
[Security Solution] "threat.indicator.matched.type" field is displayed as "indicator_match_rule" value for threat indicator Rule. #105573

Closed
ghost opened this issue Jul 14, 2021 · 5 comments
Labels
bug Fixes for quality problems that affect the customer experience impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. Team: CTI Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. triage_needed v7.14.0

Comments

@ghost

ghost commented Jul 14, 2021

Describe the bug
threat.indicator.matched.type field is displayed as "indicator_match_rule" value for threat indicator Rule.

Build Details:

VERSION: 7.14.0 BC2
BUILD: 42401
COMMIT: 9826a943dc2e47f26ec6de94816e7d297b752994
ARTIFACT: https://staging.elastic.co/7.14.0-e99135ef/summary-7.14.0.html

Browser Details:
N/A

Browser Details
All

Preconditions
1. Kibana users should be logged in.
2. Filebeat should be installed.

Steps to Reproduce

  1. Navigate to Dev tools and add the following:
Create an index

PUT /mydata/

PUT /mydata/_mapping
{
  "properties": {
    "@timestamp": {
      "type": "date"
    },
    "hash": {
      "properties": {
        "md5": {
          "ignore_above": 1024,
          "type": "keyword"
        }
      }
    }
  }
}

POST /mydata/_doc/
{
  "@timestamp": "2021-02-22T21:00:49.337Z",
  "hash": {
    "md5": "eec5c6c219535fba3a0492ea8118b397"
  }
}

  2. Navigate to create a new rule under security app.
  3. Click on the Indicator match rule.
  4. In Index pattern add the "mydata" index.
  5. Custom query: ":"
  6. Indicator index patterns : filebeat-*
  7. Indicator index query: ":"
  8. In Indicator mapping add: field: hash.md5 and Indicator index field: threatintel.indicator.file.hash.md5
  9. In about Section add the rule name.
  10. In the schedule section add run every: 10 seconds and Additional look-back time: 30000 hours
  11. Create and activate the rule.
  12. Generate the alerts.
  13. Add the field "threat.indicator.matched.type" in alerts table.
  14. Observe that threat.indicator.matched.type field is displayed as "indicator_match_rule" value for threat indicator Rule.

Actual Result
threat.indicator.matched.type field is displayed as "indicator_match_rule" value for threat indicator Rule.

Expected Result
threat.indicator.matched.type field should display as "file" value for threat indicator Rule.

What's Working

  • This issue is not occurring on 7.13.0.
    [screenshot: 7.13.0_matched_type]

What's Not Working

  • N/A

Screen-Shot
[screenshot: 7.14.0_matched_type]

@ghost ghost added bug Fixes for quality problems that affect the customer experience Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v7.14.0 labels Jul 14, 2021
@elasticmachine (Contributor)

Pinging @elastic/security-solution (Team: SecuritySolution)

@ghost ghost changed the title [Security Solution] threat.indicator.matched.type field is displayed as "indicator_match_rule" value for threat indicator Rule. [Security Solution] "threat.indicator.matched.type" field is displayed as "indicator_match_rule" value for threat indicator Rule. Jul 14, 2021
@ghost (Author)

ghost commented Jul 14, 2021

@manishgupta-qasource Please review!!

@manishgupta-qasource

Reviewed & Assigned to @MadameSheema

@manishgupta-qasource manishgupta-qasource added the impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. label Jul 14, 2021
@manishgupta-qasource manishgupta-qasource removed their assignment Jul 14, 2021
@MadameSheema MadameSheema removed their assignment Jul 14, 2021
@MadameSheema (Member)

@ecezalp @rylnd can you please take a look at this? thanks :)

@ecezalp (Contributor)

ecezalp commented Jul 26, 2021

the observed behavior is intentional and is partly relevant to the conversation here.

To summarize, the information conveyed in threat.indicator.matched.type is intentionally overridden with the name of the matching strategy used within the security_solution, and it can have the values indicator_match_rule or investigation_time. The information that was previously displayed with threat.indicator.matched.type can be found under threat.indicator.type.

Considering that no changes are planned for this behavior, I am closing the issue. Please reopen if there are any additional concerns.

@ecezalp ecezalp closed this as completed Jul 26, 2021
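The maintainer's comment above describes a semantic change between 7.13 and 7.14: threat.indicator.matched.type now carries the matching strategy (indicator_match_rule or investigation_time) and the indicator type itself lives in threat.indicator.type. Anyone who built a dashboard, SIEM export or triage script on the old meaning of matched.type needs to read alerts from both versions consistently. The following is an added example, not code from the issue or from the Kibana project: it extracts the indicator type and the matching strategy from an alert document whichever layout it uses. The two sample alerts are constructed here (the md5 value is reused from the repro steps); the assumption that threat.indicator may be stored as an array of enrichment objects, and that some exports flatten field names to dotted keys, is mine and is handled defensively rather than taken from the thread.

```python
"""Read threat-match alert fields consistently across the 7.13 and 7.14 layouts.

Added example; not part of the GitHub issue or of Kibana's own code.
"""

# Values that Security Solution writes into threat.indicator.matched.type from
# 7.14 on, as stated by the maintainer in the thread. Anything else found in
# that field is treated as a legacy (7.13-style) indicator type.
MATCHING_STRATEGIES = {"indicator_match_rule", "investigation_time"}


def collect(doc, dotted):
    """Return every value found at a dotted path inside a JSON-like document.

    Descends into lists (assumption: threat.indicator may be an array of
    enrichment objects) and also accepts flattened keys such as
    {"threat.indicator.type": "file"} (assumption: some exports flatten names).
    """
    if isinstance(doc, dict) and dotted in doc:
        val = doc[dotted]
        return val if isinstance(val, list) else [val]
    parts = dotted.split(".")
    found = []

    def walk(node, i):
        if i == len(parts):
            found.extend(node if isinstance(node, list) else [node])
        elif isinstance(node, list):
            for item in node:
                walk(item, i)
        elif isinstance(node, dict) and parts[i] in node:
            walk(node[parts[i]], i + 1)

    walk(doc, 0)
    return [v for v in found if v is not None]


def matching_strategy(alert):
    """Return the 7.14+ matching strategy, or None for a legacy document."""
    for v in collect(alert, "threat.indicator.matched.type"):
        if v in MATCHING_STRATEGIES:
            return v
    return None


def indicator_type(alert):
    """Return the indicator type (e.g. "file") regardless of stack version.

    7.14+: threat.indicator.type holds the type. 7.13: matched.type held it,
    so a non-strategy value there is taken as the type.
    """
    types = collect(alert, "threat.indicator.type")
    if types:
        return types[0]
    for v in collect(alert, "threat.indicator.matched.type"):
        if v not in MATCHING_STRATEGIES:
            return v
    return None


def summarize(alerts):
    """Count alerts by (matching strategy, indicator type) for a quick triage view."""
    counts = {}
    for alert in alerts:
        key = (matching_strategy(alert), indicator_type(alert))
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample alerts (not captured from a real stack).
ALERT_7_14 = {
    "hash": {"md5": "eec5c6c219535fba3a0492ea8118b397"},
    "threat": {
        "indicator": [
            {
                "type": "file",
                "matched": {
                    "type": "indicator_match_rule",
                    "field": "hash.md5",
                    "atomic": "eec5c6c219535fba3a0492ea8118b397",
                },
            }
        ]
    },
}

ALERT_7_13 = {
    "hash": {"md5": "eec5c6c219535fba3a0492ea8118b397"},
    "threat": {"indicator": {"matched": {"type": "file", "field": "hash.md5"}}},
}

if __name__ == "__main__":
    for name, alert in (("7.14", ALERT_7_14), ("7.13", ALERT_7_13)):
        print(name, matching_strategy(alert), indicator_type(alert))
    print(summarize([ALERT_7_14, ALERT_7_13]))
```

Run it directly to see both layouts resolve to indicator type "file", with only the 7.14 document reporting a matching strategy; summarize() gives the per-strategy breakdown a dashboard or export job would want after an upgrade.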