Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Rule Tuning] Very high false positive rate in 'Agent Spoofing - Multiple Hosts Using Same Agent' #3613

Closed
jvalente-salemstate opened this issue Apr 22, 2024 · 1 comment · Fixed by #3790
Closed

[Rule Tuning] Very high false positive rate in 'Agent Spoofing - Multiple Hosts Using Same Agent' #3613

jvalente-salemstate opened this issue Apr 22, 2024 · 1 comment · Fixed by #3790
Labels
backlog community Rule: Tuning tweaking or tuning an existing rule

Comments

@jvalente-salemstate
Copy link
Contributor

jvalente-salemstate commented Apr 22, 2024
edited
Loading

Describe the bug
This is a threshold rule that triggers when the cardinality of host.id for any given elastic_agent_id is more than one. For rules containing the forwarded tag, host details are populated but they may contain host details from the event (m365_defender.event device events, panw.panos logs containing host info). It may also be triggering if the host id is null.
These can't be added as exceptions since the fields aren't available in a threshold

To Reproduce

Use any integration that can exports host.id and includes forwarded in the tag.

Run the ES|QL query to view the datasets causing this


from logs-* 
| where host.id is not null and elastic_agent.id is not null
| stats hosts_per_agent = count_distinct
(host.id) by elastic_agent.id, data_stream.dataset
| where hosts_per_agent > 1 
| sort hosts_per_agent desc | keep hosts_per_agent, data_stream.dataset

Expected behavior

The rule should not trigger on forwarded events or when host.id does not exist.
@jvalente-salemstate jvalente-salemstate added the bug Something isn't working label Apr 22, 2024
@jvalente-salemstate jvalente-salemstate changed the title [Bug] Very high false positive rate in 'Agent Spoofing - Multiple Hosts Using Same Agent' [Tuning] Very high false positive rate in 'Agent Spoofing - Multiple Hosts Using Same Agent' Apr 22, 2024
@jvalente-salemstate
Copy link
Contributor Author

Accidentally submitted as a bug instead of tuning. Fixed the title but I can't seem to adjust labels.

@jvalente-salemstate jvalente-salemstate changed the title [Tuning] Very high false positive rate in 'Agent Spoofing - Multiple Hosts Using Same Agent' [Rule Tuning] Very high false positive rate in 'Agent Spoofing - Multiple Hosts Using Same Agent' Apr 22, 2024
@w0rk3r w0rk3r added Rule: Tuning tweaking or tuning an existing rule backlog and removed bug Something isn't working labels May 20, 2024
@jvalente-salemstate jvalente-salemstate mentioned this issue Jun 15, 2024
Merged
2 tasks
@tehbooom tehbooom mentioned this issue Jul 30, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
backlog community Rule: Tuning tweaking or tuning an existing rule
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[Rule Tuning] Agent Spoofing - Multiple Hosts Using Same Agent jvalente-salemstate/detection-rules
2 participants
@w0rk3r @jvalente-salemstate