
[Security Solution][Detection Engine] Threshold rules do not create signals with CIDR IP's #77253

@FrankHassanabad

Description


Kibana version:
7.9.0

Describe the bug:
CIDR queries for threshold rules do not work. If you add a CIDR query to a threshold rule it will not be able to correctly insert the signal because of the way it creates the synthetic signal in the file:

`x-pack/plugins/security_solution/server/lib/detection_engine/signals/bulk_create_threshold_signals.ts`

Steps to reproduce:

Create a threshold rule with a CIDR query like the one below:

```
destination.ip: 10.142.0.7/16
```

[Screenshot: threshold rule with the CIDR query above]

Run it and notice that you see this error in your logs:

```
server    log   [13:43:52.965] [error][plugins][plugins][securitySolution][securitySolution] [-] bulkResponse had errors with responses of: {"failed to parse field [destination.ip] of type [ip] in document with id '75dc881c04149cc021e7e2ed5242e74349d33ff62ae1ce57317195738b200546'. Preview of field's value: '10.142.0.7/16'":{"count":1,"statusCode":400}}
```

Expected behavior:
It should write out the signal and not have errors.

Unit test for the code that shows the problem:

In this file:

`x-pack/plugins/security_solution/server/lib/detection_engine/signals/bulk_create_threshold_signals.test.ts`

Add this test:

```ts
  it('should NOT add invalid characters from CIDR such as the "/" proper object for simple match_phrase filters', () => {
    const filters = {
      bool: {
        must: [],
        filter: [
          {
            bool: {
              should: [
                {
                  match: {
                    'destination.ip': '192.168.0.0/16',
                  },
                },
              ],
              minimum_should_match: 1,
            },
          },
        ],
        should: [],
        must_not: [],
      },
    };

    expect(getThresholdSignalQueryFields(filters)).toEqual({
      'destination.ip': '192.168.0.16',
    });
  });
```

Get this failed result to fix:

```
 getThresholdSignalQueryFields  should NOT add invalid characters from CIDR such as the "/" proper object for simple match_phrase filters

    expect(received).toEqual(expected) // deep equality

    - Expected  - 1
    + Received  + 1

      Object {
    -   "destination.ip": "192.168.0.16",
    +   "destination.ip": "192.168.0.0/16",
```
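As an added example (not code from Kibana or the Security Solution plugin), the walk below extracts the match fields a synthetic threshold signal would be built from and keeps CIDR values out of `ip`-typed fields, which is what the 400 above is about. `collectMatchFields`, `safeSignalFields`, `isCidr` and the CIDR regex are assumptions made for this illustration.

```typescript
// Added example, not Kibana's own code. Walks a rule's bool filter, collects
// match/match_phrase field:value pairs, and flags CIDR values so they are never
// written into a signal field mapped as `ip` (which rejects "10.142.0.7/16").

type Clause = Record<string, unknown>;

export interface SignalField {
  field: string;
  value: string;
  isCidr: boolean;
}

// IPv4 dotted quad, or IPv6 hex groups with at least two colons, plus /prefix.
// Heuristic for this example; production code should reuse a real ip-range validator.
const CIDR_RE = /^(?:\d{1,3}(?:\.\d{1,3}){3}|(?:[0-9a-fA-F]*:){2,}[0-9a-fA-F]*)\/\d{1,3}$/;

export function isCidr(value: string): boolean {
  return CIDR_RE.test(value);
}

// Recursively collect match / match_phrase clauses from a Query DSL tree.
export function collectMatchFields(node: unknown, out: SignalField[] = []): SignalField[] {
  if (Array.isArray(node)) {
    node.forEach((n) => collectMatchFields(n, out));
  } else if (node !== null && typeof node === 'object') {
    for (const [key, child] of Object.entries(node as Clause)) {
      if ((key === 'match' || key === 'match_phrase') && child !== null && typeof child === 'object') {
        for (const [field, raw] of Object.entries(child as Clause)) {
          // Both {field: value} and {field: {query: value}} forms are accepted.
          const value =
            raw !== null && typeof raw === 'object' && 'query' in raw ? String((raw as Clause).query) : String(raw);
          out.push({ field, value, isCidr: isCidr(value) });
        }
      } else {
        collectMatchFields(child, out);
      }
    }
  }
  return out;
}

// Field map a synthetic signal can safely carry: CIDR values are kept out of it
// and returned separately so the caller can log them instead of hitting a 400.
export function safeSignalFields(filters: unknown): { fields: Record<string, string>; skipped: SignalField[] } {
  const fields: Record<string, string> = {};
  const skipped: SignalField[] = [];
  for (const f of collectMatchFields(filters)) {
    if (f.isCidr) skipped.push(f);
    else fields[f.field] = f.value;
  }
  return { fields, skipped };
}
```

Fed the filter object from the failing unit test above, `safeSignalFields` returns an empty field map and reports `destination.ip: 192.168.0.0/16` as skipped; a plain `10.142.0.7` passes through unchanged.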

Labels: Feature:Detection Rules, Team: SecuritySolution, Team:Detections and Resp, Team:SIEM, bug, impact:medium