Indicator Match rule can produce false positive alerts if you use AND conditions
How to reproduce
Request (index mappings for the events and the threats):

```
PUT test_event
{
  "mappings": {
    "properties": {
      "@timestamp": { "type": "date" },
      "user": { "properties": { "name": { "type": "keyword" } } },
      "host": { "properties": { "name": { "type": "keyword" } } }
    }
  }
}

PUT test_threat
{
  "mappings": {
    "properties": {
      "@timestamp": { "type": "date" },
      "user": { "properties": { "name": { "type": "keyword" } } },
      "host": { "properties": { "name": { "type": "keyword" } } }
    }
  }
}
```

Should match

Should not match
Create 2 or 3 more threats with a user other than "user 2", for example "user 3", and so on.
Create an Indicator Match rule whose indicator mapping combines the two entries with AND (user.name AND host.name).
Observe that you get alerts for user 2, which you should not have.

Why it happens

From our events we generate one search that finds the matching threats. Each event becomes a `should` clause, the event's AND conditions become `filter` clauses inside it, and every `match` carries a `_name` so that `matched_queries` in the response tells us which event's clause matched:
Query

```
{
  "meta": { "alias": null, "negate": false, "disabled": false },
  "query": {
    "bool": {
      "should": [
        {
          "bool": {
            "should": [
              {
                "bool": {
                  "filter": [
                    {
                      "bool": {
                        "should": [
                          {
                            "match": {
                              "user.name": {
                                "query": "user 1",
                                "_name": "65vYno4BlKOOo2xntJSi__SEP__test_event__SEP__user.name__SEP__user.name__SEP__mq"
                              }
                            }
                          }
                        ],
                        "minimum_should_match": 1
                      }
                    },
                    {
                      "bool": {
                        "should": [
                          {
                            "match": {
                              "host.name": {
                                "query": "server",
                                "_name": "65vYno4BlKOOo2xntJSi__SEP__test_event__SEP__host.name__SEP__host.name__SEP__mq"
                              }
                            }
                          }
                        ],
                        "minimum_should_match": 1
                      }
                    }
                  ]
                }
              },
              {
                "bool": {
                  "filter": [
                    {
                      "bool": {
                        "should": [
                          {
                            "match": {
                              "user.name": {
                                "query": "user 2",
                                "_name": "9ZvZno4BlKOOo2xnVJSd__SEP__test_event__SEP__user.name__SEP__user.name__SEP__mq"
                              }
                            }
                          }
                        ],
                        "minimum_should_match": 1
                      }
                    },
                    {
                      "bool": {
                        "should": [
                          {
                            "match": {
                              "host.name": {
                                "query": "server",
                                "_name": "9ZvZno4BlKOOo2xnVJSd__SEP__test_event__SEP__host.name__SEP__host.name__SEP__mq"
                              }
                            }
                          }
                        ],
                        "minimum_should_match": 1
                      }
                    }
                  ]
                }
              }
            ],
            "minimum_should_match": 1
          }
        }
      ],
      "minimum_should_match": 1
    }
  }
}
```

Response
```
{
  "max_score": null,
  "hits": [
    {
      "_index": "test_threat",
      "_id": "ypvUno4BlKOOo2xn8ZT6",
      "_score": null,
      "_source": {
        "host.name": "server",
        "user.name": "user 1"
      },
      "sort": [0, 1712058467246, 0],
      "matched_queries": [
        "65vYno4BlKOOo2xntJSi__SEP__test_event__SEP__host.name__SEP__host.name__SEP__mq",
        "65vYno4BlKOOo2xntJSi__SEP__test_event__SEP__user.name__SEP__user.name__SEP__mq",
        "9ZvZno4BlKOOo2xnVJSd__SEP__test_event__SEP__host.name__SEP__host.name__SEP__mq"
      ]
    }
  ]
}
```

In the response we can see that it returns the right threat (user 1 on host server), but the hit has 3 matched queries: 2 for the event with user 1 and host server, and 1 for the event with user 2. That last one was matched only by `host.name`; the `user.name` clause for the user 2 event did not match, so the threat's AND condition is not satisfied for that event. In the function that extracts events from the matched threats, every matched query name is treated as a match for its event, and partial matches are not accounted for. That is why the user 2 event produces a false-positive alert.
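The check that is missing, as an added example and not Kibana's own code: group the `matched_queries` names of a threat hit by event, then accept an event only when every field of the rule's AND condition matched for that same event. The `_name` layout it parses (`<eventId>__SEP__<eventIndex>__SEP__<eventField>__SEP__<threatField>__SEP__mq`) is an assumption read off the names in the query above; the sample hit is constructed from the response above.

```typescript
// Added example, not Kibana code. Post-processes a threat-search hit so that
// an event is attributed to a threat only when ALL of its AND'ed conditions
// matched, which is the partial-match filtering the issue says is missing.
//
// Assumed _name layout (read off the names on this page):
//   <eventId>__SEP__<eventIndex>__SEP__<eventField>__SEP__<threatField>__SEP__mq

const SEP = '__SEP__';

export interface ThreatHit {
  _index: string;
  _id: string;
  _source: Record<string, unknown>;
  matched_queries?: string[];
}

export interface ParsedQueryName {
  eventId: string;
  eventIndex: string;
  eventField: string;
  threatField: string;
}

/** Split a matched-query _name into its parts; undefined if it is not in the assumed form. */
export function parseQueryName(name: string): ParsedQueryName | undefined {
  const parts = name.split(SEP);
  if (parts.length !== 5 || parts[4] !== 'mq') {
    return undefined;
  }
  return { eventId: parts[0], eventIndex: parts[1], eventField: parts[2], threatField: parts[3] };
}

/** Map "eventIndex:eventId" -> set of event fields whose clause matched this threat. */
export function matchedFieldsByEvent(hit: ThreatHit): Map<string, Set<string>> {
  const byEvent = new Map<string, Set<string>>();
  for (const name of hit.matched_queries ?? []) {
    const parsed = parseQueryName(name);
    if (parsed === undefined) {
      continue; // not one of our named clauses, ignore it
    }
    const key = `${parsed.eventIndex}:${parsed.eventId}`;
    const fields = byEvent.get(key) ?? new Set<string>();
    fields.add(parsed.eventField);
    byEvent.set(key, fields);
  }
  return byEvent;
}

/**
 * Splits the events referenced by a hit into those where every required field
 * matched (real matches that should alert) and those where only some fields
 * matched (partial matches that must be dropped, or they become false positives).
 */
export function splitMatches(
  hit: ThreatHit,
  requiredEventFields: string[]
): { full: string[]; partial: string[] } {
  const full: string[] = [];
  const partial: string[] = [];
  matchedFieldsByEvent(hit).forEach((fields, key) => {
    const complete = requiredEventFields.every((field) => fields.has(field));
    (complete ? full : partial).push(key);
  });
  return { full: full.sort(), partial: partial.sort() };
}

// Constructed sample: the single hit from the response above, with its three
// matched_queries names copied as they appear there.
export const sampleHit: ThreatHit = {
  _index: 'test_threat',
  _id: 'ypvUno4BlKOOo2xn8ZT6',
  _source: { 'host.name': 'server', 'user.name': 'user 1' },
  matched_queries: [
    '65vYno4BlKOOo2xntJSi__SEP__test_event__SEP__host.name__SEP__host.name__SEP__mq',
    '65vYno4BlKOOo2xntJSi__SEP__test_event__SEP__user.name__SEP__user.name__SEP__mq',
    '9ZvZno4BlKOOo2xnVJSd__SEP__test_event__SEP__host.name__SEP__host.name__SEP__mq',
  ],
};

// The rule's AND condition from the reproduction: both entries must match for one event.
export const ruleEventFields = ['user.name', 'host.name'];

const result = splitMatches(sampleHit, ruleEventFields);
console.log('alert for:', result.full); // only the user 1 event
console.log('drop partial:', result.partial); // the user 2 event, host.name only
```

Run against the sample hit, only the user 1 event survives; the user 2 event is reported as partial because `user.name` never matched for it, which is exactly the alert the reproduction says should not exist.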