
[Security Solution][Detection Engine] Threshold rules do not create signals with CIDR IP's #77253

Closed
FrankHassanabad opened this issue Sep 10, 2020 · 2 comments · Fixed by #82444
Assignees
Labels
bug Fixes for quality problems that affect the customer experience Feature:Detection Rules Security Solution rules and Detection Engine impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:SIEM

Comments

@FrankHassanabad
Contributor

Kibana version:
7.9.0

Describe the bug:
CIDR queries for threshold rules do not work. If you add a CIDR query to a threshold rule, it will not be able to correctly insert the signal because of the way it creates the synthetic signal in the file:

`x-pack/plugins/security_solution/server/lib/detection_engine/signals/bulk_create_threshold_signals.ts`

Steps to reproduce:

Create a threshold rule with a CIDR query like the one below:

destination.ip: 10.142.0.7/16

[Screenshot (2020-09-10): threshold rule configured with the query `destination.ip: 10.142.0.7/16`]

Run it and notice in your logs you see this error:

```text
server    log   [13:43:52.965] [error][plugins][plugins][securitySolution][securitySolution] [-] bulkResponse had errors with responses of: {"failed to parse field [destination.ip] of type [ip] in document with id '75dc881c04149cc021e7e2ed5242e74349d33ff62ae1ce57317195738b200546'. Preview of field's value: '10.142.0.7/16'":{"count":1,"statusCode":400}}
```

Expected behavior:
It should write out the signal and not have errors.

Unit test for the code that shows the problem:

In this file:

`x-pack/plugins/security_solution/server/lib/detection_engine/signals/bulk_create_threshold_signals.test.ts`

Add this test:

```ts
  it('should NOT add invalid characters from CIDR such as the "/" proper object for simple match_phrase filters', () => {
    // Filter shape produced by a threshold rule whose query is a CIDR match on destination.ip
    const filters = {
      bool: {
        must: [],
        filter: [
          {
            bool: {
              should: [
                {
                  match: {
                    'destination.ip': '192.168.0.0/16',
                  },
                },
              ],
              minimum_should_match: 1,
            },
          },
        ],
        should: [],
        must_not: [],
      },
    };

    expect(getThresholdSignalQueryFields(filters)).toEqual({
      'destination.ip': '192.168.0.16',
    });
  });
```

Get this failed result to fix:

```text
 getThresholdSignalQueryFields  should NOT add invalid characters from CIDR such as the "/" proper object for simple match_phrase filters

    expect(received).toEqual(expected) // deep equality

    - Expected  - 1
    + Received  + 1

      Object {
    -   "destination.ip": "192.168.0.16",
    +   "destination.ip": "192.168.0.0/16",
```
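The failure mode described in the report, as an added TypeScript example that is not Kibana's own code and not the change made in the linked fix: a naive field collector copies the CIDR string from the rule's query straight into the synthetic signal document, and an `ip`-typed mapping then rejects it. The hardened collector treats a CIDR as a range rather than a single address and keeps it out of the document, reporting it separately so the rule author can see which query terms were not materialised. All names (`naiveQueryFields`, `signalQueryFields`, `ipMappingErrors`, `isCidr`, `isIpv4`) are assumptions, `ipMappingErrors` is a simplified stand-in for the Elasticsearch `ip` field parser, and `exampleQuery` is constructed to mirror the filter in the unit test above.

```typescript
// Added example, not Kibana's code. Hypothetical names throughout.

type MatchClause = { match: Record<string, string> } | { match_phrase: Record<string, string> };
type BoolClause = {
  bool: {
    must?: Clause[];
    filter?: Clause[];
    should?: Clause[];
    must_not?: Clause[];
    minimum_should_match?: number;
  };
};
type Clause = MatchClause | BoolClause;

// Dotted-quad IPv4, optionally followed by a /prefix. IPv6 is out of scope here.
const IPV4_RE = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
const CIDR_RE = /^([0-9.]+)\/(\d{1,2})$/;

function isIpv4(value: string): boolean {
  const m = IPV4_RE.exec(value);
  return m !== null && m.slice(1).every((octet) => Number(octet) <= 255);
}

function isCidr(value: string): boolean {
  const m = CIDR_RE.exec(value);
  return m !== null && isIpv4(m[1] ?? '') && Number(m[2]) <= 32;
}

// Visit every match/match_phrase term under must, filter and should.
// must_not is deliberately skipped: a negated value never "matched".
function walk(clause: Clause, visit: (field: string, value: string) => void): void {
  if ('bool' in clause) {
    const { must = [], filter = [], should = [] } = clause.bool;
    [...must, ...filter, ...should].forEach((c) => walk(c, visit));
    return;
  }
  const body = 'match' in clause ? clause.match : clause.match_phrase;
  for (const field of Object.keys(body)) {
    visit(field, body[field] ?? '');
  }
}

// Naive collector: reproduces the reported behaviour by copying every
// matched value verbatim, CIDR notation included.
function naiveQueryFields(query: Clause): Record<string, string> {
  const out: Record<string, string> = {};
  walk(query, (field, value) => {
    out[field] = value;
  });
  return out;
}

// Hardened collector: CIDR values are a range, not an address, so they are
// kept out of the synthetic document and returned under `skipped` instead.
function signalQueryFields(query: Clause): {
  fields: Record<string, string>;
  skipped: Record<string, string>;
} {
  const fields: Record<string, string> = {};
  const skipped: Record<string, string> = {};
  walk(query, (field, value) => {
    if (isCidr(value)) {
      skipped[field] = value;
    } else {
      fields[field] = value;
    }
  });
  return { fields, skipped };
}

// Simplified stand-in for the `ip` mapping check that produced the bulk error
// in the report: one message per field whose value is not a single address.
function ipMappingErrors(doc: Record<string, string>, ipFields: string[]): string[] {
  const errors: string[] = [];
  for (const field of ipFields) {
    const value = doc[field];
    if (value !== undefined && !isIpv4(value)) {
      errors.push(`failed to parse field [${field}] of type [ip]. Preview of field's value: '${value}'`);
    }
  }
  return errors;
}

// Constructed input mirroring the filter from the unit test in the report.
const exampleQuery: Clause = {
  bool: {
    must: [],
    filter: [
      { bool: { should: [{ match: { 'destination.ip': '192.168.0.0/16' } }], minimum_should_match: 1 } },
    ],
    should: [],
    must_not: [],
  },
};
```

Running `ipMappingErrors(naiveQueryFields(exampleQuery), ['destination.ip'])` yields the same kind of parse error as the server log above, while the document built from `signalQueryFields(exampleQuery).fields` passes the check; the `skipped` map is what a defender would surface in the rule's execution status so a CIDR-based threshold rule cannot silently stop producing signals.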
@FrankHassanabad FrankHassanabad added Team:SIEM Feature:Detection Rules Security Solution rules and Detection Engine labels Sep 10, 2020
@elasticmachine
Contributor

Pinging @elastic/siem (Team:SIEM)

@FrankHassanabad FrankHassanabad added the bug Fixes for quality problems that affect the customer experience label Sep 10, 2020
@MadameSheema MadameSheema added the Team:Detections and Resp Security Detection Response Team label Oct 1, 2020
@MindyRS MindyRS added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Oct 15, 2020
@elasticmachine
Contributor

Pinging @elastic/kibana-security (Team:Security Solution)

@peluja1012 peluja1012 added the impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. label Oct 28, 2020
6 participants