elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

Indicator Match rule can produce false positive alerts if you use AND conditions #179825

Open nkhristinin opened 6 months ago

nkhristinin commented 6 months ago

Indicator Match rule can produce false positive alerts if you use AND conditions

How to reproduce

1. Create 2 indices

Request

```
PUT test_event
{
  "mappings": {
    "properties": {
      "@timestamp": { "type": "date" },
      "user": { "properties": { "name": { "type": "keyword" } } },
      "host": { "properties": { "name": { "type": "keyword" } } }
    }
  }
}

PUT test_threat
{
  "mappings": {
    "properties": {
      "@timestamp": { "type": "date" },
      "user": { "properties": { "name": { "type": "keyword" } } },
      "host": { "properties": { "name": { "type": "keyword" } } }
    }
  }
}
```
2. Create events

Should match

```
POST test_event/_doc
{
  "@timestamp": ${DATE},
  "host.name": "server",
  "user.name": "user 1"
}
```

Should not match

```
POST test_event/_doc
{
  "@timestamp": ${DATE},
  "host.name": "server",
  "user.name": "user 2"
}
```
3. Create threats. We need to have more threats than events to reproduce.

```
POST test_threat/_doc
{
  "@timestamp": ${DATE},
  "host.name": "server",
  "user.name": "user 1"
}
```

Create 2-3 more threats with users that are not "user 2", for example "user 3", etc.

4. Create IM rule

[Screenshot 2024-04-02 at 15:12:51]

Observe that you have alerts with user 2, which you shouldn't have

Why it happens

This is how it happens:

So, from our events we generate queries to find threats.

Query

```
{
  "meta": { "alias": null, "negate": false, "disabled": false },
  "query": {
    "bool": {
      "should": [
        {
          "bool": {
            "should": [
              {
                "bool": {
                  "filter": [
                    {
                      "bool": {
                        "should": [
                          { "match": { "user.name": { "query": "user 1", "_name": "65vYno4BlKOOo2xntJSi__SEP__test_event__SEP__user.name__SEP__user.name__SEP__mq" } } }
                        ],
                        "minimum_should_match": 1
                      }
                    },
                    {
                      "bool": {
                        "should": [
                          { "match": { "host.name": { "query": "server", "_name": "65vYno4BlKOOo2xntJSi__SEP__test_event__SEP__host.name__SEP__host.name__SEP__mq" } } }
                        ],
                        "minimum_should_match": 1
                      }
                    }
                  ]
                }
              },
              {
                "bool": {
                  "filter": [
                    {
                      "bool": {
                        "should": [
                          { "match": { "user.name": { "query": "user 2", "_name": "9ZvZno4BlKOOo2xnVJSd__SEP__test_event__SEP__user.name__SEP__user.name__SEP__mq" } } }
                        ],
                        "minimum_should_match": 1
                      }
                    },
                    {
                      "bool": {
                        "should": [
                          { "match": { "host.name": { "query": "server", "_name": "9ZvZno4BlKOOo2xnVJSd__SEP__test_event__SEP__host.name__SEP__host.name__SEP__mq" } } }
                        ],
                        "minimum_should_match": 1
                      }
                    }
                  ]
                }
              }
            ],
            "minimum_should_match": 1
          }
        }
      ],
      "minimum_should_match": 1
    }
  }
}
```
Response

```
{
  "max_score": null,
  "hits": [
    {
      "_index": "test_threat",
      "_id": "ypvUno4BlKOOo2xn8ZT6",
      "_score": null,
      "_source": { "host.name": "server", "user.name": "user 1" },
      "sort": [0, 1712058467246, 0],
      "matched_queries": [
        "65vYno4BlKOOo2xntJSi__SEP__test_event__SEP__host.name__SEP__host.name__SEP__mq",
        "65vYno4BlKOOo2xntJSi__SEP__test_event__SEP__user.name__SEP__user.name__SEP__mq",
        "9ZvZno4BlKOOo2xnVJSd__SEP__test_event__SEP__host.name__SEP__host.name__SEP__mq"
      ]
    }
  ]
}
```

In the response, we can see that it returns the right threat, but it has 3 matched queries: 2 for the event with user 1 and host server. Also, we have 1 matched query for the event with user 2. It was matched by the host.name.

In this function, we try to get events from threats, but do not account for partial matches.
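To make the partial-match problem concrete, here is an added Python illustration (not Kibana's code) that parses the `matched_queries` names from the response above and compares the behaviour described in the issue with one that requires every entry of an AND group to match for the same threat document. The `THREAT_MAPPING` structure and the function names are assumptions for this example.

```python
from collections import defaultdict

SEP = "__SEP__"

# Constructed sample hit, copied from the response in this issue and reduced to the
# fields needed. Names are <eventId>__SEP__<index>__SEP__<eventField>__SEP__<threatField>__SEP__mq.
THREAT_HIT = {
    "_id": "ypvUno4BlKOOo2xn8ZT6",
    "_source": {"host.name": "server", "user.name": "user 1"},
    "matched_queries": [
        "65vYno4BlKOOo2xntJSi__SEP__test_event__SEP__host.name__SEP__host.name__SEP__mq",
        "65vYno4BlKOOo2xntJSi__SEP__test_event__SEP__user.name__SEP__user.name__SEP__mq",
        "9ZvZno4BlKOOo2xnVJSd__SEP__test_event__SEP__host.name__SEP__host.name__SEP__mq",
    ],
}

# Assumed encoding of the rule's indicator mapping: a list of OR'ed groups, each group a
# list of AND'ed (event_field, threat_field) pairs. Here: user.name AND host.name.
THREAT_MAPPING = [
    [("user.name", "user.name"), ("host.name", "host.name")],
]


def parse_name(name):
    """Split a named query back into (event_id, event_field, threat_field)."""
    event_id, _index, event_field, threat_field, _suffix = name.split(SEP)
    return event_id, event_field, threat_field


def matched_events_buggy(hit):
    """Behaviour described in the issue: any named-query hit marks its event as matched,
    so the partial match (host.name only) on the 'user 2' event produces an alert."""
    return sorted({parse_name(n)[0] for n in hit["matched_queries"]})


def matched_events_fixed(hit, threat_mapping):
    """Report an event only if, within this single threat document, every pair of at least
    one AND group matched. Pairs are collected per hit, not across hits, on purpose."""
    pairs_by_event = defaultdict(set)
    for name in hit["matched_queries"]:
        event_id, event_field, threat_field = parse_name(name)
        pairs_by_event[event_id].add((event_field, threat_field))
    return sorted(
        event_id
        for event_id, pairs in pairs_by_event.items()
        if any(set(group) <= pairs for group in threat_mapping)
    )


if __name__ == "__main__":
    print("buggy:", matched_events_buggy(THREAT_HIT))                  # both event ids
    print("fixed:", matched_events_fixed(THREAT_HIT, THREAT_MAPPING))  # only the 'user 1' event
```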

elasticmachine commented 6 months ago

Pinging @elastic/security-detection-engine (Team:Detection Engine)