elastic / integrations

[Security Detection Engine] Incorrect Indices for "Suspicious Web Browser Sensitive File Access" Rule #10901

Open MakoWish opened 2 weeks ago

MakoWish commented 2 weeks ago

Issue:

The detection rule "Suspicious Web Browser Sensitive File Access" is currently configured to query the logs-endpoint.events.file.* indices, but it is a process-related rule and needs to instead be looking at the logs-endpoint.events.process.* indices. As the rule is currently configured, execution results in an error:

[Image: screenshot of the rule execution error]

Suggestion:

Change the defined index in the detection rule. I will open a PR for this momentarily.

andrewkroh commented 2 weeks ago

Hi @MakoWish, I think the source for the rule is actually at

https://github.com/elastic/detection-rules/blob/e60c21b37b3327839570ee8be0f3a8cc3c8b0dfb/rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml#L16

and then the Detections team generates the content of the package based off that. So I think you want to make a PR to change that file.

MakoWish commented 2 weeks ago

That is strange that what is in the Integrations repo shows logs-endpoint.events.file.* which is both the incorrect index, and incorrectly has a trailing .*.

https://github.com/elastic/integrations/blob/44c242ecdd24205e971a1f3ae0df81ff7344396f/packages/security_detection_engine/kibana/security_rule/20457e4f-d1de-4b92-ae69-142e27a4342a_207.json#L9

But what is in the Detection Rules repo shows logs-endpoint.events.file-* which has the incorrect index, but the trailing -* would be proper.

https://github.com/elastic/detection-rules/blob/e60c21b37b3327839570ee8be0f3a8cc3c8b0dfb/rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml#L16

There seems to be a disconnect somewhere.

andrewkroh commented 2 weeks ago

> There seems to be a disconnect somewhere.

Maybe some kind of translation problem then...

@elastic/threat-research-and-detection-engineering, can you please take a look.

MakoWish commented 2 weeks ago

There actually seem to be more issues with this rule. Not only is it looking at process.* details, which would be in the logs-endpoint.events.process-* indices, but it is also looking for a file.name which does not exist in the logs-endpoint.events.process-* indices. I'll need to dig into this one a bit more.

MakoWish commented 2 weeks ago

Yeah, I cannot find any instances where process.Ext.effective_parent.executable: exists and file.name: exists in any of the logs-endpoint.events.* indices. Unless I am missing something, this seems to be an impossible query.
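The two problems raised above (an index pattern written with a trailing `.*` instead of `-*`, and a query whose fields never coexist in one data stream) can both be caught before a rule ships. The script below is an added example written for this thread, not code from the Integrations or Detection Rules repositories. The data stream names and the per-dataset field inventories are constructed and deliberately simplified, and they are assumptions about the real Endpoint mappings rather than copies of them; the point is the check, which matches each rule pattern against data stream names in the `logs-<dataset>-<namespace>` form and then verifies that every field the query needs exists in at least one matched stream.

```python
"""Sanity-check a detection rule's index patterns and required fields.

Assumptions (constructed for this example): the data stream names and the
per-dataset field lists below are made up to mirror the
logs-<dataset>-<namespace> naming discussed in the thread. Real Endpoint
mappings contain far more fields than listed here.
"""
from fnmatch import fnmatchcase

# Constructed data stream names in logs-<dataset>-<namespace> form.
DATA_STREAMS = [
    "logs-endpoint.events.file-default",
    "logs-endpoint.events.process-default",
    "logs-endpoint.events.network-default",
]

# Constructed, simplified field inventory per dataset (assumption, not the
# actual Endpoint mapping).
FIELDS_BY_DATASET = {
    "endpoint.events.file": {
        "event.action", "file.name", "file.path",
        "process.name", "process.executable",
    },
    "endpoint.events.process": {
        "event.action", "process.name", "process.executable",
        "process.Ext.effective_parent.executable",
    },
    "endpoint.events.network": {
        "event.action", "destination.ip", "process.name",
    },
}


def dataset_of(stream):
    """Extract <dataset> from logs-<dataset>-<namespace>."""
    body = stream.split("-", 1)[1]          # drop the "logs-" type prefix
    return body.rsplit("-", 1)[0]           # drop the "-<namespace>" suffix


def matching_streams(pattern, streams=DATA_STREAMS):
    """Data streams selected by one rule index pattern (glob semantics,
    so '.' is literal: 'logs-endpoint.events.file.*' cannot match a
    stream named 'logs-endpoint.events.file-default')."""
    return [s for s in streams if fnmatchcase(s, pattern)]


def missing_fields(stream, required, fields_by_dataset=FIELDS_BY_DATASET):
    """Fields the rule needs that this stream's dataset does not carry."""
    have = fields_by_dataset.get(dataset_of(stream), set())
    return sorted(f for f in required if f not in have)


def validate_rule(index_patterns, required_fields,
                  streams=DATA_STREAMS, fields_by_dataset=FIELDS_BY_DATASET):
    """Return (matched_streams, {stream: missing_fields}, satisfiable).

    A query that requires all of `required_fields` in one document is only
    satisfiable if at least one matched stream is missing none of them.
    """
    matched = []
    for pattern in index_patterns:
        for s in matching_streams(pattern, streams):
            if s not in matched:
                matched.append(s)
    gaps = {s: missing_fields(s, required_fields, fields_by_dataset)
            for s in matched}
    satisfiable = any(not missing for missing in gaps.values())
    return matched, gaps, satisfiable


if __name__ == "__main__":
    # The field combination the thread could not find in any stream.
    wanted = ["process.Ext.effective_parent.executable", "file.name"]
    for patterns in (["logs-endpoint.events.file.*"],
                     ["logs-endpoint.events.file-*"],
                     ["logs-endpoint.events.process-*"]):
        print(patterns, validate_rule(patterns, wanted))
```

Running it shows the three outcomes the thread describes: the `.*` form matches no data stream at all, the `-*` form on the file dataset matches but lacks the parent-executable field, and the process dataset matches but lacks `file.name`, so the rule is unsatisfiable in either place. Swapping the constructed inventories for the real mappings pulled from a cluster (for example from the field capabilities API) turns this into a useful pre-merge check for rule PRs.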

terrancedejesus commented 2 weeks ago

Hey everyone - To fix the rule, we can open an issue in the Detection Rules repository. Integrations is where we put the prebuilt package for these rules so they can follow the same package release process to EPR, where Fleet pulls them in.

I'm away from my desk but happy to take an initial look when I return later.

Samirbous commented 2 weeks ago

This PR https://github.com/elastic/detection-rules/pull/4029 should fix the error. The index is correct; process.Ext.effective_parent.executable (not populated in file events for macOS) was replaced by Effective_process.executable (populated in file events for macOS 8.11.1+).