Open DanielBrown2023 opened 6 months ago
Confirmed it is happening in 8.12 and 8.13 version too.
I will move it to the kibana public repo and assign it to the proper team. I will also mark it as impact:low, since rule execution is stopped and an error message is displayed on the rule details page because of the bad IP format:
Pinging @elastic/security-detections-response (Team:Detections and Resp)
Pinging @elastic/security-solution (Team: SecuritySolution)
Pinging @elastic/security-detection-engine (Team:Detection Engine)
Thanks for opening this @DanielBrown2023 - I've added it to a ticket we have going for some planned enhancements to value lists.
Describe the bug
SIEM rules do not produce alerts, warnings, or errors when erroneous exemption lists are created.
To Reproduce
In SIEM rules, in the rule editing UI:
1. Add a rule exemption.
2. Name the exemption.
3. In the conditions section:
   a. select an IP-mapped field
   b. choose the "is one of" operator
   c. add values that do not meet the specifications of an IP address
4. Save the exception rule.
Expected behavior
Once the SIEM rule has the exemption list with erroneous values (i.e. IP entries like `1.1.1.`, `123097808`, `.1.1.1`)

Screenshots
Desktop (please complete the following information):
Additional context
The target index of the exclusion condition is mapped correctly as IP addresses.
Requested an FR to add additional data validation when creating exclusion list entries: Rule Exemption Data validation [FR] elastic/kibana#179711
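The validation the report asks for, as an added example that is not part of the issue or of Kibana's code: it checks each proposed "is one of" value for an IP-mapped field before it is saved, accepting single IPv4/IPv6 addresses or CIDR blocks and rejecting the three malformed entries quoted above. The sample entry list is constructed here; the acceptance rule (address or CIDR via Python's `ipaddress` module) is an assumption about what an IP-mapped field should accept, not Kibana's exception-list schema.

```python
import ipaddress

# Constructed sample: the three malformed entries from the report plus
# a few values that an IP-mapped field would accept.
SAMPLE_ENTRIES = [
    "1.1.1.",          # trailing dot, only three octets
    "123097808",       # bare integer string, not dotted-quad
    ".1.1.1",          # leading dot, empty first octet
    "10.0.0.5",        # valid IPv4 address
    "192.168.0.0/24",  # valid IPv4 CIDR block
    "2001:db8::1",     # valid IPv6 address
]


def validate_ip_entry(value: str):
    """Return (ok, reason) for one proposed exception-list value.

    Accepts a single IPv4/IPv6 address or a CIDR block (assumed policy);
    any string ipaddress cannot parse is rejected with the parser's message.
    """
    v = value.strip()
    if not v:
        return False, "empty value"
    try:
        if "/" in v:
            # strict=False tolerates host bits set in the block, e.g. 10.0.0.5/24
            ipaddress.ip_network(v, strict=False)
        else:
            ipaddress.ip_address(v)
        return True, "ok"
    except ValueError as exc:
        return False, str(exc)


def validate_entries(values):
    """Partition proposed values into an accepted list and a {value: reason} map.

    A save handler would refuse the whole list while `rejected` is non-empty,
    so a bad entry surfaces at edit time instead of stopping rule execution.
    """
    accepted, rejected = [], {}
    for v in values:
        ok, reason = validate_ip_entry(v)
        if ok:
            accepted.append(v)
        else:
            rejected[v] = reason
    return accepted, rejected


if __name__ == "__main__":
    ok_values, bad_values = validate_entries(SAMPLE_ENTRIES)
    print("accepted:", ok_values)
    for value, reason in bad_values.items():
        print(f"rejected {value!r}: {reason}")
```

Running the block lists the three valid entries as accepted and reports a parser reason for each of the malformed ones, which is the feedback the rule editor would show instead of letting the list save and fail at execution time.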