Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Detection Rules] Add 7.10 rules - v3 #82214

Merged
merged 9 commits into from
Nov 3, 2020
Merged

[Detection Rules] Add 7.10 rules - v3 #82214

merged 9 commits into from
Nov 3, 2020

Conversation

brokensound77
Copy link
Contributor

Summary

Pull updates to detection rules from https://github.com/elastic/detection-rules/tree/7.10.

The is the 3rd and final PR for 7.10, with updates to #81676

Checklist

@brokensound77 brokensound77 added release_note:skip Skip the PR/issue when compiling release notes v7.10.0 Feature:Detection Rules Security Solution rules and Detection Engine labels Oct 31, 2020
@brokensound77 brokensound77 requested a review from a team as a code owner October 31, 2020 00:56
@brokensound77
Copy link
Contributor Author

@elasticmachine merge upstream

@brokensound77
Copy link
Contributor Author

@elasticmachine merge upstream

@brokensound77 brokensound77 mentioned this pull request Nov 2, 2020
Merged
spong
spong approved these changes Nov 3, 2020
View reviewed changes
Copy link
Member

@spong spong left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Checked out, tested locally, and was able to install and run all pre-packaged rules. LGTM! 👍 Thanks for pairing on this one @brokensound77!

Testing notes:

Only failure (ignoring ML rules/jobs) was with the External Alerts rule, which was the result of the source indices not having event.ingested (an existing error to be resolved via #75382).

Bulk Indexing of signals failed: reason: "No mapping found for [event.ingested] in order to sort on" type: "query_shard_exception" name: "External Alerts" id: "b2b237cb-f06e-40f7-b12b-1201bc85fcb4" rule id: "eb079c62-4481-4d6e-9643-3ca499df7aaa" signals index: ".siem-signals-spong-default"

Also tested the new timeline templates and those appear to be working as well, although I'm not sure how well they help in certain situations. For example, here's the Investigate in timeline action for the RDP (Remote Desktop Protocol) from the Internet rule with and without the template. Without, you get the single alert, but with, since it's only constraining to src/dest ip exists, and the rule execution time window, you'll get all alerts/events for the window, with no way to find the specific alert you clicked from via the table. This is working as designed, but wanted to call out this behavior. cc @XavierM @MikePaquette @shimonmodi

Without Timeline Template

With (Generic Network) Timeline Template

@spong spong added Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Detections and Resp Security Detection Response Team labels Nov 3, 2020
@brokensound77 brokensound77 mentioned this pull request Nov 3, 2020
Closed
@brokensound77
Copy link
Contributor Author

Thanks @spong, I created this issue to track the timeline review. We can always reference any other issues created to track/discuss from a product perspective.

bm11100
bm11100 approved these changes Nov 3, 2020
View reviewed changes
Copy link

@bm11100 bm11100 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree with @spong. I think the timelines will cause more confusion than benefit. I thought the generic templates were just adjusting which columns we're displayed, not the actual fields to filter on. Approving for the updated rule logic, but think something should be done to make the timelines more usable.

@brokensound77 brokensound77 mentioned this pull request Nov 3, 2020
Merged
@brokensound77 brokensound77 requested review from a team as code owners November 3, 2020 18:54
@kibanamachine
Copy link
Contributor

💚 Build Succeeded

Metrics [docs]

distributable file count

id before after diff
default 42564 42558 -6

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@spong spong mentioned this pull request Nov 3, 2020
Merged
@brokensound77 brokensound77 merged commit 4323357 into elastic:master Nov 3, 2020
@brokensound77 brokensound77 mentioned this pull request Nov 3, 2020
Merged
brokensound77 added a commit to brokensound77/kibana that referenced this pull request Nov 3, 2020
@brokensound77
[Detection Rules] Add 7.10 rules - v3 (elastic#82214)
7868a16
@brokensound77 brokensound77 mentioned this pull request Nov 3, 2020
Merged
brokensound77 added a commit to brokensound77/kibana that referenced this pull request Nov 3, 2020
@brokensound77
[Detection Rules] Add 7.10 rules - v3 (elastic#82214)
e1650f9
spong pushed a commit that referenced this pull request Nov 4, 2020
@brokensound77
[Detection Rules] Add 7.10 rules - v3 (#82214) (#82543)
e420f3e
spong pushed a commit that referenced this pull request Nov 4, 2020
@brokensound77
[Detection Rules] Add 7.10 rules - v3 (#82214) (#82544)
9571427
@spong spong mentioned this pull request Nov 26, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bm11100 bm11100 bm11100 approved these changes

@spong spong spong approved these changes

@rw-access rw-access Awaiting requested review from rw-access

Assignees
No one assigned
Labels
Feature:Detection Rules Security Solution rules and Detection Engine release_note:skip Skip the PR/issue when compiling release notes Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v7.10.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@brokensound77 @kibanamachine @spong @bm11100