elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

[Security Solution] EQL sequence rules with `not` operator for some events create alerts with no context fields #168708

Open marshallmain opened 9 months ago

marshallmain commented 9 months ago

For an EQL search like

GET winlogbeat*,logs-system*/_eql/search
{
  "query": """sequence with maxspan=60s
[ any where true ]
![ any where event.action : "user_channel_join"]"""
}

The EQL search API returns the missing event as { "_index": "", "_id": "", "_source": {}, "missing": true } which we didn't account for in the EQL rule. The EQL rule type includes fields that are common across all events in the sequence in the final alert, but this missing event has no fields at all so it finds no fields that are common across all events.

We should probably look for common fields only from events in the sequence that are actually present. We should also consider only making building block alerts for events that are actually present in the sequence.

In timeline, the building block alerts and shell alert for the sequence

sequence by user.email, slack.audit.entity.name with maxspan=60s
[ any where event.action : "public_channel_preview" ]
![ any where event.action : "user_channel_join"]

ends up looking like this: [image]
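The common-fields step described in this issue, as an added example that is not Kibana's own code: a small TypeScript model of the reported behaviour (the `missing: true` placeholder contributes no fields, so nothing is common) next to the proposed fix of only considering events that are actually present. The type, helper names and sample event values are assumptions.

```typescript
interface EqlSequenceEvent {
  _index: string;
  _id: string;
  _source: Record<string, unknown>;
  missing?: boolean; // true for the placeholder the EQL API returns for a negated (!) stage
}

// Flatten nested _source into dotted paths: { event: { action: "x" } } -> { "event.action": "x" }
function flattenFields(obj: Record<string, unknown>, prefix = ""): Record<string, unknown> {
  const out: Record<string, unknown> = {};
  for (const [key, value] of Object.entries(obj)) {
    const path = prefix ? `${prefix}.${key}` : key;
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      Object.assign(out, flattenFields(value as Record<string, unknown>, path));
    } else {
      out[path] = value;
    }
  }
  return out;
}

// Keep only fields whose value is identical in every event of the list.
function commonFields(events: EqlSequenceEvent[]): Record<string, unknown> {
  if (events.length === 0) return {};
  const flat = events.map((e) => flattenFields(e._source));
  const result: Record<string, unknown> = {};
  for (const [field, value] of Object.entries(flat[0])) {
    if (flat.every((f) => JSON.stringify(f[field]) === JSON.stringify(value))) result[field] = value;
  }
  return result;
}

// Behaviour reported in the issue: the missing placeholder has no fields, so nothing is common.
function commonFieldsAcrossAll(events: EqlSequenceEvent[]): Record<string, unknown> {
  return commonFields(events);
}

// Proposed fix: consider only the events that are actually present in the sequence.
function commonFieldsAcrossPresent(events: EqlSequenceEvent[]): Record<string, unknown> {
  return commonFields(events.filter((e) => !e.missing));
}

// Constructed sample (assumed values): a public_channel_preview event followed by the
// placeholder for the negated user_channel_join stage, as returned by the _eql/search API.
const sampleSequence: EqlSequenceEvent[] = [
  { _index: "logs-slack", _id: "a1", _source: { user: { email: "alice@example.com" },
      slack: { audit: { entity: { name: "general" } } }, event: { action: "public_channel_preview" } } },
  { _index: "", _id: "", _source: {}, missing: true },
];
```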

elasticmachine commented 9 months ago

Pinging @elastic/security-solution (Team: SecuritySolution)

LaZyDK commented 3 months ago

Will this be worked on?

yctercero commented 3 months ago

Hi @LaZyDK ! Thanks for reaching out - it's not currently prioritized. How critical is this enhancement for your use case?