
[Security Solution] Threat Intelligence Overview card not supported on CCS setup #106099

Closed
MadameSheema opened this issue Jul 19, 2021 · 12 comments
Labels
bug Fixes for quality problems that affect the customer experience fixed Team: CTI Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. triage_needed

Comments

@MadameSheema
Member

MadameSheema commented Jul 19, 2021

Kibana version:

  • 7.14BC3

Describe the bug:

  • A “No threat intel data available to display” message is displayed on the overview page on a CCS setup with threat intel alerts generated by Filebeat with the module enabled

Initial status:

  • CCS setup with 1 source and 1 remote
  • Ingest data on the remote instance
  • Ingest data on the remote instance with Filebeat with the threatintel module enabled

Steps to reproduce:

  1. On the source, create an indicator match rule using the indexes of the remote
  2. Once the alerts are generated, navigate to the overview page

Current behavior:

  • Screenshot 2021-07-19 at 15 33 46

Expected behavior:

  • The data is displayed on the dashboard
@MadameSheema MadameSheema added bug Fixes for quality problems that affect the customer experience triage_needed Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team: CTI labels Jul 19, 2021
@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@MadameSheema
Member Author

@ecezalp @rylnd can you please take a look at this? Thanks

@ecezalp
Contributor

ecezalp commented Jul 19, 2021

So it looks like a custom index name is assigned to what would otherwise have been the filebeat-* index (in the env above, it's remote:filebeat-*), which is why we are unable to find event.type: "indicator" events while querying filebeat-*, which results in the "No Threat Intel data available to display" warning above. For the feature to work as intended, the modified index name would have to be added to the list of indices that is queried as part of the query used in the useIsThreatIntelEnabled hook. Currently only DEFAULT_CTI_SOURCE_INDEX is queried, which is filebeat-*.

@rylnd
Contributor

rylnd commented Jul 19, 2021

Note: this same issue will also affect the event enrichment query added in #103383, in that it will not support remote clusters.

@MadameSheema
Member Author

@deepikakeshav-qasource can you please validate the fix for this issue on the latest version? (7.15.0) Thanks :)

@ghost

ghost commented Sep 30, 2021

Hi @MadameSheema,

We have validated this ticket on the 7.15.0 latest build and observed that the issue is still occurring: Threat Intelligence Overview card not supported on CCS setup.

Build Details:

Version: 7.15.0 Latest
Commit: add5d2c5ebeba1d8bcf6a79f8863cd78760e1b3e
Build: 44040

Screenshot:

threat.card.mp4

Thanks!!

@MadameSheema
Member Author

@deepikakeshav-qasource can you please retest again, adding the CCS index to the Threat indices setting in the Kibana advanced settings? Thanks

@ghost

ghost commented Sep 30, 2021

Hi @MadameSheema

Thank you for the update!!

We have added the CCS index in Threat indices in the Kibana advanced settings and observed that data is displayed under the Threat Intelligence overview card. However, the dashboard button is disabled. Could you please confirm if it is expected or we are missing something?

Screenshots:

Overview_threat_card.mp4
indicator_match.mp4

Thanks!!
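The index-pattern mismatch ecezalp describes above, and the effect of adding the remote-prefixed pattern to the Threat indices setting as confirmed in this comment, as an added illustration that is not Kibana's code: the helper names and the sample hits are constructed for this example, and only DEFAULT_CTI_SOURCE_INDEX is a name taken from the thread.

```typescript
// Added illustration of the bug in this thread; not Kibana code. The helpers
// and sample hits below are constructed for the example.

interface Hit { _index: string; event: { type?: string } }

// Constructed sample hits: indicator documents exist only on the remote cluster.
const SAMPLE_HITS: Hit[] = [
  { _index: "filebeat-7.14.0-2021.07.19", event: { type: "info" } },
  { _index: "remote:filebeat-7.14.0-2021.07.19", event: { type: "indicator" } },
  { _index: "remote:filebeat-7.14.0-2021.07.19", event: { type: "indicator" } },
];

// "cluster:name" addresses an index on that remote cluster; a name with no
// prefix is local only. Mirrors how Elasticsearch resolves CCS index patterns.
function splitCluster(name: string): [string, string] {
  const i = name.indexOf(":");
  return i === -1 ? ["", name] : [name.slice(0, i), name.slice(i + 1)];
}

function escapeRegExp(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// A wildcard pattern matches an index only when both the cluster prefix and the
// name agree, so "filebeat-*" never expands to "remote:filebeat-*".
function matchesIndexPattern(index: string, pattern: string): boolean {
  const [indexCluster, indexName] = splitCluster(index);
  const [patternCluster, patternName] = splitCluster(pattern);
  if (indexCluster !== patternCluster) return false;
  const re = new RegExp("^" + patternName.split("*").map(escapeRegExp).join(".*") + "$");
  return re.test(indexName);
}

// The question the hook asks: does any queried index hold event.type "indicator"?
function hasIndicatorEvents(patterns: string[], hits: Hit[] = SAMPLE_HITS): boolean {
  return hits.some(
    (h) => h.event.type === "indicator" && patterns.some((p) => matchesIndexPattern(h._index, p)),
  );
}

// Only the default pattern (named DEFAULT_CTI_SOURCE_INDEX in the thread) is queried.
const DEFAULT_CTI_SOURCE_INDEX = ["filebeat-*"];
// The pattern a user adds to the "Threat indices" advanced setting for the remote cluster.
const WITH_REMOTE = [...DEFAULT_CTI_SOURCE_INDEX, "remote:filebeat-*"];
```

With DEFAULT_CTI_SOURCE_INDEX alone hasIndicatorEvents returns false (the card shows no data); with WITH_REMOTE it returns true.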

@MadameSheema
Member Author

@deepikakeshav-qasource did you follow the guide to "Enable a Kibana dashboard" that is linked on the card?

@ghost

ghost commented Sep 30, 2021

Hi @ecezalp and @MadameSheema,

The dashboard button is disabled on the Threat Intelligence overview card for the source machine. Please find the detailed steps below:

  1. Install Filebeat on the remote machine
  2. Run the command .\filebeat.exe setup --dashboards on the remote machine
  3. Create the remote indexes on the source machine.
  4. Add the same index in "Threat indices" under the Kibana advanced settings
  5. Then navigate to the Overview tab of Security on the source machine and select the created index in data sources.
  6. Observe that data is ingested from the remote machine. However, the dashboard is disabled.

Note: We did not install Filebeat on the source machine.

Could you please confirm if it is expected or we are missing anything?

Thanks!!

@MadameSheema
Member Author

@ecezalp any update regarding the above comment?

@rylnd
Contributor

rylnd commented Oct 13, 2021

To summarize: the bug as currently stated is that dashboard links don't work for remote clusters, despite the remote cluster having the necessary dashboards.

Since those dashboards are kibana data (saved objects), and the current kibana instance has no dashboards, this is expected behavior. Kibana cannot read saved objects from a remote cluster, it can only read from data indices.

@rylnd rylnd closed this as completed Oct 13, 2021
4 participants