search

elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana
Other
19.64k stars 8.23k forks source link

[bug] View alerts in SIEM uses a different query as overview #76625

Open SHolzhauer opened 4 years ago

SHolzhauer commented 4 years ago

Kibana version: 7.9 Elasticsearch version: 7.9 Server OS version: Linux hostname 3.10.0-1127.18.2.el7.x86_64 #1 SMP Mon Jul 20 22:32:16 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux Browser version: Google Chrome Version 85.0.4183.83 (Official Build) (64-bit) Browser OS version:

Original install method (e.g. download page, yum, from source, etc.): yum Describe the bug: The overview page for Security displays external alerts correctly, but the host->external alerts tab does not display the alerts. It appears as if different queries are used.

Steps to reproduce:

  1. Have external alerts
  2. Open the overview tab, you should see them displayed in the visualization
  3. Click on "View alerts"
  4. No results:

Expected behavior: See the external alerts in the "view alerts" pane.

Screenshots (if relevant): image image Provide logs and/or server output (if relevant):

Query used by overview

{
  "aggregations": {
    "alertsGroup": {
      "terms": {
        "field": "event.module",
        "missing": "All others",
        "order": {
          "_count": "desc"
        },
        "size": 10
      },
      "aggs": {
        "alerts": {
          "date_histogram": {
            "field": "@timestamp",
            "fixed_interval": "112500ms",
            "min_doc_count": 0,
            "extended_bounds": {
              "min": 1599127445720,
              "max": 1599131045720
            }
          }
        }
      }
    }
  },
  "query": {
    "bool": {
      "filter": [
        {
          "bool": {
            "must": [],
            "filter": [
              {
                "match_all": {}
              }
            ],
            "should": [],
            "must_not": []
          }
        },
        {
          "bool": {
            "filter": [
              {
                "bool": {
                  "should": [
                    {
                      "match": {
                        "event.kind": "alert"
                      }
                    }
                  ],
                  "minimum_should_match": 1
                }
              }
            ]
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": "2020-09-03T10:04:05.720Z",
              "lte": "2020-09-03T11:04:05.720Z",
              "format": "strict_date_optional_time"
            }
          }
        }
      ]
    }
  },
  "size": 0,
  "track_total_hits": true
}

Query used by host tab This one adds the host.name filter

{
  "aggregations": {
    "alertsGroup": {
      "terms": {
        "field": "event.module",
        "missing": "All others",
        "order": {
          "_count": "desc"
        },
        "size": 10
      },
      "aggs": {
        "alerts": {
          "date_histogram": {
            "field": "@timestamp",
            "fixed_interval": "112500ms",
            "min_doc_count": 0,
            "extended_bounds": {
              "min": 1599119254818,
              "max": 1599122854818
            }
          }
        }
      }
    }
  },
  "query": {
    "bool": {
      "filter": [
        {
          "bool": {
            "must": [],
            "filter": [
              {
                "match_all": {}
              },
              {
                "bool": {
                  "filter": [
                    {
                      "bool": {
                        "should": [
                          {
                            "exists": {
                              "field": "host.name"
                            }
                          }
                        ],
                        "minimum_should_match": 1
                      }
                    }
                  ]
                }
              }
            ],
            "should": [],
            "must_not": []
          }
        },
        {
          "bool": {
            "filter": [
              {
                "bool": {
                  "should": [
                    {
                      "match": {
                        "event.kind": "alert"
                      }
                    }
                  ],
                  "minimum_should_match": 1
                }
              }
            ]
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": "2020-09-03T07:47:34.818Z",
              "lte": "2020-09-03T08:47:34.818Z",
              "format": "strict_date_optional_time"
            }
          }
        }
      ]
    }
  },
  "size": 0,
  "track_total_hits": true
}

Any additional context: These external alerts are incidents in an external system and do not have a host.name field.

elasticmachine commented 4 years ago

Pinging @elastic/siem (Team:SIEM)