
[Security Solution][Detections] No results in Rule Preview #119098

Closed
banderror opened this issue Nov 18, 2021 · 5 comments · Fixed by #121249
Labels: bug, impact:high, sdh-linked, Team:Detections and Resp, Team: SecuritySolution, v8.0.0

Comments

@banderror

Summary

I have a test index for source events with custom non-ECS fields. If I create a rule that targets this index, I can't see any results in the Rule Preview, but the rule is able to find the events and generate alerts if you save and run it.

Repro steps

Create a custom index for source events and write a test object with a timestamp as of today:

PUT /sdh-247
{
  "mappings": {
    "dynamic": "true",
    "properties": {
      "@timestamp": { "type": "date" },
      "deviceCustomDateLabel": { "type": "keyword" },
      "deviceCustomDate_Date": { "type": "date" },
      "deviceCustomDate_Long": { "type": "long" },
      "deviceCustomDate_DateNanos": { "type": "date_nanos" }
    }
  },
  "settings": {
    "index": {
      "number_of_shards": 1
    }
  }
}

PUT /sdh-247/_doc/1
{
  "@timestamp": "2021-11-18T12:10:30Z",
  "deviceCustomDateLabel": "TRENUTAN_DATUM_UO",
  "deviceCustomDate_Date": "2021-11-18T12:10:30Z",
  "deviceCustomDate_Long": 1074640200000,
  "deviceCustomDate_DateNanos": 1074640200000
}

Create a Custom query rule that should generate an alert based on it:

Observe no results in the Rule Preview:

Set a sufficient look-back time so the rule could find the source event (e.g. 48 hours). Save and run this rule, and it should find the event and generate an alert from it:

Environment

Local dev environment
Branch: main
Kibana config:

elasticsearch:
  username: 'kibana_system'
  password: 'changeme'
  hosts: 'http://localhost:9200'

xpack.ruleRegistry.write.enabled: true
xpack.ruleRegistry.unsafe.indexUpgrade.enabled: true
xpack.ruleRegistry.unsafe.legacyMultiTenancy.enabled: true
xpack.securitySolution.enableExperimental: ['ruleRegistryEnabled']

banderror added the bug, Team:Detections and Resp and Team: SecuritySolution labels on Nov 18, 2021

@elasticmachine

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@elasticmachine

Pinging @elastic/security-solution (Team: SecuritySolution)

ecezalp commented Nov 18, 2021

inspecting the rule preview query
(screenshot of the rule preview query)

adding "event.category": {"type": "keyword"} mapping to the sdh-247 index, and creating a new event


PUT /sdh-247/_doc/2
{
  "@timestamp": "2021-11-18T12:10:30Z",
  "deviceCustomDateLabel": "TRENUTAN_DATUM_UO",
  "deviceCustomDate_Date": "2021-11-18T12:10:30Z",
  "deviceCustomDate_Long": 1074640200000,
  "deviceCustomDate_DateNanos": 1074640200000,
  "event": {
    "category": "test"
  }
}

the new event with the category shows up on the preview

ecezalp commented Nov 19, 2021

the problem can be fixed by adding a value for the missing parameter to the matrix histogram query.

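The behaviour described in the repro steps and in the comment above (an event that lacks event.category is invisible in the preview, and a missing parameter on the histogram query is the fix) can be reproduced locally. The following is an added example, not code from the Kibana repository or from the commenters; it assumes the preview's matrix histogram is a terms aggregation on event.category, builds the aggregation body with and without the Elasticsearch `missing` parameter, and simulates bucket assignment over two constructed documents modelled on the issue's doc 1 and doc 2. The names build_histogram_agg, run_terms_agg and the bucket key "All others" are hypothetical.

```python
"""Why a detection preview can silently drop events: a terms aggregation
skips documents that lack the aggregated field unless `missing` is set."""
from collections import Counter

# Constructed sample documents modelled on the issue's two test events:
# doc 1 has only custom (non-ECS) fields, doc 2 also carries event.category.
DOCS = [
    {"_id": "1", "@timestamp": "2021-11-18T12:10:30Z",
     "deviceCustomDateLabel": "TRENUTAN_DATUM_UO"},
    {"_id": "2", "@timestamp": "2021-11-18T12:10:30Z",
     "deviceCustomDateLabel": "TRENUTAN_DATUM_UO",
     "event": {"category": "test"}},
]


def get_field(doc, path):
    """Resolve a dotted field path such as 'event.category'; None if absent."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def build_histogram_agg(field, missing=None):
    """Build the terms-aggregation body sent to Elasticsearch (hypothetical
    shape). missing=None reproduces the query without a `missing` value;
    passing a string gives every field-less document a bucket of its own."""
    terms = {"field": field, "size": 10}
    if missing is not None:
        terms["missing"] = missing
    return {"aggs": {"stackByField": {"terms": terms}}}


def run_terms_agg(docs, agg_body):
    """Local simulation of Elasticsearch terms-bucket semantics: a document
    without the field is ignored unless `missing` supplies a substitute key."""
    terms = agg_body["aggs"]["stackByField"]["terms"]
    counts = Counter()
    for doc in docs:
        value = get_field(doc, terms["field"])
        if value is None:
            if "missing" not in terms:
                continue          # dropped: this is the preview's blind spot
            value = terms["missing"]
        counts[value] += 1
    return dict(counts)


def preview_total(docs, agg_body):
    """Number of events the preview histogram would show for these docs."""
    return sum(run_terms_agg(docs, agg_body).values())


if __name__ == "__main__":
    without_missing = build_histogram_agg("event.category")
    with_missing = build_histogram_agg("event.category", missing="All others")
    print("no `missing`:  ", run_terms_agg(DOCS, without_missing))
    print("with `missing`:", run_terms_agg(DOCS, with_missing))
```

Running it shows the preview counting one event without `missing` and both events with it, which is the gap between "no results in Rule Preview" and "the saved rule generates an alert": the rule's own query matched the document all along, only the histogram that backs the preview discarded it. When you rely on a preview to validate detection logic against non-ECS sources, a zero-result preview is worth cross-checking with a direct search before concluding the rule is wrong.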
ecezalp commented Nov 19, 2021

#119253

peluja1012 added the sdh-linked and impact:high labels on Dec 10, 2021