Closed MakoWish closed 1 year ago
Some AbuseCH documents are ingested with an empty string (`""`) as a hash value — in the sample below, `threat.indicator.file.pe.imphash` is `""`, and that empty value is also carried into the `related.hash` array. Because the empty string is treated as an indicator, the detection rule produces a very large number of hits and is effectively rendered unusable.
detection-rules/#2954
{ "input": { "type": "httpjson" }, "agent": { "name": "Redacted", "id": "cdcd8072-1d30-414a-aa71-c96d2cb5e259", "type": "filebeat", "ephemeral_id": "e58cd5a2-1d47-4b89-b490-c1e13b364d7f", "version": "8.8.1" }, "@timestamp": "2023-06-22T07:35:41.076Z", "ecs": { "version": "8.8.0" }, "related": { "hash": [ "B9DAFC265A8BFEAA7EB30A2BA415310235381E48", "8E45F8B7642FA964FE628039040D5D77A7D3F177687A6969ECD000C83826EA4C94E3F6B615A5091DA0CDBFE86D183CCE", "7CC8EF889A24D8BE46158ED9525EDB3EFE4B872709EDFE4C565FB562271969EE", "T102C59EE8D06B40D2FC076EC468287AD7073231B3DEE50438276E7A089F7BDA95549E5E", "24576:JILK2NYDAYN0O6PUCD65X8HVLTFBQICQT/UC/FVWG/X5YIEYBF1KMXMWLKRA:", "67274E089D17FCBDB0A31877D7155622", "" ] }, "data_stream": { "namespace": "default", "type": "logs", "dataset": "ti_abusech.malwarebazaar" }, "abusech": { "malwarebazaar": { "intelligence": { "downloads": 109, "uploads": 1 }, "tags": [ "exe" ], "anonymous": 0, "code_sign": [] } }, "elastic_agent": { "id": "cdcd8072-1d30-414a-aa71-c96d2cb5e259", "version": "8.8.1", "snapshot": false }, "threat": { "indicator": { "geo": { "country_iso_code": "NL" }, "first_seen": "2023-06-22T07:31:33.000Z", "file": { "extension": "exe", "size": 2740224, "mime_type": "application/x-dosexec", "pe": { "imphash": "" }, "name": "67274e089d17fcbdb0a31877d7155622.exe", "hash": { "sha1": "b9dafc265a8bfeaa7eb30a2ba415310235381e48", "sha384": "8e45f8b7642fa964fe628039040d5d77a7d3f177687a6969ecd000c83826ea4c94e3f6b615a5091da0cdbfe86d183cce", "sha256": "7cc8ef889a24d8be46158ed9525edb3efe4b872709edfe4c565fb562271969ee", "tlsh": "T102C59EE8D06B40D2FC076EC468287AD7073231B3DEE50438276E7A089F7BDA95549E5E", "ssdeep": "24576:jIlK2NYDaYn0o6PuCD65x8HvLtFBqicQT/UC/FVWg/X5YIEYBF1kmXmWLKRa:", "md5": "67274e089d17fcbdb0a31877d7155622" }, "elf": {} }, "provider": "abuse_ch", "type": "file" }, "software": {} }, "event": { "agent_id_status": "verified", "ingested": "2023-06-22T07:35:43Z", "created": "2023-06-22T07:35:41.076Z", "kind": "enrichment", 
"category": "threat", "type": "indicator", "dataset": "ti_abusech.malwarebazaar" }, "tags": [ "forwarded", "abusech-malwarebazaar" ] }
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
Describe the Issue
Some AbuseCH documents are ingested with an empty string (`""`) as a hash value — in the sample below, `threat.indicator.file.pe.imphash` is `""`, and that empty value is also carried into the `related.hash` array. Because the empty string is treated as an indicator, the detection rule produces a very large number of hits and is effectively rendered unusable.
Related Issues
detection-rules/#2954
Sample Data