[Security Solution]: Adding the OR condition on the rule exception creates multiple exception name on the updated rule exception notification.

ghost commented 1 year ago

Describe the bug: Adding the OR condition on the rule exception creates multiple exception name on the updated rule exception notification.

Build Details:

VERSION: 8.6.0-BC5
BUILD: 58693
COMMIT: ed40c16ce9999cc47ad55c11bb097d2e443b31a6

Preconditions

Kibana should be running.

Steps to Reproduce

Navigate to Rules exception tab.
Now, create a shared exception list.
Now create a rule exception and add on the created shared exception list.
Now, edit the rule exception and add OR condition on the exception.
Observe that adding the OR condition on the rule exception creates multiple exception name on the updated rule exception notification.

Actual Result Adding the OR condition on the rule exception creates multiple exception name on the updated rule exception notification.

Expected Result Adding the OR condition on the rule exception multiple exception name on the updated rule exception notification should not display.

Screen-Recording:

https://user-images.githubusercontent.com/84007952/205908875-086ec835-6811-4339-8b19-358aebd5f43c.mp4

elasticmachine commented 1 year ago

Pinging @elastic/security-detections-response (Team:Detections and Resp)

elasticmachine commented 1 year ago

Pinging @elastic/security-solution (Team: SecuritySolution)

ghost commented 1 year ago

@karanbirsingh-qasource Please review.

cybersecdiva commented 1 year ago

Tested in current`8.7.0` deployment:

Preconditions: Kibana should be running

Steps to reproduce behavior:

Go to Security -> Manage -> Shared Exception Lists
Create a shared exception list in this scenario for testing my shared exception list is named "testbugsharedlist"
Under the recently created shared list create a rule exception and fill in the required fields
Edit the rule exception and add the OR condition on the rule exception

Screen video capture:

https://user-images.githubusercontent.com/35679937/229914735-70acee6c-74ca-4a3d-a6e2-d2fb290e71d9.mp4

Observations:

The updated rule exception notification shows the multiple exception name for the rule exception named "ruletest" for the Shared Exception List named "testbugsharedlist"
The behavior also exists on any rules that generated alerts that contain rule and endpoint exceptions

Screenshot of "Endpoint Security" rule with generated Malware Detection Alerts with an updated endpoint exception:

Screen recorded behavior rule "Endpoint Security" with generated alerts that have rule or endpoint exceptions:

https://user-images.githubusercontent.com/35679937/229940229-df1227e7-c857-4e63-be43-58bfd0a24829.mp4

Conclusion

Multiple exception names are occurring on the updated rule exception notification for both shared exception list and when updating rule exceptions for rules with generated alerts and endpoint exceptions

Bug Improvement Suggestions:

Update the notification display for update rule exceptions with the single name rule exceptions in the UI
Correct the notification display messages for update rule and endpoint exceptions for both rules that generate alerts and shared exception list rule exceptions

cc: @MadameSheema Update FYI Observations

cybersecdiva commented 1 year ago

Tested in`8.9.0`:

Build Details:
VERSION: 8.9.0 BC5
BUILD: 64715
COMMIT: beb56356c5c037441f89264361302513ff5bd9f8

Preconditions: Kibana should be running

Steps to reproduce behavior:

Go to Security -> Manage -> Shared Exception Lists
Create a shared exception list in this scenario for testing my shared exception list is named "bugtest"
Under the recently created shared list create a rule exception and fill in the required fields
Edit the rule exception and add the OR condition on the rule exception

Screen video capture:

https://github.com/elastic/kibana/assets/35679937/df503695-521e-49dd-a195-491aa2c52f0d

Observations:

The updated rule exception notification shows the multiple exception name for the rule exception named "test" for the Shared Exception List named "bugtest"
The behavior also exists on any rules that generated alerts that contain rule and endpoint exceptions

Screenshot of a newly created Shared Exception list of an updated rule exception with the OR condition:

Screenshot of "Endpoint Security" rule with generated Malware Detection Alerts with an updated endpoint exception:

Screenshot of behavior rule "Endpoint Security" with generated alerts that have rule or endpoint exceptions:

Conclusion

Multiple exception names are occurring on the updated rule exception notification for both shared exception list and when updating rule exceptions for rules with generated alerts and endpoint exceptions

Bug Improvement Suggestions:

Update the notification display for update rule exceptions with the single name rule exceptions in the UI
Correct the notification display messages for update rule and endpoint exceptions for both rules that generate alerts and shared exception list rule exceptions

cc: @MadameSheema Updated FYI Observations

pborgonovi commented 3 months ago

Validated latest 8.15 BC and it's still happening:

elastic / kibana