
[Security Solution] The detection rules have defined source values for severity overridden but there is no Source field selected for the same. #85951

Closed
muskangulati-qasource opened this issue Dec 15, 2020 · 13 comments
Assignees
Labels
bug Fixes for quality problems that affect the customer experience Feature:Detection Rules Anything related to Security Solution's Detection Rules fixed impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. QA:Validated Issue has been validated by QA Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v7.11.0 v7.12.0 v8.0.0

Comments

@muskangulati-qasource

Description
The detection rules have defined source values for severity overridden but there is no Source field selected for the same.

Build Details:
Platform: Staging
Version: 7.11.0-SNAPSHOT
Commit: 9b0ec30
Build number: 37292
Artifact: https://artifacts-api.elastic.co/v1/search/7.11.0-SNAPSHOT

Browser Details:
All

Preconditions:

  1. Elastic stack should be up and running

Steps to Reproduce:

  1. Navigate to the 'Detections' tab under Security.
  2. Click on 'Manage detection rules' & load the pre-built rules.
  3. Create a duplicate of this rule and edit this rule.
  4. Observe that under the 'severity override' section, the source fields are empty but it does have corresponding source values.

Impacted Test case:

  • N/A

Actual Result:
The detection rules have defined source values for severity overridden but there is no Source field selected for the same.

Expected Result:
The detection rules should have both source values and Source fields for severity overridden.

What's working:
For older 7.11 builds, it is working fine:
[screenshot: EventRules2]

What's not working:
N/A

Screenshot:
[screenshot: EventRules]

@muskangulati-qasource muskangulati-qasource added bug Fixes for quality problems that affect the customer experience Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. labels Dec 15, 2020
@muskangulati-qasource
Author

@manishgupta-qasource Please review!

@manishgupta-qasource

Reviewed & assigned to @MadameSheema

@manishgupta-qasource manishgupta-qasource added the impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. label Dec 15, 2020
@MadameSheema MadameSheema added Team:Detections and Resp Security Detection Response Team and removed v7.11.0 labels Dec 17, 2020
@MadameSheema
Member

@spong @pedro can you please help to prioritise this? Thanks :)

@banderror
Contributor

banderror commented Dec 29, 2020

Sorry, I'm not sure I fully got the steps mentioned in the description of the ticket, but I managed to reproduce the bug with the following steps:

  1. Make sure to not have Endpoint Security data indexed in Elasticsearch. Remove logs-endpoint.alerts-* indices if you have them.
  2. Navigate: [Security] -> [Detections] tab -> click [Manage detection rules].
  3. Load pre-built detection rules.
  4. Find "Endpoint Security" rule. Duplicate it: click context menu -> [Duplicate rule].
  5. Open the "Endpoint Security [Duplicate]" rule and click [Edit rule settings].
  6. Click [About].
  7. Observe the bug:
    • under the "Severity override" section, the source fields are empty but the mapping actually exists
    • under the "Risk score override" section, the source field is empty but the mapping actually exists

@muskangulati-qasource if you used other steps to reproduce it, please share, I want to make sure I addressed the case you described in the issue.

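The reproduction steps above hinge on one condition: the rule's override mappings are stored on the rule object, but the field they point at (here, a field that only exists once endpoint alert data is indexed) is absent from the index. The following is an added example, not code from Kibana or the Security Solution project, that audits a rule's `severity_mapping` and `risk_score_mapping` entries directly from the rule document, so that a practitioner can tell an empty mapping (data actually missing) apart from a mapping whose source field simply is not backed by the index yet (the case this issue describes). It assumes the entry shapes `{field, operator, value, severity}` and `{field, operator, value, risk_score}` as returned by the Detection Engine rules API; the sample rule, its field names and values, and the index field sets are constructed for illustration and are not copied from the shipped rule.

```python
"""
Added example, not code from Kibana or the Security Solution project: audit the
severity and risk-score override mappings stored on detection rules, as a
data-level cross-check of what the rule editor shows.

Assumptions: rule documents carry `severity_mapping` entries shaped
{field, operator, value, severity} and `risk_score_mapping` entries shaped
{field, operator, value, risk_score}, as the Detection Engine rules API returns
them; the sample rule and index field sets below are constructed for illustration.
"""
import json
import urllib.request
from typing import Dict, Iterable, List

# Constructed sample rule shaped like a `_find` response entry. Field names
# and values are illustrative, not copied from the shipped Endpoint Security rule.
SAMPLE_RULE: Dict = {
    "name": "Endpoint Security [Duplicate]",
    "index": ["logs-endpoint.alerts-*"],
    "severity": "medium",
    "severity_mapping": [
        {"field": "event.severity", "operator": "equals", "value": "21", "severity": "low"},
        {"field": "event.severity", "operator": "equals", "value": "47", "severity": "medium"},
        {"field": "event.severity", "operator": "equals", "value": "73", "severity": "high"},
        {"field": "event.severity", "operator": "equals", "value": "99", "severity": "critical"},
    ],
    "risk_score": 47,
    # Assumption: a risk-score override takes the score from the field itself,
    # so `value` is empty and no static `risk_score` is attached to the entry.
    "risk_score_mapping": [
        {"field": "event.risk_score", "operator": "equals", "value": ""},
    ],
}

# Constructed field lists: what the rule's index pattern exposes without any
# endpoint alert data (the precondition in the reproduction steps) and with it.
FIELDS_WITHOUT_ENDPOINT_DATA = {"@timestamp", "event.kind", "host.name"}
FIELDS_WITH_ENDPOINT_DATA = FIELDS_WITHOUT_ENDPOINT_DATA | {"event.severity", "event.risk_score"}


def audit_rule(rule: Dict, index_fields: Iterable[str]) -> List[str]:
    """Return findings for override mappings with a missing source field, a
    missing source value (severity mappings only), or a source field that the
    index does not expose."""
    known = set(index_fields)
    findings: List[str] = []
    checks = (("severity_mapping", True), ("risk_score_mapping", False))
    for key, value_required in checks:
        for i, entry in enumerate(rule.get(key) or []):
            where = f"{rule.get('name', '?')}: {key}[{i}]"
            field = entry.get("field") or ""
            if not field:
                # The symptom reported in this issue: a mapping row with no source field.
                findings.append(f"{where}: empty source field")
            elif field not in known:
                # Stored mapping is intact, but nothing in the index backs it yet; a
                # UI that builds its field list from the index cannot display it.
                findings.append(f"{where}: source field {field!r} not present in index")
            if value_required and not entry.get("value"):
                findings.append(f"{where}: empty source value")
    return findings


def fetch_rules(kibana_url: str, auth_header: str, per_page: int = 500) -> List[Dict]:
    """Fetch rules from the Detection Engine `_find` endpoint (needs network; the
    stand-alone run below does not call it). `auth_header` is e.g. 'Basic <base64>'."""
    req = urllib.request.Request(
        f"{kibana_url.rstrip('/')}/api/detection_engine/rules/_find?per_page={per_page}",
        headers={"kbn-xsrf": "true", "Authorization": auth_header},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["data"]


if __name__ == "__main__":
    for fields, label in ((FIELDS_WITH_ENDPOINT_DATA, "with endpoint data"),
                          (FIELDS_WITHOUT_ENDPOINT_DATA, "without endpoint data")):
        print(f"--- {label} ---")
        for line in audit_rule(SAMPLE_RULE, fields) or ["no findings"]:
            print(line)
```

Against a live stack, pass the output of `fetch_rules(...)` to `audit_rule` together with the field list of the rule's index pattern; a rule that produces only "not present in index" findings has its mappings stored correctly, and the empty fields in the editor are a display problem rather than lost configuration.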
@muskangulati-qasource
Author

Hi @banderror,

Sorry for the confusion, and thank you for providing detailed steps.
The steps shared and the issue addressed are exactly correct.

Please let us know if we are missing anything!

Thanks!!

@banderror
Contributor

@muskangulati-qasource no worries, thank you, that's great!

@peluja1012
Contributor

@muskangulati-qasource fix has been merged. Could you please validate when you get a chance?

@muskangulati-qasource
Author

Hi @peluja1012,

We validated this ticket on the latest 7.11.0 build and found that the issue is partially fixed. Please find the observations below:

Build Details:

Platform: Staging
Version: 7.11.0
Commit: f3abc08ac648f8b302733c5c22a39048314a027c
Build number: 37399
Artifact: https://staging.elastic.co/7.11.0-710164a0/summary-7.11.0.html

Observation:

  • The source fields are empty but the mapping actually exists under the "Severity override": 🟢 Fixed
  • The source field is empty but the mapping actually exists under the "Risk score override": 🔴 Not fixed

Refer Screenshot:
[screenshot: severityOverridden]

We will validate this ticket on BC2 to ensure the fixes are present there.

Please let us know if anything else is required from our end.

Thanks!!

@banderror
Contributor

Yep, the fix hasn't been propagated to 7.11.0 build candidate yet.
The Artifact: https://staging.elastic.co/7.11.0-710164a0/summary-7.11.0.html is BC1 (referenced in https://github.com/elastic/dev/issues/1584) from 17 Dec 2020.
The fix should be already available in 7.11.0-SNAPSHOT (staging cloud) or let's wait for BC2.
Thank you!

@banderror
Contributor

PRs:

-> 8.0.0 #87004
-> 7.12.0 #87411
-> 7.11.0 #87412

@muskangulati-qasource
Author

Hi @MadameSheema,

We have validated this ticket on both the 7.11.0-BC2 and 8.0-SNAPSHOT builds and found that the issue is now fixed:

Build details:

  • Kibana version: 7.11.0-BC2
    Build: 37605
    Commit: a5126f7a280a6f4a27dc3aca65c1c89ccd1ac694
  • Kibana version: 8.0-SNAPSHOT
    Build: 39338
    Commit: b0ba4f47abe892729f11f349db91e845389a3e25

Refer screenshots:

  • Kibana version: 7.11.0-BC2
    [screenshot: 7 11]

  • Kibana version: 8.0-SNAPSHOT
    [screenshot: resolved!]

Hence, we are closing this ticket!!

Thanks!

@ghost

ghost commented Mar 1, 2021

Hi @MadameSheema

We have validated this ticket on 7.12.0 BC2 and found that the issue is fixed. The detection rules have both source values and Source fields for severity overridden when editing the rule.

Build Details:

Version: 7.12.0 BC2
Build: 39000
Commit: 4f65a5a1268fa78f1af9117d12312e1cee433376
Artifacts: https://staging.elastic.co/7.12.0-37f40745/summary-7.12.0.html

Screenshots:
[screenshot: Edit_rule]

[screenshot: risk_score]

Please let us know if anything else is required from our end.

Thanks!!

@ghost ghost added the QA:Validated Issue has been validated by QA label Mar 1, 2021
@ghost

ghost commented Mar 30, 2021

Bug Conversion:

Updated 1 test case for this ticket:
https://elastic.testrail.io/index.php?/cases/view/15541

Thanks!!
