the query of `list_id: ${file_name}` such as `list_id : "hosts.txt"`

Checklist

Delete any items that are not applicable to this PR.

- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
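A worked illustration of the manual setup described in the summary, and of the single-index caveat raised in the review thread (`.items-*` does not satisfy `index.length === 1 && index[0] === listItemIndex`). This is example code added here, not Kibana's own: it builds the rule fields for a value list in a given space, classifies a `threat_index` array against that condition, and simulates the resulting match over constructed sample list items and events. The function names, the `host.name` event field, the sample documents and the `{ field, type, value }` shape of a `threat_mapping` entry are assumptions made for the example.

```javascript
// Added example, not Kibana code. Demonstrates the manual value-list setup from the PR:
// a threat-match rule pointed at exactly one list-item index, filtered by list_id,
// with an event field mapped onto the list item's `keyword` field.

const LIST_ITEM_INDEX_PREFIX = '.items-'; // index naming from the PR: `.items-${space_id}`

// Build the rule fields for one value list. `spaceId` is the Kibana space the list was
// uploaded in, `listId` the uploaded file name (e.g. "hosts.txt") and `eventField` the
// ECS field in source events to compare (assumed, e.g. "host.name"). The entry shape
// { field, type, value } is assumed: `field` is the event side, `value` the list side.
function buildValueListThreatMatch({ spaceId, listId, eventField }) {
  if (!/^[a-z0-9_-]+$/i.test(spaceId)) {
    throw new Error(`unexpected space id: ${spaceId}`);
  }
  return {
    threat_index: [`${LIST_ITEM_INDEX_PREFIX}${spaceId}`], // exactly one index, no ECS mix
    threat_query: `list_id: ${JSON.stringify(listId)}`,   // JSON.stringify quotes/escapes the id
    threat_mapping: [{ entries: [{ field: eventField, type: 'mapping', value: 'keyword' }] }],
  };
}

// Same condition as the reviewed diff: the value-list code path only applies when the
// rule targets exactly the one list-item index of the space.
function usesValueListIndex(threatIndex, spaceId) {
  return threatIndex.length === 1 && threatIndex[0] === `${LIST_ITEM_INDEX_PREFIX}${spaceId}`;
}

// Explain why a threat_index array would or would not take the value-list path.
function checkThreatIndex(threatIndex, spaceId) {
  if (usesValueListIndex(threatIndex, spaceId)) return 'ok';
  const touchesItems = threatIndex.some((name) => name.startsWith(LIST_ITEM_INDEX_PREFIX));
  if (!touchesItems) return 'ecs-only'; // ordinary ECS threat indices, not affected by this PR
  if (threatIndex.length > 1) return 'mixed'; // item index mixed with ECS threat indices
  return 'wrong-index'; // a wildcard such as ".items-*" (the reviewer's case) or another space
}

// Constructed sample documents: list items as stored in the item index, and source events.
const SAMPLE_LIST_ITEMS = [
  { list_id: 'hosts.txt', keyword: 'bad-host-01' },
  { list_id: 'hosts.txt', keyword: 'bad-host-02' },
  { list_id: 'other.txt', keyword: 'unrelated-host' },
];
const SAMPLE_EVENTS = [
  { '@timestamp': '2020-10-13T09:50:58Z', host: { name: 'bad-host-01' } },
  { '@timestamp': '2020-10-13T09:51:10Z', host: { name: 'good-host' } },
  { '@timestamp': '2020-10-13T09:52:00Z', host: { name: 'unrelated-host' } },
];

// Resolve a dotted ECS path such as "host.name" on an event object.
function getField(obj, path) {
  return path.split('.').reduce((o, key) => (o == null ? undefined : o[key]), obj);
}

// Local simulation of the rule's join: apply the threat_query (list_id filter) to the
// list items, then keep events whose mapped field equals one of the listed keywords.
function matchEvents(events, listItems, { listId, eventField }) {
  const listed = new Set(
    listItems.filter((item) => item.list_id === listId).map((item) => item.keyword)
  );
  return events.filter((event) => listed.has(getField(event, eventField)));
}

// Stand-alone run of the scenario from the PR: space "default", list "hosts.txt".
const rule = buildValueListThreatMatch({ spaceId: 'default', listId: 'hosts.txt', eventField: 'host.name' });
console.log(JSON.stringify(rule, null, 2));
console.log(checkThreatIndex(['.items-*'], 'default')); // the reviewer's wildcard case
console.log(matchEvents(SAMPLE_EVENTS, SAMPLE_LIST_ITEMS, { listId: 'hosts.txt', eventField: 'host.name' }));
```

The `list_id` filter matters: the item index holds every uploaded list for the space, so without it the rule would match against `other.txt` as well, and `checkThreatIndex` makes the reviewer's point concrete: a wildcard or a mixed index list silently falls off the value-list path rather than erroring.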