Closed joseph-coulter closed 1 month ago
Pinging @elastic/security-solution (Team: SecuritySolution)
Pinging @elastic/security-detections-response (Team:Detections and Resp)
Pinging @elastic/security-detection-engine (Team:Detection Engine)
Hi Yara, since there are some issues with reproducing the issue, I can try to wait for an alert I feel shouldn't have triggered and once that happens I could screenshare and demonstrate the process that convinced me the exception isn't working properly if you'd like. Thanks.
Hi @joseph-coulter ! That would be great. Usually what is most helpful in these scenarios is to gather:
Please remember this is a public ticket so please don't share any sensitive information. You can also feel free to reach out to me directly in our community Slack to share more info.
Closing out as we determined the issue was using a field in the exception that was only available for alert documents.
Following up on Slack to help figure out a good workflow for their use case.
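The root cause named in the closing comment above, an exception entry keyed on a field that only exists on alert documents, is easy to reproduce offline. Rule exceptions are evaluated against the source event the rule query runs over, not against the alert document Kibana writes afterwards, so an entry on a `kibana.alert.*` (or legacy `signal.*`) field never matches and the item silently stops suppressing. The following is an added example, not Kibana's own code; it assumes the exception-item entry shape used by the Kibana exceptions API (`field`, `type`, `operator`, `value`), and the sample event and items are constructed for illustration.

```python
# Added example (not Kibana's code): evaluate detection-rule exception items
# against the SOURCE event, which is what the rule query actually runs on,
# and flag entries that can only ever match an alert document.
import fnmatch
from typing import Any

# Assumption: these namespaces exist only on documents in the alerts indices,
# never on the endpoint/source event, so entries on them cannot match.
ALERT_ONLY_PREFIXES = ("kibana.alert.", "signal.")


def get_field(doc: dict, path: str) -> Any:
    """Resolve a dotted field path in a nested source document; None if absent."""
    cur: Any = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def entry_matches(entry: dict, doc: dict) -> bool:
    """Evaluate one exception entry (field/type/operator/value) against a source event."""
    actual = get_field(doc, entry["field"])
    kind = entry["type"]
    if kind == "exists":
        hit = actual is not None
    elif kind == "match":
        hit = actual == entry["value"]
    elif kind == "match_any":
        hit = actual in entry["value"]
    elif kind == "wildcard":
        hit = actual is not None and fnmatch.fnmatchcase(str(actual), entry["value"])
    else:
        raise ValueError(f"unsupported entry type: {kind}")
    # operator "excluded" negates the condition
    return hit if entry.get("operator", "included") == "included" else not hit


def item_matches(item: dict, doc: dict) -> bool:
    """An item suppresses an alert only when ALL of its entries match the source event."""
    return all(entry_matches(e, doc) for e in item["entries"])


def alert_only_fields(item: dict) -> list[str]:
    """Entries keyed on alert-document-only fields: these never match a source event."""
    return [e["field"] for e in item["entries"] if e["field"].startswith(ALERT_ONLY_PREFIXES)]


# Constructed sample endpoint source event (not a real capture).
SOURCE_EVENT = {
    "event": {"kind": "event", "category": ["process"]},
    "host": {"name": "ws-042", "os": {"type": "windows"}},
    "process": {
        "name": "updater.exe",
        "executable": "C:\\Program Files\\Vendor\\updater.exe",
    },
}

# Constructed exception items. GOOD_ITEM uses source-event fields and works;
# BAD_ITEM keys on kibana.alert.rule.name, which is absent from the source event.
GOOD_ITEM = {
    "name": "allow vendor updater",
    "entries": [
        {"field": "process.executable", "type": "wildcard", "operator": "included",
         "value": "C:\\Program Files\\Vendor\\*"},
        {"field": "host.os.type", "type": "match", "operator": "included", "value": "windows"},
    ],
}
BAD_ITEM = {
    "name": "allow by rule name",
    "entries": [
        {"field": "kibana.alert.rule.name", "type": "match", "operator": "included",
         "value": "Endpoint Security"},
        {"field": "process.name", "type": "match", "operator": "included", "value": "updater.exe"},
    ],
}

if __name__ == "__main__":
    for item in (GOOD_ITEM, BAD_ITEM):
        print(item["name"], "suppresses:", item_matches(item, SOURCE_EVENT),
              "alert-only fields:", alert_only_fields(item))
```

Running the check over an exception list before relying on it catches exactly the failure mode in this ticket: the second item looks sensible in the UI but evaluates to false against every source event, so the rule keeps alerting.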
Describe the bug:
Malicious behavior detection rule exceptions do not always prevent alerts that match the exception logic.
Kibana/Elasticsearch Stack version:
v8.15.1
Server OS version:
Browser and Browser OS versions:
Elastic Endpoint version:
We have phased rollouts, so it varies.
Original install method (e.g. download page, yum, from source, etc.):
Functional Area (e.g. Endpoint management, timelines, resolver, etc.):
Security alerts.
Steps to reproduce:
Reproduction depends on the alert and can't be done reliably, because sometimes an edit to an exception seems to work; however, I'll outline my method of confirming that the exception should have prevented an alert that was triggered.
Because the date of the last edit to the exception was before the date of the alert, and editing the alert without changing it closes that alert, I believe that's sufficient to rule out any issues with the exception logic and confirm that the exception logic should have prevented the alert from triggering.
Current behavior:
Sometimes exceptions don't prevent alerts that match the exception logic
Expected behavior:
Exception should prevent alerts from triggering if they match the exception logic.
Screenshots (if relevant):
Errors in browser console (if relevant):
Provide logs and/or server output (if relevant):
Any additional context (logs, chat logs, magical formulas, etc.):
I don't actually know if this happens exclusively with the endpoint security alert. I may have only seen it in that alert because it accounts for a very large portion of alerts in my environment. It's also notable that because there are so many malicious behavior detection alerts, and they all are categorized as one alert called "endpoint security", this causes every single malicious behavior detection alert exception to apply to one rule, and as a result, the endpoint security alert has what might be considered a large number of exceptions, around 50 right now. If that turns out to be an issue, I can move a few that really should be endpoint exceptions rather than rule exceptions, however by the time I'm done tuning that alert it'll likely be hundreds of exceptions.