[Security Solution][Detection Engine] - Update exceptions logic #71512
…ge value list was blocking signal creation
@@ -37,11 +38,28 @@ export const filterEventsAgainstList = async ({ | |||
return eventSearchResult; | |||
} | |||
|
|||
const exceptionItemsWithLargeValueLists = exceptionsList.reduce<ExceptionListItemSchema[]>( |
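Review bot: the reduce that starts at the end of this hunk collects only the items that carry a large value list, so the function needs an explicit path for the case where that collection comes back empty: it should return `eventSearchResult` untouched, just like the early return in the context above, rather than continuing into the list-filtering promises and handing back an empty hit set. A unit test with an exception list that contains no value-list entries would pin that behaviour down.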
NOTE: I found that when an exception item did not include a large value list, it still entered the logic of mapping through the exceptions to find large value lists and resulted in filteredHitsPromises being [[]]. Since it read it as not null, and having a length, we would pass back a SignalSearchResponse with 0 hits and this was passed to the function creating the signals.
I have reviewed the DSL from the PR description and they look good. I have one general comment: the examples here tend to use exceptions that are in the form of
Ah, I'm not sure about this one. The logic that we need to implement, on a signal per signal basis, is:
If we put the
It could be that if the exception contains a list, then the whole exception needs to be implemented in code, rather than KQL. Not sure if we can get around that.
x-pack/plugins/security_solution/common/detection_engine/build_exceptions_query.test.ts (outdated review thread, resolved)
x-pack/plugins/security_solution/common/detection_engine/build_exceptions_query.ts (outdated review thread, resolved)
Pinging @elastic/siem (Team:SIEM)
…sure better, unit tests need updating
LGTM pending test updates. I'd like to take a closer look at the buildNested function, but that's for another PR.
@elasticmachine merge upstream
@elasticmachine merge upstream
💚 Build Succeeded
Build metrics reported: @kbn/optimizer bundle module count, async chunks size, miscellaneous assets size.
To update your PR or re-run it, just comment with:
…tic#71512) Co-authored-by: Elastic Machine <[email protected]> Co-authored-by: Yara Tercero <[email protected]>
* master: [APM] Add error rates to Service Map popovers (elastic#69520) [Security Solution][Detection Engine] - Update exceptions logic (elastic#71512) [Security Solution] Full screen timeline, Collapse event (elastic#71786) [Security Solution][Exception Modal] Create endpoint exception list if it doesn't already exist (elastic#71807) [Detection Rules] Add 7.9 rules (elastic#71808) [Search] Add telemetry for data plugin search service (elastic#70677) Add @elastic/safer-lodash-set as an alternative to lodash.set (elastic#67452) [tests] Temporarily skipped to promote snapshot
…) (#71847) Co-authored-by: Elastic Machine <[email protected]> Co-authored-by: Yara Tercero <[email protected]> Co-authored-by: Yara Tercero <[email protected]> Co-authored-by: Elastic Machine <[email protected]> Co-authored-by: Yara Tercero <[email protected]>
…) (#72106) Co-authored-by: Elastic Machine <[email protected]> Co-authored-by: Yara Tercero <[email protected]> Co-authored-by: Yara Tercero <[email protected]> Co-authored-by: Elastic Machine <[email protected]> Co-authored-by: Yara Tercero <[email protected]>
Pinging @elastic/security-solution (Team: SecuritySolution)
Summary
This PR addresses a few different issues with how exceptions are handled in the detections engine. We previously were using the following logic:
This resulted in some confusion with the logic and expected results. The logic that creates the KQL from the exceptions was updated so that it now more closely resembles (visually looks like) how the user thinks of it. So given the following:
...is now being broken down into the following....
Due to a few limitations, primarily the lack of subquery functionality, we want to find an optimal way of querying the raw events. We've found that we can leverage KQL/ES with exceptions that do not include large value lists as shown above. Any exception items that include large value lists will get dealt with in filter_with_lists.ts. For context, the exception items are formed using KQL to allow a user to still add a nested exception even when the rule language is Lucene. Lucene does not support nested queries, but we are able to send a mix of KQL and Lucene queries to be built into the proper ES DSL.
Single exception item w/ single entry
Rule Query:
host.name: *
KQL:
[{"query":"host.name:*", "language":"kuery"}, {"query":"not (event.module:\"traefik\")", "language":"kuery"}]
Exception per UI:
event.module - is - traefik
ES query:
Multiple exception items w/ single entry
Rule Query:
host.name: *
KQL:
[{"query":"host.name:*","language":"kuery"},{"query":"not ((event.module:\"traefik\") or (source.port:*))","language":"kuery"}]
Exception 1 per UI:
event.module - is - traefik
Exception 2 per UI:
source.port - exists
ES query:
Single exception item w/ multiple entries
Rule Query:
host.name: *
KQL:
[{"query":"host.name:*","language":"kuery"},{"query":"not (event.module:\"suricata\" and destination.ip:\"10.128.0.33\")","language":"kuery"}]
Exception per UI:
event.module - is - suricata and destination.ip - is - 10.128.0.33
ES query:
Single exception item w/ large value list entry
Rule Query:
host.name: *
KQL:
[{"query":"host.name: * ","language":"kuery"}]
Post initial KQL search filters candidate signals against large value list
Exception per UI:
source.ip - is not in list -[LIST W/ ONE IP]
ES query:
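The four cases above follow one rule: entries inside an exception item are AND'ed, items are OR'ed, the whole clause is negated and appended after the rule query as KQL, and any item carrying a large value list is left out of the KQL and handed to post-search filtering. The following is an added example that models that rule; it is not Kibana's code, and its types, operator names and function names are assumptions rather than the project's schema.

```typescript
// Added example, not Kibana's own code. Models how exception items become a
// negated KQL filter appended after the rule query, and how items that carry a
// large value list are held back for post-search filtering in code.
// Types, operator names and function names are assumptions, not Kibana's schema.

type Operator = 'match' | 'exists' | 'list';

interface Entry {
  field: string;
  operator: Operator;
  value?: string;   // literal value for 'match'
  listId?: string;  // value list identifier for 'list' (hypothetical)
}
interface ExceptionItem { entries: Entry[]; }
interface Query { query: string; language: 'kuery' | 'lucene'; }

// Large value list membership cannot be expressed in KQL (no subqueries).
function hasLargeValueList(item: ExceptionItem): boolean {
  return item.entries.some((e) => e.operator === 'list');
}

function entryToKql(e: Entry): string {
  return e.operator === 'exists' ? `${e.field}:*` : `${e.field}:"${e.value}"`;
}

// Entries within one item are AND'ed, items are OR'ed, and the whole clause is
// negated. A single item is emitted without the extra per-item parentheses.
function buildExceptionsKql(items: ExceptionItem[]): string | null {
  const clauses = items
    .filter((item) => !hasLargeValueList(item))
    .map((item) => item.entries.map(entryToKql).join(' and '));
  if (clauses.length === 0) return null;
  if (clauses.length === 1) return `not (${clauses[0]})`;
  return `not (${clauses.map((c) => `(${c})`).join(' or ')})`;
}

// Rule query first (in its own language), exception filter always as KQL so that
// nested exceptions still work for Lucene rules; list items go to post-filtering.
function buildQueries(rule: Query, items: ExceptionItem[]) {
  const queries: Query[] = [rule];
  const exceptions = buildExceptionsKql(items);
  if (exceptions !== null) queries.push({ query: exceptions, language: 'kuery' });
  return { queries, valueListItems: items.filter(hasLargeValueList) };
}
```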