
[Security Solution] Timeline actions not returning nested fields #90808

@dplumlee

Description


Overview

In 7.11, the required fields for actions aren't properly returning nested fields such as `file.Ext.code_signature`, which is causing the exceptions modal to softly break, in that it cannot autofill those fields with Endpoint exceptions.

Expected fields being returned

```ts
export const requiredFieldsForActions = [
  '@timestamp',
  'signal.status',
  'signal.group.id',
  'signal.original_time',
  'signal.rule.building_block_type',
  'signal.rule.filters',
  'signal.rule.from',
  'signal.rule.language',
  'signal.rule.query',
  'signal.rule.name',
  'signal.rule.to',
  'signal.rule.id',
  'signal.rule.index',
  'signal.rule.type',
  'signal.original_event.kind',
  'signal.original_event.module',
  // Endpoint exception fields
  'file.path',
  'file.Ext.code_signature.subject_name',
  'file.Ext.code_signature.trusted',
  'file.hash.sha256',
  'host.os.family',
  'event.code',
];
```

Actual fields being returned

[Screenshot of the actual fields returned, captured 2021-02-09]
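To make the failure mode concrete, here is an added example (not Kibana's code, and not how the Security Solution actually resolves fields) that walks the Endpoint exception field paths against an alert document. A document may arrive as a nested `_source` object or as flattened dotted keys (as the Elasticsearch `fields` response is shaped), and a lookup that only understands one shape silently drops nested paths like `file.Ext.code_signature.subject_name`, which is exactly what leaves the exceptions modal unable to autofill. The `endpointExceptionFields` subset, the sample documents and the helper names are constructed for this example.

```typescript
// Added example, not Kibana's implementation: resolve dotted field paths against an
// alert document in either nested (_source) or flattened (dotted-key) shape, and
// report which required fields could not be found.

type Doc = Record<string, unknown>;
type Lookup = (doc: Doc, path: string) => unknown;

// Endpoint exception fields from the issue's requiredFieldsForActions list (subset).
const endpointExceptionFields = [
  'file.path',
  'file.Ext.code_signature.subject_name',
  'file.Ext.code_signature.trusted',
  'file.hash.sha256',
  'host.os.family',
  'event.code',
];

// Naive lookup: only sees a key literally equal to the dotted path. Works for
// flattened documents, returns undefined for every nested field in a _source doc.
function getFlatField(doc: Doc, path: string): unknown {
  return Object.prototype.hasOwnProperty.call(doc, path) ? doc[path] : undefined;
}

// Robust lookup: try the flattened key first, otherwise descend segment by segment
// through nested objects so file.Ext.code_signature.subject_name is found.
function getField(doc: Doc, path: string): unknown {
  const flat = getFlatField(doc, path);
  if (flat !== undefined) return flat;
  let current: unknown = doc;
  for (const segment of path.split('.')) {
    if (current === null || typeof current !== 'object') return undefined;
    current = (current as Doc)[segment];
  }
  return current;
}

// Collect every required field with the given lookup and list the ones that are missing;
// a non-empty `missing` array is the condition that breaks exception autofill.
function collectFields(
  doc: Doc,
  fields: string[],
  lookup: Lookup = getField,
): { found: Record<string, unknown>; missing: string[] } {
  const found: Record<string, unknown> = {};
  const missing: string[] = [];
  for (const path of fields) {
    const value = lookup(doc, path);
    if (value === undefined) missing.push(path);
    else found[path] = value;
  }
  return { found, missing };
}

// Constructed nested _source document resembling an endpoint alert (hash is a placeholder).
const nestedAlert: Doc = {
  '@timestamp': '2021-02-09T11:22:32.000Z',
  event: { code: 'malicious_file' },
  host: { os: { family: 'windows' } },
  file: {
    path: 'C:\\Users\\example\\Downloads\\sample.exe',
    hash: { sha256: '<placeholder-sha256>' },
    Ext: { code_signature: { subject_name: 'Example Publisher', trusted: true } },
  },
};

// The same constructed alert in flattened dotted-key shape.
const flattenedAlert: Doc = {
  '@timestamp': '2021-02-09T11:22:32.000Z',
  'event.code': 'malicious_file',
  'host.os.family': 'windows',
  'file.path': 'C:\\Users\\example\\Downloads\\sample.exe',
  'file.hash.sha256': '<placeholder-sha256>',
  'file.Ext.code_signature.subject_name': 'Example Publisher',
  'file.Ext.code_signature.trusted': true,
};

// Running both lookups over the nested alert shows the bug: the naive lookup reports
// every Endpoint exception field as missing, the robust one finds all of them.
const naive = collectFields(nestedAlert, endpointExceptionFields, getFlatField);
const robust = collectFields(nestedAlert, endpointExceptionFields);
console.log('naive missing:', naive.missing);
console.log('robust missing:', robust.missing);
```

A check like `collectFields(...).missing` is what an engineer would want in a test around this code path: assert that the list is empty for both document shapes, so a regression in how nested fields are requested or flattened fails loudly instead of quietly leaving the exception form blank.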

Labels: Team:Threat Hunting (Security Solution Threat Hunting Team), bug (Fixes for quality problems that affect the customer experience), fixed
