
[AbuseCH] Empty String Values for Hashes Causing False Positive Detection Rule Alerts #7101

Closed MakoWish closed 1 year ago

MakoWish commented 1 year ago

Describe the Issue

Some AbuseCH documents are ingested with empty strings for hash values. In the sample below, `threat.indicator.file.pe.imphash` is `""` and an empty string also appears as the last entry of `related.hash`, which appears to be where that value ends up. Because an empty indicator matches any event whose hash field is also empty, this produces an unbounded number of detection rule hits and effectively renders the rule unusable.

Related Issues

detection-rules/#2954

Sample Data

{
    "input": {
      "type": "httpjson"
    },
    "agent": {
      "name": "Redacted",
      "id": "cdcd8072-1d30-414a-aa71-c96d2cb5e259",
      "type": "filebeat",
      "ephemeral_id": "e58cd5a2-1d47-4b89-b490-c1e13b364d7f",
      "version": "8.8.1"
    },
    "@timestamp": "2023-06-22T07:35:41.076Z",
    "ecs": {
      "version": "8.8.0"
    },
    "related": {
      "hash": [
        "B9DAFC265A8BFEAA7EB30A2BA415310235381E48",
        "8E45F8B7642FA964FE628039040D5D77A7D3F177687A6969ECD000C83826EA4C94E3F6B615A5091DA0CDBFE86D183CCE",
        "7CC8EF889A24D8BE46158ED9525EDB3EFE4B872709EDFE4C565FB562271969EE",
        "T102C59EE8D06B40D2FC076EC468287AD7073231B3DEE50438276E7A089F7BDA95549E5E",
        "24576:JILK2NYDAYN0O6PUCD65X8HVLTFBQICQT/UC/FVWG/X5YIEYBF1KMXMWLKRA:",
        "67274E089D17FCBDB0A31877D7155622",
        ""
      ]
    },
    "data_stream": {
      "namespace": "default",
      "type": "logs",
      "dataset": "ti_abusech.malwarebazaar"
    },
    "abusech": {
      "malwarebazaar": {
        "intelligence": {
          "downloads": 109,
          "uploads": 1
        },
        "tags": [
          "exe"
        ],
        "anonymous": 0,
        "code_sign": []
      }
    },
    "elastic_agent": {
      "id": "cdcd8072-1d30-414a-aa71-c96d2cb5e259",
      "version": "8.8.1",
      "snapshot": false
    },
    "threat": {
      "indicator": {
        "geo": {
          "country_iso_code": "NL"
        },
        "first_seen": "2023-06-22T07:31:33.000Z",
        "file": {
          "extension": "exe",
          "size": 2740224,
          "mime_type": "application/x-dosexec",
          "pe": {
            "imphash": ""
          },
          "name": "67274e089d17fcbdb0a31877d7155622.exe",
          "hash": {
            "sha1": "b9dafc265a8bfeaa7eb30a2ba415310235381e48",
            "sha384": "8e45f8b7642fa964fe628039040d5d77a7d3f177687a6969ecd000c83826ea4c94e3f6b615a5091da0cdbfe86d183cce",
            "sha256": "7cc8ef889a24d8be46158ed9525edb3efe4b872709edfe4c565fb562271969ee",
            "tlsh": "T102C59EE8D06B40D2FC076EC468287AD7073231B3DEE50438276E7A089F7BDA95549E5E",
            "ssdeep": "24576:jIlK2NYDaYn0o6PuCD65x8HvLtFBqicQT/UC/FVWg/X5YIEYBF1kmXmWLKRa:",
            "md5": "67274e089d17fcbdb0a31877d7155622"
          },
          "elf": {}
        },
        "provider": "abuse_ch",
        "type": "file"
      },
      "software": {}
    },
    "event": {
      "agent_id_status": "verified",
      "ingested": "2023-06-22T07:35:43Z",
      "created": "2023-06-22T07:35:41.076Z",
      "kind": "enrichment",
      "category": "threat",
      "type": "indicator",
      "dataset": "ti_abusech.malwarebazaar"
    },
    "tags": [
      "forwarded",
      "abusech-malwarebazaar"
    ]
  }
elasticmachine commented 1 year ago

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)