Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Security Solution][Alerts] EQL Sequence "shell" alert is missing kibana.alert.uuid #125885

Closed
marshallmain opened this issue Feb 17, 2022 · 1 comment · Fixed by #125890
Closed

[Security Solution][Alerts] EQL Sequence "shell" alert is missing kibana.alert.uuid #125885

marshallmain opened this issue Feb 17, 2022 · 1 comment · Fixed by #125890
Labels
Team:Detection Alerts Security Detection Alerts Area Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v8.0.1

Comments

@marshallmain
Copy link
Contributor

As a result, subsequent rule runs will attempt to write duplicate alerts. The duplicates won't be created, which is good, but they cause errors to be logged such as

ResponseError: {"took":911,"errors":true,"items":[{"create":{"_index":".internal.alerts-security.alerts-infosec-detections-000001","_id":"f3b02017135ce51411a768167836e0ef0bfc587f9a42d002065282a7c8a45c12","status":409,"error":{"type":"version_conflict_engine_exception","reason":"[f3b02017135ce51411a768167836e0ef0bfc587f9a42d002065282a7c8a45c12]: version conflict, document already exists (current version [1])","index_uuid":"ZLAUF8zzTlucc4ZXV-5Swg","shard":"0","index":".internal.alerts-security.alerts-infosec-detections-000001"}}},{"create":{"_index":".internal.alerts-security.alerts-infosec-detections-000001","_id":"1443f53d00d61d6775648f31cf2ed8a527e7d82742ee579de8c78085121c7ada","_version":1,"result":"created","_shards":{"total":2,"successful":2,"failed":0},"_seq_no":135270,"_primary_term":1,"status":201}},{"create":{"_index":".internal.alerts-security.alerts-infosec-detections-000001","_id":"61125124e76afeb4c7130af679266b5b93ad7562f17750cbeb50d9bda57218d8","_version":1,"result":"created","_shards":{"total":2,"successful":2,"failed":0},"_seq_no":135271,"_primary_term":1,"status":201}},{"create":{"_index":".internal.alerts-security.alerts-infosec-detections-000001","_id":"91aa28ba7a4a07afb33a23e34c5828820b4c3e7163587f6c51c89ab5d36fc6ef","_version":1,"result":"created","_shards":{"total":2,"successful":2,"failed":0},"_seq_no":135272,"_primary_term":1,"status":201}}]}
    at /usr/share/kibana/x-pack/plugins/rule_registry/server/rule_data_client/rule_data_client.js:183:29
    at runMicrotasks (<anonymous>)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at alertWithPersistence (/usr/share/kibana/x-pack/plugins/rule_registry/server/utils/create_persistence_rule_type_wrapper.js:91:32)
    at /usr/share/kibana/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/factories/bulk_create_factory.js:37:7
    at eqlExecutor (/usr/share/kibana/x-pack/plugins/security_solution/server/lib/detection_engine/signals/executors/eql.js:106:26)
    at Object.executor (/usr/share/kibana/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/eql/create_eql_alert_type.js:80:22)
    at Object.executor (/usr/share/kibana/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/create_security_rule_type_wrapper.js:261:29)
    at Object.executor (/usr/share/kibana/x-pack/plugins/rule_registry/server/utils/create_persistence_rule_type_wrapper.js:29:21)
    at TaskRunner.executeAlertInstances (/usr/share/kibana/x-pack/plugins/alerting/server/task_runner/task_runner.js:201:31)
    at promiseResult (/usr/share/kibana/x-pack/plugins/alerting/server/lib/result_type.js:44:17)
    at TaskRunner.loadAlertAttributesAndRun (/usr/share/kibana/x-pack/plugins/alerting/server/task_runner/task_runner.js:375:14)
    at errorAsAlertTaskRunResult (/usr/share/kibana/x-pack/plugins/alerting/server/task_runner/task_runner.js:758:12)
    at TaskRunner.run (/usr/share/kibana/x-pack/plugins/alerting/server/task_runner/task_runner.js:439:9)
    at TaskManagerRunner.run (/usr/share/kibana/x-pack/plugins/task_manager/server/task_running/task_runner.js:272:22)

We should populate kibana.alert.uuid in the EQL sequence shell alerts the same way we populate the field for EQL sequence building block alerts and alerts from other rule types.

This bug also highlights the importance of having a reliable static type system for alerts, which could have caught the missing field easily.
@marshallmain marshallmain added Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Detection Alerts Security Detection Alerts Area Team v8.0.1 labels Feb 17, 2022
@elasticmachine
Copy link
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@marshallmain marshallmain mentioned this issue Feb 17, 2022
Merged
@marshallmain marshallmain mentioned this issue Mar 10, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Team:Detection Alerts Security Detection Alerts Area Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v8.0.1
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[Security Solution][Alerts] Populate kibana.alert.uuid in eql sequence alerts marshallmain/kibana
2 participants
@elasticmachine @marshallmain